Update for 3.0.8

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/mlpdec: Fix: runtime error: left shift of negative value -8
2017-05-18 12:36:32 +02:00 · 2017-05-18 12:36:32 +02:00 · 2017-05-18 12:36:32 +02:00 · 2017-05-17 16:58:59 -03:00 · 2017-05-17 16:57:38 -03:00 · 2017-05-17 16:27:25 -03:00
122 changed files with 1078 additions and 478 deletions
@@ -1,6 +1,200 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 3.0.8
+- avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'
+- avcodec/aacdec_template: Fix fixed point scale in decode_cce()
+- avcodec/flicvideo: Check frame_size before decrementing
+- avcodec/mlpdec: Fix runtime error: left shift of negative value -1
+- avcodec/takdec: Fix  runtime error: left shift of negative value -42
+- avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int'
+- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int'
+- avcodec/svq3: Fix runtime error: left shift of negative value -6
+- avcodec/tiff: reset sampling[] if its invalid
+- avcodec/aacps: Fix undefined behavior
+- avcodec/opus_silk: Fix integer overflow and out of array read
+- avcodec/flacdec: Return error code instead of 0 for failures
+- avcodec/snowdec: Check width
+- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame()
+- avcodec/webp: Factor update_canvas_size() out
+- avcodec/cllc: Check prefix
+- avcodec/rscc: Check pixel_size for overflow
+- avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int'
+- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode
+- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]'
+- avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int'
+- avcodec/g723_1dec: Fix LCG type
+- libswscale/tests/swscale: Fix uninitialized variables
+- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int'
+- avcodec/webp: Fix signedness in prefix_code check
+- avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int'
+- avcodec/mlpdec: Check that there is enough data for headers
+- avcodec/ac3dec: Keep track of band structure
+- avcodec/webp: Add missing input padding
+- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1
+- avcodec/aacsbr_template: Do not change bs_num_env before its checked
+- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1
+- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int'
+- avcodec/avcodec: Limit the number of side data elements per packet
+- avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
+- avcodec/g723_1dec: Fix runtime error: left shift of negative value -1
+- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int'
+- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610
+- avcodec/msmpeg4dec: Check for cbpy VLC errors
+- avcodec/cllc: Check num_bits
+- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers
+- avcodec/dvbsubdec: Check entry_id
+- avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int'
+- avcodec/mpeg12dec: Fixes runtime error: division by zero
+- avcodec/webp: Always set pix_fmt
+- avfilter/vf_uspp: Fix currently unused input frame dimensions
+- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1
+- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int'
+- avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int'
+- avformat/wavdec: Check chunk_size
+- avcodec/cavs: Check updated MV
+- avcodec/y41pdec: Fix width in input buffer size check
+- avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int'
+- avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int'
+- avcodec/lagarith: Check scale_factor
+- avcodec/lagarith: Fix runtime error: left shift of negative value -1
+- avcodec/takdec: Fix multiple  runtime error: left shift of negative value -1
+- avcodec/indeo2: Check for invalid VLCs
+- avcodec/g723_1dec: Fix several integer related cases of undefined behaviour
+- avcodec/htmlsubtitles: Check for string truncation and return error
+- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int'
+- avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int'
+- avcodec/dvbsubdec: check region dimensions
+- avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int'
+- avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col()
+- avcodec/cavsdec: Check sym_factor
+- avcodec/cdxl: Check format for BGR24
+- avcodec/ffv1dec: Fix copying planes of paletted formats
+- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int'
+- avcodec/xwddec: Check bpp more completely
+- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int'
+- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int'
+- avcodec/g726: Fix runtime error: left shift of negative value -2
+- avcodec/ra144: Fix runtime error: left shift of negative value -798
+- avcodec/mss34dsp: Fix multiple signed integer overflow
+- avcodec/targa_y216dec: Fix width type
+- avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
+- avcodec/ivi_dsp: Fix multiple left shift of negative value -2
+- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int'
+- avcodec/msmpeg4dec: Correct table depth
+- avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+- avcodec/cdxl: Check format parameter
+- avutil/softfloat: Fix overflow in av_div_sf()
+- avcodec/hq_hqa: Fix runtime error: left shift of negative value -207
+- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from
+- avcodec/shorten: Check k in get_uint()
+- avcodec/webp: Fix null pointer dereference
+- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
+- avcodec/g723_1: Fix multiple runtime error: left shift of negative value
+- avcodec/mimic: Fix runtime error: left shift of negative value -1
+- avcodec/fic: Fix multiple left shift of negative value -15
+- avcodec/mlpdec: Fix runtime error: left shift of negative value -22
+- avcodec/snowdec: Check qbias
+- avutil/softfloat: Fix multiple runtime error: left shift of negative value -8
+- avcodec/aacsbr_template: Do not leave bs_num_env invalid
+- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int'
+- avcodec/dfa: Fix off by 1 error
+- avcodec/nellymoser: Fix multiple left shift of negative value -8591
+- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int'
+- avcodec/g722: Fix multiple runtime error: left shift of negative value -1
+- avcodec/dss_sp: Fix multiple left shift of negative value -466
+- avcodec/wnv1: Fix runtime error: left shift of negative value -1
+- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so
+- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int'
+- avcodec/cavsdec: Fix undefined behavior from integer overflow
+- avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int'
+- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit
+- avcodec/pngdec: Use ff_set_dimensions()
+- avcodec/msvideo1: Check buffer size before re-getting the frame
+- avcodec/h264_cavlc: Fix undefined behavior on qscale overflow
+- avcodec/dcadsp: Fix runtime error: signed integer overflow
+- avcodec/svq3: Increase offsets to prevent integer overflows
+- avcodec/indeo2: Check remaining bits in ir2_decode_plane()
+- avcodec/vp3: Check remaining bits in unpack_dct_coeffs()
+- doc/developer: Add terse documentation of assumed C implementation defined behavior
+- avcodec/mdec: Fix runtime error: left shift of negative value -127
+- avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang
+- libavcodec/exr : fix float to uint16 conversion for negative float value
+- avformat/webmdashenc: Validate the 'streams' adaptation sets parameter
+- avformat/webmdashenc: Require the 'adaptation_sets' option to be set
+- avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int'
+- avformat/oggparsedaala: Do not leave an invalid value in gpshift
+- avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE
+- avfilter/af_sofalizer: Fix bad shift
+- avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter()
+- avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit
+- avcodec/vdpau_hevc: Fix potential out-of-bounds write
+- avcodec/tiff: Check geotag count for being non zero
+- avcodec/vp56: Check avctx->error_concealment before enabling EC
+- avcodec/tiff: Check stripsize strippos for overflow
+- avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0
+- avcodec/tiff: Check for multiple geo key directories
+- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int'
+- avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int'
+- avcodec/amrwbdec: Fix  runtime error: left shift of negative value -1
+- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int'
+- avcodec/h264_mvpred: Fix runtime error: left shift of negative value -1
+- avcodec/mjpegdec: Fix runtime error: left shift of negative value -127
+- avcodec/wavpack: Fix runtime error: left shift of negative value -5
+- avcodec/wavpack: Fix runtime error: left shift of negative value -2
+- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int'
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -13
+- avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value
+- avcodec/adxdec: Fix runtime error: left shift of negative value -1
+- avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory()
+- avcodec/mjpegdec: Fix runtime error: left shift of negative value -511
+- avcodec/h264_direct: Fix runtime error: left shift of negative value -14
+- avcodec/pictordec: Check plane value before doing value/mask computations
+- avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650
+- avcodec/eac3dec: Fix runtime error: left shift of negative value -3
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2
+- avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows
+- avcodec/mpeg4videodec: Check sprite_offset in addition to shifts
+- avcodec/mpeg4video: Fix runtime error: left shift of negative value
+- avcodec/ituh263dec: Fix runtime error: left shift of negative value -22
+- avcodec/rv40: Fix runtime error: left shift of negative value
+- avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int'
+- avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative
+- avcodec/mjpegdec: Fix runtime error: left shift of negative value -507
+- avcodec/eac3dec: Fix runtime error: left shift of negative value
+- avcodec/htmlsubtitles: Fix reading one byte beyond the array
+- avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header()
+- avcodec/vp56: Reset have_undamaged_frame on resolution changes
+- avcodec/vp8: Fix hang with slice threads
+- avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter()
+- avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder()
+- avcodec/vp8: remove redundant check
+- avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb()
+- avcodec/vp3: Do not return random positive values but the buf size
+- avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter()
+- avcodec/vp56: Factorize vp56_render_mb() out
+- avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int'
+- Add CHECK/SUINT code
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1
+- avcodec/vp56: Clear dimensions in case of failure in the middle of a resolution change
+- avcodec/vp56: Implement very basic error concealment
+- avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1
+- avcodec/pngdec: Fix runtime error: left shift of 152 by 24 places cannot be represented in type 'int'
+- avcodec/vp56: Fix sign typo
+- avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding
+- avcodec/rv34: Simplify and factor get_slice_offset() code
+- avcodec/pictordec: Do not read more than nb_planes
+- avcodec/srtdec: Fix signed integer overflow: 1811992524 * 384 cannot be represented in type 'int'
+- avcodec/pngdec: Check bit depth for validity
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value
+- avcodec/wavpacl: Fix runtime error: left shift of negative value -1
+- avformat/http: Check for truncated buffers in http_connect()
+- avformat/apng: fix setting frame delay when max_fps is set to no limit
+- swresample/resample: free existing ResampleContext on reinit
+- swresample/resample: move resample_free() higher in the file
+- lavf/mpeg: Initialize a stack variable used by memcmp().
+- lavc/avpacket: Initialize a variable in error path.
+
 version 3.0.7
 - avcodec/h264_slice: Clear ref_counts on redundant slices
 - lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
@@ -1 +1 @@
-3.0.7
+3.0.8
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 3.0.7
+PROJECT_NUMBER         = 3.0.8

 # With the PROJECT_LOGO tag one can specify a logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
@@ -131,6 +131,11 @@ designated struct initializers (@samp{struct s x = @{ .i = 17 @};});

@item
 compound literals (@samp{x = (struct s) @{ 17, 23 @};}).
+
+@item
+Implementation defined behavior for signed integers is assumed to match the
+expected behavior for two's complement. Non representable values in integer
+casts are binary truncated. Shift right of signed values uses sign extension.
@end itemize

 These features are supported by all compilers we care about, so we will not
@@ -424,6 +424,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb)
    if (ctx->frame_length_type == 0) {
        int mux_slot_length = 0;
        do {
+            if (get_bits_left(gb) < 8)
+                return AVERROR_INVALIDDATA;
            tmp = get_bits(gb, 8);
            mux_slot_length += tmp;
        } while (tmp == 255);
@@ -453,7 +455,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx,
    }
    if (latmctx->audio_mux_version_A == 0) {
        int mux_slot_length_bytes = read_payload_length_info(latmctx, gb);
-        if (mux_slot_length_bytes * 8 > get_bits_left(gb)) {
+        if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) {
            av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n");
            return AVERROR_INVALIDDATA;
        } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) {
@@ -125,7 +125,7 @@ static inline int *DEC_SQUAD(int *dst, unsigned idx)
 static inline int *DEC_UPAIR(int *dst, unsigned idx, unsigned sign)
 {
    dst[0] = (idx & 15) * (1 - (sign & 0xFFFFFFFE));
-    dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) << 1));
+    dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) * 2));

    return dst + 2;
 }
@@ -134,16 +134,16 @@ static inline int *DEC_UQUAD(int *dst, unsigned idx, unsigned sign)
 {
    unsigned nz = idx >> 12;

-    dst[0] = (idx & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[0] = (idx & 3) * (1 + (((int)sign >> 31) * 2));
    sign <<= nz & 1;
    nz >>= 1;
-    dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) * 2));
    sign <<= nz & 1;
    nz >>= 1;
-    dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) * 2));
    sign <<= nz & 1;
    nz >>= 1;
-    dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) * 2));

    return dst + 4;
 }
@@ -171,7 +171,11 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len)

    s = offset - (s >> 2);

-    if (s > 0) {
+    if (s > 31) {
+        for (i=0; i<len; i++) {
+            dst[i] = 0;
+        }
+    } else if (s > 0) {
        round = 1 << (s-1);
        for (i=0; i<len; i++) {
            out = (int)(((int64_t)src[i] * c) >> 32);
@@ -2155,7 +2155,11 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che)
    coup->coupling_point += get_bits1(gb) || (coup->coupling_point >> 1);

    sign  = get_bits(gb, 1);
-    scale = AAC_RENAME(cce_scale)[get_bits(gb, 2)];
+#if USE_FIXED
+    scale = get_bits(gb, 2);
+#else
+    scale = cce_scale[get_bits(gb, 2)];
+#endif

    if ((ret = decode_ics(ac, sce, gb, 0, 0)))
        return ret;
@@ -975,7 +975,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r)
                h_step[1][3] = AAC_MSUB31_V3(H22[1][e+1][b], h[1][3], width);
            }
            ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd](
-                l[k] + start + 1, r[k] + start + 1,
+                l[k] + 1 + start, r[k] + 1 + start,
                h, h_step, stop - start);
        }
    }
@@ -623,24 +623,26 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
    int abs_bord_trail = 16;
    int num_rel_lead, num_rel_trail;
    unsigned bs_num_env_old = ch_data->bs_num_env;
+    int bs_frame_class, bs_num_env;

    ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env];
    ch_data->bs_amp_res = sbr->bs_amp_res_header;
    ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old];

-    switch (ch_data->bs_frame_class = get_bits(gb, 2)) {
+    switch (bs_frame_class = get_bits(gb, 2)) {
    case FIXFIX:
-        ch_data->bs_num_env                 = 1 << get_bits(gb, 2);
+        bs_num_env = 1 << get_bits(gb, 2);
+        if (bs_num_env > 4) {
+            av_log(ac->avctx, AV_LOG_ERROR,
+                   "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n",
+                   bs_num_env);
+            return -1;
+        }
+        ch_data->bs_num_env = bs_num_env;
        num_rel_lead                        = ch_data->bs_num_env - 1;
        if (ch_data->bs_num_env == 1)
            ch_data->bs_amp_res = 0;

-        if (ch_data->bs_num_env > 4) {
-            av_log(ac->avctx, AV_LOG_ERROR,
-                   "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n",
-                   ch_data->bs_num_env);
-            return -1;
-        }

        ch_data->t_env[0]                   = 0;
        ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail;
@@ -688,14 +690,15 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
        abs_bord_trail                     += get_bits(gb, 2);
        num_rel_lead                        = get_bits(gb, 2);
        num_rel_trail                       = get_bits(gb, 2);
-        ch_data->bs_num_env                 = num_rel_lead + num_rel_trail + 1;
+        bs_num_env                          = num_rel_lead + num_rel_trail + 1;

-        if (ch_data->bs_num_env > 5) {
+        if (bs_num_env > 5) {
            av_log(ac->avctx, AV_LOG_ERROR,
                   "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n",
-                   ch_data->bs_num_env);
+                   bs_num_env);
            return -1;
        }
+        ch_data->bs_num_env = bs_num_env;

        ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail;

@@ -710,6 +713,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
        get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env);
        break;
    }
+    ch_data->bs_frame_class = bs_frame_class;

    av_assert0(bs_pointer >= 0);
    if (bs_pointer > ch_data->bs_num_env + 1) {
@@ -744,30 +744,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s)
 * @param[in] default_band_struct default band structure table
 * @param[out] num_bands number of bands (optionally NULL)
 * @param[out] band_sizes array containing the number of bins in each band (optionally NULL)
+ * @param[in,out] band_struct current band structure
 */
 static void decode_band_structure(GetBitContext *gbc, int blk, int eac3,
                                  int ecpl, int start_subband, int end_subband,
                                  const uint8_t *default_band_struct,
-                                  int *num_bands, uint8_t *band_sizes)
+                                  int *num_bands, uint8_t *band_sizes,
+                                  uint8_t *band_struct, int band_struct_size)
 {
    int subbnd, bnd, n_subbands, n_bands=0;
    uint8_t bnd_sz[22];
-    uint8_t coded_band_struct[22];
-    const uint8_t *band_struct;

    n_subbands = end_subband - start_subband;

+    if (!blk)
+        memcpy(band_struct, default_band_struct, band_struct_size);
+
+    av_assert0(band_struct_size >= start_subband + n_subbands);
+
+    band_struct += start_subband + 1;
+
    /* decode band structure from bitstream or use default */
    if (!eac3 || get_bits1(gbc)) {
        for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) {
-            coded_band_struct[subbnd] = get_bits1(gbc);
+            band_struct[subbnd] = get_bits1(gbc);
        }
-        band_struct = coded_band_struct;
-    } else if (!blk) {
-        band_struct = &default_band_struct[start_subband+1];
-    } else {
-        /* no change in band structure */
-        return;
    }

