doc/utils: fix typo for min() description

Signed-off-by: Paul B Mahol <onemda@gmail.com> (cherry picked from commit bdf474bcff) Signed-off-by: Timothy Gu <timothygu99@gmail.com>
swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE*
2016-03-02 16:46:34 -08:00 · 2015-12-15 11:21:17 +01:00 · 2015-12-15 11:21:16 +01:00 · 2015-12-06 14:14:49 +01:00 · 2015-12-06 14:14:43 +01:00 · 2015-12-06 14:14:41 +01:00
119 changed files with 824 additions and 293 deletions
@@ -14,7 +14,6 @@ patches and related discussions.
 Project Leader
 ==============

-Michael Niedermayer
  final design decisions


@@ -1 +1 @@
-2.2.14
+2.2.16
@@ -22,6 +22,7 @@
 #include "libavutil/time.h"
 #include "libavutil/log.h"
 #include "libavutil/opencl.h"
+#include "libavutil/avstring.h"
 #include "cmdutils.h"

 typedef struct {
@@ -238,7 +239,8 @@ int opt_opencl_bench(void *optctx, const char *opt, const char *arg)
                devices[count].platform_idx = i;
                devices[count].device_idx = j;
                devices[count].runtime = score;
-                strcpy(devices[count].device_name, device_node->device_name);
+                av_strlcpy(devices[count].device_name, device_node->device_name,
+                           sizeof(devices[count].device_name));
                count++;
            }
        }
@@ -3585,6 +3585,7 @@ elif enabled x86; then
    case $cpu in
        i[345]86|pentium)
            cpuflags="-march=$cpu"
+            disable i686
            disable mmx
        ;;
        # targets that do NOT support nopl and conditional mov (cmov)
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 2.2.14
+PROJECT_NUMBER         = 2.2.16

 # With the PROJECT_LOGO tag one can specify a logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
@@ -225,10 +225,14 @@ Possible flags for this option are:
@item sse4.1
@item sse4.2
@item avx
+@item avx2
@item xop
+@item fma3
@item fma4
@item 3dnow
@item 3dnowext
+@item bmi1
+@item bmi2
@item cmov
@end table
@item ARM
@@ -240,6 +244,11 @@ Possible flags for this option are:
@item vfpv3
@item neon
@end table
+@item AArch64
+@table @samp
+@item vfp
+@item neon
+@end table
@item PowerPC
@table @samp
@item altivec
@@ -3855,7 +3855,7 @@ within the parameter list.
@item
 Show the text at the center of the video frame:
@example
-drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h-line_h)/2"
+drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h)/2"
@end example

@item
@@ -121,8 +121,6 @@ You will need the following prerequisites:
 (if using MSVC 2012 or earlier)
@item @uref{http://www.mingw.org/, MSYS}
@item @uref{http://yasm.tortall.net/, YASM}
-@item @uref{http://gnuwin32.sourceforge.net/packages/bc.htm, bc for Windows} if
-you want to run @uref{fate.html, FATE}.
@end itemize

 To set up a proper environment in MSYS, you need to run @code{msys.bat} from
@@ -269,7 +267,7 @@ binutils, gcc4-core, make, git, mingw-runtime, texi2html

 In order to run FATE you will also need the following "Utils" packages:
@example
-bc, diffutils
+diffutils
@end example

 If you want to build FFmpeg with additional libraries, download Cygwin
@@ -858,7 +858,7 @@ Return 1 if @var{x} is lesser than or equal to @var{y}, 0 otherwise.
 Return the maximum between @var{x} and @var{y}.

@item min(x, y)
-Return the maximum between @var{x} and @var{y}.
+Return the minimum between @var{x} and @var{y}.

@item mod(x, y)
 Compute the remainder of division of @var{x} by @var{y}.
@@ -353,7 +353,6 @@ void term_init(void)
        signal(SIGQUIT, sigterm_handler); /* Quit (POSIX).  */
    }
 #endif
-    avformat_network_deinit();

    signal(SIGINT , sigterm_handler); /* Interrupt (ANSI).    */
    signal(SIGTERM, sigterm_handler); /* Termination (ANSI).  */
@@ -2382,11 +2381,13 @@ static int transcode_init(void)
            codec->rc_max_rate    = icodec->rc_max_rate;
            codec->rc_buffer_size = icodec->rc_buffer_size;
            codec->field_order    = icodec->field_order;
-            codec->extradata      = av_mallocz(extra_size);
-            if (!codec->extradata) {
-                return AVERROR(ENOMEM);
+            if (icodec->extradata_size) {
+                codec->extradata      = av_mallocz(extra_size);
+                if (!codec->extradata) {
+                    return AVERROR(ENOMEM);
+                }
+                memcpy(codec->extradata, icodec->extradata, icodec->extradata_size);
            }
-            memcpy(codec->extradata, icodec->extradata, icodec->extradata_size);
            codec->extradata_size= icodec->extradata_size;
            codec->bits_per_coded_sample  = icodec->bits_per_coded_sample;

@@ -2253,6 +2253,9 @@ static int opt_vstats(void *optctx, const char *opt, const char *arg)
    time_t today2 = time(NULL);
    struct tm *today = localtime(&today2);

+    if (!today)
+        return AVERROR(errno);
+
    snprintf(filename, sizeof(filename), "vstats_%02d%02d%02d.log", today->tm_hour, today->tm_min,
             today->tm_sec);
    return opt_vstats_file(NULL, opt, filename);
@@ -2729,7 +2732,7 @@ const OptionDef options[] = {
    { "itsscale",       HAS_ARG | OPT_DOUBLE | OPT_SPEC |
                        OPT_EXPERT | OPT_INPUT,                      { .off = OFFSET(ts_scale) },
        "set the input ts scale", "scale" },
-    { "timestamp",      HAS_ARG | OPT_PERFILE,                       { .func_arg = opt_recording_timestamp },
+    { "timestamp",      HAS_ARG | OPT_PERFILE | OPT_OUTPUT,          { .func_arg = opt_recording_timestamp },
        "set the recording timestamp ('now' to set the current time)", "time" },
    { "metadata",       HAS_ARG | OPT_STRING | OPT_SPEC | OPT_OUTPUT, { .off = OFFSET(metadata) },
        "add metadata", "string=string" },
@@ -425,7 +425,7 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags)
 * Save current output configuration if and only if it has been locked.
 */
 static void push_output_configuration(AACContext *ac) {
-    if (ac->oc[1].status == OC_LOCKED) {
+    if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) {
        ac->oc[0] = ac->oc[1];
    }
    ac->oc[1].status = OC_NONE;
@@ -881,7 +881,7 @@ static int decode_eld_specific_config(AACContext *ac, AVCodecContext *avctx,
        if (len == 15 + 255)
            len += get_bits(gb, 16);
        if (get_bits_left(gb) < len * 8 + 4) {
-            av_log(ac->avctx, AV_LOG_ERROR, overread_err);
+            av_log(avctx, AV_LOG_ERROR, overread_err);
            return AVERROR_INVALIDDATA;
        }
        skip_bits_long(gb, 8 * len);
@@ -3021,6 +3021,12 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
            AV_WL32(side, 2*AV_RL32(side));
    }

+    if (!ac->frame->data[0] && samples) {
+        av_log(avctx, AV_LOG_ERROR, "no frame data found\n");
+        err = AVERROR_INVALIDDATA;
+        goto fail;
+    }
+
    *got_frame_ptr = !!samples;
    if (samples) {
        ac->frame->nb_samples = samples;
@@ -313,7 +313,7 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) {
    ctx->bitres.size   = 6144 - pctx->frame_bits;
    ctx->bitres.size  -= ctx->bitres.size % 8;
    pctx->fill_level   = ctx->bitres.size;
-    minath = ath(3410, ATH_ADD);
+    minath = ath(3410 - 0.733 * ATH_ADD, ATH_ADD);
    for (j = 0; j < 2; j++) {
        AacPsyCoeffs *coeffs = pctx->psy_coef[j];
        const uint8_t *band_sizes = ctx->bands[j];
@@ -727,7 +727,10 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel,
                    if (active_lines > 0.0f)
                        band->thr = calc_reduced_thr_3gpp(band, coeffs[g].min_snr, reduction);
                    pe += calc_pe_3gpp(band);
-                    band->norm_fac = band->active_lines / band->thr;
+                    if (band->thr > 0.0f)
+                        band->norm_fac = band->active_lines / band->thr;
+                    else
+                        band->norm_fac = 0.0f;
                    norm_fac += band->norm_fac;
                }
            }
@@ -520,7 +520,7 @@ static int sbr_make_f_master(AACContext *ac, SpectralBandReplication *sbr,
 /// High Frequency Generation - Patch Construction (14496-3 sp04 p216 fig. 4.46)
 static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr)
 {
-    int i, k, sb = 0;
+    int i, k, last_k = -1, last_msb = -1, sb = 0;
    int msb = sbr->k[0];
    int usb = sbr->kx[1];
    int goal_sb = ((1000 << 11) + (sbr->sample_rate >> 1)) / sbr->sample_rate;
@@ -534,6 +534,12 @@ static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr)

    do {
        int odd = 0;
+        if (k == last_k && msb == last_msb) {
+            av_log(ac->avctx, AV_LOG_ERROR, "patch construction failed\n");
+            return AVERROR_INVALIDDATA;
+        }
+        last_k = k;
+        last_msb = msb;
        for (i = k; i == k || sb > (sbr->k[0] - 1 + msb - odd); i--) {
            sb = sbr->f_master[i];
            odd = (sb + sbr->k[0]) & 1;
@@ -137,7 +137,7 @@ static int aasc_decode_frame(AVCodecContext *avctx,
        return ret;

    /* report that the buffer was completely consumed */
-    return buf_size;
+    return avpkt->size;
 }

 static av_cold int aasc_decode_end(AVCodecContext *avctx)
@@ -131,6 +131,9 @@ int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
    int band_start, band_end, begin, end1;
    int lowcomp, fastleak, slowleak;

+    if (end <= 0)
+        return AVERROR_INVALIDDATA;
+
    /* excitation function */
    band_start = ff_ac3_bin_to_band_tab[start];
    band_end   = ff_ac3_bin_to_band_tab[end-1] + 1;
@@ -575,6 +575,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
    case AV_CODEC_ID_ADPCM_IMA_DK4:
        if (avctx->block_align > 0)
            buf_size = FFMIN(buf_size, avctx->block_align);
+        if (buf_size < 4 * ch)
+            return AVERROR_INVALIDDATA;
        nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch;
        break;
    case AV_CODEC_ID_ADPCM_IMA_RAD:
@@ -588,13 +590,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
        int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2];
        if (avctx->block_align > 0)
            buf_size = FFMIN(buf_size, avctx->block_align);
+        if (buf_size < 4 * ch)
+            return AVERROR_INVALIDDATA;
        nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples;
        break;
    }
    case AV_CODEC_ID_ADPCM_MS:
        if (avctx->block_align > 0)
            buf_size = FFMIN(buf_size, avctx->block_align);
-        nb_samples = 2 + (buf_size - 7 * ch) * 2 / ch;
+        nb_samples = (buf_size - 6 * ch) * 2 / ch;
        break;
    case AV_CODEC_ID_ADPCM_SBPRO_2:
    case AV_CODEC_ID_ADPCM_SBPRO_3:
@@ -607,6 +611,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
        case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break;
        }
        if (!s->status[0].step_index) {
+            if (buf_size < ch)
+                return AVERROR_INVALIDDATA;
            nb_samples++;
            buf_size -= ch;
        }
@@ -1525,6 +1531,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,

    *got_frame_ptr = 1;

+    if (avpkt->size < bytestream2_tell(&gb)) {
+        av_log(avctx, AV_LOG_ERROR, "Overread of %d < %d\n", avpkt->size, bytestream2_tell(&gb));
+        return avpkt->size;
+    }
+
    return bytestream2_tell(&gb);
 }

@@ -311,6 +311,12 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,
        int lpc_quant[2];
        int rice_history_mult[2];

+        if (!alac->rice_limit) {
+            avpriv_request_sample(alac->avctx,
+                                  "Compression with rice limit 0");
+            return AVERROR(ENOSYS);
+        }
+
        decorr_shift       = get_bits(&alac->gb, 8);
        decorr_left_weight = get_bits(&alac->gb, 8);

@@ -355,11 +355,15 @@ static av_cold int read_specific_config(ALSDecContext *ctx)

        ctx->cs_switch = 1;

+        for (i = 0; i < avctx->channels; i++) {
+            sconf->chan_pos[i] = -1;
+        }
+
        for (i = 0; i < avctx->channels; i++) {
            int idx;

            idx = get_bits(&gb, chan_pos_bits);
-            if (idx >= avctx->channels) {
+            if (idx >= avctx->channels || sconf->chan_pos[idx] != -1) {
                av_log(avctx, AV_LOG_WARNING, "Invalid channel reordering.\n");
                ctx->cs_switch = 0;
                break;
@@ -676,7 +680,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)


    if (!sconf->rlslms) {
-        if (sconf->adapt_order) {
+        if (sconf->adapt_order && sconf->max_order) {
            int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1,
                                                2, sconf->max_order + 1));
            *bd->opt_order       = get_bits(gb, opt_order_length);
@@ -1238,6 +1242,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
    ALSChannelData *ch = cd[c];
    unsigned int   dep = 0;
    unsigned int channels = ctx->avctx->channels;
+    unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order;

    if (reverted[c])
        return 0;
@@ -1268,9 +1273,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
    bd->raw_samples = ctx->raw_samples[c] + offset;

    for (dep = 0; !ch[dep].stop_flag; dep++) {
-        unsigned int smp;
-        unsigned int begin = 1;
-        unsigned int end   = bd->block_length - 1;
+        ptrdiff_t smp;
+        ptrdiff_t begin = 1;
+        ptrdiff_t end   = bd->block_length - 1;
        int64_t y;
        int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset;

@@ -1282,11 +1287,28 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,

            if (ch[dep].time_diff_sign) {
                t      = -t;
+                if (begin < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "begin %td smaller than time diff index %d.\n", begin, t);
+                    return AVERROR_INVALIDDATA;
+                }
                begin -= t;
            } else {
+                if (end < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "end %td smaller than time diff index %d.\n", end, t);
+                    return AVERROR_INVALIDDATA;
+                }
                end   -= t;
            }

+            if (FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer - master ||
+                FFMAX(end   + 1,   end + 1 + t) > ctx->raw_buffer + channels * channel_size - master) {
+                av_log(ctx->avctx, AV_LOG_ERROR,
+                       "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n",
+                       master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1,   end + 1 + t),
+                       ctx->raw_buffer, ctx->raw_buffer + channels * channel_size);
+                return AVERROR_INVALIDDATA;
+            }
+
            for (smp = begin; smp < end; smp++) {
                y  = (1 << 6) +
                     MUL64(ch[dep].weighting[0], master[smp - 1    ]) +
@@ -1299,6 +1321,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
                bd->raw_samples[smp] += y >> 7;
            }
        } else {
+
+            if (begin - 1 < ctx->raw_buffer - master ||
+                end   + 1 > ctx->raw_buffer + channels * channel_size - master) {
+                av_log(ctx->avctx, AV_LOG_ERROR,
+                       "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n",
+                       master + begin - 1, master + end + 1,
+                       ctx->raw_buffer, ctx->raw_buffer + channels * channel_size);
+                return AVERROR_INVALIDDATA;
+            }
+
            for (smp = begin; smp < end; smp++) {
                y  = (1 << 6) +
                     MUL64(ch[dep].weighting[0], master[smp - 1]) +
@@ -1456,6 +1488,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)

