Changelog: update

avcodec/dstdec: Replace AC overread check by sample rate check
Real files do skip coding 0 bits at the end, thus this kind of check does not work reliable. Fixes: Ticket 8770 Fixes: dst-256fs44-6ch-refdstencoder.dff The samplerate is specified in ISO/IEC 14496-3:2005(E) as one of 3 fixed values, this also can be used to limit the duration and avoid the timeout This reverts commit f6df99dba1. (cherry picked from commit 1679f23beb) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-02 18:50:40 +02:00 · 2020-07-02 18:49:22 +02:00 · 2020-07-01 15:50:18 +02:00 · 2020-07-01 15:50:17 +02:00 · 2020-07-01 13:10:34 +02:00 · 2020-07-01 12:49:26 +02:00
282 changed files with 2800 additions and 1207 deletions
@@ -1,6 +1,565 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 3.2.15:
+ avcodec/dstdec: Replace AC overread check by sample rate check
+ avformat/mov: fix memleaks
+ libavformat/mov: Fix memleaks when demuxing DV audio
+ avformat/utils: reorder duration computation to avoid overflow
+ avcodec/pngdec: Check for fctl after idat
+ png: split header state and data state in two separate variables.
+ avformat/hls: Pass a copy of the URL for probing
+ avformat/hls: check segment duration value of EXTINF
+ avutil/common: Fix integer overflow in av_ceil_log2_c()
+ avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms
+ avformat/mvdec: Fix integer overflow with billions of channels
+ avformat/microdvddec: skip malformed lines without frame number.
+ avformat/mxfdec: free duplicated utf16 strings
+ avformat/4xm: Check that a video stream was created before returning packets for it
+ avcodec/ffwavesynth: Avoid undefined operation on ts overflow
+ avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv()
+ avcodec/lossless_audiodsp: Fix undefined overflows in scalarproduct_and_madd_int16_c()
+ avcodec/sonic: Fix several integer overflows
+ avcodec/iff: Fix off by x error
+ avcodec/wmalosslessdec: Check block_align maximum
+ avcodec/loco: Fix signed integer overflow in loco_get_rice()
+ avformat/thp: Check fps
+ avformat/mpl2dec: Fix integer overflow with duration
+ avcodec/mpeg12dec: remove outdated comments
+ avcodec/snowdec: Avoid integer overflow with huge qlog
+ avcodec/mpeg12dec: Fix got_output
+ avformat/4xm: Cleanup on GET_LIST_HEADER() failure
+ avcodec/lzf: Consider the needed size in reallocation
+ avformat/mlvdec: fail reading a packet with 0 streams
+ avformat/thp: Check compcount
+ avcodec/adpcm: XA: Check shift similar to filter
+ avcodec/huffyuvdec: Test vertical coordinate more often
+ avcodec/hq_hqa: Check info size
+ avcodec/wmalosslessdec: Fix integer overflow in mclms_predict()
+ avcodec/vp9dsp_template: Fix integer overflow(s) in iadst16_1d()
+ avcodec/h264dec: Disable forced small_padding on flag2 fast
+ avformat/oggparsevorbis: Error out on double init of vp
+ avcodec/pnmdec: Use unsigned for maxval rescaling
+ avcodec/ivi: Clear got_p_frame before decoding a new frame using it
+ avcodec/dsddec: Check channels
+ avcodec/xvididct: Fix integer overflow in idct_row()
+ avcodec/wmalosslessdec: Fix integer overflows in revert_inter_ch_decorr()
+ avformat/mpegenc: Fix integer overflow with AV_NOPTS_VALUE
+ avformat/swfenc: Fix integer overflow in frame rate handling
+ avformat/aadec: Check toc_size to contain the minimum to demuxer uses
+ avformat/mov: Don't allow negative sample sizes.
+ mpeg4videoenc: Don't crash with -fsanitize=bounds
+ avcodec/binkaudio: Fix 2Ghz sample_rate
+ avcodec/adpcm: Fix integer overflow in ADPCM THP
+ avcodec/ralf: Check num_blocks before use
+ avcodec/iff: Test video_size being non zero
+ avcodec/utvideodec: Fix integer overflow in decode_plane()
+ avcodec/ttadsp: Fix several integer overflows in tta_filter_process_c()
+ avcodec/ralf: Fix integer overflow in decode_block()
+ avcodec/nuv: widen buf_size type
+ avcodec/iff: Fix several integer overflows
+ avcodec/g729postfilter: Clip gain before scaling with AGC_FAC1
+ avcodec/alac: Fix integer overflow with 24/20bps samples
+ avcodec/dstdec: Check sample rate
+ avformat/thp: Require a video stream
+ avformat/mpeg: Decrease score by 1 for files with very little valid data
+ avcodec/pngdec: Check length in fdAT
+ avcodec/g2meet: Check tile_width in epic_jb_decode_tile()
+ avcodec/vp9dsp_template: Fix integer overflows in idct32_1d()
+ avcodec/alacdsp: Fix invalid shift in append_extra_bits()
+ libavcodec/wmalosslessdec: prevent sum of positive numbers from becoming negative
+ avcodec/dstdec: Fix integer overflow in read_table()
+ avcodec/txd: Check for input size against the header size.
+ avcodec/svq1dec: Check that there is data left after the header
+ avcodec/intrax8: Check for end of bitstream in ff_intrax8_decode_picture()
+ avformat/mpegts: Shuffle avio_seek
+ rtmpdh: Don't use the OpenSSL DH struct
+ avcodec/hevc_mp4toannexb_bsf: Check nalu_size
+ avcodec/iff: Check length before memcpy() in decode_deep_rle32()
+ avcodec/iff: Fix invalid pointer intermediates in decode_deep_rle32()
+ avcodec/rv40dsp: Fix integer overflows in rv40_weight_func_*()
+ avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs()
+ avcodec/flac_parser: Do not lose header count in find_headers_search()
+ avcodec/audiodsp: Fix integer overflow in scalarproduct_int16_c()
+ avformat/oggdec: Check for EOF after page header
+ swscale/yuv2rgb: Fix vertical dither offset with slices
+ avcodec/dpcm: clip exponent into supported range in XAN DPCM
+ avcodec/flacdsp_template: Fix invalid shifts in decorrelate
+ avcodec/xvididct: Fix integer overflow in MULT()
+ avcodec/ffwavesynth: Correct undefined overflow of PINK_UNIT
+ swscale/output: Fix integer overflow in yuv2rgb_write_full() with out of range input
+ libavformat/amr.c: Check return value from avio_read()
+ libavformat/mov.c: Free aes_decrypt to avoid leaking memory
+ libavformat/oggdec.c: Check return value from avio_read()
+ avformat/asfdec_f: Fix overflow check in get_tag()
+ avformat/nsvdec: Fix memleaks on errors while reading the header
+ avcodec/ffwavesynth: Fix integer overflow in computation of ddphi
+ avcodec/adpcm: Fix invalid shift in AV_CODEC_ID_ADPCM_PSX
+ avcodec/mpeg12dec: Fix invalid shift in mpeg2_fast_decode_block_intra()
+ avcodec/mpegaudioenc_template: fix invalid shift of sample
+ avcodec/motion_est_template: Fix invalid shifts in no_sub_motion_search()
+ libavformat/avienc: Check bits per sample for PAL8
+ avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet()
+ avcodec/magicyuv: Check that there are enough lines for interlacing to be possible
+ avformat/mvdec: Check stream numbers
+ avcodec/pcm: Fix invalid shift in AV_CODEC_ID_PCM_LXF
+ avcodec/qdm2: Check fft_coefs_index
+ avformat/avidec: Avoid integer overflow in NI switch check
+ fftools/ffmpeg: Fix integer overflow in duration computation in seek_to_start()
+ avfilter/vf_aspect: Fix integer overflow in compute_dar()
+ avcodec/apedec: Fix invalid shift with 24 bps
+ avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index()
+ avcodec/wmalosslessdec: Fix integer overflow with sliding in padding bits
+ avcodec/wmalosslessdec: Fix loop in revert_acfilter()
+ avcodec/lagarith: Sanity check scale
+ avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950()
+ avcodec/ralf: Fix integer overflow in apply_lpc()
+ avcodec/dca_lbr: Fix some error codes and error passing
+ avcodec/wmavoice: Fix rounding and integer anomalies in calc_input_response()
+ avcodec/pcm: Fix invalid shift in pcm_decode_frame for LXF
+ avcodec/snappy: Sanity check bytestream2_get_levarint()
+ avcodec/mlpdsp: Fix a invalid shift in ff_mlp_rematrix_channel()
+ avcodec/avdct: Clear IDCTDSPContext context
+ avcodec/x86/diracdsp: Fix high bits on Windows x86_64
+ avformat/mov: Check STCO location
+ avcodec/wmalosslessdec: Fix multiple integer overflows
+ avcodec/apedec: Fix undefined integer overflow in decode_array_0000()
+ avcodec/smacker: Check space before decoding type
+ avcodec/rawdec: Use linesize in b64a
+ avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM
+ avcodec/x86/diracdsp: Fix incorrect src addressing in dequant_subband_32()
+ avfilter/vf_find_rect: Remove assert
+ avfilter/vf_find_rect: Increase worst case score
+ swscale/input: Fix several invalid shifts related to rgb2yuv constants
+ swscale/output: Fix several invalid shifts in yuv2rgb_full_1_c_template()
+ swscale/swscale: Fix several invalid shifts related to vChrDrop
+ avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow
+ avcodec/hevc_mp4toannexb_bsf: Avoid NULL memcpy()
+ avcodec/wmalosslessdec: move channel check up
+ avcodec/adpcm: Fix overflow in FFABS() IMA_EA_EACS
+ avcodec/alac: Fix integer overflow in LPC coefficient adaption
+ avcodec/g729postfilter: Optimize out overflowing multiplication from apply_tilt_comp()
+ avcodec/vc1dec: Check field_mode for sprites
+ avcodec/vc1dec: Limit bits by the actual bitstream size
+ avcodec/vmdaudio: Check block_align more
+ configure: bump year
+ avcodec/pgssubdec: Free subtitle on error
+ avcodec/ffwavesynth: Fix undefined overflow in wavesynth_synth_sample()
+ avcodec/cook: Use 3 stage VLC decoding for channel_coupling
+ avcodec/wmalosslessdec: Fixes undefined overflow in dequantization in decode_subframe()
+ avcodec/sonic: Check e in get_symbol()
+ avcodec/twinvqdec: Correct overflow in block align check
+ avcodec/vc1dec: Fix "return -1" cases
+ avcodec/vc1dec: Free sprite_output_frame on error
+ avcodec/wmadec: Keep track of exponent initialization per channel
+ avcodec/iff: Check that video_size is large enough for the read parameters
+ avcodec/adpcm: Clip predictor for APC
+ avcodec/targa: Check colors vs. available space
+ avcodec/dstdec: Use get_ur_golomb_jpegls()
+ avcodec/wmavoice: Check remaining input in parse_packet_header()
+ avcodec/wmalosslessdec: Fix 2 overflows in mclms
+ avcodec/wmaprodec: Fixes integer overflow with 32bit samples
+ avcodec/adpcm: Fix invalid shift in xa_decode()
+ avcodec/wmalosslessdec: Fix several integer issues
+ avcodec/wmalosslessdec: Check that padding bits is not more than sample bits
+ avcodec/iff: Skip overflowing runs in decode_delta_d()
+ avcodec/pnm: Check that the header is not truncated
+ avcodec/mp3_header_decompress_bsf: Check sample_rate_index
+ avformat/rmdec: Initialize and sanity check offset in ivr_read_header()
+ avcodec/apedec: Fix 2 integer overflows
+ avcodec/wmaprodec: Set packet_loss when we error out on a sanity check
+ avcodec/truemotion2: Fix 2 integer overflows in tm2_low_res_block()
+ avcodec/g729dec: require buf_size to be non 0
+ avcodec/alac: Fix integer overflow in lpc_prediction() with sign
+ avcodec/wmaprodec: Fix buflen computation in save_bits()
+ avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv()
+ avcodec/vmdaudio: Check chunk counts to avoid integer overflow
+ avformat/mxfdec: Clear metadata_sets_count in mxf_read_close()
+ avcodec/nuv: Use ff_set_dimensions()
+ avcodec/ffwavesynth: Fix integer overflow with pink_ts_cur/next
+ avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel()
+ avcodec/g729dec: Use 64bit and clip in scalar product
+ avcodec/mxpegdec: Check for multiple SOF
+ avcodec/nuv: Move comptype check up
+ avcodec/wmavoice: Fix integer overflow in synth_frame()
+ avcodec/rawdec: Check bits_per_coded_sample more pedantically for 16bit cases
+ avutil/lfg: Correct index increment type to avoid undefined behavior
+ avcodec/cngdec: Remove AV_CODEC_CAP_DELAY
+ avcodec/iff: Move index use after check in decodeplane8()
+ avcodec/atrac3: Check for huge block aligns
+ avcodec/ralf: use multiply instead of shift to avoid undefined behavior in decode_block()
+ avcodec/wmadec: Require previous exponents for reuse
+ avcodec/vc1_block: Fix undefined behavior in ac prediction rescaling
+ avcodec/apedec: Fixes integer overflow of res+*data in do_apply_filter()
+ avcodec/sonic: Fix integer overflow in predictor_calc_error()
+ avformat/mp3dec: Check that the frame fits within the probe buffer
+ lavc/tableprint_vlc: Remove avpriv_request_sample() from included files.
+ avcodec/interplayacm: Fix overflow of last unused value
+ avcodec/adpcm: Fix undefined behavior with negative predictions in IMA OKI
+ avcodec/cook: Move up and extend block_align check
+ avcodec/twinvq: Check block_align
+ avcodec/cook: Enlarge gain table
+ avcodec/cook: Check samples_per_channel earlier
+ avcodec/atrac3plus: Check split point in fill mode 3
+ avcodec/wmavoice: Check sample_rate
+ avcodec/xsubdec: fix overflow in alpha handling
+ avcodec/iff: Check available space before entering loop in decode_long_vertical_delta2() / decode_long_vertical_delta()
+ avcodec/apedec: Fix integer overflow in filter_3800()
+ avcodec/ffv1dec: Use a different error message for the slice level CRC
+ avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830()
+ avcodec/dstdec: Check that AC probabilities are within range
+ avcodec/dstdec: Check read_table() for failure
+ avcodec/snowenc: Fix 2 undefined shifts
+ avformat/nutenc: Do not pass NULL to memcmp() in get_needed_flags()
+ avcodec/aacdec_template: Check samplerate
+ avcodec/truemotion2: Fix several integer overflows in tm2_low_res_block()
+ avcodec/utils: Check block_align
+ avcodec/wmalosslessdec: Fix some integer anomalies
+ avcodec/adpcm: Fix invalid shifts in ADPCM DTK
+ avcodec/apedec: Only clear the needed buffer space, instead of all
+ avcodec/libvorbisdec: Fix insufficient input checks leading to out of array reads
+ avcodec/vp5: Check render_x/y
+ avcodec/qdrw: Check input for header/skiped space before get_buffer()
+ avcodec/ralf: Skip initializing unused filter variables
+ avcodec/takdec: Fix overflow with large sample rates
+ avcodec/alsdec: Check that input space for header exists in read_diff_float_data()
+ avformat/pjsdec: Check duration for overflow
+ avcodec/ptx: Check that the input contains at least one line
+ avcodec/alac: Fix integer overflow in LPC
+ avcodec/smacker: Fix integer overflows in pred[] in smka_decode_frame()
+ avcodec/aliaspixdec: Check input size against minimal picture size
+ avcodec/ffwavesynth: Fix integer overflows in pink noise addition
+ avcodec/vc1_block: Fixes integer overflow in vc1_decode_i_block_adv()
+ avcodec/wmalosslessdec: Check block_align
+ avcodec/g729postfilter: Fix left shift of negative value
+ avcodec/binkaudio: Check sample rate
+ avcodec/adpcm: Check initial predictor for ADPCM_IMA_EA_EACS
+ avcodec/apedec: Fix integer overflow in predictor_update_3930()
+ avcodec/g729postfilter: Fix undefined intermediate pointers
+ avcodec/g729postfilter: Fix undefined shifts
+ avcodec/lsp: Fix undefined shifts in lsp2poly()
+ avcodec/adpcm: Fix left shifts in AV_CODEC_ID_ADPCM_EA
+ avformat/shortendec: Check k in probe
+ avfilter/vf_geq: Use av_clipd() instead of av_clipf()
+ avcodec/ituh263dec: Check input for minimal frame size
+ avcodec/truemotion1: Check that the input has enough space for a minimal index_stream
+ avformat/mpsubdec: Clear queue on error
+ avcodec/sunrast: Check that the input is large enough for the maximally compressed image
+ avcodec/sunrast: Check for availability of maplength before allocating image
+ avformat/subtitles: Check nb_subs in ff_subtitles_queue_finalize()
+ avcodec/g2meet: Check for end of input in jpg_decode_block()
+ avcodec/g2meet: Check if adjusted pixel was on the stack
+ avformat/electronicarts: If no packet has been read at the end do not treat it as if theres a packet
+ avcodec/utils: Check sample_rate before opening the decoder
+ avcodec/motionpixels: Mark 2 functions as always_inline
+ avcodec/ralf: Fix integer overflow in decode_channel()
+ vcodec/vc1: compute rangex/y only for P/B frames
+ avcodec/vc1_pred: Fix invalid shifts in scaleforopp()
+ avcodec/vc1_block: Fix invalid shift with rangeredfrm
+ avcodec/vc1: Check for excessive resolution
+ avcodec/vc1: check REFDIST
+ avcodec/apedec: Fix several integer overflows in predictor_update_filter() and do_apply_filter()
+ avcodec/hevc_cabac: Tighten the limit on k in ff_hevc_cu_qp_delta_abs()
+ avcodec/4xm: Check index in decode_i_block() also in the path where its not used.
+ avcodec/atrac3: Check block_align
+ avcodec/alsdec: Avoid dereferencing context pointer in inner interleave loop
+ avcodec/dstdec: Fix integer overflow in samples_per_frame computation
+ avcodec/g729_parser: Check block_size
+ avcodec/utils: Optimize ff_color_frame() using memcpy()
+ avcodec/aacdec: Check if we run out of input in read_stream_mux_config()
+ avcodec/utils: Use av_memcpy_backptr() in ff_color_frame()
+ avcodec/smacker: Fix integer overflow in signed int multiply in SMK_BLK_FILL
+ avcodec/alac: Fix invalid shifts in 20/24 bps
+ avcodec/alac: fix undefined behavior with INT_MIN in lpc_prediction()
+ avcodec/ffwavesynth: Fix integer overflow in timestamps
+ avcodec/adpcm: Check number of channels for MTAF
+ avcodec/sunrast: Fix indention
+ avcodec/sunrast: Fix return type for "unsupported (compression) type"
+ avformat/mov: Check for EOF in mov_read_meta()
+ avformat/cdxl: Fix integer overflow in intermediate
+ avcodec/hevcdec: repeat character in skiped
+ avcodec/htmlsubtitles: Avoid locale dependant isdigit()
+ avcodec/alsdec: Check k from being outside what our implementation can handle
+ avcodec/aacps: Fix integer overflows in hybrid_synthesis()
+ avcodec/vp56rac: delay signaling an error on truncated input
+ avcodec/vp5/6/8: use vpX_rac_is_end()
+ avcodec/vp56: Add vpX_rac_is_end() to check for the end of input
+ avcodec/qdm2: Check frame size
+ avcodec/vc1_pred: Fix refdist in scaleforopp()
+ avcodec/vorbisdec: fix FASTDIV usage for vr_type == 2
+ avcodec/iff: Check for overlap in cmap_read_palette()
+ avcodec/apedec: Fix 32bit int overflow in do_apply_filter()
+ avcodec/ralf: fix undefined shift in extend_code()
+ avcodec/ralf: fix undefined shift
+ avcodec/bgmc: Check input space in ff_bgmc_decode_init()
+ avcodec/truemotion2: Fix multiple integer overflows in tm2_null_res_block()
+ avcodec/vc1dec: Require res_sprite for wmv3images
+ avcodec/vc1_block: Check for double escapes
+ avcodec/vorbisdec: Check get_vlc2() failure
+ avcodec/tta: Fix integer overflow in prediction
+ avcodec/vb: Check input packet size to be large enough to contain flags
+ avcodec/cavsdec: Limit the number of access units per packet to 2
+ avcodec/alac: Fix multiple integer overflows in lpc_prediction()
+ avcodec/rl2: set dimensions
+ avcodec/aacdec: Add FF_CODEC_CAP_INIT_CLEANUP
+ avformat/realtextdec: free queue on error
+ avcodec/alsdec: Fix integer overflow in decode_var_block_data()
+ avcodec/alsdec: Limit maximum channels to 512
+ avcodec/anm: Check input size for a frame with just a stop code
+ avcodec/loco: Check left column value
+ avcodec/ffwavesynth: Fixes invalid shift with pink noise seeking
+ avcodec/ffwavesynth: Fix integer overflow for some corner case values
+ avcodec/indeo2: Check remaining input more often
+ avcodec/diracdec: Check that slices are fewer than pixels
+ avcodec/vp56: Consider the alpha start as end of the prior header
+ avcodec/4xm: Check for end of input in decode_p_block()
+ avcodec/hnm4video: Optimize postprocess_current_frame()
+ avcodec/hevc_refs: Optimize 16bit generate_missing_ref()
+ avcodec/dds: Use ff_set_dimensions()
+ avcodec/mpc8: Fix 32bit mask/enum
+ avcodec/alsdec: Fix integer overflows of raw_samples in decode_var_block_data()
+ avcodec/alsdec: Fix integer overflow of raw_samples in decode_blocks()
+ avcodec/alsdec: fix mantisse shift
+ avcodec/aacdec_template: fix integer overflow in imdct_and_windowing()
+ libavcodec/iff: Use unsigned to avoid undefined behaviour
+ avcodec/alsdec: Check for block_length <= 0 in read_var_block_data()
+ avcodec/vqavideo: Set video size
+ avcodec/sanm: Check extradata_size before allocations
+ avcodec/mss1: check for overread and forward errors
+ avcodec/dirac_parser: Fix overflow in dts
+ avcodec/ralf: Fix undefined pointer in decode_channel()
+ avcodec/ralf: Fix integer overflow in apply_lpc()
+ avcodec/vorbisdec: Implement vr->classifications = 1
+ avcodec/vorbisdec: Check parameters in vorbis_floor0_decode() before divide
+ avformat/realtextdec: Check for duplicate extradata in realtext_read_header()
+ avcodec/apedec: Fix 2 signed overflows
+ avcodec/mss3: Check for the rac stream being invalid in rac_normalize()
+ avcodec/vc1_block: Check get_vlc2() return before use
+ avcodec/apedec: Do not partially clear data array
+ avcodec/hnm4video: Forward errors of decode_interframe_v4()
+ avcodec/vp3: Check that theora is theora
+ avcodec/vc1_pred: Fix invalid shift in scaleforsame()
+ avcodec/vc1_block: Fix integer overflow in ff_vc1_pred_dc()
+ avcodec/truemotion2: Fix several integer overflows in tm2_motion_block()
+ avcodec/apedec: make left/right unsigned to avoid undefined behavior
+ avcodec/apedec: Fix multiple integer overflows and undefined behaviorin filter_3800()
+ avformat/mpc: deallocate frames array on errors
+ avcodec/eatqi: Check for minimum frame size
+ avcodec/eatgv: Check remaining size after the keyframe header
+ avcodec/assdec: undefined use of memcpy()
+ avcodec/brenderpix: Check input size before allocating image
+ lafv/wavdec: Fail bext parsing on incomplete reads
+ avcodec/vorbisdec: Check vlc for floor0 dec vector offset
+ avcodec/vorbisdec: amplitude bits can be more than 25 bits
+ avcodec/apedec: Fix various integer overflows
+ avcodec/apedec: Fix multiple integer overflows in predictor_update_filter()
+ avcodec/alsdec: fix undefined shift in multiply()
+ avcodec/alsdec: Fix 2 integer overflows
+ avcodec/flicvideo: Make line_packets int
+ avcodec/dvbsubdec: Use ff_set_dimensions()
+ avcodec/ffwavesynth: Check if there is enough extradata before allocation
+ avcodec/ffwavesynth: More correct cast in wavesynth_seek()
+ avcodec/ffwavesynth: Check sample rate before use
+ avformat/utils: Check rfps_duration_sum for overflow
+ avcodec/h264_refs: Also check reference in ff_h264_build_ref_list()
+ avcodec/parser: Check next index validity in ff_combine_frame()
+ avcodec/ivi: Ask for samples with odd tiles
+ avformat/xmv: Make bitrate 64bit
+ avcodec/pngdec: Check that previous_picture has same w/h/format
+ avcodec/huffyuv: remove gray8a (the format is listed but not supported by the implementation)
+ avcodec/mpc8: Fixes invalid shift in mpc8_decode_frame()
+ avcodec/golomb: Correct the doxy about get_ue_golomb() and errors
+ avformat/utils: Check timebase before use in estimate_timings()
+ avcodec/hq_hqa: Use ff_set_dimensions()
+ avcodec/rv10: Fix integer overflow in aspect ratio compare
+ avcodec/4xm: Fix signed integer overflows in idct()
+ avcodec/qdm2: Check checksum_size for 0
+ avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop
+ avcodec/qdm2: Do not read out of array in fix_coding_method_array()
+ avcodec/svq3: Use ff_set_dimension()
+ avcodec/iff: Check ham vs bpp
+ avcodec/ffwavesynth: use uint32_t to compute difference, it is enough
+ avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case
+ avcodec/ffwavesynth: Fix backward lcg_seek()
+ avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff()
+ avcodec/alac: Check lpc_quant
+ avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP
+ avcodec/alsdec: Fix integer overflow with buffer number
+ avcodec/alsdec: Check opt_order / sb_length in ra_block handling
+ avcodec/alsdec: Fix integer overflow with shifting samples
+ avcodec/alsdec: Fix undefined behavior in decode_rice()
+ avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT()
+ avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check
+ avcodec/m101: Fix off be 2 error
+ avcodec/qdm2: Move fft_order check up
+ avcodec/libvorbisdec: Check extradata size
+ avformat/vqf: Check header_size
+ avcodec/utils: Check bits_per_coded_sample
+ avcodec/videodsp_template: Fix overflow of addition
+ avcodec/alsdec: Fix invalid shift in multiply()
+ avcodec/ffwavesynth: Check ts_end - ts_start for overflow
+ avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c
+ avcodec/tta: Fix undefined shift
+ avcodec/bintext: Check font height
+ avcodec/binkdsp: Fix integer overflows in idct
+ avcodec/motionpixels: Check for vlc error in mp_get_vlc()
+ avcodec/loco: Limit lossy parameter so it is sane and does not overflow
+ avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed
+ avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c()
+ avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block()
+ avcodec/iff: finetune the palette size check in the mask case
+ avcodec/iff: Fix mask_buf / mask_palbuf leak
+ avformat/icodec: Free ico->images on error paths
+ avformat/wsddec: Fix undefined shift
+ avcodec/bink: Reorder operations in init to avoid memleak on error
+ avformat/wtvdec: Avoid (32bit signed) sectors
+ avcodec/bitstream: Check for more conflicting codes in build_table()
+ avcodec/bitstream: Check for integer code truncation in build_table()
+ avformat/sbgdec: Fixes integer overflow in str_to_time() with hours
+ avformat/vpk: Check offset for validity
+ avformat/vpk: Fix integer overflow in samples_per_block computation
+ avcodec/mjpegdec: Check for non ls PAL8
+ avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle
+ avcodec/mss4: Check input size against skip bits
+ avcodec/diracdec: Fix integer overflow in global_mv()
+ avcodec/vmnc: Check available space against chunks before reget_buffer()
+ avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure)
+ avcodec/aacdec_fixed: Handle more extreem cases in noise_scale()
+ avcodec/aacdec_template: Merge 3 #ifs related to noise handling
+ avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify
+ avformat/mp3enc: Avoid SEEK_END as it is unsupported
+ avcodec/truemotion2: Fix several integer overflows in tm2_update_block()
+ avformat/webm_chunk: Specify expected argument length of get_chunk_filename()
+ avformat/webm_chunk: Check header filename length
+ avcodec/cpia: Check input size also against linesizes and EOL
+ libavcodec/libvpxenc: Don't free user-provided AVPacket
+ libavcodec/libmp3lame: Don't free user-provided AVPacket
+ avcodec/libopusenc: Don't free user-provided AVPacket
+ avformat/matroskadec: Fix default value of BlockAddID
+ avcodec/bsf: check that AVBSFInternal was allocated before dereferencing it
+ lavf/rawenc: Only accept the appropriate stream type for raw muxers.
+ avutil/mem: Fix invalid use of av_alloc_size
+
+
+version 3.2.14:
+- avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces
+- avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for tag scaning
+- avcodec/htmlsubtitles: Be a bit more picky on syntax
+- libswcale: Fix possible string overflow in test.
+- avcodec/hq_hqa: Check available space before reading slice offsets
+- lavf/webm_chunk: Respect buffer size
+- avcodec/jvdec: Use ff_get_buffer() when the content is not reused
+- avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block()
+- avcodec/jpeg2000: Check stepsize before using it
+- avcodec/aacdec_fixed: Fix undefined shift in noise_scale()
+- avutil/avstring: Fix bug and undefined behavior in av_strncasecmp()
+- avformat/mov: Skip stsd adjustment without chunks
+- avformat/aadec: Check for scanf() failure
+- avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside
+- avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform()
+- avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation
+- avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks()
+- avcodec/rscc: Check that the to be uncompressed input is large enough
+- avcodec/hevcdec: Avoid only partly skiping duplicate first slices
+- lavc/bmp: Avoid a heap buffer overwrite for 1bpp input.
+- avcodec/truemotion2: Fix integer overflow in tm2_null_res_block()
+- avcodec/dfa: Check the chunk header is not truncated
+- avcodec/dvbsubdec: Check object position
+- avcodec/cdgraphics: Use ff_set_dimensions()
+- avcodec/qpeg: Limit copy in qpeg_decode_intra() to the available bytes
+- avcodec/aic: Check remaining bits in aic_decode_coeffs()
+- avcodec/bethsoftvideo: Check block_type
+- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int()
+- avcodec/error_resilience: Use a symmetric check for skipping MV estimation
+- avcodec/mlpdec: Insuffient typo
+- avcodec/zmbv: obtain frame later
+- avcodec/jvdec: Check available input space before decode8x8()
+- avcodec/h264_direct: Fix overflow in POC comparission
+- avformat/webmdashenc: Check id in adaption_sets
+- avformat/http: Fix Out-of-Bounds access in process_line()
+- avformat/ftp: Fix Out-of-Bounds Access and Information Leak in ftp.c:393
+- avformat/matroskadec: Do not leak queued packets on sync errors
+- avformat/mov: validate chunk_count vs stsc_data
+- avformat/mov.c: require tfhd to begin parsing trun
+- avcodec/pgssubdec: Check for duplicate display segments
+- avformat/rtsp: Check number of streams in sdp_parse_line()
+- avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect()
+- avcodec/fic: Check that there is input left in fic_decode_block()
+- avutil/mem: Optimize fill32() by unrolling and using 64bit
+- avcodec/hevcdec: decode at most one slice reporting being the first in the picture
+- avfilter/af_silenceremove: fix possible crash if supplied duration is negative
+
+version 3.2.13:
+- avcodec/tests/rangecoder: initialize array to avoid valgrind warning
+- avcodec/h264_slice: Fix integer overflow in implicit_weight_table()
+- avcodec/exr: set layer_match in all branches
+- avcodec/4xm: Fix returned error codes
+- avcodec/mjpegbdec: Fix some misplaced {} and spaces
+- avformat/wvdec: detect and error out on WavPack DSD files
+- avcodec/mips: Fix failed case: hevc-conformance-AMP_A_Samsung_* when enable msa
+- avcodec/fic: Fail on invalid slice size/off
+- postproc/postprocess_template: remove FF_REG_sp from clobber list
+- postproc/postprocess_template: Avoid using %4 for the threshold compare
+- avcodec/rpza: Check that there is enough data for all the blocks
+- avcodec/rpza: Move frame allocation to a later point
+- avcodec/avcodec: Document the data type for AV_PKT_DATA_MPEGTS_STREAM_ID
+- avformat/mpegts: Fix side data type for stream id
+- avcodec/mjpegdec: Fix indention of ljpeg_decode_yuv_scan()
+- lavf/id3v2: fail read_apic on EOF reading mimetype
+- avformat/nutenc: Document trailer index assert better
+- lavf/mov: ensure only one tkhd per trak
+- avcodec/msvideo1: Check for too small dimensions
+- avcodec/wmv2dec: Skip I frame if its smaller than 1/8 of the minimal size
+- avcodec/msmpeg4dec: Skip frame if its smaller than 1/8 of the minimal size
+- avcodec/truemotion2rt: Fix rounding in input size check
+- avcodec/diracdec: Check component quant
+- avcodec/truemotion2: fix integer overflows in tm2_low_chroma()
+- avcodec/pngdec: Check compression method
+- avcodec/shorten: Fix integer overflow with offset
+- avcodec/cavsdec: Propagate error codes inside decode_mb_i()
+- avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case
+- avutil/integer: Fix integer overflow in av_mul_i()
+- avcodec/msrle: Check that the input is large enough to contain a end of picture code
+- avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling
+- avcodec/mpeg4videodec: Fix typo in sprite delta check
+- avcodec/h264_cavlc: Check mb_skip_run
+- avcodec/ra144: Fix integer overflow in add_wav()
+- avformat/utils: Never store negative values in last_IP_duration
+- avformat/utils: Fix integer overflow in discontinuity check
+- avcodec/unary: Improve get_unary() docs
+- avcodec/dvdsubdec: Sanity check len in decode_rle()
+- avcodec/mpeg4videodec: Fix undefined shift in get_amv()
+- avcodec/zmbv: Check that the decompressed data size is correct
+- avcodec/zmbv: Update decomp_len in raw frames
+- avcodec/shorten: Fix bitstream end check in read_header()
+- avcodec/dvdsubdec: Avoid branch in decode_run_8bit()
+- avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()
+- avcodec/ra144: Fix undefined integer overflow in add_wav()
+- avformat/mov: Error on too large stsd entry counts.
+- avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()
+- avcodec/vb: Check for end of bytestream before reading blocktype
+- avcodec/snowdec: Fix integer overflow with motion vector residual
+- avformat/nsvdec: Do not parse multiple NSVf
+- avformat/mlvdec: read_string() received unsigned size, make the argument unsigned
+- avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()
+- avcodec/shorten: Fix signed 32bit overflow in shift in shorten_decode_frame()
+- avcodec/shorten: Fix integer overflow in residual/LPC combination
+- avcodec/shorten: Check verbatim length
+- avcodec/mpegaudio_parser: Initialize poutbuf*
+- avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()
+- avformat/flvenc: Check audio packet size
+- avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()
+- avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too
+- avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions
+- avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case
+- avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()
+- avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()
+- swresample/swresample: Fix input channel count in resample_first computation
+- avutil/pixfmt: Document chroma plane size for odd resolutions
+- avformat/asfdec_o: Check size_bmp more fully
+- asfdec: Account for different Format Data sizes
+- avcodec/bitstream_filters: check the input argument of av_bsf_get_by_name() for NULL
+
 version 3.2.12:
 - avcodec/dvdsub_parser: Allocate input padding
 - avcodec/dvdsub_parser: Init output buf/size
@@ -1 +1 @@
-3.2.12
+3.2.15
@@ -6703,7 +6703,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2018
+#define CONFIG_THIS_YEAR 2020
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 3.2.12
+PROJECT_NUMBER         = 3.2.15