    /* calculate number of bands and band sizes based on band structure.
@@ -894,7 +895,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
                                  start_subband, end_subband,
                                  ff_eac3_default_spx_band_struct,
                                  &s->num_spx_bands,
-                                  s->spx_band_sizes);
+                                  s->spx_band_sizes,
+                                  s->spx_band_struct, sizeof(s->spx_band_struct));
        }
    }
    if (!s->eac3 || !s->spx_in_use) {
@@ -1028,7 +1030,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
            decode_band_structure(gbc, blk, s->eac3, 0, cpl_start_subband,
                                  cpl_end_subband,
                                  ff_eac3_default_cpl_band_struct,
-                                  &s->num_cpl_bands, s->cpl_band_sizes);
+                                  &s->num_cpl_bands, s->cpl_band_sizes,
+                                  s->cpl_band_struct, sizeof(s->cpl_band_struct));
        } else {
            /* coupling not in use */
            for (ch = 1; ch <= fbw_channels; ch++) {
@@ -1328,7 +1331,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
    for (ch = 1; ch <= s->channels; ch++) {
        int audio_channel = 0;
        INTFLOAT gain;
-        if (s->channel_mode == AC3_CHMODE_DUALMONO)
+        if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2)
            audio_channel = 2-ch;
        if (s->heavy_compression && s->compression_exists[audio_channel])
            gain = s->heavy_dynamic_range[audio_channel];
@@ -126,6 +126,7 @@ typedef struct AC3DecodeContext {
    int phase_flags_in_use;                 ///< phase flags in use                     (phsflginu)
    int phase_flags[AC3_MAX_CPL_BANDS];     ///< phase flags                            (phsflg)
    int num_cpl_bands;                      ///< number of coupling bands               (ncplbnd)
+    uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS];
    uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band
    int firstchincpl;                       ///< first channel in coupling
    int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states      (firstcplcos)
@@ -142,6 +143,7 @@ typedef struct AC3DecodeContext {
    int spx_dst_start_freq;                     ///< spx starting frequency bin for copying (copystartmant)
                                                ///< the copy region ends at the start of the spx region.
    int num_spx_bands;                          ///< number of spx bands                    (nspxbnds)
+    uint8_t spx_band_struct[SPX_MAX_BANDS];
    uint8_t spx_band_sizes[SPX_MAX_BANDS];      ///< number of bins in each spx band
    uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states           (firstspxcos)
    INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor  (nblendfact)
@@ -81,7 +81,7 @@ static int adx_decode(ADXContext *c, int16_t *out, int offset,
    s2 = prev->s2;
    for (i = 0; i < BLOCK_SAMPLES; i++) {
        d  = get_sbits(&gb, 4);
-        s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS;
+        s0 = ((d * (1 << COEFF_BITS)) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS;
        s2 = s1;
        s1 = av_clip_int16(s0);
        *out++ = s1;
@@ -265,7 +265,7 @@ static void decode_pitch_lag_high(int *lag_int, int *lag_frac, int pitch_index,
            *lag_frac = pitch_index - (*lag_int << 2) + 136;
        } else if (pitch_index < 440) {
            *lag_int  = (pitch_index + 257 - 376) >> 1;
-            *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) << 1;
+            *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) * 2;
            /* the actual resolution is 1/2 but expressed as 1/4 */
        } else {
            *lag_int  = pitch_index - 280;
@@ -295,7 +295,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index,
    if (subframe == 0 || (subframe == 2 && mode != MODE_6k60)) {
        if (pitch_index < 116) {
            *lag_int  = (pitch_index + 69) >> 1;
-            *lag_frac = (pitch_index - (*lag_int << 1) + 68) << 1;
+            *lag_frac = (pitch_index - (*lag_int << 1) + 68) * 2;
        } else {
            *lag_int  = pitch_index - 24;
            *lag_frac = 0;
@@ -305,7 +305,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index,
                                AMRWB_P_DELAY_MIN, AMRWB_P_DELAY_MAX - 15);
    } else {
        *lag_int  = (pitch_index + 1) >> 1;
-        *lag_frac = (pitch_index - (*lag_int << 1)) << 1;
+        *lag_frac = (pitch_index - (*lag_int << 1)) * 2;
        *lag_int += *base_lag_int;
    }
 }
@@ -1403,6 +1403,16 @@ enum AVPacketSideDataType {
     * side data includes updated metadata which appeared in the stream.
     */
    AV_PKT_DATA_METADATA_UPDATE,
+
+    /**
+     * The number of side data elements (in fact a bit more than it).
+     * This is not part of the public API/ABI in the sense that it may
+     * change when new side data types are added.
+     * This must stay the last enum value.
+     * If its value becomes huge, some code using it
+     * needs to be updated as it assumes it to be smaller than other limits.
+     */
+    AV_PKT_DATA_NB
 };

 #define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED
@@ -283,7 +283,7 @@ int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type,
    AVPacketSideData *tmp;
    int elems = pkt->side_data_elems;

-    if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data))
+    if ((unsigned)elems + 1 > AV_PKT_DATA_NB)
        return AVERROR(ERANGE);

    tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp));
@@ -333,6 +333,8 @@ uint8_t *av_packet_get_side_data(AVPacket *pkt, enum AVPacketSideDataType type,
            return pkt->side_data[i].data;
        }
    }
+    if (size)
+        *size = 0;
    return NULL;
 }

@@ -414,6 +416,9 @@ int av_packet_split_side_data(AVPacket *pkt){
            p-= size+5;
        }

+        if (i > AV_PKT_DATA_NB)
+            return AVERROR(ERANGE);
+
        pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data));
        if (!pkt->side_data)
            return AVERROR(ENOMEM);
@@ -107,7 +107,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
                    if (src < source || src >= source_end)
                        return AVERROR_INVALIDDATA;
                    shift += 2;
-                    val |= *src << shift;
+                    val |= (unsigned)*src << shift;
                    if (*src & 0xC)
                        break;
                }
@@ -614,8 +614,15 @@ void ff_cavs_mv(AVSContext *h, enum cavs_mv_loc nP, enum cavs_mv_loc nC,
        mv_pred_median(h, mvP, mvA, mvB, mvC);

    if (mode < MV_PRED_PSKIP) {
-        mvP->x += get_se_golomb(&h->gb);
-        mvP->y += get_se_golomb(&h->gb);
+        int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x;
+        int my = get_se_golomb(&h->gb) + (unsigned)mvP->y;
+
+        if (mx != (int16_t)mx || my != (int16_t)my) {
+            av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my);
+        } else {
+            mvP->x = mx;
+            mvP->y = my;
+        }
    }
    set_mvs(mvP, size);
 }
@@ -465,7 +465,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw,
                                  cavs_vector *col_mv)
 {
    cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS;
-    int den = h->direct_den[col_mv->ref];
+    unsigned den = h->direct_den[col_mv->ref];
    int m = FF_SIGNBIT(col_mv->x);

    pmv_fw->dist = h->dist[1];
@@ -1031,6 +1031,10 @@ static int decode_pic(AVSContext *h)
    h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0;
    if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) {
        h->sym_factor = h->dist[0] * h->scale_den[1];
+        if (FFABS(h->sym_factor) > 32768) {
+            av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor);
+            return AVERROR_INVALIDDATA;
+        }
    } else {
        h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0;
        h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0;
@@ -252,11 +252,11 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data,

    aligned_width = FFALIGN(c->avctx->width, 16);
    c->padded_bits  = aligned_width - c->avctx->width;
-    if (c->video_size < aligned_width * avctx->height * c->bpp / 8)
+    if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8)
        return AVERROR_INVALIDDATA;
-    if (!encoding && c->palette_size && c->bpp <= 8) {
+    if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) {
        avctx->pix_fmt = AV_PIX_FMT_PAL8;
-    } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) {
+    } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) {
        if (c->palette_size != (1 << (c->bpp - 1)))
            return AVERROR_INVALIDDATA;
        avctx->pix_fmt = AV_PIX_FMT_BGR24;
@@ -29,6 +29,10 @@
 #include "avcodec.h"
 #include "internal.h"

+#define VLC_BITS 7
+#define VLC_DEPTH 2
+
+
 typedef struct CLLCContext {
    AVCodecContext *avctx;
    BswapDSPContext bdsp;
@@ -51,6 +55,13 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc)

    num_lens = get_bits(gb, 5);

+    if (num_lens > VLC_BITS * VLC_DEPTH) {
+        vlc->table = NULL;
+
+        av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens);
+        return AVERROR_INVALIDDATA;
+    }
+
    for (i = 0; i < num_lens; i++) {
        num_codes      = get_bits(gb, 9);
        num_codes_sum += num_codes;
@@ -70,11 +81,15 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc)

            count++;
        }
+        if (prefix > (65535 - 256)/2) {
+            vlc->table = NULL;
+            return AVERROR_INVALIDDATA;
+        }

        prefix <<= 1;
    }

-    return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1,
+    return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1,
                              codes, 2, 2, symbols, 1, 1, 0);
 }

@@ -101,7 +116,7 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left,
    for (i = 0; i < ctx->avctx->width; i++) {
        /* Always get the alpha component */
        UPDATE_CACHE(bits, gb);
-        GET_VLC(code, bits, gb, vlc[0].table, 7, 2);
+        GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH);

        pred[0] += code;
        dst[0]   = pred[0];
@@ -110,21 +125,21 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left,
        if (dst[0]) {
            /* Red */
            UPDATE_CACHE(bits, gb);
-            GET_VLC(code, bits, gb, vlc[1].table, 7, 2);
+            GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH);

            pred[1] += code;
            dst[1]   = pred[1];

            /* Green */
            UPDATE_CACHE(bits, gb);
-            GET_VLC(code, bits, gb, vlc[2].table, 7, 2);
+            GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH);

            pred[2] += code;
            dst[2]   = pred[2];

            /* Blue */
            UPDATE_CACHE(bits, gb);
-            GET_VLC(code, bits, gb, vlc[3].table, 7, 2);
+            GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH);

            pred[3] += code;
            dst[3]   = pred[3];
@@ -166,7 +181,7 @@ static int read_rgb24_component_line(CLLCContext *ctx, GetBitContext *gb,
    /* Simultaneously read and restore the line */
    for (i = 0; i < ctx->avctx->width; i++) {
        UPDATE_CACHE(bits, gb);
-        GET_VLC(code, bits, gb, vlc->table, 7, 2);
+        GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH);

        pred  += code;
        dst[0] = pred;
@@ -195,7 +210,7 @@ static int read_yuv_component_line(CLLCContext *ctx, GetBitContext *gb,
    /* Simultaneously read and restore the line */
    for (i = 0; i < ctx->avctx->width >> is_chroma; i++) {
        UPDATE_CACHE(bits, gb);
-        GET_VLC(code, bits, gb, vlc->table, 7, 2);
+        GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH);

        pred     += code;
        outbuf[i] = pred;
@@ -320,7 +320,7 @@ static void dmix_sub_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le
    int i;

    for (i = 0; i < len; i++)
-        dst[i] -= mul15(src[i], coeff);
+        dst[i] -= (unsigned)mul15(src[i], coeff);
 }

 static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t len)
@@ -39,7 +39,7 @@

 #define DDPF_FOURCC    (1 <<  2)
 #define DDPF_PALETTE   (1 <<  5)
-#define DDPF_NORMALMAP (1 << 31)
+#define DDPF_NORMALMAP (1U << 31)

 enum DDSPostProc {
    DDS_NONE = 0,
@@ -676,7 +676,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
                        (frame->data[1][2+i*4]<<0)+
                        (frame->data[1][1+i*4]<<8)+
                        (frame->data[1][0+i*4]<<16)+
-                        (frame->data[1][3+i*4]<<24)
+                        ((unsigned)frame->data[1][3+i*4]<<24)
                );

            frame->palette_has_changed = 1;
@@ -67,7 +67,8 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height
    const uint8_t *frame_start = frame;
    const uint8_t *frame_end   = frame + width * height;
    int mask = 0x10000, bitbuf = 0;
-    int v, count, segments;
+    int v, count;
+    unsigned segments;
    unsigned offset;

    segments = bytestream2_get_le32(gb);
@@ -175,7 +176,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                return AVERROR_INVALIDDATA;
            frame += v;
        } else {
-            if (frame_end - frame < width + 3)
+            if (frame_end - frame < width + 4)
                return AVERROR_INVALIDDATA;
            frame[0] = frame[1] =
            frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
@@ -249,7 +250,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height
        segments = bytestream2_get_le16u(gb);
        while ((segments & 0xC000) == 0xC000) {
            unsigned skip_lines = -(int16_t)segments;
-            unsigned delta = -((int16_t)segments * width);
+            int64_t delta = -((int16_t)segments * (int64_t)width);
            if (frame_end - frame <= delta || y + lines + skip_lines > height)
                return AVERROR_INVALIDDATA;
            frame    += delta;
@@ -1966,9 +1966,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame)

    if (out) {
        out->reference ^= DELAYED_PIC_REF;
-        *got_frame = 1;
        if((ret = av_frame_ref(picture, out->avframe)) < 0)
            return ret;
+        *got_frame = 1;
    }

    return 0;
@@ -33,7 +33,7 @@

 #define DSS_SP_FRAME_SIZE        42
 #define DSS_SP_SAMPLE_COUNT     (66 * SUBFRAMES)
-#define DSS_SP_FORMULA(a, b, c) (((((a) << 15) + (b) * (c)) + 0x4000) >> 15)
+#define DSS_SP_FORMULA(a, b, c) ((int)((((a) * (1 << 15)) + (b) * (unsigned)(c)) + 0x4000) >> 15)

 typedef struct DssSpSubframe {
    int16_t gain;
@@ -499,7 +499,7 @@ static void dss_sp_scale_vector(int32_t *vec, int bits, int size)
            vec[i] = vec[i] >> -bits;
    else
        for (i = 0; i < size; i++)
-            vec[i] = vec[i] << bits;
+            vec[i] = vec[i] * (1 << bits);
 }

 static void dss_sp_update_buf(int32_t *hist, int32_t *vector)
@@ -524,12 +524,12 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf,
        tmp = dst[a] * filter_buf[0];

        for (i = 14; i > 0; i--)
-            tmp -= error_buf[i] * filter_buf[i];
+            tmp -= error_buf[i] * (unsigned)filter_buf[i];

        for (i = 14; i > 0; i--)
            error_buf[i] = error_buf[i - 1];

-        tmp = (tmp + 4096) >> 13;
+        tmp = (int)(tmp + 4096U) >> 13;

        error_buf[1] = tmp;

@@ -24,6 +24,7 @@
 #include "bytestream.h"
 #include "internal.h"
 #include "libavutil/colorspace.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/opt.h"

 #define DVBSUB_PAGE_SEGMENT     0x10
@@ -1214,9 +1215,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx,
                return AVERROR_INVALIDDATA;
        }

-        if (depth & 0x80)
+        if (depth & 0x80 && entry_id < 4)
            clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha);
-        else if (depth & 0x40)
+        else if (depth & 0x40 && entry_id < 16)
            clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha);
        else if (depth & 0x20)
            clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha);
@@ -1239,6 +1240,7 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
    DVBSubObject *object;
    DVBSubObjectDisplay *display;
    int fill;
+    int ret;

    if (buf_size < 10)
        return AVERROR_INVALIDDATA;
@@ -1267,6 +1269,12 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
    region->height = AV_RB16(buf);
    buf += 2;

+    ret = av_image_check_size(region->width, region->height, 0, avctx);
+    if (ret < 0) {
+        region->width= region->height= 0;
+        return ret;
+    }
+
    if (region->width * region->height != region->buf_size) {
        av_free(region->pbuf);

@@ -60,7 +60,7 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t *
        cb = *ycbcr++;
        YUV_TO_RGB1_CCIR(cb, cr);
        YUV_TO_RGB2_CCIR(r, g, b, y);
-        *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b;
+        *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b;
    }
 }

