avformat/rpl: Fix check for negative values

Fixes: signed integer overflow: 10 * -1923267925333400000 cannot be represented in type 'int64_t' (aka 'long') Fixes: 378891963/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5714338935013376 Found-by: ossfuzz Reported-by: Kacper Michajlow <kasper93@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit eab65379bf) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/mlvdec: Check avio_read()
2024-12-31 20:49:27 +01:00 · 2024-12-31 20:48:35 +01:00 · 2024-12-31 20:44:38 +01:00 · 2024-12-24 02:39:26 +01:00 · 2024-12-24 00:36:20 +01:00 · 2024-12-24 00:32:32 +01:00
126 changed files with 686 additions and 271 deletions
@@ -1,6 +1,6 @@
-See the Git history of the project (git://source.ffmpeg.org/ffmpeg) to
+See the Git history of the project (https://git.ffmpeg.org/ffmpeg) to
 get the names of people who have contributed to FFmpeg.

 To check the log, you can type the command "git log" in the FFmpeg
 source directory, or browse the online repository at
-http://source.ffmpeg.org.
+https://git.ffmpeg.org/ffmpeg
@@ -1,6 +1,75 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+2.8.22:
+ avformat/rtsp: Use rtsp_st->stream_index
+ avcodec/jpeg2000dec: Check image offset
+ Update for FFmpeg 2.8.22
+ avcodec/xvididct: Make c* unsigned to avoid undefined overflows
+ avformat/tmv: Check video chunk size
+ avformat/matroskadec: Check prebuffered_ns for overflow
+ avformat/wavdec: Check left avio_tell for overflow
+ avformat/tta: Better totalframes check
+ avformat/rpl: Check for number_of_chunks overflow
+ avformat/jacosubdec: Check timeres
+ avcodec/escape124: Do not return random numbers
+ avformat/avs: Check if return code is representable
+ avcodec/lcldec: Make PNG filter addressing match the code afterwards
+ avformat/westwood_vqa: Check chunk size
+ avformat/sbgdec: Check for period overflow
+ avcodec/xvididct: Fix integer overflow in idct_row()
+ avcodec/celp_math: avoid overflow in shift
+ avformat/format: Stop reading data at EOF during probing
+ avcodec/huffyuvdec: avoid undefined behavior with get_vlc2() failure
+ avcodec/mpeg4videodec: more unsigned in amv computation
+ avcodec/tta: fix signed overflow in decorrelate
+ avcodec/xvididct: Fix integer overflow in idct_row()
+ avcodec/jpeg2000dec: Check for reduction factor and image offset
+ avutil/softfloat: Basic documentation for av_sincos_sf()
+ avutil/softfloat: fix av_sincos_sf()
+ avcodec/utils: fix 2 integer overflows in get_audio_frame_duration()
+ avcodec/hevcdec: Avoid null pointer dereferences in MC
+ avcodec: Ignoring errors is only possible before the input end
+ avformat/wavdec: Check that smv block fits in available space
+ avcodec/tak: Check remaining bits in ff_tak_decode_frame_header()
+ avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated
+ avcodec/pngdec: Do not pass AVFrame into global header decode
+ avcodec/vorbisdec: Check codebook float values to be finite
+ avcodec/lcldec: More space for rgb24
+ avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width
+ libavcodec/lcldec: width and height should not be unsigned
+ avcodec/escape124: Check that blocks are allocated before use
+ avcodec/huffyuvdec: Fix undefined behavior with shift
+ avcodec/vp3: Check width to avoid assertion failure
+ avcodec/g729postfilter: Limit shift in long term filter
+ configure: update copyright year
+ avcodec/vp3: Add missing check for av_malloc
+ avcodec/escape124: Fix some return codes
+ avcodec/escape124: fix signdness of end of input check
+ Use https for repository links
+ avcodec/motionpixels: Mask pixels to valid values
+ avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane()
+ avcodec/bink: Fix off by 1 error in ref end
+ avcodec/utils: Ensure linesize for SVQ3
+ avcodec/utils: allocate a line more for VC1 and WMV3
+ avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things
+ avcodec/pngdec: Check deloco index more exactly
+ avcodec/ffv1dec: Check that num h/v slices is supported
+ avformat/mov: Check samplesize and offset to avoid integer overflow
+ avcodec/pictordec: Remove mid exit branch
+ avcodec/utils: use 32pixel alignment for bink
+ avcodec/012v: Order operations for odd size handling
+ avcodec/eatgq: : Check index increments in tgq_decode_block()
+ avcodec/sunrast: Fix maplength check
+ avcodec/wavpack: Avoid undefined shift in get_tail()
+ avformat/id3v2: Check taglen in read_uslt()
+ avcodec/ffv1dec: restructure slice coordinate reading a bit
+ avcodec/mlpdec: Check max matrix instead of max channel in noise check
+ swscale/input: Use more unsigned intermediates
+ avcodec/alsdec: The minimal block is at least 7 bits
+ avformat/replaygain: avoid undefined / negative abs
+ avcodec/ffv1dec: Fail earlier if prior context is corrupted
+
 version 2.8.21:
 avformat/rmdec: check tag_size
 avformat/nutdec: Check fields
@@ -15,3 +15,11 @@ NOTICE
 ------

 - Non system dependencies (e.g. libx264, libvpx) are disabled by default.
+
+NOTICE for Package Maintainers
+------------------------------
+
+ - It is recommended to build FFmpeg twice, first with minimal external dependencies so
+   that 3rd party packages, which depend on FFmpegs libavutil/libavfilter/libavcodec/libavformat
+   can then be built. And last build FFmpeg with full dependancies (which may in turn depend on
+   some of these 3rd party packages). This avoids circular dependencies during build.
@@ -1 +1 @@
-2.8.21
+2.8.22
@@ -4301,6 +4301,7 @@ case $target_os in
        ;;
    netbsd)
        disable symver
+        enable section_data_rel_ro
        oss_indev_extralibs="-lossaudio"
        oss_outdev_extralibs="-lossaudio"
        enabled gcc || check_ldflags -Wl,-zmuldefs
@@ -4317,6 +4318,7 @@ case $target_os in
        disable symver
        ;;
    freebsd)
+        enable section_data_rel_ro
        ;;
    bsd/os)
        add_extralibs -lpoll -lgnugetopt
@@ -6144,7 +6146,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2022
+#define CONFIG_THIS_YEAR 2024
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 2.8.21
+PROJECT_NUMBER         = 2.8.22

 # With the PROJECT_LOGO tag one can specify a logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
@@ -3,9 +3,9 @@
 The FFmpeg developers.

 For details about the authorship, see the Git history of the project
-(git://source.ffmpeg.org/ffmpeg), e.g. by typing the command
+(https://git.ffmpeg.org/ffmpeg), e.g. by typing the command
@command{git log} in the FFmpeg source directory, or browsing the
-online repository at @url{http://source.ffmpeg.org}.
+online repository at @url{https://git.ffmpeg.org/ffmpeg}.

 Maintainers for the specific components are listed in the file
@file{MAINTAINERS} in the source code tree.
@@ -734,6 +734,25 @@ In case you need finer control over how valgrind is invoked, use the
@code{--target-exec='valgrind <your_custom_valgrind_options>} option in
 your configure line instead.

+@anchor{Maintenance}
+@chapter Maintenance process
+
+@anchor{MAINTAINERS}
+@section MAINTAINERS
+
+The developers maintaining each part of the codebase are listed in @file{MAINTAINERS}.
+Being listed in @file{MAINTAINERS}, gives one the right to have git write access to
+the specific repository.
+
+@anchor{Becoming a maintainer}
+@section Becoming a maintainer
+
+People add themselves to @file{MAINTAINERS} by sending a patch like any other code
+change. These get reviewed by the community like any other patch. It is expected
+that, if someone has an objection to a new maintainer, she is willing to object
+in public with her full name and is willing to take over maintainership for the area.
+
+
@anchor{Release process}
@section Release process

@@ -53,7 +53,7 @@ Most distribution and operating system provide a package for it.
@section Cloning the source tree

@example
-git clone git://source.ffmpeg.org/ffmpeg <target>
+git clone https://git.ffmpeg.org/ffmpeg.git <target>
@end example

 This will put the FFmpeg sources into the directory @var{<target>}.
@@ -38,6 +38,28 @@
 #include "libavutil/imgutils.h"
 #include "libavutil/samplefmt.h"

+
+static const enum AVPixelFormat *get_compliance_unofficial_pix_fmts(enum AVCodecID codec_id, const enum AVPixelFormat default_formats[])
+{
+    static const enum AVPixelFormat mjpeg_formats[] =
+        { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P,
+          AV_PIX_FMT_YUV420P,  AV_PIX_FMT_YUV422P,
+          AV_PIX_FMT_NONE };
+    static const enum AVPixelFormat ljpeg_formats[] =
+        { AV_PIX_FMT_BGRA    ,
+          AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUVJ422P,
+          AV_PIX_FMT_YUV420P , AV_PIX_FMT_YUV444P , AV_PIX_FMT_YUV422P,
+          AV_PIX_FMT_NONE};
+
+    if (codec_id == AV_CODEC_ID_MJPEG) {
+        return mjpeg_formats;
+    } else if (codec_id == AV_CODEC_ID_LJPEG) {
+        return ljpeg_formats;
+    } else {
+        return default_formats;
+    }
+}
+
 enum AVPixelFormat choose_pixel_fmt(AVStream *st, AVCodecContext *enc_ctx, AVCodec *codec, enum AVPixelFormat target)
 {
    if (codec && codec->pix_fmts) {
@@ -45,18 +67,9 @@ enum AVPixelFormat choose_pixel_fmt(AVStream *st, AVCodecContext *enc_ctx, AVCod
        const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(target);
        int has_alpha = desc ? desc->nb_components % 2 == 0 : 0;
        enum AVPixelFormat best= AV_PIX_FMT_NONE;
-        static const enum AVPixelFormat mjpeg_formats[] =
-            { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE };
-        static const enum AVPixelFormat ljpeg_formats[] =
-            { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P,
-              AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE };

        if (enc_ctx->strict_std_compliance <= FF_COMPLIANCE_UNOFFICIAL) {
-            if (enc_ctx->codec_id == AV_CODEC_ID_MJPEG) {
-                p = mjpeg_formats;
-            } else if (enc_ctx->codec_id == AV_CODEC_ID_LJPEG) {
-                p =ljpeg_formats;
-            }
+            p = get_compliance_unofficial_pix_fmts(enc_ctx->codec_id, p);
        }
        for (; *p != AV_PIX_FMT_NONE; p++) {
            best= avcodec_find_best_pix_fmt_of_2(best, *p, target, has_alpha, NULL);
@@ -126,12 +139,7 @@ static char *choose_pix_fmts(OutputStream *ost)

        p = ost->enc->pix_fmts;
        if (ost->enc_ctx->strict_std_compliance <= FF_COMPLIANCE_UNOFFICIAL) {
-            if (ost->enc_ctx->codec_id == AV_CODEC_ID_MJPEG) {
-                p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE };
-            } else if (ost->enc_ctx->codec_id == AV_CODEC_ID_LJPEG) {
-                p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P,
-                                                    AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE };
-            }
+            p = get_compliance_unofficial_pix_fmts(ost->enc_ctx->codec_id, p);
        }

        for (; *p != AV_PIX_FMT_NONE; p++) {
@@ -131,8 +131,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
            u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
            v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
            memcpy(y, y_temp, sizeof(*y) * (width - x));
-            memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2);
-            memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2);
+            memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2));
+            memcpy(v, v_temp, sizeof(*v) * ((width - x + 1) / 2));
        }

        line_end += stride;
@@ -884,6 +884,8 @@ static int decode_frame(AVCodecContext *avctx, void *data,
        }

        if (i >= CFRAME_BUFFER_COUNT) {
+            if (free_index < 0)
+                return AVERROR_INVALIDDATA;
            i             = free_index;
            f->cfrm[i].id = id;
        }
@@ -458,8 +458,7 @@ static av_cold int aic_decode_init(AVCodecContext *avctx)
        }
    }

