avcodec/x86/mathops: clip constants used with shift instructions within inline assembly

Fixes assembling with binutil as >= 2.41

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit effadce6c7)

CREDITS

@@ -1,6 +1,6 @@
-See the Git history of the project (git://source.ffmpeg.org/ffmpeg) to
+See the Git history of the project (https://git.ffmpeg.org/ffmpeg) to
 get the names of people who have contributed to FFmpeg.
 
 To check the log, you can type the command "git log" in the FFmpeg
 source directory, or browse the online repository at
-http://source.ffmpeg.org.
+https://git.ffmpeg.org/ffmpeg

Changelog

@@ -1,6 +1,203 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 4.1.11:
+ avformat/nutdec: Add check for avformat_new_stream
+ avformat/wavdec: Check that smv block fits in available space
+ avcodec/tak: Check remaining bits in ff_tak_decode_frame_header()
+ avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated
+ avcodec/pngdec: Do not pass AVFrame into global header decode
+ avcodec/vorbisdec: Check codebook float values to be finite
+ avcodec/g2meet: Replace fake allocation avoidance for framebuf
+ avcodec/lcldec: More space for rgb24
+ avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width
+ libavcodec/lcldec: width and height should not be unsigned
+ avcodec/escape124: Check that blocks are allocated before use
+ avcodec/huffyuvdec: Fix undefined behavior with shift
+ avcodec/j2kenc: Replace RGB24 special case by generic test
+ avcodec/j2kenc: remove misleading pred value
+ avcodec/j2kenc: fix 5/3 DWT identifer
+ avcodec/vp3: Check width to avoid assertion failure
+ avcodec/g729postfilter: Limit shift in long term filter
+ configure: update copyright year
+ avcodec/tests/snowenc: Fix 2nd test
+ avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches
+ avcodec/snowenc: Fix visual weight calculation
+ avcodec/tests/snowenc: unbreak DWT tests
+ avcodec/escape124: Fix some return codes
+ avcodec/escape124: fix signdness of end of input check
+ Use https for repository links
+ avcodec/motionpixels: Mask pixels to valid values
+ avcodec/xpmdec: Check size before allocation to avoid truncation
+ avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane()
+ avcodec/bink: Fix off by 1 error in ref end
+ avcodec/utils: Ensure linesize for SVQ3
+ avcodec/utils: allocate a line more for VC1 and WMV3
+ avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things
+ avcodec/pngdec: Check deloco index more exactly
+ avcodec/ffv1dec: Check that num h/v slices is supported
+ avformat/mov: Check samplesize and offset to avoid integer overflow
+ avcodec/pictordec: Remove mid exit branch
+ avcodec/eac3dec: avoid float noise in fixed mode addition to overflow
+ avcodec/utils: use 32pixel alignment for bink
+ avcodec/012v: Order operations for odd size handling
+ avcodec/eatgq: : Check index increments in tgq_decode_block()
+ avcodec/scpr: Test bx before use
+ avcodec/sunrast: Fix maplength check
+ avcodec/wavpack: Avoid undefined shift in get_tail()
+ avformat/id3v2: Check taglen in read_uslt()
+ avcodec/ffv1dec: restructure slice coordinate reading a bit
+ avcodec/mlpdec: Check max matrix instead of max channel in noise check
+ swscale/input: Use more unsigned intermediates
+ avcodec/alsdec: The minimal block is at least 7 bits
+ avformat/replaygain: avoid undefined / negative abs
+ swscale/output: Bias 16bps output calculations to improve non overflowing range
+ avcodec/speedhq: Check buf_size to be big enough for DC
+ avcodec/ffv1dec: Fail earlier if prior context is corrupted
+ (origin/release/4.1) avcodec/vdpau_mpeg4: fix order of quant matrix coefficients
+ avcodec/vdpau_mpeg12: fix order of quant matrix coefficients
+ avcodec/nvdec_mpeg4: fix order of quant matrix coefficients
+ avcodec/nvdec_mpeg2: fix order of quant matrix coefficients
+ avcodec/vp3: Add missing check for av_malloc
+ avcodec/mjpegenc: take into account component count when writing the SOF header size
+ checkasm: float_dsp: Scale FLT/DBL_EPSILON sufficiently when comparing
+ swscale: aarch64: Fix yuv2rgb with negative strides
+
+version 4.1.10:
+ avcodec/dstdec: Check for overflow in build_filter()
+ avformat/spdifdec: Use 64bit to compute bit rate
+ avformat/xwma: Use av_rescale() for duration computation
+ avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation
+ avformat/rmdec: check tag_size
+ avformat/nutdec: Check fields
+ avformat/dxa: avoid bpc overflows
+ avformat/cafdec: Check that nb_frasmes fits within 64bit
+ avformat/asfdec_o: Limit packet offset
+ avformat/ape: Check frames size
+ avformat/icodec: Check nb_pal
+ avformat/aiffdec: Use 64bit for block_duration use
+ avformat/aiffdec: Check block_duration
+ avformat/mxfdec: only probe max run in
+ avformat/mxfdec: Check run_in is within 65536
+ avcodec/apedec: Fix integer overflow in filter_3800()
+ avcodec/tta: Check 24bit scaling for overflow
+ libavformat/hls: Free keys
+ avcodec/fmvc: Move frame allocation to a later stage
+ avcodec/speedhq: Check width
+ avcodec/bink: disallow odd positioned scaled blocks
+ avformat/asfdec_o: limit recursion depth in asf_read_unknown()
+ doc/git-howto.texi: Document commit signing
+ libavcodec/8bps: Check that line lengths fit within the buffer
+ libavformat/iff: Check for overflow in body_end calculation
+ avformat/avidec: Prevent entity expansion attacks
+ avcodec/h263dec: Sanity check against minimal I/P frame size
+ avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel
+ MAINTAINERS: Add ED25519 key for signing my commits in the future
+ avcodec/hevc_filter: copy_CTB() only within width&height
+ avformat/flvdec: Check for EOF in index reading
+ avformat/nutdec: Check get_packetheader() in mainheader
+ avformat/asfdec_f: Use 64bit for packet start time
+ avcodec/lagarith: Check dst/src in zero run code
+ avcodec/h264dec: Skip late SEI
+ avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c()
+ avfilter/vf_signature: Fix integer overflow in filter_frame()
+ avformat/rtsp: break on unknown protocols
+ avcodec/hevcdsp_template: stay within tables in sao_band_filter()
+ avcodec/qpeldsp: copy less for the mc0x cases
+ avcodec/ffv1dec: Limit golomb rice coded slices to width 8M
+ avformat/iff: simplify duration calculation
+ avcodec/wnv1: Check for width =1
+ avformat/sctp: close socket on errors
+ avcodec/aasc: Fix indention
+ avcodec/qdrw: adjust max colors to array size
+ avcodec/alacdsp: Make intermediates unsigned
+ avformat/aiffdec: cleanup size handling for extreem cases
+ avcodec/jpeglsdec: fix end check for xfrm
+ avcodec/cdgraphics: limit scrolling to the line
+ avformat/aiffdec: avoid integer overflow in get_meta()
+ avformat/ape: more bits in size for less overflows
+ avformat/bfi: Check offsets better
+ avformat/asfdec_f: Check packet_frag_timestamp
+ avcodec/texturedspenc: Fix indexing in color distribution determination
+ avformat/act: Check ff_get_wav_header() for failure
+ avfilter/vsrc_mandelbrot: Check for malloc failure
+ avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements
+ avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment
+ avformat/genh: Check sample rate
+ configure: extend SDL check to accept all 2.x versions
+ FFmpeg 4.1.10 release
+ avfilter/vf_colorspace: fix memmory leaks
+ avcodec/ac3enc: Fix memleak
+ avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written
+ avfilter/vf_random: fix memory leaks
+ fftools/ffmpeg_opt: Fix leak of options when parsing options fails
+ lavf/tls_mbedtls: add support for mbedtls version 3
+ avfilter/vf_colorspace: fix memmory leaks
+ avcodec/ac3enc: Fix memleak
+ avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written
+ avfilter/vf_random: fix memory leaks
+ fftools/ffmpeg_opt: Fix leak of options when parsing options fails
+ lavf/tls_mbedtls: add support for mbedtls version 3
+
+version 4.1.9:
+ avfilter/vf_lenscorrection: make width/height int
+ avcodec/diracdec: avoid signed integer overflow in global mv
+ avcodec/takdsp: Fix integer overflow in decorrelate_sf()
+ avcodec/apedec: fix a integer overflow in long_filter_high_3800()
+ avfilter/vf_subtitles: pass storage size to libass
+ avformat/aqtitledec: Skip unrepresentable durations
+ avformat/cafdec: Do not store empty keys in read_info_chunk()
+ avformat/hls: Check target_duration
+ avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()
+ avformat/matroskadec: Check pre_ns
+ avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior
+ avformat/matroskadec: Use rounded down duration in get_cue_desc() check
+ avformat/avidec: Check height
+ avformat/rmdec: Better duplicate tags check
+ avformat/mov: Disallow empty sidx
+ avformat/matroskadec: Check duration
+ avformat/mov: Corner case encryption error cleanup in mov_read_senc()
+ avcodec/jpeglsdec: Fix if( code style
+ avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error
+ avcodec/motion_est: fix indention of ff_get_best_fcode()
+ avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()
+ avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned
+ avformat/matroskadec: Check desc_bytes
+ avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()
+ avformat/matroskadec: Fix infinite loop with bz decompression
+ avformat/mov: Check size before subtraction
+ avcodec/apedec: Fix integer overflows in predictor_update_3930()
+ avcodec/apedec: fix integer overflow in 8bit samples
+ avformat/flvdec: timestamps cannot use the full int64 range
+ avcodec/vqavideo: reset accounting on error
+ avcodec/alacdsp: fix integer overflow in decorrelate_stereo()
+ avformat/4xm: Check for duplicate track ids
+ avformat/4xm: Consider max_streams on reallocating tracks array
+ avformat/mov: Check next offset in mov_read_dref()
+ avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()
+ avcodec/apedec: Change avg to uint32_t
+ avformat/mov: Disallow duplicate smdm
+ avformat/mov: Check for EOF in mov_read_glbl()
+ avformat/mov: Check channels for mov_parse_stsd_audio()
+ avformat/avidec: Check read_odml_index() for failure
+ avformat/aiffdec: Use av_rescale() for bitrate
+ avformat/aiffdec: sanity check block_align
+ avformat/aiffdec: Check sample_rate
+ avfilter/vf_gblur: fix heap-buffer overflow
+ avfilter/vf_lenscorrection: fix division by zero
+ avformat/latmenc: abort if no extradata is available
+ avcodec/g729dec: Avoid computing invalid temporary pointers for ff_acelp_weighted_vector_sum()
+ avformat/tty: add probe function
+ avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE
+ avcodec/ttadsp: Fix integer overflows in tta_filter_process_c()
+ avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results
+ fate: update reference files after the recent dash manifest muxer changes
+ avformat/webmdashenc: fix on-demand profile string
+ configure: Add missing libshine->mpegaudioheader dependency
+ avformat/mpegenc: Ensure packet queue stays valid
+ avformat/movenc: Fix segfault when remuxing rtp hint stream
+ avformat/mxfenc: fix index byte count in partition header
+
 version 4.1.8:
 - configure: update copyright year
 - avformat/wavdec: Check smv_block_size

MAINTAINERS

@@ -598,6 +598,7 @@ Jean Delvare                  7CA6 9F44 60F1 BDC4 1FD2 C858 A552 6B9B B3CD 4E6A
 Loren Merritt                 ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE
 Lou Logan (llogan)            7D68 DC73 CBEF EABB 671A B6CF 621C 2E28 82F8 DC3A
 Michael Niedermayer           9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB
+                              DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64
 Nicolas George                24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93
 Nikolay Aleksandrov           8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1
 Panagiotis Issaris            6571 13A3 33D9 3726 F728 AA98 F643 B12E ECF3 E029

RELEASE

@@ -1 +1 @@
-4.1.8
+4.1.11

configure

@@ -3121,7 +3121,7 @@ libopus_encoder_deps="libopus"
 libopus_encoder_select="audio_frame_queue"
 librsvg_decoder_deps="librsvg"
 libshine_encoder_deps="libshine"
-libshine_encoder_select="audio_frame_queue"
+libshine_encoder_select="audio_frame_queue mpegaudioheader"
 libspeex_decoder_deps="libspeex"
 libspeex_encoder_deps="libspeex"
 libspeex_encoder_select="audio_frame_queue"
@@ -6256,7 +6256,7 @@ fi
 
 if enabled sdl2; then
     SDL2_CONFIG="${cross_prefix}sdl2-config"
-    test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 2.1.0" SDL_events.h SDL_PollEvent
+    test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 3.0.0" SDL_events.h SDL_PollEvent
     if disabled sdl2 && "${SDL2_CONFIG}" --version > /dev/null 2>&1; then
         sdl2_cflags=$("${SDL2_CONFIG}" --cflags)
         sdl2_extralibs=$("${SDL2_CONFIG}" --libs)
@@ -7243,7 +7243,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2021
+#define CONFIG_THIS_YEAR 2023
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"

doc/Doxyfile

@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER         = 4.1.8
+PROJECT_NUMBER         = 4.1.11
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a

doc/authors.texi

@@ -3,9 +3,9 @@
 The FFmpeg developers.
 
