I've backported the first two commits into my local 0.5 release branch, but since AFAIUI this issue is still confidential, I haven't pushed it to git.ffmpeg.org yet. Also, if someone has a CVE Number for the second issue, I can add it to the commit message. This means that both patches are being scheduled for a potential 0.5.4 release.
I've also checked that FFmpeg 0.6 and later have both patches already included.
I've backported the first two commits into my local 0.5 release branch, but since AFAIUI this issue is still confidential, I haven't pushed it to git.ffmpeg.org yet. Also, if someone has a CVE Number for the second issue, I can add it to the commit message. This means that both patches are being scheduled for a potential 0.5.4 release.
I've also checked that FFmpeg 0.6 and later have both patches already included.