-    ctx->slice_data = av_malloc_array(ctx->slice_width, AIC_BAND_COEFFS
-                                * sizeof(*ctx->slice_data));
+    ctx->slice_data = av_calloc(ctx->slice_width, AIC_BAND_COEFFS * sizeof(*ctx->slice_data));
    if (!ctx->slice_data) {
        av_log(avctx, AV_LOG_ERROR, "Error allocating slice buffer\n");

@@ -1013,7 +1013,7 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)

    *bd->shift_lsbs = 0;

-    if (get_bits_left(gb) < 1)
+    if (get_bits_left(gb) < 7)
        return AVERROR_INVALIDDATA;

    // read block type flag and read the samples accordingly
@@ -2486,6 +2486,10 @@ typedef struct AVCodecContext {
     *   this callback and filled with the extra buffers if there are more
     *   buffers than buf[] can hold. extended_buf will be freed in
     *   av_frame_unref().
+     *   Decoders will generally initialize the whole buffer before it is output
+     *   but it can in rare error conditions happen that uninitialized data is passed
+     *   through. \important The buffers returned by get_buffer* should thus not contain sensitive
+     *   data.
     *
     * If AV_CODEC_CAP_DR1 is not set then get_buffer2() must call
     * avcodec_default_get_buffer2() instead of providing buffers allocated by
@@ -825,7 +825,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,

    binkb_init_bundles(c);
    ref_start = frame->data[plane_idx];
-    ref_end   = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw) * 8;
+    ref_end   = frame->data[plane_idx] + ((bh - 1) * frame->linesize[plane_idx] + bw - 1) * 8;

    for (i = 0; i < 64; i++)
        coordmap[i] = (i & 7) + (i >> 3) * stride;
@@ -879,7 +879,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
                xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
                yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
                ref = dst + xoff + yoff * stride;
-                if (ref < ref_start || ref + 8*stride > ref_end) {
+                if (ref < ref_start || ref > ref_end) {
                    av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
                } else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
                    c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8);
@@ -895,7 +895,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
                xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
                yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
                ref = dst + xoff + yoff * stride;
-                if (ref < ref_start || ref + 8 * stride > ref_end) {
+                if (ref < ref_start || ref > ref_end) {
                    av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
                } else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
                    c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8);
@@ -925,7 +925,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
                xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
                yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
                ref = dst + xoff + yoff * stride;
-                if (ref < ref_start || ref + 8 * stride > ref_end) {
+                if (ref < ref_start || ref > ref_end) {
                    av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
                } else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
                    c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8);
@@ -68,7 +68,7 @@ int ff_log2_q15(uint32_t value);
 *
 * @return value << offset, if offset>=0; value >> -offset - otherwise
 */
-static inline int bidir_sal(int value, int offset)
+static inline unsigned bidir_sal(unsigned value, int offset)
 {
    if(offset < 0) return value >> -offset;
    else           return value <<  offset;
@@ -56,7 +56,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx,
                           unsigned type, const void *data, unsigned size,
                           unsigned mb_count)
 {
-    void     *dxva_data;
+    void     *dxva_data = NULL;
    unsigned dxva_size;
    int      result;
    HRESULT hr = 0;
@@ -78,7 +78,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx,
               type, hr);
        return -1;
    }
-    if (size <= dxva_size) {
+    if (dxva_data && size <= dxva_size) {
        memcpy(dxva_data, data, size);

 #if CONFIG_D3D11VA
@@ -140,7 +140,7 @@ int ff_dxva2_common_end_frame(AVCodecContext *avctx, AVFrame *frame,
 #endif
    DECODER_BUFFER_DESC             *buffer = NULL, *buffer_slice = NULL;
    int result, runs = 0;
-    HRESULT hr;
+    HRESULT hr = -1;
    unsigned type;

    do {
@@ -58,7 +58,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx)
    return 0;
 }

-static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
+static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
 {
    uint8_t *perm = s->scantable.permutated;
    int i, j, value;
@@ -66,6 +66,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
    for (i = 1; i < 64;) {
        switch (show_bits(gb, 3)) {
        case 4:
+            if (i >= 63)
+                return AVERROR_INVALIDDATA;
            block[perm[i++]] = 0;
        case 0:
            block[perm[i++]] = 0;
@@ -75,6 +77,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
        case 1:
            skip_bits(gb, 2);
            value = get_bits(gb, 6);
+            if (value > 64 - i)
+                return AVERROR_INVALIDDATA;
            for (j = 0; j < value; j++)
                block[perm[i++]] = 0;
            break;
@@ -102,6 +106,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
        }
    }
    block[0] += 128 << 4;
+    return 0;
 }

 static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame,
@@ -161,8 +166,11 @@ static int tgq_decode_mb(TgqContext *s, AVFrame *frame, int mb_y, int mb_x)
        if (ret < 0)
            return ret;

-        for (i = 0; i < 6; i++)
-            tgq_decode_block(s, s->block[i], &gb);
+        for (i = 0; i < 6; i++) {
+            int ret = tgq_decode_block(s, s->block[i], &gb);
+            if (ret < 0)
+                return ret;
+        }
        tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y);
        bytestream2_skip(&s->gb, mode);
    } else {
@@ -89,11 +89,6 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth,
    unsigned i, j;
    CodeBook cb = { 0 };

-    if (size >= INT_MAX / 34 || get_bits_left(gb) < size * 34)
-        return cb;
-
-    if (size >= INT_MAX / sizeof(MacroBlock))
-        return cb;
    cb.blocks = av_malloc(size ? size * sizeof(MacroBlock) : 1);
    if (!cb.blocks)
        return cb;
@@ -163,7 +158,7 @@ static MacroBlock decode_macroblock(Escape124Context* s, GetBitContext* gb,

    // This condition can occur with invalid bitstreams and
    // *codebook_index == 2
-    if (block_index >= s->codebooks[*codebook_index].size)
+    if (block_index >= s->codebooks[*codebook_index].size || !s->codebooks[*codebook_index].blocks)
        return (MacroBlock) { { 0 } };

    return s->codebooks[*codebook_index].blocks[block_index];
@@ -227,7 +222,7 @@ static int escape124_decode_frame(AVCodecContext *avctx,
    // represent a lower bound of the space needed for skipped superblocks. Non
    // skipped SBs need more space.
    if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
-        return -1;
+        return AVERROR_INVALIDDATA;

    frame_flags = get_bits_long(&gb, 32);
    frame_size  = get_bits_long(&gb, 32);
@@ -244,7 +239,7 @@ static int escape124_decode_frame(AVCodecContext *avctx,
        if ((ret = av_frame_ref(frame, s->frame)) < 0)
            return ret;

-        return frame_size;
+        return 0;
    }

    for (i = 0; i < 3; i++) {
@@ -273,9 +268,14 @@ static int escape124_decode_frame(AVCodecContext *avctx,
                }
            }
            av_freep(&s->codebooks[i].blocks);
+            if (cb_size >= INT_MAX / 34 || get_bits_left(&gb) < (int)cb_size * 34)
+                return AVERROR_INVALIDDATA;
+
+            if (cb_size >= INT_MAX / sizeof(MacroBlock))
+                return AVERROR_INVALIDDATA;
            s->codebooks[i] = unpack_codebook(&gb, cb_depth, cb_size);
            if (!s->codebooks[i].blocks)
-                return -1;
+                return AVERROR(ENOMEM);
        }
    }

@@ -368,7 +368,7 @@ static int escape124_decode_frame(AVCodecContext *avctx,

    *got_frame = 1;

-    return frame_size;
+    return 0;
 }


@@ -284,24 +284,31 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs)
    RangeCoder *c = &fs->c;
    uint8_t state[CONTEXT_SIZE];
    unsigned ps, i, context_count;
+    int sx, sy, sw, sh;
+
    memset(state, 128, sizeof(state));
+    sx = get_symbol(c, state, 0);
+    sy = get_symbol(c, state, 0);
+    sw = get_symbol(c, state, 0) + 1U;
+    sh = get_symbol(c, state, 0) + 1U;

    av_assert0(f->version > 2);

-    fs->slice_x      =  get_symbol(c, state, 0)      * f->width ;
-    fs->slice_y      =  get_symbol(c, state, 0)      * f->height;
-    fs->slice_width  = (get_symbol(c, state, 0) + 1) * f->width  + fs->slice_x;
-    fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y;

-    fs->slice_x /= f->num_h_slices;
-    fs->slice_y /= f->num_v_slices;
-    fs->slice_width  = fs->slice_width /f->num_h_slices - fs->slice_x;
-    fs->slice_height = fs->slice_height/f->num_v_slices - fs->slice_y;
-    if ((unsigned)fs->slice_width > f->width || (unsigned)fs->slice_height > f->height)
-        return -1;
-    if (    (unsigned)fs->slice_x + (uint64_t)fs->slice_width  > f->width
-         || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
-        return -1;
+    if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0)
+        return AVERROR_INVALIDDATA;
+    if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh)
+        return AVERROR_INVALIDDATA;
+
+    fs->slice_x      =  sx       * (int64_t)f->width  / f->num_h_slices;
+    fs->slice_y      =  sy       * (int64_t)f->height / f->num_v_slices;
+    fs->slice_width  = (sx + sw) * (int64_t)f->width  / f->num_h_slices - fs->slice_x;
+    fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y;
+
+    av_assert0((unsigned)fs->slice_width  <= f->width &&
+                (unsigned)fs->slice_height <= f->height);
+    av_assert0 (   (unsigned)fs->slice_x + (uint64_t)fs->slice_width  <= f->width
+                && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height);

    for (i = 0; i < f->plane_count; i++) {
        PlaneContext * const p = &fs->plane[i];
@@ -416,8 +423,11 @@ static int decode_slice(AVCodecContext *c, void *arg)
    }
    if ((ret = ff_ffv1_init_slice_state(f, fs)) < 0)
        return ret;
-    if (f->cur->key_frame || fs->slice_reset_contexts)
+    if (f->cur->key_frame || fs->slice_reset_contexts) {
        ff_ffv1_clear_slice_state(f, fs);
+    } else if (fs->slice_damaged) {
+        return AVERROR_INVALIDDATA;
+    }

    width  = fs->slice_width;
    height = fs->slice_height;
@@ -456,7 +466,7 @@ static int decode_slice(AVCodecContext *c, void *arg)
    if (fs->ac && f->version > 2) {
        int v;
        get_rac(&fs->c, (uint8_t[]) { 129 });
-        v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*f->ec;
+        v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*!!f->ec;
        if (v) {
            av_log(f->avctx, AV_LOG_ERROR, "bytestream end mismatching by %d\n", v);
            fs->slice_damaged = 1;
@@ -569,6 +579,11 @@ static int read_extra_header(FFV1Context *f)
        return AVERROR_INVALIDDATA;
    }