 For details about the authorship, see the Git history of the project
-(git://source.ffmpeg.org/ffmpeg), e.g. by typing the command
+(https://git.ffmpeg.org/ffmpeg), e.g. by typing the command
 @command{git log} in the FFmpeg source directory, or browsing the
-online repository at @url{http://source.ffmpeg.org}.
+online repository at @url{https://git.ffmpeg.org/ffmpeg}.
 
 Maintainers for the specific components are listed in the file
 @file{MAINTAINERS} in the source code tree.

doc/git-howto.texi

@@ -53,7 +53,7 @@ Most distribution and operating system provide a package for it.
 @section Cloning the source tree
 
 @example
-git clone git://source.ffmpeg.org/ffmpeg <target>
+git clone https://git.ffmpeg.org/ffmpeg.git <target>
 @end example
 
 This will put the FFmpeg sources into the directory @var{<target>}.
@@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions.
 git add [-i|-p|-A] <filenames/dirnames>
 @end example
 
-Make sure you have told Git your name and email address
+Make sure you have told Git your name, email address and GPG key
 
 @example
 git config --global user.name "My Name"
 git config --global user.email my@@email.invalid
+git config --global user.signingkey ABCDEF0123245
+@end example
+
+Enable signing all commits or use -S
+
+@example
+git config --global commit.gpgsign true
 @end example
 
 Use @option{--global} to set the global configuration for all your Git checkouts.
@@ -393,6 +400,19 @@ git checkout -b svn_23456 $SHA1
 where @var{$SHA1} is the commit hash from the @command{git log} output.
 
 
+@chapter gpg key generation
+
+If you have no gpg key yet, we recommend that you create a ed25519 based key as it
+is small, fast and secure. Especially it results in small signatures in git.
+
+@example
+gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@@server.com"
+@end example
+
+When generating a key, make sure the email specified matches the email used in git as some sites like
+github consider mismatches a reason to declare such commits unverified. After generating a key you
+can add it to the MAINTAINER file and upload it to a keyserver.
+
 @chapter Pre-push checklist
 
 Once you have a set of commits that you feel are ready for pushing,

fftools/ffmpeg_opt.c

@@ -3232,6 +3232,7 @@ static int open_files(OptionGroupList *l, const char *inout,
         if (ret < 0) {
             av_log(NULL, AV_LOG_ERROR, "Error parsing options for %s file "
                    "%s.\n", inout, g->arg);
+            uninit_options(&o);
             return ret;
         }
 

libavcodec/012v.c

@@ -131,8 +131,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
             u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
             v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
             memcpy(y, y_temp, sizeof(*y) * (width - x));
-            memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2);
-            memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2);
+            memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2));
+            memcpy(v, v_temp, sizeof(*v) * ((width - x + 1) / 2));
         }
 
         line_end += stride;

libavcodec/8bps.c

@@ -70,6 +70,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
     unsigned char *planemap = c->planemap;
     int ret;
 
+    if (buf_size < planes * height *2)
+        return AVERROR_INVALIDDATA;
+
     if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
         return ret;
 

libavcodec/aasc.c

@@ -104,26 +104,26 @@ static int aasc_decode_frame(AVCodecContext *avctx,
         ff_msrle_decode(avctx, s->frame, 8, &s->gb);
         break;
     case MKTAG('A', 'A', 'S', 'C'):
-    switch (compr) {
-    case 0:
-        stride = (avctx->width * psize + psize) & ~psize;
-        if (buf_size < stride * avctx->height)
+        switch (compr) {
+        case 0:
+            stride = (avctx->width * psize + psize) & ~psize;
+            if (buf_size < stride * avctx->height)
+                return AVERROR_INVALIDDATA;
+            for (i = avctx->height - 1; i >= 0; i--) {
+                memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize);
+                buf += stride;
+                buf_size -= stride;
+            }
+            break;
+        case 1:
+            bytestream2_init(&s->gb, buf, buf_size);
+            ff_msrle_decode(avctx, s->frame, 8, &s->gb);
+            break;
+        default:
+            av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr);
             return AVERROR_INVALIDDATA;
-        for (i = avctx->height - 1; i >= 0; i--) {
-            memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize);
-            buf += stride;
-            buf_size -= stride;
         }
         break;
-    case 1:
-        bytestream2_init(&s->gb, buf, buf_size);
-        ff_msrle_decode(avctx, s->frame, 8, &s->gb);
-        break;
-    default:
-        av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr);
-        return AVERROR_INVALIDDATA;
-    }
-        break;
     default:
         av_log(avctx, AV_LOG_ERROR, "Unknown FourCC: %X\n", avctx->codec_tag);
         return -1;

libavcodec/ac3.h

@@ -75,6 +75,7 @@
 #define AC3_DYNAMIC_RANGE1      0
 
 typedef int                     INTFLOAT;
+typedef unsigned int            UINTFLOAT;
 typedef int16_t                 SHORTFLOAT;
 
 #else /* USE_FIXED */
@@ -94,6 +95,7 @@ typedef int16_t                 SHORTFLOAT;
 #define AC3_DYNAMIC_RANGE1      1.0f
 
 typedef float                   INTFLOAT;
+typedef float                   UINTFLOAT;
 typedef float                   SHORTFLOAT;
 
 #endif /* USE_FIXED */

libavcodec/ac3enc.c

@@ -2051,7 +2051,8 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx)
         av_freep(&block->cpl_coord_mant);
     }
 
-    s->mdct_end(s);
+    if (s->mdct_end)
+        s->mdct_end(s);
 
     return 0;
 }
@@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx)
 
     ret = validate_options(s);
     if (ret)
-        return ret;
+        goto init_fail;
 
     avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks;
     avctx->initial_padding = AC3_BLOCK_SIZE;

libavcodec/alacdsp.c

@@ -29,12 +29,12 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples,
     int i;
 
     for (i = 0; i < nb_samples; i++) {
-        int32_t a, b;
+        uint32_t a, b;
 
         a = buffer[0][i];
         b = buffer[1][i];
 
-        a -= (b * decorr_left_weight) >> decorr_shift;
+        a -= (int)(b * decorr_left_weight) >> decorr_shift;
         b += a;
 
         buffer[0][i] = b;

libavcodec/alsdec.c

@@ -1016,7 +1016,7 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
 
     *bd->shift_lsbs = 0;
 
-    if (get_bits_left(gb) < 1)
+    if (get_bits_left(gb) < 7)
         return AVERROR_INVALIDDATA;
 
     // read block type flag and read the samples accordingly

libavcodec/apedec.c

@@ -101,7 +101,7 @@ typedef struct APEFilter {
     int16_t *historybuffer; ///< filter memory
     int16_t *delay;         ///< filtered values
 
-    int avg;
+    uint32_t avg;
 } APEFilter;
 
 typedef struct APERice {
@@ -880,7 +880,7 @@ static av_always_inline int filter_3800(APEPredictor *p,
     p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign;
     p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign;
 
-    p->filterB[filter] = p->lastA[filter] + (predictionB >> shift);
+    p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift);
     p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5);
 
     return p->filterA[filter];
@@ -905,7 +905,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len
             dotprod += delay[j] * (unsigned)coeffs[j];
             coeffs[j] += ((delay[j] >> 31) | 1) * sign;
         }
-        buffer[i] -= dotprod >> shift;
+        buffer[i] -= (unsigned)(dotprod >> shift);
         for (j = 0; j < order - 1; j++)
             delay[j] = delay[j + 1];
         delay[order - 1] = buffer[i];
@@ -1038,13 +1038,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
                                                   const int delayA)
 {
     int32_t predictionA, sign;
-    int32_t d0, d1, d2, d3;
+    uint32_t d0, d1, d2, d3;
 
     p->buf[delayA]     = p->lastA[filter];
     d0 = p->buf[delayA    ];
-    d1 = p->buf[delayA    ] - p->buf[delayA - 1];
-    d2 = p->buf[delayA - 1] - p->buf[delayA - 2];
-    d3 = p->buf[delayA - 2] - p->buf[delayA - 3];
+    d1 = p->buf[delayA    ] - (unsigned)p->buf[delayA - 1];
+    d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2];
+    d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3];
 
     predictionA = d0 * p->coeffsA[filter][0] +
                   d1 * p->coeffsA[filter][1] +
@@ -1055,10 +1055,10 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
     p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5);
 
     sign = APESIGN(decoded);
-    p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign;
 
     return p->filterA[filter];
 }
@@ -1529,7 +1529,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
         for (ch = 0; ch < s->channels; ch++) {
             sample8 = (uint8_t *)frame->data[ch];
             for (i = 0; i < blockstodecode; i++)
-                *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff;
+                *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff;
         }
         break;
     case 16:

libavcodec/bink.c

@@ -838,7 +838,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
 
     binkb_init_bundles(c);
     ref_start = frame->data[plane_idx];
-    ref_end   = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw) * 8;
+    ref_end   = frame->data[plane_idx] + ((bh - 1) * frame->linesize[plane_idx] + bw - 1) * 8;
 
     for (i = 0; i < 64; i++)
         coordmap[i] = (i & 7) + (i >> 3) * stride;
@@ -894,7 +894,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
                 xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
                 yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
                 ref = dst + xoff + yoff * stride;
-                if (ref < ref_start || ref + 8*stride > ref_end) {
+                if (ref < ref_start || ref > ref_end) {
                     av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
                 } else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
                     c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8);
@@ -910,7 +910,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
                 xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
                 yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
                 ref = dst + xoff + yoff * stride;
-                if (ref < ref_start || ref + 8 * stride > ref_end) {
+                if (ref < ref_start || ref > ref_end) {
                     av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
                 } else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
                     c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8);
@@ -942,7 +942,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
                 xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
                 yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
                 ref = dst + xoff + yoff * stride;
-                if (ref < ref_start || ref + 8 * stride > ref_end) {
+                if (ref < ref_start || ref > ref_end) {
                     av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
                 } else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
                     c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8);
@@ -1054,7 +1054,7 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
         for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) {
             blk = get_value(c, BINK_SRC_BLOCK_TYPES);
             // 16x16 block type on odd line means part of the already decoded block, so skip it
-            if ((by & 1) && blk == SCALED_BLOCK) {
+            if (((by & 1) || (bx & 1)) && blk == SCALED_BLOCK) {
                 bx++;
                 dst  += 8;
                 prev += 8;

libavcodec/cdgraphics.c

@@ -239,7 +239,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
     for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++)
         memcpy(out + FFMAX(0, hinc) + stride * y,
                in + FFMAX(0, hinc) - hinc + (y - vinc) * stride,
-               FFMIN(stride + hinc, stride));
+               FFABS(stride) - FFABS(hinc));
 
     if (vinc > 0)
         cdg_fill_wrapper(0, 0, out,

libavcodec/diracdec.c

@@ -1430,8 +1430,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
     int *c      = s->globalmc[ref].perspective;
 
     int64_t m   = (1<<ep) - (c[0]*(int64_t)x + c[1]*(int64_t)y);
-    int64_t mx  = m * (int64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
-    int64_t my  = m * (int64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);
+    int64_t mx  = m * (uint64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
+    int64_t my  = m * (uint64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);
 
     block->u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
     block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);

libavcodec/dstdec.c

@@ -214,7 +214,7 @@ static uint8_t prob_dst_x_bit(int c)
     return (ff_reverse[c & 127] >> 1) + 1;
 }
 
