Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/g729dec: require buf_size to be non 0
2019-12-01 18:24:40 +01:00 · 2019-12-01 18:00:10 +01:00 · 2019-12-01 17:55:30 +01:00 · 2019-12-01 17:54:56 +01:00 · 2019-12-01 17:54:30 +01:00 · 2019-12-01 17:54:07 +01:00
176 changed files with 1473 additions and 579 deletions
@@ -1,6 +1,334 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 3.4.7:
+- avcodec/g729dec: require buf_size to be non 0
+- avcodec/alac: Fix integer overflow in lpc_prediction() with sign
+- avcodec/wmaprodec: Fix buflen computation in save_bits()
+- avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv()
+- avcodec/vmdaudio: Check chunk counts to avoid integer overflow
+- avformat/mxfdec: Clear metadata_sets_count in mxf_read_close()
+- avcodec/nuv: Use ff_set_dimensions()
+- avcodec/ffwavesynth: Fix integer overflow with pink_ts_cur/next
+- avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel()
+- avcodec/g729dec: Use 64bit and clip in scalar product
+- avcodec/mxpegdec: Check for multiple SOF
+- avcodec/nuv: Move comptype check up
+- avcodec/wmavoice: Fix integer overflow in synth_frame()
+- avcodec/rawdec: Check bits_per_coded_sample more pedantically for 16bit cases
+- avutil/lfg: Correct index increment type to avoid undefined behavior
+- avcodec/cngdec: Remove AV_CODEC_CAP_DELAY
+- avcodec/iff: Move index use after check in decodeplane8()
+- avcodec/atrac3: Check for huge block aligns
+- avcodec/ralf: use multiply instead of shift to avoid undefined behavior in decode_block()
+- avcodec/wmadec: Require previous exponents for reuse
+- avcodec/vc1_block: Fix undefined behavior in ac prediction rescaling
+- avcodec/qdm2: The smallest header seems to have 2 bytes so treat 1 as invalid
+- avcodec/apedec: Fixes integer overflow of res+*data in do_apply_filter()
+- avcodec/sonic: Fix integer overflow in predictor_calc_error()
+- avformat/mp3dec: Check that the frame fits within the probe buffe
+- lavc/tableprint_vlc: Remove avpriv_request_sample() from included files.
+- avcodec/wmaprodec: get frame during frame decode
+- avcodec/interplayacm: Fix overflow of last unused value
+- avcodec/adpcm: Fix undefined behavior with negative predictions in IMA OKI
+- avcodec/cook: Move up and extend block_align check
+- avcodec/twinvq: Check block_align
+- avcodec/cook: Enlarge gain table
+- avcodec/cook: Check samples_per_channel earlier
+- avcodec/atrac3plus: Check split point in fill mode 3
+- avcodec/wmavoice: Check sample_rate
+- avcodec/xsubdec: fix overflow in alpha handling
+- avcodec/iff: Check available space before entering loop in decode_long_vertical_delta2() / decode_long_vertical_delta()
+- avcodec/apedec: Fix integer overflow in filter_3800()
+- avutil/lfg: Document the AVLFG struct
+- avcodec/ffv1dec: Use a different error message for the slice level CRC
+- avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830()
+- avcodec/dstdec: Check that AC probabilities are within range
+- avcodec/dstdec: Check read_table() for failure
+- avcodec/snowenc: Set mb_num to avoid ratecontrol floating point divisions by 0.0
+- avcodec/snowenc: Fix 2 undefined shifts
+- avformat/nutenc: Do not pass NULL to memcmp() in get_needed_flags()
+- avcodec/aacdec_template: Check samplerate
+- avcodec/truemotion2: Fix several integer overflows in tm2_low_res_block()
+- avcodec/utils: Check block_align
+- avcodec/wmalosslessdec: Fix some integer anomalies
+- avcodec/adpcm: Fix invalid shifts in ADPCM DTK
+- avcodec/apedec: Only clear the needed buffer space, instead of all
+- avcodec/libvorbisdec: Fix insufficient input checks leading to out of array reads
+- avcodec/g723_1dec: fix invalid shift with negative sid_gain
+- avcodec/vp5: Check render_x/y
+- avcodec/qdrw: Check input for header/skiped space before get_buffer()
+- avcodec/ralf: Skip initializing unused filter variables
+- avcodec/takdec: Fix overflow with large sample rates
+- avcodec/alsdec: Check that input space for header exists in read_diff_float_data()
+- avformat/pjsdec: Check duration for overflow
+- avcodec/ptx: Check that the input contains at least one line
+- avcodec/alac: Fix integer overflow in LPC
+- avcodec/smacker: Fix integer overflows in pred[] in smka_decode_frame()
+- avcodec/aliaspixdec: Check input size against minimal picture size
+- avcodec/ffwavesynth: Fix integer overflows in pink noise addition
+- avcodec/vc1_block: Fixes integer overflow in vc1_decode_i_block_adv()
+- avcodec/wmalosslessdec: Check block_align
+- avcodec/g729postfilter: Fix left shift of negative value
+- avcodec/binkaudio: Check sample rate
+- avcodec/adpcm: Check initial predictor for ADPCM_IMA_EA_EACS
+- avcodec/g723_1dec: Fix overflow in shift
+- avcodec/apedec: Fix integer overflow in predictor_update_3930()
+- avcodec/g729postfilter: Fix undefined intermediate pointers
+- avcodec/g729postfilter: Fix undefined shifts
+- avcodec/lsp: Fix undefined shifts in lsp2poly()
+- avcodec/adpcm: Fix left shifts in AV_CODEC_ID_ADPCM_EA
+- avformat/shortendec: Check k in probe
+- avfilter/vf_geq: Use av_clipd() instead of av_clipf()
+- avcodec/wmaprodec: Check that the streams channels do not exceed the overall channels
+- avcodec/qdmc: Check input space in qdmc_get_vlc()
+- avcodec/pcm: Check bits_per_coded_sample
+- avcodec/exr: Allow duplicate use of channel indexes
+- avcodec/fitsdec: Fail on 0 naxisn
+- avcodec/ituh263dec: Check input for minimal frame size
+- avcodec/truemotion1: Check that the input has enough space for a minimal index_stream
+- avformat/mpsubdec: Clear queue on error
+- avcodec/sunrast: Check that the input is large enough for the maximally compressed image
+- avcodec/sunrast: Check for availability of maplength before allocating image
+- avformat/subtitles: Check nb_subs in ff_subtitles_queue_finalize()
+- avcodec/wmaprodec: Check if there is a stream
+- avcodec/g2meet: Check for end of input in jpg_decode_block()
+- avcodec/g2meet: Check if adjusted pixel was on the stack
+- avformat/electronicarts: If no packet has been read at the end do not treat it as if theres a packet
+- avcodec/utils: Check sample_rate before opening the decoder
+- avcodec/fitsdec: fix use of uninitialised values
+- avcodec/motionpixels: Mark 2 functions as always_inline
+- avcodec/ralf: Fix integer overflow in decode_channel()
+- vcodec/vc1: compute rangex/y only for P/B frames
+- avcodec/vc1_pred: Fix invalid shifts in scaleforopp()
+- avcodec/vc1_block: Fix invalid shift with rangeredfrm
+- avcodec/vc1: Check for excessive resolution
+- avcodec/vc1: check REFDIST
+- avcodec/apedec: Fix several integer overflows in predictor_update_filter() and do_apply_filter()
+- avcodec/hevc_cabac: Tighten the limit on k in ff_hevc_cu_qp_delta_abs()
+- avcodec/4xm: Check index in decode_i_block() also in the path where its not used.
+- avcodec/atrac3: Check block_align
+- avcodec/alsdec: Avoid dereferencing context pointer in inner interleave loop
+- avcodec/fitsdec: Prevent division by 0 with huge data_max
+- avcodec/dstdec: Fix integer overflow in samples_per_frame computation
+- avcodec/g729_parser: Check block_size
+- avcodec/utils: Optimize ff_color_frame() using memcpy()
+- avcodec/aacdec: Check if we run out of input in read_stream_mux_config()
+- avcodec/utils: Use av_memcpy_backptr() in ff_color_frame()
+- avcodec/smacker: Fix integer overflow in signed int multiply in SMK_BLK_FILL
+- avcodec/alac: Fix invalid shifts in 20/24 bps
+- avcodec/alac: fix undefined behavior with INT_MIN in lpc_prediction()
+- avcodec/ffwavesynth: Fix integer overflow in timestamps
+- avcodec/adpcm: Check number of channels for MTAF
+- avcodec/sunrast: Fix indention
+- avcodec/sunrast: Fix return type for "unsupported (compression) type"
+- avformat/mov: Check for EOF in mov_read_meta()
+- avcodec/hevcdec: Fix memleak of a53_caption
+- avformat/cdxl: Fix integer overflow in intermediate
+- avcodec/hevcdec: repeat character in skiped
+- avcodec/gdv: Replace assert() checking bitstream by if()
+- libavcodec/utils: Free threads on init failure
+- avcodec/htmlsubtitles: Avoid locale dependant isdigit()
+- avcodec/alsdec: Check k from being outside what our implementation can handle
+- avcodec/takdec: Fix integer overflow in decorrelate()
+- avcodec/aacps: Fix integer overflows in hybrid_synthesis()
+- avcodec/vp56rac: delay signaling an error on truncated input
+- avcodec/vp5/6/8: use vpX_rac_is_end()
+- avcodec/vp56: Add vpX_rac_is_end() to check for the end of input
+- avcodec/qdm2: Check frame size
+- avcodec/vc1_pred: Fix refdist in scaleforopp()
+- avcodec/vorbisdec: fix FASTDIV usage for vr_type == 2
+- avcodec/iff: Check for overlap in cmap_read_palette()
+- avcodec/apedec: Fix 32bit int overflow in do_apply_filter()
+- avcodec/ralf: fix undefined shift in extend_code()
+- avcodec/ralf: fix undefined shift
+- avcodec/bgmc: Check input space in ff_bgmc_decode_init()
+- avcodec/truemotion2: Fix multiple integer overflows in tm2_null_res_block()
+- avcodec/vc1dec: Require res_sprite for wmv3images
+- avcodec/vc1_block: Check for double escapes
+- avcodec/vorbisdec: Check get_vlc2() failure
+- avcodec/tta: Fix integer overflow in prediction
+- avcodec/vb: Check input packet size to be large enough to contain flags
+- avcodec/cavsdec: Limit the number of access units per packet to 2
+- avcodec/alac: Check for bps of 0
+- avcodec/alac: Fix multiple integer overflows in lpc_prediction()
+- avcodec/rl2: set dimensions
+- avcodec/aacdec: Add FF_CODEC_CAP_INIT_CLEANUP
+- avcodec/idcinvideo: Add 320x240 default maximum resolution
+- avformat/realtextdec: free queue on error
+- avcodec/alsdec: Fix integer overflow in decode_var_block_data()
+- avcodec/alsdec: Limit maximum channels to 512
+- avcodec/anm: Check input size for a frame with just a stop code
+- avcodec/flicvideo: Optimize and Simplify FLI_COPY in flic_decode_frame_24BPP() by using bytestream2_get_buffer()
+- avcodec/loco: Check left column value
+- avcodec/ffwavesynth: Fixes invalid shift with pink noise seeking
+- avcodec/ffwavesynth: Fix integer overflow for some corner case values
+- avcodec/indeo2: Check remaining input more often
+- avcodec/diracdec: Check that slices are fewer than pixels
+- avcodec/vp56: Consider the alpha start as end of the prior header
+- avcodec/4xm: Check for end of input in decode_p_block()
+- avcodec/hevcdec: Check delta_luma_weight_l0/1
+- avcodec/hnm4video: Optimize postprocess_current_frame()
+- avcodec/hevc_refs: Optimize 16bit generate_missing_ref()
+- avcodec/scpr: Use av_memcpy_backptr() in type 17 and 33
+- avcodec/dds: Use ff_set_dimensions()
+- avcodec/mpc8: Fix 32bit mask/enum
+- avcodec/alsdec: Fix integer overflows of raw_samples in decode_var_block_data()
+- avcodec/alsdec: Fix integer overflow of raw_samples in decode_blocks()
+- avcodec/alsdec: fix mantisse shift
+- avcodec/aacdec_template: fix integer overflow in imdct_and_windowing()
+- libavcodec/iff: Use unsigned to avoid undefined behaviour
+- avcodec/alsdec: Check for block_length <= 0 in read_var_block_data()
+- avcodec/vqavideo: Set video size
+- avcodec/sanm: Check extradata_size before allocations
+- avcodec/mss1: check for overread and forward errors
+- avcodec/dirac_parser: Fix overflow in dts
+- avcodec/ralf: Fix undefined pointer in decode_channel()
+- avcodec/ralf: Fix integer overflow in apply_lpc()
+- avcodec/vorbisdec: Implement vr->classifications = 1
+- avcodec/vorbisdec: Check parameters in vorbis_floor0_decode() before divide
+- avformat/realtextdec: Check for duplicate extradata in realtext_read_header()
+- avcodec/apedec: Fix 2 signed overflows
+- avcodec/mss3: Check for the rac stream being invalid in rac_normalize()
+- avcodec/vc1_block: Check get_vlc2() return before use
+- avcodec/apedec: Do not partially clear data array
+- avcodec/hnm4video: Forward errors of decode_interframe_v4()
+- avcodec/vp3: Check that theora is theora
+- avcodec/vc1_pred: Fix invalid shift in scaleforsame()
+- avcodec/vc1_block: Fix integer overflow in ff_vc1_pred_dc()
+- avcodec/truemotion2: Fix several integer overflows in tm2_motion_block()
+- avcodec/apedec: make left/right unsigned to avoid undefined behavior
+- avcodec/apedec: Fix multiple integer overflows and undefined behaviorin filter_3800()
+- avformat/mpc: deallocate frames array on errors
+- avcodec/eatqi: Check for minimum frame size
+- avcodec/eatgv: Check remaining size after the keyframe header
+- avcodec/assdec: undefined use of memcpy()
+- avcodec/brenderpix: Check input size before allocating image
+- lafv/wavdec: Fail bext parsing on incomplete reads
+- avcodec/utils: fix leak of subtitle_header on error path
+- avcodec/utils: Check close before calling it
+- avcodec/vorbisdec: Check vlc for floor0 dec vector offset
+- avcodec/vorbisdec: amplitude bits can be more than 25 bits
+- avutil/softfloat_ieee754: Fix odd bit position for exponent and sign in av_bits2sf_ieee754()
+- avcodec/apedec: Fix various integer overflows
+- avcodec/apedec: Fix multiple integer overflows in predictor_update_filter()
+- avcodec/alsdec: fix undefined shift in multiply()
+- avcodec/alsdec: Fix 2 integer overflows
+- avcodec/flicvideo: Make line_packets int
+- avcodec/dvbsubdec: Use ff_set_dimensions()
+- avcodec/ffwavesynth: Check if there is enough extradata before allocation
+- avcodec/ffwavesynth: More correct cast in wavesynth_seek()
+- avcodec/ffwavesynth: Check sample rate before use
+- avcodec/dnxhd_parser: Fix parser when input does not have nicely sized packets
+- avcodec/dnxhd_parser: remove unneeded code
+- avformat/utils: Check rfps_duration_sum for overflow
+- avcodec/h264_refs: Also check reference in ff_h264_build_ref_list()
+- avcodec/parser: Check next index validity in ff_combine_frame()
+- avcodec/ivi: Ask for samples with odd tiles
+- avformat/xmv: Make bitrate 64bit
+- avcodec/pngdec: Check that previous_picture has same w/h/format
+- avcodec/huffyuv: remove gray8a (the format is listed but not supported by the implementation)
+- avcodec/mpc8: Fixes invalid shift in mpc8_decode_frame()
+- avcodec/utils, avcodec_open2: close codec on failure
+- avcodec/golomb: Correct the doxy about get_ue_golomb() and errors
+- avformat/utils: Check timebase before use in estimate_timings()
+- avcodec/hq_hqa: Use ff_set_dimensions()
+- avcodec/rv10: Fix integer overflow in aspect ratio compare
+- avcodec/4xm: Fix signed integer overflows in idct()
+- avcodec/qdm2: Check checksum_size for 0
+- avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop
+- avcodec/qdm2: Do not read out of array in fix_coding_method_array()
+- avcodec/svq3: Use ff_set_dimension()
+- avcodec/iff: Check ham vs bpp
+- avcodec/ffwavesynth: use uint32_t to compute difference, it is enough
+- avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case
+- avcodec/ffwavesynth: Fix backward lcg_seek()
+- avcodec/flicvideo: Fix off by 1 error in flic_decode_frame_24BPP()
+- avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff()
+- avcodec/alac: Check lpc_quant
+- avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP
+- avcodec/alsdec: Fix integer overflow with buffer number
+- avcodec/alsdec: Fixes signed integer overflow in LSB addition
+- avcodec/alsdec: Check opt_order / sb_length in ra_block handling
+- avcodec/alsdec: Fix integer overflow with shifting samples
+- avcodec/alsdec: Fix undefined behavior in decode_rice()
+- avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT()
+- avcodec/hevc_ps: Change num_tile_rows/columns checks to sps->ctb_height/weight
+- avcodec/hevc_ps: Fix integer overflow with num_tile_rows and num_tile_columns
+- avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check
+- avformat/aviobuf: Delay buffer downsizing until asserts are met
+- avcodec/fitsdec: Check data_min/max
+- avcodec/m101: Fix off be 2 error
+- avcodec/qdm2: Move fft_order check up
+- avcodec/libvorbisdec: Check extradata size
+- avformat/vqf: Check header_size
+- avcodec/utils: Check bits_per_coded_sample
+- avcodec/videodsp_template: Fix overflow of addition
+- avcodec/alsdec: Fix invalid shift in multiply()
+- avcodec/ffwavesynth: Check ts_end - ts_start for overflow
+- avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c
+- avcodec/tta: Fix undefined shift
+- avcodec/qdmc: Fix integer overflows in PRNG
+- avcodec/bintext: Check font height
+- avcodec/binkdsp: Fix integer overflows in idct
+- avcodec/motionpixels: Check for vlc error in mp_get_vlc()
+- avcodec/loco: Limit lossy parameter so it is sane and does not overflow
+- avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed
+- avcodec/xpmdec: Do not use context dimensions as temporary variables
+- avcodec/fitsdec: Fix division by 0 in size check
+- avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c()
+- avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block()
+- avcodec/iff: finetune the palette size check in the mask case
+- avcodec/iff: Fix mask_buf / mask_palbuf leak
+- avformat/icodec: Free ico->images on error paths
+- avformat/wsddec: Fix undefined shift
+- avcodec/fmvc: Check if header fields are available before allocating the image
+- avcodec/bink: Reorder operations in init to avoid memleak on error
+- avformat/wtvdec: Avoid (32bit signed) sectors
+- avcodec/bitstream: Check for more conflicting codes in build_table()
+- avcodec/bitstream: Check for integer code truncation in build_table()
+- avformat/sbgdec: Fixes integer overflow in str_to_time() with hours
+- avformat/vpk: Check offset for validity
+- avformat/vpk: Fix integer overflow in samples_per_block computation
+- avcodec/mjpegdec: Check for non ls PAL8
+- avcodec/interplayvideo: check decoding_map_size with video_data_size
+- avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle
+- avcodec/mss4: Check input size against skip bits
+- avcodec/diracdec: Fix integer overflow in global_mv()
+- avcodec/vmnc: Check available space against chunks before reget_buffer()
+- avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure)
+- avcodec/aacdec_fixed: Handle more extreem cases in noise_scale()
+- avcodec/aacdec_template: Merge 3 #ifs related to noise handling
+- avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify
+- avformat/mp3enc: Avoid SEEK_END as it is unsupported
+- avcodec/truemotion2: Fix several integer overflows in tm2_update_block()
+- avformat/webm_chunk: Specify expected argument length of get_chunk_filename()
+- avformat/webm_chunk: Check header filename length
+- avcodec/cpia: Check input size also against linesizes and EOL
+- swscale/tests/swscale: Lengthen pixfmt name buffer to 21 bytes
+- libswcale: Fix possible string overflow in test.
+- avcodec/hq_hqa: Check available space before reading slice offsets
+- lavf/webm_chunk: Respect buffer size
+- avcodec/fits: Check bitpix
+- avcodec/jvdec: Use ff_get_buffer() when the content is not reused
+- avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block()
+- avcodec/jpeg2000: Check stepsize before using it
+- avcodec/aacdec_fixed: Fix undefined shift in noise_scale()
+- avutil/avstring: Fix bug and undefined behavior in av_strncasecmp()
+- avformat/mov: Skip stsd adjustment without chunks
+- avformat/aadec: Check for scanf() failure
+- avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside
+- avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform()
+- avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation
+- avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks()
+- avcodec/rscc: Check that the to be uncompressed input is large enough
+- avcodec/bsf: check that AVBSFInternal was allocated before dereferencing it
+- lavf/rawenc: Only accept the appropriate stream type for raw muxers.
+- avcodec/h263dec: fix hwaccel decoding
+- avutil/mem: Fix invalid use of av_alloc_size
+- avformat/aacdec: resync to the next adts frame on invalid data instead of aborting
+- avformat/aacdec: factorize the adts frame resync code
+
 version 3.4.6:
 - avcodec/hevcdec: Avoid only partly skiping duplicate first slices
 - lavc/bmp: Avoid a heap buffer overwrite for 1bpp input.
@@ -1 +1 @@
-3.4.6
+3.4.7
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 3.4.6
+PROJECT_NUMBER         = 3.4.7