+    if (f->num_h_slices > MAX_SLICES / f->num_v_slices) {
+        av_log(f->avctx, AV_LOG_ERROR, "slice count unsupported\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
    f->quant_table_count = get_symbol(c, state, 0);
    if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) {
        av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count);
@@ -814,21 +829,25 @@ static int read_header(FFV1Context *f)
        fs->slice_damaged = 0;

        if (f->version == 2) {
-            fs->slice_x      =  get_symbol(c, state, 0)      * f->width ;
-            fs->slice_y      =  get_symbol(c, state, 0)      * f->height;
-            fs->slice_width  = (get_symbol(c, state, 0) + 1) * f->width  + fs->slice_x;
-            fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y;
+            int sx = get_symbol(c, state, 0);
+            int sy = get_symbol(c, state, 0);
+            int sw = get_symbol(c, state, 0) + 1U;
+            int sh = get_symbol(c, state, 0) + 1U;

-            fs->slice_x     /= f->num_h_slices;
-            fs->slice_y     /= f->num_v_slices;
-            fs->slice_width  = fs->slice_width  / f->num_h_slices - fs->slice_x;
-            fs->slice_height = fs->slice_height / f->num_v_slices - fs->slice_y;
-            if ((unsigned)fs->slice_width  > f->width ||
-                (unsigned)fs->slice_height > f->height)
+            if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0)
                return AVERROR_INVALIDDATA;
-            if (   (unsigned)fs->slice_x + (uint64_t)fs->slice_width  > f->width
-                || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
+            if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh)
                return AVERROR_INVALIDDATA;
+
+            fs->slice_x      =  sx       * (int64_t)f->width  / f->num_h_slices;
+            fs->slice_y      =  sy       * (int64_t)f->height / f->num_v_slices;
+            fs->slice_width  = (sx + sw) * (int64_t)f->width  / f->num_h_slices - fs->slice_x;
+            fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y;
+
+            av_assert0((unsigned)fs->slice_width  <= f->width &&
+                       (unsigned)fs->slice_height <= f->height);
+            av_assert0 (   (unsigned)fs->slice_x + (uint64_t)fs->slice_width  <= f->width
+                        && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height);
        }

        for (i = 0; i < f->plane_count; i++) {
@@ -695,7 +695,7 @@ static av_cold int encode_init(AVCodecContext *avctx)
        s->version = FFMAX(s->version, 3);

    if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) {
-        av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n");
+        av_log(avctx, AV_LOG_ERROR, "Version 2 or 4 needed for requested features but version 2 or 4 is experimental and not enabled\n");
        return AVERROR_INVALIDDATA;
    }

@@ -1011,8 +1011,8 @@ static void encode_slice_header(FFV1Context *f, FFV1Context *fs)

    put_symbol(c, state, (fs->slice_x     +1)*f->num_h_slices / f->width   , 0);
    put_symbol(c, state, (fs->slice_y     +1)*f->num_v_slices / f->height  , 0);
-    put_symbol(c, state, (fs->slice_width +1)*f->num_h_slices / f->width -1, 0);
-    put_symbol(c, state, (fs->slice_height+1)*f->num_v_slices / f->height-1, 0);
+    put_symbol(c, state, 0, 0);
+    put_symbol(c, state, 0, 0);
    for (j=0; j<f->plane_count; j++) {
        put_symbol(c, state, f->plane[j].quant_table_index, 0);
        av_assert0(f->plane[j].quant_table_index == f->avctx->context_model);
@@ -367,6 +367,8 @@ static int check_header_mismatch(FLACParseContext  *fpc,
        for (i = 0; i < FLAC_MAX_SEQUENTIAL_HEADERS && curr != child; i++)
            curr = curr->next;

+        av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS);
+
        if (header->link_penalty[i] < FLAC_HEADER_CRC_FAIL_PENALTY ||
            header->link_penalty[i] == FLAC_HEADER_NOT_PENALIZED_YET) {
            FLACHeaderMarker *start, *end;
@@ -347,7 +347,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
        if (tmp > 0)
            L_temp0 >>= tmp;
        else
-            L_temp1 >>= -tmp;
+            L_temp1 >>= FFMIN(-tmp, 31);

        /* Check if longer filter increases the values of R'(k). */
        if (L_temp1 > L_temp0) {
@@ -574,7 +574,7 @@ void ff_g729_postfilter(AudioDSPContext *adsp, int16_t* ht_prev_data, int* voici
 int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *speech,
                                   int subframe_size, int16_t gain_prev)
 {
-    int gain; // (3.12)
+    unsigned gain; // (3.12)
    int n;
    int exp_before, exp_after;

@@ -596,7 +596,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *
            gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000;
            gain = bidir_sal(gain, exp_after - exp_before);
        }
-        gain = av_clip_int16(gain);
+        gain = FFMIN(gain, 32767);
        gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875)
    } else
        gain = 0;
@@ -280,6 +280,7 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit,
    log = av_log2(buf);

    if (log > 31 - limit) {
+        av_assert2(log >= k);
        buf >>= log - k;
        buf  += (30U - log) << k;
        LAST_SKIP_BITS(re, gb, 32 + k - log);
@@ -301,6 +302,8 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit,

 /**
 * read unsigned golomb rice code (jpegls).
+ *
+ * @returns -1 on error
 */
 static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit,
                                       int esc_len)
@@ -373,6 +376,8 @@ static inline int get_sr_golomb(GetBitContext *gb, int k, int limit,

 /**
 * read signed golomb rice code (flac).
+ *
+ * @returns INT_MIN on error
 */
 static inline int get_sr_golomb_flac(GetBitContext *gb, int k, int limit,
                                     int esc_len)
@@ -289,7 +289,7 @@ static int decode_slice(MpegEncContext *s)
                ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y,
                                s->mb_x, s->mb_y, ER_MB_ERROR & part_mask);

-                if (s->avctx->err_recognition & AV_EF_IGNORE_ERR)
+                if ((s->avctx->err_recognition & AV_EF_IGNORE_ERR) && get_bits_left(&s->gb) > 0)
                    continue;
                return AVERROR_INVALIDDATA;
            }
@@ -476,6 +476,10 @@ static int hls_slice_header(HEVCContext *s)

        if (s->ps.pps->dependent_slice_segments_enabled_flag)
            sh->dependent_slice_segment_flag = get_bits1(gb);
+        if (sh->dependent_slice_segment_flag && !s->slice_initialized) {
+            av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n");
+            return AVERROR_INVALIDDATA;
+        }

        slice_address_length = av_ceil_log2(s->ps.sps->ctb_width *
                                            s->ps.sps->ctb_height);
@@ -733,9 +737,6 @@ static int hls_slice_header(HEVCContext *s)
        } else {
            sh->slice_loop_filter_across_slices_enabled_flag = s->ps.pps->seq_loop_filter_across_slices_enabled_flag;
        }
-    } else if (!s->slice_initialized) {
-        av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n");
-        return AVERROR_INVALIDDATA;
    }

    sh->num_entry_point_offsets = 0;
@@ -1749,13 +1750,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0,

    if (current_mv.pred_flag & PF_L0) {
        ref0 = refPicList[0].ref[current_mv.ref_idx[0]];
-        if (!ref0)
+        if (!ref0 || !ref0->frame)
            return;
        hevc_await_progress(s, ref0, &current_mv.mv[0], y0, nPbH);
    }
    if (current_mv.pred_flag & PF_L1) {
        ref1 = refPicList[1].ref[current_mv.ref_idx[1]];
-        if (!ref1)
+        if (!ref1 || !ref1->frame)
            return;
        hevc_await_progress(s, ref1, &current_mv.mv[1], y0, nPbH);
    }
@@ -2703,8 +2704,11 @@ static int decode_nal_unit(HEVCContext *s, const HEVCNAL *nal)
    case NAL_RASL_N:
    case NAL_RASL_R:
        ret = hls_slice_header(s);
-        if (ret < 0)
+        if (ret < 0) {
+            // hls_slice_header() does not cleanup on failure thus the state now is inconsistant so we cannot use it on depandant slices
+            s->slice_initialized = 0;
            return ret;
+        }
        if (ret == 1) {
            ret = AVERROR_INVALIDDATA;
            goto fail;
@@ -685,9 +685,9 @@ static void decode_422_bitstream(HYuvContext *s, int count)
 /* TODO instead of restarting the read when the code isn't in the first level
 * of the joint table, jump into the 2nd level of the individual table. */
 #define READ_2PIX_PLANE16(dst0, dst1, plane){\
-    dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\
+    dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\
    dst0 += get_bits(&s->gb, 2);\
-    dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\
+    dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\
    dst1 += get_bits(&s->gb, 2);\
 }
 static void decode_plane_bitstream(HYuvContext *s, int width, int plane)
@@ -745,7 +745,7 @@ static void decode_plane_bitstream(HYuvContext *s, int width, int plane)
            }
        }
        if( width&1 && get_bits_left(&s->gb)>0 ) {
-            int dst = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;
+            int dst = (unsigned)get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;
            s->temp16[0][width-1] = dst + get_bits(&s->gb, 2);
        }
    }
@@ -168,6 +168,9 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx,
    int p, chroma_width, chroma_height;
    int luma_pitch, chroma_pitch, luma_size, chroma_size;

+    luma_width  = FFALIGN(luma_width , 2);
+    luma_height = FFALIGN(luma_height, 2);
+
    if (luma_width  < 16 || luma_width  > 640 ||
        luma_height < 16 || luma_height > 480 ||
        luma_width  &  3 || luma_height &   3) {
@@ -188,7 +188,7 @@ static av_always_inline void FUNC(row_fdct)(int16_t *data)
 {
  int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7;
  int tmp10, tmp11, tmp12, tmp13;
-  int z1, z2, z3, z4, z5;
+  unsigned z1, z2, z3, z4, z5;
  int16_t *dataptr;
  int ctr;

@@ -308,6 +308,16 @@ static int get_siz(Jpeg2000DecoderContext *s)
        return AVERROR_INVALIDDATA;
    }