-static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets)
+static int build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets)
 {
     int i, j, k, l;
 
@@ -225,14 +225,17 @@ static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *
             int total = av_clip(length - j * 8, 0, 8);
 
             for (k = 0; k < 256; k++) {
-                int v = 0;
+                int64_t v = 0;
 
                 for (l = 0; l < total; l++)
                     v += (((k >> l) & 1) * 2 - 1) * fsets->coeff[i][j * 8 + l];
+                if ((int16_t)v != v)
+                    return AVERROR_INVALIDDATA;
                 table[i][j][k] = v;
             }
         }
     }
+    return 0;
 }
 
 static int decode_frame(AVCodecContext *avctx, void *data,
@@ -328,7 +331,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
         return AVERROR_INVALIDDATA;
     ac_init(ac, gb);
 
-    build_filter(s->filter, &s->fsets);
+    ret = build_filter(s->filter, &s->fsets);
+    if (ret < 0)
+        return ret;
 
     memset(s->status, 0xAA, sizeof(s->status));
     memset(dsd, 0, frame->nb_samples * 4 * avctx->channels);

libavcodec/eac3dec.c

@@ -145,9 +145,11 @@ static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s)
             // spx_noise_blend and spx_signal_blend are both FP.23
             nscale *= 1.0 / (1<<23);
             sscale *= 1.0 / (1<<23);
+            if (nscale < -1.0)
+                nscale = -1.0;
 #endif
             for (i = 0; i < s->spx_band_sizes[bnd]; i++) {
-                float noise  = nscale * (int32_t)av_lfg_get(&s->dith_state);
+                UINTFLOAT noise = (INTFLOAT)(nscale * (int32_t)av_lfg_get(&s->dith_state));
                 s->transform_coeffs[ch][bin]   *= sscale;
                 s->transform_coeffs[ch][bin++] += noise;
             }

libavcodec/eatgq.c

@@ -58,7 +58,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx)
     return 0;
 }
 
-static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
+static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
 {
     uint8_t *perm = s->scantable.permutated;
     int i, j, value;
@@ -66,6 +66,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
     for (i = 1; i < 64;) {
         switch (show_bits(gb, 3)) {
         case 4:
+            if (i >= 63)
+                return AVERROR_INVALIDDATA;
             block[perm[i++]] = 0;
         case 0:
             block[perm[i++]] = 0;
@@ -75,6 +77,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
         case 1:
             skip_bits(gb, 2);
             value = get_bits(gb, 6);
+            if (value > 64 - i)
+                return AVERROR_INVALIDDATA;
             for (j = 0; j < value; j++)
                 block[perm[i++]] = 0;
             break;
@@ -102,6 +106,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
         }
     }
     block[0] += 128 << 4;
+    return 0;
 }
 
 static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame,
@@ -161,8 +166,11 @@ static int tgq_decode_mb(TgqContext *s, AVFrame *frame, int mb_y, int mb_x)
         if (ret < 0)
             return ret;
 
-        for (i = 0; i < 6; i++)
-            tgq_decode_block(s, s->block[i], &gb);
+        for (i = 0; i < 6; i++) {
+            int ret = tgq_decode_block(s, s->block[i], &gb);
+            if (ret < 0)
+                return ret;
+        }
         tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y);
         bytestream2_skip(&s->gb, mode);
     } else {

libavcodec/escape124.c

@@ -88,11 +88,6 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth,
     unsigned i, j;
     CodeBook cb = { 0 };
 
-    if (size >= INT_MAX / 34 || get_bits_left(gb) < size * 34)
-        return cb;
-
-    if (size >= INT_MAX / sizeof(MacroBlock))
-        return cb;
     cb.blocks = av_malloc(size ? size * sizeof(MacroBlock) : 1);
     if (!cb.blocks)
         return cb;
@@ -162,7 +157,7 @@ static MacroBlock decode_macroblock(Escape124Context* s, GetBitContext* gb,
 
     // This condition can occur with invalid bitstreams and
     // *codebook_index == 2
-    if (block_index >= s->codebooks[*codebook_index].size)
+    if (block_index >= s->codebooks[*codebook_index].size || !s->codebooks[*codebook_index].blocks)
         return (MacroBlock) { { 0 } };
 
     return s->codebooks[*codebook_index].blocks[block_index];
@@ -226,7 +221,7 @@ static int escape124_decode_frame(AVCodecContext *avctx,
     // represent a lower bound of the space needed for skipped superblocks. Non
     // skipped SBs need more space.
     if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
-        return -1;
+        return AVERROR_INVALIDDATA;
 
     frame_flags = get_bits_long(&gb, 32);
     frame_size  = get_bits_long(&gb, 32);
@@ -277,9 +272,14 @@ static int escape124_decode_frame(AVCodecContext *avctx,
             }
 
             av_freep(&s->codebooks[i].blocks);
+            if (cb_size >= INT_MAX / 34 || get_bits_left(&gb) < (int)cb_size * 34)
+                return AVERROR_INVALIDDATA;
+
+            if (cb_size >= INT_MAX / sizeof(MacroBlock))
+                return AVERROR_INVALIDDATA;
             s->codebooks[i] = unpack_codebook(&gb, cb_depth, cb_size);
             if (!s->codebooks[i].blocks)
-                return -1;
+                return AVERROR(ENOMEM);
         }
     }
 

libavcodec/ffv1dec.c

@@ -169,24 +169,34 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs)
     RangeCoder *c = &fs->c;
     uint8_t state[CONTEXT_SIZE];
     unsigned ps, i, context_count;
+    int sx, sy, sw, sh;
+
     memset(state, 128, sizeof(state));
+    sx = get_symbol(c, state, 0);
+    sy = get_symbol(c, state, 0);
+    sw = get_symbol(c, state, 0) + 1U;
+    sh = get_symbol(c, state, 0) + 1U;
 
     av_assert0(f->version > 2);
 
-    fs->slice_x      =  get_symbol(c, state, 0)      * f->width ;
-    fs->slice_y      =  get_symbol(c, state, 0)      * f->height;
-    fs->slice_width  = (get_symbol(c, state, 0) + 1) * f->width  + fs->slice_x;
-    fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y;
 
-    fs->slice_x /= f->num_h_slices;
-    fs->slice_y /= f->num_v_slices;
-    fs->slice_width  = fs->slice_width /f->num_h_slices - fs->slice_x;
-    fs->slice_height = fs->slice_height/f->num_v_slices - fs->slice_y;
-    if ((unsigned)fs->slice_width > f->width || (unsigned)fs->slice_height > f->height)
-        return -1;
-    if (    (unsigned)fs->slice_x + (uint64_t)fs->slice_width  > f->width
-         || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
-        return -1;
+    if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0)
+        return AVERROR_INVALIDDATA;
+    if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh)
+        return AVERROR_INVALIDDATA;
+
+    fs->slice_x      =  sx       * (int64_t)f->width  / f->num_h_slices;
+    fs->slice_y      =  sy       * (int64_t)f->height / f->num_v_slices;
+    fs->slice_width  = (sx + sw) * (int64_t)f->width  / f->num_h_slices - fs->slice_x;
+    fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y;
+
+    av_assert0((unsigned)fs->slice_width  <= f->width &&
+                (unsigned)fs->slice_height <= f->height);
+    av_assert0 (   (unsigned)fs->slice_x + (uint64_t)fs->slice_width  <= f->width
+                && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height);
+
+    if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23))
+        return AVERROR_INVALIDDATA;
 
     for (i = 0; i < f->plane_count; i++) {
         PlaneContext * const p = &fs->plane[i];
@@ -301,8 +311,11 @@ static int decode_slice(AVCodecContext *c, void *arg)
     }
     if ((ret = ff_ffv1_init_slice_state(f, fs)) < 0)
         return ret;
-    if (f->cur->key_frame || fs->slice_reset_contexts)
+    if (f->cur->key_frame || fs->slice_reset_contexts) {
         ff_ffv1_clear_slice_state(f, fs);
+    } else if (fs->slice_damaged) {
+        return AVERROR_INVALIDDATA;
+    }
 
     width  = fs->slice_width;
     height = fs->slice_height;
@@ -465,6 +478,11 @@ static int read_extra_header(FFV1Context *f)
         return AVERROR_INVALIDDATA;
     }
 
+    if (f->num_h_slices > MAX_SLICES / f->num_v_slices) {
+        av_log(f->avctx, AV_LOG_ERROR, "slice count unsupported\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
     f->quant_table_count = get_symbol(c, state, 0);
     if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) {
         av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count);
@@ -767,21 +785,25 @@ static int read_header(FFV1Context *f)
         fs->slice_damaged = 0;
 
         if (f->version == 2) {
-            fs->slice_x      =  get_symbol(c, state, 0)      * f->width ;
-            fs->slice_y      =  get_symbol(c, state, 0)      * f->height;
-            fs->slice_width  = (get_symbol(c, state, 0) + 1) * f->width  + fs->slice_x;
-            fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y;
+            int sx = get_symbol(c, state, 0);
+            int sy = get_symbol(c, state, 0);
+            int sw = get_symbol(c, state, 0) + 1U;
+            int sh = get_symbol(c, state, 0) + 1U;
 
-            fs->slice_x     /= f->num_h_slices;
-            fs->slice_y     /= f->num_v_slices;
-            fs->slice_width  = fs->slice_width  / f->num_h_slices - fs->slice_x;
-            fs->slice_height = fs->slice_height / f->num_v_slices - fs->slice_y;
-            if ((unsigned)fs->slice_width  > f->width ||
-                (unsigned)fs->slice_height > f->height)
+            if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0)
                 return AVERROR_INVALIDDATA;
-            if (   (unsigned)fs->slice_x + (uint64_t)fs->slice_width  > f->width
-                || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
+            if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh)
                 return AVERROR_INVALIDDATA;
+
+            fs->slice_x      =  sx       * (int64_t)f->width  / f->num_h_slices;
+            fs->slice_y      =  sy       * (int64_t)f->height / f->num_v_slices;
+            fs->slice_width  = (sx + sw) * (int64_t)f->width  / f->num_h_slices - fs->slice_x;
+            fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y;
+
+            av_assert0((unsigned)fs->slice_width  <= f->width &&
+                       (unsigned)fs->slice_height <= f->height);
+            av_assert0 (   (unsigned)fs->slice_x + (uint64_t)fs->slice_width  <= f->width
+                        && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height);
         }
 
         for (i = 0; i < f->plane_count; i++) {

libavcodec/flac_parser.c

@@ -55,6 +55,7 @@
 
 /** largest possible size of flac header */
 #define MAX_FRAME_HEADER_SIZE 16
+#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE)
 
 typedef struct FLACHeaderMarker {
     int offset;       /**< byte offset from start of FLACParseContext->buffer */
@@ -169,7 +170,7 @@ static int find_headers_search_validate(FLACParseContext *fpc, int offset)
     uint8_t *header_buf;
     int size = 0;
     header_buf = flac_fifo_read_wrap(fpc, offset,
-                                     MAX_FRAME_HEADER_SIZE,
+                                     MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE,
                                      &fpc->wrap_buf,
                                      &fpc->wrap_buf_allocated_size);
     if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) {

libavcodec/fmvc.c

@@ -401,20 +401,17 @@ static int decode_frame(AVCodecContext *avctx, void *data,
     PutByteContext *pb = &s->pb;
     AVFrame *frame = data;
     int ret, y, x;
+    int key_frame;
 
     if (avpkt->size < 8)
         return AVERROR_INVALIDDATA;
 