    // TODO: read_diff_float_data

+    if (get_bits_left(gb) < 0) {
+        av_log(ctx->avctx, AV_LOG_ERROR, "Overread %d\n", -get_bits_left(gb));
+        return AVERROR_INVALIDDATA;
+    }
+
    return 0;
 }

@@ -1660,6 +1697,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
        avctx->sample_fmt          = sconf->resolution > 1
                                     ? AV_SAMPLE_FMT_S32 : AV_SAMPLE_FMT_S16;
        avctx->bits_per_raw_sample = (sconf->resolution + 1) * 8;
+        if (avctx->bits_per_raw_sample > 32) {
+            av_log(avctx, AV_LOG_ERROR, "Bits per raw sample %d larger than 32.\n",
+                   avctx->bits_per_raw_sample);
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
    }

    // set maximum Rice parameter for progressive decoding based on resolution
@@ -1722,9 +1765,9 @@ static av_cold int decode_init(AVCodecContext *avctx)

    // allocate and assign channel data buffer for mcc mode
    if (sconf->mc_coding) {
-        ctx->chan_data_buffer  = av_malloc(sizeof(*ctx->chan_data_buffer) *
+        ctx->chan_data_buffer  = av_mallocz(sizeof(*ctx->chan_data_buffer) *
                                           num_buffers * num_buffers);
-        ctx->chan_data         = av_malloc(sizeof(*ctx->chan_data) *
+        ctx->chan_data         = av_mallocz(sizeof(*ctx->chan_data) *
                                           num_buffers);
        ctx->reverted_channels = av_malloc(sizeof(*ctx->reverted_channels) *
                                           num_buffers);
@@ -598,14 +598,14 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb,
    int ksummax, ksummin;

    rice->ksum = 0;
-    for (i = 0; i < 5; i++) {
+    for (i = 0; i < FFMIN(blockstodecode, 5); i++) {
        out[i] = get_rice_ook(&ctx->gb, 10);
        rice->ksum += out[i];
    }
    rice->k = av_log2(rice->ksum / 10) + 1;
    if (rice->k >= 24)
        return;
-    for (; i < 64; i++) {
+    for (; i < FFMIN(blockstodecode, 64); i++) {
        out[i] = get_rice_ook(&ctx->gb, rice->k);
        rice->ksum += out[i];
        rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1;
@@ -1472,13 +1472,13 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
            av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks);
            return AVERROR_INVALIDDATA;
        }
-        s->samples = nblocks;

        /* Initialize the frame decoder */
        if (init_frame_decoder(s) < 0) {
            av_log(avctx, AV_LOG_ERROR, "Error reading frame header\n");
            return AVERROR_INVALIDDATA;
        }
+        s->samples = nblocks;
    }

    if (!s->data) {
@@ -381,7 +381,7 @@ static int atrac3p_decode_frame(AVCodecContext *avctx, void *data,

    *got_frame_ptr = 1;

-    return avctx->block_align;
+    return FFMIN(avctx->block_align, avpkt->size);
 }

 AVCodec ff_atrac3p_decoder = {
@@ -599,8 +599,8 @@ void ff_atrac3p_ipqf(FFTContext *dct_ctx, Atrac3pIPQFChannelCtx *hist,
                     const float *in, float *out)
 {
    int i, s, sb, t, pos_now, pos_next;
-    DECLARE_ALIGNED(32, float, idct_in)[ATRAC3P_SUBBANDS];
-    DECLARE_ALIGNED(32, float, idct_out)[ATRAC3P_SUBBANDS];
+    LOCAL_ALIGNED(32, float, idct_in, [ATRAC3P_SUBBANDS]);
+    LOCAL_ALIGNED(32, float, idct_out, [ATRAC3P_SUBBANDS]);

    memset(out, 0, ATRAC3P_FRAME_SAMPLES * sizeof(*out));

@@ -69,6 +69,8 @@ void avpriv_copy_bits(PutBitContext *pb, const uint8_t *src, int length)
    if (length == 0)
        return;

+    av_assert0(length <= put_bits_left(pb));
+
    if (CONFIG_SMALL || words < 16 || put_bits_count(pb) & 7) {
        for (i = 0; i < words; i++)
            put_bits(pb, 16, AV_RB16(src + 2 * i));
@@ -570,6 +570,11 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
                return AVERROR_INVALIDDATA;
            }
            esc_code = get_ue_code(gb, esc_golomb_order);
+            if (esc_code < 0 || esc_code > 32767) {
+                av_log(h->avctx, AV_LOG_ERROR, "esc_code invalid\n");
+                return AVERROR_INVALIDDATA;
+            }
+
            level    = esc_code + (run > r->max_run ? 1 : r->level_add[run]);
            while (level > r->inc_limit)
                r++;
@@ -581,6 +581,14 @@ static int dca_parse_audio_coding_header(DCAContext *s, int base_channel,
    }

    nchans = get_bits(&s->gb, 3) + 1;
+    if (xxch && nchans >= 3) {
+        av_log(s->avctx, AV_LOG_ERROR, "nchans %d is too large\n", nchans);
+        return AVERROR_INVALIDDATA;
+    } else if (nchans + base_channel > DCA_PRIM_CHANNELS_MAX) {
+        av_log(s->avctx, AV_LOG_ERROR, "channel sum %d + %d is too large\n", nchans, base_channel);
+        return AVERROR_INVALIDDATA;
+    }
+
    s->total_channels = nchans + base_channel;
    s->prim_channels  = s->total_channels;

@@ -839,6 +847,10 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index)

    if (!base_channel) {
        s->subsubframes[s->current_subframe]    = get_bits(&s->gb, 2) + 1;
+        if (block_index + s->subsubframes[s->current_subframe] > s->sample_blocks/8) {
+            s->subsubframes[s->current_subframe] = 1;
+            return AVERROR_INVALIDDATA;
+        }
        s->partial_samples[s->current_subframe] = get_bits(&s->gb, 3);
    }

@@ -1800,8 +1812,13 @@ static int dca_xbr_parse_frame(DCAContext *s)
    for(i = 0; i < num_chsets; i++) {
        n_xbr_ch[i] = get_bits(&s->gb, 3) + 1;
        k = get_bits(&s->gb, 2) + 5;
-        for(j = 0; j < n_xbr_ch[i]; j++)
+        for(j = 0; j < n_xbr_ch[i]; j++) {
            active_bands[i][j] = get_bits(&s->gb, k) + 1;
+            if (active_bands[i][j] > DCA_SUBBANDS) {
+                av_log(s->avctx, AV_LOG_ERROR, "too many active subbands (%d)\n", active_bands[i][j]);
+                return AVERROR_INVALIDDATA;
+            }
+        }
    }

    /* skip to the end of the header */
@@ -1843,23 +1860,34 @@ static int dca_xbr_parse_frame(DCAContext *s)
                for(i = 0; i < n_xbr_ch[chset]; i++) {
                    const uint32_t *scale_table;
                    int nbits;
+                    int scale_table_size;

                    if (s->scalefactor_huffman[chan_base+i] == 6) {
                        scale_table = scale_factor_quant7;
+                        scale_table_size = FF_ARRAY_ELEMS(scale_factor_quant7);
                    } else {
                        scale_table = scale_factor_quant6;
+                        scale_table_size = FF_ARRAY_ELEMS(scale_factor_quant6);
                    }

                    nbits = anctemp[i];

                    for(j = 0; j < active_bands[chset][i]; j++) {
                        if(abits_high[i][j] > 0) {
-                            scale_table_high[i][j][0] =
-                                scale_table[get_bits(&s->gb, nbits)];
+                            int index = get_bits(&s->gb, nbits);
+                            if (index >= scale_table_size) {
+                                av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index);
+                                return AVERROR_INVALIDDATA;
+                            }
+                            scale_table_high[i][j][0] = scale_table[index];

                            if(xbr_tmode && s->transition_mode[i][j]) {
-                                scale_table_high[i][j][1] =
-                                    scale_table[get_bits(&s->gb, nbits)];
+                                int index = get_bits(&s->gb, nbits);
+                                if (index >= scale_table_size) {
+                                    av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index);
+                                    return AVERROR_INVALIDDATA;
+                                }
+                                scale_table_high[i][j][1] = scale_table[index];
                            }
                        }
                    }
@@ -797,7 +797,10 @@ static void decode_lowdelay(DiracContext *s)
            slice_num++;

            buf     += bytes;
-            bufsize -= bytes*8;
+            if (bufsize/8 >= bytes)
+                bufsize -= bytes*8;
+            else
+                bufsize = 0;
        }

    avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num,
@@ -894,6 +897,14 @@ static int dirac_unpack_prediction_parameters(DiracContext *s)
    /*[DIRAC_STD] 11.2.4 motion_data_dimensions()
      Calculated in function dirac_unpack_block_motion_data */

+    if (s->plane[0].xblen % (1 << s->chroma_x_shift) != 0 ||
+        s->plane[0].yblen % (1 << s->chroma_y_shift) != 0 ||
+        !s->plane[0].xblen || !s->plane[0].yblen) {
+        av_log(s->avctx, AV_LOG_ERROR,
+               "invalid x/y block length (%d/%d) for x/y chroma shift (%d/%d)\n",
+               s->plane[0].xblen, s->plane[0].yblen, s->chroma_x_shift, s->chroma_y_shift);
+        return AVERROR_INVALIDDATA;
+    }
    if (!s->plane[0].xbsep || !s->plane[0].ybsep || s->plane[0].xbsep < s->plane[0].xblen/2 || s->plane[0].ybsep < s->plane[0].yblen/2) {
        av_log(s->avctx, AV_LOG_ERROR, "Block separation too small\n");
        return -1;
@@ -1734,6 +1745,12 @@ static int dirac_decode_picture_header(DiracContext *s)
                    get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF);
                    break;
                }
+
+        if (!s->ref_pics[i]) {
+            av_log(s->avctx, AV_LOG_ERROR, "Reference could not be allocated\n");
+            return -1;
+        }
+
    }

    /* retire the reference frames that are not used anymore */
@@ -1929,8 +1946,8 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            break;

        data_unit_size = AV_RB32(buf+buf_idx+5);
-        if (buf_idx + data_unit_size > buf_size || !data_unit_size) {
-            if(buf_idx + data_unit_size > buf_size)
+        if (data_unit_size > buf_size - buf_idx || !data_unit_size) {
+            if(data_unit_size > buf_size - buf_idx)
            av_log(s->avctx, AV_LOG_ERROR,
                   "Data unit with size %d is larger than input buffer, discarding\n",
                   data_unit_size);
@@ -349,7 +349,7 @@ static int dnxhd_decode_macroblock(DNXHDContext *ctx, AVFrame *frame, int x, int
    dest_u = frame->data[1] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1 + ctx->is_444));
    dest_v = frame->data[2] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1 + ctx->is_444));

-    if (ctx->cur_field) {
+    if (frame->interlaced_frame && ctx->cur_field) {
        dest_y += frame->linesize[0];
        dest_u += frame->linesize[1];
        dest_v += frame->linesize[2];
@@ -103,7 +103,7 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs)
 av_cold int ffv1_init_slices_state(FFV1Context *f)
 {
    int i, ret;
-    for (i = 0; i < f->slice_count; i++) {
+    for (i = 0; i < f->max_slice_count; i++) {
        FFV1Context *fs = f->slice_context[i];
        if ((ret = ffv1_init_slice_state(f, fs)) < 0)
            return AVERROR(ENOMEM);
@@ -115,10 +115,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f)
 {
    int i;

-    f->slice_count = f->num_h_slices * f->num_v_slices;
-    av_assert0(f->slice_count > 0);
+    f->max_slice_count = f->num_h_slices * f->num_v_slices;
+    av_assert0(f->max_slice_count > 0);

-    for (i = 0; i < f->slice_count; i++) {
+    for (i = 0; i < f->max_slice_count; i++) {
        FFV1Context *fs = av_mallocz(sizeof(*fs));
        int sx          = i % f->num_h_slices;
        int sy          = i / f->num_h_slices;
@@ -203,7 +203,7 @@ av_cold int ffv1_close(AVCodecContext *avctx)
        ff_thread_release_buffer(avctx, &s->last_picture);
    av_frame_free(&s->last_picture.f);

-    for (j = 0; j < s->slice_count; j++) {
+    for (j = 0; j < s->max_slice_count; j++) {
        FFV1Context *fs = s->slice_context[j];
        for (i = 0; i < s->plane_count; i++) {
            PlaneContext *p = &fs->plane[i];
@@ -217,14 +217,14 @@ av_cold int ffv1_close(AVCodecContext *avctx)
    av_freep(&avctx->stats_out);
    for (j = 0; j < s->quant_table_count; j++) {
        av_freep(&s->initial_states[j]);
-        for (i = 0; i < s->slice_count; i++) {
+        for (i = 0; i < s->max_slice_count; i++) {
            FFV1Context *sf = s->slice_context[i];
            av_freep(&sf->rc_stat2[j]);
        }
        av_freep(&s->rc_stat2[j]);
    }

-    for (i = 0; i < s->slice_count; i++)
+    for (i = 0; i < s->max_slice_count; i++)
        av_freep(&s->slice_context[i]);

    return 0;
@@ -122,6 +122,7 @@ typedef struct FFV1Context {

    struct FFV1Context *slice_context[MAX_SLICES];
    int slice_count;
+    int max_slice_count;
    int num_v_slices;
    int num_h_slices;
    int slice_width;
@@ -536,6 +536,12 @@ static int read_extra_header(FFV1Context *f)
    f->num_h_slices               = 1 + get_symbol(c, state, 0);
    f->num_v_slices               = 1 + get_symbol(c, state, 0);

+    if (f->chroma_h_shift > 4U || f->chroma_v_shift > 4U) {
+        av_log(f->avctx, AV_LOG_ERROR, "chroma shift parameters %d %d are invalid\n",
+               f->chroma_h_shift, f->chroma_v_shift);
+        return AVERROR_INVALIDDATA;
+    }
+
    if (f->num_h_slices > (unsigned)f->width  || !f->num_h_slices ||
        f->num_v_slices > (unsigned)f->height || !f->num_v_slices
       ) {
@@ -544,8 +550,11 @@ static int read_extra_header(FFV1Context *f)
    }

    f->quant_table_count = get_symbol(c, state, 0);
-    if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES)
+    if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) {
+        av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count);
+        f->quant_table_count = 0;
        return AVERROR_INVALIDDATA;
+    }

    for (i = 0; i < f->quant_table_count; i++) {
        f->context_count[i] = read_quant_tables(c, f->quant_tables[i]);
@@ -641,6 +650,12 @@ static int read_header(FFV1Context *f)
            }
        }

