avformat/rpl: Fix check for negative values

Fixes: signed integer overflow: 10 * -1923267925333400000 cannot be represented in type 'int64_t' (aka 'long')
Fixes: 378891963/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5714338935013376
Found-by: ossfuzz
Reported-by: Kacper Michajlow <kasper93@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eab65379bf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

INSTALL.md

@@ -15,3 +15,11 @@ NOTICE
 ------
 
  - Non system dependencies (e.g. libx264, libvpx) are disabled by default.
+
+NOTICE for Package Maintainers
+------------------------------
+
+ - It is recommended to build FFmpeg twice, first with minimal external dependencies so
+   that 3rd party packages, which depend on FFmpegs libavutil/libavfilter/libavcodec/libavformat
+   can then be built. And last build FFmpeg with full dependancies (which may in turn depend on
+   some of these 3rd party packages). This avoids circular dependencies during build.

configure

@@ -4301,6 +4301,7 @@ case $target_os in
         ;;
     netbsd)
         disable symver
+        enable section_data_rel_ro
         oss_indev_extralibs="-lossaudio"
         oss_outdev_extralibs="-lossaudio"
         enabled gcc || check_ldflags -Wl,-zmuldefs
@@ -4317,6 +4318,7 @@ case $target_os in
         disable symver
         ;;
     freebsd)
+        enable section_data_rel_ro
         ;;
     bsd/os)
         add_extralibs -lpoll -lgnugetopt
@@ -6144,7 +6146,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2023
+#define CONFIG_THIS_YEAR 2024
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"

doc/developer.texi

@@ -734,6 +734,25 @@ In case you need finer control over how valgrind is invoked, use the
 @code{--target-exec='valgrind <your_custom_valgrind_options>} option in
 your configure line instead.
 
+@anchor{Maintenance}
+@chapter Maintenance process
+
+@anchor{MAINTAINERS}
+@section MAINTAINERS
+
+The developers maintaining each part of the codebase are listed in @file{MAINTAINERS}.
+Being listed in @file{MAINTAINERS}, gives one the right to have git write access to
+the specific repository.
+
+@anchor{Becoming a maintainer}
+@section Becoming a maintainer
+
+People add themselves to @file{MAINTAINERS} by sending a patch like any other code
+change. These get reviewed by the community like any other patch. It is expected
+that, if someone has an objection to a new maintainer, she is willing to object
+in public with her full name and is willing to take over maintainership for the area.
+
+
 @anchor{Release process}
 @section Release process
 

ffmpeg_filter.c

@@ -38,6 +38,28 @@
 #include "libavutil/imgutils.h"
 #include "libavutil/samplefmt.h"
 
+
+static const enum AVPixelFormat *get_compliance_unofficial_pix_fmts(enum AVCodecID codec_id, const enum AVPixelFormat default_formats[])
+{
+    static const enum AVPixelFormat mjpeg_formats[] =
+        { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P,
+          AV_PIX_FMT_YUV420P,  AV_PIX_FMT_YUV422P,
+          AV_PIX_FMT_NONE };
+    static const enum AVPixelFormat ljpeg_formats[] =
+        { AV_PIX_FMT_BGRA    ,
+          AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUVJ422P,
+          AV_PIX_FMT_YUV420P , AV_PIX_FMT_YUV444P , AV_PIX_FMT_YUV422P,
+          AV_PIX_FMT_NONE};
+
+    if (codec_id == AV_CODEC_ID_MJPEG) {
+        return mjpeg_formats;
+    } else if (codec_id == AV_CODEC_ID_LJPEG) {
+        return ljpeg_formats;
+    } else {
+        return default_formats;
+    }
+}
+
 enum AVPixelFormat choose_pixel_fmt(AVStream *st, AVCodecContext *enc_ctx, AVCodec *codec, enum AVPixelFormat target)
 {
     if (codec && codec->pix_fmts) {
@@ -45,18 +67,9 @@ enum AVPixelFormat choose_pixel_fmt(AVStream *st, AVCodecContext *enc_ctx, AVCod
         const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(target);
         int has_alpha = desc ? desc->nb_components % 2 == 0 : 0;
         enum AVPixelFormat best= AV_PIX_FMT_NONE;
-        static const enum AVPixelFormat mjpeg_formats[] =
-            { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE };
-        static const enum AVPixelFormat ljpeg_formats[] =
-            { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P,
-              AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE };
 
         if (enc_ctx->strict_std_compliance <= FF_COMPLIANCE_UNOFFICIAL) {
-            if (enc_ctx->codec_id == AV_CODEC_ID_MJPEG) {
-                p = mjpeg_formats;
-            } else if (enc_ctx->codec_id == AV_CODEC_ID_LJPEG) {
-                p =ljpeg_formats;
-            }
+            p = get_compliance_unofficial_pix_fmts(enc_ctx->codec_id, p);
         }
         for (; *p != AV_PIX_FMT_NONE; p++) {
             best= avcodec_find_best_pix_fmt_of_2(best, *p, target, has_alpha, NULL);
@@ -126,12 +139,7 @@ static char *choose_pix_fmts(OutputStream *ost)
 
         p = ost->enc->pix_fmts;
         if (ost->enc_ctx->strict_std_compliance <= FF_COMPLIANCE_UNOFFICIAL) {
-            if (ost->enc_ctx->codec_id == AV_CODEC_ID_MJPEG) {
-                p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE };
-            } else if (ost->enc_ctx->codec_id == AV_CODEC_ID_LJPEG) {
-                p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P,
-                                                    AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE };
-            }
+            p = get_compliance_unofficial_pix_fmts(ost->enc_ctx->codec_id, p);
         }
 
         for (; *p != AV_PIX_FMT_NONE; p++) {

libavcodec/4xm.c

@@ -884,6 +884,8 @@ static int decode_frame(AVCodecContext *avctx, void *data,
         }
 
         if (i >= CFRAME_BUFFER_COUNT) {
+            if (free_index < 0)
+                return AVERROR_INVALIDDATA;
             i             = free_index;
             f->cfrm[i].id = id;
         }

libavcodec/aic.c

@@ -458,8 +458,7 @@ static av_cold int aic_decode_init(AVCodecContext *avctx)
         }
     }
 
-    ctx->slice_data = av_malloc_array(ctx->slice_width, AIC_BAND_COEFFS
-                                * sizeof(*ctx->slice_data));
+    ctx->slice_data = av_calloc(ctx->slice_width, AIC_BAND_COEFFS * sizeof(*ctx->slice_data));
     if (!ctx->slice_data) {
         av_log(avctx, AV_LOG_ERROR, "Error allocating slice buffer\n");
 

libavcodec/avcodec.h

@@ -2486,6 +2486,10 @@ typedef struct AVCodecContext {
      *   this callback and filled with the extra buffers if there are more
      *   buffers than buf[] can hold. extended_buf will be freed in
      *   av_frame_unref().
+     *   Decoders will generally initialize the whole buffer before it is output
+     *   but it can in rare error conditions happen that uninitialized data is passed
+     *   through. \important The buffers returned by get_buffer* should thus not contain sensitive
+     *   data.
      *
      * If AV_CODEC_CAP_DR1 is not set then get_buffer2() must call
      * avcodec_default_get_buffer2() instead of providing buffers allocated by

libavcodec/dxva2.c

@@ -56,7 +56,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx,
                            unsigned type, const void *data, unsigned size,
                            unsigned mb_count)
 {
-    void     *dxva_data;
+    void     *dxva_data = NULL;
     unsigned dxva_size;
     int      result;
     HRESULT hr = 0;
@@ -78,7 +78,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx,
                type, hr);
         return -1;
     }
-    if (size <= dxva_size) {
+    if (dxva_data && size <= dxva_size) {
         memcpy(dxva_data, data, size);
 