@@ -189,12 +189,12 @@ static void guess_palette(DVDSubContext* ctx,
                r = (((subtitle_color >> 16) & 0xff) * level) >> 8;
                g = (((subtitle_color >> 8) & 0xff) * level) >> 8;
                b = (((subtitle_color >> 0) & 0xff) * level) >> 8;
-                rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24);
+                rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24);
                color_used[colormap[i]] = (i + 1);
                j++;
            } else {
                rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) |
-                                    ((alpha[i] * 17) << 24);
+                                    ((alpha[i] * 17U) << 24);
            }
        }
    }
@@ -252,7 +252,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch)
            /* Vector Quantization */
            int v = get_bits(gbc, bits);
            for (blk = 0; blk < 6; blk++) {
-                s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] << 8;
+                s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8);
            }
        } else {
            /* Gain Adaptive Quantization */
@@ -271,16 +271,16 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch)
                    int b;
                    int mbits = bits - (2 - log_gain);
                    mant = get_sbits(gbc, mbits);
-                    mant <<= (23 - (mbits - 1));
+                    mant = ((unsigned)mant) << (23 - (mbits - 1));
                    /* remap mantissa value to correct for asymmetric quantization */
                    if (mant >= 0)
                        b = 1 << (23 - log_gain);
                    else
-                        b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8;
+                        b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 << 8);
                    mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b;
                } else {
                    /* small mantissa, no GAQ, or Gk=1 */
-                    mant <<= 24 - bits;
+                    mant *= (1 << 24 - bits);
                    if (!log_gain) {
                        /* remap mantissa value for no GAQ or Gk=1 */
                        mant += (ff_eac3_gaq_remap_1[hebap-8] * (int64_t)mant) >> 15;
@@ -284,7 +284,7 @@ static int decode_frame(AVCodecContext *avctx,

    if (avctx->width != width || avctx->height != height) {
        av_frame_unref(s->last_frame);
-        if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb))
+        if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb))
            return AVERROR_INVALIDDATA;
        if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
            return ret;
@@ -93,7 +93,7 @@ static inline void tqi_idct_put(TqiContext *t, AVFrame *frame, int16_t (*block)[

 static void tqi_calculate_qtable(MpegEncContext *s, int quant)
 {
-    const int qscale = (215 - 2*quant)*5;
+    const int64_t qscale = (215 - 2*quant)*5;
    int i;
    s->intra_matrix[0] = (ff_inv_aanscales[0]*ff_mpeg1_default_intra_matrix[0])>>11;
    for(i=1; i<64; i++)
@@ -186,9 +186,9 @@ static union av_intfloat32 exr_half2float(uint16_t hf)
 *
 * @return normalized 16-bit unsigned int
 */
-static inline uint16_t exr_flt2uint(uint32_t v)
+static inline uint16_t exr_flt2uint(int32_t v)
 {
-    unsigned int exp = v >> 23;
+    int32_t exp = v >> 23;
    // "HACK": negative values result in exp<  0, so clipping them to 0
    // is also handled by this condition, avoids explicit check for sign bit.
    if (exp <= 127 + 7 - 24) // we would shift out all bits anyway
@@ -45,7 +45,8 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state,
    if (get_rac(c, state + 0))
        return 0;
    else {
-        int i, e, a;
+        int i, e;
+        unsigned a;
        e = 0;
        while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10
            e++;
@@ -1002,7 +1003,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            const uint8_t *src[4];
            uint8_t *dst[4];
            ff_thread_await_progress(&f->last_picture, INT_MAX, 0);
-            for (j = 0; j < 4; j++) {
+            for (j = 0; j < desc->nb_components; j++) {
                int pixshift = desc->comp[j].depth > 8;
                int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0;
                int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0;
@@ -1010,6 +1011,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                         (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift);
                src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] *
                         (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift);
+
+            }
+            if (desc->flags & AV_PIX_FMT_FLAG_PAL ||
+                desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) {
+                dst[1] = p->data[1];
+                src[1] = f->last_picture.f->data[1];
            }
            av_image_copy(dst, p->linesize, src,
                          f->last_picture.f->linesize,
@@ -94,8 +94,8 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd
    const int t7 = t3 - t1;
    const int t8 =  17734 * blk[2 * step] - 42813 * blk[6 * step];
    const int t9 =  17734 * blk[6 * step] + 42814 * blk[2 * step];
-    const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd;
-    const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd;
+    const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd;
+    const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd;
    blk[0 * step] = (  t4       + t9 + tB) >> shift;
    blk[1 * step] = (  t6 + t7  + t8 + tA) >> shift;
    blk[2 * step] = (  t6 - t7  - t8 + tA) >> shift;
@@ -201,12 +201,12 @@ static int get_metadata_size(const uint8_t *buf, int buf_size)
    buf += 4;
    do {
        if (buf_end - buf < 4)
-            return 0;
+            return AVERROR_INVALIDDATA;
        flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size);
        buf += 4;
        if (buf_end - buf < metadata_size) {
            /* need more data in order to read the complete header */
-            return 0;
+            return AVERROR_INVALIDDATA;
        }
        buf += metadata_size;
    } while (!metadata_last);
@@ -202,6 +202,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
    num_chunks = bytestream2_get_le16(&g2);
    bytestream2_skip(&g2, 8);  /* skip padding */

+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
+
    frame_size -= 16;

    /* iterate through the chunks */
@@ -520,6 +523,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
    if (frame_size > buf_size)
        frame_size = buf_size;

+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
    frame_size -= 16;

    /* iterate through the chunks */
@@ -88,14 +88,14 @@ static inline void s_zero(int cur_diff, struct G722Band *band)
        ACCUM(3, band->diff_mem[2], 1);
        ACCUM(2, band->diff_mem[1], 1);
        ACCUM(1, band->diff_mem[0], 1);
-        ACCUM(0, cur_diff << 1, 1);
+        ACCUM(0, cur_diff * 2, 1);
    } else {
        ACCUM(5, band->diff_mem[4], 0);
        ACCUM(4, band->diff_mem[3], 0);
        ACCUM(3, band->diff_mem[2], 0);
        ACCUM(2, band->diff_mem[1], 0);
        ACCUM(1, band->diff_mem[0], 0);
-        ACCUM(0, cur_diff << 1, 0);
+        ACCUM(0, cur_diff * 2, 0);
    }
    #undef ACCUM
    band->s_zero = s_zero;
@@ -119,14 +119,14 @@ static void do_adaptive_prediction(struct G722Band *band, const int cur_diff)
    band->part_reconst_mem[0] = cur_part_reconst;

    band->pole_mem[1] = av_clip((sg[0] * av_clip(band->pole_mem[0], -8191, 8191) >> 5) +
-                                (sg[1] << 7) + (band->pole_mem[1] * 127 >> 7), -12288, 12288);
+                                (sg[1] * 128) + (band->pole_mem[1] * 127 >> 7), -12288, 12288);

    limit = 15360 - band->pole_mem[1];
    band->pole_mem[0] = av_clip(-192 * sg[0] + (band->pole_mem[0] * 255 >> 8), -limit, limit);

    s_zero(cur_diff, band);

-    cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) << 1);
+    cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) * 2);
    band->s_predictor = av_clip_int16(band->s_zero +
                                      (band->pole_mem[0] * cur_qtzd_reconst >> 15) +
                                      (band->pole_mem[1] * band->prev_qtzd_reconst >> 15));
@@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length)
    bits= FFMAX(bits, 0);

    for (i = 0; i < length; i++)
-        dst[i] = vector[i] << bits >> 3;
+        dst[i] = (vector[i] * (1 << bits)) >> 3;

    return bits - 3;
 }
@@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc)
    for (j = 0; j < LPC_ORDER; j++) {
        int index     = (lpc[j] >> 7) & 0x1FF;
        int offset    = lpc[j] & 0x7f;
-        int temp1     = cos_tab[index] << 16;
+        int temp1     = cos_tab[index] * (1 << 16);
        int temp2     = (cos_tab[index + 1] - cos_tab[index]) *
-                          ((offset << 8) + 0x80) << 1;
+                          (((offset << 8) + 0x80) << 1);

        lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16);
    }
@@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc)
     */
    /* Initialize with values in Q28 */
    f1[0] = 1 << 28;
-    f1[1] = (lpc[0] << 14) + (lpc[2] << 14);
+    f1[1] = (lpc[0] + lpc[2]) * (1 << 14);
    f1[2] = lpc[0] * lpc[2] + (2 << 28);

    f2[0] = 1 << 28;
-    f2[1] = (lpc[1] << 14) + (lpc[3] << 14);
+    f2[1] = (lpc[1] + lpc[3]) * (1 << 14);
    f2[2] = lpc[1] * lpc[3] + (2 << 28);

    /*
@@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc)

        f1[0] >>= 1;
        f2[0] >>= 1;
-        f1[1] = ((lpc[2 * i]     << 16 >> i) + f1[1]) >> 1;
-        f2[1] = ((lpc[2 * i + 1] << 16 >> i) + f2[1]) >> 1;
+        f1[1] = ((lpc[2 * i]     * 65536 >> i) + f1[1]) >> 1;
+        f2[1] = ((lpc[2 * i + 1] * 65536 >> i) + f2[1]) >> 1;
    }

    /* Convert polynomial coefficients to LPC coefficients */
@@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc)
        int64_t ff1 = f1[i + 1] + f1[i];
        int64_t ff2 = f2[i + 1] - f2[i];

-        lpc[i] = av_clipl_int32(((ff1 + ff2) << 3) + (1 << 15)) >> 16;
-        lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) << 3) +
+        lpc[i] = av_clipl_int32(((ff1 + ff2) * 8) + (1 << 15)) >> 16;
+        lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) * 8) +
                                                (1 << 15)) >> 16;
    }
 }
@@ -55,7 +55,7 @@
 * @param b 16 bit multiplier
 */
 #define MULL2(a, b) \
-        ((((a) >> 16) * (b) << 1) + (((a) & 0xffff) * (b) >> 15))
+        ((((a) >> 16) * (b) * 2) + (((a) & 0xffff) * (b) >> 15))

 /**
 * G723.1 frame types
@@ -487,7 +487,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag,
                          (FRAME_LEN - lag) * sizeof(*out));
    } else {  /* Unvoiced */
        for (i = 0; i < FRAME_LEN; i++) {
-            *rseed = *rseed * 521 + 259;
+            *rseed = (int16_t)(*rseed * 521 + 259);
            out[i] = gain * *rseed >> 15;
        }
        memset(buf, 0, (FRAME_LEN + PITCH_MAX) * sizeof(*buf));
@@ -516,7 +516,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag,
                      (iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\
        }\
 \
-        (dest)[m] = av_clipl_int32(((src)[m] << 16) + (filter << 3) +\
+        (dest)[m] = av_clipl_int32(((src)[m] * 65536) + (filter * 8) +\
                                   (1 << 15)) >> res_shift;\
    }\
 }
@@ -663,7 +663,7 @@ static int estimate_sid_gain(G723_1_Context *p)
        t = p->sid_gain << shift;
    else
        t = p->sid_gain >> -shift;
-    x = t * cng_filt[0] >> 16;
+    x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16);

    if (x >= cng_bseg[2])
        return 0x3F;
@@ -694,13 +694,13 @@ static int estimate_sid_gain(G723_1_Context *p)
    if (y <= 0) {
        t = seg * 32 + (val + 1 << seg2);
        t = t * t - x;
-        val = (seg2 - 1 << 4) + val;
+        val = (seg2 - 1) * 16 + val;
        if (t >= y)
            val++;
    } else {
        t = seg * 32 + (val - 1 << seg2);
        t = t * t - x;
-        val = (seg2 - 1 << 4) + val;
+        val = (seg2 - 1) * 16 + val;
        if (t >= y)
            val--;
    }
@@ -732,7 +732,7 @@ static void generate_noise(G723_1_Context *p)
        off[i * 2 + 1] = ((t >> 1) & 1) + SUBFRAME_LEN;
        t >>= 2;
        for (j = 0; j < 11; j++) {
-            signs[i * 11 + j] = (t & 1) * 2 - 1 << 14;
+            signs[i * 11 + j] = ((t & 1) * 2 - 1)  * (1 << 14);
            t >>= 1;
        }
    }
@@ -776,7 +776,7 @@ static void generate_noise(G723_1_Context *p)
        sum = 0;
        if (shift < 0) {
           for (j = 0; j < SUBFRAME_LEN * 2; j++) {
-               t      = vector_ptr[j] << -shift;
+               t      = vector_ptr[j] * (1 << -shift);
               sum   += t * t;
               tmp[j] = t;
           }
@@ -814,7 +814,7 @@ static void generate_noise(G723_1_Context *p)
        if (shift < 0)
           x >>= -shift;
        else
-           x <<= shift;
+           x *= 1 << shift;
        x = av_clip(x, -10000, 10000);

        for (j = 0; j < 11; j++) {
@@ -903,7 +903,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data,
                                             &p->subframe[i], p->cur_rate);
                /* Get the total excitation */
                for (j = 0; j < SUBFRAME_LEN; j++) {
-                    int v = av_clip_int16(vector_ptr[j] << 1);
+                    int v = av_clip_int16(vector_ptr[j] * 2);
                    vector_ptr[j] = av_clip_int16(v + acb_vector[j]);
                }
                vector_ptr += SUBFRAME_LEN;
@@ -269,7 +269,7 @@ static int16_t g726_decode(G726Context* c, int I)
        c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]);
    c->se >>= 1;

-    return av_clip(re_signal << 2, -0xffff, 0xffff);
+    return av_clip(re_signal * 4, -0xffff, 0xffff);
 }

 static av_cold int g726_reset(G726Context *c)
@@ -1744,7 +1744,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl,
                while( j-- ) { \
                    coeff_abs += coeff_abs + get_cabac_bypass( CC ); \
                } \
-                coeff_abs+= 14; \
+                coeff_abs+= 14U; \
            } \
 \
            if( is_dc ) { \
@@ -1114,7 +1114,7 @@ decode_intra_mb:

        dquant= get_se_golomb(&sl->gb);

-        sl->qscale += dquant;
+        sl->qscale += (unsigned)dquant;

        if (((unsigned)sl->qscale) > max_qp){
            if (sl->qscale < 0) sl->qscale += max_qp + 1;
@@ -613,7 +613,7 @@ single_col:

                {
                    const int16_t *mv_col = l1mv[x8 * 3 + y8 * b4_stride];
-                    int my_col            = (mv_col[1] << y_shift) / 2;
+                    int my_col            = (mv_col[1] * (1 << y_shift)) / 2;
                    int mx                = (scale * mv_col[0] + 128) >> 8;
                    int my                = (scale * my_col    + 128) >> 8;
                    fill_rectangle(&sl->mv_cache[0][scan8[i8 * 4]], 2, 2, 8,
@@ -68,7 +68,7 @@ static av_always_inline int fetch_diagonal_mv(const H264Context *h, H264SliceCon
            }
            if (MB_FIELD(sl) && !IS_INTERLACED(sl->left_type[0])) {
                // left shift will turn LIST_NOT_USED into PART_NOT_AVAILABLE, but that's OK.
-                SET_DIAG_MV(/ 2, << 1, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3);
+                SET_DIAG_MV(/ 2, *2, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3);
            }
        }
 #undef SET_DIAG_MV
@@ -248,7 +248,7 @@ static av_always_inline void pred_8x16_motion(const H264Context *const h,
            if (IS_INTERLACED(type)) {          \
                refn >>= 1;                     \
                AV_COPY32(mvbuf[idx], mvn);     \
-                mvbuf[idx][1] <<= 1;            \
+                mvbuf[idx][1] *= 2;             \
                mvn = mvbuf[idx];               \
            }                                   \
        }                                       \
@@ -145,7 +145,7 @@ static int decode_nal_sei_display_orientation(HEVCContext *s)
    return 0;
 }

-static int decode_pic_timing(HEVCContext *s)
+static int decode_pic_timing(HEVCContext *s, int size)
 {
    GetBitContext *gb = &s->HEVClc->gb;
    HEVCSPS *sps;
@@ -166,8 +166,12 @@ static int decode_pic_timing(HEVCContext *s)
        }
        get_bits(gb, 2);                   // source_scan_type
        get_bits(gb, 1);                   // duplicate_flag
+        skip_bits1(gb);
+        size--;
    }
-    return 1;
+    skip_bits_long(gb, 8 * size);
+
+    return 0;
 }

 static int decode_registered_user_data_closed_caption(HEVCContext *s, int size)
@@ -297,9 +301,8 @@ static int decode_nal_sei_prefix(HEVCContext *s, int type, int size)
        return decode_nal_sei_display_orientation(s);
    case SEI_TYPE_PICTURE_TIMING:
        {
-            int ret = decode_pic_timing(s);
+            int ret = decode_pic_timing(s, size);
            av_log(s->avctx, AV_LOG_DEBUG, "Skipped PREFIX SEI %d\n", type);
-            skip_bits(gb, 8 * size);
            return ret;
        }
    case SEI_TYPE_MASTERING_DISPLAY_INFO:
@@ -67,11 +67,11 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64],
    memset(block, 0, 64 * sizeof(*block));

    if (!is_hqa) {
-        block[0] = get_sbits(gb, 9) << 6;
+        block[0] = get_sbits(gb, 9) * 64;
        q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)];
    } else {
        q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)];
-        block[0] = get_sbits(gb, 9) << 6;
+        block[0] = get_sbits(gb, 9) * 64;
    }

    for (;;) {
@@ -82,7 +82,7 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64],
        pos += ff_hq_ac_skips[val];
        if (pos >= 64)
            break;
-        block[ff_zigzag_direct[pos]] = (ff_hq_ac_syms[val] * q[pos]) >> 12;
+        block[ff_zigzag_direct[pos]] = (int)(ff_hq_ac_syms[val] * (unsigned)q[pos]) >> 12;
        pos++;
    }

@@ -39,18 +39,18 @@ static inline void idct_col(int16_t *blk, const uint8_t *quant)
    s6 = (int) blk[6 * 8] * quant[6 * 8];
    s7 = (int) blk[7 * 8] * quant[7 * 8];

