swscale: aarch64: Fix yuv2rgb with negative strides

Treat the 32 bit stride registers as signed. Alternatively, we could make the stride arguments ptrdiff_t instead of int, and changing all of the assembly to operate on these registers with their full 64 bit width, but that's a much larger and more intrusive change (and risks missing some operation, which would clamp the intermediates to 32 bit still). Fixes: https://trac.ffmpeg.org/ticket/9985 Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit cb803a0072) Signed-off-by: Martin Storsjö <martin@martin.st>
Update for 3.2.19
2022-11-04 14:33:49 +02:00 · 2022-10-21 22:54:56 +02:00 · 2022-10-21 22:19:37 +02:00 · 2022-10-21 22:19:37 +02:00 · 2022-10-21 22:19:37 +02:00 · 2022-10-21 22:19:37 +02:00
247 changed files with 2042 additions and 704 deletions
@@ -1,6 +1,485 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 3.2.19:
+ avcodec/dstdec: Check for overflow in build_filter()
+ avformat/spdifdec: Use 64bit to compute bit rate
+ avformat/xwma: Use av_rescale() for duration computation
+ avformat/rmdec: check tag_size
+ avformat/nutdec: Check fields
+ avformat/dxa: avoid bpc overflows
+ avformat/cafdec: Check that nb_frasmes fits within 64bit
+ avformat/asfdec_o: Limit packet offset
+ avformat/ape: Check frames size
+ avformat/icodec: Check nb_pal
+ avformat/aiffdec: Use 64bit for block_duration use
+ avformat/aiffdec: Check block_duration
+ avcodec/apedec: Fix integer overflow in filter_3800()
+ avcodec/tta: Check 24bit scaling for overflow
+ libavformat/hls: Free keys
+ avcodec/bink: disallow odd positioned scaled blocks
+ avformat/asfdec_o: limit recursion depth in asf_read_unknown()
+ doc/git-howto.texi: Document commit signing
+ libavcodec/8bps: Check that line lengths fit within the buffer
+ libavformat/iff: Check for overflow in body_end calculation
+ avcodec/h263dec: Sanity check against minimal I/P frame size
+ MAINTAINERS: Add ED25519 key for signing my commits in the future
+ avcodec/hevc_filter: copy_CTB() only within width&height
+ avformat/flvdec: Check for EOF in index reading
+ avformat/nutdec: Check get_packetheader() in mainheader
+ avformat/asfdec_f: Use 64bit for packet start time
+ avcodec/lagarith: Check dst/src in zero run code
+ avcodec/h264dec: Skip late SEI
+ avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c()
+ avformat/rtsp: break on unknown protocols
+ avcodec/hevcdsp_template: stay within tables in sao_band_filter()
+ avcodec/qpeldsp: copy less for the mc0x cases
+ avcodec/ffv1dec: Limit golomb rice coded slices to width 8M
+ avformat/iff: simplify duration calculation
+ avcodec/wnv1: Check for width =1
+ avformat/sctp: close socket on errors
+ avcodec/aasc: Fix indention
+ avcodec/qdrw: adjust max colors to array size
+ avcodec/alacdsp: Make intermediates unsigned
+ avformat/aiffdec: cleanup size handling for extreem cases
+ avcodec/jpeglsdec: fix end check for xfrm
+ avcodec/cdgraphics: limit scrolling to the line
+ avformat/aiffdec: avoid integer overflow in get_meta()
+ avformat/ape: more bits in size for less overflows
+ avformat/bfi: Check offsets better
+ avformat/asfdec_f: Check packet_frag_timestamp
+ avcodec/texturedspenc: Fix indexing in color distribution determination
+ avformat/act: Check ff_get_wav_header() for failure
+ avfilter/vsrc_mandelbrot: Check for malloc failure
+ avformat/genh: Check sample rate
+
+version 3.2.18:
+ avfilter/vf_colorspace: fix memmory leaks
+ avcodec/ac3enc: Fix memleak
+ avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written
+ avfilter/vf_random: fix memory leaks
+ avfilter/vf_bwdif: fix heap-buffer overflow
+ fftools/ffmpeg_opt: Fix leak of options when parsing options fails
+ avfilter/vf_edgedetect: fix heap-buffer overflow
+ avfilter/vf_w3fdif: deny processing small videos
+ avfilter/vf_avgblur: fix heap-buffer overflow
+ avfilter/af_tremolo: fix heap-buffer overflow
+ avfilter/vf_edgedetect: check if height is big enough
+ avfilter/vf_bitplanenoise: fix overreads
+ avfilter/vf_fieldorder: fix heap-buffer overflow
+ avfilter/vf_fieldmatch: fix heap-buffer overflow
+ aformat/movenc: add missing padding to output track extradata
+ avcodec/pngenc: remove monowhite from apng formats
+
+version 3.2.17:
+ configure: bump year
+ avfilter/vf_lenscorrection: make width/height int
+ avcodec/diracdec: avoid signed integer overflow in global mv
+ avcodec/takdsp: Fix integer overflow in decorrelate_sf()
+ avcodec/apedec: fix a integer overflow in long_filter_high_3800()
+ avformat/aqtitledec: Skip unrepresentable durations
+ avformat/cafdec: Do not store empty keys in read_info_chunk()
+ avformat/hls: Check target_duration
+ avformat/matroskadec: Check pre_ns
+ avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior
+ avformat/matroskadec: Use rounded down duration in get_cue_desc() check
+ avformat/avidec: Check height
+ avformat/rmdec: Better duplicate tags check
+ avformat/mov: Disallow empty sidx
+ avformat/matroskadec: Check duration
+ avcodec/jpeglsdec: Fix if( code style
+ avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error
+ avcodec/motion_est: fix indention of ff_get_best_fcode()
+ avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()
+ avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned
+ avformat/matroskadec: Check desc_bytes
+ avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()
+ avformat/matroskadec: Fix infinite loop with bz decompression
+ avformat/mov: Check size before subtraction
+ avcodec/apedec: Fix integer overflows in predictor_update_3930()
+ avcodec/apedec: fix integer overflow in 8bit samples
+ avformat/flvdec: timestamps cannot use the full int64 range
+ avcodec/vqavideo: reset accounting on error
+ avcodec/alacdsp: fix integer overflow in decorrelate_stereo()
+ avformat/4xm: Check for duplicate track ids
+ avformat/4xm: Consider max_streams on reallocating tracks array
+ avformat/mov: Check next offset in mov_read_dref()
+ avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()
+ avcodec/apedec: Change avg to uint32_t
+ avformat/mov: Check for EOF in mov_read_glbl()
+ avformat/aiffdec: sanity check block_align
+ avformat/aiffdec: Check sample_rate
+ avfilter/vf_gblur: fix heap-buffer overflow
+ avfilter/vf_lenscorrection: fix division by zero
+ avcodec/g729dec: Avoid computing invalid temporary pointers for ff_acelp_weighted_vector_sum()
+ avformat/movenc: Fix segfault when remuxing rtp hint stream
+ avformat/tty: add probe function
+ avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE
+ avcodec/ttadsp: Fix integer overflows in tta_filter_process_c()
+ avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results
+
+version 3.2.16:
+ configure: update copyright year
+ avformat/wavdec: Check smv_block_size
+ avformat/rmdec: Check for multiple audio_stream_info
+ avcodec/apedec: Use 64bit to avoid overflow
+ avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830()
+ oavformat/avidec: Check offset in odml
+ avformat/mpegts: use actually read packet size in mpegts_resync special case
+ swscale/alphablend: Fix slice handling
+ avcodec/mxpegdec: Check for AVDISCARD_ALL
+ avcodec/flicvideo: Check remaining bytes in FLI*COPY
+ avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return
+ avcodec/apedec: Fix integer overflow in intermediate
+ avformat/mvdec: Do not set invalid sample rate
+ avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4
+ avformat/jacosubdec: Check for min in t overflow in get_shift()
+ avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet()
+ avcodec/utils: don't return negative values in av_get_audio_frame_duration()
+ avcodec/jpeg2000dec: Check that atom header is within bytsetream
+ avcodec/apedec: Fix 2 integer overflows in filter_3800()
+ network: Define ENOTCONN as WSAENOTCONN if not defined
+ avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac()
+ avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata
+ avcodec/webp: Check available space in loop in decode_entropy_coded_image()
+ avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode
+ avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init
+ avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line()
+ avcodec/vc1dec: Disable error concealment for *IMAGE
+ avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c()
+ avformat/wtvdec: Check for EOF before seeking back in parse_media_type()
+ avformat/wavdec: Use 64bit in new_pos computation
+ avformat/sbgdec: Check for overflow in timestamp preparation
+ avformat/dsicin: Check packet size for overflow
+ avformat/bfi: check nframes
+ avformat/avidec: fix position overflow in avi_load_index()
+ avformat/asfdec_f: Check sizeX against padding
+ avformat/aiffdec: Check for size overflow in header parsing
+ avcodec/aaccoder: Add minimal bias in search_for_ms()
+ avfilter/vf_mestimate: Check b_count
+ avformat/mov: do not ignore errors in mov_metadata_hmmt()
+ avformat/mxfdec: Check size for shrinking
+ avcodec/dnxhddec: check and propagate function return value
+ swscale/slice: Fix wrong return on error
+ swscale/slice: Check slice for allocation failure
+ avformat/matroskadec: Fix handling of huge default durations
+ avcodec/lpc: check for zero err in normalization in compute_lpc_coefs()
+ avformat/ftp: Check for av_strtok() failure
+ tools/cws2fws: Check read() for failure
+ avcodec/cpia: Fix missing src_size update
+ avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation
+ avformat/rmdec: Check old_format len for overflow
+ avformat/realtextdec: Check the pts difference before using it for the duration computation
+ avformat/qcp: Avoid negative nb_rates
+ avformat/nutdec: Check tmp_size
+ avformat/msf: Check that channels doesnt overflow during extradata construction
+ avformat/mpc8: Check for position overflow in mpc8_handle_chunk()
+ avformat/iff: Use 64bit in duration computation
+ avformat/dxa: Check fps to be within the supported range more precissely
+ avcodec/iff: Only write palette to plane 1 if its PAL8
+ avformat/tta: Check for EOF in index reading loop
+ Update missed irc links
+ avformat/rpl: The associative law doesnt hold for signed integers in C
+ avcodec/faxcompr: Check available bits in decode_uncompressed()
+ avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10
+ avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit
+ avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1
+ avfilter/vf_dctdnoiz: Check threads
+ avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black
+ avformat/rpl: Check for EOF and zero framesize
+ avcodec/vc2enc: Check for non negative slice bounds
+ avformat/rpl: Use 64bit in bitrate computation and check it
+ avcodec/svq1enc: Do not print debug RD value before it has been computed
+ avcodec/aacpsy: Check bandwidth
+ avcodec/aacenc: Do not divide by lambda_count if it is 0
+ avcodec/aacenc: Use FLT_EPSILON for lambda minimum
+ avfilter/vf_yadif: Fix handing of tiny images
+ avformat/cinedec: Fix index_entries size check
+ avformat/movenc: Check pal_size before use
+ avcodec/lpc: Avoid floating point division by 0
+ avcodec/aacpsy: Avoid floating point division by 0 of norm_fac
+ avcodec/aacenc: Avoid 0 lambda
+ avcodec/exr: x/ymax cannot be INT_MAX
+ avformat/avio: Check av_opt_copy() for failure
+ avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header()
+ avformat/mov: Limit nb_chapter_tracks to input size
+ avformat/mvdec: Check sample rate in parse_audio_var()
+ avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line()
+ avcodec/utils: treat PAL8 for jpegs similar to other colorspaces
+ avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent
+ avformat/id3v2: Check end for overflow in id3v2_parse()
+ avformat/wtvdec: Improve size overflow checks in parse_chunks()
+ avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line()
+ avcodec/utils: Check ima wav duration for overflow
+ avformat/cafdec: Check channels
+ avcodec/dpx: Check bits_per_color earlier
+ avcodec/pnm_parser: Check image size addition for overflow
+ avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check
+ avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context()
+ avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change()
+ avformat/mov: Ignore multiple STSC / STCO
+ avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields()
+ avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice()
+ avutil/common: Add FF_PTR_ADD()
+ avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid
+ avformat/cafdec: Do not build an index if all packets are the same
+ avcodec/sonic: Use unsigned temporary in predictor_calc_error()
+ avformat/flvdec: Check array entry number
+ avcodec/h264_slice: Check sps in h264_slice_header_init()
+ avformat/movenc: Avoid loosing cluster array on failure
+ avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb
+ avformat/mov: Check sample size for overflow in mov_parse_stsd_audio()
+ avcodec/ffwavesynth: Avoid signed integer overflow in phi_at()
+ avcodec/mpeg4videoenc: Check extradata malloc()
+ avformat/matroskadec: Check for EOF in resync loop
+ avcodec/utils: Use more bits for intermediate for AV_CODEC_ID_ADPCM_MS
+ avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular()
+ avutil/timecode: Avoid fps overflow
+ avformat/mvi: Check audio size for more overflows
+ avcodec/ffv1dec: Check if trailer is available
+ avcodec/4xm: Check pre_gb in decode_i_block()
+ avcodec/dcadsp: Fix integer overflow in dmix_add_c()
+ avformat/flvdec: Check double before cast in parse_keyframes_index()
+ avformat/paf: Check for EOF before allocation in read_header()
+ avcodec/aacdec_template: Avoid undefined negation in imdct_and_windowing_eld()
+ avformat/lxfdec: Fix multiple integer overflows related to track_size
+ avformat/aiffdec: Check that SSND is at least 8 bytes
+ avformat/dcstr: Check sample rate
+ avcodec/alsdec: Check bitstream input in read_block()
+ avformat/mov: Extend data_size check in mov_read_udta_string()