+    if (s->image_offset_x >= s->width || s->image_offset_y >= s->height) {
+        av_log(s->avctx, AV_LOG_ERROR, "image offsets outside image");
+        return AVERROR_INVALIDDATA;
+    }
+
+    if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){
+        av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented");
+        return AVERROR_PATCHWELCOME;
+    }
+
    s->ncomponents = ncomponents;

    if (s->tile_width <= 0 || s->tile_height <= 0) {
@@ -809,9 +819,6 @@ static uint8_t get_tlm(Jpeg2000DecoderContext *s, int n)
        case 2:
            bytestream2_get_be16(&s->g);
            break;
-        case 3:
-            bytestream2_get_be32(&s->g);
-            break;
        }
        if (SP == 0) {
            bytestream2_get_be16(&s->g);
@@ -373,6 +373,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
    state->T3     = s->t3;
    state->reset  = s->reset;
    ff_jpegls_reset_coding_parameters(state, 0);
+
+    /* Testing parameters here, we cannot test in LSE or SOF because
+     * these interdepend and are allowed in either order
+     */
+    if (state->maxval >= (1<<state->bpp) ||
+        state->T1 > state->T2 ||
+        state->T2 > state->T3 ||
+        state->T3 > state->maxval ||
+        state->reset > FFMAX(255, state->maxval)) {
+        ret = AVERROR_INVALIDDATA;
+        goto end;
+    }
+
    ff_jpegls_init_state(state);

    if (s->bits <= 8)
@@ -151,6 +151,8 @@ static int zlib_decomp(AVCodecContext *avctx, const uint8_t *src, int src_len, i
    if (expected != (unsigned int)c->zstream.total_out) {
        av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n",
               expected, c->zstream.total_out);
+        if (expected > (unsigned int)c->zstream.total_out)
+            return (unsigned int)c->zstream.total_out;
        return AVERROR_UNKNOWN;
    }
    return c->zstream.total_out;
@@ -173,8 +175,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
    int row, col;
    unsigned char *encoded = avpkt->data, *outptr;
    uint8_t *y_out, *u_out, *v_out;
-    unsigned int width = avctx->width; // Real image width
-    unsigned int height = avctx->height; // Real image height
+    int width = avctx->width; // Real image width
+    int height = avctx->height; // Real image height
    unsigned int mszh_dlen;
    unsigned char yq, y1q, uq, vq;
    int uqvq, ret;
@@ -232,16 +234,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            break;
        case COMP_MSZH_NOCOMP: {
            int bppx2;
+            int aligned_width = width;
            switch (c->imgtype) {
            case IMGTYPE_YUV111:
            case IMGTYPE_RGB24:
                bppx2 = 6;
                break;
            case IMGTYPE_YUV422:
+                aligned_width &= ~3;
            case IMGTYPE_YUV211:
                bppx2 = 4;
                break;
            case IMGTYPE_YUV411:
+                aligned_width &= ~3;
            case IMGTYPE_YUV420:
                bppx2 = 3;
                break;
@@ -249,7 +254,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                bppx2 = 0; // will error out below
                break;
            }
-            if (len < ((width * height * bppx2) >> 1))
+            if (len < ((aligned_width * height * bppx2) >> 1))
                return AVERROR_INVALIDDATA;
            break;
        }
@@ -281,12 +286,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            ret = zlib_decomp(avctx, buf + 8 + mthread_inlen, len - 8 - mthread_inlen,
                              mthread_outlen, mthread_outlen);
            if (ret < 0) return ret;
+            len = c->decomp_size;
        } else {
            int ret = zlib_decomp(avctx, buf, len, 0, c->decomp_size);
            if (ret < 0) return ret;
+            len = ret;
        }
        encoded = c->decomp_buf;
-        len = c->decomp_size;
        break;
 #endif
    default:
@@ -314,8 +320,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            }
            break;
        case IMGTYPE_YUV422:
+            pixel_ptr = 0;
            for (row = 0; row < height; row++) {
-                pixel_ptr = row * width * 2;
                yq = uq = vq =0;
                for (col = 0; col < width/4; col++) {
                    encoded[pixel_ptr] = yq -= encoded[pixel_ptr];
@@ -331,8 +337,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            }
            break;
        case IMGTYPE_YUV411:
+            pixel_ptr = 0;
            for (row = 0; row < height; row++) {
-                pixel_ptr = row * width / 2 * 3;
                yq = uq = vq =0;
                for (col = 0; col < width/4; col++) {
                    encoded[pixel_ptr] = yq -= encoded[pixel_ptr];
@@ -406,6 +412,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                v_out[ col >> 1     ] = *encoded++ + 128;
                v_out[(col >> 1) + 1] = *encoded++ + 128;
            }
+            if (col && col < width) {
+                u_out[ col >> 1     ] = u_out[(col>>1) - 1];
+                v_out[ col >> 1     ] = v_out[(col>>1) - 1];
+            }
+
            y_out -= frame->linesize[0];
            u_out -= frame->linesize[1];
            v_out -= frame->linesize[2];
@@ -427,6 +438,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                u_out[col >> 2] = *encoded++ + 128;
                v_out[col >> 2] = *encoded++ + 128;
            }
+            if (col && col < width) {
+                u_out[col >> 2] = u_out[(col>>2) - 1];
+                v_out[col >> 2] = v_out[(col>>2) - 1];
+            }
            y_out -= frame->linesize[0];
            u_out -= frame->linesize[1];
            v_out -= frame->linesize[2];
@@ -486,6 +501,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
                                FFALIGN(avctx->height, 4);
    unsigned int max_decomp_size;
    int subsample_h, subsample_v;
+    int partial_h_supported = 0;

    if (avctx->extradata_size < 8) {
        av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n");
@@ -507,26 +523,24 @@ static av_cold int decode_init(AVCodecContext *avctx)
        av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 1:1:1.\n");
        break;
    case IMGTYPE_YUV422:
-        c->decomp_size = basesize * 2;
+        c->decomp_size = (avctx->width & ~3) * avctx->height * 2;
        max_decomp_size = max_basesize * 2;
        avctx->pix_fmt = AV_PIX_FMT_YUV422P;
        av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n");
-        if (avctx->width % 4) {
-            avpriv_request_sample(avctx, "Unsupported dimensions");
-            return AVERROR_INVALIDDATA;
-        }
+        partial_h_supported = 1;
        break;
    case IMGTYPE_RGB24:
-        c->decomp_size = basesize * 3;
+        c->decomp_size = FFALIGN(avctx->width*3, 4) * avctx->height;
        max_decomp_size = max_basesize * 3;
        avctx->pix_fmt = AV_PIX_FMT_BGR24;
        av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n");
        break;
    case IMGTYPE_YUV411:
-        c->decomp_size = basesize / 2 * 3;
+        c->decomp_size = (avctx->width & ~3) * avctx->height / 2 * 3;
        max_decomp_size = max_basesize / 2 * 3;
        avctx->pix_fmt = AV_PIX_FMT_YUV411P;
        av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:1:1.\n");
+        partial_h_supported = 1;
        break;
    case IMGTYPE_YUV211:
        c->decomp_size = basesize * 2;
@@ -546,7 +560,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    }

    av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v);
-    if (avctx->width % (1<<subsample_h) || avctx->height % (1<<subsample_v)) {
+    if ((avctx->width % (1<<subsample_h) && !partial_h_supported) || avctx->height % (1<<subsample_v)) {
        avpriv_request_sample(avctx, "Unsupported dimensions");
        return AVERROR_INVALIDDATA;
    }
@@ -89,10 +89,15 @@ static inline int loco_get_rice(RICEContext *r)
        return 0;
    }
    v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0);
+    if (v == -1)
+        return INT_MIN;
    loco_update_rice_param(r, (v + 1) >> 1);
    if (!v) {
        if (r->save >= 0) {
-            r->run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0);
+            int run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0);
+            if (run == -1)
+                return INT_MIN;
+            r->run = run;
            if (r->run > 1)
                r->save += r->run + 1;
            else
@@ -149,6 +154,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh

    /* restore top left pixel */
    val     = loco_get_rice(&rc);
+    if (val == INT_MIN)
+        return AVERROR_INVALIDDATA;
    data[0] = 128 + val;
    /* restore top line */
    for (i = 1; i < width; i++) {
@@ -239,8 +239,10 @@ int ff_lpc_calc_coefs(LPCContext *s,
        double av_uninit(weight);
        memset(var, 0, FFALIGN(MAX_LPC_ORDER+1,4)*sizeof(*var));

-        for(j=0; j<max_order; j++)
-            m[0].coeff[max_order-1][j] = -lpc[max_order-1][j];
+        /* Avoids initializing with an unused value when lpc_passes == 1 */
+        if (lpc_passes > 1)
+            for(j=0; j<max_order; j++)
+                m[0].coeff[max_order-1][j] = -lpc[max_order-1][j];

        for(; pass<lpc_passes; pass++){
            avpriv_init_lls(&m[pass&1], max_order);
@@ -515,7 +515,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,

    /* This should happen for TrueHD streams with >6 channels and MLP's noise
     * type. It is not yet known if this is allowed. */
-    if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) {
+    if (max_matrix_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) {
        avpriv_request_sample(m->avctx,
                              "%d channels (more than the "
                              "maximum supported by the decoder)",
@@ -1461,7 +1461,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y)
        s->b_direct_mv_table[mot_xy][0]= 0;
        s->b_direct_mv_table[mot_xy][1]= 0;

-        return 256*256*256*64;
+        return 256*256*256*64-1;
    }

    c->xmin= xmin;
@@ -185,7 +185,7 @@ static YuvPixel mp_get_yuv_from_rgb(MotionPixelsContext *mp, int x, int y)
    int color;

    color = *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2];
-    return mp_rgb_yuv_table[color];
+    return mp_rgb_yuv_table[color & 0x7FFF];
 }

 static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const YuvPixel *p)
@@ -340,6 +340,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        ctx->sprite_shift[0]  = alpha + beta + rho - min_ab;
        ctx->sprite_shift[1]  = alpha + beta + rho - min_ab + 2;
        break;
+    default:
+        av_assert0(0);
    }
    /* try to simplify the situation */
    if (sprite_delta[0][0] == a << ctx->sprite_shift[0] &&
@@ -555,7 +557,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
        for (y = 0; y < 16; y++) {
            int v;

-            v = mb_v + dy * y;
+            v = mb_v + (unsigned)dy * y;
            // FIXME optimize
            for (x = 0; x < 16; x++) {
                sum += v >> shift;
@@ -1126,7 +1128,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block,
                                if (SHOW_UBITS(re, &s->gb, 1) == 0) {
                                    av_log(s->avctx, AV_LOG_ERROR,
                                           "1. marker bit missing in 3. esc\n");
-                                    if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR))
+                                    if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0)
                                        return -1;
                                }
                                SKIP_CACHE(re, &s->gb, 1);
@@ -1137,7 +1139,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block,
                                if (SHOW_UBITS(re, &s->gb, 1) == 0) {
                                    av_log(s->avctx, AV_LOG_ERROR,
                                           "2. marker bit missing in 3. esc\n");
-                                    if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR))
+                                    if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0)
                                        return -1;
                                }

@@ -1201,12 +1201,12 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg)
                                                 &v_chroma_shift);

                for (i = 0; i < 3; i++) {
-                    int src_stride = pic_arg->linesize[i];
-                    int dst_stride = i ? s->uvlinesize : s->linesize;
+                    ptrdiff_t src_stride = pic_arg->linesize[i];
+                    ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize;
                    int h_shift = i ? h_chroma_shift : 0;
                    int v_shift = i ? v_chroma_shift : 0;
-                    int w = s->width  >> h_shift;
-                    int h = s->height >> v_shift;
+                    int w = FF_CEIL_RSHIFT(s->width , h_shift);
+                    int h = FF_CEIL_RSHIFT(s->height, v_shift);
                    uint8_t *src = pic_arg->data[i];
                    uint8_t *dst = pic->f->data[i];
                    int vpad = 16;
@@ -1220,7 +1220,7 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg)
                        dst += INPLACE_OFFSET;

                    if (src_stride == dst_stride)
-                        memcpy(dst, src, src_stride * h);
+                        memcpy(dst, src, src_stride * h - src_stride + w);
                    else {
                        int h2 = h;
                        uint8_t *dst2 = dst;
@@ -264,6 +264,7 @@ int ff_combine_frame(ParseContext *pc, int next,
        }
        pc->buffer = new_buffer;
        memcpy(&pc->buffer[pc->index], *buf, *buf_size);
+        memset(&pc->buffer[pc->index + *buf_size], 0, AV_INPUT_BUFFER_PADDING_SIZE);
        pc->index += *buf_size;
        return -1;
    }
@@ -223,8 +223,6 @@ static int decode_frame(AVCodecContext *avctx,
                        run = bytestream2_get_le16(&s->g);
                    val = bytestream2_get_byte(&s->g);
                }
-                if (!bytestream2_get_bytes_left(&s->g))
-                    break;

                if (bits_per_plane == 8) {
                    picmemset_8bpp(s, frame, val, run, &x, &y);
@@ -306,7 +306,7 @@ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type,
 static void deloco_ ## NAME(TYPE *dst, int size, int alpha) \
 { \
    int i; \
-    for (i = 0; i < size; i += 3 + alpha) { \
+    for (i = 0; i < size - 2; i += 3 + alpha) { \
        int g = dst [i + 1]; \
        dst[i + 0] += g; \
        dst[i + 2] += g; \
@@ -618,6 +618,8 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
    int ret;
    size_t byte_depth = s->bit_depth > 8 ? 2 : 1;