 #if CONFIG_D3D11VA
@@ -140,7 +140,7 @@ int ff_dxva2_common_end_frame(AVCodecContext *avctx, AVFrame *frame,
 #endif
     DECODER_BUFFER_DESC             *buffer = NULL, *buffer_slice = NULL;
     int result, runs = 0;
-    HRESULT hr;
+    HRESULT hr = -1;
     unsigned type;
 
     do {

libavcodec/ffv1dec.c

@@ -466,7 +466,7 @@ static int decode_slice(AVCodecContext *c, void *arg)
     if (fs->ac && f->version > 2) {
         int v;
         get_rac(&fs->c, (uint8_t[]) { 129 });
-        v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*f->ec;
+        v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*!!f->ec;
         if (v) {
             av_log(f->avctx, AV_LOG_ERROR, "bytestream end mismatching by %d\n", v);
             fs->slice_damaged = 1;

libavcodec/ffv1enc.c

@@ -695,7 +695,7 @@ static av_cold int encode_init(AVCodecContext *avctx)
         s->version = FFMAX(s->version, 3);
 
     if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) {
-        av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n");
+        av_log(avctx, AV_LOG_ERROR, "Version 2 or 4 needed for requested features but version 2 or 4 is experimental and not enabled\n");
         return AVERROR_INVALIDDATA;
     }
 
@@ -1011,8 +1011,8 @@ static void encode_slice_header(FFV1Context *f, FFV1Context *fs)
 
     put_symbol(c, state, (fs->slice_x     +1)*f->num_h_slices / f->width   , 0);
     put_symbol(c, state, (fs->slice_y     +1)*f->num_v_slices / f->height  , 0);
-    put_symbol(c, state, (fs->slice_width +1)*f->num_h_slices / f->width -1, 0);
-    put_symbol(c, state, (fs->slice_height+1)*f->num_v_slices / f->height-1, 0);
+    put_symbol(c, state, 0, 0);
+    put_symbol(c, state, 0, 0);
     for (j=0; j<f->plane_count; j++) {
         put_symbol(c, state, f->plane[j].quant_table_index, 0);
         av_assert0(f->plane[j].quant_table_index == f->avctx->context_model);

libavcodec/flac_parser.c

@@ -367,6 +367,8 @@ static int check_header_mismatch(FLACParseContext  *fpc,
         for (i = 0; i < FLAC_MAX_SEQUENTIAL_HEADERS && curr != child; i++)
             curr = curr->next;
 
+        av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS);
+
         if (header->link_penalty[i] < FLAC_HEADER_CRC_FAIL_PENALTY ||
             header->link_penalty[i] == FLAC_HEADER_NOT_PENALIZED_YET) {
             FLACHeaderMarker *start, *end;

libavcodec/golomb.h

@@ -280,6 +280,7 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit,
     log = av_log2(buf);
 
     if (log > 31 - limit) {
+        av_assert2(log >= k);
         buf >>= log - k;
         buf  += (30U - log) << k;
         LAST_SKIP_BITS(re, gb, 32 + k - log);
@@ -301,6 +302,8 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit,
 
 /**
  * read unsigned golomb rice code (jpegls).
+ *
+ * @returns -1 on error
  */
 static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit,
                                        int esc_len)
@@ -373,6 +376,8 @@ static inline int get_sr_golomb(GetBitContext *gb, int k, int limit,
 
 /**
  * read signed golomb rice code (flac).
+ *
+ * @returns INT_MIN on error
  */
 static inline int get_sr_golomb_flac(GetBitContext *gb, int k, int limit,
                                      int esc_len)

libavcodec/hevc.c

@@ -476,6 +476,10 @@ static int hls_slice_header(HEVCContext *s)
 
         if (s->ps.pps->dependent_slice_segments_enabled_flag)
             sh->dependent_slice_segment_flag = get_bits1(gb);
+        if (sh->dependent_slice_segment_flag && !s->slice_initialized) {
+            av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n");
+            return AVERROR_INVALIDDATA;
+        }
 
         slice_address_length = av_ceil_log2(s->ps.sps->ctb_width *
                                             s->ps.sps->ctb_height);
@@ -733,9 +737,6 @@ static int hls_slice_header(HEVCContext *s)
         } else {
             sh->slice_loop_filter_across_slices_enabled_flag = s->ps.pps->seq_loop_filter_across_slices_enabled_flag;
         }
-    } else if (!s->slice_initialized) {
-        av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n");
-        return AVERROR_INVALIDDATA;
     }
 
     sh->num_entry_point_offsets = 0;
@@ -1749,13 +1750,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0,
 
     if (current_mv.pred_flag & PF_L0) {
         ref0 = refPicList[0].ref[current_mv.ref_idx[0]];
-        if (!ref0 || !ref0->frame->data[0])
+        if (!ref0 || !ref0->frame)
             return;
         hevc_await_progress(s, ref0, &current_mv.mv[0], y0, nPbH);
     }
     if (current_mv.pred_flag & PF_L1) {
         ref1 = refPicList[1].ref[current_mv.ref_idx[1]];
-        if (!ref1 || !ref1->frame->data[0])
+        if (!ref1 || !ref1->frame)
             return;
         hevc_await_progress(s, ref1, &current_mv.mv[1], y0, nPbH);
     }
@@ -2703,8 +2704,11 @@ static int decode_nal_unit(HEVCContext *s, const HEVCNAL *nal)
     case NAL_RASL_N:
     case NAL_RASL_R:
         ret = hls_slice_header(s);
-        if (ret < 0)
+        if (ret < 0) {
+            // hls_slice_header() does not cleanup on failure thus the state now is inconsistant so we cannot use it on depandant slices
+            s->slice_initialized = 0;
             return ret;
+        }
         if (ret == 1) {
             ret = AVERROR_INVALIDDATA;
             goto fail;

libavcodec/indeo3.c

@@ -168,6 +168,9 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx,
     int p, chroma_width, chroma_height;
     int luma_pitch, chroma_pitch, luma_size, chroma_size;
 
+    luma_width  = FFALIGN(luma_width , 2);
+    luma_height = FFALIGN(luma_height, 2);
+
     if (luma_width  < 16 || luma_width  > 640 ||
         luma_height < 16 || luma_height > 480 ||
         luma_width  &  3 || luma_height &   3) {

libavcodec/jfdctint_template.c

@@ -188,7 +188,7 @@ static av_always_inline void FUNC(row_fdct)(int16_t *data)
 {
   int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7;
   int tmp10, tmp11, tmp12, tmp13;
-  int z1, z2, z3, z4, z5;
+  unsigned z1, z2, z3, z4, z5;
   int16_t *dataptr;
   int ctr;
 

libavcodec/jpeg2000dec.c

@@ -819,9 +819,6 @@ static uint8_t get_tlm(Jpeg2000DecoderContext *s, int n)
         case 2:
             bytestream2_get_be16(&s->g);
             break;
-        case 3:
-            bytestream2_get_be32(&s->g);
-            break;
         }
         if (SP == 0) {
             bytestream2_get_be16(&s->g);

libavcodec/jpeglsdec.c

@@ -373,6 +373,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
     state->T3     = s->t3;
     state->reset  = s->reset;
     ff_jpegls_reset_coding_parameters(state, 0);
+
+    /* Testing parameters here, we cannot test in LSE or SOF because
+     * these interdepend and are allowed in either order
+     */
+    if (state->maxval >= (1<<state->bpp) ||
+        state->T1 > state->T2 ||
+        state->T2 > state->T3 ||
+        state->T3 > state->maxval ||
+        state->reset > FFMAX(255, state->maxval)) {
+        ret = AVERROR_INVALIDDATA;
+        goto end;
+    }
+
     ff_jpegls_init_state(state);
 
     if (s->bits <= 8)

libavcodec/loco.c

@@ -89,10 +89,15 @@ static inline int loco_get_rice(RICEContext *r)
         return 0;
     }
     v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0);
+    if (v == -1)
+        return INT_MIN;
     loco_update_rice_param(r, (v + 1) >> 1);
     if (!v) {
         if (r->save >= 0) {
-            r->run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0);
+            int run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0);
+            if (run == -1)
+                return INT_MIN;
+            r->run = run;
             if (r->run > 1)
                 r->save += r->run + 1;
             else
@@ -149,6 +154,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh
 