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -158,7 +158,7 @@ typedef struct FourXContext {
 #define FIX_1_847759065 121095
 #define FIX_2_613125930 171254

-#define MULTIPLY(var, const) (((var) * (const)) >> 16)
+#define MULTIPLY(var, const) ((int)((var) * (unsigned)(const)) >> 16)

 static void idct(int16_t block[64])
 {
@@ -351,6 +351,8 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, const uint16_t *src,
    index = size2index[log2h][log2w];
    av_assert0(index >= 0);

+    if (get_bits_left(&f->gb) < 1)
+        return AVERROR_INVALIDDATA;
    h     = 1 << log2h;
    code  = get_vlc2(&f->gb, block_type_vlc[1 - (f->version > 1)][index].table,
                     BLOCK_TYPE_VLC_BITS, 1);
@@ -523,6 +525,10 @@ static int decode_i_block(FourXContext *f, int16_t *block)
            break;
        if (code == 0xf0) {
            i += 16;
+            if (i >= 64) {
+                av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i);
+                return 0;
+            }
        } else {
            if (code & 0xf) {
                level = get_xbits(&f->gb, code & 0xf);
@@ -411,6 +411,8 @@ static int read_stream_mux_config(struct LATMContext *latmctx,
            } else {
                int esc;
                do {
+                    if (get_bits_left(gb) < 9)
+                        return AVERROR_INVALIDDATA;
                    esc = get_bits(gb, 1);
                    skip_bits(gb, 8);
                } while (esc);
@@ -561,7 +563,7 @@ AVCodec ff_aac_decoder = {
        AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE
    },
    .capabilities    = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1,
-    .caps_internal   = FF_CODEC_CAP_INIT_THREADSAFE,
+    .caps_internal   = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP,
    .channel_layouts = aac_channel_layout,
    .flush = flush,
    .priv_class      = &aac_decoder_class,
@@ -586,7 +588,7 @@ AVCodec ff_aac_latm_decoder = {
        AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE
    },
    .capabilities    = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1,
-    .caps_internal   = FF_CODEC_CAP_INIT_THREADSAFE,
+    .caps_internal   = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP,
    .channel_layouts = aac_channel_layout,
    .flush = flush,
    .profiles        = NULL_IF_CONFIG_SMALL(ff_aac_profiles),
@@ -195,12 +195,12 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len)

 static void noise_scale(int *coefs, int scale, int band_energy, int len)
 {
-    int ssign = scale < 0 ? -1 : 1;
-    int s = FFABS(scale);
+    int s = -scale;
    unsigned int round;
    int i, out, c = exp2tab[s & 3];
    int nlz = 0;

+    av_assert0(s >= 0);
    while (band_energy > 0x7fff) {
        band_energy >>= 1;
        nlz++;
@@ -216,15 +216,20 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len)
        round = s ? 1 << (s-1) : 0;
        for (i=0; i<len; i++) {
            out = (int)(((int64_t)coefs[i] * c) >> 32);
-            coefs[i] = ((int)(out+round) >> s) * ssign;
+            coefs[i] = -((int)(out+round) >> s);
        }
    }
    else {
        s = s + 32;
-        round = 1 << (s-1);
-        for (i=0; i<len; i++) {
-            out = (int)((int64_t)((int64_t)coefs[i] * c + round) >> s);
-            coefs[i] = out * ssign;
+        if (s > 0) {
+            round = 1 << (s-1);
+            for (i=0; i<len; i++) {
+                out = (int)((int64_t)((int64_t)coefs[i] * c + round) >> s);
+                coefs[i] = -out;
+            }
+        } else {
+            for (i=0; i<len; i++)
+                coefs[i] = -(int64_t)coefs[i] * c * (1 << -s);
        }
    }
 }
@@ -1156,6 +1156,9 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
    AACContext *ac = avctx->priv_data;
    int ret;

+    if (avctx->sample_rate > 96000)
+        return AVERROR_INVALIDDATA;
+
    ret = ff_thread_once(&aac_table_init, &aac_static_table_init);
    if (ret != 0)
        return AVERROR_UNKNOWN;
@@ -1672,25 +1675,24 @@ static int decode_spectrum_and_dequant(AACContext *ac, INTFLOAT coef[1024],
                }
            } else if (cbt_m1 == NOISE_BT - 1) {
                for (group = 0; group < (AAC_SIGNE)g_len; group++, cfo+=128) {
-#if !USE_FIXED
-                    float scale;
-#endif /* !USE_FIXED */
                    INTFLOAT band_energy;
-
+#if USE_FIXED
                    for (k = 0; k < off_len; k++) {
                        ac->random_state  = lcg_random(ac->random_state);
-#if USE_FIXED
                        cfo[k] = ac->random_state >> 3;
-#else
-                        cfo[k] = ac->random_state;
-#endif /* USE_FIXED */
                    }

-#if USE_FIXED
                    band_energy = ac->fdsp->scalarproduct_fixed(cfo, cfo, off_len);
                    band_energy = fixed_sqrt(band_energy, 31);
                    noise_scale(cfo, sf[idx], band_energy, off_len);
 #else
+                    float scale;
+
+                    for (k = 0; k < off_len; k++) {
+                        ac->random_state  = lcg_random(ac->random_state);
+                        cfo[k] = ac->random_state;
+                    }
+
                    band_energy = ac->fdsp->scalarproduct_float(cfo, cfo, off_len);
                    scale = sf[idx] / sqrtf(band_energy);
                    ac->fdsp->vector_fmul_scalar(cfo, cfo, scale, off_len);
@@ -2463,6 +2465,9 @@ static void apply_tns(INTFLOAT coef_param[1024], TemporalNoiseShaping *tns,
    INTFLOAT tmp[TNS_MAX_ORDER+1];
    UINTFLOAT *coef = coef_param;

+    if(!mmm)
+        return;
+
    for (w = 0; w < ics->num_windows; w++) {
        bottom = ics->num_swb;
        for (filt = 0; filt < tns->n_filt[w]; filt++) {
@@ -2627,7 +2632,7 @@ static void imdct_and_windowing(AACContext *ac, SingleChannelElement *sce)
        ac->mdct.imdct_half(&ac->mdct, buf, in);
 #if USE_FIXED
        for (i=0; i<1024; i++)
-          buf[i] = (buf[i] + 4) >> 3;
+          buf[i] = (buf[i] + 4LL) >> 3;
 #endif /* USE_FIXED */
    }

@@ -414,33 +414,33 @@ static void hybrid_synthesis(PSDSPContext *dsp, INTFLOAT out[2][38][64],
            memset(out[0][n], 0, 5*sizeof(out[0][n][0]));
            memset(out[1][n], 0, 5*sizeof(out[1][n][0]));
            for (i = 0; i < 12; i++) {
-                out[0][n][0] += in[   i][n][0];
-                out[1][n][0] += in[   i][n][1];
+                out[0][n][0] += (UINTFLOAT)in[   i][n][0];
+                out[1][n][0] += (UINTFLOAT)in[   i][n][1];
            }
            for (i = 0; i < 8; i++) {
-                out[0][n][1] += in[12+i][n][0];
-                out[1][n][1] += in[12+i][n][1];
+                out[0][n][1] += (UINTFLOAT)in[12+i][n][0];
+                out[1][n][1] += (UINTFLOAT)in[12+i][n][1];
            }
            for (i = 0; i < 4; i++) {
-                out[0][n][2] += in[20+i][n][0];
-                out[1][n][2] += in[20+i][n][1];
-                out[0][n][3] += in[24+i][n][0];
-                out[1][n][3] += in[24+i][n][1];
-                out[0][n][4] += in[28+i][n][0];
-                out[1][n][4] += in[28+i][n][1];
+                out[0][n][2] += (UINTFLOAT)in[20+i][n][0];
+                out[1][n][2] += (UINTFLOAT)in[20+i][n][1];
+                out[0][n][3] += (UINTFLOAT)in[24+i][n][0];
+                out[1][n][3] += (UINTFLOAT)in[24+i][n][1];
+                out[0][n][4] += (UINTFLOAT)in[28+i][n][0];
+                out[1][n][4] += (UINTFLOAT)in[28+i][n][1];
            }
        }
        dsp->hybrid_synthesis_deint(out, in + 27, 5, len);
    } else {
        for (n = 0; n < len; n++) {
-            out[0][n][0] = in[0][n][0] + in[1][n][0] + in[2][n][0] +
-                           in[3][n][0] + in[4][n][0] + in[5][n][0];
-            out[1][n][0] = in[0][n][1] + in[1][n][1] + in[2][n][1] +
-                           in[3][n][1] + in[4][n][1] + in[5][n][1];
-            out[0][n][1] = in[6][n][0] + in[7][n][0];
-            out[1][n][1] = in[6][n][1] + in[7][n][1];
-            out[0][n][2] = in[8][n][0] + in[9][n][0];
-            out[1][n][2] = in[8][n][1] + in[9][n][1];
+            out[0][n][0] = (UINTFLOAT)in[0][n][0] + in[1][n][0] + in[2][n][0] +
+                           (UINTFLOAT)in[3][n][0] + in[4][n][0] + in[5][n][0];
+            out[1][n][0] = (UINTFLOAT)in[0][n][1] + in[1][n][1] + in[2][n][1] +
+                           (UINTFLOAT)in[3][n][1] + in[4][n][1] + in[5][n][1];
+            out[0][n][1] = (UINTFLOAT)in[6][n][0] + in[7][n][0];
+            out[1][n][1] = (UINTFLOAT)in[6][n][1] + in[7][n][1];
+            out[0][n][2] = (UINTFLOAT)in[8][n][0] + in[9][n][0];
+            out[1][n][2] = (UINTFLOAT)in[8][n][1] + in[9][n][1];
        }
        dsp->hybrid_synthesis_deint(out, in + 7, 3, len);
    }
@@ -54,10 +54,10 @@ static void ps_hybrid_analysis_c(INTFLOAT (*out)[2], INTFLOAT (*in)[2],
        INT64FLOAT sum_im = (INT64FLOAT)filter[i][6][0] * in[6][1];

        for (j = 0; j < 6; j++) {
-            INTFLOAT in0_re = in[j][0];
-            INTFLOAT in0_im = in[j][1];
-            INTFLOAT in1_re = in[12-j][0];
-            INTFLOAT in1_im = in[12-j][1];
+            INT64FLOAT in0_re = in[j][0];
+            INT64FLOAT in0_im = in[j][1];
+            INT64FLOAT in1_re = in[12-j][0];
+            INT64FLOAT in1_im = in[12-j][1];
            sum_re += (INT64FLOAT)filter[i][j][0] * (in0_re + in1_re) -
                      (INT64FLOAT)filter[i][j][1] * (in0_im - in1_im);
            sum_im += (INT64FLOAT)filter[i][j][0] * (in0_im + in1_im) +
@@ -110,6 +110,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
    case AV_CODEC_ID_ADPCM_MTAF:
        min_channels = 2;
        max_channels = 8;
+        if (avctx->channels & 1) {
+            avpriv_request_sample(avctx, "channel count %d\n", avctx->channels);
+            return AVERROR_PATCHWELCOME;
+        }
        break;
    case AV_CODEC_ID_ADPCM_PSX:
        max_channels = 8;
@@ -289,7 +293,7 @@ static inline int16_t adpcm_ima_oki_expand_nibble(ADPCMChannelStatus *c, int nib
    c->predictor = av_clip_intp2(predictor, 11);
    c->step_index = step_index;

-    return c->predictor << 4;
+    return c->predictor * 16;
 }

 static inline int16_t adpcm_ct_expand_nibble(ADPCMChannelStatus *c, int8_t nibble)
@@ -1134,8 +1138,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                return AVERROR_INVALIDDATA;
            }
        }
-        for (i=0; i<=st; i++)
+        for (i=0; i<=st; i++) {
            c->status[i].predictor  = bytestream2_get_le32u(&gb);
+            if (FFABS(c->status[i].predictor) > (1<<16))
+                return AVERROR_INVALIDDATA;
+        }

        for (n = nb_samples >> (1 - st); n > 0; n--) {
            int byte   = bytestream2_get_byteu(&gb);
@@ -1283,10 +1290,10 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,

                    for (count2=0; count2<28; count2++) {
                        if (count2 & 1)
-                            next_sample = sign_extend(byte,    4) << shift;
+                            next_sample = (unsigned)sign_extend(byte,    4) << shift;
                        else {
                            byte = bytestream2_get_byte(&gb);
-                            next_sample = sign_extend(byte >> 4, 4) << shift;
+                            next_sample = (unsigned)sign_extend(byte >> 4, 4) << shift;
                        }

                        next_sample += (current_sample  * coeff1) +
@@ -1623,7 +1630,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                    else
                        sampledat = sign_extend(byte >> 4, 4);

-                    sampledat = (((sampledat << 12) >> (header & 0xf)) << 6) + prev;
+                    sampledat = ((sampledat * (1 << 12)) >> (header & 0xf)) * (1 << 6) + prev;
                    *samples++ = av_clip_int16(sampledat >> 6);
                    c->status[channel].sample2 = c->status[channel].sample1;
                    c->status[channel].sample1 = sampledat;
@@ -171,12 +171,12 @@ static inline int sign_only(int v)
    return v ? FFSIGN(v) : 0;
 }

-static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out,
+static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out,
                           int nb_samples, int bps, int16_t *lpc_coefs,
                           int lpc_order, int lpc_quant)
 {
    int i;
-    int32_t *pred = buffer_out;
+    uint32_t *pred = buffer_out;

    /* first sample always copies */
    *buffer_out = *error_buffer;
@@ -208,26 +208,26 @@ static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out,
    for (; i < nb_samples; i++) {
        int j;
        int val = 0;
-        int error_val = error_buffer[i];
+        unsigned error_val = error_buffer[i];
        int error_sign;
        int d = *pred++;

