Update for 3.2.11

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/movenc: Check input sample count
2018-07-08 21:07:45 +02:00 · 2018-07-08 19:45:47 +02:00 · 2018-07-08 19:45:47 +02:00 · 2018-07-08 19:45:47 +02:00 · 2018-07-08 19:45:47 +02:00 · 2018-07-08 19:45:47 +02:00
136 changed files with 1155 additions and 540 deletions
@@ -1,6 +1,154 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 3.2.11:
+- avformat/mov: Fix extradata memleak
+- lavc/libopusdec: Allow avcodec_open2 to call .close
+- avcodec/movtextdec: Check style_start/end
+- avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()
+- libavcodec/rv34: error out earlier on missing references
+- swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering.
+- avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()
+- avcodec/cscd: Error out when LZ* decompression fails
+- avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()
+- avcodec/utvideodec: Set pro flag based on fourcc
+- avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()
+- avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables
+- avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry()
+- avcodec/get_bits: Make sure the input bitstream with padding can be addressed
+- avformat/mov: Check STSC and remove invalid entries
+- avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it
+- avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg
+- avcodec/wmalosslessdec: Reset num_saved_bits on error path
+- avformat/mov: Fix integer overflows related to sample_duration
+- avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE
+- avformat/oggparseogm: Check lb against psize
+- avformat/oggparseogm: Fix undefined shift in ogm_packet()
+- avformat/avidec: Fix integer overflow in cum_len check
+- avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE
+- avformat/utils: Fix integer overflow of fps_first/last_dts
+- libavformat/oggparsevorbis: Fix memleak on multiple headers
+- avcodec/truemotion2rt: Check input buffer size
+- avcodec/exr: fix invalid shift in unpack_14()
+- avcodec/bintext: sanity check dimensions
+- avcodec/utvideodec: Check subsample factors
+- avcodec/smc: Check input packet size
+- avcodec/cavsdec: Check alpha/beta offset
+- avcodec/diracdec: Fix integer overflow in mv computation
+- avcodec/h264_parse: Clear invalid chroma weights in ff_h264_pred_weight_table()
+- avcodec/aacdec_templat: Fix integer overflow in apply_ltp()
+- avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()
+- avcodec/diracdec: Use int64 in global mv to prevent overflow
+- avcodec/dxtory: Remove code that corrupts dimensions
+- avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i()
+- avcodec/vp8: Check for bitstream end before vp7_fade_frame()
+- avcodec/exr: Check remaining bits in last get code loop
+- avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c()
+- avcodec/h264_cabac: Tighten allowed coeff_abs range
+- avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc()
+- avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs()
+- avcodec/mpeg4videodec: Ignore multiple VOL headers
+- avcodec/vp3: Check eob_run
+- avcodec/mpeg2dec: Fix field selection for skipped macroblocks
+- avcodec/huffyuvdec: Check input buffer size
+- avcodec/utvideodec: Fix bytes left check in decode_frame()
+- avcodec/wavpack: Fix integer overfversion 3.2.10:low in FFABS
+- avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble()
+- avcodec/dirac_dwt: Fix several integer overflows
+- avcodec/indeo5: Do not leave frame_type set to an invalid value
+- avcodec/hevc_ps: Check log2_sao_offset_scale_*
+- avcodec/hevc_ps: extract one SPS fields required for hvcC construction
+- avcodec/mpeg4videodec: Avoid possibly aliasing violating casts
+- avcodec/get_bits: Document the return code of get_vlc2()
+- avcodec/mpeg4videodec: Check mb_num also against 0
+- avfilter/vf_transpose: Fix used plane count.
+- avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode()
+- avcodec/mjpegdec: Fix integer overflow in DC dequantization
+- avcodec/dxtory: Fix bits left checks
+- avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down
+- avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK()
+- avcodec/snowdec: Fix integer overflow before htaps check
+- avcodec/ulti: Check number of blocks at init
+- avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs()
+- avformat/lrcdec: Fix memory leak in lrc_read_header()
+- avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks()
+- avdevice/iec61883: free the private context at the end
+- avdevice/iec61883: return reference counted packets
+- avdevice/iec61883: free packet on buffer allocation error
+- avformat/hvcc: zero initialize the nal buffers past the last written byte
+- swresample/rematrix: fix update of channel matrix if input or output layout is undefined
+
+version 3.2.10:
+- avcodec/utils: Avoid hardcoding duplicated types in sizeof()
+- avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one
+- avformat/libssh: check the user provided a password before trying to use it
+- avcodec/h264addpx_template: Fixes integer overflows
+- avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0
+- avcodec/diracdec: Fix integer overflow with quant
+- avcodec/opus_parser: Check payload_len in parse_opus_ts_header()
+- avcodec/jpeg2000dsp: Fix integer overflows in ict_int()
+- avcodec/h264_slice: Do not attempt to render into frames already output
+- avcodec/dnxhddec: Check dc vlc
+- x264: Support version 153
+- avcodec/exr: Check buf_size more completely
+- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed()
+- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w()
+- avcodec/flacdec: avoid undefined shift
+- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0()
+- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()
+- tests/audiomatch: Add missing return code at the end of main()
+- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()
+- libavfilter/af_dcshift.c: Fixed repeated spelling error
+- avfilter/formats: fix wrong function name in error message
+- avcodec/amrwbdec: Fix division by 0 in voice_factor()
+- avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED()
+- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97*
+- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.
+- Don't manipulate duration when it's AV_NOPTS_VALUE.
+- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.
+- avformat/utils: Prevent undefined shift with wrap_bits > 64.
+- avcodec/j2kenc: Fix out of array access in encode_cblk()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()
+- avcodec/mlpdsp: Fix signed integer overflow, 2nd try
+- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*
+- avcodec/mpeg4videodec: Check also for negative versions in the validity check
+- Close ogg stream upon error when using AV_EF_EXPLODE.
+- Fix undefined shift on assumed 8-bit input.
+- Use ff_thread_once for fixed, float table init.
+- avformat/mov: Propagate errors in mov_switch_root.
+- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()
+- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()
+- avcodec/zmbv: Check that the buffer is large enough for mvec
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0()
+- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb()
+- avcodec/snowdec: Check for remaining bitstream in decode_blocks()
+- avcodec/snowdec: Check intra block dc differences.
+- avformat/mov: Check size of STSC allocation
+- avcodec/vc2enc: Clear coef_buf on allocation
+- avcodec/h264dec: Fix potential array overread
+- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu
+- avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c()
+- avcodec/aacdec_fixed: Fix undefined shift
+- avcodec/mdct_*: Fix integer overflow in addition in RESCALE()
+- avcodec/snowdec: Fix integer overflow in header parsing
+- avcodec/cngdec: Fix integer clipping
+- avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()
+- avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc()
+- avutil/softfloat: Add FLOAT_MIN
+- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()
+- avcodec/xan: Check for bitstream end in xan_huffman_decode()
+- avcodec/exr: fix undefined shift in pxr24_uncompress()
+- avformat: Free the internal codec context at the end
+- avcodec/xan: Improve overlapping check
+- avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed()
+- avcodec/aacdec_fixed: Fix integer overflow in predict()
+- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line()
+- avcodec/jpeglsdec: Check ilv for being a supported value
+- vc2enc_dwt: pad the temporary buffer by the slice size
+
 version 3.2.9:
 - avcodec/snowdec: Check mv_scale
 - avcodec/pafvideo: Check for bitstream end in decode_0()
@@ -1 +1 @@
-3.2.9
+3.2.11
@@ -6703,7 +6703,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2017
+#define CONFIG_THIS_YEAR 2018
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
@@ -515,7 +515,7 @@ API changes, most recent first:
  Add av_opt_get_dict_val/set_dict_val with AV_OPT_TYPE_DICT to support
  dictionary types being set as options.

-2014-08-13 - afbd4b8 - lavf 56.01.0 - avformat.h
+2014-08-13 - afbd4b7e09 - lavf 56.01.0 - avformat.h
  Add AVFormatContext.event_flags and AVStream.event_flags for signaling to
  the user when events happen in the file/stream.

@@ -532,7 +532,7 @@ API changes, most recent first:
 2014-08-08 - 5c3c671 - lavf 55.53.100 - avio.h
  Add avio_feof() and deprecate url_feof().

-2014-08-07 - bb78903 - lsws 2.1.3 - swscale.h
+2014-08-07 - bb789016d4 - lsws 2.1.3 - swscale.h
  sws_getContext is not going to be removed in the future.

 2014-08-07 - a561662 / ad1ee5f - lavc 55.73.101 / 55.57.3 - avcodec.h
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 3.2.9
+PROJECT_NUMBER         = 3.2.11

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -2548,8 +2548,12 @@ static int process_input_packet(InputStream *ist, const AVPacket *pkt, int no_eo
        ist->dts = ist->next_dts;
        switch (ist->dec_ctx->codec_type) {
        case AVMEDIA_TYPE_AUDIO:
-            ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) /
-                             ist->dec_ctx->sample_rate;
+            if (ist->dec_ctx->sample_rate) {
+                ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) /
+                                  ist->dec_ctx->sample_rate;
+            } else {
+                ist->next_dts += av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q);
+            }
            break;
        case AVMEDIA_TYPE_VIDEO:
            if (ist->framerate.num) {
@@ -307,9 +307,9 @@ static av_always_inline void predict(PredictorState *ps, int *coef,

        if (shift < 31) {
            if (shift > 0) {
-                *coef += (pv.mant + (1 << (shift - 1))) >> shift;
+                *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift);
            } else
-                *coef += pv.mant << -shift;
+                *coef += (unsigned)pv.mant << -shift;
        }
    }

@@ -385,7 +385,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
                        for (k = offsets[i]; k < offsets[i + 1]; k++) {
                            tmp = (int)(((int64_t)src[group * 128 + k] * c + \
                                       (int64_t)0x1000000000) >> 37);
-                            dest[group * 128 + k] += (tmp + round) >> shift;
+                            dest[group * 128 + k] += (tmp + (int64_t)round) >> shift;
                        }
                    }
                }
@@ -394,7 +394,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
                        for (k = offsets[i]; k < offsets[i + 1]; k++) {
                            tmp = (int)(((int64_t)src[group * 128 + k] * c + \
                                        (int64_t)0x1000000000) >> 37);
-                            dest[group * 128 + k] += tmp * (1 << shift);
+                            dest[group * 128 + k] += tmp * (1U << shift);
                        }
                    }
                }
@@ -417,7 +417,7 @@ static void apply_independent_coupling_fixed(AACContext *ac,
    int i, c, shift, round, tmp;
    const int gain = cce->coup.gain[index][0];
    const int *src = cce->ch[0].ret;
-    int *dest = target->ret;
+    unsigned int *dest = target->ret;
    const int len = 1024 << (ac->oc[1].m4ac.sbr == 1);

    c = cce_scale_fixed[gain & 7];
@@ -434,7 +434,7 @@ static void apply_independent_coupling_fixed(AACContext *ac,
    else {
      for (i = 0; i < len; i++) {
          tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37);
-          dest[i] += tmp * (1 << shift);
+          dest[i] += tmp * (1U << shift);
      }
    }
 }
@@ -2500,7 +2500,7 @@ static void apply_ltp(AACContext *ac, SingleChannelElement *sce)
        for (sfb = 0; sfb < FFMIN(sce->ics.max_sfb, MAX_LTP_LONG_SFB); sfb++)
            if (ltp->used[sfb])
                for (i = offsets[sfb]; i < offsets[sfb + 1]; i++)
-                    sce->coeffs[i] += predFreq[i];
+                    sce->coeffs[i] += (UINTFLOAT)predFreq[i];
    }
 }

@@ -129,12 +129,12 @@ static void ps_decorrelate_c(INTFLOAT (*out)[2], INTFLOAT (*delay)[2],
            INTFLOAT apd_im = in_im;
            in_re = AAC_MSUB30(link_delay_re, fractional_delay_re,
                    link_delay_im, fractional_delay_im);
-            in_re -= a_re;
+            in_re -= (UINTFLOAT)a_re;
            in_im = AAC_MADD30(link_delay_re, fractional_delay_im,
                    link_delay_im, fractional_delay_re);
-            in_im -= a_im;
-            ap_delay[m][n+5][0] = apd_re + AAC_MUL31(ag[m], in_re);
-            ap_delay[m][n+5][1] = apd_im + AAC_MUL31(ag[m], in_im);
+            in_im -= (UINTFLOAT)a_im;
+            ap_delay[m][n+5][0] = apd_re + (UINTFLOAT)AAC_MUL31(ag[m], in_re);
+            ap_delay[m][n+5][1] = apd_im + (UINTFLOAT)AAC_MUL31(ag[m], in_im);
        }
        out[n][0] = AAC_MUL16(transient_gain[n], in_re);
        out[n][1] = AAC_MUL16(transient_gain[n], in_im);
@@ -180,10 +180,10 @@ static void ps_stereo_interpolate_ipdopd_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2],
    INTFLOAT h01  = h[0][1],      h11  = h[1][1];
    INTFLOAT h02  = h[0][2],      h12  = h[1][2];
    INTFLOAT h03  = h[0][3],      h13  = h[1][3];
-    INTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0];
-    INTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1];
-    INTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2];
-    INTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3];
+    UINTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0];
+    UINTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1];
+    UINTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2];
+    UINTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3];
    int n;

    for (n = 0; n < len; n++) {
@@ -437,6 +437,7 @@ static void sbr_gain_calc(AACContext *ac, SpectralBandReplication *sbr,
                                                av_add_sf(FLOAT_1, sbr->e_curr[e][m]),
                                                av_add_sf(FLOAT_1, sbr->q_mapped[e][m]))));
                }
+                sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN);
            }
            for (m = sbr->f_tablelim[k] - sbr->kx[1]; m < sbr->f_tablelim[k + 1] - sbr->kx[1]; m++) {
                sum[0] = av_add_sf(sum[0], sbr->e_origmapped[e][m]);
@@ -570,8 +571,9 @@ static void sbr_hf_assemble(int Y1[38][64][2],
                int idx = indexsine&1;
                int A = (1-((indexsine+(kx & 1))&2));
                int B = (A^(-idx)) + idx;
-                int *out = &Y1[i][kx][idx];
-                int shift, round;
+                unsigned *out = &Y1[i][kx][idx];
+                int shift;
+                unsigned round;

