Update for 3.3.2

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int'
2017-06-06 22:11:21 +02:00 · 2017-06-06 16:56:47 +02:00 · 2017-06-06 16:56:38 +02:00 · 2017-06-06 16:56:23 +02:00 · 2017-06-06 03:44:35 +02:00 · 2017-06-06 03:44:35 +02:00
178 changed files with 1889 additions and 949 deletions
@@ -1,7 +1,250 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

-version <next>:
+
+version 3.3.2:
+- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int'
+- avcodec/pafvideo: Fix assertion failure
+- avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int'
+- avcodec/mjpegdec: Check that reference frame matches the current frame
+- avcodec/tiff: Avoid loosing allocated geotag values
+- avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int'
+- avformat/hls: Check local file extensions
+- avcodec/qdrw: Fix null pointer dereference
+- avutil/softfloat: Fix sign error in and improve documentation of av_int2sf()
+- avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]'
+- avcodec/dxv: Check remaining bytes in dxv_decompress_raw()
+- avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()
+- avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int'
+- avformat/options: log filename on open
+- avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int')
+- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int'
+- avcodec/cfhd: Fix runtime error: signed integer overflow: 65280 * 65288 cannot be represented in type 'int'
+- avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int'
+- avcodec/cinepak: Check input packet size before frame reallocation
+- avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int'
+- avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int'
+- avcodec/pnm: Use ff_set_dimensions()
+- avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int'
+- avcodec/nvenc: fix hw accelerated transcode with bframes
+- libavformat/hls: Observe Set-Cookie headers
+- libavformat/http: Ignore expired cookies
+- avformat/avidec: Limit formats in gab2 to srt and ass/ssa
+- avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float'
+- avcodec/wavpack: Check float_shift
+- avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int'
+- avcodec/ansi: Fix frame memleak
+- avcodec/dds: Fix runtime error: left shift of 145 by 24 places cannot be represented in type 'int'
+- avcodec/jpeg2000dec: Use ff_set_dimensions()
+- avcodec/truemotion2: Fix passing null pointer to memset()
+- avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+- avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int'
+- avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int'
+- avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro
+- avcodec/webp: Fixes null pointer dereference
+- avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+- avcodec/ylc: Check count in build_vlc()
+- avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int'
+- avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int'
+- avcodec/jpeg2000dec: Check tile offsets more completely
+- avcodec/sheervideo: Check input buffer size before allocating and decoding
+- avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int'
+- avcodec/wnv1: More strict buffer size check
+- avcodec/libfdk-aacdec: Correct buffer_size parameter
+- avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int'
+- avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2
+- doc/filters: Clarify scale2ref example
+- avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error
+- avcodec/ra144dec: Fix runtime error: left shift of negative value -17
+- avcodec/pixlet: Fix runtime error: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int'
+- avformat/mux: Fix copy an paste typo
+- avutil/internal: Do not enable CHECKED with DEBUG
+- avcodec/clearvideo: Check buf_size before decoding frame
+- avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int'
+- avcodec/smc: Check remaining input
+- avcodec/diracdec: Fix off by 1 error in quant check
+- avcodec/jpeg2000dec: Fix copy and paste error
+- avcodec/jpeg2000dec: Check tile offsets
+- avcodec/sanm: Fix uninitialized reference frames
+- avcodec/jpeglsdec: Check get_bits_left() before decoding a picture
+- avcodec/fmvc: Fix use of uninitialized memory when the first frame is not a keyframe
+- avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71
+- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int'
+- avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int'
+- avcodec/mpeg4videodec: Check for multiple VOL headers
+- avcodec/vp9block: fix runtime error: signed integer overflow: 196675 * 20670 cannot be represented in type 'int'
+- avcodec/vmnc: Check location before use
+- avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int'
+- avcodec/aac_defines: Fix: runtime error: left shift of negative value -2
+- avcodec/takdec: Fix runtime error: left shift of negative value -63
+- avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int'
+- avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int'
+- avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context
+- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int'
+- avcodec/mimic: Use ff_set_dimensions() to set the dimensions
+- avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int'
+- avcodec/pixlet: Fix reading invalid numbers of bits
+- avcodec/mlpdec: Fix: runtime error: left shift of negative value -8
+- avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int'
+- avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'
+- avcodec/aacdec_template: Fix fixed point scale in decode_cce()
+- avcodec/fmvc: Fix off by 1 error
+- avcodec/flicvideo: Check frame_size before decrementing
+- avcodec/mlpdec: Fix runtime error: left shift of negative value -1
+- avcodec/takdec: Fix  runtime error: left shift of negative value -42
+- avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int'
+- avcodec/scpr: mask bits to prevent out of array read
+- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int'
+- avcodec/svq3: Fix runtime error: left shift of negative value -6
+- avcodec/tiff: reset sampling[] if its invalid
+- configure: Fix the msvcrt version check for mingw32
+- lavf/mov: make invalid m{d,v}hd time_scale default to 1 instead of erroring out
+- lavc/ffjni: add missing '\n'
+- lavc/mediacodec_wrapper: do not declare JNIAMedia{Codec,CodecList,Format}Fields on the stack
+- lavc/mediacodec_wrapper: fix local reference leaks
+- avcodec/nvenc: remove unnecessary alignment
+- Use AVOnce as a static variable consistently
+- avfilter: take_samples: do not directly return frame when samples are skipped
+- avutil/hwcontext_dxva2: Don't improperly free IDirect3DSurface9 objects
+
+version 3.3.1:
+- libswscale/tests/swscale: Fix uninitialized variables
+- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int'
+- avcodec/webp: Fix signedness in prefix_code check
+- avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int'
+- avcodec/mlpdec: Check that there is enough data for headers
+- avcodec/ac3dec: Keep track of band structure
+- avcodec/webp: Add missing input padding
+- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1
+- avcodec/aacsbr_template: Do not change bs_num_env before its checked
+- avcodec/scpr: Fix multiple runtime error: index 256 out of bounds for type 'unsigned int [256]'
+- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1
+- avcodec/xpmdec: Fix multiple pointer/memory issues
+- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int'
+- avcodec/avcodec: Limit the number of side data elements per packet
+- avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
+- avcodec/g723_1dec: Fix runtime error: left shift of negative value -1
+- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int'
+- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610
+- avcodec/msmpeg4dec: Check for cbpy VLC errors
+- avcodec/cllc: Check num_bits
+- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers
+- avcodec/scpr: Check y in first line loop in decompress_i()
+- avcodec/dvbsubdec: Check entry_id
+- avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int'
+- avcodec/mpeg12dec: Fixes runtime error: division by zero
+- avcodec/pixlet: Fix runtime error: signed integer overflow: 436207616 * -5160230545260541 cannot be represented in type 'long'
+- avcodec/webp: Always set pix_fmt
+- avfilter/vf_uspp: Fix currently unused input frame dimensions
+- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1
+- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int'
+- avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int'
+- avformat/wavdec: Check chunk_size
+- avcodec/cavs: Check updated MV
+- avcodec/y41pdec: Fix width in input buffer size check
+- avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int'
+- avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int'
+- avcodec/lagarith: Check scale_factor
+- avcodec/lagarith: Fix runtime error: left shift of negative value -1
+- avcodec/takdec: Fix multiple  runtime error: left shift of negative value -1
+- avcodec/indeo2: Check for invalid VLCs
+- avcodec/g723_1dec: Fix several integer related cases of undefined behaviour
+- avcodec/htmlsubtitles: Check for string truncation and return error
+- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int'
+- avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int'
+- avcodec/dvbsubdec: check region dimensions
+- avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int'
+- avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col()
+- avcodec/cavsdec: Check sym_factor
+- avcodec/cdxl: Check format for BGR24
+- avcodec/ffv1dec: Fix copying planes of paletted formats
+- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int'
+- avcodec/xwddec: Check bpp more completely
+- avcodec/aacdec_template: Do not decode 2nd PCE if it will lead to failure
+- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int'
+- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int'
+- avcodec/g726: Fix runtime error: left shift of negative value -2
+- avcodec/magicyuv: Check len to be supported
+- avcodec/ra144: Fix runtime error: left shift of negative value -798
+- avcodec/mss34dsp: Fix multiple signed integer overflow
+- avcodec/targa_y216dec: Fix width type
+- avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
+- avcodec/ivi_dsp: Fix multiple left shift of negative value -2
+- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int'
+- avcodec/msmpeg4dec: Correct table depth
+- avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+- avcodec/cdxl: Check format parameter
+- avutil/softfloat: Fix overflow in av_div_sf()
+- avcodec/hq_hqa: Fix runtime error: left shift of negative value -207
+- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from
+- avcodec/shorten: Check k in get_uint()
+- avcodec/webp: Fix null pointer dereference
+- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
+- avcodec/g723_1: Fix multiple runtime error: left shift of negative value
+- avcodec/mimic: Fix runtime error: left shift of negative value -1
+- avcodec/clearvideo: Fix multiple runtime error: left shift of negative value -1024
+- avcodec/fic: Fix multiple left shift of negative value -15
+- avcodec/mlpdec: Fix runtime error: left shift of negative value -22
+- avcodec/snowdec: Check qbias
+- avutil/softfloat: Fix multiple runtime error: left shift of negative value -8
+- avcodec/aacsbr_template: Do not leave bs_num_env invalid
+- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int'
+- avcodec/dfa: Fix off by 1 error
+- avcodec/nellymoser: Fix multiple left shift of negative value -8591
+- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int'
+- avcodec/g722: Fix multiple runtime error: left shift of negative value -1
+- avcodec/dss_sp: Fix multiple left shift of negative value -466
+- avcodec/wnv1: Fix runtime error: left shift of negative value -1
+- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so
+- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int'
+- avcodec/cavsdec: Fix undefined behavior from integer overflow
+- avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int'
+- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit
+- avcodec/pngdec: Use ff_set_dimensions()
+- avcodec/msvideo1: Check buffer size before re-getting the frame
+- avcodec/h264_cavlc: Fix undefined behavior on qscale overflow
+- avcodec/dcadsp: Fix runtime error: signed integer overflow
+- avcodec/svq3: Reject dx/dy beyond 16bit
+- avcodec/svq3: Increase offsets to prevent integer overflows
+- avcodec/indeo2: Check remaining bits in ir2_decode_plane()
+- avcodec/vp3: Check remaining bits in unpack_dct_coeffs()
+- doc/developer: Add terse documentation of assumed C implementation defined behavior
+- avcodec/bmp: Use ff_set_dimensions()
+- avcodec/mdec: Fix runtime error: left shift of negative value -127
+- avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang
+- libavcodec/exr : fix float to uint16 conversion for negative float value
+- avformat/webmdashenc: Validate the 'streams' adaptation sets parameter
+- avformat/webmdashenc: Require the 'adaptation_sets' option to be set
+- lavfi/avfiltergraph: only return EOF in avfilter_graph_request_oldest if all sinks EOFed
+- ffmpeg: check for unconnected outputs
+- avformat/utils: free AVStream.codec properly in free_stream()
+- avcodec/options: do a more thorough clean up in avcodec_copy_context()
+- avcodec/options: factorize avcodec_copy_context() cleanup code
+- ffmpeg: count packets when queued
+- avformat/concatdec: fix the h264 annexb extradata check
+- avcodec/dnxhd_parser: fix parsing interlaced video, simplify code
+- ffmpeg; check return code of avcodec_send_frame when flushing encoders
+- avcodec/g723_1dec: Fix LCG type
+- avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int'
+- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]'
+- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode
+- avcodec/pixlet: Fixes: runtime error: signed integer overflow: 9203954323419769657 + 29897660706736950 cannot be represented in type 'long'
+- avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int'
+- avcodec/rscc: Check pixel_size for overflow
+- avcodec/fmvc: Check nb_blocks
+- avcodec/cllc: Check prefix
+- avcodec/webp: Factor update_canvas_size() out
+- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame()
+- avcodec/snowdec: Check width
+- avcodec/flacdec: Return error code instead of 0 for failures
+- avcodec/opus_silk: Fix integer overflow and out of array read
+- avcodec/aacps: Fix undefined behavior
+- avcodec/pixlet: Fix shift exponent 4294967268 is too large for 32-bit type 'int'
+- doc/general: fix project name after 2b1a6b1ae
+
+
+version 3.3:
 - CrystalHD decoder moved to new decode API
 - add internal ebur128 library, remove external libebur128 dependency
 - Pro-MPEG CoP #3-R2 FEC protocol
@@ -22,6 +265,7 @@ version <next>:
 - threshold filter
 - midequalizer filter
 - Optimal Huffman tables for (M)JPEG encoding
+- VAAPI-accelerated MPEG-2 and VP8 encoding
 - FM Screen Capture Codec decoder
 - native Opus encoder
 - ScreenPressor decoder
@@ -32,6 +276,7 @@ version <next>:
 - Removed the legacy X11 screen grabber, use XCB instead
 - MPEG-7 Video Signature filter
 - Removed asyncts filter (use af_aresample instead)
+- Intel QSV-accelerated VP8 video decoding


 version 3.2:
@@ -119,7 +364,6 @@ version 3.1:
 - libutvideo wrapper removed
 - YUY2 Lossless Codec decoder
 - VideoToolbox H.264 encoder
- VAAPI-accelerated MPEG-2 and VP8 encoding


 version 3.0:
@@ -1 +1 @@
-3.3.git
+3.3.2
@@ -0,0 +1,15 @@
+
+              ┌────────────────────────────────────────┐
+              │ RELEASE NOTES for FFmpeg 3.3 "Hilbert" │
+              └────────────────────────────────────────┘
+
+   The FFmpeg Project proudly presents FFmpeg 3.3 "Hilbert", about 5
+   months after the release of FFmpeg 3.2.
+
+   A complete Changelog is available at the root of the project, and the
+   complete Git history on http://source.ffmpeg.org.
+
+   We hope you will like this release as much as we enjoyed working on it, and
+   as usual, if you have any questions about it, or any FFmpeg related topic,
+   feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask
+   on the mailing-lists.
@@ -1513,6 +1513,7 @@ EXTERNAL_LIBRARY_GPL_LIST="
 "

 EXTERNAL_LIBRARY_NONFREE_LIST="
+    decklink
    libfdk_aac
    openssl
 "
@@ -1536,7 +1537,6 @@ EXTERNAL_LIBRARY_LIST="
    $EXTERNAL_LIBRARY_GPLV3_LIST
    chromaprint
    crystalhd
-    decklink
    gcrypt
    gnutls
    jni
@@ -5067,7 +5067,7 @@ probe_libc(){
        add_${pfx}cppflags -U__STRICT_ANSI__ -D__USE_MINGW_ANSI_STDIO=1
        check_${pfx}cpp_condition _mingw.h "defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0502" ||
            add_${pfx}cppflags -D_WIN32_WINNT=0x0502
-        check_${pfx}cpp_condition _mingw.h "__MSVCRT_VERSION__ < 0x0700__" &&
+        check_${pfx}cpp_condition _mingw.h "__MSVCRT_VERSION__ < 0x0700" &&
            add_${pfx}cppflags -D__MSVCRT_VERSION__=0x0700
        eval test \$${pfx_no_}cc_type = "gcc" &&
            add_${pfx}cppflags -D__printf__=__gnu_printf__
@@ -15,11 +15,11 @@ libavutil:     2015-08-28

 API changes, most recent first:

-2017-03-31 - xxxxxxx - lavu 55.57.100 - spherical.h
+2017-03-31 - 9033e8723c - lavu 55.57.100 - spherical.h
  Add av_spherical_projection_name().
  Add av_spherical_from_name().

-2017-03-30 - xxxxxxx - lavu 55.53.100 / 55.27.0 - hwcontext.h
+2017-03-30 - 4cda23f1f1 - lavu 55.53.100 / 55.27.0 - hwcontext.h
  Add av_hwframe_map() and associated AV_HWFRAME_MAP_* flags.
  Add av_hwframe_ctx_create_derived().

@@ -44,7 +44,7 @@ API changes, most recent first:
  Add AVCodecContext.hwaccel_flags field. This will control some hwaccels at
  a later point.

-2017-03-21 - xxxxxxx - lavf 57.67.100 / 57.08.0 - avio.h
+2017-03-21 - fc9f14c7de - lavf 57.67.100 / 57.08.0 - avio.h
  Add AVIO_SEEKABLE_TIME flag.

 2017-03-21 - d682ae70b4 - lavf 57.66.105, lavc 57.83.101 - avformat.h, avcodec.h
@@ -52,7 +52,7 @@ API changes, most recent first:
  bump, and libavformat will behave as if it were always set.
  Deprecate av_packet_merge_side_data() and av_packet_split_side_data().

-2016-03-20 - xxxxxxx - lavu 55.50.100 / 55.21.0 - imgutils.h
+2016-03-20 - 8200b16a9c - lavu 55.50.100 / 55.21.0 - imgutils.h
  Add av_image_copy_uc_from(), a version of av_image_copy() for copying
  from GPU mapped memory.

@@ -63,7 +63,7 @@ API changes, most recent first:
  Deprecate AVFilterGraph.resample_lavr_opts
  It's never been used by avfilter nor passed to anything.

-2017-02-10 - xxxxxxx - lavu 55.48.100 / 55.33.0 - spherical.h
+2017-02-10 - 1b7ffddb3a - lavu 55.48.100 / 55.33.0 - spherical.h
  Add AV_SPHERICAL_EQUIRECTANGULAR_TILE, av_spherical_tile_bounds(),
  and projection-specific properties (bound_left, bound_top, bound_right,
  bound_bottom, padding) to AVSphericalMapping.
@@ -83,7 +83,7 @@ API changes, most recent first:
 2017-02-11 - e3af49b14b - lavu 55.47.100 - frame.h
  Add AVFrame.opaque_ref.

-2017-01-31 - xxxxxxx - lavu 55.46.100 / 55.20.0 - cpu.h
+2017-01-31 - 2eab48177d - lavu 55.46.100 / 55.20.0 - cpu.h
  Add AV_CPU_FLAG_SSSE3SLOW.

 2017-01-24 - c4618f842a - lavu 55.45.100 - channel_layout.h
@@ -96,20 +96,20 @@ API changes, most recent first:
  Deprecate struct vaapi_context and the vaapi.h installed header.
  Callers should set AVCodecContext.hw_frames_ctx instead.

-2017-01-12 - dbe9dbed31 - lavfi 6.69.100- buffersink.h
+2017-01-12 - dbe9dbed31 - lavfi 6.69.100 - buffersink.h
  Add av_buffersink_get_*() functions.

-2017-01-06 - 9488032e10 - lavf 57.62.100- avio.h
+2017-01-06 - 9488032e10 - lavf 57.62.100 - avio.h
  Add avio_get_dyn_buf()

-2016-12-10 - xxxxxxx - lavu xx.xx.100- imgutils.h
+2016-12-10 - f542b152aa - lavu 55.43.100 - imgutils.h
  Add av_image_check_size2()

-2016-xx-xx - xxxxxxx - lavc 57.67.100 / 57.29.0 - avcodec.h
+2016-12-07 - e7a6f8c972 - lavc 57.67.100 / 57.29.0 - avcodec.h
  Add AV_PKT_DATA_SPHERICAL packet side data to export AVSphericalMapping
  information from containers.

