Update for 3.2.8

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/hevc_ps: Fix c?_qp_offset_list size
2017-09-17 12:23:15 +02:00 · 2017-09-17 12:21:32 +02:00 · 2017-09-17 12:21:32 +02:00 · 2017-09-17 12:21:32 +02:00 · 2017-09-17 12:21:32 +02:00 · 2017-09-17 12:21:32 +02:00
42 changed files with 315 additions and 120 deletions
@@ -1,6 +1,55 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 3.2.8:
+- avcodec/hevc_ps: Fix c?_qp_offset_list size
+- avcodec/shorten: Move buffer allocation and offset init to end of read_header()
+- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels
+- avcodec/diracdec: Fix overflow in DC computation
+- avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE()
+- libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0
+- avformat/asfdec: Fix DoS in asf_build_simple_index()
+- avformat/mov: Fix DoS in read_tfra()
+- avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit()
+- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting
+- avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()
+- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
+- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
+- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
+- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()
+- avcodec/hevc_ps: Fix undefined shift in pcm code
+- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()
+- avformat/mvdec: Fix DoS due to lack of eof check
+- avformat/rl2: Fix DoS due to lack of eof check
+- avformat/rmdec: Fix DoS due to lack of eof check
+- avformat/cinedec: Fix DoS due to lack of eof check
+- avformat/asfdec: Fix DoS due to lack of eof check
+- avformat/hls: Fix DoS due to infinite loop
+- ffprobe: Fix NULL pointer handling in color parameter printing
+- ffprobe: Fix null pointer dereference with color primaries
+- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
+- avformat/rtpdec_h264: Fix heap-buffer-overflow
+- avformat/aviobuf: Fix signed integer overflow in avio_seek()
+- avformat/mov: Fix signed integer overflows with total_size
+- avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization
+- avcodec/aacdec_template: Fix running cleanup in decode_ics_info()
+- avcodec/me_cmp: Fix crashes on ARM due to misalignment
+- avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()
+- avcodec/fic: Fixes signed integer overflow
+- avcodec/snowdec: Fix off by 1 error
+- avcodec/diracdec: Fixes integer overflow
+- avcodec/diracdec: Check perspective_exp and zrs_exp.
+- avcodec/ffv1dec_template: Fix undefined shift
+- avcodec/mpeg4videodec: Clear mcsel before decoding an image
+- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*
+- avcodec/aacdec_fixed: fix invalid shift in predict()
+- avcodec/h264_slice: Fix overflow in slice offset
+- avformat/utils: fix memory leak in avformat_free_context
+- avcodec/diracdsp: fix integer overflow
+- avcodec/diracdec: Check weight_log2denom
+- avfilter/vf_ssim: fix temp size calculation
+
 version 3.2.7:
 - avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()
 - avcodec/diracdec: Fix integer overflow in divide3()
@@ -1 +1 @@
-3.2.7
+3.2.8
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 3.2.7
+PROJECT_NUMBER         = 3.2.8

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -293,6 +293,24 @@ used to end the output video at the length of the shortest input file,
 which in this case is @file{input.mp4} as the GIF in this example loops
 infinitely.

+@section hls
+
+HLS demuxer
+
+It accepts the following options:
+
+@table @option
+@item live_start_index
+segment index to start live streams at (negative values are from the end).
+
+@item allowed_extensions
+',' separated list of file extensions that hls is allowed to access.
+
+@item max_reload
+Maximum number of times a insufficient list is attempted to be reloaded.
+Default value is 1000.
+@end table
+
@section image2

 Image file demuxer.
@@ -1789,6 +1789,56 @@ static void print_pkt_side_data(WriterContext *w,
    writer_print_section_footer(w);
 }

+static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback)
+{
+    const char *val = av_color_range_name(color_range);
+    if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) {
+        print_str_opt("color_range", fallback);
+    } else {
+        print_str("color_range", val);
+    }
+}
+
+static void print_color_space(WriterContext *w, enum AVColorSpace color_space)
+{
+    const char *val = av_color_space_name(color_space);
+    if (!val || color_space == AVCOL_SPC_UNSPECIFIED) {
+        print_str_opt("color_space", "unknown");
+    } else {
+        print_str("color_space", val);
+    }
+}
+
+static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries)
+{
+    const char *val = av_color_primaries_name(color_primaries);
+    if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) {
+        print_str_opt("color_primaries", "unknown");
+    } else {
+        print_str("color_primaries", val);
+    }
+}
+
+static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc)
+{
+    const char *val = av_color_transfer_name(color_trc);
+    if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) {
+        print_str_opt("color_transfer", "unknown");
+    } else {
+        print_str("color_transfer", val);
+    }
+}
+
+static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location)
+{
+    const char *val = av_chroma_location_name(chroma_location);
+    if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) {
+        print_str_opt("chroma_location", "unspecified");
+    } else {
+        print_str("chroma_location", val);
+    }
+}
+
 static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int packet_idx)
 {
    char val_str[128];
@@ -2244,29 +2294,12 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id
        if (s) print_str    ("pix_fmt", s);
        else   print_str_opt("pix_fmt", "unknown");
        print_int("level",   par->level);
-        if (par->color_range != AVCOL_RANGE_UNSPECIFIED)
-            print_str    ("color_range", av_color_range_name(par->color_range));
-        else
-            print_str_opt("color_range", "N/A");

