Update for 2.6.5

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
rtmpcrypt: Do the xtea decryption in little endian mode
2015-11-22 16:37:37 +01:00 · 2015-11-19 03:51:40 +01:00 · 2015-11-19 03:51:39 +01:00 · 2015-11-19 03:51:39 +01:00 · 2015-11-19 03:51:39 +01:00 · 2015-11-19 03:51:39 +01:00
143 changed files with 1183 additions and 339 deletions
@@ -1,6 +1,210 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 2.6.5:
+- rtmpcrypt: Do the xtea decryption in little endian mode
+- avformat/matroskadec: Check subtitle stream before dereferencing
+- avformat/utils: Do not init parser if probing is unfinished
+- avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions
+- avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range
+- avcodec/jpeg2000: Check comp coords to be within the supported size
+- avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component()
+- avcodec/wmaprodec: Check for overread in decode_packet()
+- avcodec/smacker: Check that the data size is a multiple of a sample vector
+- avcodec/takdec: Skip last p2 sample (which is unused)
+- avcodec/dxtory: Fix input size check in dxtory_decode_v1_410()
+- avcodec/dxtory: Fix input size check in dxtory_decode_v1_420()
+- avcodec/error_resilience: avoid accessing previous or next frames tables beyond height
+- avcodec/dpx: Move need_align to act per line
+- avcodec/flashsv: Check size before updating it
+- avcodec/ivi: Check image dimensions
+- avcodec/utils: Better check for channels in av_get_audio_frame_duration()
+- avcodec/jpeg2000dec: Check for duplicate SIZ marker
+- doc/ffmpeg: Clarify that the sdp_file option requires an rtp output.
+- ffmpeg: Don't try and write sdp info if none of the outputs had an rtp format.
+- jvdec: avoid unsigned overflow in comparison
+- avcodec/jpeg2000dec: Clip all tile coordinates
+- avcodec/hevc_ps: Check chroma_format_idc
+- avcodec/microdvddec: Check for string end in 'P' case
+- avcodec/dirac_parser: Fix undefined memcpy() use
+- avformat/xmv: Discard remainder of packet on error
+- avformat/xmv: factor return check out of if/else
+- avcodec/mpeg12dec: Do not call show_bits() with invalid bits
+- libavutil/channel_layout: Check strtol*() for failure
+- avcodec/ffv1dec: Check for 0 quant tables
+- avcodec/mjpegdec: Reinitialize IDCT on BPP changes
+- avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it
+- avutil/file_open: avoid file handle inheritance on Windows
+- opusdec: Don't run vector_fmul_scalar on zero length arrays
+- avcodec/ffv1: Initialize vlc_state on allocation
+- avcodec/ffv1dec: update progress in case of broken pointer chains
+- avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header decoding fails for other reasons
+- avformat/httpauth: Add space after commas in HTTP/RTSP auth header
+- avcodec/x86/sbrdsp: Fix using uninitialized upper 32bit of noise
+- avcodec/ffv1dec: Fix off by 1 error in quant_table_count check
+- avcodec/ffv1dec: Explicitly check read_quant_table() return value
+- avcodec/rangecoder: Check e
+- lavf/webvttenc: Require webvtt file to contain exactly one WebVTT stream.
+- avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG
+- avfilter/af_asyncts: use llabs for int64_t
+- avcodec/g2meet: Also clear tile dimensions on header_fail
+- avcodec/g2meet: Fix potential overflow in tile dimensions check
+- avcodec/svq1dec: Check init_get_bits8() for failure
+- avcodec/tta: Check init_get_bits8() for failure
+- avcodec/vp3: Check init_get_bits8() for failure
+- swresample/swresample: Fix integer overflow in seed calculation
+- avformat/mov: Fix integer overflow in FFABS
+- avutil/common: Add FFNABS()
+- avutil/common: Document FFABS() corner case
+- avformat/dump: Fix integer overflow in aspect ratio calculation
+- avcodec/truemotion1: Check for even width
+- avcodec/mpeg12dec: Set dimensions in mpeg1_decode_sequence() only in absence of errors
+- avcodec/libopusenc: Fix infinite loop on flushing after 0 input
+- avformat/hevc: Check num_long_term_ref_pics_sps to avoid potentially long loops
+- avformat/hevc: Fix parsing errors
+- ffmpeg: Use correct codec_id for av_parser_change() check
+- ffmpeg: Check av_parser_change() for failure
+- ffmpeg: Check for RAWVIDEO and do not relay only on AVFMT_RAWPICTURE
+- ffmpeg: check avpicture_fill() return value
+- avformat/mux: Update sidedata in ff_write_chained()
+- avcodec/flashsvenc: Correct max dimension in error message
+- avcodec/svq1enc: Check dimensions
+- avcodec/dcaenc: clear bitstream end
+- libavcodec/aacdec_template: Use init_get_bits8() in aac_decode_frame()
+- rawdec: fix mjpeg probing buffer size check
+- rawdec: fix mjpeg probing
+- videodsp: don't overread edges in vfix3 emu_edge.
+- lavf/matroskadec: Fully parse and repack MP3 packets
+- avcodec/h264_mp4toannexb_bsf: Reorder operations in nal_size check
+- avformat/oggenc: Check segments_count for headers too
+- avformat/avidec: Workaround broken initial frame
+- hevc: properly handle no_rasl_output_flag when removing pictures from the DPB
+- hevc: fix wpp threading deadlock.
+- avcodec/ffv1: separate slice_count from max_slice_count
+- lavf/img2dec: Fix memory leak
+- avcodec/mp3: fix skipping zeros
+- avformat/srtdec: make sure we probe a number
+- avformat/srtdec: more lenient first line probing
+- doc: mention libavcodec can decode Opus natively
+- MAINTAINERS: Remove myself as leader
+
+
+version 2.6.4:
+- imc: use correct position for flcoeffs2 calculation
+- hevc: check slice address length
+- snow: remove an obsolete av_assert2
+- webp: fix infinite loop in webp_decode_frame
+- wavpack: limit extra_bits to 32 and use get_bits_long
+- ffmpeg: only count got_output/errors in decode_error_stat
+- ffmpeg: exit_on_error if decoding a packet failed
+- pthread_frame: forward error codes when flushing
+- huffyuvdec: validate image size
+- wavpack: use get_bits_long to read up to 32 bits
+- nutdec: check maxpos in read_sm_data before returning success
+- vc1dec: use get_bits_long and limit the read bits to 32
+- mpegaudiodec: copy AVFloatDSPContext from first context to all contexts
+- avcodec/vp8: Check buffer size in vp8_decode_frame_header()
+- avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free()
+- avcodec/diracdec: Check for hpel_base allocation failure
+- avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy()
+- avfilter/af_aresample: Check ff_all_* for allocation failures
+- avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case
+- swscale/utils: Clear pix buffers
+- avutil/fifo: Fix the case where func() returns less bytes than requested in av_fifo_generic_write()
+- ffmpeg: Fix cleanup after failed allocation of output_files
+- avformat/mov: Fix deallocation when MOVStreamContext failed to allocate
+- ffmpeg: Fix crash with ost->last_frame allocation failure
+- ffmpeg: Fix cleanup with ost = NULL
+- avcodec/pthread_frame: check avctx on deallocation
+- avcodec/sanm: Reset sizes in destroy_buffers()
+- avcodec/alac: Clear pointers in allocate_buffers()
+- bytestream2: set the reader to the end when reading more than available
+- avcodec/utils: use a minimum 32pixel width in  avcodec_align_dimensions2() for H.264
+- avcodec/mpegvideo: Clear pointers in ff_mpv_common_init()
+- oggparsedirac: check return value of init_get_bits
+- wmalosslessdec: reset frame->nb_samples on packet loss
+- wmalosslessdec: avoid reading 0 bits with get_bits
+- avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2()
+- avcodec/aacsbr: Assert that bs_num_env is positive
+- avcodec/aacsbr: check that the element type matches before applying SBR
+- avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h
+- vp9/update_prob: prevent out of bounds table read
+- avfilter/vf_transpose: Fix rounding error
+- avcodec/pngdec: Check values before updating context in decode_fctl_chunk()
+- avcodec/pngdec: Require a IHDR chunk before fctl
+- avcodec/pngdec: Only allow one IHDR chunk
+- wmavoice: limit wmavoice_decode_packet return value to packet size
+- swscale/swscale_unscaled: Fix rounding difference with RGBA output between little and big endian
+- ffmpeg: Do not use the data/size of a bitstream filter after failure
+- swscale/x86/rgb2rgb_template: fix signedness of v in shuffle_bytes_2103_{mmx,mmxext}
+- swscale/x86/rgb2rgb_template: add missing xmm clobbers
+- vda: unlock the pixel buffer base address.
+- swscale/rgb2rgb_template: Fix signedness of v in shuffle_bytes_2103_c()
+- swscale/rgb2rgb_template: Implement shuffle_bytes_0321_c and fix shuffle_bytes_2103_c on BE
+- swscale/rgb2rgb_template: Disable shuffle_bytes_2103_c on big endian
+- swr: Remember previously set int_sample_format from user
+- matroskadec: check audio sample rate
+- matroskadec: validate audio channels and bitdepth
+- avcodec/dpxenc: implement write16/32 as functions
+- postproc: fix unaligned access
+- ffmpeg: Free last_frame instead of just unref
+- avio: fix potential crashes when combining ffio_ensure_seekback + crc
+- examples/demuxing_decoding: use properties from frame instead of video_dec_ctx
+- h264: er: Copy from the previous reference only if compatible
+- sonic: set avctx->channels in sonic_decode_init
+- vp8: change mv_{min,max}.{x,y} type to int
+- vp9: change type of tile_size from unsigned to int64_t
+- arm: only enable setend on ARMv6
+- libopenjpegdec: check existence of image component data
+- mov: abort on EOF in ff_mov_read_chan
+- ffmpeg_opt: Check for localtime() failure
+- avformat: Fix bug in parse_rps for HEVC.
+- takdec: ensure chan2 is a valid channel index
+- avcodec/h264_slice: Use AVFrame diemensions for grayscale handling
+- avdevice/lavfi: do not rescale AV_NOPTS_VALUE in lavfi_read_packet()
+- libavutil/channel_layout: Correctly return layout when channel specification ends with a trailing 'c'.
+- avcodec/jpeg2000dec: Check that coords match before applying ICT
+- avformat/ffmdec: Check ffio_set_buf_size() return value
+- avcodec/adpcm: Check for overreads
+- avcodec/alsdec: Check for overread
+- avcodec/atrac3plusdec: consume only as many bytes as available
+- libavutil/softfloat: Fix av_normalize1_sf bias.
+- swresample/swresample: Cleanup on init failure.
+- Revert "avformat/rtpenc: check av_packet_get_side_data() return, fix null ptr dereference"
+- avformat/mxfenc: Accept MXF D-10 with 49.999840 Mbit/sec
+- swresample/dither: check memory allocation
+- libopenjpegenc: add NULL check for img before accessing it
+- swresample: Check the return value of resampler->init()
+- h264: Make sure reinit failures mark the context as not initialized
+- avfilter/x86/vf_fspp: Fix invalid combination of opcode and operands
+- ffmpeg_opt: Set the video VBV parameters only for the video stream from -target
+- avcodec/bitstream: Assert that there is enough space left in avpriv_copy_bits()
+- avcodec/put_bits: Assert that there is enough space left in skip_put_bytes()
+- avcodec/mpegvideo_enc: Update the buffer size as more slices are merged
+- avcodec/put_bits: Update size_in_bits in set_put_bits_buffer_size()
+- avformat/wavdec: Increase dts packet threshold to fix more misdetections
+- avformat/wavdec: Increase probe_packets limit
+- nutdec: abort if EOF is reached in decode_info_header/read_sm_data
+- nutdec: stop skipping bytes at EOF
+- nutdec: fix infinite resync loops
+- avformat/nutdec: Check X in 2nd branch of index reading
+- avformat/nutdec: Fix recovery when immedeately after seeking a failure happens
+- avformat/nutdec: Return error on EOF from get_str()
+- rtsp: Make sure we don't write too many transport entries into a fixed-size array
+- rtpenc_jpeg: handle case of picture dimensions not dividing by 8
+- avcodec/golomb: get_ur_golomb_jpegls: Fix reading huge k values
+- avformat/swfdec: Do not error out on pixel format changes
+- avformat/mov: Mark avio context of decompressed atoms as seekable
+- avcodec/mjpegenc_common: Use ff_mpv_reallocate_putbitbuffer()
+- avcodec/mpegvideo: Factor ff_mpv_reallocate_putbitbuffer() out
+- avfilter/x86/vf_hqdn3d: Fix register types
+- avcodec/exr: fix crash caused by merge
+- avcodec/x86/h264_weight: handle weight1=128
+- avcodec/dvbsubdec: Fix buf_size check in dvbsub_parse_display_definition_segment()
+- avcodec/hevc_ps: Only discard overread VPS if a previous is available
+- avcodec/flacenc: Fix Invalid Rice order
+- lavd/xcbgrab: fix comparison with screen size.
+
 version 2.6.3:
 - avcodec/libtheoraenc: Check for av_malloc failure
 - ffmpeg_opt: Fix -timestamp parsing
@@ -14,7 +14,6 @@ patches and related discussions.
 Project Leader
 ==============

-Michael Niedermayer
  final design decisions


@@ -1 +1 @@
-2.6.3
+2.6.5
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 2.6.3
+PROJECT_NUMBER         = 2.6.5

 # With the PROJECT_LOGO tag one can specify a logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
@@ -81,22 +81,24 @@ static int decode_packet(int *got_frame, int cached)
            fprintf(stderr, "Error decoding video frame (%s)\n", av_err2str(ret));
            return ret;
        }
-        if (video_dec_ctx->width != width || video_dec_ctx->height != height ||
-            video_dec_ctx->pix_fmt != pix_fmt) {
-            /* To handle this change, one could call av_image_alloc again and
-             * decode the following frames into another rawvideo file. */
-            fprintf(stderr, "Error: Width, height and pixel format have to be "
-                    "constant in a rawvideo file, but the width, height or "
-                    "pixel format of the input video changed:\n"
-                    "old: width = %d, height = %d, format = %s\n"
-                    "new: width = %d, height = %d, format = %s\n",
-                    width, height, av_get_pix_fmt_name(pix_fmt),
-                    video_dec_ctx->width, video_dec_ctx->height,
-                    av_get_pix_fmt_name(video_dec_ctx->pix_fmt));
-            return -1;
-        }

        if (*got_frame) {
+
+            if (frame->width != width || frame->height != height ||
+                frame->format != pix_fmt) {
+                /* To handle this change, one could call av_image_alloc again and
+                 * decode the following frames into another rawvideo file. */
+                fprintf(stderr, "Error: Width, height and pixel format have to be "
+                        "constant in a rawvideo file, but the width, height or "
+                        "pixel format of the input video changed:\n"
+                        "old: width = %d, height = %d, format = %s\n"
+                        "new: width = %d, height = %d, format = %s\n",
+                        width, height, av_get_pix_fmt_name(pix_fmt),
+                        frame->width, frame->height,
+                        av_get_pix_fmt_name(frame->format));
+                return -1;
+            }
+
            printf("video_frame%s n:%d coded_n:%d pts:%s\n",
                   cached ? "(cached)" : "",
                   video_frame_count++, frame->coded_picture_number,
@@ -1175,9 +1175,9 @@ The option is intended for cases where features are needed that cannot be
 specified to @command{ffserver} but can be to @command{ffmpeg}.