+        if (chroma_h_shift > 4U || chroma_v_shift > 4U) {
+            av_log(f->avctx, AV_LOG_ERROR, "chroma shift parameters %d %d are invalid\n",
+                   chroma_h_shift, chroma_v_shift);
+            return AVERROR_INVALIDDATA;
+        }
+
        f->colorspace                 = colorspace;
        f->avctx->bits_per_raw_sample = bits_per_raw_sample;
        f->chroma_planes              = chroma_planes;
@@ -748,6 +763,7 @@ static int read_header(FFV1Context *f)
            av_log(f->avctx, AV_LOG_ERROR, "read_quant_table error\n");
            return AVERROR_INVALIDDATA;
        }
+        f->slice_count = f->max_slice_count;
    } else if (f->version < 3) {
        f->slice_count = get_symbol(c, state, 0);
    } else {
@@ -762,8 +778,8 @@ static int read_header(FFV1Context *f)
            p -= size + trailer;
        }
    }
-    if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0) {
-        av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid\n", f->slice_count);
+    if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0 || f->slice_count > f->max_slice_count) {
+        av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid (max=%d)\n", f->slice_count, f->max_slice_count);
        return AVERROR_INVALIDDATA;
    }

@@ -986,6 +1002,7 @@ static int init_thread_copy(AVCodecContext *avctx)
    f->picture.f      = NULL;
    f->last_picture.f = NULL;
    f->sample_buffer  = NULL;
+    f->max_slice_count = 0;
    f->slice_count = 0;

    for (i = 0; i < f->quant_table_count; i++) {
@@ -1056,7 +1073,7 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src)
        av_assert0(!fdst->sample_buffer);
    }

-    av_assert1(fdst->slice_count == fsrc->slice_count);
+    av_assert1(fdst->max_slice_count == fsrc->max_slice_count);


    ff_thread_release_buffer(dst, &fdst->picture);
@@ -955,6 +955,7 @@ slices_ok:

    if ((ret = ffv1_init_slice_contexts(s)) < 0)
        return ret;
+    s->slice_count = s->max_slice_count;
    if ((ret = ffv1_init_slices_state(s)) < 0)
        return ret;

@@ -964,7 +965,7 @@ slices_ok:
        if (!avctx->stats_out)
            return AVERROR(ENOMEM);
        for (i = 0; i < s->quant_table_count; i++)
-            for (j = 0; j < s->slice_count; j++) {
+            for (j = 0; j < s->max_slice_count; j++) {
                FFV1Context *sf = s->slice_context[j];
                av_assert0(!sf->rc_stat2[i]);
                sf->rc_stat2[i] = av_mallocz(s->context_count[i] *
@@ -1188,6 +1189,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
            for (i = 0; i < f->quant_table_count; i++)
                memset(f->rc_stat2[i], 0, f->context_count[i] * sizeof(*f->rc_stat2[i]));

+            av_assert0(f->slice_count == f->max_slice_count);
            for (j = 0; j < f->slice_count; j++) {
                FFV1Context *fs = f->slice_context[j];
                for (i = 0; i < 256; i++) {
@@ -346,8 +346,16 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit,

        if (i < limit - 1) {
            if (k) {
-                buf = SHOW_UBITS(re, gb, k);
-                LAST_SKIP_BITS(re, gb, k);
+                if (k > MIN_CACHE_BITS - 1) {
+                    buf = SHOW_UBITS(re, gb, 16) << (k-16);
+                    LAST_SKIP_BITS(re, gb, 16);
+                    UPDATE_CACHE(re, gb);
+                    buf |= SHOW_UBITS(re, gb, k-16);
+                    LAST_SKIP_BITS(re, gb, k-16);
+                } else {
+                    buf = SHOW_UBITS(re, gb, k);
+                    LAST_SKIP_BITS(re, gb, k);
+                }
            } else {
                buf = 0;
            }
@@ -3351,7 +3351,7 @@ static int h264_slice_header_init(H264Context *h, int reinit)
    ret = ff_h264_alloc_tables(h);
    if (ret < 0) {
        av_log(h->avctx, AV_LOG_ERROR, "Could not allocate memory\n");
-        return ret;
+        goto fail;
    }

    if (nb_slices > MAX_THREADS || (nb_slices > h->mb_height && h->mb_height)) {
@@ -3370,14 +3370,16 @@ static int h264_slice_header_init(H264Context *h, int reinit)
        ret = context_init(h);
        if (ret < 0) {
            av_log(h->avctx, AV_LOG_ERROR, "context_init() failed.\n");
-            return ret;
+            goto fail;
        }
    } else {
        for (i = 1; i < h->slice_context_count; i++) {
            H264Context *c;
            c                    = h->thread_context[i] = av_mallocz(sizeof(H264Context));
-            if (!c)
-                return AVERROR(ENOMEM);
+            if (!c) {
+                ret = AVERROR(ENOMEM);
+                goto fail;
+            }
            c->avctx             = h->avctx;
            if (CONFIG_ERROR_RESILIENCE) {
                c->dsp               = h->dsp;
@@ -3416,13 +3418,17 @@ static int h264_slice_header_init(H264Context *h, int reinit)
        for (i = 0; i < h->slice_context_count; i++)
            if ((ret = context_init(h->thread_context[i])) < 0) {
                av_log(h->avctx, AV_LOG_ERROR, "context_init() failed.\n");
-                return ret;
+                goto fail;
            }
    }

    h->context_initialized = 1;

    return 0;
+fail:
+    free_tables(h, 0);
+    h->context_initialized = 0;
+    return ret;
 }

 int ff_set_ref_count(H264Context *h)
@@ -3512,6 +3518,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
    int field_pic_flag, bottom_field_flag;
    int first_slice = h == h0 && !h0->current_slice;
    int frame_num, picture_structure, droppable;
+    int mb_aff_frame, last_mb_aff_frame;
    PPS *pps;

    h->me.qpel_put = h->h264qpel.put_h264_qpel_pixels_tab;
@@ -3669,6 +3676,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
         h->height != h->avctx->coded_height  ||
         must_reinit ||
         needs_reinit)) {
+        h->context_initialized = 0;
        if (h != h0) {
            av_log(h->avctx, AV_LOG_ERROR,
                   "changing width %d -> %d / height %d -> %d on "
@@ -3727,7 +3735,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
    }

    h->mb_mbaff        = 0;
-    h->mb_aff_frame    = 0;
+    mb_aff_frame       = 0;
+    last_mb_aff_frame  = h0->mb_aff_frame;
    last_pic_structure = h0->picture_structure;
    last_pic_droppable = h0->droppable;
    droppable          = h->nal_ref_idc == 0;
@@ -3745,12 +3754,13 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
            picture_structure = PICT_TOP_FIELD + bottom_field_flag;
        } else {
            picture_structure = PICT_FRAME;
-            h->mb_aff_frame      = h->sps.mb_aff;
+            mb_aff_frame      = h->sps.mb_aff;
        }
    }
    if (h0->current_slice) {
        if (last_pic_structure != picture_structure ||
-            last_pic_droppable != droppable) {
+            last_pic_droppable != droppable ||
+            last_mb_aff_frame  != mb_aff_frame) {
            av_log(h->avctx, AV_LOG_ERROR,
                   "Changing field mode (%d -> %d) between slices is not allowed\n",
                   last_pic_structure, h->picture_structure);
@@ -3766,6 +3776,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
    h->picture_structure = picture_structure;
    h->droppable         = droppable;
    h->frame_num         = frame_num;
+    h->mb_aff_frame      = mb_aff_frame;
    h->mb_field_decoding_flag = picture_structure != PICT_FRAME;

    if (h0->current_slice == 0) {
@@ -4635,8 +4646,17 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg)

        for (;;) {
            // START_TIMER
-            int ret = ff_h264_decode_mb_cabac(h);
-            int eos;
+            int ret, eos;
+
+            if (h->mb_x + h->mb_y * h->mb_width >= h->mb_index_end) {
+                av_log(h->avctx, AV_LOG_ERROR, "Slice overlaps next at %d\n",
+                       h->mb_index_end);
+                er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x,
+                             h->mb_y, ER_MB_ERROR);
+                return AVERROR_INVALIDDATA;
+            }
+
+            ret = ff_h264_decode_mb_cabac(h);
            // STOP_TIMER("decode_mb_cabac")

            if (ret >= 0)
@@ -4698,7 +4718,17 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg)
        }
    } else {
        for (;;) {
-            int ret = ff_h264_decode_mb_cavlc(h);
+            int ret;
+
+            if (h->mb_x + h->mb_y * h->mb_width >= h->mb_index_end) {
+                av_log(h->avctx, AV_LOG_ERROR, "Slice overlaps next at %d\n",
+                       h->mb_index_end);
+                er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x,
+                             h->mb_y, ER_MB_ERROR);
+                return AVERROR_INVALIDDATA;
+            }
+
+            ret = ff_h264_decode_mb_cavlc(h);

            if (ret >= 0)
                ff_h264_hl_decode_mb(h);
@@ -4789,19 +4819,33 @@ static int execute_decode_slices(H264Context *h, unsigned context_count)

    av_assert0(h->mb_y < h->mb_height);

+    h->mb_index_end = INT_MAX;
+
    if (h->avctx->hwaccel ||
        h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU)
        return 0;
    if (context_count == 1) {
        return decode_slice(avctx, &h);
    } else {
+        int j, mb_index;
        av_assert0(context_count > 0);
-        for (i = 1; i < context_count; i++) {
+        for (i = 0; i < context_count; i++) {
+            int mb_index_end = h->mb_width * h->mb_height;
            hx                 = h->thread_context[i];
-            if (CONFIG_ERROR_RESILIENCE) {
+            mb_index = hx->resync_mb_x + hx->resync_mb_y * h->mb_width;
+            if (CONFIG_ERROR_RESILIENCE && i) {
                hx->er.error_count = 0;
            }
            hx->x264_build     = h->x264_build;
+            for (j = 0; j < context_count; j++) {
+                H264Context *sl2 = h->thread_context[j];
+                int mb_index2 = sl2->resync_mb_x + sl2->resync_mb_y * h->mb_width;
+
+                if (i==j || mb_index > mb_index2)
+                    continue;
+                mb_index_end = FFMIN(mb_index_end, mb_index2);
+            }
+            hx->mb_index_end = mb_index_end;
        }

        avctx->execute(avctx, decode_slice, h->thread_context,
@@ -4974,9 +5018,6 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size,
                continue;

 again:
-            if (   (!(avctx->active_thread_type & FF_THREAD_FRAME) || nals_needed >= nal_index)
-                && !h->current_slice)
-                h->au_pps_id = -1;
            /* Ignore per frame NAL unit type during extradata
             * parsing. Decoding slices is not possible in codec init
             * with frame-mt */
@@ -5006,8 +5047,14 @@ again:
                    ret = -1;
                    goto end;
                }
-                if(!idr_cleared)
+                if(!idr_cleared) {
+                    if (h->current_slice && (avctx->active_thread_type & FF_THREAD_SLICE)) {
+                        av_log(h, AV_LOG_ERROR, "invalid mixed IDR / non IDR frames cannot be decoded in slice multithreading mode\n");
+                        ret = AVERROR_INVALIDDATA;
+                        goto end;
+                    }
                    idr(h); // FIXME ensure we don't lose some frames if there is reordering
+                }
                idr_cleared = 1;
                h->has_recovery_point = 1;
            case NAL_SLICE:
@@ -5016,6 +5063,10 @@ again:
                hx->inter_gb_ptr      = &hx->gb;
                hx->data_partitioning = 0;

+                if (   nals_needed >= nal_index
+                    || (!(avctx->active_thread_type & FF_THREAD_FRAME) && !context_count))
+                    h->au_pps_id = -1;
+
                if ((err = decode_slice_header(hx, h)))
                    break;

@@ -5180,8 +5231,14 @@ again:

            if (err < 0) {
                av_log(h->avctx, AV_LOG_ERROR, "decode_slice_header error\n");
-                h->ref_count[0] = h->ref_count[1] = h->list_count = 0;
+                hx->ref_count[0] = hx->ref_count[1] = hx->list_count = 0;
            } else if (err == 1) {
+                if (context_count > 1) {
+                    ret = execute_decode_slices(h, context_count - 1);
+                    if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE))
+                        goto end;
+                    context_count = 0;
+                }
                /* Slice could not be decoded in parallel mode, copy down
                 * NAL unit stuff to context 0 and restart. Note that
                 * rbsp_buffer is not transferred, but since we no longer
@@ -488,6 +488,7 @@ typedef struct H264Context {
    int mb_x, mb_y;
    int resync_mb_x;
    int resync_mb_y;
+    int mb_index_end;
    int mb_skip_run;
    int mb_height, mb_width;
    int mb_stride;
@@ -173,7 +173,7 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
        buf      += ctx->length_size;
        unit_type = *buf & 0x1f;

-        if (buf + nal_size > buf_end || nal_size < 0)
+        if (nal_size > buf_end - buf || nal_size < 0)
            goto fail;

        if (ctx->first_idr && (unit_type == 7 || unit_type == 8))
@@ -703,7 +703,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count)
         */
        if (h->short_ref_count && h->short_ref[0] == h->cur_pic_ptr) {
            /* Just mark the second field valid */
-            h->cur_pic_ptr->reference = PICT_FRAME;
+            h->cur_pic_ptr->reference |= h->picture_structure;
        } else if (h->cur_pic_ptr->long_ref) {
            av_log(h->avctx, AV_LOG_ERROR, "illegal short term reference "
                                           "assignment for second field "
@@ -644,11 +644,25 @@ static int hls_slice_header(HEVCContext *s)

    sh->num_entry_point_offsets = 0;
    if (s->pps->tiles_enabled_flag || s->pps->entropy_coding_sync_enabled_flag) {
-        sh->num_entry_point_offsets = get_ue_golomb_long(gb);
+        unsigned num_entry_point_offsets = get_ue_golomb_long(gb);
+        // It would be possible to bound this tighter but this here is simpler
+        if (num_entry_point_offsets > get_bits_left(gb)) {
+            av_log(s->avctx, AV_LOG_ERROR, "num_entry_point_offsets %d is invalid\n", num_entry_point_offsets);
+            return AVERROR_INVALIDDATA;
+        }
+
+        sh->num_entry_point_offsets = num_entry_point_offsets;
        if (sh->num_entry_point_offsets > 0) {
            int offset_len = get_ue_golomb_long(gb) + 1;
            int segments = offset_len >> 4;
            int rest = (offset_len & 15);
+
+            if (offset_len < 1 || offset_len > 32) {
+                sh->num_entry_point_offsets = 0;
+                av_log(s->avctx, AV_LOG_ERROR, "offset_len %d is invalid\n", offset_len);
+                return AVERROR_INVALIDDATA;
+            }
+
            av_freep(&sh->entry_point_offset);
            av_freep(&sh->offset);
            av_freep(&sh->size);
@@ -2024,6 +2038,8 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int

        if (more_data < 0) {
            s->tab_slice_address[ctb_addr_rs] = -1;
+            avpriv_atomic_int_set(&s1->wpp_err,  1);
+            ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP);
            return more_data;
        }