-    t0  =  (s3 * 19266 + s5 * 12873) >> 15;
-    t1  =  (s5 * 19266 - s3 * 12873) >> 15;
-    t2  = ((s7 * 4520  + s1 * 22725) >> 15) - t0;
-    t3  = ((s1 * 4520  - s7 * 22725) >> 15) - t1;
+    t0  =  (int)(s3 * 19266U + s5 * 12873U) >> 15;
+    t1  =  (int)(s5 * 19266U - s3 * 12873U) >> 15;
+    t2  = ((int)(s7 * 4520U  + s1 * 22725U) >> 15) - t0;
+    t3  = ((int)(s1 * 4520U  - s7 * 22725U) >> 15) - t1;
    t4  = t0 * 2 + t2;
    t5  = t1 * 2 + t3;
    t6  = t2 - t3;
    t7  = t3 * 2 + t6;
-    t8  = (t6 * 11585) >> 14;
-    t9  = (t7 * 11585) >> 14;
-    tA  = (s2 * 8867 - s6 * 21407) >> 14;
-    tB  = (s6 * 8867 + s2 * 21407) >> 14;
+    t8  = (int)(t6 * 11585U) >> 14;
+    t9  = (int)(t7 * 11585U) >> 14;
+    tA  = (int)(s2 * 8867U - s6 * 21407U) >> 14;
+    tB  = (int)(s6 * 8867U + s2 * 21407U) >> 14;
    tC  = (s0 >> 1) - (s4 >> 1);
    tD  = (s4 >> 1) * 2 + tC;
    tE  = tC - (tA >> 1);
@@ -46,11 +46,12 @@ typedef struct SrtStack {

 static void rstrip_spaces_buf(AVBPrint *buf)
 {
-    while (buf->len > 0 && buf->str[buf->len - 1] == ' ')
-        buf->str[--buf->len] = 0;
+    if (av_bprint_is_complete(buf))
+        while (buf->len > 0 && buf->str[buf->len - 1] == ' ')
+            buf->str[--buf->len] = 0;
 }

-void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
+int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
 {
    char *param, buffer[128], tmp[128];
    int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0;
@@ -146,7 +147,7 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
                                if (stack[sptr].param[i][0])
                                    av_bprintf(dst, "%s", stack[sptr].param[i]);
                        }
-                    } else if (!tagname[1] && strspn(tagname, "bisu") == 1) {
+                    } else if (tagname[0] && !tagname[1] && strspn(tagname, "bisu") == 1) {
                        av_bprintf(dst, "{\\%c%d}", tagname[0], !tag_close);
                    } else {
                        unknown = 1;
@@ -171,8 +172,13 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
            line_start = 0;
    }

+    if (!av_bprint_is_complete(dst))
+        return AVERROR(ENOMEM);
+
    while (dst->len >= 2 && !strncmp(&dst->str[dst->len - 2], "\\N", 2))
        dst->len -= 2;
    dst->str[dst->len] = 0;
    rstrip_spaces_buf(dst);
+
+    return 0;
 }
@@ -23,6 +23,6 @@

 #include "libavutil/bprint.h"

-void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in);
+int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in);

 #endif /* AVCODEC_HTMLSUBTITLES_H */
@@ -68,6 +68,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
            for (i = 0; i < c * 2; i++)
                dst[out++] = 0x80;
        } else { /* copy two values from table */
+            if (c <= 0)
+                return AVERROR_INVALIDDATA;
            dst[out++] = table[c * 2];
            dst[out++] = table[(c * 2) + 1];
        }
@@ -76,6 +78,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst

    for (j = 1; j < height; j++) {
        out = 0;
+        if (get_bits_left(&ctx->gb) <= 0)
+            return AVERROR_INVALIDDATA;
        while (out < width) {
            int c = ir2_get_code(&ctx->gb);
            if (c >= 0x80) { /* we have a skip */
@@ -87,7 +91,10 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
                    out++;
                }
            } else { /* add two deltas from table */
-                int t    = dst[out - pitch] + (table[c * 2] - 128);
+                int t;
+                if (c <= 0)
+                    return AVERROR_INVALIDDATA;
+                t        = dst[out - pitch] + (table[c * 2] - 128);
                t        = av_clip_uint8(t);
                dst[out] = t;
                out++;
@@ -115,12 +122,16 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_

    for (j = 0; j < height; j++) {
        out = 0;
+        if (get_bits_left(&ctx->gb) <= 0)
+            return AVERROR_INVALIDDATA;
        while (out < width) {
            c = ir2_get_code(&ctx->gb);
            if (c >= 0x80) { /* we have a skip */
                c   -= 0x7F;
                out += c * 2;
            } else { /* add two deltas from table */
+                if (c <= 0)
+                    return AVERROR_INVALIDDATA;
                t        = dst[out] + (((table[c * 2] - 128)*3) >> 2);
                t        = av_clip_uint8(t);
                dst[out] = t;
@@ -524,7 +524,7 @@ retry:
                    }else{
                        level = SHOW_UBITS(re, &s->gb, 5);
                        SKIP_CACHE(re, &s->gb, 5);
-                        level |= SHOW_SBITS(re, &s->gb, 6)<<5;
+                        level |= SHOW_SBITS(re, &s->gb, 6) * (1<<5);
                        SKIP_COUNTER(re, &s->gb, 5 + 6);
                    }
                }
@@ -243,7 +243,7 @@ void ff_ivi_recompose_haar(const IVIPlaneDesc *plane, uint8_t *dst,
 #define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\
                  d1, d2, d3, d4, d5, d6, d7, d8,\
                  t0, t1, t2, t3, t4, t5, t6, t7, t8) {\
-    t1 = (s1) << 1; t5 = (s5) << 1;\
+    t1 = (s1) * 2; t5 = (s5) * 2;\
    IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\
    IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\
    IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\
@@ -284,10 +284,10 @@ void ff_ivi_inverse_haar_8x8(const int32_t *in, int16_t *out, uint32_t pitch,
        if (flags[i]) {
            /* pre-scaling */
            shift = !(i & 4);
-            sp1 = src[ 0] << shift;
-            sp2 = src[ 8] << shift;
-            sp3 = src[16] << shift;
-            sp4 = src[24] << shift;
+            sp1 = src[ 0] * (1 << shift);
+            sp2 = src[ 8] * (1 << shift);
+            sp3 = src[16] * (1 << shift);
+            sp4 = src[24] * (1 << shift);
            INV_HAAR8(    sp1,     sp2,     sp3,     sp4,
                      src[32], src[40], src[48], src[56],
                      dst[ 0], dst[ 8], dst[16], dst[24],
@@ -98,7 +98,7 @@ static uint32_t softfloat_mul(uint32_t x, uint64_t mantissa)

 static uint8_t lag_calc_zero_run(int8_t x)
 {
-    return (x << 1) ^ (x >> 7);
+    return (x * 2) ^ (x >> 7);
 }

 static int lag_decode_prob(GetBitContext *gb, uint32_t *value)
@@ -191,7 +191,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
        }

        scale_factor++;
-        cumulative_target = 1 << scale_factor;
+        if (scale_factor >= 32U)
+            return AVERROR_INVALIDDATA;
+        cumulative_target = 1U << scale_factor;

        if (scaled_cumul_prob > cumulative_target) {
            av_log(rac->avctx, AV_LOG_ERROR,
@@ -73,7 +73,7 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
        if (diff >= 0xffff)
            return AVERROR_INVALIDDATA;
        a->last_dc[component] += diff;
-        block[0] = a->last_dc[component] << 3;
+        block[0] = a->last_dc[component] * (1 << 3);
    }

    i = 0;
@@ -111,11 +111,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
                j = scantable[i];
                if (level < 0) {
                    level = -level;
-                    level = (level * qscale * quant_matrix[j]) >> 3;
+                    level = (level * (unsigned)qscale * quant_matrix[j]) >> 3;
                    level = (level - 1) | 1;
                    level = -level;
                } else {
-                    level = (level * qscale * quant_matrix[j]) >> 3;
+                    level = (level * (unsigned)qscale * quant_matrix[j]) >> 3;
                    level = (level - 1) | 1;
                }
            }
@@ -262,7 +262,7 @@ static int vlc_decode_block(MimicContext *ctx, int num_coeffs, int qscale)

        coeff = vlcdec_lookup[num_bits][value];
        if (pos < 3)
-            coeff <<= 4;
+            coeff *= 16;
        else /* TODO Use >> 10 instead of / 1001 */
            coeff = (coeff * qscale) / 1001;

@@ -747,7 +747,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block,
                                    int16_t *quant_matrix,
                                    int ss, int se, int Al, int *EOBRUN)
 {
-    int code, i, j, level, val, run;
+    int code, i, j, val, run;
+    unsigned level;

    if (*EOBRUN) {
        (*EOBRUN)--;
@@ -1131,7 +1132,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
                        if (s->interlaced && s->bottom_field)
                            ptr += linesize >> 1;
                        pred &= mask;
-                        *ptr= pred + (dc << point_transform);
+                        *ptr= pred + ((unsigned)dc << point_transform);
                        }else{
                            ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap
                            if(y==0 && toprow){
@@ -1151,7 +1152,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
                            if (s->interlaced && s->bottom_field)
                                ptr16 += linesize >> 1;
                            pred &= mask;
-                            *ptr16= pred + (dc << point_transform);
+                            *ptr16= pred + ((unsigned)dc << point_transform);
                        }
                        if (++x == h) {
                            x = 0;
@@ -1190,13 +1191,13 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
                            PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor);

                            pred &= mask;
-                            *ptr = pred + (dc << point_transform);
+                            *ptr = pred + ((unsigned)dc << point_transform);
                        }else{
                            ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap
                            PREDICT(pred, ptr16[-linesize-1], ptr16[-linesize], ptr16[-1], predictor);

                            pred &= mask;
-                            *ptr16= pred + (dc << point_transform);
+                            *ptr16= pred + ((unsigned)dc << point_transform);
                        }

                        if (++x == h) {
@@ -264,7 +264,7 @@ static inline int read_huff_channels(MLPDecodeContext *m, GetBitContext *gbp,
            result = (result << lsb_bits) + get_bits(gbp, lsb_bits);

        result  += cp->sign_huff_offset;
-        result <<= quant_step_size;
+        result *= 1 << quant_step_size;

        m->sample_buffer[pos + s->blockpos][channel] = result;
    }
@@ -684,7 +684,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp,
        }

        for (i = 0; i < order; i++)
-            fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift;
+            fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift);

        if (get_bits1(gbp)) {
            int state_bits, state_shift;
@@ -701,7 +701,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp,
            /* TODO: Check validity of state data. */

            for (i = 0; i < order; i++)
-                fp->state[i] = state_bits ? get_sbits(gbp, state_bits) << state_shift : 0;
+                fp->state[i] = state_bits ? get_sbits(gbp, state_bits) * (1 << state_shift) : 0;
        }
    }

@@ -759,7 +759,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
            if (get_bits1(gbp))
                coeff_val = get_sbits(gbp, frac_bits + 2);

-            s->matrix_coeff[mat][ch] = coeff_val << (14 - frac_bits);
+            s->matrix_coeff[mat][ch] = coeff_val * (1 << (14 - frac_bits));
        }

        if (s->noise_type)
@@ -999,8 +999,8 @@ static void generate_2_noise_channels(MLPDecodeContext *m, unsigned int substr)

    for (i = 0; i < s->blockpos; i++) {
        uint16_t seed_shr7 = seed >> 7;
-        m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift;
-        m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7)   << s->noise_shift;
+        m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift);
+        m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7)   * (1 << s->noise_shift);

        seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5);
    }
@@ -1162,6 +1162,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data,
            substr_header_size += 2;
        }

+        if (length < header_size + substr_header_size) {
+            av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n");
+            goto error;
+        }
+
        if (!(nonrestart_substr ^ m->is_major_sync_unit)) {
            av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n");
            goto error;
@@ -113,8 +113,8 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
    for (i = 0; i < blockpos; i++) {
        for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) {
            int mat_ch = ch_assign[out_ch];
-            int32_t sample = sample_buffer[i][mat_ch]
-                          << output_shift[mat_ch];
+            int32_t sample = sample_buffer[i][mat_ch] *
+                          (1 << output_shift[mat_ch]);
            lossless_check_data ^= (sample & 0xffffff) << mat_ch;
            if (is32)
                *data_32++ = sample << 8;
@@ -563,7 +563,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s,
    dc  = s->last_dc[component];
    dc += diff;
    s->last_dc[component] = dc;
-    block[0] = dc << (3 - s->intra_dc_precision);
+    block[0] = dc * (1 << (3 - s->intra_dc_precision));
    ff_tlog(s->avctx, "dc=%d\n", block[0]);
    mismatch = block[0] ^ 1;
    i = 0;
@@ -914,8 +914,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64])
                                                   s->last_mv[i][0][1]);
                            /* full_pel: only for MPEG-1 */
                            if (s->full_pel[i]) {
-                                s->mv[i][0][0] <<= 1;
-                                s->mv[i][0][1] <<= 1;
+                                s->mv[i][0][0] *= 2;
+                                s->mv[i][0][1] *= 2;
                            }
                        }
                    }
@@ -997,8 +997,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64])
                        dmy = get_dmv(s);


-                        s->last_mv[i][0][1] = my << my_shift;
-                        s->last_mv[i][1][1] = my << my_shift;
+                        s->last_mv[i][0][1] = my * (1 << my_shift);
+                        s->last_mv[i][1][1] = my * (1 << my_shift);

                        s->mv[i][0][0] = mx;
                        s->mv[i][0][1] = my;
@@ -1043,7 +1043,7 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64])

            cbp = get_vlc2(&s->gb, ff_mb_pat_vlc.table, MB_PAT_VLC_BITS, 1);
            if (mb_block_count > 6) {
-                cbp <<= mb_block_count - 6;
+                cbp *= 1 << mb_block_count - 6;
                cbp  |= get_bits(&s->gb, mb_block_count - 6);
                s->bdsp.clear_blocks(s->block[6]);
            }
@@ -1291,7 +1291,8 @@ static int mpeg_decode_postinit(AVCodecContext *avctx)

    if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO) {
        // MPEG-1 aspect
-        avctx->sample_aspect_ratio = av_d2q(1.0 / ff_mpeg1_aspect[s->aspect_ratio_info], 255);
+        AVRational aspect_inv = av_d2q(ff_mpeg1_aspect[s->aspect_ratio_info], 255);
+        avctx->sample_aspect_ratio = (AVRational) { aspect_inv.den, aspect_inv.num };
    } else { // MPEG-2
        // MPEG-2 aspect
        if (s->aspect_ratio_info > 1) {
@@ -178,6 +178,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
    int min_ab, i, w2, h2, w3, h3;
    int sprite_ref[4][2];
    int virtual_ref[2][2];
+    int64_t sprite_offset[2][2];

    // only true for rectangle shapes
    const int vop_ref[4][2] = { { 0, 0 },         { s->width, 0 },
@@ -257,10 +258,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g