-    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
-        return ret;
-
     bytestream2_init(gb, avpkt->data, avpkt->size);
     bytestream2_skip(gb, 2);
 
-    frame->key_frame = !!bytestream2_get_le16(gb);
-    frame->pict_type = frame->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P;
+    key_frame = !!bytestream2_get_le16(gb);
 
-    if (frame->key_frame) {
+    if (key_frame) {
         const uint8_t *src;
         unsigned type, size;
         uint8_t *dst;
@@ -434,6 +431,12 @@ static int decode_frame(AVCodecContext *avctx, void *data,
             return AVERROR_PATCHWELCOME;
         }
 
+        if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
+            return ret;
+
+        frame->key_frame = 1;
+        frame->pict_type = AV_PICTURE_TYPE_I;
+
         src = s->buffer;
         dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0];
         for (y = 0; y < avctx->height; y++) {
@@ -512,6 +515,12 @@ static int decode_frame(AVCodecContext *avctx, void *data,
             dst = &rect[block_h * s->stride];
         }
 
+        if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
+            return ret;
+
+        frame->key_frame = 0;
+        frame->pict_type = AV_PICTURE_TYPE_P;
+
         ssrc = s->buffer;
         ddst = frame->data[0] + (avctx->height - 1) * frame->linesize[0];
         for (y = 0; y < avctx->height; y++) {

libavcodec/g2meet.c

@@ -143,7 +143,8 @@ typedef struct G2MContext {
     int        got_header;
 
     uint8_t    *framebuf;
-    int        framebuf_stride, old_width, old_height;
+    int        framebuf_stride;
+    unsigned int framebuf_allocated;
 
     uint8_t    *synth_tile, *jpeg_tile, *epic_buf, *epic_buf_base;
     int        tile_stride, epic_buf_stride, old_tile_w, old_tile_h;
@@ -1179,14 +1180,13 @@ static int g2m_init_buffers(G2MContext *c)
 {
     int aligned_height;
 
-    if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) {
-        c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3;
-        aligned_height     = c->height + 15;
-        av_free(c->framebuf);
-        c->framebuf = av_mallocz_array(c->framebuf_stride, aligned_height);
-        if (!c->framebuf)
-            return AVERROR(ENOMEM);
-    }
+    c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3;
+    aligned_height = c->height + 15;
+
+    av_fast_mallocz(&c->framebuf, &c->framebuf_allocated, c->framebuf_stride * aligned_height);
+    if (!c->framebuf)
+        return AVERROR(ENOMEM);
+
     if (!c->synth_tile || !c->jpeg_tile ||
         (c->compression == 2 && !c->epic_buf_base) ||
         c->old_tile_w < c->tile_width ||
@@ -1638,6 +1638,7 @@ static av_cold int g2m_decode_end(AVCodecContext *avctx)
     av_freep(&c->jpeg_tile);
     av_freep(&c->cursor);
     av_freep(&c->framebuf);
+    c->framebuf_allocated = 0;
 
     return 0;
 }

libavcodec/g729dec.c

@@ -536,12 +536,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
           fc_v[i] = <
                      \ fc_v[i] + gain_pitch * fc_v[i-pitch_delay], i >= pitch_delay
         */
-        ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i],
-                                     fc + pitch_delay_int[i],
-                                     fc, 1 << 14,
-                                     av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX),
-                                     0, 14,
-                                     SUBFRAME_SIZE - pitch_delay_int[i]);
+        if (SUBFRAME_SIZE > pitch_delay_int[i])
+            ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i],
+                                         fc + pitch_delay_int[i],
+                                         fc, 1 << 14,
+                                         av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX),
+                                         0, 14,
+                                         SUBFRAME_SIZE - pitch_delay_int[i]);
 
         memmove(ctx->past_gain_pitch+1, ctx->past_gain_pitch, 5 * sizeof(int16_t));
         ctx->past_gain_code[1] = ctx->past_gain_code[0];

libavcodec/g729postfilter.c

@@ -350,7 +350,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
         if (tmp > 0)
             L_temp0 >>= tmp;
         else
-            L_temp1 >>= -tmp;
+            L_temp1 >>= FFMIN(-tmp, 31);
 
         /* Check if longer filter increases the values of R'(k). */
         if (L_temp1 > L_temp0) {

libavcodec/h263dec.c

@@ -544,6 +544,8 @@ retry:
     avctx->has_b_frames = !s->low_delay;
 
     if (CONFIG_MPEG4_DECODER && avctx->codec_id == AV_CODEC_ID_MPEG4) {
+        if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb))
+            return AVERROR_INVALIDDATA;
         if (ff_mpeg4_workaround_bugs(avctx) == 1)
             goto retry;
         if (s->studio_profile != (s->idsp.idct == NULL))

libavcodec/h264dec.c

@@ -699,6 +699,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size)
             avpriv_request_sample(avctx, "data partitioning");
             break;
         case H264_NAL_SEI:
+            if (h->setup_finished) {
+                avpriv_request_sample(avctx, "Late SEI");
+                break;
+            }
             ret = ff_h264_sei_decode(&h->sei, &nal->gb, &h->ps, avctx);
             h->has_recovery_point = h->has_recovery_point || h->sei.recovery_point.recovery_frame_cnt != -1;
             if (avctx->debug & FF_DEBUG_GREEN_MD)

libavcodec/hevc_filter.c

@@ -145,11 +145,22 @@ int i, j;
 
     if (((intptr_t)dst | (intptr_t)src | stride_dst | stride_src) & 15) {
         for (i = 0; i < height; i++) {
-            for (j = 0; j < width; j+=8)
+            for (j = 0; j < width - 7; j+=8)
                 AV_COPY64U(dst+j, src+j);
             dst += stride_dst;
             src += stride_src;
         }
+        if (width&7) {
+            dst += ((width>>3)<<3) - stride_dst * height;
+            src += ((width>>3)<<3) - stride_src * height;
+            width &= 7;
+            for (i = 0; i < height; i++) {
+                for (j = 0; j < width; j++)
+                    dst[j] = src[j];
+                dst += stride_dst;
+                src += stride_src;
+            }
+        }
     } else {
         for (i = 0; i < height; i++) {
             for (j = 0; j < width; j+=16)

libavcodec/hevcdec.c

@@ -3221,7 +3221,7 @@ static int hevc_decode_frame(AVCodecContext *avctx, void *data, int *got_output,
         }
     } else {
         /* verify the SEI checksum */
-        if (avctx->err_recognition & AV_EF_CRCCHECK && s->is_decoded &&
+        if (avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded &&
             s->sei.picture_hash.is_md5) {
             ret = verify_md5(s, s->ref->frame);
             if (ret < 0 && avctx->err_recognition & AV_EF_EXPLODE) {

libavcodec/hevcdsp_template.c

@@ -313,7 +313,7 @@ static void FUNC(sao_band_filter)(uint8_t *_dst, uint8_t *_src,
         offset_table[(k + sao_left_class) & 31] = sao_offset_val[k + 1];
     for (y = 0; y < height; y++) {
         for (x = 0; x < width; x++)
-            dst[x] = av_clip_pixel(src[x] + offset_table[src[x] >> shift]);
+            dst[x] = av_clip_pixel(src[x] + offset_table[(src[x] >> shift) & 31]);
         dst += stride_dst;
         src += stride_src;
     }

libavcodec/huffyuvdec.c

@@ -691,9 +691,9 @@ static void decode_422_bitstream(HYuvContext *s, int count)
 /* TODO instead of restarting the read when the code isn't in the first level
  * of the joint table, jump into the 2nd level of the individual table. */
 #define READ_2PIX_PLANE16(dst0, dst1, plane){\
-    dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\
+    dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\
     dst0 += get_bits(&s->gb, 2);\
-    dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\
+    dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\
     dst1 += get_bits(&s->gb, 2);\
 }
 static void decode_plane_bitstream(HYuvContext *s, int width, int plane)

libavcodec/j2kenc.c

@@ -1003,6 +1003,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
     int tileno, ret;
     Jpeg2000EncoderContext *s = avctx->priv_data;
     uint8_t *chunkstart, *jp2cstart, *jp2hstart;
+    const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt);
 
     if ((ret = ff_alloc_packet2(avctx, pkt, avctx->width*avctx->height*9 + AV_INPUT_BUFFER_MIN_SIZE, 0)) < 0)
         return ret;
@@ -1055,7 +1056,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
         bytestream_put_byte(&s->buf, 1);
         bytestream_put_byte(&s->buf, 0);
         bytestream_put_byte(&s->buf, 0);
-        if (avctx->pix_fmt == AV_PIX_FMT_RGB24 || avctx->pix_fmt == AV_PIX_FMT_PAL8) {
+        if ((desc->flags & AV_PIX_FMT_FLAG_RGB) || avctx->pix_fmt == AV_PIX_FMT_PAL8) {
             bytestream_put_be32(&s->buf, 16);
         } else if (s->ncomponents == 1) {
             bytestream_put_be32(&s->buf, 17);
@@ -1151,7 +1152,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
 
     if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && (s->pred != FF_DWT97_INT || s->format != CODEC_JP2)) {
         av_log(s->avctx, AV_LOG_WARNING, "Forcing lossless jp2 for pal8\n");
-        s->pred = FF_DWT97_INT;
+        s->pred = 1;
         s->format = CODEC_JP2;
     }
 
@@ -1229,7 +1230,7 @@ static const AVOption options[] = {
     { "tile_height",   "Tile Height",       OFFSET(tile_height),   AV_OPT_TYPE_INT,   { .i64 = 256         }, 1,     1<<30,           VE, },
     { "pred",          "DWT Type",          OFFSET(pred),          AV_OPT_TYPE_INT,   { .i64 = 0           }, 0,         1,           VE, "pred"        },
     { "dwt97int",      NULL,                0,                     AV_OPT_TYPE_CONST, { .i64 = 0           }, INT_MIN, INT_MAX,       VE, "pred"        },
-    { "dwt53",         NULL,                0,                     AV_OPT_TYPE_CONST, { .i64 = 0           }, INT_MIN, INT_MAX,       VE, "pred"        },
+    { "dwt53",         NULL,                0,                     AV_OPT_TYPE_CONST, { .i64 = 1           }, INT_MIN, INT_MAX,       VE, "pred"        },
 
     { NULL }
 };

libavcodec/jpeglsdec.c

@@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
         s->t3     = get_bits(&s->gb, 16);
         s->reset  = get_bits(&s->gb, 16);
 
-        if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+        if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
             av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n",
                    s->maxval, s->t1, s->t2, s->t3, s->reset);
         }
@@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
         else
             maxtab = 65530/wt - 1;
 
-        if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+        if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
             av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab);
         }
         if (maxtab >= 256) {
@@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
     if (RItype)
         temp += state->N[Q] >> 1;
 
-    for (k = 0; (state->N[Q] << k) < temp; k++)
+    for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)
         ;
 