@@ -2627,7 +2643,6 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length)

    /* parse the NAL units */
    for (i = 0; i < s->nb_nals; i++) {
-        int ret;
        s->skipped_bytes = s->skipped_bytes_nal[i];
        s->skipped_bytes_pos = s->skipped_bytes_pos_nal[i];

@@ -283,10 +283,10 @@ typedef struct RefPicListTab {
 } RefPicListTab;

 typedef struct HEVCWindow {
-    int left_offset;
-    int right_offset;
-    int top_offset;
-    int bottom_offset;
+    unsigned int left_offset;
+    unsigned int right_offset;
+    unsigned int top_offset;
+    unsigned int bottom_offset;
 } HEVCWindow;

 typedef struct VUI {
@@ -396,6 +396,11 @@ int ff_hevc_decode_nal_vps(HEVCContext *s)
        if (vps->vps_poc_proportional_to_timing_flag)
            vps->vps_num_ticks_poc_diff_one = get_ue_golomb_long(gb) + 1;
        vps->vps_num_hrd_parameters = get_ue_golomb_long(gb);
+        if (vps->vps_num_hrd_parameters > (unsigned)vps->vps_num_layer_sets) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "vps_num_hrd_parameters %d is invalid\n", vps->vps_num_hrd_parameters);
+            goto err;
+        }
        for (i = 0; i < vps->vps_num_hrd_parameters; i++) {
            int common_inf_present = 1;

@@ -898,7 +903,8 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
                         (sps->output_window.left_offset + sps->output_window.right_offset);
    sps->output_height = sps->height -
                         (sps->output_window.top_offset + sps->output_window.bottom_offset);
-    if (sps->output_width <= 0 || sps->output_height <= 0) {
+    if (sps->width  <= sps->output_window.left_offset + (int64_t)sps->output_window.right_offset  ||
+        sps->height <= sps->output_window.top_offset  + (int64_t)sps->output_window.bottom_offset) {
        av_log(s->avctx, AV_LOG_WARNING, "Invalid visible frame dimensions: %dx%d.\n",
               sps->output_width, sps->output_height);
        if (s->avctx->err_recognition & AV_EF_EXPLODE) {
@@ -907,10 +913,8 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
        }
        av_log(s->avctx, AV_LOG_WARNING,
               "Displaying the whole video surface.\n");
-        sps->pic_conf_win.left_offset   =
-        sps->pic_conf_win.right_offset  =
-        sps->pic_conf_win.top_offset    =
-        sps->pic_conf_win.bottom_offset = 0;
+        memset(&sps->pic_conf_win, 0, sizeof(sps->pic_conf_win));
+        memset(&sps->output_window, 0, sizeof(sps->output_window));
        sps->output_width               = sps->width;
        sps->output_height              = sps->height;
    }
@@ -1125,14 +1129,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s)
    if (pps->tiles_enabled_flag) {
        pps->num_tile_columns = get_ue_golomb_long(gb) + 1;
        pps->num_tile_rows    = get_ue_golomb_long(gb) + 1;
-        if (pps->num_tile_columns == 0 ||
+        if (pps->num_tile_columns <= 0 ||
            pps->num_tile_columns >= sps->width) {
            av_log(s->avctx, AV_LOG_ERROR, "num_tile_columns_minus1 out of range: %d\n",
                   pps->num_tile_columns - 1);
            ret = AVERROR_INVALIDDATA;
            goto err;
        }
-        if (pps->num_tile_rows == 0 ||
+        if (pps->num_tile_rows <= 0 ||
            pps->num_tile_rows >= sps->height) {
            av_log(s->avctx, AV_LOG_ERROR, "num_tile_rows_minus1 out of range: %d\n",
                   pps->num_tile_rows - 1);
@@ -111,6 +111,11 @@ static int active_parameter_sets(HEVCContext *s)
    get_bits(gb, 1); // num_sps_ids_minus1
    num_sps_ids_minus1 = get_ue_golomb_long(gb); // num_sps_ids_minus1

+    if (num_sps_ids_minus1 < 0 || num_sps_ids_minus1 > 15) {
+        av_log(s->avctx, AV_LOG_ERROR, "num_sps_ids_minus1 %d invalid\n", num_sps_ids_minus1);
+        return AVERROR_INVALIDDATA;
+    }
+
    active_seq_parameter_set_id = get_ue_golomb_long(gb);
    if (active_seq_parameter_set_id >= MAX_SPS_COUNT) {
        av_log(s->avctx, AV_LOG_ERROR, "active_parameter_set_id %d invalid\n", active_seq_parameter_set_id);
@@ -1159,11 +1159,16 @@ static void mct_decode(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile)
    int32_t *src[3],  i0,  i1,  i2;
    float   *srcf[3], i0f, i1f, i2f;

-    for (i = 1; i < 3; i++)
+    for (i = 1; i < 3; i++) {
        if (tile->codsty[0].transform != tile->codsty[i].transform) {
            av_log(s->avctx, AV_LOG_ERROR, "Transforms mismatch, MCT not supported\n");
            return;
        }
+        if (memcmp(tile->comp[0].coord, tile->comp[i].coord, sizeof(tile->comp[0].coord))) {
+            av_log(s->avctx, AV_LOG_ERROR, "Coords mismatch, MCT not supported\n");
+            return;
+        }
+    }

    for (i = 0; i < 3; i++)
        if (tile->codsty[0].transform == FF_DWT97)
@@ -1602,7 +1607,7 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s)
                        int cn   = bytestream2_get_be16(&s->g);
                        int av_unused typ  = bytestream2_get_be16(&s->g);
                        int asoc = bytestream2_get_be16(&s->g);
-                        if (cn < 4 || asoc < 4)
+                        if (cn < 4 && asoc < 4)
                            s->cdef[cn] = asoc;
                    }
                }
@@ -164,6 +164,9 @@ static opj_image_t *mj2_create_image(AVCodecContext *avctx, opj_cparameters_t *p

    img = opj_image_create(numcomps, cmptparm, color_space);

+    if (!img)
+        return NULL;
+
    // x0, y0 is the top left corner of the image
    // x1, y1 is the width, height of the reference grid
    img->x0 = 0;
@@ -108,6 +108,8 @@ static int get_stats(AVCodecContext *avctx, int eos)
        // libtheora generates a summary header at the end
        memcpy(h->stats, buf, bytes);
        avctx->stats_out = av_malloc(b64_size);
+        if (!avctx->stats_out)
+            return AVERROR(ENOMEM);
        av_base64_encode(avctx->stats_out, b64_size, h->stats, h->stats_offset);
    }
    return 0;
@@ -362,7 +362,7 @@ static av_cold int vpx_init(AVCodecContext *avctx,
    if (enccfg.g_pass == VPX_RC_FIRST_PASS)
        enccfg.g_lag_in_frames = 0;
    else if (enccfg.g_pass == VPX_RC_LAST_PASS) {
-        int decode_size;
+        int decode_size, ret;

        if (!avctx->stats_in) {
            av_log(avctx, AV_LOG_ERROR, "No stats file for second pass\n");
@@ -370,12 +370,12 @@ static av_cold int vpx_init(AVCodecContext *avctx,
        }

        ctx->twopass_stats.sz  = strlen(avctx->stats_in) * 3 / 4;
-        ctx->twopass_stats.buf = av_malloc(ctx->twopass_stats.sz);
-        if (!ctx->twopass_stats.buf) {
+        ret = av_reallocp(&ctx->twopass_stats.buf, ctx->twopass_stats.sz);
+        if (ret < 0) {
            av_log(avctx, AV_LOG_ERROR,
                   "Stat buffer alloc (%zu bytes) failed\n",
                   ctx->twopass_stats.sz);
-            return AVERROR(ENOMEM);
+            return ret;
        }
        decode_size = av_base64_decode(ctx->twopass_stats.buf, avctx->stats_in,
                                       ctx->twopass_stats.sz);
@@ -177,7 +177,7 @@ int ff_mjpeg_decode_dqt(MJpegDecodeContext *s)
                                 s->quant_matrixes[index][s->scantable.permutated[8]]) >> 1;
        av_log(s->avctx, AV_LOG_DEBUG, "qscale[%d]: %d\n",
               index, s->qscale[index]);
-        len -= 65;
+        len -= 1 + 64 * (1+pr);
    }
    return 0;
 }
@@ -168,7 +168,10 @@ static void jpeg_put_comments(AVCodecContext *avctx, PutBitContext *p)
        put_marker(p, APP0);
        put_bits(p, 16, 16);
        avpriv_put_string(p, "JFIF", 1); /* this puts the trailing zero-byte too */
-        put_bits(p, 16, 0x0102);         /* v 1.02 */
+        /* The most significant byte is used for major revisions, the least
+         * significant byte for minor revisions. Version 1.02 is the current
+         * released revision. */
+        put_bits(p, 16, 0x0102);
        put_bits(p,  8, 0);              /* units type: 0 - aspect ratio */
        put_bits(p, 16, avctx->sample_aspect_ratio.num);
        put_bits(p, 16, avctx->sample_aspect_ratio.den);
@@ -101,7 +101,7 @@ enum AudioObjectType {
    AOT_USAC,                  ///< N                       Unified Speech and Audio Coding
 };

-#define MAX_PCE_SIZE 304 ///<Maximum size of a PCE including the 3-bit ID_PCE
+#define MAX_PCE_SIZE 320 ///<Maximum size of a PCE including the 3-bit ID_PCE
                         ///<marker and the comment

 int avpriv_copy_pce_data(PutBitContext *pb, GetBitContext *gb);
@@ -186,14 +186,14 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        int x = 0, y = 0;

        length = get_vlc2(gb, sprite_trajectory.table, SPRITE_TRAJ_VLC_BITS, 3);
-        if (length)
+        if (length > 0)
            x = get_xbits(gb, length);

        if (!(ctx->divx_version == 500 && ctx->divx_build == 413))
            skip_bits1(gb);     /* marker bit */

        length = get_vlc2(gb, sprite_trajectory.table, SPRITE_TRAJ_VLC_BITS, 3);
-        if (length)
+        if (length > 0)
            y = get_xbits(gb, length);

        skip_bits1(gb);         /* marker bit */
@@ -1642,9 +1642,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr,
    uint32_t header;
    int ret;

+    int skipped = 0;
    while(buf_size && !*buf){
        buf++;
        buf_size--;
+        skipped++;
    }

    if (buf_size < HEADER_SIZE)
@@ -1699,7 +1701,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr,
            return ret;
    }
    s->frame_size = 0;
-    return buf_size;
+    return buf_size + skipped;
 }

 static void mp_flush(MPADecodeContext *ctx)
@@ -3610,6 +3610,8 @@ static int encode_picture(MpegEncContext *s, int picture_number)
    }
    s->avctx->execute(s->avctx, encode_thread, &s->thread_context[0], NULL, context_count, sizeof(void*));
    for(i=1; i<context_count; i++){
+        if (s->pb.buf_end == s->thread_context[i]->pb.buf)
+            set_put_bits_buffer_size(&s->pb, FFMIN(s->thread_context[i]->pb.buf_end - s->pb.buf, INT_MAX/8-32));
        merge_context_after_encode(s, s->thread_context[i]);
    }
    emms_c();
@@ -36,17 +36,15 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
    unsigned char rle_code;
    unsigned char extra_byte, odd_pixel;
    unsigned char stream_byte;
-    unsigned int pixel_ptr = 0;
-    int row_dec = pic->linesize[0];
-    int row_ptr = (avctx->height - 1) * row_dec;
-    int frame_size = row_dec * avctx->height;
+    int pixel_ptr = 0;
+    int line = avctx->height - 1;
    int i;

-    while (row_ptr >= 0) {
+    while (line >= 0 && pixel_ptr <= avctx->width) {
        if (bytestream2_get_bytes_left(gb) <= 0) {
            av_log(avctx, AV_LOG_ERROR,
-                   "MS RLE: bytestream overrun, %d rows left\n",
-                   row_ptr);
+                   "MS RLE: bytestream overrun, %dx%d left\n",
+                   avctx->width - pixel_ptr, line);
            return AVERROR_INVALIDDATA;
        }
        rle_code = stream_byte = bytestream2_get_byteu(gb);
@@ -55,7 +53,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
            stream_byte = bytestream2_get_byte(gb);
            if (stream_byte == 0) {
                /* line is done, goto the next one */
-                row_ptr -= row_dec;
+                line--;
                pixel_ptr = 0;
            } else if (stream_byte == 1) {
                /* decode is done */
@@ -65,13 +63,12 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
                stream_byte = bytestream2_get_byte(gb);
                pixel_ptr += stream_byte;
                stream_byte = bytestream2_get_byte(gb);
-                row_ptr -= stream_byte * row_dec;
            } else {
                // copy pixels from encoded stream
                odd_pixel =  stream_byte & 1;
                rle_code = (stream_byte + 1) / 2;
                extra_byte = rle_code & 0x01;
-                if (row_ptr + pixel_ptr + stream_byte > frame_size ||
+                if (pixel_ptr + 2*rle_code - odd_pixel > avctx->width ||
                    bytestream2_get_bytes_left(gb) < rle_code) {
                    av_log(avctx, AV_LOG_ERROR,
                           "MS RLE: frame/stream ptr just went out of bounds (copy)\n");
@@ -82,13 +79,13 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
                    if (pixel_ptr >= avctx->width)
                        break;
                    stream_byte = bytestream2_get_byteu(gb);
-                    pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4;
+                    pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4;
                    pixel_ptr++;
                    if (i + 1 == rle_code && odd_pixel)
                        break;
                    if (pixel_ptr >= avctx->width)
                        break;
-                    pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F;
+                    pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F;
                    pixel_ptr++;
                }

@@ -98,7 +95,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
            }
        } else {
            // decode a run of data
-            if (row_ptr + pixel_ptr + stream_byte > frame_size) {
+            if (pixel_ptr + rle_code > avctx->width + 1) {
                av_log(avctx, AV_LOG_ERROR,
                       "MS RLE: frame ptr just went out of bounds (run)\n");
                return AVERROR_INVALIDDATA;
@@ -108,9 +105,9 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
                if (pixel_ptr >= avctx->width)
                    break;
                if ((i & 1) == 0)
-                    pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4;
+                    pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4;
                else
-                    pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F;
+                    pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F;
                pixel_ptr++;
            }
        }
@@ -900,6 +900,7 @@ static av_cold int png_dec_init(AVCodecContext *avctx)
 {
    PNGDecContext *s = avctx->priv_data;

+    avctx->color_range = AVCOL_RANGE_JPEG;
    s->avctx = avctx;
    s->last_picture.f = av_frame_alloc();
    s->picture.f = av_frame_alloc();
@@ -182,6 +182,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons

    if (ctx->slice_count != slice_count || !ctx->slices) {
        av_freep(&ctx->slices);
+        ctx->slice_count = 0;
        ctx->slices = av_mallocz(slice_count * sizeof(*ctx->slices));
        if (!ctx->slices)
            return AVERROR(ENOMEM);
@@ -217,6 +217,7 @@ static inline void skip_put_bytes(PutBitContext *s, int n)
 {
    av_assert2((put_bits_count(s) & 7) == 0);
    av_assert2(s->bit_left == 32);
+    av_assert0(n <= s->buf_end - s->buf_ptr);
    s->buf_ptr += n;
 }