     /* restore top left pixel */
     val     = loco_get_rice(&rc);
+    if (val == INT_MIN)
+        return AVERROR_INVALIDDATA;
     data[0] = 128 + val;
     /* restore top line */
     for (i = 1; i < width; i++) {

libavcodec/lpc.c

@@ -239,8 +239,10 @@ int ff_lpc_calc_coefs(LPCContext *s,
         double av_uninit(weight);
         memset(var, 0, FFALIGN(MAX_LPC_ORDER+1,4)*sizeof(*var));
 
-        for(j=0; j<max_order; j++)
-            m[0].coeff[max_order-1][j] = -lpc[max_order-1][j];
+        /* Avoids initializing with an unused value when lpc_passes == 1 */
+        if (lpc_passes > 1)
+            for(j=0; j<max_order; j++)
+                m[0].coeff[max_order-1][j] = -lpc[max_order-1][j];
 
         for(; pass<lpc_passes; pass++){
             avpriv_init_lls(&m[pass&1], max_order);

libavcodec/motion_est.c

@@ -1461,7 +1461,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y)
         s->b_direct_mv_table[mot_xy][0]= 0;
         s->b_direct_mv_table[mot_xy][1]= 0;
 
-        return 256*256*256*64;
+        return 256*256*256*64-1;
     }
 
     c->xmin= xmin;

libavcodec/mpeg4videodec.c

@@ -340,6 +340,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
         ctx->sprite_shift[0]  = alpha + beta + rho - min_ab;
         ctx->sprite_shift[1]  = alpha + beta + rho - min_ab + 2;
         break;
+    default:
+        av_assert0(0);
     }
     /* try to simplify the situation */
     if (sprite_delta[0][0] == a << ctx->sprite_shift[0] &&

libavcodec/mpegvideo_enc.c

@@ -1201,12 +1201,12 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg)
                                                  &v_chroma_shift);
 
                 for (i = 0; i < 3; i++) {
-                    int src_stride = pic_arg->linesize[i];
-                    int dst_stride = i ? s->uvlinesize : s->linesize;
+                    ptrdiff_t src_stride = pic_arg->linesize[i];
+                    ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize;
                     int h_shift = i ? h_chroma_shift : 0;
                     int v_shift = i ? v_chroma_shift : 0;
-                    int w = s->width  >> h_shift;
-                    int h = s->height >> v_shift;
+                    int w = FF_CEIL_RSHIFT(s->width , h_shift);
+                    int h = FF_CEIL_RSHIFT(s->height, v_shift);
                     uint8_t *src = pic_arg->data[i];
                     uint8_t *dst = pic->f->data[i];
                     int vpad = 16;
@@ -1220,7 +1220,7 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg)
                         dst += INPLACE_OFFSET;
 
                     if (src_stride == dst_stride)
-                        memcpy(dst, src, src_stride * h);
+                        memcpy(dst, src, src_stride * h - src_stride + w);
                     else {
                         int h2 = h;
                         uint8_t *dst2 = dst;

libavcodec/parser.c

@@ -264,6 +264,7 @@ int ff_combine_frame(ParseContext *pc, int next,
         }
         pc->buffer = new_buffer;
         memcpy(&pc->buffer[pc->index], *buf, *buf_size);
+        memset(&pc->buffer[pc->index + *buf_size], 0, AV_INPUT_BUFFER_PADDING_SIZE);
         pc->index += *buf_size;
         return -1;
     }

libavcodec/proresdec2.c

@@ -335,7 +335,7 @@ static av_always_inline int decode_ac_coeffs(AVCodecContext *avctx, GetBitContex
 
     for (pos = block_mask;;) {
         bits_left = gb->size_in_bits - re_index;
-        if (!bits_left || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left)))
+        if (bits_left <= 0 || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left)))
             break;
 
         DECODE_CODEWORD(run, run_to_cb[FFMIN(run,  15)]);

libavcodec/proresenc_kostya.c

@@ -3,9 +3,6 @@
  *
  * Copyright (c) 2012 Konstantin Shishkov
  *
- * This encoder appears to be based on Anatoliy Wassermans considering
- * similarities in the bugs.
- *
  * This file is part of FFmpeg.
  *
  * FFmpeg is free software; you can redistribute it and/or

libavcodec/rangecoder.h

@@ -52,7 +52,6 @@ void ff_build_rac_states(RangeCoder *c, int factor, int max_p);
 static inline void renorm_encoder(RangeCoder *c)
 {
     // FIXME: optimize
-    while (c->range < 0x100) {
         if (c->outstanding_byte < 0) {
             c->outstanding_byte = c->low >> 8;
         } else if (c->low <= 0xFF00) {
@@ -71,7 +70,6 @@ static inline void renorm_encoder(RangeCoder *c)
 
         c->low     = (c->low & 0xFF) << 8;
         c->range <<= 8;
-    }
 }
 
 static inline int get_rac_count(RangeCoder *c)
@@ -98,7 +96,8 @@ static inline void put_rac(RangeCoder *c, uint8_t *const state, int bit)
         *state   = c->one_state[*state];
     }
 
-    renorm_encoder(c);
+    while (c->range < 0x100)
+        renorm_encoder(c);
 }
 
 static inline void refill(RangeCoder *c)

libavcodec/snow.c

@@ -491,7 +491,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){
     FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->spatial_dwt_buffer,  width, height * sizeof(DWTELEM),  fail); //FIXME this does not belong here
     FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_dwt_buffer,     width, sizeof(DWTELEM),  fail);
     FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_idwt_buffer,    width, sizeof(IDWTELEM), fail);
-    FF_ALLOC_ARRAY_OR_GOTO(avctx,  s->run_buffer,          ((width + 1) >> 1), ((height + 1) >> 1) * sizeof(*s->run_buffer), fail);
+    FF_ALLOC_ARRAY_OR_GOTO(avctx,  s->run_buffer,          ((width + 1) >> 1) * ((height + 1) >> 1) + 1, sizeof(*s->run_buffer), fail);
 
     for(i=0; i<MAX_REF_FRAMES; i++) {
         for(j=0; j<MAX_REF_FRAMES; j++)

libavcodec/snowenc.c

@@ -257,6 +257,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){
     int my_context= av_log2(2*FFABS(left->my - top->my));
     int s_context= 2*left->level + 2*top->level + tl->level + tr->level;
     int ref, best_ref, ref_score, ref_mx, ref_my;
+    int range = MAX_MV >> (1 + qpel);
 
     av_assert0(sizeof(s->block_state) >= 256);
     if(s->keyframe){
@@ -298,6 +299,11 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){
     c->xmax = - (x+1)*block_w + (w<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3;
     c->ymax = - (y+1)*block_w + (h<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3;
 
+    c->xmin = FFMAX(c->xmin,-range);
+    c->xmax = FFMIN(c->xmax, range);
+    c->ymin = FFMAX(c->ymin,-range);
+    c->ymax = FFMIN(c->ymax, range);
+
     if(P_LEFT[0]     > (c->xmax<<shift)) P_LEFT[0]    = (c->xmax<<shift);
     if(P_LEFT[1]     > (c->ymax<<shift)) P_LEFT[1]    = (c->ymax<<shift);
     if(P_TOP[0]      > (c->xmax<<shift)) P_TOP[0]     = (c->xmax<<shift);

libavcodec/targaenc.c

@@ -21,6 +21,7 @@
 
 #include <string.h>
 
+#include "libavutil/avassert.h"
 #include "libavutil/internal.h"
 #include "libavutil/intreadwrite.h"
 #include "libavutil/pixdesc.h"
@@ -79,13 +80,14 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
 {
     int bpp, picsize, datasize = -1, ret, i;
     uint8_t *out;
+    int maxpal = 32*32;
 
     if(avctx->width > 0xffff || avctx->height > 0xffff) {
         av_log(avctx, AV_LOG_ERROR, "image dimensions too large\n");
         return AVERROR(EINVAL);
     }
     picsize = avpicture_get_size(avctx->pix_fmt, avctx->width, avctx->height);
-    if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45, 0)) < 0)
+    if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45 + maxpal, 0)) < 0)
         return ret;
 