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -3991,7 +3991,8 @@ static int seek_to_start(InputFile *ifile, AVFormatContext *is)
            ifile->time_base = ist->st->time_base;
        /* the total duration of the stream, max_pts - min_pts is
         * the duration of the stream without the last frame */
-        duration += ist->max_pts - ist->min_pts;
+        if (ist->max_pts > ist->min_pts && ist->max_pts - (uint64_t)ist->min_pts < INT64_MAX - duration)
+            duration += ist->max_pts - ist->min_pts;
        ifile->time_base = duration_max(duration, &ifile->duration, ist->st->time_base,
                                        ifile->time_base);
    }
@@ -158,7 +158,7 @@ typedef struct FourXContext {
 #define FIX_1_847759065 121095
 #define FIX_2_613125930 171254

-#define MULTIPLY(var, const) (((var) * (const)) >> 16)
+#define MULTIPLY(var, const) ((int)((var) * (unsigned)(const)) >> 16)

 static void idct(int16_t block[64])
 {
@@ -351,6 +351,8 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, const uint16_t *src,
    index = size2index[log2h][log2w];
    av_assert0(index >= 0);

+    if (get_bits_left(&f->gb) < 1)
+        return AVERROR_INVALIDDATA;
    h     = 1 << log2h;
    code  = get_vlc2(&f->gb, block_type_vlc[1 - (f->version > 1)][index].table,
                     BLOCK_TYPE_VLC_BITS, 1);
@@ -498,7 +500,7 @@ static int decode_i_block(FourXContext *f, int16_t *block)

    if (get_bits_left(&f->gb) < 2){
        av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->gb));
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    /* DC coef */
@@ -523,6 +525,10 @@ static int decode_i_block(FourXContext *f, int16_t *block)
            break;
        if (code == 0xf0) {
            i += 16;
+            if (i >= 64) {
+                av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i);
+                return 0;
+            }
        } else {
            if (code & 0xf) {
                level = get_xbits(&f->gb, code & 0xf);
@@ -732,7 +738,7 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length)
        for (x = 0; x < width; x += 16) {
            unsigned int color[4] = { 0 }, bits;
            if (buf_end - buf < 8)
-                return -1;
+                return AVERROR_INVALIDDATA;
            // warning following is purely guessed ...
            color[0] = bytestream2_get_le16u(&g3);
            color[1] = bytestream2_get_le16u(&g3);
@@ -404,6 +404,8 @@ static int read_stream_mux_config(struct LATMContext *latmctx,
            } else {
                int esc;
                do {
+                    if (get_bits_left(gb) < 9)
+                        return AVERROR_INVALIDDATA;
                    esc = get_bits(gb, 1);
                    skip_bits(gb, 8);
                } while (esc);
@@ -554,7 +556,7 @@ AVCodec ff_aac_decoder = {
        AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE
    },
    .capabilities    = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1,
-    .caps_internal   = FF_CODEC_CAP_INIT_THREADSAFE,
+    .caps_internal   = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP,
    .channel_layouts = aac_channel_layout,
    .flush = flush,
    .priv_class      = &aac_decoder_class,
@@ -579,7 +581,7 @@ AVCodec ff_aac_latm_decoder = {
        AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE
    },
    .capabilities    = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1,
-    .caps_internal   = FF_CODEC_CAP_INIT_THREADSAFE,
+    .caps_internal   = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP,
    .channel_layouts = aac_channel_layout,
    .flush = flush,
    .profiles        = NULL_IF_CONFIG_SMALL(ff_aac_profiles),
@@ -195,12 +195,12 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len)

 static void noise_scale(int *coefs, int scale, int band_energy, int len)
 {
-    int ssign = scale < 0 ? -1 : 1;
-    int s = FFABS(scale);
+    int s = -scale;
    unsigned int round;
    int i, out, c = exp2tab[s & 3];
    int nlz = 0;

+    av_assert0(s >= 0);
    while (band_energy > 0x7fff) {
        band_energy >>= 1;
        nlz++;
@@ -216,15 +216,20 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len)
        round = s ? 1 << (s-1) : 0;
        for (i=0; i<len; i++) {
            out = (int)(((int64_t)coefs[i] * c) >> 32);
-            coefs[i] = ((int)(out+round) >> s) * ssign;
+            coefs[i] = -((int)(out+round) >> s);
        }
    }
    else {
        s = s + 32;
-        round = 1 << (s-1);
-        for (i=0; i<len; i++) {
-            out = (int)((int64_t)((int64_t)coefs[i] * c + round) >> s);
-            coefs[i] = out * ssign;
+        if (s > 0) {
+            round = 1 << (s-1);
+            for (i=0; i<len; i++) {
+                out = (int)((int64_t)((int64_t)coefs[i] * c + round) >> s);
+                coefs[i] = -out;
+            }
+        } else {
+            for (i=0; i<len; i++)
+                coefs[i] = -(int64_t)coefs[i] * c * (1 << -s);
        }
    }
 }
@@ -1118,6 +1118,9 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
    AACContext *ac = avctx->priv_data;
    int ret;

+    if (avctx->sample_rate > 96000)
+        return AVERROR_INVALIDDATA;
+
    ret = ff_thread_once(&aac_table_init, &aac_static_table_init);
    if (ret != 0)
        return AVERROR_UNKNOWN;
@@ -1618,25 +1621,24 @@ static int decode_spectrum_and_dequant(AACContext *ac, INTFLOAT coef[1024],
                }
            } else if (cbt_m1 == NOISE_BT - 1) {
                for (group = 0; group < (AAC_SIGNE)g_len; group++, cfo+=128) {
-#if !USE_FIXED
-                    float scale;
-#endif /* !USE_FIXED */
                    INTFLOAT band_energy;
-
+#if USE_FIXED
                    for (k = 0; k < off_len; k++) {
                        ac->random_state  = lcg_random(ac->random_state);
-#if USE_FIXED
                        cfo[k] = ac->random_state >> 3;
-#else
-                        cfo[k] = ac->random_state;
-#endif /* USE_FIXED */
                    }

-#if USE_FIXED
                    band_energy = ac->fdsp->scalarproduct_fixed(cfo, cfo, off_len);
                    band_energy = fixed_sqrt(band_energy, 31);
                    noise_scale(cfo, sf[idx], band_energy, off_len);
 #else
+                    float scale;
+
+                    for (k = 0; k < off_len; k++) {
+                        ac->random_state  = lcg_random(ac->random_state);
+                        cfo[k] = ac->random_state;
+                    }
+
                    band_energy = ac->fdsp->scalarproduct_float(cfo, cfo, off_len);
                    scale = sf[idx] / sqrtf(band_energy);
                    ac->fdsp->vector_fmul_scalar(cfo, cfo, scale, off_len);
@@ -2402,6 +2404,9 @@ static void apply_tns(INTFLOAT coef_param[1024], TemporalNoiseShaping *tns,
    INTFLOAT tmp[TNS_MAX_ORDER+1];
    UINTFLOAT *coef = coef_param;

+    if(!mmm)
+        return;
+
    for (w = 0; w < ics->num_windows; w++) {
        bottom = ics->num_swb;
        for (filt = 0; filt < tns->n_filt[w]; filt++) {
@@ -2566,7 +2571,7 @@ static void imdct_and_windowing(AACContext *ac, SingleChannelElement *sce)
        ac->mdct.imdct_half(&ac->mdct, buf, in);
 #if USE_FIXED
        for (i=0; i<1024; i++)
-          buf[i] = (buf[i] + 4) >> 3;
+          buf[i] = (buf[i] + 4LL) >> 3;
 #endif /* USE_FIXED */
    }