 #ifdef JLS_BROKEN
@@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
 #endif
     ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1,
                                state->qbpp);
+    if (ret < 0)
+        return -0x10000;
 
     /* decode mapped error */
     map = 0;
@@ -209,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
         ret = ret >> 1;
     }
 
-    if(FFABS(ret) > 0xFFFF)
+    if (FFABS(ret) > 0xFFFF)
         return -0x10000;
     /* update state */
     state->A[Q] += FFABS(ret) - RItype;
@@ -463,19 +465,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
             for (i = 0; i < s->height; i++) {
                 switch(s->xfrm) {
                 case 1:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                         src[x  ] += src[x+1] + 128;
                         src[x+2] += src[x+1] + 128;
                     }
                     break;
                 case 2:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                         src[x  ] += src[x+1] + 128;
                         src[x+2] += ((src[x  ] + src[x+1])>>1) + 128;
                     }
                     break;
                 case 3:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                         int g = src[x+0] - ((src[x+2]+src[x+1])>>2) + 64;
                         src[x+0] = src[x+2] + g + 128;
                         src[x+2] = src[x+1] + g + 128;
@@ -483,7 +485,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
                     }
                     break;
                 case 4:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                         int r    = src[x+0] - ((                       359 * (src[x+2]-128) + 490) >> 8);
                         int g    = src[x+0] - (( 88 * (src[x+1]-128) - 183 * (src[x+2]-128) +  30) >> 8);
                         int b    = src[x+0] + ((454 * (src[x+1]-128)                        + 574) >> 8);

libavcodec/lagarith.c

@@ -408,6 +408,9 @@ output_zeros:
         if (zero_run) {
             zero_run = 0;
             i += esc_count;
+            if (i >  end - dst ||
+                i >= src_end - src)
+                return AVERROR_INVALIDDATA;
             memcpy(dst, src, i);
             dst += i;
             l->zeros_rem = lag_calc_zero_run(src[i]);

libavcodec/lcldec.c

@@ -148,6 +148,8 @@ static int zlib_decomp(AVCodecContext *avctx, const uint8_t *src, int src_len, i
     if (expected != (unsigned int)c->zstream.total_out) {
         av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n",
                expected, c->zstream.total_out);
+        if (expected > (unsigned int)c->zstream.total_out)
+            return (unsigned int)c->zstream.total_out;
         return AVERROR_UNKNOWN;
     }
     return c->zstream.total_out;
@@ -166,8 +168,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
     int row, col;
     unsigned char *encoded = avpkt->data, *outptr;
     uint8_t *y_out, *u_out, *v_out;
-    unsigned int width = avctx->width; // Real image width
-    unsigned int height = avctx->height; // Real image height
+    int width = avctx->width; // Real image width
+    int height = avctx->height; // Real image height
     unsigned int mszh_dlen;
     unsigned char yq, y1q, uq, vq;
     int uqvq, ret;
@@ -274,12 +276,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
             ret = zlib_decomp(avctx, buf + 8 + mthread_inlen, len - 8 - mthread_inlen,
                               mthread_outlen, mthread_outlen);
             if (ret < 0) return ret;
+            len = c->decomp_size;
         } else {
             int ret = zlib_decomp(avctx, buf, len, 0, c->decomp_size);
             if (ret < 0) return ret;
+            len = ret;
         }
         encoded = c->decomp_buf;
-        len = c->decomp_size;
         break;
 #endif
     default:
@@ -399,6 +402,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                 v_out[ col >> 1     ] = *encoded++ + 128;
                 v_out[(col >> 1) + 1] = *encoded++ + 128;
             }
+            if (col && col < width) {
+                u_out[ col >> 1     ] = u_out[(col>>1) - 1];
+                v_out[ col >> 1     ] = v_out[(col>>1) - 1];
+            }
+
             y_out -= frame->linesize[0];
             u_out -= frame->linesize[1];
             v_out -= frame->linesize[2];
@@ -420,6 +428,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                 u_out[col >> 2] = *encoded++ + 128;
                 v_out[col >> 2] = *encoded++ + 128;
             }
+            if (col && col < width) {
+                u_out[col >> 2] = u_out[(col>>2) - 1];
+                v_out[col >> 2] = v_out[(col>>2) - 1];
+            }
             y_out -= frame->linesize[0];
             u_out -= frame->linesize[1];
             v_out -= frame->linesize[2];
@@ -477,6 +489,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
                                 FFALIGN(avctx->height, 4);
     unsigned int max_decomp_size;
     int subsample_h, subsample_v;
+    int partial_h_supported = 0;
 
     if (avctx->extradata_size < 8) {
         av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n");
@@ -498,26 +511,24 @@ static av_cold int decode_init(AVCodecContext *avctx)
         av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 1:1:1.\n");
         break;
     case IMGTYPE_YUV422:
-        c->decomp_size = basesize * 2;
+        c->decomp_size = (avctx->width & ~3) * avctx->height * 2;
         max_decomp_size = max_basesize * 2;
         avctx->pix_fmt = AV_PIX_FMT_YUV422P;
         av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n");
-        if (avctx->width % 4) {
-            avpriv_request_sample(avctx, "Unsupported dimensions");
-            return AVERROR_INVALIDDATA;
-        }
+        partial_h_supported = 1;
         break;
     case IMGTYPE_RGB24:
-        c->decomp_size = basesize * 3;
+        c->decomp_size = FFALIGN(avctx->width*3, 4) * avctx->height;
         max_decomp_size = max_basesize * 3;
         avctx->pix_fmt = AV_PIX_FMT_BGR24;
         av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n");
         break;
     case IMGTYPE_YUV411:
-        c->decomp_size = basesize / 2 * 3;
+        c->decomp_size = (avctx->width & ~3) * avctx->height / 2 * 3;
         max_decomp_size = max_basesize / 2 * 3;
         avctx->pix_fmt = AV_PIX_FMT_YUV411P;
         av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:1:1.\n");
+        partial_h_supported = 1;
         break;
     case IMGTYPE_YUV211:
         c->decomp_size = basesize * 2;
@@ -537,7 +548,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     }
 
     av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v);
-    if (avctx->width % (1<<subsample_h) || avctx->height % (1<<subsample_v)) {
+    if ((avctx->width % (1<<subsample_h) && !partial_h_supported) || avctx->height % (1<<subsample_v)) {
         avpriv_request_sample(avctx, "Unsupported dimensions");
         return AVERROR_INVALIDDATA;
     }

libavcodec/mjpegenc_common.c

@@ -275,7 +275,7 @@ void ff_mjpeg_encode_picture_header(AVCodecContext *avctx, PutBitContext *pb,
     default: av_assert0(0);
     }
 
-    put_bits(pb, 16, 17);
+    put_bits(pb, 16, 8 + 3 * components);
     if (lossless && (  avctx->pix_fmt == AV_PIX_FMT_BGR0
                     || avctx->pix_fmt == AV_PIX_FMT_BGRA
                     || avctx->pix_fmt == AV_PIX_FMT_BGR24))

libavcodec/mlpdec.c

@@ -520,7 +520,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
 
     /* This should happen for TrueHD streams with >6 channels and MLP's noise
      * type. It is not yet known if this is allowed. */
-    if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) {
+    if (max_matrix_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) {
         avpriv_request_sample(m->avctx,
                               "%d channels (more than the "
                               "maximum supported by the decoder)",

libavcodec/motion_est.c

@@ -1614,7 +1614,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type)
         for(y=0; y<s->mb_height; y++){
             int x;
             int xy= y*s->mb_stride;
-            for(x=0; x<s->mb_width; x++){
+            for(x=0; x<s->mb_width; x++, xy++){
                 if(s->mb_type[xy] & type){
                     int mx= mv_table[xy][0];
                     int my= mv_table[xy][1];
@@ -1622,16 +1622,15 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type)
                                      fcode_tab[my + MAX_MV]);
                     int j;
 
-                        if(mx >= range || mx < -range ||
-                           my >= range || my < -range)
-                            continue;
+                    if (mx >= range || mx < -range ||
+                        my >= range || my < -range)
+                        continue;
 
                     for(j=0; j<fcode && j<8; j++){
                         if(s->pict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy])
                             score[j]-= 170;
                     }
                 }
-                xy++;
             }
         }
 

libavcodec/motionpixels.c

@@ -185,7 +185,7 @@ static YuvPixel mp_get_yuv_from_rgb(MotionPixelsContext *mp, int x, int y)
     int color;
 
     color = *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2];
-    return mp_rgb_yuv_table[color];
+    return mp_rgb_yuv_table[color & 0x7FFF];
 }
 
 static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const YuvPixel *p)

libavcodec/noise_bsf.c

@@ -44,6 +44,11 @@ static int noise(AVBSFContext *ctx, AVPacket *pkt)
     if (amount <= 0)
         return AVERROR(EINVAL);
 
+    if (ctx->par_in->codec_id == AV_CODEC_ID_WRAPPED_AVFRAME) {
+        av_log(ctx, AV_LOG_ERROR, "Wrapped AVFrame noising is unsupported\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
     ret = ff_bsf_get_packet_ref(ctx, pkt);
     if (ret < 0)
         return ret;

libavcodec/nvdec.c

@@ -539,6 +539,8 @@ int ff_nvdec_simple_end_frame(AVCodecContext *avctx)
     NVDECContext *ctx = avctx->internal->hwaccel_priv_data;
     int ret = ff_nvdec_end_frame(avctx);
     ctx->bitstream = NULL;
+    ctx->bitstream_len = 0;
+    ctx->nb_slices = 0;
     return ret;
 }
 

libavcodec/nvdec_mpeg12.c

@@ -76,8 +76,9 @@ static int nvdec_mpeg12_start_frame(AVCodecContext *avctx, const uint8_t *buffer
     };
 
     for (i = 0; i < 64; ++i) {
-        ppc->QuantMatrixIntra[i] = s->intra_matrix[i];
-        ppc->QuantMatrixInter[i] = s->inter_matrix[i];
+        int n = s->idsp.idct_permutation[i];
+        ppc->QuantMatrixIntra[i] = s->intra_matrix[n];
+        ppc->QuantMatrixInter[i] = s->inter_matrix[n];
     }
 
     return 0;

libavcodec/nvdec_mpeg4.c

@@ -86,8 +86,9 @@ static int nvdec_mpeg4_start_frame(AVCodecContext *avctx, const uint8_t *buffer,
     };
 
     for (i = 0; i < 64; ++i) {
-        ppc->QuantMatrixIntra[i] = s->intra_matrix[i];
-        ppc->QuantMatrixInter[i] = s->inter_matrix[i];
+        int n = s->idsp.idct_permutation[i];
+        ppc->QuantMatrixIntra[i] = s->intra_matrix[n];
+        ppc->QuantMatrixInter[i] = s->inter_matrix[n];
     }
 
     // We need to pass the full frame buffer and not just the slice

libavcodec/pictordec.c

@@ -223,8 +223,6 @@ static int decode_frame(AVCodecContext *avctx,
                         run = bytestream2_get_le16(&s->g);
                     val = bytestream2_get_byte(&s->g);
                 }
-                if (!bytestream2_get_bytes_left(&s->g))
-                    break;
 
                 if (bits_per_plane == 8) {
                     picmemset_8bpp(s, frame, val, run, &x, &y);

libavcodec/pixlet.c

@@ -404,7 +404,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale)
                 (int64_t) low [i - 1] * -INT64_C(325392907)  +
                 (int64_t) high[i + 0] *  INT64_C(1518500249) +
                 (int64_t) high[i - 1] *  INT64_C(1518500249);
-        dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32);
+        dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32);
     }
 
     for (i = 0; i < hsize; i++) {
@@ -415,7 +415,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale)
                 (int64_t) high[i + 1] *  INT64_C(303700064)  +
                 (int64_t) high[i + 0] * -INT64_C(3644400640) +
                 (int64_t) high[i - 1] *  INT64_C(303700064);
-        dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32);
+        dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32);
     }
 }
 

libavcodec/pngdec.c

@@ -309,7 +309,7 @@ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type,
 static void deloco_ ## NAME(TYPE *dst, int size, int alpha) \
 { \
     int i; \
-    for (i = 0; i < size; i += 3 + alpha) { \
+    for (i = 0; i < size - 2; i += 3 + alpha) { \
         int g = dst [i + 1]; \
         dst[i + 0] += g; \
         dst[i + 2] += g; \
@@ -621,6 +621,8 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
     int ret;
     size_t byte_depth = s->bit_depth > 8 ? 2 : 1;
 