    switch (ctx->num_sprite_warping_points) {
    case 0:
-        s->sprite_offset[0][0] =
-        s->sprite_offset[0][1] =
-        s->sprite_offset[1][0] =
-        s->sprite_offset[1][1] = 0;
+        sprite_offset[0][0]    =
+        sprite_offset[0][1]    =
+        sprite_offset[1][0]    =
+        sprite_offset[1][1]    = 0;
        s->sprite_delta[0][0]  = a;
        s->sprite_delta[0][1]  =
        s->sprite_delta[1][0]  = 0;
@@ -269,11 +270,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        ctx->sprite_shift[1]   = 0;
        break;
    case 1:     // GMC only
-        s->sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0];
-        s->sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1];
-        s->sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) -
+        sprite_offset[0][0]    = sprite_ref[0][0] - a * vop_ref[0][0];
+        sprite_offset[0][1]    = sprite_ref[0][1] - a * vop_ref[0][1];
+        sprite_offset[1][0]    = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) -
                                 a * (vop_ref[0][0] / 2);
-        s->sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) -
+        sprite_offset[1][1]    = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) -
                                 a * (vop_ref[0][1] / 2);
        s->sprite_delta[0][0]  = a;
        s->sprite_delta[0][1]  =
@@ -283,22 +284,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        ctx->sprite_shift[1]   = 0;
        break;
    case 2:
-        s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + rho)) +
+        sprite_offset[0][0]    = (sprite_ref[0][0] * (1 << alpha + rho)) +
                                 (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
                                 (-vop_ref[0][0]) +
                                 (r * sprite_ref[0][1] - virtual_ref[0][1]) *
                                 (-vop_ref[0][1]) + (1 << (alpha + rho - 1));
-        s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + rho)) +
+        sprite_offset[0][1]    = (sprite_ref[0][1] * (1 << alpha + rho)) +
                                 (-r * sprite_ref[0][1] + virtual_ref[0][1]) *
                                 (-vop_ref[0][0]) +
                                 (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
                                 (-vop_ref[0][1]) + (1 << (alpha + rho - 1));
-        s->sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) *
+        sprite_offset[1][0]    = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) *
                                  (-2 * vop_ref[0][0] + 1) +
                                  (r * sprite_ref[0][1] - virtual_ref[0][1]) *
                                  (-2 * vop_ref[0][1] + 1) + 2 * w2 * r *
                                  sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1)));
-        s->sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) *
+        sprite_offset[1][1]    = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) *
                                  (-2 * vop_ref[0][0] + 1) +
                                  (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
                                  (-2 * vop_ref[0][1] + 1) + 2 * w2 * r *
@@ -315,30 +316,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        min_ab = FFMIN(alpha, beta);
        w3     = w2 >> min_ab;
        h3     = h2 >> min_ab;
-        s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) +
-                                 (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
-                                 h3 * (-vop_ref[0][0]) +
-                                 (-r * sprite_ref[0][0] + virtual_ref[1][0]) *
-                                 w3 * (-vop_ref[0][1]) +
-                                 (1 << (alpha + beta + rho - min_ab - 1));
-        s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) +
-                                 (-r * sprite_ref[0][1] + virtual_ref[0][1]) *
-                                 h3 * (-vop_ref[0][0]) +
-                                 (-r * sprite_ref[0][1] + virtual_ref[1][1]) *
-                                 w3 * (-vop_ref[0][1]) +
-                                 (1 << (alpha + beta + rho - min_ab - 1));
-        s->sprite_offset[1][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
-                                 h3 * (-2 * vop_ref[0][0] + 1) +
-                                 (-r * sprite_ref[0][0] + virtual_ref[1][0]) *
-                                 w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 *
-                                 r * sprite_ref[0][0] - 16 * w2 * h3 +
-                                 (1 << (alpha + beta + rho - min_ab + 1));
-        s->sprite_offset[1][1] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) *
-                                 h3 * (-2 * vop_ref[0][0] + 1) +
-                                 (-r * sprite_ref[0][1] + virtual_ref[1][1]) *
-                                 w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 *
-                                 r * sprite_ref[0][1] - 16 * w2 * h3 +
-                                 (1 << (alpha + beta + rho - min_ab + 1));
+        sprite_offset[0][0]    = ((int64_t)sprite_ref[0][0] * (1 << (alpha + beta + rho - min_ab))) +
+                                 ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) +
+                                 ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) +
+                                 ((int64_t)1 << (alpha + beta + rho - min_ab - 1));
+        sprite_offset[0][1]    = ((int64_t)sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) +
+                                 ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) +
+                                 ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-vop_ref[0][1]) +
+                                 ((int64_t)1 << (alpha + beta + rho - min_ab - 1));
+        sprite_offset[1][0]    = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-2 * vop_ref[0][0] + 1) +
+                                 ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-2 * vop_ref[0][1] + 1) +
+                                  (int64_t)2 * w2 * h3 * r * sprite_ref[0][0] - 16 * w2 * h3 +
+                                 ((int64_t)1 << (alpha + beta + rho - min_ab + 1));
+        sprite_offset[1][1]    = ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-2 * vop_ref[0][0] + 1) +
+                                 ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) +
+                                  (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 +
+                                 ((int64_t)1 << (alpha + beta + rho - min_ab + 1));
        s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3;
        s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3;
        s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3;
@@ -353,10 +346,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        s->sprite_delta[0][1] == 0 &&
        s->sprite_delta[1][0] == 0 &&
        s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) {
-        s->sprite_offset[0][0] >>= ctx->sprite_shift[0];
-        s->sprite_offset[0][1] >>= ctx->sprite_shift[0];
-        s->sprite_offset[1][0] >>= ctx->sprite_shift[1];
-        s->sprite_offset[1][1] >>= ctx->sprite_shift[1];
+        sprite_offset[0][0] >>= ctx->sprite_shift[0];
+        sprite_offset[0][1] >>= ctx->sprite_shift[0];
+        sprite_offset[1][0] >>= ctx->sprite_shift[1];
+        sprite_offset[1][1] >>= ctx->sprite_shift[1];
        s->sprite_delta[0][0] = a;
        s->sprite_delta[0][1] = 0;
        s->sprite_delta[1][0] = 0;
@@ -367,17 +360,59 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
    } else {
        int shift_y = 16 - ctx->sprite_shift[0];
        int shift_c = 16 - ctx->sprite_shift[1];
+
+        if (shift_c < 0 || shift_y < 0 ||
+            FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y  ||
+            FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c  ||
+            FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y  ||
+            FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c
+        ) {
+            avpriv_request_sample(s->avctx, "Too large sprite shift or offset");
+            goto overflow;
+        }
+
        for (i = 0; i < 2; i++) {
-            s->sprite_offset[0][i] *= 1 << shift_y;
-            s->sprite_offset[1][i] *= 1 << shift_c;
+            sprite_offset[0][i]    *= 1 << shift_y;
+            sprite_offset[1][i]    *= 1 << shift_c;
            s->sprite_delta[0][i]  *= 1 << shift_y;
            s->sprite_delta[1][i]  *= 1 << shift_y;
            ctx->sprite_shift[i]     = 16;
+
+        }
+        for (i = 0; i < 2; i++) {
+            int64_t sd[2] = {
+                s->sprite_delta[i][0] - a * (1LL<<16),
+                s->sprite_delta[i][1] - a * (1LL<<16)
+            };
+
+            if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
+                llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
+                llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
+                llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
+                llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX ||
+                llabs(sd[0]) >= INT_MAX ||
+                llabs(sd[1]) >= INT_MAX ||
+                llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX ||
+                llabs(sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX ||
+                llabs(sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX
+            ) {
+                avpriv_request_sample(s->avctx, "Overflow on sprite points");
+                goto overflow;
+            }
        }
        s->real_sprite_warping_points = ctx->num_sprite_warping_points;
    }

+    s->sprite_offset[0][0] = sprite_offset[0][0];
+    s->sprite_offset[0][1] = sprite_offset[0][1];
+    s->sprite_offset[1][0] = sprite_offset[1][0];
+    s->sprite_offset[1][1] = sprite_offset[1][1];
+
    return 0;
+overflow:
+    memset(s->sprite_offset, 0, sizeof(s->sprite_offset));
+    memset(s->sprite_delta, 0, sizeof(s->sprite_delta));
+    return AVERROR_PATCHWELCOME;
 }

 static int decode_new_pred(Mpeg4DecContext *ctx, GetBitContext *gb) {
@@ -503,7 +538,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
        if (ctx->divx_version == 500 && ctx->divx_build == 413)
            sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample));
        else
-            sum = RSHIFT(s->sprite_offset[0][n] << s->quarter_sample, a);
+            sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a);
    } else {
        dx    = s->sprite_delta[n][0];
        dy    = s->sprite_delta[n][1];
@@ -2403,16 +2438,20 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb)
        ff_init_scantable(s->idsp.idct_permutation, &s->intra_v_scantable, ff_alternate_vertical_scan);
    }

-    if (s->pict_type == AV_PICTURE_TYPE_S &&
-        (ctx->vol_sprite_usage == STATIC_SPRITE ||
-         ctx->vol_sprite_usage == GMC_SPRITE)) {
-        if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0)
-            return AVERROR_INVALIDDATA;
-        if (ctx->sprite_brightness_change)
-            av_log(s->avctx, AV_LOG_ERROR,
-                   "sprite_brightness_change not supported\n");
-        if (ctx->vol_sprite_usage == STATIC_SPRITE)
-            av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n");
+    if (s->pict_type == AV_PICTURE_TYPE_S) {
+        if((ctx->vol_sprite_usage == STATIC_SPRITE ||
+            ctx->vol_sprite_usage == GMC_SPRITE)) {
+            if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0)
+                return AVERROR_INVALIDDATA;
+            if (ctx->sprite_brightness_change)
+                av_log(s->avctx, AV_LOG_ERROR,
+                    "sprite_brightness_change not supported\n");
+            if (ctx->vol_sprite_usage == STATIC_SPRITE)
+                av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n");
+        } else {
+            memset(s->sprite_offset, 0, sizeof(s->sprite_offset));
+            memset(s->sprite_delta, 0, sizeof(s->sprite_delta));
+        }
    }

    if (ctx->shape != BIN_ONLY_SHAPE) {
@@ -252,7 +252,7 @@ static inline int l3_unscale(int value, int exponent)
 #endif
    if (e > 31)
        return 0;
-    m = (m + (1 << (e - 1))) >> e;
+    m = (m + ((1U << e)>>1)) >> e;

    return m;
 }
@@ -1663,7 +1663,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr,
    header = AV_RB32(buf);
    if (header>>8 == AV_RB32("TAG")>>8) {
        av_log(avctx, AV_LOG_DEBUG, "discarding ID3 tag\n");
-        return buf_size;
+        return buf_size + skipped;
    }
    ret = avpriv_mpegaudio_decode_header((MPADecodeHeader *)s, header);
    if (ret < 0) {
@@ -48,8 +48,8 @@ static void gmc1_motion(MpegEncContext *s,
    motion_y   = s->sprite_offset[0][1];
    src_x      = s->mb_x * 16 + (motion_x >> (s->sprite_warping_accuracy + 1));
    src_y      = s->mb_y * 16 + (motion_y >> (s->sprite_warping_accuracy + 1));
-    motion_x <<= (3 - s->sprite_warping_accuracy);
-    motion_y <<= (3 - s->sprite_warping_accuracy);
+    motion_x *= 1 << (3 - s->sprite_warping_accuracy);
+    motion_y *= 1 << (3 - s->sprite_warping_accuracy);
    src_x      = av_clip(src_x, -16, s->width);
    if (src_x == s->width)
        motion_x = 0;
@@ -95,8 +95,8 @@ static void gmc1_motion(MpegEncContext *s,
    motion_y   = s->sprite_offset[1][1];
    src_x      = s->mb_x * 8 + (motion_x >> (s->sprite_warping_accuracy + 1));
    src_y      = s->mb_y * 8 + (motion_y >> (s->sprite_warping_accuracy + 1));
-    motion_x <<= (3 - s->sprite_warping_accuracy);
-    motion_y <<= (3 - s->sprite_warping_accuracy);
+    motion_x  *= 1 << (3 - s->sprite_warping_accuracy);
+    motion_y  *= 1 << (3 - s->sprite_warping_accuracy);
    src_x      = av_clip(src_x, -8, s->width >> 1);
    if (src_x == s->width >> 1)
        motion_x = 0;
@@ -141,7 +141,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64])
        if(s->msmpeg4_version==2)
            cbp= get_vlc2(&s->gb, v2_intra_cbpc_vlc.table, V2_INTRA_CBPC_VLC_BITS, 1);
        else
-            cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 1);
+            cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 2);
        if(cbp<0 || cbp>3){
            av_log(s->avctx, AV_LOG_ERROR, "cbpc %d invalid at %d %d\n", cbp, s->mb_x, s->mb_y);
            return -1;
@@ -170,12 +170,23 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64])
        s->mv[0][0][1] = my;
        *mb_type_ptr = MB_TYPE_L0 | MB_TYPE_16x16;
    } else {
+        int v;
        if(s->msmpeg4_version==2){
            s->ac_pred = get_bits1(&s->gb);
-            cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors
+            v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1);
+            if (v < 0) {
+                av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n");
+                return -1;
+            }
+            cbp|= v<<2;
        } else{
            s->ac_pred = 0;
-            cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors
+            v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1);
+            if (v < 0) {
+                av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n");
+                return -1;
+            }
+            cbp|= v<<2;
            if(s->pict_type==AV_PICTURE_TYPE_P) cbp^=0x3C;
        }
        *mb_type_ptr = MB_TYPE_INTRA;
@@ -356,8 +356,9 @@ static int rac_get_model2_sym(RangeCoder *c, Model2 *m)

 static int rac_get_model_sym(RangeCoder *c, Model *m)
 {
-    int prob, prob2, helper, val;
+    int val;
    int end, end2;
+    unsigned prob, prob2, helper;

    prob       = 0;
    prob2      = c->range;
@@ -62,30 +62,30 @@ void ff_mss34_gen_quant_mat(uint16_t *qmat, int quality, int luma)
 }

 #define DCT_TEMPLATE(blk, step, SOP, shift)                         \
-    const int t0 = -39409 * blk[7 * step] -  58980 * blk[1 * step]; \
-    const int t1 =  39410 * blk[1 * step] -  58980 * blk[7 * step]; \
-    const int t2 = -33410 * blk[5 * step] - 167963 * blk[3 * step]; \
-    const int t3 =  33410 * blk[3 * step] - 167963 * blk[5 * step]; \
-    const int t4 =          blk[3 * step] +          blk[7 * step]; \
-    const int t5 =          blk[1 * step] +          blk[5 * step]; \
-    const int t6 =  77062 * t4            +  51491 * t5;            \
-    const int t7 =  77062 * t5            -  51491 * t4;            \
-    const int t8 =  35470 * blk[2 * step] -  85623 * blk[6 * step]; \
-    const int t9 =  35470 * blk[6 * step] +  85623 * blk[2 * step]; \
-    const int tA = SOP(blk[0 * step] - blk[4 * step]);              \
-    const int tB = SOP(blk[0 * step] + blk[4 * step]);              \
+    const unsigned t0 =-39409U * blk[7 * step] - 58980U * blk[1 * step]; \
+    const unsigned t1 = 39410U * blk[1 * step] - 58980U * blk[7 * step]; \
+    const unsigned t2 =-33410U * blk[5 * step] -167963U * blk[3 * step]; \
+    const unsigned t3 = 33410U * blk[3 * step] -167963U * blk[5 * step]; \
+    const unsigned t4 =          blk[3 * step] +          blk[7 * step]; \
+    const unsigned t5 =          blk[1 * step] +          blk[5 * step]; \
+    const unsigned t6 = 77062U * t4            + 51491U * t5;            \
+    const unsigned t7 = 77062U * t5            - 51491U * t4;            \
+    const unsigned t8 = 35470U * blk[2 * step] - 85623U * blk[6 * step]; \
+    const unsigned t9 = 35470U * blk[6 * step] + 85623U * blk[2 * step]; \
+    const unsigned tA = SOP(blk[0 * step] - blk[4 * step]);              \
+    const unsigned tB = SOP(blk[0 * step] + blk[4 * step]);              \
                                                                    \
-    blk[0 * step] = (  t1 + t6  + t9 + tB) >> shift;                \
-    blk[1 * step] = (  t3 + t7  + t8 + tA) >> shift;                \
-    blk[2 * step] = (  t2 + t6  - t8 + tA) >> shift;                \
-    blk[3 * step] = (  t0 + t7  - t9 + tB) >> shift;                \
-    blk[4 * step] = (-(t0 + t7) - t9 + tB) >> shift;                \
-    blk[5 * step] = (-(t2 + t6) - t8 + tA) >> shift;                \
-    blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift;                \
-    blk[7 * step] = (-(t1 + t6) + t9 + tB) >> shift;                \
+    blk[0 * step] = (int)(  t1 + t6  + t9 + tB) >> shift;                \
+    blk[1 * step] = (int)(  t3 + t7  + t8 + tA) >> shift;                \
+    blk[2 * step] = (int)(  t2 + t6  - t8 + tA) >> shift;                \
+    blk[3 * step] = (int)(  t0 + t7  - t9 + tB) >> shift;                \
+    blk[4 * step] = (int)(-(t0 + t7) - t9 + tB) >> shift;                \
+    blk[5 * step] = (int)(-(t2 + t6) - t8 + tA) >> shift;                \
+    blk[6 * step] = (int)(-(t3 + t7) + t8 + tA) >> shift;                \
+    blk[7 * step] = (int)(-(t1 + t6) + t9 + tB) >> shift;                \

-#define SOP_ROW(a) (((a) << 16) + 0x2000)
-#define SOP_COL(a) (((a) + 32) << 16)
+#define SOP_ROW(a) (((a) * (1U << 16)) + 0x2000)
+#define SOP_COL(a) (((a) + 32) * (1U << 16))

 void ff_mss34_dct_put(uint8_t *dst, int stride, int *block)
 {
@@ -302,6 +302,12 @@ static int msvideo1_decode_frame(AVCodecContext *avctx,
    s->buf = buf;
    s->size = buf_size;

+    // Discard frame if its smaller than the minimum frame size
+    if (buf_size < (avctx->width/4) * (avctx->height/4) / 512) {
+        av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
        return ret;

@@ -85,7 +85,7 @@ const int16_t ff_nelly_delta_table[32] = {

 static inline int signed_shift(int i, int shift) {
    if (shift > 0)
-        return i << shift;
+        return (unsigned)i << shift;
    return i >> -shift;
 }

@@ -109,7 +109,7 @@ static int headroom(int *la)
        return 31;
    }
    l = 30 - av_log2(FFABS(*la));
-    *la <<= l;
+    *la *= 1<<l;
    return l;
 }

@@ -179,6 +179,29 @@ void avcodec_free_context(AVCodecContext **pavctx)
    av_freep(pavctx);
 }

+static void copy_context_reset(AVCodecContext *avctx)
+{
+    int i;
+
+    av_opt_free(avctx);
+#if FF_API_CODED_FRAME
+FF_DISABLE_DEPRECATION_WARNINGS
+    av_frame_free(&avctx->coded_frame);
+FF_ENABLE_DEPRECATION_WARNINGS
+#endif
+    av_freep(&avctx->rc_override);
+    av_freep(&avctx->intra_matrix);
+    av_freep(&avctx->inter_matrix);
+    av_freep(&avctx->extradata);
+    av_freep(&avctx->subtitle_header);
+    for (i = 0; i < avctx->nb_coded_side_data; i++)
+        av_freep(&avctx->coded_side_data[i].data);
+    av_freep(&avctx->coded_side_data);
+    avctx->subtitle_header_size = 0;
+    avctx->nb_coded_side_data = 0;
+    avctx->extradata_size = 0;
+}
+
 int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src)
 {
    const AVCodec *orig_codec = dest->codec;
@@ -191,12 +214,7 @@ int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src)
        return AVERROR(EINVAL);
    }