                SoftFloat *in  = sbr->s_m[e];
                for (m = 0; m+1 < m_max; m+=2) {
@@ -584,12 +586,12 @@ static void sbr_hf_assemble(int Y1[38][64][2],
                    }
                    if (shift < 32) {
                        round = 1 << (shift-1);
-                        out[2*m  ] += (in[m  ].mant * A + round) >> shift;
+                        out[2*m  ] += (int)(in[m  ].mant * A + round) >> shift;
                    }

                    if (shift2 < 32) {
                        round = 1 << (shift2-1);
-                        out[2*m+2] += (in[m+1].mant * B + round) >> shift2;
+                        out[2*m+2] += (int)(in[m+1].mant * B + round) >> shift2;
                    }
                }
                if(m_max&1)
@@ -600,7 +602,7 @@ static void sbr_hf_assemble(int Y1[38][64][2],
                        return;
                    } else if (shift < 32) {
                        round = 1 << (shift-1);
-                        out[2*m  ] += (in[m  ].mant * A + round) >> shift;
+                        out[2*m  ] += (int)(in[m  ].mant * A + round) >> shift;
                    }
                }
            }
@@ -64,8 +64,8 @@ static void scale_coefs (
    int dynrng,
    int len)
 {
-    int i, shift, round;
-    unsigned mul;
+    int i, shift;
+    unsigned mul, round;
    int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7;

    mul = (dynrng & 0x1f) + 0x20;
@@ -611,7 +611,7 @@ static float voice_factor(float *p_vector, float p_gain,
                                                          AMRWB_SFR_SIZE) *
                    f_gain * f_gain;

-    return (p_ener - f_ener) / (p_ener + f_ener);
+    return (p_ener - f_ener) / (p_ener + f_ener + 0.01);
 }

 /**
@@ -862,15 +862,20 @@ static float find_hb_gain(AMRWBContext *ctx, const float *synth,
 {
    int wsp = (vad > 0);
    float tilt;
+    float tmp;

    if (ctx->fr_cur_mode == MODE_23k85)
        return qua_hb_gain[hb_idx] * (1.0f / (1 << 14));

-    tilt = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1) /
-           ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE);
+    tmp = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1);
+
+    if (tmp > 0) {
+        tilt = tmp / ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE);
+    } else
+        tilt = 0;

    /* return gain bounded by [0.1, 1.0] */
-    return av_clipf((1.0 - FFMAX(0.0, tilt)) * (1.25 - 0.25 * wsp), 0.1, 1.0);
+    return av_clipf((1.0 - tilt) * (1.25 - 0.25 * wsp), 0.1, 1.0);
 }

 /**
@@ -336,11 +336,11 @@ function ff_sbr_hf_apply_noise_0_neon, export=1
        vld1.32         {d0},     [r0,:64]
        vld1.32         {d6},     [lr,:64]
        vld1.32         {d2[]},   [r1,:32]!
-        vld1.32         {d3[]},   [r2,:32]!
+        vld1.32         {d18[]},  [r2,:32]!
        vceq.f32        d4,  d2,  #0
        veor            d2,  d2,  d3
        vmov            d1,  d0
-        vmla.f32        d0,  d6,  d3
+        vmla.f32        d0,  d6,  d18
        vadd.f32        s2,  s2,  s4
        vbif            d0,  d1,  d4
        vst1.32         {d0},     [r0,:64]!
@@ -35,6 +35,8 @@
 #include "bintext.h"
 #include "internal.h"

+#define FONT_WIDTH 8
+
 typedef struct XbinContext {
    AVFrame *frame;
    int palette[16];
@@ -91,6 +93,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
            break;
        }
    }
+    if (avctx->width < FONT_WIDTH || avctx->height < s->font_height)
+        return AVERROR_INVALIDDATA;
+

    s->frame = av_frame_alloc();
    if (!s->frame)
@@ -113,8 +118,6 @@ av_unused static void hscroll(AVCodecContext *avctx)
    }
 }

-#define FONT_WIDTH 8
-
 /**
 * Draw character to screen
 */
@@ -1067,6 +1067,11 @@ static int decode_pic(AVSContext *h)
    if (!h->loop_filter_disable && get_bits1(&h->gb)) {
        h->alpha_offset        = get_se_golomb(&h->gb);
        h->beta_offset         = get_se_golomb(&h->gb);
+        if (   h->alpha_offset < -64 || h->alpha_offset > 64
+            || h-> beta_offset < -64 || h-> beta_offset > 64) {
+            h->alpha_offset = h->beta_offset  = 0;
+            return AVERROR_INVALIDDATA;
+        }
    } else {
        h->alpha_offset = h->beta_offset  = 0;
    }
@@ -315,14 +315,11 @@ static int cinepak_decode_strip (CinepakContext *s,
    return AVERROR_INVALIDDATA;
 }

-static int cinepak_decode (CinepakContext *s)
+static int cinepak_predecode_check (CinepakContext *s)
 {
-    const uint8_t  *eod = (s->data + s->size);
-    int           i, result, strip_size, frame_flags, num_strips;
-    int           y0 = 0;
+    int           num_strips;
    int           encoded_buf_size;

-    frame_flags = s->data[0];
    num_strips  = AV_RB16 (&s->data[8]);
    encoded_buf_size = AV_RB24(&s->data[1]);

@@ -353,6 +350,21 @@ static int cinepak_decode (CinepakContext *s)
            s->sega_film_skip_bytes = 0;
    }

+    if (s->size < 10 + s->sega_film_skip_bytes + num_strips * 12)
+        return AVERROR_INVALIDDATA;
+
+    return 0;
+}
+
+static int cinepak_decode (CinepakContext *s)
+{
+    const uint8_t  *eod = (s->data + s->size);
+    int           i, result, strip_size, frame_flags, num_strips;
+    int           y0 = 0;
+
+    frame_flags = s->data[0];
+    num_strips  = AV_RB16 (&s->data[8]);
+
    s->data += 10 + s->sega_film_skip_bytes;

    num_strips = FFMIN(num_strips, MAX_STRIPS);
@@ -432,6 +444,7 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
    const uint8_t *buf = avpkt->data;
    int ret = 0, buf_size = avpkt->size;
    CinepakContext *s = avctx->priv_data;
+    int num_strips;

    s->data = buf;
    s->size = buf_size;
@@ -439,6 +452,17 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
    if (s->size < 10)
        return AVERROR_INVALIDDATA;

+    num_strips = AV_RB16 (&s->data[8]);
+
+    //Empty frame, do not waste time
+    if (!num_strips && (!s->palette_video || !av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL)))
+        return buf_size;
+
+    if ((ret = cinepak_predecode_check(s)) < 0) {
+        av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n");
+        return ret;
+    }
+
    if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
        return ret;

@@ -147,7 +147,7 @@ static int cng_decode_frame(AVCodecContext *avctx, void *data,
        return ret;
    buf_out = (int16_t *)frame->data[0];
    for (i = 0; i < avctx->frame_size; i++)
-        buf_out[i] = p->filter_out[i + p->order];
+        buf_out[i] = av_clip_int16(p->filter_out[i + p->order]);
    memcpy(p->filter_out, p->filter_out + avctx->frame_size,
           p->order * sizeof(*p->filter_out));

@@ -81,15 +81,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    switch ((buf[0] >> 1) & 7) {
        case 0: { // lzo compression
            int outlen = c->decomp_size, inlen = buf_size - 2;
-            if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen))
+            if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) {
                av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
+                return AVERROR_INVALIDDATA;
+            }
            break;
        }
        case 1: { // zlib compression
 #if CONFIG_ZLIB
            unsigned long dlen = c->decomp_size;
-            if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK)
+            if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) {
                av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n");
+                return AVERROR_INVALIDDATA;
+            }
            break;
 #else
            av_log(avctx, AV_LOG_ERROR, "compiled without zlib support\n");
@@ -41,7 +41,7 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx)

    avctx->pix_fmt = AV_PIX_FMT_PAL8;

-    if (!avctx->width || !avctx->height)
+    if (!avctx->width || !avctx->height || FFMAX(avctx->width, avctx->height) >= (1<<16))
        return AVERROR_INVALIDDATA;

    av_assert0(av_image_check_size(avctx->width, avctx->height, 0, avctx) >= 0);
@@ -93,40 +93,40 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);

 // shared stuff for simd optimizations
 #define COMPOSE_53iL0(b0, b1, b2)\
-    (b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2))
+    (b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2))

 #define COMPOSE_DIRAC53iH0(b0, b1, b2)\
-    (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1))
+    (b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1))

 #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
-    (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))
+    (int)(((unsigned)(b2) + ((int)(9U*b1 + 9U*b3 - b4 - b0 +  8) >> 4)))

 #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\
-    (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5))
+    (int)(((unsigned)(b2) - ((int)(9U*b1 + 9U*b3 - b4 - b0 + 16) >> 5)))

 #define COMPOSE_HAARiL0(b0, b1)\
-    (b0 - ((b1 + 1) >> 1))
+    ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1)))

 #define COMPOSE_HAARiH0(b0, b1)\
-    (b0 + b1)
+    ((int)(b0 + (unsigned)(b1)))

 #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
-    (b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8))
+    ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8))

 #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
-    (b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) +  81*(b3+(unsigned)b5) + 128) >> 8))
+    ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) +  81*(b3+(unsigned)b5) + 128) >> 8))

 #define COMPOSE_DAUB97iL1(b0, b1, b2)\
-    (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
+    ((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))

 #define COMPOSE_DAUB97iH1(b0, b1, b2)\
-    (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))
+    ((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))

 #define COMPOSE_DAUB97iL0(b0, b1, b2)\
-    (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))
+    ((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))

 #define COMPOSE_DAUB97iH0(b0, b1, b2)\
-    (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))
+    ((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))


 #endif /* AVCODEC_DWT_H */
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_
    TYPE *b1 = (TYPE *)_b1;
    TYPE *b2 = (TYPE *)_b2;
    for (i = 0; i < width; i++)
-        b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2;
+        b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2);
 }

 static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2,
@@ -57,8 +57,8 @@ static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src
 {
    int i;
    for (i = 0; i < w2; i++) {
-        dst[2*i  ] = (src0[i] + add) >> shift;
-        dst[2*i+1] = (src1[i] + add) >> shift;
+        dst[2*i  ] = (src0[i] + (unsigned)add) >> shift;
+        dst[2*i+1] = (src1[i] + (unsigned)add) >> shift;
    }
 }

@@ -95,8 +95,8 @@ static void RENAME(horizontal_compose_dd97i)(uint8_t *_b, uint8_t *_tmp, int w)
    tmp[w2+1] = tmp[w2] = tmp[w2-1];

    for (x = 0; x < w2; x++) {
-        b[2*x  ] = (tmp[x] + 1)>>1;
-        b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1;
+        b[2*x  ] = ((int)(tmp[x] + 1U))>>1;
+        b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1;
    }
 }

@@ -118,8 +118,8 @@ static void RENAME(horizontal_compose_dd137i)(uint8_t *_b, uint8_t *_tmp, int w)
    tmp[w2+1] = tmp[w2] = tmp[w2-1];

    for (x = 0; x < w2; x++) {
-        b[2*x  ] = (tmp[x] + 1)>>1;
-        b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1;
+        b[2*x  ] = ((int)(tmp[x] + 1U))>>1;
+        b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1;
    }
 }