@item -sdp_file @var{file} (@emph{global})
-Print sdp information to @var{file}.
+Print sdp information for an output stream to @var{file}.
 This allows dumping sdp information when at least one output isn't an
-rtp stream.
+rtp stream. (Requires at least one of the output formats to be rtp).

@item -discard (@emph{input})
 Allows discarding specific streams or frames of streams at the demuxer.
@@ -948,8 +948,8 @@ following image formats are supported:
@item Musepack SV8           @tab     @tab  X
@item Nellymoser Asao        @tab  X  @tab  X
@item On2 AVC (Audio for Video Codec) @tab     @tab  X
-@item Opus                   @tab  E  @tab  E
-    @tab supported through external library libopus
+@item Opus                   @tab  E  @tab  X
+    @tab encoding supported through external library libopus
@item PCM A-law              @tab  X  @tab  X
@item PCM mu-law             @tab  X  @tab  X
@item PCM signed 8-bit planar  @tab  X  @tab  X
@@ -455,7 +455,10 @@ static void ffmpeg_cleanup(int ret)
    /* close files */
    for (i = 0; i < nb_output_files; i++) {
        OutputFile *of = output_files[i];
-        AVFormatContext *s = of->ctx;
+        AVFormatContext *s;
+        if (!of)
+            continue;
+        s = of->ctx;
        if (s && s->oformat && !(s->oformat->flags & AVFMT_NOFILE))
            avio_closep(&s->pb);
        avformat_free_context(s);
@@ -465,7 +468,12 @@ static void ffmpeg_cleanup(int ret)
    }
    for (i = 0; i < nb_output_streams; i++) {
        OutputStream *ost = output_streams[i];
-        AVBitStreamFilterContext *bsfc = ost->bitstream_filters;
+        AVBitStreamFilterContext *bsfc;
+
+        if (!ost)
+            continue;
+
+        bsfc = ost->bitstream_filters;
        while (bsfc) {
            AVBitStreamFilterContext *next = bsfc->next;
            av_bitstream_filter_close(bsfc);
@@ -649,6 +657,7 @@ static void write_frame(AVFormatContext *s, AVPacket *pkt, OutputStream *ost)
            if (!new_pkt.buf)
                exit_program(1);
        } else if (a < 0) {
+            new_pkt = *pkt;
            av_log(NULL, AV_LOG_ERROR, "Failed to open bitstream filter %s for stream %d with codec %s",
                   bsfc->filter->name, pkt->stream_index,
                   avctx->codec ? avctx->codec->name : "copy");
@@ -1155,7 +1164,10 @@ static void do_video_out(AVFormatContext *s,
    if (!ost->last_frame)
        ost->last_frame = av_frame_alloc();
    av_frame_unref(ost->last_frame);
-    av_frame_ref(ost->last_frame, next_picture);
+    if (next_picture && ost->last_frame)
+        av_frame_ref(ost->last_frame, next_picture);
+    else
+        av_frame_free(&ost->last_frame);
 }

 static double psnr(double d)
@@ -1755,17 +1767,21 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p

    opkt.duration = av_rescale_q(pkt->duration, ist->st->time_base, ost->st->time_base);
    opkt.flags    = pkt->flags;
-
    // FIXME remove the following 2 lines they shall be replaced by the bitstream filters
-    if (  ost->enc_ctx->codec_id != AV_CODEC_ID_H264
-       && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG1VIDEO
-       && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG2VIDEO
-       && ost->enc_ctx->codec_id != AV_CODEC_ID_VC1
+    if (  ost->st->codec->codec_id != AV_CODEC_ID_H264
+       && ost->st->codec->codec_id != AV_CODEC_ID_MPEG1VIDEO
+       && ost->st->codec->codec_id != AV_CODEC_ID_MPEG2VIDEO
+       && ost->st->codec->codec_id != AV_CODEC_ID_VC1
       ) {
-        if (av_parser_change(ost->parser, ost->st->codec,
+        int ret = av_parser_change(ost->parser, ost->st->codec,
                             &opkt.data, &opkt.size,
                             pkt->data, pkt->size,
-                             pkt->flags & AV_PKT_FLAG_KEY)) {
+                             pkt->flags & AV_PKT_FLAG_KEY);
+        if (ret < 0) {
+            av_log(NULL, AV_LOG_FATAL, "av_parser_change failed\n");
+            exit_program(1);
+        }
+        if (ret) {
            opkt.buf = av_buffer_create(opkt.data, opkt.size, av_buffer_default_free, NULL, 0);
            if (!opkt.buf)
                exit_program(1);
@@ -1776,9 +1792,15 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p
    }
    av_copy_packet_side_data(&opkt, pkt);

-    if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) {
+    if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO &&
+        ost->st->codec->codec_id == AV_CODEC_ID_RAWVIDEO &&
+        (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) {
        /* store AVPicture in AVPacket, as expected by the output format */
-        avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height);
+        int ret = avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height);
+        if (ret < 0) {
+            av_log(NULL, AV_LOG_FATAL, "avpicture_fill failed\n");
+            exit_program(1);
+        }
        opkt.data = (uint8_t *)&pict;
        opkt.size = sizeof(AVPicture);
        opkt.flags |= AV_PKT_FLAG_KEY;
@@ -1829,9 +1851,12 @@ static int decode_audio(InputStream *ist, AVPacket *pkt, int *got_output)
        ret = AVERROR_INVALIDDATA;
    }

-    if (*got_output || ret<0 || pkt->size)
+    if (*got_output || ret<0)
        decode_error_stat[ret<0] ++;

+    if (ret < 0 && exit_on_error)
+        exit_program(1);
+
    if (!*got_output || ret < 0) {
        if (!pkt->size) {
            for (i = 0; i < ist->nb_filters; i++)
@@ -1974,9 +1999,12 @@ static int decode_video(InputStream *ist, AVPacket *pkt, int *got_output)
            );
    }

-    if (*got_output || ret<0 || pkt->size)
+    if (*got_output || ret<0)
        decode_error_stat[ret<0] ++;

+    if (ret < 0 && exit_on_error)
+        exit_program(1);
+
    if (*got_output && ret >= 0) {
        if (ist->dec_ctx->width  != decoded_frame->width ||
            ist->dec_ctx->height != decoded_frame->height ||
@@ -2092,9 +2120,12 @@ static int transcode_subtitles(InputStream *ist, AVPacket *pkt, int *got_output)
    int i, ret = avcodec_decode_subtitle2(ist->dec_ctx,
                                          &subtitle, got_output, pkt);

-    if (*got_output || ret<0 || pkt->size)
+    if (*got_output || ret<0)
        decode_error_stat[ret<0] ++;

+    if (ret < 0 && exit_on_error)
+        exit_program(1);
+
    if (ret < 0 || !*got_output) {
        if (!pkt->size)
            sub2video_flush(ist);
@@ -2306,6 +2337,9 @@ static void print_sdp(void)
        }
    }

+    if (!j)
+        goto fail;
+
    av_sdp_create(avc, j, sdp, sizeof(sdp));

    if (!sdp_filename) {
@@ -2321,6 +2355,7 @@ static void print_sdp(void)
        }
    }

+fail:
    av_freep(&avc);
 }

@@ -2282,9 +2282,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg)
        opt_default(NULL, "g", norm == PAL ? "15" : "18");

        opt_default(NULL, "b:v", "1150000");
-        opt_default(NULL, "maxrate", "1150000");
-        opt_default(NULL, "minrate", "1150000");
-        opt_default(NULL, "bufsize", "327680"); // 40*1024*8;
+        opt_default(NULL, "maxrate:v", "1150000");
+        opt_default(NULL, "minrate:v", "1150000");
+        opt_default(NULL, "bufsize:v", "327680"); // 40*1024*8;

        opt_default(NULL, "b:a", "224000");
        parse_option(o, "ar", "44100", options);
@@ -2311,9 +2311,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg)
        opt_default(NULL, "g", norm == PAL ? "15" : "18");

        opt_default(NULL, "b:v", "2040000");
-        opt_default(NULL, "maxrate", "2516000");
-        opt_default(NULL, "minrate", "0"); // 1145000;
-        opt_default(NULL, "bufsize", "1835008"); // 224*1024*8;
+        opt_default(NULL, "maxrate:v", "2516000");
+        opt_default(NULL, "minrate:v", "0"); // 1145000;
+        opt_default(NULL, "bufsize:v", "1835008"); // 224*1024*8;
        opt_default(NULL, "scan_offset", "1");

        opt_default(NULL, "b:a", "224000");
@@ -2333,9 +2333,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg)
        opt_default(NULL, "g", norm == PAL ? "15" : "18");

        opt_default(NULL, "b:v", "6000000");
-        opt_default(NULL, "maxrate", "9000000");
-        opt_default(NULL, "minrate", "0"); // 1500000;
-        opt_default(NULL, "bufsize", "1835008"); // 224*1024*8;
+        opt_default(NULL, "maxrate:v", "9000000");
+        opt_default(NULL, "minrate:v", "0"); // 1500000;
+        opt_default(NULL, "bufsize:v", "1835008"); // 224*1024*8;

        opt_default(NULL, "packetsize", "2048");  // from www.mpucoder.com: DVD sectors contain 2048 bytes of data, this is also the size of one pack.
        opt_default(NULL, "muxrate", "10080000"); // from mplex project: data_rate = 1260000. mux_rate = data_rate * 8
@@ -2379,6 +2379,9 @@ static int opt_vstats(void *optctx, const char *opt, const char *arg)
    time_t today2 = time(NULL);
    struct tm *today = localtime(&today2);

+    if (!today)
+        return AVERROR(errno);
+
    snprintf(filename, sizeof(filename), "vstats_%02d%02d%02d.log", today->tm_hour, today->tm_min,
             today->tm_sec);
    return opt_vstats_file(NULL, opt, filename);
@@ -77,6 +77,8 @@ static int vda_retrieve_data(AVCodecContext *s, AVFrame *frame)
                  frame->width, frame->height);

    ret = av_frame_copy_props(vda->tmp_frame, frame);
+    CVPixelBufferUnlockBaseAddress(pixbuf, kCVPixelBufferLock_ReadOnly);
+
    if (ret < 0)
        return ret;

@@ -3148,7 +3148,7 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data,
    if (INT_MAX / 8 <= buf_size)
        return AVERROR_INVALIDDATA;

-    if ((err = init_get_bits(&gb, buf, buf_size * 8)) < 0)
+    if ((err = init_get_bits8(&gb, buf, buf_size)) < 0)
        return err;

    switch (ac->oc[1].m4ac.object_type) {
@@ -1018,6 +1018,8 @@ static unsigned int read_sbr_data(AACContext *ac, SpectralBandReplication *sbr,
 {
    unsigned int cnt = get_bits_count(gb);

+    sbr->id_aac = id_aac;
+
    if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) {
        if (read_sbr_single_channel_element(ac, sbr, gb)) {
            sbr_turnoff(sbr);
@@ -1694,6 +1696,12 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac,
    int nch = (id_aac == TYPE_CPE) ? 2 : 1;
    int err;

+    if (id_aac != sbr->id_aac) {
+        av_log(ac->avctx, AV_LOG_ERROR,
+            "element type mismatch %d != %d\n", id_aac, sbr->id_aac);
+        sbr_turnoff(sbr);
+    }
+
    if (!sbr->kx_and_m_pushed) {
        sbr->kx[0] = sbr->kx[1];
        sbr->m[0] = sbr->m[1];
@@ -1717,6 +1725,7 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac,
            sbr->c.sbr_hf_inverse_filter(&sbr->dsp, sbr->alpha0, sbr->alpha1,
                                         (const float (*)[40][2]) sbr->X_low, sbr->k[0]);
            sbr_chirp(sbr, &sbr->data[ch]);
+            av_assert0(sbr->data[ch].bs_num_env > 0);
            sbr_hf_gen(ac, sbr, sbr->X_high,
                       (const float (*)[40][2]) sbr->X_low,
                       (const float (*)[2]) sbr->alpha0,
@@ -578,6 +578,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
    case AV_CODEC_ID_ADPCM_IMA_DK4:
        if (avctx->block_align > 0)
            buf_size = FFMIN(buf_size, avctx->block_align);
+        if (buf_size < 4 * ch)
+            return AVERROR_INVALIDDATA;
        nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch;
        break;
    case AV_CODEC_ID_ADPCM_IMA_RAD:
@@ -591,13 +593,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
        int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2];
        if (avctx->block_align > 0)
            buf_size = FFMIN(buf_size, avctx->block_align);
+        if (buf_size < 4 * ch)
+            return AVERROR_INVALIDDATA;
        nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples;
        break;
    }
    case AV_CODEC_ID_ADPCM_MS:
        if (avctx->block_align > 0)
            buf_size = FFMIN(buf_size, avctx->block_align);
-        nb_samples = 2 + (buf_size - 7 * ch) * 2 / ch;
+        nb_samples = (buf_size - 6 * ch) * 2 / ch;
        break;
    case AV_CODEC_ID_ADPCM_SBPRO_2:
    case AV_CODEC_ID_ADPCM_SBPRO_3:
@@ -610,6 +614,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
        case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break;
        }
        if (!s->status[0].step_index) {
+            if (buf_size < ch)
+                return AVERROR_INVALIDDATA;
            nb_samples++;
            buf_size -= ch;
        }
@@ -1528,6 +1534,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,

    *got_frame_ptr = 1;