-        s = av_get_colorspace_name(par->color_space);
-        if (s) print_str    ("color_space", s);
-        else   print_str_opt("color_space", "unknown");
-
-        if (par->color_trc != AVCOL_TRC_UNSPECIFIED)
-            print_str("color_transfer", av_color_transfer_name(par->color_trc));
-        else
-            print_str_opt("color_transfer", av_color_transfer_name(par->color_trc));
-
-        if (par->color_primaries != AVCOL_PRI_UNSPECIFIED)
-            print_str("color_primaries", av_color_primaries_name(par->color_primaries));
-        else
-            print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries));
-
-        if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED)
-            print_str("chroma_location", av_chroma_location_name(par->chroma_location));
-        else
-            print_str_opt("chroma_location", av_chroma_location_name(par->chroma_location));
+        print_color_range(w, par->color_range, "N/A");
+        print_color_space(w, par->color_space);
+        print_color_trc(w, par->color_trc);
+        print_primaries(w, par->color_primaries);
+        print_chroma_location(w, par->chroma_location);

        if (par->field_order == AV_FIELD_PROGRESSIVE)
            print_str("field_order", "progressive");
@@ -305,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, int *coef,
    if (output_enable) {
        int shift = 28 - pv.exp;

-        if (shift < 31)
-            *coef += (pv.mant + (1 << (shift - 1))) >> shift;
+        if (shift < 31) {
+            if (shift > 0) {
+                *coef += (pv.mant + (1 << (shift - 1))) >> shift;
+            } else
+                *coef += pv.mant << -shift;
+        }
    }

    e0 = av_int2sf(*coef, 2);
@@ -1259,6 +1259,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
    const MPEG4AudioConfig *const m4ac = &ac->oc[1].m4ac;
    const int aot = m4ac->object_type;
    const int sampling_index = m4ac->sampling_index;
+    int ret_fail = AVERROR_INVALIDDATA;
+
    if (aot != AOT_ER_AAC_ELD) {
        if (get_bits1(gb)) {
            av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n");
@@ -1309,8 +1311,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
                ics->num_swb       =    ff_aac_num_swb_512[sampling_index];
                ics->tns_max_bands =  ff_tns_max_bands_512[sampling_index];
            }
-            if (!ics->num_swb || !ics->swb_offset)
-                return AVERROR_BUG;
+            if (!ics->num_swb || !ics->swb_offset) {
+                ret_fail = AVERROR_BUG;
+                goto fail;
+            }
        } else {
            ics->swb_offset    =    ff_swb_offset_1024[sampling_index];
            ics->num_swb       =   ff_aac_num_swb_1024[sampling_index];
@@ -1334,7 +1338,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
                if (aot == AOT_ER_AAC_LD) {
                    av_log(ac->avctx, AV_LOG_ERROR,
                           "LTP in ER AAC LD not yet implemented.\n");
-                    return AVERROR_PATCHWELCOME;
+                    ret_fail = AVERROR_PATCHWELCOME;
+                    goto fail;
                }
                if ((ics->ltp.present = get_bits(gb, 1)))
                    decode_ltp(&ics->ltp, gb, ics->max_sfb);
@@ -1353,7 +1358,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
    return 0;
 fail:
    ics->max_sfb = 0;
-    return AVERROR_INVALIDDATA;
+    return ret_fail;
 }

 /**
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
    (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8))

 #define COMPOSE_DAUB97iL1(b0, b1, b2)\
-    (b1 - ((1817*(b0 + b2) + 2048) >> 12))
+    (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))

 #define COMPOSE_DAUB97iH1(b0, b1, b2)\
-    (b1 - (( 113*(b0 + b2) + 64) >> 7))
+    (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))

 #define COMPOSE_DAUB97iL0(b0, b1, b2)\
-    (b1 + (( 217*(b0 + b2) + 2048) >> 12))
+    (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))