@@ -409,33 +409,33 @@ static void hybrid_synthesis(PSDSPContext *dsp, INTFLOAT out[2][38][64],
            memset(out[0][n], 0, 5*sizeof(out[0][n][0]));
            memset(out[1][n], 0, 5*sizeof(out[1][n][0]));
            for (i = 0; i < 12; i++) {
-                out[0][n][0] += in[   i][n][0];
-                out[1][n][0] += in[   i][n][1];
+                out[0][n][0] += (UINTFLOAT)in[   i][n][0];
+                out[1][n][0] += (UINTFLOAT)in[   i][n][1];
            }
            for (i = 0; i < 8; i++) {
-                out[0][n][1] += in[12+i][n][0];
-                out[1][n][1] += in[12+i][n][1];
+                out[0][n][1] += (UINTFLOAT)in[12+i][n][0];
+                out[1][n][1] += (UINTFLOAT)in[12+i][n][1];
            }
            for (i = 0; i < 4; i++) {
-                out[0][n][2] += in[20+i][n][0];
-                out[1][n][2] += in[20+i][n][1];
-                out[0][n][3] += in[24+i][n][0];
-                out[1][n][3] += in[24+i][n][1];
-                out[0][n][4] += in[28+i][n][0];
-                out[1][n][4] += in[28+i][n][1];
+                out[0][n][2] += (UINTFLOAT)in[20+i][n][0];
+                out[1][n][2] += (UINTFLOAT)in[20+i][n][1];
+                out[0][n][3] += (UINTFLOAT)in[24+i][n][0];
+                out[1][n][3] += (UINTFLOAT)in[24+i][n][1];
+                out[0][n][4] += (UINTFLOAT)in[28+i][n][0];
+                out[1][n][4] += (UINTFLOAT)in[28+i][n][1];
            }
        }
        dsp->hybrid_synthesis_deint(out, in + 27, 5, len);
    } else {
        for (n = 0; n < len; n++) {
-            out[0][n][0] = in[0][n][0] + in[1][n][0] + in[2][n][0] +
-                           in[3][n][0] + in[4][n][0] + in[5][n][0];
-            out[1][n][0] = in[0][n][1] + in[1][n][1] + in[2][n][1] +
-                           in[3][n][1] + in[4][n][1] + in[5][n][1];
-            out[0][n][1] = in[6][n][0] + in[7][n][0];
-            out[1][n][1] = in[6][n][1] + in[7][n][1];
-            out[0][n][2] = in[8][n][0] + in[9][n][0];
-            out[1][n][2] = in[8][n][1] + in[9][n][1];
+            out[0][n][0] = (UINTFLOAT)in[0][n][0] + in[1][n][0] + in[2][n][0] +
+                           (UINTFLOAT)in[3][n][0] + in[4][n][0] + in[5][n][0];
+            out[1][n][0] = (UINTFLOAT)in[0][n][1] + in[1][n][1] + in[2][n][1] +
+                           (UINTFLOAT)in[3][n][1] + in[4][n][1] + in[5][n][1];
+            out[0][n][1] = (UINTFLOAT)in[6][n][0] + in[7][n][0];
+            out[1][n][1] = (UINTFLOAT)in[6][n][1] + in[7][n][1];
+            out[0][n][2] = (UINTFLOAT)in[8][n][0] + in[9][n][0];
+            out[1][n][2] = (UINTFLOAT)in[8][n][1] + in[9][n][1];
        }
        dsp->hybrid_synthesis_deint(out, in + 7, 3, len);
    }
@@ -54,10 +54,10 @@ static void ps_hybrid_analysis_c(INTFLOAT (*out)[2], INTFLOAT (*in)[2],
        INT64FLOAT sum_im = (INT64FLOAT)filter[i][6][0] * in[6][1];

        for (j = 0; j < 6; j++) {
-            INTFLOAT in0_re = in[j][0];
-            INTFLOAT in0_im = in[j][1];
-            INTFLOAT in1_re = in[12-j][0];
-            INTFLOAT in1_im = in[12-j][1];
+            INT64FLOAT in0_re = in[j][0];
+            INT64FLOAT in0_im = in[j][1];
+            INT64FLOAT in1_re = in[12-j][0];
+            INT64FLOAT in1_im = in[12-j][1];
            sum_re += (INT64FLOAT)filter[i][j][0] * (in0_re + in1_re) -
                      (INT64FLOAT)filter[i][j][1] * (in0_im - in1_im);
            sum_im += (INT64FLOAT)filter[i][j][0] * (in0_im + in1_im) +
@@ -149,10 +149,10 @@ static void ps_stereo_interpolate_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2],
    INTFLOAT h1 = h[0][1];
    INTFLOAT h2 = h[0][2];
    INTFLOAT h3 = h[0][3];
-    INTFLOAT hs0 = h_step[0][0];
-    INTFLOAT hs1 = h_step[0][1];
-    INTFLOAT hs2 = h_step[0][2];
-    INTFLOAT hs3 = h_step[0][3];
+    UINTFLOAT hs0 = h_step[0][0];
+    UINTFLOAT hs1 = h_step[0][1];
+    UINTFLOAT hs2 = h_step[0][2];
+    UINTFLOAT hs3 = h_step[0][3];
    int n;

    for (n = 0; n < len; n++) {
@@ -107,29 +107,30 @@ static void scale_coefs (
      }
    } else {
      shift = -shift;
+      mul <<= shift;
      for (i=0; i<len; i+=8) {

          temp = src[i] * mul;
          temp1 = src[i+1] * mul;
          temp2 = src[i+2] * mul;

-          dst[i] = temp << shift;
+          dst[i] = temp;
          temp3 = src[i+3] * mul;

-          dst[i+1] = temp1 << shift;
+          dst[i+1] = temp1;
          temp4 = src[i + 4] * mul;
-          dst[i+2] = temp2 << shift;
+          dst[i+2] = temp2;

          temp5 = src[i+5] * mul;
-          dst[i+3] = temp3 << shift;
+          dst[i+3] = temp3;
          temp6 = src[i+6] * mul;

-          dst[i+4] = temp4 << shift;
+          dst[i+4] = temp4;
          temp7 = src[i+7] * mul;

-          dst[i+5] = temp5 << shift;
-          dst[i+6] = temp6 << shift;
-          dst[i+7] = temp7 << shift;
+          dst[i+5] = temp5;
+          dst[i+6] = temp6;
+          dst[i+7] = temp7;

      }
    }
@@ -110,6 +110,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
    case AV_CODEC_ID_ADPCM_MTAF:
        min_channels = 2;
        max_channels = 8;
+        if (avctx->channels & 1) {
+            avpriv_request_sample(avctx, "channel count %d\n", avctx->channels);
+            return AVERROR_PATCHWELCOME;
+        }
        break;
    case AV_CODEC_ID_ADPCM_PSX:
        max_channels = 8;
@@ -135,8 +139,8 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
        break;
    case AV_CODEC_ID_ADPCM_IMA_APC:
        if (avctx->extradata && avctx->extradata_size >= 8) {
-            c->status[0].predictor = AV_RL32(avctx->extradata);
-            c->status[1].predictor = AV_RL32(avctx->extradata + 4);
+            c->status[0].predictor = av_clip_intp2(AV_RL32(avctx->extradata    ), 18);
+            c->status[1].predictor = av_clip_intp2(AV_RL32(avctx->extradata + 4), 18);
        }
        break;
    case AV_CODEC_ID_ADPCM_IMA_WS:
@@ -289,7 +293,7 @@ static inline int16_t adpcm_ima_oki_expand_nibble(ADPCMChannelStatus *c, int nib
    c->predictor = av_clip_intp2(predictor, 11);
    c->step_index = step_index;

-    return c->predictor << 4;
+    return c->predictor * 16;
 }

 static inline int16_t adpcm_ct_expand_nibble(ADPCMChannelStatus *c, int8_t nibble)
@@ -378,6 +382,10 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1,
            avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter);
            filter=0;
        }
+        if (shift < 0) {
+            avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift);
+            shift = 0;
+        }
        f0 = xa_adpcm_table[filter][0];
        f1 = xa_adpcm_table[filter][1];

@@ -388,7 +396,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1,
            d = in[16+i+j*4];

            t = sign_extend(d, 4);
-            s = ( t<<shift ) + ((s_1*f0 + s_2*f1+32)>>6);
+            s = t*(1<<shift) + ((s_1*f0 + s_2*f1+32)>>6);
            s_2 = s_1;
            s_1 = av_clip_int16(s);
            out0[j] = s_1;
@@ -403,10 +411,14 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1,

        shift  = 12 - (in[5+i*2] & 15);
        filter = in[5+i*2] >> 4;
-        if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table)) {
+        if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table) || shift < 0) {
            avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter);
            filter=0;
        }
+        if (shift < 0) {
+            avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift);
+            shift = 0;
+        }

        f0 = xa_adpcm_table[filter][0];
        f1 = xa_adpcm_table[filter][1];
@@ -415,7 +427,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1,
            d = in[16+i+j*4];

            t = sign_extend(d >> 4, 4);
-            s = ( t<<shift ) + ((s_1*f0 + s_2*f1+32)>>6);
+            s = t*(1<<shift) + ((s_1*f0 + s_2*f1+32)>>6);
            s_2 = s_1;
            s_1 = av_clip_int16(s);
            out1[j] = s_1;
@@ -1134,8 +1146,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                return AVERROR_INVALIDDATA;
            }
        }
-        for (i=0; i<=st; i++)
+        for (i=0; i<=st; i++) {
            c->status[i].predictor  = bytestream2_get_le32u(&gb);
+            if (FFABS((int64_t)c->status[i].predictor) > (1<<16))
+                return AVERROR_INVALIDDATA;
+        }

        for (n = nb_samples >> (1 - st); n > 0; n--) {
            int byte   = bytestream2_get_byteu(&gb);
@@ -1283,10 +1298,10 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,

                    for (count2=0; count2<28; count2++) {
                        if (count2 & 1)
-                            next_sample = sign_extend(byte,    4) << shift;
+                            next_sample = (unsigned)sign_extend(byte,    4) << shift;
                        else {
                            byte = bytestream2_get_byte(&gb);
-                            next_sample = sign_extend(byte >> 4, 4) << shift;
+                            next_sample = (unsigned)sign_extend(byte >> 4, 4) << shift;
                        }

                        next_sample += (current_sample  * coeff1) +
@@ -1561,8 +1576,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                int byte = bytestream2_get_byteu(&gb);
                int index = (byte >> 4) & 7;
                unsigned int exp = byte & 0x0F;
-                int factor1 = table[ch][index * 2];
-                int factor2 = table[ch][index * 2 + 1];
+                int64_t factor1 = table[ch][index * 2];
+                int64_t factor2 = table[ch][index * 2 + 1];

                /* Decode 14 samples.  */
                for (n = 0; n < 14 && (i * 14 + n < nb_samples); n++) {
@@ -1623,7 +1638,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                    else
                        sampledat = sign_extend(byte >> 4, 4);

-                    sampledat = (((sampledat << 12) >> (header & 0xf)) << 6) + prev;
+                    sampledat = ((sampledat * (1 << 12)) >> (header & 0xf)) * (1 << 6) + prev;
                    *samples++ = av_clip_int16(sampledat >> 6);
                    c->status[channel].sample2 = c->status[channel].sample1;
                    c->status[channel].sample1 = sampledat;
@@ -1660,7 +1675,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                            scale = sign_extend(byte, 4);
                        }

-                        scale  = scale << 12;
+                        scale  = scale * (1 << 12);
                        sample = (int)((scale >> shift) + (c->status[channel].sample1 * xa_adpcm_table[filter][0] + c->status[channel].sample2 * xa_adpcm_table[filter][1]) / 64);
                    }
                    *samples++ = av_clip_int16(sample);
@@ -208,6 +208,9 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
    int mb, idx;
    unsigned val;

+    if (get_bits_left(gb) < 5)
+        return AVERROR_INVALIDDATA;
+
    has_skips  = get_bits1(gb);
    coeff_type = get_bits1(gb);
    coeff_bits = get_bits(gb, 3);
@@ -170,12 +170,12 @@ static inline int sign_only(int v)
    return v ? FFSIGN(v) : 0;
 }

-static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out,
+static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out,
                           int nb_samples, int bps, int16_t *lpc_coefs,
                           int lpc_order, int lpc_quant)
 {
    int i;
-    int32_t *pred = buffer_out;
+    uint32_t *pred = buffer_out;

    /* first sample always copies */
    *buffer_out = *error_buffer;
@@ -207,27 +207,27 @@ static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out,
    for (; i < nb_samples; i++) {
        int j;
        int val = 0;
-        int error_val = error_buffer[i];
+        unsigned error_val = error_buffer[i];
        int error_sign;
        int d = *pred++;

        /* LPC prediction */
        for (j = 0; j < lpc_order; j++)
            val += (pred[j] - d) * lpc_coefs[j];
-        val = (val + (1 << (lpc_quant - 1))) >> lpc_quant;
+        val = (val + (1LL << (lpc_quant - 1))) >> lpc_quant;
        val += d + error_val;
        buffer_out[i] = sign_extend(val, bps);

        /* adapt LPC coefficients */
        error_sign = sign_only(error_val);
        if (error_sign) {
-            for (j = 0; j < lpc_order && error_val * error_sign > 0; j++) {
+            for (j = 0; j < lpc_order && (int)(error_val * error_sign) > 0; j++) {
                int sign;
                val  = d - pred[j];
                sign = sign_only(val) * error_sign;
                lpc_coefs[j] -= sign;
-                val *= sign;
-                error_val -= (val >> lpc_quant) * (j + 1);
+                val *= (unsigned)sign;
+                error_val -= (val >> lpc_quant) * (j + 1U);
            }
        }
    }
@@ -305,7 +305,7 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,
            rice_history_mult[ch] = get_bits(&alac->gb, 3);
            lpc_order[ch]         = get_bits(&alac->gb, 5);

-            if (lpc_order[ch] >= alac->max_samples_per_frame)
+            if (lpc_order[ch] >= alac->max_samples_per_frame || !lpc_quant[ch])
                return AVERROR_INVALIDDATA;

            /* read the predictor table */
@@ -394,13 +394,13 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,
    case 20: {
        for (ch = 0; ch < channels; ch++) {
            for (i = 0; i < alac->nb_samples; i++)
-                alac->output_samples_buffer[ch][i] <<= 12;
+                alac->output_samples_buffer[ch][i] *= 1U << 12;
        }}
        break;
    case 24: {
        for (ch = 0; ch < channels; ch++) {
            for (i = 0; i < alac->nb_samples; i++)
-                alac->output_samples_buffer[ch][i] <<= 8;
+                alac->output_samples_buffer[ch][i] *= 1U << 8;
        }}
        break;
    }
@@ -49,7 +49,7 @@ static void append_extra_bits(int32_t *buffer[2], int32_t *extra_bits_buffer[2],

    for (ch = 0; ch < channels; ch++)
        for (i = 0; i < nb_samples; i++)
-            buffer[ch][i] = (buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i];
+            buffer[ch][i] = ((unsigned)buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i];
 }

 av_cold void ff_alacdsp_init(ALACDSPContext *c)
@@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    if (ret < 0)
        return ret;

+    if (bytestream2_get_bytes_left(&gb) < width*height / 255)
+        return AVERROR_INVALIDDATA;
+
    ret = ff_get_buffer(avctx, f, 0);
    if (ret < 0)
        return ret;
@@ -349,6 +349,11 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
    if (als_id != MKBETAG('A','L','S','\0'))
        return AVERROR_INVALIDDATA;

+    if (avctx->channels > FF_SANE_NB_CHANNELS) {
+        avpriv_request_sample(avctx, "Huge number of channels\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
    ctx->cur_frame_length = sconf->frame_length;

    // read channel config
@@ -488,7 +493,7 @@ static void parse_bs_info(const uint32_t bs_info, unsigned int n,
 static int32_t decode_rice(GetBitContext *gb, unsigned int k)
 {
    int max = get_bits_left(gb) - k;
-    int q   = get_unary(gb, 0, max);
+    unsigned q = get_unary(gb, 0, max);
    int r   = k ? get_bits1(gb) : !(q & 1);

    if (k > 1) {
@@ -508,7 +513,7 @@ static void parcor_to_lpc(unsigned int k, const int32_t *par, int32_t *cof)
    int i, j;

    for (i = 0, j = k - 1; i < j; i++, j--) {
-        int tmp1 = ((MUL64(par[k], cof[j]) + (1 << 19)) >> 20);
+        unsigned tmp1 = ((MUL64(par[k], cof[j]) + (1 << 19)) >> 20);
        cof[j]  += ((MUL64(par[k], cof[i]) + (1 << 19)) >> 20);
        cof[i]  += tmp1;
    }
@@ -658,7 +663,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)

    // do not continue in case of a damaged stream since
    // block_length must be evenly divisible by sub_blocks
-    if (bd->block_length & (sub_blocks - 1)) {
+    if (bd->block_length & (sub_blocks - 1) || bd->block_length <= 0) {
        av_log(avctx, AV_LOG_WARNING,
               "Block length is not evenly divisible by the number of subblocks.\n");
        return AVERROR_INVALIDDATA;
@@ -773,8 +778,8 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
        if (*bd->use_ltp) {
            int r, c;

-            bd->ltp_gain[0]   = decode_rice(gb, 1) << 3;
-            bd->ltp_gain[1]   = decode_rice(gb, 2) << 3;
+            bd->ltp_gain[0]   = decode_rice(gb, 1) * 8;
+            bd->ltp_gain[1]   = decode_rice(gb, 2) * 8;

            r                 = get_unary(gb, 0, 4);
            c                 = get_bits(gb, 2);
@@ -785,8 +790,8 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)

            bd->ltp_gain[2]   = ltp_gain_values[r][c];

-            bd->ltp_gain[3]   = decode_rice(gb, 2) << 3;
-            bd->ltp_gain[4]   = decode_rice(gb, 1) << 3;
+            bd->ltp_gain[3]   = decode_rice(gb, 2) * 8;
+            bd->ltp_gain[4]   = decode_rice(gb, 1) * 8;

            *bd->ltp_lag      = get_bits(gb, ctx->ltp_lag_length);
            *bd->ltp_lag     += FFMAX(4, opt_order + 1);
@@ -795,14 +800,20 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)

    // read first value and residuals in case of a random access block
    if (bd->ra_block) {
+        start = FFMIN(opt_order, 3);
+        av_assert0(sb_length <= sconf->frame_length);
+        if (sb_length <= start) {
+            // opt_order or sb_length may be corrupted, either way this is unsupported and not well defined in the specification
+            av_log(avctx, AV_LOG_ERROR, "Sub block length smaller or equal start\n");
+            return AVERROR_PATCHWELCOME;
+        }
+
        if (opt_order)
            bd->raw_samples[0] = decode_rice(gb, avctx->bits_per_raw_sample - 4);
        if (opt_order > 1)
            bd->raw_samples[1] = decode_rice(gb, FFMIN(s[0] + 3, ctx->s_max));
        if (opt_order > 2)
            bd->raw_samples[2] = decode_rice(gb, FFMIN(s[0] + 1, ctx->s_max));
-
-        start = FFMIN(opt_order, 3);
    }

    // read all residuals
@@ -816,7 +827,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
        unsigned int low;
        unsigned int value;

-        ff_bgmc_decode_init(gb, &high, &low, &value);
+        int ret = ff_bgmc_decode_init(gb, &high, &low, &value);
+        if (ret < 0)
+            return ret;

        current_res = bd->raw_samples + start;

@@ -826,6 +839,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            k    [sb] = s[sb] > b ? s[sb] - b : 0;
            delta[sb] = 5 - s[sb] + k[sb];

+            if (k[sb] >= 32)
+                return AVERROR_INVALIDDATA;
+
            ff_bgmc_decode(gb, sb_len, current_res,
                        delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status);

@@ -918,7 +934,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            y = 1 << 6;

            for (base = begin; base < end; base++, tab++)
-                y += MUL64(bd->ltp_gain[tab], raw_samples[base]);
+                y += (uint64_t)MUL64(bd->ltp_gain[tab], raw_samples[base]);

            raw_samples[ltp_smp] += y >> 7;
        }
@@ -930,7 +946,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            y = 1 << 19;

            for (sb = 0; sb < smp; sb++)
-                y += MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]);
+                y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]);

            *raw_samples++ -= y >> 20;
            parcor_to_lpc(smp, quant_cof, lpc_cof);
@@ -946,7 +962,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)

        // reconstruct difference signal for prediction (joint-stereo)
        if (bd->js_blocks && bd->raw_other) {
-            int32_t *left, *right;
+            uint32_t *left, *right;

            if (bd->raw_other > raw_samples) {  // D = R - L
                left  = raw_samples;
@@ -980,7 +996,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
        y = 1 << 19;

        for (sb = -opt_order; sb < 0; sb++)
-            y += MUL64(lpc_cof[sb], raw_samples[sb]);
+            y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[sb]);

        *raw_samples -= y >> 20;
    }
@@ -1039,7 +1055,7 @@ static int decode_block(ALSDecContext *ctx, ALSBlockData *bd)

    if (*bd->shift_lsbs)
        for (smp = 0; smp < bd->block_length; smp++)
-            bd->raw_samples[smp] <<= *bd->shift_lsbs;
+            bd->raw_samples[smp] = (unsigned)bd->raw_samples[smp] << *bd->shift_lsbs;

    return 0;
 }
@@ -1175,10 +1191,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
                av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel pair.\n");

            for (s = 0; s < div_blocks[b]; s++)
-                bd[0].raw_samples[s] = bd[1].raw_samples[s] - bd[0].raw_samples[s];
+                bd[0].raw_samples[s] = bd[1].raw_samples[s] - (unsigned)bd[0].raw_samples[s];
        } else if (bd[1].js_blocks) {
            for (s = 0; s < div_blocks[b]; s++)
-                bd[1].raw_samples[s] = bd[1].raw_samples[s] + bd[0].raw_samples[s];
+                bd[1].raw_samples[s] = bd[1].raw_samples[s] + (unsigned)bd[0].raw_samples[s];
        }

        offset  += div_blocks[b];
@@ -1385,6 +1401,9 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) {
    mantissa_temp = (uint64_t)a.mant * (uint64_t)b.mant;
    mask_64       = (uint64_t)0x1 << 47;