-2016-xx-xx - xxxxxxx - lavu 55.42.100 / 55.30.0 - spherical.h
+2016-12-07 - 8f58ecc344 - lavu 55.42.100 / 55.30.0 - spherical.h
  Add AV_FRAME_DATA_SPHERICAL value, av_spherical_alloc() API and
  AVSphericalMapping type to export and describe spherical video properties.

@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         =
+PROJECT_NUMBER         = 3.3.2

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -131,6 +131,11 @@ designated struct initializers (@samp{struct s x = @{ .i = 17 @};});

@item
 compound literals (@samp{x = (struct s) @{ 17, 23 @};}).
+
+@item
+Implementation defined behavior for signed integers is assumed to match the
+expected behavior for two's complement. Non representable values in integer
+casts are binary truncated. Shift right of signed values uses sign extension.
@end itemize

 These features are supported by all compilers we care about, so we will not
@@ -64,7 +64,7 @@ static int decode_write_frame(const char *outfilename, AVCodecContext *avctx,
        fflush(stdout);

        /* the picture is allocated by the decoder, no need to free it */
-        snprintf(buf, sizeof(buf), outfilename, *frame_count);
+        snprintf(buf, sizeof(buf), "%s-%d", outfilename, *frame_count);
        pgm_save(frame->data[0], frame->linesize[0],
                 frame->width, frame->height, buf);
        (*frame_count)++;
@@ -12077,7 +12077,7 @@ uses the reference video instead of the main input as basis.

@itemize
@item
-Scale a subtitle stream to match the main video in size before overlaying
+Scale a subtitle stream (b) to match the main video (a) in size before overlaying
@example
 'scale2ref[b][a];[a][b]overlay'
@end example
@@ -188,7 +188,7 @@ For Linux and OS X, the supported AviSynth variant is

@float NOTE
 There is currently a regression in AviSynth+'s @code{capi.h} header as of
-October 2016, which interferes with the ability for builds of Libav to use
+October 2016, which interferes with the ability for builds of FFmpeg to use
 MSVC-built binaries of AviSynth. Until this is resolved, you can make sure
 a known good version is installed by checking out a version from before
 the regression occurred:
@@ -30,6 +30,7 @@
 #include <stdlib.h>
 #include <errno.h>
 #include <limits.h>
+#include <stdatomic.h>
 #include <stdint.h>

 #if HAVE_IO_H
@@ -319,7 +320,7 @@ void term_exit(void)

 static volatile int received_sigterm = 0;
 static volatile int received_nb_signals = 0;
-static volatile int transcode_init_done = 0;
+static atomic_int transcode_init_done = ATOMIC_VAR_INIT(0);
 static volatile int ffmpeg_exited = 0;
 static int main_return_code = 0;

@@ -457,7 +458,7 @@ static int read_key(void)

 static int decode_interrupt_cb(void *ctx)
 {
-    return received_nb_signals > transcode_init_done;
+    return received_nb_signals > atomic_load(&transcode_init_done);
 }

 const AVIOInterruptCB int_cb = { decode_interrupt_cb, NULL };
@@ -612,7 +613,7 @@ static void ffmpeg_cleanup(int ret)
    if (received_sigterm) {
        av_log(NULL, AV_LOG_INFO, "Exiting normally, received signal %d.\n",
               (int) received_sigterm);
-    } else if (ret && transcode_init_done) {
+    } else if (ret && atomic_load(&transcode_init_done)) {
        av_log(NULL, AV_LOG_INFO, "Conversion failed!\n");
    }
    term_exit();
@@ -668,12 +669,28 @@ static void close_all_output_streams(OutputStream *ost, OSTFinished this_stream,
    }
 }

-static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost)
+static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost, int unqueue)
 {
    AVFormatContext *s = of->ctx;
    AVStream *st = ost->st;
    int ret;

+    /*
+     * Audio encoders may split the packets --  #frames in != #packets out.
+     * But there is no reordering, so we can limit the number of output packets
+     * by simply dropping them here.
+     * Counting encoded video frames needs to be done separately because of
+     * reordering, see do_video_out().
+     * Do not count the packet when unqueued because it has been counted when queued.
+     */
+    if (!(st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && ost->encoding_needed) && !unqueue) {
+        if (ost->frame_number >= ost->max_frames) {
+            av_packet_unref(pkt);
+            return;
+        }
+        ost->frame_number++;
+    }
+
    if (!of->header_written) {
        AVPacket tmp_pkt = {0};
        /* the muxer is not initialized yet, buffer the packet */
@@ -702,20 +719,6 @@ static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost)
        (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO && audio_sync_method < 0))
        pkt->pts = pkt->dts = AV_NOPTS_VALUE;

-    /*
-     * Audio encoders may split the packets --  #frames in != #packets out.
-     * But there is no reordering, so we can limit the number of output packets
-     * by simply dropping them here.
-     * Counting encoded video frames needs to be done separately because of
-     * reordering, see do_video_out()
-     */
-    if (!(st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && ost->encoding_needed)) {
-        if (ost->frame_number >= ost->max_frames) {
-            av_packet_unref(pkt);
-            return;
-        }
-        ost->frame_number++;
-    }
    if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) {
        int i;
        uint8_t *sd = av_packet_get_side_data(pkt, AV_PKT_DATA_QUALITY_STATS,
@@ -860,10 +863,10 @@ static void output_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost)
                    goto finish;
                idx++;
            } else
-                write_packet(of, pkt, ost);
+                write_packet(of, pkt, ost, 0);
        }
    } else
-        write_packet(of, pkt, ost);
+        write_packet(of, pkt, ost, 0);

 finish:
    if (ret < 0 && ret != AVERROR_EOF) {
@@ -1903,8 +1906,6 @@ static void flush_encoders(void)
        if (enc->codec_type != AVMEDIA_TYPE_VIDEO && enc->codec_type != AVMEDIA_TYPE_AUDIO)
            continue;

-        avcodec_send_frame(enc, NULL);
-
        for (;;) {
            const char *desc = NULL;
            AVPacket pkt;
@@ -1926,7 +1927,17 @@ static void flush_encoders(void)
                pkt.size = 0;

                update_benchmark(NULL);
-                ret = avcodec_receive_packet(enc, &pkt);
+
+                while ((ret = avcodec_receive_packet(enc, &pkt)) == AVERROR(EAGAIN)) {
+                    ret = avcodec_send_frame(enc, NULL);
+                    if (ret < 0) {
+                        av_log(NULL, AV_LOG_FATAL, "%s encoding failed: %s\n",
+                               desc,
+                               av_err2str(ret));
+                        exit_program(1);
+                    }
+                }
+
                update_benchmark("flush_%s %d.%d", desc, ost->file_index, ost->index);
                if (ret < 0 && ret != AVERROR_EOF) {
                    av_log(NULL, AV_LOG_FATAL, "%s encoding failed: %s\n",
@@ -2962,7 +2973,7 @@ static int check_init_output_file(OutputFile *of, int file_index)
        while (av_fifo_size(ost->muxing_queue)) {
            AVPacket pkt;
            av_fifo_generic_read(ost->muxing_queue, &pkt, sizeof(pkt), NULL);
-            write_packet(of, &pkt, ost);
+            write_packet(of, &pkt, ost, 1);
        }
    }

@@ -3758,7 +3769,7 @@ static int transcode_init(void)
        return ret;
    }

-    transcode_init_done = 1;
+    atomic_store(&transcode_init_done, 1);

    return 0;
 }
@@ -638,6 +638,7 @@ void choose_sample_fmt(AVStream *st, AVCodec *codec);

 int configure_filtergraph(FilterGraph *fg);
 int configure_output_filter(FilterGraph *fg, OutputFilter *ofilter, AVFilterInOut *out);
+void check_filter_outputs(void);
 int ist_in_filtergraph(FilterGraph *fg, InputStream *ist);
 int filtergraph_is_simple(FilterGraph *fg);
 int init_simple_filtergraph(InputStream *ist, OutputStream *ost);
@@ -678,6 +678,21 @@ int configure_output_filter(FilterGraph *fg, OutputFilter *ofilter, AVFilterInOu
    }
 }

+void check_filter_outputs(void)
+{
+    int i;
+    for (i = 0; i < nb_filtergraphs; i++) {
+        int n;
+        for (n = 0; n < filtergraphs[i]->nb_outputs; n++) {
+            OutputFilter *output = filtergraphs[i]->outputs[n];
+            if (!output->ost) {
+                av_log(NULL, AV_LOG_FATAL, "Filter %s has an unconnected output\n", output->name);
+                exit_program(1);
+            }
+        }
+    }
+}
+
 static int sub2video_prepare(InputStream *ist, InputFilter *ifilter)
 {
    AVFormatContext *avf = input_files[ist->file_index]->ctx;
@@ -3260,6 +3260,8 @@ int ffmpeg_parse_options(int argc, char **argv)
        goto fail;
    }

+    check_filter_outputs();
+
 fail:
    uninit_parse_context(&octx);
    if (ret < 0) {
@@ -3442,8 +3442,6 @@ int main(int argc, char **argv)
        goto end;
    }
 #endif
-    av_log_set_callback(log_callback);
-
    av_log_set_flags(AV_LOG_SKIP_REPEATED);
    register_exit(ffprobe_cleanup);

@@ -3459,6 +3457,9 @@ int main(int argc, char **argv)
    show_banner(argc, argv, options);
    parse_options(NULL, argc, argv, options, opt_input_file);

+    if (do_show_log)
+        av_log_set_callback(log_callback);
+
    /* mark things to show, based on -show_entries */
    SET_DO_SHOW(CHAPTERS, chapters);
    SET_DO_SHOW(ERROR, error);
@@ -973,7 +973,8 @@ OBJS-$(CONFIG_AAC_ADTSTOASC_BSF)          += aac_adtstoasc_bsf.o aacadtsdec.o \
 OBJS-$(CONFIG_CHOMP_BSF)                  += chomp_bsf.o
 OBJS-$(CONFIG_DUMP_EXTRADATA_BSF)         += dump_extradata_bsf.o
 OBJS-$(CONFIG_DCA_CORE_BSF)               += dca_core_bsf.o
-OBJS-$(CONFIG_EXTRACT_EXTRADATA_BSF)      += extract_extradata_bsf.o
+OBJS-$(CONFIG_EXTRACT_EXTRADATA_BSF)      += extract_extradata_bsf.o    \
+                                             h2645_parse.o
 OBJS-$(CONFIG_H264_MP4TOANNEXB_BSF)       += h264_mp4toannexb_bsf.o
 OBJS-$(CONFIG_HEVC_MP4TOANNEXB_BSF)       += hevc_mp4toannexb_bsf.o
 OBJS-$(CONFIG_IMX_DUMP_HEADER_BSF)        += imx_dump_header_bsf.o
@@ -49,14 +49,14 @@ static int aac_adtstoasc_filter(AVBSFContext *bsfc, AVPacket *out)
    if (ret < 0)
        return ret;

+    if (bsfc->par_in->extradata && in->size >= 2 && (AV_RB16(in->data) >> 4) != 0xfff)
+        goto finish;
+
    if (in->size < AAC_ADTS_HEADER_SIZE)
        goto packet_too_small;

    init_get_bits(&gb, in->data, AAC_ADTS_HEADER_SIZE * 8);

-    if (bsfc->par_in->extradata && show_bits(&gb, 12) != 0xfff)
-        goto finish;
-
    if (avpriv_aac_parse_header(&gb, &hdr) < 0) {
        av_log(bsfc, AV_LOG_ERROR, "Error parsing ADTS frame header!\n");
        ret = AVERROR_INVALIDDATA;
@@ -45,7 +45,7 @@ typedef int                 AAC_SIGNE;
 #define Q30(x)              (int)((x)*1073741824.0 + 0.5)
 #define Q31(x)              (int)((x)*2147483648.0 + 0.5)
 #define RANGE15(x)          x
-#define GET_GAIN(x, y)      (-(y) << (x)) + 1024
+#define GET_GAIN(x, y)      (-(y) * (1 << (x))) + 1024
 #define AAC_MUL16(x, y)     (int)(((int64_t)(x) * (y) + 0x8000) >> 16)
 #define AAC_MUL26(x, y)     (int)(((int64_t)(x) * (y) + 0x2000000) >> 26)
 #define AAC_MUL30(x, y)     (int)(((int64_t)(x) * (y) + 0x20000000) >> 30)
@@ -72,7 +72,7 @@ typedef int                 AAC_SIGNE;
 #define AAC_MSUB31_V3(x, y, z)    (int)((((int64_t)(x) * (z)) - \
                                      ((int64_t)(y) * (z)) + \
                                        0x40000000) >> 31)
-#define AAC_HALF_SUM(x, y)  (x) >> 1 + (y) >> 1
+#define AAC_HALF_SUM(x, y)  (((x) >> 1) + ((y) >> 1))
 #define AAC_SRA_R(x, y)     (int)(((x) + (1 << ((y) - 1))) >> (y))

 #else
@@ -431,6 +431,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb)
    if (ctx->frame_length_type == 0) {
        int mux_slot_length = 0;
        do {
+            if (get_bits_left(gb) < 8)
+                return AVERROR_INVALIDDATA;
            tmp = get_bits(gb, 8);
            mux_slot_length += tmp;
        } while (tmp == 255);
@@ -460,7 +462,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx,
    }
    if (latmctx->audio_mux_version_A == 0) {
        int mux_slot_length_bytes = read_payload_length_info(latmctx, gb);
-        if (mux_slot_length_bytes * 8 > get_bits_left(gb)) {
+        if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) {
            av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n");
            return AVERROR_INVALIDDATA;
        } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) {
@@ -125,7 +125,7 @@ static inline int *DEC_SQUAD(int *dst, unsigned idx)
 static inline int *DEC_UPAIR(int *dst, unsigned idx, unsigned sign)
 {
    dst[0] = (idx & 15) * (1 - (sign & 0xFFFFFFFE));
-    dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) << 1));
+    dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) * 2));

    return dst + 2;
 }
@@ -134,16 +134,16 @@ static inline int *DEC_UQUAD(int *dst, unsigned idx, unsigned sign)
 {
    unsigned nz = idx >> 12;

-    dst[0] = (idx & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[0] = (idx & 3) * (1 + (((int)sign >> 31) * 2));
    sign <<= nz & 1;
    nz >>= 1;
-    dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) * 2));
    sign <<= nz & 1;
    nz >>= 1;
-    dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) * 2));
    sign <<= nz & 1;
    nz >>= 1;
-    dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) * 2));

    return dst + 4;
 }
@@ -171,7 +171,11 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len)

    s = offset - (s >> 2);

-    if (s > 0) {
+    if (s > 31) {
+        for (i=0; i<len; i++) {
+            dst[i] = 0;
+        }
+    } else if (s > 0) {
        round = 1 << (s-1);
        for (i=0; i<len; i++) {
            out = (int)(((int64_t)src[i] * c) >> 32);
@@ -183,7 +187,7 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len)
        round = 1 << (s-1);
        for (i=0; i<len; i++) {
            out = (int)((int64_t)((int64_t)src[i] * c + round) >> s);
-            dst[i] = out * ssign;
+            dst[i] = out * (unsigned)ssign;
        }
    }
 }
@@ -203,8 +207,12 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len)
    c /= band_energy;
    s = 21 + nlz - (s >> 2);

-    if (s > 0) {
-        round = 1 << (s-1);
+    if (s > 31) {
+        for (i=0; i<len; i++) {
+            coefs[i] = 0;
+        }
+    } else if (s >= 0) {
+        round = s ? 1 << (s-1) : 0;
        for (i=0; i<len; i++) {
            out = (int)(((int64_t)coefs[i] * c) >> 32);
            coefs[i] = ((int)(out+round) >> s) * ssign;
@@ -362,7 +370,9 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
                    shift = (gain-1024) >> 3;
                }

-                if (shift < 0) {
+                if (shift < -31) {
+                    // Nothing to do
+                } else if (shift < 0) {
                    shift = -shift;
                    round = 1 << (shift - 1);

@@ -406,11 +406,15 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags)
 /**
 * Save current output configuration if and only if it has been locked.
 */
-static void push_output_configuration(AACContext *ac) {
+static int push_output_configuration(AACContext *ac) {
+    int pushed = 0;
+
    if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) {
        ac->oc[0] = ac->oc[1];
+        pushed = 1;
    }
    ac->oc[1].status = OC_NONE;
+    return pushed;
 }

 /**
@@ -2177,7 +2181,11 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che)
    coup->coupling_point += get_bits1(gb) || (coup->coupling_point >> 1);

    sign  = get_bits(gb, 1);
-    scale = AAC_RENAME(cce_scale)[get_bits(gb, 2)];
+#if USE_FIXED
+    scale = get_bits(gb, 2);
+#else
+    scale = cce_scale[get_bits(gb, 2)];
+#endif

    if ((ret = decode_ics(ac, sce, gb, 0, 0)))
        return ret;
@@ -3026,7 +3034,13 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
        case TYPE_PCE: {
            uint8_t layout_map[MAX_ELEM_ID*4][3];
            int tags;
-            push_output_configuration(ac);
+
+            int pushed = push_output_configuration(ac);
+            if (pce_found && !pushed) {
+                err = AVERROR_INVALIDDATA;
+                goto fail;
+            }
+
            tags = decode_pce(avctx, &ac->oc[1].m4ac, layout_map, gb,
                              payload_alignment);
            if (tags < 0) {
@@ -74,8 +74,8 @@ void ff_aac_ltp_insert_new_frame(AACEncContext *s)

 static void get_lag(float *buf, const float *new, LongTermPrediction *ltp)
 {
-    int i, j, lag, max_corr = 0;
-    float max_ratio;
+    int i, j, lag = 0, max_corr = 0;
+    float max_ratio = 0.0f;
    for (i = 0; i < 2048; i++) {
        float corr, s0 = 0.0f, s1 = 0.0f;
        const int start = FFMAX(0, i - 1024);
@@ -942,7 +942,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r)
            int stop  = ps->border_position[e+1];
            INTFLOAT width = Q30(1.f) / ((stop - start) ? (stop - start) : 1);
 #if USE_FIXED
-            width <<= 1;
+            width = FFMIN(2U*width, INT_MAX);
 #endif
            b = k_to_i[k];
            h[0][0] = H11[0][e][b];
@@ -975,7 +975,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r)
                h_step[1][3] = AAC_MSUB31_V3(H22[1][e+1][b], h[1][3], width);
            }
            ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd](
-                l[k] + start + 1, r[k] + start + 1,
+                l[k] + 1 + start, r[k] + 1 + start,
                h, h_step, stop - start);
        }
    }
@@ -288,6 +288,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
        shift = a00.exp;
        if (shift >= 3)
            alpha0[k][0] = 0x7fffffff;
+        else if (shift <= -30)
+            alpha0[k][0] = 0;
        else {
            a00.mant <<= 1;
            shift = 2-shift;
@@ -302,6 +304,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
        shift = a01.exp;
        if (shift >= 3)
            alpha0[k][1] = 0x7fffffff;
+        else if (shift <= -30)
+            alpha0[k][1] = 0;
        else {
            a01.mant <<= 1;
            shift = 2-shift;
@@ -315,6 +319,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
        shift = a10.exp;
        if (shift >= 3)
            alpha1[k][0] = 0x7fffffff;
+        else if (shift <= -30)
+            alpha1[k][0] = 0;
        else {
            a10.mant <<= 1;
            shift = 2-shift;
@@ -329,6 +335,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
        shift = a11.exp;
        if (shift >= 3)
            alpha1[k][1] = 0x7fffffff;
+        else if (shift <= -30)
+            alpha1[k][1] = 0;
        else {
            a11.mant <<= 1;
            shift = 2-shift;
@@ -567,20 +575,25 @@ static void sbr_hf_assemble(int Y1[38][64][2],