+ avformat/voc_packet: Add a basic check on max_size
+ avformat/microdvddec: use 64bit for durations
+ avcodec/hapdec: Change compressed_offset to unsigned 32bit
+ avformat/rmdec: Check codec_length without overflow
+ avformat/mov: Check element count in mov_metadata_hmmt()
+ avformat/nutdec: Check timebase count against main header length
+ avformat/electronicarts: Clear partial_packet on error
+ avformat/r3d: Check samples before computing duration
+ avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif()
+ avcodec/pnm_parser: Check av_image_get_buffer_size() for failure
+ avformat/rmdec: Check remaining space in debug av_log() loop
+ avformat/flvdec: Treat high ts byte as unsigned
+ avformat/samidec: Sanity check pts
+ avformat/avidec: Use 64bit in get_duration()
+ avformat/mvdec: Check for EOF in read_index()
+ avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular()
+ avformat/id3v2: Check the return from avio_get_str()
+ avcodec/hevc_sei: Check payload size in decode_nal_sei_message()
+ libavutil/eval: Remove CONFIG_TRAPV special handling
+ avformat/wtvdec: Check len in parse_chunks() to avoid overflow
+ avformat/asfdec_f: Add an additional check for the extradata size
+ avformat/3dostr: Check sample_rate
+ avformat/4xm: Make audio_frame_count 64bit
+ avformat/mov: Use av_mul_q() to avoid integer overflows
+ avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper
+ avformat/rmdec: Reorder operations to avoid overflow
+ avcodec/mxpegdec: fix SOF counting
+ avcodec/rscc: Check inflated_buf size whan it is used
+ avformat/mvdec: Sanity check SAMPLE_WIDTH
+ avformat/rmdec: Fix codecdata_length overflow check
+ avcodec/simple_idct: Fix undefined integer overflow in idct4row()
+ avformat/tta: Use 64bit intermediate for index
+ avformat/soxdec: Check channels to be positive
+ avcodec/vp3: Check input amount in theora_decode_header()
+ avformat/wavdec: Check avio_get_str16le() for failure
+ avformat/flvdec: Check for EOF in amf_skip_tag()
+ avformat/aiffdec: Check size before subtraction in get_aiff_header()
+ avformat/electronicarts: More chunk_size checks
+ avformat/tedcaptionsdec: Check for overflow in parse_int()
+ avformat/mpc8: Check size before implicitly converting to int
+ avformat/nutdec: Fix integer overflow in count computation
+ avformat/mvi: Use 64bit for testing dimensions
+ avformat/utils: Check dts in update_initial_timestamps() more
+ avformat/flvdec: Check for avio_read() failure in amf_get_string()
+ avformat/flvdec: Check for nesting depth in amf_skip_tag()
+ avformat/flvdec: Check for nesting depth in amf_parse_object()
+ avformat/asfdec_o: Check for EOF in asf_read_marker()
+ avformat/utils: Check dts - (1<<pts_wrap_bits) overflow
+ avformat/bfi: Check chunk_header
+ avformat/ads: Check size
+ avformat/iff: Check block align also for ID_MAUD
+ avcodec/utils: Check for integer overflow in get_audio_frame_duration() for ADPCM_DTK
+ avformat/mxfdec: Fix integer overflow in next position in mxf_read_local_tags()
+ avformat/avidec: dv does not support palettes
+ libavformat/utils: consider avio_size() failure in ffio_limit()
+ avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject()
+ avformat/utils: check for integer overflow in av_get_frame_filename2()
+ avutil/timecode: Avoid undefined behavior with large framenum
+ avformat/sbgdec: Reduce the amount of floating point in str_to_time()
+ avformat/mxfdec: Free all types for both Descriptors
+ uavformat/rsd: check for EOF in extradata
+ avcodec/wmaprodec: Check packet size
+ avformat/mpegts: Fix argument type for av_log
+ avformat/cafdec: clip sample rate
+ avcodec/ffv1dec: Fix off by 1 error with quant tables
+ avformat/mpegts: Increase pcr_incr width to 64bit
+ avformat/mov: Check if hoov is at the end
+ avcodec/hevc_ps: check scaling_list_dc_coef
+ avformat/iff: Check data_size
+ avformat/matroskadec: Sanity check codec_id/track type
+ avformat/rpl: Check the number of streams
+ avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct()
+ avformat/dsfdec: Check block_align more completely
+ avformat/mpc8: Check remaining space in mpc8_parse_seektable()
+ avformat/id3v2: Sanity check tlen before alloc and uncompress
+ avformat/vqf: Check len for COMM chunks
+ avcodec/hevc_cabac: Limit value in coeff_abs_level_remaining_decode() tighter
+ avformat/cafdec: Check the return code from av_add_index_entry()
+ avformat/cafdec: Check for EOF in index read loop
+ avformat/cafdec: Check that bytes_per_packet and frames_per_packet are non negative
+ avformat/mpc8: correct integer overflow in mpc8_parse_seektable()
+ avformat/mpc8: correct 32bit timestamp truncation
+ avcodec/exr: Check ymin vs. h
+ avformat/avs: Use 64bit for the avio_tell() output
+ avformat/wavdec: More complete size check in find_guid()
+ avformat/iff: Check size before skip
+ avformat/rmdec: Check for EOF in index packet reading
+ avformat/icodec: Check for zero streams and stream creation failure
+ avformat/icodec: Factor failure code out in read_header()
+ avformat/bintext: Check width
+ avformat/sbgdec: Check that end is not before start
+ avformat/lvfdec: Check stream_index before use
+ avformat/au: cleanup on EOF return in au_read_annotation()
+ avformat/mpegts: Limit copied data to space
+ avformat/bintext: Check width in idf_read_header()
+ avformat/iff: check size against INT64_MAX
+ avformat/paf: Check for EOF in read_table()
+ avformat/gxf: Check pkt_len
+ avformat/aiffdec: Check packet size
+ avformat/concatdec: use av_strstart()
+ avformat/wavdec: Refuse to read chunks bigger than the filesize in w64_read_header()
+ avformat/iff: More completely check body_size
+ avformat/xwma: Check for EOF in dpds_table read code
+ avcodec/utils: Check sample rate before use for AV_CODEC_ID_BINKAUDIO_DCT in get_audio_frame_duration()
+ avcodec/dirac_parser: do not offset AV_NOPTS_OFFSET
+ avformat/rmdec: Make expected_len 64bit
+ avformat/lrcdec: Clip timestamps
+ avformat/electronicarts: Check for EOF in each iteration of the loop in ea_read_packet()
+ avcodec/vp9dsp_template: Fix some overflows in iadst8_1d()
+ avformat/jacosubdec: Use 64bit inside get_shift()
+ avformat/genh: Check block_align
+ avformat/mvi: Check count for overflow
+ avcodec/magicyuv: Check slice size before reading flags and pred
+ avformat/asfdec_f: Check for negative ext_len
+ avformat/bethsoftvid: Check image dimensions before use
+ avformat/genh: Check block_align for how it will be used in SDX2_DPCM
+ avformat/au: Check for EOF in au_read_annotation()
+ avformat/segafilm: Do not assume AV_CODEC_ID_NONE is 0
+ avformat/segafilm: Check that there is a stream
+ avformat/wtvdec: Check dir_length
+ avcodec/exr: Check limits to avoid overflow in delta computation
+ avformat/asfdec_f: Check name_len for overflow
+ avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct()
+ avcodec/aacdec_fixed: Limit index in vector_pow43()
+ avformat/rmdec: sanity check coded_framesize
+ avformat/flvdec: Check for EOF in amf_parse_object()
+ avcodec/smacker: Check remaining bits in SMK_BLK_FULL
+ avcodec/cook: Check subpacket index against max
+ avcodec/hevcpred_template: Fix diagonal chroma availability in 4:2:2 edge case in intra_pred
+ avformat/icodec: Change order of operations to avoid NULL dereference
+ avcodec/exr: Fix overflow with many blocks
+ avcodec/vp9dsp_template: Fix integer overflows in idct16_1d()
+ avcodec/hevcdec: Check slice_cb_qp_offset / slice_cr_qp_offset
+ avformat/subviewerdec: fail on AV_NOPTS_VALUE
+ avcodec/exr: Check line size for overflow
+ avcodec/exr: Check xdelta, ydelta
+ avcodec/takdsp: Fix negative shift in decorrelate_sf()
+ avcodec/dxtory: Fix negative stride shift in dx2_decode_slice_420()
+ avformat/asfdec_f: Change order or operations slightly
+ avformat/dxa: Use av_rescale() for duration computation
+ avcodec/vc1_block: Fix integer overflow in ac value
+ avformat/iff: Check data_size not overflowing int64
+ avcodec/dxtory: Fix negative shift in dx2_decode_slice_410()
+ avcodec/sonic: Check channels before deallocating
+ avcodec/ansi: Check nb_args for overflow
+ avformat/wc3movie: Move wc3_read_close() up
+ avcodec/diracdsp: Fix integer anomaly in dequant_subband_*
+ avutil/fixed_dsp: Fix integer overflows in butterflies_fixed_c()
+ avcodec/wmalosslessdec: Check remaining space before padding and channel residue
+ avformat/cdg: Fix integer overflow in duration computation
+ avcodec/mpc: Fix multiple numerical overflows in ff_mpc_dequantize_and_synth()
+ avformat/electronicarts: Check if there are any streams
+ avcodec/ffwavesynth: Fix integer overflow in wavesynth_synth_sample / WS_SINE
+ avcodec/vp9dsp_template: Fix integer overflow in iadst8_1d()
+ avformat/avidec: Fix io_fsize overflow
+ avcodec/cfhd: Check transform type
+ avcodec/tiff: Restrict tag order based on specification
+ avformat/siff: Reject audio packets without audio stream
+ avformat/mpeg: Check avio_read() return value in get_pts()
+ avcodec/tiff: Check bpp/bppcount for 0
+ avcodec/snowdec: Sanity check hcoeff
+ avformat/mov: Check comp_brand_size
+ avcodec/alac: Check decorr_shift to avoid invalid shift
+ avcodec/tdsc: Fix tile checks
+ avformat/mm: Check for existence of audio stream
+ avformat/mov: Fix unaligned read of uint32_t and endian-dependance in mov_read_default
+ avcodec/apedec: Fix undefined integer overflow with 24bit
+ avcodec/loco: Fix integer overflow with large values from loco_get_rice()
+ avformat/smjpegdec: Check the existence of referred streams
+ avcodec/pnmdec: Fix misaligned reads
+ avcodec/utils: Check close before calling it
+ avformat/tls_schannel: immediately return decrypted data if available
+ avformat/tls_schannel: always decrypt all received data
+ avformat/tls_schannel: Fix use of uninitialized variable
+ avcodec/ttaenc: Fix undefined shift
+ fftools/ffmpeg: Free swresample dictionary during cleanup
+ avfilter/vf_xbr: Fix left shift of negative number
+ avfilter/vf_hqx: Fix undefined left shifts of negative numbers
+ avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers
+ avcodec/ituh263dec: Fix undefined left shift of negative number
+ avcodec/dnxhdenc: Fix undefined left shifts of negative numbers
+ swscale/utils: Fix invalid left shifts of negative numbers
+ swscale/x86/swscale: Fix undefined left shifts of negative numbers
+ avformat/movenc: Fix undefined shift
+ avcodec/pcm: Fix undefined shifts
+ avcodec/wavpackenc: Fix undefined shifts
+ avcodec/ac3enc: Fix invalid shift
+ avcodec/tdsc: Fix undefined shifts
+ fftools/ffmpeg_opt: Fix signed integer overflow
+ avformat/mov: Fix reel_name size check
+ avformat/mov: Fix memleak upon encountering repeating tags
+ avformat/matroskaenc: Don't use NULL for %s format string
+ avformat/webvttdec: Fix memleak upon read header failure
+ avformat/vplayerdec: Fix memleak upon read header failure
+ avformat/tedcaptionsdec: Fix memleak upon read header failure
+ avformat/subviewerdec: Fix memleak upon read header failure
+ avformat/subviewer1dec: Fix memleak upon read header failure
+ avformat/stldec: Fix memleak upon read header failure
+ avformat/srtdec: Fix memleak upon read header failure
+ avformat/samidec: Fix memleak upon read header failure
+ avformat/pjsdec: Fix memleak upon read header failure
+ avformat/mpsubdec: Fix memleak upon read header failure
+ avformat/mpl2dec: Fix memleak upon read header failure
+ avformat/microdvddec: Fix memleak upon read header failure
+ avformat/lrcdec: Fix memleak upon read header failure
+ avformat/jacosubdec: Fix memleak upon read header failure
+ avformat/assdec: Fix memleak upon read header failure
+ avformat/aqtitledec: Fix memleak upon read header failure
+ avformat/omadec: Fix memleaks upon read_header failure
+ avformat/matroskadec: Use right number of tracks
+ avformat/matroskadec: Fix handling gigantic durations
+ avformat/aviobuf: Don't check for overflow after it happened
+ avformat/matroskaenc: Fix memleak upon encountering bogus chapter
+ fftools/ffmpeg_opt: Check attachment filesize
+ avformat/webmdashenc: Check codec types
+ avformat/webmdashenc: Fix memleak upon realloc failure
+ avformat/matroskadec: Don't discard the upper 32bits of TrackNumber
+ avformat/hnm: Check for extradata allocation failure
+ avformat/subtitles: Don't increment packet counter prematurely
+ avformat/bethsoftvid: Fix potential memleak upon reallocation failure
+ avformat/smoothstreaming: Fix memleaks on errors
+ avformat/matroskaenc: Check BlockAdditional size before use
+ avformat/utils: Fix memleaks in avformat_open_input()
+ avcodec/cavsdsp: Fix undefined left shifts of negative numbers
+ avformat/matroskaenc: Check for reformatting errors
+ avcodec/ra144enc: Fix invalid left shift of negative number
+ avcodec/adxenc: Avoid undefined left shift of negative numbers
+ avcodec/adpcm: Fix undefined left shifts of negative numbers
+ avcodec/proresenc_anatoliy: Fix invalid left shift of negative number
+ avformat/wtvdec: Fix memleak when reading header fails
+ avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input
+ avcodec/bitstream: Don't check for undefined behaviour after it happened
+
 version 3.2.15:
 avcodec/dstdec: Replace AC overread check by sample rate check
 avformat/mov: fix memleaks
@@ -554,6 +554,7 @@ Jean Delvare                  7CA6 9F44 60F1 BDC4 1FD2 C858 A552 6B9B B3CD 4E6A
 Loren Merritt                 ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE
 Lou Logan                     7D68 DC73 CBEF EABB 671A B6CF 621C 2E28 82F8 DC3A
 Michael Niedermayer           9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB
+                              DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64
 Nicolas George                24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93
 Nikolay Aleksandrov           8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1
 Panagiotis Issaris            6571 13A3 33D9 3726 F728 AA98 F643 B12E ECF3 E029
@@ -1 +1 @@
-3.2.15
+3.2.19
@@ -11,5 +11,5 @@