        /* LPC prediction */
        for (j = 0; j < lpc_order; j++)
            val += (pred[j] - d) * lpc_coefs[j];
-        val = (val + (1 << (lpc_quant - 1))) >> lpc_quant;
+        val = (val + (1LL << (lpc_quant - 1))) >> lpc_quant;
        val += d + error_val;
        buffer_out[i] = sign_extend(val, bps);

        /* adapt LPC coefficients */
        error_sign = sign_only(error_val);
        if (error_sign) {
-            for (j = 0; j < lpc_order && error_val * error_sign > 0; j++) {
+            for (j = 0; j < lpc_order && (int)(error_val * error_sign) > 0; j++) {
                int sign;
                val  = d - pred[j];
                sign = sign_only(val) * error_sign;
                lpc_coefs[j] -= sign;
-                val *= sign;
+                val *= (unsigned)sign;
                error_val -= (val >> lpc_quant) * (j + 1);
            }
        }
@@ -250,10 +250,12 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,

    alac->extra_bits = get_bits(&alac->gb, 2) << 3;
    bps = alac->sample_size - alac->extra_bits + channels - 1;
-    if (bps > 32U) {
+    if (bps > 32) {
        avpriv_report_missing_feature(avctx, "bps %d", bps);
        return AVERROR_PATCHWELCOME;
    }
+    if (bps < 1)
+        return AVERROR_INVALIDDATA;

    /* whether the frame is compressed */
    is_compressed = !get_bits1(&alac->gb);
@@ -306,7 +308,7 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,
            rice_history_mult[ch] = get_bits(&alac->gb, 3);
            lpc_order[ch]         = get_bits(&alac->gb, 5);

-            if (lpc_order[ch] >= alac->max_samples_per_frame)
+            if (lpc_order[ch] >= alac->max_samples_per_frame || !lpc_quant[ch])
                return AVERROR_INVALIDDATA;

            /* read the predictor table */
@@ -395,13 +397,13 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,
    case 20: {
        for (ch = 0; ch < channels; ch++) {
            for (i = 0; i < alac->nb_samples; i++)
-                alac->output_samples_buffer[ch][i] <<= 12;
+                alac->output_samples_buffer[ch][i] *= 1 << 12;
        }}
        break;
    case 24: {
        for (ch = 0; ch < channels; ch++) {
            for (i = 0; i < alac->nb_samples; i++)
-                alac->output_samples_buffer[ch][i] <<= 8;
+                alac->output_samples_buffer[ch][i] *= 1 << 8;
        }}
        break;
    }
@@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    if (ret < 0)
        return ret;

+    if (bytestream2_get_bytes_left(&gb) < width*height / 255)
+        return AVERROR_INVALIDDATA;
+
    ret = ff_get_buffer(avctx, f, 0);
    if (ret < 0)
        return ret;
@@ -348,6 +348,11 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
    if (als_id != MKBETAG('A','L','S','\0'))
        return AVERROR_INVALIDDATA;

+    if (avctx->channels > FF_SANE_NB_CHANNELS) {
+        avpriv_request_sample(avctx, "Huge number of channels\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
    ctx->cur_frame_length = sconf->frame_length;

    // read channel config
@@ -487,7 +492,7 @@ static void parse_bs_info(const uint32_t bs_info, unsigned int n,
 static int32_t decode_rice(GetBitContext *gb, unsigned int k)
 {
    int max = get_bits_left(gb) - k;
-    int q   = get_unary(gb, 0, max);
+    unsigned q = get_unary(gb, 0, max);
    int r   = k ? get_bits1(gb) : !(q & 1);

    if (k > 1) {
@@ -507,7 +512,7 @@ static void parcor_to_lpc(unsigned int k, const int32_t *par, int32_t *cof)
    int i, j;

    for (i = 0, j = k - 1; i < j; i++, j--) {
-        int tmp1 = ((MUL64(par[k], cof[j]) + (1 << 19)) >> 20);
+        unsigned tmp1 = ((MUL64(par[k], cof[j]) + (1 << 19)) >> 20);
        cof[j]  += ((MUL64(par[k], cof[i]) + (1 << 19)) >> 20);
        cof[i]  += tmp1;
    }
@@ -657,7 +662,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)

    // do not continue in case of a damaged stream since
    // block_length must be evenly divisible by sub_blocks
-    if (bd->block_length & (sub_blocks - 1)) {
+    if (bd->block_length & (sub_blocks - 1) || bd->block_length <= 0) {
        av_log(avctx, AV_LOG_WARNING,
               "Block length is not evenly divisible by the number of subblocks.\n");
        return AVERROR_INVALIDDATA;
@@ -772,8 +777,8 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
        if (*bd->use_ltp) {
            int r, c;

-            bd->ltp_gain[0]   = decode_rice(gb, 1) << 3;
-            bd->ltp_gain[1]   = decode_rice(gb, 2) << 3;
+            bd->ltp_gain[0]   = decode_rice(gb, 1) * 8;
+            bd->ltp_gain[1]   = decode_rice(gb, 2) * 8;

            r                 = get_unary(gb, 0, 4);
            c                 = get_bits(gb, 2);
@@ -784,8 +789,8 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)

            bd->ltp_gain[2]   = ltp_gain_values[r][c];

-            bd->ltp_gain[3]   = decode_rice(gb, 2) << 3;
-            bd->ltp_gain[4]   = decode_rice(gb, 1) << 3;
+            bd->ltp_gain[3]   = decode_rice(gb, 2) * 8;
+            bd->ltp_gain[4]   = decode_rice(gb, 1) * 8;

            *bd->ltp_lag      = get_bits(gb, ctx->ltp_lag_length);
            *bd->ltp_lag     += FFMAX(4, opt_order + 1);
@@ -794,14 +799,20 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)

    // read first value and residuals in case of a random access block
    if (bd->ra_block) {
+        start = FFMIN(opt_order, 3);
+        av_assert0(sb_length <= sconf->frame_length);
+        if (sb_length <= start) {
+            // opt_order or sb_length may be corrupted, either way this is unsupported and not well defined in the specification
+            av_log(avctx, AV_LOG_ERROR, "Sub block length smaller or equal start\n");
+            return AVERROR_PATCHWELCOME;
+        }
+
        if (opt_order)
            bd->raw_samples[0] = decode_rice(gb, avctx->bits_per_raw_sample - 4);
        if (opt_order > 1)
            bd->raw_samples[1] = decode_rice(gb, FFMIN(s[0] + 3, ctx->s_max));
        if (opt_order > 2)
            bd->raw_samples[2] = decode_rice(gb, FFMIN(s[0] + 1, ctx->s_max));
-
-        start = FFMIN(opt_order, 3);
    }

    // read all residuals
@@ -815,7 +826,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
        unsigned int low;
        unsigned int value;

-        ff_bgmc_decode_init(gb, &high, &low, &value);
+        int ret = ff_bgmc_decode_init(gb, &high, &low, &value);
+        if (ret < 0)
+            return ret;

        current_res = bd->raw_samples + start;

@@ -825,6 +838,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            k    [sb] = s[sb] > b ? s[sb] - b : 0;
            delta[sb] = 5 - s[sb] + k[sb];

+            if (k[sb] >= 32)
+                return AVERROR_INVALIDDATA;
+
            ff_bgmc_decode(gb, sb_len, current_res,
                        delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status);

@@ -866,7 +882,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
                    res >>= 1;

                    if (cur_k) {
-                        res  *= 1 << cur_k;
+                        res  *= 1U << cur_k;
                        res  |= get_bits_long(gb, cur_k);
                    }
                }
@@ -917,7 +933,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            y = 1 << 6;

            for (base = begin; base < end; base++, tab++)
-                y += MUL64(bd->ltp_gain[tab], raw_samples[base]);
+                y += (uint64_t)MUL64(bd->ltp_gain[tab], raw_samples[base]);

            raw_samples[ltp_smp] += y >> 7;
        }
@@ -929,7 +945,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            y = 1 << 19;

            for (sb = 0; sb < smp; sb++)
-                y += MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]);
+                y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]);

            *raw_samples++ -= y >> 20;
            parcor_to_lpc(smp, quant_cof, lpc_cof);
@@ -945,7 +961,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)

        // reconstruct difference signal for prediction (joint-stereo)
        if (bd->js_blocks && bd->raw_other) {
-            int32_t *left, *right;
+            uint32_t *left, *right;

            if (bd->raw_other > raw_samples) {  // D = R - L
                left  = raw_samples;
@@ -979,7 +995,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
        y = 1 << 19;

        for (sb = -opt_order; sb < 0; sb++)
-            y += MUL64(lpc_cof[sb], raw_samples[sb]);
+            y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[sb]);

        *raw_samples -= y >> 20;
    }
@@ -1038,7 +1054,7 @@ static int decode_block(ALSDecContext *ctx, ALSBlockData *bd)

    if (*bd->shift_lsbs)
        for (smp = 0; smp < bd->block_length; smp++)
-            bd->raw_samples[smp] <<= *bd->shift_lsbs;
+            bd->raw_samples[smp] = (unsigned)bd->raw_samples[smp] << *bd->shift_lsbs;

    return 0;
 }
@@ -1174,10 +1190,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
                av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel pair.\n");

            for (s = 0; s < div_blocks[b]; s++)
-                bd[0].raw_samples[s] = bd[1].raw_samples[s] - bd[0].raw_samples[s];
+                bd[0].raw_samples[s] = bd[1].raw_samples[s] - (unsigned)bd[0].raw_samples[s];
        } else if (bd[1].js_blocks) {
            for (s = 0; s < div_blocks[b]; s++)
-                bd[1].raw_samples[s] = bd[1].raw_samples[s] + bd[0].raw_samples[s];
+                bd[1].raw_samples[s] = bd[1].raw_samples[s] + (unsigned)bd[0].raw_samples[s];
        }

        offset  += div_blocks[b];
@@ -1384,6 +1400,9 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) {
    mantissa_temp = (uint64_t)a.mant * (uint64_t)b.mant;
    mask_64       = (uint64_t)0x1 << 47;

+    if (!mantissa_temp)
+        return FLOAT_0;
+
    // Count the valid bit count
    while (!(mantissa_temp & mask_64) && mask_64) {
        bit_count--;
@@ -1400,7 +1419,11 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) {
        }
    }

-    mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count);
+    if (cutoff_bit_count >= 0) {
+        mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count);
+    } else {
+        mantissa = (unsigned int)(mantissa_temp <<-cutoff_bit_count);
+    }

    // Need one more shift?
    if (mantissa & 0x01000000ul) {
@@ -1412,7 +1435,7 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) {
        return_val = 0x80000000U;
    }

-    return_val |= (a.exp + b.exp + bit_count - 47) << 23;
+    return_val |= ((unsigned)av_clip(a.exp + b.exp + bit_count - 47, -126, 127) << 23) & 0x7F800000;
    return_val |= mantissa;
    return av_bits2sf_ieee754(return_val);
 }
@@ -1457,6 +1480,9 @@ static int read_diff_float_data(ALSDecContext *ctx, unsigned int ra_frame) {
        ff_mlz_flush_dict(ctx->mlz);
    }

+    if (avctx->channels * 8 > get_bits_left(gb))
+        return AVERROR_INVALIDDATA;
+
    for (c = 0; c < avctx->channels; ++c) {
        if (use_acf) {
            //acf_flag
@@ -1797,15 +1823,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
    #define INTERLEAVE_OUTPUT(bps)                                                   \
    {                                                                                \
        int##bps##_t *dest = (int##bps##_t*)frame->data[0];                          \
+        int channels = avctx->channels;                                              \
+        int32_t **raw_samples = ctx->raw_samples;                                    \
        shift = bps - ctx->avctx->bits_per_raw_sample;                               \
        if (!ctx->cs_switch) {                                                       \
            for (sample = 0; sample < ctx->cur_frame_length; sample++)               \
-                for (c = 0; c < avctx->channels; c++)                                \
-                    *dest++ = ctx->raw_samples[c][sample] << shift;                  \
+                for (c = 0; c < channels; c++)                                       \
+                    *dest++ = raw_samples[c][sample] * (1U << shift);                \
        } else {                                                                     \
            for (sample = 0; sample < ctx->cur_frame_length; sample++)               \
-                for (c = 0; c < avctx->channels; c++)                                \
-                    *dest++ = ctx->raw_samples[sconf->chan_pos[c]][sample] << shift; \
+                for (c = 0; c < channels; c++)                                       \
+                    *dest++ = raw_samples[sconf->chan_pos[c]][sample] * (1U << shift);\
        }                                                                            \
    }

@@ -1989,6 +2017,8 @@ static av_cold int decode_init(AVCodecContext *avctx)

    // allocate quantized parcor coefficient buffer
    num_buffers = sconf->mc_coding ? avctx->channels : 1;
+    if (num_buffers * (uint64_t)num_buffers > INT_MAX) // protect chan_data_buffer allocation
+        return AVERROR_INVALIDDATA;

    ctx->quant_cof        = av_malloc_array(num_buffers, sizeof(*ctx->quant_cof));
    ctx->lpc_cof          = av_malloc_array(num_buffers, sizeof(*ctx->lpc_cof));
@@ -2121,7 +2151,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
    return 0;

 fail:
-    decode_end(avctx);
    return ret;
 }

@@ -2147,4 +2176,5 @@ AVCodec ff_als_decoder = {
    .decode         = decode_frame,
    .flush          = flush,
    .capabilities   = AV_CODEC_CAP_SUBFRAMES | AV_CODEC_CAP_DR1,
+    .caps_internal  = FF_CODEC_CAP_INIT_CLEANUP,
 };
@@ -119,6 +119,9 @@ static int decode_frame(AVCodecContext *avctx,
    uint8_t *dst, *dst_end;
    int count, ret;

+    if (buf_size < 7)
+        return AVERROR_INVALIDDATA;
+
    if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
        return ret;
    dst     = s->frame->data[0];
@@ -460,7 +460,7 @@ static inline void update_rice(APERice *rice, unsigned int x)

    if (rice->ksum < lim)
        rice->k--;
-    else if (rice->ksum >= (1 << (rice->k + 5)))
+    else if (rice->ksum >= (1 << (rice->k + 5)) && rice->k < 24)
        rice->k++;
 }

@@ -554,7 +554,7 @@ static inline int ape_decode_value_3990(APEContext *ctx, APERice *rice)
    overflow = range_get_symbol(ctx, counts_3980, counts_diff_3980);

    if (overflow == (MODEL_ELEMENTS - 1)) {
-        overflow  = range_decode_bits(ctx, 16) << 16;
+        overflow  = (unsigned)range_decode_bits(ctx, 16) << 16;
        overflow |= range_decode_bits(ctx, 16);
    }

@@ -589,7 +589,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb,
                              int32_t *out, APERice *rice, int blockstodecode)
 {
    int i;
-    int ksummax, ksummin;
+    unsigned ksummax, ksummin;

    rice->ksum = 0;
    for (i = 0; i < FFMIN(blockstodecode, 5); i++) {
@@ -836,7 +836,7 @@ static av_always_inline int filter_fast_3320(APEPredictor *p,
    else
        p->coeffsA[filter][0]--;

-    p->filterA[filter] += p->lastA[filter];
+    p->filterA[filter] += (unsigned)p->lastA[filter];

    return p->filterA[filter];
 }
@@ -859,9 +859,9 @@ static av_always_inline int filter_3800(APEPredictor *p,
        return predictionA;
    }
    d2 =  p->buf[delayA];
-    d1 = (p->buf[delayA] - p->buf[delayA - 1]) << 1;
-    d0 =  p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) << 3);
-    d3 =  p->buf[delayB] * 2 - p->buf[delayB - 1];
+    d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U;
+    d0 =  p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U);
+    d3 =  p->buf[delayB] * 2U - p->buf[delayB - 1];
    d4 =  p->buf[delayB];

    predictionA = d0 * p->coeffsA[filter][0] +
@@ -881,7 +881,7 @@ static av_always_inline int filter_3800(APEPredictor *p,
    p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign;

    p->filterB[filter] = p->lastA[filter] + (predictionB >> shift);
-    p->filterA[filter] = p->filterB[filter] + ((p->filterA[filter] * 31) >> 5);
+    p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5);

    return p->filterA[filter];
 }
@@ -902,7 +902,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len
        dotprod = 0;
        sign = APESIGN(buffer[i]);
        for (j = 0; j < order; j++) {
-            dotprod += delay[j] * coeffs[j];
+            dotprod += delay[j] * (unsigned)coeffs[j];
            coeffs[j] += ((delay[j] >> 31) | 1) * sign;
        }
        buffer[i] -= dotprod >> shift;
@@ -916,7 +916,8 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length)
 {
    int i, j;
    int32_t dotprod, sign;
-    int32_t coeffs[8] = { 0 }, delay[8] = { 0 };
+    int32_t delay[8] = { 0 };
+    uint32_t coeffs[8] = { 0 };

    for (i = 0; i < length; i++) {
        dotprod = 0;
@@ -1051,7 +1052,7 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
                  d3 * p->coeffsA[filter][3];

    p->lastA[filter] = decoded + (predictionA >> 9);
-    p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5);
+    p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5);

    sign = APESIGN(decoded);
    p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign;
@@ -1121,7 +1122,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p,

    p->buf[delayA]     = p->lastA[filter];
    p->buf[adaptA]     = APESIGN(p->buf[delayA]);
-    p->buf[delayA - 1] = p->buf[delayA] - p->buf[delayA - 1];
+    p->buf[delayA - 1] = p->buf[delayA] - (unsigned)p->buf[delayA - 1];
    p->buf[adaptA - 1] = APESIGN(p->buf[delayA - 1]);

    predictionA = p->buf[delayA    ] * p->coeffsA[filter][0] +
@@ -1130,9 +1131,9 @@ static av_always_inline int predictor_update_filter(APEPredictor *p,
                  p->buf[delayA - 3] * p->coeffsA[filter][3];