     /* zero out the header and only set applicable fields */
@@ -118,6 +120,7 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
             AV_WL24(pkt->data + 18 + 3 * i, *(uint32_t *)(p->data[1] + i * 4));
             }
         out += 32 * pal_bpp;        /* skip past the palette we just output */
+        av_assert0(32 * pal_bpp <= maxpal);
         break;
         }
     case AV_PIX_FMT_GRAY8:

libavcodec/truemotion1.c

@@ -407,6 +407,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
         return AVERROR_PATCHWELCOME;
     }
 
+    if (s->h & 3) {
+        avpriv_request_sample(s->avctx, "Frame with height not being a multiple of 4");
+        return AVERROR_PATCHWELCOME;
+    }
+
     if (s->w != s->avctx->width || s->h != s->avctx->height ||
         new_pix_fmt != s->avctx->pix_fmt) {
         av_frame_unref(s->frame);

libavcodec/utils.c

@@ -373,6 +373,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
         if (s->codec_id == AV_CODEC_ID_SVQ1) {
             w_align = 64;
             h_align = 64;
+        } else if (s->codec_id == AV_CODEC_ID_SNOW) {
+            w_align = 16;
+            h_align = 16;
         }
         break;
     case AV_PIX_FMT_RGB555:

libavcodec/utvideoenc.c

@@ -218,7 +218,7 @@ static av_cold int utvideo_encode_init(AVCodecContext *avctx)
      * - Compression mode (none/huff)
      * And write the flags.
      */
-    c->flags  = (c->slices - 1) << 24;
+    c->flags  = (c->slices - 1U) << 24;
     c->flags |= 0 << 11; // bit field to signal interlaced encoding mode
     c->flags |= c->compression;
 

libavcodec/vble.c

@@ -190,6 +190,9 @@ static av_cold int vble_decode_init(AVCodecContext *avctx)
     ctx->size = avpicture_get_size(avctx->pix_fmt,
                                    avctx->width, avctx->height);
 
+    if (ctx->size < 0)
+        return ctx->size;
+
     ctx->val = av_malloc_array(ctx->size, sizeof(*ctx->val));
 
     if (!ctx->val) {

libavcodec/vorbisdec.c

@@ -1451,6 +1451,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
                             unsigned step = FASTDIV(vr->partition_size << 1, dim << 1);
                             vorbis_codebook codebook = vc->codebooks[vqbook];
 
+                            if (get_bits_left(gb) <= 0)
+                                return AVERROR_INVALIDDATA;
+
                             if (vr_type == 0) {
 
                                 voffs = voffset+j*vlen;

libavcodec/vp8.c

@@ -190,8 +190,16 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7)
             return AVERROR(ENOMEM);
         }
 #if HAVE_THREADS
-        pthread_mutex_init(&s->thread_data[i].lock, NULL);
-        pthread_cond_init(&s->thread_data[i].cond, NULL);
+        ret = pthread_mutex_init(&s->thread_data[i].lock, NULL);
+        if (ret) {
+            free_buffers(s);
+            return AVERROR(ret);
+        }
+        ret = pthread_cond_init(&s->thread_data[i].cond, NULL);
+        if (ret) {
+            free_buffers(s);
+            return AVERROR(ret);
+        }
 #endif
     }
 

libavcodec/wavpackenc.c

@@ -1990,7 +1990,7 @@ static void encode_flush(WavPackEncodeContext *s)
                 put_bits(pb, 31, 0x7FFFFFFF);
                 cbits -= 31;
             } else {
-                put_bits(pb, cbits, (1 << cbits) - 1);
+                put_bits(pb, cbits, (1U << cbits) - 1);
                 cbits = 0;
             }
         } while (cbits);
@@ -2019,7 +2019,7 @@ static void encode_flush(WavPackEncodeContext *s)
                     put_bits(pb, 31, 0x7FFFFFFF);
                     cbits -= 31;
                 } else {
-                    put_bits(pb, cbits, (1 << cbits) - 1);
+                    put_bits(pb, cbits, (1U << cbits) - 1);
                     cbits = 0;
                 }
             } while (cbits);

libavcodec/webp.c

@@ -738,6 +738,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role,
             ref_x = FFMAX(0, ref_x);
             ref_y = FFMAX(0, ref_y);
 
+            if (ref_y == y && ref_x >= x)
+                return AVERROR_INVALIDDATA;
+
             /* copy pixels
              * source and dest regions can overlap and wrap lines, so just
              * copy per-pixel */

libavcodec/wmavoice.c

@@ -1465,6 +1465,8 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx,
     /* Parse frame type ("frame header"), see frame_descs */
     int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)], block_nsamples;
 
+    pitch[0] = INT_MAX;
+
     if (bd_idx < 0) {
         av_log(ctx, AV_LOG_ERROR,
                "Invalid frame type VLC code, skipping\n");
@@ -1582,6 +1584,9 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx,
         double i_lsps[MAX_LSPS];
         float lpcs[MAX_LSPS];
 
+        if(frame_descs[bd_idx].fcb_type >= FCB_TYPE_AW_PULSES && pitch[0] == INT_MAX)
+            return AVERROR_INVALIDDATA;
+
         for (n = 0; n < s->lsps; n++) // LSF -> LSP
             i_lsps[n] = cos(0.5 * (prev_lsps[n] + lsps[n]));
         ff_acelp_lspd2lpc(i_lsps, lpcs, s->lsps >> 1);

libavcodec/xan.c

@@ -613,6 +613,9 @@ static int xan_decode_frame(AVCodecContext *avctx,
         return AVERROR_INVALIDDATA;
     }
 
+    if (buf_size < 9)
+        return AVERROR_INVALIDDATA;
+
     if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
         return ret;
 

libavdevice/dshow.c

@@ -853,7 +853,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum,
         av_log(avctx, AV_LOG_ERROR, "Could not create CaptureGraphBuilder2\n");
         goto error;
     }
-    ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph);
+    r = ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph);
     if (r != S_OK) {
         av_log(avctx, AV_LOG_ERROR, "Could not set graph for CaptureGraphBuilder2\n");
         goto error;

libavdevice/dshow_filter.c

@@ -146,7 +146,7 @@ libAVFilter_JoinFilterGraph(libAVFilter *this, IFilterGraph *graph,
 
     this->info.pGraph = graph;
     if (name)
-        wcscpy(this->info.achName, name);
+        wcscpy_s(this->info.achName, sizeof(this->info.achName) / sizeof(wchar_t), name);
 
     return S_OK;
 }

libavfilter/af_pan.c

@@ -120,6 +120,14 @@ static av_cold int init(AVFilterContext *ctx)
     if (ret < 0)
         goto fail;
 
+    if (pan->nb_output_channels > MAX_CHANNELS) {
+        av_log(ctx, AV_LOG_ERROR,
+               "af_pan supports a maximum of %d channels. "
+               "Feel free to ask for a higher limit.\n", MAX_CHANNELS);
+        ret = AVERROR_PATCHWELCOME;
+        goto fail;
+    }
+
     /* parse channel specifications */
     while ((arg = arg0 = av_strtok(NULL, "|", &tokenizer))) {
         /* channel name */

libavfilter/vf_gradfun.c

@@ -92,7 +92,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, const uint8_t *src, int wi
     for (y = 0; y < r; y++)
         ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2);
     for (;;) {
-        if (y < height - r) {
+        if (y + 1 < height - r) {
             int mod = ((y + r) / 2) % r;
             uint16_t *buf0 = buf + mod * bstride;
             uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride;

libavfilter/vf_rotate.c

@@ -197,7 +197,9 @@ static int config_props(AVFilterLink *outlink)
     double res;
     char *expr;
 