 #define COMPOSE_DAUB97iH0(b0, b1, b2)\
-    (b1 + ((6497*(b0 + b2) + 2048) >> 12))
+    (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))


 #endif /* AVCODEC_DWT_H */
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_
    TYPE *b1 = (TYPE *)_b1;
    TYPE *b2 = (TYPE *)_b2;
    for (i = 0; i < width; i++)
-        b1[i] -= (b0[i] + b2[i] + 2) >> 2;
+        b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2;
 }

 static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2,
@@ -37,7 +37,7 @@

 #define APPEND_RESIDUE(N, M)                                                   \
    N          |= M >> (N ## _bits);                                           \
-    N ## _bits +=      (M ## _bits)
+    N ## _bits  = (N ## _bits + (M ## _bits)) & 0x3F

 int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf,
                               int bytes, uint8_t *_dst, int coeffs)
@@ -436,7 +436,7 @@ static av_cold int dirac_decode_end(AVCodecContext *avctx)
 static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffset)
 {
    int coeff = dirac_get_se_golomb(gb);
-    const int sign = FFSIGN(coeff);
+    const unsigned sign = FFSIGN(coeff);
    if (coeff)
        coeff = sign*((sign * coeff * qfactor + qoffset) >> 2);
    return coeff;
@@ -580,7 +580,7 @@ static inline void codeblock(DiracContext *s, SubBand *b,
    } \

 INTRA_DC_PRED(8, int16_t)
-INTRA_DC_PRED(10, int32_t)
+INTRA_DC_PRED(10, uint32_t)

 /**
 * Dirac Specification ->
@@ -1155,6 +1155,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s)
                s->globalmc[ref].perspective[0]  = dirac_get_se_golomb(gb);
                s->globalmc[ref].perspective[1]  = dirac_get_se_golomb(gb);
            }
+            if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) {
+                return AVERROR_INVALIDDATA;
+            }
+
        }
    }

@@ -1173,6 +1177,11 @@ static int dirac_unpack_prediction_parameters(DiracContext *s)

    if (get_bits1(gb)) {
        s->weight_log2denom = get_interleaved_ue_golomb(gb);
+        if (s->weight_log2denom < 1 || s->weight_log2denom > 8) {
+            av_log(s->avctx, AV_LOG_ERROR, "weight_log2denom unsupported or invalid\n");
+            s->weight_log2denom = 1;
+            return AVERROR_INVALIDDATA;
+        }
        s->weight[0] = dirac_get_se_golomb(gb);
        if (s->num_refs == 2)
            s->weight[1] = dirac_get_se_golomb(gb);
@@ -1407,7 +1416,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock
    if (!block->ref) {
        pred_block_dc(block, stride, x, y);
        for (i = 0; i < 3; i++)
-            block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA);
+            block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA);
        return;
    }

@@ -199,7 +199,7 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s
        for (i = 0; i < tot_h; i++) {                                                      \
            c = *src_r++;                                                                  \
            sign = FFSIGN(c)*(!!c);                                                        \
-            c = (FFABS(c)*qf + qs) >> 2;                                                   \
+            c = (FFABS(c)*(unsigned)qf + qs) >> 2;                                                   \
            *dst_r++ = c*sign;                                                             \
        }                                                                                  \
        src += tot_h << (sizeof(PX) >> 1);                                                 \
@@ -149,7 +149,7 @@ static void RENAME(decode_rgb_frame)(FFV1Context *s, uint8_t *src[3], int w, int
            }

            if (lbd)
-                *((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + (g<<8) + (r<<16) + (a<<24);
+                *((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + ((unsigned)g<<8) + ((unsigned)r<<16) + ((unsigned)a<<24);
            else if (sizeof(TYPE) == 4) {
                *((uint16_t*)(src[0] + x*2 + stride[0]*y)) = g;
                *((uint16_t*)(src[1] + x*2 + stride[1]*y)) = b;
@@ -84,12 +84,12 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' };