    /*  Apply a scaled first-order filter compression */
-    p->buf[delayB]     = p->filterA[filter ^ 1] - ((p->filterB[filter] * 31) >> 5);
+    p->buf[delayB]     = p->filterA[filter ^ 1] - ((int)(p->filterB[filter] * 31U) >> 5);
    p->buf[adaptB]     = APESIGN(p->buf[delayB]);
-    p->buf[delayB - 1] = p->buf[delayB] - p->buf[delayB - 1];
+    p->buf[delayB - 1] = p->buf[delayB] - (unsigned)p->buf[delayB - 1];
    p->buf[adaptB - 1] = APESIGN(p->buf[delayB - 1]);
    p->filterB[filter] = p->filterA[filter ^ 1];

@@ -1142,8 +1143,8 @@ static av_always_inline int predictor_update_filter(APEPredictor *p,
                  p->buf[delayB - 3] * p->coeffsB[filter][3] +
                  p->buf[delayB - 4] * p->coeffsB[filter][4];

-    p->lastA[filter] = decoded + ((predictionA + (predictionB >> 1)) >> 10);
-    p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5);
+    p->lastA[filter] = decoded + ((int)((unsigned)predictionA + (predictionB >> 1)) >> 10);
+    p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5);

    sign = APESIGN(decoded);
    p->coeffsA[filter][0] += p->buf[adaptA    ] * sign;
@@ -1229,7 +1230,7 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count)
            p->buf = p->historybuffer;
        }

-        p->filterA[0] = currentA + ((p->filterA[0] * 31) >> 5);
+        p->filterA[0] = currentA + ((int)(p->filterA[0] * 31U) >> 5);
        *(decoded0++) = p->filterA[0];
    }

@@ -1266,8 +1267,8 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f,
                                                     f->delay - order,
                                                     f->adaptcoeffs - order,
                                                     order, APESIGN(*data));
-        res = (res + (1 << (fracbits - 1))) >> fracbits;
-        res += *data;
+        res = (int)(res + (1U << (fracbits - 1))) >> fracbits;
+        res += (unsigned)*data;
        *data++ = res;

        /* Update the output history */
@@ -1282,7 +1283,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f,
            /* Version 3.98 and later files */

            /* Update the adaption coefficients */
-            absres = FFABS(res);
+            absres = res < 0 ? -(unsigned)res : res;
            if (absres)
                *f->adaptcoeffs = APESIGN(res) *
                                  (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3)));
@@ -1376,7 +1377,7 @@ static void ape_unpack_mono(APEContext *ctx, int count)

 static void ape_unpack_stereo(APEContext *ctx, int count)
 {
-    int32_t left, right;
+    unsigned left, right;
    int32_t *decoded0 = ctx->decoded[0];
    int32_t *decoded1 = ctx->decoded[1];

@@ -1393,7 +1394,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count)

    /* Decorrelate and scale to output depth */
    while (count--) {
-        left = *decoded1 - (*decoded0 / 2);
+        left = *decoded1 - (unsigned)(*decoded0 / 2);
        right = left + *decoded0;

        *(decoded0++) = left;
@@ -1451,7 +1452,8 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        if (s->fileversion >= 3900) {
            if (offset > 3) {
                av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n");
-                s->data = NULL;
+                av_freep(&s->data);
+                s->data_size = 0;
                return AVERROR_INVALIDDATA;
            }
            if (s->data_end - s->ptr < offset) {
@@ -1499,7 +1501,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
    av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size);
    if (!s->decoded_buffer)
        return AVERROR(ENOMEM);
-    memset(s->decoded_buffer, 0, s->decoded_size);
+    memset(s->decoded_buffer, 0, decoded_buffer_size);
    s->decoded[0] = s->decoded_buffer;
    s->decoded[1] = s->decoded_buffer + FFALIGN(blockstodecode, 8);

@@ -31,7 +31,8 @@ static av_cold int ass_decode_init(AVCodecContext *avctx)
    avctx->subtitle_header = av_malloc(avctx->extradata_size + 1);
    if (!avctx->subtitle_header)
        return AVERROR(ENOMEM);
-    memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size);
+    if (avctx->extradata_size)
+        memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size);
    avctx->subtitle_header[avctx->extradata_size] = 0;
    avctx->subtitle_header_size = avctx->extradata_size;
    return 0;
@@ -964,7 +964,7 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx)
        return AVERROR_INVALIDDATA;
    }

-    if (avctx->block_align >= UINT_MAX / 2)
+    if (avctx->block_align > 1024 || avctx->block_align <= 0)
        return AVERROR(EINVAL);

    q->decoded_bytes_buffer = av_mallocz(FFALIGN(avctx->block_align, 4) +
@@ -456,6 +456,10 @@ static int decode_channel_wordlen(GetBitContext *gb, Atrac3pChanUnitCtx *ctx,
    } else if (chan->fill_mode == 3) {
        pos = ch_num ? chan->num_coded_vals + chan->split_point
                     : ctx->num_quant_units - chan->split_point;
+        if (pos > FF_ARRAY_ELEMS(chan->qu_wordlen)) {
+            av_log(avctx, AV_LOG_ERROR, "Split point beyond array\n");
+            pos = FF_ARRAY_ELEMS(chan->qu_wordlen);
+        }
        for (i = chan->num_coded_vals; i < pos; i++)
            chan->qu_wordlen[i] = 1;
    }
@@ -485,12 +485,17 @@ av_cold void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status)


 /** Initialize decoding and reads the first value */
-void ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h,
+int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h,
                         unsigned int *l, unsigned int *v)
 {
+    if (get_bits_left(gb) < VALUE_BITS)
+        return AVERROR_INVALIDDATA;
+
    *h = TOP_VALUE;
    *l = 0;
    *v = get_bits_long(gb, VALUE_BITS);
+
+    return 0;
 }


@@ -40,7 +40,7 @@ int ff_bgmc_init(AVCodecContext *avctx, uint8_t **cf_lut, int **cf_lut_status);
 void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status);


-void ff_bgmc_decode_init(GetBitContext *gb,
+int ff_bgmc_decode_init(GetBitContext *gb,
                      unsigned int *h, unsigned int *l, unsigned int *v);


@@ -1299,13 +1299,13 @@ static av_cold int decode_init(AVCodecContext *avctx)
    }
    c->avctx = avctx;

+    if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
+        return ret;
+
    c->last = av_frame_alloc();
    if (!c->last)
        return AVERROR(ENOMEM);

-    if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
-        return ret;
-
    avctx->pix_fmt = c->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P;

    ff_blockdsp_init(&c->bdsp, avctx);
@@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
    if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) {
        // audio is already interleaved for the RDFT format variant
        avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
+        if (sample_rate > INT_MAX / avctx->channels)
+            return AVERROR_INVALIDDATA;
        sample_rate  *= avctx->channels;
        s->channels = 1;
        if (!s->version_b)
@@ -33,20 +33,22 @@
 #define A3  3784
 #define A4 -5352

+#define MUL(X,Y) ((int)((unsigned)(X) * (Y)) >> 11)
+
 #define IDCT_TRANSFORM(dest,s0,s1,s2,s3,s4,s5,s6,s7,d0,d1,d2,d3,d4,d5,d6,d7,munge,src) {\
    const int a0 = (src)[s0] + (src)[s4]; \
    const int a1 = (src)[s0] - (src)[s4]; \
    const int a2 = (src)[s2] + (src)[s6]; \
-    const int a3 = (A1*((src)[s2] - (src)[s6])) >> 11; \
+    const int a3 = MUL(A1, (src)[s2] - (src)[s6]); \
    const int a4 = (src)[s5] + (src)[s3]; \
    const int a5 = (src)[s5] - (src)[s3]; \
    const int a6 = (src)[s1] + (src)[s7]; \
    const int a7 = (src)[s1] - (src)[s7]; \
    const int b0 = a4 + a6; \
-    const int b1 = (A3*(a5 + a7)) >> 11; \
-    const int b2 = ((A4*a5) >> 11) - b0 + b1; \
-    const int b3 = (A1*(a6 - a4) >> 11) - b2; \
-    const int b4 = ((A2*a7) >> 11) + b3 - b1; \
+    const int b1 = MUL(A3, a5 + a7); \
+    const int b2 = MUL(A4, a5) - b0 + b1; \
+    const int b3 = MUL(A1, a6 - a4) - b2; \
+    const int b4 = MUL(A2, a7) + b3 - b1; \
    (dest)[d0] = munge(a0+a2   +b0); \
    (dest)[d1] = munge(a1+a3-a2+b2); \
    (dest)[d2] = munge(a1-a3+a2+b3); \
@@ -63,6 +63,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
            av_log(avctx, AV_LOG_ERROR, "not enough extradata\n");
            return AVERROR_INVALIDDATA;
        }
+        if (!s->font_height) {
+            av_log(avctx, AV_LOG_ERROR, "invalid font height\n");
+            return AVERROR_INVALIDDATA;
+        }
    } else {
        s->font_height = 8;
        s->flags = 0;
@@ -188,8 +188,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
            }
            for (k = 0; k < nb; k++) {
                int bits = table[j][1];
+                int oldsym  = table[j][0];
                ff_dlog(NULL, "%4x: code=%d n=%d\n", j, i, n);
-                if (bits != 0 && bits != n) {
+                if ((bits || oldsym) && (bits != n || oldsym != symbol)) {
                    av_log(NULL, AV_LOG_ERROR, "incorrect codes\n");
                    return AVERROR_INVALIDDATA;
                }
@@ -226,6 +227,10 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
            /* note: realloc has been done, so reload tables */
            table = (volatile VLC_TYPE (*)[2])&vlc->table[table_index];
            table[j][0] = index; //code
+            if (table[j][0] != index) {
+                avpriv_request_sample(NULL, "strange codes");
+                return AVERROR_PATCHWELCOME;
+            }
            i = k-1;
        }
    }
@@ -204,6 +204,10 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
        avpriv_request_sample(avctx, "Format %d", hdr.format);
        return AVERROR_PATCHWELCOME;
    }
+    bytes_per_scanline = bytes_pp * hdr.width;
+
+    if (bytestream2_get_bytes_left(&gb) < hdr.height * bytes_per_scanline)
+        return AVERROR_INVALIDDATA;

    if ((ret = ff_set_dimensions(avctx, hdr.width, hdr.height)) < 0)
        return ret;
@@ -261,7 +265,6 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    bytestream2_skip(&gb, 8);

    // read the image data to the buffer
-    bytes_per_scanline = bytes_pp * hdr.width;
    bytes_left = bytestream2_get_bytes_left(&gb);

    if (chunk_type != IMAGE_DATA_CHUNK || data_len != bytes_left ||
@@ -47,7 +47,8 @@ void av_bsf_free(AVBSFContext **pctx)

    av_opt_free(ctx);

-    av_packet_free(&ctx->internal->buffer_pkt);
+    if (ctx->internal)
+        av_packet_free(&ctx->internal->buffer_pkt);
    av_freep(&ctx->internal);
    av_freep(&ctx->priv_data);

@@ -1215,6 +1215,7 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    int input_size, ret;
    const uint8_t *buf_end;
    const uint8_t *buf_ptr;
+    int frame_start = 0;

    if (buf_size == 0) {
        if (!h->low_delay && h->DPB[0].f->data[0]) {
@@ -1248,6 +1249,9 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                h->got_keyframe = 1;
            }
        case PIC_PB_START_CODE:
+            if (frame_start > 1)
+                return AVERROR_INVALIDDATA;
+            frame_start ++;
            if (*got_frame)
                av_frame_unref(data);
            *got_frame = 0;
@@ -212,10 +212,10 @@ static const unsigned char pac2_attribs[32][3] = // Color, font, ident

 struct Screen {
    /* +1 is used to compensate null character of string */
-    uint8_t characters[SCREEN_ROWS][SCREEN_COLUMNS+1];
-    uint8_t charsets[SCREEN_ROWS][SCREEN_COLUMNS+1];
-    uint8_t colors[SCREEN_ROWS][SCREEN_COLUMNS+1];
-    uint8_t fonts[SCREEN_ROWS][SCREEN_COLUMNS+1];
+    uint8_t characters[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
+    uint8_t charsets[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
+    uint8_t colors[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
+    uint8_t fonts[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
    /*
     * Bitmask of used rows; if a bit is not set, the
     * corresponding row is not used.
@@ -174,5 +174,5 @@ AVCodec ff_comfortnoise_decoder = {
    .close          = cng_decode_close,
    .sample_fmts    = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_S16,
                                                     AV_SAMPLE_FMT_NONE },
-    .capabilities   = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_DR1,
+    .capabilities   = AV_CODEC_CAP_DR1,
 };
@@ -143,7 +143,7 @@ typedef struct cook {

    /* generate tables and related variables */
    int                 gain_size_factor;
-    float               gain_table[23];
+    float               gain_table[31];

    /* data buffers */

@@ -185,8 +185,8 @@ static av_cold void init_gain_table(COOKContext *q)
 {
    int i;
    q->gain_size_factor = q->samples_per_channel / 8;
-    for (i = 0; i < 23; i++)
-        q->gain_table[i] = pow(pow2tab[i + 52],
+    for (i = 0; i < 31; i++)
+        q->gain_table[i] = pow(pow2tab[i + 48],
                               (1.0 / (double) q->gain_size_factor));
 }

@@ -670,7 +670,7 @@ static void interpolate_float(COOKContext *q, float *buffer,
        for (i = 0; i < q->gain_size_factor; i++)
            buffer[i] *= fc1;
    } else {                                        // smooth gain
-        fc2 = q->gain_table[11 + (gain_index_next - gain_index)];
+        fc2 = q->gain_table[15 + (gain_index_next - gain_index)];
        for (i = 0; i < q->gain_size_factor; i++) {
            buffer[i] *= fc1;
            fc1       *= fc2;
@@ -1075,6 +1075,9 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
        return AVERROR_INVALIDDATA;
    }

+    if (avctx->block_align >= INT_MAX / 8)
+        return AVERROR(EINVAL);
+
    /* Initialize RNG. */
    av_lfg_init(&q->random_state, 0);

@@ -1217,6 +1220,15 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
            return AVERROR_PATCHWELCOME;
        }
    }
+
+    /* Try to catch some obviously faulty streams, otherwise it might be exploitable */
+    if (q->samples_per_channel != 256 && q->samples_per_channel != 512 &&
+        q->samples_per_channel != 1024) {
+        avpriv_request_sample(avctx, "samples_per_channel = %d",
+                              q->samples_per_channel);
+        return AVERROR_PATCHWELCOME;
+    }
+
    /* Generate tables */
    init_pow2table();
    init_gain_table(q);
@@ -1225,10 +1237,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
    if ((ret = init_cook_vlc_tables(q)))
        return ret;

-
-    if (avctx->block_align >= UINT_MAX / 2)
-        return AVERROR(EINVAL);
-
    /* Pad the databuffer with:
       DECODE_BYTES_PAD1 or DECODE_BYTES_PAD2 for decode_bytes(),
       AV_INPUT_BUFFER_PADDING_SIZE, for the bitstreamreader. */
@@ -1252,14 +1260,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
        q->saturate_output = saturate_output_float;
    }

-    /* Try to catch some obviously faulty streams, otherwise it might be exploitable */
-    if (q->samples_per_channel != 256 && q->samples_per_channel != 512 &&
-        q->samples_per_channel != 1024) {
-        avpriv_request_sample(avctx, "samples_per_channel = %d",
-                              q->samples_per_channel);
-        return AVERROR_PATCHWELCOME;
-    }
-
    avctx->sample_fmt = AV_SAMPLE_FMT_FLTP;
    if (channel_mask)
        avctx->channel_layout = channel_mask;
@@ -63,7 +63,7 @@ static int cpia_decode_frame(AVCodecContext *avctx,
    uint8_t *y, *u, *v, *y_end, *u_end, *v_end;

    // Check header
-    if ( avpkt->size < FRAME_HEADER_SIZE
+    if ( avpkt->size < FRAME_HEADER_SIZE + avctx->height * 3
      || header[0] != MAGIC_0 || header[1] != MAGIC_1
      || (header[17] != SUBSAMPLE_420 && header[17] != SUBSAMPLE_422)
      || (header[18] != YUVORDER_YUYV && header[18] != YUVORDER_UYVY)
@@ -613,6 +613,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
    AVFrame *frame = data;
    int mipmap;
    int ret;
+    int width, height;

    ff_texturedsp_init(&ctx->texdsp);
    bytestream2_init(gbc, avpkt->data, avpkt->size);
@@ -631,9 +632,9 @@ static int dds_decode(AVCodecContext *avctx, void *data,

    bytestream2_skip(gbc, 4); // flags

-    avctx->height = bytestream2_get_le32(gbc);
-    avctx->width  = bytestream2_get_le32(gbc);
-    ret = av_image_check_size(avctx->width, avctx->height, 0, avctx);
+    height = bytestream2_get_le32(gbc);
+    width  = bytestream2_get_le32(gbc);
+    ret = ff_set_dimensions(avctx, width, height);
    if (ret < 0) {
        av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n",
               avctx->width, avctx->height);
@@ -212,7 +212,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx,
        if (parse_timing_info && pu1.prev_pu_offset >= 13) {
            uint8_t *cur_pu = pc->buffer +
                              pc->index - 13 - pu1.prev_pu_offset;
-            int pts = AV_RB32(cur_pu + 13);
+            int64_t pts = AV_RB32(cur_pu + 13);
            if (s->last_pts == 0 && s->last_dts == 0)
                s->dts = pts - 1;
            else
@@ -1252,7 +1252,9 @@ static int dirac_unpack_idwt_params(DiracContext *s)
        s->num_y        = get_interleaved_ue_golomb(gb);
        if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX ||
            s->num_x * (uint64_t)s->avctx->width  > INT_MAX ||
-            s->num_y * (uint64_t)s->avctx->height > INT_MAX
+            s->num_y * (uint64_t)s->avctx->height > INT_MAX ||
+            s->num_x > s->avctx->width ||
+            s->num_y > s->avctx->height
        ) {
            av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n");
            s->num_x = s->num_y = 0;
@@ -1408,9 +1410,9 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
    int *b      = s->globalmc[ref].pan_tilt;
    int *c      = s->globalmc[ref].perspective;