@@ -240,6 +241,7 @@ static inline void skip_put_bits(PutBitContext *s, int n)
 static inline void set_put_bits_buffer_size(PutBitContext *s, int size)
 {
    s->buf_end = s->buf + size;
+    s->size_in_bits = 8*size;
 }

 #endif /* AVCODEC_PUT_BITS_H */
@@ -129,8 +129,7 @@ static int allocate_buffers(ShortenContext *s)
            av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
            return AVERROR_INVALIDDATA;
        }
-        if (s->blocksize + s->nwrap >= UINT_MAX / sizeof(int32_t) ||
-            s->blocksize + s->nwrap <= (unsigned)s->nwrap) {
+        if (s->blocksize + (uint64_t)s->nwrap >= UINT_MAX / sizeof(int32_t)) {
            av_log(s->avctx, AV_LOG_ERROR,
                   "s->blocksize + s->nwrap too large\n");
            return AVERROR_INVALIDDATA;
@@ -278,7 +277,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
    if (command == FN_QLPC) {
        /* read/validate prediction order */
        pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE);
-        if (pred_order > s->nwrap) {
+        if ((unsigned)pred_order > s->nwrap) {
            av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n",
                   pred_order);
            return AVERROR(EINVAL);
@@ -370,6 +369,11 @@ static int read_header(ShortenContext *s)
        s->nmean = get_uint(s, 0);

        skip_bytes = get_uint(s, NSKIPSIZE);
+        if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) {
+            av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes);
+            return AVERROR_INVALIDDATA;
+        }
+
        for (i = 0; i < skip_bytes; i++)
            skip_bits(&s->gb, 8);
    }
@@ -137,6 +137,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz
    if (!cur_frame) {
        av_frame_unref(mjpeg_data);
        ret = avcodec_decode_video2(s->avctx, mjpeg_data, &s->mjpeg_data_size, avpkt);
+        if (ret < 0) {
+            s->mjpeg_data_size = 0;
+            return ret;
+        }
    } else if (!s->mjpeg_data_size)
        return AVERROR(EINVAL);

@@ -497,12 +497,15 @@ static int predictor_calc_error(int *k, int *state, int order, int error)
 // copes better with quantization, and calculates the
 // actual whitened result as it goes.

-static void modified_levinson_durbin(int *window, int window_entries,
+static int modified_levinson_durbin(int *window, int window_entries,
        int *out, int out_entries, int channels, int *tap_quant)
 {
    int i;
    int *state = av_calloc(window_entries, sizeof(*state));

+    if (!state)
+        return AVERROR(ENOMEM);
+
    memcpy(state, window, 4* window_entries);

    for (i = 0; i < out_entries; i++)
@@ -567,6 +570,7 @@ static void modified_levinson_durbin(int *window, int window_entries,
    }

    av_free(state);
+    return 0;
 }

 static inline int code_samplerate(int samplerate)
@@ -627,6 +631,9 @@ static av_cold int sonic_encode_init(AVCodecContext *avctx)

    // generate taps
    s->tap_quant = av_calloc(s->num_taps, sizeof(*s->tap_quant));
+    if (!s->tap_quant)
+        return AVERROR(ENOMEM);
+
    for (i = 0; i < s->num_taps; i++)
        s->tap_quant[i] = ff_sqrt(i+1);

@@ -656,7 +663,7 @@ static av_cold int sonic_encode_init(AVCodecContext *avctx)

    s->window_size = ((2*s->tail_size)+s->frame_size);
    s->window = av_calloc(s->window_size, sizeof(*s->window));
-    if (!s->window)
+    if (!s->window || !s->int_samples)
        return AVERROR(ENOMEM);

    avctx->extradata = av_mallocz(16);
@@ -769,8 +776,11 @@ static int sonic_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
        s->tail[i] = s->int_samples[s->frame_size - s->tail_size + i];

    // generate taps
-    modified_levinson_durbin(s->window, s->window_size,
+    ret = modified_levinson_durbin(s->window, s->window_size,
                s->predictor_k, s->num_taps, s->channels, s->tap_quant);
+    if (ret < 0)
+        return ret;
+
    if ((ret = intlist_write(&c, state, s->predictor_k, s->num_taps, 0)) < 0)
        return ret;

@@ -873,17 +883,24 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx)

    if (s->version >= 1)
    {
+        int sample_rate_index;
        s->channels = get_bits(&gb, 2);
-        s->samplerate = samplerate_table[get_bits(&gb, 4)];
+        sample_rate_index = get_bits(&gb, 4);
+        if (sample_rate_index >= FF_ARRAY_ELEMS(samplerate_table)) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid sample_rate_index %d\n", sample_rate_index);
+            return AVERROR_INVALIDDATA;
+        }
+        s->samplerate = samplerate_table[sample_rate_index];
        av_log(avctx, AV_LOG_INFO, "Sonicv2 chans: %d samprate: %d\n",
            s->channels, s->samplerate);
    }

-    if (s->channels > MAX_CHANNELS)
+    if (s->channels > MAX_CHANNELS || s->channels < 1)
    {
        av_log(avctx, AV_LOG_ERROR, "Only mono and stereo streams are supported by now\n");
        return AVERROR_INVALIDDATA;
    }
+    avctx->channels = s->channels;

    s->lossless = get_bits1(&gb);
    if (!s->lossless)
@@ -913,6 +930,9 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx)

    // generate taps
    s->tap_quant = av_calloc(s->num_taps, sizeof(*s->tap_quant));
+    if (!s->tap_quant)
+        return AVERROR(ENOMEM);
+
    for (i = 0; i < s->num_taps; i++)
        s->tap_quant[i] = ff_sqrt(i+1);

@@ -932,6 +952,8 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx)
            return AVERROR(ENOMEM);
    }
    s->int_samples = av_calloc(s->frame_size, sizeof(*s->int_samples));
+    if (!s->int_samples)
+        return AVERROR(ENOMEM);

    avctx->sample_fmt = AV_SAMPLE_FMT_S16;
    return 0;
@@ -800,6 +800,12 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data,
                    if (s->mcdparams[i].present) {
                        s->mcdparams[i].index = get_bits(gb, 2);
                        s->mcdparams[i].chan2 = get_bits(gb, 4);
+                        if (s->mcdparams[i].chan2 >= avctx->channels) {
+                            av_log(avctx, AV_LOG_ERROR,
+                                   "invalid channel 2 (%d) for %d channel(s)\n",
+                                   s->mcdparams[i].chan2, avctx->channels);
+                            return AVERROR_INVALIDDATA;
+                        }
                        if (s->mcdparams[i].index == 1) {
                            if ((nbit == s->mcdparams[i].chan2) ||
                                (ch_mask & 1 << s->mcdparams[i].chan2))
@@ -439,8 +439,10 @@ static int decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_size)

 static av_always_inline void clamp_mv(VP8Context *s, VP56mv *dst, const VP56mv *src)
 {
-    dst->x = av_clip(src->x, s->mv_min.x, s->mv_max.x);
-    dst->y = av_clip(src->y, s->mv_min.y, s->mv_max.y);
+    dst->x = av_clip(src->x, av_clip(s->mv_min.x, INT16_MIN, INT16_MAX),
+                             av_clip(s->mv_max.x, INT16_MIN, INT16_MAX));
+    dst->y = av_clip(src->y, av_clip(s->mv_min.y, INT16_MIN, INT16_MAX),
+                             av_clip(s->mv_max.y, INT16_MIN, INT16_MAX));
 }

 /**
@@ -133,6 +133,11 @@ typedef struct VP8Frame {
    AVBufferRef *seg_map;
 } VP8Frame;

+typedef struct VP8intmv {
+    int x;
+    int y;
+} VP8intmv;
+
 #define MAX_THREADS 8
 typedef struct VP8Context {
    VP8ThreadData *thread_data;
@@ -151,8 +156,8 @@ typedef struct VP8Context {
    uint8_t deblock_filter;
    uint8_t mbskip_enabled;
    uint8_t profile;
-    VP56mv mv_min;
-    VP56mv mv_max;
+    VP8intmv mv_min;
+    VP8intmv mv_max;

    int8_t sign_bias[4]; ///< one state [0, 1] per ref frame type
    int ref_count[3];
@@ -3840,7 +3840,7 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame,
                            tile_row, s->tiling.log2_tile_rows, s->sb_rows);
            if (s->pass != 2) {
                for (tile_col = 0; tile_col < s->tiling.tile_cols; tile_col++) {
-                    unsigned tile_size;
+                    int64_t tile_size;

                    if (tile_col == s->tiling.tile_cols - 1 &&
                        tile_row == s->tiling.tile_rows - 1) {
@@ -231,6 +231,12 @@ static int decode_format80(VqaContext *s, int src_size,
    unsigned char color;
    int i;

+    if (src_size < 0 || src_size > bytestream2_get_bytes_left(&s->gb)) {
+        av_log(s->avctx, AV_LOG_ERROR, "Chunk size %d is out of range\n",
+               src_size);
+        return AVERROR_INVALIDDATA;
+    }
+
    start = bytestream2_tell(&s->gb);
    while (bytestream2_tell(&s->gb) - start < src_size) {
        opcode = bytestream2_get_byte(&s->gb);
@@ -472,6 +472,14 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb,
                s->decorr[i].samplesB[0] = L;
            }
        }
+
+        if (type == AV_SAMPLE_FMT_S16P) {
+            if (FFABS(L) + FFABS(R) > (1<<19)) {
+                av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R);
+                return AVERROR_INVALIDDATA;
+            }
+        }
+
        pos = (pos + 1) & 7;
        if (s->joint)
            L += (R -= (L >> 1));
@@ -140,9 +140,7 @@ static void cavs_idct8_add_mmx(uint8_t *dst, int16_t *block, int stride)
    DECLARE_ALIGNED(8, int16_t, b2)[64];

    for(i=0; i<2; i++){
-        DECLARE_ALIGNED(8, uint64_t, tmp);
-
-        cavs_idct8_1d(block+4*i, ff_pw_4.a);
+        cavs_idct8_1d(block + 4 * i, ff_pw_4.a);

        __asm__ volatile(
            "psraw     $3, %%mm7  \n\t"
@@ -153,20 +151,20 @@ static void cavs_idct8_add_mmx(uint8_t *dst, int16_t *block, int stride)
            "psraw     $3, %%mm2  \n\t"
            "psraw     $3, %%mm1  \n\t"
            "psraw     $3, %%mm0  \n\t"
-            "movq   %%mm7,    %0   \n\t"
+            "movq   %%mm7,  (%0)  \n\t"
            TRANSPOSE4( %%mm0, %%mm2, %%mm4, %%mm6, %%mm7 )
-            "movq   %%mm0,  8(%1)  \n\t"
-            "movq   %%mm6, 24(%1)  \n\t"
-            "movq   %%mm7, 40(%1)  \n\t"
-            "movq   %%mm4, 56(%1)  \n\t"
-            "movq    %0,    %%mm7  \n\t"
+            "movq   %%mm0,  8(%0)  \n\t"
+            "movq   %%mm6, 24(%0)  \n\t"
+            "movq   %%mm7, 40(%0)  \n\t"
+            "movq   %%mm4, 56(%0)  \n\t"
+            "movq    (%0),  %%mm7  \n\t"
            TRANSPOSE4( %%mm7, %%mm5, %%mm3, %%mm1, %%mm0 )
-            "movq   %%mm7,   (%1)  \n\t"
-            "movq   %%mm1, 16(%1)  \n\t"
-            "movq   %%mm0, 32(%1)  \n\t"
-            "movq   %%mm3, 48(%1)  \n\t"
-            : "=m"(tmp)
-            : "r"(b2+32*i)
+            "movq   %%mm7,   (%0)  \n\t"
+            "movq   %%mm1, 16(%0)  \n\t"
+            "movq   %%mm0, 32(%0)  \n\t"
+            "movq   %%mm3, 48(%0)  \n\t"
+            :
+            : "r"(b2 + 32 * i)
            : "memory"
        );
    }
@@ -135,8 +135,11 @@ WEIGHT_FUNC_HALF_MM 8, 8
    add  off_regd, 1
    or   off_regd, 1
    add        r4, 1
+    cmp        r6d, 128
+     je .nonnormal
    cmp        r5, 128
     jne .normal
+.nonnormal
    sar        r5, 1
    sar        r6, 1
    sar  off_regd, 1
@@ -23,7 +23,9 @@
 #define AVCODEC_X86_MATHOPS_H

 #include "config.h"
+
 #include "libavutil/common.h"
+#include "libavutil/x86/asm.h"

 #if HAVE_INLINE_ASM

@@ -88,6 +90,7 @@ static inline av_const int mid_pred(int a, int b, int c)
    return i;
 }

+#if HAVE_6REGS
 #define COPY3_IF_LT(x, y, a, b, c, d)\
 __asm__ volatile(\
    "cmpl  %0, %3       \n\t"\
@@ -97,6 +100,8 @@ __asm__ volatile(\
    : "+&r" (x), "+&r" (a), "+r" (c)\
    : "r" (y), "r" (b), "r" (d)\
 );
+#endif /* HAVE_6REGS */
+
 #endif /* HAVE_I686 */

 #define MASK_ABS(mask, level)                   \
@@ -45,7 +45,7 @@ void ff_four_imdct36_float_avx(float *out, float *buf, float *in, float *win,

 DECLARE_ALIGNED(16, static float, mdct_win_sse)[2][4][4*40];

-#if HAVE_SSE2_INLINE
+#if HAVE_6REGS && HAVE_SSE2_INLINE

 #define MACS(rt, ra, rb) rt+=(ra)*(rb)
 #define MLSS(rt, ra, rb) rt-=(ra)*(rb)
@@ -189,7 +189,7 @@ static void apply_window_mp3(float *in, float *win, int *unused, float *out,
    *out = sum;
 }

-#endif /* HAVE_SSE2_INLINE */
+#endif /* HAVE_6REGS && HAVE_SSE2_INLINE */

 #if HAVE_YASM
 #define DECL_IMDCT_BLOCKS(CPU1, CPU2)                                       \
@@ -255,7 +255,7 @@ av_cold void ff_mpadsp_init_x86(MPADSPContext *s)
        }
    }

-#if HAVE_SSE2_INLINE
+#if HAVE_6REGS && HAVE_SSE2_INLINE
    if (INLINE_SSE2(cpu_flags)) {
        s->apply_window_float = apply_window_mp3;
    }
@@ -31,6 +31,8 @@
 /* not permutated inverse zigzag_direct + 1 for MMX quantizer */
 DECLARE_ALIGNED(16, static uint16_t, inv_zigzag_direct16)[64];