+    if (avpkt->size < bytestream2_tell(&gb)) {
+        av_log(avctx, AV_LOG_ERROR, "Overread of %d < %d\n", avpkt->size, bytestream2_tell(&gb));
+        return avpkt->size;
+    }
+
    return bytestream2_tell(&gb);
 }

@@ -533,6 +533,12 @@ static int allocate_buffers(ALACContext *alac)
    int ch;
    int buf_size = alac->max_samples_per_frame * sizeof(int32_t);

+    for (ch = 0; ch < 2; ch++) {
+        alac->predict_error_buffer[ch]  = NULL;
+        alac->output_samples_buffer[ch] = NULL;
+        alac->extra_bits_buffer[ch]     = NULL;
+    }
+
    for (ch = 0; ch < FFMIN(alac->channels, 2); ch++) {
        FF_ALLOC_OR_GOTO(alac->avctx, alac->predict_error_buffer[ch],
                         buf_size, buf_alloc_fail);
@@ -1493,6 +1493,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)

    // TODO: read_diff_float_data

+    if (get_bits_left(gb) < 0) {
+        av_log(ctx->avctx, AV_LOG_ERROR, "Overread %d\n", -get_bits_left(gb));
+        return AVERROR_INVALIDDATA;
+    }
+
    return 0;
 }

@@ -381,7 +381,7 @@ static int atrac3p_decode_frame(AVCodecContext *avctx, void *data,

    *got_frame_ptr = 1;

-    return avctx->block_align;
+    return FFMIN(avctx->block_align, avpkt->size);
 }

 AVCodec ff_atrac3p_decoder = {
@@ -69,6 +69,8 @@ void avpriv_copy_bits(PutBitContext *pb, const uint8_t *src, int length)
    if (length == 0)
        return;

+    av_assert0(length <= put_bits_left(pb));
+
    if (CONFIG_SMALL || words < 16 || put_bits_count(pb) & 7) {
        for (i = 0; i < words; i++)
            put_bits(pb, 16, AV_RB16(src + 2 * i));
@@ -71,8 +71,10 @@ static av_always_inline type bytestream2_get_ ## name ## u(GetByteContext *g)  \
 }                                                                              \
 static av_always_inline type bytestream2_get_ ## name(GetByteContext *g)       \
 {                                                                              \
-    if (g->buffer_end - g->buffer < bytes)                                     \
+    if (g->buffer_end - g->buffer < bytes) {                                   \
+        g->buffer = g->buffer_end;                                             \
        return 0;                                                              \
+    }                                                                          \
    return bytestream2_get_ ## name ## u(g);                                   \
 }                                                                              \
 static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g)      \
@@ -939,6 +939,10 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
    for (i = 0; i < SUBFRAMES; i++)
        put_subframe(c, i);

+
+    for (i = put_bits_count(&c->pb); i < 8*c->frame_size; i++)
+        put_bits(&c->pb, 1, 0);
+
    flush_put_bits(&c->pb);

    avpkt->pts      = frame->pts;
@@ -123,7 +123,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx,
    DiracParseContext *pc = s->priv_data;

    if (pc->overread_index) {
-        memcpy(pc->buffer, pc->buffer + pc->overread_index,
+        memmove(pc->buffer, pc->buffer + pc->overread_index,
               pc->index - pc->overread_index);
        pc->index         -= pc->overread_index;
        pc->overread_index = 0;
@@ -1564,7 +1564,7 @@ static void select_dsp_funcs(DiracContext *s, int width, int height, int xblen,
    }
 }

-static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, int width, int height)
+static int interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, int width, int height)
 {
    /* chroma allocates an edge of 8 when subsampled
       which for 4:2:2 means an h edge of 16 and v edge of 8
@@ -1576,11 +1576,14 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in

    /* no need for hpel if we only have fpel vectors */
    if (!s->mv_precision)
-        return;
+        return 0;

    for (i = 1; i < 4; i++) {
        if (!ref->hpel_base[plane][i])
            ref->hpel_base[plane][i] = av_malloc((height+2*edge) * ref->avframe->linesize[plane] + 32);
+        if (!ref->hpel_base[plane][i]) {
+            return AVERROR(ENOMEM);
+        }
        /* we need to be 16-byte aligned even for chroma */
        ref->hpel[plane][i] = ref->hpel_base[plane][i] + edge*ref->avframe->linesize[plane] + 16;
    }
@@ -1594,6 +1597,8 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in
        s->mpvencdsp.draw_edges(ref->hpel[plane][3], ref->avframe->linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM);
    }
    ref->interpolated[plane] = 1;
+
+    return 0;
 }

 /**
@@ -1646,8 +1651,11 @@ static int dirac_decode_frame_internal(DiracContext *s)

            select_dsp_funcs(s, p->width, p->height, p->xblen, p->yblen);

-            for (i = 0; i < s->num_refs; i++)
-                interpolate_refplane(s, s->ref_pics[i], comp, p->width, p->height);
+            for (i = 0; i < s->num_refs; i++) {
+                int ret = interpolate_refplane(s, s->ref_pics[i], comp, p->width, p->height);
+                if (ret < 0)
+                    return ret;
+            }

            memset(s->mctmp, 0, 4*p->yoffset*p->stride);

@@ -348,11 +348,11 @@ static int decode_frame(AVCodecContext *avctx,
                // For 12 bit, ignore alpha
                if (elements == 4)
                    buf += 2;
-                // Jump to next aligned position
-                buf += need_align;
            }
            for (i = 0; i < 3; i++)
                ptr[i] += p->linesize[i];
+            // Jump to next aligned position
+            buf += need_align;
        }
        break;
    case 16:
@@ -75,17 +75,20 @@ static av_cold int encode_init(AVCodecContext *avctx)
    return 0;
 }

-#define write16(p, value) \
-do { \
-    if (s->big_endian) AV_WB16(p, value); \
-    else               AV_WL16(p, value); \
-} while(0)
+static av_always_inline void write16_internal(int big_endian, void *p, int value)
+{
+    if (big_endian) AV_WB16(p, value);
+    else            AV_WL16(p, value);
+}

-#define write32(p, value) \
-do { \
-    if (s->big_endian) AV_WB32(p, value); \
-    else               AV_WL32(p, value); \
-} while(0)
+static av_always_inline void write32_internal(int big_endian, void *p, int value)
+{
+    if (big_endian) AV_WB32(p, value);
+    else            AV_WL32(p, value);
+}
+
+#define write16(p, value) write16_internal(s->big_endian, p, value)
+#define write32(p, value) write32_internal(s->big_endian, p, value)

 static void encode_rgb48_10bit(AVCodecContext *avctx, const AVPicture *pic, uint8_t *dst)
 {
@@ -1503,10 +1503,10 @@ static int dvbsub_parse_display_definition_segment(AVCodecContext *avctx,
        avctx->height = display_def->height;
    }

-    if (buf_size < 13)
-        return AVERROR_INVALIDDATA;
-
    if (info_byte & 1<<3) { // display_window_flag
+        if (buf_size < 13)
+            return AVERROR_INVALIDDATA;
+
        display_def->x = bytestream_get_be16(&buf);
        display_def->width  = bytestream_get_be16(&buf) - display_def->x + 1;
        display_def->y = bytestream_get_be16(&buf);
@@ -65,7 +65,7 @@ static int dxtory_decode_v1_410(AVCodecContext *avctx, AVFrame *pic,
    uint8_t *Y1, *Y2, *Y3, *Y4, *U, *V;
    int ret;

-    if (src_size < avctx->width * avctx->height * 9LL / 8) {
+    if (src_size < FFALIGN(avctx->width, 4) * FFALIGN(avctx->height, 4) * 9LL / 8) {
        av_log(avctx, AV_LOG_ERROR, "packet too small\n");
        return AVERROR_INVALIDDATA;
    }
@@ -108,7 +108,7 @@ static int dxtory_decode_v1_420(AVCodecContext *avctx, AVFrame *pic,
    uint8_t *Y1, *Y2, *U, *V;
    int ret;

-    if (src_size < avctx->width * avctx->height * 3LL / 2) {
+    if (src_size < FFALIGN(avctx->width, 2) * FFALIGN(avctx->height, 2) * 3LL / 2) {
        av_log(avctx, AV_LOG_ERROR, "packet too small\n");
        return AVERROR_INVALIDDATA;
    }
@@ -378,14 +378,19 @@ static void guess_mv(ERContext *s)
 #define MV_UNCHANGED 1
    const int mb_stride = s->mb_stride;
    const int mb_width  = s->mb_width;
-    const int mb_height = s->mb_height;
+    int mb_height = s->mb_height;
    int i, depth, num_avail;
    int mb_x, mb_y, mot_step, mot_stride;

+    if (s->last_pic.f && s->last_pic.f->data[0])
+        mb_height = FFMIN(mb_height, (s->last_pic.f->height+15)>>4);
+    if (s->next_pic.f && s->next_pic.f->data[0])
+        mb_height = FFMIN(mb_height, (s->next_pic.f->height+15)>>4);
+
    set_mv_strides(s, &mot_step, &mot_stride);

    num_avail = 0;
-    for (i = 0; i < s->mb_num; i++) {
+    for (i = 0; i < mb_width * mb_height; i++) {
        const int mb_xy = s->mb_index2xy[i];
        int f = 0;
        int error = s->error_status_table[mb_xy];
@@ -410,7 +415,7 @@ static void guess_mv(ERContext *s)

    if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) ||
        num_avail <= mb_width / 2) {
-        for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
+        for (mb_y = 0; mb_y < mb_height; mb_y++) {
            for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
                const int mb_xy = mb_x + mb_y * s->mb_stride;
                int mv_dir = (s->last_pic.f && s->last_pic.f->data[0]) ? MV_DIR_FORWARD : MV_DIR_BACKWARD;
@@ -439,7 +444,7 @@ static void guess_mv(ERContext *s)
            int score_sum = 0;

            changed = 0;
-            for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
+            for (mb_y = 0; mb_y < mb_height; mb_y++) {
                for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
                    const int mb_xy        = mb_x + mb_y * s->mb_stride;
                    int mv_predictor[8][2] = { { 0 } };
@@ -672,7 +677,7 @@ skip_last_mv:
        if (none_left)
            return;

-        for (i = 0; i < s->mb_num; i++) {
+        for (i = 0; i < mb_width * mb_height; i++) {
            int mb_xy = s->mb_index2xy[i];
            if (fixed[mb_xy])
                fixed[mb_xy] = MV_FROZEN;
@@ -1010,6 +1010,22 @@ static int decode_header(EXRContext *s)
    int current_channel_offset = 0;
    int magic_number, version, flags, i;

+    s->xmin               = ~0;
+    s->xmax               = ~0;
+    s->ymin               = ~0;
+    s->ymax               = ~0;
+    s->xdelta             = ~0;
+    s->ydelta             = ~0;
+    s->channel_offsets[0] = -1;
+    s->channel_offsets[1] = -1;
+    s->channel_offsets[2] = -1;
+    s->channel_offsets[3] = -1;
+    s->pixel_type         = EXR_UNKNOWN;
+    s->compression        = EXR_UNKN;
+    s->nb_channels        = 0;
+    s->w                  = 0;
+    s->h                  = 0;
+
    if (bytestream2_get_bytes_left(&s->gb) < 10) {
        av_log(s->avctx, AV_LOG_ERROR, "Header too short to parse.\n");
        return AVERROR_INVALIDDATA;
@@ -1350,21 +1366,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
    float one_gamma = 1.0f / s->gamma;

    s->avctx              = avctx;
-    s->xmin               = ~0;
-    s->xmax               = ~0;
-    s->ymin               = ~0;
-    s->ymax               = ~0;
-    s->xdelta             = ~0;
-    s->ydelta             = ~0;
-    s->channel_offsets[0] = -1;
-    s->channel_offsets[1] = -1;
-    s->channel_offsets[2] = -1;
-    s->channel_offsets[3] = -1;
-    s->pixel_type         = EXR_UNKNOWN;
-    s->compression        = EXR_UNKN;
-    s->nb_channels        = 0;
-    s->w                  = 0;
-    s->h                  = 0;

    if (one_gamma > 0.9999f && one_gamma < 1.0001f) {
        for (i = 0; i < 65536; ++i)
@@ -66,7 +66,7 @@ av_cold int ffv1_common_init(AVCodecContext *avctx)

 av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs)
 {
-    int j;
+    int j, i;

    fs->plane_count  = f->plane_count;
    fs->transparency = f->transparency;
@@ -80,10 +80,15 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs)
            if (!p->state)
                return AVERROR(ENOMEM);
        } else {
-            if (!p->vlc_state)
-                p->vlc_state = av_malloc_array(p->context_count, sizeof(VlcState));
-            if (!p->vlc_state)
-                return AVERROR(ENOMEM);
+            if (!p->vlc_state) {
+                p->vlc_state = av_mallocz_array(p->context_count, sizeof(VlcState));
+                if (!p->vlc_state)
+                    return AVERROR(ENOMEM);
+                for (i = 0; i < p->context_count; i++) {
+                    p->vlc_state[i].error_sum = 4;
+                    p->vlc_state[i].count     = 1;
+                }
+            }
        }
    }

@@ -101,7 +106,7 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs)
 av_cold int ffv1_init_slices_state(FFV1Context *f)
 {
    int i, ret;
-    for (i = 0; i < f->slice_count; i++) {
+    for (i = 0; i < f->max_slice_count; i++) {
        FFV1Context *fs = f->slice_context[i];
        if ((ret = ffv1_init_slice_state(f, fs)) < 0)
            return AVERROR(ENOMEM);
@@ -113,10 +118,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f)
 {
    int i;

-    f->slice_count = f->num_h_slices * f->num_v_slices;
-    av_assert0(f->slice_count > 0);
+    f->max_slice_count = f->num_h_slices * f->num_v_slices;
+    av_assert0(f->max_slice_count > 0);

-    for (i = 0; i < f->slice_count; i++) {
+    for (i = 0; i < f->max_slice_count; i++) {
        FFV1Context *fs = av_mallocz(sizeof(*fs));
        int sx          = i % f->num_h_slices;
        int sy          = i / f->num_h_slices;
@@ -201,7 +206,7 @@ av_cold int ffv1_close(AVCodecContext *avctx)
        ff_thread_release_buffer(avctx, &s->last_picture);
    av_frame_free(&s->last_picture.f);