+    if (!mantissa_temp)
+        return FLOAT_0;
+
    // Count the valid bit count
    while (!(mantissa_temp & mask_64) && mask_64) {
        bit_count--;
@@ -1401,7 +1420,11 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) {
        }
    }

-    mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count);
+    if (cutoff_bit_count >= 0) {
+        mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count);
+    } else {
+        mantissa = (unsigned int)(mantissa_temp <<-cutoff_bit_count);
+    }

    // Need one more shift?
    if (mantissa & 0x01000000ul) {
@@ -1413,7 +1436,7 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) {
        return_val = 0x80000000U;
    }

-    return_val |= (a.exp + b.exp + bit_count - 47) << 23;
+    return_val |= ((unsigned)av_clip(a.exp + b.exp + bit_count - 47, -126, 127) << 23) & 0x7F800000;
    return_val |= mantissa;
    return av_bits2sf_ieee754(return_val);
 }
@@ -1458,6 +1481,9 @@ static int read_diff_float_data(ALSDecContext *ctx, unsigned int ra_frame) {
        ff_mlz_flush_dict(ctx->mlz);
    }

+    if (avctx->channels * 8 > get_bits_left(gb))
+        return AVERROR_INVALIDDATA;
+
    for (c = 0; c < avctx->channels; ++c) {
        if (use_acf) {
            //acf_flag
@@ -1798,15 +1824,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
    #define INTERLEAVE_OUTPUT(bps)                                                   \
    {                                                                                \
        int##bps##_t *dest = (int##bps##_t*)frame->data[0];                          \
+        int channels = avctx->channels;                                              \
+        int32_t **raw_samples = ctx->raw_samples;                                    \
        shift = bps - ctx->avctx->bits_per_raw_sample;                               \
        if (!ctx->cs_switch) {                                                       \
            for (sample = 0; sample < ctx->cur_frame_length; sample++)               \
-                for (c = 0; c < avctx->channels; c++)                                \
-                    *dest++ = ctx->raw_samples[c][sample] << shift;                  \
+                for (c = 0; c < channels; c++)                                       \
+                    *dest++ = raw_samples[c][sample] * (1U << shift);                \
        } else {                                                                     \
            for (sample = 0; sample < ctx->cur_frame_length; sample++)               \
-                for (c = 0; c < avctx->channels; c++)                                \
-                    *dest++ = ctx->raw_samples[sconf->chan_pos[c]][sample] << shift; \
+                for (c = 0; c < channels; c++)                                       \
+                    *dest++ = raw_samples[sconf->chan_pos[c]][sample] * (1U << shift);\
        }                                                                            \
    }

@@ -1990,6 +2018,8 @@ static av_cold int decode_init(AVCodecContext *avctx)

    // allocate quantized parcor coefficient buffer
    num_buffers = sconf->mc_coding ? avctx->channels : 1;
+    if (num_buffers * (uint64_t)num_buffers > INT_MAX) // protect chan_data_buffer allocation
+        return AVERROR_INVALIDDATA;

    ctx->quant_cof        = av_malloc_array(num_buffers, sizeof(*ctx->quant_cof));
    ctx->lpc_cof          = av_malloc_array(num_buffers, sizeof(*ctx->lpc_cof));
@@ -2122,7 +2152,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
    return 0;

 fail:
-    decode_end(avctx);
    return ret;
 }

@@ -2148,4 +2177,5 @@ AVCodec ff_als_decoder = {
    .decode         = decode_frame,
    .flush          = flush,
    .capabilities   = AV_CODEC_CAP_SUBFRAMES | AV_CODEC_CAP_DR1,
+    .caps_internal  = FF_CODEC_CAP_INIT_CLEANUP,
 };
@@ -119,6 +119,9 @@ static int decode_frame(AVCodecContext *avctx,
    uint8_t *dst, *dst_end;
    int count, ret;

+    if (buf_size < 7)
+        return AVERROR_INVALIDDATA;
+
    if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
        return ret;
    dst     = s->frame->data[0];
@@ -460,7 +460,7 @@ static inline void update_rice(APERice *rice, unsigned int x)

    if (rice->ksum < lim)
        rice->k--;
-    else if (rice->ksum >= (1 << (rice->k + 5)))
+    else if (rice->ksum >= (1 << (rice->k + 5)) && rice->k < 24)
        rice->k++;
 }

@@ -554,7 +554,7 @@ static inline int ape_decode_value_3990(APEContext *ctx, APERice *rice)
    overflow = range_get_symbol(ctx, counts_3980, counts_diff_3980);

    if (overflow == (MODEL_ELEMENTS - 1)) {
-        overflow  = range_decode_bits(ctx, 16) << 16;
+        overflow  = (unsigned)range_decode_bits(ctx, 16) << 16;
        overflow |= range_decode_bits(ctx, 16);
    }

@@ -589,7 +589,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb,
                              int32_t *out, APERice *rice, int blockstodecode)
 {
    int i;
-    int ksummax, ksummin;
+    unsigned ksummax, ksummin;

    rice->ksum = 0;
    for (i = 0; i < FFMIN(blockstodecode, 5); i++) {
@@ -610,7 +610,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb,
    ksummin = rice->k ? (1 << rice->k + 6) : 0;
    for (; i < blockstodecode; i++) {
        out[i] = get_rice_ook(&ctx->gb, rice->k);
-        rice->ksum += out[i] - out[i - 64];
+        rice->ksum += out[i] - (unsigned)out[i - 64];
        while (rice->ksum < ksummin) {
            rice->k--;
            ksummin = rice->k ? ksummin >> 1 : 0;
@@ -836,7 +836,7 @@ static av_always_inline int filter_fast_3320(APEPredictor *p,
    else
        p->coeffsA[filter][0]--;

-    p->filterA[filter] += p->lastA[filter];
+    p->filterA[filter] += (unsigned)p->lastA[filter];

    return p->filterA[filter];
 }
@@ -859,9 +859,9 @@ static av_always_inline int filter_3800(APEPredictor *p,
        return predictionA;
    }
    d2 =  p->buf[delayA];
-    d1 = (p->buf[delayA] - p->buf[delayA - 1]) << 1;
-    d0 =  p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) << 3);
-    d3 =  p->buf[delayB] * 2 - p->buf[delayB - 1];
+    d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U;
+    d0 =  p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U);
+    d3 =  p->buf[delayB] * 2U - p->buf[delayB - 1];
    d4 =  p->buf[delayB];

    predictionA = d0 * p->coeffsA[filter][0] +
@@ -881,7 +881,7 @@ static av_always_inline int filter_3800(APEPredictor *p,
    p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign;

    p->filterB[filter] = p->lastA[filter] + (predictionB >> shift);
-    p->filterA[filter] = p->filterB[filter] + ((p->filterA[filter] * 31) >> 5);
+    p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5);

    return p->filterA[filter];
 }
@@ -902,7 +902,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len
        dotprod = 0;
        sign = APESIGN(buffer[i]);
        for (j = 0; j < order; j++) {
-            dotprod += delay[j] * coeffs[j];
+            dotprod += delay[j] * (unsigned)coeffs[j];
            coeffs[j] += ((delay[j] >> 31) | 1) * sign;
        }
        buffer[i] -= dotprod >> shift;
@@ -916,7 +916,8 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length)
 {
    int i, j;
    int32_t dotprod, sign;
-    int32_t coeffs[8] = { 0 }, delay[8] = { 0 };
+    int32_t delay[8] = { 0 };
+    uint32_t coeffs[8] = { 0 };

    for (i = 0; i < length; i++) {
        dotprod = 0;
@@ -1051,7 +1052,7 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
                  d3 * p->coeffsA[filter][3];

    p->lastA[filter] = decoded + (predictionA >> 9);
-    p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5);
+    p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5);

    sign = APESIGN(decoded);
    p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign;
@@ -1121,7 +1122,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p,

    p->buf[delayA]     = p->lastA[filter];
    p->buf[adaptA]     = APESIGN(p->buf[delayA]);
-    p->buf[delayA - 1] = p->buf[delayA] - p->buf[delayA - 1];
+    p->buf[delayA - 1] = p->buf[delayA] - (unsigned)p->buf[delayA - 1];
    p->buf[adaptA - 1] = APESIGN(p->buf[delayA - 1]);

    predictionA = p->buf[delayA    ] * p->coeffsA[filter][0] +
@@ -1130,9 +1131,9 @@ static av_always_inline int predictor_update_filter(APEPredictor *p,
                  p->buf[delayA - 3] * p->coeffsA[filter][3];

    /*  Apply a scaled first-order filter compression */
-    p->buf[delayB]     = p->filterA[filter ^ 1] - ((p->filterB[filter] * 31) >> 5);
+    p->buf[delayB]     = p->filterA[filter ^ 1] - ((int)(p->filterB[filter] * 31U) >> 5);
    p->buf[adaptB]     = APESIGN(p->buf[delayB]);
-    p->buf[delayB - 1] = p->buf[delayB] - p->buf[delayB - 1];
+    p->buf[delayB - 1] = p->buf[delayB] - (unsigned)p->buf[delayB - 1];
    p->buf[adaptB - 1] = APESIGN(p->buf[delayB - 1]);
    p->filterB[filter] = p->filterA[filter ^ 1];

@@ -1142,8 +1143,8 @@ static av_always_inline int predictor_update_filter(APEPredictor *p,
                  p->buf[delayB - 3] * p->coeffsB[filter][3] +
                  p->buf[delayB - 4] * p->coeffsB[filter][4];

-    p->lastA[filter] = decoded + ((predictionA + (predictionB >> 1)) >> 10);
-    p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5);
+    p->lastA[filter] = decoded + ((int)((unsigned)predictionA + (predictionB >> 1)) >> 10);
+    p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5);

    sign = APESIGN(decoded);
    p->coeffsA[filter][0] += p->buf[adaptA    ] * sign;
@@ -1202,14 +1203,14 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count)
        A = *decoded0;

        p->buf[YDELAYA] = currentA;
-        p->buf[YDELAYA - 1] = p->buf[YDELAYA] - p->buf[YDELAYA - 1];
+        p->buf[YDELAYA - 1] = p->buf[YDELAYA] - (unsigned)p->buf[YDELAYA - 1];

        predictionA = p->buf[YDELAYA    ] * p->coeffsA[0][0] +
                      p->buf[YDELAYA - 1] * p->coeffsA[0][1] +
                      p->buf[YDELAYA - 2] * p->coeffsA[0][2] +
                      p->buf[YDELAYA - 3] * p->coeffsA[0][3];

-        currentA = A + (predictionA >> 10);
+        currentA = A + (unsigned)(predictionA >> 10);

        p->buf[YADAPTCOEFFSA]     = APESIGN(p->buf[YDELAYA    ]);
        p->buf[YADAPTCOEFFSA - 1] = APESIGN(p->buf[YDELAYA - 1]);
@@ -1229,7 +1230,7 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count)
            p->buf = p->historybuffer;
        }

-        p->filterA[0] = currentA + ((p->filterA[0] * 31) >> 5);
+        p->filterA[0] = currentA + (unsigned)((int)(p->filterA[0] * 31U) >> 5);
        *(decoded0++) = p->filterA[0];
    }

@@ -1266,8 +1267,8 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f,
                                                     f->delay - order,
                                                     f->adaptcoeffs - order,
                                                     order, APESIGN(*data));
-        res = (res + (1 << (fracbits - 1))) >> fracbits;
-        res += *data;
+        res = (int)(res + (1U << (fracbits - 1))) >> fracbits;
+        res += (unsigned)*data;
        *data++ = res;

        /* Update the output history */
@@ -1282,7 +1283,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f,
            /* Version 3.98 and later files */

            /* Update the adaption coefficients */
-            absres = FFABS(res);
+            absres = res < 0 ? -(unsigned)res : res;
            if (absres)
                *f->adaptcoeffs = APESIGN(res) *
                                  (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3)));
@@ -1297,7 +1298,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f,
            else
                *f->adaptcoeffs = 0;

-            f->avg += (absres - f->avg) / 16;
+            f->avg += (int)(absres - (unsigned)f->avg) / 16;

            f->adaptcoeffs[-1] >>= 1;
            f->adaptcoeffs[-2] >>= 1;
@@ -1376,7 +1377,7 @@ static void ape_unpack_mono(APEContext *ctx, int count)

 static void ape_unpack_stereo(APEContext *ctx, int count)
 {
-    int32_t left, right;
+    unsigned left, right;
    int32_t *decoded0 = ctx->decoded[0];
    int32_t *decoded1 = ctx->decoded[1];

@@ -1393,7 +1394,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count)

    /* Decorrelate and scale to output depth */
    while (count--) {
-        left = *decoded1 - (*decoded0 / 2);
+        left = *decoded1 - (unsigned)(*decoded0 / 2);
        right = left + *decoded0;

        *(decoded0++) = left;
@@ -1451,7 +1452,8 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        if (s->fileversion >= 3900) {
            if (offset > 3) {
                av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n");
-                s->data = NULL;
+                av_freep(&s->data);
+                s->data_size = 0;
                return AVERROR_INVALIDDATA;
            }
            if (s->data_end - s->ptr < offset) {
@@ -1499,7 +1501,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
    av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size);
    if (!s->decoded_buffer)
        return AVERROR(ENOMEM);
-    memset(s->decoded_buffer, 0, s->decoded_size);
+    memset(s->decoded_buffer, 0, decoded_buffer_size);
    s->decoded[0] = s->decoded_buffer;
    s->decoded[1] = s->decoded_buffer + FFALIGN(blockstodecode, 8);

@@ -1541,7 +1543,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        for (ch = 0; ch < s->channels; ch++) {
            sample24 = (int32_t *)frame->data[ch];
            for (i = 0; i < blockstodecode; i++)
-                *sample24++ = s->decoded[ch][i] << 8;
+                *sample24++ = s->decoded[ch][i] * 256;
        }
        break;
    }
@@ -31,7 +31,8 @@ static av_cold int ass_decode_init(AVCodecContext *avctx)
    avctx->subtitle_header = av_malloc(avctx->extradata_size + 1);
    if (!avctx->subtitle_header)
        return AVERROR(ENOMEM);
-    memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size);
+    if (avctx->extradata_size)
+        memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size);
    avctx->subtitle_header[avctx->extradata_size] = 0;
    avctx->subtitle_header_size = avctx->extradata_size;
    return 0;
@@ -882,7 +882,7 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx)
        return AVERROR_INVALIDDATA;
    }

-    if (avctx->block_align >= UINT_MAX / 2)
+    if (avctx->block_align > 1024 || avctx->block_align <= 0)
        return AVERROR(EINVAL);

    q->decoded_bytes_buffer = av_mallocz(FFALIGN(avctx->block_align, 4) +
@@ -456,6 +456,10 @@ static int decode_channel_wordlen(GetBitContext *gb, Atrac3pChanUnitCtx *ctx,
    } else if (chan->fill_mode == 3) {
        pos = ch_num ? chan->num_coded_vals + chan->split_point
                     : ctx->num_quant_units - chan->split_point;
+        if (pos > FF_ARRAY_ELEMS(chan->qu_wordlen)) {
+            av_log(avctx, AV_LOG_ERROR, "Split point beyond array\n");
+            pos = FF_ARRAY_ELEMS(chan->qu_wordlen);
+        }
        for (i = chan->num_coded_vals; i < pos; i++)
            chan->qu_wordlen[i] = 1;
    }
@@ -79,7 +79,7 @@ static void vector_clipf_c(float *dst, const float *src,
 static int32_t scalarproduct_int16_c(const int16_t *v1, const int16_t *v2,
                                     int order)
 {
-    int res = 0;
+    unsigned res = 0;

    while (order--)
        res += *v1++ **v2++;
@@ -1526,7 +1526,7 @@ enum AVPacketSideDataType {
    AV_PKT_DATA_METADATA_UPDATE,

    /**
-     * MPEGTS stream ID, this is required to pass the stream ID
+     * MPEGTS stream ID as uint8_t, this is required to pass the stream ID
     * information from the demuxer to the corresponding muxer.
     */
    AV_PKT_DATA_MPEGTS_STREAM_ID,
@@ -109,7 +109,7 @@ int avcodec_dct_init(AVDCT *dsp)

 #if CONFIG_IDCTDSP
    {
-        IDCTDSPContext idsp;
+        IDCTDSPContext idsp = {0};
        ff_idctdsp_init(&idsp, avctx);
        COPY(idsp, idct);
        COPY(idsp, idct_permutation);
@@ -109,6 +109,11 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
            if(yoffset >= avctx->height)
                return AVERROR_INVALIDDATA;
            dst += vid->frame->linesize[0] * yoffset;
+        case VIDEO_P_FRAME:
+        case VIDEO_I_FRAME:
+            break;
+        default:
+            return AVERROR_INVALIDDATA;
    }

    // main code
@@ -485,12 +485,17 @@ av_cold void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status)


 /** Initialize decoding and reads the first value */
-void ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h,
+int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h,
                         unsigned int *l, unsigned int *v)
 {
+    if (get_bits_left(gb) < VALUE_BITS)
+        return AVERROR_INVALIDDATA;
+
    *h = TOP_VALUE;
    *l = 0;
    *v = get_bits_long(gb, VALUE_BITS);
+
+    return 0;
 }


@@ -40,7 +40,7 @@ int ff_bgmc_init(AVCodecContext *avctx, uint8_t **cf_lut, int **cf_lut_status);
 void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status);


-void ff_bgmc_decode_init(GetBitContext *gb,
+int ff_bgmc_decode_init(GetBitContext *gb,
                      unsigned int *h, unsigned int *l, unsigned int *v);


@@ -1299,13 +1299,13 @@ static av_cold int decode_init(AVCodecContext *avctx)
    }
    c->avctx = avctx;

+    if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
+        return ret;
+
    c->last = av_frame_alloc();
    if (!c->last)
        return AVERROR(ENOMEM);

-    if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
-        return ret;
-
    avctx->pix_fmt = c->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P;

    ff_blockdsp_init(&c->bdsp, avctx);
@@ -94,6 +94,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
    if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) {
        // audio is already interleaved for the RDFT format variant
        avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
+        if (sample_rate > INT_MAX / avctx->channels)
+            return AVERROR_INVALIDDATA;
        sample_rate  *= avctx->channels;
        s->channels = 1;
        if (!s->version_b)
@@ -106,7 +108,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    s->frame_len     = 1 << frame_len_bits;
    s->overlap_len   = s->frame_len / 16;
    s->block_size    = (s->frame_len - s->overlap_len) * s->channels;
-    sample_rate_half = (sample_rate + 1) / 2;
+    sample_rate_half = (sample_rate + 1LL) / 2;
    if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT)
        s->root = 2.0 / (sqrt(s->frame_len) * 32768.0);
    else
@@ -33,20 +33,22 @@
 #define A3  3784
 #define A4 -5352

+#define MUL(X,Y) ((int)((unsigned)(X) * (Y)) >> 11)
+
 #define IDCT_TRANSFORM(dest,s0,s1,s2,s3,s4,s5,s6,s7,d0,d1,d2,d3,d4,d5,d6,d7,munge,src) {\
    const int a0 = (src)[s0] + (src)[s4]; \
    const int a1 = (src)[s0] - (src)[s4]; \
    const int a2 = (src)[s2] + (src)[s6]; \
-    const int a3 = (A1*((src)[s2] - (src)[s6])) >> 11; \
+    const int a3 = MUL(A1, (src)[s2] - (src)[s6]); \
    const int a4 = (src)[s5] + (src)[s3]; \
    const int a5 = (src)[s5] - (src)[s3]; \
    const int a6 = (src)[s1] + (src)[s7]; \
    const int a7 = (src)[s1] - (src)[s7]; \
    const int b0 = a4 + a6; \
-    const int b1 = (A3*(a5 + a7)) >> 11; \
-    const int b2 = ((A4*a5) >> 11) - b0 + b1; \
-    const int b3 = (A1*(a6 - a4) >> 11) - b2; \
-    const int b4 = ((A2*a7) >> 11) + b3 - b1; \
+    const int b1 = MUL(A3, a5 + a7); \
+    const int b2 = MUL(A4, a5) - b0 + b1; \
+    const int b3 = MUL(A1, a6 - a4) - b2; \
+    const int b4 = MUL(A2, a7) + b3 - b1; \
    (dest)[d0] = munge(a0+a2   +b0); \
    (dest)[d1] = munge(a1+a3-a2+b2); \
    (dest)[d2] = munge(a1-a3+a2+b3); \
@@ -63,6 +63,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
            av_log(avctx, AV_LOG_ERROR, "not enough extradata\n");
            return AVERROR_INVALIDDATA;
        }
+        if (!s->font_height) {
+            av_log(avctx, AV_LOG_ERROR, "invalid font height\n");
+            return AVERROR_INVALIDDATA;
+        }
    } else {
        s->font_height = 8;
        s->flags = 0;
@@ -195,8 +195,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
            }
            for (k = 0; k < nb; k++) {
                int bits = table[j][1];
+                int oldsym  = table[j][0];
                ff_dlog(NULL, "%4x: code=%d n=%d\n", j, i, n);
-                if (bits != 0 && bits != n) {
+                if ((bits || oldsym) && (bits != n || oldsym != symbol)) {
                    av_log(NULL, AV_LOG_ERROR, "incorrect codes\n");
                    return AVERROR_INVALIDDATA;
                }
@@ -233,6 +234,10 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
            /* note: realloc has been done, so reload tables */
            table = (volatile VLC_TYPE (*)[2])&vlc->table[table_index];
            table[j][0] = index; //code
+            if (table[j][0] != index) {
+                avpriv_request_sample(NULL, "strange codes");
+                return AVERROR_PATCHWELCOME;
+            }
            i = k-1;
        }
    }
@@ -58,6 +58,9 @@ const AVBitStreamFilter *av_bsf_get_by_name(const char *name)
 {
    int i;