@@ -502,16 +502,16 @@ static inline void codeblock(DiracContext *s, SubBand *b,
    }

    if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) {
-        int quant = b->quant;
+        int quant;
        if (is_arith)
-            quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
+            quant = dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
        else
-            quant += dirac_get_se_golomb(gb);
-        if (quant < 0) {
+            quant = dirac_get_se_golomb(gb);
+        if (quant > INT_MAX - b->quant || b->quant + quant < 0) {
            av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n");
            return;
        }
-        b->quant = quant;
+        b->quant += quant;
    }

    if (b->quant > (DIRAC_MAX_QUANT_INDEX - 1)) {
@@ -1393,8 +1393,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
    int *c      = s->globalmc[ref].perspective;

    int m       = (1<<ep) - (c[0]*x + c[1]*y);
-    int mx      = m * ((A[0][0] * x + A[0][1]*y) + (1<<ez) * b[0]);
-    int my      = m * ((A[1][0] * x + A[1][1]*y) + (1<<ez) * b[1]);
+    int64_t mx  = m * (int64_t)((A[0][0] * x + A[0][1]*y) + (1<<ez) * b[0]);
+    int64_t my  = m * (int64_t)((A[1][0] * x + A[1][1]*y) + (1<<ez) * b[1]);

    block->u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
    block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
@@ -1431,8 +1431,8 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock
                global_mv(s, block, x, y, i);
            } else {
                pred_mv(block, stride, x, y, i);
-                block->u.mv[i][0] += dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
-                block->u.mv[i][1] += dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
+                block->u.mv[i][0] += (unsigned)dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
+                block->u.mv[i][1] += (unsigned)dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
            }
        }
 }
@@ -159,10 +159,10 @@ static void put_signed_rect_clamped_ ## PX ## bit_c(uint8_t *_dst, int dst_strid
    int32_t *src = (int32_t *)_src;                                                                     \
    for (y = 0; y < height; y++) {                                                                      \
        for (x = 0; x < width; x+=4) {                                                                  \
-            dst[x  ] = av_clip_uintp2(src[x  ] + (1 << (PX - 1)), PX);                                  \
-            dst[x+1] = av_clip_uintp2(src[x+1] + (1 << (PX - 1)), PX);                                  \
-            dst[x+2] = av_clip_uintp2(src[x+2] + (1 << (PX - 1)), PX);                                  \
-            dst[x+3] = av_clip_uintp2(src[x+3] + (1 << (PX - 1)), PX);                                  \
+            dst[x  ] = av_clip_uintp2(src[x  ] + (1U << (PX - 1)), PX);                                  \
+            dst[x+1] = av_clip_uintp2(src[x+1] + (1U << (PX - 1)), PX);                                  \
+            dst[x+2] = av_clip_uintp2(src[x+2] + (1U << (PX - 1)), PX);                                  \
+            dst[x+3] = av_clip_uintp2(src[x+3] + (1U << (PX - 1)), PX);                                  \
        }                                                                                               \
        dst += dst_stride >> 1;                                                                         \
        src += src_stride >> 2;                                                                         \
@@ -372,6 +372,10 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx,

    UPDATE_CACHE(bs, &row->gb);
    GET_VLC(len, bs, &row->gb, ctx->dc_vlc.table, DNXHD_DC_VLC_BITS, 1);
+    if (len < 0) {
+        ret = len;
+        goto error;
+    }
    if (len) {
        level = GET_CACHE(bs, &row->gb);
        LAST_SKIP_BITS(bs, &row->gb, len);
@@ -425,7 +429,7 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx,
        GET_VLC(index1, bs, &row->gb, ctx->ac_vlc.table,
                DNXHD_VLC_BITS, 2);
    }
-
+error:
    CLOSE_READER(bs, &row->gb);
    return ret;
 }
@@ -158,6 +158,9 @@ static int cin_decode_lzss(const unsigned char *src, int src_size,
        }
    }

+    if (dst_end - dst > dst_size - dst_size/10)
+        return AVERROR_INVALIDDATA;
+
    return 0;
 }

@@ -184,6 +187,10 @@ static int cin_decode_rle(const unsigned char *src, int src_size,
        }
        dst += len;
    }
+
+    if (dst_end - dst > dst_size - dst_size/10)
+        return AVERROR_INVALIDDATA;
+
    return 0;
 }

@@ -226,27 +233,35 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
     * surface.width = surface.pitch */
    switch (bitmap_frame_type) {
    case 9:
-        cin_decode_rle(buf, bitmap_frame_size,
+        res =  cin_decode_rle(buf, bitmap_frame_size,
                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        if (res < 0)
+            return res;
        break;
    case 34:
-        cin_decode_rle(buf, bitmap_frame_size,
+        res =  cin_decode_rle(buf, bitmap_frame_size,
                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        if (res < 0)
+            return res;
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 35:
        bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
                           cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
-        cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
+        res =  cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        if (res < 0)
+            return res;
        break;
    case 36:
        bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
                                               cin->bitmap_table[CIN_INT_BMP],
                                               cin->bitmap_size);
-        cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
+        res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        if (res < 0)
+            return res;
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
@@ -305,11 +305,7 @@ static int dxtory_decode_v2(AVCodecContext *avctx, AVFrame *pic,
    }

    if (avctx->height - line) {
-        av_log(avctx, AV_LOG_VERBOSE,
-               "Not enough slice data available, "
-               "cropping the frame by %d pixels\n",
-                avctx->height - line);
-        avctx->height = line;
+        avpriv_request_sample(avctx, "Not enough slice data available");
    }

    return 0;
@@ -326,7 +322,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame *frame,
    int stride   = frame->linesize[0];
    uint8_t *dst = frame->data[0] + stride * line;

-    for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+    for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
        for (x = 0; x < width; x++) {
            b = decode_sym_565(gb, lru[0], 5);
            g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5);
@@ -392,7 +388,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame *frame,
    int stride   = frame->linesize[0];
    uint8_t *dst = frame->data[0] + stride * line;

-    for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+    for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
        for (x = 0; x < width; x++) {
            dst[x * 3 + 0] = decode_sym(gb, lru[0]);
            dst[x * 3 + 1] = decode_sym(gb, lru[1]);
@@ -437,7 +433,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame,
    uint8_t *U  = frame->data[1] + (ustride >> 2) * line;
    uint8_t *V  = frame->data[2] + (vstride >> 2) * line;

-    for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) {
+    for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) {
        for (x = 0; x < width; x += 4) {
            for (j = 0; j < 4; j++)
                for (i = 0; i < 4; i++)
@@ -481,7 +477,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame,
    uint8_t *V  = frame->data[2] + (vstride >> 1) * line;


-    for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) {
+    for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) {
        for (x = 0; x < width; x += 2) {
            Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]);
            Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]);
@@ -524,7 +520,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame *frame,
    uint8_t *U  = frame->data[1] + ustride * line;
    uint8_t *V  = frame->data[2] + vstride * line;

-    for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+    for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
        for (x = 0; x < width; x++) {
            Y[x] = decode_sym(gb, lru[0]);
            U[x] = decode_sym(gb, lru[1]) ^ 0x80;
@@ -271,7 +271,7 @@ void ff_els_decoder_init(ElsDecCtx *ctx, const uint8_t *in, size_t data_size)

 void ff_els_decoder_uninit(ElsUnsignedRung *rung)
 {
-    av_free(rung->rem_rung_list);
+    av_freep(&rung->rem_rung_list);
 }

 static int els_import_byte(ElsDecCtx *ctx)
@@ -391,12 +391,10 @@ unsigned ff_els_decode_unsigned(ElsDecCtx *ctx, ElsUnsignedRung *ur)
                if (ur->rung_list_size <= (ur->avail_index + 2) * sizeof(ElsRungNode)) {
                    // remember rung_node position
                    ptrdiff_t pos     = rung_node - ur->rem_rung_list;
-                    ur->rem_rung_list = av_realloc(ur->rem_rung_list,
+                    ctx->err = av_reallocp(&ur->rem_rung_list,
                                                   ur->rung_list_size +
                                                   RUNG_SPACE);
-                    if (!ur->rem_rung_list) {
-                        av_free(ur->rem_rung_list);
-                        ctx->err = AVERROR(ENOMEM);
+                    if (ctx->err < 0) {
                        return 0;
                    }
                    memset((uint8_t *) ur->rem_rung_list + ur->rung_list_size, 0,
@@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, int stride)
            dc = -prev_dc +
                 data[x     + y * stride] * 8 -
                 data[x + 1 + y * stride];
-            dc = (dc * 10923 + 32768) >> 16;
+            dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
            prev_dc = data[x + y * stride];
            data[x + y * stride] = dc;
        }
@@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, int stride)
            dc = -prev_dc +
                 data[x +  y      * stride] * 8 -
                 data[x + (y + 1) * stride];
-            dc = (dc * 10923 + 32768) >> 16;
+            dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
            prev_dc = data[x + y * stride];
            data[x + y * stride] = dc;
        }
@@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx,

    // This call also guards the potential depth reads for the
    // codebook unpacking.
-    if (get_bits_left(&gb) < 64)
+    // Check if the amount we will read minimally is available on input.
+    // The 64 represent the immediately next 2 frame_* elements read, the 23/4320
+    // represent a lower bound of the space needed for skipped superblocks. Non
+    // skipped SBs need more space.
+    if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
        return -1;

    frame_flags = get_bits_long(&gb, 32);
@@ -572,7 +572,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
    while (lc > 0) {
        const HufDec pl = hdecod[(c << (HUF_DECBITS - lc)) & HUF_DECMASK];

-        if (pl.len) {
+        if (pl.len && lc >= pl.len) {
            lc -= pl.len;
            get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
        } else {
@@ -864,7 +864,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src,
                in     = ptr[2] + td->xsize;

                for (j = 0; j < td->xsize; ++j) {
-                    uint32_t diff = (*(ptr[0]++) << 24) |
+                    uint32_t diff = ((unsigned)*(ptr[0]++) << 24) |
                                    (*(ptr[1]++) << 16) |
                                    (*(ptr[2]++) << 8);
                    pixel += diff;
@@ -892,7 +892,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src,

 static void unpack_14(const uint8_t b[14], uint16_t s[16])
 {
-    unsigned short shift = (b[ 2] >> 2);
+    unsigned short shift = (b[ 2] >> 2) & 15;
    unsigned short bias = (0x20 << shift);
    int i;

@@ -1044,7 +1044,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
    line_offset = AV_RL64(s->gb.buffer + jobnr * 8);

    if (s->is_tile) {
-        if (line_offset > buf_size - 20)
+        if (buf_size < 20 || line_offset > buf_size - 20)
            return AVERROR_INVALIDDATA;

        src  = buf + line_offset + 20;
@@ -1055,7 +1055,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        tileLevelY = AV_RL32(src - 8);

        data_size = AV_RL32(src - 4);
-        if (data_size <= 0 || data_size > buf_size)
+        if (data_size <= 0 || data_size > buf_size - line_offset - 20)
            return AVERROR_INVALIDDATA;

        if (tileLevelX || tileLevelY) { /* tile level, is not the full res level */
@@ -1088,7 +1088,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
        uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */
    } else {
-        if (line_offset > buf_size - 8)
+        if (buf_size < 8 || line_offset > buf_size - 8)
            return AVERROR_INVALIDDATA;

        src  = buf + line_offset + 8;
@@ -1098,7 +1098,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
            return AVERROR_INVALIDDATA;

        data_size = AV_RL32(src - 4);
-        if (data_size <= 0 || data_size > buf_size)
+        if (data_size <= 0 || data_size > buf_size - line_offset - 8)
            return AVERROR_INVALIDDATA;

        td->ysize          = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */
@@ -546,6 +546,10 @@ static av_cold int encode_init(AVCodecContext *avctx)
        s->ec = (s->version >= 3);
    }

+    // CRC requires version 3+
+    if (s->ec)
+        s->version = FFMAX(s->version, 3);
+
    if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) {
        av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n");
        return AVERROR_INVALIDDATA;
@@ -81,6 +81,7 @@ static const uint8_t fic_qmat_lq[64] = {
 static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' };

 #define FIC_HEADER_SIZE 27
+#define CURSOR_OFFSET 59

 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd)
 {
@@ -334,6 +335,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
        skip_cursor = 1;
    }

+    if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) {
+        skip_cursor = 1;
+    }
+
    /* Slice height for all but the last slice. */
    ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices;
    if (ctx->slice_h % 16)
@@ -413,7 +418,7 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,

    /* Draw cursor. */
    if (!skip_cursor) {
-        memcpy(ctx->cursor_buf, src + 59, 32 * 32 * 4);
+        memcpy(ctx->cursor_buf, src + CURSOR_OFFSET, sizeof(ctx->cursor_buf));
        fic_draw_cursor(avctx, cur_x, cur_y);
    }

@@ -686,12 +686,17 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx,
    }

    for (curr = fpc->headers; curr; curr = curr->next) {
-        if (curr->max_score > 0 &&
-            (!fpc->best_header || curr->max_score > fpc->best_header->max_score)) {
+        if (!fpc->best_header || curr->max_score > fpc->best_header->max_score) {
            fpc->best_header = curr;
        }
    }

+    if (fpc->best_header && fpc->best_header->max_score <= 0) {
+        // Only accept a bad header if there is no other option to continue
+        if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < FLAC_MIN_HEADERS)
+            fpc->best_header = NULL;
+    }
+
    if (fpc->best_header) {
        fpc->best_header_valid = 1;
        if (fpc->best_header->offset > 0) {
@@ -287,7 +287,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded,
    if (pred_order > 2)
        c = b - decoded[pred_order-2] + decoded[pred_order-3];
    if (pred_order > 3)
-        d = c - decoded[pred_order-2] + 2*decoded[pred_order-3] - decoded[pred_order-4];
+        d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4];

    switch (pred_order) {
    case 0:
@@ -445,7 +445,7 @@ static inline int decode_subframe(FLACContext *s, int channel)
        return AVERROR_INVALIDDATA;
    }

-    if (wasted) {
+    if (wasted && wasted < 32) {
        int i;
        for (i = 0; i < s->blocksize; i++)
            decoded[i] = (unsigned)decoded[i] << wasted;
@@ -555,8 +555,8 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y,
        B     = ((pred >> B_shift) & 0xFF) - TOSIGNED(delta);
    }