+    if (!p)
+        return AVERROR_INVALIDDATA;
     if (!(s->hdr_state & PNG_IHDR)) {
         av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n");
         return AVERROR_INVALIDDATA;
@@ -1295,6 +1297,8 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
             break;
         }
         case MKTAG('i', 'C', 'C', 'P'): {
+            if (!p)
+                return AVERROR_INVALIDDATA;
             if ((ret = decode_iccp_chunk(s, length, p)) < 0)
                 goto fail;
             break;
@@ -1353,6 +1357,9 @@ skip_tag:
     }
 exit_loop:
 
+    if (!p)
+        return AVERROR_INVALIDDATA;
+
     if (avctx->codec_id == AV_CODEC_ID_PNG &&
         avctx->skip_frame == AVDISCARD_ALL) {
         return 0;
@@ -1499,7 +1506,7 @@ static int decode_frame_apng(AVCodecContext *avctx,
         s->zstream.zfree  = ff_png_zfree;
 
         bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size);
-        if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0)
+        if ((ret = decode_frame_common(avctx, s, NULL, avpkt)) < 0)
             goto end;
     }
 

libavcodec/qdrw.c

@@ -369,7 +369,7 @@ static int decode_frame(AVCodecContext *avctx,
             bytestream2_skip(&gbc, 18);
             colors = bytestream2_get_be16(&gbc);
 
-            if (colors < 0 || colors > 256) {
+            if (colors < 0 || colors > 255) {
                 av_log(avctx, AV_LOG_ERROR,
                        "Error color count - %i(0x%X)\n", colors, colors);
                 return AVERROR_INVALIDDATA;

libavcodec/qpeldsp.c

@@ -198,7 +198,7 @@ static void OPNAME ## qpel8_mc01_c(uint8_t *dst, const uint8_t *src,          \
     uint8_t full[16 * 9];                                                     \
     uint8_t half[64];                                                         \
                                                                               \
-    copy_block9(full, src, 16, stride, 9);                                    \
+    copy_block8(full, src, 16, stride, 9);                                    \
     put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16);                   \
     OPNAME ## pixels8_l2_8(dst, full, half, stride, 16, 8, 8);                \
 }                                                                             \
@@ -208,7 +208,7 @@ static void OPNAME ## qpel8_mc02_c(uint8_t *dst, const uint8_t *src,          \
 {                                                                             \
     uint8_t full[16 * 9];                                                     \
                                                                               \
-    copy_block9(full, src, 16, stride, 9);                                    \
+    copy_block8(full, src, 16, stride, 9);                                    \
     OPNAME ## mpeg4_qpel8_v_lowpass(dst, full, stride, 16);                   \
 }                                                                             \
                                                                               \
@@ -218,7 +218,7 @@ static void OPNAME ## qpel8_mc03_c(uint8_t *dst, const uint8_t *src,          \
     uint8_t full[16 * 9];                                                     \
     uint8_t half[64];                                                         \
                                                                               \
-    copy_block9(full, src, 16, stride, 9);                                    \
+    copy_block8(full, src, 16, stride, 9);                                    \
     put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16);                   \
     OPNAME ## pixels8_l2_8(dst, full + 16, half, stride, 16, 8, 8);           \
 }                                                                             \
@@ -458,7 +458,7 @@ static void OPNAME ## qpel16_mc01_c(uint8_t *dst, const uint8_t *src,         \
     uint8_t full[24 * 17];                                                    \
     uint8_t half[256];                                                        \
                                                                               \
-    copy_block17(full, src, 24, stride, 17);                                  \
+    copy_block16(full, src, 24, stride, 17);                                  \
     put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24);                 \
     OPNAME ## pixels16_l2_8(dst, full, half, stride, 24, 16, 16);             \
 }                                                                             \
@@ -468,7 +468,7 @@ static void OPNAME ## qpel16_mc02_c(uint8_t *dst, const uint8_t *src,         \
 {                                                                             \
     uint8_t full[24 * 17];                                                    \
                                                                               \
-    copy_block17(full, src, 24, stride, 17);                                  \
+    copy_block16(full, src, 24, stride, 17);                                  \
     OPNAME ## mpeg4_qpel16_v_lowpass(dst, full, stride, 24);                  \
 }                                                                             \
                                                                               \
@@ -478,7 +478,7 @@ static void OPNAME ## qpel16_mc03_c(uint8_t *dst, const uint8_t *src,         \
     uint8_t full[24 * 17];                                                    \
     uint8_t half[256];                                                        \
                                                                               \
-    copy_block17(full, src, 24, stride, 17);                                  \
+    copy_block16(full, src, 24, stride, 17);                                  \
     put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24);                 \
     OPNAME ## pixels16_l2_8(dst, full + 24, half, stride, 24, 16, 16);        \
 }                                                                             \

libavcodec/sbrdsp_fixed.c

@@ -114,8 +114,8 @@ static void sbr_qmf_deint_neg_c(int *v, const int *src)
 {
     int i;
     for (i = 0; i < 32; i++) {
-        v[     i] = ( src[63 - 2*i    ] + 0x10) >> 5;
-        v[63 - i] = (-src[63 - 2*i - 1] + 0x10) >> 5;
+        v[     i] = (int)(0x10U + src[63 - 2*i    ]) >> 5;
+        v[63 - i] = (int)(0x10U - src[63 - 2*i - 1]) >> 5;
     }
 }
 

libavcodec/scpr.c

@@ -592,6 +592,9 @@ static int decompress_p(AVCodecContext *avctx,
                 int run, z, bx = x * 16 + sx1, by = y * 16 + sy1;
                 unsigned r, g, b, clr, ptype = 0;
 
+                if (bx >= avctx->width)
+                    return AVERROR_INVALIDDATA;
+
                 for (; by < y * 16 + sy2 && by < avctx->height;) {
                     ret = decode_value(s, s->op_model[ptype], 6, 1000, &ptype);
                     if (ret < 0)

libavcodec/snowenc.c

@@ -1543,10 +1543,10 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){
     int level, orientation, x, y;
 
     for(level=0; level<s->spatial_decomposition_count; level++){
+        int64_t error=0;
         for(orientation=level ? 1 : 0; orientation<4; orientation++){
             SubBand *b= &p->band[level][orientation];
             IDWTELEM *ibuf= b->ibuf;
-            int64_t error=0;
 
             memset(s->spatial_idwt_buffer, 0, sizeof(*s->spatial_idwt_buffer)*width*height);
             ibuf[b->width/2 + b->height/2*b->stride]= 256*16;
@@ -1557,9 +1557,13 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){
                     error += d*d;
                 }
             }
-
+            if (orientation == 2)
+                error /= 2;
             b->qlog= (int)(QROOT * log2(352256.0/sqrt(error)) + 0.5);
+            if (orientation != 1)
+                error = 0;
         }
+        p->band[level][1].qlog = p->band[level][2].qlog;
     }
 }
 

libavcodec/sonic.c

@@ -1018,7 +1018,7 @@ static int sonic_decode_frame(AVCodecContext *avctx,
 
     // dequantize
     for (i = 0; i < s->num_taps; i++)
-        s->predictor_k[i] *= s->tap_quant[i];
+        s->predictor_k[i] *= (unsigned) s->tap_quant[i];
 
     if (s->lossless)
         quant = 1;

libavcodec/speedhq.c

@@ -424,7 +424,9 @@ static int speedhq_decode_frame(AVCodecContext *avctx,
     uint32_t second_field_offset;
     int ret;
 
-    if (buf_size < 4 || avctx->width < 8)
+    if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0)
+        return AVERROR_INVALIDDATA;
+    if (buf_size < avctx->width*avctx->height / 64 / 4)
         return AVERROR_INVALIDDATA;
 
     quality = buf[0];

libavcodec/sunrast.c

@@ -19,6 +19,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
+#include "libavutil/avassert.h"
 #include "libavutil/common.h"
 #include "libavutil/intreadwrite.h"
 #include "libavutil/imgutils.h"
@@ -75,6 +76,12 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
         return AVERROR_PATCHWELCOME;
     }
 
+    if (maplength > 768) {
+        av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    // This also checks depth to be valid
     switch (depth) {
         case 1:
             avctx->pix_fmt = maplength ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_MONOWHITE;
@@ -96,15 +103,23 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
             return AVERROR_INVALIDDATA;
     }
 
+    // This checks w and h to be valid in the sense that bytes of a padded bitmap are addressable with 32bit int
     ret = ff_set_dimensions(avctx, w, h);
     if (ret < 0)
         return ret;
 
+    // ensured by ff_set_dimensions()
+    av_assert0(w <= (INT32_MAX - 7) / depth);
+
     /* scanlines are aligned on 16 bit boundaries */
     len  = (depth * w + 7) >> 3;
     alen = len + (len & 1);
 
-    if (buf_end - buf < maplength + (len * h) * 3 / 256)
+    // ensured by ff_set_dimensions()
+    av_assert0(h  <= INT32_MAX / (3 * len));
+
+    // maplength is limited to 768 and the right term is limited to INT32_MAX / 256 so the add needs no check
+    if (buf_end - buf < (uint64_t)maplength + (len * h) * 3 / 256)
         return AVERROR_INVALIDDATA;
 
     if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
@@ -118,7 +133,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
     } else if (maplength) {
         unsigned int len = maplength / 3;
 
-        if (maplength % 3 || maplength > 768) {
+        if (maplength % 3) {
             av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n");
             return AVERROR_INVALIDDATA;
         }

libavcodec/tak.c

@@ -167,6 +167,9 @@ int ff_tak_decode_frame_header(AVCodecContext *avctx, GetBitContext *gb,
     if (ti->flags & TAK_FRAME_FLAG_HAS_METADATA)
         return AVERROR_INVALIDDATA;
 
+    if (get_bits_left(gb) < 24)
+        return AVERROR_INVALIDDATA;
+
     skip_bits(gb, 24);
 
     return 0;

libavcodec/takdsp.c

@@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int
     for (i = 0; i < length; i++) {
         int32_t a = p1[i];
         int32_t b = p2[i];
-        b         = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift;
+        b         = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift;
         p1[i]     = b - a;
     }
 }

libavcodec/tests/snowenc.c

@@ -31,11 +31,13 @@ int main(void){
 #define width  256
 #define height 256
     int buffer[2][width*height];
+    short obuffer[width*height];
     SnowContext s;
     int i;
     AVLFG prng;
     s.spatial_decomposition_count=6;
     s.spatial_decomposition_type=1;
+    int ret = 0;
 
     s.temp_dwt_buffer  = av_mallocz_array(width, sizeof(DWTELEM));
     s.temp_idwt_buffer = av_mallocz_array(width, sizeof(IDWTELEM));
@@ -49,24 +51,34 @@ int main(void){
 
     printf("testing 5/3 DWT\n");
     for(i=0; i<width*height; i++)
-        buffer[0][i] = buffer[1][i] = av_lfg_get(&prng) % 54321 - 12345;
+        buffer[0][i] = buffer[1][i] = av_lfg_get(&prng) % 19000 - 9000;
 
     ff_spatial_dwt(buffer[0], s.temp_dwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count);
-    ff_spatial_idwt((IDWTELEM*)buffer[0], s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count);
+    for(i=0; i<width*height; i++)
+        obuffer[i] = buffer[0][i];
+    ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count);
 
     for(i=0; i<width*height; i++)
-        if(buffer[0][i]!= buffer[1][i]) printf("fsck: %6d %12d %7d\n",i, buffer[0][i], buffer[1][i]);
+        if(buffer[1][i]!= obuffer[i]) {
+            printf("fsck: %4dx%4dx %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]);
+            ret = 1;
+        }
 
     printf("testing 9/7 DWT\n");
     s.spatial_decomposition_type=0;
     for(i=0; i<width*height; i++)
-        buffer[0][i] = buffer[1][i] = av_lfg_get(&prng) % 54321 - 12345;
+        buffer[0][i] = buffer[1][i] = av_lfg_get(&prng) % 11000 - 5000;
 
     ff_spatial_dwt(buffer[0], s.temp_dwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count);
-    ff_spatial_idwt((IDWTELEM*)buffer[0], s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count);
+    for(i=0; i<width*height; i++)
+        obuffer[i] = buffer[0][i];
+    ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count);
 
     for(i=0; i<width*height; i++)
-        if(FFABS(buffer[0][i] - buffer[1][i])>20) printf("fsck: %6d %12d %7d\n",i, buffer[0][i], buffer[1][i]);
+        if(FFABS(buffer[1][i] - obuffer[i])>20) {
+            printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]);
+            ret = 1;
+        }
 