   We hope you will like this release as much as we enjoyed working on it, and
   as usual, if you have any questions about it, or any FFmpeg related topic,
-   feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask
+   feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask
   on the mailing-lists.
@@ -483,7 +483,7 @@ die(){

 If you think configure made a mistake, make sure you are using the latest
 version from Git.  If the latest version fails, report the problem to the
-ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net.
+ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat.
 EOF
    if disabled logging; then
        cat <<EOF
@@ -6703,7 +6703,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2020
+#define CONFIG_THIS_YEAR 2022
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 3.2.15
+PROJECT_NUMBER         = 3.2.19

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions.
 git add [-i|-p|-A] <filenames/dirnames>
@end example

-Make sure you have told Git your name and email address
+Make sure you have told Git your name, email address and GPG key

@example
 git config --global user.name "My Name"
 git config --global user.email my@@email.invalid
+git config --global user.signingkey ABCDEF0123245
+@end example
+
+Enable signing all commits or use -S
+
+@example
+git config --global commit.gpgsign true
@end example

 Use @option{--global} to set the global configuration for all your Git checkouts.
@@ -393,6 +400,19 @@ git checkout -b svn_23456 $SHA1
 where @var{$SHA1} is the commit hash from the @command{git log} output.


+@chapter gpg key generation
+
+If you have no gpg key yet, we recommend that you create a ed25519 based key as it
+is small, fast and secure. Especially it results in small signatures in git.
+
+@example
+gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@@server.com"
+@end example
+
+When generating a key, make sure the email specified matches the email used in git as some sites like
+github consider mismatches a reason to declare such commits unverified. After generating a key you
+can add it to the MAINTAINER file and upload it to a keyserver.
+
@chapter Pre-push checklist

 Once you have a set of commits that you feel are ready for pushing,
@@ -420,4 +420,4 @@ done:

 When all of this is done, you can submit your patch to the ffmpeg-devel
 mailing-list for review.  If you need any help, feel free to come on our IRC
-channel, #ffmpeg-devel on irc.freenode.net.
+channel, #ffmpeg-devel on irc.libera.chat.
@@ -529,6 +529,7 @@ static void ffmpeg_cleanup(int ret)
        ost->audio_channels_mapped = 0;

        av_dict_free(&ost->sws_dict);
+        av_dict_free(&ost->swr_opts);

        avcodec_free_context(&ost->enc_ctx);
        avcodec_parameters_free(&ost->ref_par);
@@ -1,3 +1,4 @@
+
 /*
 * ffmpeg option parsing
 *
@@ -2300,12 +2301,14 @@ loop_end:
                   o->attachments[i]);
            exit_program(1);
        }
-        if (!(attachment = av_malloc(len))) {
-            av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n",
+        if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE ||
+            !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) {
+            av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n",
                   o->attachments[i]);
            exit_program(1);
        }
        avio_read(pb, attachment, len);
+        memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);

        ost = new_attachment_stream(o, oc, -1);
        ost->stream_copy               = 0;
@@ -2632,13 +2635,14 @@ static int opt_target(void *optctx, const char *opt, const char *arg)
    } else {
        /* Try to determine PAL/NTSC by peeking in the input files */
        if (nb_input_files) {
-            int i, j, fr;
+            int i, j;
            for (j = 0; j < nb_input_files; j++) {
                for (i = 0; i < input_files[j]->nb_streams; i++) {
                    AVStream *st = input_files[j]->ctx->streams[i];
+                    int64_t fr;
                    if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO)
                        continue;
-                    fr = st->time_base.den * 1000 / st->time_base.num;
+                    fr = st->time_base.den * 1000LL / st->time_base.num;
                    if (fr == 25000) {
                        norm = PAL;
                        break;
@@ -3128,6 +3132,7 @@ static int open_files(OptionGroupList *l, const char *inout,
        if (ret < 0) {
            av_log(NULL, AV_LOG_ERROR, "Error parsing options for %s file "
                   "%s.\n", inout, g->arg);
+            uninit_options(&o);
            return ret;
        }

@@ -498,8 +498,8 @@ static int decode_i_block(FourXContext *f, int16_t *block)
 {
    int code, i, j, level, val;

-    if (get_bits_left(&f->gb) < 2){
-        av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->gb));
+    if (get_bits_left(&f->pre_gb) < 2) {
+        av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->pre_gb));
        return AVERROR_INVALIDDATA;
    }

@@ -70,6 +70,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    unsigned char *planemap = c->planemap;
    int ret;

+    if (buf_size < planes * height *2)
+        return AVERROR_INVALIDDATA;
+
    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
        return ret;

@@ -843,25 +843,25 @@ static void search_for_ms(AACEncContext *s, ChannelElement *cpe)
                                                    sce0->ics.swb_sizes[g],
                                                    sce0->sf_idx[w*16+g],
                                                    sce0->band_type[w*16+g],
-                                                    lambda / band0->threshold, INFINITY, &b1, NULL, 0);
+                                                    lambda / (band0->threshold + FLT_MIN), INFINITY, &b1, NULL, 0);
                        dist1 += quantize_band_cost(s, &sce1->coeffs[start + (w+w2)*128],
                                                    R34,
                                                    sce1->ics.swb_sizes[g],
                                                    sce1->sf_idx[w*16+g],
                                                    sce1->band_type[w*16+g],
-                                                    lambda / band1->threshold, INFINITY, &b2, NULL, 0);
+                                                    lambda / (band1->threshold + FLT_MIN), INFINITY, &b2, NULL, 0);
                        dist2 += quantize_band_cost(s, M,
                                                    M34,
                                                    sce0->ics.swb_sizes[g],
                                                    mididx,
                                                    midcb,
-                                                    lambda / minthr, INFINITY, &b3, NULL, 0);
+                                                    lambda / (minthr + FLT_MIN), INFINITY, &b3, NULL, 0);
                        dist2 += quantize_band_cost(s, S,
                                                    S34,
                                                    sce1->ics.swb_sizes[g],
                                                    sididx,
                                                    sidcb,
-                                                    mslambda / (minthr * bmax), INFINITY, &b4, NULL, 0);
+                                                    mslambda / (minthr * bmax + FLT_MIN), INFINITY, &b4, NULL, 0);
                        B0 += b1+b2;
                        B1 += b3+b4;
                        dist1 -= b1+b2;
@@ -155,9 +155,9 @@ static void vector_pow43(int *coefs, int len)
    for (i=0; i<len; i++) {
        coef = coefs[i];
        if (coef < 0)
-            coef = -(int)ff_cbrt_tab_fixed[-coef];
+            coef = -(int)ff_cbrt_tab_fixed[(-coef) & 8191];
        else
-            coef = (int)ff_cbrt_tab_fixed[coef];
+            coef =  (int)ff_cbrt_tab_fixed[  coef  & 8191];
        coefs[i] = coef;
    }
 }
@@ -2650,7 +2650,7 @@ static void imdct_and_windowing_ld(AACContext *ac, SingleChannelElement *sce)

 static void imdct_and_windowing_eld(AACContext *ac, SingleChannelElement *sce)
 {
-    INTFLOAT *in    = sce->coeffs;
+    UINTFLOAT *in   = sce->coeffs;
    INTFLOAT *out   = sce->ret;
    INTFLOAT *saved = sce->saved;
    INTFLOAT *buf  = ac->buf_mdct;
@@ -28,6 +28,7 @@
 *              TODOs:
 * add sane pulse detection
 ***********************************/
+#include <float.h>

 #include "libavutil/libm.h"
 #include "libavutil/thread.h"
@@ -808,7 +809,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
                /* Not so fast though */
                ratio = sqrtf(ratio);
            }
-            s->lambda = FFMIN(s->lambda * ratio, 65536.f);
+            s->lambda = av_clipf(s->lambda * ratio, FLT_EPSILON, 65536.f);

            /* Keep iterating if we must reduce and lambda is in the sky */
            if (ratio > 0.9f && ratio < 1.1f) {
@@ -856,7 +857,7 @@ static av_cold int aac_encode_end(AVCodecContext *avctx)
 {
    AACEncContext *s = avctx->priv_data;

-    av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_sum / s->lambda_count);
+    av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_count ? s->lambda_sum / s->lambda_count : NAN);

    ff_mdct_end(&s->mdct1024);
    ff_mdct_end(&s->mdct128);
@@ -308,6 +308,9 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) {
    const int bandwidth    = ctx->cutoff ? ctx->cutoff : AAC_CUTOFF(ctx->avctx);
    const float num_bark   = calc_bark((float)bandwidth);

+    if (bandwidth <= 0)
+        return AVERROR(EINVAL);
+
    ctx->model_priv_data = av_mallocz(sizeof(AacPsyContext));
    if (!ctx->model_priv_data)
        return AVERROR(ENOMEM);
@@ -794,7 +797,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel,

        if (pe < 1.15f * desired_pe) {
            /* 6.6.1.3.6 "Final threshold modification by linearization" */
-            norm_fac = 1.0f / norm_fac;
+            norm_fac = norm_fac ? 1.0f / norm_fac : 0;
            for (w = 0; w < wi->num_windows*16; w += 16) {
                for (g = 0; g < num_bands; g++) {
                    AacPsyBand *band = &pch->band[w+g];
@@ -104,26 +104,26 @@ static int aasc_decode_frame(AVCodecContext *avctx,
        ff_msrle_decode(avctx, s->frame, 8, &s->gb);
        break;
    case MKTAG('A', 'A', 'S', 'C'):
-    switch (compr) {
-    case 0:
-        stride = (avctx->width * psize + psize) & ~psize;
-        if (buf_size < stride * avctx->height)
+        switch (compr) {
+        case 0:
+            stride = (avctx->width * psize + psize) & ~psize;
+            if (buf_size < stride * avctx->height)
+                return AVERROR_INVALIDDATA;
+            for (i = avctx->height - 1; i >= 0; i--) {
+                memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize);
+                buf += stride;
+                buf_size -= stride;
+            }
+            break;
+        case 1:
+            bytestream2_init(&s->gb, buf, buf_size);
+            ff_msrle_decode(avctx, s->frame, 8, &s->gb);
+            break;
+        default:
+            av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr);
            return AVERROR_INVALIDDATA;
-        for (i = avctx->height - 1; i >= 0; i--) {
-            memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize);
-            buf += stride;
-            buf_size -= stride;
        }
        break;
-    case 1:
-        bytestream2_init(&s->gb, buf, buf_size);
-        ff_msrle_decode(avctx, s->frame, 8, &s->gb);
-        break;
-    default:
-        av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr);
-        return AVERROR_INVALIDDATA;
-    }
-        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Unknown FourCC: %X\n", avctx->codec_tag);
        return -1;
@@ -1065,7 +1065,7 @@ static int bit_alloc(AC3EncodeContext *s, int snr_offset)
 {
    int blk, ch;

-    snr_offset = (snr_offset - 240) << 2;
+    snr_offset = (snr_offset - 240) * 4;

    reset_block_bap(s);
    for (blk = 0; blk < s->num_blocks; blk++) {
@@ -2051,7 +2051,8 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx)
        av_freep(&block->cpl_coord_mant);
    }

-    s->mdct_end(s);
+    if (s->mdct_end)
+        s->mdct_end(s);

    return 0;
 }
@@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx)

    ret = validate_options(s);
    if (ret)
-        return ret;
+        goto init_fail;

    avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks;
    avctx->initial_padding = AC3_BLOCK_SIZE;
@@ -1197,8 +1197,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,

            for (count2 = 0; count2 < 28; count2++) {
                byte = bytestream2_get_byteu(&gb);
-                next_left_sample  = sign_extend(byte >> 4, 4) << shift_left;
-                next_right_sample = sign_extend(byte,      4) << shift_right;
+                next_left_sample  = sign_extend(byte >> 4, 4) * (1 << shift_left);
+                next_right_sample = sign_extend(byte,      4) * (1 << shift_right);

                next_left_sample = (next_left_sample +
                    (current_left_sample * coeff1l) +
@@ -1237,7 +1237,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
            if (st) byte[1] = bytestream2_get_byteu(&gb);
            for(i = 4; i >= 0; i-=4) { /* Pairwise samples LL RR (st) or LL LL (mono) */
                for(channel = 0; channel < avctx->channels; channel++) {
-                    int sample = sign_extend(byte[channel] >> i, 4) << shift[channel];
+                    int sample = sign_extend(byte[channel] >> i, 4) * (1 << shift[channel]);
                    sample = (sample +
                             c->status[channel].sample1 * coeff[channel][0] +
                             c->status[channel].sample2 * coeff[channel][1] + 0x80) >> 8;
@@ -1352,11 +1352,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                    int level, pred;
                    int byte = bytestream2_get_byteu(&gb);