-    int m       = (1<<ep) - (c[0]*x + c[1]*y);
-    int64_t mx  = m * (int64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1<<ez) * b[0]);
-    int64_t my  = m * (int64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1<<ez) * b[1]);
+    int64_t m   = (1<<ep) - (c[0]*(int64_t)x + c[1]*(int64_t)y);
+    int64_t mx  = m * (int64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
+    int64_t my  = m * (int64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);

    block->u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
    block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
@@ -79,10 +79,9 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
                    if (remaining <= 0)
                        continue;
                }
+                remaining += i - 47;
                dctx->remaining = remaining;
-                if (buf_size - i + 47 >= dctx->remaining) {
-                    int remaining = dctx->remaining;
-
+                if (buf_size >= dctx->remaining) {
                    pc->frame_start_found = 0;
                    pc->state64 = -1;
                    dctx->cur_byte = 0;
@@ -37,7 +37,7 @@
 #define DST_MAX_CHANNELS 6
 #define DST_MAX_ELEMENTS (2 * DST_MAX_CHANNELS)

-#define DSD_FS44(sample_rate) (sample_rate * 8 / 44100)
+#define DSD_FS44(sample_rate) (sample_rate * 8LL / 44100)

 #define DST_SAMPLES_PER_FRAME(sample_rate) (588 * DSD_FS44(sample_rate))

@@ -161,6 +161,10 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[
                    c -= (x + 4) / 8;
                else
                    c += (-x + 3) / 8;
+                if (!is_signed) {
+                    if (c < offset || c >= offset + (1<<coeff_bits))
+                        return AVERROR_INVALIDDATA;
+                }
                t->coeff[i][j] = c;
            }
        }
@@ -298,11 +302,15 @@ static int decode_frame(AVCodecContext *avctx, void *data,

    /* Filter Coef Sets (10.12) */

-    read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0);
+    ret = read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0);
+    if (ret < 0)
+        return ret;

    /* Probability Tables (10.13) */

-    read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1);
+    ret = read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1);
+    if (ret < 0)
+        return ret;

    /* Arithmetic Coded Data (10.11) */

@@ -1553,8 +1553,9 @@ static int dvbsub_parse_display_definition_segment(AVCodecContext *avctx,
    display_def->width   = bytestream_get_be16(&buf) + 1;
    display_def->height  = bytestream_get_be16(&buf) + 1;
    if (!avctx->width || !avctx->height) {
-        avctx->width  = display_def->width;
-        avctx->height = display_def->height;
+        int ret = ff_set_dimensions(avctx, display_def->width, display_def->height);
+        if (ret < 0)
+            return ret;
    }

    if (info_byte & 1<<3) { // display_window_flag
@@ -300,6 +300,9 @@ static int tgv_decode_frame(AVCodecContext *avctx,
            s->palette[i] = 0xFFU << 24 | AV_RB24(buf);
            buf += 3;
        }
+        if (buf_end - buf < 5) {
+            return AVERROR_INVALIDDATA;
+        }
    }

    if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
@@ -131,6 +131,9 @@ static int tqi_decode_frame(AVCodecContext *avctx,
    AVFrame *frame = data;
    int ret, w, h;

+    if (buf_size < 12)
+        return AVERROR_INVALIDDATA;
+
    t->avctx = avctx;

    w = AV_RL16(&buf[0]);
@@ -1307,6 +1307,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
    int magic_number, version, i, flags, sar = 0;
    int layer_match = 0;
    int ret;
+    int dup_channels = 0;

    s->current_channel_offset = 0;
    s->xmin               = ~0;
@@ -1463,10 +1464,12 @@ static int decode_header(EXRContext *s, AVFrame *frame)
                    s->pixel_type                     = current_pixel_type;
                    s->channel_offsets[channel_index] = s->current_channel_offset;
                } else if (channel_index >= 0) {
-                    av_log(s->avctx, AV_LOG_ERROR,
+                    av_log(s->avctx, AV_LOG_WARNING,
                            "Multiple channels with index %d.\n", channel_index);
-                    ret = AVERROR_INVALIDDATA;
-                    goto fail;
+                    if (++dup_channels > 10) {
+                        ret = AVERROR_INVALIDDATA;
+                        goto fail;
+                    }
                }

                s->channels = av_realloc(s->channels,
@@ -878,7 +878,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            unsigned crc = av_crc(av_crc_get_table(AV_CRC_32_IEEE), 0, buf_p, v);
            if (crc) {
                int64_t ts = avpkt->pts != AV_NOPTS_VALUE ? avpkt->pts : avpkt->dts;
-                av_log(f->avctx, AV_LOG_ERROR, "CRC mismatch %X!", crc);
+                av_log(f->avctx, AV_LOG_ERROR, "slice CRC mismatch %X!", crc);
                if (ts != AV_NOPTS_VALUE && avctx->pkt_timebase.num) {
                    av_log(f->avctx, AV_LOG_ERROR, "at %f seconds\n", ts*av_q2d(avctx->pkt_timebase));
                } else if (ts != AV_NOPTS_VALUE) {
@@ -113,18 +113,12 @@ static uint32_t lcg_next(uint32_t *s)
    return *s;
 }

-static void lcg_seek(uint32_t *s, int64_t dt)
+static void lcg_seek(uint32_t *s, uint32_t dt)
 {
    uint32_t a, c, t = *s;

-    if (dt >= 0) {
-        a = LCG_A;
-        c = LCG_C;
-    } else { /* coefficients for a step backward */
-        a = LCG_AI;
-        c = (uint32_t)(LCG_AI * LCG_C);
-        dt = -dt;
-    }
+    a = LCG_A;
+    c = LCG_C;
    while (dt) {
        if (dt & 1)
            t = a * t + c;
@@ -221,12 +215,12 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts)
    ws->next_inter = i;
    ws->next_ts = i < ws->nb_inter ? ws->inter[i].ts_start : INF_TS;
    *last = -1;
-    lcg_seek(&ws->dither_state, ts - ws->cur_ts);
+    lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts);
    if (ws->pink_need) {
-        int64_t pink_ts_cur  = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1);
-        int64_t pink_ts_next = ts & ~(PINK_UNIT - 1);
+        uint64_t pink_ts_cur  = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1);
+        uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1);
        int pos = ts & (PINK_UNIT - 1);
-        lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) << 1);
+        lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2);
        if (pos) {
            pink_fill(ws);
            ws->pink_pos = pos;
@@ -253,7 +247,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc)
    edata_end = edata + avc->extradata_size;
    ws->nb_inter = AV_RL32(edata);
    edata += 4;
-    if (ws->nb_inter < 0)
+    if (ws->nb_inter < 0 || (edata_end - edata) / 24 < ws->nb_inter)
        return AVERROR(EINVAL);
    ws->inter = av_calloc(ws->nb_inter, sizeof(*ws->inter));
    if (!ws->inter)
@@ -267,13 +261,16 @@ static int wavesynth_parse_extradata(AVCodecContext *avc)
        in->type     = AV_RL32(edata + 16);
        in->channels = AV_RL32(edata + 20);
        edata += 24;
-        if (in->ts_start < cur_ts || in->ts_end <= in->ts_start)
+        if (in->ts_start < cur_ts ||
+            in->ts_end <= in->ts_start ||
+            (uint64_t)in->ts_end - in->ts_start > INT64_MAX
+        )
            return AVERROR(EINVAL);
        cur_ts = in->ts_start;
        dt = in->ts_end - in->ts_start;
        switch (in->type) {
            case WS_SINE:
-                if (edata_end - edata < 20)
+                if (edata_end - edata < 20 || avc->sample_rate <= 0)
                    return AVERROR(EINVAL);
                f1  = AV_RL32(edata +  0);
                f2  = AV_RL32(edata +  4);
@@ -304,8 +301,8 @@ static int wavesynth_parse_extradata(AVCodecContext *avc)
            default:
                return AVERROR(EINVAL);
        }
-        in->amp0 = (int64_t)a1 << 32;
-        in->damp = (((int64_t)a2 << 32) - ((int64_t)a1 << 32)) / dt;
+        in->amp0 = (uint64_t)a1 << 32;
+        in->damp = (int64_t)(((uint64_t)a2 << 32) - ((uint64_t)a1 << 32)) / dt;
    }
    if (edata != edata_end)
        return AVERROR(EINVAL);
@@ -380,7 +377,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts,
                in->dphi += in->ddphi;
                break;
            case WS_NOISE:
-                val = amp * pink;
+                val = amp * (unsigned)pink;
                break;
            default:
                val = 0;
@@ -388,7 +385,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts,
        all_ch |= in->channels;
        for (c = in->channels, cv = channels; c; c >>= 1, cv++)
            if (c & 1)
-                *cv += val;
+                *cv += (unsigned)val;
    }
    val = (int32_t)lcg_next(&ws->dither_state) >> 16;
    for (c = all_ch, cv = channels; c; c >>= 1, cv++)
@@ -138,6 +138,17 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t
    case STATE_BITPIX:
        CHECK_KEYWORD("BITPIX");
        CHECK_VALUE("BITPIX", bitpix);
+
+        switch(header->bitpix) {
+        case   8:
+        case  16:
+        case  32: case -32:
+        case  64: case -64: break;
+        default:
+            av_log(avcl, AV_LOG_ERROR, "invalid value of BITPIX %d\n", header->bitpix); \
+            return AVERROR_INVALIDDATA;
+        }
+
        dict_set_if_not_null(metadata, keyword, value);

        header->state = STATE_NAXIS;
@@ -143,7 +143,7 @@ static int fits_read_header(AVCodecContext *avctx, const uint8_t **ptr, FITSHead

    size = abs(header->bitpix) >> 3;
    for (i = 0; i < header->naxis; i++) {
-        if (header->naxisn[i] > SIZE_MAX / size) {
+        if (size == 0 || header->naxisn[i] > SIZE_MAX / size) {
            av_log(avctx, AV_LOG_ERROR, "unsupported size of FITS image");
            return AVERROR_INVALIDDATA;
        }
@@ -168,6 +168,14 @@ static int fits_read_header(AVCodecContext *avctx, const uint8_t **ptr, FITSHead
        header->data_min = (header->data_min - header->bzero) / header->bscale;
        header->data_max = (header->data_max - header->bzero) / header->bscale;
    }
+    if (!header->rgb && header->data_min >= header->data_max) {
+        if (header->data_min > header->data_max) {
+            av_log(avctx, AV_LOG_ERROR, "data min/max (%g %g) is invalid\n", header->data_min, header->data_max);
+            return AVERROR_INVALIDDATA;
+        }
+        av_log(avctx, AV_LOG_WARNING, "data min/max indicates a blank image\n");
+        header->data_max ++;
+    }

    return 0;
 }
@@ -256,6 +264,13 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            CASE_RGB(16, dst16, uint16_t, AV_RB16);
        }
    } else {
+        double scale = header.data_max - header.data_min;
+
+        if (scale <= 0 || !isfinite(scale)) {
+            scale = 1;
+        }
+        scale = 1/scale;
+
        switch (header.bitpix) {
 #define CASE_GRAY(cas, dst, type, t, rd) \
    case cas: \
@@ -264,7 +279,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            for (j = 0; j < avctx->width; j++) { \
                t = rd; \
                if (!header.blank_found || t != header.blank) { \
-                    *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) / (header.data_max - header.data_min); \
+                    *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) * scale; \
                } else { \
                    *dst++ = fitsctx->blank_val; \
                } \
@@ -175,7 +175,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
    int lines;
    int compressed_lines;
    int starting_line;
-    signed short line_packets;
+    int line_packets;
    int y_ptr;
    int byte_run;
    int pixel_skip;
@@ -274,7 +274,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                    break;
                if (y_ptr > pixel_limit)
                    return AVERROR_INVALIDDATA;
-                line_packets = bytestream2_get_le16(&g2);
+                line_packets = sign_extend(bytestream2_get_le16(&g2), 16);
                if ((line_packets & 0xC000) == 0xC000) {
                    // line skip opcode
                    line_packets = -line_packets;
@@ -508,7 +508,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,

    int lines;
    int compressed_lines;
-    signed short line_packets;
+    int line_packets;
    int y_ptr;
    int byte_run;
    int pixel_skip;
@@ -572,7 +572,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
                    break;
                if (y_ptr > pixel_limit)
                    return AVERROR_INVALIDDATA;
-                line_packets = bytestream2_get_le16(&g2);
+                line_packets = sign_extend(bytestream2_get_le16(&g2), 16);
                if (line_packets < 0) {
                    line_packets = -line_packets;
                    if (line_packets > s->avctx->height)
@@ -806,7 +806,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,

    int lines;
    int compressed_lines;
-    signed short line_packets;
+    int line_packets;
    int y_ptr;
    int byte_run;
    int pixel_skip;
@@ -870,7 +870,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
                    break;
                if (y_ptr > pixel_limit)
                    return AVERROR_INVALIDDATA;
-                line_packets = bytestream2_get_le16(&g2);
+                line_packets = sign_extend(bytestream2_get_le16(&g2), 16);
                if (line_packets < 0) {
                    line_packets = -line_packets;
                    if (line_packets > s->avctx->height)
@@ -900,7 +900,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
                        } else {
                            if (bytestream2_tell(&g2) + 2*byte_run > stream_ptr_after_chunk)
                                break;
-                            CHECK_PIXEL_PTR(2 * byte_run);
+                            CHECK_PIXEL_PTR(3 * byte_run);
                            for (j = 0; j < byte_run; j++, pixel_countdown--) {
                                pixel = bytestream2_get_le24(&g2);
                                AV_WL24(&pixels[pixel_ptr], pixel);
@@ -1024,14 +1024,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
                for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height;
                     y_ptr += s->frame->linesize[0]) {

-                    pixel_countdown = s->avctx->width;
-                    pixel_ptr = 0;
-                    while (pixel_countdown > 0) {
-                        pixel = bytestream2_get_le24(&g2);
-                        AV_WL24(&pixels[y_ptr + pixel_ptr], pixel);
-                        pixel_ptr += 3;
-                        pixel_countdown--;
-                    }
+                    bytestream2_get_buffer(&g2, pixels + y_ptr, 3*s->avctx->width);
                    if (s->avctx->width & 1)
                        bytestream2_skip(&g2, 3);
                }
@@ -403,6 +403,9 @@ static int decode_frame(AVCodecContext *avctx,
    AVFrame *frame = data;
    int ret, y, x;

+    if (avpkt->size < 8)
+        return AVERROR_INVALIDDATA;
+
    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
        return ret;

@@ -244,6 +244,9 @@ static int jpg_decode_block(JPGContext *c, GetBitContext *gb,
    const int is_chroma = !!plane;
    const uint8_t *qmat = is_chroma ? chroma_quant : luma_quant;

+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
+
    c->bdsp.clear_block(block);
    dc = get_vlc2(gb, c->dc_vlc[is_chroma].table, 9, 3);
    if (dc < 0)
@@ -854,6 +857,9 @@ static int epic_decode_tile(ePICContext *dc, uint8_t *out, int tile_height,
                    uint32_t ref_pix = curr_row[x - 1];
                    if (!x || !epic_decode_from_cache(dc, ref_pix, &pix)) {
                        pix = epic_decode_pixel_pred(dc, x, y, curr_row, above_row);
+                        if (is_pixel_on_stack(dc, pix))
+                            return AVERROR_INVALIDDATA;
+
                        if (x) {
                            int ret = epic_add_pixel_to_cache(&dc->hash,
                                                              ref_pix,
@@ -667,7 +667,9 @@ static int estimate_sid_gain(G723_1_Context *p)
            if (p->sid_gain < 0) t = INT32_MIN;
            else                 t = INT32_MAX;
        } else
-            t = p->sid_gain << shift;
+            t = p->sid_gain * (1 << shift);
+    } else if(shift < -31) {
+        t = (p->sid_gain < 0) ? -1 : 0;
    }else
        t = p->sid_gain >> -shift;
    x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16);
@@ -51,6 +51,12 @@ static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx,
        s->duration   = avctx->frame_size;
    }

+    if (!s->block_size) {
+        *poutbuf      = buf;
+        *poutbuf_size = buf_size;
+        return buf_size;
+    }
+
    if (!s->remaining)
        s->remaining = s->block_size;
    if (s->remaining <= buf_size) {
@@ -328,11 +328,14 @@ static int16_t g729d_voice_decision(int onset, int prev_voice_decision, const in

 static int32_t scalarproduct_int16_c(const int16_t * v1, const int16_t * v2, int order)
 {
-    int res = 0;
+    int64_t res = 0;

    while (order--)
        res += *v1++ * *v2++;

+    if      (res > INT32_MAX) return INT32_MAX;
+    else if (res < INT32_MIN) return INT32_MIN;
+
    return res;
 }

@@ -413,7 +416,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
        return ret;
    out_frame = (int16_t*) frame->data[0];

-    if (buf_size % 10 == 0) {
+    if (buf_size && buf_size % 10 == 0) {
        packet_type = FORMAT_G729_8K;
        format = &format_g729_8k;
        //Reset voice decision
@@ -156,7 +156,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
            sig_scaled[i] = residual[i] >> shift;
    else
        for (i = 0; i < subframe_size + RES_PREV_DATA_SIZE; i++)
-            sig_scaled[i] = residual[i] << -shift;
+            sig_scaled[i] = (unsigned)residual[i] << -shift;