     {
     int level, orientation, x, y;
@@ -81,18 +93,18 @@ int main(void){
                 int w= width  >> (s.spatial_decomposition_count-level);
                 int h= height >> (s.spatial_decomposition_count-level);
                 int stride= width  << (s.spatial_decomposition_count-level);
-                DWTELEM *buf= buffer[0];
+                IDWTELEM *buf= obuffer;
                 int64_t error=0;
 
                 if(orientation&1) buf+=w;
                 if(orientation>1) buf+=stride>>1;
 
-                memset(buffer[0], 0, sizeof(int)*width*height);
-                buf[w/2 + h/2*stride]= 256*256;
-                ff_spatial_idwt((IDWTELEM*)buffer[0], s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count);
+                memset(obuffer, 0, sizeof(short)*width*height);
+                buf[w/2 + h/2*stride]= 8*256;
+                ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count);
                 for(y=0; y<height; y++){
                     for(x=0; x<width; x++){
-                        int64_t d= buffer[0][x + y*width];
+                        int64_t d= obuffer[x + y*width];
                         error += d*d;
                         if(FFABS(width/2-x)<9 && FFABS(height/2-y)<9 && level==2) printf("%8"PRId64" ", d);
                     }
@@ -143,5 +155,5 @@ int main(void){
         }
 
     }
-    return 0;
+    return ret;
 }

libavcodec/texturedspenc.c

@@ -255,11 +255,11 @@ static void optimize_colors(const uint8_t *block, ptrdiff_t stride,
 
         muv = minv = maxv = bp[0];
         for (y = 0; y < 4; y++) {
-            for (x = 4; x < 4; x += 4) {
+            for (x = 0; x < 4; x++) {
                 muv += bp[x * 4 + y * stride];
-                if (bp[x] < minv)
+                if (bp[x * 4 + y * stride] < minv)
                     minv = bp[x * 4 + y * stride];
-                else if (bp[x] > maxv)
+                else if (bp[x * 4 + y * stride] > maxv)
                     maxv = bp[x * 4 + y * stride];
             }
         }

libavcodec/tta.c

@@ -371,8 +371,15 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
     case 3: {
         // shift samples for 24-bit sample format
         int32_t *samples = (int32_t *)frame->data[0];
-        for (i = 0; i < framelen * s->channels; i++)
-            *samples++ *= 256;
+        int overflow = 0;
+
+        for (i = 0; i < framelen * s->channels; i++) {
+            int scaled = *samples * 256U;
+            overflow += (scaled >> 8 != *samples);
+            *samples++ = scaled;
+        }
+        if (overflow)
+            av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow);
         // reset decode buffer
         s->decode_buffer = NULL;
         break;

libavcodec/ttadsp.c

@@ -47,9 +47,9 @@ static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl,
     *error = *in;
     *in += (round >> shift);
 
-    dl[4] = -dl[5]; dl[5] = -dl[6];
-    dl[6] = *in - dl[7]; dl[7] = *in;
-    dl[5] += dl[6]; dl[4] += dl[5];
+    dl[4] = -(unsigned)dl[5]; dl[5] = -(unsigned)dl[6];
+    dl[6] = *in -(unsigned)dl[7]; dl[7] = *in;
+    dl[5] += (unsigned)dl[6]; dl[4] += (unsigned)dl[5];
 }
 
 av_cold void ff_ttadsp_init(TTADSPContext *c)

libavcodec/utils.c

@@ -252,6 +252,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
     case AV_PIX_FMT_GBRAP16BE:
         w_align = 16; //FIXME assume 16 pixel per macroblock
         h_align = 16 * 2; // interlaced needs 2 macroblocks height
+        if (s->codec_id == AV_CODEC_ID_BINKVIDEO)
+            w_align = 16*2;
         break;
     case AV_PIX_FMT_YUV411P:
     case AV_PIX_FMT_YUVJ411P:
@@ -317,12 +319,13 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
     }
 
     if (s->codec_id == AV_CODEC_ID_IFF_ILBM) {
-        w_align = FFMAX(w_align, 8);
+        w_align = FFMAX(w_align, 16);
     }
 
     *width  = FFALIGN(*width, w_align);
     *height = FFALIGN(*height, h_align);
     if (s->codec_id == AV_CODEC_ID_H264 || s->lowres ||
+        s->codec_id == AV_CODEC_ID_VC1  || s->codec_id == AV_CODEC_ID_WMV3 ||
         s->codec_id == AV_CODEC_ID_VP5  || s->codec_id == AV_CODEC_ID_VP6 ||
         s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A
     ) {
@@ -336,6 +339,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
         // the next rounded up width is 32
         *width = FFMAX(*width, 32);
     }
+    if (s->codec_id == AV_CODEC_ID_SVQ3) {
+        *width = FFMAX(*width, 32);
+    }
 
     for (i = 0; i < 4; i++)
         linesize_align[i] = STRIDE_ALIGN;

libavcodec/vdpau_mpeg12.c

@@ -73,8 +73,9 @@ static int vdpau_mpeg_start_frame(AVCodecContext *avctx,
     info->f_code[1][0]               = s->mpeg_f_code[1][0];
     info->f_code[1][1]               = s->mpeg_f_code[1][1];
     for (i = 0; i < 64; ++i) {
-        info->intra_quantizer_matrix[i]     = s->intra_matrix[i];
-        info->non_intra_quantizer_matrix[i] = s->inter_matrix[i];
+        int n = s->idsp.idct_permutation[i];
+        info->intra_quantizer_matrix[i]     = s->intra_matrix[n];
+        info->non_intra_quantizer_matrix[i] = s->inter_matrix[n];
     }
 
     return ff_vdpau_common_start_frame(pic_ctx, buffer, size);

libavcodec/vdpau_mpeg4.c

@@ -74,8 +74,9 @@ static int vdpau_mpeg4_start_frame(AVCodecContext *avctx,
     info->alternate_vertical_scan_flag      = s->alternate_scan;
     info->top_field_first                   = s->top_field_first;
     for (i = 0; i < 64; ++i) {
-        info->intra_quantizer_matrix[i]     = s->intra_matrix[i];
-        info->non_intra_quantizer_matrix[i] = s->inter_matrix[i];
+        int n = s->idsp.idct_permutation[i];
+        info->intra_quantizer_matrix[i]     = s->intra_matrix[n];
+        info->non_intra_quantizer_matrix[i] = s->inter_matrix[n];
     }
 
     ff_vdpau_common_start_frame(pic_ctx, buffer, size);

libavcodec/videodsp_template.c

@@ -60,7 +60,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src,
     av_assert2(start_x < end_x && block_w);
 
     w    = end_x - start_x;
-    src += start_y * src_linesize + start_x * sizeof(pixel);
+    src += start_y * src_linesize + start_x * (ptrdiff_t)sizeof(pixel);
     buf += start_x * sizeof(pixel);
 
     // top
@@ -83,7 +83,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src,
         buf += buf_linesize;
     }
 
-    buf -= block_h * buf_linesize + start_x * sizeof(pixel);
+    buf -= block_h * buf_linesize + start_x * (ptrdiff_t)sizeof(pixel);
     while (block_h--) {
         pixel *bufp = (pixel *) buf;
 

libavcodec/vorbisdec.c

@@ -363,6 +363,10 @@ static int vorbis_parse_setup_hdr_codebooks(vorbis_context *vc)
             unsigned codebook_value_bits = get_bits(gb, 4) + 1;
             unsigned codebook_sequence_p = get_bits1(gb);
 
+            if (!isfinite(codebook_minimum_value) || !isfinite(codebook_delta_value)) {
+                ret = AVERROR_INVALIDDATA;
+                goto error;
+            }
             ff_dlog(NULL, " We expect %d numbers for building the codevectors. \n",
                     codebook_lookup_values);
             ff_dlog(NULL, "  delta %f minmum %f \n",

libavcodec/vp3.c

@@ -1782,6 +1782,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx)
     s->avctx  = avctx;
     s->width  = FFALIGN(avctx->coded_width, 16);
     s->height = FFALIGN(avctx->coded_height, 16);
+    if (s->width < 18)
+        return AVERROR_PATCHWELCOME;
     if (avctx->codec_id != AV_CODEC_ID_THEORA)
         avctx->pix_fmt = AV_PIX_FMT_YUV420P;
     avctx->chroma_sample_location = AVCHROMA_LOC_CENTER;
@@ -2136,8 +2138,13 @@ static int vp3_decode_frame(AVCodecContext *avctx,
     if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0)
         goto error;
 
-    if (!s->edge_emu_buffer)
+    if (!s->edge_emu_buffer) {
         s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0]));
+        if (!s->edge_emu_buffer) {
+            ret = AVERROR(ENOMEM);
+            goto error;
+        }
+    }
 
     if (s->keyframe) {
         if (!s->theora) {
@@ -2347,7 +2354,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
     /* sanity check */
     if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 ||
         visible_width  + offset_x > s->width ||
-        visible_height + offset_y > s->height) {
+        visible_height + offset_y > s->height ||
+        visible_width < 18
+    ) {
         av_log(avctx, AV_LOG_ERROR,
                "Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n",
                visible_width, visible_height, offset_x, offset_y,
@@ -2393,6 +2402,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
     } else
         avctx->pix_fmt = AV_PIX_FMT_YUV420P;
 
+    if (s->width < 18)
+        return AVERROR_PATCHWELCOME;
     ret = ff_set_dimensions(avctx, s->width, s->height);
     if (ret < 0)
         return ret;

libavcodec/vqavideo.c

@@ -588,13 +588,14 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame)
         if (s->partial_countdown <= 0) {
             bytestream2_init(&s->gb, s->next_codebook_buffer, s->next_codebook_buffer_index);
             /* decompress codebook */
-            if ((res = decode_format80(s, s->next_codebook_buffer_index,
-                                       s->codebook, s->codebook_size, 0)) < 0)
-                return res;
+            res = decode_format80(s, s->next_codebook_buffer_index,
+                                  s->codebook, s->codebook_size, 0);
 
             /* reset accounting */
             s->next_codebook_buffer_index = 0;
             s->partial_countdown = s->partial_count;
+            if (res < 0)
+                return res;
         }
     }
 

libavcodec/wavpack.c

@@ -95,7 +95,7 @@ static av_always_inline unsigned get_tail(GetBitContext *gb, int k)
     e   = (1 << (p + 1)) - k - 1;
     res = get_bitsz(gb, p);
     if (res >= e)
-        res = (res << 1) - e + get_bits1(gb);
+        res = res * 2U - e + get_bits1(gb);
     return res;
 }
 

libavcodec/wnv1.c

@@ -136,6 +136,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
 {
     static VLC_TYPE code_table[1 << CODE_VLC_BITS][2];
 