 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd)
 {
-    const int t0 =  27246 * blk[3 * step] + 18405 * blk[5 * step];
-    const int t1 =  27246 * blk[5 * step] - 18405 * blk[3 * step];
-    const int t2 =   6393 * blk[7 * step] + 32139 * blk[1 * step];
-    const int t3 =   6393 * blk[1 * step] - 32139 * blk[7 * step];
-    const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12);
-    const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12);
+    const unsigned t0 =  27246 * blk[3 * step] + 18405 * blk[5 * step];
+    const unsigned t1 =  27246 * blk[5 * step] - 18405 * blk[3 * step];
+    const unsigned t2 =   6393 * blk[7 * step] + 32139 * blk[1 * step];
+    const unsigned t3 =   6393 * blk[1 * step] - 32139 * blk[7 * step];
+    const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12);
+    const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12);
    const unsigned t6 = t2 - t0;
    const unsigned t7 = t3 - t1;
    const unsigned t8 =  17734 * blk[2 * step] - 42813 * blk[6 * step];
@@ -34,21 +34,22 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,

    pwt->use_weight             = 0;
    pwt->use_weight_chroma      = 0;
-    pwt->luma_log2_weight_denom = get_ue_golomb(gb);
-    if (sps->chroma_format_idc)
-        pwt->chroma_log2_weight_denom = get_ue_golomb(gb);

+    pwt->luma_log2_weight_denom = get_ue_golomb(gb);
    if (pwt->luma_log2_weight_denom > 7U) {
        av_log(logctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", pwt->luma_log2_weight_denom);
        pwt->luma_log2_weight_denom = 0;
    }
-    if (pwt->chroma_log2_weight_denom > 7U) {
-        av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom);
-        pwt->chroma_log2_weight_denom = 0;
-    }
+    luma_def = 1 << pwt->luma_log2_weight_denom;

-    luma_def   = 1 << pwt->luma_log2_weight_denom;
-    chroma_def = 1 << pwt->chroma_log2_weight_denom;
+    if (sps->chroma_format_idc) {
+        pwt->chroma_log2_weight_denom = get_ue_golomb(gb);
+        if (pwt->chroma_log2_weight_denom > 7U) {
+            av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom);
+            pwt->chroma_log2_weight_denom = 0;
+        }
+        chroma_def = 1 << pwt->chroma_log2_weight_denom;
+    }

    for (list = 0; list < 2; list++) {
        pwt->luma_weight_flag[list]   = 0;
@@ -102,9 +103,11 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
            if (picture_structure == PICT_FRAME) {
                pwt->luma_weight[16 + 2 * i][list][0] = pwt->luma_weight[16 + 2 * i + 1][list][0] = pwt->luma_weight[i][list][0];
                pwt->luma_weight[16 + 2 * i][list][1] = pwt->luma_weight[16 + 2 * i + 1][list][1] = pwt->luma_weight[i][list][1];
-                for (j = 0; j < 2; j++) {
-                    pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0];
-                    pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1];
+                if (sps->chroma_format_idc) {
+                    for (j = 0; j < 2; j++) {
+                        pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0];
+                        pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1];
+                    }
                }
            }
        }
@@ -1739,17 +1739,19 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl,
            sl->deblocking_filter ^= 1;  // 1<->0

        if (sl->deblocking_filter) {
-            sl->slice_alpha_c0_offset = get_se_golomb(&sl->gb) * 2;
-            sl->slice_beta_offset     = get_se_golomb(&sl->gb) * 2;
-            if (sl->slice_alpha_c0_offset >  12 ||
-                sl->slice_alpha_c0_offset < -12 ||
-                sl->slice_beta_offset >  12     ||
-                sl->slice_beta_offset < -12) {
+            int slice_alpha_c0_offset_div2 = get_se_golomb(&sl->gb);
+            int slice_beta_offset_div2     = get_se_golomb(&sl->gb);
+            if (slice_alpha_c0_offset_div2 >  6 ||
+                slice_alpha_c0_offset_div2 < -6 ||
+                slice_beta_offset_div2 >  6     ||
+                slice_beta_offset_div2 < -6) {
                av_log(h->avctx, AV_LOG_ERROR,
                       "deblocking filter parameters %d %d out of range\n",
-                       sl->slice_alpha_c0_offset, sl->slice_beta_offset);
+                       slice_alpha_c0_offset_div2, slice_beta_offset_div2);
                return AVERROR_INVALIDDATA;
            }
+            sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
+            sl->slice_beta_offset     = slice_beta_offset_div2 * 2;
        }
    }

@@ -545,8 +545,8 @@ typedef struct HEVCPPS {
    uint8_t chroma_qp_offset_list_enabled_flag;
    uint8_t diff_cu_chroma_qp_offset_depth;
    uint8_t chroma_qp_offset_list_len_minus1;
-    int8_t  cb_qp_offset_list[5];
-    int8_t  cr_qp_offset_list[5];
+    int8_t  cb_qp_offset_list[6];
+    int8_t  cr_qp_offset_list[6];
    uint8_t log2_sao_offset_scale_luma;
    uint8_t log2_sao_offset_scale_chroma;