                SoftFloat *in  = sbr->s_m[e];
                for (m = 0; m+1 < m_max; m+=2) {
-                  shift = 22 - in[m  ].exp;
-                  round = 1 << (shift-1);
-                  out[2*m  ] += (in[m  ].mant * A + round) >> shift;
+                    shift = 22 - in[m  ].exp;
+                    if (shift < 32) {
+                        round = 1 << (shift-1);
+                        out[2*m  ] += (in[m  ].mant * A + round) >> shift;
+                    }

-                  shift = 22 - in[m+1].exp;
-                  round = 1 << (shift-1);
-                  out[2*m+2] += (in[m+1].mant * B + round) >> shift;
+                    shift = 22 - in[m+1].exp;
+                    if (shift < 32) {
+                        round = 1 << (shift-1);
+                        out[2*m+2] += (in[m+1].mant * B + round) >> shift;
+                    }
                }
                if(m_max&1)
                {
-                  shift = 22 - in[m  ].exp;
-                  round = 1 << (shift-1);
-
-                  out[2*m  ] += (in[m  ].mant * A + round) >> shift;
+                    shift = 22 - in[m  ].exp;
+                    if (shift < 32) {
+                        round = 1 << (shift-1);
+                        out[2*m  ] += (in[m  ].mant * A + round) >> shift;
+                    }
                }
            }
            indexnoise = (indexnoise + m_max) & 0x1ff;
@@ -624,24 +624,26 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
    int abs_bord_trail = 16;
    int num_rel_lead, num_rel_trail;
    unsigned bs_num_env_old = ch_data->bs_num_env;
+    int bs_frame_class, bs_num_env;

    ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env];
    ch_data->bs_amp_res = sbr->bs_amp_res_header;
    ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old];

-    switch (ch_data->bs_frame_class = get_bits(gb, 2)) {
+    switch (bs_frame_class = get_bits(gb, 2)) {
    case FIXFIX:
-        ch_data->bs_num_env                 = 1 << get_bits(gb, 2);
+        bs_num_env = 1 << get_bits(gb, 2);
+        if (bs_num_env > 4) {
+            av_log(ac->avctx, AV_LOG_ERROR,
+                   "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n",
+                   bs_num_env);
+            return -1;
+        }
+        ch_data->bs_num_env = bs_num_env;
        num_rel_lead                        = ch_data->bs_num_env - 1;
        if (ch_data->bs_num_env == 1)
            ch_data->bs_amp_res = 0;

-        if (ch_data->bs_num_env > 4) {
-            av_log(ac->avctx, AV_LOG_ERROR,
-                   "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n",
-                   ch_data->bs_num_env);
-            return -1;
-        }

        ch_data->t_env[0]                   = 0;
        ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail;
@@ -689,14 +691,15 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
        abs_bord_trail                     += get_bits(gb, 2);
        num_rel_lead                        = get_bits(gb, 2);
        num_rel_trail                       = get_bits(gb, 2);
-        ch_data->bs_num_env                 = num_rel_lead + num_rel_trail + 1;
+        bs_num_env                          = num_rel_lead + num_rel_trail + 1;

-        if (ch_data->bs_num_env > 5) {
+        if (bs_num_env > 5) {
            av_log(ac->avctx, AV_LOG_ERROR,
                   "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n",
-                   ch_data->bs_num_env);
+                   bs_num_env);
            return -1;
        }
+        ch_data->bs_num_env = bs_num_env;

        ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail;

@@ -711,6 +714,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
        get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env);
        break;
    }
+    ch_data->bs_frame_class = bs_frame_class;

    av_assert0(bs_pointer >= 0);
    if (bs_pointer > ch_data->bs_num_env + 1) {
@@ -61,37 +61,37 @@ endconst
        br              x10
 .endm

-.macro smull1 a b c
+.macro smull1 a, b, c
        smull           \a, \b, \c
 .endm

-.macro smlal1 a b c
+.macro smlal1 a, b, c
        smlal           \a, \b, \c
 .endm

-.macro smlsl1 a b c
+.macro smlsl1 a, b, c
        smlsl           \a, \b, \c
 .endm

-.macro idct_col4_top y1 y2 y3 y4 i l
-        smull\i         v7.4S,  \y3\().\l, z2
-        smull\i         v16.4S, \y3\().\l, z6
-        smull\i         v17.4S, \y2\().\l, z1
+.macro idct_col4_top y1, y2, y3, y4, i, l
+        smull\i         v7.4S,  \y3\l, z1
+        smull\i         v16.4S, \y3\l, z6
+        smull\i         v17.4S, \y2\l, z1
        add             v19.4S, v23.4S, v7.4S
-        smull\i         v18.4S, \y2\().\l, z3
+        smull\i         v18.4S, \y2\l, z3
        add             v20.4S, v23.4S, v16.4S
-        smull\i         v5.4S,  \y2\().\l, z5
+        smull\i         v5.4S,  \y2\l, z5
        sub             v21.4S, v23.4S, v16.4S
-        smull\i         v6.4S,  \y2\().\l, z7
+        smull\i         v6.4S,  \y2\l, z7
        sub             v22.4S, v23.4S, v7.4S

-        smlal\i         v17.4S, \y4\().\l, z3
-        smlsl\i         v18.4S, \y4\().\l, z7
-        smlsl\i         v5.4S,  \y4\().\l, z1
-        smlsl\i         v6.4S,  \y4\().\l, z5
+        smlal\i         v17.4S, \y4\l, z3
+        smlsl\i         v18.4S, \y4\l, z7
+        smlsl\i         v5.4S,  \y4\l, z1
+        smlsl\i         v6.4S,  \y4\l, z5
 .endm

-.macro idct_row4_neon y1 y2 y3 y4 pass
+.macro idct_row4_neon y1, y2, y3, y4, pass
        ld1             {\y1\().2D-\y2\().2D}, [x2], #32
        movi            v23.4S, #1<<2, lsl #8
        orr             v5.16B, \y1\().16B, \y2\().16B
@@ -101,7 +101,7 @@ endconst
        mov             x3, v5.D[1]
        smlal           v23.4S, \y1\().4H, z4

-        idct_col4_top   \y1 \y2 \y3 \y4 1 4H
+        idct_col4_top   \y1, \y2, \y3, \y4, 1, .4H

        cmp             x3, #0
        beq             \pass\()f
@@ -153,7 +153,7 @@ endconst
        trn2            \y4\().4S, v17.4S, v19.4S
 .endm

-.macro declare_idct_col4_neon i l
+.macro declare_idct_col4_neon i, l
 function idct_col4_neon\i
        dup             v23.4H, z4c
 .if \i == 1
@@ -164,14 +164,14 @@ function idct_col4_neon\i
 .endif
        smull           v23.4S, v23.4H, z4

-        idct_col4_top   v24 v25 v26 v27 \i \l
+        idct_col4_top   v24, v25, v26, v27, \i, \l

        mov             x4, v28.D[\i - 1]
        mov             x5, v29.D[\i - 1]
        cmp             x4, #0
        beq             1f

-        smull\i         v7.4S,  v28.\l, z4
+        smull\i         v7.4S,  v28\l,  z4
        add             v19.4S, v19.4S, v7.4S
        sub             v20.4S, v20.4S, v7.4S
        sub             v21.4S, v21.4S, v7.4S
@@ -181,17 +181,17 @@ function idct_col4_neon\i
        cmp             x5, #0
        beq             2f

-        smlal\i         v17.4S, v29.\l, z5
-        smlsl\i         v18.4S, v29.\l, z1
-        smlal\i         v5.4S,  v29.\l, z7
-        smlal\i         v6.4S,  v29.\l, z3
+        smlal\i         v17.4S, v29\l, z5
+        smlsl\i         v18.4S, v29\l, z1
+        smlal\i         v5.4S,  v29\l, z7
+        smlal\i         v6.4S,  v29\l, z3

 2:      mov             x5, v31.D[\i - 1]
        cmp             x4, #0
        beq             3f

-        smull\i         v7.4S,  v30.\l, z6
-        smull\i         v16.4S, v30.\l, z2
+        smull\i         v7.4S,  v30\l, z6
+        smull\i         v16.4S, v30\l, z2
        add             v19.4S, v19.4S, v7.4S
        sub             v22.4S, v22.4S, v7.4S
        sub             v20.4S, v20.4S, v16.4S
@@ -200,10 +200,10 @@ function idct_col4_neon\i
 3:      cmp             x5, #0
        beq             4f

-        smlal\i         v17.4S, v31.\l, z7
-        smlsl\i         v18.4S, v31.\l, z5
-        smlal\i         v5.4S,  v31.\l, z3
-        smlsl\i         v6.4S,  v31.\l, z1
+        smlal\i         v17.4S, v31\l, z7
+        smlsl\i         v18.4S, v31\l, z5
+        smlal\i         v5.4S,  v31\l, z3
+        smlsl\i         v6.4S,  v31\l, z1

 4:      addhn           v7.4H, v19.4S, v17.4S
        addhn2          v7.8H, v20.4S, v18.4S
@@ -219,14 +219,14 @@ function idct_col4_neon\i
 endfunc
 .endm

-declare_idct_col4_neon 1 4H
-declare_idct_col4_neon 2 8H
+declare_idct_col4_neon 1, .4H
+declare_idct_col4_neon 2, .8H

 function ff_simple_idct_put_neon, export=1
        idct_start      x2

-        idct_row4_neon  v24 v25 v26 v27 1
-        idct_row4_neon  v28 v29 v30 v31 2
+        idct_row4_neon  v24, v25, v26, v27, 1
+        idct_row4_neon  v28, v29, v30, v31, 2
        bl              idct_col4_neon1

        sqshrun         v1.8B,  v7.8H, #COL_SHIFT-16
@@ -263,8 +263,8 @@ endfunc
 function ff_simple_idct_add_neon, export=1
        idct_start      x2

-        idct_row4_neon  v24 v25 v26 v27 1
-        idct_row4_neon  v28 v29 v30 v31 2
+        idct_row4_neon  v24, v25, v26, v27, 1
+        idct_row4_neon  v28, v29, v30, v31, 2
        bl              idct_col4_neon1

        sshr            v1.8H, V7.8H, #COL_SHIFT-16
@@ -328,8 +328,8 @@ function ff_simple_idct_neon, export=1
        idct_start      x0

        mov             x2,  x0
-        idct_row4_neon  v24 v25 v26 v27 1
-        idct_row4_neon  v28 v29 v30 v31 2
+        idct_row4_neon  v24, v25, v26, v27, 1
+        idct_row4_neon  v28, v29, v30, v31, 2
        add             x2, x2, #-128
        bl              idct_col4_neon1

@@ -761,30 +761,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s)
 * @param[in] default_band_struct default band structure table
 * @param[out] num_bands number of bands (optionally NULL)
 * @param[out] band_sizes array containing the number of bins in each band (optionally NULL)
+ * @param[in,out] band_struct current band structure
 */
 static void decode_band_structure(GetBitContext *gbc, int blk, int eac3,
                                  int ecpl, int start_subband, int end_subband,
                                  const uint8_t *default_band_struct,
-                                  int *num_bands, uint8_t *band_sizes)
+                                  int *num_bands, uint8_t *band_sizes,
+                                  uint8_t *band_struct, int band_struct_size)
 {
    int subbnd, bnd, n_subbands, n_bands=0;
    uint8_t bnd_sz[22];
-    uint8_t coded_band_struct[22];
-    const uint8_t *band_struct;

    n_subbands = end_subband - start_subband;

+    if (!blk)
+        memcpy(band_struct, default_band_struct, band_struct_size);
+
+    av_assert0(band_struct_size >= start_subband + n_subbands);
+
+    band_struct += start_subband + 1;
+
    /* decode band structure from bitstream or use default */
    if (!eac3 || get_bits1(gbc)) {
        for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) {
-            coded_band_struct[subbnd] = get_bits1(gbc);
+            band_struct[subbnd] = get_bits1(gbc);
        }
-        band_struct = coded_band_struct;
-    } else if (!blk) {
-        band_struct = &default_band_struct[start_subband+1];
-    } else {
-        /* no change in band structure */
-        return;
    }

    /* calculate number of bands and band sizes based on band structure.
@@ -863,7 +864,8 @@ static inline int spx_strategy(AC3DecodeContext *s, int blk)
                          start_subband, end_subband,
                          ff_eac3_default_spx_band_struct,
                          &s->num_spx_bands,
-                          s->spx_band_sizes);
+                          s->spx_band_sizes,
+                          s->spx_band_struct, sizeof(s->spx_band_struct));
    return 0;
 }

@@ -1000,7 +1002,8 @@ static inline int coupling_strategy(AC3DecodeContext *s, int blk,
        decode_band_structure(bc, blk, s->eac3, 0, cpl_start_subband,
                              cpl_end_subband,
                              ff_eac3_default_cpl_band_struct,
-                              &s->num_cpl_bands, s->cpl_band_sizes);
+                              &s->num_cpl_bands, s->cpl_band_sizes,
+                              s->cpl_band_struct, sizeof(s->cpl_band_struct));
    } else {
        /* coupling not in use */
        for (ch = 1; ch <= fbw_channels; ch++) {
@@ -1386,7 +1389,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
    for (ch = 1; ch <= s->channels; ch++) {
        int audio_channel = 0;
        INTFLOAT gain;
-        if (s->channel_mode == AC3_CHMODE_DUALMONO)
+        if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2)
            audio_channel = 2-ch;
        if (s->heavy_compression && s->compression_exists[audio_channel])
            gain = s->heavy_dynamic_range[audio_channel];
@@ -128,6 +128,7 @@ typedef struct AC3DecodeContext {
    int phase_flags_in_use;                 ///< phase flags in use                     (phsflginu)
    int phase_flags[AC3_MAX_CPL_BANDS];     ///< phase flags                            (phsflg)
    int num_cpl_bands;                      ///< number of coupling bands               (ncplbnd)
+    uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS];
    uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band
    int firstchincpl;                       ///< first channel in coupling
    int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states      (firstcplcos)
@@ -144,6 +145,7 @@ typedef struct AC3DecodeContext {
    int spx_dst_start_freq;                     ///< spx starting frequency bin for copying (copystartmant)
                                                ///< the copy region ends at the start of the spx region.
    int num_spx_bands;                          ///< number of spx bands                    (nspxbnds)
+    uint8_t spx_band_struct[SPX_MAX_BANDS];
    uint8_t spx_band_sizes[SPX_MAX_BANDS];      ///< number of bins in each spx band
    uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states           (firstspxcos)
    INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor  (nblendfact)
@@ -69,7 +69,7 @@ static void scale_coefs (
    int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7;

    mul = (dynrng & 0x1f) + 0x20;
-    shift = 4 - ((dynrng << 23) >> 28);
+    shift = 4 - (sign_extend(dynrng, 9) >> 5);
    if (shift > 0 ) {
      round = 1 << (shift-1);
      for (i=0; i<len; i+=8) {
@@ -135,7 +135,7 @@ float ff_amr_set_fixed_gain(float fixed_gain_factor, float fixed_mean_energy,
        ff_exp10(0.05 *
              (avpriv_scalarproduct_float_c(pred_table, prediction_error, 4) +
               energy_mean)) /
-        sqrtf(fixed_mean_energy);
+        sqrtf(fixed_mean_energy ? fixed_mean_energy : 1.0);

    // update quantified prediction error energy history
    memmove(&prediction_error[0], &prediction_error[1],
@@ -80,10 +80,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
    AnsiContext *s = avctx->priv_data;
    avctx->pix_fmt = AV_PIX_FMT_PAL8;

-    s->frame = av_frame_alloc();
-    if (!s->frame)
-        return AVERROR(ENOMEM);
-
    /* defaults */
    s->font        = avpriv_vga16_font;
    s->font_height = 16;
@@ -98,6 +94,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
        av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height);
        return AVERROR(EINVAL);
    }
+
+    s->frame = av_frame_alloc();
+    if (!s->frame)
+        return AVERROR(ENOMEM);
+
    return 0;
 }

@@ -1583,6 +1583,16 @@ enum AVPacketSideDataType {
     * to the AVSphericalMapping structure.
     */
    AV_PKT_DATA_SPHERICAL,
+
+    /**
+     * The number of side data elements (in fact a bit more than it).
+     * This is not part of the public API/ABI in the sense that it may
+     * change when new side data types are added.
+     * This must stay the last enum value.
+     * If its value becomes huge, some code using it
+     * needs to be updated as it assumes it to be smaller than other limits.
+     */
+    AV_PKT_DATA_NB
 };

 #define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED
@@ -296,9 +296,20 @@ int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type,
                            uint8_t *data, size_t size)
 {
    AVPacketSideData *tmp;
-    int elems = pkt->side_data_elems;
+    int i, elems = pkt->side_data_elems;

-    if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data))
+    for (i = 0; i < elems; i++) {
+        AVPacketSideData *sd = &pkt->side_data[i];
+
+        if (sd->type == type) {
+            av_free(sd->data);
+            sd->data = data;
+            sd->size = size;
+            return 0;
+        }
+    }
+
+    if ((unsigned)elems + 1 > AV_PKT_DATA_NB)
        return AVERROR(ERANGE);

    tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp));
@@ -436,6 +447,9 @@ int av_packet_split_side_data(AVPacket *pkt){
            p-= size+5;
        }

+        if (i > AV_PKT_DATA_NB)
+            return AVERROR(ERANGE);
+
        pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data));
        if (!pkt->side_data)
            return AVERROR(ENOMEM);
@@ -133,8 +133,11 @@ static int bmp_decode_frame(AVCodecContext *avctx,
        alpha = bytestream_get_le32(&buf);
    }

-    avctx->width  = width;
-    avctx->height = height > 0 ? height : -(unsigned)height;
+    ret = ff_set_dimensions(avctx, width, height > 0 ? height : -(unsigned)height);
+    if (ret < 0) {
+        av_log(avctx, AV_LOG_ERROR, "Failed to set dimensions %d %d\n", width, height);
+        return AVERROR_INVALIDDATA;
+    }

    avctx->pix_fmt = AV_PIX_FMT_NONE;