-                    level = sign_extend(byte >> 4, 4) << shift[n];
+                    level = sign_extend(byte >> 4, 4) * (1 << shift[n]);
                    pred  = s[-1] * coeff[0][n] + s[-2] * coeff[1][n];
                    s[0]  = av_clip_int16((level + pred + 0x80) >> 8);

-                    level = sign_extend(byte, 4) << shift[n];
+                    level = sign_extend(byte, 4) * (1 << shift[n]);
                    pred  = s[0] * coeff[0][n] + s[-1] * coeff[1][n];
                    s[1]  = av_clip_int16((level + pred + 0x80) >> 8);
                }
@@ -1513,8 +1513,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                        sampledat = sign_extend(byte >> 4, 4);
                    }

-                    sampledat = ((prev1 * factor1 + prev2 * factor2) +
-                                 ((sampledat * scale) << 11)) >> 11;
+                    sampledat = ((prev1 * factor1 + prev2 * factor2) >> 11) +
+                                sampledat * scale;
                    *samples = av_clip_int16(sampledat);
                    prev2 = prev1;
                    prev1 = *samples++;
@@ -1591,7 +1591,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                    }

                    sampledat = ((c->status[ch].sample1 * factor1
-                                + c->status[ch].sample2 * factor2) >> 11) + (sampledat << exp);
+                                + c->status[ch].sample2 * factor2) >> 11) + sampledat * (1 << exp);
                    *samples = av_clip_int16(sampledat);
                    c->status[ch].sample2 = c->status[ch].sample1;
                    c->status[ch].sample1 = *samples++;
@@ -48,7 +48,7 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav,
    s2 = prev->s2;
    for (i = 0, j = 0; j < 32; i += channels, j++) {
        s0 = wav[i];
-        d = ((s0 << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS;
+        d = s0 + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS);
        if (max < d)
            max = d;
        if (min > d)
@@ -79,13 +79,13 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav,
    s1 = prev->s1;
    s2 = prev->s2;
    for (i = 0, j = 0; j < 32; i += channels, j++) {
-        d = ((wav[i] << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS;
+        d = wav[i] + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS);

        d = av_clip_intp2(ROUNDED_DIV(d, scale), 3);

        put_sbits(&pb, 4, d);

-        s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS;
+        s0 = d * scale + ((c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS);
        s2 = s1;
        s1 = s0;
    }
@@ -299,6 +299,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,
        decorr_shift       = get_bits(&alac->gb, 8);
        decorr_left_weight = get_bits(&alac->gb, 8);

+        if (channels == 2 && decorr_left_weight && decorr_shift > 31)
+            return AVERROR_INVALIDDATA;
+
        for (ch = 0; ch < channels; ch++) {
            prediction_type[ch]   = get_bits(&alac->gb, 4);
            lpc_quant[ch]         = get_bits(&alac->gb, 4);
@@ -29,12 +29,12 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples,
    int i;

    for (i = 0; i < nb_samples; i++) {
-        int32_t a, b;
+        uint32_t a, b;

        a = buffer[0][i];
        b = buffer[1][i];

-        a -= (b * decorr_left_weight) >> decorr_shift;
+        a -= (int)(b * decorr_left_weight) >> decorr_shift;
        b += a;

        buffer[0][i] = b;
@@ -1021,6 +1021,10 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
    ALSSpecificConfig *sconf = &ctx->sconf;

    *bd->shift_lsbs = 0;
+
+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
+
    // read block type flag and read the samples accordingly
    if (get_bits1(gb)) {
        ret = read_var_block_data(ctx, bd);
@@ -430,7 +430,8 @@ static int decode_frame(AVCodecContext *avctx,
                    s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0';
                break;
            case ';':
-                s->nb_args++;
+                if (s->nb_args < MAX_NB_ARGS)
+                    s->nb_args++;
                if (s->nb_args < MAX_NB_ARGS)
                    s->args[s->nb_args] = 0;
                break;
@@ -101,7 +101,7 @@ typedef struct APEFilter {
    int16_t *historybuffer; ///< filter memory
    int16_t *delay;         ///< filtered values

-    int avg;
+    uint32_t avg;
 } APEFilter;

 typedef struct APERice {
@@ -859,8 +859,8 @@ static av_always_inline int filter_3800(APEPredictor *p,
        return predictionA;
    }
    d2 =  p->buf[delayA];
-    d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U;
-    d0 =  p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U);
+    d1 = (p->buf[delayA] - (unsigned)p->buf[delayA - 1]) * 2;
+    d0 =  p->buf[delayA] + ((p->buf[delayA - 2] - (unsigned)p->buf[delayA - 1]) * 8);
    d3 =  p->buf[delayB] * 2U - p->buf[delayB - 1];
    d4 =  p->buf[delayB];

@@ -880,7 +880,7 @@ static av_always_inline int filter_3800(APEPredictor *p,
    p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign;
    p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign;

-    p->filterB[filter] = p->lastA[filter] + (predictionB >> shift);
+    p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift);
    p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5);

    return p->filterA[filter];
@@ -905,7 +905,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len
            dotprod += delay[j] * (unsigned)coeffs[j];
            coeffs[j] += ((delay[j] >> 31) | 1) * sign;
        }
-        buffer[i] -= dotprod >> shift;
+        buffer[i] -= (unsigned)(dotprod >> shift);
        for (j = 0; j < order - 1; j++)
            delay[j] = delay[j + 1];
        delay[order - 1] = buffer[i];
@@ -929,7 +929,7 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length)
        for (j = 7; j > 0; j--)
            delay[j] = delay[j - 1];
        delay[0] = buffer[i];
-        buffer[i] -= dotprod >> 9;
+        buffer[i] -= (unsigned)(dotprod >> 9);
    }
 }

@@ -1038,13 +1038,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
                                                  const int delayA)
 {
    int32_t predictionA, sign;
-    int32_t d0, d1, d2, d3;
+    uint32_t d0, d1, d2, d3;

    p->buf[delayA]     = p->lastA[filter];
    d0 = p->buf[delayA    ];
-    d1 = p->buf[delayA    ] - p->buf[delayA - 1];
-    d2 = p->buf[delayA - 1] - p->buf[delayA - 2];
-    d3 = p->buf[delayA - 2] - p->buf[delayA - 3];
+    d1 = p->buf[delayA    ] - (unsigned)p->buf[delayA - 1];
+    d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2];
+    d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3];

    predictionA = d0 * p->coeffsA[filter][0] +
                  d1 * p->coeffsA[filter][1] +
@@ -1055,10 +1055,10 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
    p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5);

    sign = APESIGN(decoded);
-    p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign;

    return p->filterA[filter];
 }
@@ -1286,7 +1286,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f,
            absres = res < 0 ? -(unsigned)res : res;
            if (absres)
                *f->adaptcoeffs = APESIGN(res) *
-                                  (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3)));
+                                  (8 << ((absres > f->avg * 3LL) + (absres > (f->avg + f->avg / 3))));
                /* equivalent to the following code
                    if (absres <= f->avg * 4 / 3)
                        *f->adaptcoeffs = APESIGN(res) * 8;
@@ -1529,7 +1529,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        for (ch = 0; ch < s->channels; ch++) {
            sample8 = (uint8_t *)frame->data[ch];
            for (i = 0; i < blockstodecode; i++)
-                *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff;
+                *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff;
        }
        break;
    case 16:
@@ -1543,7 +1543,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        for (ch = 0; ch < s->channels; ch++) {
            sample24 = (int32_t *)frame->data[ch];
            for (i = 0; i < blockstodecode; i++)
-                *sample24++ = s->decoded[ch][i] * 256;
+                *sample24++ = s->decoded[ch][i] * 256U;
        }
        break;
    }
@@ -1026,7 +1026,7 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
        for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) {
            blk = get_value(c, BINK_SRC_BLOCK_TYPES);
            // 16x16 block type on odd line means part of the already decoded block, so skip it
-            if ((by & 1) && blk == SCALED_BLOCK) {
+            if (((by & 1) || (bx & 1)) && blk == SCALED_BLOCK) {
                bx++;
                dst  += 8;
                prev += 8;
@@ -169,9 +169,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
    uint32_t code;
    volatile VLC_TYPE (* volatile table)[2]; // the double volatile is needed to prevent an internal compiler error in gcc 4.2

-    table_size = 1 << table_nb_bits;
    if (table_nb_bits > 30)
       return -1;
+    table_size = 1 << table_nb_bits;
    table_index = alloc_table(vlc, table_size, flags & INIT_VLC_USE_NEW_STATIC);
    ff_dlog(NULL, "new table index=%d size=%d\n", table_index, table_size);
    if (table_index < 0)
@@ -192,20 +192,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) {
    src[0][0] += 8;

    for( i = 0; i < 8; i++ ) {
-        const int a0 =  3*src[i][1] - (src[i][7]<<1);
-        const int a1 =  3*src[i][3] + (src[i][5]<<1);
-        const int a2 =  (src[i][3]<<1) - 3*src[i][5];
-        const int a3 =  (src[i][1]<<1) + 3*src[i][7];
+        const int a0 = 3 * src[i][1] - 2 * src[i][7];
+        const int a1 = 3 * src[i][3] + 2 * src[i][5];
+        const int a2 = 2 * src[i][3] - 3 * src[i][5];
+        const int a3 = 2 * src[i][1] + 3 * src[i][7];

-        const int b4 = ((a0 + a1 + a3)<<1) + a1;
-        const int b5 = ((a0 - a1 + a2)<<1) + a0;
-        const int b6 = ((a3 - a2 - a1)<<1) + a3;
-        const int b7 = ((a0 - a2 - a3)<<1) - a2;
+        const int b4 = 2 * (a0 + a1 + a3) + a1;
+        const int b5 = 2 * (a0 - a1 + a2) + a0;
+        const int b6 = 2 * (a3 - a2 - a1) + a3;
+        const int b7 = 2 * (a0 - a2 - a3) - a2;

-        const int a7 = (src[i][2]<<2) - 10*src[i][6];
-        const int a6 = (src[i][6]<<2) + 10*src[i][2];
-        const int a5 = ((src[i][0] - src[i][4]) << 3) + 4;
-        const int a4 = ((src[i][0] + src[i][4]) << 3) + 4;
+        const int a7 = 4 * src[i][2] - 10 * src[i][6];
+        const int a6 = 4 * src[i][6] + 10 * src[i][2];
+        const int a5 = 8 * (src[i][0] - src[i][4]) + 4;
+        const int a4 = 8 * (src[i][0] + src[i][4]) + 4;

        const int b0 = a4 + a6;
        const int b1 = a5 + a7;
@@ -222,20 +222,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) {
        src[i][7] = (b0 - b4) >> 3;
    }
    for( i = 0; i < 8; i++ ) {
-        const int a0 =  3*src[1][i] - (src[7][i]<<1);
-        const int a1 =  3*src[3][i] + (src[5][i]<<1);
-        const int a2 =  (src[3][i]<<1) - 3*src[5][i];
-        const int a3 =  (src[1][i]<<1) + 3*src[7][i];
+        const int a0 = 3 * src[1][i] - 2 * src[7][i];
+        const int a1 = 3 * src[3][i] + 2 * src[5][i];
+        const int a2 = 2 * src[3][i] - 3 * src[5][i];
+        const int a3 = 2 * src[1][i] + 3 * src[7][i];

-        const int b4 = ((a0 + a1 + a3)<<1) + a1;
-        const int b5 = ((a0 - a1 + a2)<<1) + a0;
-        const int b6 = ((a3 - a2 - a1)<<1) + a3;
-        const int b7 = ((a0 - a2 - a3)<<1) - a2;
+        const int b4 = 2 * (a0 + a1 + a3) + a1;
+        const int b5 = 2 * (a0 - a1 + a2) + a0;
+        const int b6 = 2 * (a3 - a2 - a1) + a3;
+        const int b7 = 2 * (a0 - a2 - a3) - a2;

-        const int a7 = (src[2][i]<<2) - 10*src[6][i];
-        const int a6 = (src[6][i]<<2) + 10*src[2][i];
-        const int a5 = (src[0][i] - src[4][i]) << 3;
-        const int a4 = (src[0][i] + src[4][i]) << 3;
+        const int a7 = 4 * src[2][i] - 10 * src[6][i];
+        const int a6 = 4 * src[6][i] + 10 * src[2][i];
+        const int a5 = 8 * (src[0][i] - src[4][i]);
+        const int a4 = 8 * (src[0][i] + src[4][i]);

        const int b0 = a4 + a6;
        const int b1 = a5 + a7;
@@ -238,7 +238,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
    for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++)
        memcpy(out + FFMAX(0, hinc) + stride * y,
               in + FFMAX(0, hinc) - hinc + (y - vinc) * stride,
-               FFMIN(stride + hinc, stride));
+               FFABS(stride) - FFABS(hinc));

    if (vinc > 0)
        cdg_fill_wrapper(0, 0, out,
@@ -345,6 +345,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
                avpriv_report_missing_feature(avctx, "Transform type of %"PRIu16, data);
                ret = AVERROR_PATCHWELCOME;
                break;
+            } else if (data == 1) {
+                av_log(avctx, AV_LOG_ERROR, "unsupported transform type\n");
+                ret = AVERROR_PATCHWELCOME;
+                break;
            }
            av_log(avctx, AV_LOG_DEBUG, "Transform-type? %"PRIu16"\n", data);
        } else if (abstag >= 0x4000 && abstag <= 0x40ff) {
@@ -1084,6 +1084,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
    ff_audiodsp_init(&q->adsp);

    while (edata_ptr < edata_ptr_end) {
+        if (s >= FFMIN(MAX_SUBPACKETS, avctx->block_align)) {
+            avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align));
+            return AVERROR_PATCHWELCOME;
+        }
        /* 8 for mono, 16 for stereo, ? for multichannel
           Swap to right endianness so we don't need to care later on. */
        if (extradata_size >= 8) {
@@ -1223,10 +1227,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)

        q->num_subpackets++;
        s++;
-        if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) {
-            avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align));
-            return AVERROR_PATCHWELCOME;
-        }
    }