@@ -224,6 +224,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
            prev = 0;
            for (i = 0; i < rps->num_negative_pics; i++) {
                delta_poc = get_ue_golomb_long(gb) + 1;
+                if (delta_poc < 1 || delta_poc > 32768) {
+                    av_log(avctx, AV_LOG_ERROR,
+                        "Invalid value of delta_poc: %d\n",
+                        delta_poc);
+                    return AVERROR_INVALIDDATA;
+                }
                prev -= delta_poc;
                rps->delta_poc[i] = prev;
                rps->used[i]      = get_bits1(gb);
@@ -231,6 +237,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
            prev = 0;
            for (i = 0; i < nb_positive_pics; i++) {
                delta_poc = get_ue_golomb_long(gb) + 1;
+                if (delta_poc < 1 || delta_poc > 32768) {
+                    av_log(avctx, AV_LOG_ERROR,
+                        "Invalid value of delta_poc: %d\n",
+                        delta_poc);
+                    return AVERROR_INVALIDDATA;
+                }
                prev += delta_poc;
                rps->delta_poc[rps->num_negative_pics + i] = prev;
                rps->used[rps->num_negative_pics + i]      = get_bits1(gb);
@@ -1014,10 +1026,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
        sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3;
        sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size +
                                        get_ue_golomb_long(gb);
-        if (sps->pcm.bit_depth > sps->bit_depth) {
+        if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > sps->bit_depth) {
            av_log(avctx, AV_LOG_ERROR,
-                   "PCM bit depth (%d) is greater than normal bit depth (%d)\n",
-                   sps->pcm.bit_depth, sps->bit_depth);
+                   "PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n",
+                   sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, sps->bit_depth);
            return AVERROR_INVALIDDATA;
        }

@@ -599,7 +599,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, ptrdiff_t _dststride,
    ox1     = ox1 * (1 << (BIT_DEPTH - 8));
    for (y = 0; y < height; y++) {
        for (x = 0; x < width; x++) {
-            dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
+            dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1));
        }
        src  += srcstride;
        dst  += dststride;
@@ -65,9 +65,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize)

    for (i = 0; i < csize; i++) {
        i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16);
-        i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16)
+        i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16)
                   - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16);
-        i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16);
+        i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16);
        *src0++ = i0;
        *src1++ = i1;
        *src2++ = i2;
@@ -628,7 +628,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1,

    av_assert2(h == 8);

-    s->pdsp.diff_pixels(temp, src1, src2, stride);
+    s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
    s->fdsp.fdct(temp);
    return s->mecc.sum_abs_dctelem(temp);
 }
@@ -668,7 +668,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1,
    int16_t dct[8][8];
    int i, sum = 0;

-    s->pdsp.diff_pixels(dct[0], src1, src2, stride);
+    s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride);

 #define SRC(x) dct[i][x]
 #define DST(x, v) dct[i][x] = v
@@ -695,7 +695,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1,

    av_assert2(h == 8);

-    s->pdsp.diff_pixels(temp, src1, src2, stride);
+    s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
    s->fdsp.fdct(temp);

    for (i = 0; i < 64; i++)
@@ -714,7 +714,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1,
    av_assert2(h == 8);
    s->mb_intra = 0;

-    s->pdsp.diff_pixels(temp, src1, src2, stride);
+    s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);

    memcpy(bak, temp, 64 * sizeof(int16_t));

@@ -817,7 +817,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, uint8_t *src2,

    av_assert2(h == 8);

-    s->pdsp.diff_pixels(temp, src1, src2, stride);
+    s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);

    s->block_last_index[0 /* FIXME */] =
    last                               =
@@ -2290,6 +2290,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb)
    int time_incr, time_increment;
    int64_t pts;

+    s->mcsel       = 0;
    s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I;        /* pict type: I = 0 , P = 1 */
    if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay &&
        ctx->vol_control_parameters == 0 && !(s->avctx->flags & AV_CODEC_FLAG_LOW_DELAY)) {
@@ -82,6 +82,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx)
 {
    const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8;