@@ -107,7 +107,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
                    if (src < source || src >= source_end)
                        return AVERROR_INVALIDDATA;
                    shift += 2;
-                    val |= *src << shift;
+                    val |= (unsigned)*src << shift;
                    if (*src & 0xC)
                        break;
                }
@@ -537,8 +537,7 @@ void ff_cavs_inter(AVSContext *h, enum cavs_mb mb_type)
 static inline void scale_mv(AVSContext *h, int *d_x, int *d_y,
                            cavs_vector *src, int distp)
 {
-    int den = h->scale_den[FFMAX(src->ref, 0)];
-
+    int64_t den = h->scale_den[FFMAX(src->ref, 0)];
    *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9;
    *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9;
 }
@@ -613,8 +612,15 @@ void ff_cavs_mv(AVSContext *h, enum cavs_mv_loc nP, enum cavs_mv_loc nC,
        mv_pred_median(h, mvP, mvA, mvB, mvC);

    if (mode < MV_PRED_PSKIP) {
-        mvP->x += get_se_golomb(&h->gb);
-        mvP->y += get_se_golomb(&h->gb);
+        int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x;
+        int my = get_se_golomb(&h->gb) + (unsigned)mvP->y;
+
+        if (mx != (int16_t)mx || my != (int16_t)my) {
+            av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my);
+        } else {
+            mvP->x = mx;
+            mvP->y = my;
+        }
    }
    set_mvs(mvP, size);
 }
@@ -465,7 +465,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw,
                                  cavs_vector *col_mv)
 {
    cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS;
-    int den = h->direct_den[col_mv->ref];
+    unsigned den = h->direct_den[col_mv->ref];
    int m = FF_SIGNBIT(col_mv->x);

    pmv_fw->dist = h->dist[1];
@@ -615,7 +615,7 @@ static inline int decode_residual_inter(AVSContext *h)

    /* get quantizer */
    if (h->cbp && !h->qp_fixed)
-        h->qp = (h->qp + get_se_golomb(&h->gb)) & 63;
+        h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63;
    for (block = 0; block < 4; block++)
        if (h->cbp & (1 << block))
            decode_residual_block(h, &h->gb, inter_dec, 0, h->qp,
@@ -1031,6 +1031,10 @@ static int decode_pic(AVSContext *h)
    h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0;
    if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) {
        h->sym_factor = h->dist[0] * h->scale_den[1];
+        if (FFABS(h->sym_factor) > 32768) {
+            av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor);
+            return AVERROR_INVALIDDATA;
+        }
    } else {
        h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0;
        h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0;
@@ -275,11 +275,11 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data,
    else
        aligned_width = FFALIGN(c->avctx->width, 16);
    c->padded_bits  = aligned_width - c->avctx->width;
-    if (c->video_size < aligned_width * avctx->height * c->bpp / 8)
+    if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8)
        return AVERROR_INVALIDDATA;
-    if (!encoding && c->palette_size && c->bpp <= 8) {
+    if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) {
        avctx->pix_fmt = AV_PIX_FMT_PAL8;
-    } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) {
+    } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) {
        if (c->palette_size != (1 << (c->bpp - 1)))
            return AVERROR_INVALIDDATA;
        avctx->pix_fmt = AV_PIX_FMT_BGR24;
@@ -501,7 +501,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
            int highpass_a_width = s->plane[s->channel_num].band[s->level][s->subband_num].a_width;
            int highpass_a_height = s->plane[s->channel_num].band[s->level][s->subband_num].a_height;
            int highpass_stride = s->plane[s->channel_num].band[s->level][s->subband_num].stride;
-            int expected = highpass_height * highpass_stride;
+            int expected;
            int a_expected = highpass_a_height * highpass_a_width;
            int level, run, coeff;
            int count = 0, bytes;
@@ -512,11 +512,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
                goto end;
            }

-            if (highpass_height > highpass_a_height || highpass_width > highpass_a_width || a_expected < expected) {
+            if (highpass_height > highpass_a_height || highpass_width > highpass_a_width || a_expected < highpass_height * (uint64_t)highpass_stride) {
                av_log(avctx, AV_LOG_ERROR, "Too many highpass coefficients\n");
                ret = AVERROR(EINVAL);
                goto end;
            }
+            expected = highpass_height * highpass_stride;

            av_log(avctx, AV_LOG_DEBUG, "Start subband coeffs plane %i level %i codebook %i expected %i\n", s->channel_num, s->level, s->codebook, expected);

@@ -322,9 +322,6 @@ static int cinepak_decode (CinepakContext *s)
    int           y0 = 0;
    int           encoded_buf_size;

-    if (s->size < 10)
-        return AVERROR_INVALIDDATA;
-
    frame_flags = s->data[0];
    num_strips  = AV_RB16 (&s->data[8]);
    encoded_buf_size = AV_RB24(&s->data[1]);
@@ -439,6 +436,9 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
    s->data = buf;
    s->size = buf_size;

+    if (s->size < 10)
+        return AVERROR_INVALIDDATA;
+
    if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
        return ret;

@@ -185,8 +185,8 @@ static inline int decode_block(CLVContext *ctx, int16_t *blk, int has_ac,
    const int t3 = OP( 2408 * blk[5 * step] - 1609 * blk[3 * step]);    \
    const int t4 = OP( 1108 * blk[2 * step] - 2676 * blk[6 * step]);    \
    const int t5 = OP( 2676 * blk[2 * step] + 1108 * blk[6 * step]);    \
-    const int t6 = ((blk[0 * step] + blk[4 * step]) << dshift) + bias;  \
-    const int t7 = ((blk[0 * step] - blk[4 * step]) << dshift) + bias;  \
+    const int t6 = ((blk[0 * step] + blk[4 * step]) * (1 << dshift)) + bias;  \
+    const int t7 = ((blk[0 * step] - blk[4 * step]) * (1 << dshift)) + bias;  \
    const int t8 = t0 + t2;                                             \
    const int t9 = t0 - t2;                                             \
    const int tA = 181 * (t9 + (t1 - t3)) + 0x80 >> 8;                  \
@@ -297,6 +297,11 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
    c->pic->pict_type = frame_type & 0x20 ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P;

    if (frame_type & 0x2) {
+        if (buf_size < c->mb_width * c->mb_height) {
+            av_log(avctx, AV_LOG_ERROR, "Packet too small\n");
+            return AVERROR_INVALIDDATA;
+        }
+
        bytestream2_get_be32(&gb); // frame size;
        c->ac_quant        = bytestream2_get_byte(&gb);
        c->luma_dc_quant   = 32;
@@ -29,6 +29,10 @@
 #include "avcodec.h"
 #include "internal.h"

+#define VLC_BITS 7
+#define VLC_DEPTH 2
+
+
 typedef struct CLLCContext {
    AVCodecContext *avctx;
    BswapDSPContext bdsp;
@@ -51,6 +55,13 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc)

    num_lens = get_bits(gb, 5);

+    if (num_lens > VLC_BITS * VLC_DEPTH) {
+        vlc->table = NULL;
+
+        av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens);
+        return AVERROR_INVALIDDATA;
+    }
+
    for (i = 0; i < num_lens; i++) {
        num_codes      = get_bits(gb, 9);
        num_codes_sum += num_codes;
@@ -70,11 +81,15 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc)

            count++;
        }
+        if (prefix > (65535 - 256)/2) {
+            vlc->table = NULL;
+            return AVERROR_INVALIDDATA;
+        }

        prefix <<= 1;
    }

-    return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1,
+    return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1,
                              codes, 2, 2, symbols, 1, 1, 0);
 }

@@ -101,7 +116,7 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left,
    for (i = 0; i < ctx->avctx->width; i++) {
        /* Always get the alpha component */
        UPDATE_CACHE(bits, gb);
-        GET_VLC(code, bits, gb, vlc[0].table, 7, 2);
+        GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH);

        pred[0] += code;
        dst[0]   = pred[0];
@@ -110,21 +125,21 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left,
        if (dst[0]) {
            /* Red */
            UPDATE_CACHE(bits, gb);
-            GET_VLC(code, bits, gb, vlc[1].table, 7, 2);
+            GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH);

            pred[1] += code;
            dst[1]   = pred[1];

            /* Green */
            UPDATE_CACHE(bits, gb);
-            GET_VLC(code, bits, gb, vlc[2].table, 7, 2);
+            GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH);

            pred[2] += code;
            dst[2]   = pred[2];

            /* Blue */
            UPDATE_CACHE(bits, gb);
-            GET_VLC(code, bits, gb, vlc[3].table, 7, 2);
+            GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH);

            pred[3] += code;
            dst[3]   = pred[3];
@@ -166,7 +181,7 @@ static int read_rgb24_component_line(CLLCContext *ctx, GetBitContext *gb,
    /* Simultaneously read and restore the line */
    for (i = 0; i < ctx->avctx->width; i++) {
        UPDATE_CACHE(bits, gb);
-        GET_VLC(code, bits, gb, vlc->table, 7, 2);
+        GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH);

        pred  += code;
        dst[0] = pred;
@@ -195,7 +210,7 @@ static int read_yuv_component_line(CLLCContext *ctx, GetBitContext *gb,
    /* Simultaneously read and restore the line */
    for (i = 0; i < ctx->avctx->width >> is_chroma; i++) {
        UPDATE_CACHE(bits, gb);
-        GET_VLC(code, bits, gb, vlc->table, 7, 2);
+        GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH);

        pred     += code;
        outbuf[i] = pred;
@@ -320,7 +320,7 @@ static void dmix_sub_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le
    int i;

    for (i = 0; i < len; i++)
-        dst[i] -= mul15(src[i], coeff);
+        dst[i] -= (unsigned)mul15(src[i], coeff);
 }

 static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t len)
@@ -39,7 +39,7 @@

 #define DDPF_FOURCC    (1 <<  2)
 #define DDPF_PALETTE   (1 <<  5)
-#define DDPF_NORMALMAP (1 << 31)
+#define DDPF_NORMALMAP (1U << 31)

 enum DDSPostProc {
    DDS_NONE = 0,
@@ -687,7 +687,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
                    (frame->data[1][2+i*4]<<0)+
                    (frame->data[1][1+i*4]<<8)+
                    (frame->data[1][0+i*4]<<16)+
-                    (frame->data[1][3+i*4]<<24)
+                    ((unsigned)frame->data[1][3+i*4]<<24)
            );
        }
        frame->palette_has_changed = 1;
@@ -718,7 +718,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
                        (frame->data[1][2+i*4]<<0)+
                        (frame->data[1][1+i*4]<<8)+
                        (frame->data[1][0+i*4]<<16)+
-                        (frame->data[1][3+i*4]<<24)
+                        ((unsigned)frame->data[1][3+i*4]<<24)
                );

            frame->palette_has_changed = 1;
@@ -67,7 +67,8 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height
    const uint8_t *frame_start = frame;
    const uint8_t *frame_end   = frame + width * height;
    int mask = 0x10000, bitbuf = 0;
-    int v, count, segments;
+    int v, count;
+    unsigned segments;
    unsigned offset;

    segments = bytestream2_get_le32(gb);
@@ -175,7 +176,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                return AVERROR_INVALIDDATA;
            frame += v;
        } else {
-            if (frame_end - frame < width + 3)
+            if (frame_end - frame < width + 4)
                return AVERROR_INVALIDDATA;
            frame[0] = frame[1] =
            frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
@@ -249,7 +250,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height
        segments = bytestream2_get_le16u(gb);
        while ((segments & 0xC000) == 0xC000) {
            unsigned skip_lines = -(int16_t)segments;
-            unsigned delta = -((int16_t)segments * width);
+            int64_t delta = -((int16_t)segments * (int64_t)width);
            if (frame_end - frame <= delta || y + lines + skip_lines > height)
                return AVERROR_INVALIDDATA;
            frame    += delta;
@@ -823,7 +823,7 @@ static int decode_hq_slice(DiracContext *s, DiracSlice *slice, uint8_t *tmp_buf)
    skip_bits_long(gb, 8*s->highquality.prefix_bytes);
    quant_idx = get_bits(gb, 8);

-    if (quant_idx > DIRAC_MAX_QUANT_INDEX) {
+    if (quant_idx > DIRAC_MAX_QUANT_INDEX - 1) {
        av_log(s->avctx, AV_LOG_ERROR, "Invalid quantization index - %i\n", quant_idx);
        return AVERROR_INVALIDDATA;
    }
@@ -2047,9 +2047,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame)

    if (out) {
        out->reference ^= DELAYED_PIC_REF;
-        *got_frame = 1;
        if((ret = av_frame_ref(picture, out->avframe)) < 0)
            return ret;
+        *got_frame = 1;
    }

    return 0;
@@ -29,8 +29,6 @@

 typedef struct {
    ParseContext pc;
-    int interlaced;
-    int cur_field; /* first field is 0, second is 1 */
    int cur_byte;
    int remaining;
    int w, h;
@@ -56,8 +54,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
    uint64_t state = pc->state64;
    int pic_found = pc->frame_start_found;
    int i = 0;
-    int interlaced = dctx->interlaced;
-    int cur_field = dctx->cur_field;

    if (!pic_found) {
        for (i = 0; i < buf_size; i++) {
@@ -65,8 +61,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
            if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
                i++;
                pic_found = 1;
-                interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */
-                cur_field = state&1;
                dctx->cur_byte = 0;
                dctx->remaining = 0;
                break;
@@ -97,13 +91,11 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
                    if (dctx->remaining <= 0)
                        return dctx->remaining;
                }
-                if (buf_size - i >= dctx->remaining && (!dctx->interlaced || dctx->cur_field)) {
+                if (buf_size - i + 47 >= dctx->remaining) {
                    int remaining = dctx->remaining;

                    pc->frame_start_found = 0;
                    pc->state64 = -1;
-                    dctx->interlaced = interlaced;
-                    dctx->cur_field = 0;
                    dctx->cur_byte = 0;
                    dctx->remaining = 0;
                    return remaining;
@@ -120,8 +112,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,

            pc->frame_start_found = 0;
            pc->state64 = -1;
-            dctx->interlaced = interlaced;
-            dctx->cur_field = 0;
            dctx->cur_byte = 0;
            dctx->remaining = 0;
            return remaining;
@@ -129,8 +119,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
    }
    pc->frame_start_found = pic_found;
    pc->state64 = state;
-    dctx->interlaced = interlaced;
-    dctx->cur_field = cur_field;
    return END_NOT_FOUND;
 }

@@ -33,7 +33,7 @@

 #define DSS_SP_FRAME_SIZE        42
 #define DSS_SP_SAMPLE_COUNT     (66 * SUBFRAMES)
-#define DSS_SP_FORMULA(a, b, c) (((((a) << 15) + (b) * (c)) + 0x4000) >> 15)
+#define DSS_SP_FORMULA(a, b, c) ((int)((((a) * (1 << 15)) + (b) * (unsigned)(c)) + 0x4000) >> 15)

 typedef struct DssSpSubframe {
    int16_t gain;
@@ -499,7 +499,7 @@ static void dss_sp_scale_vector(int32_t *vec, int bits, int size)
            vec[i] = vec[i] >> -bits;
    else
        for (i = 0; i < size; i++)
-            vec[i] = vec[i] << bits;
+            vec[i] = vec[i] * (1 << bits);
 }

 static void dss_sp_update_buf(int32_t *hist, int32_t *vector)
@@ -524,12 +524,12 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf,
        tmp = dst[a] * filter_buf[0];

        for (i = 14; i > 0; i--)
-            tmp -= error_buf[i] * filter_buf[i];
+            tmp -= error_buf[i] * (unsigned)filter_buf[i];

        for (i = 14; i > 0; i--)
            error_buf[i] = error_buf[i - 1];

-        tmp = (tmp + 4096) >> 13;
+        tmp = (int)(tmp + 4096U) >> 13;

        error_buf[1] = tmp;

@@ -24,6 +24,7 @@
 #include "bytestream.h"
 #include "internal.h"
 #include "libavutil/colorspace.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/opt.h"

 #define DVBSUB_PAGE_SEGMENT     0x10
@@ -1159,9 +1160,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx,
                return AVERROR_INVALIDDATA;
        }

-        if (depth & 0x80)
+        if (depth & 0x80 && entry_id < 4)
            clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha);
-        else if (depth & 0x40)
+        else if (depth & 0x40 && entry_id < 16)
            clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha);
        else if (depth & 0x20)
            clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha);
@@ -1184,6 +1185,7 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
    DVBSubObject *object;
    DVBSubObjectDisplay *display;
    int fill;
+    int ret;

    if (buf_size < 10)
        return AVERROR_INVALIDDATA;
@@ -1212,6 +1214,12 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
    region->height = AV_RB16(buf);
    buf += 2;

+    ret = av_image_check_size(region->width, region->height, 0, avctx);
+    if (ret < 0) {
+        region->width= region->height= 0;
+        return ret;
+    }
+
    if (region->width * region->height != region->buf_size) {
        av_free(region->pbuf);

@@ -60,7 +60,7 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t *
        cb = *ycbcr++;
        YUV_TO_RGB1_CCIR(cb, cr);
        YUV_TO_RGB2_CCIR(r, g, b, y);
-        *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b;
+        *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b;
    }
 }

@@ -189,12 +189,12 @@ static void guess_palette(DVDSubContext* ctx,
                r = (((subtitle_color >> 16) & 0xff) * level) >> 8;
                g = (((subtitle_color >> 8) & 0xff) * level) >> 8;
                b = (((subtitle_color >> 0) & 0xff) * level) >> 8;
-                rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24);
+                rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24);
                color_used[colormap[i]] = (i + 1);
                j++;
            } else {
                rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) |
-                                    ((alpha[i] * 17) << 24);
+                                    ((alpha[i] * 17U) << 24);
            }
        }
    }
@@ -335,6 +335,9 @@ static int dxv_decompress_raw(AVCodecContext *avctx)
    DXVContext *ctx = avctx->priv_data;
    GetByteContext *gbc = &ctx->gbc;