    /* Try to catch some obviously faulty streams, otherwise it might be exploitable */
@@ -111,6 +111,7 @@ static int cpia_decode_frame(AVCodecContext *avctx,
        // Read line length, two byte little endian
        linelength = AV_RL16(src);
        src += 2;
+        src_size -= 2;

        if (src_size < linelength) {
            av_frame_set_decode_error_flags(frame, FF_DECODE_ERROR_INVALID_BITSTREAM);
@@ -328,7 +328,7 @@ static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le
    int i;

    for (i = 0; i < len; i++)
-        dst[i] += mul15(src[i], coeff);
+        dst[i] += (unsigned)mul15(src[i], coeff);
 }

 static void dmix_scale_c(int32_t *dst, int scale, ptrdiff_t len)
@@ -215,7 +215,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx,
            int64_t pts = AV_RB32(cur_pu + 13);
            if (s->last_pts == 0 && s->last_dts == 0)
                s->dts = pts - 1;
-            else
+            else if (s->last_dts != AV_NOPTS_VALUE)
                s->dts = s->last_dts + 1;
            s->pts = pts;
            if (!avctx->has_b_frames && (cur_pu[4] & 0x03))
@@ -1406,8 +1406,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
    int *c      = s->globalmc[ref].perspective;

    int64_t m   = (1<<ep) - (c[0]*(int64_t)x + c[1]*(int64_t)y);
-    int64_t mx  = m * (int64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
-    int64_t my  = m * (int64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);
+    int64_t mx  = m * (uint64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
+    int64_t my  = m * (uint64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);

    block->u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
    block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
@@ -198,9 +198,9 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s
        PX c, sign, *src_r = (PX *)src, *dst_r = (PX *)dst;                                \
        for (i = 0; i < tot_h; i++) {                                                      \
            c = *src_r++;                                                                  \
-            sign = FFSIGN(c)*(!!c);                                                        \
-            c = (FFABS(c)*(unsigned)qf + qs) >> 2;                                                   \
-            *dst_r++ = c*sign;                                                             \
+            if     (c < 0) c = -((-(unsigned)c*qf + qs) >> 2);                             \
+            else if(c > 0) c =  (( (unsigned)c*qf + qs) >> 2);                             \
+            *dst_r++ = c;                                                                  \
        }                                                                                  \
        src += tot_h << (sizeof(PX) >> 1);                                                 \
        dst += stride;                                                                     \
@@ -107,6 +107,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx)

 static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth)
 {
+    int ret;
    if (cid != ctx->cid) {
        int index;

@@ -126,19 +127,26 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth)
        ff_free_vlc(&ctx->dc_vlc);
        ff_free_vlc(&ctx->run_vlc);

-        init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
+        if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
                 ctx->cid_table->ac_bits, 1, 1,
-                 ctx->cid_table->ac_codes, 2, 2, 0);
-        init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
+                 ctx->cid_table->ac_codes, 2, 2, 0)) < 0)
+            goto out;
+        if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
                 ctx->cid_table->dc_bits, 1, 1,
-                 ctx->cid_table->dc_codes, 1, 1, 0);
-        init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
+                 ctx->cid_table->dc_codes, 1, 1, 0)) < 0)
+            goto out;
+        if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
                 ctx->cid_table->run_bits, 1, 1,
-                 ctx->cid_table->run_codes, 2, 2, 0);
+                 ctx->cid_table->run_codes, 2, 2, 0)) < 0)
+            goto out;

        ctx->cid = cid;
    }
-    return 0;
+    ret = 0;
+out:
+    if (ret < 0)
+        av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n");
+    return ret;
 }

 static av_cold int dnxhd_decode_init_thread_copy(AVCodecContext *avctx)
@@ -161,7 +161,7 @@ static av_cold int dnxhd_init_vlc(DNXHDEncContext *ctx)
    ctx->vlc_bits  += max_level * 2;
    for (level = -max_level; level < max_level; level++) {
        for (run = 0; run < 2; run++) {
-            int index = (level << 1) | run;
+            int index = level * (1 << 1) | run;
            int sign, offset = 0, alevel = level;

            MASK_ABS(sign, alevel);
@@ -535,7 +535,7 @@ void dnxhd_encode_block(DNXHDEncContext *ctx, int16_t *block,
        slevel = block[j];
        if (slevel) {
            int run_level = i - last_non_zero - 1;
-            int rlevel = (slevel << 1) | !!run_level;
+            int rlevel = slevel * (1 << 1) | !!run_level;
            put_bits(&ctx->m.pb, ctx->vlc_bits[rlevel], ctx->vlc_codes[rlevel]);
            if (run_level)
                put_bits(&ctx->m.pb, ctx->run_bits[run_level],
@@ -610,7 +610,7 @@ int dnxhd_calc_ac_bits(DNXHDEncContext *ctx, int16_t *block, int last_index)
        level = block[j];
        if (level) {
            int run_level = i - last_non_zero - 1;
-            bits += ctx->vlc_bits[(level << 1) |
+            bits += ctx->vlc_bits[level * (1 << 1) |
                    !!run_level] + ctx->run_bits[run_level];
            last_non_zero = i;
        }
@@ -147,6 +147,9 @@ static int decode_frame(AVCodecContext *avctx,
        return AVERROR_PATCHWELCOME;
    }

+    if (bits_per_color > 32)
+        return AVERROR_INVALIDDATA;
+
    buf += 820;
    avctx->sample_aspect_ratio.num = read32(&buf, endian);
    avctx->sample_aspect_ratio.den = read32(&buf, endian);
@@ -214,7 +214,7 @@ static uint8_t prob_dst_x_bit(int c)
    return (ff_reverse[c & 127] >> 1) + 1;
 }

-static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets)
+static int build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets)
 {
    int i, j, k, l;

@@ -225,14 +225,17 @@ static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *
            int total = av_clip(length - j * 8, 0, 8);

            for (k = 0; k < 256; k++) {
-                int v = 0;
+                int64_t v = 0;

                for (l = 0; l < total; l++)
                    v += (((k >> l) & 1) * 2 - 1) * fsets->coeff[i][j * 8 + l];
+                if ((int16_t)v != v)
+                    return AVERROR_INVALIDDATA;
                table[i][j][k] = v;
            }
        }
    }
+    return 0;
 }

 static int decode_frame(AVCodecContext *avctx, void *data,
@@ -328,7 +331,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
        return AVERROR_INVALIDDATA;
    ac_init(ac, gb);

-    build_filter(s->filter, &s->fsets);
+    ret = build_filter(s->filter, &s->fsets);
+    if (ret < 0)
+        return ret;

    memset(s->status, 0xAA, sizeof(s->status));
    memset(dsd, 0, frame->nb_samples * 4 * avctx->channels);
@@ -442,7 +442,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame,
            V[x >> 2] = decode_sym(gb, lru[2]) ^ 0x80;
        }

-        Y += ystride << 2;
+        Y += ystride * 4;
        U += ustride;
        V += vstride;
    }
@@ -487,7 +487,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame,
            V[x >> 1] = decode_sym(gb, lru[2]) ^ 0x80;
        }

-        Y += ystride << 1;
+        Y += ystride * 2;
        U += ustride;
        V += vstride;
    }
@@ -1085,6 +1085,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        if ((col + td->xsize) != s->xdelta)/* not the last tile of the line */
            axmax = 0; /* doesn't add pixel at the right of the datawindow */

+        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+            return AVERROR_INVALIDDATA;
+
        td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
        uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */
    } else {
@@ -1104,6 +1107,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        td->ysize          = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */
        td->xsize          = s->xdelta;

+        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+            return AVERROR_INVALIDDATA;
+
        td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
        uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */

@@ -1477,13 +1483,25 @@ static int decode_header(EXRContext *s)
            continue;
        } else if ((var_size = check_header_variable(s, "dataWindow", "box2i",
                                                     31)) >= 0) {
+            int xmin, ymin, xmax, ymax;
            if (!var_size)
                return AVERROR_INVALIDDATA;

-            s->xmin   = bytestream2_get_le32(&s->gb);
-            s->ymin   = bytestream2_get_le32(&s->gb);
-            s->xmax   = bytestream2_get_le32(&s->gb);
-            s->ymax   = bytestream2_get_le32(&s->gb);
+            xmin   = bytestream2_get_le32(&s->gb);
+            ymin   = bytestream2_get_le32(&s->gb);
+            xmax   = bytestream2_get_le32(&s->gb);
+            ymax   = bytestream2_get_le32(&s->gb);
+
+            if (xmin > xmax || ymin > ymax ||
+                ymax == INT_MAX || xmax == INT_MAX ||
+                (unsigned)xmax - xmin >= INT_MAX ||
+                (unsigned)ymax - ymin >= INT_MAX) {
+                return AVERROR_INVALIDDATA;
+            }
+            s->xmin = xmin;
+            s->xmax = xmax;
+            s->ymin = ymin;
+            s->ymax = ymax;
            s->xdelta = (s->xmax - s->xmin) + 1;
            s->ydelta = (s->ymax - s->ymin) + 1;

@@ -1671,7 +1689,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
        s->ymin > s->ymax                  ||
        s->xdelta != s->xmax - s->xmin + 1 ||
        s->xmax >= s->w                    ||
-        s->ymax >= s->h) {
+        s->ymax >= s->h                    ||
+        s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF
+    ) {
        av_log(avctx, AV_LOG_ERROR, "Wrong or missing size information.\n");
        return AVERROR_INVALIDDATA;
    }
@@ -1695,7 +1715,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0)
        return ret;

-    if (bytestream2_get_bytes_left(&s->gb) < nb_blocks * 8)
+    if (bytestream2_get_bytes_left(&s->gb)/8 < nb_blocks)
        return AVERROR_INVALIDDATA;

    // save pointer we are going to use in decode_block
@@ -1704,7 +1724,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    ptr         = picture->data[0];

    // Zero out the start if ymin is not 0
-    for (y = 0; y < s->ymin; y++) {
+    for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
        memset(ptr, 0, out_line_size);
        ptr += picture->linesize[0];
    }
@@ -141,6 +141,8 @@ static int decode_uncompressed(AVCodecContext *avctx, GetBitContext *gb,
                return AVERROR_INVALIDDATA;
            }
            cwi = 10 - av_log2(cwi);
+            if (get_bits_left(gb) < cwi + 1)
+                return AVERROR_INVALIDDATA;
            skip_bits(gb, cwi + 1);
            if (cwi > 5) {
                newmode = get_bits1(gb);
@@ -206,6 +208,8 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
    unsigned int run = 0;
    unsigned int t;
    for (;;) {
+        if (get_bits_left(gb) <= 0)
+            return AVERROR_INVALIDDATA;
        t    = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2);
        run += t;
        if (t < 64) {
@@ -224,7 +228,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
            run       = 0;
            mode      = !mode;
        } else if ((int)t == -1) {
-            if (show_bits(gb, 12) == 15) {
+            if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) {
                int ret;
                skip_bits(gb, 12);
                ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, &mode);
@@ -251,7 +255,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
    unsigned int offs = 0, run = 0;

    while (offs < width) {
-        int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1);
+        int cmode;
+        if (get_bits_left(gb) <= 0)
+            return AVERROR_INVALIDDATA;
+        cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1);
        if (cmode == -1) {
            av_log(avctx, AV_LOG_ERROR, "Incorrect mode VLC\n");
            return AVERROR_INVALIDDATA;
@@ -273,6 +280,8 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
            for (k = 0; k < 2; k++) {
                run = 0;
                for (;;) {
+                    if (get_bits_left(gb) <= 0)
+                        return AVERROR_INVALIDDATA;
                    t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2);
                    if (t == -1) {
                        av_log(avctx, AV_LOG_ERROR, "Incorrect code\n");
@@ -296,7 +305,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
                mode = !mode;
            }
        } else if (cmode == 9 || cmode == 10) {
-            int xxx = get_bits(gb, 3);
+            int xxx;
+            if (get_bits_left(gb) < 3)
+                return AVERROR_INVALIDDATA;
+            xxx = get_bits(gb, 3);
            if (cmode == 9 && xxx == 7) {
                int ret;
                int pix_left = width - offs;
@@ -175,6 +175,9 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs)
         || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
        return -1;

+    if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23))
+        return AVERROR_INVALIDDATA;
+
    for (i = 0; i < f->plane_count; i++) {
        PlaneContext * const p = &fs->plane[i];
        int idx = get_symbol(c, state, 0);
@@ -728,7 +731,7 @@ static int read_header(FFV1Context *f)

            if (f->version == 2) {
                int idx = get_symbol(c, state, 0);
-                if (idx > (unsigned)f->quant_table_count) {
+                if (idx >= (unsigned)f->quant_table_count) {
                    av_log(f->avctx, AV_LOG_ERROR,
                           "quant_table_index out of range\n");
                    return AVERROR_INVALIDDATA;
@@ -832,8 +835,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
        int trailer = 3 + 5*!!f->ec;
        int v;