+    if (!p)
+        return AVERROR_INVALIDDATA;
    if (!(s->hdr_state & PNG_IHDR)) {
        av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n");
        return AVERROR_INVALIDDATA;
@@ -1226,6 +1228,10 @@ skip_tag:
    }
 exit_loop:

+    if (!p)
+        return AVERROR_INVALIDDATA;
+
+
    if (s->bits_per_pixel <= 4)
        handle_small_bpp(s, p);

@@ -1362,7 +1368,7 @@ static int decode_frame_apng(AVCodecContext *avctx,
        s->zstream.zfree  = ff_png_zfree;

        bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size);
-        if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0)
+        if ((ret = decode_frame_common(avctx, s, NULL, avpkt)) < 0)
            goto end;
    }

@@ -335,7 +335,7 @@ static av_always_inline int decode_ac_coeffs(AVCodecContext *avctx, GetBitContex

    for (pos = block_mask;;) {
        bits_left = gb->size_in_bits - re_index;
-        if (!bits_left || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left)))
+        if (bits_left <= 0 || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left)))
            break;

        DECODE_CODEWORD(run, run_to_cb[FFMIN(run,  15)]);
@@ -3,9 +3,6 @@
 *
 * Copyright (c) 2012 Konstantin Shishkov
 *
- * This encoder appears to be based on Anatoliy Wassermans considering
- * similarities in the bugs.
- *
 * This file is part of FFmpeg.
 *
 * FFmpeg is free software; you can redistribute it and/or
@@ -52,7 +52,6 @@ void ff_build_rac_states(RangeCoder *c, int factor, int max_p);
 static inline void renorm_encoder(RangeCoder *c)
 {
    // FIXME: optimize
-    while (c->range < 0x100) {
        if (c->outstanding_byte < 0) {
            c->outstanding_byte = c->low >> 8;
        } else if (c->low <= 0xFF00) {
@@ -71,7 +70,6 @@ static inline void renorm_encoder(RangeCoder *c)

        c->low     = (c->low & 0xFF) << 8;
        c->range <<= 8;
-    }
 }

 static inline int get_rac_count(RangeCoder *c)
@@ -98,7 +96,8 @@ static inline void put_rac(RangeCoder *c, uint8_t *const state, int bit)
        *state   = c->one_state[*state];
    }

-    renorm_encoder(c);
+    while (c->range < 0x100)
+        renorm_encoder(c);
 }

 static inline void refill(RangeCoder *c)
@@ -491,7 +491,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){
    FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->spatial_dwt_buffer,  width, height * sizeof(DWTELEM),  fail); //FIXME this does not belong here
    FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_dwt_buffer,     width, sizeof(DWTELEM),  fail);
    FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_idwt_buffer,    width, sizeof(IDWTELEM), fail);
-    FF_ALLOC_ARRAY_OR_GOTO(avctx,  s->run_buffer,          ((width + 1) >> 1), ((height + 1) >> 1) * sizeof(*s->run_buffer), fail);
+    FF_ALLOC_ARRAY_OR_GOTO(avctx,  s->run_buffer,          ((width + 1) >> 1) * ((height + 1) >> 1) + 1, sizeof(*s->run_buffer), fail);

    for(i=0; i<MAX_REF_FRAMES; i++) {
        for(j=0; j<MAX_REF_FRAMES; j++)
@@ -257,6 +257,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){
    int my_context= av_log2(2*FFABS(left->my - top->my));
    int s_context= 2*left->level + 2*top->level + tl->level + tr->level;
    int ref, best_ref, ref_score, ref_mx, ref_my;
+    int range = MAX_MV >> (1 + qpel);

    av_assert0(sizeof(s->block_state) >= 256);
    if(s->keyframe){
@@ -298,6 +299,11 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){
    c->xmax = - (x+1)*block_w + (w<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3;
    c->ymax = - (y+1)*block_w + (h<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3;

+    c->xmin = FFMAX(c->xmin,-range);
+    c->xmax = FFMIN(c->xmax, range);
+    c->ymin = FFMAX(c->ymin,-range);
+    c->ymax = FFMIN(c->ymax, range);
+
    if(P_LEFT[0]     > (c->xmax<<shift)) P_LEFT[0]    = (c->xmax<<shift);
    if(P_LEFT[1]     > (c->ymax<<shift)) P_LEFT[1]    = (c->ymax<<shift);
    if(P_TOP[0]      > (c->xmax<<shift)) P_TOP[0]     = (c->xmax<<shift);
@@ -19,6 +19,7 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

+#include "libavutil/avassert.h"
 #include "libavutil/common.h"
 #include "libavutil/intreadwrite.h"
 #include "libavutil/imgutils.h"
@@ -75,6 +76,12 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
        return AVERROR_PATCHWELCOME;
    }

+    if (maplength > 768) {
+        av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    // This also checks depth to be valid
    switch (depth) {
        case 1:
            avctx->pix_fmt = maplength ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_MONOWHITE;
@@ -96,15 +103,23 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
            return AVERROR_INVALIDDATA;
    }

+    // This checks w and h to be valid in the sense that bytes of a padded bitmap are addressable with 32bit int
    ret = ff_set_dimensions(avctx, w, h);
    if (ret < 0)
        return ret;

+    // ensured by ff_set_dimensions()
+    av_assert0(w <= (INT32_MAX - 7) / depth);
+
    /* scanlines are aligned on 16 bit boundaries */
    len  = (depth * w + 7) >> 3;
    alen = len + (len & 1);

-    if (buf_end - buf < maplength + (len * h) * 3 / 256)
+    // ensured by ff_set_dimensions()
+    av_assert0(h  <= INT32_MAX / (3 * len));
+
+    // maplength is limited to 768 and the right term is limited to INT32_MAX / 256 so the add needs no check
+    if (buf_end - buf < (uint64_t)maplength + (len * h) * 3 / 256)
        return AVERROR_INVALIDDATA;

    if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
@@ -118,7 +133,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
    } else if (maplength) {
        unsigned int len = maplength / 3;

-        if (maplength % 3 || maplength > 768) {
+        if (maplength % 3) {
            av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n");
            return AVERROR_INVALIDDATA;
        }
@@ -152,6 +152,9 @@ int ff_tak_decode_frame_header(AVCodecContext *avctx, GetBitContext *gb,
    if (ti->flags & TAK_FRAME_FLAG_HAS_METADATA)
        return AVERROR_INVALIDDATA;

+    if (get_bits_left(gb) < 24)
+        return AVERROR_INVALIDDATA;
+
    skip_bits(gb, 24);

    return 0;
@@ -21,6 +21,7 @@

 #include <string.h>

+#include "libavutil/avassert.h"
 #include "libavutil/internal.h"
 #include "libavutil/intreadwrite.h"
 #include "libavutil/pixdesc.h"
@@ -79,13 +80,14 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
 {
    int bpp, picsize, datasize = -1, ret, i;
    uint8_t *out;
+    int maxpal = 32*32;

    if(avctx->width > 0xffff || avctx->height > 0xffff) {
        av_log(avctx, AV_LOG_ERROR, "image dimensions too large\n");
        return AVERROR(EINVAL);
    }
    picsize = avpicture_get_size(avctx->pix_fmt, avctx->width, avctx->height);
-    if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45, 0)) < 0)
+    if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45 + maxpal, 0)) < 0)
        return ret;

    /* zero out the header and only set applicable fields */
@@ -118,6 +120,7 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
            AV_WL24(pkt->data + 18 + 3 * i, *(uint32_t *)(p->data[1] + i * 4));
            }
        out += 32 * pal_bpp;        /* skip past the palette we just output */
+        av_assert0(32 * pal_bpp <= maxpal);
        break;
        }
    case AV_PIX_FMT_GRAY8:
@@ -407,6 +407,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
        return AVERROR_PATCHWELCOME;
    }

+    if (s->h & 3) {
+        avpriv_request_sample(s->avctx, "Frame with height not being a multiple of 4");
+        return AVERROR_PATCHWELCOME;
+    }
+
    if (s->w != s->avctx->width || s->h != s->avctx->height ||
        new_pix_fmt != s->avctx->pix_fmt) {
        av_frame_unref(s->frame);
@@ -333,7 +333,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
            if (s->channels > 1) {
                int32_t *r = p - 1;
                for (*p += *r / 2; r > (int32_t*)p - s->channels; r--)
-                    *r = *(r + 1) - *r;
+                    *r = *(r + 1) - (unsigned)*r;
            }
            cur_chan = 0;
            i++;
@@ -360,6 +360,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
    case AV_PIX_FMT_GBRP16BE:
        w_align = 16; //FIXME assume 16 pixel per macroblock
        h_align = 16 * 2; // interlaced needs 2 macroblocks height
+        if (s->codec_id == AV_CODEC_ID_BINKVIDEO)
+            w_align = 16*2;
        break;
    case AV_PIX_FMT_YUV411P:
    case AV_PIX_FMT_YUVJ411P:
@@ -371,6 +373,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
        if (s->codec_id == AV_CODEC_ID_SVQ1) {
            w_align = 64;
            h_align = 64;
+        } else if (s->codec_id == AV_CODEC_ID_SNOW) {
+            w_align = 16;
+            h_align = 16;
        }
        break;
    case AV_PIX_FMT_RGB555:
@@ -425,12 +430,13 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
    }

    if (s->codec_id == AV_CODEC_ID_IFF_ILBM || s->codec_id == AV_CODEC_ID_IFF_BYTERUN1) {
-        w_align = FFMAX(w_align, 8);
+        w_align = FFMAX(w_align, 16);
    }

    *width  = FFALIGN(*width, w_align);
    *height = FFALIGN(*height, h_align);
    if (s->codec_id == AV_CODEC_ID_H264 || s->lowres ||
+        s->codec_id == AV_CODEC_ID_VC1  || s->codec_id == AV_CODEC_ID_WMV3 ||
        s->codec_id == AV_CODEC_ID_VP5  || s->codec_id == AV_CODEC_ID_VP6 ||
        s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A
    ) {
@@ -444,6 +450,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
        // the next rounded up width is 32
        *width = FFMAX(*width, 32);
    }
+    if (s->codec_id == AV_CODEC_ID_SVQ3) {
+        *width = FFMAX(*width, 32);
+    }

    for (i = 0; i < 4; i++)
        linesize_align[i] = STRIDE_ALIGN;
@@ -3479,7 +3488,7 @@ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
    if (sr > 0) {
        /* calc from sample rate */
        if (id == AV_CODEC_ID_TTA)
-            return 256 * sr / 245;
+            return 256ll * sr / 245;

        if (ch > 0) {
            /* calc from sample rate and channels */
@@ -218,7 +218,7 @@ static av_cold int utvideo_encode_init(AVCodecContext *avctx)
     * - Compression mode (none/huff)
     * And write the flags.
     */
-    c->flags  = (c->slices - 1) << 24;
+    c->flags  = (c->slices - 1U) << 24;
    c->flags |= 0 << 11; // bit field to signal interlaced encoding mode
    c->flags |= c->compression;