+    if (!name)
+        return NULL;
+
    for (i = 0; bitstream_filters[i]; i++) {
        const AVBitStreamFilter *f = bitstream_filters[i];
        if (!strcmp(f->name, name))
@@ -286,7 +286,7 @@ static int bmp_decode_frame(AVCodecContext *avctx,
        case 1:
            for (i = 0; i < avctx->height; i++) {
                int j;
-                for (j = 0; j < n; j++) {
+                for (j = 0; j < avctx->width >> 3; j++) {
                    ptr[j*8+0] =  buf[j] >> 7;
                    ptr[j*8+1] = (buf[j] >> 6) & 1;
                    ptr[j*8+2] = (buf[j] >> 5) & 1;
@@ -296,6 +296,9 @@ static int bmp_decode_frame(AVCodecContext *avctx,
                    ptr[j*8+6] = (buf[j] >> 1) & 1;
                    ptr[j*8+7] =  buf[j]       & 1;
                }
+                for (j = 0; j < (avctx->width & 7); j++) {
+                    ptr[avctx->width - (avctx->width & 7) + j] = buf[avctx->width >> 3] >> (7 - j) & 1;
+                }
                buf += n;
                ptr += linesize;
            }
@@ -204,6 +204,10 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
        avpriv_request_sample(avctx, "Format %d", hdr.format);
        return AVERROR_PATCHWELCOME;
    }
+    bytes_per_scanline = bytes_pp * hdr.width;
+
+    if (bytestream2_get_bytes_left(&gb) < hdr.height * bytes_per_scanline)
+        return AVERROR_INVALIDDATA;

    if ((ret = ff_set_dimensions(avctx, hdr.width, hdr.height)) < 0)
        return ret;
@@ -261,7 +265,6 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    bytestream2_skip(&gb, 8);

    // read the image data to the buffer
-    bytes_per_scanline = bytes_pp * hdr.width;
    bytes_left = bytestream2_get_bytes_left(&gb);

    if (chunk_type != IMAGE_DATA_CHUNK || data_len != bytes_left ||
@@ -48,7 +48,8 @@ void av_bsf_free(AVBSFContext **pctx)

    av_opt_free(ctx);

-    av_packet_free(&ctx->internal->buffer_pkt);
+    if (ctx->internal)
+        av_packet_free(&ctx->internal->buffer_pkt);
    av_freep(&ctx->internal);
    av_freep(&ctx->priv_data);

@@ -591,14 +591,21 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
 }


-static inline void decode_residual_chroma(AVSContext *h)
+static inline int decode_residual_chroma(AVSContext *h)
 {
-    if (h->cbp & (1 << 4))
-        decode_residual_block(h, &h->gb, chroma_dec, 0,
+    if (h->cbp & (1 << 4)) {
+        int ret = decode_residual_block(h, &h->gb, chroma_dec, 0,
                              ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride);
-    if (h->cbp & (1 << 5))
-        decode_residual_block(h, &h->gb, chroma_dec, 0,
+        if (ret < 0)
+            return ret;
+    }
+    if (h->cbp & (1 << 5)) {
+        int ret = decode_residual_block(h, &h->gb, chroma_dec, 0,
                              ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride);
+        if (ret < 0)
+            return ret;
+    }
+    return 0;
 }

 static inline int decode_residual_inter(AVSContext *h)
@@ -649,6 +656,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
    uint8_t top[18];
    uint8_t *left = NULL;
    uint8_t *d;
+    int ret;

    ff_cavs_init_mb(h);

@@ -692,8 +700,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
        ff_cavs_load_intra_pred_luma(h, top, &left, block);
        h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]]
            (d, top, left, h->l_stride);
-        if (h->cbp & (1<<block))
-            decode_residual_block(h, gb, intra_dec, 1, h->qp, d, h->l_stride);
+        if (h->cbp & (1<<block)) {
+            ret = decode_residual_block(h, gb, intra_dec, 1, h->qp, d, h->l_stride);
+            if (ret < 0)
+                return ret;
+        }
    }

    /* chroma intra prediction */
@@ -703,7 +714,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
    h->intra_pred_c[pred_mode_uv](h->cv, &h->top_border_v[h->mbx * 10],
                                  h->left_border_v, h->c_stride);

-    decode_residual_chroma(h);
+    ret = decode_residual_chroma(h);
+    if (ret < 0)
+        return ret;
    ff_cavs_filter(h, I_8X8);
    set_mv_intra(h);
    return 0;
@@ -1194,6 +1207,7 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    int input_size, ret;
    const uint8_t *buf_end;
    const uint8_t *buf_ptr;
+    int frame_start = 0;

    if (buf_size == 0) {
        if (!h->low_delay && h->DPB[0].f->data[0]) {
@@ -1227,6 +1241,9 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                h->got_keyframe = 1;
            }
        case PIC_PB_START_CODE:
+            if (frame_start > 1)
+                return AVERROR_INVALIDDATA;
+            frame_start ++;
            if (*got_frame)
                av_frame_unref(data);
            *got_frame = 0;
@@ -212,10 +212,10 @@ static const unsigned char pac2_attribs[32][3] = // Color, font, ident

 struct Screen {
    /* +1 is used to compensate null character of string */
-    uint8_t characters[SCREEN_ROWS][SCREEN_COLUMNS+1];
-    uint8_t charsets[SCREEN_ROWS][SCREEN_COLUMNS+1];
-    uint8_t colors[SCREEN_ROWS][SCREEN_COLUMNS+1];
-    uint8_t fonts[SCREEN_ROWS][SCREEN_COLUMNS+1];
+    uint8_t characters[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
+    uint8_t charsets[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
+    uint8_t colors[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
+    uint8_t fonts[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
    /*
     * Bitmask of used rows; if a bit is not set, the
     * corresponding row is not used.
@@ -80,11 +80,8 @@ static av_cold int cdg_decode_init(AVCodecContext *avctx)
        return AVERROR(ENOMEM);
    cc->transparency = -1;

-    avctx->width   = CDG_FULL_WIDTH;
-    avctx->height  = CDG_FULL_HEIGHT;
    avctx->pix_fmt = AV_PIX_FMT_PAL8;
-
-    return 0;
+    return ff_set_dimensions(avctx, CDG_FULL_WIDTH, CDG_FULL_HEIGHT);
 }

 static void cdg_border_preset(CDGraphicsContext *cc, uint8_t *data)
@@ -168,5 +168,5 @@ AVCodec ff_comfortnoise_decoder = {
    .close          = cng_decode_close,
    .sample_fmts    = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_S16,
                                                     AV_SAMPLE_FMT_NONE },
-    .capabilities   = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_DR1,
+    .capabilities   = AV_CODEC_CAP_DR1,
 };
@@ -143,7 +143,7 @@ typedef struct cook {

    /* generate tables and related variables */
    int                 gain_size_factor;
-    float               gain_table[23];
+    float               gain_table[31];

    /* data buffers */

@@ -185,8 +185,8 @@ static av_cold void init_gain_table(COOKContext *q)
 {
    int i;
    q->gain_size_factor = q->samples_per_channel / 8;
-    for (i = 0; i < 23; i++)
-        q->gain_table[i] = pow(pow2tab[i + 52],
+    for (i = 0; i < 31; i++)
+        q->gain_table[i] = pow(pow2tab[i + 48],
                               (1.0 / (double) q->gain_size_factor));
 }

@@ -670,7 +670,7 @@ static void interpolate_float(COOKContext *q, float *buffer,
        for (i = 0; i < q->gain_size_factor; i++)
            buffer[i] *= fc1;
    } else {                                        // smooth gain
-        fc2 = q->gain_table[11 + (gain_index_next - gain_index)];
+        fc2 = q->gain_table[15 + (gain_index_next - gain_index)];
        for (i = 0; i < q->gain_size_factor; i++) {
            buffer[i] *= fc1;
            fc1       *= fc2;
@@ -759,7 +759,7 @@ static int decouple_info(COOKContext *q, COOKSubpacket *p, int *decouple_tab)
        for (i = 0; i < length; i++)
            decouple_tab[start + i] = get_vlc2(&q->gb,
                                               p->channel_coupling.table,
-                                               p->channel_coupling.bits, 2);
+                                               p->channel_coupling.bits, 3);
    else
        for (i = 0; i < length; i++) {
            int v = get_bits(&q->gb, p->js_vlc_bits);
@@ -1075,6 +1075,9 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
        return AVERROR_INVALIDDATA;
    }

+    if (avctx->block_align >= INT_MAX / 8)
+        return AVERROR(EINVAL);
+
    /* Initialize RNG. */
    av_lfg_init(&q->random_state, 0);

@@ -1225,6 +1228,15 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
            return AVERROR_PATCHWELCOME;
        }
    }
+
+    /* Try to catch some obviously faulty streams, otherwise it might be exploitable */
+    if (q->samples_per_channel != 256 && q->samples_per_channel != 512 &&
+        q->samples_per_channel != 1024) {
+        avpriv_request_sample(avctx, "samples_per_channel = %d",
+                              q->samples_per_channel);
+        return AVERROR_PATCHWELCOME;
+    }
+
    /* Generate tables */
    init_pow2table();
    init_gain_table(q);
@@ -1233,10 +1245,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
    if ((ret = init_cook_vlc_tables(q)))
        return ret;

-
-    if (avctx->block_align >= UINT_MAX / 2)
-        return AVERROR(EINVAL);
-
    /* Pad the databuffer with:
       DECODE_BYTES_PAD1 or DECODE_BYTES_PAD2 for decode_bytes(),
       AV_INPUT_BUFFER_PADDING_SIZE, for the bitstreamreader. */
@@ -1260,14 +1268,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
        q->saturate_output = saturate_output_float;
    }

-    /* Try to catch some obviously faulty streams, otherwise it might be exploitable */
-    if (q->samples_per_channel != 256 && q->samples_per_channel != 512 &&
-        q->samples_per_channel != 1024) {
-        avpriv_request_sample(avctx, "samples_per_channel = %d",
-                              q->samples_per_channel);
-        return AVERROR_PATCHWELCOME;
-    }
-
    avctx->sample_fmt = AV_SAMPLE_FMT_FLTP;
    if (channel_mask)
        avctx->channel_layout = channel_mask;
@@ -63,7 +63,7 @@ static int cpia_decode_frame(AVCodecContext *avctx,
    uint8_t *y, *u, *v, *y_end, *u_end, *v_end;

    // Check header
-    if ( avpkt->size < FRAME_HEADER_SIZE
+    if ( avpkt->size < FRAME_HEADER_SIZE + avctx->height * 3
      || header[0] != MAGIC_0 || header[1] != MAGIC_1
      || (header[17] != SUBSAMPLE_420 && header[17] != SUBSAMPLE_422)
      || (header[18] != YUVORDER_YUYV && header[18] != YUVORDER_UYVY)
@@ -159,7 +159,7 @@ static int parse_lfe_24(DCALbrDecoder *s)
    step_i = get_bits(&s->gb, 8);
    if (step_i > step_max) {
        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    step = ff_dca_lfe_step_size_24[step_i];
@@ -213,7 +213,7 @@ static int parse_lfe_16(DCALbrDecoder *s)
    step_i = get_bits(&s->gb, 8);
    if (step_i > step_max) {
        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    step = ff_dca_lfe_step_size_16[step_i];
@@ -251,14 +251,17 @@ static int parse_lfe_16(DCALbrDecoder *s)

 static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk)
 {
+    int ret;
+
    if (!(s->flags & LBR_FLAG_LFE_PRESENT))
        return 0;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    // Determine bit depth from chunk size
    if (chunk->len >= 52)
@@ -267,7 +270,7 @@ static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk)
        return parse_lfe_16(s);

    av_log(s->avctx, AV_LOG_ERROR, "LFE chunk too short\n");
-    return -1;
+    return AVERROR_INVALIDDATA;
 }

 static inline int parse_vlc(GetBitContext *s, VLC *vlc, int max_depth)
@@ -296,13 +299,13 @@ static int parse_tonal(DCALbrDecoder *s, int group)
        for (freq = 1;; freq++) {
            if (get_bits_left(&s->gb) < 1) {
                av_log(s->avctx, AV_LOG_ERROR, "Tonal group chunk too short\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

            diff = parse_vlc(&s->gb, &ff_dca_vlc_tnl_grp[group], 2);
            if (diff >= FF_ARRAY_ELEMS(ff_dca_fst_amp)) {
                av_log(s->avctx, AV_LOG_ERROR, "Invalid tonal frequency diff\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

            diff = get_bitsz(&s->gb, diff >> 2) + ff_dca_fst_amp[diff];
@@ -312,7 +315,7 @@ static int parse_tonal(DCALbrDecoder *s, int group)
            freq += diff - 2;
            if (freq >> (5 - group) > s->nsubbands * 4 - 6) {
                av_log(s->avctx, AV_LOG_ERROR, "Invalid spectral line offset\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

            // Main channel
@@ -363,19 +366,21 @@ static int parse_tonal(DCALbrDecoder *s, int group)

 static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk)
 {
-    int sb, group;
+    int sb, group, ret;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+
+    if (ret < 0)
+        return ret;

    // Scale factors
    if (chunk->id == LBR_CHUNK_SCF || chunk->id == LBR_CHUNK_TONAL_SCF) {
        if (get_bits_left(&s->gb) < 36) {
            av_log(s->avctx, AV_LOG_ERROR, "Tonal scale factor chunk too short\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }
        for (sb = 0; sb < 6; sb++)
            s->tonal_scf[sb] = get_bits(&s->gb, 6);
@@ -383,20 +388,25 @@ static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk)

    // Tonal groups
    if (chunk->id == LBR_CHUNK_TONAL || chunk->id == LBR_CHUNK_TONAL_SCF)
-        for (group = 0; group < 5; group++)
-            if (parse_tonal(s, group) < 0)
-                return -1;
+        for (group = 0; group < 5; group++) {
+            ret = parse_tonal(s, group);
+            if (ret < 0)
+                return ret;
+        }

    return 0;
 }

 static int parse_tonal_group(DCALbrDecoder *s, LBRChunk *chunk)
 {
+    int ret;
+
    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    return parse_tonal(s, chunk->id);
 }
@@ -409,7 +419,7 @@ static int ensure_bits(GetBitContext *s, int n)
 {
    int left = get_bits_left(s);
    if (left < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;
    if (left < n) {
        skip_bits_long(s, left);
        return 1;
@@ -438,7 +448,7 @@ static int parse_scale_factors(DCALbrDecoder *s, uint8_t *scf)
        dist = parse_vlc(&s->gb, &ff_dca_vlc_rsd_apprx, 1) + 1;
        if (dist > 7 - sf) {
            av_log(s->avctx, AV_LOG_ERROR, "Invalid scale factor distance\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }

        if (ensure_bits(&s->gb, 20))
@@ -503,22 +513,26 @@ static int parse_st_code(GetBitContext *s, int min_v)

 static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
-    int ch, sb, sf, nsubbands;
+    int ch, sb, sf, nsubbands, ret;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    // Scale factors
    nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1;
    for (sb = 2; sb < nsubbands; sb++) {
-        if (parse_scale_factors(s, s->grid_1_scf[ch1][sb]) < 0)
-            return -1;
-        if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband
-            && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0)
-            return -1;
+        ret = parse_scale_factors(s, s->grid_1_scf[ch1][sb]);
+        if (ret < 0)
+            return ret;
+        if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband) {
+            ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]);
+            if (ret < 0)
+                return ret;
+        }
    }

    if (get_bits_left(&s->gb) < 1)
@@ -537,7 +551,7 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch

    if (get_bits_left(&s->gb) < 0) {
        av_log(s->avctx, AV_LOG_ERROR, "First grid chunk too short\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    // Stereo image for partial mono mode
@@ -567,14 +581,16 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch

 static int parse_grid_1_sec_ch(DCALbrDecoder *s, int ch2)
 {
-    int sb, nsubbands;
+    int sb, nsubbands, ret;

    // Scale factors
    nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1;
    for (sb = 2; sb < nsubbands; sb++) {
-        if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband
-            && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0)
-            return -1;
+        if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband) {
+            ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]);
+            if (ret < 0)
+                return ret;
+        }
    }

    // Average values for third grid
@@ -714,7 +730,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2,
            s->sb_indices[sb] = sb_reorder;
        }
        if (sb_reorder >= s->nsubbands)
-            return -1;
+            return AVERROR_INVALIDDATA;

        // Third grid scale factors
        if (sb == 12) {
@@ -736,7 +752,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2,

        quant_level = s->quant_levels[ch1 / 2][sb];
        if (!quant_level)
-            return -1;
+            return AVERROR_INVALIDDATA;

        // Time samples for one or both channels
        if (sb < s->max_mono_subband && sb_reorder >= s->min_mono_subband) {
@@ -797,13 +813,14 @@ static int parse_lpc(DCALbrDecoder *s, int ch1, int ch2, int start_sb, int end_s
 static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
    int quant_levels[DCA_LBR_SUBBANDS];
-    int sb, ch, ol, st, max_sb, profile;
+    int sb, ch, ol, st, max_sb, profile, ret;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    // Quantizer profile
    profile = get_bits(&s->gb, 8);
@@ -837,18 +854,20 @@ static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int c
        s->quant_levels[ch1 / 2][sb] = quant_levels[sb];

    // LPC for the first two subbands
-    if (parse_lpc(s, ch1, ch2, 0, 2) < 0)
-        return -1;
+    ret = parse_lpc(s, ch1, ch2, 0, 2);
+    if (ret < 0)
+        return ret;

    // Time-samples for the first two subbands of main channel
-    if (parse_ts(s, ch1, ch2, 0, 2, 0) < 0)
-        return -1;
+    ret = parse_ts(s, ch1, ch2, 0, 2, 0);
+    if (ret < 0)
+        return ret;

    // First two bands of the first grid
    for (sb = 0; sb < 2; sb++)
        for (ch = ch1; ch <= ch2; ch++)
-            if (parse_scale_factors(s, s->grid_1_scf[ch][sb]) < 0)
-                return -1;
+            if ((ret = parse_scale_factors(s, s->grid_1_scf[ch][sb])) < 0)
+                return ret;

    return 0;
 }
@@ -897,39 +916,42 @@ static int parse_grid_2(DCALbrDecoder *s, int ch1, int ch2,

 static int parse_ts1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
+    int ret;
    if (!chunk->len)
        return 0;
-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
-    if (parse_lpc(s, ch1, ch2, 2, 3) < 0)
-        return -1;
-    if (parse_ts(s, ch1, ch2, 2, 4, 0) < 0)
-        return -1;
-    if (parse_grid_2(s, ch1, ch2, 0, 1, 0) < 0)
-        return -1;
-    if (parse_ts(s, ch1, ch2, 4, 6, 0) < 0)
-        return -1;
+    if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0)
+        return ret;
+    if ((ret = parse_lpc(s, ch1, ch2, 2, 3)) < 0)
+        return ret;
+    if ((ret = parse_ts(s, ch1, ch2, 2, 4, 0)) < 0)
+        return ret;
+    if ((ret = parse_grid_2(s, ch1, ch2, 0, 1, 0)) < 0)
+        return ret;
+    if ((ret = parse_ts(s, ch1, ch2, 4, 6, 0)) < 0)
+        return ret;
    return 0;
 }

 static int parse_ts2_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
+    int ret;
+
    if (!chunk->len)
        return 0;
-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
-    if (parse_grid_2(s, ch1, ch2, 1, 3, 0) < 0)
-        return -1;
-    if (parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0) < 0)
-        return -1;
+    if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0)
+        return ret;
+    if ((ret = parse_grid_2(s, ch1, ch2, 1, 3, 0)) < 0)
+        return ret;
+    if ((ret = parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0)) < 0)
+        return ret;
    if (ch1 != ch2) {
-        if (parse_grid_1_sec_ch(s, ch2) < 0)
-            return -1;
-        if (parse_grid_2(s, ch1, ch2, 0, 3, 1) < 0)
-            return -1;
+        if ((ret = parse_grid_1_sec_ch(s, ch2)) < 0)
+            return ret;
+        if ((ret = parse_grid_2(s, ch1, ch2, 0, 3, 1)) < 0)
+            return ret;
    }
-    if (parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1) < 0)
-        return -1;
+    if ((ret = parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1)) < 0)
+        return ret;
    return 0;
 }

@@ -937,11 +959,13 @@ static int init_sample_rate(DCALbrDecoder *s)
 {
    double scale = (-1.0 / (1 << 17)) * sqrt(1 << (2 - s->limited_range));
    int i, br_per_ch = s->bit_rate_scaled / s->nchannels_total;
+    int ret;

    ff_mdct_end(&s->imdct);

-    if (ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale) < 0)
-        return -1;
+    ret = ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale);
+    if (ret < 0)
+        return ret;

    for (i = 0; i < 32 << s->freq_range; i++)
        s->window[i] = ff_dca_long_window[i << (2 - s->freq_range)];
@@ -980,7 +1004,7 @@ static int alloc_sample_buffer(DCALbrDecoder *s)
    // Reallocate time sample buffer
    av_fast_mallocz(&s->ts_buffer, &s->ts_size, nsamples * sizeof(float));
    if (!s->ts_buffer)
-        return -1;
+        return AVERROR(ENOMEM);

    ptr = s->ts_buffer + DCA_LBR_TIME_HISTORY;
    for (ch = 0; ch < s->nchannels; ch++) {
@@ -1801,7 +1825,7 @@ av_cold int ff_dca_lbr_init(DCALbrDecoder *s)
    init_tables();

    if (!(s->fdsp = avpriv_float_dsp_alloc(0)))
-        return -1;
+        return AVERROR(ENOMEM);

    s->lbr_rand = 1;
    return 0;
@@ -617,6 +617,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
    AVFrame *frame = data;
    int mipmap;
    int ret;
+    int width, height;

    ff_texturedsp_init(&ctx->texdsp);
    bytestream2_init(gbc, avpkt->data, avpkt->size);
@@ -635,9 +636,9 @@ static int dds_decode(AVCodecContext *avctx, void *data,

    bytestream2_skip(gbc, 4); // flags

-    avctx->height = bytestream2_get_le32(gbc);
-    avctx->width  = bytestream2_get_le32(gbc);
-    ret = av_image_check_size(avctx->width, avctx->height, 0, avctx);
+    height = bytestream2_get_le32(gbc);
+    width  = bytestream2_get_le32(gbc);
+    ret = ff_set_dimensions(avctx, width, height);
    if (ret < 0) {
        av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n",
               avctx->width, avctx->height);
@@ -353,6 +353,8 @@ static int dfa_decode_frame(AVCodecContext *avctx,

    bytestream2_init(&gb, avpkt->data, avpkt->size);
    while (bytestream2_get_bytes_left(&gb) > 0) {
+        if (bytestream2_get_bytes_left(&gb) < 12)
+            return AVERROR_INVALIDDATA;
        bytestream2_skip(&gb, 4);
        chunk_size = bytestream2_get_le32(&gb);
        chunk_type = bytestream2_get_le32(&gb);
@@ -190,15 +190,15 @@ static void RENAME(horizontal_compose_daub97i)(uint8_t *_b, uint8_t *_temp, int