-    for (j = 0; j < s->slice_count; j++) {
+    for (j = 0; j < s->max_slice_count; j++) {
        FFV1Context *fs = s->slice_context[j];
        for (i = 0; i < s->plane_count; i++) {
            PlaneContext *p = &fs->plane[i];
@@ -215,14 +220,14 @@ av_cold int ffv1_close(AVCodecContext *avctx)
    av_freep(&avctx->stats_out);
    for (j = 0; j < s->quant_table_count; j++) {
        av_freep(&s->initial_states[j]);
-        for (i = 0; i < s->slice_count; i++) {
+        for (i = 0; i < s->max_slice_count; i++) {
            FFV1Context *sf = s->slice_context[i];
            av_freep(&sf->rc_stat2[j]);
        }
        av_freep(&s->rc_stat2[j]);
    }

-    for (i = 0; i < s->slice_count; i++)
+    for (i = 0; i < s->max_slice_count; i++)
        av_freep(&s->slice_context[i]);

    return 0;
@@ -117,6 +117,7 @@ typedef struct FFV1Context {

    struct FFV1Context *slice_context[MAX_SLICES];
    int slice_count;
+    int max_slice_count;
    int num_v_slices;
    int num_h_slices;
    int slice_width;
@@ -47,8 +47,11 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state,
    else {
        int i, e, a;
        e = 0;
-        while (get_rac(c, state + 1 + FFMIN(e, 9))) // 1..10
+        while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10
            e++;
+            if (e > 31)
+                return AVERROR_INVALIDDATA;
+        }

        a = 1;
        for (i = e - 1; i >= 0; i--)
@@ -303,7 +306,7 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs)
    for (i = 0; i < f->plane_count; i++) {
        PlaneContext * const p = &fs->plane[i];
        int idx = get_symbol(c, state, 0);
-        if (idx > (unsigned)f->quant_table_count) {
+        if (idx >= (unsigned)f->quant_table_count) {
            av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n");
            return -1;
        }
@@ -406,6 +409,7 @@ static int decode_slice(AVCodecContext *c, void *arg)
        if (ffv1_init_slice_state(f, fs) < 0)
            return AVERROR(ENOMEM);
        if (decode_slice_header(f, fs) < 0) {
+            fs->slice_x = fs->slice_y = fs->slice_height = fs->slice_width = 0;
            fs->slice_damaged = 1;
            return AVERROR_INVALIDDATA;
        }
@@ -500,7 +504,10 @@ static int read_quant_tables(RangeCoder *c,
    int context_count = 1;

    for (i = 0; i < 5; i++) {
-        context_count *= read_quant_table(c, quant_table[i], context_count);
+        int ret = read_quant_table(c, quant_table[i], context_count);
+        if (ret < 0)
+            return ret;
+        context_count *= ret;
        if (context_count > 32768U) {
            return AVERROR_INVALIDDATA;
        }
@@ -560,7 +567,7 @@ static int read_extra_header(FFV1Context *f)
    }

    f->quant_table_count = get_symbol(c, state, 0);
-    if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES)
+    if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count)
        return AVERROR_INVALIDDATA;

    for (i = 0; i < f->quant_table_count; i++) {
@@ -770,6 +777,7 @@ static int read_header(FFV1Context *f)
            av_log(f->avctx, AV_LOG_ERROR, "read_quant_table error\n");
            return AVERROR_INVALIDDATA;
        }
+        f->slice_count = f->max_slice_count;
    } else if (f->version < 3) {
        f->slice_count = get_symbol(c, state, 0);
    } else {
@@ -784,8 +792,8 @@ static int read_header(FFV1Context *f)
            p -= size + trailer;
        }
    }
-    if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0) {
-        av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid\n", f->slice_count);
+    if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0 || f->slice_count > f->max_slice_count) {
+        av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid (max=%d)\n", f->slice_count, f->max_slice_count);
        return AVERROR_INVALIDDATA;
    }

@@ -927,6 +935,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
        else                     v = buf_p - c->bytestream_start;
        if (buf_p - c->bytestream_start < v) {
            av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n");
+            ff_thread_report_progress(&f->picture, INT_MAX, 0);
            return AVERROR_INVALIDDATA;
        }
        buf_p -= v;
@@ -1008,6 +1017,7 @@ static int init_thread_copy(AVCodecContext *avctx)
    f->picture.f      = NULL;
    f->last_picture.f = NULL;
    f->sample_buffer  = NULL;
+    f->max_slice_count = 0;
    f->slice_count = 0;

    for (i = 0; i < f->quant_table_count; i++) {
@@ -1083,7 +1093,7 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src)
        av_assert0(!fdst->sample_buffer);
    }

-    av_assert1(fdst->slice_count == fsrc->slice_count);
+    av_assert1(fdst->max_slice_count == fsrc->max_slice_count);


    ff_thread_release_buffer(dst, &fdst->picture);
@@ -962,6 +962,7 @@ slices_ok:

    if ((ret = ffv1_init_slice_contexts(s)) < 0)
        return ret;
+    s->slice_count = s->max_slice_count;
    if ((ret = ffv1_init_slices_state(s)) < 0)
        return ret;

@@ -971,7 +972,7 @@ slices_ok:
        if (!avctx->stats_out)
            return AVERROR(ENOMEM);
        for (i = 0; i < s->quant_table_count; i++)
-            for (j = 0; j < s->slice_count; j++) {
+            for (j = 0; j < s->max_slice_count; j++) {
                FFV1Context *sf = s->slice_context[j];
                av_assert0(!sf->rc_stat2[i]);
                sf->rc_stat2[i] = av_mallocz(s->context_count[i] *
@@ -1195,6 +1196,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
            for (i = 0; i < f->quant_table_count; i++)
                memset(f->rc_stat2[i], 0, f->context_count[i] * sizeof(*f->rc_stat2[i]));

+            av_assert0(f->slice_count == f->max_slice_count);
            for (j = 0; j < f->slice_count; j++) {
                FFV1Context *fs = f->slice_context[j];
                for (i = 0; i < 256; i++) {
@@ -663,7 +663,7 @@ static uint64_t calc_rice_params(RiceContext *rc, int pmin, int pmax,
    bits[pmin] = UINT32_MAX;
    for (i = pmax; ; ) {
        bits[i] = calc_optimal_rice_params(&tmp_rc, i, sums, n, pred_order);
-        if (bits[i] < bits[opt_porder]) {
+        if (bits[i] < bits[opt_porder] || pmax == pmin) {
            opt_porder = i;
            *rc = tmp_rc;
        }
@@ -413,6 +413,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
                }

                if (has_diff) {
+                    if (size < 3) {
+                        av_log(avctx, AV_LOG_ERROR, "size too small for diff\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                    if (!s->keyframe) {
                        av_log(avctx, AV_LOG_ERROR,
                               "Inter frame without keyframe\n");
@@ -440,6 +444,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
                    int row = get_bits(&gb, 8);
                    av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n",
                           i, j, col, row);
+                    if (size < 3) {
+                        av_log(avctx, AV_LOG_ERROR, "size too small for zlibprime_curr\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                    size -= 2;
                    avpriv_request_sample(avctx, "zlibprime_curr");
                    return AVERROR_PATCHWELCOME;
@@ -111,7 +111,7 @@ static av_cold int flashsv_encode_init(AVCodecContext *avctx)

    if (avctx->width > 4095 || avctx->height > 4095) {
        av_log(avctx, AV_LOG_ERROR,
-               "Input dimensions too large, input must be max 4096x4096 !\n");
+               "Input dimensions too large, input must be max 4095x4095 !\n");
        return AVERROR_INVALIDDATA;
    }

@@ -738,7 +738,7 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,
            c->tile_height = bytestream2_get_be32(&bc);
            if (c->tile_width <= 0 || c->tile_height <= 0 ||
                ((c->tile_width | c->tile_height) & 0xF) ||
-                c->tile_width * 4LL * c->tile_height >= INT_MAX
+                c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4
            ) {
                av_log(avctx, AV_LOG_ERROR,
                       "Invalid tile dimensions %dx%d\n",
@@ -869,6 +869,8 @@ header_fail:
    c->height  = 0;
    c->tiles_x =
    c->tiles_y = 0;
+    c->tile_width =
+    c->tile_height = 0;
    return ret;
 }

@@ -337,8 +337,16 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit,

        if (i < limit - 1) {
            if (k) {
-                buf = SHOW_UBITS(re, gb, k);
-                LAST_SKIP_BITS(re, gb, k);
+                if (k > MIN_CACHE_BITS - 1) {
+                    buf = SHOW_UBITS(re, gb, 16) << (k-16);
+                    LAST_SKIP_BITS(re, gb, 16);
+                    UPDATE_CACHE(re, gb);
+                    buf |= SHOW_UBITS(re, gb, k-16);
+                    LAST_SKIP_BITS(re, gb, k-16);
+                } else {
+                    buf = SHOW_UBITS(re, gb, k);
+                    LAST_SKIP_BITS(re, gb, k);
+                }
            } else {
                buf = 0;
            }
@@ -182,7 +182,7 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
        buf      += ctx->length_size;
        unit_type = *buf & 0x1f;

-        if (buf + nal_size > buf_end || nal_size < 0)
+        if (nal_size > buf_end - buf || nal_size < 0)
            goto fail;

        if (unit_type == 7)
@@ -242,11 +242,11 @@ static int alloc_picture(H264Context *h, H264Picture *pic)
        av_pix_fmt_get_chroma_sub_sample(pic->f.format,
                                         &h_chroma_shift, &v_chroma_shift);

-        for(i=0; i<FF_CEIL_RSHIFT(h->avctx->height, v_chroma_shift); i++) {
+        for(i=0; i<FF_CEIL_RSHIFT(pic->f.height, v_chroma_shift); i++) {
            memset(pic->f.data[1] + pic->f.linesize[1]*i,
-                   0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift));
+                   0x80, FF_CEIL_RSHIFT(pic->f.width, h_chroma_shift));
            memset(pic->f.data[2] + pic->f.linesize[2]*i,
-                   0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift));
+                   0x80, FF_CEIL_RSHIFT(pic->f.width, h_chroma_shift));
        }
    }

@@ -1454,6 +1454,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0)

    if (h->context_initialized &&
        (must_reinit || needs_reinit)) {
+        h->context_initialized = 0;
        if (h != h0) {
            av_log(h->avctx, AV_LOG_ERROR,
                   "changing width %d -> %d / height %d -> %d on "
@@ -1668,14 +1669,17 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0)
             * vectors.  Given we are concealing a lost frame, this probably
             * is not noticeable by comparison, but it should be fixed. */
            if (h->short_ref_count) {
-                if (prev) {
+                if (prev &&
+                    h->short_ref[0]->f.width == prev->f.width &&
+                    h->short_ref[0]->f.height == prev->f.height &&
+                    h->short_ref[0]->f.format == prev->f.format) {
                    av_image_copy(h->short_ref[0]->f.data,
                                  h->short_ref[0]->f.linesize,
                                  (const uint8_t **)prev->f.data,
                                  prev->f.linesize,
-                                  h->avctx->pix_fmt,
-                                  h->mb_width  * 16,
-                                  h->mb_height * 16);
+                                  prev->f.format,
+                                  prev->f.width,
+                                  prev->f.height);
                    h->short_ref[0]->poc = prev->poc + 2;
                }
                h->short_ref[0]->frame_num = h->prev_frame_num;
@@ -440,7 +440,7 @@ static int hls_slice_header(HEVCContext *s)

        slice_address_length = av_ceil_log2(s->sps->ctb_width *
                                            s->sps->ctb_height);
-        sh->slice_segment_addr = get_bits(gb, slice_address_length);
+        sh->slice_segment_addr = slice_address_length ? get_bits(gb, slice_address_length) : 0;
        if (sh->slice_segment_addr >= s->sps->ctb_width * s->sps->ctb_height) {
            av_log(s->avctx, AV_LOG_ERROR,
                   "Invalid slice segment address: %u.\n",
@@ -789,6 +789,8 @@ static int hls_slice_header(HEVCContext *s)
    s->HEVClc->tu.cu_qp_offset_cb = 0;
    s->HEVClc->tu.cu_qp_offset_cr = 0;

+    s->no_rasl_output_flag = IS_IDR(s) || IS_BLA(s) || (s->nal_unit_type == NAL_CRA_NUT && s->last_eos);
+
    return 0;
 }

@@ -2379,6 +2381,8 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int

        if (more_data < 0) {
            s->tab_slice_address[ctb_addr_rs] = -1;
+            avpriv_atomic_int_set(&s1->wpp_err,  1);
+            ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP);
            return more_data;
        }

@@ -3356,6 +3360,7 @@ static int hevc_update_thread_context(AVCodecContext *dst,
    s->pocTid0    = s0->pocTid0;
    s->max_ra     = s0->max_ra;
    s->eos        = s0->eos;
+    s->no_rasl_output_flag = s0->no_rasl_output_flag;

    s->is_nalff        = s0->is_nalff;
    s->nal_length_size = s0->nal_length_size;
@@ -3450,6 +3455,7 @@ static av_cold int hevc_decode_init(AVCodecContext *avctx)

    s->enable_parallel_tiles = 0;
    s->picture_struct = 0;
+    s->eos = 1;

    if(avctx->active_thread_type & FF_THREAD_SLICE)
        s->threads_number = avctx->thread_count;
@@ -3491,6 +3497,7 @@ static void hevc_decode_flush(AVCodecContext *avctx)
    HEVCContext *s = avctx->priv_data;
    ff_hevc_flush_dpb(s);
    s->max_ra = INT_MAX;
+    s->eos = 1;
 }

 #define OFFSET(x) offsetof(HEVCContext, x)
@@ -844,6 +844,7 @@ typedef struct HEVCContext {
    int bs_height;

    int is_decoded;
+    int no_rasl_output_flag;

    HEVCPredContext hpc;
    HEVCDSPContext hevcdsp;
@@ -200,7 +200,7 @@ static inline int parse_nal_units(AVCodecParserContext *s, AVCodecContext *avctx

                slice_address_length = av_ceil_log2_c(h->sps->ctb_width *
                                                      h->sps->ctb_height);
-                sh->slice_segment_addr = get_bits(gb, slice_address_length);
+                sh->slice_segment_addr = slice_address_length ? get_bits(gb, slice_address_length) : 0;
                if (sh->slice_segment_addr >= h->sps->ctb_width * h->sps->ctb_height) {
                    av_log(h->avctx, AV_LOG_ERROR, "Invalid slice segment address: %u.\n",
                           sh->slice_segment_addr);
@@ -461,7 +461,8 @@ int ff_hevc_decode_nal_vps(HEVCContext *s)
    if (get_bits_left(gb) < 0) {
        av_log(s->avctx, AV_LOG_ERROR,
               "Overread VPS by %d bits\n", -get_bits_left(gb));
-        goto err;
+        if (s->vps_list[vps_id])
+            goto err;
    }

    av_buffer_unref(&s->vps_list[vps_id]);
@@ -761,6 +762,9 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
    }

    sps->chroma_format_idc = get_ue_golomb_long(gb);
+    if (sps->chroma_format_idc > 3U) {
+        return AVERROR_INVALIDDATA;
+    }

    if (sps->chroma_format_idc == 3)
        sps->separate_colour_plane_flag = get_bits1(gb);
@@ -174,7 +174,7 @@ int ff_hevc_output_frame(HEVCContext *s, AVFrame *out, int flush)
        int min_poc   = INT_MAX;
        int i, min_idx, ret;