@@ -190,6 +190,9 @@ static av_cold int vble_decode_init(AVCodecContext *avctx)
    ctx->size = avpicture_get_size(avctx->pix_fmt,
                                   avctx->width, avctx->height);

+    if (ctx->size < 0)
+        return ctx->size;
+
    ctx->val = av_malloc_array(ctx->size, sizeof(*ctx->val));

    if (!ctx->val) {
@@ -60,7 +60,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src,
    av_assert2(start_x < end_x && block_w);

    w    = end_x - start_x;
-    src += start_y * src_linesize + start_x * sizeof(pixel);
+    src += start_y * src_linesize + start_x * (ptrdiff_t)sizeof(pixel);
    buf += start_x * sizeof(pixel);

    // top
@@ -83,7 +83,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src,
        buf += buf_linesize;
    }

-    buf -= block_h * buf_linesize + start_x * sizeof(pixel);
+    buf -= block_h * buf_linesize + start_x * (ptrdiff_t)sizeof(pixel);
    while (block_h--) {
        pixel *bufp = (pixel *) buf;

@@ -363,6 +363,10 @@ static int vorbis_parse_setup_hdr_codebooks(vorbis_context *vc)
            unsigned codebook_value_bits = get_bits(gb, 4) + 1;
            unsigned codebook_sequence_p = get_bits1(gb);

+            if (!isfinite(codebook_minimum_value) || !isfinite(codebook_delta_value)) {
+                ret = AVERROR_INVALIDDATA;
+                goto error;
+            }
            ff_dlog(NULL, " We expect %d numbers for building the codevectors. \n",
                    codebook_lookup_values);
            ff_dlog(NULL, "  delta %f minmum %f \n",
@@ -1447,6 +1451,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
                            unsigned step = FASTDIV(vr->partition_size << 1, dim << 1);
                            vorbis_codebook codebook = vc->codebooks[vqbook];

+                            if (get_bits_left(gb) <= 0)
+                                return AVERROR_INVALIDDATA;
+
                            if (vr_type == 0) {

                                voffs = voffset+j*vlen;
@@ -1747,6 +1747,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx)
    s->avctx  = avctx;
    s->width  = FFALIGN(avctx->coded_width, 16);
    s->height = FFALIGN(avctx->coded_height, 16);
+    if (s->width < 18)
+        return AVERROR_PATCHWELCOME;
    if (avctx->codec_id != AV_CODEC_ID_THEORA)
        avctx->pix_fmt = AV_PIX_FMT_YUV420P;
    avctx->chroma_sample_location = AVCHROMA_LOC_CENTER;
@@ -2095,8 +2097,13 @@ static int vp3_decode_frame(AVCodecContext *avctx,
    if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0)
        goto error;

-    if (!s->edge_emu_buffer)
+    if (!s->edge_emu_buffer) {
        s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0]));
+        if (!s->edge_emu_buffer) {
+            ret = AVERROR(ENOMEM);
+            goto error;
+        }
+    }

    if (s->keyframe) {
        if (!s->theora) {
@@ -2302,7 +2309,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
    /* sanity check */
    if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 ||
        visible_width  + offset_x > s->width ||
-        visible_height + offset_y > s->height) {
+        visible_height + offset_y > s->height ||
+        visible_width < 18
+    ) {
        av_log(avctx, AV_LOG_ERROR,
               "Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n",
               visible_width, visible_height, offset_x, offset_y,
@@ -2348,6 +2357,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
    } else
        avctx->pix_fmt = AV_PIX_FMT_YUV420P;

+    if (s->width < 18)
+        return AVERROR_PATCHWELCOME;
    ret = ff_set_dimensions(avctx, s->width, s->height);
    if (ret < 0)
        return ret;
@@ -190,8 +190,16 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7)
            return AVERROR(ENOMEM);
        }
 #if HAVE_THREADS
-        pthread_mutex_init(&s->thread_data[i].lock, NULL);
-        pthread_cond_init(&s->thread_data[i].cond, NULL);
+        ret = pthread_mutex_init(&s->thread_data[i].lock, NULL);
+        if (ret) {
+            free_buffers(s);
+            return AVERROR(ret);
+        }
+        ret = pthread_cond_init(&s->thread_data[i].cond, NULL);
+        if (ret) {
+            free_buffers(s);
+            return AVERROR(ret);
+        }
 #endif
    }

@@ -95,7 +95,7 @@ static av_always_inline unsigned get_tail(GetBitContext *gb, int k)
    e   = (1 << (p + 1)) - k - 1;
    res = p ? get_bits(gb, p) : 0;
    if (res >= e)
-        res = (res << 1) - e + get_bits1(gb);
+        res = res * 2U - e + get_bits1(gb);
    return res;
 }

@@ -1990,7 +1990,7 @@ static void encode_flush(WavPackEncodeContext *s)
                put_bits(pb, 31, 0x7FFFFFFF);
                cbits -= 31;
            } else {
-                put_bits(pb, cbits, (1 << cbits) - 1);
+                put_bits(pb, cbits, (1U << cbits) - 1);
                cbits = 0;
            }
        } while (cbits);
@@ -2019,7 +2019,7 @@ static void encode_flush(WavPackEncodeContext *s)
                    put_bits(pb, 31, 0x7FFFFFFF);
                    cbits -= 31;
                } else {
-                    put_bits(pb, cbits, (1 << cbits) - 1);
+                    put_bits(pb, cbits, (1U << cbits) - 1);
                    cbits = 0;
                }
            } while (cbits);
@@ -738,6 +738,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role,
            ref_x = FFMAX(0, ref_x);
            ref_y = FFMAX(0, ref_y);

+            if (ref_y == y && ref_x >= x)
+                return AVERROR_INVALIDDATA;
+
            /* copy pixels
             * source and dest regions can overlap and wrap lines, so just
             * copy per-pixel */
@@ -1465,6 +1465,8 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx,
    /* Parse frame type ("frame header"), see frame_descs */
    int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)], block_nsamples;

+    pitch[0] = INT_MAX;
+
    if (bd_idx < 0) {
        av_log(ctx, AV_LOG_ERROR,
               "Invalid frame type VLC code, skipping\n");
@@ -1582,6 +1584,9 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx,
        double i_lsps[MAX_LSPS];
        float lpcs[MAX_LSPS];

+        if(frame_descs[bd_idx].fcb_type >= FCB_TYPE_AW_PULSES && pitch[0] == INT_MAX)
+            return AVERROR_INVALIDDATA;
+
        for (n = 0; n < s->lsps; n++) // LSF -> LSP
            i_lsps[n] = cos(0.5 * (prev_lsps[n] + lsps[n]));
        ff_acelp_lspd2lpc(i_lsps, lpcs, s->lsps >> 1);
@@ -613,6 +613,9 @@ static int xan_decode_frame(AVCodecContext *avctx,
        return AVERROR_INVALIDDATA;
    }

+    if (buf_size < 9)
+        return AVERROR_INVALIDDATA;
+
    if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
        return ret;

@@ -56,37 +56,37 @@ static const int TAB35[] = { 26722, 25172, 22654, 19266, 15137, 10426, 5315 };

 static int idct_row(short *in, const int *const tab, int rnd)
 {
-    const int c1 = tab[0];
-    const int c2 = tab[1];
-    const int c3 = tab[2];
-    const int c4 = tab[3];
-    const int c5 = tab[4];
-    const int c6 = tab[5];
-    const int c7 = tab[6];
+    const unsigned c1 = tab[0];
+    const unsigned c2 = tab[1];
+    const unsigned c3 = tab[2];
+    const unsigned c4 = tab[3];
+    const unsigned c5 = tab[4];
+    const unsigned c6 = tab[5];
+    const unsigned c7 = tab[6];

    const int right = in[5] | in[6] | in[7];
    const int left  = in[1] | in[2] | in[3];
    if (!(right | in[4])) {
        const int k = c4 * in[0] + rnd;
        if (left) {
-            const int a0 = k + c2 * in[2];
-            const int a1 = k + c6 * in[2];
-            const int a2 = k - c6 * in[2];
-            const int a3 = k - c2 * in[2];
+            const unsigned a0 = k + c2 * in[2];
+            const unsigned a1 = k + c6 * in[2];
+            const unsigned a2 = k - c6 * in[2];
+            const unsigned a3 = k - c2 * in[2];

            const int b0 = c1 * in[1] + c3 * in[3];
            const int b1 = c3 * in[1] - c7 * in[3];
            const int b2 = c5 * in[1] - c1 * in[3];
            const int b3 = c7 * in[1] - c5 * in[3];

-            in[0] = (a0 + b0) >> ROW_SHIFT;
-            in[1] = (a1 + b1) >> ROW_SHIFT;
-            in[2] = (a2 + b2) >> ROW_SHIFT;
-            in[3] = (a3 + b3) >> ROW_SHIFT;
-            in[4] = (a3 - b3) >> ROW_SHIFT;
-            in[5] = (a2 - b2) >> ROW_SHIFT;
-            in[6] = (a1 - b1) >> ROW_SHIFT;
-            in[7] = (a0 - b0) >> ROW_SHIFT;
+            in[0] = (int)(a0 + b0) >> ROW_SHIFT;
+            in[1] = (int)(a1 + b1) >> ROW_SHIFT;
+            in[2] = (int)(a2 + b2) >> ROW_SHIFT;
+            in[3] = (int)(a3 + b3) >> ROW_SHIFT;
+            in[4] = (int)(a3 - b3) >> ROW_SHIFT;
+            in[5] = (int)(a2 - b2) >> ROW_SHIFT;
+            in[6] = (int)(a1 - b1) >> ROW_SHIFT;
+            in[7] = (int)(a0 - b0) >> ROW_SHIFT;
        } else {
            const int a0 = k >> ROW_SHIFT;
            if (a0) {
@@ -102,8 +102,8 @@ static int idct_row(short *in, const int *const tab, int rnd)
                return 0;
        }
    } else if (!(left | right)) {
-        const int a0 = (rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT;
-        const int a1 = (rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT;
+        const int a0 = (int)(rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT;
+        const int a1 = (int)(rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT;

        in[0] = a0;
        in[3] = a0;
@@ -114,7 +114,7 @@ static int idct_row(short *in, const int *const tab, int rnd)
        in[5] = a1;
        in[6] = a1;
    } else {
-        const int k  = c4 * in[0] + rnd;
+        const unsigned int k  = c4 * in[0] + rnd;
        const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6];
        const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6];
        const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6];
@@ -853,7 +853,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum,
        av_log(avctx, AV_LOG_ERROR, "Could not create CaptureGraphBuilder2\n");
        goto error;
    }
-    ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph);
+    r = ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph);
    if (r != S_OK) {
        av_log(avctx, AV_LOG_ERROR, "Could not set graph for CaptureGraphBuilder2\n");
        goto error;
@@ -146,7 +146,7 @@ libAVFilter_JoinFilterGraph(libAVFilter *this, IFilterGraph *graph,

    this->info.pGraph = graph;
    if (name)
-        wcscpy(this->info.achName, name);
+        wcscpy_s(this->info.achName, sizeof(this->info.achName) / sizeof(wchar_t), name);

    return S_OK;
 }
@@ -120,6 +120,14 @@ static av_cold int init(AVFilterContext *ctx)
    if (ret < 0)
        goto fail;