    // second stage combined with interleave and shift
    b0 = b2 = COMPOSE_DAUB97iL0(temp[w2], temp[0], temp[w2]);
-    b[0] = (b0 + 1) >> 1;
+    b[0] = ~((~b0) >> 1);
    for (x = 1; x < w2; x++) {
        b2 = COMPOSE_DAUB97iL0(temp[x+w2-1], temp[x     ], temp[x+w2]);
        b1 = COMPOSE_DAUB97iH0(          b0, temp[x+w2-1], b2        );
-        b[2*x-1] = (b1 + 1) >> 1;
-        b[2*x  ] = (b2 + 1) >> 1;
+        b[2*x-1] = ~((~b1) >> 1);
+        b[2*x  ] = ~((~b2) >> 1);
        b0 = b2;
    }
-    b[w-1] = (COMPOSE_DAUB97iH0(b2, temp[w-1], b2) + 1) >> 1;
+    b[w-1] = ~((~COMPOSE_DAUB97iH0(b2, temp[w-1], b2)) >> 1);
 }

 static void RENAME(vertical_compose_dirac53iH0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_b2,
@@ -212,7 +212,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx,
        if (parse_timing_info && pu1.prev_pu_offset >= 13) {
            uint8_t *cur_pu = pc->buffer +
                              pc->index - 13 - pu1.prev_pu_offset;
-            int pts = AV_RB32(cur_pu + 13);
+            int64_t pts = AV_RB32(cur_pu + 13);
            if (s->last_pts == 0 && s->last_dts == 0)
                s->dts = pts - 1;
            else
@@ -139,7 +139,7 @@ typedef struct DiracContext {
    GetBitContext gb;
    AVDiracSeqHeader seq;
    int seen_sequence_header;
-    int frame_number;           /* number of the next frame to display       */
+    int64_t frame_number;       /* number of the next frame to display       */
    Plane plane[3];
    int chroma_x_shift;
    int chroma_y_shift;
@@ -661,6 +661,10 @@ static void decode_component(DiracContext *s, int comp)
            b->length = get_interleaved_ue_golomb(&s->gb);
            if (b->length) {
                b->quant = get_interleaved_ue_golomb(&s->gb);
+                if (b->quant > (DIRAC_MAX_QUANT_INDEX - 1)) {
+                    av_log(s->avctx, AV_LOG_ERROR, "Unsupported quant %d\n", b->quant);
+                    b->quant = 0;
+                }
                align_get_bits(&s->gb);
                b->coeff_data = s->gb.buffer + get_bits_count(&s->gb)/8;
                b->length = FFMIN(b->length, FFMAX(get_bits_left(&s->gb)/8, 0));
@@ -979,6 +983,10 @@ static int decode_lowdelay(DiracContext *s)
            for (slice_x = 0; bufsize > 0 && slice_x < s->num_x; slice_x++) {
                bytes = (slice_num+1) * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den
                       - slice_num    * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den;
+                if (bytes >= INT_MAX || bytes*8 > bufsize) {
+                    av_log(s->avctx, AV_LOG_ERROR, "too many bytes\n");
+                    return AVERROR_INVALIDDATA;
+                }
                slices[slice_num].bytes   = bytes;
                slices[slice_num].slice_x = slice_x;
                slices[slice_num].slice_y = slice_y;
@@ -1236,7 +1244,12 @@ static int dirac_unpack_idwt_params(DiracContext *s)
    else {
        s->num_x        = get_interleaved_ue_golomb(gb);
        s->num_y        = get_interleaved_ue_golomb(gb);
-        if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) {
+        if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX ||
+            s->num_x * (uint64_t)s->avctx->width  > INT_MAX ||
+            s->num_y * (uint64_t)s->avctx->height > INT_MAX ||
+            s->num_x > s->avctx->width ||
+            s->num_y > s->avctx->height
+        ) {
            av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n");
            s->num_x = s->num_y = 0;
            return AVERROR_INVALIDDATA;
@@ -1392,9 +1405,9 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
    int *b      = s->globalmc[ref].pan_tilt;
    int *c      = s->globalmc[ref].perspective;

-    int m       = (1<<ep) - (c[0]*x + c[1]*y);
-    int64_t mx  = m * (int64_t)((A[0][0] * x + A[0][1]*y) + (1<<ez) * b[0]);
-    int64_t my  = m * (int64_t)((A[1][0] * x + A[1][1]*y) + (1<<ez) * b[1]);
+    int64_t m   = (1<<ep) - (c[0]*(int64_t)x + c[1]*(int64_t)y);
+    int64_t mx  = m * (int64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
+    int64_t my  = m * (int64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);

    block->u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
    block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
@@ -2294,7 +2307,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    }

    if (*got_frame)
-        s->frame_number = picture->display_picture_number + 1;
+        s->frame_number = picture->display_picture_number + 1LL;

    return buf_idx;
 }
@@ -286,9 +286,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
                shift[ch] -= (2 * n);
            diff = sign_extend((diff &~ 3) << 8, 16);

-            /* saturate the shifter to a lower limit of 0 */
-            if (shift[ch] < 0)
-                shift[ch] = 0;
+            /* saturate the shifter to 0..31 */
+            shift[ch] = av_clip_uintp2(shift[ch], 5);

            diff >>= shift[ch];
            predictor[ch] += diff;
@@ -36,6 +36,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
    DSDContext * s;
    int i;

+    if (!avctx->channels)
+        return AVERROR_INVALIDDATA;
+
    ff_init_dsd_data();

    s = av_malloc_array(sizeof(DSDContext), avctx->channels);
@@ -37,7 +37,7 @@
 #define DST_MAX_CHANNELS 6
 #define DST_MAX_ELEMENTS (2 * DST_MAX_CHANNELS)

-#define DSD_FS44(sample_rate) (sample_rate * 8 / 44100)
+#define DSD_FS44(sample_rate) (sample_rate * 8LL / 44100)

 #define DST_SAMPLES_PER_FRAME(sample_rate) (588 * DSD_FS44(sample_rate))

@@ -85,6 +85,16 @@ static av_cold int decode_init(AVCodecContext *avctx)
        return AVERROR_PATCHWELCOME;
    }

+    // the sample rate is only allowed to be 64,128,256 * 44100 by ISO/IEC 14496-3:2005(E)
+    // We are a bit more tolerant here, but this check is needed to bound the size and duration
+    if (avctx->sample_rate > 512 * 44100)
+        return AVERROR_INVALIDDATA;
+
+
+    if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) {
+        return AVERROR_PATCHWELCOME;
+    }
+
    avctx->sample_fmt = AV_SAMPLE_FMT_FLT;

    for (i = 0; i < avctx->channels; i++)
@@ -120,7 +130,7 @@ static int read_map(GetBitContext *gb, Table *t, unsigned int map[DST_MAX_CHANNE

 static av_always_inline int get_sr_golomb_dst(GetBitContext *gb, unsigned int k)
 {
-    int v = get_ur_golomb(gb, k, get_bits_left(gb), 0);
+    int v = get_ur_golomb_jpegls(gb, k, get_bits_left(gb), 0);
    if (v && get_bits1(gb))
        v = -v;
    return v;
@@ -155,12 +165,16 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[
            for (j = method + 1; j < t->length[i]; j++) {
                int c, x = 0;
                for (k = 0; k < method + 1; k++)
-                    x += code_pred_coeff[method][k] * t->coeff[i][j - k - 1];
+                    x += code_pred_coeff[method][k] * (unsigned)t->coeff[i][j - k - 1];
                c = get_sr_golomb_dst(gb, lsb_size);
                if (x >= 0)
                    c -= (x + 4) / 8;
                else
                    c += (-x + 3) / 8;
+                if (!is_signed) {
+                    if (c < offset || c >= offset + (1<<coeff_bits))
+                        return AVERROR_INVALIDDATA;
+                }
                t->coeff[i][j] = c;
            }
        }
@@ -298,11 +312,15 @@ static int decode_frame(AVCodecContext *avctx, void *data,

    /* Filter Coef Sets (10.12) */

-    read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0);
+    ret = read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0);
+    if (ret < 0)
+        return ret;

    /* Probability Tables (10.13) */

-    read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1);
+    ret = read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1);
+    if (ret < 0)
+        return ret;

    /* Arithmetic Coded Data (10.11) */

@@ -1353,6 +1353,13 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
        display->y_pos = AV_RB16(buf) & 0xfff;
        buf += 2;

+        if (display->x_pos >= region->width ||
+            display->y_pos >= region->height) {
+            av_log(avctx, AV_LOG_ERROR, "Object outside region\n");
+            av_free(display);
+            return AVERROR_INVALIDDATA;
+        }
+
        if ((object->type == 1 || object->type == 2) && buf+1 < buf_end) {
            display->fgcolor = *buf++;
            display->bgcolor = *buf++;
@@ -1587,8 +1594,9 @@ static int dvbsub_parse_display_definition_segment(AVCodecContext *avctx,
    display_def->width   = bytestream_get_be16(&buf) + 1;
    display_def->height  = bytestream_get_be16(&buf) + 1;
    if (!avctx->width || !avctx->height) {
-        avctx->width  = display_def->width;
-        avctx->height = display_def->height;
+        int ret = ff_set_dimensions(avctx, display_def->width, display_def->height);
+        if (ret < 0)
+            return ret;
    }

    if (info_byte & 1<<3) { // display_window_flag
@@ -82,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color)
 {
    int len;
    int has_run = get_bits1(gb);
-    if (get_bits1(gb))
-        *color = get_bits(gb, 8);
-    else
-        *color = get_bits(gb, 2);
+    *color = get_bits(gb, 2 + 6*get_bits1(gb));
    if (has_run) {
        if (get_bits1(gb)) {
            len = get_bits(gb, 7);
@@ -127,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
            len = decode_run_8bit(&gb, &color);
        else
            len = decode_run_2bit(&gb, &color);
+        if (len != INT_MAX && len > w - x)
+            return AVERROR_INVALIDDATA;
        len = FFMIN(len, w - x);
        memset(d + x, color, len);
        x += len;
@@ -300,6 +300,9 @@ static int tgv_decode_frame(AVCodecContext *avctx,
            s->palette[i] = 0xFFU << 24 | AV_RB24(buf);
            buf += 3;
        }
+        if (buf_end - buf < 5) {
+            return AVERROR_INVALIDDATA;
+        }
    }

    if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
@@ -131,6 +131,9 @@ static int tqi_decode_frame(AVCodecContext *avctx,
    AVFrame *frame = data;
    int ret, w, h;

+    if (buf_size < 12)
+        return AVERROR_INVALIDDATA;
+
    t->avctx = avctx;

    w = AV_RL16(&buf[0]);
@@ -419,7 +419,7 @@ static void guess_mv(ERContext *s)
    }

    if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) ||
-        num_avail <= mb_width / 2) {
+        num_avail <= FFMAX(mb_width, mb_height) / 2) {
        for (mb_y = 0; mb_y < mb_height; mb_y++) {
            for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
                const int mb_xy = mb_x + mb_y * s->mb_stride;
@@ -1367,6 +1367,7 @@ static int decode_header(EXRContext *s)
                        if (*ch_gb.buffer == '.')
                            ch_gb.buffer++;         /* skip dot if not given */
                    } else {
+                        layer_match = 0;
                        av_log(s->avctx, AV_LOG_INFO,
                               "Channel doesn't match layer : %s.\n", ch_gb.buffer);
                    }
@@ -845,7 +845,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            unsigned crc = av_crc(av_crc_get_table(AV_CRC_32_IEEE), 0, buf_p, v);
            if (crc) {
                int64_t ts = avpkt->pts != AV_NOPTS_VALUE ? avpkt->pts : avpkt->dts;
-                av_log(f->avctx, AV_LOG_ERROR, "CRC mismatch %X!", crc);
+                av_log(f->avctx, AV_LOG_ERROR, "slice CRC mismatch %X!", crc);
                if (ts != AV_NOPTS_VALUE && avctx->pkt_timebase.num) {
                    av_log(f->avctx, AV_LOG_ERROR, "at %f seconds\n", ts*av_q2d(avctx->pkt_timebase));
                } else if (ts != AV_NOPTS_VALUE) {
@@ -113,18 +113,12 @@ static uint32_t lcg_next(uint32_t *s)
    return *s;
 }

-static void lcg_seek(uint32_t *s, int64_t dt)
+static void lcg_seek(uint32_t *s, uint32_t dt)
 {
    uint32_t a, c, t = *s;

-    if (dt >= 0) {
-        a = LCG_A;
-        c = LCG_C;
-    } else { /* coefficients for a step backward */
-        a = LCG_AI;
-        c = (uint32_t)(LCG_AI * LCG_C);
-        dt = -dt;
-    }
+    a = LCG_A;
+    c = LCG_C;
    while (dt) {
        if (dt & 1)
            t = a * t + c;
@@ -221,12 +215,12 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts)
    ws->next_inter = i;
    ws->next_ts = i < ws->nb_inter ? ws->inter[i].ts_start : INF_TS;
    *last = -1;
-    lcg_seek(&ws->dither_state, ts - ws->cur_ts);
+    lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts);
    if (ws->pink_need) {
-        int64_t pink_ts_cur  = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1);
-        int64_t pink_ts_next = ts & ~(PINK_UNIT - 1);
+        uint64_t pink_ts_cur  = (ws->cur_ts + (uint64_t)PINK_UNIT - 1) & ~(PINK_UNIT - 1);
+        uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1);
        int pos = ts & (PINK_UNIT - 1);
-        lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) << 1);
+        lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2);
        if (pos) {
            pink_fill(ws);
            ws->pink_pos = pos;
@@ -253,7 +247,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc)
    edata_end = edata + avc->extradata_size;
    ws->nb_inter = AV_RL32(edata);
    edata += 4;
-    if (ws->nb_inter < 0)
+    if (ws->nb_inter < 0 || (edata_end - edata) / 24 < ws->nb_inter)
        return AVERROR(EINVAL);
    ws->inter = av_calloc(ws->nb_inter, sizeof(*ws->inter));
    if (!ws->inter)
@@ -267,13 +261,16 @@ static int wavesynth_parse_extradata(AVCodecContext *avc)
        in->type     = AV_RL32(edata + 16);
        in->channels = AV_RL32(edata + 20);
        edata += 24;
-        if (in->ts_start < cur_ts || in->ts_end <= in->ts_start)
+        if (in->ts_start < cur_ts ||
+            in->ts_end <= in->ts_start ||
+            (uint64_t)in->ts_end - in->ts_start > INT64_MAX
+        )
            return AVERROR(EINVAL);
        cur_ts = in->ts_start;
        dt = in->ts_end - in->ts_start;
        switch (in->type) {
            case WS_SINE:
-                if (edata_end - edata < 20)
+                if (edata_end - edata < 20 || avc->sample_rate <= 0)
                    return AVERROR(EINVAL);
                f1  = AV_RL32(edata +  0);
                f2  = AV_RL32(edata +  4);
@@ -284,7 +281,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc)
                dphi1 = frac64(f1, (int64_t)avc->sample_rate << 16);
                dphi2 = frac64(f2, (int64_t)avc->sample_rate << 16);
                in->dphi0 = dphi1;
-                in->ddphi = (dphi2 - dphi1) / dt;
+                in->ddphi = (int64_t)(dphi2 - (uint64_t)dphi1) / dt;
                if (phi & 0x80000000) {
                    phi &= ~0x80000000;
                    if (phi >= i)
@@ -304,8 +301,8 @@ static int wavesynth_parse_extradata(AVCodecContext *avc)
            default:
                return AVERROR(EINVAL);
        }
-        in->amp0 = (int64_t)a1 << 32;
-        in->damp = (((int64_t)a2 << 32) - ((int64_t)a1 << 32)) / dt;
+        in->amp0 = (uint64_t)a1 << 32;
+        in->damp = (int64_t)(((uint64_t)a2 << 32) - ((uint64_t)a1 << 32)) / dt;
    }
    if (edata != edata_end)
        return AVERROR(EINVAL);
@@ -353,7 +350,8 @@ fail:
 static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts,
                                   int32_t *channels)
 {
-    int32_t amp, val, *cv;
+    int32_t amp, *cv;
+    unsigned val;
    struct ws_interval *in;
    int i, *last, pink;
    uint32_t c, all_ch = 0;
@@ -380,7 +378,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts,
                in->dphi += in->ddphi;
                break;
            case WS_NOISE:
-                val = amp * pink;
+                val = amp * (unsigned)pink;
                break;
            default:
                val = 0;
@@ -388,7 +386,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts,
        all_ch |= in->channels;
        for (c = in->channels, cv = channels; c; c >>= 1, cv++)
            if (c & 1)
-                *cv += val;
+                *cv += (unsigned)val;
    }
    val = (int32_t)lcg_next(&ws->dither_state) >> 16;
    for (c = all_ch, cv = channels; c; c >>= 1, cv++)
@@ -446,7 +444,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame,
    if (r < 0)
        return r;
    pcm = (int16_t *)frame->data[0];
-    for (s = 0; s < duration; s++, ts++) {
+    for (s = 0; s < duration; s++, ts+=(uint64_t)1) {
        memset(channels, 0, avc->channels * sizeof(*channels));
        if (ts >= ws->next_ts)
            wavesynth_enter_intervals(ws, ts);
@@ -454,7 +452,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame,
        for (c = 0; c < avc->channels; c++)
            *(pcm++) = channels[c] >> 16;
    }
-    ws->cur_ts += duration;
+    ws->cur_ts += (uint64_t)duration;
    *rgot_frame = 1;
    return packet->size;
 }
@@ -138,6 +138,9 @@ static int fic_decode_block(FICContext *ctx, GetBitContext *gb,
 {
    int i, num_coeff;

+    if (get_bits_left(gb) < 8)
+        return AVERROR_INVALIDDATA;
+
    /* Is it a skip block? */
    if (get_bits1(gb)) {
        /* This is a P-frame. */
@@ -386,6 +389,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
            slice_h      = FFALIGN(avctx->height - ctx->slice_h * (nslices - 1), 16);
        } else {
            slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4);
+            if (slice_size < slice_off)
+                return AVERROR_INVALIDDATA;
        }

        if (slice_size < slice_off || slice_size > msize)
@@ -216,16 +216,20 @@ static int find_headers_search(FLACParseContext *fpc, uint8_t *buf, int buf_size
    uint32_t x;

    for (i = 0; i < mod_offset; i++) {
-        if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8)
-            size = find_headers_search_validate(fpc, search_start + i);
+        if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) {
+            int ret = find_headers_search_validate(fpc, search_start + i);
+            size = FFMAX(size, ret);
+        }
    }

    for (; i < buf_size - 1; i += 4) {
        x = AV_RB32(buf + i);
        if (((x & ~(x + 0x01010101)) & 0x80808080)) {
            for (j = 0; j < 4; j++) {
-                if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8)
-                    size = find_headers_search_validate(fpc, search_start + i + j);
+                if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) {
+                    int ret = find_headers_search_validate(fpc, search_start + i + j);
+                    size = FFMAX(size, ret);
+                }
            }
        }
    }
@@ -66,8 +66,8 @@ static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in,
    int i;

    for (i = 0; i < len; i++) {
-        int a = in[0][i];
-        int b = in[1][i];
+        unsigned a = in[0][i];
+        unsigned b = in[1][i];
        S(samples, 0, i) =  a      << shift;
        S(samples, 1, i) = (a - b) << shift;
    }
@@ -80,8 +80,8 @@ static void FUNC(flac_decorrelate_rs_c)(uint8_t **out, int32_t **in,
    int i;

    for (i = 0; i < len; i++) {
-        int a = in[0][i];
-        int b = in[1][i];
+        unsigned a = in[0][i];
+        unsigned b = in[1][i];
        S(samples, 0, i) = (a + b) << shift;
        S(samples, 1, i) =  b      << shift;
    }
@@ -94,7 +94,7 @@ static void FUNC(flac_decorrelate_ms_c)(uint8_t **out, int32_t **in,
    int i;

    for (i = 0; i < len; i++) {
-        int a = in[0][i];
+        unsigned a = in[0][i];
        int b = in[1][i];
        a -= b >> 1;
        S(samples, 0, i) = (a + b) << shift;
@@ -178,7 +178,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
    int lines;
    int compressed_lines;
    int starting_line;
-    signed short line_packets;
+    int line_packets;
    int y_ptr;
    int byte_run;
    int pixel_skip;
@@ -277,7 +277,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                    break;
                if (y_ptr > pixel_limit)
                    return AVERROR_INVALIDDATA;
-                line_packets = bytestream2_get_le16(&g2);
+                line_packets = sign_extend(bytestream2_get_le16(&g2), 16);
                if ((line_packets & 0xC000) == 0xC000) {
                    // line skip opcode
                    line_packets = -line_packets;
@@ -507,7 +507,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,

    int lines;
    int compressed_lines;
-    signed short line_packets;
+    int line_packets;
    int y_ptr;
    int byte_run;
    int pixel_skip;
@@ -571,7 +571,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
                    break;
                if (y_ptr > pixel_limit)
                    return AVERROR_INVALIDDATA;
-                line_packets = bytestream2_get_le16(&g2);
+                line_packets = sign_extend(bytestream2_get_le16(&g2), 16);
                if (line_packets < 0) {
                    line_packets = -line_packets;
                    if (line_packets > s->avctx->height)
@@ -243,6 +243,9 @@ static int jpg_decode_block(JPGContext *c, GetBitContext *gb,
    const int is_chroma = !!plane;
    const uint8_t *qmat = is_chroma ? chroma_quant : luma_quant;