-    ff_draw_init(&rot->draw, inlink->format, 0);
+    ret = ff_draw_init(&rot->draw, inlink->format, 0);
+    if (ret < 0)
+        return ret;
     ff_draw_color(&rot->draw, &rot->color, rot->fillcolor);
 
     rot->hsub = pixdesc->log2_chroma_w;

libavfilter/vf_vidstabdetect.c

@@ -175,7 +175,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
     }
     if (vsMotionDetection(md, &localmotions, &frame) != VS_OK) {
         av_log(ctx, AV_LOG_ERROR, "motion detection failed");
-        return AVERROR(AVERROR_EXTERNAL);
+        return AVERROR_EXTERNAL;
     } else {
         if (vsWriteToFile(md, sd->f, &localmotions) != VS_OK) {
             int ret = AVERROR(errno);

libavformat/ape.c

@@ -317,7 +317,7 @@ static int ape_read_header(AVFormatContext * s)
         final_size -= final_size & 3;
     }
     if (file_size <= 0 || final_size <= 0)
-        final_size = ape->finalframeblocks * 8;
+        final_size = ape->finalframeblocks * 8LL;
     ape->frames[ape->totalframes - 1].size = final_size;
 
     for (i = 0; i < ape->totalframes; i++) {

libavformat/apetag.c

@@ -129,7 +129,8 @@ int64_t ff_ape_parse_tag(AVFormatContext *s)
 
     avio_seek(pb, file_size - APE_TAG_FOOTER_BYTES, SEEK_SET);
 
-    avio_read(pb, buf, 8);     /* APETAGEX */
+    if(avio_read(pb, buf, 8) != 8)     /* APETAGEX */
+        return 0;
     if (strncmp(buf, APE_TAG_PREAMBLE, 8)) {
         return 0;
     }

libavformat/asfdec_o.c

@@ -985,6 +985,9 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g)
     int i, ret;
     uint64_t size = avio_rl64(pb);
 
+    if (size < 24)
+        return AVERROR_INVALIDDATA;
+
     // simple index objects should be ordered by stream number, this loop tries to find
     // the first not indexed video stream
     for (i = 0; i < asf->nb_streams; i++) {

libavformat/cafdec.c

@@ -214,7 +214,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size)
         }
     }
 
-    if (avio_tell(pb) - ccount > size) {
+    if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) {
         av_log(s, AV_LOG_ERROR, "error reading packet table\n");
         return AVERROR_INVALIDDATA;
     }

libavformat/flacdec.c

@@ -50,7 +50,7 @@ static int flac_read_header(AVFormatContext *s)
     /* process metadata blocks */
     while (!avio_feof(s->pb) && !metadata_last) {
         if (avio_read(s->pb, header, 4) != 4)
-            return AVERROR(AVERROR_INVALIDDATA);
+            return AVERROR_INVALIDDATA;
         flac_parse_block_header(header, &metadata_last, &metadata_type,
                                    &metadata_size);
         switch (metadata_type) {

libavformat/hnm.c

@@ -140,6 +140,8 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt)
     if (hnm->superchunk_remaining == 0) {
         /* parse next superchunk */
         superchunk_size = avio_rl24(pb);
+        if (superchunk_size < 4)
+            return AVERROR_INVALIDDATA;
         avio_skip(pb, 1);
 
         hnm->superchunk_remaining = superchunk_size - 4;
@@ -150,7 +152,7 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt)
     chunk_id = avio_rl16(pb);
     avio_skip(pb, 2);
 
-    if (chunk_size > hnm->superchunk_remaining || !chunk_size) {
+    if (chunk_size > hnm->superchunk_remaining || chunk_size < 8) {
         av_log(s, AV_LOG_ERROR,
                "invalid chunk size: %"PRIu32", offset: %"PRId64"\n",
                chunk_size, avio_tell(pb));

libavformat/icodec.c

@@ -172,7 +172,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
             AV_WL32(buf + 32, image->nb_pal);
         }
 
-        if (image->nb_pal > INT_MAX / 4 - 14 - 40)
+        if (image->nb_pal > INT_MAX / 4 - 14 - 40U)
             return AVERROR_INVALIDDATA;
 
         AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4);

libavformat/id3v2.c

@@ -364,7 +364,7 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen,
     int encoding;
     int ok = 0;
 
-    if (taglen < 1)
+    if (taglen < 4)
         goto error;
 
     encoding = avio_r8(pb);

libavformat/ilbc.c

@@ -74,7 +74,8 @@ static int ilbc_read_header(AVFormatContext *s)
     AVStream *st;
     uint8_t header[9];
 
-    avio_read(pb, header, 9);
+    if (avio_read(pb, header, 9) != 9)
+        return AVERROR_INVALIDDATA;
 
     st = avformat_new_stream(s, NULL);
     if (!st)

libavformat/img2dec.c

@@ -22,6 +22,7 @@
 
 #define _BSD_SOURCE
 #include <sys/stat.h>
+#include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
 #include "libavutil/log.h"
 #include "libavutil/opt.h"
@@ -462,6 +463,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt)
     pkt->flags       |= AV_PKT_FLAG_KEY;
     if (s->ts_from_file) {
         struct stat img_stat;
+        av_assert0(!s->is_pipe); // The ts_from_file option is not supported by piped input demuxers
         if (stat(filename, &img_stat)) {
             res = AVERROR(EIO);
             goto fail;
@@ -509,6 +511,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt)
         }
         goto fail;
     } else {
+        memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
         s->img_count++;
         s->img_number++;
         s->pts++;

libavformat/lmlm4.c

@@ -94,15 +94,15 @@ static int lmlm4_read_packet(AVFormatContext *s, AVPacket *pkt)
 
     if (frame_type > LMLM4_MPEG1L2 || frame_type == LMLM4_INVALID) {
         av_log(s, AV_LOG_ERROR, "invalid or unsupported frame_type\n");
-        return AVERROR(EIO);
+        return AVERROR_INVALIDDATA;
     }
     if (packet_size > LMLM4_MAX_PACKET_SIZE || packet_size<=8) {
         av_log(s, AV_LOG_ERROR, "packet size %d is invalid\n", packet_size);
-        return AVERROR(EIO);
+        return AVERROR_INVALIDDATA;
     }
 
     if ((ret = av_get_packet(pb, pkt, frame_size)) <= 0)
-        return AVERROR(EIO);
+        return ret < 0 ? ret : AVERROR(EIO);
 
     avio_skip(pb, padding);
 

libavformat/matroskadec.c

@@ -1992,6 +1992,10 @@ static int matroska_parse_tracks(AVFormatContext *s)
 
         if (track->time_scale < 0.01)
             track->time_scale = 1.0;
+
+        if (matroska->time_scale * track->time_scale > UINT_MAX)
+            return AVERROR_INVALIDDATA;
+
         avpriv_set_pts_info(st, 64, matroska->time_scale * track->time_scale,
                             1000 * 1000 * 1000);    /* 64 bit pts in ns */
 
@@ -3371,9 +3375,10 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
             // The prebuffer ends in the last Cue. Estimate how much data was
             // prebuffered.
             pre_bytes = desc_end.end_offset - desc_end.start_offset;
-            pre_ns = desc_end.end_time_ns - desc_end.start_time_ns;
-            if (pre_ns <= 0)
+            if (desc_end.end_time_ns <= desc_end.start_time_ns ||
+                desc_end.end_time_ns - (uint64_t)desc_end.start_time_ns > INT64_MAX)
                 return -1;
+            pre_ns = desc_end.end_time_ns - desc_end.start_time_ns;
             pre_sec = pre_ns / nano_seconds_per_second;
             prebuffer_bytes +=
                 pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec);
@@ -3386,7 +3391,7 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
                 int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset;
                 int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns;
                 double desc_sec, calc_bits_per_second, percent, mod_bits_per_second;
-                if (desc_bytes <= 0)
+                if (desc_bytes <= 0 || desc_bytes > INT64_MAX/8)
                     return -1;
 
                 desc_sec = desc_ns / nano_seconds_per_second;

libavformat/mlvdec.c

@@ -79,13 +79,15 @@ static int check_file_header(AVIOContext *pb, uint64_t guid)
 static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size)
 {
     char * value = av_malloc(size + 1);
+    int ret;
+
     if (!value) {
         avio_skip(pb, size);
         return;
     }
 
-    avio_read(pb, value, size);
-    if (!value[0]) {
+    ret = avio_read(pb, value, size);
+    if (ret != size || !value[0]) {
         av_free(value);
         return;
     }

libavformat/mm.c

@@ -94,7 +94,7 @@ static int read_header(AVFormatContext *s)
     type = avio_rl16(pb);
     length = avio_rl32(pb);
 