-        if (s->sh.no_output_of_prior_pics_flag == 1) {
+        if (s->sh.no_output_of_prior_pics_flag == 1 && s->no_rasl_output_flag == 1) {
            for (i = 0; i < FF_ARRAY_ELEMS(s->DPB); i++) {
                HEVCFrame *frame = &s->DPB[i];
                if (!(frame->flags & HEVC_FRAME_FLAG_BUMPING) && frame->poc != s->poc &&
@@ -37,6 +37,7 @@
 #include "huffyuv.h"
 #include "huffyuvdsp.h"
 #include "thread.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/pixdesc.h"

 #define classic_shift_luma_table_size 42
@@ -291,6 +292,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
    HYuvContext *s = avctx->priv_data;
    int ret;

+    ret = av_image_check_size(avctx->width, avctx->height, 0, avctx);
+    if (ret < 0)
+        return ret;
+
    ff_huffyuvdsp_init(&s->hdsp);
    memset(s->vlc, 0, 4 * sizeof(VLC));

@@ -426,7 +426,7 @@ static void imc_decode_level_coefficients_raw(IMCContext *q, int *levlCoeffBuf,

    pos = q->coef0_pos;
    flcoeffs1[pos] = 20000.0 / pow (2, levlCoeffBuf[0] * 0.18945); // 0.18945 = log2(10) * 0.05703125
-    flcoeffs2[pos] = log2f(flcoeffs1[0]);
+    flcoeffs2[pos] = log2f(flcoeffs1[pos]);
    tmp  = flcoeffs1[pos];
    tmp2 = flcoeffs2[pos];

@@ -30,6 +30,7 @@

 #define BITSTREAM_READER_LE
 #include "libavutil/attributes.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/timer.h"
 #include "avcodec.h"
 #include "get_bits.h"
@@ -310,7 +311,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg,

    ivi_free_buffers(planes);

-    if (cfg->pic_width < 1 || cfg->pic_height < 1 ||
+    if (av_image_check_size(cfg->pic_width, cfg->pic_height, 0, NULL) < 0 ||
        cfg->luma_bands < 1 || cfg->chroma_bands < 1)
        return AVERROR_INVALIDDATA;

@@ -28,6 +28,7 @@
 #include "libavutil/attributes.h"
 #include "libavutil/avassert.h"
 #include "libavutil/common.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/mem.h"
 #include "avcodec.h"
 #include "jpeg2000.h"
@@ -210,9 +211,17 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
                                   codsty->nreslevels2decode - 1,
                                   codsty->transform))
        return ret;
-    // component size comp->coord is uint16_t so ir cannot overflow
+
+    if (av_image_check_size(comp->coord[0][1] - comp->coord[0][0],
+                            comp->coord[1][1] - comp->coord[1][0], 0, avctx))
+        return AVERROR_INVALIDDATA;
    csize = (comp->coord[0][1] - comp->coord[0][0]) *
            (comp->coord[1][1] - comp->coord[1][0]);
+    if (comp->coord[0][1] > 32768 ||
+        comp->coord[1][1] > 32768) {
+        av_log(avctx, AV_LOG_ERROR, "component size too large\n");
+        return AVERROR_PATCHWELCOME;
+    }

    if (codsty->transform == FF_DWT97) {
        comp->i_data = NULL;
@@ -252,6 +252,10 @@ static int get_siz(Jpeg2000DecoderContext *s)
        avpriv_request_sample(s->avctx, "Support for image offsets");
        return AVERROR_PATCHWELCOME;
    }
+    if (s->width > 32768U || s->height > 32768U) {
+        avpriv_request_sample(s->avctx, "Large Dimensions");
+        return AVERROR_PATCHWELCOME;
+    }

    if (ncomponents <= 0) {
        av_log(s->avctx, AV_LOG_ERROR, "Invalid number of components: %d\n",
@@ -686,10 +690,10 @@ static int init_tile(Jpeg2000DecoderContext *s, int tileno)
        Jpeg2000QuantStyle  *qntsty = tile->qntsty + compno;
        int ret; // global bandno

-        comp->coord_o[0][0] = FFMAX(tilex       * s->tile_width  + s->tile_offset_x, s->image_offset_x);
-        comp->coord_o[0][1] = FFMIN((tilex + 1) * s->tile_width  + s->tile_offset_x, s->width);
-        comp->coord_o[1][0] = FFMAX(tiley       * s->tile_height + s->tile_offset_y, s->image_offset_y);
-        comp->coord_o[1][1] = FFMIN((tiley + 1) * s->tile_height + s->tile_offset_y, s->height);
+        comp->coord_o[0][0] = av_clip(tilex       * (int64_t)s->tile_width  + s->tile_offset_x, s->image_offset_x, s->width);
+        comp->coord_o[0][1] = av_clip((tilex + 1) * (int64_t)s->tile_width  + s->tile_offset_x, s->image_offset_x, s->width);
+        comp->coord_o[1][0] = av_clip(tiley       * (int64_t)s->tile_height + s->tile_offset_y, s->image_offset_y, s->height);
+        comp->coord_o[1][1] = av_clip((tiley + 1) * (int64_t)s->tile_height + s->tile_offset_y, s->image_offset_y, s->height);

        comp->coord[0][0] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][0], s->reduction_factor);
        comp->coord[0][1] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][1], s->reduction_factor);
@@ -1148,11 +1152,16 @@ static inline void mct_decode(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile)
    int i, csize = 1;
    void *src[3];

-    for (i = 1; i < 3; i++)
+    for (i = 1; i < 3; i++) {
        if (tile->codsty[0].transform != tile->codsty[i].transform) {
            av_log(s->avctx, AV_LOG_ERROR, "Transforms mismatch, MCT not supported\n");
            return;
        }
+        if (memcmp(tile->comp[0].coord, tile->comp[i].coord, sizeof(tile->comp[0].coord))) {
+            av_log(s->avctx, AV_LOG_ERROR, "Coords mismatch, MCT not supported\n");
+            return;
+        }
+    }

    for (i = 0; i < 3; i++)
        if (tile->codsty[0].transform == FF_DWT97)
@@ -1351,6 +1360,7 @@ static void jpeg2000_dec_cleanup(Jpeg2000DecoderContext *s)
    memset(s->codsty, 0, sizeof(s->codsty));
    memset(s->qntsty, 0, sizeof(s->qntsty));
    s->numXtiles = s->numYtiles = 0;
+    s->ncomponents = 0;
 }

 static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s)
@@ -1405,6 +1415,10 @@ static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s)

        switch (marker) {
        case JPEG2000_SIZ:
+            if (s->ncomponents) {
+                av_log(s->avctx, AV_LOG_ERROR, "Duplicate SIZ\n");
+                return AVERROR_INVALIDDATA;
+            }
            ret = get_siz(s);
            if (!s->tile)
                s->numXtiles = s->numYtiles = 0;
@@ -358,6 +358,15 @@ static int libopenjpeg_decode_frame(AVCodecContext *avctx,
        goto done;
    }

+    for (i = 0; i < image->numcomps; i++) {
+        if (!image->comps[i].data) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "Image component %d contains no data.\n", i);
+            ret = AVERROR_INVALIDDATA;
+            goto done;
+        }
+    }
+
    desc       = av_pix_fmt_desc_get(avctx->pix_fmt);
    pixel_size = desc->comp[0].step_minus1 + 1;
    ispacked   = libopenjpeg_ispacked(avctx->pix_fmt);
@@ -200,6 +200,9 @@ static opj_image_t *mj2_create_image(AVCodecContext *avctx, opj_cparameters_t *p

    img = opj_image_create(numcomps, cmptparm, color_space);

+    if (!img)
+        return NULL;
+
    // x0, y0 is the top left corner of the image
    // x1, y1 is the width, height of the reference grid
    img->x0 = 0;
@@ -326,7 +326,7 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt,
        } else
            audio = frame->data[0];
    } else {
-        if (!opus->afq.remaining_samples)
+        if (!opus->afq.remaining_samples || (!opus->afq.frame_alloc && !opus->afq.frame_count))
            return 0;
        audio = opus->samples;
        memset(audio, 0, opus->opts.packet_size * sample_size);
@@ -164,6 +164,8 @@ static char *microdvd_load_tags(struct microdvd_tag *tags, char *s)

        /* Position */
        case 'P':
+            if (!*s)
+                break;
            tag.persistent = MICRODVD_PERSISTENT_ON;
            tag.data1 = (*s++ == '1');
            if (*s != '}')
@@ -96,6 +96,15 @@ static void parse_avid(MJpegDecodeContext *s, uint8_t *buf, int len)
        av_log(s->avctx, AV_LOG_INFO, "AVID: len:%d %d\n", len, len > 14 ? buf[12] : -1);
 }

+static void init_idct(AVCodecContext *avctx)
+{
+    MJpegDecodeContext *s = avctx->priv_data;
+
+    ff_idctdsp_init(&s->idsp, avctx);
+    ff_init_scantable(s->idsp.idct_permutation, &s->scantable,
+                      ff_zigzag_direct);
+}
+
 av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx)
 {
    MJpegDecodeContext *s = avctx->priv_data;
@@ -110,9 +119,7 @@ av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx)
    s->avctx = avctx;
    ff_blockdsp_init(&s->bdsp, avctx);
    ff_hpeldsp_init(&s->hdsp, avctx->flags);
-    ff_idctdsp_init(&s->idsp, avctx);
-    ff_init_scantable(s->idsp.idct_permutation, &s->scantable,
-                      ff_zigzag_direct);
+    init_idct(avctx);
    s->buffer_size   = 0;
    s->buffer        = NULL;
    s->start_code    = -1;
@@ -254,7 +261,6 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)

    /* XXX: verify len field validity */
    len     = get_bits(&s->gb, 16);
-    s->avctx->bits_per_raw_sample =
    bits    = get_bits(&s->gb, 8);

    if (bits > 16 || bits < 1) {
@@ -262,6 +268,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
        return AVERROR_INVALIDDATA;
    }

+    if (s->avctx->bits_per_raw_sample != bits) {
+        av_log(s->avctx, AV_LOG_INFO, "Changeing bps to %d\n", bits);
+        s->avctx->bits_per_raw_sample = bits;
+        init_idct(s->avctx);
+    }
    if (s->pegasus_rct)
        bits = 9;
    if (bits == 9 && !s->pegasus_rct)
@@ -968,7 +979,14 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
                skip_bits(&s->gb, 16); /* skip RSTn */
            }
        }
-        if (s->nb_components == 4) {
+        if (s->rct && s->nb_components == 4) {
+            for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
+                ptr[4*mb_x + 2] = buffer[mb_x][0] - ((buffer[mb_x][1] + buffer[mb_x][2] - 0x200) >> 2);
+                ptr[4*mb_x + 1] = buffer[mb_x][1] + ptr[4*mb_x + 2];
+                ptr[4*mb_x + 3] = buffer[mb_x][2] + ptr[4*mb_x + 2];
+                ptr[4*mb_x + 0] = buffer[mb_x][3];
+            }
+        } else if (s->nb_components == 4) {
            for(i=0; i<nb_components; i++) {
                int c= s->comp_index[i];
                if (s->bits <= 8) {
@@ -1059,7 +1077,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
                        dc = mjpeg_decode_dc(s, s->dc_index[i]);
                        if(dc == 0xFFFFF)
                            return -1;
-                        if(bits<=8){
+                        if (   h * mb_x + x >= s->width
+                            || v * mb_y + y >= s->height) {
+                            // Nothing to do
+                        } else if (bits<=8) {
                        ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap
                        if(y==0 && toprow){
                            if(x==0 && leftcol){
@@ -1127,7 +1148,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
                        dc = mjpeg_decode_dc(s, s->dc_index[i]);
                        if(dc == 0xFFFFF)
                            return -1;
-                        if(bits<=8){
+                        if (   h * mb_x + x >= s->width
+                            || v * mb_y + y >= s->height) {
+                            // Nothing to do
+                        } else if (bits<=8) {
                            ptr = s->picture_ptr->data[c] +
                              (linesize * (v * mb_y + y)) +
                              (h * mb_x + x); //FIXME optimize this crap
@@ -337,20 +337,30 @@ void ff_mjpeg_escape_FF(PutBitContext *pb, int start)
    }
 }

-void ff_mjpeg_encode_stuffing(MpegEncContext *s)
+int ff_mjpeg_encode_stuffing(MpegEncContext *s)
 {
    int i;
    PutBitContext *pbc = &s->pb;
    int mb_y = s->mb_y - !s->mb_x;