+    if (bytestream2_get_bytes_left(gbc) < ctx->tex_size)
+        return AVERROR_INVALIDDATA;
+
    bytestream2_get_buffer(gbc, ctx->tex_data, ctx->tex_size);
    return 0;
 }
@@ -284,7 +284,7 @@ static int decode_frame(AVCodecContext *avctx,

    if (avctx->width != width || avctx->height != height) {
        av_frame_unref(s->last_frame);
-        if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb))
+        if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb))
            return AVERROR_INVALIDDATA;
        if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
            return ret;
@@ -112,7 +112,7 @@ static inline void tqi_idct_put(AVCodecContext *avctx, AVFrame *frame,

 static void tqi_calculate_qtable(TqiContext *t, int quant)
 {
-    const int qscale = (215 - 2*quant)*5;
+    const int64_t qscale = (215 - 2*quant)*5;
    int i;

    t->intra_matrix[0] = (ff_inv_aanscales[0] * ff_mpeg1_default_intra_matrix[0]) >> 11;
@@ -220,9 +220,9 @@ static union av_intfloat32 exr_half2float(uint16_t hf)
 *
 * @return normalized 16-bit unsigned int
 */
-static inline uint16_t exr_flt2uint(uint32_t v)
+static inline uint16_t exr_flt2uint(int32_t v)
 {
-    unsigned int exp = v >> 23;
+    int32_t exp = v >> 23;
    // "HACK": negative values result in exp<  0, so clipping them to 0
    // is also handled by this condition, avoids explicit check for sign bit.
    if (exp <= 127 + 7 - 24) // we would shift out all bits anyway
@@ -85,7 +85,7 @@ JNIEnv *ff_jni_get_env(void *log_ctx)
        av_log(log_ctx, AV_LOG_ERROR, "The specified JNI version is not supported\n");
        break;
    default:
-        av_log(log_ctx, AV_LOG_ERROR, "Failed to get the JNI environment attached to this thread");
+        av_log(log_ctx, AV_LOG_ERROR, "Failed to get the JNI environment attached to this thread\n");
        break;
    }

@@ -303,6 +303,11 @@ int ff_jni_init_jfields(JNIEnv *env, void *jfields, const struct FFJniField *jfi

            last_clazz = *(jclass*)((uint8_t*)jfields + jfields_mapping[i].offset) =
                    global ? (*env)->NewGlobalRef(env, clazz) : clazz;
+
+            if (global) {
+                (*env)->DeleteLocalRef(env, clazz);
+            }
+
        } else {

            if (!last_clazz) {
@@ -45,7 +45,8 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state,
    if (get_rac(c, state + 0))
        return 0;
    else {
-        int i, e, a;
+        int i, e;
+        unsigned a;
        e = 0;
        while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10
            e++;
@@ -898,7 +899,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            const uint8_t *src[4];
            uint8_t *dst[4];
            ff_thread_await_progress(&f->last_picture, INT_MAX, 0);
-            for (j = 0; j < 4; j++) {
+            for (j = 0; j < desc->nb_components; j++) {
                int pixshift = desc->comp[j].depth > 8;
                int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0;
                int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0;
@@ -906,6 +907,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                         (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift);
                src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] *
                         (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift);
+
+            }
+            if (desc->flags & AV_PIX_FMT_FLAG_PAL ||
+                desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) {
+                dst[1] = p->data[1];
+                src[1] = f->last_picture.f->data[1];
            }
            av_image_copy(dst, p->linesize, src,
                          f->last_picture.f->linesize,
@@ -89,22 +89,22 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd
    const int t1 =  27246 * blk[5 * step] - 18405 * blk[3 * step];
    const int t2 =   6393 * blk[7 * step] + 32139 * blk[1 * step];
    const int t3 =   6393 * blk[1 * step] - 32139 * blk[7 * step];
-    const int t4 = 5793 * (t2 + t0 + 0x800 >> 12);
-    const int t5 = 5793 * (t3 + t1 + 0x800 >> 12);
-    const int t6 = t2 - t0;
-    const int t7 = t3 - t1;
-    const int t8 =  17734 * blk[2 * step] - 42813 * blk[6 * step];
-    const int t9 =  17734 * blk[6 * step] + 42814 * blk[2 * step];
-    const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd;
-    const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd;
-    blk[0 * step] = (  t4       + t9 + tB) >> shift;
-    blk[1 * step] = (  t6 + t7  + t8 + tA) >> shift;
-    blk[2 * step] = (  t6 - t7  - t8 + tA) >> shift;
-    blk[3 * step] = (  t5       - t9 + tB) >> shift;
-    blk[4 * step] = ( -t5       - t9 + tB) >> shift;
-    blk[5 * step] = (-(t6 - t7) - t8 + tA) >> shift;
-    blk[6 * step] = (-(t6 + t7) + t8 + tA) >> shift;
-    blk[7 * step] = ( -t4       + t9 + tB) >> shift;
+    const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12);
+    const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12);
+    const unsigned t6 = t2 - t0;
+    const unsigned t7 = t3 - t1;
+    const unsigned t8 =  17734 * blk[2 * step] - 42813 * blk[6 * step];
+    const unsigned t9 =  17734 * blk[6 * step] + 42814 * blk[2 * step];
+    const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd;
+    const unsigned tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd;
+    blk[0 * step] = (int)(  t4       + t9 + tB) >> shift;
+    blk[1 * step] = (int)(  t6 + t7  + t8 + tA) >> shift;
+    blk[2 * step] = (int)(  t6 - t7  - t8 + tA) >> shift;
+    blk[3 * step] = (int)(  t5       - t9 + tB) >> shift;
+    blk[4 * step] = (int)( -t5       - t9 + tB) >> shift;
+    blk[5 * step] = (int)(-(t6 - t7) - t8 + tA) >> shift;
+    blk[6 * step] = (int)(-(t6 + t7) + t8 + tA) >> shift;
+    blk[7 * step] = (int)( -t4       + t9 + tB) >> shift;
 }

 static void fic_idct_put(uint8_t *dst, int stride, int16_t *block)
@@ -205,12 +205,12 @@ static int get_metadata_size(const uint8_t *buf, int buf_size)
    buf += 4;
    do {
        if (buf_end - buf < 4)
-            return 0;
+            return AVERROR_INVALIDDATA;
        flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size);
        buf += 4;
        if (buf_end - buf < metadata_size) {
            /* need more data in order to read the complete header */
-            return 0;
+            return AVERROR_INVALIDDATA;
        }
        buf += metadata_size;
    } while (!metadata_last);
@@ -199,6 +199,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
    num_chunks = bytestream2_get_le16(&g2);
    bytestream2_skip(&g2, 8);  /* skip padding */

+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
+
    frame_size -= 16;

    /* iterate through the chunks */
@@ -519,6 +522,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
    if (frame_size > buf_size)
        frame_size = buf_size;

+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
    frame_size -= 16;

    /* iterate through the chunks */
@@ -804,6 +809,8 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
    if (frame_size > buf_size)
        frame_size = buf_size;

+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
    frame_size -= 16;

    /* iterate through the chunks */
@@ -459,7 +459,7 @@ static int decode_frame(AVCodecContext *avctx,
            int size, offset, start = 0;

            offset = bytestream2_get_le16(gb);
-            if (offset > s->nb_blocks)
+            if (offset >= s->nb_blocks)
                return AVERROR_INVALIDDATA;

            size = bytestream2_get_le16(gb);
@@ -561,6 +561,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
    }

    s->nb_blocks = s->xb * s->yb;
+    if (!s->nb_blocks)
+        return AVERROR_INVALIDDATA;
+
    s->blocks = av_calloc(s->nb_blocks, sizeof(*s->blocks));
    if (!s->blocks)
        return AVERROR(ENOMEM);
@@ -593,8 +596,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
    s->bpp = avctx->bits_per_coded_sample >> 3;
    s->buffer_size = avctx->width * avctx->height * 4;
    s->pbuffer_size = avctx->width * avctx->height * 4;
-    s->buffer = av_malloc(s->buffer_size);
-    s->pbuffer = av_malloc(s->pbuffer_size);
+    s->buffer = av_mallocz(s->buffer_size);
+    s->pbuffer = av_mallocz(s->pbuffer_size);
    if (!s->buffer || !s->pbuffer)
        return AVERROR(ENOMEM);

@@ -88,14 +88,14 @@ static inline void s_zero(int cur_diff, struct G722Band *band)
        ACCUM(3, band->diff_mem[2], 1);
        ACCUM(2, band->diff_mem[1], 1);
        ACCUM(1, band->diff_mem[0], 1);
-        ACCUM(0, cur_diff << 1, 1);
+        ACCUM(0, cur_diff * 2, 1);
    } else {
        ACCUM(5, band->diff_mem[4], 0);
        ACCUM(4, band->diff_mem[3], 0);
        ACCUM(3, band->diff_mem[2], 0);
        ACCUM(2, band->diff_mem[1], 0);
        ACCUM(1, band->diff_mem[0], 0);
-        ACCUM(0, cur_diff << 1, 0);
+        ACCUM(0, cur_diff * 2, 0);
    }
    #undef ACCUM
    band->s_zero = s_zero;
@@ -119,14 +119,14 @@ static void do_adaptive_prediction(struct G722Band *band, const int cur_diff)
    band->part_reconst_mem[0] = cur_part_reconst;

    band->pole_mem[1] = av_clip((sg[0] * av_clip(band->pole_mem[0], -8191, 8191) >> 5) +
-                                (sg[1] << 7) + (band->pole_mem[1] * 127 >> 7), -12288, 12288);
+                                (sg[1] * 128) + (band->pole_mem[1] * 127 >> 7), -12288, 12288);

    limit = 15360 - band->pole_mem[1];
    band->pole_mem[0] = av_clip(-192 * sg[0] + (band->pole_mem[0] * 255 >> 8), -limit, limit);

    s_zero(cur_diff, band);

-    cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) << 1);
+    cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) * 2);
    band->s_predictor = av_clip_int16(band->s_zero +
                                      (band->pole_mem[0] * cur_qtzd_reconst >> 15) +
                                      (band->pole_mem[1] * band->prev_qtzd_reconst >> 15));
@@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length)
    bits= FFMAX(bits, 0);

    for (i = 0; i < length; i++)
-        dst[i] = vector[i] << bits >> 3;
+        dst[i] = (vector[i] * (1 << bits)) >> 3;

    return bits - 3;
 }
@@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc)
    for (j = 0; j < LPC_ORDER; j++) {
        int index     = (lpc[j] >> 7) & 0x1FF;
        int offset    = lpc[j] & 0x7f;
-        int temp1     = cos_tab[index] << 16;
+        int temp1     = cos_tab[index] * (1 << 16);
        int temp2     = (cos_tab[index + 1] - cos_tab[index]) *
-                          ((offset << 8) + 0x80) << 1;
+                          (((offset << 8) + 0x80) << 1);

        lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16);
    }
@@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc)
     */
    /* Initialize with values in Q28 */
    f1[0] = 1 << 28;
-    f1[1] = (lpc[0] << 14) + (lpc[2] << 14);
+    f1[1] = (lpc[0] + lpc[2]) * (1 << 14);
    f1[2] = lpc[0] * lpc[2] + (2 << 28);

    f2[0] = 1 << 28;
-    f2[1] = (lpc[1] << 14) + (lpc[3] << 14);
+    f2[1] = (lpc[1] + lpc[3]) * (1 << 14);
    f2[2] = lpc[1] * lpc[3] + (2 << 28);

    /*
@@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc)

        f1[0] >>= 1;
        f2[0] >>= 1;
-        f1[1] = ((lpc[2 * i]     << 16 >> i) + f1[1]) >> 1;
-        f2[1] = ((lpc[2 * i + 1] << 16 >> i) + f2[1]) >> 1;
+        f1[1] = ((lpc[2 * i]     * 65536 >> i) + f1[1]) >> 1;
+        f2[1] = ((lpc[2 * i + 1] * 65536 >> i) + f2[1]) >> 1;
    }

    /* Convert polynomial coefficients to LPC coefficients */
@@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc)
        int64_t ff1 = f1[i + 1] + f1[i];
        int64_t ff2 = f2[i + 1] - f2[i];

-        lpc[i] = av_clipl_int32(((ff1 + ff2) << 3) + (1 << 15)) >> 16;
-        lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) << 3) +
+        lpc[i] = av_clipl_int32(((ff1 + ff2) * 8) + (1 << 15)) >> 16;
+        lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) * 8) +
                                                (1 << 15)) >> 16;
    }
 }
@@ -55,7 +55,7 @@
 * @param b 16 bit multiplier
 */
 #define MULL2(a, b) \
-        ((((a) >> 16) * (b) << 1) + (((a) & 0xffff) * (b) >> 15))
+        ((((a) >> 16) * (b) * 2) + (((a) & 0xffff) * (b) >> 15))

 /**
 * G723.1 frame types
@@ -488,7 +488,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag,
                          (FRAME_LEN - lag) * sizeof(*out));
    } else {  /* Unvoiced */
        for (i = 0; i < FRAME_LEN; i++) {
-            *rseed = *rseed * 521 + 259;
+            *rseed = (int16_t)(*rseed * 521 + 259);
            out[i] = gain * *rseed >> 15;
        }
        memset(buf, 0, (FRAME_LEN + PITCH_MAX) * sizeof(*buf));
@@ -517,7 +517,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag,
                      (iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\
        }\
 \
-        (dest)[m] = av_clipl_int32(((src)[m] << 16) + (filter << 3) +\
+        (dest)[m] = av_clipl_int32(((src)[m] * 65536) + (filter * 8) +\
                                   (1 << 15)) >> res_shift;\
    }\
 }
@@ -664,7 +664,7 @@ static int estimate_sid_gain(G723_1_Context *p)
        t = p->sid_gain << shift;
    else
        t = p->sid_gain >> -shift;
-    x = t * cng_filt[0] >> 16;
+    x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16);

    if (x >= cng_bseg[2])
        return 0x3F;
@@ -695,13 +695,13 @@ static int estimate_sid_gain(G723_1_Context *p)
    if (y <= 0) {
        t = seg * 32 + (val + 1 << seg2);
        t = t * t - x;
-        val = (seg2 - 1 << 4) + val;
+        val = (seg2 - 1) * 16 + val;
        if (t >= y)
            val++;
    } else {
        t = seg * 32 + (val - 1 << seg2);
        t = t * t - x;
-        val = (seg2 - 1 << 4) + val;
+        val = (seg2 - 1) * 16 + val;
        if (t >= y)
            val--;
    }
@@ -733,7 +733,7 @@ static void generate_noise(G723_1_Context *p)
        off[i * 2 + 1] = ((t >> 1) & 1) + SUBFRAME_LEN;
        t >>= 2;
        for (j = 0; j < 11; j++) {
-            signs[i * 11 + j] = (t & 1) * 2 - 1 << 14;
+            signs[i * 11 + j] = ((t & 1) * 2 - 1)  * (1 << 14);
            t >>= 1;
        }
    }
@@ -777,7 +777,7 @@ static void generate_noise(G723_1_Context *p)
        sum = 0;
        if (shift < 0) {
           for (j = 0; j < SUBFRAME_LEN * 2; j++) {
-               t      = vector_ptr[j] << -shift;
+               t      = vector_ptr[j] * (1 << -shift);
               sum   += t * t;
               tmp[j] = t;
           }
@@ -815,7 +815,7 @@ static void generate_noise(G723_1_Context *p)
        if (shift < 0)
           x >>= -shift;
        else
-           x <<= shift;
+           x *= 1 << shift;
        x = av_clip(x, -10000, 10000);

        for (j = 0; j < 11; j++) {
@@ -904,7 +904,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data,
                                             &p->subframe[i], p->cur_rate);
                /* Get the total excitation */
                for (j = 0; j < SUBFRAME_LEN; j++) {
-                    int v = av_clip_int16(vector_ptr[j] << 1);
+                    int v = av_clip_int16(vector_ptr[j] * 2);
                    vector_ptr[j] = av_clip_int16(v + acb_vector[j]);
                }
                vector_ptr += SUBFRAME_LEN;
@@ -269,7 +269,7 @@ static int16_t g726_decode(G726Context* c, int I)
        c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]);
    c->se >>= 1;

-    return av_clip(re_signal << 2, -0xffff, 0xffff);
+    return av_clip(re_signal * 4, -0xffff, 0xffff);
 }

 static av_cold int g726_reset(G726Context *c)
@@ -1112,7 +1112,7 @@ decode_intra_mb:

        dquant= get_se_golomb(&sl->gb);

-        sl->qscale += dquant;
+        sl->qscale += (unsigned)dquant;

        if (((unsigned)sl->qscale) > max_qp){
            if (sl->qscale < 0) sl->qscale += max_qp + 1;
@@ -59,6 +59,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
            if (luma_weight_flag) {
                pwt->luma_weight[i][list][0] = get_se_golomb(gb);
                pwt->luma_weight[i][list][1] = get_se_golomb(gb);
+                if ((int8_t)pwt->luma_weight[i][list][0] != pwt->luma_weight[i][list][0] ||
+                    (int8_t)pwt->luma_weight[i][list][1] != pwt->luma_weight[i][list][1])
+                    goto out_range_weight;
                if (pwt->luma_weight[i][list][0] != luma_def ||
                    pwt->luma_weight[i][list][1] != 0) {
                    pwt->use_weight             = 1;
@@ -76,6 +79,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
                    for (j = 0; j < 2; j++) {
                        pwt->chroma_weight[i][list][j][0] = get_se_golomb(gb);
                        pwt->chroma_weight[i][list][j][1] = get_se_golomb(gb);
+                        if ((int8_t)pwt->chroma_weight[i][list][j][0] != pwt->chroma_weight[i][list][j][0] ||
+                            (int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1])
+                            goto out_range_weight;
                        if (pwt->chroma_weight[i][list][j][0] != chroma_def ||
                            pwt->chroma_weight[i][list][j][1] != 0) {
                            pwt->use_weight_chroma        = 1;
@@ -104,6 +110,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
    }
    pwt->use_weight = pwt->use_weight || pwt->use_weight_chroma;
    return 0;
+out_range_weight:
+    avpriv_request_sample(logctx, "Out of range weight\n");
+    return AVERROR_INVALIDDATA;
 }

 /**
@@ -109,7 +109,6 @@ int ff_h264_ref_picture(H264Context *h, H264Picture *dst, H264Picture *src)
    dst->poc           = src->poc;
    dst->frame_num     = src->frame_num;
    dst->mmco_reset    = src->mmco_reset;
-    dst->pic_id        = src->pic_id;
    dst->long_ref      = src->long_ref;
    dst->mbaff         = src->mbaff;
    dst->field_picture = src->field_picture;
@@ -1423,14 +1423,14 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl,
     * We have to do that before the "dummy" in-between frame allocation,
     * since that can modify h->cur_pic_ptr. */
    if (h->first_field) {
+        int last_field = last_pic_structure == PICT_BOTTOM_FIELD;
        av_assert0(h->cur_pic_ptr);
        av_assert0(h->cur_pic_ptr->f->buf[0]);
        assert(h->cur_pic_ptr->reference != DELAYED_PIC_REF);

        /* Mark old field/frame as completed */
-        if (h->cur_pic_ptr->tf.owner == h->avctx) {
-            ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX,
-                                      last_pic_structure == PICT_BOTTOM_FIELD);
+        if (h->cur_pic_ptr->tf.owner[last_field] == h->avctx) {
+            ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, last_field);
        }