-        if (i || f->version > 2) v = AV_RB24(buf_p-trailer) + trailer;
-        else                     v = buf_p - c->bytestream_start;
+        if (i || f->version > 2) {
+            if (trailer > buf_p - buf) v = INT_MAX;
+            else                       v = AV_RB24(buf_p-trailer) + trailer;
+        } else                         v = buf_p - c->bytestream_start;
        if (buf_p - c->bytestream_start < v) {
            av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n");
            ff_thread_report_progress(&f->picture, INT_MAX, 0);
@@ -188,7 +188,7 @@ static uint64_t frac64(uint64_t a, uint64_t b)

 static uint64_t phi_at(struct ws_interval *in, int64_t ts)
 {
-    uint64_t dt = ts - in->ts_start;
+    uint64_t dt = ts - (uint64_t)in->ts_start;
    uint64_t dt2 = dt & 1 ? /* dt * (dt - 1) / 2 without overflow */
                   dt * ((dt - 1) >> 1) : (dt >> 1) * (dt - 1);
    return in->phi0 + dt * in->dphi0 + dt2 * in->ddphi;
@@ -373,7 +373,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts,
        in->amp  += in->damp;
        switch (in->type) {
            case WS_SINE:
-                val = amp * ws->sin[in->phi >> (64 - SIN_BITS)];
+                val = amp * (unsigned)ws->sin[in->phi >> (64 - SIN_BITS)];
                in->phi  += in->dphi;
                in->dphi += in->ddphi;
                break;
@@ -55,6 +55,7 @@

 /** largest possible size of flac header */
 #define MAX_FRAME_HEADER_SIZE 16
+#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE)

 typedef struct FLACHeaderMarker {
    int offset;       /**< byte offset from start of FLACParseContext->buffer */
@@ -169,7 +170,7 @@ static int find_headers_search_validate(FLACParseContext *fpc, int offset)
    uint8_t *header_buf;
    int size = 0;
    header_buf = flac_fifo_read_wrap(fpc, offset,
-                                     MAX_FRAME_HEADER_SIZE,
+                                     MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE,
                                     &fpc->wrap_buf,
                                     &fpc->wrap_buf_allocated_size);
    if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) {
@@ -734,6 +734,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
                bytestream2_skip(&g2, chunk_size - 6);
            } else {

+                if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height )
+                    return AVERROR_INVALIDDATA;
                for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height;
                     y_ptr += s->frame->linesize[0]) {

@@ -114,7 +114,7 @@ end:
 int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){
    int i=0;
    ThreadContext *c;
-
+    AVCodecContext *thread_avctx = NULL;

    if(   !(avctx->thread_type & FF_THREAD_FRAME)
       || !(avctx->codec->capabilities & AV_CODEC_CAP_INTRA_ONLY))
@@ -190,13 +190,14 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){
    for(i=0; i<avctx->thread_count ; i++){
        AVDictionary *tmp = NULL;
        void *tmpv;
-        AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec);
+        thread_avctx = avcodec_alloc_context3(avctx->codec);
        if(!thread_avctx)
            goto fail;
        tmpv = thread_avctx->priv_data;
        *thread_avctx = *avctx;
        thread_avctx->priv_data = tmpv;
        thread_avctx->internal = NULL;
+        thread_avctx->hw_frames_ctx = NULL;
        memcpy(thread_avctx->priv_data, avctx->priv_data, avctx->codec->priv_data_size);
        thread_avctx->thread_count = 1;
        thread_avctx->active_thread_type &= ~FF_THREAD_FRAME;
@@ -219,6 +220,8 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){

    return 0;
 fail:
+    avcodec_close(thread_avctx);
+    av_freep(&thread_avctx);
    avctx->thread_count = i;
    av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n");
    ff_frame_thread_encoder_free(avctx);
@@ -23,6 +23,10 @@

 #include "avcodec.h"

+/**
+ * Initialize frame thread encoder.
+ * @note hardware encoders are not supported
+ */
 int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options);
 void ff_frame_thread_encoder_free(AVCodecContext *avctx);
 int ff_thread_video_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet_ptr);
@@ -536,12 +536,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
          fc_v[i] = <
                     \ fc_v[i] + gain_pitch * fc_v[i-pitch_delay], i >= pitch_delay
        */
-        ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i],
-                                     fc + pitch_delay_int[i],
-                                     fc, 1 << 14,
-                                     av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX),
-                                     0, 14,
-                                     SUBFRAME_SIZE - pitch_delay_int[i]);
+        if (SUBFRAME_SIZE > pitch_delay_int[i])
+            ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i],
+                                         fc + pitch_delay_int[i],
+                                         fc, 1 << 14,
+                                         av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX),
+                                         0, 14,
+                                         SUBFRAME_SIZE - pitch_delay_int[i]);

        memmove(ctx->past_gain_pitch+1, ctx->past_gain_pitch, 5 * sizeof(int16_t));
        ctx->past_gain_code[1] = ctx->past_gain_code[0];
@@ -532,6 +532,8 @@ retry:
    avctx->has_b_frames = !s->low_delay;

    if (CONFIG_MPEG4_DECODER && avctx->codec_id == AV_CODEC_ID_MPEG4) {
+        if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb))
+            return AVERROR_INVALIDDATA;
        if (ff_mpeg4_workaround_bugs(avctx) == 1)
            goto retry;
    }
@@ -309,9 +309,8 @@ int ff_h264_update_thread_context(AVCodecContext *dst,
    if (dst == src)
        return 0;

-    // We can't fail if SPS isn't set at it breaks current skip_frame code
-    //if (!h1->ps.sps)
-    //    return AVERROR_INVALIDDATA;
+    if (inited && !h1->ps.sps)
+        return AVERROR_INVALIDDATA;

    if (inited &&
        (h->width                 != h1->width                 ||
@@ -908,6 +907,11 @@ static int h264_slice_header_init(H264Context *h)
    const SPS *sps = h->ps.sps;
    int i, ret;

+    if (!sps) {
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
+    }
+
    ff_set_sar(h->avctx, sps->sar);
    av_pix_fmt_get_chroma_sub_sample(h->avctx->pix_fmt,
                                     &h->chroma_x_shift, &h->chroma_y_shift);
@@ -842,6 +842,10 @@ again:
            avpriv_request_sample(avctx, "data partitioning");
            break;
        case H264_NAL_SEI:
+            if (h->setup_finished) {
+                avpriv_request_sample(avctx, "Late SEI");
+                break;
+            }
            ret = ff_h264_sei_decode(&h->sei, &nal->gb, &h->ps, avctx);
            h->has_recovery_point = h->has_recovery_point || h->sei.recovery_point.recovery_frame_cnt != -1;
            if (avctx->debug & FF_DEBUG_GREEN_MD)
@@ -278,13 +278,13 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){
    const int stride= 16*2;
    const int xStride= 16;
    int i;
-    int temp[8];
+    unsigned temp[8];
    static const uint8_t x_offset[2]={0, 16};
    dctcoef *block = (dctcoef*)_block;

    for(i=0; i<4; i++){
-        temp[2*i+0] = block[stride*i + xStride*0] + block[stride*i + xStride*1];
-        temp[2*i+1] = block[stride*i + xStride*0] - block[stride*i + xStride*1];
+        temp[2*i+0] = block[stride*i + xStride*0] + (unsigned)block[stride*i + xStride*1];
+        temp[2*i+1] = block[stride*i + xStride*0] - (unsigned)block[stride*i + xStride*1];
    }

    for(i=0; i<2; i++){
@@ -51,7 +51,7 @@ enum HapSectionType {

 typedef struct HapChunk {
    enum HapCompressor compressor;
-    int compressed_offset;
+    uint32_t compressed_offset;
    size_t compressed_size;
    int uncompressed_offset;
    size_t uncompressed_size;
@@ -128,6 +128,8 @@ static int hap_parse_decode_instructions(HapContext *ctx, int size)
        size_t running_size = 0;
        for (i = 0; i < ctx->chunk_count; i++) {
            ctx->chunks[i].compressed_offset = running_size;
+            if (ctx->chunks[i].compressed_size > UINT32_MAX - running_size)
+                return AVERROR_INVALIDDATA;
            running_size += ctx->chunks[i].compressed_size;
        }
    }
@@ -206,7 +208,7 @@ static int hap_parse_frame_header(AVCodecContext *avctx)
        HapChunk *chunk = &ctx->chunks[i];

        /* Check the compressed buffer is valid */
-        if (chunk->compressed_offset + chunk->compressed_size > bytestream2_get_bytes_left(gbc))
+        if (chunk->compressed_offset + (uint64_t)chunk->compressed_size > bytestream2_get_bytes_left(gbc))
            return AVERROR_INVALIDDATA;

        /* Chunks are unpacked sequentially, ctx->tex_size is the uncompressed
@@ -703,6 +703,11 @@ static int hls_slice_header(HEVCContext *s)
        if (s->ps.pps->pic_slice_level_chroma_qp_offsets_present_flag) {
            sh->slice_cb_qp_offset = get_se_golomb(gb);
            sh->slice_cr_qp_offset = get_se_golomb(gb);
+            if (sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12 ||
+                sh->slice_cr_qp_offset < -12 || sh->slice_cr_qp_offset > 12) {
+                av_log(s->avctx, AV_LOG_ERROR, "Invalid slice cx qp offset.\n");
+                return AVERROR_INVALIDDATA;
+            }
        } else {
            sh->slice_cb_qp_offset = 0;
            sh->slice_cr_qp_offset = 0;
@@ -985,7 +985,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int
    } else {
        int prefix_minus3 = prefix - 3;

-        if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) {
+        if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param > 16 + 6) {
            av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
            return 0;
        }
@@ -145,11 +145,22 @@ int i, j;

    if (((intptr_t)dst | (intptr_t)src | stride_dst | stride_src) & 15) {
        for (i = 0; i < height; i++) {
-            for (j = 0; j < width; j+=8)
+            for (j = 0; j < width - 7; j+=8)
                AV_COPY64U(dst+j, src+j);
            dst += stride_dst;
            src += stride_src;
        }
+        if (width&7) {
+            dst += ((width>>3)<<3) - stride_dst * height;
+            src += ((width>>3)<<3) - stride_src * height;
+            width &= 7;
+            for (i = 0; i < height; i++) {
+                for (j = 0; j < width; j++)
+                    dst[j] = src[j];
+                dst += stride_dst;
+                src += stride_src;
+            }
+        }
    } else {
        for (i = 0; i < height; i++) {
            for (j = 0; j < width; j+=16)
@@ -141,10 +141,14 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        int      nalu_type;
        int is_irap, add_extradata, extra_size, prev_size;

+        if (bytestream2_get_bytes_left(&gb) < s->length_size) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
        for (i = 0; i < s->length_size; i++)
            nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb);

-        if (nalu_size < 2) {
+        if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) {
            ret = AVERROR_INVALIDDATA;
            goto fail;
        }
@@ -755,7 +755,11 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi
                next_coef = 8;
                coef_num  = FFMIN(64, 1 << (4 + (size_id << 1)));
                if (size_id > 1) {
-                    scaling_list_dc_coef[size_id - 2][matrix_id] = get_se_golomb(gb) + 8;
+                    int scaling_list_coeff_minus8 = get_se_golomb(gb);
+                    if (scaling_list_coeff_minus8 < -7 ||
+                        scaling_list_coeff_minus8 > 247)
+                        return AVERROR_INVALIDDATA;
+                    scaling_list_dc_coef[size_id - 2][matrix_id] = scaling_list_coeff_minus8 + 8;
                    next_coef = scaling_list_dc_coef[size_id - 2][matrix_id];
                    sl->sl_dc[size_id - 2][matrix_id] = next_coef;
                }
@@ -356,6 +356,8 @@ static int decode_nal_sei_message(HEVCContext *s)
        byte          = get_bits(gb, 8);
        payload_size += byte;
    }
+    if (get_bits_left(gb) < 8LL*payload_size)
+        return AVERROR_INVALIDDATA;
    if (s->nal_unit_type == NAL_SEI_PREFIX) {
        return decode_nal_sei_prefix(s, payload_type, payload_size);
    } else { /* nal_unit_type == NAL_SEI_SUFFIX */
@@ -319,7 +319,7 @@ static void FUNC(sao_band_filter)(uint8_t *_dst, uint8_t *_src,
        offset_table[(k + sao_left_class) & 31] = sao_offset_val[k + 1];
    for (y = 0; y < height; y++) {
        for (x = 0; x < width; x++)
-            dst[x] = av_clip_pixel(src[x] + offset_table[src[x] >> shift]);
+            dst[x] = av_clip_pixel(src[x] + offset_table[(src[x] >> shift) & 31]);
        dst += stride_dst;
        src += stride_src;
    }
@@ -83,6 +83,7 @@ do {                                  \
    int y = y0 >> vshift;
    int x_tb = (x0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask;
    int y_tb = (y0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask;
+    int spin = c_idx && !size_in_tbs_v && ((2 * y0) & (1 << s->ps.sps->log2_min_tb_size));

    int cur_tb_addr = MIN_TB_ADDR_ZS(x_tb, y_tb);

@@ -103,11 +104,11 @@ do {                                  \
    pixel  *top           = top_array  + 1;
    pixel  *filtered_left = filtered_left_array + 1;
    pixel  *filtered_top  = filtered_top_array  + 1;
-    int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v) & s->ps.sps->tb_mask);
+    int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v + spin) & s->ps.sps->tb_mask);
    int cand_left        = lc->na.cand_left;
    int cand_up_left     = lc->na.cand_up_left;
    int cand_up          = lc->na.cand_up;
-    int cand_up_right    = lc->na.cand_up_right    && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1);
+    int cand_up_right    = lc->na.cand_up_right && !spin && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1);

    int bottom_left_size = (FFMIN(y0 + 2 * size_in_luma_v, s->ps.sps->height) -
                           (y0 + size_in_luma_v)) >> vshift;
@@ -1732,7 +1732,8 @@ static int decode_frame(AVCodecContext *avctx,
                    buf += s->planesize;
                }
            }
-            memcpy(frame->data[1], s->pal, 256 * 4);
+            if (avctx->pix_fmt == AV_PIX_FMT_PAL8)
+                memcpy(frame->data[1], s->pal, 256 * 4);
        } else if (s->ham) {
            int i, count = 1 << s->ham;