-    if (type != MM_TYPE_HEADER)
+    if (type != MM_TYPE_HEADER || length < 10)
         return AVERROR_INVALIDDATA;
 
     /* read header */

libavformat/mov.c

@@ -262,7 +262,8 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     char *str = NULL;
     const char *key = NULL;
     uint16_t langcode = 0;
-    uint32_t data_type = 0, str_size, str_size_alloc;
+    uint32_t data_type = 0, str_size_alloc;
+    uint64_t str_size;
     int (*parse)(MOVContext*, AVIOContext*, unsigned, const char*) = NULL;
     int raw = 0;
 
@@ -945,6 +946,12 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     int ret = ffio_read_size(pb, type, 4);
     if (ret < 0)
         return ret;
+    if (c->fc->nb_streams) {
+        if (c->fc->strict_std_compliance >= FF_COMPLIANCE_STRICT)
+            return AVERROR_INVALIDDATA;
+        av_log(c->fc, AV_LOG_DEBUG, "Ignoring duplicate FTYP\n");
+        return 0;
+    }
 
     if (strcmp(type, "qt  "))
         c->isom = 1;
@@ -1610,8 +1617,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         for (i = 0; i < entries && !pb->eof_reached; i++)
             sc->chunk_offsets[i] = avio_rb32(pb);
     else if (atom.type == MKTAG('c','o','6','4'))
-        for (i = 0; i < entries && !pb->eof_reached; i++)
+        for (i = 0; i < entries && !pb->eof_reached; i++) {
             sc->chunk_offsets[i] = avio_rb64(pb);
+            if (sc->chunk_offsets[i] < 0) {
+                av_log(c->fc, AV_LOG_WARNING, "Impossible chunk_offset\n");
+                sc->chunk_offsets[i] = 0;
+            }
+        }
     else
         return AVERROR_INVALIDDATA;
 

libavformat/movenc.c

@@ -4342,6 +4342,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt)
     if (ret < 0)
         return ret;
 
+    if (pkt->pts != AV_NOPTS_VALUE &&
+        (uint64_t)pkt->dts - pkt->pts != (int32_t)((uint64_t)pkt->dts - pkt->pts)) {
+        av_log(s, AV_LOG_WARNING, "pts/dts pair unsupported\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
     if (mov->flags & FF_MOV_FLAG_FRAGMENT) {
         int ret;
         if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) {

libavformat/mp3dec.c

@@ -118,9 +118,10 @@ static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration
     int fill_index = mp3->usetoc == 1 && duration > 0;
 
     if (!filesize &&
-        !(filesize = avio_size(s->pb))) {
+        (filesize = avio_size(s->pb)) <= 0) {
         av_log(s, AV_LOG_WARNING, "Cannot determine file size, skipping TOC table.\n");
         fill_index = 0;
+        filesize = 0;
     }
 
     for (i = 0; i < XING_TOC_COUNT; i++) {

libavformat/mpeg.c

@@ -78,6 +78,9 @@ static int mpegps_probe(AVProbeData *p)
             int pes  = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size);
             int pack = check_pack_header(p->buf + i);
 
+            if (len > INT_MAX - i)
+                break;
+
             if (code == SYSTEM_HEADER_START_CODE)
                 sys++;
             else if (code == PACK_START_CODE && pack)
@@ -537,7 +540,9 @@ redo:
         static const unsigned char avs_seqh[4] = { 0, 0, 1, 0xb0 };
         unsigned char buf[8];
 
-        avio_read(s->pb, buf, 8);
+        ret = avio_read(s->pb, buf, 8);
+        if (ret != 8)
+            return AVERROR_INVALIDDATA;
         avio_seek(s->pb, -8, SEEK_CUR);
         if (!memcmp(buf, avs_seqh, 4) && (buf[6] != 0 || buf[7] != 1))
             codec_id = AV_CODEC_ID_CAVS;

libavformat/mpegts.c

@@ -1463,6 +1463,8 @@ static int mp4_read_iods(AVFormatContext *s, const uint8_t *buf, unsigned size,
     MP4DescrParseContext d;
     int ret;
 
+    d.predefined_SLConfigDescriptor_seen = 0;
+
     ret = init_MP4DescrParseContext(&d, s, buf, size, descr, max_descr_count);
     if (ret < 0)
         return ret;

libavformat/mxfdec.c

@@ -192,7 +192,7 @@ typedef struct MXFDescriptor {
 typedef struct MXFIndexTableSegment {
     UID uid;
     enum MXFMetadataSetType type;
-    int edit_unit_byte_count;
+    unsigned edit_unit_byte_count;
     int index_sid;
     int body_sid;
     AVRational index_edit_rate;
@@ -938,6 +938,9 @@ static int mxf_read_index_table_segment(void *arg, AVIOContext *pb, int tag, int
     case 0x3F0B:
         segment->index_edit_rate.num = avio_rb32(pb);
         segment->index_edit_rate.den = avio_rb32(pb);
+        if (segment->index_edit_rate.num <= 0 ||
+            segment->index_edit_rate.den <= 0)
+            return AVERROR_INVALIDDATA;
         av_log(NULL, AV_LOG_TRACE, "IndexEditRate %d/%d\n", segment->index_edit_rate.num,
                 segment->index_edit_rate.den);
         break;
@@ -1305,9 +1308,13 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t
         if (edit_unit < s->index_start_position + s->index_duration) {
             int64_t index = edit_unit - s->index_start_position;
 
-            if (s->edit_unit_byte_count)
+            if (s->edit_unit_byte_count) {
+                if (index > INT64_MAX / s->edit_unit_byte_count ||
+                    s->edit_unit_byte_count * index > INT64_MAX - offset_temp)
+                    return AVERROR_INVALIDDATA;
+
                 offset_temp += s->edit_unit_byte_count * index;
-            else if (s->nb_index_entries) {
+            } else if (s->nb_index_entries) {
                 if (s->nb_index_entries == 2 * s->index_duration + 1)
                     index *= 2;     /* Avid index */
 
@@ -1330,6 +1337,11 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t
             return mxf_absolute_bodysid_offset(mxf, index_table->body_sid, offset_temp, offset_out);
         } else {
             /* EditUnitByteCount == 0 for VBR indexes, which is fine since they use explicit StreamOffsets */
+            if (s->edit_unit_byte_count && (s->index_duration > INT64_MAX / s->edit_unit_byte_count ||
+                s->edit_unit_byte_count * s->index_duration > INT64_MAX - offset_temp)
+            )
+                return AVERROR_INVALIDDATA;
+
             offset_temp += s->edit_unit_byte_count * s->index_duration;
         }
     }

libavformat/rdt.c

@@ -204,6 +204,8 @@ ff_rdt_parse_header(const uint8_t *buf, int len,
             return -1; /* not followed by a data packet */
 
         pkt_len = AV_RB16(buf+3);
+        if (pkt_len > len)
+            return AVERROR_INVALIDDATA;
         buf += pkt_len;
         len -= pkt_len;
         consumed += pkt_len;

libavformat/rmdec.c

@@ -269,9 +269,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
         case DEINT_ID_INT4:
             if (ast->coded_framesize > ast->audio_framesize ||
                 sub_packet_h <= 1 ||
-                ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize)
+                ast->coded_framesize * (uint64_t)sub_packet_h > (2LL + (sub_packet_h & 1)) * ast->audio_framesize)
                 return AVERROR_INVALIDDATA;
-            if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) {
+            if (ast->coded_framesize * (uint64_t)sub_packet_h != 2LL*ast->audio_framesize) {
                 avpriv_request_sample(s, "mismatching interleaver parameters");
                 return AVERROR_INVALIDDATA;
             }

libavformat/rpl.c

@@ -101,7 +101,7 @@ static AVRational read_fps(const char* line, int* error)
         line++;
     for (; *line>='0' && *line<='9'; line++) {
         // Truncate any numerator too large to fit into an int64_t
-        if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10)
+        if (num > (INT64_MAX - 9) / 10ULL || den > INT64_MAX / 10ULL)
             break;
         num  = 10 * num + (*line - '0');
         den *= 10;
@@ -117,7 +117,7 @@ static int rpl_read_header(AVFormatContext *s)
     AVIOContext *pb = s->pb;
     RPLContext *rpl = s->priv_data;
     AVStream *vst = NULL, *ast = NULL;
-    int total_audio_size;
+    int64_t total_audio_size;
     int error = 0;
 