+    if (pan->nb_output_channels > MAX_CHANNELS) {
+        av_log(ctx, AV_LOG_ERROR,
+               "af_pan supports a maximum of %d channels. "
+               "Feel free to ask for a higher limit.\n", MAX_CHANNELS);
+        ret = AVERROR_PATCHWELCOME;
+        goto fail;
+    }
+
    /* parse channel specifications */
    while ((arg = arg0 = av_strtok(NULL, "|", &tokenizer))) {
        /* channel name */
@@ -92,7 +92,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, const uint8_t *src, int wi
    for (y = 0; y < r; y++)
        ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2);
    for (;;) {
-        if (y < height - r) {
+        if (y + 1 < height - r) {
            int mod = ((y + r) / 2) % r;
            uint16_t *buf0 = buf + mod * bstride;
            uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride;
@@ -197,7 +197,9 @@ static int config_props(AVFilterLink *outlink)
    double res;
    char *expr;

-    ff_draw_init(&rot->draw, inlink->format, 0);
+    ret = ff_draw_init(&rot->draw, inlink->format, 0);
+    if (ret < 0)
+        return ret;
    ff_draw_color(&rot->draw, &rot->color, rot->fillcolor);

    rot->hsub = pixdesc->log2_chroma_w;
@@ -175,7 +175,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
    }
    if (vsMotionDetection(md, &localmotions, &frame) != VS_OK) {
        av_log(ctx, AV_LOG_ERROR, "motion detection failed");
-        return AVERROR(AVERROR_EXTERNAL);
+        return AVERROR_EXTERNAL;
    } else {
        if (vsWriteToFile(md, sd->f, &localmotions) != VS_OK) {
            int ret = AVERROR(errno);
@@ -317,7 +317,7 @@ static int ape_read_header(AVFormatContext * s)
        final_size -= final_size & 3;
    }
    if (file_size <= 0 || final_size <= 0)
-        final_size = ape->finalframeblocks * 8;
+        final_size = ape->finalframeblocks * 8LL;
    ape->frames[ape->totalframes - 1].size = final_size;

    for (i = 0; i < ape->totalframes; i++) {
@@ -129,7 +129,8 @@ int64_t ff_ape_parse_tag(AVFormatContext *s)

    avio_seek(pb, file_size - APE_TAG_FOOTER_BYTES, SEEK_SET);

-    avio_read(pb, buf, 8);     /* APETAGEX */
+    if(avio_read(pb, buf, 8) != 8)     /* APETAGEX */
+        return 0;
    if (strncmp(buf, APE_TAG_PREAMBLE, 8)) {
        return 0;
    }
@@ -985,6 +985,9 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g)
    int i, ret;
    uint64_t size = avio_rl64(pb);

+    if (size < 24)
+        return AVERROR_INVALIDDATA;
+
    // simple index objects should be ordered by stream number, this loop tries to find
    // the first not indexed video stream
    for (i = 0; i < asf->nb_streams; i++) {
@@ -135,6 +135,10 @@ static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt)
        return 0;    /* this indicate EOS */
    if (ret < 0)
        return ret;
+    if (size != (int)size) {
+        av_packet_unref(pkt);
+        return AVERROR(EDOM);
+    }

    pkt->stream_index = avs->st_audio->index;
    pkt->flags |= AV_PKT_FLAG_KEY;
@@ -214,7 +214,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size)
        }
    }

-    if (avio_tell(pb) - ccount > size) {
+    if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) {
        av_log(s, AV_LOG_ERROR, "error reading packet table\n");
        return AVERROR_INVALIDDATA;
    }
@@ -50,7 +50,7 @@ static int flac_read_header(AVFormatContext *s)
    /* process metadata blocks */
    while (!avio_feof(s->pb) && !metadata_last) {
        if (avio_read(s->pb, header, 4) != 4)
-            return AVERROR(AVERROR_INVALIDDATA);
+            return AVERROR_INVALIDDATA;
        flac_parse_block_header(header, &metadata_last, &metadata_type,
                                   &metadata_size);
        switch (metadata_type) {
@@ -251,6 +251,7 @@ int av_probe_input_buffer2(AVIOContext *pb, AVInputFormat **fmt,
    int ret = 0, probe_size, buf_offset = 0;
    int score = 0;
    int ret2;
+    int eof = 0;

    if (!max_probe_size)
        max_probe_size = PROBE_BUF_MAX;
@@ -277,7 +278,7 @@ int av_probe_input_buffer2(AVIOContext *pb, AVInputFormat **fmt,
    }
 #endif

-    for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt;
+    for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt && !eof;
         probe_size = FFMIN(probe_size << 1,
                            FFMAX(max_probe_size, probe_size + 1))) {
        score = probe_size < max_probe_size ? AVPROBE_SCORE_RETRY : 0;
@@ -293,6 +294,7 @@ int av_probe_input_buffer2(AVIOContext *pb, AVInputFormat **fmt,

            score = 0;
            ret   = 0;          /* error was end of file, nothing read */
+            eof   = 1;
        }
        buf_offset += ret;
        if (buf_offset < offset)
@@ -140,6 +140,8 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt)
    if (hnm->superchunk_remaining == 0) {
        /* parse next superchunk */
        superchunk_size = avio_rl24(pb);
+        if (superchunk_size < 4)
+            return AVERROR_INVALIDDATA;
        avio_skip(pb, 1);

        hnm->superchunk_remaining = superchunk_size - 4;
@@ -150,7 +152,7 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt)
    chunk_id = avio_rl16(pb);
    avio_skip(pb, 2);

-    if (chunk_size > hnm->superchunk_remaining || !chunk_size) {
+    if (chunk_size > hnm->superchunk_remaining || chunk_size < 8) {
        av_log(s, AV_LOG_ERROR,
               "invalid chunk size: %"PRIu32", offset: %"PRId64"\n",
               chunk_size, avio_tell(pb));
@@ -172,7 +172,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
            AV_WL32(buf + 32, image->nb_pal);
        }

-        if (image->nb_pal > INT_MAX / 4 - 14 - 40)
+        if (image->nb_pal > INT_MAX / 4 - 14 - 40U)
            return AVERROR_INVALIDDATA;

        AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4);
@@ -364,7 +364,7 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen,
    int encoding;
    int ok = 0;

-    if (taglen < 1)
+    if (taglen < 4)
        goto error;

    encoding = avio_r8(pb);
@@ -375,10 +375,10 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen,
    lang[3] = '\0';
    taglen -= 3;

-    if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0)
+    if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0 || taglen < 0)
        goto error;

-    if (decode_str(s, pb, encoding, &text, &taglen) < 0)
+    if (decode_str(s, pb, encoding, &text, &taglen) < 0 || taglen < 0)
        goto error;

    // FFmpeg does not support hierarchical metadata, so concatenate the keys.
@@ -74,7 +74,8 @@ static int ilbc_read_header(AVFormatContext *s)
    AVStream *st;
    uint8_t header[9];

-    avio_read(pb, header, 9);
+    if (avio_read(pb, header, 9) != 9)
+        return AVERROR_INVALIDDATA;

    st = avformat_new_stream(s, NULL);
    if (!st)
@@ -22,6 +22,7 @@

 #define _BSD_SOURCE
 #include <sys/stat.h>
+#include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
 #include "libavutil/log.h"
 #include "libavutil/opt.h"
@@ -462,6 +463,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt)
    pkt->flags       |= AV_PKT_FLAG_KEY;
    if (s->ts_from_file) {
        struct stat img_stat;
+        av_assert0(!s->is_pipe); // The ts_from_file option is not supported by piped input demuxers
        if (stat(filename, &img_stat)) {
            res = AVERROR(EIO);
            goto fail;
@@ -509,6 +511,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt)
        }
        goto fail;
    } else {
+        memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
        s->img_count++;
        s->img_number++;
        s->pts++;
@@ -226,14 +226,17 @@ static int jacosub_read_header(AVFormatContext *s)
            }
            av_bprintf(&header, "#S %s", p);
            break;
-        case 'T': // ...but must be placed after TIMERES
-            jacosub->timeres = strtol(p, NULL, 10);
-            if (!jacosub->timeres)
+        case 'T': { // ...but must be placed after TIMERES
+            int64_t timeres = strtol(p, NULL, 10);
+            if (timeres <= 0 || timeres > UINT32_MAX) {
                jacosub->timeres = 30;
-            else
+            } else {
+                jacosub->timeres = timeres;
                av_bprintf(&header, "#T %s", p);
+            }
            break;
        }
+        }
    }

    /* general/essential directives in the extradata */
@@ -94,15 +94,15 @@ static int lmlm4_read_packet(AVFormatContext *s, AVPacket *pkt)

    if (frame_type > LMLM4_MPEG1L2 || frame_type == LMLM4_INVALID) {
        av_log(s, AV_LOG_ERROR, "invalid or unsupported frame_type\n");
-        return AVERROR(EIO);
+        return AVERROR_INVALIDDATA;
    }
    if (packet_size > LMLM4_MAX_PACKET_SIZE || packet_size<=8) {
        av_log(s, AV_LOG_ERROR, "packet size %d is invalid\n", packet_size);
-        return AVERROR(EIO);
+        return AVERROR_INVALIDDATA;
    }

    if ((ret = av_get_packet(pb, pkt, frame_size)) <= 0)
-        return AVERROR(EIO);
+        return ret < 0 ? ret : AVERROR(EIO);

    avio_skip(pb, padding);

@@ -1992,6 +1992,10 @@ static int matroska_parse_tracks(AVFormatContext *s)

        if (track->time_scale < 0.01)
            track->time_scale = 1.0;
+
+        if (matroska->time_scale * track->time_scale > UINT_MAX)
+            return AVERROR_INVALIDDATA;
+
        avpriv_set_pts_info(st, 64, matroska->time_scale * track->time_scale,
                            1000 * 1000 * 1000);    /* 64 bit pts in ns */

@@ -3341,16 +3345,19 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
        int64_t prebuffer_ns = 1000000000;
        int64_t time_ns = st->index_entries[i].timestamp * matroska->time_scale;
        double nano_seconds_per_second = 1000000000.0;
-        int64_t prebuffered_ns = time_ns + prebuffer_ns;
+        int64_t prebuffered_ns;
        double prebuffer_bytes = 0.0;
        int64_t temp_prebuffer_ns = prebuffer_ns;
        int64_t pre_bytes, pre_ns;
        double pre_sec, prebuffer, bits_per_second;
        CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start);
-
        // Start with the first Cue.
        CueDesc desc_end = desc_beg;

+        if (time_ns > INT64_MAX - prebuffer_ns)
+            return -1;
+        prebuffered_ns = time_ns + prebuffer_ns;
+
        // Figure out how much data we have downloaded for the prebuffer. This will
        // be used later to adjust the bits per sample to try.
        while (desc_end.start_time_ns != -1 && desc_end.end_time_ns < prebuffered_ns) {
@@ -3368,9 +3375,10 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
            // The prebuffer ends in the last Cue. Estimate how much data was
            // prebuffered.
            pre_bytes = desc_end.end_offset - desc_end.start_offset;
-            pre_ns = desc_end.end_time_ns - desc_end.start_time_ns;
-            if (pre_ns <= 0)
+            if (desc_end.end_time_ns <= desc_end.start_time_ns ||
+                desc_end.end_time_ns - (uint64_t)desc_end.start_time_ns > INT64_MAX)
                return -1;
+            pre_ns = desc_end.end_time_ns - desc_end.start_time_ns;
            pre_sec = pre_ns / nano_seconds_per_second;
            prebuffer_bytes +=
                pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec);
@@ -3383,7 +3391,7 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
                int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset;
                int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns;
                double desc_sec, calc_bits_per_second, percent, mod_bits_per_second;
-                if (desc_bytes <= 0)
+                if (desc_bytes <= 0 || desc_bytes > INT64_MAX/8)
                    return -1;

                desc_sec = desc_ns / nano_seconds_per_second;
@@ -79,13 +79,15 @@ static int check_file_header(AVIOContext *pb, uint64_t guid)
 static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size)
 {
    char * value = av_malloc(size + 1);
+    int ret;
+
    if (!value) {
        avio_skip(pb, size);
        return;
    }