        /* figure out if we have a complementary field pair */
@@ -1568,7 +1568,9 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl,
            return AVERROR_INVALIDDATA;
        }
    } else {
+        int field = h->picture_structure == PICT_BOTTOM_FIELD;
        release_unused_pictures(h, 0);
+        h->cur_pic_ptr->tf.owner[field] = h->avctx;
    }
    /* Some macroblocks can be accessed before they're available in case
    * of lost slices, MBAFF or threading. */
@@ -1778,9 +1780,12 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl,
    }
    if ((pps->weighted_pred && sl->slice_type_nos == AV_PICTURE_TYPE_P) ||
        (pps->weighted_bipred_idc == 1 &&
-         sl->slice_type_nos == AV_PICTURE_TYPE_B))
-        ff_h264_pred_weight_table(&sl->gb, sps, sl->ref_count,
+         sl->slice_type_nos == AV_PICTURE_TYPE_B)) {
+        ret = ff_h264_pred_weight_table(&sl->gb, sps, sl->ref_count,
                                  sl->slice_type_nos, &sl->pwt, h->avctx);
+        if (ret < 0)
+            return ret;
+    }

    sl->explicit_ref_marking = 0;
    if (nal->ref_idc) {
@@ -1886,7 +1891,8 @@ static int h264_slice_init(H264Context *h, H264SliceContext *sl,

    if (sl->slice_type_nos == AV_PICTURE_TYPE_B && !sl->direct_spatial_mv_pred)
        ff_h264_direct_dist_scale_factor(h, sl);
-    ff_h264_direct_ref_list_init(h, sl);
+    if (!h->setup_finished)
+        ff_h264_direct_ref_list_init(h, sl);

    if (h->avctx->skip_loop_filter >= AVDISCARD_ALL ||
        (h->avctx->skip_loop_filter >= AVDISCARD_NONKEY &&
@@ -170,6 +170,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
            }
        }

+        if (k >= FF_ARRAY_ELEMS(rps->used)) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "Invalid num_delta_pocs: %d\n", k);
+            return AVERROR_INVALIDDATA;
+        }
+
        rps->num_delta_pocs    = k;
        rps->num_negative_pics = k0;
        // sort in increasing order (smallest first)
@@ -751,7 +757,7 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi
                                  ff_hevc_diag_scan8x8_x[i];

                    scaling_list_delta_coef = get_se_golomb(gb);
-                    next_coef = (next_coef + scaling_list_delta_coef + 256) % 256;
+                    next_coef = (next_coef + 256U + scaling_list_delta_coef) % 256;
                    sl->sl[size_id][matrix_id][pos] = next_coef;
                }
            }
@@ -145,7 +145,7 @@ static int decode_nal_sei_display_orientation(HEVCContext *s)
    return 0;
 }

-static int decode_pic_timing(HEVCContext *s)
+static int decode_pic_timing(HEVCContext *s, int size)
 {
    GetBitContext *gb = &s->HEVClc->gb;
    HEVCSPS *sps;
@@ -166,8 +166,12 @@ static int decode_pic_timing(HEVCContext *s)
        }
        get_bits(gb, 2);                   // source_scan_type
        get_bits(gb, 1);                   // duplicate_flag
+        skip_bits1(gb);
+        size--;
    }
-    return 1;
+    skip_bits_long(gb, 8 * size);
+
+    return 0;
 }

 static int decode_registered_user_data_closed_caption(HEVCContext *s, int size)
@@ -297,9 +301,8 @@ static int decode_nal_sei_prefix(HEVCContext *s, int type, int size)
        return decode_nal_sei_display_orientation(s);
    case SEI_TYPE_PICTURE_TIMING:
        {
-            int ret = decode_pic_timing(s);
+            int ret = decode_pic_timing(s, size);
            av_log(s->avctx, AV_LOG_DEBUG, "Skipped PREFIX SEI %d\n", type);
-            skip_bits(gb, 8 * size);
            return ret;
        }
    case SEI_TYPE_MASTERING_DISPLAY_INFO:
@@ -585,7 +585,7 @@ static int hls_slice_header(HEVCContext *s)
        }

        /* 8.3.1 */
-        if (s->temporal_id == 0 &&
+        if (sh->first_slice_in_pic_flag && s->temporal_id == 0 &&
            s->nal_unit_type != HEVC_NAL_TRAIL_N &&
            s->nal_unit_type != HEVC_NAL_TSA_N   &&
            s->nal_unit_type != HEVC_NAL_STSA_N  &&
@@ -2771,25 +2771,25 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal)
        if (ret < 0)
            return ret;

-        if (s->max_ra == INT_MAX) {
-            if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) {
-                s->max_ra = s->poc;
+        if (s->sh.first_slice_in_pic_flag) {
+            if (s->max_ra == INT_MAX) {
+                if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) {
+                    s->max_ra = s->poc;
+                } else {
+                    if (IS_IDR(s))
+                        s->max_ra = INT_MIN;
+                }
+            }
+
+            if ((s->nal_unit_type == HEVC_NAL_RASL_R || s->nal_unit_type == HEVC_NAL_RASL_N) &&
+                s->poc <= s->max_ra) {
+                s->is_decoded = 0;
+                break;
            } else {
-                if (IS_IDR(s))
+                if (s->nal_unit_type == HEVC_NAL_RASL_R && s->poc > s->max_ra)
                    s->max_ra = INT_MIN;
            }
-        }

-        if ((s->nal_unit_type == HEVC_NAL_RASL_R || s->nal_unit_type == HEVC_NAL_RASL_N) &&
-            s->poc <= s->max_ra) {
-            s->is_decoded = 0;
-            break;
-        } else {
-            if (s->nal_unit_type == HEVC_NAL_RASL_R && s->poc > s->max_ra)
-                s->max_ra = INT_MIN;
-        }
-
-        if (s->sh.first_slice_in_pic_flag) {
            ret = hevc_frame_start(s);
            if (ret < 0)
                return ret;
@@ -68,11 +68,11 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64],
    memset(block, 0, 64 * sizeof(*block));

    if (!is_hqa) {
-        block[0] = get_sbits(gb, 9) << 6;
+        block[0] = get_sbits(gb, 9) * 64;
        q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)];
    } else {
        q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)];
-        block[0] = get_sbits(gb, 9) << 6;
+        block[0] = get_sbits(gb, 9) * 64;
    }

    for (;;) {
@@ -83,7 +83,7 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64],
        pos += ff_hq_ac_skips[val];
        if (pos >= 64)
            break;
-        block[ff_zigzag_direct[pos]] = (ff_hq_ac_syms[val] * q[pos]) >> 12;
+        block[ff_zigzag_direct[pos]] = (int)(ff_hq_ac_syms[val] * (unsigned)q[pos]) >> 12;
        pos++;
    }

@@ -39,18 +39,18 @@ static inline void idct_col(int16_t *blk, const uint8_t *quant)
    s6 = (int) blk[6 * 8] * quant[6 * 8];
    s7 = (int) blk[7 * 8] * quant[7 * 8];

-    t0  =  (s3 * 19266 + s5 * 12873) >> 15;
-    t1  =  (s5 * 19266 - s3 * 12873) >> 15;
-    t2  = ((s7 * 4520  + s1 * 22725) >> 15) - t0;
-    t3  = ((s1 * 4520  - s7 * 22725) >> 15) - t1;
+    t0  =  (int)(s3 * 19266U + s5 * 12873U) >> 15;
+    t1  =  (int)(s5 * 19266U - s3 * 12873U) >> 15;
+    t2  = ((int)(s7 * 4520U  + s1 * 22725U) >> 15) - t0;
+    t3  = ((int)(s1 * 4520U  - s7 * 22725U) >> 15) - t1;
    t4  = t0 * 2 + t2;
    t5  = t1 * 2 + t3;
    t6  = t2 - t3;
    t7  = t3 * 2 + t6;
-    t8  = (t6 * 11585) >> 14;
-    t9  = (t7 * 11585) >> 14;
-    tA  = (s2 * 8867 - s6 * 21407) >> 14;
-    tB  = (s6 * 8867 + s2 * 21407) >> 14;
+    t8  = (int)(t6 * 11585U) >> 14;
+    t9  = (int)(t7 * 11585U) >> 14;
+    tA  = (int)(s2 * 8867U - s6 * 21407U) >> 14;
+    tB  = (int)(s6 * 8867U + s2 * 21407U) >> 14;
    tC  = (s0 >> 1) - (s4 >> 1);
    tD  = (s4 >> 1) * 2 + tC;
    tE  = tC - (tA >> 1);
@@ -46,11 +46,12 @@ typedef struct SrtStack {

 static void rstrip_spaces_buf(AVBPrint *buf)
 {
-    while (buf->len > 0 && buf->str[buf->len - 1] == ' ')
-        buf->str[--buf->len] = 0;
+    if (av_bprint_is_complete(buf))
+        while (buf->len > 0 && buf->str[buf->len - 1] == ' ')
+            buf->str[--buf->len] = 0;
 }

-void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
+int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
 {
    char *param, buffer[128], tmp[128];
    int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0;
@@ -171,8 +172,13 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
            line_start = 0;
    }

+    if (!av_bprint_is_complete(dst))
+        return AVERROR(ENOMEM);
+
    while (dst->len >= 2 && !strncmp(&dst->str[dst->len - 2], "\\N", 2))
        dst->len -= 2;
    dst->str[dst->len] = 0;
    rstrip_spaces_buf(dst);
+
+    return 0;
 }
@@ -23,6 +23,6 @@

 #include "libavutil/bprint.h"

-void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in);
+int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in);

 #endif /* AVCODEC_HTMLSUBTITLES_H */
@@ -579,6 +579,8 @@ static av_cold int decode_init_thread_copy(AVCodecContext *avctx)
    HYuvContext *s = avctx->priv_data;
    int i, ret;

+    s->avctx = avctx;
+
    if ((ret = ff_huffyuv_alloc_temp(s)) < 0) {
        ff_huffyuv_common_end(s);
        return ret;
@@ -69,6 +69,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
            for (i = 0; i < c * 2; i++)
                dst[out++] = 0x80;
        } else { /* copy two values from table */
+            if (c <= 0)
+                return AVERROR_INVALIDDATA;
            dst[out++] = table[c * 2];
            dst[out++] = table[(c * 2) + 1];
        }
@@ -77,6 +79,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst

    for (j = 1; j < height; j++) {
        out = 0;
+        if (get_bits_left(&ctx->gb) <= 0)
+            return AVERROR_INVALIDDATA;
        while (out < width) {
            int c = ir2_get_code(&ctx->gb);
            if (c >= 0x80) { /* we have a skip */
@@ -88,7 +92,10 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
                    out++;
                }
            } else { /* add two deltas from table */
-                int t    = dst[out - pitch] + (table[c * 2] - 128);
+                int t;
+                if (c <= 0)
+                    return AVERROR_INVALIDDATA;
+                t        = dst[out - pitch] + (table[c * 2] - 128);
                t        = av_clip_uint8(t);
                dst[out] = t;
                out++;
@@ -116,12 +123,16 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_

    for (j = 0; j < height; j++) {
        out = 0;
+        if (get_bits_left(&ctx->gb) <= 0)
+            return AVERROR_INVALIDDATA;
        while (out < width) {
            c = ir2_get_code(&ctx->gb);
            if (c >= 0x80) { /* we have a skip */
                c   -= 0x7F;
                out += c * 2;
            } else { /* add two deltas from table */
+                if (c <= 0)
+                    return AVERROR_INVALIDDATA;
                t        = dst[out] + (((table[c * 2] - 128)*3) >> 2);
                t        = av_clip_uint8(t);
                dst[out] = t;
@@ -116,10 +116,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst,
                b0_2 = b0_ptr[pitch+indx+1];
                tmp1 = tmp0 + b0_1;

-                p0 =  tmp0 << 4;
-                p1 =  tmp1 << 3;
-                p2 = (tmp0 + tmp2) << 3;
-                p3 = (tmp1 + tmp2 + b0_2) << 2;
+                p0 =  tmp0 * 16;
+                p1 =  tmp1 * 8;
+                p2 = (tmp0 + tmp2) * 8;
+                p3 = (tmp1 + tmp2 + b0_2) * 4;
            }

            /* process the HL-band by applying HPF vertically and LPF horizontally */
@@ -132,10 +132,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst,
                tmp2 = tmp1 - tmp0*6 + b1_3;
                b1_3 = b1_1 - b1_2*6 + b1_ptr[pitch+indx+1];

-                p0 += (tmp0 + tmp1) << 3;
-                p1 += (tmp0 + tmp1 + b1_1 + b1_2) << 2;
-                p2 +=  tmp2 << 2;
-                p3 += (tmp2 + b1_3) << 1;
+                p0 += (tmp0 + tmp1) * 8;
+                p1 += (tmp0 + tmp1 + b1_1 + b1_2) * 4;
+                p2 +=  tmp2 * 4;
+                p3 += (tmp2 + b1_3) * 2;
            }

            /* process the LH-band by applying LPF vertically and HPF horizontally */
@@ -146,10 +146,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst,
                tmp0 = b2_1 + b2_2;
                tmp1 = b2_1 - b2_2*6 + b2_3;

-                p0 += tmp0 << 3;
-                p1 += tmp1 << 2;
-                p2 += (tmp0 + b2_4 + b2_5) << 2;
-                p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) << 1;
+                p0 += tmp0 * 8;
+                p1 += tmp1 * 4;
+                p2 += (tmp0 + b2_4 + b2_5) * 4;
+                p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) * 2;
            }

            /* process the HH-band by applying HPF both vertically and horizontally */
@@ -163,9 +163,9 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst,

                b3_9 = b3_3 - b3_6*6 + b3_ptr[pitch+indx+1];

-                p0 += (tmp0 + tmp1) << 2;
-                p1 += (tmp0 - tmp1*6 + tmp2) << 1;
-                p2 += (b3_7 + b3_8) << 1;
+                p0 += (tmp0 + tmp1) * 4;
+                p1 += (tmp0 - tmp1*6 + tmp2) * 2;
+                p2 += (b3_7 + b3_8) * 2;
                p3 +=  b3_7 - b3_8*6 + b3_9;
            }

@@ -243,7 +243,7 @@ void ff_ivi_recompose_haar(const IVIPlaneDesc *plane, uint8_t *dst,
 #define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\
                  d1, d2, d3, d4, d5, d6, d7, d8,\
                  t0, t1, t2, t3, t4, t5, t6, t7, t8) {\
-    t1 = (s1) << 1; t5 = (s5) << 1;\
+    t1 = (s1) * 2; t5 = (s5) * 2;\
    IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\
    IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\
    IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\
@@ -284,10 +284,10 @@ void ff_ivi_inverse_haar_8x8(const int32_t *in, int16_t *out, ptrdiff_t pitch,
        if (flags[i]) {
            /* pre-scaling */
            shift = !(i & 4);
-            sp1 = src[ 0] << shift;
-            sp2 = src[ 8] << shift;
-            sp3 = src[16] << shift;
-            sp4 = src[24] << shift;
+            sp1 = src[ 0] * (1 << shift);
+            sp2 = src[ 8] * (1 << shift);
+            sp3 = src[16] * (1 << shift);
+            sp4 = src[24] * (1 << shift);
            INV_HAAR8(    sp1,     sp2,     sp3,     sp4,
                      src[32], src[40], src[48], src[56],
                      dst[ 0], dst[ 8], dst[16], dst[24],
@@ -393,8 +393,8 @@ void ff_ivi_inverse_haar_4x4(const int32_t *in, int16_t *out, ptrdiff_t pitch,
        if (flags[i]) {
            /* pre-scaling */
            shift = !(i & 2);
-            sp1 = src[0] << shift;
-            sp2 = src[4] << shift;
+            sp1 = src[0] * (1 << shift);
+            sp2 = src[4] * (1 << shift);
            INV_HAAR4(   sp1,    sp2, src[8], src[12],
                      dst[0], dst[4], dst[8], dst[12],
                      t0, t1, t2, t3, t4);
@@ -220,7 +220,7 @@ static inline int ff_jpeg2000_ceildivpow2(int a, int b)

 static inline int ff_jpeg2000_ceildiv(int a, int b)
 {
-    return (a + b - 1) / b;
+    return (a + (int64_t)b - 1) / b;
 }

 /* TIER-1 routines */
@@ -260,6 +260,7 @@ static int get_siz(Jpeg2000DecoderContext *s)
    uint32_t log2_chroma_wh = 0;
    const enum AVPixelFormat *possible_fmts = NULL;
    int possible_fmts_nb = 0;
+    int ret;

    if (bytestream2_get_bytes_left(&s->g) < 36) {
        av_log(s->avctx, AV_LOG_ERROR, "Insufficient space for SIZ\n");
@@ -298,6 +299,16 @@ static int get_siz(Jpeg2000DecoderContext *s)
        return AVERROR_PATCHWELCOME;
    }

+    if (s->tile_offset_x < 0 || s->tile_offset_y < 0 ||
+        s->image_offset_x < s->tile_offset_x ||
+        s->image_offset_y < s->tile_offset_y ||
+        s->tile_width  + (int64_t)s->tile_offset_x <= s->image_offset_x ||
+        s->tile_height + (int64_t)s->tile_offset_y <= s->image_offset_y
+    ) {
+        av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    s->ncomponents = ncomponents;

    if (s->tile_width <= 0 || s->tile_height <= 0) {
@@ -349,10 +360,13 @@ static int get_siz(Jpeg2000DecoderContext *s)
    }

    /* compute image size with reduction factor */
-    s->avctx->width  = ff_jpeg2000_ceildivpow2(s->width  - s->image_offset_x,
-                                               s->reduction_factor);
-    s->avctx->height = ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y,
-                                               s->reduction_factor);
+    ret = ff_set_dimensions(s->avctx,
+            ff_jpeg2000_ceildivpow2(s->width  - s->image_offset_x,
+                                               s->reduction_factor),
+            ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y,
+                                               s->reduction_factor));
+    if (ret < 0)
+        return ret;

    if (s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_2K ||
        s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_4K) {
@@ -390,6 +390,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
        av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n",
                ilv, point_transform, s->bits, s->cur_scan);
    }
+    if (get_bits_left(&s->gb) < s->height) {
+        ret = AVERROR_INVALIDDATA;
+        goto end;
+    }
    if (ilv == 0) { /* separate planes */
        if (s->cur_scan > s->nb_components) {
            ret = AVERROR_INVALIDDATA;
@@ -98,7 +98,7 @@ static uint32_t softfloat_mul(uint32_t x, uint64_t mantissa)

 static uint8_t lag_calc_zero_run(int8_t x)
 {
-    return (x << 1) ^ (x >> 7);
+    return (x * 2) ^ (x >> 7);
 }

 static int lag_decode_prob(GetBitContext *gb, uint32_t *value)
@@ -191,7 +191,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
        }

        scale_factor++;
-        cumulative_target = 1 << scale_factor;
+        if (scale_factor >= 32U)
+            return AVERROR_INVALIDDATA;
+        cumulative_target = 1U << scale_factor;

        if (scaled_cumul_prob > cumulative_target) {
            av_log(rac->avctx, AV_LOG_ERROR,
@@ -325,7 +325,7 @@ static int fdk_aac_decode_frame(AVCodecContext *avctx, void *data,
        return AVERROR_INVALIDDATA;
    }