-    if (R<0 || G<0 || B<0) {
-        av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B);
+    if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) {
+        avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", R, G, B);
        return 0;
    }

@@ -926,6 +926,7 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y,
        if (c->ec.els_ctx.err != 0) {
            av_log(avctx, AV_LOG_ERROR,
                   "ePIC: couldn't decode transparency pixel!\n");
+            ff_els_decoder_uninit(&c->ec.unsigned_rung);
            return AVERROR_INVALIDDATA;
        }

@@ -1354,14 +1355,16 @@ static void g2m_paint_cursor(G2MContext *c, uint8_t *dst, int stride)
    } else {
        dst    +=  x * 3;
    }
-    if (y < 0) {
+
+    if (y < 0)
        h      +=  y;
+    if (w < 0 || h < 0)
+        return;
+    if (y < 0) {
        cursor += -y * c->cursor_stride;
    } else {
        dst    +=  y * stride;
    }
-    if (w < 0 || h < 0)
-        return;

    for (j = 0; j < h; j++) {
        for (i = 0; i < w; i++) {
@@ -549,7 +549,7 @@ static void gain_scale(G723_1_Context *p, int16_t * buf, int energy)
        denom <<= bits2;

        bits2 = 5 + bits1 - bits2;
-        bits2 = FFMAX(0, bits2);
+        bits2 = av_clip_uintp2(bits2, 5);

        gain = (num >> 1) / (denom >> 16);
        gain = square_root(gain << 16 >> bits2);
@@ -32,6 +32,7 @@
 #include "libavutil/intreadwrite.h"
 #include "libavutil/log.h"
 #include "libavutil/avassert.h"
+#include "avcodec.h"
 #include "mathops.h"
 #include "vlc.h"

@@ -413,7 +414,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
    int buffer_size;
    int ret = 0;

-    if (bit_size >= INT_MAX - 7 || bit_size < 0 || !buffer) {
+    if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || bit_size < 0 || !buffer) {
        bit_size    = 0;
        buffer      = NULL;
        ret         = AVERROR_INVALIDDATA;
@@ -535,6 +536,7 @@ static inline const uint8_t *align_get_bits(GetBitContext *s)
 * @param max_depth is the number of times bits bits must be read to completely
 *                  read the longest vlc code
 *                  = (max_vlc_length + bits - 1) / bits
+ * @returns the code parsed or -1 if no vlc matches
 */
 static av_always_inline int get_vlc2(GetBitContext *s, VLC_TYPE (*table)[2],
                                     int bits, int max_depth)
@@ -637,7 +637,7 @@ retry:
    slice_ret = decode_slice(s);
    while (s->mb_y < s->mb_height) {
        if (s->msmpeg4_version) {
-            if (s->slice_height == 0 || s->mb_x != 0 ||
+            if (s->slice_height == 0 || s->mb_x != 0 || slice_ret < 0 ||
                (s->mb_y % s->slice_height) != 0 || get_bits_left(&s->gb) < 0)
                break;
        } else {
@@ -1735,7 +1735,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl,
 \
            if( coeff_abs >= 15 ) { \
                int j = 0; \
-                while (get_cabac_bypass(CC) && j < 30) { \
+                while (get_cabac_bypass(CC) && j < 16+7) { \
                    j++; \
                } \
 \
@@ -1111,6 +1111,7 @@ decode_intra_mb:
            else                sl->qscale -= max_qp+1;
            if (((unsigned)sl->qscale) > max_qp){
                av_log(h->avctx, AV_LOG_ERROR, "dquant out of range (%d) at %d %d\n", dquant, sl->mb_x, sl->mb_y);
+                sl->qscale = max_qp;
                return -1;
            }
        }
@@ -78,7 +78,8 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl,

    if (HAVE_THREADS && (h->avctx->active_thread_type & FF_THREAD_FRAME))
        await_references(h, sl);
-    prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC);
+    if (USES_LIST(mb_type, 0))
+        prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC);

    if (IS_16X16(mb_type)) {
        mc_part(h, sl, 0, 1, 16, 0, dest_y, dest_cb, dest_cr, 0, 0,
@@ -82,8 +82,11 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
                        pwt->chroma_weight[i][list][j][0] = get_se_golomb(gb);
                        pwt->chroma_weight[i][list][j][1] = get_se_golomb(gb);
                        if ((int8_t)pwt->chroma_weight[i][list][j][0] != pwt->chroma_weight[i][list][j][0] ||
-                            (int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1])
+                            (int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1]) {
+                            pwt->chroma_weight[i][list][j][0] = chroma_def;
+                            pwt->chroma_weight[i][list][j][1] = 0;
                            goto out_range_weight;
+                        }
                        if (pwt->chroma_weight[i][list][j][0] != chroma_def ||
                            pwt->chroma_weight[i][list][j][1] != 0) {
                            pwt->use_weight_chroma        = 1;
@@ -121,20 +121,23 @@ static int h264_find_frame_end(H264ParseContext *p, const uint8_t *buf,
            }
            state = 7;
        } else {
+            unsigned int mb, last_mb = p->parse_last_mb;
+            GetBitContext gb;
            p->parse_history[p->parse_history_count++] = buf[i];
-            if (p->parse_history_count > 5) {
-                unsigned int mb, last_mb = p->parse_last_mb;
-                GetBitContext gb;

-                init_get_bits(&gb, p->parse_history, 8*p->parse_history_count);
-                p->parse_history_count = 0;
-                mb= get_ue_golomb_long(&gb);
+            init_get_bits(&gb, p->parse_history, 8*p->parse_history_count);
+            mb= get_ue_golomb_long(&gb);
+            if (get_bits_left(&gb) > 0 || p->parse_history_count > 5) {
                p->parse_last_mb = mb;
                if (pc->frame_start_found) {
-                    if (mb <= last_mb)
+                    if (mb <= last_mb) {
+                        i -= p->parse_history_count - 1;
+                        p->parse_history_count = 0;
                        goto found;
+                    }
                } else
                    pc->frame_start_found = 1;
+                p->parse_history_count = 0;
                state = 7;
            }
        }
@@ -149,7 +152,7 @@ found:
    pc->frame_start_found = 0;
    if (p->is_avc)
        return next_avc;
-    return i - (state & 5) - 5 * (state > 7);
+    return i - (state & 5);
 }

 static int scan_mmco_reset(AVCodecParserContext *s, GetBitContext *gb,
@@ -35,7 +35,6 @@
 #include "h264_ps.h"
 #include "golomb.h"

-#define MAX_LOG2_MAX_FRAME_NUM    (12 + 4)
 #define MIN_LOG2_MAX_FRAME_NUM    4

 #define EXTENDED_SAR       255
@@ -36,6 +36,7 @@

 #define MAX_SPS_COUNT          32
 #define MAX_PPS_COUNT         256
+#define MAX_LOG2_MAX_FRAME_NUM    (12 + 4)

 /**
 * Sequence parameter set
@@ -1462,6 +1462,12 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl,
                 * one except for reference purposes. */
                h->first_field = 1;
                h->cur_pic_ptr = NULL;
+            } else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF) {
+                /* This frame was already output, we cannot draw into it
+                 * anymore.
+                 */
+                h->first_field = 1;
+                h->cur_pic_ptr = NULL;
            } else {
                /* Second field in complementary pair */
                h->first_field = 0;
@@ -35,10 +35,10 @@ static void FUNCC(ff_h264_add_pixels4)(uint8_t *_dst, int16_t *_src, int stride)
    stride /= sizeof(pixel);

    for (i = 0; i < 4; i++) {
-        dst[0] += src[0];
-        dst[1] += src[1];
-        dst[2] += src[2];
-        dst[3] += src[3];
+        dst[0] += (unsigned)src[0];
+        dst[1] += (unsigned)src[1];
+        dst[2] += (unsigned)src[2];
+        dst[3] += (unsigned)src[3];

        dst += stride;
        src += 4;
@@ -55,14 +55,14 @@ static void FUNCC(ff_h264_add_pixels8)(uint8_t *_dst, int16_t *_src, int stride)
    stride /= sizeof(pixel);

    for (i = 0; i < 8; i++) {
-        dst[0] += src[0];
-        dst[1] += src[1];
-        dst[2] += src[2];
-        dst[3] += src[3];
-        dst[4] += src[4];
-        dst[5] += src[5];
-        dst[6] += src[6];
-        dst[7] += src[7];
+        dst[0] += (unsigned)src[0];
+        dst[1] += (unsigned)src[1];
+        dst[2] += (unsigned)src[2];
+        dst[3] += (unsigned)src[3];
+        dst[4] += (unsigned)src[4];
+        dst[5] += (unsigned)src[5];
+        dst[6] += (unsigned)src[6];
+        dst[7] += (unsigned)src[7];

        dst += stride;
        src += 8;
@@ -422,6 +422,7 @@ typedef struct H264Context {
    uint8_t (*mvd_table[2])[2];
    uint8_t *direct_table;

+    uint8_t scan_padding[16];
    uint8_t zigzag_scan[16];
    uint8_t zigzag_scan8x8[64];
    uint8_t zigzag_scan8x8_cavlc[64];
@@ -91,10 +91,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){
        const int a5 = -block[i+1*8] + block[i+7*8] + block[i+5*8] + (block[i+5*8]>>1);
        const int a7 =  block[i+3*8] + block[i+5*8] + block[i+1*8] + (block[i+1*8]>>1);

-        const int b1 = (a7>>2) + a1;
-        const int b3 =  a3 + (a5>>2);
-        const int b5 = (a3>>2) - a5;
-        const int b7 =  a7 - (a1>>2);
+        const int b1 = (a7>>2) + (unsigned)a1;
+        const int b3 =  (unsigned)a3 + (a5>>2);
+        const int b5 = (a3>>2) - (unsigned)a5;
+        const int b7 =  (unsigned)a7 - (a1>>2);

        block[i+0*8] = b0 + b7;
        block[i+7*8] = b0 - b7;
@@ -411,6 +411,7 @@ typedef struct HEVCSPS {
    HEVCWindow pic_conf_win;

    int bit_depth;
+    int bit_depth_chroma;
    int pixel_shift;
    enum AVPixelFormat pix_fmt;

@@ -633,8 +633,10 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s)
            suffix_val += 1 << k;
            k++;
        }
-        if (k == CABAC_MAX_BIN)
+        if (k == CABAC_MAX_BIN) {
            av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k);
+            return AVERROR_INVALIDDATA;
+        }

        while (k--)
            suffix_val += get_cabac_bypass(&s->HEVClc->cc) << k;
@@ -975,16 +977,19 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int

    while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc))
        prefix++;
-    if (prefix == CABAC_MAX_BIN) {
-        av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
-        return 0;
-    }
+
    if (prefix < 3) {
        for (i = 0; i < rc_rice_param; i++)
            suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc);
        last_coeff_abs_level_remaining = (prefix << rc_rice_param) + suffix;
    } else {
        int prefix_minus3 = prefix - 3;
+
+        if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) {
+            av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
+            return 0;
+        }
+
        for (i = 0; i < prefix_minus3 + rc_rice_param; i++)
            suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc);
        last_coeff_abs_level_remaining = (((1 << prefix_minus3) + 3 - 1)
@@ -933,6 +933,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
               sps->bit_depth, bit_depth_chroma);
        return AVERROR_INVALIDDATA;
    }
+    sps->bit_depth_chroma = bit_depth_chroma;

    ret = map_pixel_format(avctx, sps);
    if (ret < 0)
@@ -1308,6 +1309,11 @@ static int pps_range_extensions(GetBitContext *gb, AVCodecContext *avctx,
    pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb);
    pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb);

+    if (   pps->log2_sao_offset_scale_luma   > FFMAX(sps->bit_depth        - 10, 0)
+        || pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 10, 0)
+    )
+        return AVERROR_INVALIDDATA;
+
    return(0);
 }

@@ -344,11 +344,15 @@ static int decode_nal_sei_message(HEVCContext *s)
    av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n");

    while (byte == 0xFF) {
+        if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255)
+            return AVERROR_INVALIDDATA;
        byte          = get_bits(gb, 8);
        payload_type += byte;
    }
    byte = 0xFF;
    while (byte == 0xFF) {
+        if (get_bits_left(gb) < 8 + 8LL*payload_size)
+            return AVERROR_INVALIDDATA;
        byte          = get_bits(gb, 8);
        payload_size += byte;
    }
@@ -125,7 +125,7 @@ static void FUNC(transform_skip)(int16_t *_coeffs, int16_t log2_size)
    } else {
        for (y = 0; y < size; y++) {
            for (x = 0; x < size; x++) {
-                *coeffs = *coeffs << -shift;
+                *coeffs = *(uint16_t*)coeffs << -shift;
                coeffs++;
            }
        }
@@ -921,7 +921,7 @@ static void FUNC(put_hevc_qpel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint
    for (y = 0; y < height; y++) {
        for (x = 0; x < width; x++)
            dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 +
-                                    ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
+                                    ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
        src  += srcstride;
        dst  += dststride;
        src2 += MAX_PB_SIZE;
@@ -976,7 +976,7 @@ static void FUNC(put_hevc_qpel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint
    for (y = 0; y < height; y++) {
        for (x = 0; x < width; x++)
            dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 +
-                                    ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
+                                    ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
        src  += srcstride;
        dst  += dststride;
        src2 += MAX_PB_SIZE;
@@ -1057,7 +1057,7 @@ static void FUNC(put_hevc_qpel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin
    for (y = 0; y < height; y++) {
        for (x = 0; x < width; x++)
            dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 +
-                                    ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
+                                    ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
        tmp  += MAX_PB_SIZE;
        dst  += dststride;
        src2 += MAX_PB_SIZE;
@@ -1361,7 +1361,7 @@ static void FUNC(put_hevc_epel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint
    for (y = 0; y < height; y++) {
        for (x = 0; x < width; x++)
            dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 +
-                                    ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
+                                    ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
        src  += srcstride;
        dst  += dststride;
        src2 += MAX_PB_SIZE;
@@ -1413,7 +1413,7 @@ static void FUNC(put_hevc_epel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint
    for (y = 0; y < height; y++) {
        for (x = 0; x < width; x++)
            dst[x] = av_clip_pixel(((EPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 +
-                                    ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
+                                    ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
        src  += srcstride;
        dst  += dststride;
        src2 += MAX_PB_SIZE;
@@ -915,6 +915,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    AVFrame *const p = data;
    int table_size = 0, ret;