-    av_opt_free(dest);
-    av_freep(&dest->rc_override);
-    av_freep(&dest->intra_matrix);
-    av_freep(&dest->inter_matrix);
-    av_freep(&dest->extradata);
-    av_freep(&dest->subtitle_header);
+    copy_context_reset(dest);

    memcpy(dest, src, sizeof(*dest));
    av_opt_copy(dest, src);
@@ -221,10 +239,12 @@ FF_ENABLE_DEPRECATION_WARNINGS

    /* reallocate values that should be allocated separately */
    dest->extradata       = NULL;
+    dest->coded_side_data = NULL;
    dest->intra_matrix    = NULL;
    dest->inter_matrix    = NULL;
    dest->rc_override     = NULL;
    dest->subtitle_header = NULL;
+    dest->nb_coded_side_data = 0;

 #define alloc_and_copy_or_fail(obj, size, pad) \
    if (src->obj && size > 0) { \
@@ -248,14 +268,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
    return 0;

 fail:
-    av_freep(&dest->rc_override);
-    av_freep(&dest->intra_matrix);
-    av_freep(&dest->inter_matrix);
-    av_freep(&dest->extradata);
-    av_freep(&dest->subtitle_header);
-    dest->subtitle_header_size = 0;
-    dest->extradata_size = 0;
-    av_opt_free(dest);
+    copy_context_reset(dest);
    return AVERROR(ENOMEM);
 }

@@ -851,8 +851,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_
    if (nlsf[0] < min_delta[0])
        nlsf[0] = min_delta[0];
    for (i = 1; i < order; i++)
-        if (nlsf[i] < nlsf[i - 1] + min_delta[i])
-            nlsf[i] = nlsf[i - 1] + min_delta[i];
+        nlsf[i] = FFMAX(nlsf[i], FFMIN(nlsf[i - 1] + min_delta[i], 32767));

    /* push backwards to increase distance */
    if (nlsf[order-1] > 32768 - min_delta[order])
@@ -77,10 +77,10 @@ static void picmemset(PicContext *s, AVFrame *frame, int value, int run,
                if (*y < 0) {
                   *y = s->height - 1;
                   *plane += 1;
+                   if (*plane >= s->nb_planes)
+                       return;
                   value <<= bits_per_plane;
                   mask  <<= bits_per_plane;
-                   if (*plane >= s->nb_planes)
-                       break;
                }
            }
        }
@@ -236,7 +236,7 @@ static int decode_frame(AVCodecContext *avctx,
            }
        }

-        if (x < avctx->width) {
+        if (plane < s->nb_planes && x < avctx->width) {
            int run = (y + 1) * avctx->width - x;
            if (bits_per_plane == 8)
                picmemset_8bpp(s, frame, val, run, &x, &y);
@@ -559,6 +559,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s,
        return AVERROR_INVALIDDATA;
    }
    s->bit_depth        = bytestream2_get_byte(&s->gb);
+    if (s->bit_depth != 1 && s->bit_depth != 2 && s->bit_depth != 4 &&
+        s->bit_depth != 8 && s->bit_depth != 16) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid bit depth\n");
+        goto error;
+    }
    s->color_type       = bytestream2_get_byte(&s->gb);
    s->compression_type = bytestream2_get_byte(&s->gb);
    s->filter_type      = bytestream2_get_byte(&s->gb);
@@ -572,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s,
                s->compression_type, s->filter_type, s->interlace_type);

    return 0;
+error:
+    s->cur_w = s->cur_h = s->width = s->height = 0;
+    s->bit_depth = 8;
+    return AVERROR_INVALIDDATA;
 }

 static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s)
@@ -602,8 +611,9 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
    }
    if (!(s->state & PNG_IDAT)) {
        /* init image info */
-        avctx->width  = s->width;
-        avctx->height = s->height;
+        ret = ff_set_dimensions(avctx, s->width, s->height);
+        if (ret < 0)
+            return ret;

        s->channels       = ff_png_get_nb_channels(s->color_type);
        s->bits_per_pixel = s->bit_depth * s->channels;
@@ -787,7 +797,7 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s,
            return AVERROR_INVALIDDATA;

        for (i = 0; i < length; i++) {
-            v = bytestream2_get_byte(&s->gb);
+            unsigned v = bytestream2_get_byte(&s->gb);
            s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24);
        }
    } else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) {
@@ -1598,7 +1598,7 @@ void ff_eval_coefs(int *coefs, const int *refl)
    int i, j;

    for (i=0; i < LPC_ORDER; i++) {
-        b1[i] = refl[i] << 4;
+        b1[i] = refl[i] * 16;

        for (j=0; j < i; j++)
            b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j];
@@ -184,6 +184,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
        ctx->tiles[i].y = bytestream2_get_le16(gbc);
        ctx->tiles[i].h = bytestream2_get_le16(gbc);

+        if (pixel_size + ctx->tiles[i].w * (int64_t)ctx->tiles[i].h * 4 > INT_MAX) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions\n");
+            ret = AVERROR_INVALIDDATA;
+            goto end;
+        }
+
        pixel_size += ctx->tiles[i].w * ctx->tiles[i].h * 4;

        ff_dlog(avctx, "tile %d orig(%d,%d) %dx%d.\n", i,
@@ -1585,10 +1585,13 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte
    return ff_mpeg_update_thread_context(dst, src);
 }

-static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n)
+static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n, int slice_count, int buf_size)
 {
-    if(avctx->slice_count) return avctx->slice_offset[n];
-    else                   return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) :  AV_RB32(buf + n*8);
+    if (n < slice_count) {
+        if(avctx->slice_count) return avctx->slice_offset[n];
+        else                   return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) :  AV_RB32(buf + n*8);
+    } else
+        return buf_size;
 }

 static int finish_frame(AVCodecContext *avctx, AVFrame *pict)
@@ -1627,7 +1630,7 @@ static AVRational update_sar(int old_w, int old_h, AVRational sar, int new_w, in
    if (!sar.num)
        sar = (AVRational){1, 1};

-    sar = av_mul_q(sar, (AVRational){new_h * old_w, new_w * old_h});
+    sar = av_mul_q(sar, av_mul_q((AVRational){new_h, new_w}, (AVRational){old_w, old_h}));
    return sar;
 }

@@ -1646,6 +1649,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
    const uint8_t *slices_hdr = NULL;
    int last = 0;
    int faulty_b = 0;
+    int offset;

    /* no supplementary picture */
    if (buf_size == 0) {
@@ -1668,13 +1672,13 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
    }else
        slice_count = avctx->slice_count;

+    offset = get_slice_offset(avctx, slices_hdr, 0, slice_count, buf_size);
    //parse first slice header to check whether this frame can be decoded
-    if(get_slice_offset(avctx, slices_hdr, 0) < 0 ||
-       get_slice_offset(avctx, slices_hdr, 0) > buf_size){
+    if(offset < 0 || offset > buf_size){
        av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
        return AVERROR_INVALIDDATA;
    }
-    init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8);
+    init_get_bits(&s->gb, buf+offset, (buf_size-offset)*8);
    if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){
        av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n");
        return AVERROR_INVALIDDATA;
@@ -1777,40 +1781,32 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
        return AVERROR_INVALIDDATA;

    for(i = 0; i < slice_count; i++){
-        int offset = get_slice_offset(avctx, slices_hdr, i);
+        int offset  = get_slice_offset(avctx, slices_hdr, i  , slice_count, buf_size);
+        int offset1 = get_slice_offset(avctx, slices_hdr, i+1, slice_count, buf_size);
        int size;
-        if(i+1 == slice_count)
-            size = buf_size - offset;
-        else
-            size = get_slice_offset(avctx, slices_hdr, i+1) - offset;

-        if(offset < 0 || offset > buf_size){
+        if(offset < 0 || offset > offset1 || offset1 > buf_size){
            av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
            break;
        }
+        size = offset1 - offset;

        r->si.end = s->mb_width * s->mb_height;
        s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start;

        if(i+1 < slice_count){
-            if (get_slice_offset(avctx, slices_hdr, i+1) < 0 ||
-                get_slice_offset(avctx, slices_hdr, i+1) > buf_size) {
+            int offset2 = get_slice_offset(avctx, slices_hdr, i+2, slice_count, buf_size);
+            if (offset2 < offset1 || offset2 > buf_size) {
                av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
                break;
            }
-            init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8);
+            init_get_bits(&s->gb, buf+offset1, (buf_size-offset1)*8);
            if(r->parse_slice_header(r, &r->s.gb, &si) < 0){
-                if(i+2 < slice_count)
-                    size = get_slice_offset(avctx, slices_hdr, i+2) - offset;
-                else
-                    size = buf_size - offset;
+                size = offset2 - offset;
            }else
                r->si.end = si.start;
        }
-        if (size < 0 || size > buf_size - offset) {
-            av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n");
-            break;
-        }
+        av_assert0 (size >= 0 && size <= buf_size - offset);
        last = rv34_decode_slice(r, r->si.end, buf + offset, size);
        if(last)
            break;
@@ -189,7 +189,7 @@ static int rv40_decode_intra_types(RV34DecContext *r, GetBitContext *gb, int8_t
            A = ptr[-r->intra_types_stride + 1]; // it won't be used for the last coefficient in a row
            B = ptr[-r->intra_types_stride];
            C = ptr[-1];
-            pattern = A + (B << 4) + (C << 8);
+            pattern = A + B * (1 << 4) + C * (1 << 8);
            for(k = 0; k < MODE2_PATTERNS_NUM; k++)
                if(pattern == rv40_aic_table_index[k])
                    break;
@@ -449,7 +449,7 @@ static av_always_inline void rv40_weak_loop_filter(uint8_t *src,
        if (u > 3 - (filter_p1 && filter_q1))
            continue;

-        t <<= 2;
+        t *= 1 << 2;
        if (filter_p1 && filter_q1)
            t += src[-2*step] - src[1*step];

@@ -120,10 +120,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data,
    if (avctx->bits_per_raw_sample == 24) {
        uint32_t *o = (uint32_t *)frame->data[0];
        for (; buf_size > 6; buf_size -= 7) {
-            *o++ = (ff_reverse[buf[2]]        << 24) |
+            *o++ = ((unsigned)ff_reverse[buf[2]]        << 24) |
                   (ff_reverse[buf[1]]        << 16) |
                   (ff_reverse[buf[0]]        <<  8);
-            *o++ = (ff_reverse[buf[6] & 0xf0] << 28) |
+            *o++ = ((unsigned)ff_reverse[buf[6] & 0xf0] << 28) |
                   (ff_reverse[buf[5]]        << 20) |
                   (ff_reverse[buf[4]]        << 12) |
                   (ff_reverse[buf[3] & 0x0f] <<  4);
@@ -142,10 +142,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data,
    } else if (avctx->bits_per_raw_sample == 20) {
        uint32_t *o = (uint32_t *)frame->data[0];
        for (; buf_size > 5; buf_size -= 6) {
-            *o++ = (ff_reverse[buf[2] & 0xf0] << 28) |
+            *o++ = ((unsigned)ff_reverse[buf[2] & 0xf0] << 28) |
                   (ff_reverse[buf[1]]        << 20) |
                   (ff_reverse[buf[0]]        << 12);
-            *o++ = (ff_reverse[buf[5] & 0xf0] << 28) |
+            *o++ = ((unsigned)ff_reverse[buf[5] & 0xf0] << 28) |
                   (ff_reverse[buf[4]]        << 20) |
                   (ff_reverse[buf[3]]        << 12);
            buf += 6;
@@ -156,8 +156,11 @@ static int allocate_buffers(ShortenContext *s)

 static inline unsigned int get_uint(ShortenContext *s, int k)
 {
-    if (s->version != 0)
+    if (s->version != 0) {
        k = get_ur_golomb_shorten(&s->gb, ULONGSIZE);
+        if (k > 31U)
+            return AVERROR_INVALIDDATA;
+    }
    return get_ur_golomb_shorten(&s->gb, k);
 }

@@ -384,6 +384,10 @@ static int decode_header(SnowContext *s){
        av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count);
        return AVERROR_INVALIDDATA;
    }
+    if (s->avctx->width > 65536-4) {
+        av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width);
+        return AVERROR_INVALIDDATA;
+    }


    s->qlog           += get_symbol(&s->c, s->header_state, 1);
@@ -395,6 +399,11 @@ static int decode_header(SnowContext *s){
        s->block_max_depth= 0;
        return AVERROR_INVALIDDATA;
    }
+    if (FFABS(s->qbias) > 127) {
+        av_log(s->avctx, AV_LOG_ERROR, "qbias %d is too large\n", s->qbias);
+        s->qbias = 0;
+        return AVERROR_INVALIDDATA;
+    }

    return 0;
 }
@@ -38,13 +38,13 @@ static void srt_to_ass(AVCodecContext *avctx, AVBPrint *dst,
            /* text rectangle defined, write the text at the center of the rectangle */
            const int cx = x1 + (x2 - x1)/2;
            const int cy = y1 + (y2 - y1)/2;
-            const int scaled_x = cx * ASS_DEFAULT_PLAYRESX / 720;
-            const int scaled_y = cy * ASS_DEFAULT_PLAYRESY / 480;
+            const int scaled_x = cx * (int64_t)ASS_DEFAULT_PLAYRESX / 720;
+            const int scaled_y = cy * (int64_t)ASS_DEFAULT_PLAYRESY / 480;
            av_bprintf(dst, "{\\an5}{\\pos(%d,%d)}", scaled_x, scaled_y);
        } else {
            /* only the top left corner, assume the text starts in that corner */
-            const int scaled_x = x1 * ASS_DEFAULT_PLAYRESX / 720;
-            const int scaled_y = y1 * ASS_DEFAULT_PLAYRESY / 480;
+            const int scaled_x = x1 * (int64_t)ASS_DEFAULT_PLAYRESX / 720;
+            const int scaled_y = y1 * (int64_t)ASS_DEFAULT_PLAYRESY / 480;
            av_bprintf(dst, "{\\an1}{\\pos(%d,%d)}", scaled_x, scaled_y);
        }
    }
@@ -166,7 +166,7 @@ static int svq3_decode_end(AVCodecContext *avctx);

 void ff_svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp)
 {
-    const int qmul = svq3_dequant_coeff[qp];
+    const unsigned qmul = svq3_dequant_coeff[qp];
 #define stride 16
    int i;
    int temp[16];
@@ -191,10 +191,10 @@ void ff_svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp)
        const int z2     =  7 *  temp[4 * 1 + i] - 17 * temp[4 * 3 + i];
        const int z3     = 17 *  temp[4 * 1 + i] +  7 * temp[4 * 3 + i];

-        output[stride *  0 + offset] = (z0 + z3) * qmul + 0x80000 >> 20;
-        output[stride *  2 + offset] = (z1 + z2) * qmul + 0x80000 >> 20;
-        output[stride *  8 + offset] = (z1 - z2) * qmul + 0x80000 >> 20;
-        output[stride * 10 + offset] = (z0 - z3) * qmul + 0x80000 >> 20;
+        output[stride *  0 + offset] = (int)((z0 + z3) * qmul + 0x80000) >> 20;
+        output[stride *  2 + offset] = (int)((z1 + z2) * qmul + 0x80000) >> 20;
+        output[stride *  8 + offset] = (int)((z1 - z2) * qmul + 0x80000) >> 20;
+        output[stride * 10 + offset] = (int)((z0 - z3) * qmul + 0x80000) >> 20;
    }
 }
 #undef stride
@@ -206,7 +206,7 @@ void ff_svq3_add_idct_c(uint8_t *dst, int16_t *block,
    int i;

    if (dc) {
-        dc       = 13 * 13 * (dc == 1 ? 1538 * block[0]
+        dc       = 13 * 13 * (dc == 1 ? 1538U* block[0]
                                      : qmul * (block[0] >> 3) / 2);
        block[0] = 0;
    }
@@ -224,16 +224,16 @@ void ff_svq3_add_idct_c(uint8_t *dst, int16_t *block,
    }

    for (i = 0; i < 4; i++) {
-        const int z0 = 13 * (block[i + 4 * 0] +      block[i + 4 * 2]);
-        const int z1 = 13 * (block[i + 4 * 0] -      block[i + 4 * 2]);
-        const int z2 =  7 *  block[i + 4 * 1] - 17 * block[i + 4 * 3];
-        const int z3 = 17 *  block[i + 4 * 1] +  7 * block[i + 4 * 3];
+        const unsigned z0 = 13 * (block[i + 4 * 0] +      block[i + 4 * 2]);
+        const unsigned z1 = 13 * (block[i + 4 * 0] -      block[i + 4 * 2]);
+        const unsigned z2 =  7 *  block[i + 4 * 1] - 17 * block[i + 4 * 3];
+        const unsigned z3 = 17 *  block[i + 4 * 1] +  7 * block[i + 4 * 3];
        const int rr = (dc + 0x80000);