+    int ret = ff_mpv_reallocate_putbitbuffer(s, put_bits_count(&s->pb) / 8 + 100,
+                                                put_bits_count(&s->pb) / 4 + 1000);
+    if (ret < 0) {
+        av_log(s->avctx, AV_LOG_ERROR, "Buffer reallocation failed\n");
+        goto fail;
+    }
+
    ff_mjpeg_escape_FF(pbc, s->esc_pos);

    if((s->avctx->active_thread_type & FF_THREAD_SLICE) && mb_y < s->mb_height)
        put_marker(pbc, RST0 + (mb_y&7));
    s->esc_pos = put_bits_count(pbc) >> 3;
+fail:

    for(i=0; i<3; i++)
        s->last_dc[i] = 128 << s->intra_dc_precision;
+
+    return ret;
 }

 void ff_mjpeg_encode_picture_trailer(PutBitContext *pb, int header_bits)
@@ -34,7 +34,7 @@ void ff_mjpeg_encode_picture_header(AVCodecContext *avctx, PutBitContext *pb,
                                    uint16_t chroma_intra_matrix[64]);
 void ff_mjpeg_encode_picture_trailer(PutBitContext *pb, int header_bits);
 void ff_mjpeg_escape_FF(PutBitContext *pb, int start);
-void ff_mjpeg_encode_stuffing(MpegEncContext *s);
+int ff_mjpeg_encode_stuffing(MpegEncContext *s);
 void ff_mjpeg_init_hvsample(AVCodecContext *avctx, int hsample[3], int vsample[3]);

 void ff_mjpeg_encode_dc(PutBitContext *pb, int val,
@@ -1917,7 +1917,7 @@ static int mpeg_decode_slice(MpegEncContext *s, int mb_y,
                    (left && show_bits(&s->gb, FFMIN(left, 23)) && !is_d10) ||
                    ((avctx->err_recognition & (AV_EF_BITSTREAM | AV_EF_AGGRESSIVE)) && left > 8)) {
                    av_log(avctx, AV_LOG_ERROR, "end mismatch left=%d %0X\n",
-                           left, show_bits(&s->gb, FFMIN(left, 23)));
+                           left, left>0 ? show_bits(&s->gb, FFMIN(left, 23)) : 0);
                    return AVERROR_INVALIDDATA;
                } else
                    goto eos;
@@ -2142,8 +2142,6 @@ static int mpeg1_decode_sequence(AVCodecContext *avctx,
        av_log(avctx, AV_LOG_ERROR, "Marker in sequence header missing\n");
        return AVERROR_INVALIDDATA;
    }
-    s->width  = width;
-    s->height = height;

    s->avctx->rc_buffer_size = get_bits(&s->gb, 10) * 1024 * 16;
    skip_bits(&s->gb, 1);
@@ -2175,6 +2173,9 @@ static int mpeg1_decode_sequence(AVCodecContext *avctx,
        return AVERROR_INVALIDDATA;
    }

+    s->width  = width;
+    s->height = height;
+
    /* We set MPEG-2 parameters so that it emulates MPEG-1. */
    s->progressive_sequence = 1;
    s->progressive_frame    = 1;
@@ -1657,9 +1657,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr,
    uint32_t header;
    int ret;

+    int skipped = 0;
    while(buf_size && !*buf){
        buf++;
        buf_size--;
+        skipped++;
    }

    if (buf_size < HEADER_SIZE)
@@ -1714,7 +1716,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr,
            return ret;
    }
    s->frame_size = 0;
-    return buf_size;
+    return buf_size + skipped;
 }

 static void mp_flush(MPADecodeContext *ctx)
@@ -1893,6 +1895,7 @@ static av_cold int decode_init_mp3on4(AVCodecContext * avctx)
        s->mp3decctx[i]->adu_mode = 1;
        s->mp3decctx[i]->avctx = avctx;
        s->mp3decctx[i]->mpadsp = s->mp3decctx[0]->mpadsp;
+        s->mp3decctx[i]->fdsp = s->mp3decctx[0]->fdsp;
    }

    return 0;
@@ -1288,6 +1288,82 @@ fail:
    return AVERROR(ENOMEM);
 }

+static void clear_context(MpegEncContext *s)
+{
+    int i, j, k;
+
+    memset(&s->next_picture, 0, sizeof(s->next_picture));
+    memset(&s->last_picture, 0, sizeof(s->last_picture));
+    memset(&s->current_picture, 0, sizeof(s->current_picture));
+    memset(&s->new_picture, 0, sizeof(s->new_picture));
+
+    memset(s->thread_context, 0, sizeof(s->thread_context));
+
+    s->me.map = NULL;
+    s->me.score_map = NULL;
+    s->dct_error_sum = NULL;
+    s->block = NULL;
+    s->blocks = NULL;
+    memset(s->pblocks, 0, sizeof(s->pblocks));
+    s->ac_val_base = NULL;
+    s->ac_val[0] =
+    s->ac_val[1] =
+    s->ac_val[2] =NULL;
+    s->edge_emu_buffer = NULL;
+    s->me.scratchpad = NULL;
+    s->me.temp =
+    s->rd_scratchpad =
+    s->b_scratchpad =
+    s->obmc_scratchpad = NULL;
+
+    s->parse_context.buffer = NULL;
+    s->parse_context.buffer_size = 0;
+    s->bitstream_buffer = NULL;
+    s->allocated_bitstream_buffer_size = 0;
+    s->picture          = NULL;
+    s->mb_type          = NULL;
+    s->p_mv_table_base  = NULL;
+    s->b_forw_mv_table_base = NULL;
+    s->b_back_mv_table_base = NULL;
+    s->b_bidir_forw_mv_table_base = NULL;
+    s->b_bidir_back_mv_table_base = NULL;
+    s->b_direct_mv_table_base = NULL;
+    s->p_mv_table            = NULL;
+    s->b_forw_mv_table       = NULL;
+    s->b_back_mv_table       = NULL;
+    s->b_bidir_forw_mv_table = NULL;
+    s->b_bidir_back_mv_table = NULL;
+    s->b_direct_mv_table     = NULL;
+    for (i = 0; i < 2; i++) {
+        for (j = 0; j < 2; j++) {
+            for (k = 0; k < 2; k++) {
+                s->b_field_mv_table_base[i][j][k] = NULL;
+                s->b_field_mv_table[i][j][k] = NULL;
+            }
+            s->b_field_select_table[i][j] = NULL;
+            s->p_field_mv_table_base[i][j] = NULL;
+            s->p_field_mv_table[i][j] = NULL;
+        }
+        s->p_field_select_table[i] = NULL;
+    }
+
+    s->dc_val_base = NULL;
+    s->coded_block_base = NULL;
+    s->mbintra_table = NULL;
+    s->cbp_table = NULL;
+    s->pred_dir_table = NULL;
+
+    s->mbskip_table = NULL;
+
+    s->er.error_status_table = NULL;
+    s->er.er_temp_buffer = NULL;
+    s->mb_index2xy = NULL;
+    s->lambda_table = NULL;
+
+    s->cplx_tab = NULL;
+    s->bits_tab = NULL;
+}
+
 /**
 * init common structure for both encoder and decoder.
 * this assumes that some variables like width/height are already set
@@ -1299,6 +1375,8 @@ av_cold int ff_mpv_common_init(MpegEncContext *s)
                     s->avctx->active_thread_type & FF_THREAD_SLICE) ?
                    s->avctx->thread_count : 1;

+    clear_context(s);
+
    if (s->encoding && s->avctx->slices)
        nb_slices = s->avctx->slices;

@@ -1346,10 +1424,6 @@ av_cold int ff_mpv_common_init(MpegEncContext *s)
        if (!s->picture[i].f)
            goto fail;
    }
-    memset(&s->next_picture, 0, sizeof(s->next_picture));
-    memset(&s->last_picture, 0, sizeof(s->last_picture));
-    memset(&s->current_picture, 0, sizeof(s->current_picture));
-    memset(&s->new_picture, 0, sizeof(s->new_picture));
    s->next_picture.f = av_frame_alloc();
    if (!s->next_picture.f)
        goto fail;
@@ -770,6 +770,7 @@ void ff_mpv_encode_init_x86(MpegEncContext *s);
 int ff_mpv_encode_end(AVCodecContext *avctx);
 int ff_mpv_encode_picture(AVCodecContext *avctx, AVPacket *pkt,
                          const AVFrame *frame, int *got_packet);
+int ff_mpv_reallocate_putbitbuffer(MpegEncContext *s, size_t threshold, size_t size_increase);

 void ff_clean_intra_table_entries(MpegEncContext *s);
 void ff_mpeg_draw_horiz_band(MpegEncContext *s, int y, int h);
@@ -2721,6 +2721,35 @@ static void update_mb_info(MpegEncContext *s, int startcode)
    write_mb_info(s);
 }

+int ff_mpv_reallocate_putbitbuffer(MpegEncContext *s, size_t threshold, size_t size_increase)
+{
+    if (   s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < threshold
+        && s->slice_context_count == 1
+        && s->pb.buf == s->avctx->internal->byte_buffer) {
+        int lastgob_pos = s->ptr_lastgob - s->pb.buf;
+        int vbv_pos     = s->vbv_delay_ptr - s->pb.buf;
+
+        uint8_t *new_buffer = NULL;
+        int new_buffer_size = 0;
+
+        av_fast_padded_malloc(&new_buffer, &new_buffer_size,
+                              s->avctx->internal->byte_buffer_size + size_increase);
+        if (!new_buffer)
+            return AVERROR(ENOMEM);
+
+        memcpy(new_buffer, s->avctx->internal->byte_buffer, s->avctx->internal->byte_buffer_size);
+        av_free(s->avctx->internal->byte_buffer);
+        s->avctx->internal->byte_buffer      = new_buffer;
+        s->avctx->internal->byte_buffer_size = new_buffer_size;
+        rebase_put_bits(&s->pb, new_buffer, new_buffer_size);
+        s->ptr_lastgob   = s->pb.buf + lastgob_pos;
+        s->vbv_delay_ptr = s->pb.buf + vbv_pos;
+    }
+    if (s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < threshold)
+        return AVERROR(EINVAL);
+    return 0;
+}
+
 static int encode_thread(AVCodecContext *c, void *arg){
    MpegEncContext *s= *(void**)arg;
    int mb_x, mb_y, pdif = 0;
@@ -2797,30 +2826,10 @@ static int encode_thread(AVCodecContext *c, void *arg){
 //            int d;
            int dmin= INT_MAX;
            int dir;
+            int size_increase =  s->avctx->internal->byte_buffer_size/4
+                               + s->mb_width*MAX_MB_BYTES;

-            if (   s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < MAX_MB_BYTES
-                && s->slice_context_count == 1
-                && s->pb.buf == s->avctx->internal->byte_buffer) {
-                int new_size =  s->avctx->internal->byte_buffer_size
-                              + s->avctx->internal->byte_buffer_size/4
-                              + s->mb_width*MAX_MB_BYTES;
-                int lastgob_pos = s->ptr_lastgob - s->pb.buf;
-                int vbv_pos     = s->vbv_delay_ptr - s->pb.buf;
-
-                uint8_t *new_buffer = NULL;
-                int new_buffer_size = 0;
-
-                av_fast_padded_malloc(&new_buffer, &new_buffer_size, new_size);
-                if (new_buffer) {
-                    memcpy(new_buffer, s->avctx->internal->byte_buffer, s->avctx->internal->byte_buffer_size);
-                    av_free(s->avctx->internal->byte_buffer);
-                    s->avctx->internal->byte_buffer      = new_buffer;
-                    s->avctx->internal->byte_buffer_size = new_buffer_size;
-                    rebase_put_bits(&s->pb, new_buffer, new_buffer_size);
-                    s->ptr_lastgob   = s->pb.buf + lastgob_pos;
-                    s->vbv_delay_ptr = s->pb.buf + vbv_pos;
-                }
-            }
+            ff_mpv_reallocate_putbitbuffer(s, MAX_MB_BYTES, size_increase);
            if(s->pb.buf_end - s->pb.buf - (put_bits_count(&s->pb)>>3) < MAX_MB_BYTES){
                av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n");
                return -1;
@@ -3733,6 +3742,8 @@ static int encode_picture(MpegEncContext *s, int picture_number)
    }
    s->avctx->execute(s->avctx, encode_thread, &s->thread_context[0], NULL, context_count, sizeof(void*));
    for(i=1; i<context_count; i++){
+        if (s->pb.buf_end == s->thread_context[i]->pb.buf)
+            set_put_bits_buffer_size(&s->pb, FFMIN(s->thread_context[i]->pb.buf_end - s->pb.buf, INT_MAX/8-32));
        merge_context_after_encode(s, s->thread_context[i]);
    }
    emms_c();
@@ -538,7 +538,7 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data,
            memset(frame->extended_data[i], 0, frame->linesize[0]);
        }

-        if (c->gain_i) {
+        if (c->gain_i && decoded_samples > 0) {
            c->fdsp->vector_fmul_scalar((float*)frame->extended_data[i],
                                       (float*)frame->extended_data[i],
                                       c->gain, FFALIGN(decoded_samples, 8));
@@ -539,6 +539,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s,
        return AVERROR_INVALIDDATA;
    }

+    if (s->state & PNG_IHDR) {
+        av_log(avctx, AV_LOG_ERROR, "Multiple IHDR\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    s->width  = s->cur_w = bytestream2_get_be32(&s->gb);
    s->height = s->cur_h = bytestream2_get_be32(&s->gb);
    if (av_image_check_size(s->width, s->height, 0, avctx)) {
@@ -805,28 +810,34 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
                             uint32_t length)
 {
    uint32_t sequence_number;
+    int cur_w, cur_h, x_offset, y_offset, dispose_op, blend_op;

    if (length != 26)
        return AVERROR_INVALIDDATA;

+    if (!(s->state & PNG_IHDR)) {
+        av_log(avctx, AV_LOG_ERROR, "fctl before IHDR\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    sequence_number = bytestream2_get_be32(&s->gb);
-    s->cur_w        = bytestream2_get_be32(&s->gb);
-    s->cur_h        = bytestream2_get_be32(&s->gb);
-    s->x_offset     = bytestream2_get_be32(&s->gb);
-    s->y_offset     = bytestream2_get_be32(&s->gb);
+    cur_w           = bytestream2_get_be32(&s->gb);
+    cur_h           = bytestream2_get_be32(&s->gb);
+    x_offset        = bytestream2_get_be32(&s->gb);
+    y_offset        = bytestream2_get_be32(&s->gb);
    bytestream2_skip(&s->gb, 4); /* delay_num (2), delay_den (2) */
-    s->dispose_op   = bytestream2_get_byte(&s->gb);
-    s->blend_op     = bytestream2_get_byte(&s->gb);
+    dispose_op      = bytestream2_get_byte(&s->gb);
+    blend_op        = bytestream2_get_byte(&s->gb);
    bytestream2_skip(&s->gb, 4); /* crc */

    if (sequence_number == 0 &&
-        (s->cur_w != s->width ||
-         s->cur_h != s->height ||
-         s->x_offset != 0 ||
-         s->y_offset != 0) ||
-        s->cur_w <= 0 || s->cur_h <= 0 ||
-        s->x_offset < 0 || s->y_offset < 0 ||
-        s->cur_w > s->width - s->x_offset|| s->cur_h > s->height - s->y_offset)
+        (cur_w != s->width ||
+         cur_h != s->height ||
+         x_offset != 0 ||
+         y_offset != 0) ||
+        cur_w <= 0 || cur_h <= 0 ||
+        x_offset < 0 || y_offset < 0 ||
+        cur_w > s->width - x_offset|| cur_h > s->height - y_offset)
            return AVERROR_INVALIDDATA;