@@ -1154,7 +1154,7 @@ int ff_h263_decode_picture_header(MpegEncContext *s)
        for(i=0; i<13; i++){
            for(j=0; j<3; j++){
                int v= get_bits(&s->gb, 8);
-                v |= get_sbits(&s->gb, 8)<<8;
+                v |= get_sbits(&s->gb, 8) * (1 << 8);
                av_log(s->avctx, AV_LOG_DEBUG, " %5d", v);
            }
            av_log(s->avctx, AV_LOG_DEBUG, "\n");
@@ -1997,6 +1997,8 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s)
                   atom_size >= 16) {
            uint32_t atom2_size, atom2, atom2_end;
            do {
+                if (bytestream2_get_bytes_left(&s->g) < 8)
+                    break;
                atom2_size = bytestream2_get_be32u(&s->g);
                atom2      = bytestream2_get_be32u(&s->g);
                atom2_end  = bytestream2_tell(&s->g) + atom2_size - 8;
@@ -255,7 +255,7 @@ static void dwt_encode97_int(DWTContext *s, int *t)
    line += 5;

    for (i = 0; i < w * h; i++)
-        t[i] <<= I_PRESHIFT;
+        t[i] *= 1 << I_PRESHIFT;

    for (lev = s->ndeclevels-1; lev >= 0; lev--){
        int lh = s->linelen[lev][0],
@@ -97,7 +97,7 @@ static inline void ff_jpegls_downscale_state(JLSState *state, int Q)
 static inline int ff_jpegls_update_state_regular(JLSState *state,
                                                 int Q, int err)
 {
-    if(FFABS(err) > 0xFFFF)
+    if(FFABS(err) > 0xFFFF || FFABS(err) > INT_MAX - state->A[Q])
        return -0x10000;
    state->A[Q] += FFABS(err);
    err         *= state->twonear;
@@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
        s->t3     = get_bits(&s->gb, 16);
        s->reset  = get_bits(&s->gb, 16);

-        if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+        if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
            av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n",
                   s->maxval, s->t1, s->t2, s->t3, s->reset);
        }
@@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
        else
            maxtab = 65530/wt - 1;

-        if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+        if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
            av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab);
        }
        if (maxtab >= 256) {
@@ -122,7 +122,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
            s->avctx->pix_fmt = AV_PIX_FMT_PAL8;
            for (i=s->palette_index; i<=maxtab; i++) {
                uint8_t k = i << shift;
-                pal[k] = 0;
+                pal[k] = wt < 4 ? 0xFF000000 : 0;
                for (j=0; j<wt; j++) {
                    pal[k] |= get_bits(&s->gb, 8) << (8*(wt-j-1));
                }
@@ -149,7 +149,7 @@ static inline int ls_get_code_regular(GetBitContext *gb, JLSState *state, int Q)
 {
    int k, ret;

-    for (k = 0; (state->N[Q] << k) < state->A[Q]; k++)
+    for (k = 0; ((unsigned)state->N[Q] << k) < state->A[Q]; k++)
        ;

 #ifdef JLS_BROKEN
@@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
    if (RItype)
        temp += state->N[Q] >> 1;

-    for (k = 0; (state->N[Q] << k) < temp; k++)
+    for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)
        ;

 #ifdef JLS_BROKEN
@@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
 #endif
    ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1,
                               state->qbpp);
+    if (ret < 0)
+        return -0x10000;

    /* decode mapped error */
    map = 0;
@@ -209,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
        ret = ret >> 1;
    }

-    if(FFABS(ret) > 0xFFFF)
+    if (FFABS(ret) > 0xFFFF)
        return -0x10000;
    /* update state */
    state->A[Q] += FFABS(ret) - RItype;
@@ -458,19 +460,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
            for (i = 0; i < s->height; i++) {
                switch(s->xfrm) {
                case 1:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                        src[x  ] += src[x+1] + 128;
                        src[x+2] += src[x+1] + 128;
                    }
                    break;
                case 2:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                        src[x  ] += src[x+1] + 128;
                        src[x+2] += ((src[x  ] + src[x+1])>>1) + 128;
                    }
                    break;
                case 3:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                        int g = src[x+0] - ((src[x+2]+src[x+1])>>2) + 64;
                        src[x+0] = src[x+2] + g + 128;
                        src[x+2] = src[x+1] + g + 128;
@@ -478,7 +480,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
                    }
                    break;
                case 4:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                        int r    = src[x+0] - ((                       359 * (src[x+2]-128) + 490) >> 8);
                        int g    = src[x+0] - (( 88 * (src[x+1]-128) - 183 * (src[x+2]-128) +  30) >> 8);
                        int b    = src[x+0] + ((454 * (src[x+1]-128)                        + 574) >> 8);
@@ -404,6 +404,9 @@ output_zeros:
        if (zero_run) {
            zero_run = 0;
            i += esc_count;
+            if (i >  end - dst ||
+                i >= src_end - src)
+                return AVERROR_INVALIDDATA;
            memcpy(dst, src, i);
            dst += i;
            l->zeros_rem = lag_calc_zero_run(src[i]);
@@ -129,7 +129,7 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh
                             int stride, const uint8_t *buf, int buf_size, int step)
 {
    RICEContext rc;
-    int val;
+    unsigned val;
    int ret;
    int i, j;

@@ -188,7 +188,7 @@ double ff_lpc_calc_ref_coefs_f(LPCContext *s, const float *samples, int len,
    compute_ref_coefs(autoc, order, ref, error);
    for (i = 0; i < order; i++)
        avg_err = (avg_err + error[i])/2.0f;
-    return signal/avg_err;
+    return avg_err ? signal/avg_err : NAN;
 }

 /**
@@ -143,7 +143,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order,
        gen0[i] = gen1[i] = autoc[i + 1];

    err    = autoc[0];
-    ref[0] = -gen1[0] / err;
+    ref[0] = -gen1[0] / ((USE_FIXED || err) ? err : 1);
    err   +=  gen1[0] * ref[0];
    if (error)
        error[0] = err;
@@ -152,7 +152,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order,
            gen1[j] = gen1[j + 1] + ref[i - 1] * gen0[j];
            gen0[j] = gen1[j + 1] * ref[i - 1] + gen0[j];
        }
-        ref[i] = -gen1[0] / err;
+        ref[i] = -gen1[0] / ((USE_FIXED || err) ? err : 1);
        err   +=  gen1[0] * ref[i];
        if (error)
            error[i] = err;
@@ -186,7 +186,8 @@ static inline int AAC_RENAME(compute_lpc_coefs)(const LPC_TYPE *autoc, int max_o
            for(j=0; j<i; j++)
                r -= lpc_last[j] * autoc[i-j-1];

-            r /= err;
+            if (err)
+                r /= err;
            err *= FIXR(1.0) - (r * r);
        }

@@ -373,6 +373,9 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data,

        s->slices[i][j].start = offset + header_size;
        s->slices[i][j].size  = avpkt->size - s->slices[i][j].start;
+
+        if (s->slices[i][j].size < 2)
+            return AVERROR_INVALIDDATA;
    }

    if (bytestream2_get_byte(&gbyte) != s->planes)
@@ -1426,6 +1426,9 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
                else
                    ret = decode_block_progressive(s, *block, last_nnz, s->ac_index[0],
                                                   quant_matrix, ss, se, Al, &EOBRUN);
+
+                if (ret >= 0 && get_bits_left(&s->gb) < 0)
+                    ret = AVERROR_INVALIDDATA;
                if (ret < 0) {
                    av_log(s->avctx, AV_LOG_ERROR,
                           "error y=%d x=%d\n", mb_y, mb_x);
@@ -1634,7 +1634,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type)
        for(y=0; y<s->mb_height; y++){
            int x;
            int xy= y*s->mb_stride;
-            for(x=0; x<s->mb_width; x++){
+            for(x=0; x<s->mb_width; x++, xy++){
                if(s->mb_type[xy] & type){
                    int mx= mv_table[xy][0];
                    int my= mv_table[xy][1];
@@ -1642,16 +1642,15 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type)
                                     fcode_tab[my + MAX_MV]);
                    int j;

-                        if(mx >= range || mx < -range ||
-                           my >= range || my < -range)
-                            continue;
+                    if (mx >= range || mx < -range ||
+                        my >= range || my < -range)
+                        continue;

                    for(j=0; j<fcode && j<8; j++){
                        if(s->pict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy])
                            score[j]-= 170;
                    }
                }
-                xy++;
            }
        }

@@ -75,17 +75,17 @@ void ff_mpc_dequantize_and_synth(MPCContext * c, int maxband, int16_t **out,
                j = 0;
                mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][0] & 0xFF];
                for(; j < 12; j++)
-                    c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off];
+                    c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX);
                mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][1] & 0xFF];
                for(; j < 24; j++)
-                    c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off];
+                    c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX);
                mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][2] & 0xFF];
                for(; j < 36; j++)
-                    c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off];
+                    c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX);
            }
        }
        if(bands[i].msf){
-            int t1, t2;
+            unsigned t1, t2;
            for(j = 0; j < SAMPLES_PER_BAND; j++){
                t1 = c->sb_samples[0][j][i];
                t2 = c->sb_samples[1][j][i];
@@ -1561,6 +1561,10 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1)
    s->mpeg_f_code[0][1] = get_bits(&s->gb, 4);
    s->mpeg_f_code[1][0] = get_bits(&s->gb, 4);
    s->mpeg_f_code[1][1] = get_bits(&s->gb, 4);
+    s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0];
+    s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1];
+    s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0];
+    s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1];
    if (!s->pict_type && s1->mpeg_enc_ctx_allocated) {
        av_log(s->avctx, AV_LOG_ERROR,
               "Missing picture start code, guessing missing values\n");
@@ -1574,10 +1578,6 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1)
        s->current_picture.f->pict_type = s->pict_type;
        s->current_picture.f->key_frame = s->pict_type == AV_PICTURE_TYPE_I;
    }
-    s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0];
-    s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1];
-    s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0];
-    s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1];

    s->intra_dc_precision         = get_bits(&s->gb, 2);
    s->picture_structure          = get_bits(&s->gb, 2);
@@ -1334,6 +1334,8 @@ static av_cold int encode_init(AVCodecContext *avctx)

    if (s->avctx->flags & AV_CODEC_FLAG_GLOBAL_HEADER) {
        s->avctx->extradata = av_malloc(1024);
+        if (!s->avctx->extradata)
+            return AVERROR(ENOMEM);
        init_put_bits(&s->pb, s->avctx->extradata, 1024);

        if (!(s->workaround_bugs & FF_BUG_MS))
@@ -1071,6 +1071,13 @@ int ff_mpv_common_frame_size_change(MpegEncContext *s)
        (err = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0)
        goto fail;

+    /* set chroma shifts */
+    err = av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt,
+                                           &s->chroma_x_shift,
+                                           &s->chroma_y_shift);
+    if (err < 0)
+        return err;
+
    if ((err = init_context_frame(s)))
        goto fail;

@@ -195,6 +195,9 @@ static int mxpeg_decode_frame(AVCodecContext *avctx,
    int start_code;
    int ret;

+    if (avctx->skip_frame == AVDISCARD_ALL)
+        return AVERROR_PATCHWELCOME;
+
    buf_ptr = buf;
    buf_end = buf + buf_size;
    jpg->got_picture = 0;
@@ -247,16 +250,17 @@ static int mxpeg_decode_frame(AVCodecContext *avctx,
                           "Multiple SOF in a frame\n");
                    return AVERROR_INVALIDDATA;
                }
-                s->got_sof_data = 0;
                ret = ff_mjpeg_decode_sof(jpg);
                if (ret < 0) {
                    av_log(avctx, AV_LOG_ERROR,
                           "SOF data decode error\n");
+                    s->got_sof_data = 0;
                    return ret;
                }
                if (jpg->interlaced) {
                    av_log(avctx, AV_LOG_ERROR,
                           "Interlaced mode not supported in MxPEG\n");
+                    s->got_sof_data = 0;
                    return AVERROR(EINVAL);
                }
                s->got_sof_data ++;
@@ -271,7 +271,7 @@ static av_cold int pcm_decode_init(AVCodecContext *avctx)
 #define DECODE(size, endian, src, dst, n, shift, offset)                \
    for (; n > 0; n--) {                                                \
        uint ## size ## _t v = bytestream_get_ ## endian(&src);         \
-        AV_WN ## size ## A(dst, (v - offset) << shift);                 \
+        AV_WN ## size ## A(dst, (uint ## size ## _t)(v - offset) << shift); \
        dst += size / 8;                                                \
    }

@@ -282,7 +282,7 @@ static av_cold int pcm_decode_init(AVCodecContext *avctx)
        dst = frame->extended_data[c];                                \
        for (i = n; i > 0; i--) {                                       \
            uint ## size ## _t v = bytestream_get_ ## endian(&src);     \
-            AV_WN ## size ## A(dst, (v - offset) << shift);             \
+            AV_WN ## size ## A(dst, (uint ## size ##_t)(v - offset) << shift); \
            dst += size / 8;                                            \
        }                                                               \
    }
@@ -1174,7 +1174,7 @@ AVCodec ff_apng_encoder = {
        AV_PIX_FMT_PAL8,
        AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A,
        AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE,
-        AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE
+        AV_PIX_FMT_NONE
    },
    .priv_class     = &apngenc_class,
 };
@@ -69,8 +69,10 @@ retry:
    } else if (pnmctx.type < 4) {
        next = END_NOT_FOUND;
    } else {
-        next = pnmctx.bytestream - pnmctx.bytestream_start
-               + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1);
+        int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1);
+        next = pnmctx.bytestream - pnmctx.bytestream_start;
+        if (ret >= 0 && next + (uint64_t)ret <= INT_MAX)
+            next += ret;
        if (pnmctx.bytestream_start != buf)
            next -= pc->index;
        if (next > buf_size)
@@ -172,7 +172,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
            } else if (upgrade == 2) {
                unsigned int j, v, f = (65535 * 32768 + s->maxval / 2) / s->maxval;
                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15;
                }
            }
@@ -226,7 +226,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
                return AVERROR_INVALIDDATA;
            for (i = 0; i < avctx->height; i++) {
                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15;
                }
                s->bytestream += n;
@@ -238,13 +238,13 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
            h = avctx->height >> 1;
            for (i = 0; i < h; i++) {
                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ptr1[j] = (v * f + 16384) >> 15;
                }
                s->bytestream += n;