+    c->diff_pixels_unaligned =
    c->diff_pixels = diff_pixels_c;

    switch (avctx->bits_per_raw_sample) {
@@ -31,6 +31,11 @@ typedef struct PixblockDSPContext {
                        const uint8_t *s1 /* align 8 */,
                        const uint8_t *s2 /* align 8 */,
                        int stride);
+    void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */,
+                        const uint8_t *s1,
+                        const uint8_t *s2,
+                        int stride);
+
 } PixblockDSPContext;

 void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx);
@@ -136,19 +136,19 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][

    if (lag) {
        for (i = 1; i < 38; i++) {
-            accu_re += (int64_t)x[i][0] * x[i+lag][0];
-            accu_re += (int64_t)x[i][1] * x[i+lag][1];
-            accu_im += (int64_t)x[i][0] * x[i+lag][1];
-            accu_im -= (int64_t)x[i][1] * x[i+lag][0];
+            accu_re += (uint64_t)x[i][0] * x[i+lag][0];
+            accu_re += (uint64_t)x[i][1] * x[i+lag][1];
+            accu_im += (uint64_t)x[i][0] * x[i+lag][1];
+            accu_im -= (uint64_t)x[i][1] * x[i+lag][0];
        }

        real_sum = accu_re;
        imag_sum = accu_im;

-        accu_re += (int64_t)x[ 0][0] * x[lag][0];
-        accu_re += (int64_t)x[ 0][1] * x[lag][1];
-        accu_im += (int64_t)x[ 0][0] * x[lag][1];
-        accu_im -= (int64_t)x[ 0][1] * x[lag][0];
+        accu_re += (uint64_t)x[ 0][0] * x[lag][0];
+        accu_re += (uint64_t)x[ 0][1] * x[lag][1];
+        accu_im += (uint64_t)x[ 0][0] * x[lag][1];
+        accu_im -= (uint64_t)x[ 0][1] * x[lag][0];

        phi[2-lag][1][0] = autocorr_calc(accu_re);
        phi[2-lag][1][1] = autocorr_calc(accu_im);
@@ -156,28 +156,28 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][
        if (lag == 1) {
            accu_re = real_sum;
            accu_im = imag_sum;
-            accu_re += (int64_t)x[38][0] * x[39][0];
-            accu_re += (int64_t)x[38][1] * x[39][1];
-            accu_im += (int64_t)x[38][0] * x[39][1];
-            accu_im -= (int64_t)x[38][1] * x[39][0];
+            accu_re += (uint64_t)x[38][0] * x[39][0];
+            accu_re += (uint64_t)x[38][1] * x[39][1];
+            accu_im += (uint64_t)x[38][0] * x[39][1];
+            accu_im -= (uint64_t)x[38][1] * x[39][0];

            phi[0][0][0] = autocorr_calc(accu_re);
            phi[0][0][1] = autocorr_calc(accu_im);
        }
    } else {
        for (i = 1; i < 38; i++) {
-            accu_re += (int64_t)x[i][0] * x[i][0];
-            accu_re += (int64_t)x[i][1] * x[i][1];
+            accu_re += (uint64_t)x[i][0] * x[i][0];
+            accu_re += (uint64_t)x[i][1] * x[i][1];
        }
        real_sum = accu_re;
-        accu_re += (int64_t)x[ 0][0] * x[ 0][0];
-        accu_re += (int64_t)x[ 0][1] * x[ 0][1];
+        accu_re += (uint64_t)x[ 0][0] * x[ 0][0];
+        accu_re += (uint64_t)x[ 0][1] * x[ 0][1];

        phi[2][1][0] = autocorr_calc(accu_re);

        accu_re = real_sum;
-        accu_re += (int64_t)x[38][0] * x[38][0];
-        accu_re += (int64_t)x[38][1] * x[38][1];
+        accu_re += (uint64_t)x[38][0] * x[38][0];
+        accu_re += (uint64_t)x[38][1] * x[38][1];

        phi[1][0][0] = autocorr_calc(accu_re);
    }
@@ -453,12 +453,6 @@ static int read_header(ShortenContext *s)
    }
    s->nwrap = FFMAX(NWRAP, maxnlpc);

-    if ((ret = allocate_buffers(s)) < 0)
-        return ret;
-
-    if ((ret = init_offset(s)) < 0)
-        return ret;
-
    if (s->version > 1)
        s->lpcqoffset = V2LPCQOFFSET;

@@ -494,6 +488,13 @@ static int read_header(ShortenContext *s)
    }

 end:
+
+    if ((ret = allocate_buffers(s)) < 0)
+        return ret;
+
+    if ((ret = init_offset(s)) < 0)
+        return ret;
+
    s->cur_chan = 0;
    s->bitshift = 0;

@@ -140,7 +140,7 @@ static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli
        v = b->x_coeff[new_index].coeff;
        x = b->x_coeff[new_index++].x;
        while(x < w){
-            register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT;
+            register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT;
            register int u= -(v&1);
            line[x] = (t^u) - u;