-    err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size, 0);
+    err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size / sizeof(INT_PCM), 0);
    if (err == AAC_DEC_NOT_ENOUGH_BITS) {
        ret = avpkt->size - valid;
        goto end;
@@ -97,6 +97,8 @@ static int huff_build10(VLC *vlc, uint8_t *len)
    for (i = 0; i < 1024; i++) {
        he[i].sym = 1023 - i;
        he[i].len = len[i];
+        if (len[i] == 0)
+            return AVERROR_INVALIDDATA;
    }
    AV_QSORT(he, 1024, HuffEntry, huff_cmp_len10);

@@ -127,6 +129,8 @@ static int huff_build(VLC *vlc, uint8_t *len)
    for (i = 0; i < 256; i++) {
        he[i].sym = 255 - i;
        he[i].len = len[i];
+        if (len[i] == 0)
+            return AVERROR_INVALIDDATA;
    }
    AV_QSORT(he, 256, HuffEntry, huff_cmp_len);

@@ -73,7 +73,7 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
        if (diff >= 0xffff)
            return AVERROR_INVALIDDATA;
        a->last_dc[component] += diff;
-        block[0] = a->last_dc[component] << 3;
+        block[0] = a->last_dc[component] * (1 << 3);
    }

    i = 0;
@@ -111,11 +111,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
                j = scantable[i];
                if (level < 0) {
                    level = -level;
-                    level = (level * qscale * quant_matrix[j]) >> 3;
+                    level = (level * (unsigned)qscale * quant_matrix[j]) >> 3;
                    level = (level - 1) | 1;
                    level = -level;
                } else {
-                    level = (level * qscale * quant_matrix[j]) >> 3;
+                    level = (level * (unsigned)qscale * quant_matrix[j]) >> 3;
                    level = (level - 1) | 1;
                }
            }
@@ -66,7 +66,7 @@ struct JNIAMediaCodecListFields {
    jfieldID hevc_profile_main10_id;
    jfieldID hevc_profile_main10_hdr10_id;

-} JNIAMediaCodecListFields;
+};

 static const struct FFJniField jni_amediacodeclist_mapping[] = {
    { "android/media/MediaCodecList", NULL, NULL, FF_JNI_CLASS, offsetof(struct JNIAMediaCodecListFields, mediacodec_list_class), 1 },
@@ -125,7 +125,7 @@ struct JNIAMediaFormatFields {

    jmethodID to_string_id;

-} JNIAMediaFormatFields;
+};

 static const struct FFJniField jni_amediaformat_mapping[] = {
    { "android/media/MediaFormat", NULL, NULL, FF_JNI_CLASS, offsetof(struct JNIAMediaFormatFields, mediaformat_class), 1 },
@@ -210,7 +210,7 @@ struct JNIAMediaCodecFields {
    jfieldID presentation_time_us_id;
    jfieldID size_id;

-} JNIAMediaCodecFields;
+};

 static const struct FFJniField jni_amediacodec_mapping[] = {
    { "android/media/MediaCodec", NULL, NULL, FF_JNI_CLASS, offsetof(struct JNIAMediaCodecFields, mediacodec_class), 1 },
@@ -608,6 +608,7 @@ FFAMediaFormat *ff_AMediaFormat_new(void)
 {
    JNIEnv *env = NULL;
    FFAMediaFormat *format = NULL;
+    jobject object = NULL;

    format = av_mallocz(sizeof(FFAMediaFormat));
    if (!format) {
@@ -625,23 +626,27 @@ FFAMediaFormat *ff_AMediaFormat_new(void)
        goto fail;
    }

-    format->object = (*env)->NewObject(env, format->jfields.mediaformat_class, format->jfields.init_id);
+    object = (*env)->NewObject(env, format->jfields.mediaformat_class, format->jfields.init_id);
+    if (!object) {
+        goto fail;
+    }
+
+    format->object = (*env)->NewGlobalRef(env, object);
    if (!format->object) {
        goto fail;
    }

-    format->object = (*env)->NewGlobalRef(env, format->object);
+fail:
+    if (object) {
+        (*env)->DeleteLocalRef(env, object);
+    }
+
    if (!format->object) {
-        goto fail;
+        ff_jni_reset_jfields(env, &format->jfields, jni_amediaformat_mapping, 1, format);
+        av_freep(&format);
    }

    return format;
-fail:
-    ff_jni_reset_jfields(env, &format->jfields, jni_amediaformat_mapping, 1, format);
-
-    av_freep(&format);
-
-    return NULL;
 }

 static FFAMediaFormat *ff_AMediaFormat_newFromObject(void *object)
@@ -1129,9 +1134,11 @@ fail:

 FFAMediaCodec* ff_AMediaCodec_createCodecByName(const char *name)
 {
+    int ret = -1;
    JNIEnv *env = NULL;
    FFAMediaCodec *codec = NULL;
    jstring codec_name = NULL;
+    jobject object = NULL;

    codec = av_mallocz(sizeof(FFAMediaCodec));
    if (!codec) {
@@ -1154,12 +1161,12 @@ FFAMediaCodec* ff_AMediaCodec_createCodecByName(const char *name)
        goto fail;
    }

-    codec->object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_by_codec_name_id, codec_name);
+    object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_by_codec_name_id, codec_name);
    if (ff_jni_exception_check(env, 1, codec) < 0) {
        goto fail;
    }

-    codec->object = (*env)->NewGlobalRef(env, codec->object);
+    codec->object = (*env)->NewGlobalRef(env, object);
    if (!codec->object) {
        goto fail;
    }
@@ -1172,24 +1179,31 @@ FFAMediaCodec* ff_AMediaCodec_createCodecByName(const char *name)
        codec->has_get_i_o_buffer = 1;
    }

-    return codec;
+    ret = 0;
 fail:
-    ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec);
-
    if (codec_name) {
        (*env)->DeleteLocalRef(env, codec_name);
    }

-    av_freep(&codec);
+    if (object) {
+        (*env)->DeleteLocalRef(env, object);
+    }

-    return NULL;
+    if (ret < 0) {
+        ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec);
+        av_freep(&codec);
+    }
+
+    return codec;
 }

 FFAMediaCodec* ff_AMediaCodec_createDecoderByType(const char *mime)
 {
+    int ret = -1;
    JNIEnv *env = NULL;
    FFAMediaCodec *codec = NULL;
    jstring mime_type = NULL;
+    jobject object = NULL;

    codec = av_mallocz(sizeof(FFAMediaCodec));
    if (!codec) {
@@ -1212,12 +1226,12 @@ FFAMediaCodec* ff_AMediaCodec_createDecoderByType(const char *mime)
        goto fail;
    }

-    codec->object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_decoder_by_type_id, mime_type);
+    object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_decoder_by_type_id, mime_type);
    if (ff_jni_exception_check(env, 1, codec) < 0) {
        goto fail;
    }

-    codec->object = (*env)->NewGlobalRef(env, codec->object);
+    codec->object = (*env)->NewGlobalRef(env, object);
    if (!codec->object) {
        goto fail;
    }
@@ -1230,24 +1244,31 @@ FFAMediaCodec* ff_AMediaCodec_createDecoderByType(const char *mime)
        codec->has_get_i_o_buffer = 1;
    }

-    return codec;
+    ret = 0;
 fail:
-    ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec);
-
    if (mime_type) {
        (*env)->DeleteLocalRef(env, mime_type);
    }

-    av_freep(&codec);
+    if (object) {
+        (*env)->DeleteLocalRef(env, object);
+    }

-    return NULL;
+    if (ret < 0) {
+        ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec);
+        av_freep(&codec);
+    }
+
+    return codec;
 }

 FFAMediaCodec* ff_AMediaCodec_createEncoderByType(const char *mime)
 {
+    int ret = -1;
    JNIEnv *env = NULL;
    FFAMediaCodec *codec = NULL;
    jstring mime_type = NULL;
+    jobject object = NULL;

    codec = av_mallocz(sizeof(FFAMediaCodec));
    if (!codec) {
@@ -1270,12 +1291,12 @@ FFAMediaCodec* ff_AMediaCodec_createEncoderByType(const char *mime)
        goto fail;
    }

-    codec->object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_encoder_by_type_id, mime_type);
+    object = (*env)->CallStaticObjectMethod(env, codec->jfields.mediacodec_class, codec->jfields.create_encoder_by_type_id, mime_type);
    if (ff_jni_exception_check(env, 1, codec) < 0) {
        goto fail;
    }

-    codec->object = (*env)->NewGlobalRef(env, codec->object);
+    codec->object = (*env)->NewGlobalRef(env, object);
    if (!codec->object) {
        goto fail;
    }
@@ -1288,17 +1309,22 @@ FFAMediaCodec* ff_AMediaCodec_createEncoderByType(const char *mime)
        codec->has_get_i_o_buffer = 1;
    }

-    return codec;
+    ret = 0;
 fail:
-    ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec);
-
    if (mime_type) {
        (*env)->DeleteLocalRef(env, mime_type);
    }

-    av_freep(&codec);
+    if (object) {
+        (*env)->DeleteLocalRef(env, object);
+    }

-    return NULL;
+    if  (ret < 0) {
+        ff_jni_reset_jfields(env, &codec->jfields, jni_amediacodec_mapping, 1, codec);
+        av_freep(&codec);
+    }
+
+    return codec;
 }

 int ff_AMediaCodec_delete(FFAMediaCodec* codec)
@@ -1541,6 +1567,7 @@ uint8_t* ff_AMediaCodec_getInputBuffer(FFAMediaCodec* codec, size_t idx, size_t
    JNIEnv *env = NULL;

    jobject buffer = NULL;
+    jobject input_buffers = NULL;

    JNI_GET_ENV_OR_RETURN(env, codec, NULL);

@@ -1551,12 +1578,12 @@ uint8_t* ff_AMediaCodec_getInputBuffer(FFAMediaCodec* codec, size_t idx, size_t
        }
    } else {
        if (!codec->input_buffers) {
-            codec->input_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_input_buffers_id);
+            input_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_input_buffers_id);
            if (ff_jni_exception_check(env, 1, codec) < 0) {
                goto fail;
            }

-            codec->input_buffers = (*env)->NewGlobalRef(env, codec->input_buffers);
+            codec->input_buffers = (*env)->NewGlobalRef(env, input_buffers);
            if (ff_jni_exception_check(env, 1, codec) < 0) {
                goto fail;
            }
@@ -1575,6 +1602,10 @@ fail:
        (*env)->DeleteLocalRef(env, buffer);
    }

+    if (input_buffers) {
+        (*env)->DeleteLocalRef(env, input_buffers);
+    }
+
    return ret;
 }

@@ -1584,6 +1615,7 @@ uint8_t* ff_AMediaCodec_getOutputBuffer(FFAMediaCodec* codec, size_t idx, size_t
    JNIEnv *env = NULL;

    jobject buffer = NULL;
+    jobject output_buffers = NULL;

    JNI_GET_ENV_OR_RETURN(env, codec, NULL);

@@ -1594,12 +1626,12 @@ uint8_t* ff_AMediaCodec_getOutputBuffer(FFAMediaCodec* codec, size_t idx, size_t
        }
    } else {
        if (!codec->output_buffers) {
-            codec->output_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_output_buffers_id);
+            output_buffers = (*env)->CallObjectMethod(env, codec->object, codec->jfields.get_output_buffers_id);
            if (ff_jni_exception_check(env, 1, codec) < 0) {
                goto fail;
            }

-            codec->output_buffers = (*env)->NewGlobalRef(env, codec->output_buffers);
+            codec->output_buffers = (*env)->NewGlobalRef(env, output_buffers);
            if (ff_jni_exception_check(env, 1, codec) < 0) {
                goto fail;
            }
@@ -1618,6 +1650,10 @@ fail:
        (*env)->DeleteLocalRef(env, buffer);
    }

+    if (output_buffers) {
+        (*env)->DeleteLocalRef(env, output_buffers);
+    }
+
    return ret;
 }

@@ -262,7 +262,7 @@ static int vlc_decode_block(MimicContext *ctx, int num_coeffs, int qscale)

        coeff = vlcdec_lookup[num_bits][value];
        if (pos < 3)
-            coeff <<= 4;
+            coeff *= 16;
        else /* TODO Use >> 10 instead of / 1001 */
            coeff = (coeff * qscale) / 1001;

@@ -390,9 +390,11 @@ static int mimic_decode_frame(AVCodecContext *avctx, void *data,
            return AVERROR_INVALIDDATA;
        }

+        res = ff_set_dimensions(avctx, width, height);
+        if (res < 0)
+            return res;
+
        ctx->avctx     = avctx;
-        avctx->width   = width;
-        avctx->height  = height;
        avctx->pix_fmt = AV_PIX_FMT_YUV420P;
        for (i = 0; i < 3; i++) {
            ctx->num_vblocks[i] = AV_CEIL_RSHIFT(height,   3 + !!i);
@@ -738,7 +738,7 @@ static int decode_dc_progressive(MJpegDecodeContext *s, int16_t *block,
                                 int component, int dc_index,
                                 uint16_t *quant_matrix, int Al)
 {
-    int val;
+    unsigned val;
    s->bdsp.clear_block(block);
    val = mjpeg_decode_dc(s, dc_index);
    if (val == 0xfffff) {
@@ -757,7 +757,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block,
                                    uint16_t *quant_matrix,
                                    int ss, int se, int Al, int *EOBRUN)
 {
-    int code, i, j, level, val, run;
+    int code, i, j, val, run;
+    unsigned level;

    if (*EOBRUN) {
        (*EOBRUN)--;
@@ -1478,6 +1479,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask,
        return -1;
    }

+    if (reference) {
+        if (reference->width  != s->picture_ptr->width  ||
+            reference->height != s->picture_ptr->height ||
+            reference->format != s->picture_ptr->format) {
+            av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n");
+            return AVERROR_INVALIDDATA;
+        }
+    }
+
    av_assert0(s->picture_ptr->data[0]);
    /* XXX: verify len field validity */
    len = get_bits(&s->gb, 16);
@@ -91,13 +91,17 @@ static void jpeg_table_header(AVCodecContext *avctx, PutBitContext *p,
 {
    int i, j, size;
    uint8_t *ptr;
-    MpegEncContext *s = avctx->priv_data;
+    MpegEncContext *s = NULL;
+
+    /* Since avctx->priv_data will point to LJpegEncContext in this case */
+    if (avctx->codec_id != AV_CODEC_ID_LJPEG)
+        s = avctx->priv_data;

    if (avctx->codec_id != AV_CODEC_ID_LJPEG) {
        int matrix_count = 1 + !!memcmp(luma_intra_matrix,
                                        chroma_intra_matrix,
                                        sizeof(luma_intra_matrix[0]) * 64);
-    if (s->force_duplicated_matrix)
+    if (s && s->force_duplicated_matrix)
        matrix_count = 2;
    /* quant matrixes */
    put_marker(p, DQT);
@@ -134,7 +138,7 @@ static void jpeg_table_header(AVCodecContext *avctx, PutBitContext *p,

    // Only MJPEG can have a variable Huffman variable. All other
    // formats use the default Huffman table.
-    if (s->out_format == FMT_MJPEG && s->huffman == HUFFMAN_TABLE_OPTIMAL) {
+    if (s && s->huffman == HUFFMAN_TABLE_OPTIMAL) {
        size += put_huffman_table(p, 0, 0, s->mjpeg_ctx->bits_dc_luminance,
                                  s->mjpeg_ctx->val_dc_luminance);
        size += put_huffman_table(p, 0, 1, s->mjpeg_ctx->bits_dc_chrominance,
@@ -87,6 +87,8 @@ void ff_mjpegenc_huffman_compute_bits(PTable *prob_table, HuffTable *distincts,

    int min;

+    av_assert0(max_length > 0);
+
    to->nitems = 0;
    from->nitems = 0;
    to->item_idx[0] = 0;
@@ -264,7 +264,7 @@ static inline int read_huff_channels(MLPDecodeContext *m, GetBitContext *gbp,
            result = (result << lsb_bits) + get_bits(gbp, lsb_bits);

        result  += cp->sign_huff_offset;
-        result <<= quant_step_size;
+        result *= 1 << quant_step_size;

        m->sample_buffer[pos + s->blockpos][channel] = result;
    }
@@ -684,7 +684,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp,
        }

        for (i = 0; i < order; i++)
-            fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift;
+            fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift);

        if (get_bits1(gbp)) {
            int state_bits, state_shift;
@@ -701,7 +701,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp,
            /* TODO: Check validity of state data. */

            for (i = 0; i < order; i++)
-                fp->state[i] = state_bits ? get_sbits(gbp, state_bits) << state_shift : 0;
+                fp->state[i] = state_bits ? get_sbits(gbp, state_bits) * (1 << state_shift) : 0;
        }
    }

@@ -729,7 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
        av_log(m->avctx, AV_LOG_ERROR,
               "Number of primitive matrices cannot be greater than %d.\n",
               max_primitive_matrices);
-        return AVERROR_INVALIDDATA;
+        goto error;
    }

    for (mat = 0; mat < s->num_primitive_matrices; mat++) {
@@ -742,12 +742,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
            av_log(m->avctx, AV_LOG_ERROR,
                    "Invalid channel %d specified as output from matrix.\n",
                    s->matrix_out_ch[mat]);
-            return AVERROR_INVALIDDATA;
+            goto error;
        }
        if (frac_bits > 14) {
            av_log(m->avctx, AV_LOG_ERROR,
                    "Too many fractional bits specified.\n");
-            return AVERROR_INVALIDDATA;
+            goto error;
        }

        max_chan = s->max_matrix_channel;
@@ -759,7 +759,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
            if (get_bits1(gbp))
                coeff_val = get_sbits(gbp, frac_bits + 2);

-            s->matrix_coeff[mat][ch] = coeff_val << (14 - frac_bits);
+            s->matrix_coeff[mat][ch] = coeff_val * (1 << (14 - frac_bits));
        }

        if (s->noise_type)
@@ -769,6 +769,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
    }

    return 0;
+error:
+    s->num_primitive_matrices = 0;
+    memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch));
+
+    return AVERROR_INVALIDDATA;
 }

 /** Read channel parameters. */
@@ -999,8 +1004,8 @@ static void generate_2_noise_channels(MLPDecodeContext *m, unsigned int substr)

    for (i = 0; i < s->blockpos; i++) {
        uint16_t seed_shr7 = seed >> 7;
-        m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift;
-        m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7)   << s->noise_shift;
+        m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift);
+        m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7)   * (1 << s->noise_shift);

        seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5);
    }
@@ -1162,6 +1167,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data,
            substr_header_size += 2;
        }