+    if (buf_size < (width * height + 7)/8)
+        return AVERROR_INVALIDDATA;
+
    av_fast_padded_malloc(&s->bitstream_buffer,
                   &s->bitstream_buffer_size,
                   buf_size);
@@ -69,10 +69,14 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *p
    int i;

    enum AVPixelFormat best = AV_PIX_FMT_NONE;
+    int loss;

-    for(i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++)
-        best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, loss_ptr);
+    for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) {
+        loss = *loss_ptr;
+        best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, &loss);
+    }

+    *loss_ptr = loss;
    return best;
 }

@@ -260,12 +260,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
 *  @param[in]     avctx     pointer to the AVCodecContext
 *  @return        result code: 0 = OK, negative number = error
 */
-static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
+static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band,
                           AVCodecContext *avctx)
 {
    int plane, band_num, indx, transform_id, scan_indx;
    int i;
    int quant_mat;
+    IVIBandDesc temp_band, *band = &temp_band;
+    memcpy(&temp_band, arg_band, sizeof(temp_band));

    plane    = get_bits(&ctx->gb, 2);
    band_num = get_bits(&ctx->gb, 4);
@@ -395,10 +397,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,

        /* decode block huffman codebook */
        if (!get_bits1(&ctx->gb))
-            band->blk_vlc.tab = ctx->blk_vlc.tab;
+            arg_band->blk_vlc.tab = ctx->blk_vlc.tab;
        else
            if (ff_ivi_dec_huff_desc(&ctx->gb, 1, IVI_BLK_HUFF,
-                                     &band->blk_vlc, avctx))
+                                     &arg_band->blk_vlc, avctx))
                return AVERROR_INVALIDDATA;

        /* select appropriate rvmap table for this band */
@@ -439,6 +441,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
        return AVERROR_INVALIDDATA;
    }

+    band->blk_vlc = arg_band->blk_vlc;
+    memcpy(arg_band, band, sizeof(*arg_band));
+
    return 0;
 }

@@ -487,6 +492,11 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band,
            mb->b_mv_x   =
            mb->b_mv_y   = 0;

+            if (get_bits_left(&ctx->gb) < 1) {
+                av_log(avctx, AV_LOG_ERROR, "Insufficient input for mb info\n");
+                return AVERROR_INVALIDDATA;
+            }
+
            if (get_bits1(&ctx->gb)) {
                if (ctx->frame_type == IVI4_FRAMETYPE_INTRA) {
                    av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA picture!\n");
@@ -324,6 +324,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
    ctx->frame_type      = get_bits(&ctx->gb, 3);
    if (ctx->frame_type >= 5) {
        av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", ctx->frame_type);
+        ctx->frame_type = FRAMETYPE_INTRA;
        return AVERROR_INVALIDDATA;
    }

@@ -688,7 +688,8 @@ static void encode_cblk(Jpeg2000EncoderContext *s, Jpeg2000T1Context *t1, Jpeg20
    cblk->npasses = passno;
    cblk->ninclpasses = passno;

-    cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len);
+    if (passno)
+        cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len);
 }

 /* tier-2 routines: */
@@ -340,7 +340,10 @@ static int get_siz(Jpeg2000DecoderContext *s)
    s->numXtiles = ff_jpeg2000_ceildiv(s->width  - s->tile_offset_x, s->tile_width);
    s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, s->tile_height);

-    if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) {
+    // There must be at least a SOT and SOD per tile, their minimum size is 14
+    if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile) ||
+        s->numXtiles * s->numYtiles * 14LL > bytestream2_size(&s->g)
+    ) {
        s->numXtiles = s->numYtiles = 0;
        return AVERROR(EINVAL);
    }
@@ -1125,6 +1128,9 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
            step_x = 32;
            step_y = 32;

+            if (RSpoc > FFMIN(codsty->nreslevels, REpoc))
+                continue;
+
            for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) {
                uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; //  ==> N_L - r
                Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno;
@@ -1144,10 +1150,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
                        int xc = x / s->cdx[compno];
                        int yc = y / s->cdy[compno];

-                        if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
+                        if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
                            continue;

-                        if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
+                        if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
                            continue;

                        // check if a precinct exists
@@ -1214,10 +1220,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
                        if (reslevelno >= codsty->nreslevels)
                            continue;

-                        if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
+                        if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
                            continue;

-                        if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
+                        if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
                            continue;

                        // check if a precinct exists
@@ -1285,10 +1291,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
                        uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; //  ==> N_L - r
                        Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno;

-                        if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
+                        if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
                            continue;

-                        if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
+                        if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
                            continue;

                        // check if a precinct exists
@@ -64,9 +64,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize)
    int i;

    for (i = 0; i < csize; i++) {
-        i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16);
+        i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16);
        i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16)
-                   - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16);
+                   - ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16);
        i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16);
        *src0++ = i0;
        *src1++ = i1;
@@ -305,22 +305,22 @@ static void dwt_encode97_int(DWTContext *s, int *t)
        t[i] = (t[i] + ((1<<I_PRESHIFT)>>1)) >> I_PRESHIFT;
 }

-static void sr_1d53(int *p, int i0, int i1)
+static void sr_1d53(unsigned *p, int i0, int i1)
 {
    int i;

    if (i1 <= i0 + 1) {
        if (i0 == 1)
-            p[1] >>= 1;
+            p[1] = (int)p[1] >> 1;
        return;
    }

    extend53(p, i0, i1);

    for (i = (i0 >> 1); i < (i1 >> 1) + 1; i++)
-        p[2 * i] -= (p[2 * i - 1] + p[2 * i + 1] + 2) >> 2;
+        p[2 * i] -= (int)(p[2 * i - 1] + p[2 * i + 1] + 2) >> 2;
    for (i = (i0 >> 1); i < (i1 >> 1); i++)
-        p[2 * i + 1] += (p[2 * i] + p[2 * i + 2]) >> 1;
+        p[2 * i + 1] += (int)(p[2 * i] + p[2 * i + 2]) >> 1;
 }

 static void dwt_decode53(DWTContext *s, int *t)
@@ -233,6 +233,9 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s,
    while (x < w) {
        int err, pred;

+        if (get_bits_left(&s->gb) <= 0)
+            return;
+
        /* compute gradients */
        Ra = x ? R(dst, x - stride) : R(last, x);
        Rb = R(last, x);
@@ -438,6 +441,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
        avpriv_report_missing_feature(s->avctx, "Sample interleaved images");
        ret = AVERROR_PATCHWELCOME;
        goto end;
+    } else { /* unknown interleaving */
+        avpriv_report_missing_feature(s->avctx, "Unknown interleaved images");
+        ret = AVERROR_PATCHWELCOME;
+        goto end;
    }

    if (s->xfrm && s->nb_components == 3) {
@@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    h = (buf[1] + 1) * 8;
    buf += 2;

+    if (avpkt->size < 2 + w*h / 513)
+        return AVERROR_INVALIDDATA;
+
    if (w != avctx->width || h != avctx->height) {
        av_freep(&c->frame_buffer);
        av_freep(&c->last_frame_buffer);
@@ -126,7 +126,10 @@ static av_cold int libopus_decode_close(AVCodecContext *avc)
 {
    struct libopus_context *opus = avc->priv_data;

-    opus_multistream_decoder_destroy(opus->dec);
+    if (opus->dec) {
+        opus_multistream_decoder_destroy(opus->dec);
+        opus->dec = NULL;
+    }
    return 0;
 }

@@ -200,6 +203,7 @@ AVCodec ff_libopus_decoder = {
    .decode         = libopus_decode,
    .flush          = libopus_flush,
    .capabilities   = AV_CODEC_CAP_DR1,
+    .caps_internal  = FF_CODEC_CAP_INIT_CLEANUP,
    .sample_fmts    = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_FLT,
                                                     AV_SAMPLE_FMT_S16,
                                                     AV_SAMPLE_FMT_NONE },
@@ -279,7 +279,11 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame,

    x264_picture_init( &x4->pic );
    x4->pic.img.i_csp   = x4->params.i_csp;
+#if X264_BUILD >= 153
+    if (x4->params.i_bitdepth > 8)
+#else
    if (x264_bit_depth > 8)
+#endif
        x4->pic.img.i_csp |= X264_CSP_HIGH_DEPTH;
    x4->pic.img.i_plane = avfmt2_num_planes(ctx->pix_fmt);

@@ -490,6 +494,9 @@ static av_cold int X264_init(AVCodecContext *avctx)
    x4->params.p_log_private        = avctx;
    x4->params.i_log_level          = X264_LOG_DEBUG;
    x4->params.i_csp                = convert_pix_fmt(avctx->pix_fmt);
+#if X264_BUILD >= 153
+    x4->params.i_bitdepth           = av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth;
+#endif

    PARSE_X264_OPT("weightp", wpredp);

@@ -878,6 +885,24 @@ static const enum AVPixelFormat pix_fmts_10bit[] = {
    AV_PIX_FMT_NV20,
    AV_PIX_FMT_NONE
 };
+static const enum AVPixelFormat pix_fmts_all[] = {
+    AV_PIX_FMT_YUV420P,
+    AV_PIX_FMT_YUVJ420P,
+    AV_PIX_FMT_YUV422P,
+    AV_PIX_FMT_YUVJ422P,
+    AV_PIX_FMT_YUV444P,
+    AV_PIX_FMT_YUVJ444P,
+    AV_PIX_FMT_NV12,
+    AV_PIX_FMT_NV16,
+#ifdef X264_CSP_NV21
+    AV_PIX_FMT_NV21,
+#endif
+    AV_PIX_FMT_YUV420P10,
+    AV_PIX_FMT_YUV422P10,
+    AV_PIX_FMT_YUV444P10,
+    AV_PIX_FMT_NV20,
+    AV_PIX_FMT_NONE
+};
 #if CONFIG_LIBX264RGB_ENCODER
 static const enum AVPixelFormat pix_fmts_8bit_rgb[] = {
    AV_PIX_FMT_BGR0,
@@ -889,12 +914,16 @@ static const enum AVPixelFormat pix_fmts_8bit_rgb[] = {

 static av_cold void X264_init_static(AVCodec *codec)
 {
+#if X264_BUILD < 153
    if (x264_bit_depth == 8)
        codec->pix_fmts = pix_fmts_8bit;
    else if (x264_bit_depth == 9)
        codec->pix_fmts = pix_fmts_9bit;
    else if (x264_bit_depth == 10)
        codec->pix_fmts = pix_fmts_10bit;
+#else
+    codec->pix_fmts = pix_fmts_all;
+#endif
 }

 #define OFFSET(x) offsetof(X264Context, x)
@@ -39,13 +39,13 @@ void ff_mdct_calcw_c(FFTContext *s, FFTDouble *out, const FFTSample *input)

    /* pre rotation */
    for(i=0;i<n8;i++) {
-        re = RSCALE(-input[2*i+n3] - input[n3-1-2*i]);
-        im = RSCALE(-input[n4+2*i] + input[n4-1-2*i]);
+        re = RSCALE(-input[2*i+n3], - input[n3-1-2*i]);
+        im = RSCALE(-input[n4+2*i], + input[n4-1-2*i]);
        j = revtab[i];
        CMUL(x[j].re, x[j].im, re, im, -tcos[i], tsin[i]);

-        re = RSCALE( input[2*i]    - input[n2-1-2*i]);
-        im = RSCALE(-input[n2+2*i] - input[ n-1-2*i]);
+        re = RSCALE( input[2*i]   , - input[n2-1-2*i]);
+        im = RSCALE(-input[n2+2*i], - input[ n-1-2*i]);
        j = revtab[n8 + i];
        CMUL(x[j].re, x[j].im, re, im, -tcos[n8 + i], tsin[n8 + i]);
    }
@@ -33,12 +33,12 @@
 */

 #if FFT_FLOAT
-#   define RSCALE(x) (x)
+#   define RSCALE(x, y) ((x) + (y))
 #else
 #if FFT_FIXED_32
-#   define RSCALE(x) (((x) + 32) >> 6)
+#   define RSCALE(x, y) ((int)((x) + (unsigned)(y) + 32) >> 6)
 #else /* FFT_FIXED_32 */
-#   define RSCALE(x) ((x) >> 1)
+#   define RSCALE(x, y) ((int)((x) + (unsigned)(y)) >> 1)
 #endif /* FFT_FIXED_32 */
 #endif