@@ -355,7 +355,7 @@ static int decode_header(SnowContext *s){
                Plane *p= &s->plane[plane_index];
                p->diag_mc= get_rac(&s->c, s->header_state);
                htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2;
-                if((unsigned)htaps > HTAPS_MAX || htaps==0)
+                if((unsigned)htaps >= HTAPS_MAX || htaps==0)
                    return AVERROR_INVALIDDATA;
                p->htaps= htaps;
                for(i= htaps/2; i; i--){
@@ -1570,7 +1570,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
        }

        if (!avctx->rc_initial_buffer_occupancy)
-            avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4;
+            avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 4;

        if (avctx->ticks_per_frame && avctx->time_base.num &&
            avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) {
@@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c,
    if (EXTERNAL_MMX(cpu_flags)) {
        if (!high_bit_depth)
            c->get_pixels = ff_get_pixels_mmx;
+        c->diff_pixels_unaligned =
        c->diff_pixels = ff_diff_pixels_mmx;
    }

    if (EXTERNAL_SSE2(cpu_flags)) {
        if (!high_bit_depth)
            c->get_pixels = ff_get_pixels_sse2;
+        c->diff_pixels_unaligned =
        c->diff_pixels = ff_diff_pixels_sse2;
    }
 }
@@ -147,6 +147,8 @@ static float ssim_endn(const int (*sum0)[4], const int (*sum1)[4], int width)
    return ssim;
 }

+#define SUM_LEN(w) (((w) >> 2) + 3)
+
 static float ssim_plane(SSIMDSPContext *dsp,
                        uint8_t *main, int main_stride,
                        uint8_t *ref, int ref_stride,
@@ -155,7 +157,7 @@ static float ssim_plane(SSIMDSPContext *dsp,
    int z = 0, y;
    float ssim = 0.0;
    int (*sum0)[4] = temp;
-    int (*sum1)[4] = sum0 + (width >> 2) + 3;
+    int (*sum1)[4] = sum0 + SUM_LEN(width);

    width >>= 2;
    height >>= 2;
@@ -297,7 +299,7 @@ static int config_input_ref(AVFilterLink *inlink)
    for (i = 0; i < s->nb_components; i++)
        s->coefs[i] = (double) s->planeheight[i] * s->planewidth[i] / sum;

-    s->temp = av_malloc((2 * inlink->w + 12) * sizeof(*s->temp));
+    s->temp = av_mallocz_array(2 * SUM_LEN(inlink->w), sizeof(int[4]));
    if (!s->temp)
        return AVERROR(ENOMEM);

@@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
    count = avio_rl32(pb);    // markers count
    avio_rl16(pb);            // reserved 2 bytes
    name_len = avio_rl16(pb); // name length
-    for (i = 0; i < name_len; i++)
-        avio_r8(pb); // skip the name
+    avio_skip(pb, name_len);

    for (i = 0; i < count; i++) {
        int64_t pres_time;
        int name_len;

+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
+
        avio_rl64(pb);             // offset, 8 bytes
        pres_time = avio_rl64(pb); // presentation time
        pres_time -= asf->hdr.preroll * 10000;
@@ -1608,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index)
            int64_t pos       = s->internal->data_offset + s->packet_size * (int64_t)pktnum;
            int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0);

+            if (avio_feof(s->pb)) {
+                ret = AVERROR_INVALIDDATA;
+                goto end;
+            }
+
            if (pos != last_pos) {
                av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d  pts: %"PRId64"\n",
                       pktnum, pktct, index_pts);
@@ -249,6 +249,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence)
        offset1 = pos + (s->buf_ptr - s->buffer);
        if (offset == 0)
            return offset1;
+        if (offset > INT64_MAX - offset1)
+            return AVERROR(EINVAL);
        offset += offset1;
    }
    if (offset < 0)
@@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx)

    /* parse image offsets */
    avio_seek(pb, offImageOffsets, SEEK_SET);
-    for (i = 0; i < st->duration; i++)
+    for (i = 0; i < st->duration; i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
+
        av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+    }

    return 0;
 }
@@ -205,6 +205,7 @@ typedef struct HLSContext {
    AVDictionary *avio_opts;
    int strict_std_compliance;
    char *allowed_extensions;
+    int max_reload;
 } HLSContext;

 static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
@@ -1255,6 +1256,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
    HLSContext *c = v->parent->priv_data;
    int ret, i;
    int just_opened = 0;
+    int reload_count = 0;

 restart:
    if (!v->needed)
@@ -1286,6 +1288,9 @@ restart:
        reload_interval = default_reload_interval(v);

 reload:
+        reload_count++;
+        if (reload_count > c->max_reload)
+            return AVERROR_EOF;
        if (!v->finished &&
            av_gettime_relative() - v->last_load_time >= reload_interval) {
            if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
@@ -2143,6 +2148,8 @@ static const AVOption hls_options[] = {
        OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
        {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
        INT_MIN, INT_MAX, FLAGS},
+    {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
+        OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
    {NULL}
 };