                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ptr2[j] = (v * f + 16384) >> 15;
                }
                s->bytestream += n;
@@ -183,7 +183,7 @@ static void encode_codeword(PutBitContext *pb, int val, int codebook)
 }

 #define QSCALE(qmat,ind,val) ((val) / ((qmat)[ind]))
-#define TO_GOLOMB(val) (((val) << 1) ^ ((val) >> 31))
+#define TO_GOLOMB(val) (((val) * 2) ^ ((val) >> 31))
 #define DIFF_SIGN(val, sign) (((val) >> 31) ^ (sign))
 #define IS_NEGATIVE(val) ((((val) >> 31) ^ -1) + 1)
 #define TO_GOLOMB2(val,sign) ((val)==0 ? 0 : ((val) << 1) + (sign))
@@ -216,7 +216,7 @@ static int decode_frame(AVCodecContext *avctx,
            bytestream2_skip(&gbc, 18);
            colors = bytestream2_get_be16(&gbc);

-            if (colors < 0 || colors > 256) {
+            if (colors < 0 || colors > 255) {
                av_log(avctx, AV_LOG_ERROR,
                       "Error color count - %i(0x%X)\n", colors, colors);
                return AVERROR_INVALIDDATA;
@@ -198,7 +198,7 @@ static void OPNAME ## qpel8_mc01_c(uint8_t *dst, const uint8_t *src,          \
    uint8_t full[16 * 9];                                                     \
    uint8_t half[64];                                                         \
                                                                              \
-    copy_block9(full, src, 16, stride, 9);                                    \
+    copy_block8(full, src, 16, stride, 9);                                    \
    put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16);                   \
    OPNAME ## pixels8_l2_8(dst, full, half, stride, 16, 8, 8);                \
 }                                                                             \
@@ -208,7 +208,7 @@ static void OPNAME ## qpel8_mc02_c(uint8_t *dst, const uint8_t *src,          \
 {                                                                             \
    uint8_t full[16 * 9];                                                     \
                                                                              \
-    copy_block9(full, src, 16, stride, 9);                                    \
+    copy_block8(full, src, 16, stride, 9);                                    \
    OPNAME ## mpeg4_qpel8_v_lowpass(dst, full, stride, 16);                   \
 }                                                                             \
                                                                              \
@@ -218,7 +218,7 @@ static void OPNAME ## qpel8_mc03_c(uint8_t *dst, const uint8_t *src,          \
    uint8_t full[16 * 9];                                                     \
    uint8_t half[64];                                                         \
                                                                              \
-    copy_block9(full, src, 16, stride, 9);                                    \
+    copy_block8(full, src, 16, stride, 9);                                    \
    put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16);                   \
    OPNAME ## pixels8_l2_8(dst, full + 16, half, stride, 16, 8, 8);           \
 }                                                                             \
@@ -458,7 +458,7 @@ static void OPNAME ## qpel16_mc01_c(uint8_t *dst, const uint8_t *src,         \
    uint8_t full[24 * 17];                                                    \
    uint8_t half[256];                                                        \
                                                                              \
-    copy_block17(full, src, 24, stride, 17);                                  \
+    copy_block16(full, src, 24, stride, 17);                                  \
    put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24);                 \
    OPNAME ## pixels16_l2_8(dst, full, half, stride, 24, 16, 16);             \
 }                                                                             \
@@ -468,7 +468,7 @@ static void OPNAME ## qpel16_mc02_c(uint8_t *dst, const uint8_t *src,         \
 {                                                                             \
    uint8_t full[24 * 17];                                                    \
                                                                              \
-    copy_block17(full, src, 24, stride, 17);                                  \
+    copy_block16(full, src, 24, stride, 17);                                  \
    OPNAME ## mpeg4_qpel16_v_lowpass(dst, full, stride, 24);                  \
 }                                                                             \
                                                                              \
@@ -478,7 +478,7 @@ static void OPNAME ## qpel16_mc03_c(uint8_t *dst, const uint8_t *src,         \
    uint8_t full[24 * 17];                                                    \
    uint8_t half[256];                                                        \
                                                                              \
-    copy_block17(full, src, 24, stride, 17);                                  \
+    copy_block16(full, src, 24, stride, 17);                                  \
    put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24);                 \
    OPNAME ## pixels16_l2_8(dst, full + 24, half, stride, 24, 16, 16);        \
 }                                                                             \
@@ -477,8 +477,8 @@ static int ra144_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
                      LPC_ORDER, 16, lpc_coefs, shift, FF_LPC_TYPE_LEVINSON,
                      0, ORDER_METHOD_EST, 0, 12, 0);
    for (i = 0; i < LPC_ORDER; i++)
-        block_coefs[NBLOCKS - 1][i] = -(lpc_coefs[LPC_ORDER - 1][i] <<
-                                        (12 - shift[LPC_ORDER - 1]));
+        block_coefs[NBLOCKS - 1][i] = -lpc_coefs[LPC_ORDER - 1][i]
+                                       * (1 << (12 - shift[LPC_ORDER - 1]));

    /**
     * TODO: apply perceptual weighting of the input speech through bandwidth
@@ -282,6 +282,10 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
            ret = AVERROR_INVALIDDATA;
            goto end;
        }
+        if (ctx->inflated_size < pixel_size) {
+            ret = AVERROR_INVALIDDATA;
+            goto end;
+        }
        ret = uncompress(ctx->inflated_buf, &len, gbc->buffer, packed_size);
        if (ret) {
            av_log(avctx, AV_LOG_ERROR, "Pixel deflate error %d.\n", ret);
@@ -73,7 +73,7 @@ static void sbr_neg_odd_64_c(int *x)
 {
    int i;
    for (i = 1; i < 64; i += 2)
-        x[i] = -x[i];
+        x[i] = -(unsigned)x[i];
 }

 static void sbr_qmf_pre_shuffle_c(int *z)
@@ -100,8 +100,8 @@ static void sbr_qmf_deint_neg_c(int *v, const int *src)
 {
    int i;
    for (i = 0; i < 32; i++) {
-        v[     i] = ( src[63 - 2*i    ] + 0x10) >> 5;
-        v[63 - i] = (-src[63 - 2*i - 1] + 0x10) >> 5;
+        v[     i] = (int)(0x10U + src[63 - 2*i    ]) >> 5;
+        v[63 - i] = (int)(0x10U - src[63 - 2*i - 1]) >> 5;
    }
 }

@@ -166,7 +166,8 @@ static inline void idct4col_add(uint8_t *dest, int line_size, const int16_t *col
 #define R_SHIFT 11
 static inline void idct4row(int16_t *row)
 {
-    int c0, c1, c2, c3, a0, a1, a2, a3;
+    unsigned c0, c1, c2, c3;
+    int a0, a1, a2, a3;

    a0 = row[0];
    a1 = row[1];
@@ -477,6 +477,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
        case SMK_BLK_FULL:
            mode = 0;
            if(avctx->codec_tag == MKTAG('S', 'M', 'K', '4')) { // In case of Smacker v4 we have three modes
+                if (get_bits_left(&gb) < 1)
+                    return AVERROR_INVALIDDATA;
                if(get_bits1(&gb)) mode = 1;
                else if(get_bits1(&gb)) mode = 2;
            }
@@ -369,7 +369,10 @@ static int decode_header(SnowContext *s){
                htaps = htaps*2 + 2;
                p->htaps= htaps;
                for(i= htaps/2; i; i--){
-                    p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1));
+                    unsigned hcoeff = get_symbol(&s->c, s->header_state, 0);
+                    if (hcoeff > 127)
+                        return AVERROR_INVALIDDATA;
+                    p->hcoeff[i]= hcoeff * (1-2*(i&1));
                    sum += p->hcoeff[i];
                }
                p->hcoeff[0]= 32-sum;
@@ -475,13 +475,13 @@ static int predictor_calc_error(int *k, int *state, int order, int error)
    for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--)
    {
        int k_value = *k_ptr, state_value = *state_ptr;
-        x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT);
+        x -= (unsigned)shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT);
        state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT);
    }
 #else
    for (i = order-2; i >= 0; i--)
    {
-        x -= shift_down(k[i] * state[i], LATTICE_SHIFT);
+        x -= (unsigned)shift_down(k[i] * state[i], LATTICE_SHIFT);
        state[i+1] = state[i] + shift_down(k[i] * x, LATTICE_SHIFT);
    }
 #endif
@@ -980,9 +980,7 @@ static av_cold int sonic_decode_close(AVCodecContext *avctx)
    av_freep(&s->int_samples);
    av_freep(&s->tap_quant);
    av_freep(&s->predictor_k);
-
-    for (i = 0; i < s->channels; i++)
-    {
+    for (i = 0; i < MAX_CHANNELS; i++) {
        av_freep(&s->predictor_state[i]);
        av_freep(&s->coded_samples[i]);
    }
@@ -1020,7 +1018,7 @@ static int sonic_decode_frame(AVCodecContext *avctx,

    // dequantize
    for (i = 0; i < s->num_taps; i++)
-        s->predictor_k[i] *= s->tap_quant[i];
+        s->predictor_k[i] *= (unsigned) s->tap_quant[i];

    if (s->lossless)
        quant = 1;
@@ -499,9 +499,10 @@ static av_cold int svq1_encode_end(AVCodecContext *avctx)
    SVQ1EncContext *const s = avctx->priv_data;
    int i;

-    av_log(avctx, AV_LOG_DEBUG, "RD: %f\n",
-           s->rd_total / (double)(avctx->width * avctx->height *
-                                  avctx->frame_number));
+    if (avctx->frame_number)
+        av_log(avctx, AV_LOG_DEBUG, "RD: %f\n",
+               s->rd_total / (double)(avctx->width * avctx->height *
+                                      avctx->frame_number));

    s->m.mb_type = NULL;
    ff_mpv_common_end(&s->m);
@@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int
    for (i = 0; i < length; i++) {
        int32_t a = p1[i];
        int32_t b = p2[i];
-        b         = dfactor * (b >> dshift) + 128 >> 8 << dshift;
+        b         = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift;
        p1[i]     = b - a;
    }
 }
@@ -187,7 +187,7 @@ static void tdsc_paint_cursor(AVCodecContext *avctx, uint8_t *dst, int stride)
 static int tdsc_load_cursor(AVCodecContext *avctx)
 {
    TDSCContext *ctx  = avctx->priv_data;
-    int i, j, k, ret, bits, cursor_fmt;
+    int i, j, k, ret, cursor_fmt;
    uint8_t *dst;

    ctx->cursor_hot_x = bytestream2_get_le16(&ctx->gbc);
@@ -231,7 +231,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx)
    case CUR_FMT_MONO:
        for (j = 0; j < ctx->cursor_h; j++) {
            for (i = 0; i < ctx->cursor_w; i += 32) {
-                bits = bytestream2_get_be32(&ctx->gbc);
+                uint32_t bits = bytestream2_get_be32(&ctx->gbc);
                for (k = 0; k < 32; k++) {
                    dst[0] = !!(bits & 0x80000000);
                    dst   += 4;
@@ -244,7 +244,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx)
        dst = ctx->cursor;
        for (j = 0; j < ctx->cursor_h; j++) {
            for (i = 0; i < ctx->cursor_w; i += 32) {
-                bits = bytestream2_get_be32(&ctx->gbc);
+                uint32_t bits = bytestream2_get_be32(&ctx->gbc);
                for (k = 0; k < 32; k++) {
                    int mask_bit = !!(bits & 0x80000000);
                    switch (dst[0] * 2 + mask_bit) {
@@ -387,7 +387,7 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles)
    for (i = 0; i < number_tiles; i++) {
        int tile_size;
        int tile_mode;
-        int x, y, w, h;
+        int x, y, x2, y2, w, h;
        int ret;

        if (bytestream2_get_bytes_left(&ctx->gbc) < 4 ||
@@ -405,20 +405,19 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles)
        bytestream2_skip(&ctx->gbc, 4); // unknown
        x = bytestream2_get_le32(&ctx->gbc);
        y = bytestream2_get_le32(&ctx->gbc);
-        w = bytestream2_get_le32(&ctx->gbc) - x;
-        h = bytestream2_get_le32(&ctx->gbc) - y;
+        x2 = bytestream2_get_le32(&ctx->gbc);
+        y2 = bytestream2_get_le32(&ctx->gbc);

-        if (x >= ctx->width || y >= ctx->height) {
+        if (x < 0 || y < 0 || x2 <= x || y2 <= y ||
+            x2 > ctx->width || y2 > ctx->height
+        ) {
            av_log(avctx, AV_LOG_ERROR,
-                   "Invalid tile position (%d.%d outside %dx%d).\n",
-                   x, y, ctx->width, ctx->height);
-            return AVERROR_INVALIDDATA;
-        }
-        if (x + w > ctx->width || y + h > ctx->height) {
-            av_log(avctx, AV_LOG_ERROR,
-                   "Invalid tile size %dx%d\n", w, h);
+                   "Invalid tile position (%d.%d %d.%d outside %dx%d).\n",
+                   x, y, x2, y2, ctx->width, ctx->height);
            return AVERROR_INVALIDDATA;
        }
+        w = x2 - x;
+        h = y2 - y;

        ret = av_reallocp(&ctx->tilebuffer, tile_size);
        if (!ctx->tilebuffer)
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.15
 .2.19