    /* Start of best delay searching code */
    gain_num = 0;
@@ -201,8 +201,8 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
        }
        if (corr_int_num) {
            /* Compute denominator of pseudo-normalized correlation R'(0). */
-            corr_int_den = adsp->scalarproduct_int16(sig_scaled - best_delay_int + RES_PREV_DATA_SIZE,
-                                                    sig_scaled - best_delay_int + RES_PREV_DATA_SIZE,
+            corr_int_den = adsp->scalarproduct_int16(sig_scaled + RES_PREV_DATA_SIZE - best_delay_int,
+                                                     sig_scaled + RES_PREV_DATA_SIZE - best_delay_int,
                                                    subframe_size);

            /* Compute signals with non-integer delay k (with 1/8 precision),
@@ -346,7 +346,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
        L_temp1 = gain_long_num * gain_long_num;
        L_temp1 = MULL(L_temp1, gain_den, FRAC_BITS);

-        tmp = ((sh_gain_long_num - sh_gain_num) << 1) - (sh_gain_long_den - sh_gain_den);
+        tmp = ((sh_gain_long_num - sh_gain_num) * 2) - (sh_gain_long_den - sh_gain_den);
        if (tmp > 0)
            L_temp0 >>= tmp;
        else
@@ -367,7 +367,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
        /* Rescale selected signal to original value. */
        if (shift > 0)
            for (i = 0; i < subframe_size; i++)
-                selected_signal[i] <<= shift;
+                selected_signal[i] *= 1 << shift;
        else
            for (i = 0; i < subframe_size; i++)
                selected_signal[i] >>= -shift;
@@ -464,7 +464,7 @@ static int16_t get_tilt_comp(AudioDSPContext *adsp, int16_t *lp_gn,
            speech[i] = (speech[i] * temp + 0x4000) >> 15;
    }

-    return -(rh1 << 15) / rh0;
+    return -(rh1 * (1 << 15)) / rh0;
 }

 /**
@@ -500,14 +500,14 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff,
    tmp = res_pst[subframe_size - 1];

    for (i = subframe_size - 1; i >= 1; i--) {
-        tmp2 = (res_pst[i] << 15) + ((gt * res_pst[i-1]) << 1);
-        tmp2 = (tmp2 + 0x4000) >> 15;
+        tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000;
+        tmp2 = res_pst[i] + (tmp2 >> 15);

        tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact;
        out[i] = tmp2;
    }
-    tmp2 = (res_pst[0] << 15) + ((gt * ht_prev_data) << 1);
-    tmp2 = (tmp2 + 0x4000) >> 15;
+    tmp2 = (gt * ht_prev_data) * 2 + 0x4000;
+    tmp2 = res_pst[0] + (tmp2 >> 15);
    tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact;
    out[0] = tmp2;

@@ -306,7 +306,8 @@ static int decompress_68(AVCodecContext *avctx, unsigned skip, unsigned use8)
                    if (val != ((1 << lbits) - 1)) {
                        break;
                    }
-                    assert(lbits < 16);
+                    if (lbits >= 16)
+                        return AVERROR_INVALIDDATA;
                }
                for (i = 0; i < len; i++) {
                    bytestream2_put_byte(pb, bytestream2_get_byte(gb));
@@ -49,6 +49,8 @@ extern const uint8_t ff_interleaved_dirac_golomb_vlc_code[256];

 /**
 * Read an unsigned Exp-Golomb code in the range 0 to 8190.
+ *
+ * @returns the read value or a negative error code.
 */
 static inline int get_ue_golomb(GetBitContext *gb)
 {
@@ -600,7 +600,7 @@ retry:
    if ((ret = ff_mpv_frame_start(s, avctx)) < 0)
        return ret;

-    if (!s->divx_packed)
+    if (!s->divx_packed && !avctx->hwaccel)
        ff_thread_finish_setup(avctx);

 #if FF_API_CAP_VDPAU
@@ -296,7 +296,8 @@ int ff_h264_init_poc(int pic_field_poc[2], int *pic_poc,
        if (picture_structure == PICT_FRAME)
            field_poc[1] += pc->delta_poc_bottom;
    } else if (sps->poc_type == 1) {
-        int abs_frame_num, expected_delta_per_poc_cycle, expectedpoc;
+        int abs_frame_num;
+        int64_t expected_delta_per_poc_cycle, expectedpoc;
        int i;

        if (sps->poc_cycle_length != 0)
@@ -373,9 +373,11 @@ int ff_h264_build_ref_list(H264Context *h, H264SliceContext *sl)
                av_assert0(0);
            }

-            if (i < 0) {
+            if (i < 0 || mismatches_ref(h, ref)) {
                av_log(h->avctx, AV_LOG_ERROR,
-                       "reference picture missing during reorder\n");
+                       i < 0 ? "reference picture missing during reorder\n" :
+                               "mismatching reference\n"
+                      );
                memset(&sl->ref_list[list][index], 0, sizeof(sl->ref_list[0][0])); // FIXME
            } else {
                for (i = index; i + 1 < sl->ref_count[list]; i++) {
@@ -642,11 +642,11 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s)
    }
    if (prefix_val >= 5) {
        int k = 0;
-        while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) {
+        while (k < 7 && get_cabac_bypass(&s->HEVClc->cc)) {
            suffix_val += 1 << k;
            k++;
        }
-        if (k == CABAC_MAX_BIN) {
+        if (k == 7) {
            av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k);
            return AVERROR_INVALIDDATA;
        }
@@ -1582,22 +1582,25 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx,
    pps->entropy_coding_sync_enabled_flag = get_bits1(gb);

    if (pps->tiles_enabled_flag) {
-        pps->num_tile_columns = get_ue_golomb_long(gb) + 1;
-        pps->num_tile_rows    = get_ue_golomb_long(gb) + 1;
-        if (pps->num_tile_columns <= 0 ||
-            pps->num_tile_columns >= sps->width) {
+        int num_tile_columns_minus1 = get_ue_golomb(gb);
+        int num_tile_rows_minus1    = get_ue_golomb(gb);
+
+        if (num_tile_columns_minus1 < 0 ||
+            num_tile_columns_minus1 >= sps->ctb_width - 1) {
            av_log(avctx, AV_LOG_ERROR, "num_tile_columns_minus1 out of range: %d\n",
-                   pps->num_tile_columns - 1);
-            ret = AVERROR_INVALIDDATA;
+                   num_tile_columns_minus1);
+            ret = num_tile_columns_minus1 < 0 ? num_tile_columns_minus1 : AVERROR_INVALIDDATA;
            goto err;
        }
-        if (pps->num_tile_rows <= 0 ||
-            pps->num_tile_rows >= sps->height) {
+        if (num_tile_rows_minus1 < 0 ||
+            num_tile_rows_minus1 >= sps->ctb_height - 1) {
            av_log(avctx, AV_LOG_ERROR, "num_tile_rows_minus1 out of range: %d\n",
-                   pps->num_tile_rows - 1);
-            ret = AVERROR_INVALIDDATA;
+                   num_tile_rows_minus1);
+            ret = num_tile_rows_minus1 < 0 ? num_tile_rows_minus1 : AVERROR_INVALIDDATA;
            goto err;
        }
+        pps->num_tile_columns = num_tile_columns_minus1 + 1;
+        pps->num_tile_rows    = num_tile_rows_minus1    + 1;

        pps->column_width = av_malloc_array(pps->num_tile_columns, sizeof(*pps->column_width));
        pps->row_height   = av_malloc_array(pps->num_tile_rows,    sizeof(*pps->row_height));
@@ -343,8 +343,8 @@ typedef struct HEVCPPS {
    uint8_t tiles_enabled_flag;
    uint8_t entropy_coding_sync_enabled_flag;

-    int num_tile_columns;   ///< num_tile_columns_minus1 + 1
-    int num_tile_rows;      ///< num_tile_rows_minus1 + 1
+    uint16_t num_tile_columns;   ///< num_tile_columns_minus1 + 1
+    uint16_t num_tile_rows;      ///< num_tile_rows_minus1 + 1
    uint8_t uniform_spacing_flag;
    uint8_t loop_filter_across_tiles_enabled_flag;

@@ -397,7 +397,7 @@ static void mark_ref(HEVCFrame *frame, int flag)
 static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc)
 {
    HEVCFrame *frame;
-    int i, x, y;
+    int i, y;

    frame = alloc_frame(s);
    if (!frame)
@@ -410,11 +410,11 @@ static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc)
                       frame->frame->buf[i]->size);
        } else {
            for (i = 0; frame->frame->data[i]; i++)
-                for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++)
-                    for (x = 0; x < (s->ps.sps->width >> s->ps.sps->hshift[i]); x++) {
-                        AV_WN16(frame->frame->data[i] + y * frame->frame->linesize[i] + 2 * x,
-                                1 << (s->ps.sps->bit_depth - 1));
-                    }
+                for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) {
+                    uint8_t *dst = frame->frame->data[i] + y * frame->frame->linesize[i];
+                    AV_WN16(dst, 1 << (s->ps.sps->bit_depth - 1));
+                    av_memcpy_backptr(dst + 2, 2, 2*(s->ps.sps->width >> s->ps.sps->hshift[i]) - 2);
+                }
        }
    }

@@ -181,6 +181,8 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb)
    for (i = 0; i < s->sh.nb_refs[L0]; i++) {
        if (luma_weight_l0_flag[i]) {
            int delta_luma_weight_l0 = get_se_golomb(gb);
+            if ((int8_t)delta_luma_weight_l0 != delta_luma_weight_l0)
+                return AVERROR_INVALIDDATA;
            s->sh.luma_weight_l0[i] = (1 << s->sh.luma_log2_weight_denom) + delta_luma_weight_l0;
            s->sh.luma_offset_l0[i] = get_se_golomb(gb);
        }
@@ -223,6 +225,8 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb)
        for (i = 0; i < s->sh.nb_refs[L1]; i++) {
            if (luma_weight_l1_flag[i]) {
                int delta_luma_weight_l1 = get_se_golomb(gb);
+                if ((int8_t)delta_luma_weight_l1 != delta_luma_weight_l1)
+                    return AVERROR_INVALIDDATA;
                s->sh.luma_weight_l1[i] = (1 << s->sh.luma_log2_weight_denom) + delta_luma_weight_l1;
                s->sh.luma_offset_l1[i] = get_se_golomb(gb);
            }
@@ -474,7 +478,7 @@ static int hls_slice_header(HEVCContext *s)
    sh->first_slice_in_pic_flag = get_bits1(gb);
    if (s->ref && sh->first_slice_in_pic_flag) {
        av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n");
-        return 1; // This slice will be skiped later, do not corrupt state
+        return 1; // This slice will be skipped later, do not corrupt state
    }

    if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) {
@@ -3250,6 +3254,8 @@ static av_cold int hevc_decode_free(AVCodecContext *avctx)

    ff_h2645_packet_uninit(&s->pkt);

+    ff_hevc_reset_sei(&s->sei);
+
    return 0;
 }

@@ -3439,6 +3445,7 @@ static void hevc_decode_flush(AVCodecContext *avctx)
 {
    HEVCContext *s = avctx->priv_data;
    ff_hevc_flush_dpb(s);
+    ff_hevc_reset_sei(&s->sei);
    s->max_ra = INT_MAX;
    s->eos = 1;
 }
@@ -117,14 +117,17 @@ static void unpack_intraframe(AVCodecContext *avctx, uint8_t *src,
 static void postprocess_current_frame(AVCodecContext *avctx)
 {
    Hnm4VideoContext *hnm = avctx->priv_data;
-    uint32_t x, y, src_x, src_y;
+    uint32_t x, y, src_y;
+    int width = hnm->width;

    for (y = 0; y < hnm->height; y++) {
+        uint8_t *dst = hnm->processed + y * width;
+        const uint8_t *src = hnm->current;
        src_y = y - (y % 2);
-        src_x = src_y * hnm->width + (y % 2);
-        for (x = 0; x < hnm->width; x++) {
-            hnm->processed[(y * hnm->width) + x] = hnm->current[src_x];
-            src_x += 2;
+        src += src_y * width + (y % 2);
+        for (x = 0; x < width; x++) {
+            dst[x] = *src;
+            src += 2;
        }
    }
 }
@@ -143,7 +146,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame)
    }
 }

-static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
+static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
 {
    Hnm4VideoContext *hnm = avctx->priv_data;
    GetByteContext gb;
@@ -162,7 +165,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
            if (tag == 0) {
                if (writeoffset + 2 > hnm->width * hnm->height) {
                    av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                }
                hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
                hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
@@ -176,7 +179,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
                count = bytestream2_get_byte(&gb) * 2;
                if (writeoffset + count > hnm->width * hnm->height) {
                    av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                }
                while (count > 0) {
                    hnm->current[writeoffset++] = bytestream2_peek_byte(&gb);
@@ -188,7 +191,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
            }
            if (writeoffset > hnm->width * hnm->height) {
                av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
            }
        } else {
            previous = bytestream2_peek_byte(&gb) & 0x20;
@@ -204,24 +207,25 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s

            if (!backward && offset + 2*count > hnm->width * hnm->height) {
                av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
            } else if (backward && offset + 1 >= hnm->width * hnm->height) {
                av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
            } else if (writeoffset + 2*count > hnm->width * hnm->height) {
                av_log(avctx, AV_LOG_ERROR,
                       "Attempting to write out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
+
            }
            if(backward) {
                if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) {
                    av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                }
            } else {
                if (offset < (!!backline)*(2 * hnm->width - 1)) {
                    av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                }
            }

@@ -268,6 +272,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
            }
        }
    }
+    return 0;
 }

 static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
@@ -434,7 +439,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data,
            decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8);
            memcpy(hnm->processed, hnm->current, hnm->width * hnm->height);
        } else {
-            decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
+            int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
+            if (ret < 0)
+                return ret;
            postprocess_current_frame(avctx);
        }
        copy_processed_frame(avctx, frame);
@@ -248,13 +248,18 @@ static int hqa_decode_frame(HQContext *ctx, AVFrame *pic, size_t data_size)
    int width, height, quant;
    const uint8_t *src = ctx->gbc.buffer;

+    if (bytestream2_get_bytes_left(&ctx->gbc) < 8 + 4*(num_slices + 1))
+        return AVERROR_INVALIDDATA;
+
    width  = bytestream2_get_be16(&ctx->gbc);
    height = bytestream2_get_be16(&ctx->gbc);

+    ret = ff_set_dimensions(ctx->avctx, width, height);
+    if (ret < 0)
+        return ret;
+
    ctx->avctx->coded_width         = FFALIGN(width,  16);
    ctx->avctx->coded_height        = FFALIGN(height, 16);
-    ctx->avctx->width               = width;
-    ctx->avctx->height              = height;
    ctx->avctx->bits_per_raw_sample = 8;
    ctx->avctx->pix_fmt             = AV_PIX_FMT_YUVA422P;

@@ -55,7 +55,7 @@ static int scanbraces(const char* in) {
    if (strncmp(in, "{\\an", 4) != 0) {
        return 0;
    }
-    if (!isdigit(in[4])) {
+    if (!av_isdigit(in[4])) {
        return 0;
    }
    if (in[5] != '}') {
@@ -418,9 +418,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
        case 0x0F0:
            avctx->pix_fmt = AV_PIX_FMT_GRAY16;
            break;
-        case 0x170:
-            avctx->pix_fmt = AV_PIX_FMT_GRAY8A;
-            break;
        case 0x470:
            avctx->pix_fmt = AV_PIX_FMT_GBRP;
            break;
@@ -279,7 +279,6 @@ FF_ENABLE_DEPRECATION_WARNINGS
    case AV_PIX_FMT_YUVA420P:
    case AV_PIX_FMT_YUVA422P:
    case AV_PIX_FMT_GBRAP:
-    case AV_PIX_FMT_GRAY8A:
    case AV_PIX_FMT_YUV420P9:
    case AV_PIX_FMT_YUV420P10:
    case AV_PIX_FMT_YUV420P12:
@@ -1133,7 +1132,6 @@ AVCodec ff_ffvhuff_encoder = {
        AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY16,
        AV_PIX_FMT_YUVA420P, AV_PIX_FMT_YUVA422P, AV_PIX_FMT_YUVA444P,
        AV_PIX_FMT_GBRAP,
-        AV_PIX_FMT_GRAY8A,
        AV_PIX_FMT_YUV420P9, AV_PIX_FMT_YUV420P10, AV_PIX_FMT_YUV420P12, AV_PIX_FMT_YUV420P14, AV_PIX_FMT_YUV420P16,
        AV_PIX_FMT_YUV422P9, AV_PIX_FMT_YUV422P10, AV_PIX_FMT_YUV422P12, AV_PIX_FMT_YUV422P14, AV_PIX_FMT_YUV422P16,
        AV_PIX_FMT_YUV444P9, AV_PIX_FMT_YUV444P10, AV_PIX_FMT_YUV444P12, AV_PIX_FMT_YUV444P14, AV_PIX_FMT_YUV444P16,
@@ -243,6 +243,11 @@ static int idcin_decode_frame(AVCodecContext *avctx,
    return buf_size;
 }

+static const AVCodecDefault idcin_defaults[] = {
+    { "max_pixels", "320*240" },
+    { NULL },
+};
+
 AVCodec ff_idcin_decoder = {
    .name           = "idcinvideo",
    .long_name      = NULL_IF_CONFIG_SMALL("id Quake II CIN video"),
@@ -252,4 +257,5 @@ AVCodec ff_idcin_decoder = {
    .init           = idcin_decode_init,
    .decode         = idcin_decode_frame,
    .capabilities   = AV_CODEC_CAP_DR1,
+    .defaults       = idcin_defaults,
 };
@@ -111,23 +111,23 @@ static const uint64_t plane8_lut[8][256] = {
    LUT8(4), LUT8(5), LUT8(6), LUT8(7),
 };