@@ -4888,7 +4888,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)

    if (atom.size < 0)
        atom.size = INT64_MAX;
-    while (total_size + 8 <= atom.size && !avio_feof(pb)) {
+    while (total_size <= atom.size - 8 && !avio_feof(pb)) {
        int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL;
        a.size = atom.size;
        a.type=0;
@@ -5394,6 +5394,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f)
    }
    for (i = 0; i < index->item_count; i++) {
        int64_t time, offset;
+
+        if (avio_feof(f)) {
+            index->item_count = 0;
+            av_freep(&index->items);
+            return AVERROR_INVALIDDATA;
+        }
+
        if (version == 1) {
            time   = avio_rb64(f);
            offset = avio_rb64(f);
@@ -338,6 +338,8 @@ static int mv_read_header(AVFormatContext *avctx)
            uint32_t pos   = avio_rb32(pb);
            uint32_t asize = avio_rb32(pb);
            uint32_t vsize = avio_rb32(pb);
+            if (avio_feof(pb))
+                return AVERROR_INVALIDDATA;
            avio_skip(pb, 8);
            av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME);
            av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME);
@@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U
        avpriv_request_sample(pb, "Primer pack item length %d", item_len);
        return AVERROR_PATCHWELCOME;
    }
-    if (item_num > 65536) {
+    if (item_num > 65536 || item_num < 0) {
        av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
        return AVERROR_INVALIDDATA;
    }
@@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
    segment->nb_index_entries = avio_rb32(pb);

    length = avio_rb32(pb);
+    if(segment->nb_index_entries && length < 11)
+        return AVERROR_INVALIDDATA;

    if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) ||
        !(segment->flag_entries          = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
@@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
    }

    for (i = 0; i < segment->nb_index_entries; i++) {
+        if(avio_feof(pb))
+            return AVERROR_INVALIDDATA;
        segment->temporal_offset_entries[i] = avio_r8(pb);
        avio_r8(pb);                                        /* KeyFrameOffset */
        segment->flag_entries[i] = avio_r8(pb);
@@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
        if (!nsv->nsvs_file_offset)
            return AVERROR(ENOMEM);

-        for(i=0;i<table_entries_used;i++)
+        for(i=0;i<table_entries_used;i++) {
+            if (avio_feof(pb))
+                return AVERROR_INVALIDDATA;
            nsv->nsvs_file_offset[i] = avio_rl32(pb) + size;
+        }

        if(table_entries > table_entries_used &&
           avio_rl32(pb) == MKTAG('T','O','C','2')) {
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
    }

    /** read offset and size tables */
-    for(i=0; i < frame_count;i++)
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
        chunk_size[i] = avio_rl32(pb);
-    for(i=0; i < frame_count;i++)
+    }
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
        chunk_offset[i] = avio_rl32(pb);
-    for(i=0; i < frame_count;i++)
+    }
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
        audio_size[i] = avio_rl32(pb) & 0xFFFF;
+    }

    /** build the sample index */
    for(i=0;i<frame_count;i++){
@@ -1238,8 +1238,11 @@ static int ivr_read_header(AVFormatContext *s)
            av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
        } else if (type == 4) {
            av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
-            for (j = 0; j < len; j++)
+            for (j = 0; j < len; j++) {
+                if (avio_feof(pb))
+                    return AVERROR_INVALIDDATA;
                av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
+            }
            av_log(s, AV_LOG_DEBUG, "'\n");
        } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) {
            nb_streams = value = avio_rb32(pb);
@@ -166,7 +166,7 @@ static int sdp_parse_fmtp_config_h264(AVFormatContext *s,
            parse_profile_level_id(s, h264_data, value);
    } else if (!strcmp(attr, "sprop-parameter-sets")) {
        int ret;
-        if (value[strlen(value) - 1] == ',') {
+        if (*value == 0 || value[strlen(value) - 1] == ',') {
            av_log(s, AV_LOG_WARNING, "Missing PPS in sprop-parameter-sets, ignoring\n");
            return 0;
        }
@@ -4172,8 +4172,8 @@ void avformat_free_context(AVFormatContext *s)
    av_freep(&s->chapters);
    av_dict_free(&s->metadata);
    av_freep(&s->streams);
-    av_freep(&s->internal);
    flush_packet_queue(s);
+    av_freep(&s->internal);
    av_free(s);
 }
@@ -1 +1 @@
 .2.7
 .2.8