+#if HAVE_6REGS
+
 #if HAVE_MMX_INLINE
 #define COMPILE_TEMPLATE_MMXEXT 0
 #define COMPILE_TEMPLATE_SSE2   0
@@ -82,6 +84,8 @@ DECLARE_ALIGNED(16, static uint16_t, inv_zigzag_direct16)[64];
 #include "mpegvideoenc_template.c"
 #endif /* HAVE_SSSE3_INLINE */

+#endif /* HAVE_6REGS */
+
 #if HAVE_INLINE_ASM
 static void  denoise_dct_mmx(MpegEncContext *s, int16_t *block){
    const int intra= s->mb_intra;
@@ -206,21 +210,25 @@ av_cold void ff_dct_encode_init_x86(MpegEncContext *s)
 #if HAVE_MMX_INLINE
        int cpu_flags = av_get_cpu_flags();
        if (INLINE_MMX(cpu_flags)) {
+#if HAVE_6REGS
            s->dct_quantize = dct_quantize_MMX;
+#endif
            s->denoise_dct  = denoise_dct_mmx;
        }
 #endif
-#if HAVE_MMXEXT_INLINE
+#if HAVE_6REGS && HAVE_MMXEXT_INLINE
        if (INLINE_MMXEXT(cpu_flags))
            s->dct_quantize = dct_quantize_MMXEXT;
 #endif
 #if HAVE_SSE2_INLINE
        if (INLINE_SSE2(cpu_flags)) {
+#if HAVE_6REGS
            s->dct_quantize = dct_quantize_SSE2;
+#endif
            s->denoise_dct  = denoise_dct_sse2;
        }
 #endif
-#if HAVE_SSSE3_INLINE
+#if HAVE_6REGS && HAVE_SSSE3_INLINE
        if (INLINE_SSSE3(cpu_flags))
            s->dct_quantize = dct_quantize_SSSE3;
 #endif
@@ -606,6 +606,7 @@ static void ff_snow_vertical_compose97i_mmx(IDWTELEM *b0, IDWTELEM *b1, IDWTELEM
 }
 #endif //HAVE_7REGS

+#if HAVE_6REGS
 #define snow_inner_add_yblock_sse2_header \
    IDWTELEM * * dst_array = sb->line + src_y;\
    x86_reg tmp;\
@@ -872,6 +873,7 @@ static void ff_snow_inner_add_yblock_mmx(const uint8_t *obmc, const int obmc_str
    else
        ff_snow_inner_add_yblock(obmc, obmc_stride, block, b_w, b_h, src_x,src_y, src_stride, sb, add, dst8);
 }
+#endif /* HAVE_6REGS */

 #endif /* HAVE_INLINE_ASM */

@@ -886,7 +888,9 @@ void ff_dwt_init_x86(SnowDWTContext *c)
 #if HAVE_7REGS
            c->vertical_compose97i = ff_snow_vertical_compose97i_sse2;
 #endif
+#if HAVE_6REGS
            c->inner_add_yblock = ff_snow_inner_add_yblock_sse2;
+#endif
        }
        else{
            if (mm_flags & AV_CPU_FLAG_MMXEXT) {
@@ -895,7 +899,9 @@ void ff_dwt_init_x86(SnowDWTContext *c)
            c->vertical_compose97i = ff_snow_vertical_compose97i_mmx;
 #endif
            }
+#if HAVE_6REGS
            c->inner_add_yblock = ff_snow_inner_add_yblock_mmx;
+#endif
        }
    }
 #endif /* HAVE_INLINE_ASM */
@@ -27,6 +27,7 @@
 #include "libavutil/attributes.h"
 #include "libavutil/cpu.h"
 #include "libavutil/x86/cpu.h"
+#include "libavutil/x86/asm.h"
 #include "libavcodec/vc1dsp.h"
 #include "dsputil_x86.h"
 #include "vc1dsp.h"
@@ -86,10 +87,10 @@ av_cold void ff_vc1dsp_init_x86(VC1DSPContext *dsp)
 {
    int cpu_flags = av_get_cpu_flags();

-    if (INLINE_MMX(cpu_flags))
+    if (HAVE_6REGS && INLINE_MMX(cpu_flags))
        ff_vc1dsp_init_mmx(dsp);

-    if (INLINE_MMXEXT(cpu_flags))
+    if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags))
        ff_vc1dsp_init_mmxext(dsp);

 #define ASSIGN_LF(EXT) \
@@ -33,7 +33,7 @@
 #include "dsputil_x86.h"
 #include "vc1dsp.h"

-#if HAVE_INLINE_ASM
+#if HAVE_6REGS && HAVE_INLINE_ASM

 #define OP_PUT(S,D)
 #define OP_AVG(S,D) "pavgb " #S ", " #D " \n\t"
@@ -754,4 +754,4 @@ av_cold void ff_vc1dsp_init_mmxext(VC1DSPContext *dsp)
    dsp->vc1_inv_trans_8x4_dc = vc1_inv_trans_8x4_dc_mmxext;
    dsp->vc1_inv_trans_4x4_dc = vc1_inv_trans_4x4_dc_mmxext;
 }
-#endif /* HAVE_INLINE_ASM */
+#endif /* HAVE_6REGS && HAVE_INLINE_ASM */
@@ -185,8 +185,12 @@ hvar_fn
 %elif (%2-%%off) == 2
    mov            valw, [srcq+%2-2]
 %elifidn %1, body
-    mov            vald, [srcq+%2-3]
-%else
+    mov            valb, [srcq+%2-1]
+    sal            vald, 16
+    mov            valw, [srcq+%2-3]
+%elifidn %1, bottom
+    movd mm %+ %%mmx_idx, [srcq+%2-4]
+%else ; top
    movd mm %+ %%mmx_idx, [srcq+%2-3]
 %endif
 %endif ; (%2-%%off) >= 1
@@ -242,12 +246,15 @@ hvar_fn
    mov     [dstq+%2-2], valw
 %elifidn %1, body
    mov     [dstq+%2-3], valw
-    shr            vald, 16
+    sar            vald, 16
    mov     [dstq+%2-1], valb
 %else
    movd           vald, mm %+ %%mmx_idx
+%ifidn %1, bottom
+    sar            vald, 8
+%endif
    mov     [dstq+%2-3], valw
-    shr            vald, 16
+    sar            vald, 16
    mov     [dstq+%2-1], valb
 %endif
 %endif ; (%2-%%off) >= 1
@@ -64,6 +64,7 @@ void ff_vp3_h_loop_filter_mmxext(uint8_t *src, int stride,
    "paddb "#regb", "#regr"             \n\t"                    \
    "paddb "#regd", "#regp"             \n\t"

+#if HAVE_6REGS
 static void put_vp_no_rnd_pixels8_l2_mmx(uint8_t *dst, const uint8_t *a, const uint8_t *b, ptrdiff_t stride, int h)
 {
 //    START_TIMER
@@ -95,15 +96,16 @@ static void put_vp_no_rnd_pixels8_l2_mmx(uint8_t *dst, const uint8_t *a, const u
        :"memory");
 //    STOP_TIMER("put_vp_no_rnd_pixels8_l2_mmx")
 }
+#endif /*HAVE_6REGS */
 #endif /* HAVE_MMX_INLINE */

 av_cold void ff_vp3dsp_init_x86(VP3DSPContext *c, int flags)
 {
    int cpu_flags = av_get_cpu_flags();

-#if HAVE_MMX_INLINE
+#if HAVE_6REGS && HAVE_MMX_INLINE
    c->put_no_rnd_pixels_l2 = put_vp_no_rnd_pixels8_l2_mmx;
-#endif /* HAVE_MMX_INLINE */
+#endif /* HAVE_6REGS && HAVE_MMX_INLINE */

 #if ARCH_X86_32
    if (EXTERNAL_MMX(cpu_flags)) {
@@ -24,7 +24,7 @@
 #ifndef AVCODEC_X86_VP56_ARITH_H
 #define AVCODEC_X86_VP56_ARITH_H

-#if HAVE_INLINE_ASM && HAVE_FAST_CMOV
+#if HAVE_INLINE_ASM && HAVE_FAST_CMOV && HAVE_6REGS
 #define vp56_rac_get_prob vp56_rac_get_prob
 static av_always_inline int vp56_rac_get_prob(VP56RangeCoder *c, uint8_t prob)
 {
@@ -343,7 +343,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt)
            continue;
        } else if (ret < 0)
            return ret;
-        d = av_rescale_q(frame->pts, tb, AV_TIME_BASE_Q);
+        d = av_rescale_q_rnd(frame->pts, tb, AV_TIME_BASE_Q, AV_ROUND_NEAR_INF|AV_ROUND_PASS_MINMAX);
        av_dlog(avctx, "sink_idx:%d time:%f\n", i, d);
        av_frame_unref(frame);

@@ -138,7 +138,9 @@ static int config_props(AVFilterLink *inlink)
    s->hsub = pixdesc->log2_chroma_w;
    s->vsub = pixdesc->log2_chroma_h;

-    s->bpp = av_get_bits_per_pixel(pixdesc) >> 3;
+    s->bpp = pixdesc->flags & AV_PIX_FMT_FLAG_PLANAR ?
+             1 :
+             av_get_bits_per_pixel(pixdesc) >> 3;
    s->alpha &= !!(pixdesc->flags & AV_PIX_FMT_FLAG_ALPHA);
    s->is_packed_rgb = ff_fill_rgba_map(s->rgba_map, inlink->format) >= 0;

@@ -289,7 +289,7 @@ static inline void line_noise_avg_c(uint8_t *dst, const uint8_t *src,
 static inline void line_noise_avg_mmx(uint8_t *dst, const uint8_t *src,
                                      int len, int8_t **shift)
 {
-#if HAVE_MMX_INLINE
+#if HAVE_MMX_INLINE && HAVE_6REGS
    x86_reg mmx_len= len&(~7);

    __asm__ volatile(
@@ -438,7 +438,9 @@ static av_cold int init(AVFilterContext *ctx)
    if (HAVE_MMX_INLINE &&
        cpu_flags & AV_CPU_FLAG_MMX) {
        n->line_noise = line_noise_mmx;
+#if HAVE_6REGS
        n->line_noise_avg = line_noise_avg_mmx;
+#endif
    }
    if (HAVE_MMXEXT_INLINE &&
        cpu_flags & AV_CPU_FLAG_MMXEXT)
@@ -27,8 +27,8 @@ SECTION .text
 %if lut_bits != 8
    sar    %1q, 8-lut_bits
 %endif
-    movsx  %1d, word [%3q+%1q*2]
-    add    %1d, %2d
+    movsx  %1q, word [%3q+%1q*2]
+    add    %1q, %2q
 %endmacro

 %macro LOAD 3 ; dstreg, x, bitdepth
@@ -104,7 +104,7 @@ int ff_audio_rechunk_interleave(AVFormatContext *s, AVPacket *out, AVPacket *pkt
                        int (*get_packet)(AVFormatContext *, AVPacket *, AVPacket *, int),
                        int (*compare_ts)(AVFormatContext *, AVPacket *, AVPacket *))
 {
-    int i;
+    int i, ret;

    if (pkt) {
        AVStream *st = s->streams[pkt->stream_index];
@@ -118,12 +118,10 @@ int ff_audio_rechunk_interleave(AVFormatContext *s, AVPacket *out, AVPacket *pkt
            }
            av_fifo_generic_write(aic->fifo, pkt->data, pkt->size, NULL);
        } else {
-            int ret;
            // rewrite pts and dts to be decoded time line position
            pkt->pts = pkt->dts = aic->dts;
            aic->dts += pkt->duration;
-            ret = ff_interleave_add_packet(s, pkt, compare_ts);
-            if (ret < 0)
+            if ((ret = ff_interleave_add_packet(s, pkt, compare_ts)) < 0)
                return ret;
        }
        pkt = NULL;
@@ -133,10 +131,8 @@ int ff_audio_rechunk_interleave(AVFormatContext *s, AVPacket *out, AVPacket *pkt
        AVStream *st = s->streams[i];
        if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO) {
            AVPacket new_pkt;
-            int ret;
            while ((ret = interleave_new_audio_packet(s, &new_pkt, i, flush)) > 0) {
-                ret = ff_interleave_add_packet(s, &new_pkt, compare_ts);
-                if (ret < 0)
+                if ((ret = ff_interleave_add_packet(s, &new_pkt, compare_ts)) < 0)
                    return ret;
            }
            if (ret < 0)
@@ -604,6 +604,23 @@ static int avi_read_header(AVFormatContext *s)
            default:
                av_log(s, AV_LOG_INFO, "unknown stream type %X\n", tag1);
            }
+
+            if (ast->sample_size < 0) {
+                if (s->error_recognition & AV_EF_EXPLODE) {
+                    av_log(s, AV_LOG_ERROR,
+                           "Invalid sample_size %d at stream %d\n",
+                           ast->sample_size,
+                           stream_index);
+                    goto fail;
+                }
+                av_log(s, AV_LOG_WARNING,
+                       "Invalid sample_size %d at stream %d "
+                       "setting it to 0\n",
+                       ast->sample_size,
+                       stream_index);
+                ast->sample_size = 0;
+            }
+
            if (ast->sample_size == 0) {
                st->duration = st->nb_frames;
                if (st->duration > 0 && avi->io_fsize > 0 && avi->riff_end > avi->io_fsize) {
@@ -1432,7 +1449,8 @@ static int avi_read_idx1(AVFormatContext *s, int size)
        ast = st->priv_data;

        if (first_packet && first_packet_pos) {
-            data_offset  = first_packet_pos - pos;
+            if (avi->movi_list + 4 != pos || pos + 500 > first_packet_pos)
+                data_offset  = first_packet_pos - pos;
            first_packet = 0;
        }
        pos += data_offset;
@@ -765,6 +765,7 @@ int ffio_ensure_seekback(AVIOContext *s, int buf_size)
    uint8_t *buffer;
    int max_buffer_size = s->max_packet_size ?
                          s->max_packet_size : IO_BUFFER_SIZE;
+    ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;

    buf_size += s->buf_ptr - s->buffer + max_buffer_size;

@@ -782,6 +783,8 @@ int ffio_ensure_seekback(AVIOContext *s, int buf_size)
    s->buf_end = buffer + (s->buf_end - s->buffer);
    s->buffer = buffer;
    s->buffer_size = buf_size;
+    if (checksum_ptr_offset >= 0)
+        s->checksum_ptr = s->buffer + checksum_ptr_offset;
    return 0;
 }

@@ -190,7 +190,10 @@ static int read_header(AVFormatContext *s)
            return ret;
    }

-    avio_seek(pb, vst->index_entries[0].pos, SEEK_SET);
+    if (vst->index_entries)
+        avio_seek(pb, vst->index_entries[0].pos, SEEK_SET);
+    else
+        avio_skip(pb, 4);

    bink->current_track = -1;
    return 0;
@@ -95,7 +95,9 @@ static int ffm_read_data(AVFormatContext *s,
    retry_read:
            if (pb->buffer_size != ffm->packet_size) {
                int64_t tell = avio_tell(pb);
-                ffio_set_buf_size(pb, ffm->packet_size);
+                int ret = ffio_set_buf_size(pb, ffm->packet_size);
+                if (ret < 0)
+                    return ret;
                avio_seek(pb, tell, SEEK_SET);
            }
            id = avio_rb16(pb); /* PACKET_ID */
@@ -189,7 +189,7 @@ static void skip_sub_layer_hrd_parameters(GetBitContext *gb,
    }
 }