+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
+
    c->bdsp.clear_block(block);
    dc = get_vlc2(gb, c->dc_vlc[is_chroma].table, 9, 3);
    if (dc < 0)
@@ -853,6 +856,9 @@ static int epic_decode_tile(ePICContext *dc, uint8_t *out, int tile_height,
                    uint32_t ref_pix = curr_row[x - 1];
                    if (!x || !epic_decode_from_cache(dc, ref_pix, &pix)) {
                        pix = epic_decode_pixel_pred(dc, x, y, curr_row, above_row);
+                        if (is_pixel_on_stack(dc, pix))
+                            return AVERROR_INVALIDDATA;
+
                        if (x) {
                            int ret = epic_add_pixel_to_cache(&dc->hash,
                                                              ref_pix,
@@ -910,6 +916,11 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y,
    awidth      = FFALIGN(tile_width,  16);
    aheight     = FFALIGN(tile_height, 16);

+    if (tile_width > (1 << FF_ARRAY_ELEMS(c->ec.prev_row_rung))) {
+        avpriv_request_sample(avctx, "large tile width");
+        return AVERROR_INVALIDDATA;
+    }
+
    if (els_dsize) {
        int ret, i, j, k;
        uint8_t tr_r, tr_g, tr_b, *buf;
@@ -51,6 +51,12 @@ static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx,
        s->duration   = avctx->frame_size;
    }

+    if (!s->block_size) {
+        *poutbuf      = buf;
+        *poutbuf_size = buf_size;
+        return buf_size;
+    }
+
    if (!s->remaining)
        s->remaining = s->block_size;
    if (s->remaining <= buf_size) {
@@ -328,11 +328,14 @@ static int16_t g729d_voice_decision(int onset, int prev_voice_decision, const in

 static int32_t scalarproduct_int16_c(const int16_t * v1, const int16_t * v2, int order)
 {
-    int res = 0;
+    int64_t res = 0;

    while (order--)
        res += *v1++ * *v2++;

+    if      (res > INT32_MAX) return INT32_MAX;
+    else if (res < INT32_MIN) return INT32_MIN;
+
    return res;
 }

@@ -413,7 +416,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
        return ret;
    out_frame = (int16_t*) frame->data[0];

-    if (buf_size % 10 == 0) {
+    if (buf_size && buf_size % 10 == 0) {
        packet_type = FORMAT_G729_8K;
        format = &format_g729_8k;
        //Reset voice decision
@@ -156,7 +156,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
            sig_scaled[i] = residual[i] >> shift;
    else
        for (i = 0; i < subframe_size + RES_PREV_DATA_SIZE; i++)
-            sig_scaled[i] = residual[i] << -shift;
+            sig_scaled[i] = (unsigned)residual[i] << -shift;

    /* Start of best delay searching code */
    gain_num = 0;
@@ -201,8 +201,8 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
        }
        if (corr_int_num) {
            /* Compute denominator of pseudo-normalized correlation R'(0). */
-            corr_int_den = adsp->scalarproduct_int16(sig_scaled - best_delay_int + RES_PREV_DATA_SIZE,
-                                                    sig_scaled - best_delay_int + RES_PREV_DATA_SIZE,
+            corr_int_den = adsp->scalarproduct_int16(sig_scaled + RES_PREV_DATA_SIZE - best_delay_int,
+                                                     sig_scaled + RES_PREV_DATA_SIZE - best_delay_int,
                                                    subframe_size);

            /* Compute signals with non-integer delay k (with 1/8 precision),
@@ -346,7 +346,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
        L_temp1 = gain_long_num * gain_long_num;
        L_temp1 = MULL(L_temp1, gain_den, FRAC_BITS);

-        tmp = ((sh_gain_long_num - sh_gain_num) << 1) - (sh_gain_long_den - sh_gain_den);
+        tmp = ((sh_gain_long_num - sh_gain_num) * 2) - (sh_gain_long_den - sh_gain_den);
        if (tmp > 0)
            L_temp0 >>= tmp;
        else
@@ -367,7 +367,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
        /* Rescale selected signal to original value. */
        if (shift > 0)
            for (i = 0; i < subframe_size; i++)
-                selected_signal[i] <<= shift;
+                selected_signal[i] *= 1 << shift;
        else
            for (i = 0; i < subframe_size; i++)
                selected_signal[i] >>= -shift;
@@ -464,7 +464,7 @@ static int16_t get_tilt_comp(AudioDSPContext *adsp, int16_t *lp_gn,
            speech[i] = (speech[i] * temp + 0x4000) >> 15;
    }

-    return -(rh1 << 15) / rh0;
+    return -(rh1 * (1 << 15)) / rh0;
 }

 /**
@@ -486,29 +486,29 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff,

    if (refl_coeff > 0) {
        gt = (refl_coeff * G729_TILT_FACTOR_PLUS + 0x4000) >> 15;
-        fact = 0x4000; // 0.5 in (0.15)
-        sh_fact = 15;
+        fact = 0x2000; // 0.5 in (0.15)
+        sh_fact = 14;
    } else {
        gt = (refl_coeff * G729_TILT_FACTOR_MINUS + 0x4000) >> 15;
-        fact = 0x800; // 0.5 in (3.12)
-        sh_fact = 12;
+        fact = 0x400; // 0.5 in (3.12)
+        sh_fact = 11;
    }
-    ga = (fact << 15) / av_clip_int16(32768 - FFABS(gt));
+    ga = (fact << 16) / av_clip_int16(32768 - FFABS(gt));
    gt >>= 1;

    /* Apply tilt compensation filter to signal. */
    tmp = res_pst[subframe_size - 1];

    for (i = subframe_size - 1; i >= 1; i--) {
-        tmp2 = (res_pst[i] << 15) + ((gt * res_pst[i-1]) << 1);
-        tmp2 = (tmp2 + 0x4000) >> 15;
+        tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000;
+        tmp2 = res_pst[i] + (tmp2 >> 15);

-        tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact;
+        tmp2 = (tmp2 * ga + fact) >> sh_fact;
        out[i] = tmp2;
    }
-    tmp2 = (res_pst[0] << 15) + ((gt * ht_prev_data) << 1);
-    tmp2 = (tmp2 + 0x4000) >> 15;
-    tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact;
+    tmp2 = (gt * ht_prev_data) * 2 + 0x4000;
+    tmp2 = res_pst[0] + (tmp2 >> 15);
+    tmp2 = (tmp2 * ga + fact) >> sh_fact;
    out[0] = tmp2;

    return tmp;
@@ -600,6 +600,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *
            gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000;
            gain = bidir_sal(gain, exp_after - exp_before);
        }
+        gain = av_clip_int16(gain);
        gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875)
    } else
        gain = 0;
@@ -49,6 +49,8 @@ extern const uint8_t ff_interleaved_dirac_golomb_vlc_code[256];

 /**
 * Read an unsigned Exp-Golomb code in the range 0 to 8190.
+ *
+ * @returns the read value or a negative error code.
 */
 static inline int get_ue_golomb(GetBitContext *gb)
 {
@@ -714,8 +714,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl)
    cbp = 0; /* avoid warning. FIXME: find a solution without slowing
                down the code */
    if (sl->slice_type_nos != AV_PICTURE_TYPE_I) {
-        if (sl->mb_skip_run == -1)
-            sl->mb_skip_run = get_ue_golomb_long(&sl->gb);
+        if (sl->mb_skip_run == -1) {
+            unsigned mb_skip_run = get_ue_golomb_long(&sl->gb);
+            if (mb_skip_run > h->mb_num) {
+                av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run);
+                return AVERROR_INVALIDDATA;
+            }
+            sl->mb_skip_run = mb_skip_run;
+        }

        if (sl->mb_skip_run--) {
            if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) {
@@ -142,8 +142,8 @@ void ff_h264_direct_ref_list_init(const H264Context *const h, H264SliceContext *
            av_log(h->avctx, AV_LOG_ERROR, "co located POCs unavailable\n");
            sl->col_parity = 1;
        } else
-        sl->col_parity = (FFABS(col_poc[0] - cur_poc) >=
-                          FFABS(col_poc[1] - cur_poc));
+            sl->col_parity = (FFABS(col_poc[0] - (int64_t)cur_poc) >=
+                              FFABS(col_poc[1] - (int64_t)cur_poc));
        ref1sidx =
        sidx     = sl->col_parity;
    // FL -> FL & differ parity
@@ -296,7 +296,8 @@ int ff_h264_init_poc(int pic_field_poc[2], int *pic_poc,
        if (picture_structure == PICT_FRAME)
            field_poc[1] += pc->delta_poc_bottom;
    } else if (sps->poc_type == 1) {
-        int abs_frame_num, expected_delta_per_poc_cycle, expectedpoc;
+        int abs_frame_num;
+        int64_t expected_delta_per_poc_cycle, expectedpoc;
        int i;

        if (sps->poc_cycle_length != 0)
@@ -373,9 +373,11 @@ int ff_h264_build_ref_list(H264Context *h, H264SliceContext *sl)
                av_assert0(0);
            }

-            if (i < 0) {
+            if (i < 0 || mismatches_ref(h, ref)) {
                av_log(h->avctx, AV_LOG_ERROR,
-                       "reference picture missing during reorder\n");
+                       i < 0 ? "reference picture missing during reorder\n" :
+                               "mismatching reference\n"
+                      );
                memset(&sl->ref_list[list][index], 0, sizeof(sl->ref_list[0][0])); // FIXME
            } else {
                for (i = index; i + 1 < sl->ref_count[list]; i++) {
@@ -807,6 +809,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h)
        }
    }

+    // Detect unmarked random access points
    if (   err >= 0
        && h->long_ref_count==0
        && (   h->short_ref_count<=2
@@ -682,7 +682,7 @@ static void implicit_weight_table(const H264Context *h, H264SliceContext *sl, in
            cur_poc = h->cur_pic_ptr->field_poc[h->picture_structure - 1];
        }
        if (sl->ref_count[0] == 1 && sl->ref_count[1] == 1 && !FRAME_MBAFF(h) &&
-            sl->ref_list[0][0].poc + (int64_t)sl->ref_list[1][0].poc == 2 * cur_poc) {
+            sl->ref_list[0][0].poc + (int64_t)sl->ref_list[1][0].poc == 2LL * cur_poc) {
            sl->pwt.use_weight        = 0;
            sl->pwt.use_weight_chroma = 0;
            return;
@@ -749,7 +749,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size)
    }

    ret = ff_h2645_packet_split(&h->pkt, buf, buf_size, avctx, h->is_avc,
-                                h->nal_length_size, avctx->codec_id, avctx->flags2 & AV_CODEC_FLAG2_FAST);
+                                h->nal_length_size, avctx->codec_id, 0);
    if (ret < 0) {
        av_log(avctx, AV_LOG_ERROR,
               "Error splitting the input into NAL units.\n");
@@ -439,6 +439,11 @@ static int hls_slice_header(HEVCContext *s)

    // Coded parameters
    sh->first_slice_in_pic_flag = get_bits1(gb);
+    if (s->ref && sh->first_slice_in_pic_flag) {
+        av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n");
+        return 1; // This slice will be skipped later, do not corrupt state
+    }
+
    if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) {
        s->seq_decode = (s->seq_decode + 1) & 0xff;
        s->max_ra     = INT_MAX;
@@ -2775,6 +2780,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal)
        ret = hls_slice_header(s);
        if (ret < 0)
            return ret;
+        if (ret == 1) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
+

        if (s->max_ra == INT_MAX) {
            if (s->nal_unit_type == NAL_CRA_NUT || IS_BLA(s)) {
@@ -629,11 +629,11 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s)
    }
    if (prefix_val >= 5) {
        int k = 0;
-        while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) {
+        while (k < 7 && get_cabac_bypass(&s->HEVClc->cc)) {
            suffix_val += 1 << k;
            k++;
        }
-        if (k == CABAC_MAX_BIN) {
+        if (k == 7) {
            av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k);
            return AVERROR_INVALIDDATA;
        }
@@ -144,6 +144,11 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        for (i = 0; i < s->length_size; i++)
            nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb);

+        if (nalu_size < 2) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
+
        nalu_type = (bytestream2_peek_byte(&gb) >> 1) & 0x3f;

        /* prepend extradata to IRAP frames */
@@ -152,8 +157,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        extra_size    = add_extradata * ctx->par_out->extradata_size;
        got_irap     |= is_irap;

-        if (SIZE_MAX - nalu_size < 4 ||
-            SIZE_MAX - 4 - nalu_size < extra_size) {
+        if (FFMIN(INT_MAX, SIZE_MAX) < 4ULL + nalu_size + extra_size) {
            ret = AVERROR_INVALIDDATA;
            goto fail;
        }
@@ -164,7 +168,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        if (ret < 0)
            goto fail;

-        if (add_extradata)
+        if (extra_size)
            memcpy(out->data + prev_size, ctx->par_out->extradata, extra_size);
        AV_WB32(out->data + prev_size + extra_size, 1);
        bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, nalu_size);
@@ -401,7 +401,7 @@ static void mark_ref(HEVCFrame *frame, int flag)
 static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc)
 {
    HEVCFrame *frame;
-    int i, x, y;
+    int i, y;

    frame = alloc_frame(s);
    if (!frame)
@@ -414,11 +414,11 @@ static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc)
                       frame->frame->buf[i]->size);
        } else {
            for (i = 0; frame->frame->data[i]; i++)
-                for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++)
-                    for (x = 0; x < (s->ps.sps->width >> s->ps.sps->hshift[i]); x++) {
-                        AV_WN16(frame->frame->data[i] + y * frame->frame->linesize[i] + 2 * x,
-                                1 << (s->ps.sps->bit_depth - 1));
-                    }
+                for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) {
+                    uint8_t *dst = frame->frame->data[i] + y * frame->frame->linesize[i];
+                    AV_WN16(dst, 1 << (s->ps.sps->bit_depth - 1));
+                    av_memcpy_backptr(dst + 2, 2, 2*(s->ps.sps->width >> s->ps.sps->hshift[i]) - 2);
+                }
        }
    }

@@ -117,14 +117,17 @@ static void unpack_intraframe(AVCodecContext *avctx, uint8_t *src,
 static void postprocess_current_frame(AVCodecContext *avctx)
 {
    Hnm4VideoContext *hnm = avctx->priv_data;
-    uint32_t x, y, src_x, src_y;
+    uint32_t x, y, src_y;
+    int width = hnm->width;

    for (y = 0; y < hnm->height; y++) {
+        uint8_t *dst = hnm->processed + y * width;
+        const uint8_t *src = hnm->current;
        src_y = y - (y % 2);
-        src_x = src_y * hnm->width + (y % 2);
-        for (x = 0; x < hnm->width; x++) {
-            hnm->processed[(y * hnm->width) + x] = hnm->current[src_x];
-            src_x += 2;
+        src += src_y * width + (y % 2);
+        for (x = 0; x < width; x++) {
+            dst[x] = *src;
+            src += 2;
        }
    }
 }
@@ -143,7 +146,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame)
    }
 }

-static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
+static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
 {
    Hnm4VideoContext *hnm = avctx->priv_data;
    GetByteContext gb;
@@ -162,7 +165,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
            if (tag == 0) {
                if (writeoffset + 2 > hnm->width * hnm->height) {
                    av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                }
                hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
                hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
@@ -176,7 +179,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
                count = bytestream2_get_byte(&gb) * 2;
                if (writeoffset + count > hnm->width * hnm->height) {
                    av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                }
                while (count > 0) {
                    hnm->current[writeoffset++] = bytestream2_peek_byte(&gb);
@@ -188,7 +191,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
            }
            if (writeoffset > hnm->width * hnm->height) {
                av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
            }
        } else {
            previous = bytestream2_peek_byte(&gb) & 0x20;
@@ -204,24 +207,25 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s

            if (!backward && offset + 2*count > hnm->width * hnm->height) {
                av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
            } else if (backward && offset + 1 >= hnm->width * hnm->height) {
                av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
            } else if (writeoffset + 2*count > hnm->width * hnm->height) {
                av_log(avctx, AV_LOG_ERROR,
                       "Attempting to write out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
+
            }
            if(backward) {
                if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) {
                    av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                }
            } else {
                if (offset < (!!backline)*(2 * hnm->width - 1)) {
                    av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                }
            }

@@ -268,6 +272,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
            }
        }
    }
+    return 0;
 }

 static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
@@ -434,7 +439,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data,
            decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8);
            memcpy(hnm->processed, hnm->current, hnm->width * hnm->height);
        } else {
-            decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
+            int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
+            if (ret < 0)
+                return ret;
            postprocess_current_frame(avctx);
        }
        copy_processed_frame(avctx, frame);
@@ -181,6 +181,9 @@ static int hqa_decode_mb(HQContext *c, AVFrame *pic, int qgroup,
    int flag = 0;
    int i, ret, cbp;

+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
+
    cbp = get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1);

    for (i = 0; i < 12; i++)
@@ -245,13 +248,18 @@ static int hqa_decode_frame(HQContext *ctx, AVFrame *pic, size_t data_size)
    int width, height, quant;
    const uint8_t *src = ctx->gbc.buffer;

+    if (bytestream2_get_bytes_left(&ctx->gbc) < 8 + 4*(num_slices + 1))
+        return AVERROR_INVALIDDATA;
+
    width  = bytestream2_get_be16(&ctx->gbc);
    height = bytestream2_get_be16(&ctx->gbc);

+    ret = ff_set_dimensions(ctx->avctx, width, height);
+    if (ret < 0)
+        return ret;
+
    ctx->avctx->coded_width         = FFALIGN(width,  16);
    ctx->avctx->coded_height        = FFALIGN(height, 16);
-    ctx->avctx->width               = width;
-    ctx->avctx->height              = height;
    ctx->avctx->bits_per_raw_sample = 8;
    ctx->avctx->pix_fmt             = AV_PIX_FMT_YUVA422P;

@@ -313,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data,
        int info_size;
        bytestream2_skip(&ctx->gbc, 4);
        info_size = bytestream2_get_le32(&ctx->gbc);
-        if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
+        if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
            av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size);
            return AVERROR_INVALIDDATA;
        }
@@ -22,6 +22,7 @@
 #include "libavutil/common.h"
 #include "libavutil/parseutils.h"
 #include "htmlsubtitles.h"
+#include <ctype.h>

 static int html_color_parse(void *log_ctx, const char *str)
 {
@@ -51,6 +52,53 @@ static void rstrip_spaces_buf(AVBPrint *buf)
            buf->str[--buf->len] = 0;
 }

+/*
+ * Fast code for scanning text enclosed in braces. Functionally
+ * equivalent to this sscanf call:
+ *
+ * sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0
+ */
+static int scanbraces(const char* in) {
+    if (strncmp(in, "{\\an", 4) != 0) {
+        return 0;
+    }
+    if (!av_isdigit(in[4])) {
+        return 0;
+    }
+    if (in[5] != '}') {
+        return 0;
+    }
+    return 1;
+}
+
+/*
+ * Fast code for scanning the rest of a tag. Functionally equivalent to
+ * this sscanf call:
+ *
+ * sscanf(in, "%127[^<>]>%n", buffer, lenp) == 2
+ */
+static int scantag(const char* in, char* buffer, int* lenp) {
+    int len;
+
+    for (len = 0; len < 128; len++) {
+        const char c = *in++;
+        switch (c) {
+        case '\0':
+            return 0;
+        case '<':
+            return 0;
+        case '>':
+            buffer[len] = '\0';
+            *lenp = len+1;
+            return 1;
+        default:
+            break;
+        }
+        buffer[len] = c;
+    }
+    return 0;
+}
+
 int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
 {
    char *param, buffer[128], tmp[128];
@@ -82,9 +130,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
            break;
        case '{':    /* skip all {\xxx} substrings except for {\an%d}
                        and all microdvd like styles such as {Y:xxx} */
-            len = 0;
-            an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0;
-
+            an += scanbraces(in);
            if (!closing_brace_missing) {
                if (   (an != 1 && in[1] == '\\')
                    || (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) {
@@ -102,13 +148,13 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
        case '<':
            tag_close = in[1] == '/';
            len = 0;
-            if (sscanf(in+tag_close+1, "%127[^>]>%n", buffer, &len) >= 1 && len > 0) {
+            if (scantag(in+tag_close+1, buffer, &len) && len > 0) {
                const char *tagname = buffer;
                while (*tagname == ' ')
                    tagname++;
                if ((param = strchr(tagname, ' ')))
                    *param++ = 0;
-                if ((!tag_close && sptr < FF_ARRAY_ELEMS(stack)) ||
+                if ((!tag_close && sptr < FF_ARRAY_ELEMS(stack) && *tagname) ||
                    ( tag_close && sptr > 0 && !strcmp(stack[sptr-1].tag, tagname))) {
                    int i, j, unknown = 0;
                    in += len + tag_close;
@@ -416,9 +416,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
        case 0x0F0:
            avctx->pix_fmt = AV_PIX_FMT_GRAY16;
            break;
-        case 0x170:
-            avctx->pix_fmt = AV_PIX_FMT_GRAY8A;
-            break;
        case 0x470:
            avctx->pix_fmt = AV_PIX_FMT_GBRP;
            break;
@@ -987,12 +984,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                left= left_prediction(s, p->data[plane], s->temp[0], w, 0);

                y = 1;
+                if (y >= h)
+                    break;