@@ -181,13 +181,13 @@ void ff_mdct_calc_c(FFTContext *s, FFTSample *out, const FFTSample *input)

    /* pre rotation */
    for(i=0;i<n8;i++) {
-        re = RSCALE(-input[2*i+n3] - input[n3-1-2*i]);
-        im = RSCALE(-input[n4+2*i] + input[n4-1-2*i]);
+        re = RSCALE(-input[2*i+n3], - input[n3-1-2*i]);
+        im = RSCALE(-input[n4+2*i], + input[n4-1-2*i]);
        j = revtab[i];
        CMUL(x[j].re, x[j].im, re, im, -tcos[i], tsin[i]);

-        re = RSCALE( input[2*i]    - input[n2-1-2*i]);
-        im = RSCALE(-input[n2+2*i] - input[ n-1-2*i]);
+        re = RSCALE( input[2*i]   , - input[n2-1-2*i]);
+        im = RSCALE(-input[n2+2*i], - input[ n-1-2*i]);
        j = revtab[n8 + i];
        CMUL(x[j].re, x[j].im, re, im, -tcos[n8 + i], tsin[n8 + i]);
    }
@@ -305,6 +305,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
    av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
    if (av_image_check_size(width, height, 0, s->avctx))
        return AVERROR_INVALIDDATA;
+    if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL)
+        return AVERROR_INVALIDDATA;

    nb_components = get_bits(&s->gb, 8);
    if (nb_components <= 0 ||
@@ -591,6 +593,10 @@ unk_pixfmt:
        av_log(s->avctx, AV_LOG_ERROR, "lowres not supported for weird subsampling\n");
        return AVERROR_PATCHWELCOME;
    }
+    if ((AV_RB32(s->upscale_h) || AV_RB32(s->upscale_v)) && s->progressive && s->avctx->pix_fmt == AV_PIX_FMT_GBRP) {
+        avpriv_report_missing_feature(s->avctx, "progressive for weird subsampling");
+        return AVERROR_PATCHWELCOME;
+    }
    if (s->ls) {
        memset(s->upscale_h, 0, sizeof(s->upscale_h));
        memset(s->upscale_v, 0, sizeof(s->upscale_v));
@@ -692,7 +698,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t *block, int component,
        av_log(s->avctx, AV_LOG_ERROR, "error dc\n");
        return AVERROR_INVALIDDATA;
    }
-    val = val * quant_matrix[0] + s->last_dc[component];
+    val = val * (unsigned)quant_matrix[0] + s->last_dc[component];
    val = av_clip_int16(val);
    s->last_dc[component] = val;
    block[0] = val;
@@ -983,6 +989,11 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
        for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
            int modified_predictor = predictor;

+            if (get_bits_left(&s->gb) < 1) {
+                av_log(s->avctx, AV_LOG_ERROR, "bitstream end in rgb_scan\n");
+                return AVERROR_INVALIDDATA;
+            }
+
            if (s->restart_interval && !s->restart_count){
                s->restart_count = s->restart_interval;
                resync_mb_x = mb_x;
@@ -1006,7 +1017,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
                    return -1;

                left[i] = buffer[mb_x][i] =
-                    mask & (pred + (dc * (1 << point_transform)));
+                    mask & (pred + (unsigned)(dc * (1 << point_transform)));
            }

            if (s->restart_interval && !--s->restart_count) {
@@ -2094,6 +2105,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    int ret = 0;
    int is16bit;

+    s->buf_size = buf_size;
+
    av_dict_free(&s->exif_metadata);
    av_freep(&s->stereo3d);
    s->adobe_transform = -1;
@@ -45,6 +45,7 @@ typedef struct MJpegDecodeContext {
    AVClass *class;
    AVCodecContext *avctx;
    GetBitContext gb;
+    int buf_size;

    int start_code; /* current start code */
    int buffer_size;
@@ -474,7 +474,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
    uint8_t checksum;
    uint8_t lossless_check;
    int start_count = get_bits_count(gbp);
-    int min_channel, max_channel, max_matrix_channel;
+    int min_channel, max_channel, max_matrix_channel, noise_type;
    const int std_max_matrix_channel = m->avctx->codec_id == AV_CODEC_ID_MLP
                                     ? MAX_MATRIX_CHANNEL_MLP
                                     : MAX_MATRIX_CHANNEL_TRUEHD;
@@ -487,9 +487,9 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
        return AVERROR_INVALIDDATA;
    }

-    s->noise_type = get_bits1(gbp);
+    noise_type = get_bits1(gbp);

-    if (m->avctx->codec_id == AV_CODEC_ID_MLP && s->noise_type) {
+    if (m->avctx->codec_id == AV_CODEC_ID_MLP && noise_type) {
        av_log(m->avctx, AV_LOG_ERROR, "MLP must have 0x31ea sync word.\n");
        return AVERROR_INVALIDDATA;
    }
@@ -515,7 +515,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,

    /* This should happen for TrueHD streams with >6 channels and MLP's noise
     * type. It is not yet known if this is allowed. */
-    if (max_channel > MAX_MATRIX_CHANNEL_MLP && !s->noise_type) {
+    if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) {
        avpriv_request_sample(m->avctx,
                              "%d channels (more than the "
                              "maximum supported by the decoder)",
@@ -532,6 +532,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
    s->min_channel        = min_channel;
    s->max_channel        = max_channel;
    s->max_matrix_channel = max_matrix_channel;
+    s->noise_type         = noise_type;

    if (m->avctx->request_channel_layout && (s->ch_layout & m->avctx->request_channel_layout) ==
        m->avctx->request_channel_layout && m->max_decoded_substream > substr) {
@@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
                          (1U << output_shift[mat_ch]);
            lossless_check_data ^= (sample & 0xffffff) << mat_ch;
            if (is32)
-                *data_32++ = sample << 8;
+                *data_32++ = sample * 256U;
            else
                *data_16++ = sample >> 8;
        }
@@ -299,6 +299,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt)
        m->s_temp->style_start = AV_RB16(tsmb);
        tsmb += 2;
        m->s_temp->style_end = AV_RB16(tsmb);
+
+        if (   m->s_temp->style_end < m->s_temp->style_start
+            || (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) {
+            av_freep(&m->s_temp);
+            mov_text_cleanup(m);
+            return AVERROR(ENOMEM);
+        }
+
        tsmb += 2;
        m->s_temp->style_fontID = AV_RB16(tsmb);
        tsmb += 2;
@@ -1984,6 +1984,8 @@ static int mpeg_decode_slice(MpegEncContext *s, int mb_y,
                    s->mv[0][0][1] = s->last_mv[0][0][1];
                    s->mv[1][0][0] = s->last_mv[1][0][0];
                    s->mv[1][0][1] = s->last_mv[1][0][1];
+                    s->field_select[0][0] = (s->picture_structure - 1) & 1;
+                    s->field_select[1][0] = (s->picture_structure - 1) & 1;
                }
            }
        }
@@ -460,7 +460,7 @@ int ff_mpeg4_decode_video_packet_header(Mpeg4DecContext *ctx)
    }

    mb_num = get_bits(&s->gb, mb_num_bits);
-    if (mb_num >= s->mb_num) {
+    if (mb_num >= s->mb_num || !mb_num) {
        av_log(s->avctx, AV_LOG_ERROR,
               "illegal mb_num in video packet (%d %d) \n", mb_num, s->mb_num);
        return -1;
@@ -1251,10 +1251,12 @@ not_coded:
 */
 static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64])
 {
-    Mpeg4DecContext *ctx = (Mpeg4DecContext *)s;
+    Mpeg4DecContext *ctx = s->avctx->priv_data;
    int cbp, mb_type;
    const int xy = s->mb_x + s->mb_y * s->mb_stride;

+    av_assert2(s == (void*)ctx);
+
    mb_type = s->current_picture.mb_type[xy];
    cbp     = s->cbp_table[xy];

@@ -1336,12 +1338,13 @@ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64])

 static int mpeg4_decode_mb(MpegEncContext *s, int16_t block[6][64])
 {
-    Mpeg4DecContext *ctx = (Mpeg4DecContext *)s;
+    Mpeg4DecContext *ctx = s->avctx->priv_data;
    int cbpc, cbpy, i, cbp, pred_x, pred_y, mx, my, dquant;
    int16_t *mot_val;
    static const int8_t quant_tab[4] = { -1, -2, 1, 2 };
    const int xy = s->mb_x + s->mb_y * s->mb_stride;

+    av_assert2(s ==  (void*)ctx);
    av_assert2(s->h263_pred);

    if (s->pict_type == AV_PICTURE_TYPE_P ||
@@ -2149,8 +2152,15 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb)
        e = sscanf(buf, "FFmpeg v%d.%d.%d / libavcodec build: %d", &ver, &ver2, &ver3, &build);
    if (e != 4) {
        e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1;
-        if (e > 1)
-            build = (ver << 16) + (ver2 << 8) + ver3;
+        if (e > 1) {
+            if (ver > 0xFFU || ver2 > 0xFFU || ver3 > 0xFFU) {
+                av_log(s->avctx, AV_LOG_WARNING,
+                     "Unknown Lavc version string encountered, %d.%d.%d; "
+                     "clamping sub-version values to 8-bits.\n",
+                     ver, ver2, ver3);
+            }
+            build = ((ver & 0xFF) << 16) + ((ver2 & 0xFF) << 8) + (ver3 & 0xFF);
+        }
    }
    if (e != 4) {
        if (strcmp(buf, "ffmpeg") == 0)
@@ -2660,8 +2670,8 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb)

        if (startcode >= 0x120 && startcode <= 0x12F) {
            if (vol) {
-                av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers");
-                return AVERROR_INVALIDDATA;
+                av_log(s->avctx, AV_LOG_WARNING, "Ignoring multiple VOL headers\n");
+                continue;
            }
            vol++;
            if ((ret = decode_vol_header(ctx, gb)) < 0)
@@ -910,7 +910,7 @@ void ff_set_mpeg4_time(MpegEncContext *s)

 static void mpeg4_encode_gop_header(MpegEncContext *s)
 {
-    int hours, minutes, seconds;
+    int64_t hours, minutes, seconds;
    int64_t time;

    put_bits(&s->pb, 16, 0);
@@ -20,17 +20,21 @@

 #include "config.h"
 #include "libavutil/attributes.h"
+#include "libavutil/thread.h"
 #include "mpegaudiodsp.h"
 #include "dct.h"
 #include "dct32.h"

+static AVOnce mpadsp_float_table_init = AV_ONCE_INIT;
+static AVOnce mpadsp_fixed_table_init = AV_ONCE_INIT;
+
 av_cold void ff_mpadsp_init(MPADSPContext *s)
 {
    DCTContext dct;

    ff_dct_init(&dct, 5, DCT_II);
-    ff_init_mpadsp_tabs_float();
-    ff_init_mpadsp_tabs_fixed();
+    ff_thread_once(&mpadsp_float_table_init, &ff_init_mpadsp_tabs_float);
+    ff_thread_once(&mpadsp_fixed_table_init, &ff_init_mpadsp_tabs_fixed);

    s->apply_window_float = ff_mpadsp_apply_window_float;
    s->apply_window_fixed = ff_mpadsp_apply_window_fixed;
@@ -161,6 +161,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    int orig_size      = buf_size;
    int keyframe, ret;
    int size_change = 0;
+    int minsize = 0;
    int result, init_frame = !avctx->frame_number;
    enum {
        NUV_UNCOMPRESSED  = '0',
@@ -198,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    case NUV_RTJPEG_IN_LZO:
    case NUV_RTJPEG:
        keyframe = !buf[2];
+        if (c->width < 16 || c->height < 16) {
+            return AVERROR_INVALIDDATA;
+        }
        break;
    case NUV_COPY_LAST:
        keyframe = 0;
@@ -206,6 +210,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
        keyframe = 1;
        break;
    }
+    switch (comptype) {
+    case NUV_UNCOMPRESSED:
+        minsize = c->width * c->height * 3 / 2;
+        break;
+    case NUV_RTJPEG:
+        minsize = c->width/16 * (c->height/16) * 6;
+        break;
+    }
+    if (buf_size < minsize / 4)
+        return AVERROR_INVALIDDATA;
 retry:
    // Skip the rest of the frame header.
    buf       = &buf[12];
@@ -43,6 +43,7 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le
    const uint8_t *buf = start + 1;
    int start_trim_flag, end_trim_flag, control_extension_flag, control_extension_length;
    uint8_t flags;
+    uint64_t payload_len_tmp;

    GetByteContext gb;
    bytestream2_init(&gb, buf, buf_len);
@@ -52,11 +53,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le
    end_trim_flag          = (flags >> 3) & 1;
    control_extension_flag = (flags >> 2) & 1;

-    *payload_len = 0;
+    payload_len_tmp = *payload_len = 0;
    while (bytestream2_peek_byte(&gb) == 0xff)
-        *payload_len += bytestream2_get_byte(&gb);
+        payload_len_tmp += bytestream2_get_byte(&gb);

-    *payload_len += bytestream2_get_byte(&gb);
+    payload_len_tmp += bytestream2_get_byte(&gb);

    if (start_trim_flag)
        bytestream2_skip(&gb, 2);
@@ -67,6 +68,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le
        bytestream2_skip(&gb, control_extension_length);
    }