+        if (length < header_size + substr_header_size) {
+            av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n");
+            goto error;
+        }
+
        if (!(nonrestart_substr ^ m->is_major_sync_unit)) {
            av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n");
            goto error;
@@ -113,8 +113,8 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
    for (i = 0; i < blockpos; i++) {
        for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) {
            int mat_ch = ch_assign[out_ch];
-            int32_t sample = sample_buffer[i][mat_ch]
-                          << output_shift[mat_ch];
+            int32_t sample = sample_buffer[i][mat_ch] *
+                          (1U << output_shift[mat_ch]);
            lossless_check_data ^= (sample & 0xffffff) << mat_ch;
            if (is32)
                *data_32++ = sample << 8;
@@ -1242,7 +1242,8 @@ static int mpeg_decode_postinit(AVCodecContext *avctx)

    if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO) {
        // MPEG-1 aspect
-        avctx->sample_aspect_ratio = av_d2q(1.0 / ff_mpeg1_aspect[s->aspect_ratio_info], 255);
+        AVRational aspect_inv = av_d2q(ff_mpeg1_aspect[s->aspect_ratio_info], 255);
+        avctx->sample_aspect_ratio = (AVRational) { aspect_inv.den, aspect_inv.num };
    } else { // MPEG-2
        // MPEG-2 aspect
        if (s->aspect_ratio_info > 1) {
@@ -178,6 +178,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
    int min_ab, i, w2, h2, w3, h3;
    int sprite_ref[4][2];
    int virtual_ref[2][2];
+    int64_t sprite_offset[2][2];

    // only true for rectangle shapes
    const int vop_ref[4][2] = { { 0, 0 },         { s->width, 0 },
@@ -257,10 +258,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g

    switch (ctx->num_sprite_warping_points) {
    case 0:
-        s->sprite_offset[0][0] =
-        s->sprite_offset[0][1] =
-        s->sprite_offset[1][0] =
-        s->sprite_offset[1][1] = 0;
+        sprite_offset[0][0]    =
+        sprite_offset[0][1]    =
+        sprite_offset[1][0]    =
+        sprite_offset[1][1]    = 0;
        s->sprite_delta[0][0]  = a;
        s->sprite_delta[0][1]  =
        s->sprite_delta[1][0]  = 0;
@@ -269,11 +270,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        ctx->sprite_shift[1]   = 0;
        break;
    case 1:     // GMC only
-        s->sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0];
-        s->sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1];
-        s->sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) -
+        sprite_offset[0][0]    = sprite_ref[0][0] - a * vop_ref[0][0];
+        sprite_offset[0][1]    = sprite_ref[0][1] - a * vop_ref[0][1];
+        sprite_offset[1][0]    = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) -
                                 a * (vop_ref[0][0] / 2);
-        s->sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) -
+        sprite_offset[1][1]    = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) -
                                 a * (vop_ref[0][1] / 2);
        s->sprite_delta[0][0]  = a;
        s->sprite_delta[0][1]  =
@@ -283,22 +284,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        ctx->sprite_shift[1]   = 0;
        break;
    case 2:
-        s->sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) +
+        sprite_offset[0][0]    = (sprite_ref[0][0] * (1 << alpha + rho)) +
                                 (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
                                 (-vop_ref[0][0]) +
                                 (r * sprite_ref[0][1] - virtual_ref[0][1]) *
                                 (-vop_ref[0][1]) + (1 << (alpha + rho - 1));
-        s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) +
+        sprite_offset[0][1]    = (sprite_ref[0][1] * (1 << alpha + rho)) +
                                 (-r * sprite_ref[0][1] + virtual_ref[0][1]) *
                                 (-vop_ref[0][0]) +
                                 (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
                                 (-vop_ref[0][1]) + (1 << (alpha + rho - 1));
-        s->sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) *
+        sprite_offset[1][0]    = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) *
                                  (-2 * vop_ref[0][0] + 1) +
                                  (r * sprite_ref[0][1] - virtual_ref[0][1]) *
                                  (-2 * vop_ref[0][1] + 1) + 2 * w2 * r *
                                  sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1)));
-        s->sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) *
+        sprite_offset[1][1]    = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) *
                                  (-2 * vop_ref[0][0] + 1) +
                                  (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
                                  (-2 * vop_ref[0][1] + 1) + 2 * w2 * r *
@@ -315,30 +316,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        min_ab = FFMIN(alpha, beta);
        w3     = w2 >> min_ab;
        h3     = h2 >> min_ab;
-        s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) +
-                                 (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
-                                 h3 * (-vop_ref[0][0]) +
-                                 (-r * sprite_ref[0][0] + virtual_ref[1][0]) *
-                                 w3 * (-vop_ref[0][1]) +
-                                 (1 << (alpha + beta + rho - min_ab - 1));
-        s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) +
-                                 (-r * sprite_ref[0][1] + virtual_ref[0][1]) *
-                                 h3 * (-vop_ref[0][0]) +
-                                 (-r * sprite_ref[0][1] + virtual_ref[1][1]) *
-                                 w3 * (-vop_ref[0][1]) +
-                                 (1 << (alpha + beta + rho - min_ab - 1));
-        s->sprite_offset[1][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
-                                 h3 * (-2 * vop_ref[0][0] + 1) +
-                                 (-r * sprite_ref[0][0] + virtual_ref[1][0]) *
-                                 w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 *
-                                 r * sprite_ref[0][0] - 16 * w2 * h3 +
-                                 (1 << (alpha + beta + rho - min_ab + 1));
-        s->sprite_offset[1][1] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) *
-                                 h3 * (-2 * vop_ref[0][0] + 1) +
-                                 (-r * sprite_ref[0][1] + virtual_ref[1][1]) *
-                                 w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 *
-                                 r * sprite_ref[0][1] - 16 * w2 * h3 +
-                                 (1 << (alpha + beta + rho - min_ab + 1));
+        sprite_offset[0][0]    = ((int64_t)sprite_ref[0][0] * (1 << (alpha + beta + rho - min_ab))) +
+                                 ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) +
+                                 ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) +
+                                 ((int64_t)1 << (alpha + beta + rho - min_ab - 1));
+        sprite_offset[0][1]    = ((int64_t)sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) +
+                                 ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) +
+                                 ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-vop_ref[0][1]) +
+                                 ((int64_t)1 << (alpha + beta + rho - min_ab - 1));
+        sprite_offset[1][0]    = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-2 * vop_ref[0][0] + 1) +
+                                 ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-2 * vop_ref[0][1] + 1) +
+                                  (int64_t)2 * w2 * h3 * r * sprite_ref[0][0] - 16 * w2 * h3 +
+                                 ((int64_t)1 << (alpha + beta + rho - min_ab + 1));
+        sprite_offset[1][1]    = ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-2 * vop_ref[0][0] + 1) +
+                                 ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) +
+                                  (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 +
+                                 ((int64_t)1 << (alpha + beta + rho - min_ab + 1));
        s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3;
        s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3;
        s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3;
@@ -353,10 +346,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        s->sprite_delta[0][1] == 0 &&
        s->sprite_delta[1][0] == 0 &&
        s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) {
-        s->sprite_offset[0][0] >>= ctx->sprite_shift[0];
-        s->sprite_offset[0][1] >>= ctx->sprite_shift[0];
-        s->sprite_offset[1][0] >>= ctx->sprite_shift[1];
-        s->sprite_offset[1][1] >>= ctx->sprite_shift[1];
+        sprite_offset[0][0] >>= ctx->sprite_shift[0];
+        sprite_offset[0][1] >>= ctx->sprite_shift[0];
+        sprite_offset[1][0] >>= ctx->sprite_shift[1];
+        sprite_offset[1][1] >>= ctx->sprite_shift[1];
        s->sprite_delta[0][0] = a;
        s->sprite_delta[0][1] = 0;
        s->sprite_delta[1][0] = 0;
@@ -369,18 +362,18 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        int shift_c = 16 - ctx->sprite_shift[1];

        if (shift_c < 0 || shift_y < 0 ||
-            FFABS(s->sprite_offset[0][0]) >= INT_MAX >> shift_y  ||
-            FFABS(s->sprite_offset[1][0]) >= INT_MAX >> shift_c  ||
-            FFABS(s->sprite_offset[0][1]) >= INT_MAX >> shift_y  ||
-            FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c
+            FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y  ||
+            FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c  ||
+            FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y  ||
+            FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c
        ) {
            avpriv_request_sample(s->avctx, "Too large sprite shift or offset");
            goto overflow;
        }

        for (i = 0; i < 2; i++) {
-            s->sprite_offset[0][i] *= 1 << shift_y;
-            s->sprite_offset[1][i] *= 1 << shift_c;
+            sprite_offset[0][i]    *= 1 << shift_y;
+            sprite_offset[1][i]    *= 1 << shift_c;
            s->sprite_delta[0][i]  *= 1 << shift_y;
            s->sprite_delta[1][i]  *= 1 << shift_y;
            ctx->sprite_shift[i]     = 16;
@@ -392,16 +385,16 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
                s->sprite_delta[i][1] - a * (1LL<<16)
            };

-            if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
-                llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
-                llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
+            if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
+                llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
+                llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
                llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
                llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX ||
                llabs(sd[0]) >= INT_MAX ||
                llabs(sd[1]) >= INT_MAX ||
-                llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX ||
-                llabs(s->sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX ||
-                llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX
+                llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX ||
+                llabs(sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX ||
+                llabs(sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX
            ) {
                avpriv_request_sample(s->avctx, "Overflow on sprite points");
                goto overflow;
@@ -410,6 +403,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        s->real_sprite_warping_points = ctx->num_sprite_warping_points;
    }

+    s->sprite_offset[0][0] = sprite_offset[0][0];
+    s->sprite_offset[0][1] = sprite_offset[0][1];
+    s->sprite_offset[1][0] = sprite_offset[1][0];
+    s->sprite_offset[1][1] = sprite_offset[1][1];
+
    return 0;
 overflow:
    memset(s->sprite_offset, 0, sizeof(s->sprite_offset));
@@ -2342,7 +2340,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb)
    if (s->pict_type != AV_PICTURE_TYPE_B) {
        s->last_time_base = s->time_base;
        s->time_base     += time_incr;
-        s->time = s->time_base * s->avctx->framerate.num + time_increment;
+        s->time = s->time_base * (int64_t)s->avctx->framerate.num + time_increment;
        if (s->workaround_bugs & FF_BUG_UMP4) {
            if (s->time < s->last_non_b_time) {
                /* header is not mpeg-4-compatible, broken encoder,
@@ -2354,7 +2352,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb)
        s->pp_time         = s->time - s->last_non_b_time;
        s->last_non_b_time = s->time;
    } else {
-        s->time    = (s->last_time_base + time_incr) * s->avctx->framerate.num + time_increment;
+        s->time    = (s->last_time_base + time_incr) * (int64_t)s->avctx->framerate.num + time_increment;
        s->pb_time = s->pp_time - (s->last_non_b_time - s->time);
        if (s->pp_time <= s->pb_time ||
            s->pp_time <= s->pp_time - s->pb_time ||
@@ -2457,16 +2455,20 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb)
        ff_init_scantable(s->idsp.idct_permutation, &s->intra_v_scantable, ff_alternate_vertical_scan);
    }

-    if (s->pict_type == AV_PICTURE_TYPE_S &&
-        (ctx->vol_sprite_usage == STATIC_SPRITE ||
-         ctx->vol_sprite_usage == GMC_SPRITE)) {
-        if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0)
-            return AVERROR_INVALIDDATA;
-        if (ctx->sprite_brightness_change)
-            av_log(s->avctx, AV_LOG_ERROR,
-                   "sprite_brightness_change not supported\n");
-        if (ctx->vol_sprite_usage == STATIC_SPRITE)
-            av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n");
+    if (s->pict_type == AV_PICTURE_TYPE_S) {
+        if((ctx->vol_sprite_usage == STATIC_SPRITE ||
+            ctx->vol_sprite_usage == GMC_SPRITE)) {
+            if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0)
+                return AVERROR_INVALIDDATA;
+            if (ctx->sprite_brightness_change)
+                av_log(s->avctx, AV_LOG_ERROR,
+                    "sprite_brightness_change not supported\n");
+            if (ctx->vol_sprite_usage == STATIC_SPRITE)
+                av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n");
+        } else {
+            memset(s->sprite_offset, 0, sizeof(s->sprite_offset));
+            memset(s->sprite_delta, 0, sizeof(s->sprite_delta));
+        }
    }

    if (ctx->shape != BIN_ONLY_SHAPE) {
@@ -2564,6 +2566,7 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb)
    MpegEncContext *s = &ctx->m;
    unsigned startcode, v;
    int ret;
+    int vol = 0;

    /* search next start code */
    align_get_bits(gb);
@@ -2652,6 +2655,11 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb)
        }

        if (startcode >= 0x120 && startcode <= 0x12F) {
+            if (vol) {
+                av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers");
+                return AVERROR_INVALIDDATA;
+            }
+            vol++;
            if ((ret = decode_vol_header(ctx, gb)) < 0)
                return ret;
        } else if (startcode == USER_DATA_STARTCODE) {
@@ -399,6 +399,9 @@ FF_ENABLE_DEPRECATION_WARNINGS
        return AVERROR(EINVAL);
    }

+    if (avctx->codec_id == AV_CODEC_ID_AMV || (avctx->active_thread_type & FF_THREAD_SLICE))
+        s->huffman = 0;
+
    if (s->intra_dc_precision > (avctx->codec_id == AV_CODEC_ID_MPEG2VIDEO ? 3 : 0)) {
        av_log(avctx, AV_LOG_ERROR, "intra dc precision too large\n");
        return AVERROR(EINVAL);
@@ -140,7 +140,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64])
        if(s->msmpeg4_version==2)
            cbp= get_vlc2(&s->gb, v2_intra_cbpc_vlc.table, V2_INTRA_CBPC_VLC_BITS, 1);
        else
-            cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 1);
+            cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 2);
        if(cbp<0 || cbp>3){
            av_log(s->avctx, AV_LOG_ERROR, "cbpc %d invalid at %d %d\n", cbp, s->mb_x, s->mb_y);
            return -1;
@@ -169,12 +169,23 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64])
        s->mv[0][0][1] = my;
        *mb_type_ptr = MB_TYPE_L0 | MB_TYPE_16x16;
    } else {
+        int v;
        if(s->msmpeg4_version==2){
            s->ac_pred = get_bits1(&s->gb);
-            cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors
+            v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1);
+            if (v < 0) {
+                av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n");
+                return -1;
+            }
+            cbp|= v<<2;
        } else{
            s->ac_pred = 0;
-            cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors
+            v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1);
+            if (v < 0) {
+                av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n");
+                return -1;
+            }
+            cbp|= v<<2;
            if(s->pict_type==AV_PICTURE_TYPE_P) cbp^=0x3C;
        }
        *mb_type_ptr = MB_TYPE_INTRA;
@@ -356,8 +356,9 @@ static int rac_get_model2_sym(RangeCoder *c, Model2 *m)

 static int rac_get_model_sym(RangeCoder *c, Model *m)
 {
-    int prob, prob2, helper, val;
+    int val;
    int end, end2;
+    unsigned prob, prob2, helper;

    prob       = 0;
    prob2      = c->range;
@@ -62,30 +62,30 @@ void ff_mss34_gen_quant_mat(uint16_t *qmat, int quality, int luma)
 }

 #define DCT_TEMPLATE(blk, step, SOP, shift)                         \
-    const int t0 = -39409 * blk[7 * step] -  58980 * blk[1 * step]; \
-    const int t1 =  39410 * blk[1 * step] -  58980 * blk[7 * step]; \
-    const int t2 = -33410 * blk[5 * step] - 167963 * blk[3 * step]; \
-    const int t3 =  33410 * blk[3 * step] - 167963 * blk[5 * step]; \
-    const int t4 =          blk[3 * step] +          blk[7 * step]; \
-    const int t5 =          blk[1 * step] +          blk[5 * step]; \
-    const int t6 =  77062 * t4            +  51491 * t5;            \
-    const int t7 =  77062 * t5            -  51491 * t4;            \
-    const int t8 =  35470 * blk[2 * step] -  85623 * blk[6 * step]; \
-    const int t9 =  35470 * blk[6 * step] +  85623 * blk[2 * step]; \
-    const int tA = SOP(blk[0 * step] - blk[4 * step]);              \
-    const int tB = SOP(blk[0 * step] + blk[4 * step]);              \
+    const unsigned t0 =-39409U * blk[7 * step] - 58980U * blk[1 * step]; \
+    const unsigned t1 = 39410U * blk[1 * step] - 58980U * blk[7 * step]; \
+    const unsigned t2 =-33410U * blk[5 * step] -167963U * blk[3 * step]; \
+    const unsigned t3 = 33410U * blk[3 * step] -167963U * blk[5 * step]; \
+    const unsigned t4 =          blk[3 * step] +          blk[7 * step]; \
+    const unsigned t5 =          blk[1 * step] +          blk[5 * step]; \
+    const unsigned t6 = 77062U * t4            + 51491U * t5;            \
+    const unsigned t7 = 77062U * t5            - 51491U * t4;            \
+    const unsigned t8 = 35470U * blk[2 * step] - 85623U * blk[6 * step]; \
+    const unsigned t9 = 35470U * blk[6 * step] + 85623U * blk[2 * step]; \
+    const unsigned tA = SOP(blk[0 * step] - blk[4 * step]);              \
+    const unsigned tB = SOP(blk[0 * step] + blk[4 * step]);              \
                                                                    \
-    blk[0 * step] = (  t1 + t6  + t9 + tB) >> shift;                \
-    blk[1 * step] = (  t3 + t7  + t8 + tA) >> shift;                \
-    blk[2 * step] = (  t2 + t6  - t8 + tA) >> shift;                \
-    blk[3 * step] = (  t0 + t7  - t9 + tB) >> shift;                \
-    blk[4 * step] = (-(t0 + t7) - t9 + tB) >> shift;                \
-    blk[5 * step] = (-(t2 + t6) - t8 + tA) >> shift;                \
-    blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift;                \
-    blk[7 * step] = (-(t1 + t6) + t9 + tB) >> shift;                \
+    blk[0 * step] = (int)(  t1 + t6  + t9 + tB) >> shift;                \
+    blk[1 * step] = (int)(  t3 + t7  + t8 + tA) >> shift;                \
+    blk[2 * step] = (int)(  t2 + t6  - t8 + tA) >> shift;                \
+    blk[3 * step] = (int)(  t0 + t7  - t9 + tB) >> shift;                \
+    blk[4 * step] = (int)(-(t0 + t7) - t9 + tB) >> shift;                \
+    blk[5 * step] = (int)(-(t2 + t6) - t8 + tA) >> shift;                \
+    blk[6 * step] = (int)(-(t3 + t7) + t8 + tA) >> shift;                \
+    blk[7 * step] = (int)(-(t1 + t6) + t9 + tB) >> shift;                \

-#define SOP_ROW(a) (((a) << 16) + 0x2000)
-#define SOP_COL(a) (((a) + 32) << 16)
+#define SOP_ROW(a) (((a) * (1U << 16)) + 0x2000)
+#define SOP_COL(a) (((a) + 32) * (1U << 16))

 void ff_mss34_dct_put(uint8_t *dst, ptrdiff_t stride, int *block)
 {
@@ -301,6 +301,12 @@ static int msvideo1_decode_frame(AVCodecContext *avctx,
    s->buf = buf;
    s->size = buf_size;

+    // Discard frame if its smaller than the minimum frame size
+    if (buf_size < (avctx->width/4) * (avctx->height/4) / 512) {
+        av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
        return ret;

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .3.git
 .3.2