-static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
+static int skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
                                unsigned int max_sub_layers_minus1)
 {
    unsigned int i;
@@ -246,8 +246,11 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
        else
            low_delay_hrd_flag = get_bits1(gb);

-        if (!low_delay_hrd_flag)
+        if (!low_delay_hrd_flag) {
            cpb_cnt_minus1 = get_ue_golomb_long(gb);
+            if (cpb_cnt_minus1 > 31)
+                return AVERROR_INVALIDDATA;
+        }

        if (nal_hrd_parameters_present_flag)
            skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1,
@@ -257,6 +260,8 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
            skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1,
                                          sub_pic_hrd_params_present_flag);
    }
+
+    return 0;
 }

 static void skip_timing_info(GetBitContext *gb)
@@ -444,7 +449,7 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx,
         *
         * NumDeltaPocs[RefRpsIdx]: num_delta_pocs[rps_idx - 1]
         */
-        for (i = 0; i < num_delta_pocs[rps_idx - 1]; i++) {
+        for (i = 0; i <= num_delta_pocs[rps_idx - 1]; i++) {
            uint8_t use_delta_flag = 0;
            uint8_t used_by_curr_pic_flag = get_bits1(gb);
            if (!used_by_curr_pic_flag)
@@ -457,6 +462,9 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx,
        unsigned int num_negative_pics = get_ue_golomb_long(gb);
        unsigned int num_positive_pics = get_ue_golomb_long(gb);

+        if ((num_positive_pics + (uint64_t)num_negative_pics) * 2 > get_bits_left(gb))
+            return AVERROR_INVALIDDATA;
+
        num_delta_pocs[rps_idx] = num_negative_pics + num_positive_pics;

        for (i = 0; i < num_negative_pics; i++) {
@@ -91,7 +91,7 @@ void ff_program_add_stream_index(AVFormatContext *ac, int progid, unsigned int i
 * @return 0, or < 0 on error
 */
 int ff_interleave_add_packet(AVFormatContext *s, AVPacket *pkt,
-                              int (*compare)(AVFormatContext *, AVPacket *, AVPacket *));
+                             int (*compare)(AVFormatContext *, AVPacket *, AVPacket *));

 void ff_read_frame_flush(AVFormatContext *s);

@@ -1187,15 +1187,13 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
            newpktdata = av_realloc(pkt_data, pkt_size);
            if (!newpktdata) {
                inflateEnd(&zstream);
+                result = AVERROR(ENOMEM);
                goto failed;
            }
            pkt_data = newpktdata;
            zstream.avail_out = pkt_size - zstream.total_out;
            zstream.next_out = pkt_data + zstream.total_out;
-            if (pkt_data) {
-                result = inflate(&zstream, Z_NO_FLUSH);
-            } else
-                result = Z_MEM_ERROR;
+            result = inflate(&zstream, Z_NO_FLUSH);
        } while (result==Z_OK && pkt_size<10000000);
        pkt_size = zstream.total_out;
        inflateEnd(&zstream);
@@ -1221,15 +1219,13 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
            newpktdata = av_realloc(pkt_data, pkt_size);
            if (!newpktdata) {
                BZ2_bzDecompressEnd(&bzstream);
+                result = AVERROR(ENOMEM);
                goto failed;
            }
            pkt_data = newpktdata;
            bzstream.avail_out = pkt_size - bzstream.total_out_lo32;
            bzstream.next_out = pkt_data + bzstream.total_out_lo32;
-            if (pkt_data) {
-                result = BZ2_bzDecompress(&bzstream);
-            } else
-                result = BZ_MEM_ERROR;
+            result = BZ2_bzDecompress(&bzstream);
        } while (result==BZ_OK && pkt_size<10000000);
        pkt_size = bzstream.total_out_lo32;
        BZ2_bzDecompressEnd(&bzstream);
@@ -1459,7 +1455,7 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
 static void matroska_add_index_entries(MatroskaDemuxContext *matroska) {
    EbmlList *index_list;
    MatroskaIndex *index;
-    int index_scale = 1;
+    uint64_t index_scale = 1;
    int i, j;

    index_list = &matroska->index;
@@ -1547,9 +1543,13 @@ static int matroska_read_header(AVFormatContext *s)
    matroska->ctx = s;

    /* First read the EBML header. */
-    if (ebml_parse(matroska, ebml_syntax, &ebml)
-        || ebml.version > EBML_VERSION       || ebml.max_size > sizeof(uint64_t)
-        || ebml.id_length > sizeof(uint32_t) || ebml.doctype_version > 3 || !ebml.doctype) {
+    if (ebml_parse(matroska, ebml_syntax, &ebml) || !ebml.doctype) {
+        av_log(matroska->ctx, AV_LOG_ERROR, "EBML header parsing failed\n");
+        ebml_free(ebml_syntax, &ebml);
+        return AVERROR_INVALIDDATA;
+    }
+    if (ebml.version > EBML_VERSION       || ebml.max_size > sizeof(uint64_t)
+        || ebml.id_length > sizeof(uint32_t) || ebml.doctype_version > 3) {
        av_log(matroska->ctx, AV_LOG_ERROR,
               "EBML header using unsupported features\n"
               "(EBML version %"PRIu64", doctype %s, doc version %"PRIu64")\n",
@@ -1929,8 +1929,8 @@ static int matroska_read_header(AVFormatContext *s)
                snprintf(buf, sizeof(buf), "%s_%d",
                         ff_matroska_video_stereo_plane[planes[j].type], i);
                for (k=0; k < matroska->tracks.nb_elem; k++)
-                    if (planes[j].uid == tracks[k].uid) {
-                        av_dict_set(&s->streams[k]->metadata,
+                    if (planes[j].uid == tracks[k].uid && tracks[k].stream) {
+                        av_dict_set(&tracks[k].stream->metadata,
                                    "stereo_mode", buf, 0);
                        break;
                    }
@@ -2345,6 +2345,9 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref,
                av_strlcat(filename, "../", sizeof(filename));

            av_strlcat(filename, ref->path + l + 1, sizeof(filename));
+            if (!use_absolute_path)
+                if(strstr(ref->path + l + 1, "..") || ref->nlvl_from > 1)
+                    return AVERROR(ENOENT);

            if (strlen(filename) + 1 == sizeof(filename))
                return AVERROR(ENOENT);
@@ -2813,6 +2816,7 @@ static int mov_read_cmov(MOVContext *c, AVIOContext *pb, MOVAtom atom)
        goto free_and_return;
    if (ffio_init_context(&ctx, moov_data, moov_len, 0, NULL, NULL, NULL, NULL) != 0)
        goto free_and_return;
+    ctx.seekable = AVIO_SEEKABLE_NORMAL;
    atom.type = MKTAG('m','o','o','v');
    atom.size = moov_len;
    ret = mov_read_default(c, &ctx, atom);
@@ -566,6 +566,11 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st,
    label_mask = 0;
    for (i = 0; i < num_descr; i++) {
        uint32_t label;
+        if (pb->eof_reached) {
+            av_log(s, AV_LOG_ERROR,
+                   "reached EOF while reading channel layout\n");
+            return AVERROR_INVALIDDATA;
+        }
        label     = avio_rb32(pb);          // mChannelLabel
        avio_rb32(pb);                      // mChannelFlags
        avio_rl32(pb);                      // mCoordinates[0]
@@ -67,6 +67,7 @@ typedef void SetServiceCallback(void *opaque, int ret);
 typedef struct MpegTSSectionFilter {
    int section_index;
    int section_h_size;
+    int last_ver;
    uint8_t *section_buf;
    unsigned int check_crc:1;
    unsigned int end_of_section_reached:1;
@@ -421,6 +422,8 @@ static MpegTSFilter *mpegts_open_section_filter(MpegTSContext *ts, unsigned int
    sec->opaque = opaque;
    sec->section_buf = av_malloc(MAX_SECTION_SIZE);
    sec->check_crc = check_crc;
+    sec->last_ver = -1;
+
    if (!sec->section_buf) {
        av_free(filter);
        return NULL;
@@ -1345,6 +1348,7 @@ static int mp4_read_od(AVFormatContext *s, const uint8_t *buf, unsigned size,
 static void m4sl_cb(MpegTSFilter *filter, const uint8_t *section, int section_len)
 {
    MpegTSContext *ts = filter->u.section_filter.opaque;
+    MpegTSSectionFilter *tssf = &filter->u.section_filter;
    SectionHeader h;
    const uint8_t *p, *p_end;
    AVIOContext pb;
@@ -1359,6 +1363,9 @@ static void m4sl_cb(MpegTSFilter *filter, const uint8_t *section, int section_le
        return;
    if (h.tid != M4OD_TID)
        return;
+    if (h.version == tssf->last_ver)
+        return;
+    tssf->last_ver = h.version;

    mp4_read_od(s, p, (unsigned)(p_end - p), mp4_descr, &mp4_descr_count, MAX_MP4_DESCR_COUNT);

@@ -1452,8 +1459,12 @@ int ff_parse_mpeg2_descriptor(AVFormatContext *fc, AVStream *st, int stream_type
        }
        break;
    case 0x1F: /* FMC descriptor */
-        get16(pp, desc_end);
-        if (mp4_descr_count > 0 && (st->codec->codec_id == AV_CODEC_ID_AAC_LATM || st->request_probe>0) &&
+        if (get16(pp, desc_end) < 0)
+            break;
+        if (mp4_descr_count > 0 &&
+            (st->codec->codec_id == AV_CODEC_ID_AAC_LATM ||
+             (st->request_probe == 0 && st->codec->codec_id == AV_CODEC_ID_NONE) ||
+             st->request_probe > 0) &&
            mp4_descr->dec_config_descr_len && mp4_descr->es_id == pid) {
            AVIOContext pb;
            ffio_init_context(&pb, mp4_descr->dec_config_descr,
@@ -1618,6 +1629,7 @@ int ff_parse_mpeg2_descriptor(AVFormatContext *fc, AVStream *st, int stream_type
 static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len)
 {
    MpegTSContext *ts = filter->u.section_filter.opaque;
+    MpegTSSectionFilter *tssf = &filter->u.section_filter;
    SectionHeader h1, *h = &h1;
    PESContext *pes;
    AVStream *st;
@@ -1637,6 +1649,9 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len
    p = section;
    if (parse_section_header(h, &p, p_end) < 0)
        return;
+    if (h->version == tssf->last_ver)
+        return;
+    tssf->last_ver = h->version;

    av_dlog(ts->stream, "sid=0x%x sec_num=%d/%d\n",
           h->id, h->sec_num, h->last_sec_num);
@@ -1774,6 +1789,7 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len
 static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len)
 {
    MpegTSContext *ts = filter->u.section_filter.opaque;
+    MpegTSSectionFilter *tssf = &filter->u.section_filter;
    SectionHeader h1, *h = &h1;
    const uint8_t *p, *p_end;
    int sid, pmt_pid;
@@ -1788,6 +1804,9 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len
        return;
    if (h->tid != PAT_TID)
        return;
+    if (h->version == tssf->last_ver)
+        return;
+    tssf->last_ver = h->version;

    ts->stream->ts_id = h->id;

@@ -1842,6 +1861,7 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len
 static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len)
 {
    MpegTSContext *ts = filter->u.section_filter.opaque;
+    MpegTSSectionFilter *tssf = &filter->u.section_filter;
    SectionHeader h1, *h = &h1;
    const uint8_t *p, *p_end, *desc_list_end, *desc_end;
    int onid, val, sid, desc_list_len, desc_tag, desc_len, service_type;
@@ -1856,6 +1876,10 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len
        return;
    if (h->tid != SDT_TID)
        return;
+    if (h->version == tssf->last_ver)
+        return;
+    tssf->last_ver = h->version;
+
    onid = get16(&p, p_end);
    if (onid < 0)
        return;
@@ -2150,11 +2174,13 @@ static int handle_packets(MpegTSContext *ts, int nb_packets)
        for (i = 0; i < NB_PID_MAX; i++) {
            if (ts->pids[i]) {
                if (ts->pids[i]->type == MPEGTS_PES) {
-                   PESContext *pes = ts->pids[i]->u.pes_filter.opaque;
-                   av_buffer_unref(&pes->buffer);
-                   pes->data_index = 0;
-                   pes->state = MPEGTS_SKIP; /* skip until pes header */
-                   pes->last_pcr = -1;
+                    PESContext *pes = ts->pids[i]->u.pes_filter.opaque;
+                    av_buffer_unref(&pes->buffer);
+                    pes->data_index = 0;
+                    pes->state = MPEGTS_SKIP; /* skip until pes header */
+                    pes->last_pcr = -1;
+                } else if (ts->pids[i]->type == MPEGTS_SECTION) {
+                    ts->pids[i]->u.section_filter.last_ver = -1;
                }
                ts->pids[i]->last_cc = -1;
            }
@@ -640,12 +640,12 @@ int av_write_frame(AVFormatContext *s, AVPacket *pkt)
 #define CHUNK_START 0x1000

 int ff_interleave_add_packet(AVFormatContext *s, AVPacket *pkt,
-                              int (*compare)(AVFormatContext *, AVPacket *, AVPacket *))
+                             int (*compare)(AVFormatContext *, AVPacket *, AVPacket *))
 {
+    int ret;
    AVPacketList **next_point, *this_pktl;
    AVStream *st   = s->streams[pkt->stream_index];
    int chunked    = s->max_chunk_size || s->max_chunk_duration;
-    int ret;

    this_pktl      = av_mallocz(sizeof(AVPacketList));
    if (!this_pktl)
@@ -657,11 +657,13 @@ FF_DISABLE_DEPRECATION_WARNINGS
 FF_ENABLE_DEPRECATION_WARNINGS
 #endif
    pkt->buf       = NULL;
+    pkt->side_data = NULL;
+    pkt->side_data_elems = 0;
    if ((pkt->flags & AV_PKT_FLAG_UNCODED_FRAME)) {
        av_assert0(pkt->size == UNCODED_FRAME_PACKET_SIZE);
        av_assert0(((AVFrame *)pkt->data)->buf);
    } else {
-        // duplicate the packet if it uses non-allocated memory
+        // Duplicate the packet if it uses non-allocated memory
        if ((ret = av_dup_packet(&this_pktl->pkt)) < 0) {
            av_free(this_pktl);
            return ret;
@@ -716,6 +718,7 @@ next_non_null:

    s->streams[pkt->stream_index]->last_in_packet_buffer =
        *next_point                                      = this_pktl;
+
    return 0;
 }

@@ -746,12 +749,12 @@ int ff_interleave_packet_per_dts(AVFormatContext *s, AVPacket *out,
                                 AVPacket *pkt, int flush)
 {
    AVPacketList *pktl;
-    int stream_count = 0, noninterleaved_count = 0;
+    int stream_count = 0;
+    int noninterleaved_count = 0;
    int i, ret;

    if (pkt) {
-        ret = ff_interleave_add_packet(s, pkt, interleave_compare_dts);
-        if (ret < 0)
+        if ((ret = ff_interleave_add_packet(s, pkt, interleave_compare_dts)) < 0)
            return ret;
    }