+    if (bytestream2_tell(&gb) + payload_len_tmp > buf_len)
+        return NULL;
+
+    *payload_len = payload_len_tmp;
+
    return buf + bytestream2_tell(&gb);
 }

@@ -104,6 +110,10 @@ static int opus_find_frame_end(AVCodecParserContext *ctx, AVCodecContext *avctx,
            state = (state << 8) | payload[i];
            if ((state & OPUS_TS_MASK) == OPUS_TS_HEADER) {
                payload = parse_opus_ts_header(payload, &payload_len, buf_size - i);
+                if (!payload) {
+                    av_log(avctx, AV_LOG_ERROR, "Error parsing Ogg TS header.\n");
+                    return AVERROR_INVALIDDATA;
+                }
                *header_len = payload - buf;
                start_found = 1;
                break;
@@ -955,8 +955,10 @@ static void silk_lsf2lpc(const int16_t nlsf[16], float lpcf[16], int order)

    /* reconstruct A(z) */
    for (k = 0; k < order>>1; k++) {
-        lpc32[k]         = -p[k + 1] - p[k] - q[k + 1] + q[k];
-        lpc32[order-k-1] = -p[k + 1] - p[k] + q[k + 1] - q[k];
+        int32_t p_tmp = p[k + 1] + p[k];
+        int32_t q_tmp = q[k + 1] - q[k];
+        lpc32[k]         = -q_tmp - p_tmp;
+        lpc32[order-k-1] =  q_tmp - p_tmp;
    }

    /* limit the range of the LPC coefficients to each fit within an int16_t */
@@ -1569,11 +1569,11 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx)
        b = 0x1000000 / b;
        for (j=0; j <= i; j++) {
 #if CONFIG_FTRAPV
-            int a = bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12);
+            int a = bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12);
            if((int)(a*(unsigned)b) != a*(int64_t)b)
                return 1;
 #endif
-            bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12;
+            bp1[j] = (int)((bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)) * (unsigned)b) >> 12;
        }

        if ((unsigned) bp1[i] + 0x1000 > 0x1fff)
@@ -1579,7 +1579,7 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte

    // Do no call ff_mpeg_update_thread_context on a partially initialized
    // decoder context.
-    if (!s1->linesize)
+    if (!s1->context_initialized)
        return 0;

    return ff_mpeg_update_thread_context(dst, src);
@@ -1727,6 +1727,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
            if ((err = rv34_decoder_realloc(r)) < 0)
                return err;
        }
+        if (faulty_b)
+            return AVERROR_INVALIDDATA;
        s->pict_type = si.type ? si.type : AV_PICTURE_TYPE_I;
        if (ff_mpv_frame_start(s, s->avctx) < 0)
            return -1;
@@ -1777,8 +1779,6 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
               "multithreading mode (start MB is %d).\n", si.start);
        return AVERROR_INVALIDDATA;
    }
-    if (faulty_b)
-        return AVERROR_INVALIDDATA;

    for(i = 0; i < slice_count; i++){
        int offset  = get_slice_offset(avctx, slices_hdr, i  , slice_count, buf_size);
@@ -233,12 +233,14 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2],
    int64_t accu;

    for (m = 0; m < m_max; m++) {
-        int64_t r = 1LL << (22-g_filt[m].exp);
-        accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7);
-        Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp));
+        if (22 - g_filt[m].exp < 61) {
+            int64_t r = 1LL << (22-g_filt[m].exp);
+            accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7);
+            Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp));

-        accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7);
-        Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp));
+            accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7);
+            Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp));
+        }
    }
 }

@@ -172,7 +172,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer)
            buffer[i] = 0;
    } else if (s->bitshift != 0) {
        for (i = 0; i < s->blocksize; i++)
-            buffer[i] <<= s->bitshift;
+            buffer[i] *= 1U << s->bitshift;
    }
 }

@@ -227,11 +227,11 @@ static int decode_aiff_header(AVCodecContext *avctx, const uint8_t *header,

    while (bytestream2_get_le32(&gb) != MKTAG('C', 'O', 'M', 'M')) {
        len = bytestream2_get_be32(&gb);
-        bytestream2_skip(&gb, len + (len & 1));
-        if (len < 0 || bytestream2_get_bytes_left(&gb) < 18) {
+        if (len < 0 || bytestream2_get_bytes_left(&gb) < 18LL + len + (len&1)) {
            av_log(avctx, AV_LOG_ERROR, "no COMM chunk found\n");
            return AVERROR_INVALIDDATA;
        }
+        bytestream2_skip(&gb, len + (len & 1));
    }
    len = bytestream2_get_be32(&gb);

@@ -380,7 +380,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
    for (i = 0; i < s->blocksize; i++) {
        sum = init_sum;
        for (j = 0; j < pred_order; j++)
-            sum += coeffs[j] * s->decoded[channel][i - j - 1];
+            sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1];
        s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) +
                                 (sum >> qshift);
    }
@@ -441,6 +441,10 @@ static int read_header(ShortenContext *s)
            return AVERROR_INVALIDDATA;
        }
        s->nmean = get_uint(s, 0);
+        if (s->nmean > 32768U) {
+            av_log(s->avctx, AV_LOG_ERROR, "nmean is: %d\n", s->nmean);
+            return AVERROR_INVALIDDATA;
+        }

        skip_bytes = get_uint(s, NSKIPSIZE);
        if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) {
@@ -664,7 +668,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
            else {
                int32_t sum = (s->version < 2) ? 0 : s->nmean / 2;
                for (i = 0; i < s->nmean; i++)
-                    sum += s->offset[channel][i];
+                    sum += (unsigned)s->offset[channel][i];
                coffset = sum / s->nmean;
                if (s->version >= 2)
                    coffset = s->bitshift == 0 ? coffset : coffset >> s->bitshift - 1 >> 1;
@@ -682,7 +686,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,

            /* update means with info from the current block */
            if (s->nmean > 0) {
-                int32_t sum = (s->version < 2) ? 0 : s->blocksize / 2;
+                int64_t sum = (s->version < 2) ? 0 : s->blocksize / 2;
                for (i = 0; i < s->blocksize; i++)
                    sum += s->decoded[channel][i];

@@ -692,7 +696,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
                if (s->version < 2)
                    s->offset[channel][s->nmean - 1] = sum / s->blocksize;
                else
-                    s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) << s->bitshift;
+                    s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) * (1 << s->bitshift);
            }

            /* copy wrap samples for use with next block */
@@ -437,6 +437,10 @@ static int smc_decode_frame(AVCodecContext *avctx,
    SmcContext *s = avctx->priv_data;
    const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
    int ret;
+    int total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4);
+
+    if (total_blocks / 1024 > avpkt->size)
+        return AVERROR_INVALIDDATA;

    bytestream2_init(&s->gb, buf, buf_size);

@@ -183,13 +183,22 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){
        int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my));

        type= get_rac(&s->c, &s->block_state[1 + left->type + top->type]) ? BLOCK_INTRA : 0;
-
        if(type){
+            int ld, cbd, crd;
            pred_mv(s, &mx, &my, 0, left, top, tr);
-            l += get_symbol(&s->c, &s->block_state[32], 1);
+            ld = get_symbol(&s->c, &s->block_state[32], 1);
+            if (ld < -255 || ld > 255) {
+                return AVERROR_INVALIDDATA;
+            }
+            l += ld;
            if (s->nb_planes > 2) {
-                cb+= get_symbol(&s->c, &s->block_state[64], 1);
-                cr+= get_symbol(&s->c, &s->block_state[96], 1);
+                cbd = get_symbol(&s->c, &s->block_state[64], 1);
+                crd = get_symbol(&s->c, &s->block_state[96], 1);
+                if (cbd < -255 || cbd > 255 || crd < -255 || crd > 255) {
+                    return AVERROR_INVALIDDATA;
+                }
+                cb += cbd;
+                cr += crd;
            }
        }else{
            if(s->ref_frames > 1)
@@ -354,9 +363,10 @@ static int decode_header(SnowContext *s){
                int htaps, i, sum=0;
                Plane *p= &s->plane[plane_index];
                p->diag_mc= get_rac(&s->c, s->header_state);
-                htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2;
-                if((unsigned)htaps >= HTAPS_MAX || htaps==0)
+                htaps= get_symbol(&s->c, s->header_state, 0);
+                if((unsigned)htaps >= HTAPS_MAX/2 - 1)
                    return AVERROR_INVALIDDATA;
+                htaps = htaps*2 + 2;
                p->htaps= htaps;
                for(i= htaps/2; i; i--){
                    p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1));
@@ -374,7 +384,7 @@ static int decode_header(SnowContext *s){
        }
    }

-    s->spatial_decomposition_type+= get_symbol(&s->c, s->header_state, 1);
+    s->spatial_decomposition_type+= (unsigned)get_symbol(&s->c, s->header_state, 1);
    if(s->spatial_decomposition_type > 1U){
        av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not supported\n", s->spatial_decomposition_type);
        return AVERROR_INVALIDDATA;
@@ -390,10 +400,10 @@ static int decode_header(SnowContext *s){
    }


-    s->qlog           += get_symbol(&s->c, s->header_state, 1);
-    s->mv_scale       += get_symbol(&s->c, s->header_state, 1);
-    s->qbias          += get_symbol(&s->c, s->header_state, 1);
-    s->block_max_depth+= get_symbol(&s->c, s->header_state, 1);
+    s->qlog           += (unsigned)get_symbol(&s->c, s->header_state, 1);
+    s->mv_scale       += (unsigned)get_symbol(&s->c, s->header_state, 1);
+    s->qbias          += (unsigned)get_symbol(&s->c, s->header_state, 1);
+    s->block_max_depth+= (unsigned)get_symbol(&s->c, s->header_state, 1);
    if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){
        av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth);
        s->block_max_depth= 0;
@@ -428,6 +438,8 @@ static int decode_blocks(SnowContext *s){

    for(y=0; y<h; y++){
        for(x=0; x<w; x++){
+            if (s->c.bytestream >= s->c.bytestream_end)
+                return AVERROR_INVALIDDATA;
            if ((res = decode_q_branch(s, 0, x, y)) < 0)
                return res;
        }
@@ -35,6 +35,7 @@
 #define av_freep(p) while(0)
 #define AVCODEC_AVCODEC_H
 #define AVCODEC_INTERNAL_H
+#define AV_INPUT_BUFFER_PADDING_SIZE 64 // the value does not matter for this
 #include "tableprint.h"
 #include "get_bits.h"
 #include "mathtables.c"
@@ -63,6 +63,7 @@ typedef struct TM2Context {
    AVFrame *pic;

    GetBitContext gb;
+    int error;
    BswapDSPContext bdsp;

    uint8_t *buffer;
@@ -398,6 +399,7 @@ static inline int GET_TOK(TM2Context *ctx,int type)
 {
    if (ctx->tok_ptrs[type] >= ctx->tok_lens[type]) {
        av_log(ctx->avctx, AV_LOG_ERROR, "Read token from stream %i out of bounds (%i>=%i)\n", type, ctx->tok_ptrs[type], ctx->tok_lens[type]);
+        ctx->error = 1;
        return 0;
    }
    if (type <= TM2_MOT) {
@@ -441,15 +443,15 @@ static inline int GET_TOK(TM2Context *ctx,int type)

 /* recalculate last and delta values for next blocks */
 #define TM2_RECALC_BLOCK(CHR, stride, last, CD) {\
-    CD[0] = CHR[1] - last[1];\
-    CD[1] = (int)CHR[stride + 1] - (int)CHR[1];\
+    CD[0] = (unsigned)CHR[         1] - (unsigned)last[1];\
+    CD[1] = (unsigned)CHR[stride + 1] - (unsigned) CHR[1];\
    last[0] = (int)CHR[stride + 0];\
    last[1] = (int)CHR[stride + 1];}

 /* common operations - add deltas to 4x4 block of luma or 2x2 blocks of chroma */
 static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *deltas, int *last)
 {
-    int ct, d;
+    unsigned ct, d;
    int i, j;

    for (j = 0; j < 4; j++){
@@ -809,6 +811,8 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p)
            default:
                av_log(ctx->avctx, AV_LOG_ERROR, "Skipping unknown block type %i\n", type);
            }
+            if (ctx->error)
+                return AVERROR_INVALIDDATA;
        }
    }

@@ -889,6 +893,8 @@ static int decode_frame(AVCodecContext *avctx,
    int offset           = TM2_HEADER_SIZE;
    int i, t, ret;

+    l->error = 0;
+
    av_fast_padded_malloc(&l->buffer, &l->buffer_size, buf_size);
    if (!l->buffer) {
        av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");
@@ -116,6 +116,9 @@ static int truemotion2rt_decode_frame(AVCodecContext *avctx, void *data,
    if (ret < 0)
        return ret;

+    if (avctx->width / s->hscale * avctx->height * s->delta_size > avpkt->size * 8LL * 4)
+        return AVERROR_INVALIDDATA;
+
    ret = init_get_bits8(gb, avpkt->data + ret, avpkt->size - ret);
    if (ret < 0)
        return ret;
@@ -50,6 +50,8 @@ static av_cold int ulti_decode_init(AVCodecContext *avctx)
    s->width = avctx->width;
    s->height = avctx->height;
    s->blocks = (s->width / 8) * (s->height / 8);
+    if (s->blocks == 0)
+        return AVERROR_INVALIDDATA;
    avctx->pix_fmt = AV_PIX_FMT_YUV410P;
    s->ulti_codebook = ulti_codebook;