     uint32_t i;
@@ -270,6 +270,8 @@ static int rpl_read_header(AVFormatContext *s)
         if (ast)
             av_add_index_entry(ast, offset + video_size, total_audio_size,
                                audio_size, audio_size * 8, 0);
+        if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8)
+            return AVERROR_INVALIDDATA;
         total_audio_size += audio_size * 8;
     }
 

libavformat/rtmppkt.c

@@ -437,7 +437,6 @@ static int amf_tag_skip(GetByteContext *gb)
 {
     AMFDataType type;
     unsigned nb   = -1;
-    int parse_key = 1;
 
     if (bytestream2_get_bytes_left(gb) < 1)
         return -1;
@@ -462,13 +461,12 @@ static int amf_tag_skip(GetByteContext *gb)
         bytestream2_skip(gb, 10);
         return 0;
     case AMF_DATA_TYPE_ARRAY:
-        parse_key = 0;
     case AMF_DATA_TYPE_MIXEDARRAY:
         nb = bytestream2_get_be32(gb);
     case AMF_DATA_TYPE_OBJECT:
-        while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) {
+        while (type != AMF_DATA_TYPE_ARRAY || nb-- > 0) {
             int t;
-            if (parse_key) {
+            if (type != AMF_DATA_TYPE_ARRAY) {
                 int size = bytestream2_get_be16(gb);
                 if (!size) {
                     bytestream2_get_byte(gb);

libavformat/rtsp.c

@@ -1370,7 +1370,7 @@ retry:
     cur_auth_type = rt->auth_state.auth_type;
     if ((ret = rtsp_send_cmd_with_content_async(s, method, url, header,
                                                 send_content,
-                                                send_content_length)))
+                                                send_content_length)) < 0)
         return ret;
 
     if ((ret = ff_rtsp_read_reply(s, reply, content_ptr, 0, method) ) < 0)
@@ -1403,6 +1403,8 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port,
     char cmd[2048];
     const char *trans_pref;
 
+    memset(&reply1, 0, sizeof(reply1));
+
     if (rt->transport == RTSP_TRANSPORT_RDT)
         trans_pref = "x-pn-tng";
     else if (rt->transport == RTSP_TRANSPORT_RAW)
@@ -1513,7 +1515,11 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port,
         else if (lower_transport == RTSP_LOWER_TRANSPORT_UDP_MULTICAST) {
             snprintf(transport, sizeof(transport) - 1,
                      "%s/UDP;multicast", trans_pref);
+        } else {
+            err = AVERROR(EINVAL);
+            goto fail; // transport would be uninitialized
         }
+
         if (s->oformat) {
             av_strlcat(transport, ";mode=record", sizeof(transport));
         } else if (rt->server_type == RTSP_SERVER_REAL ||

libavformat/sapdec.c

@@ -194,6 +194,9 @@ static int sap_fetch_packet(AVFormatContext *s, AVPacket *pkt)
     struct pollfd p = {fd, POLLIN, 0};
     uint8_t recvbuf[RTP_MAX_PACKET_LENGTH];
 
+    if (fd < 0)
+        return fd;
+
     if (sap->eof)
         return AVERROR_EOF;
 

libavformat/sauce.c

@@ -34,7 +34,12 @@ int ff_sauce_read(AVFormatContext *avctx, uint64_t *fsize, int *got_width, int g
     AVIOContext *pb = avctx->pb;
     char buf[36];
     int datatype, filetype, t1, t2, nb_comments;
-    uint64_t start_pos = avio_size(pb) - 128;
+    int64_t start_pos = avio_size(pb);
+
+    if (start_pos < 128)
+        return AVERROR_INVALIDDATA;
+
+    start_pos -= 128;
 
     avio_seek(pb, start_pos, SEEK_SET);
     if (avio_read(pb, buf, 7) != 7)

libavformat/sbgdec.c

@@ -384,7 +384,7 @@ static int parse_options(struct sbg_parser *p)
                 case 'L':
                     FORWARD_ERROR(parse_optarg(p, opt, &oarg));
                     r = str_to_time(oarg.s, &p->scs.opt_duration);
-                    if (oarg.e != oarg.s + r) {
+                    if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) {
                         snprintf(p->err_msg, sizeof(p->err_msg),
                                  "syntax error for option -L");
                         return AVERROR_INVALIDDATA;

libavformat/sdp.c

@@ -195,6 +195,8 @@ static char *extradata2psets(AVCodecContext *c)
             continue;
         }
         if (p != (psets + strlen(pset_string))) {
+            if (p - psets >= MAX_PSET_SIZE)
+                goto fail_in_loop;
             *p = ',';
             p++;
         }
@@ -204,6 +206,7 @@ static char *extradata2psets(AVCodecContext *c)
         }
         if (!av_base64_encode(p, MAX_PSET_SIZE - (p - psets), r, r1 - r)) {
             av_log(c, AV_LOG_ERROR, "Cannot Base64-encode %"PTRDIFF_SPECIFIER" %"PTRDIFF_SPECIFIER"!\n", MAX_PSET_SIZE - (p - psets), r1 - r);
+fail_in_loop:
             av_free(psets);
             av_free(tmpbuf);
 

libavformat/segafilm.c

@@ -238,6 +238,7 @@ static int film_read_header(AVFormatContext *s)
             else if (film->audio_type != AV_CODEC_ID_NONE)
                 audio_frame_counter += (film->sample_table[i].sample_size /
                     (film->audio_channels * film->audio_bits / 8));
+            film->sample_table[i].keyframe = 1;
         } else {
             film->sample_table[i].stream = film->video_stream_index;
             film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF;

libavformat/siff.c

@@ -198,7 +198,10 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt)
         if (c->cur_frame >= c->frames)
             return AVERROR_EOF;
         if (c->curstrm == -1) {
-            c->pktsize = avio_rl32(s->pb) - 4;
+            unsigned pktsize = avio_rl32(s->pb);
+            if (pktsize < 4)
+                return AVERROR_INVALIDDATA;
+            c->pktsize = pktsize - 4;
             c->flags   = avio_rl16(s->pb);
             if (c->flags & VB_HAS_AUDIO && !c->has_audio)
                 return AVERROR_INVALIDDATA;

libavformat/subfile.c

@@ -127,6 +127,8 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence)
     case SEEK_END:
         new_pos = c->end + c->pos;
         break;
+    default:
+        av_assert0(0);
     }
     if (new_pos < c->start)
         return AVERROR(EINVAL);

libavformat/utils.c

@@ -1870,7 +1870,7 @@ int ff_seek_frame_binary(AVFormatContext *s, int stream_index,
                          int64_t target_ts, int flags)
 {
     AVInputFormat *avif = s->iformat;
-    int64_t av_uninit(pos_min), av_uninit(pos_max), pos, pos_limit;
+    int64_t pos_min = 0, pos_max = 0, pos, pos_limit;
     int64_t ts_min, ts_max, ts;
     int index;
     int64_t ret;

libavformat/wavdec.c

@@ -691,8 +691,7 @@ static int w64_read_header(AVFormatContext *s)
     uint8_t guid[16];
     int ret;
 
-    avio_read(pb, guid, 16);
-    if (memcmp(guid, ff_w64_guid_riff, 16))
+    if (avio_read(pb, guid, 16) != 16 || memcmp(guid, ff_w64_guid_riff, 16))
         return AVERROR_INVALIDDATA;
 