-#define LUT32(plane) {                                \
-             0,          0,          0,          0,   \
-             0,          0,          0, 1 << plane,   \
-             0,          0, 1 << plane,          0,   \
-             0,          0, 1 << plane, 1 << plane,   \
-             0, 1 << plane,          0,          0,   \
-             0, 1 << plane,          0, 1 << plane,   \
-             0, 1 << plane, 1 << plane,          0,   \
-             0, 1 << plane, 1 << plane, 1 << plane,   \
-    1 << plane,          0,          0,          0,   \
-    1 << plane,          0,          0, 1 << plane,   \
-    1 << plane,          0, 1 << plane,          0,   \
-    1 << plane,          0, 1 << plane, 1 << plane,   \
-    1 << plane, 1 << plane,          0,          0,   \
-    1 << plane, 1 << plane,          0, 1 << plane,   \
-    1 << plane, 1 << plane, 1 << plane,          0,   \
-    1 << plane, 1 << plane, 1 << plane, 1 << plane,   \
+#define LUT32(plane) {                                    \
+              0,           0,           0,           0,   \
+              0,           0,           0, 1U << plane,   \
+              0,           0, 1U << plane,           0,   \
+              0,           0, 1U << plane, 1U << plane,   \
+              0, 1U << plane,           0,           0,   \
+              0, 1U << plane,           0, 1U << plane,   \
+              0, 1U << plane, 1U << plane,           0,   \
+              0, 1U << plane, 1U << plane, 1U << plane,   \
+    1U << plane,           0,           0,           0,   \
+    1U << plane,           0,           0, 1U << plane,   \
+    1U << plane,           0, 1U << plane,           0,   \
+    1U << plane,           0, 1U << plane, 1U << plane,   \
+    1U << plane, 1U << plane,           0,           0,   \
+    1U << plane, 1U << plane,           0, 1U << plane,   \
+    1U << plane, 1U << plane, 1U << plane,           0,   \
+    1U << plane, 1U << plane, 1U << plane, 1U << plane,   \
 }

 // 32 planes * 4-bit mask * 4 lookup tables each
@@ -180,6 +180,10 @@ static int cmap_read_palette(AVCodecContext *avctx, uint32_t *pal)
            pal[i] = 0xFF000000 | gray2rgb((i * 255) >> avctx->bits_per_coded_sample);
    }
    if (s->masking == MASK_HAS_MASK) {
+        if ((1 << avctx->bits_per_coded_sample) < count) {
+            avpriv_request_sample(avctx, "overlapping mask");
+            return AVERROR_PATCHWELCOME;
+        }
        memcpy(pal + (1 << avctx->bits_per_coded_sample), pal, count * 4);
        for (i = 0; i < count; i++)
            pal[i] &= 0xFFFFFF;
@@ -280,6 +284,16 @@ static int extract_header(AVCodecContext *const avctx,
        for (i = 0; i < 16; i++)
            s->tvdc[i] = bytestream_get_be16(&buf);

+        if (s->ham) {
+            if (s->bpp > 8) {
+                av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u\n", s->ham);
+                return AVERROR_INVALIDDATA;
+            } if (s->ham != (s->bpp > 6 ? 6 : 4)) {
+                av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u, BPP: %u\n", s->ham, s->bpp);
+                return AVERROR_INVALIDDATA;
+            }
+        }
+
        if (s->masking == MASK_HAS_MASK) {
            if (s->bpp >= 8 && !s->ham) {
                avctx->pix_fmt = AV_PIX_FMT_RGB32;
@@ -307,9 +321,6 @@ static int extract_header(AVCodecContext *const avctx,
        if (!s->bpp || s->bpp > 32) {
            av_log(avctx, AV_LOG_ERROR, "Invalid number of bitplanes: %u\n", s->bpp);
            return AVERROR_INVALIDDATA;
-        } else if (s->ham >= 8) {
-            av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u\n", s->ham);
-            return AVERROR_INVALIDDATA;
        }

        av_freep(&s->ham_buf);
@@ -371,6 +382,8 @@ static av_cold int decode_end(AVCodecContext *avctx)
    av_freep(&s->planebuf);
    av_freep(&s->ham_buf);
    av_freep(&s->ham_palbuf);
+    av_freep(&s->mask_buf);
+    av_freep(&s->mask_palbuf);
    av_freep(&s->video[0]);
    av_freep(&s->video[1]);
    av_freep(&s->pal);
@@ -443,11 +456,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
 */
 static void decodeplane8(uint8_t *dst, const uint8_t *buf, int buf_size, int plane)
 {
-    const uint64_t *lut = plane8_lut[plane];
+    const uint64_t *lut;
    if (plane >= 8) {
        av_log(NULL, AV_LOG_WARNING, "Ignoring extra planes beyond 8\n");
        return;
    }
+    lut = plane8_lut[plane];
    do {
        uint64_t v = AV_RN64A(dst) | lut[*buf++];
        AV_WN64A(dst, v);
@@ -1130,6 +1144,9 @@ static void decode_long_vertical_delta(uint8_t *dst,
                        x = bytestream2_get_be32(&dgb);
                    }

+                    if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb))
+                        return;
+
                    while (opcode) {
                        bytestream2_seek_p(&pb, ofsdst, SEEK_SET);
                        if (h && (j == (ncolumns - 1))) {
@@ -1270,6 +1287,9 @@ static void decode_long_vertical_delta2(uint8_t *dst,
                        x = bytestream2_get_be32(&gb);
                    }

+                    if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb))
+                        return;
+
                    while (opcode && bytestream2_get_bytes_left_p(&pb) > 1) {
                        bytestream2_seek_p(&pb, ofsdst, SEEK_SET);
                        if (h && (j == ncolumns - 1))
@@ -1512,7 +1532,7 @@ static int decode_frame(AVCodecContext *avctx,
    buf_size -= bytestream2_tell(gb);
    desc = av_pix_fmt_desc_get(avctx->pix_fmt);

-    if (!s->init && avctx->bits_per_coded_sample <= 8 &&
+    if (!s->init && avctx->bits_per_coded_sample <= 8 - (s->masking == MASK_HAS_MASK) &&
        avctx->pix_fmt == AV_PIX_FMT_PAL8) {
        if ((res = cmap_read_palette(avctx, (uint32_t *)frame->data[1])) < 0)
            return res;
@@ -79,10 +79,11 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst

    for (j = 1; j < height; j++) {
        out = 0;
-        if (get_bits_left(&ctx->gb) <= 0)
-            return AVERROR_INVALIDDATA;
        while (out < width) {
-            int c = ir2_get_code(&ctx->gb);
+            int c;
+            if (get_bits_left(&ctx->gb) <= 0)
+                return AVERROR_INVALIDDATA;
+            c = ir2_get_code(&ctx->gb);
            if (c >= 0x80) { /* we have a skip */
                c -= 0x7F;
                if (out + c*2 > width)
@@ -123,9 +124,9 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_

    for (j = 0; j < height; j++) {
        out = 0;
-        if (get_bits_left(&ctx->gb) <= 0)
-            return AVERROR_INVALIDDATA;
        while (out < width) {
+            if (get_bits_left(&ctx->gb) <= 0)
+                return AVERROR_INVALIDDATA;
            c = ir2_get_code(&ctx->gb);
            if (c >= 0x80) { /* we have a skip */
                c   -= 0x7F;
@@ -528,7 +528,7 @@ static int decode_block(InterplayACMContext *s)

    for (i = 1, x = -val; i <= count; i++) {
        s->midbuf[-i] = x;
-        x -= val;
+        x -= (unsigned)val;
    }

    ret = fill_block(s);
@@ -1260,7 +1260,7 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
            s->decoding_map_size = ((s->avctx->width / 8) * (s->avctx->height / 8)) * 2;
            s->decoding_map = buf + 8 + 14; /* 14 bits of op data */
            video_data_size -= s->decoding_map_size + 14;
-            if (video_data_size <= 0)
+            if (video_data_size <= 0 || s->decoding_map_size == 0)
                return AVERROR_INVALIDDATA;

            if (buf_size < 8 + s->decoding_map_size + 14 + video_data_size)
@@ -1203,6 +1203,11 @@ int ff_h263_decode_picture_header(MpegEncContext *s)
    if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0)
        return ret;

+    if (!(s->avctx->flags2 & AV_CODEC_FLAG2_CHUNKS)) {
+        if ((s->width * s->height / 256 / 8) > get_bits_left(&s->gb))
+            return AVERROR_INVALIDDATA;
+    }
+
    s->mb_width = (s->width  + 15) / 16;
    s->mb_height = (s->height  + 15) / 16;
    s->mb_num = s->mb_width * s->mb_height;
@@ -429,6 +429,10 @@ av_cold int ff_ivi_init_tiles(IVIPlaneDesc *planes,
        t_height = !p ? tile_height : (tile_height + 3) >> 2;

        if (!p && planes[0].num_bands == 4) {
+            if (t_width % 2 || t_height % 2) {
+                avpriv_request_sample(NULL, "Odd tiles");
+                return AVERROR_PATCHWELCOME;
+            }
            t_width  >>= 1;
            t_height >>= 1;
        }
@@ -488,12 +492,6 @@ static int ivi_dec_tile_data_size(GetBitContext *gb)
 static int ivi_dc_transform(IVIBandDesc *band, int *prev_dc, int buf_offs,
                            int blk_size)
 {
-    int buf_size = band->pitch * band->aheight - buf_offs;
-    int min_size = (blk_size - 1) * band->pitch + blk_size;
-
-    if (min_size > buf_size)
-        return AVERROR_INVALIDDATA;
-
    band->dc_transform(prev_dc, band->buf + buf_offs,
                       band->pitch, blk_size);

@@ -724,6 +722,11 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band,
                if (ret < 0)
                    return ret;
            } else {
+                int buf_size = band->pitch * band->aheight - buf_offs;
+                int min_size = (blk_size - 1) * band->pitch + blk_size;
+
+                if (min_size > buf_size)
+                    return AVERROR_INVALIDDATA;
                /* block not coded */
                /* for intra blocks apply the dc slant transform */
                /* for inter - perform the motion compensation without delta */
@@ -247,6 +247,11 @@ static void init_band_stepsize(AVCodecContext *avctx,
        }
    }

+    if (band->f_stepsize > (INT_MAX >> 15)) {
+        band->f_stepsize = 0;
+        av_log(avctx, AV_LOG_ERROR, "stepsize out of range\n");
+    }
+
    band->i_stepsize = band->f_stepsize * (1 << 15);

    /* FIXME: In OpenJPEG code stepsize = stepsize * 0.5. Why?
@@ -163,13 +163,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size);
            return AVERROR_INVALIDDATA;
        }
-        if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
-            return ret;

        if (video_type == 0 || video_type == 1) {
            GetBitContext gb;
            init_get_bits(&gb, buf, 8 * video_size);

+            if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
+                return ret;
+
            if (avctx->height/8 * (avctx->width/8) > 4 * video_size) {
                av_log(avctx, AV_LOG_ERROR, "Insufficient input data for dimensions\n");
                return AVERROR_INVALIDDATA;
@@ -184,6 +185,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            buf += video_size;
        } else if (video_type == 2) {
            int v = *buf++;
+
+            av_frame_unref(s->frame);
+            if ((ret = ff_get_buffer(avctx, s->frame, AV_GET_BUFFER_FLAG_REF)) < 0)
+                return ret;
+
            for (j = 0; j < avctx->height; j++)
                memset(s->frame->data[0] + j * s->frame->linesize[0],
                       v, avctx->width);
@@ -49,29 +49,40 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) {
    vorbis_comment_init(&context->vc) ;

    if(p[0] == 0 && p[1] == 30) {
+        int sizesum = 0;
        for(i = 0; i < 3; i++){
            hsizes[i] = bytestream_get_be16((const uint8_t **)&p);
+            sizesum += 2 + hsizes[i];
+            if (sizesum > avccontext->extradata_size) {
+                av_log(avccontext, AV_LOG_ERROR, "vorbis extradata too small\n");
+                ret = AVERROR_INVALIDDATA;
+                goto error;
+            }
+
            headers[i] = p;
            p += hsizes[i];
        }
    } else if(*p == 2) {
        unsigned int offset = 1;
+        unsigned int sizesum = 1;
        p++;
        for(i=0; i<2; i++) {
            hsizes[i] = 0;
-            while((*p == 0xFF) && (offset < avccontext->extradata_size)) {
+            while((*p == 0xFF) && (sizesum < avccontext->extradata_size)) {
                hsizes[i] += 0xFF;
                offset++;
+                sizesum += 1 + 0xFF;
                p++;
            }
-            if(offset >= avccontext->extradata_size - 1) {
+            hsizes[i] += *p;
+            offset++;
+            sizesum += 1 + *p;
+            if(sizesum > avccontext->extradata_size) {
                av_log(avccontext, AV_LOG_ERROR,
                       "vorbis header sizes damaged\n");
                ret = AVERROR_INVALIDDATA;
                goto error;
            }
-            hsizes[i] += *p;
-            offset++;
            p++;
        }
        hsizes[2] = avccontext->extradata_size - hsizes[0]-hsizes[1]-offset;
@@ -159,6 +159,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh
    for (j = 1; j < height; j++) {
        /* restore left column */
        val = loco_get_rice(&rc);
+        if (val == INT_MIN)
+           return AVERROR_INVALIDDATA;
        data[0] = data[-stride] + val;
        /* restore all other pixels */
        for (i = 1; i < width; i++) {
@@ -293,6 +295,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
        avpriv_request_sample(avctx, "LOCO codec version %i", version);
    }

+    if (l->lossy > 65536U) {
+        av_log(avctx, AV_LOG_ERROR, "lossy %i is too large\n", l->lossy);
+        return AVERROR_INVALIDDATA;
+    }
+
    l->mode = AV_RL32(avctx->extradata + 4);
    switch (l->mode) {
    case LOCO_CYUY2:
@@ -108,7 +108,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order)
    int i, j;

    f[0] = 0x400000;          // 1.0 in (3.22)
-    f[1] = -lsp[0] << 8;      // *2 and (0.15) -> (3.22)
+    f[1] = -lsp[0] * 256;     // *2 and (0.15) -> (3.22)

    for(i=2; i<=lp_half_order; i++)
    {
@@ -116,7 +116,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order)
        for(j=i; j>1; j--)
            f[j] -= MULL(f[j-1], lsp[2*i-2], FRAC_BITS) - f[j-2];

-        f[1] -= lsp[2*i-2] << 8;
+        f[1] -= lsp[2*i-2] * 256;
    }
 }

@@ -61,7 +61,7 @@ static int m101_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    stride = AV_RL32(avctx->extradata + 5*4);

    if (avctx->pix_fmt == AV_PIX_FMT_YUV422P10)
-        min_stride = (avctx->width + 15) / 16 * 20;
+        min_stride = (avctx->width + 15) / 16 * 40;

    if (stride < min_stride || avpkt->size < stride * (uint64_t)avctx->height) {
        av_log(avctx, AV_LOG_ERROR, "stride (%d) is invalid for packet sized %d\n",
@@ -668,7 +668,9 @@ unk_pixfmt:
    }

    if ((s->rgb && !s->lossless && !s->ls) ||
-        (!s->rgb && s->ls && s->nb_components > 1)) {
+        (!s->rgb && s->ls && s->nb_components > 1) ||
+        (s->avctx->pix_fmt == AV_PIX_FMT_PAL8 && !s->ls)
+    ) {
        av_log(s->avctx, AV_LOG_ERROR, "Unsupported coding and pixel format combination\n");
        return AVERROR_PATCHWELCOME;
    }
@@ -171,7 +171,7 @@ static int mp_read_codes_table(MotionPixelsContext *mp, GetBitContext *gb)
   return 0;
 }

-static int mp_gradient(MotionPixelsContext *mp, int component, int v)
+static av_always_inline int mp_gradient(MotionPixelsContext *mp, int component, int v)
 {
    int delta;

@@ -196,11 +196,13 @@ static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const Yuv
    *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2] = color;
 }

-static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb)
+static av_always_inline int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb)
 {
    int i;

    i = (mp->codes_count == 1) ? 0 : get_vlc2(gb, mp->vlc.table, mp->max_codes_bits, 1);
+    if (i < 0)
+        return i;
    return mp->codes[i].delta;
 }

@@ -62,7 +62,7 @@ static inline int mpc8_dec_enum(GetBitContext *gb, int k, int n)
    do {
        n--;
        if (code >= C[n]) {
-            bits |= 1 << n;
+            bits |= 1U << n;
            code -= C[n];
            C -= 32;
            k--;
@@ -364,8 +364,9 @@ static int mpc8_decode_frame(AVCodecContext * avctx, void *data,
                for(j = 0; j < SAMPLES_PER_BAND; j += SAMPLES_PER_BAND / 2){
                    cnt = get_vlc2(gb, q1_vlc.table, MPC8_Q1_BITS, 2);
                    t = mpc8_get_mask(gb, 18, cnt);
-                    for(k = 0; k < SAMPLES_PER_BAND / 2; k++, t <<= 1)
-                        c->Q[ch][off + j + k] = (t & 0x20000) ? (get_bits1(gb) << 1) - 1 : 0;
+                    for(k = 0; k < SAMPLES_PER_BAND / 2; k++)
+                        c->Q[ch][off + j + k] = t & (1 << (SAMPLES_PER_BAND / 2 - k - 1))
+                                                ? (get_bits1(gb) << 1) - 1 : 0;
                }
                break;
            case 2:
@@ -56,6 +56,8 @@ static void arith_normalise(ArithCoder *c)
        c->low   <<= 1;
        c->high  <<= 1;
        c->high   |= 1;
+        if (get_bits_left(c->gbc.gb) < 1)
+            c->overread++;
        c->value  |= get_bits1(c->gbc.gb);
    }
 }
@@ -112,6 +114,7 @@ static void arith_init(ArithCoder *c, GetBitContext *gb)
    c->low           = 0;
    c->high          = 0xFFFF;
    c->value         = get_bits(gb, 16);
+    c->overread      = 0;
    c->gbc.gb        = gb;
    c->get_model_sym = arith_get_model_sym;
    c->get_number    = arith_get_number;
@@ -161,6 +161,8 @@ static av_always_inline int decode_pixel(ArithCoder *acoder, PixContext *pctx,
 {
    int i, val, pix;