    /* always (re)start with a clean frame */
@@ -840,6 +851,13 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
            s->dispose_op = APNG_DISPOSE_OP_NONE;
    }

+    s->cur_w      = cur_w;
+    s->cur_h      = cur_h;
+    s->x_offset   = x_offset;
+    s->y_offset   = y_offset;
+    s->dispose_op = dispose_op;
+    s->blend_op   = blend_op;
+
    return 0;
 }

@@ -453,6 +453,9 @@ int ff_thread_decode_frame(AVCodecContext *avctx,
        *got_picture_ptr = p->got_frame;
        picture->pkt_dts = p->avpkt.dts;

+        if (p->result < 0)
+            err = p->result;
+
        /*
         * A later call with avkpt->size == 0 may loop over all threads,
         * including this one, searching for a frame to return before being
@@ -470,6 +473,14 @@ int ff_thread_decode_frame(AVCodecContext *avctx,

    fctx->next_finished = finished;

+    /*
+     * When no frame was found while flushing, but an error occured in
+     * any thread, return it instead of 0.
+     * Otherwise the error can get lost.
+     */
+    if (!avpkt->size && !*got_picture_ptr)
+        return err;
+
    /* return the size of the consumed packet if no error occurred */
    return (p->result >= 0) ? avpkt->size : p->result;
 }
@@ -571,7 +582,7 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
            pthread_join(p->thread, NULL);
        p->thread_init=0;

-        if (codec->close)
+        if (codec->close && p->avctx)
            codec->close(p->avctx);

        avctx->codec = NULL;
@@ -591,12 +602,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
        av_packet_unref(&p->avpkt);
        av_freep(&p->released_buffers);

-        if (i) {
+        if (i && p->avctx) {
            av_freep(&p->avctx->priv_data);
            av_freep(&p->avctx->slice_offset);
        }

-        av_freep(&p->avctx->internal);
+        if (p->avctx)
+            av_freep(&p->avctx->internal);
        av_freep(&p->avctx);
    }

@@ -668,6 +680,7 @@ int ff_frame_thread_init(AVCodecContext *avctx)

        copy->internal = av_malloc(sizeof(AVCodecInternal));
        if (!copy->internal) {
+            copy->priv_data = NULL;
            err = AVERROR(ENOMEM);
            goto error;
        }
@@ -229,6 +229,7 @@ static inline void skip_put_bytes(PutBitContext *s, int n)
 {
    av_assert2((put_bits_count(s) & 7) == 0);
    av_assert2(s->bit_left == 32);
+    av_assert0(n <= s->buf_end - s->buf_ptr);
    s->buf_ptr += n;
 }

@@ -252,6 +253,7 @@ static inline void skip_put_bits(PutBitContext *s, int n)
 static inline void set_put_bits_buffer_size(PutBitContext *s, int size)
 {
    s->buf_end = s->buf + size;
+    s->size_in_bits = 8*size;
 }

 #endif /* AVCODEC_PUT_BITS_H */
@@ -51,7 +51,7 @@ static int raw_encode(AVCodecContext *avctx, AVPacket *pkt,
    if (ret < 0)
        return ret;

-    if ((ret = ff_alloc_packet2(avctx, pkt, ret)) < 0)
+    if ((ret = ff_alloc_packet(pkt, ret)) < 0)
        return ret;
    if ((ret = avpicture_layout((const AVPicture *)frame, avctx->pix_fmt, avctx->width,
                                avctx->height, pkt->data, pkt->size)) < 0)
@@ -1534,7 +1534,14 @@ int ff_rv34_decode_init_thread_copy(AVCodecContext *avctx)

    if (avctx->internal->is_copy) {
        r->tmp_b_block_base = NULL;
+        r->cbp_chroma       = NULL;
+        r->cbp_luma         = NULL;
+        r->deblock_coefs    = NULL;
+        r->intra_types_hist = NULL;
+        r->mb_type          = NULL;
+
        ff_mpv_idct_init(&r->s);
+
        if ((err = ff_mpv_common_init(&r->s)) < 0)
            return err;
        if ((err = rv34_decoder_alloc(r)) < 0) {
@@ -457,6 +457,7 @@ static void destroy_buffers(SANMVideoContext *ctx)
    ctx->frm0_size =
    ctx->frm1_size =
    ctx->frm2_size = 0;
+    init_sizes(ctx, 0, 0);
 }

 static av_cold int init_buffers(SANMVideoContext *ctx)
@@ -137,6 +137,7 @@ typedef struct AACSBRContext {
 struct SpectralBandReplication {
    int                sample_rate;
    int                start;
+    int                id_aac;
    int                reset;
    SpectrumParameters spectrum_params;
    int                bs_amp_res_header;
@@ -668,6 +668,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    frame->nb_samples = unp_size / (avctx->channels * (bits + 1));
+    if (unp_size % (avctx->channels * (bits + 1))) {
+        av_log(avctx, AV_LOG_ERROR, "unp_size %d is odd\n", unp_size);
+        return AVERROR(EINVAL);
+    }
    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
        return ret;
    samples  = (int16_t *)frame->data[0];
@@ -303,6 +303,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer
    BlockNode *lb= lt+b_stride;
    BlockNode *rb= lb+1;
    uint8_t *block[4];
+    // When src_stride is large enough, it is possible to interleave the blocks.
+    // Otherwise the blocks are written sequentially in the tmp buffer.
    int tmp_step= src_stride >= 7*MB_SIZE ? MB_SIZE : MB_SIZE*src_stride;
    uint8_t *tmp = s->scratchbuf;
    uint8_t *ptmp;
@@ -346,8 +348,6 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer

    if(b_w<=0 || b_h<=0) return;

-    av_assert2(src_stride > 2*MB_SIZE + 5);
-
    if(!sliced && offset_dst)
        dst += src_x + src_y*dst_stride;
    dst8+= src_x + src_y*src_stride;
@@ -562,6 +562,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){
        e= 0;
        while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
            e++;
+            if (e > 31)
+                return AVERROR_INVALIDDATA;
        }

        a= 1;
@@ -900,6 +900,7 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx)
        av_log(avctx, AV_LOG_ERROR, "Only mono and stereo streams are supported by now\n");
        return AVERROR_INVALIDDATA;
    }
+    avctx->channels = s->channels;

    s->lossless = get_bits1(&gb);
    if (!s->lossless)
@@ -616,9 +616,12 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data,
    uint8_t *current;
    int result, i, x, y, width, height;
    svq1_pmv *pmv;
+    int ret;

    /* initialize bit buffer */
-    init_get_bits8(&s->gb, buf, buf_size);
+    ret = init_get_bits8(&s->gb, buf, buf_size);
+    if (ret < 0)
+        return ret;

    /* decode frame header */
    s->frame_code = get_bits(&s->gb, 22);
@@ -516,6 +516,11 @@ static av_cold int svq1_encode_init(AVCodecContext *avctx)
    SVQ1EncContext *const s = avctx->priv_data;
    int ret;

+    if (avctx->width >= 4096 || avctx->height >= 4096) {
+        av_log(avctx, AV_LOG_ERROR, "Dimensions too large, maximum is 4095x4095\n");
+        return AVERROR(EINVAL);
+    }
+
    ff_hpeldsp_init(&s->hdsp, avctx->flags);
    ff_me_cmp_init(&s->mecc, avctx);
    ff_mpegvideoencdsp_init(&s->m.mpvencdsp, avctx);
@@ -632,7 +632,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length)
        for (; length2 > 0; length2 -= tmp) {
            tmp = FFMIN(length2, x);

-            for (i = 0; i < tmp; i++)
+            for (i = 0; i < tmp - (tmp == length2); i++)
                s->residues[filter_order + i] = *p2++ >> dshift;

            for (i = 0; i < tmp; i++) {
@@ -801,6 +801,12 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data,
                    if (s->mcdparams[i].present) {
                        s->mcdparams[i].index = get_bits(gb, 2);
                        s->mcdparams[i].chan2 = get_bits(gb, 4);
+                        if (s->mcdparams[i].chan2 >= avctx->channels) {
+                            av_log(avctx, AV_LOG_ERROR,
+                                   "invalid channel 2 (%d) for %d channel(s)\n",
+                                   s->mcdparams[i].chan2, avctx->channels);
+                            return AVERROR_INVALIDDATA;
+                        }
                        if (s->mcdparams[i].index == 1) {
                            if ((nbit == s->mcdparams[i].chan2) ||
                                (ch_mask & 1 << s->mcdparams[i].chan2))
@@ -402,6 +402,10 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
        new_pix_fmt = AV_PIX_FMT_RGB555; // RGB565 is supported as well

    s->w >>= width_shift;
+    if (s->w & 1) {
+        avpriv_request_sample(s->avctx, "Frame with odd width");
+        return AVERROR_PATCHWELCOME;
+    }

    if (s->w != s->avctx->width || s->h != s->avctx->height ||
        new_pix_fmt != s->avctx->pix_fmt) {
@@ -123,6 +123,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
    TTAContext *s = avctx->priv_data;
    GetBitContext gb;
    int total_frames;
+    int ret;

    s->avctx = avctx;

@@ -131,7 +132,10 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
        return AVERROR_INVALIDDATA;

    s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE);
-    init_get_bits8(&gb, avctx->extradata, avctx->extradata_size);
+    ret = init_get_bits8(&gb, avctx->extradata, avctx->extradata_size);
+    if (ret < 0)
+        return ret;
+
    if (show_bits_long(&gb, 32) == AV_RL32("TTA1")) {
        /* signature */
        skip_bits_long(&gb, 32);
@@ -424,10 +424,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,

    *width  = FFALIGN(*width, w_align);
    *height = FFALIGN(*height, h_align);
-    if (s->codec_id == AV_CODEC_ID_H264 || s->lowres)
+    if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) {
        // some of the optimized chroma MC reads one line too much
        // which is also done in mpeg decoders with lowres > 0
        *height += 2;
+        *width = FFMAX(*width, 32);
+    }

    for (i = 0; i < 4; i++)
        linesize_align[i] = STRIDE_ALIGN;
@@ -3393,7 +3395,7 @@ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
                return frame_bytes * 8 / bps;
        }

-        if (ch > 0) {
+        if (ch > 0 && ch < INT_MAX/16) {
            /* calc from frame_bytes and channels */
            switch (id) {
            case AV_CODEC_ID_ADPCM_AFC:
@@ -465,7 +465,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx)
        count = avctx->extradata_size*8 - get_bits_count(&gb);
        if (count > 0) {
            av_log(avctx, AV_LOG_INFO, "Extra data: %i bits left, value: %X\n",
-                   count, get_bits(&gb, count));
+                   count, get_bits_long(&gb, FFMIN(count, 32)));
        } else if (count < 0) {
            av_log(avctx, AV_LOG_INFO, "Read %i bits in overflow\n", -count);
        }
@@ -2473,6 +2473,7 @@ static av_cold int theora_decode_init(AVCodecContext *avctx)
    const uint8_t *header_start[3];
    int header_len[3];
    int i;
+    int ret;

    avctx->pix_fmt = AV_PIX_FMT_YUV420P;

@@ -2492,7 +2493,9 @@ static av_cold int theora_decode_init(AVCodecContext *avctx)
    for (i = 0; i < 3; i++) {
        if (header_len[i] <= 0)
            continue;
-        init_get_bits8(&gb, header_start[i], header_len[i]);
+        ret = init_get_bits8(&gb, header_start[i], header_len[i]);
+        if (ret < 0)
+            return ret;

        ptype = get_bits(&gb, 8);

@@ -639,6 +639,11 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
    int width  = s->avctx->width;
    int height = s->avctx->height;

+    if (buf_size < 3) {
+        av_log(s->avctx, AV_LOG_ERROR, "Insufficent data (%d) for header\n", buf_size);
+        return AVERROR_INVALIDDATA;
+    }
+
    s->keyframe  = !(buf[0] & 1);
    s->profile   =  (buf[0]>>1) & 7;
    s->invisible = !(buf[0] & 0x10);
@@ -757,8 +762,10 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
 static av_always_inline
 void clamp_mv(VP8Context *s, VP56mv *dst, const VP56mv *src)
 {
-    dst->x = av_clip(src->x, s->mv_min.x, s->mv_max.x);
-    dst->y = av_clip(src->y, s->mv_min.y, s->mv_max.y);
+    dst->x = av_clip(src->x, av_clip(s->mv_min.x, INT16_MIN, INT16_MAX),
+                             av_clip(s->mv_max.x, INT16_MIN, INT16_MAX));
+    dst->y = av_clip(src->y, av_clip(s->mv_min.y, INT16_MIN, INT16_MAX),
+                             av_clip(s->mv_max.y, INT16_MIN, INT16_MAX));
 }

 /**
@@ -2687,6 +2694,9 @@ av_cold int ff_vp8_decode_free(AVCodecContext *avctx)
    VP8Context *s = avctx->priv_data;
    int i;

+    if (!s)
+        return 0;
+
    vp8_decode_flush_impl(avctx, 1);
    for (i = 0; i < FF_ARRAY_ELEMS(s->frames); i++)
        av_frame_free(&s->frames[i].tf.f);
@@ -134,6 +134,11 @@ typedef struct VP8Frame {
    AVBufferRef *seg_map;
 } VP8Frame;

+typedef struct VP8intmv {
+    int x;
+    int y;
+} VP8intmv;
+
 #define MAX_THREADS 8
 typedef struct VP8Context {
    VP8ThreadData *thread_data;
@@ -152,8 +157,8 @@ typedef struct VP8Context {
    uint8_t deblock_filter;
    uint8_t mbskip_enabled;
    uint8_t profile;
-    VP56mv mv_min;
-    VP56mv mv_max;
+    VP8intmv mv_min;
+    VP8intmv mv_max;

    int8_t sign_bias[4]; ///< one state [0, 1] per ref frame type
    int ref_count[3];
@@ -410,7 +410,7 @@ static av_always_inline int inv_recenter_nonneg(int v, int m)
 // differential forward probability updates
 static int update_prob(VP56RangeCoder *c, int p)
 {
-    static const int inv_map_table[254] = {
+    static const int inv_map_table[255] = {
          7,  20,  33,  46,  59,  72,  85,  98, 111, 124, 137, 150, 163, 176,
        189, 202, 215, 228, 241, 254,   1,   2,   3,   4,   5,   6,   8,   9,
         10,  11,  12,  13,  14,  15,  16,  17,  18,  19,  21,  22,  23,  24,
@@ -429,7 +429,7 @@ static int update_prob(VP56RangeCoder *c, int p)
        207, 208, 209, 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, 221,
        222, 223, 224, 225, 226, 227, 229, 230, 231, 232, 233, 234, 235, 236,
        237, 238, 239, 240, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251,
-        252, 253,
+        252, 253, 253,
    };
    int d;