-        dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((z0 + z3) * qmul + rr >> 20));
-        dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((z1 + z2) * qmul + rr >> 20));
-        dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((z1 - z2) * qmul + rr >> 20));
-        dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((z0 - z3) * qmul + rr >> 20));
+        dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20));
+        dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20));
+        dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((int)((z1 - z2) * qmul + rr) >> 20));
+        dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((int)((z0 - z3) * qmul + rr) >> 20));
    }

    memset(block, 0, 16 * sizeof(int16_t));
@@ -397,8 +397,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
            if (mode != PREDICT_MODE) {
                pred_motion(h, sl, k, part_width >> 2, dir, 1, &mx, &my);
            } else {
-                mx = s->next_pic->motion_val[0][b_xy][0] << 1;
-                my = s->next_pic->motion_val[0][b_xy][1] << 1;
+                mx = s->next_pic->motion_val[0][b_xy][0] * 2;
+                my = s->next_pic->motion_val[0][b_xy][1] * 2;

                if (dir == 0) {
                    mx = mx * h->frame_num_offset /
@@ -435,8 +435,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
                int fx, fy;
                mx  = (mx + 1 >> 1) + dx;
                my  = (my + 1 >> 1) + dy;
-                fx  = (unsigned)(mx + 0x3000) / 3 - 0x1000;
-                fy  = (unsigned)(my + 0x3000) / 3 - 0x1000;
+                fx  = (unsigned)(mx + 0x30000) / 3 - 0x10000;
+                fy  = (unsigned)(my + 0x30000) / 3 - 0x10000;
                dxy = (mx - 3 * fx) + 4 * (my - 3 * fy);

                svq3_mc_dir_part(s, x, y, part_width, part_height,
@@ -444,8 +444,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
                mx += mx;
                my += my;
            } else if (mode == HALFPEL_MODE || mode == PREDICT_MODE) {
-                mx  = (unsigned)(mx + 1 + 0x3000) / 3 + dx - 0x1000;
-                my  = (unsigned)(my + 1 + 0x3000) / 3 + dy - 0x1000;
+                mx  = (unsigned)(mx + 1 + 0x30000) / 3 + dx - 0x10000;
+                my  = (unsigned)(my + 1 + 0x30000) / 3 + dy - 0x10000;
                dxy = (mx & 1) + 2 * (my & 1);

                svq3_mc_dir_part(s, x, y, part_width, part_height,
@@ -453,8 +453,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
                mx *= 3;
                my *= 3;
            } else {
-                mx = (unsigned)(mx + 3 + 0x6000) / 6 + dx - 0x1000;
-                my = (unsigned)(my + 3 + 0x6000) / 6 + dy - 0x1000;
+                mx = (unsigned)(mx + 3 + 0x60000) / 6 + dx - 0x10000;
+                my = (unsigned)(my + 3 + 0x60000) / 6 + dy - 0x10000;

                svq3_mc_dir_part(s, x, y, part_width, part_height,
                                 mx, my, 0, 0, dir, avg);
@@ -422,19 +422,19 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,

    s->predictors[0] = get_sbits(gb, 10);
    s->predictors[1] = get_sbits(gb, 10);
-    s->predictors[2] = get_sbits(gb, size) << (10 - size);
-    s->predictors[3] = get_sbits(gb, size) << (10 - size);
+    s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size));
+    s->predictors[3] = get_sbits(gb, size) * (1 << (10 - size));
    if (filter_order > 4) {
        int tmp = size - get_bits1(gb);

        for (i = 4; i < filter_order; i++) {
            if (!(i & 3))
                x = tmp - get_bits(gb, 2);
-            s->predictors[i] = get_sbits(gb, x) << (10 - size);
+            s->predictors[i] = get_sbits(gb, x) * (1 << (10 - size));
        }
    }

-    tfilter[0] = s->predictors[0] << 6;
+    tfilter[0] = s->predictors[0] * 64;
    for (i = 1; i < filter_order; i++) {
        int32_t *p1 = &tfilter[0];
        int32_t *p2 = &tfilter[i - 1];
@@ -446,7 +446,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
            p2--;
        }

-        tfilter[i] = s->predictors[i] << 6;
+        tfilter[i] = s->predictors[i] * 64;
    }

    x = 1 << (32 - (15 - filter_quant));
@@ -480,7 +480,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
                     s->residues[i + j + 1] * s->filter[j + 1] +
                     s->residues[i + j    ] * s->filter[j    ];
            }
-            v = (av_clip_intp2(v >> filter_quant, 13) << dshift) - *decoded;
+            v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - *decoded;
            *decoded++ = v;
            s->residues[filter_order + i] = v >> dshift;
        }
@@ -893,7 +893,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data,
        for (chan = 0; chan < avctx->channels; chan++) {
            int32_t *samples = (int32_t *)frame->extended_data[chan];
            for (i = 0; i < s->nb_samples; i++)
-                samples[i] <<= 8;
+                samples[i] *= 1 << 8;
        }
        break;
    }
@@ -35,7 +35,8 @@ static int y216_decode_frame(AVCodecContext *avctx, void *data,
 {
    AVFrame *pic = data;
    const uint16_t *src = (uint16_t *)avpkt->data;
-    uint16_t *y, *u, *v, aligned_width = FFALIGN(avctx->width, 4);
+    uint16_t *y, *u, *v;
+    int aligned_width = FFALIGN(avctx->width, 4);
    int i, j, ret;

    if (avpkt->size < 4 * avctx->height * aligned_width) {
@@ -35,7 +35,7 @@
 #define RGBA(r, g, b, a) (((uint8_t)(r) <<  0) | \
                          ((uint8_t)(g) <<  8) | \
                          ((uint8_t)(b) << 16) | \
-                          ((uint8_t)(a) << 24))
+                          ((unsigned)(uint8_t)(a) << 24))

 static av_always_inline void extract_color(uint32_t colors[4],
                                           uint16_t color0,
@@ -158,7 +158,7 @@ static inline void dxt3_block_internal(uint8_t *dst, ptrdiff_t stride,

        for (x = 0; x < 4; x++) {
            uint8_t alpha = alpha_values[x];
-            uint32_t pixel = colors[code & 3] | (alpha << 24);
+            uint32_t pixel = colors[code & 3] | ((unsigned)alpha << 24);
            code >>= 2;

            AV_WL32(dst + x * 4, pixel);
@@ -291,7 +291,7 @@ static inline void dxt5_block_internal(uint8_t *dst, ptrdiff_t stride,
                    }
                }
            }
-            pixel = colors[code & 3] | (alpha << 24);
+            pixel = colors[code & 3] | ((unsigned)alpha << 24);
            code >>= 2;
            AV_WL32(dst + x * 4, pixel);
        }
@@ -213,10 +213,15 @@ static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int
 static av_cold int seqvideo_decode_init(AVCodecContext *avctx)
 {
    SeqVideoContext *seq = avctx->priv_data;
+    int ret;

    seq->avctx = avctx;
    avctx->pix_fmt = AV_PIX_FMT_PAL8;

+    ret = ff_set_dimensions(avctx, 256, 128);
+    if (ret < 0)
+        return ret;
+
    seq->frame = av_frame_alloc();
    if (!seq->frame)
        return AVERROR(ENOMEM);
@@ -408,7 +408,7 @@ static int tiff_unpack_lzma(TiffContext *s, AVFrame *p, uint8_t *dst, int stride
                            const uint8_t *src, int size, int width, int lines,
                            int strip_start, int is_yuv)
 {
-    uint64_t outlen = width * lines;
+    uint64_t outlen = width * (uint64_t)lines;
    int ret, line;
    uint8_t *buf = av_malloc(outlen);
    if (!buf)
@@ -904,6 +904,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
        break;
    case TIFF_STRIP_OFFS:
        if (count == 1) {
+            if (value > INT_MAX) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                    "strippos %u too large\n", value);
+                return AVERROR_INVALIDDATA;
+            }
            s->strippos = 0;
            s->stripoff = value;
        } else
@@ -915,6 +920,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
        break;
    case TIFF_STRIP_SIZE:
        if (count == 1) {
+            if (value > INT_MAX) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                    "stripsize %u too large\n", value);
+                return AVERROR_INVALIDDATA;
+            }
            s->stripsizesoff = 0;
            s->stripsize     = value;
            s->strips        = 1;
@@ -1008,6 +1018,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
            s->subsampling[i] = ff_tget(&s->gb, type, s->le);
            if (s->subsampling[i] <= 0) {
                av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]);
+                s->subsampling[i] = 1;
                return AVERROR_INVALIDDATA;
            }
        }
@@ -1035,6 +1046,10 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
        ADD_METADATA(count, "ModelTiepointTag", NULL);
        break;
    case TIFF_GEO_KEY_DIRECTORY:
+        if (s->geotag_count) {
+            avpriv_request_sample(s->avctx, "Multiple geo key directories\n");
+            return AVERROR_INVALIDDATA;
+        }
        ADD_METADATA(1, "GeoTIFF_Version", NULL);
        ADD_METADATA(2, "GeoTIFF_Key_Revision", ".");
        s->geotag_count   = ff_tget_short(&s->gb, s->le);
@@ -1042,7 +1057,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
            s->geotag_count = count / 4 - 1;
            av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n");
        }
-        if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) {
+        if (   bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4
+            || s->geotag_count == 0) {
            s->geotag_count = 0;
            return -1;
        }
@@ -177,10 +177,10 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt)
    int lo, hi;

    lo = ydt[p1];
-    lo += (lo << 5) + (lo << 10);
+    lo += (lo * 32) + (lo * 1024);
    hi = ydt[p2];
-    hi += (hi << 5) + (hi << 10);
-    return (lo + (hi << 16)) << 1;
+    hi += (hi * 32) + (hi * 1024);
+    return (lo + (hi * (1U << 16))) * 2;
 }

 static int make_cdt15_entry(int p1, int p2, int16_t *cdt)
@@ -188,9 +188,9 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt)
    int r, b, lo;

    b = cdt[p2];
-    r = cdt[p1] << 10;
+    r = cdt[p1] * 1024;
    lo = b + r;
-    return (lo + (lo << 16)) << 1;
+    return (lo + (lo * (1U << 16))) * 2;
 }

 #if HAVE_BIGENDIAN
@@ -245,7 +245,7 @@ static int vdpau_hevc_start_frame(AVCodecContext *avctx,
        const HEVCFrame *frame = &h->DPB[i];
        if (frame != h->ref && (frame->flags & (HEVC_FRAME_FLAG_LONG_REF |
                                                HEVC_FRAME_FLAG_SHORT_REF))) {
-            if (j > 16) {
+            if (j > 15) {
                av_log(avctx, AV_LOG_WARNING,
                     "VDPAU only supports up to 16 references in the DPB. "
                     "This frame may not be decoded correctly.\n");
@@ -1071,6 +1071,9 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)

    s->dct_tokens[0][0] = s->dct_tokens_base;

+    if (get_bits_left(gb) < 16)
+        return AVERROR_INVALIDDATA;
+
    /* fetch the DC table indexes */
    dc_y_table = get_bits(gb, 4);
    dc_c_table = get_bits(gb, 4);
@@ -1080,6 +1083,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
                                   0, residual_eob_run);
    if (residual_eob_run < 0)
        return residual_eob_run;
+    if (get_bits_left(gb) < 8)
+        return AVERROR_INVALIDDATA;

    /* reverse prediction of the Y-plane DC coefficients */
    reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
@@ -1102,6 +1107,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
                              s->fragment_width[1], s->fragment_height[1]);
    }

+    if (get_bits_left(gb) < 8)
+        return AVERROR_INVALIDDATA;
    /* fetch the AC table indexes */
    ac_y_table = get_bits(gb, 4);
    ac_c_table = get_bits(gb, 4);
@@ -2022,8 +2029,9 @@ static int vp3_decode_frame(AVCodecContext *avctx,
                ret = vp3_decode_init(avctx);
            if (ret < 0) {
                vp3_decode_end(avctx);
+                return ret;
            }
-            return ret;
+            return buf_size;
        } else if (type == 2) {
            vp3_decode_end(avctx);
            ret = theora_decode_tables(avctx, &gb);
@@ -2031,8 +2039,9 @@ static int vp3_decode_frame(AVCodecContext *avctx,
                ret = vp3_decode_init(avctx);
            if (ret < 0) {
                vp3_decode_end(avctx);
+                return ret;
            }
-            return ret;
+            return buf_size;
        }

        av_log(avctx, AV_LOG_ERROR,
@@ -41,7 +41,7 @@
 #define xC6S2 25080
 #define xC7S1 12785

-#define M(a, b) (((a) * (b)) >> 16)
+#define M(a, b) ((int)((SUINT)(a) * (b)) >> 16)

 static av_always_inline void idct(uint8_t *dst, int stride,
                                  int16_t *input, int type)
@@ -39,8 +39,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
 {
    VP56RangeCoder *c = &s->c;
    int rows, cols;
+    int ret;

-    ff_vp56_init_range_decoder(&s->c, buf, buf_size);
+    ret = ff_vp56_init_range_decoder(&s->c, buf, buf_size);
+    if (ret < 0)
+        return ret;
    s->frames[VP56_FRAME_CURRENT]->key_frame = !vp56_rac_get(c);
    vp56_rac_get(c);
    ff_vp56_init_dequant(s, vp56_rac_gets(c, 6));
@@ -181,7 +184,7 @@ static int vp5_parse_coeff(VP56Context *s)
    int b, i, cg, idx, ctx, ctx_last;
    int pt = 0;    /* plane type (0 for Y, 1 for U or V) */

-    if (c->end >= c->buffer && c->bits >= 0) {
+    if (c->end <= c->buffer && c->bits >= 0) {
        av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n");
        return AVERROR_INVALIDDATA;
    }
@@ -261,6 +261,25 @@ static VP56mb vp56_decode_mv(VP56Context *s, int row, int col)
    return s->mb_type;
 }

+static VP56mb vp56_conceal_mv(VP56Context *s, int row, int col)
+{
+    VP56mv *mv, vect = {0,0};
+    int b;
+
+    s->mb_type = VP56_MB_INTER_NOVEC_PF;
+    s->macroblocks[row * s->mb_width + col].type = s->mb_type;
+
+    mv = &vect;
+
+    s->macroblocks[row*s->mb_width + col].mv = *mv;
+
+    /* same vector for all blocks */
+    for (b=0; b<6; b++)
+        s->mv[b] = *mv;
+
+    return s->mb_type;
+}
+
 static void vp56_add_predictors_dc(VP56Context *s, VP56Frame ref_frame)
 {
    int idx = s->idct_scantable[0];
@@ -381,30 +400,18 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src,
    }
 }

-static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
+static av_always_inline void vp56_render_mb(VP56Context *s, int row, int col, int is_alpha, VP56mb mb_type)
 {
-    AVFrame *frame_current, *frame_ref;
-    VP56mb mb_type;
-    VP56Frame ref_frame;
    int b, ab, b_max, plane, off;
-    int ret;
-
-    if (s->frames[VP56_FRAME_CURRENT]->key_frame)
-        mb_type = VP56_MB_INTRA;
-    else
-        mb_type = vp56_decode_mv(s, row, col);
-    ref_frame = ff_vp56_reference_frame[mb_type];
-
-    ret = s->parse_coeff(s);
-    if (ret < 0)
-        return ret;
+    AVFrame *frame_current, *frame_ref;
+    VP56Frame ref_frame = ff_vp56_reference_frame[mb_type];

    vp56_add_predictors_dc(s, ref_frame);

    frame_current = s->frames[VP56_FRAME_CURRENT];
    frame_ref = s->frames[ref_frame];
    if (mb_type != VP56_MB_INTRA && !frame_ref->data[0])
-        return 0;
+        return;

    ab = 6*is_alpha;
    b_max = 6 - 2*is_alpha;
@@ -454,6 +461,38 @@ static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
        s->block_coeff[4][0] = 0;
        s->block_coeff[5][0] = 0;
    }
+}
+
+static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
+{
+    VP56mb mb_type;
+    int ret;
+
+    if (s->frames[VP56_FRAME_CURRENT]->key_frame)
+        mb_type = VP56_MB_INTRA;
+    else
+        mb_type = vp56_decode_mv(s, row, col);
+
+    ret = s->parse_coeff(s);
+    if (ret < 0)
+        return ret;
+
+    vp56_render_mb(s, row, col, is_alpha, mb_type);
+
+    return 0;
+}
+
+static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha)
+{
+    VP56mb mb_type;
+
+    if (s->frames[VP56_FRAME_CURRENT]->key_frame)
+        mb_type = VP56_MB_INTRA;
+    else
+        mb_type = vp56_conceal_mv(s, row, col);
+
+    vp56_render_mb(s, row, col, is_alpha, mb_type);
+
    return 0;
 }

@@ -468,6 +507,8 @@ static int vp56_size_changed(VP56Context *s)
    s->plane_height[0] = s->plane_height[3] = avctx->coded_height;
    s->plane_height[1] = s->plane_height[2] = avctx->coded_height/2;

+    s->have_undamaged_frame = 0;
+
    for (i=0; i<4; i++)
        s->stride[i] = s->flip * s->frames[VP56_FRAME_CURRENT]->linesize[i];