+    if (acoder->overread > MAX_OVERREAD)
+        return AVERROR_INVALIDDATA;
    val = acoder->get_model_sym(acoder, &pctx->cache_model);
    if (val < pctx->num_syms) {
        if (any_ngb) {
@@ -306,6 +308,8 @@ static int decode_region(ArithCoder *acoder, uint8_t *dst, uint8_t *rgb_pic,
            else
                p = decode_pixel_in_context(acoder, pctx, dst + i, stride,
                                            i, j, width - i - 1);
+            if (p < 0)
+                return p;
            dst[i] = p;

            if (rgb_pic)
@@ -398,6 +402,8 @@ static int decode_region_masked(MSS12Context const *c, ArithCoder *acoder,
                else
                    p = decode_pixel_in_context(acoder, pctx, dst + i, stride,
                                                i, j, width - i - 1);
+                if (p < 0)
+                    return p;
                dst[i] = p;
                if (c->rgb_pic)
                    AV_WB24(rgb_dst + i * 3, c->pal[p]);
@@ -473,6 +479,8 @@ static int decode_region_intra(SliceContext *sc, ArithCoder *acoder,
        uint8_t *rgb_dst = c->rgb_pic + x * 3 + y * rgb_stride;

        pix     = decode_pixel(acoder, &sc->intra_pix_ctx, NULL, 0, 0);
+        if (pix < 0)
+            return pix;
        rgb_pix = c->pal[pix];
        for (i = 0; i < height; i++, dst += stride, rgb_dst += rgb_stride) {
            memset(dst, pix, width);
@@ -499,6 +507,8 @@ static int decode_region_inter(SliceContext *sc, ArithCoder *acoder,

    if (!mode) {
        mode = decode_pixel(acoder, &sc->inter_pix_ctx, NULL, 0, 0);
+        if (mode < 0)
+            return mode;

        if (c->avctx->err_recognition & AV_EF_EXPLODE &&
            ( c->rgb_pic && mode != 0x01 && mode != 0x02 && mode != 0x04 ||
@@ -530,6 +540,8 @@ int ff_mss12_decode_rect(SliceContext *sc, ArithCoder *acoder,
                         int x, int y, int width, int height)
 {
    int mode, pivot;
+    if (acoder->overread > MAX_OVERREAD)
+        return AVERROR_INVALIDDATA;

    mode = acoder->get_model_sym(acoder, &sc->split_mode);

@@ -47,6 +47,8 @@ typedef struct Model {

 typedef struct ArithCoder {
    int low, high, value;
+    int overread;
+#define MAX_OVERREAD 16
    union {
        GetBitContext *gb;
        GetByteContext *gB;
@@ -152,6 +152,7 @@ static void arith2_init(ArithCoder *c, GetByteContext *gB)
    c->low           = 0;
    c->high          = 0xFFFFFF;
    c->value         = bytestream2_get_be24(gB);
+    c->overread      = 0;
    c->gbc.gB        = gB;
    c->get_model_sym = arith2_get_model_sym;
    c->get_number    = arith2_get_number;
@@ -298,6 +298,10 @@ static void rac_normalise(RangeCoder *c)
            c->got_error = 1;
            c->low = 1;
        }
+        if (c->low > c->range) {
+            c->got_error = 1;
+            c->low = 1;
+        }
        if (c->range >= RAC_BOTTOM)
            return;
    }
@@ -552,6 +552,11 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
               "Empty frame found but it is not a skip frame.\n");
        return AVERROR_INVALIDDATA;
    }
+    mb_width  = FFALIGN(width,  16) >> 4;
+    mb_height = FFALIGN(height, 16) >> 4;
+
+    if (frame_type != SKIP_FRAME && 8*buf_size < 8*HEADER_SIZE + mb_width*mb_height)
+        return AVERROR_INVALIDDATA;

    if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
        return ret;
@@ -574,9 +579,6 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,

    if ((ret = init_get_bits8(&gb, buf + HEADER_SIZE, buf_size - HEADER_SIZE)) < 0)
        return ret;
-
-    mb_width  = FFALIGN(width,  16) >> 4;
-    mb_height = FFALIGN(height, 16) >> 4;
    dst[0] = c->pic->data[0];
    dst[1] = c->pic->data[1];
    dst[2] = c->pic->data[2];
@@ -199,6 +199,7 @@ static int mxpeg_decode_frame(AVCodecContext *avctx,
    buf_end = buf + buf_size;
    jpg->got_picture = 0;
    s->got_mxm_bitmask = 0;
+    s->got_sof_data = !!s->got_sof_data;
    while (buf_ptr < buf_end) {
        start_code = ff_mjpeg_find_marker(jpg, &buf_ptr, buf_end,
                                          &unescaped_buf_ptr, &unescaped_buf_size);
@@ -241,6 +242,11 @@ static int mxpeg_decode_frame(AVCodecContext *avctx,
                    return ret;
                break;
            case SOF0:
+                if (s->got_sof_data > 1) {
+                    av_log(avctx, AV_LOG_ERROR,
+                           "Multiple SOF in a frame\n");
+                    return AVERROR_INVALIDDATA;
+                }
                s->got_sof_data = 0;
                ret = ff_mjpeg_decode_sof(jpg);
                if (ret < 0) {
@@ -253,7 +259,7 @@ static int mxpeg_decode_frame(AVCodecContext *avctx,
                           "Interlaced mode not supported in MxPEG\n");
                    return AVERROR(EINVAL);
                }
-                s->got_sof_data = 1;
+                s->got_sof_data ++;
                break;
            case SOS:
                if (!s->got_sof_data) {
@@ -131,10 +131,10 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height,
                     + RTJPEG_HEADER_SIZE;
        if (buf_size > INT_MAX/8)
            return -1;
-        if ((ret = av_image_check_size(height, width, 0, avctx)) < 0)
+        if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
            return ret;
-        avctx->width  = c->width  = width;
-        avctx->height = c->height = height;
+        c->width  = width;
+        c->height = height;
        av_fast_malloc(&c->decomp_buf, &c->decomp_size,
                       buf_size);
        if (!c->decomp_buf) {
@@ -217,6 +217,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    case NUV_RTJPEG:
        minsize = c->width/16 * (c->height/16) * 6;
        break;
+    case NUV_BLACK:
+    case NUV_COPY_LAST:
+    case NUV_LZO:
+    case NUV_RTJPEG_IN_LZO:
+        break;
+    default:
+        av_log(avctx, AV_LOG_ERROR, "unknown compression\n");
+        return AVERROR_INVALIDDATA;
    }
    if (buf_size < minsize / 4)
        return AVERROR_INVALIDDATA;
@@ -305,9 +313,6 @@ retry:
    case NUV_COPY_LAST:
        /* nothing more to do here */
        break;
-    default:
-        av_log(avctx, AV_LOG_ERROR, "unknown compression\n");
-        return AVERROR_INVALIDDATA;
    }

    if ((result = av_frame_ref(picture, c->pic)) < 0)
@@ -262,6 +262,9 @@ int ff_combine_frame(ParseContext *pc, int next,
    for (; pc->overread > 0; pc->overread--)
        pc->buffer[pc->index++] = pc->buffer[pc->overread_index++];

+    if (next > *buf_size)
+        return AVERROR(EINVAL);
+
    /* flush remaining if EOF */
    if (!*buf_size && next == END_NOT_FOUND)
        next = 0;
@@ -251,6 +251,9 @@ static av_cold int pcm_decode_init(AVCodecContext *avctx)
        break;
    case AV_CODEC_ID_PCM_F16LE:
    case AV_CODEC_ID_PCM_F24LE:
+        if (avctx->bits_per_coded_sample < 1 || avctx->bits_per_coded_sample > 24)
+            return AVERROR_INVALIDDATA;
+
        s->scale = 1. / (1 << (avctx->bits_per_coded_sample - 1));
        s->fdsp = avpriv_float_dsp_alloc(0);
        if (!s->fdsp)
@@ -1352,6 +1352,9 @@ exit_loop:
            if (CONFIG_PNG_DECODER && avctx->codec_id != AV_CODEC_ID_APNG)
                handle_p_frame_png(s, p);
            else if (CONFIG_APNG_DECODER &&
+                     s->previous_picture.f->width == p->width  &&
+                     s->previous_picture.f->height== p->height &&
+                     s->previous_picture.f->format== p->format &&
                     avctx->codec_id == AV_CODEC_ID_APNG &&
                     (ret = handle_p_frame_apng(avctx, s, p)) < 0)
                goto fail;
@@ -55,6 +55,9 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,

    buf += offset;

+    if (buf_end - buf < w * bytes_per_pixel)
+        return AVERROR_INVALIDDATA;
+
    if ((ret = ff_set_dimensions(avctx, w, h)) < 0)
        return ret;

@@ -408,7 +408,12 @@ static int fix_coding_method_array(int sb, int channels,
            }
            for (k = 0; k < run; k++) {
                if (j + k < 128) {
-                    if (coding_method[ch][sb + (j + k) / 64][(j + k) % 64] > coding_method[ch][sb][j]) {
+                    int sbjk = sb + (j + k) / 64;
+                    if (sbjk > 29) {
+                        SAMPLES_NEEDED
+                        continue;
+                    }
+                    if (coding_method[ch][sbjk][(j + k) % 64] > coding_method[ch][sb][j]) {
                        if (k > 0) {
                            SAMPLES_NEEDED
                            //not debugged, almost never used
@@ -1284,6 +1289,10 @@ static void qdm2_fft_decode_tones(QDM2Context *q, int duration,
            }
            offset += (n - 2);
        } else {
+            if (local_int_10 <= 2) {
+                av_log(NULL, AV_LOG_ERROR, "qdm2_fft_decode_tones() stuck\n");
+                return;
+            }
            offset += qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2);
            while (offset >= (local_int_10 - 1)) {
                offset       += (1 - (local_int_10 - 1));
@@ -1695,13 +1704,19 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
    s->group_size = bytestream2_get_be32(&gb);
    s->fft_size = bytestream2_get_be32(&gb);
    s->checksum_size = bytestream2_get_be32(&gb);
-    if (s->checksum_size >= 1U << 28) {
-        av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size);
+    if (s->checksum_size >= 1U << 28 || s->checksum_size <= 1) {
+        av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size);
        return AVERROR_INVALIDDATA;
    }

    s->fft_order = av_log2(s->fft_size) + 1;

+    // Fail on unknown fft order
+    if ((s->fft_order < 7) || (s->fft_order > 9)) {
+        avpriv_request_sample(avctx, "Unknown FFT order %d", s->fft_order);
+        return AVERROR_PATCHWELCOME;
+    }
+
    // something like max decodable tones
    s->group_order = av_log2(s->group_size) + 1;
    s->frame_size = s->group_size / 16; // 16 iterations per super block
@@ -1712,6 +1727,11 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
    s->sub_sampling = s->fft_order - 7;
    s->frequency_range = 255 / (1 << (2 - s->sub_sampling));

+    if (s->frame_size * 4 >> s->sub_sampling > MPA_FRAME_SIZE) {
+        avpriv_request_sample(avctx, "large frames");
+        return AVERROR_PATCHWELCOME;
+    }
+
    switch ((s->sub_sampling * 2 + s->channels - 1)) {
        case 0: tmp = 40; break;
        case 1: tmp = 48; break;
@@ -1735,11 +1755,6 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
    else
        s->coeff_per_sb_select = 2;

-    // Fail on unknown fft order
-    if ((s->fft_order < 7) || (s->fft_order > 9)) {
-        avpriv_request_sample(avctx, "Unknown FFT order %d", s->fft_order);
-        return AVERROR_PATCHWELCOME;
-    }
    if (s->fft_size != (1 << (s->fft_order - 1))) {
        av_log(avctx, AV_LOG_ERROR, "FFT size %d not power of 2.\n", s->fft_size);
        return AVERROR_INVALIDDATA;
@@ -361,6 +361,8 @@ static int qdmc_get_vlc(GetBitContext *gb, VLC *table, int flag)
 {
    int v;

+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
    v = get_vlc2(gb, table->table, table->bits, 1);
    if (v < 0)
        return AVERROR_INVALIDDATA;
@@ -571,9 +573,9 @@ static void add_noise(QDMCContext *s, int ch, int current_subframe)
    for (j = 2; j < s->subframe_size - 1; j++) {
        float rnd_re, rnd_im;

-        s->rndval = 214013 * s->rndval + 2531011;
+        s->rndval = 214013U * s->rndval + 2531011;
        rnd_im = ((s->rndval & 0x7FFF) - 16384.0f) * 0.000030517578f * s->noise2_buffer[j];
-        s->rndval = 214013 * s->rndval + 2531011;
+        s->rndval = 214013U * s->rndval + 2531011;
        rnd_re = ((s->rndval & 0x7FFF) - 16384.0f) * 0.000030517578f * s->noise2_buffer[j];
        im[j  ] += rnd_im;
        re[j  ] += rnd_re;
@@ -453,6 +453,8 @@ static int decode_frame(AVCodecContext *avctx,
                avpriv_request_sample(avctx, "Pack type %d", pack_type);
                return AVERROR_PATCHWELCOME;
            }
+            if (bytestream2_get_bytes_left(&gbc) < 30)
+                return AVERROR_INVALIDDATA;
            if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
                return ret;

@@ -220,7 +220,7 @@ static inline int extend_code(GetBitContext *gb, int val, int range, int bits)
        val -= range;
    }
    if (bits)
-        val = (val << bits) | get_bits(gb, bits);
+        val = ((unsigned)val << bits) | get_bits(gb, bits);
    return val;
 }

@@ -234,8 +234,10 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch,
    int *dst = ctx->channel_data[ch];

    ctx->filter_params = get_vlc2(gb, set->filter_params.table, 9, 2);
-    ctx->filter_bits   = (ctx->filter_params - 2) >> 6;
-    ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1;
+    if (ctx->filter_params > 1) {
+        ctx->filter_bits   = (ctx->filter_params - 2) >> 6;
+        ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1;
+    }

    if (ctx->filter_params == FILTER_RAW) {
        for (i = 0; i < length; i++)
@@ -262,8 +264,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch,
            t = get_vlc2(gb, vlc[cmode].table, vlc[cmode].bits, 2);
            t = extend_code(gb, t, 21, add_bits);
            if (!cmode)
-                coeff -= 12 << add_bits;
-            coeff = t - coeff;
+                coeff -= 12U << add_bits;
+            coeff = (unsigned)t - coeff;
            ctx->filter[i] = coeff;

            cmode = coeff >> add_bits;
@@ -286,7 +288,7 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch,
            add_bits--;
        range    = 10;
        range2   = 21;
-        code_vlc = set->long_codes + code_params - 15;
+        code_vlc = set->long_codes + (code_params - 15);
    } else {
        add_bits = 0;
        range    = 6;
@@ -300,8 +302,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch,
        t = get_vlc2(gb, code_vlc->table, code_vlc->bits, 2);
        code1 = t / range2;
        code2 = t % range2;
-        dst[i]     = extend_code(gb, code1, range, 0) << add_bits;
-        dst[i + 1] = extend_code(gb, code2, range, 0) << add_bits;
+        dst[i]     = extend_code(gb, code1, range, 0) * (1U << add_bits);
+        dst[i + 1] = extend_code(gb, code2, range, 0) * (1U << add_bits);
        if (add_bits) {
            dst[i]     |= get_bits(gb, add_bits);
            dst[i + 1] |= get_bits(gb, add_bits);
@@ -323,7 +325,7 @@ static void apply_lpc(RALFContext *ctx, int ch, int length, int bits)

        acc = 0;
        for (j = 0; j < flen; j++)
-            acc += ctx->filter[j] * audio[i - j - 1];
+            acc += (unsigned)ctx->filter[j] * audio[i - j - 1];
        if (acc < 0) {
            acc = (acc + bias - 1) >> ctx->filter_bits;
            acc = FFMAX(acc, min_clip);
@@ -406,7 +408,7 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb,
    case 4:
        for (i = 0; i < len; i++) {
            t  =   ch1[i] + ctx->bias[1];
-            t2 = ((ch0[i] + ctx->bias[0]) << 1) | (t & 1);
+            t2 = ((ch0[i] + ctx->bias[0]) * 2) | (t & 1);
            dst0[i] = (t2 + t) / 2;
            dst1[i] = (t2 - t) / 2;
        }
@@ -221,7 +221,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
                                                           FFALIGN(avctx->width, 16),
                                                           avctx->height, 1);
    } else {
-        context->is_lt_16bpp = av_get_bits_per_pixel(desc) == 16 && avctx->bits_per_coded_sample && avctx->bits_per_coded_sample < 16;
+        context->is_lt_16bpp = av_get_bits_per_pixel(desc) == 16 && avctx->bits_per_coded_sample > 8 && avctx->bits_per_coded_sample < 16;
        context->frame_size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width,
                                                       avctx->height, 1);
    }
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .4.6
 .4.7