@@ -459,6 +459,7 @@ static int update_prob(VP56RangeCoder *c, int p)
        if (d >= 65)
            d = (d << 1) - 65 + vp8_rac_get(c);
        d += 64;
+        av_assert2(d < FF_ARRAY_ELEMS(inv_map_table));
    }

    return p <= 128 ? 1 + inv_recenter_nonneg(inv_map_table[d], p - 1) :
@@ -3868,7 +3869,7 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame,
                            tile_row, s->tiling.log2_tile_rows, s->sb_rows);
            if (s->pass != 2) {
                for (tile_col = 0; tile_col < s->tiling.tile_cols; tile_col++) {
-                    unsigned tile_size;
+                    int64_t tile_size;

                    if (tile_col == s->tiling.tile_cols - 1 &&
                        tile_row == s->tiling.tile_rows - 1) {
@@ -155,7 +155,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
            if (t >= 2) {
                if (get_bits_left(gb) < t - 1)
                    goto error;
-                t = get_bits(gb, t - 1) | (1 << (t - 1));
+                t = get_bits_long(gb, t - 1) | (1 << (t - 1));
            } else {
                if (get_bits_left(gb) < 0)
                    goto error;
@@ -186,7 +186,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
            } else {
                if (get_bits_left(gb) < t2 - 1)
                    goto error;
-                t += get_bits(gb, t2 - 1) | (1 << (t2 - 1));
+                t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1));
            }
        }

@@ -271,7 +271,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc,

        if (s->got_extra_bits &&
            get_bits_left(&s->gb_extra_bits) >= s->extra_bits) {
-            S   |= get_bits(&s->gb_extra_bits, s->extra_bits);
+            S   |= get_bits_long(&s->gb_extra_bits, s->extra_bits);
            *crc = *crc * 9 + (S & 0xffff) * 3 + ((unsigned)S >> 16);
        }
    }
@@ -835,7 +835,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
                continue;
            }
            bytestream2_get_buffer(&gb, val, 4);
-            if (val[0]) {
+            if (val[0] > 32) {
+                av_log(avctx, AV_LOG_ERROR,
+                       "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]);
+                continue;
+            } else if (val[0]) {
                s->extra_bits = val[0];
            } else if (val[1]) {
                s->shift = val[1];
@@ -1387,7 +1387,7 @@ static int webp_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    }

    av_dict_free(&s->exif_metadata);
-    while (bytestream2_get_bytes_left(&gb) > 0) {
+    while (bytestream2_get_bytes_left(&gb) > 8) {
        char chunk_str[5] = { 0 };

        chunk_type = bytestream2_get_le32(&gb);
@@ -488,7 +488,7 @@ static int decode_cdlms(WmallDecodeCtx *s)
                if ((1 << cbits) < s->cdlms[c][i].scaling + 1)
                    cbits++;

-                s->cdlms[c][i].bitsend = get_bits(&s->gb, cbits) + 2;
+                s->cdlms[c][i].bitsend = (cbits ? get_bits(&s->gb, cbits) : 0) + 2;
                shift_l = 32 - s->cdlms[c][i].bitsend;
                shift_r = 32 - s->cdlms[c][i].scaling - 2;
                for (j = 0; j < s->cdlms[c][i].coefsend; j++)
@@ -1005,6 +1005,7 @@ static int decode_frame(WmallDecodeCtx *s)
    if ((ret = ff_get_buffer(s->avctx, s->frame, 0)) < 0) {
        /* return an error if no frame could be decoded at all */
        s->packet_loss = 1;
+        s->frame->nb_samples = 0;
        return ret;
    }
    for (i = 0; i < s->num_channels; i++) {
@@ -1623,6 +1623,11 @@ static int decode_packet(AVCodecContext *avctx, void *data,
            s->packet_done = 1;
    }

+    if (remaining_bits(s, gb) < 0) {
+        av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -remaining_bits(s, gb));
+        s->packet_loss = 1;
+    }
+
    if (s->packet_done && !s->packet_loss &&
        remaining_bits(s, gb) > 0) {
        /** save the rest of the data so that it can be decoded
@@ -1982,7 +1982,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
                    *got_frame_ptr) {
                    cnt += s->spillover_nbits;
                    s->skip_bits_next = cnt & 7;
-                    return cnt >> 3;
+                    res = cnt >> 3;
+                    if (res > avpkt->size) {
+                        av_log(ctx, AV_LOG_ERROR,
+                               "Trying to skip %d bytes in packet of size %d\n",
+                               res, avpkt->size);
+                        return AVERROR_INVALIDDATA;
+                    }
+                    return res;
                } else
                    skip_bits_long (gb, s->spillover_nbits - cnt +
                                    get_bits_count(gb)); // resync
@@ -2001,7 +2008,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
    } else if (*got_frame_ptr) {
        int cnt = get_bits_count(gb);
        s->skip_bits_next = cnt & 7;
-        return cnt >> 3;
+        res = cnt >> 3;
+        if (res > avpkt->size) {
+            av_log(ctx, AV_LOG_ERROR,
+                   "Trying to skip %d bytes in packet of size %d\n",
+                   res, avpkt->size);
+            return AVERROR_INVALIDDATA;
+        }
+        return res;
    } else if ((s->sframe_cache_size = pos) > 0) {
        /* rewind bit reader to start of last (incomplete) superframe... */
        init_get_bits(gb, avpkt->data, size << 3);
@@ -135,8 +135,11 @@ WEIGHT_FUNC_HALF_MM 8, 8
    add  off_regd, 1
    or   off_regd, 1
    add        r4, 1
+    cmp        r6d, 128
+     je .nonnormal
    cmp        r5, 128
     jne .normal
+.nonnormal
    sar        r5, 1
    sar        r6, 1
    sar  off_regd, 1
@@ -382,6 +382,7 @@ apply_noise_main:
 %else
 %define count m_maxq
 %endif
+    movsxdifnidn    noiseq, noised
    dec    noiseq
    shl    count, 2
 %ifdef PIC
@@ -194,8 +194,12 @@ hvar_fn
 %elif (%2-%%off) == 2
    mov            valw, [srcq+%2-2]
 %elifidn %1, body
-    mov            vald, [srcq+%2-3]
-%else
+    mov            valb, [srcq+%2-1]
+    sal            vald, 16
+    mov            valw, [srcq+%2-3]
+%elifidn %1, bottom
+    movd mm %+ %%mmx_idx, [srcq+%2-4]
+%else ; top
    movd mm %+ %%mmx_idx, [srcq+%2-3]
 %endif
 %endif ; (%2-%%off) >= 1
@@ -251,12 +255,15 @@ hvar_fn
    mov     [dstq+%2-2], valw
 %elifidn %1, body
    mov     [dstq+%2-3], valw
-    shr            vald, 16
+    sar            vald, 16
    mov     [dstq+%2-1], valb
 %else
    movd           vald, mm %+ %%mmx_idx
+%ifidn %1, bottom
+    sar            vald, 8
+%endif
    mov     [dstq+%2-3], valw
-    shr            vald, 16
+    sar            vald, 16
    mov     [dstq+%2-1], valb
 %endif
 %endif ; (%2-%%off) >= 1
@@ -411,7 +411,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt)
            continue;
        } else if (ret < 0)
            return ret;
-        d = av_rescale_q(frame->pts, tb, AV_TIME_BASE_Q);
+        d = av_rescale_q_rnd(frame->pts, tb, AV_TIME_BASE_Q, AV_ROUND_NEAR_INF|AV_ROUND_PASS_MINMAX);
        av_dlog(avctx, "sink_idx:%d time:%f\n", i, d);
        av_frame_unref(frame);

@@ -532,8 +532,8 @@ static int create_stream(AVFormatContext *s)
    gc  = xcb_get_geometry(c->conn, c->screen->root);
    geo = xcb_get_geometry_reply(c->conn, gc, NULL);

-    if (c->x + c->width >= geo->width ||
-        c->y + c->height >= geo->height) {
+    if (c->x + c->width > geo->width ||
+        c->y + c->height > geo->height) {
        av_log(s, AV_LOG_ERROR,
               "Capture area %dx%d at position %d.%d "
               "outside the screen size %dx%d\n",
@@ -87,15 +87,24 @@ static int query_formats(AVFilterContext *ctx)
    AVFilterLink *inlink  = ctx->inputs[0];
    AVFilterLink *outlink = ctx->outputs[0];

-    AVFilterFormats        *in_formats      = ff_all_formats(AVMEDIA_TYPE_AUDIO);
-    AVFilterFormats        *out_formats;
-    AVFilterFormats        *in_samplerates  = ff_all_samplerates();
-    AVFilterFormats        *out_samplerates;
-    AVFilterChannelLayouts *in_layouts      = ff_all_channel_counts();
-    AVFilterChannelLayouts *out_layouts;
+    AVFilterFormats        *in_formats, *out_formats;
+    AVFilterFormats        *in_samplerates, *out_samplerates;
+    AVFilterChannelLayouts *in_layouts, *out_layouts;

+
+    in_formats      = ff_all_formats(AVMEDIA_TYPE_AUDIO);
+    if (!in_formats)
+        return AVERROR(ENOMEM);
    ff_formats_ref  (in_formats,      &inlink->out_formats);
+
+    in_samplerates  = ff_all_samplerates();
+    if (!in_samplerates)
+        return AVERROR(ENOMEM);
    ff_formats_ref  (in_samplerates,  &inlink->out_samplerates);
+
+    in_layouts      = ff_all_channel_counts();
+    if (!in_layouts)
+         return AVERROR(ENOMEM);
    ff_channel_layouts_ref(in_layouts,      &inlink->out_channel_layouts);

    if(out_rate > 0) {
@@ -205,7 +205,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *buf)
    delta    = pts - s->pts - get_delay(s);
    out_size = avresample_available(s->avr);

-    if (labs(delta) > s->min_delta ||
+    if (llabs(delta) > s->min_delta ||
        (s->first_frame && delta && s->first_pts != AV_NOPTS_VALUE)) {
        av_log(ctx, AV_LOG_VERBOSE, "Discontinuity - %"PRId64" samples.\n", delta);
        out_size = av_clipl_int32((int64_t)out_size + delta);
@@ -152,7 +152,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr,
        int hsub    = plane == 1 || plane == 2 ? trans->hsub : 0;
        int vsub    = plane == 1 || plane == 2 ? trans->vsub : 0;
        int pixstep = trans->pixsteps[plane];
-        int inh     = in->height  >> vsub;
+        int inh     = FF_CEIL_RSHIFT(in->height, vsub);
        int outw    = FF_CEIL_RSHIFT(out->width,  hsub);
        int outh    = FF_CEIL_RSHIFT(out->height, vsub);
        int start   = (outh *  jobnr   ) / nb_jobs;
@@ -65,13 +65,13 @@ cglobal store_slice, 2, 7, 0, dst, src, width, dither_height, dither, tmp, tmp2
    mov       tmpq, src_strideq
    and       widthq, ~7
    sub       dst_strideq, widthq
-    movd      m5, ditherq ; log2_scale
+    movd      m5, ditherd ; log2_scale
    xor       ditherq, -1 ; log2_scale
    mov       tmp2q, tmpq
    add       ditherq, 7 ; log2_scale
    neg       tmpq
    sub       tmp2q, widthq
-    movd      m2, ditherq ; log2_scale
+    movd      m2, ditherd ; log2_scale
    add       tmp2q, tmp2q
    lea       ditherq, [pb_dither]
    mov       src_strideq, tmp2q
@@ -132,12 +132,12 @@ cglobal store_slice2, 0, 7, 0, dst, src, width, dither_height, dither, tmp, tmp2
    mov       tmpq, src_strideq
    and       widthq, ~7
    sub       dst_strideq, widthq
-    movd      m5, ditherq ; log2_scale
+    movd      m5, ditherd ; log2_scale
    xor       ditherq, -1 ; log2_scale
    mov       tmp2q, tmpq
    add       ditherq, 7 ; log2_scale
    sub       tmp2q, widthq
-    movd      m2, ditherq ; log2_scale
+    movd      m2, ditherd ; log2_scale
    add       tmp2q, tmp2q
    lea       ditherq, [pb_dither]
    mov       src_strideq, tmp2q
@@ -27,8 +27,8 @@ SECTION .text
 %if lut_bits != 8
    sar    %1q, 8-lut_bits
 %endif
-    movsx  %1d, word [%3q+%1q*2]
-    add    %1d, %2d
+    movsx  %1q, word [%3q+%1q*2]
+    add    %1q, %2q
 %endmacro

 %macro LOAD 3 ; dstreg, x, bitdepth
@@ -1572,7 +1572,8 @@ static int avi_read_idx1(AVFormatContext *s, int size)
        ast = st->priv_data;

        if (first_packet && first_packet_pos) {
-            data_offset  = first_packet_pos - pos;
+            if (avi->movi_list + 4 != pos || pos + 500 > first_packet_pos)
+                data_offset  = first_packet_pos - pos;
            first_packet = 0;
        }
        pos += data_offset;
@@ -800,6 +800,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
    int max_buffer_size = s->max_packet_size ?
                          s->max_packet_size : IO_BUFFER_SIZE;
    int filled = s->buf_end - s->buffer;
+    ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;

    buf_size += s->buf_ptr - s->buffer + max_buffer_size;

@@ -817,6 +818,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
    s->buf_end = buffer + (s->buf_end - s->buffer);
    s->buffer = buffer;
    s->buffer_size = buf_size;
+    if (checksum_ptr_offset >= 0)
+        s->checksum_ptr = s->buffer + checksum_ptr_offset;
    return 0;
 }

@@ -371,8 +371,8 @@ static void dump_stream_format(AVFormatContext *ic, int i,
        av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)) {
        AVRational display_aspect_ratio;
        av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den,
-                  st->codec->width  * st->sample_aspect_ratio.num,
-                  st->codec->height * st->sample_aspect_ratio.den,
+                  st->codec->width  * (int64_t)st->sample_aspect_ratio.num,
+                  st->codec->height * (int64_t)st->sample_aspect_ratio.den,
                  1024 * 1024);
        av_log(NULL, AV_LOG_INFO, ", SAR %d:%d DAR %d:%d",
               st->sample_aspect_ratio.num, st->sample_aspect_ratio.den,
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .6.3
 .6.5