     /* riff + wave + fmt + sizes */

libavformat/westwood_vqa.c

@@ -233,7 +233,7 @@ static int wsvqa_read_packet(AVFormatContext *s,
                     break;
                 case SND2_TAG:
                     /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */
-                    pkt->duration = (chunk_size * 2) / wsvqa->channels;
+                    pkt->duration = (chunk_size * 2LL) / wsvqa->channels;
                     break;
                 }
                 break;

libavformat/wtvdec.c

@@ -185,7 +185,7 @@ static AVIOContext * wtvfile_open_sector(unsigned first_sector, uint64_t length,
         int nb_sectors1 = read_ints(s->pb, sectors1, WTV_SECTOR_SIZE / 4);
         int i;
 
-        wf->sectors = av_malloc_array(nb_sectors1, 1 << WTV_SECTOR_BITS);
+        wf->sectors = av_calloc(nb_sectors1, 1 << WTV_SECTOR_BITS);
         if (!wf->sectors) {
             av_free(wf);
             return NULL;
@@ -867,7 +867,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p
                 }
 
                 buf_size = FFMIN(len - consumed, sizeof(buf));
-                avio_read(pb, buf, buf_size);
+                if (avio_read(pb, buf, buf_size) != buf_size)
+                    return AVERROR_INVALIDDATA;
                 consumed += buf_size;
                 ff_parse_mpeg2_descriptor(s, st, 0, &pbuf, buf + buf_size, NULL, 0, 0, NULL);
             }

libavformat/xmv.c

@@ -251,6 +251,8 @@ static int xmv_read_header(AVFormatContext *s)
     /* Initialize the packet context */
 
     xmv->next_packet_offset = avio_tell(pb);
+    if (this_packet_size < xmv->next_packet_offset)
+        return AVERROR_INVALIDDATA;
     xmv->next_packet_size   = this_packet_size - xmv->next_packet_offset;
     xmv->stream_count       = xmv->audio_track_count + 1;
 

libavutil/base64.c

@@ -120,10 +120,12 @@ int av_base64_decode(uint8_t *out, const char *in_str, int out_size)
     }
 
 out3:
-    *dst++ = v >> 10;
+    if (end - dst)
+        *dst++ = v >> 10;
     v <<= 2;
 out2:
-    *dst++ = v >> 4;
+    if (end - dst)
+        *dst++ = v >> 4;
 out1:
 out0:
     return bits & 1 ? AVERROR_INVALIDDATA : dst - out;

libavutil/imgutils.c

@@ -246,7 +246,7 @@ int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enu
         stride = 8LL*w;
     stride += 128*8;
 
-    if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) {
+    if (w==0 || h==0 || w > INT32_MAX || h > INT32_MAX || stride >= INT_MAX || stride*(h + 128ULL) >= INT_MAX) {
         av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h);
         return AVERROR(EINVAL);
     }

libavutil/timecode.c

@@ -171,7 +171,7 @@ static int fps_from_frame_rate(AVRational rate)
 {
     if (!rate.den || !rate.num)
         return -1;
-    return (rate.num + rate.den/2) / rate.den;
+    return (rate.num + rate.den/2LL) / rate.den;
 }
 
 int av_timecode_check_frame_rate(AVRational rate)

libswscale/output.c

@@ -848,8 +848,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0,
             Y2 += 1 << 13;
 
             if (hasAlpha) {
-                A1 = abuf0[i * 2    ] << 11;
-                A2 = abuf0[i * 2 + 1] << 11;
+                A1 = abuf0[i * 2    ] * (1 << 11);
+                A2 = abuf0[i * 2 + 1] * (1 << 11);
 
                 A1 += 1 << 13;
                 A2 += 1 << 13;
@@ -894,8 +894,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0,
             Y2 += 1 << 13;
 
             if (hasAlpha) {
-                A1 = abuf0[i * 2    ] << 11;
-                A2 = abuf0[i * 2 + 1] << 11;
+                A1 = abuf0[i * 2    ] * (1 << 11);
+                A2 = abuf0[i * 2 + 1] * (1 << 11);
 
                 A1 += 1 << 13;
                 A2 += 1 << 13;
@@ -1060,7 +1060,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0,
             Y += 1 << 13;
 
             if (hasAlpha) {
-                A = abuf0[i] << 11;
+                A = abuf0[i] * (1 << 11);
 
                 A += 1 << 13;
             }
@@ -1093,7 +1093,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0,
             Y += 1 << 13;
 
             if (hasAlpha) {
-                A = abuf0[i] << 11;
+                A = abuf0[i] * (1 << 11);
 
                 A += 1 << 13;
             }
@@ -1531,9 +1531,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c,
     Y -= c->yuv2rgb_y_offset;
     Y *= c->yuv2rgb_y_coeff;
     Y += 1 << 21;
-    R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff;
-    G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff;
-    B = (unsigned)Y +                          U*c->yuv2rgb_u2b_coeff;
+    R = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2r_coeff;
+    G = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2g_coeff + U*(unsigned)c->yuv2rgb_u2g_coeff;
+    B = (unsigned)Y +                                    U*(unsigned)c->yuv2rgb_u2b_coeff;
     if ((R | G | B) & 0xC0000000) {
         R = av_clip_uintp2(R, 30);
         G = av_clip_uintp2(G, 30);

libswscale/slice.c

@@ -59,7 +59,7 @@ static int alloc_lines(SwsSlice *s, int size, int width)
         for (j = 0; j < n; ++j) {
             // chroma plane line U and V are expected to be contiguous in memory
             // by mmx vertical scaler code
-            s->plane[i].line[j] = av_malloc(size * 2 + 32);
+            s->plane[i].line[j] = av_mallocz(size * 2 + 32);
             if (!s->plane[i].line[j]) {
                 free_lines(s);
                 return AVERROR(ENOMEM);

libswscale/swscale.c

@@ -235,7 +235,7 @@ static void lumRangeFromJpeg16_c(int16_t *_dst, int width)
     int i;
     int32_t *dst = (int32_t *) _dst;
     for (i = 0; i < width; i++)
-        dst[i] = (dst[i]*(14071/4) + (33561947<<4)/4)>>12;
+        dst[i] = ((int)(dst[i]*(14071U/4) + (33561947<<4)/4)) >> 12;
 }
 
 // *** horizontal scale Y line to temp buffer
@@ -1053,7 +1053,8 @@ int attribute_align_arg sws_scale(struct SwsContext *c,
 
     if ((srcSliceY & (macro_height-1)) ||
         ((srcSliceH& (macro_height-1)) && srcSliceY + srcSliceH != c->srcH) ||
-        srcSliceY + srcSliceH > c->srcH) {
+        srcSliceY + srcSliceH > c->srcH ||
+        (isBayer(c->srcFormat) && srcSliceH <= 1)) {
         av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH);
         return AVERROR(EINVAL);
     }

libswscale/utils.c

@@ -474,7 +474,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos,
                 filter[i * filterSize + j] = coeff;
                 xx++;
             }
-            xDstInSrc += 2 * xInc;
+            xDstInSrc += 2LL * xInc;
         }
     }
 
@@ -1676,7 +1676,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter,
     }
 
     for (i = 0; i < 4; i++)
-        FF_ALLOCZ_OR_GOTO(c, c->dither_error[i], (c->dstW+2) * sizeof(int), fail);
+        FF_ALLOCZ_OR_GOTO(c, c->dither_error[i], (c->dstW+3) * sizeof(int), fail);
 
     /* Allocate pixbufs (we use dynamic allocation because otherwise we would
      * need to allocate several megabytes to handle all possible cases) */
@@ -1787,7 +1787,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter,
 
     /* unscaled special cases */
     if (unscaled && !usesHFilter && !usesVFilter &&
-        (c->srcRange == c->dstRange || isAnyRGB(dstFormat))) {
+        (c->srcRange == c->dstRange || isAnyRGB(dstFormat) || isBayer(srcFormat))) {
         ff_get_unscaled_swscale(c);
 
         if (c->swscale) {

libswscale/yuv2rgb.c

@@ -803,7 +803,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4],
     cbu  = (cbu * contrast * saturation) >> 32;
     cgu  = (cgu * contrast * saturation) >> 32;
     cgv  = (cgv * contrast * saturation) >> 32;
-    oy  -= 256 * brightness;
+    oy  -= 256LL * brightness;
 
     c->uOffset = 0x0400040004000400LL;
     c->vOffset = 0x0400040004000400LL;