-    avio_read(pb, value, size);
-    if (!value[0]) {
+    ret = avio_read(pb, value, size);
+    if (ret != size || !value[0]) {
        av_free(value);
        return;
    }
@@ -94,7 +94,7 @@ static int read_header(AVFormatContext *s)
    type = avio_rl16(pb);
    length = avio_rl32(pb);

-    if (type != MM_TYPE_HEADER)
+    if (type != MM_TYPE_HEADER || length < 10)
        return AVERROR_INVALIDDATA;

    /* read header */
@@ -262,7 +262,8 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom)
    char *str = NULL;
    const char *key = NULL;
    uint16_t langcode = 0;
-    uint32_t data_type = 0, str_size, str_size_alloc;
+    uint32_t data_type = 0, str_size_alloc;
+    uint64_t str_size;
    int (*parse)(MOVContext*, AVIOContext*, unsigned, const char*) = NULL;
    int raw = 0;

@@ -945,6 +946,12 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom)
    int ret = ffio_read_size(pb, type, 4);
    if (ret < 0)
        return ret;
+    if (c->fc->nb_streams) {
+        if (c->fc->strict_std_compliance >= FF_COMPLIANCE_STRICT)
+            return AVERROR_INVALIDDATA;
+        av_log(c->fc, AV_LOG_DEBUG, "Ignoring duplicate FTYP\n");
+        return 0;
+    }

    if (strcmp(type, "qt  "))
        c->isom = 1;
@@ -1610,8 +1617,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom)
        for (i = 0; i < entries && !pb->eof_reached; i++)
            sc->chunk_offsets[i] = avio_rb32(pb);
    else if (atom.type == MKTAG('c','o','6','4'))
-        for (i = 0; i < entries && !pb->eof_reached; i++)
+        for (i = 0; i < entries && !pb->eof_reached; i++) {
            sc->chunk_offsets[i] = avio_rb64(pb);
+            if (sc->chunk_offsets[i] < 0) {
+                av_log(c->fc, AV_LOG_WARNING, "Impossible chunk_offset\n");
+                sc->chunk_offsets[i] = 0;
+            }
+        }
    else
        return AVERROR_INVALIDDATA;

@@ -2750,6 +2762,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
                if (keyframe)
                    distance = 0;
                sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample];
+                if (current_offset > INT64_MAX - sample_size) {
+                    av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n",
+                           current_offset,
+                           sample_size);
+                    return;
+                }
+
                if (sc->pseudo_stream_id == -1 ||
                   sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) {
                    AVIndexEntry *e;
@@ -4342,6 +4342,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt)
    if (ret < 0)
        return ret;

+    if (pkt->pts != AV_NOPTS_VALUE &&
+        (uint64_t)pkt->dts - pkt->pts != (int32_t)((uint64_t)pkt->dts - pkt->pts)) {
+        av_log(s, AV_LOG_WARNING, "pts/dts pair unsupported\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
    if (mov->flags & FF_MOV_FLAG_FRAGMENT) {
        int ret;
        if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) {
@@ -118,9 +118,10 @@ static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration
    int fill_index = mp3->usetoc == 1 && duration > 0;

    if (!filesize &&
-        !(filesize = avio_size(s->pb))) {
+        (filesize = avio_size(s->pb)) <= 0) {
        av_log(s, AV_LOG_WARNING, "Cannot determine file size, skipping TOC table.\n");
        fill_index = 0;
+        filesize = 0;
    }

    for (i = 0; i < XING_TOC_COUNT; i++) {
@@ -78,6 +78,9 @@ static int mpegps_probe(AVProbeData *p)
            int pes  = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size);
            int pack = check_pack_header(p->buf + i);

+            if (len > INT_MAX - i)
+                break;
+
            if (code == SYSTEM_HEADER_START_CODE)
                sys++;
            else if (code == PACK_START_CODE && pack)
@@ -537,7 +540,9 @@ redo:
        static const unsigned char avs_seqh[4] = { 0, 0, 1, 0xb0 };
        unsigned char buf[8];

-        avio_read(s->pb, buf, 8);
+        ret = avio_read(s->pb, buf, 8);
+        if (ret != 8)
+            return AVERROR_INVALIDDATA;
        avio_seek(s->pb, -8, SEEK_CUR);
        if (!memcmp(buf, avs_seqh, 4) && (buf[6] != 0 || buf[7] != 1))
            codec_id = AV_CODEC_ID_CAVS;
@@ -1463,6 +1463,8 @@ static int mp4_read_iods(AVFormatContext *s, const uint8_t *buf, unsigned size,
    MP4DescrParseContext d;
    int ret;

+    d.predefined_SLConfigDescriptor_seen = 0;
+
    ret = init_MP4DescrParseContext(&d, s, buf, size, descr, max_descr_count);
    if (ret < 0)
        return ret;
@@ -192,7 +192,7 @@ typedef struct MXFDescriptor {
 typedef struct MXFIndexTableSegment {
    UID uid;
    enum MXFMetadataSetType type;
-    int edit_unit_byte_count;
+    unsigned edit_unit_byte_count;
    int index_sid;
    int body_sid;
    AVRational index_edit_rate;
@@ -938,6 +938,9 @@ static int mxf_read_index_table_segment(void *arg, AVIOContext *pb, int tag, int
    case 0x3F0B:
        segment->index_edit_rate.num = avio_rb32(pb);
        segment->index_edit_rate.den = avio_rb32(pb);
+        if (segment->index_edit_rate.num <= 0 ||
+            segment->index_edit_rate.den <= 0)
+            return AVERROR_INVALIDDATA;
        av_log(NULL, AV_LOG_TRACE, "IndexEditRate %d/%d\n", segment->index_edit_rate.num,
                segment->index_edit_rate.den);
        break;
@@ -1305,9 +1308,13 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t
        if (edit_unit < s->index_start_position + s->index_duration) {
            int64_t index = edit_unit - s->index_start_position;

-            if (s->edit_unit_byte_count)
+            if (s->edit_unit_byte_count) {
+                if (index > INT64_MAX / s->edit_unit_byte_count ||
+                    s->edit_unit_byte_count * index > INT64_MAX - offset_temp)
+                    return AVERROR_INVALIDDATA;
+
                offset_temp += s->edit_unit_byte_count * index;
-            else if (s->nb_index_entries) {
+            } else if (s->nb_index_entries) {
                if (s->nb_index_entries == 2 * s->index_duration + 1)
                    index *= 2;     /* Avid index */

@@ -1330,6 +1337,11 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t
            return mxf_absolute_bodysid_offset(mxf, index_table->body_sid, offset_temp, offset_out);
        } else {
            /* EditUnitByteCount == 0 for VBR indexes, which is fine since they use explicit StreamOffsets */
+            if (s->edit_unit_byte_count && (s->index_duration > INT64_MAX / s->edit_unit_byte_count ||
+                s->edit_unit_byte_count * s->index_duration > INT64_MAX - offset_temp)
+            )
+                return AVERROR_INVALIDDATA;
+
            offset_temp += s->edit_unit_byte_count * s->index_duration;
        }
    }
@@ -204,6 +204,8 @@ ff_rdt_parse_header(const uint8_t *buf, int len,
            return -1; /* not followed by a data packet */

        pkt_len = AV_RB16(buf+3);
+        if (pkt_len > len)
+            return AVERROR_INVALIDDATA;
        buf += pkt_len;
        len -= pkt_len;
        consumed += pkt_len;
@@ -61,7 +61,7 @@ static int32_t parse_value(const char *value, int32_t min)
        }
    }

-    if (abs(db) > (INT32_MAX - mb) / 100000)
+    if (llabs(db) > (INT32_MAX - mb) / 100000)
        return min;

    return db * 100000 + sign * mb;
@@ -269,9 +269,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
        case DEINT_ID_INT4:
            if (ast->coded_framesize > ast->audio_framesize ||
                sub_packet_h <= 1 ||
-                ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize)
+                ast->coded_framesize * (uint64_t)sub_packet_h > (2LL + (sub_packet_h & 1)) * ast->audio_framesize)
                return AVERROR_INVALIDDATA;
-            if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) {
+            if (ast->coded_framesize * (uint64_t)sub_packet_h != 2LL*ast->audio_framesize) {
                avpriv_request_sample(s, "mismatching interleaver parameters");
                return AVERROR_INVALIDDATA;
            }
@@ -101,7 +101,7 @@ static AVRational read_fps(const char* line, int* error)
        line++;
    for (; *line>='0' && *line<='9'; line++) {
        // Truncate any numerator too large to fit into an int64_t
-        if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10)
+        if (num > (INT64_MAX - 9) / 10ULL || den > INT64_MAX / 10ULL)
            break;
        num  = 10 * num + (*line - '0');
        den *= 10;
@@ -117,7 +117,7 @@ static int rpl_read_header(AVFormatContext *s)
    AVIOContext *pb = s->pb;
    RPLContext *rpl = s->priv_data;
    AVStream *vst = NULL, *ast = NULL;
-    int total_audio_size;
+    int64_t total_audio_size;
    int error = 0;

    uint32_t i;
@@ -240,6 +240,9 @@ static int rpl_read_header(AVFormatContext *s)
               "Video stream will be broken!\n", vst->codec->codec_tag);

    number_of_chunks = read_line_and_int(pb, &error);  // number of chunks in the file
+    if (number_of_chunks == INT_MAX)
+        return AVERROR_INVALIDDATA;
+
    // The number in the header is actually the index of the last chunk.
    number_of_chunks++;

@@ -267,6 +270,8 @@ static int rpl_read_header(AVFormatContext *s)
        if (ast)
            av_add_index_entry(ast, offset + video_size, total_audio_size,
                               audio_size, audio_size * 8, 0);
+        if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8)
+            return AVERROR_INVALIDDATA;
        total_audio_size += audio_size * 8;
    }

@@ -437,7 +437,6 @@ static int amf_tag_skip(GetByteContext *gb)
 {
    AMFDataType type;
    unsigned nb   = -1;
-    int parse_key = 1;

    if (bytestream2_get_bytes_left(gb) < 1)
        return -1;
@@ -462,13 +461,12 @@ static int amf_tag_skip(GetByteContext *gb)
        bytestream2_skip(gb, 10);
        return 0;
    case AMF_DATA_TYPE_ARRAY:
-        parse_key = 0;
    case AMF_DATA_TYPE_MIXEDARRAY:
        nb = bytestream2_get_be32(gb);
    case AMF_DATA_TYPE_OBJECT:
-        while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) {
+        while (type != AMF_DATA_TYPE_ARRAY || nb-- > 0) {
            int t;
-            if (parse_key) {
+            if (type != AMF_DATA_TYPE_ARRAY) {
                int size = bytestream2_get_be16(gb);
                if (!size) {
                    bytestream2_get_byte(gb);
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .8.21
 .8.22