@@ -1712,9 +1712,10 @@ static int mxf_write_header(AVFormatContext *s)
                return ret;
            sc->video_bit_rate = st->codec->bit_rate ? st->codec->bit_rate : st->codec->rc_max_rate;
            if (s->oformat == &ff_mxf_d10_muxer) {
-                if (sc->video_bit_rate == 50000000) {
-                    if (mxf->time_base.den == 25) sc->index = 3;
-                    else                          sc->index = 5;
+                if ((sc->video_bit_rate == 50000000) && (mxf->time_base.den == 25)) {
+                    sc->index = 3;
+                } else if ((sc->video_bit_rate == 49999840 || sc->video_bit_rate == 50000000) && (mxf->time_base.den != 25)) {
+                    sc->index = 5;
                } else if (sc->video_bit_rate == 40000000) {
                    if (mxf->time_base.den == 25) sc->index = 7;
                    else                          sc->index = 9;
@@ -99,6 +99,7 @@ typedef struct NUTContext {
    unsigned int max_distance;
    unsigned int time_base_count;
    int64_t last_syncpoint_pos;
+    int64_t last_resync_pos;
    int header_count;
    AVRational *time_base;
    struct AVTreeNode *syncpoints;
@@ -46,11 +46,15 @@ static int get_str(AVIOContext *bc, char *string, unsigned int maxlen)
    while (len > maxlen) {
        avio_r8(bc);
        len--;
+        if (bc->eof_reached)
+            len = maxlen;
    }

    if (maxlen)
        string[FFMIN(len, maxlen - 1)] = 0;

+    if (bc->eof_reached)
+        return AVERROR_EOF;
    if (maxlen == len)
        return -1;
    else
@@ -210,8 +214,11 @@ static int skip_reserved(AVIOContext *bc, int64_t pos)
        avio_seek(bc, pos, SEEK_CUR);
        return AVERROR_INVALIDDATA;
    } else {
-        while (pos--)
+        while (pos--) {
+            if (bc->eof_reached)
+                return AVERROR_INVALIDDATA;
            avio_r8(bc);
+        }
        return 0;
    }
 }
@@ -290,10 +297,15 @@ static int decode_main_header(NUTContext *nut)
        if (tmp_fields > 7)
            tmp_head_idx = ffio_read_varlen(bc);

-        while (tmp_fields-- > 8)
+        while (tmp_fields-- > 8) {
+            if (bc->eof_reached) {
+                av_log(s, AV_LOG_ERROR, "reached EOF while decoding main header\n");
+                return AVERROR_INVALIDDATA;
+            }
            ffio_read_varlen(bc);
+        }

-        if (count == 0 || i + count > 256) {
+        if (count <= 0 || count > 256 - (i <= 'N') - i) {
            av_log(s, AV_LOG_ERROR, "illegal count %d at %d\n", count, i);
            return AVERROR_INVALIDDATA;
        }
@@ -472,7 +484,7 @@ static int decode_info_header(NUTContext *nut)
    AVIOContext *bc    = s->pb;
    uint64_t tmp, chapter_start, chapter_len;
    unsigned int stream_id_plus1, count;
-    int chapter_id, i;
+    int chapter_id, i, ret;
    int64_t value, end;
    char name[256], str_value[1024], type_str[256];
    const char *type;
@@ -495,6 +507,10 @@ static int decode_info_header(NUTContext *nut)
                                     nut->time_base[chapter_start %
                                                    nut->time_base_count],
                                     start, start + chapter_len, NULL);
+        if (!chapter) {
+            av_log(s, AV_LOG_ERROR, "Could not create chapter.\n");
+            return AVERROR(ENOMEM);
+        }
        metadata = &chapter->metadata;
    } else if (stream_id_plus1) {
        st       = s->streams[stream_id_plus1 - 1];
@@ -503,8 +519,14 @@ static int decode_info_header(NUTContext *nut)
        metadata = &s->metadata;

    for (i = 0; i < count; i++) {
-        get_str(bc, name, sizeof(name));
+        ret = get_str(bc, name, sizeof(name));
+        if (ret < 0) {
+            av_log(s, AV_LOG_ERROR, "get_str failed while decoding info header\n");
+            return ret;
+        }
        value = get_s(bc);
+        str_value[0] = 0;
+
        if (value == -1) {
            type = "UTF-8";
            get_str(bc, str_value, sizeof(str_value));
@@ -538,7 +560,8 @@ static int decode_info_header(NUTContext *nut)

            if (stream_id_plus1 && !strcmp(name, "r_frame_rate")) {
                sscanf(str_value, "%d/%d", &st->r_frame_rate.num, &st->r_frame_rate.den);
-                if (st->r_frame_rate.num >= 1000LL*st->r_frame_rate.den)
+                if (st->r_frame_rate.num >= 1000LL*st->r_frame_rate.den ||
+                    st->r_frame_rate.num < 0 || st->r_frame_rate.num < 0)
                    st->r_frame_rate.num = st->r_frame_rate.den = 0;
                continue;
            }
@@ -671,6 +694,10 @@ static int find_and_decode_index(NUTContext *nut)
                    has_keyframe[n++] = flag;
                has_keyframe[n++] = !flag;
            } else {
+                if (x <= 1) {
+                    av_log(s, AV_LOG_ERROR, "index: x %"PRIu64" is invalid\n", x);
+                    goto fail;
+                }
                while (x != 1) {
                    if (n >= syncpoint_count + 1) {
                        av_log(s, AV_LOG_ERROR, "index overflow B\n");
@@ -714,12 +741,26 @@ fail:
    return ret;
 }

+static int nut_read_close(AVFormatContext *s)
+{
+    NUTContext *nut = s->priv_data;
+    int i;
+
+    av_freep(&nut->time_base);
+    av_freep(&nut->stream);
+    ff_nut_free_sp(nut);
+    for (i = 1; i < nut->header_count; i++)
+        av_freep(&nut->header[i]);
+
+    return 0;
+}
+
 static int nut_read_header(AVFormatContext *s)
 {
    NUTContext *nut = s->priv_data;
    AVIOContext *bc = s->pb;
    int64_t pos;
-    int initialized_stream_count;
+    int initialized_stream_count, ret = 0;

    nut->avf = s;

@@ -729,7 +770,7 @@ static int nut_read_header(AVFormatContext *s)
        pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1;
        if (pos < 0 + 1) {
            av_log(s, AV_LOG_ERROR, "No main startcode found.\n");
-            return AVERROR_INVALIDDATA;
+            goto fail;
        }
    } while (decode_main_header(nut) < 0);

@@ -739,7 +780,7 @@ static int nut_read_header(AVFormatContext *s)
        pos = find_startcode(bc, STREAM_STARTCODE, pos) + 1;
        if (pos < 0 + 1) {
            av_log(s, AV_LOG_ERROR, "Not all stream headers found.\n");
-            return AVERROR_INVALIDDATA;
+            goto fail;
        }
        if (decode_stream_header(nut) >= 0)
            initialized_stream_count++;
@@ -753,7 +794,7 @@ static int nut_read_header(AVFormatContext *s)

        if (startcode == 0) {
            av_log(s, AV_LOG_ERROR, "EOF before video frames\n");
-            return AVERROR_INVALIDDATA;
+            goto fail;
        } else if (startcode == SYNCPOINT_STARTCODE) {
            nut->next_startcode = startcode;
            break;
@@ -775,7 +816,14 @@ static int nut_read_header(AVFormatContext *s)

    ff_metadata_conv_ctx(s, NULL, ff_nut_metadata_conv);

-    return 0;
+end:
+    if (ret < 0)
+        nut_read_close(s);
+    return FFMIN(ret, 0);
+fail:
+    nut_read_close(s);
+
+    return AVERROR_INVALIDDATA;
 }

 static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int is_meta, int64_t maxpos)
@@ -788,14 +836,18 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int
    int sample_rate = 0;
    int width = 0;
    int height = 0;
-    int i;
+    int i, ret;

    for (i=0; i<count; i++) {
        uint8_t name[256], str_value[256], type_str[256];
        int value;
        if (avio_tell(bc) >= maxpos)
            return AVERROR_INVALIDDATA;
-        get_str(bc, name, sizeof(name));
+        ret = get_str(bc, name, sizeof(name));
+        if (ret < 0) {
+            av_log(s, AV_LOG_ERROR, "get_str failed while reading sm data\n");
+            return ret;
+        }
        value = get_s(bc);

        if (value == -1) {
@@ -937,8 +989,13 @@ static int decode_frame_header(NUTContext *nut, int64_t *pts, int *stream_id,
        *header_idx = ffio_read_varlen(bc);
    if (flags & FLAG_RESERVED)
        reserved_count = ffio_read_varlen(bc);
-    for (i = 0; i < reserved_count; i++)
+    for (i = 0; i < reserved_count; i++) {
+        if (bc->eof_reached) {
+            av_log(s, AV_LOG_ERROR, "reached EOF while decoding frame header\n");
+            return AVERROR_INVALIDDATA;
+        }
        ffio_read_varlen(bc);
+    }

    if (*header_idx >= (unsigned)nut->header_count) {
        av_log(s, AV_LOG_ERROR, "header_idx invalid\n");
@@ -1070,7 +1127,8 @@ static int nut_read_packet(AVFormatContext *s, AVPacket *pkt)
        default:
 resync:
            av_log(s, AV_LOG_DEBUG, "syncing from %"PRId64"\n", pos);
-            tmp = find_any_startcode(bc, nut->last_syncpoint_pos + 1);
+            tmp = find_any_startcode(bc, FFMAX(nut->last_syncpoint_pos, nut->last_resync_pos) + 1);
+            nut->last_resync_pos = avio_tell(bc);
            if (tmp == 0)
                return AVERROR_INVALIDDATA;
            av_log(s, AV_LOG_DEBUG, "sync\n");
@@ -1160,25 +1218,14 @@ static int read_seek(AVFormatContext *s, int stream_index,
    av_log(NULL, AV_LOG_DEBUG, "SEEKTO: %"PRId64"\n", pos2);
    pos = find_startcode(s->pb, SYNCPOINT_STARTCODE, pos2);
    avio_seek(s->pb, pos, SEEK_SET);
+    nut->last_syncpoint_pos = pos;
    av_log(NULL, AV_LOG_DEBUG, "SP: %"PRId64"\n", pos);
    if (pos2 > pos || pos2 + 15 < pos)
        av_log(NULL, AV_LOG_ERROR, "no syncpoint at backptr pos\n");
    for (i = 0; i < s->nb_streams; i++)
        nut->stream[i].skip_until_key_frame = 1;

-    return 0;
-}
-
-static int nut_read_close(AVFormatContext *s)
-{
-    NUTContext *nut = s->priv_data;
-    int i;
-
-    av_freep(&nut->time_base);
-    av_freep(&nut->stream);
-    ff_nut_free_sp(nut);
-    for (i = 1; i < nut->header_count; i++)
-        av_freep(&nut->header[i]);
+    nut->last_resync_pos = 0;

    return 0;
 }
@@ -249,7 +249,7 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st,
        if (i == total_segments)
            page->granule = granule;

-        if (!header) {
+        {
            AVStream *st = s->streams[page->stream_index];

            int64_t start = av_rescale_q(page->start_granule, st->time_base,
@@ -257,10 +257,13 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st,
            int64_t next  = av_rescale_q(page->granule, st->time_base,
                                         AV_TIME_BASE_Q);

-            if (page->segments_count == 255 ||
-                (ogg->pref_size     > 0 && page->size   >= ogg->pref_size) ||
-                (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) {
+            if (page->segments_count == 255) {
                ogg_buffer_page(s, oggstream);
+            } else if (!header) {
+                if ((ogg->pref_size     > 0 && page->size   >= ogg->pref_size) ||
+                    (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) {
+                    ogg_buffer_page(s, oggstream);
+                }
            }
        }
    }
@@ -112,7 +112,7 @@ static int xiph_handle_packet(AVFormatContext *ctx, PayloadContext *data,
        return data->split_pkts > 0;
    }

-    if (len < 6) {
+    if (len < 6 || len > INT_MAX/2) {
        av_log(ctx, AV_LOG_ERROR, "Invalid %d byte packet\n", len);
        return AVERROR_INVALIDDATA;
    }
@@ -557,10 +557,6 @@ static int rtp_write_packet(AVFormatContext *s1, AVPacket *pkt)
            const uint8_t *mb_info =
                av_packet_get_side_data(pkt, AV_PKT_DATA_H263_MB_INFO,
                                        &mb_info_size);
-            if (!mb_info) {
-                av_log(s1, AV_LOG_ERROR, "failed to allocate side data\n");
-                return AVERROR(ENOMEM);
-            }
            ff_rtp_send_h263_rfc2190(s1, pkt->data, size, mb_info, mb_info_size);
            break;
        }
@@ -40,8 +40,8 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size)
    s->timestamp = s->cur_timestamp;

    /* convert video pixel dimensions from pixels to blocks */
-    w = s1->streams[0]->codec->width  >> 3;
-    h = s1->streams[0]->codec->height >> 3;
+    w = (s1->streams[0]->codec->width  + 7) >> 3;
+    h = (s1->streams[0]->codec->height + 7) >> 3;

    /* check if pixel format is not the normal 420 case */
    if (s1->streams[0]->codec->pix_fmt == AV_PIX_FMT_YUVJ422P) {
@@ -80,6 +80,11 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size)
        } else if (buf[i + 1] == SOS) {
            /* SOS is last marker in the header */
            i += AV_RB16(&buf[i + 2]) + 2;
+            if (i > size) {
+                av_log(s1, AV_LOG_ERROR,
+                       "Insufficient data. Aborted!\n");
+                return;
+            }
            break;
        }
    }
@@ -907,6 +907,8 @@ static void rtsp_parse_transport(RTSPMessageHeader *reply, const char *p)
            p++;

        reply->nb_transports++;
+        if (reply->nb_transports >= RTSP_MAX_TRANSPORTS)
+            break;
    }
 }

@@ -24,7 +24,7 @@
 #include "libavutil/avstring.h"

 AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q,
-                                    const uint8_t *event, int len, int merge)
+                                    const uint8_t *event, size_t len, int merge)
 {
    AVPacket *subs, *sub;

@@ -218,7 +218,7 @@ int ff_smil_extract_next_chunk(AVIOContext *pb, AVBPrint *buf, char *c)
 const char *ff_smil_get_attr_ptr(const char *s, const char *attr)
 {
    int in_quotes = 0;
-    const int len = strlen(attr);
+    const size_t len = strlen(attr);

    while (*s) {
        while (*s) {
@@ -47,7 +47,7 @@ typedef struct {
 *              previous one instead of adding a new entry, 0 otherwise
 */
 AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q,
-                                    const uint8_t *event, int len, int merge);
+                                    const uint8_t *event, size_t len, int merge);

 /**
 * Set missing durations and sort subtitles by PTS, and then byte position.
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.14
 .2.16