@@ -418,7 +418,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,

    *width  = FFALIGN(*width, w_align);
    *height = FFALIGN(*height, h_align);
-    if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) {
+    if (s->codec_id == AV_CODEC_ID_H264 || s->lowres ||
+        s->codec_id == AV_CODEC_ID_VP5  || s->codec_id == AV_CODEC_ID_VP6 ||
+        s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A
+    ) {
        // some of the optimized chroma MC reads one line too much
        // which is also done in mpeg decoders with lowres > 0
        *height += 2;
@@ -1274,7 +1277,7 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code
    if (ret < 0)
        return ret;

-    avctx->internal = av_mallocz(sizeof(AVCodecInternal));
+    avctx->internal = av_mallocz(sizeof(*avctx->internal));
    if (!avctx->internal) {
        ret = AVERROR(ENOMEM);
        goto end;
@@ -2766,7 +2769,7 @@ void avsubtitle_free(AVSubtitle *sub)

    av_freep(&sub->rects);

-    memset(sub, 0, sizeof(AVSubtitle));
+    memset(sub, 0, sizeof(*sub));
 }

 static int do_decode(AVCodecContext *avctx, AVPacket *pkt)
@@ -28,6 +28,7 @@
 #include <stdlib.h>

 #include "libavutil/intreadwrite.h"
+#include "libavutil/pixdesc.h"
 #include "avcodec.h"
 #include "bswapdsp.h"
 #include "bytestream.h"
@@ -534,7 +535,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            for (j = 0; j < c->slices; j++) {
                slice_end   = bytestream2_get_le32u(&gb);
                if (slice_end < 0 || slice_end < slice_start ||
-                    bytestream2_get_bytes_left(&gb) < slice_end) {
+                    bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) {
                    av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
                    return AVERROR_INVALIDDATA;
                }
@@ -720,42 +721,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 static av_cold int decode_init(AVCodecContext *avctx)
 {
    UtvideoContext * const c = avctx->priv_data;
+    int h_shift, v_shift;

    c->avctx = avctx;

    ff_bswapdsp_init(&c->bdsp);

-    if (avctx->extradata_size >= 16) {
-        av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n",
-               avctx->extradata[3], avctx->extradata[2],
-               avctx->extradata[1], avctx->extradata[0]);
-        av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n",
-               AV_RB32(avctx->extradata + 4));
-        c->frame_info_size = AV_RL32(avctx->extradata + 8);
-        c->flags           = AV_RL32(avctx->extradata + 12);
-
-        if (c->frame_info_size != 4)
-            avpriv_request_sample(avctx, "Frame info not 4 bytes");
-        av_log(avctx, AV_LOG_DEBUG, "Encoding parameters %08"PRIX32"\n", c->flags);
-        c->slices      = (c->flags >> 24) + 1;
-        c->compression = c->flags & 1;
-        c->interlaced  = c->flags & 0x800;
-    } else if (avctx->extradata_size == 8) {
-        av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n",
-               avctx->extradata[3], avctx->extradata[2],
-               avctx->extradata[1], avctx->extradata[0]);
-        av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n",
-               AV_RB32(avctx->extradata + 4));
-        c->interlaced  = 0;
-        c->pro         = 1;
-        c->frame_info_size = 4;
-    } else {
-        av_log(avctx, AV_LOG_ERROR,
-               "Insufficient extradata size %d, should be at least 16\n",
-               avctx->extradata_size);
-        return AVERROR_INVALIDDATA;
-    }
-
    c->slice_bits_size = 0;

    switch (avctx->codec_tag) {
@@ -784,14 +755,17 @@ static av_cold int decode_init(AVCodecContext *avctx)
        break;
    case MKTAG('U', 'Q', 'Y', '2'):
        c->planes      = 3;
+        c->pro         = 1;
        avctx->pix_fmt = AV_PIX_FMT_YUV422P10;
        break;
    case MKTAG('U', 'Q', 'R', 'G'):
        c->planes      = 3;
+        c->pro         = 1;
        avctx->pix_fmt = AV_PIX_FMT_GBRP10;
        break;
    case MKTAG('U', 'Q', 'R', 'A'):
        c->planes      = 4;
+        c->pro         = 1;
        avctx->pix_fmt = AV_PIX_FMT_GBRAP10;
        break;
    case MKTAG('U', 'L', 'H', '0'):
@@ -815,6 +789,43 @@ static av_cold int decode_init(AVCodecContext *avctx)
        return AVERROR_INVALIDDATA;
    }

+    av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &h_shift, &v_shift);
+    if ((avctx->width  & ((1<<h_shift)-1)) ||
+        (avctx->height & ((1<<v_shift)-1))) {
+        avpriv_request_sample(avctx, "Odd dimensions");
+        return AVERROR_PATCHWELCOME;
+    }
+
+    if (!c->pro && avctx->extradata_size >= 16) {
+        av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n",
+               avctx->extradata[3], avctx->extradata[2],
+               avctx->extradata[1], avctx->extradata[0]);
+        av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n",
+               AV_RB32(avctx->extradata + 4));
+        c->frame_info_size = AV_RL32(avctx->extradata + 8);
+        c->flags           = AV_RL32(avctx->extradata + 12);
+
+        if (c->frame_info_size != 4)
+            avpriv_request_sample(avctx, "Frame info not 4 bytes");
+        av_log(avctx, AV_LOG_DEBUG, "Encoding parameters %08"PRIX32"\n", c->flags);
+        c->slices      = (c->flags >> 24) + 1;
+        c->compression = c->flags & 1;
+        c->interlaced  = c->flags & 0x800;
+    } else if (c->pro && avctx->extradata_size == 8) {
+        av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n",
+               avctx->extradata[3], avctx->extradata[2],
+               avctx->extradata[1], avctx->extradata[0]);
+        av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n",
+               AV_RB32(avctx->extradata + 4));
+        c->interlaced  = 0;
+        c->frame_info_size = 4;
+    } else {
+        av_log(avctx, AV_LOG_ERROR,
+               "Insufficient extradata size %d, should be at least 16\n",
+               avctx->extradata_size);
+        return AVERROR_INVALIDDATA;
+    }
+
    return 0;
 }

@@ -594,7 +594,7 @@ static int vc1_decode_i_block(VC1Context *v, int16_t block[64], int n,
        scale = s->c_dc_scale;
    block[0] = dcdiff * scale;

-    ac_val  = s->ac_val[0][0] + s->block_index[n] * 16;
+    ac_val  = s->ac_val[0][s->block_index[n]];
    ac_val2 = ac_val;
    if (dc_pred_dir) // left
        ac_val -= 16;
@@ -745,7 +745,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n,

    scale = mquant * 2 + ((mquant == v->pq) ? v->halfpq : 0);

-    ac_val  = s->ac_val[0][0] + s->block_index[n] * 16;
+    ac_val  = s->ac_val[0][s->block_index[n]];
    ac_val2 = ac_val;
    if (dc_pred_dir) // left
        ac_val -= 16;
@@ -946,7 +946,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n,
    if (!a_avail) dc_pred_dir = 1;
    if (!c_avail) dc_pred_dir = 0;
    if (!a_avail && !c_avail) use_pred = 0;
-    ac_val = s->ac_val[0][0] + s->block_index[n] * 16;
+    ac_val = s->ac_val[0][s->block_index[n]];
    ac_val2 = ac_val;

    scale = mquant * 2 + v->halfpq;
@@ -1171,7 +1171,7 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx)
        p->dwt_width  = w = FFALIGN(p->width,  (1 << s->wavelet_depth));
        p->dwt_height = h = FFALIGN(p->height, (1 << s->wavelet_depth));
        p->coef_stride = FFALIGN(p->dwt_width, 32);
-        p->coef_buf = av_malloc(p->coef_stride*p->dwt_height*sizeof(dwtcoef));
+        p->coef_buf = av_mallocz(p->coef_stride*p->dwt_height*sizeof(dwtcoef));
        if (!p->coef_buf)
            goto alloc_fail;
        for (level = s->wavelet_depth-1; level >= 0; level--) {
@@ -1190,7 +1190,8 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx)
        /* DWT init */
        if (ff_vc2enc_init_transforms(&s->transform_args[i].t,
                                      s->plane[i].coef_stride,
-                                      s->plane[i].dwt_height))
+                                      s->plane[i].dwt_height,
+                                      s->slice_width, s->slice_height))
            goto alloc_fail;
    }

@@ -255,21 +255,27 @@ static void vc2_subband_dwt_haar_shift(VC2TransformContext *t, dwtcoef *data,
    dwt_haar(t, data, stride, width, height, 1);
 }

-av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_width, int p_height)
+av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_stride,
+                                      int p_height, int slice_w, int slice_h)
 {
    s->vc2_subband_dwt[VC2_TRANSFORM_9_7]    = vc2_subband_dwt_97;
    s->vc2_subband_dwt[VC2_TRANSFORM_5_3]    = vc2_subband_dwt_53;
    s->vc2_subband_dwt[VC2_TRANSFORM_HAAR]   = vc2_subband_dwt_haar;
    s->vc2_subband_dwt[VC2_TRANSFORM_HAAR_S] = vc2_subband_dwt_haar_shift;

-    s->buffer = av_malloc(2*p_width*p_height*sizeof(dwtcoef));
+    /* Pad by the slice size, only matters for non-Haar wavelets */
+    s->buffer = av_calloc((p_stride + slice_w)*(p_height + slice_h), sizeof(dwtcoef));
    if (!s->buffer)
        return 1;

+    s->padding = (slice_h >> 1)*p_stride + (slice_w >> 1);
+    s->buffer += s->padding;
+
    return 0;
 }

 av_cold void ff_vc2enc_free_transforms(VC2TransformContext *s)
 {
-    av_freep(&s->buffer);
+    av_free(s->buffer - s->padding);
+    s->buffer = NULL;
 }
@@ -41,12 +41,14 @@ enum VC2TransformType {

 typedef struct VC2TransformContext {
    dwtcoef *buffer;
+    int padding;
    void (*vc2_subband_dwt[VC2_TRANSFORMS_NB])(struct VC2TransformContext *t,
                                               dwtcoef *data, ptrdiff_t stride,
                                               int width, int height);
 } VC2TransformContext;

-int  ff_vc2enc_init_transforms(VC2TransformContext *t, int p_width, int p_height);
+int  ff_vc2enc_init_transforms(VC2TransformContext *t, int p_stride, int p_height,
+                               int slice_w, int slice_h);
 void ff_vc2enc_free_transforms(VC2TransformContext *t);

 #endif /* AVCODEC_VC2ENC_DWT_H */
@@ -67,7 +67,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num)
    if (bits[p] > 32)
        return AVERROR_INVALIDDATA;
    for (i = 0; i < bits[p]; ++i)
-        exit_at_level[i+1] = 1 << i;
+        exit_at_level[i+1] = 1u << i;

    ++p;

@@ -91,7 +91,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num)
        exit_at_level[i] = 0;
        // construct code (append 0s to end) and introduce new exits
        for (j = i + 1 ;j <= bits[p]; ++j)
-            exit_at_level[j] = code + (1 << (j - 1));
+            exit_at_level[j] = code + (1u << (j - 1));
        codes[p] = code;
    }

@@ -951,9 +951,11 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
    Vp3Fragment *all_fragments = s->all_fragments;
    VLC_TYPE(*vlc_table)[2] = table->table;

-    if (num_coeffs < 0)
+    if (num_coeffs < 0) {
        av_log(s->avctx, AV_LOG_ERROR,
               "Invalid number of coefficients at level %d\n", coeff_index);
+        return AVERROR_INVALIDDATA;
+    }

    if (eob_run > num_coeffs) {
        coeff_i      =
@@ -978,6 +980,9 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
            if (eob_run_get_bits[token])
                eob_run += get_bits(gb, eob_run_get_bits[token]);

+            if (!eob_run)
+                eob_run = INT_MAX;
+
            // record only the number of blocks ended in this plane,
            // any spill will be recorded in the next plane.
            if (eob_run > num_coeffs - coeff_i) {
@@ -606,6 +606,8 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
            s->fade_present = vp8_rac_get(c);
    }

+    if (c->end <= c->buffer && c->bits >= 0)
+        return AVERROR_INVALIDDATA;
    /* E. Fading information for previous frame */
    if (s->fade_present && vp8_rac_get(c)) {
        if ((ret = vp7_fade_frame(s ,c)) < 0)
@@ -85,7 +85,7 @@ typedef struct WavpackContext {

 #define LEVEL_DECAY(a)  (((a) + 0x80) >> 8)

-static av_always_inline int get_tail(GetBitContext *gb, int k)
+static av_always_inline unsigned get_tail(GetBitContext *gb, int k)
 {
    int p, e, res;

@@ -474,7 +474,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb,
        }

        if (type == AV_SAMPLE_FMT_S16P) {
-            if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) {
+            if (FFABS((int64_t)L) + FFABS((int64_t)R) > (1<<19)) {
                av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R);
                return AVERROR_INVALIDDATA;
            }
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.9
 .2.11