                /* second line is left predicted for interlaced case */
                if (s->interlaced) {
                    decode_plane_bitstream(s, w, plane);
                    left = left_prediction(s, p->data[plane] + p->linesize[plane], s->temp[0], w, left);
                    y++;
+                    if (y >= h)
+                        break;
                }

                lefttop = p->data[plane][0];
@@ -1104,6 +1105,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                }

                cy = y = 1;
+                if (y >= height)
+                    break;

                /* second line is left predicted for interlaced case */
                if (s->interlaced) {
@@ -1116,6 +1119,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                    }
                    y++;
                    cy++;
+                    if (y >= height)
+                        break;
                }

                /* next 4 pixels are left predicted too */
@@ -277,7 +277,6 @@ FF_ENABLE_DEPRECATION_WARNINGS
    case AV_PIX_FMT_YUVA420P:
    case AV_PIX_FMT_YUVA422P:
    case AV_PIX_FMT_GBRAP:
-    case AV_PIX_FMT_GRAY8A:
    case AV_PIX_FMT_YUV420P9:
    case AV_PIX_FMT_YUV420P10:
    case AV_PIX_FMT_YUV420P12:
@@ -1131,7 +1130,6 @@ AVCodec ff_ffvhuff_encoder = {
        AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY16,
        AV_PIX_FMT_YUVA420P, AV_PIX_FMT_YUVA422P, AV_PIX_FMT_YUVA444P,
        AV_PIX_FMT_GBRAP,
-        AV_PIX_FMT_GRAY8A,
        AV_PIX_FMT_YUV420P9, AV_PIX_FMT_YUV420P10, AV_PIX_FMT_YUV420P12, AV_PIX_FMT_YUV420P14, AV_PIX_FMT_YUV420P16,
        AV_PIX_FMT_YUV422P9, AV_PIX_FMT_YUV422P10, AV_PIX_FMT_YUV422P12, AV_PIX_FMT_YUV422P14, AV_PIX_FMT_YUV422P16,
        AV_PIX_FMT_YUV444P9, AV_PIX_FMT_YUV444P10, AV_PIX_FMT_YUV444P12, AV_PIX_FMT_YUV444P14, AV_PIX_FMT_YUV444P16,
@@ -111,23 +111,23 @@ static const uint64_t plane8_lut[8][256] = {
    LUT8(4), LUT8(5), LUT8(6), LUT8(7),
 };

-#define LUT32(plane) {                                \
-             0,          0,          0,          0,   \
-             0,          0,          0, 1 << plane,   \
-             0,          0, 1 << plane,          0,   \
-             0,          0, 1 << plane, 1 << plane,   \
-             0, 1 << plane,          0,          0,   \
-             0, 1 << plane,          0, 1 << plane,   \
-             0, 1 << plane, 1 << plane,          0,   \
-             0, 1 << plane, 1 << plane, 1 << plane,   \
-    1 << plane,          0,          0,          0,   \
-    1 << plane,          0,          0, 1 << plane,   \
-    1 << plane,          0, 1 << plane,          0,   \
-    1 << plane,          0, 1 << plane, 1 << plane,   \
-    1 << plane, 1 << plane,          0,          0,   \
-    1 << plane, 1 << plane,          0, 1 << plane,   \
-    1 << plane, 1 << plane, 1 << plane,          0,   \
-    1 << plane, 1 << plane, 1 << plane, 1 << plane,   \
+#define LUT32(plane) {                                    \
+              0,           0,           0,           0,   \
+              0,           0,           0, 1U << plane,   \
+              0,           0, 1U << plane,           0,   \
+              0,           0, 1U << plane, 1U << plane,   \
+              0, 1U << plane,           0,           0,   \
+              0, 1U << plane,           0, 1U << plane,   \
+              0, 1U << plane, 1U << plane,           0,   \
+              0, 1U << plane, 1U << plane, 1U << plane,   \
+    1U << plane,           0,           0,           0,   \
+    1U << plane,           0,           0, 1U << plane,   \
+    1U << plane,           0, 1U << plane,           0,   \
+    1U << plane,           0, 1U << plane, 1U << plane,   \
+    1U << plane, 1U << plane,           0,           0,   \
+    1U << plane, 1U << plane,           0, 1U << plane,   \
+    1U << plane, 1U << plane, 1U << plane,           0,   \
+    1U << plane, 1U << plane, 1U << plane, 1U << plane,   \
 }

 // 32 planes * 4-bit mask * 4 lookup tables each
@@ -180,6 +180,10 @@ static int cmap_read_palette(AVCodecContext *avctx, uint32_t *pal)
            pal[i] = 0xFF000000 | gray2rgb((i * 255) >> avctx->bits_per_coded_sample);
    }
    if (s->masking == MASK_HAS_MASK) {
+        if ((1 << avctx->bits_per_coded_sample) < count) {
+            avpriv_request_sample(avctx, "overlapping mask");
+            return AVERROR_PATCHWELCOME;
+        }
        memcpy(pal + (1 << avctx->bits_per_coded_sample), pal, count * 4);
        for (i = 0; i < count; i++)
            pal[i] &= 0xFFFFFF;
@@ -280,6 +284,16 @@ static int extract_header(AVCodecContext *const avctx,
        for (i = 0; i < 16; i++)
            s->tvdc[i] = bytestream_get_be16(&buf);

+        if (s->ham) {
+            if (s->bpp > 8) {
+                av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u\n", s->ham);
+                return AVERROR_INVALIDDATA;
+            } if (s->ham != (s->bpp > 6 ? 6 : 4)) {
+                av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u, BPP: %u\n", s->ham, s->bpp);
+                return AVERROR_INVALIDDATA;
+            }
+        }
+
        if (s->masking == MASK_HAS_MASK) {
            if (s->bpp >= 8 && !s->ham) {
                avctx->pix_fmt = AV_PIX_FMT_RGB32;
@@ -307,10 +321,9 @@ static int extract_header(AVCodecContext *const avctx,
        if (!s->bpp || s->bpp > 32) {
            av_log(avctx, AV_LOG_ERROR, "Invalid number of bitplanes: %u\n", s->bpp);
            return AVERROR_INVALIDDATA;
-        } else if (s->ham >= 8) {
-            av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u\n", s->ham);
-            return AVERROR_INVALIDDATA;
        }
+        if (s->video_size && s->planesize * s->bpp * avctx->height > s->video_size)
+            return AVERROR_INVALIDDATA;

        av_freep(&s->ham_buf);
        av_freep(&s->ham_palbuf);
@@ -319,13 +332,17 @@ static int extract_header(AVCodecContext *const avctx,
            int i, count = FFMIN(palette_size / 3, 1 << s->ham);
            int ham_count;
            const uint8_t *const palette = avctx->extradata + AV_RB16(avctx->extradata);
+            int extra_space = 1;
+
+            if (avctx->codec_tag == MKTAG('P', 'B', 'M', ' ') && s->ham == 4)
+                extra_space = 4;

            s->ham_buf = av_malloc((s->planesize * 8) + AV_INPUT_BUFFER_PADDING_SIZE);
            if (!s->ham_buf)
                return AVERROR(ENOMEM);

            ham_count = 8 * (1 << s->ham);
-            s->ham_palbuf = av_malloc((ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE);
+            s->ham_palbuf = av_malloc(extra_space * (ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE);
            if (!s->ham_palbuf) {
                av_freep(&s->ham_buf);
                return AVERROR(ENOMEM);
@@ -371,6 +388,8 @@ static av_cold int decode_end(AVCodecContext *avctx)
    av_freep(&s->planebuf);
    av_freep(&s->ham_buf);
    av_freep(&s->ham_palbuf);
+    av_freep(&s->mask_buf);
+    av_freep(&s->mask_palbuf);
    av_freep(&s->video[0]);
    av_freep(&s->video[1]);
    av_freep(&s->pal);
@@ -421,6 +440,8 @@ static av_cold int decode_init(AVCodecContext *avctx)

    if (avctx->codec_tag == MKTAG('A', 'N', 'I', 'M')) {
        s->video_size = FFALIGN(avctx->width, 2) * avctx->height * s->bpp;
+        if (!s->video_size)
+            return AVERROR_INVALIDDATA;
        s->video[0] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp);
        s->video[1] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp);
        s->pal = av_calloc(256, sizeof(*s->pal));
@@ -443,11 +464,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
 */
 static void decodeplane8(uint8_t *dst, const uint8_t *buf, int buf_size, int plane)
 {
-    const uint64_t *lut = plane8_lut[plane];
+    const uint64_t *lut;
    if (plane >= 8) {
        av_log(NULL, AV_LOG_WARNING, "Ignoring extra planes beyond 8\n");
        return;
    }
+    lut = plane8_lut[plane];
    do {
        uint64_t v = AV_RN64A(dst) | lut[*buf++];
        AV_WN64A(dst, v);
@@ -625,13 +647,15 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in
 {
    const uint8_t *src_end = src + src_size;
    int x = 0, y = 0, i;
-    while (src + 5 <= src_end) {
+    while (src_end - src >= 5) {
        int opcode;
        opcode = *(int8_t *)src++;
        if (opcode >= 0) {
            int size = opcode + 1;
            for (i = 0; i < size; i++) {
-                int length = FFMIN(size - i, width);
+                int length = FFMIN(size - i, width - x);
+                if (src_end - src < length * 4)
+                    return;
                memcpy(dst + y*linesize + x * 4, src, length * 4);
                src += length * 4;
                x += length;
@@ -1060,6 +1084,9 @@ static void decode_long_vertical_delta(uint8_t *dst,
                        x = bytestream2_get_be32(&dgb);
                    }

+                    if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb))
+                        return;
+
                    while (opcode) {
                        bytestream2_seek_p(&pb, ofsdst, SEEK_SET);
                        if (h && (j == (ncolumns - 1))) {
@@ -1200,6 +1227,9 @@ static void decode_long_vertical_delta2(uint8_t *dst,
                        x = bytestream2_get_be32(&gb);
                    }

+                    if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb))
+                        return;
+
                    while (opcode && bytestream2_get_bytes_left_p(&pb) > 1) {
                        bytestream2_seek_p(&pb, ofsdst, SEEK_SET);
                        if (h && (j == ncolumns - 1))
@@ -1269,17 +1299,18 @@ static void decode_delta_d(uint8_t *dst,
            bytestream2_seek_p(&pb, (offset / planepitch_byte) * pitch + (offset % planepitch_byte) + k * planepitch, SEEK_SET);
            if (opcode >= 0) {
                uint32_t x = bytestream2_get_be32(&gb);
+                if (opcode && 4 + (opcode - 1LL) * pitch > bytestream2_get_bytes_left_p(&pb))
+                    continue;
                while (opcode && bytestream2_get_bytes_left_p(&pb) > 0) {
                    bytestream2_put_be32(&pb, x);
                    bytestream2_skip_p(&pb, pitch - 4);
                    opcode--;
                }
            } else {
-                opcode = -opcode;
                while (opcode && bytestream2_get_bytes_left(&gb) > 0) {
                    bytestream2_put_be32(&pb, bytestream2_get_be32(&gb));
                    bytestream2_skip_p(&pb, pitch - 4);
-                    opcode--;
+                    opcode++;
                }
            }
            entries--;
@@ -1442,7 +1473,7 @@ static int decode_frame(AVCodecContext *avctx,
    buf_size -= bytestream2_tell(gb);
    desc = av_pix_fmt_desc_get(avctx->pix_fmt);

-    if (!s->init && avctx->bits_per_coded_sample <= 8 &&
+    if (!s->init && avctx->bits_per_coded_sample <= 8 - (s->masking == MASK_HAS_MASK) &&
        avctx->pix_fmt == AV_PIX_FMT_PAL8) {
        if ((res = cmap_read_palette(avctx, (uint32_t *)frame->data[1])) < 0)
            return res;
@@ -79,10 +79,11 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst

    for (j = 1; j < height; j++) {
        out = 0;
-        if (get_bits_left(&ctx->gb) <= 0)
-            return AVERROR_INVALIDDATA;
        while (out < width) {
-            int c = ir2_get_code(&ctx->gb);
+            int c;
+            if (get_bits_left(&ctx->gb) <= 0)
+                return AVERROR_INVALIDDATA;
+            c = ir2_get_code(&ctx->gb);
            if (c >= 0x80) { /* we have a skip */
                c -= 0x7F;
                if (out + c*2 > width)
@@ -123,9 +124,9 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_

    for (j = 0; j < height; j++) {
        out = 0;
-        if (get_bits_left(&ctx->gb) <= 0)
-            return AVERROR_INVALIDDATA;
        while (out < width) {
+            if (get_bits_left(&ctx->gb) <= 0)
+                return AVERROR_INVALIDDATA;
            c = ir2_get_code(&ctx->gb);
            if (c >= 0x80) { /* we have a skip */
                c   -= 0x7F;
@@ -528,7 +528,7 @@ static int decode_block(InterplayACMContext *s)

    for (i = 1, x = -val; i <= count; i++) {
        s->midbuf[-i] = x;
-        x -= val;
+        x -= (unsigned)val;
    }

    ret = fill_block(s);
@@ -801,6 +801,8 @@ int ff_intrax8_decode_picture(IntraX8Context *const w, Picture *pict,
    for (w->mb_y = 0; w->mb_y < w->mb_height * 2; w->mb_y++) {
        x8_init_block_index(w, w->frame);
        mb_xy = (w->mb_y >> 1) * (w->mb_width + 1);
+        if (get_bits_left(gb) < 1)
+            goto error;
        for (w->mb_x = 0; w->mb_x < w->mb_width * 2; w->mb_x++) {
            x8_get_prediction(w);
            if (x8_setup_spatial_predictor(w, 0))
@@ -1089,6 +1089,11 @@ int ff_h263_decode_picture_header(MpegEncContext *s)
    if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0)
        return ret;

+    if (!(s->avctx->flags2 & AV_CODEC_FLAG2_CHUNKS)) {
+        if ((s->width * s->height / 256 / 8) > get_bits_left(&s->gb))
+            return AVERROR_INVALIDDATA;
+    }
+
    s->mb_width = (s->width  + 15) / 16;
    s->mb_height = (s->height  + 15) / 16;
    s->mb_num = s->mb_width * s->mb_height;
@@ -429,6 +429,10 @@ av_cold int ff_ivi_init_tiles(IVIPlaneDesc *planes,
        t_height = !p ? tile_height : (tile_height + 3) >> 2;

        if (!p && planes[0].num_bands == 4) {
+            if (t_width % 2 || t_height % 2) {
+                avpriv_request_sample(NULL, "Odd tiles");
+                return AVERROR_PATCHWELCOME;
+            }
            t_width  >>= 1;
            t_height >>= 1;
        }
@@ -488,12 +492,6 @@ static int ivi_dec_tile_data_size(GetBitContext *gb)
 static int ivi_dc_transform(IVIBandDesc *band, int *prev_dc, int buf_offs,
                            int blk_size)
 {
-    int buf_size = band->pitch * band->aheight - buf_offs;
-    int min_size = (blk_size - 1) * band->pitch + blk_size;
-
-    if (min_size > buf_size)
-        return AVERROR_INVALIDDATA;
-
    band->dc_transform(prev_dc, band->buf + buf_offs,
                       band->pitch, blk_size);

@@ -724,6 +722,11 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band,
                if (ret < 0)
                    return ret;
            } else {
+                int buf_size = band->pitch * band->aheight - buf_offs;
+                int min_size = (blk_size - 1) * band->pitch + blk_size;
+
+                if (min_size > buf_size)
+                    return AVERROR_INVALIDDATA;
                /* block not coded */
                /* for intra blocks apply the dc slant transform */
                /* for inter - perform the motion compensation without delta */
@@ -1169,6 +1172,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            AVPacket pkt;
            pkt.data = avpkt->data + (get_bits_count(&ctx->gb) >> 3);
            pkt.size = get_bits_left(&ctx->gb) >> 3;
+            ctx->got_p_frame = 0;
+            av_frame_unref(ctx->p_frame);
            ff_ivi_decode_frame(avctx, ctx->p_frame, &ctx->got_p_frame, &pkt);
        }
    }
@@ -247,6 +247,11 @@ static void init_band_stepsize(AVCodecContext *avctx,
        }
    }

+    if (band->f_stepsize > (INT_MAX >> 15)) {
+        band->f_stepsize = 0;
+        av_log(avctx, AV_LOG_ERROR, "stepsize out of range\n");
+    }
+
    band->i_stepsize = band->f_stepsize * (1 << 15);

    /* FIXME: In OpenJPEG code stepsize = stepsize * 0.5. Why?
@@ -1128,7 +1128,7 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
            step_x = 32;
            step_y = 32;

-            if (RSpoc > FFMIN(codsty->nreslevels, REpoc))
+            if (RSpoc >= FFMIN(codsty->nreslevels, REpoc))
                continue;

            for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) {
@@ -531,7 +531,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t)
    }

    for (i = 0; i < w * h; i++)
-        data[i] = (data[i] + ((1<<I_PRESHIFT)>>1)) >> I_PRESHIFT;
+        data[i] = (data[i] + ((1LL<<I_PRESHIFT)>>1)) >> I_PRESHIFT;
 }

 int ff_jpeg2000_dwt_init(DWTContext *s, int border[2][2],
@@ -163,13 +163,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size);
            return AVERROR_INVALIDDATA;
        }
-        if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
-            return ret;

        if (video_type == 0 || video_type == 1) {
            GetBitContext gb;
            init_get_bits(&gb, buf, 8 * video_size);

+            if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
+                return ret;
+
+            if (avctx->height/8 * (avctx->width/8) > 4 * video_size) {
+                av_log(avctx, AV_LOG_ERROR, "Insufficient input data for dimensions\n");
+                return AVERROR_INVALIDDATA;
+            }
+
            for (j = 0; j < avctx->height; j += 8)
                for (i = 0; i < avctx->width; i += 8)
                    decode8x8(&gb,
@@ -179,6 +185,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            buf += video_size;
        } else if (video_type == 2) {
            int v = *buf++;
+
+            av_frame_unref(s->frame);
+            if ((ret = ff_get_buffer(avctx, s->frame, AV_GET_BUFFER_FLAG_REF)) < 0)
+                return ret;
+
            for (j = 0; j < avctx->height; j++)
                memset(s->frame->data[0] + j * s->frame->linesize[0],
                       v, avctx->width);
@@ -222,6 +222,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
        }
    }

+    if (scale_factor > 23)
+        return AVERROR_INVALIDDATA;
+
    rac->scale = scale_factor;

    /* Fill probability array with cumulative probability for each symbol. */
@@ -275,7 +275,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
        if ((discard_padding < avctx->frame_size) != (avpkt->duration > 0)) {
            av_log(avctx, AV_LOG_ERROR, "discard padding overflow\n");
            av_packet_unref(avpkt);
-            av_free(avpkt);
            return AVERROR(EINVAL);
        }
        if ((!s->delay_sent && avctx->initial_padding > 0) || discard_padding > 0) {
@@ -284,7 +283,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
                                                         10);
            if(!side_data) {
                av_packet_unref(avpkt);
-                av_free(avpkt);
                return AVERROR(ENOMEM);
            }
            if (!s->delay_sent) {
@@ -482,7 +482,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt,
    // Check if subtraction resulted in an overflow
    if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) {
        av_packet_unref(avpkt);
-        av_free(avpkt);
        return AVERROR(EINVAL);
    }
    if (discard_padding > 0) {
@@ -491,7 +490,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt,
                                                     10);
        if(!side_data) {
            av_packet_unref(avpkt);
-            av_free(avpkt);
            return AVERROR(ENOMEM);
        }
        AV_WL32(side_data + 4, discard_padding);
@@ -49,29 +49,40 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) {
    vorbis_comment_init(&context->vc) ;

    if(p[0] == 0 && p[1] == 30) {
+        int sizesum = 0;
        for(i = 0; i < 3; i++){
            hsizes[i] = bytestream_get_be16((const uint8_t **)&p);
+            sizesum += 2 + hsizes[i];
+            if (sizesum > avccontext->extradata_size) {
+                av_log(avccontext, AV_LOG_ERROR, "vorbis extradata too small\n");
+                ret = AVERROR_INVALIDDATA;
+                goto error;
+            }
+
            headers[i] = p;
            p += hsizes[i];
        }
    } else if(*p == 2) {
        unsigned int offset = 1;
+        unsigned int sizesum = 1;
        p++;
        for(i=0; i<2; i++) {
            hsizes[i] = 0;
-            while((*p == 0xFF) && (offset < avccontext->extradata_size)) {
+            while((*p == 0xFF) && (sizesum < avccontext->extradata_size)) {
                hsizes[i] += 0xFF;
                offset++;
+                sizesum += 1 + 0xFF;
                p++;
            }
-            if(offset >= avccontext->extradata_size - 1) {
+            hsizes[i] += *p;
+            offset++;
+            sizesum += 1 + *p;
+            if(sizesum > avccontext->extradata_size) {
                av_log(avccontext, AV_LOG_ERROR,
                       "vorbis header sizes damaged\n");
                ret = AVERROR_INVALIDDATA;
                goto error;
            }
-            hsizes[i] += *p;
-            offset++;
            p++;
        }
        hsizes[2] = avccontext->extradata_size - hsizes[0]-hsizes[1]-offset;
@@ -812,7 +812,6 @@ FF_ENABLE_DEPRECATION_WARNINGS
                                                cx_frame->sz_alpha + 8);
            if(!side_data) {
                av_packet_unref(pkt);
-                av_free(pkt);
                return AVERROR(ENOMEM);
            }
            AV_WB64(side_data, 1);
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.12
 .2.15