@@ -533,13 +574,18 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    }

    ret = ff_get_buffer(avctx, p, AV_GET_BUFFER_FLAG_REF);
-    if (ret < 0)
+    if (ret < 0) {
+        if (res == VP56_SIZE_CHANGE)
+            ff_set_dimensions(avctx, 0, 0);
        return ret;
+    }

    if (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) {
        av_frame_unref(s->alpha_context->frames[VP56_FRAME_CURRENT]);
        if ((ret = av_frame_ref(s->alpha_context->frames[VP56_FRAME_CURRENT], p)) < 0) {
            av_frame_unref(p);
+            if (res == VP56_SIZE_CHANGE)
+                ff_set_dimensions(avctx, 0, 0);
            return ret;
        }
    }
@@ -573,8 +619,12 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
        }
    }

+    s->discard_frame = 0;
    avctx->execute2(avctx, ff_vp56_decode_mbs, 0, 0, (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) + 1);

+    if (s->discard_frame)
+        return AVERROR_INVALIDDATA;
+
    if ((res = av_frame_ref(data, p)) < 0)
        return res;
    *got_frame = 1;
@@ -593,6 +643,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data,
    int block, y, uv;
    ptrdiff_t stride_y, stride_uv;
    int res;
+    int damaged = 0;

    if (p->key_frame) {
        p->pict_type = AV_PICTURE_TYPE_I;
@@ -657,9 +708,18 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data,
        s->block_offset[5] = s->block_offset[4];

        for (mb_col=0; mb_col<s->mb_width; mb_col++) {
-            int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha);
-            if (ret < 0)
-                return ret;
+            if (!damaged) {
+                int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha);
+                if (ret < 0) {
+                    damaged = 1;
+                    if (!s->have_undamaged_frame || !avctx->error_concealment) {
+                        s->discard_frame = 1;
+                        return AVERROR_INVALIDDATA;
+                    }
+                }
+            }
+            if (damaged)
+                vp56_conceal_mb(s, mb_row, mb_col, is_alpha);

            for (y=0; y<4; y++) {
                s->above_block_idx[y] += 2;
@@ -673,6 +733,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data,
        }
    }

+    if (!damaged)
+        s->have_undamaged_frame = 1;
+
 next:
    if (p->key_frame || s->golden_frame) {
        av_frame_unref(s->frames[VP56_FRAME_GOLDEN]);
@@ -203,6 +203,9 @@ struct vp56_context {
    VLC runv_vlc[2];
    VLC ract_vlc[2][3][6];
    unsigned int nb_null[2][2];       /* number of consecutive NULL DC/AC */
+
+    int have_undamaged_frame;
+    int discard_frame;
 };


@@ -221,7 +224,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 */

 extern const uint8_t ff_vp56_norm_shift[256];
-void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size);
+int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size);

 static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c)
 {
@@ -37,11 +37,14 @@ const uint8_t ff_vp56_norm_shift[256]= {
 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
 };

-void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size)
+int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size)
 {
    c->high = 255;
    c->bits = -16;
    c->buffer = buf;
    c->end = buf + buf_size;
+    if (buf_size < 1)
+        return AVERROR_INVALIDDATA;
    c->code_word = bytestream_get_be24(&c->buffer);
+    return 0;
 }
@@ -52,6 +52,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
    int sub_version;
    int rows, cols;
    int res = 0;
+    int ret;
    int separated_coeff = buf[0] & 1;

    s->frames[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80);
@@ -93,7 +94,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
                s->avctx->coded_width  = 16 * cols;
                s->avctx->coded_height = 16 * rows;
            } else {
-                int ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows);
+                ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows);
                if (ret < 0)
                    return ret;

@@ -105,7 +106,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
            res = VP56_SIZE_CHANGE;
        }

-        ff_vp56_init_range_decoder(c, buf+6, buf_size-6);
+        ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6);
+        if (ret < 0)
+            goto fail;
        vp56_rac_gets(c, 2);

        parse_filter_info = s->filter_header;
@@ -122,7 +125,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
            buf += 2;
            buf_size -= 2;
        }
-        ff_vp56_init_range_decoder(c, buf+1, buf_size-1);
+        ret = ff_vp56_init_range_decoder(c, buf+1, buf_size-1);
+        if (ret < 0)
+            return ret;

        s->golden_frame = vp56_rac_get(c);
        if (s->filter_header) {
@@ -157,15 +162,16 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
        buf      += coeff_offset;
        buf_size -= coeff_offset;
        if (buf_size < 0) {
-            if (s->frames[VP56_FRAME_CURRENT]->key_frame)
-                ff_set_dimensions(s->avctx, 0, 0);
-            return AVERROR_INVALIDDATA;
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
        }
        if (s->use_huffman) {
            s->parse_coeff = vp6_parse_coeff_huffman;
            init_get_bits(&s->gb, buf, buf_size<<3);
        } else {
-            ff_vp56_init_range_decoder(&s->cc, buf, buf_size);
+            ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size);
+            if (ret < 0)
+                goto fail;
            s->ccp = &s->cc;
        }
    } else {
@@ -173,6 +179,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
    }

    return res;
+fail:
+    if (res == VP56_SIZE_CHANGE)
+        ff_set_dimensions(s->avctx, 0, 0);
+    return ret;
 }

 static void vp6_coeff_order_table_init(VP56Context *s)
@@ -450,7 +460,7 @@ static int vp6_parse_coeff(VP56Context *s)
    int b, i, cg, idx, ctx;
    int pt = 0;    /* plane type (0 for Y, 1 for U or V) */

-    if (c->end >= c->buffer && c->bits >= 0) {
+    if (c->end <= c->buffer && c->bits >= 0) {
        av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n");
        return AVERROR_INVALIDDATA;
    }
@@ -260,6 +260,7 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size)
 {
    const uint8_t *sizes = buf;
    int i;
+    int ret;

    s->num_coeff_partitions = 1 << vp8_rac_get_uint(&s->c, 2);

@@ -273,13 +274,13 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size)
        if (buf_size - size < 0)
            return -1;

-        ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size);
+        ret = ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size);
+        if (ret < 0)
+            return ret;
        buf      += size;
        buf_size -= size;
    }
-    ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size);
-
-    return 0;
+    return ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size);
 }

 static void vp7_get_quants(VP8Context *s)
@@ -517,7 +518,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si

    memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab));

-    ff_vp56_init_range_decoder(c, buf, part1_size);
+    ret = ff_vp56_init_range_decoder(c, buf, part1_size);
+    if (ret < 0)
+        return ret;
    buf      += part1_size;
    buf_size -= part1_size;

@@ -569,7 +572,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
    s->lf_delta.enabled        = 0;

    s->num_coeff_partitions = 1;
-    ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size);
+    ret = ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size);
+    if (ret < 0)
+        return ret;

    if (!s->macroblocks_base || /* first frame */
        width != s->avctx->width || height != s->avctx->height ||
@@ -698,7 +703,9 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
        memset(&s->lf_delta, 0, sizeof(s->lf_delta));
    }

-    ff_vp56_init_range_decoder(c, buf, header_size);
+    ret = ff_vp56_init_range_decoder(c, buf, header_size);
+    if (ret < 0)
+        return ret;
    buf      += header_size;
    buf_size -= header_size;

@@ -2274,7 +2281,7 @@ static void vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame,
 #define update_pos(td, mb_y, mb_x) while(0)
 #endif

-static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
+static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
                                        int jobnr, int threadnr, int is_vp7)
 {
    VP8Context *s = avctx->priv_data;
@@ -2290,6 +2297,10 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void
        curframe->tf.f->data[1] +  8 * mb_y * s->uvlinesize,
        curframe->tf.f->data[2] +  8 * mb_y * s->uvlinesize
    };
+
+    if (c->end <= c->buffer && c->bits >= 0)
+         return AVERROR_INVALIDDATA;
+
    if (mb_y == 0)
        prev_td = td;
    else
@@ -2318,6 +2329,8 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void
    s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN;

    for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) {
+        if (c->end <= c->buffer && c->bits >= 0)
+            return AVERROR_INVALIDDATA;
        // Wait for previous thread to read mb_x+2, and reach mb_y-1.
        if (prev_td != td) {
            if (threadnr != 0) {
@@ -2393,18 +2406,19 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void
            update_pos(td, mb_y, mb_x);
        }
    }
+    return 0;
 }

-static void vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
+static int vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
                                        int jobnr, int threadnr)
 {
-    decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1);
+    return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1);
 }

-static void vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
+static int vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
                                        int jobnr, int threadnr)
 {
-    decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0);
+    return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0);
 }

 static av_always_inline void filter_mb_row(AVCodecContext *avctx, void *tdata,
@@ -2487,13 +2501,16 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr,
    VP8ThreadData *next_td = NULL, *prev_td = NULL;
    VP8Frame *curframe = s->curframe;
    int mb_y, num_jobs = s->num_jobs;
+    int ret;

    td->thread_nr = threadnr;
    for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) {
-        if (mb_y >= s->mb_height)
-            break;
        td->thread_mb_pos = mb_y << 16;
-        s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr);
+        ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr);
+        if (ret < 0) {
+            update_pos(td, s->mb_height, INT_MAX & 0xFFFF);
+            return ret;
+        }
        if (s->deblock_filter)
            s->filter_mb_row(avctx, tdata, jobnr, threadnr);
        update_pos(td, mb_y, INT_MAX & 0xFFFF);
@@ -2530,6 +2547,8 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    enum AVDiscard skip_thresh;
    VP8Frame *av_uninit(curframe), *prev_frame;

+    av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P);
+
    if (is_vp7)
        ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size);
    else
@@ -275,7 +275,7 @@ typedef struct VP8Context {
     */
    int mb_layout;

-    void (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr);
+    int (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr);
    void (*filter_mb_row)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr);

    int vp7;
@@ -53,7 +53,8 @@ static void name ## _idct_dc_add4y_c(uint8_t *dst, int16_t block[4][16],      \
 #if CONFIG_VP7_DECODER
 static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16])
 {
-    int i, a1, b1, c1, d1;
+    int i;
+    unsigned a1, b1, c1, d1;
    int16_t tmp[16];

    for (i = 0; i < 4; i++) {
@@ -61,10 +62,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16])
        b1 = (dc[i * 4 + 0] - dc[i * 4 + 2]) * 23170;
        c1 = dc[i * 4 + 1] * 12540 - dc[i * 4 + 3] * 30274;
        d1 = dc[i * 4 + 1] * 30274 + dc[i * 4 + 3] * 12540;
-        tmp[i * 4 + 0] = (a1 + d1) >> 14;
-        tmp[i * 4 + 3] = (a1 - d1) >> 14;
-        tmp[i * 4 + 1] = (b1 + c1) >> 14;
-        tmp[i * 4 + 2] = (b1 - c1) >> 14;
+        tmp[i * 4 + 0] = (int)(a1 + d1) >> 14;
+        tmp[i * 4 + 3] = (int)(a1 - d1) >> 14;
+        tmp[i * 4 + 1] = (int)(b1 + c1) >> 14;
+        tmp[i * 4 + 2] = (int)(b1 - c1) >> 14;
    }

    for (i = 0; i < 4; i++) {
@@ -73,10 +74,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16])
        c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274;
        d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540;
        AV_ZERO64(dc + i * 4);
-        block[0][i][0] = (a1 + d1 + 0x20000) >> 18;
-        block[3][i][0] = (a1 - d1 + 0x20000) >> 18;
-        block[1][i][0] = (b1 + c1 + 0x20000) >> 18;
-        block[2][i][0] = (b1 - c1 + 0x20000) >> 18;
+        block[0][i][0] = (int)(a1 + d1 + 0x20000) >> 18;
+        block[3][i][0] = (int)(a1 - d1 + 0x20000) >> 18;
+        block[1][i][0] = (int)(b1 + c1 + 0x20000) >> 18;
+        block[2][i][0] = (int)(b1 - c1 + 0x20000) >> 18;
    }
 }

@@ -95,7 +96,8 @@ static void vp7_luma_dc_wht_dc_c(int16_t block[4][4][16], int16_t dc[16])

 static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride)
 {
-    int i, a1, b1, c1, d1;
+    int i;
+    unsigned a1, b1, c1, d1;
    int16_t tmp[16];

    for (i = 0; i < 4; i++) {
@@ -104,10 +106,10 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride)
        c1 = block[i * 4 + 1] * 12540 - block[i * 4 + 3] * 30274;
        d1 = block[i * 4 + 1] * 30274 + block[i * 4 + 3] * 12540;
        AV_ZERO64(block + i * 4);
-        tmp[i * 4 + 0] = (a1 + d1) >> 14;
-        tmp[i * 4 + 3] = (a1 - d1) >> 14;
-        tmp[i * 4 + 1] = (b1 + c1) >> 14;
-        tmp[i * 4 + 2] = (b1 - c1) >> 14;
+        tmp[i * 4 + 0] = (int)(a1 + d1) >> 14;
+        tmp[i * 4 + 3] = (int)(a1 - d1) >> 14;
+        tmp[i * 4 + 1] = (int)(b1 + c1) >> 14;
+        tmp[i * 4 + 2] = (int)(b1 - c1) >> 14;
    }

    for (i = 0; i < 4; i++) {
@@ -116,13 +118,13 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride)
        c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274;
        d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540;
        dst[0 * stride + i] = av_clip_uint8(dst[0 * stride + i] +
-                                            ((a1 + d1 + 0x20000) >> 18));
+                                            ((int)(a1 + d1 + 0x20000) >> 18));
        dst[3 * stride + i] = av_clip_uint8(dst[3 * stride + i] +
-                                            ((a1 - d1 + 0x20000) >> 18));
+                                            ((int)(a1 - d1 + 0x20000) >> 18));
        dst[1 * stride + i] = av_clip_uint8(dst[1 * stride + i] +
-                                            ((b1 + c1 + 0x20000) >> 18));
+                                            ((int)(b1 + c1 + 0x20000) >> 18));
        dst[2 * stride + i] = av_clip_uint8(dst[2 * stride + i] +
-                                            ((b1 - c1 + 0x20000) >> 18));
+                                            ((int)(b1 - c1 + 0x20000) >> 18));
    }
 }

@@ -842,7 +842,10 @@ static int decode_frame_header(AVCodecContext *ctx,
        av_log(ctx, AV_LOG_ERROR, "Invalid compressed header size\n");
        return AVERROR_INVALIDDATA;
    }
-    ff_vp56_init_range_decoder(&s->c, data2, size2);
+    res = ff_vp56_init_range_decoder(&s->c, data2, size2);
+    if (res < 0)
+        return res;
+
    if (vp56_rac_get_prob_branchy(&s->c, 128)) { // marker bit
        av_log(ctx, AV_LOG_ERROR, "Marker bit was set\n");
        return AVERROR_INVALIDDATA;
@@ -4126,7 +4129,9 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame,
                        ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0);
                        return AVERROR_INVALIDDATA;
                    }
-                    ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size);
+                    res = ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size);
+                    if (res < 0)
+                        return res;
                    if (vp56_rac_get_prob_branchy(&s->c_b[tile_col], 128)) { // marker bit
                        ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0);
                        return AVERROR_INVALIDDATA;
@@ -267,7 +267,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc,
    int bit;

    if (s->extra_bits) {
-        S <<= s->extra_bits;
+        S *= 1 << s->extra_bits;

        if (s->got_extra_bits &&
            get_bits_left(&s->gb_extra_bits) >= s->extra_bits) {
@@ -682,7 +682,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
    s->hybrid_bitrate =   s->frame_flags & WV_HYBRID_BITRATE;
    s->post_shift     = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f);
    s->hybrid_maxclip =  ((1LL << (orig_bpp - 1)) - 1);
-    s->hybrid_minclip = ((-1LL << (orig_bpp - 1)));
+    s->hybrid_minclip = ((-1UL << (orig_bpp - 1)));
    s->CRC            = bytestream2_get_le32(&gb);

    // parse metadata blocks
@@ -736,13 +736,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
            }
            for (i = 0; i < weights; i++) {
                t = (int8_t)bytestream2_get_byte(&gb);
-                s->decorr[s->terms - i - 1].weightA = t << 3;
+                s->decorr[s->terms - i - 1].weightA = t * (1 << 3);
                if (s->decorr[s->terms - i - 1].weightA > 0)
                    s->decorr[s->terms - i - 1].weightA +=
                        (s->decorr[s->terms - i - 1].weightA + 64) >> 7;
                if (s->stereo_in) {
                    t = (int8_t)bytestream2_get_byte(&gb);
-                    s->decorr[s->terms - i - 1].weightB = t << 3;
+                    s->decorr[s->terms - i - 1].weightB = t * (1 << 3);
                    if (s->decorr[s->terms - i - 1].weightB > 0)
                        s->decorr[s->terms - i - 1].weightB +=
                            (s->decorr[s->terms - i - 1].weightB + 64) >> 7;
@@ -837,7 +837,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
                continue;
            }
            bytestream2_get_buffer(&gb, val, 4);
-            if (val[0] > 32) {
+            if (val[0] > 31) {
                av_log(avctx, AV_LOG_ERROR,
                       "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]);
                continue;
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .0.7
 .0.8