+    if (avctx->width <= 1)
+        return AVERROR_INVALIDDATA;
+
     avctx->pix_fmt = AV_PIX_FMT_YUV422P;
 
     code_vlc.table           = code_table;

libavcodec/x86/mathops.h

@@ -35,12 +35,20 @@
 static av_always_inline av_const int MULL(int a, int b, unsigned shift)
 {
     int rt, dummy;
+    if (__builtin_constant_p(shift))
     __asm__ (
         "imull %3               \n\t"
         "shrdl %4, %%edx, %%eax \n\t"
         :"=a"(rt), "=d"(dummy)
-        :"a"(a), "rm"(b), "ci"((uint8_t)shift)
+        :"a"(a), "rm"(b), "i"(shift & 0x1F)
     );
+    else
+        __asm__ (
+            "imull %3               \n\t"
+            "shrdl %4, %%edx, %%eax \n\t"
+            :"=a"(rt), "=d"(dummy)
+            :"a"(a), "rm"(b), "c"((uint8_t)shift)
+        );
     return rt;
 }
 
@@ -113,19 +121,31 @@ __asm__ volatile(\
 // avoid +32 for shift optimization (gcc should do that ...)
 #define NEG_SSR32 NEG_SSR32
 static inline  int32_t NEG_SSR32( int32_t a, int8_t s){
+    if (__builtin_constant_p(s))
     __asm__ ("sarl %1, %0\n\t"
          : "+r" (a)
-         : "ic" ((uint8_t)(-s))
+         : "i" (-s & 0x1F)
     );
+    else
+        __asm__ ("sarl %1, %0\n\t"
+               : "+r" (a)
+               : "c" ((uint8_t)(-s))
+        );
     return a;
 }
 
 #define NEG_USR32 NEG_USR32
 static inline uint32_t NEG_USR32(uint32_t a, int8_t s){
+    if (__builtin_constant_p(s))
     __asm__ ("shrl %1, %0\n\t"
          : "+r" (a)
-         : "ic" ((uint8_t)(-s))
+         : "i" (-s & 0x1F)
     );
+    else
+        __asm__ ("shrl %1, %0\n\t"
+               : "+r" (a)
+               : "c" ((uint8_t)(-s))
+        );
     return a;
 }
 

libavcodec/xpmdec.c

@@ -351,6 +351,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data,
         return AVERROR_INVALIDDATA;
     }
 
+    if (size > SIZE_MAX / 4)
+        return AVERROR(ENOMEM);
+
     size *= 4;
 
     ptr += mod_strcspn(ptr, ",") + 1;

libavfilter/vf_colorspace.c

@@ -852,6 +852,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
     res = av_frame_copy_props(out, in);
     if (res < 0) {
         av_frame_free(&in);
+        av_frame_free(&out);
         return res;
     }
 
@@ -911,13 +912,18 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
             !s->dither_scratch_base[1][0] || !s->dither_scratch_base[1][1] ||
             !s->dither_scratch_base[2][0] || !s->dither_scratch_base[2][1]) {
             uninit(ctx);
+            av_frame_free(&in);
+            av_frame_free(&out);
             return AVERROR(ENOMEM);
         }
         s->rgb_sz = rgb_sz;
     }
     res = create_filtergraph(ctx, in, out);
-    if (res < 0)
+    if (res < 0) {
+        av_frame_free(&in);
+        av_frame_free(&out);
         return res;
+    }
     s->rgb_stride = rgb_stride / sizeof(int16_t);
     td.in = in;
     td.out = out;
@@ -931,8 +937,11 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
     td.out_ss_h = av_pix_fmt_desc_get(out->format)->log2_chroma_h;
     if (s->yuv2yuv_passthrough) {
         res = av_frame_copy(out, in);
-        if (res < 0)
+        if (res < 0) {
+            av_frame_free(&in);
+            av_frame_free(&out);
             return res;
+        }
     } else {
         ctx->internal->execute(ctx, convert, &td, NULL,
                                FFMIN((in->height + 1) >> 1, ff_filter_get_nb_threads(ctx)));

libavfilter/vf_frei0r.c

@@ -353,15 +353,21 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
 {
     Frei0rContext *s = inlink->dst->priv;
     AVFilterLink *outlink = inlink->dst->outputs[0];
-    AVFrame *out;
+    AVFrame *out = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16);
+    if (!out)
+        goto fail;
 
-    out = ff_get_video_buffer(outlink, outlink->w, outlink->h);
-    if (!out) {
-        av_frame_free(&in);
-        return AVERROR(ENOMEM);
-    }
     av_frame_copy_props(out, in);
 
+    if (in->linesize[0] != out->linesize[0]) {
+        AVFrame *in2 = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16);
+        if (!in2)
+            goto fail;
+        av_frame_copy(in2, in);
+        av_frame_free(&in);
+        in = in2;
+    }
+
     s->update(s->instance, in->pts * av_q2d(inlink->time_base) * 1000,
                    (const uint32_t *)in->data[0],
                    (uint32_t *)out->data[0]);
@@ -369,6 +375,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
     av_frame_free(&in);
 
     return ff_filter_frame(outlink, out);
+fail:
+    av_frame_free(&in);
+    av_frame_free(&out);
+    return AVERROR(ENOMEM);
 }
 
 #define OFFSET(x) offsetof(Frei0rContext, x)
@@ -451,7 +461,7 @@ static int source_config_props(AVFilterLink *outlink)
 static int source_request_frame(AVFilterLink *outlink)
 {
     Frei0rContext *s = outlink->src->priv;
-    AVFrame *frame = ff_get_video_buffer(outlink, outlink->w, outlink->h);
+    AVFrame *frame = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16);
 
     if (!frame)
         return AVERROR(ENOMEM);

libavfilter/vf_gblur.c

@@ -222,7 +222,7 @@ static int config_input(AVFilterLink *inlink)
 
     s->nb_planes = av_pix_fmt_count_planes(inlink->format);
 
-    s->buffer = av_malloc_array(inlink->w, inlink->h * sizeof(*s->buffer));
+    s->buffer = av_malloc_array(FFALIGN(inlink->w, 16), FFALIGN(inlink->h, 16) * sizeof(*s->buffer));
     if (!s->buffer)
         return AVERROR(ENOMEM);
 

libavfilter/vf_lenscorrection.c

@@ -36,8 +36,8 @@
 
 typedef struct LenscorrectionCtx {
     const AVClass *av_class;
-    unsigned int width;
-    unsigned int height;
+    int width;
+    int height;
     int hsub, vsub;
     int nb_planes;
     double cx, cy, k1, k2;
@@ -155,10 +155,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
     for (plane = 0; plane < rect->nb_planes; ++plane) {
         int hsub = plane == 1 || plane == 2 ? rect->hsub : 0;
         int vsub = plane == 1 || plane == 2 ? rect->vsub : 0;
-        int hdiv = 1 << hsub;
-        int vdiv = 1 << vsub;
-        int w = rect->width / hdiv;
-        int h = rect->height / vdiv;
+        int w = AV_CEIL_RSHIFT(rect->width, hsub);
+        int h = AV_CEIL_RSHIFT(rect->height, vsub);
         int xcenter = rect->cx * w;
         int ycenter = rect->cy * h;
         int k1 = rect->k1 * (1<<24);

libavfilter/vf_random.c

@@ -108,6 +108,14 @@ static int request_frame(AVFilterLink *outlink)
     return ret;
 }
 
+static av_cold void uninit(AVFilterContext *ctx)
+{
+    RandomContext *s = ctx->priv;
+
+    for (int i = 0; i < s->nb_frames; i++)
+        av_frame_free(&s->frames[i]);
+}
+
 static const AVFilterPad random_inputs[] = {
     {
         .name         = "default",
@@ -132,6 +140,7 @@ AVFilter ff_vf_random = {
     .priv_size   = sizeof(RandomContext),
     .priv_class  = &random_class,
     .init        = init,
+    .uninit      = uninit,
     .inputs      = random_inputs,
     .outputs     = random_outputs,
 };

libavfilter/vf_signature.c

@@ -223,7 +223,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref)
     dw1 = inlink->w / 32;
     if (inlink->w % 32)
         dw2 = dw1 + 1;
-    denom = (sc->divide) ? dh1 * dh2 * dw1 * dw2 : 1;
+    denom = (sc->divide) ? dh1 * (int64_t)dh2 * dw1 * dw2 : 1;
 
     for (i = 0; i < 32; i++) {
         rowcount = 0;
@@ -249,7 +249,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref)
         }
     }
 
-    denom = (sc->divide) ? 1 : dh1 * dh2 * dw1 * dw2;
+    denom = (sc->divide) ? 1 : dh1 * (int64_t)dh2 * dw1 * dw2;
 
     for (i = 0; i < ELEMENT_COUNT; i++) {
         const ElemCat* elemcat = elements[i];

libavfilter/vf_subtitles.c

@@ -145,9 +145,16 @@ static int config_input(AVFilterLink *inlink)
     ff_draw_init(&ass->draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0);
 
     ass_set_frame_size  (ass->renderer, inlink->w, inlink->h);
-    if (ass->original_w && ass->original_h)
+    if (ass->original_w && ass->original_h) {
         ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h,
                              (double)ass->original_w / ass->original_h);
+#if LIBASS_VERSION > 0x01010000
+        ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h);
+    } else {
+        ass_set_storage_size(ass->renderer, inlink->w, inlink->h);
+#endif
+    }
+
     if (ass->shaping != -1)
         ass_set_shaper(ass->renderer, ass->shaping);
 

libavfilter/video.c

@@ -41,7 +41,7 @@ AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h)
     return ff_get_video_buffer(link->dst->outputs[0], w, h);
 }
 
-AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h)
+AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align)
 {
     AVFrame *frame = NULL;
     int pool_width = 0;
@@ -96,6 +96,11 @@ AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h)
     return frame;
 }
 
+AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h)
+{
+    return ff_default_get_video_buffer2(link, w, h, av_cpu_max_align());
+}
+
 AVFrame *ff_get_video_buffer(AVFilterLink *link, int w, int h)
 {
     AVFrame *ret = NULL;

libavfilter/video.h

@@ -24,6 +24,7 @@
 #include "avfilter.h"
 
 AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h);
+AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align);
 AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h);
 
 /**

libavfilter/vsrc_mandelbrot.c

@@ -134,6 +134,9 @@ static av_cold int init(AVFilterContext *ctx)
     s-> next_cache= av_malloc_array(s->cache_allocated, sizeof(*s-> next_cache));
     s-> zyklus    = av_malloc_array(s->maxiter + 16, sizeof(*s->zyklus));
 
+    if (!s->point_cache || !s->next_cache || !s->zyklus)
+        return AVERROR(ENOMEM);
+
     return 0;
 }
 

libavformat/4xm.c

@@ -137,7 +137,8 @@ static int parse_strk(AVFormatContext *s,
         return AVERROR_INVALIDDATA;
 
     track = AV_RL32(buf + 8);
-    if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) {
+    if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 ||
+        track >= s->max_streams) {
         av_log(s, AV_LOG_ERROR, "current_track too large\n");
         return AVERROR_INVALIDDATA;
     }
@@ -148,6 +149,9 @@ static int parse_strk(AVFormatContext *s,
         memset(&fourxm->tracks[fourxm->track_count], 0,
                sizeof(AudioTrack) * (track + 1 - fourxm->track_count));
         fourxm->track_count = track + 1;
+    } else {
+        if (fourxm->tracks[track].bits)
+            return AVERROR_INVALIDDATA;
     }
     fourxm->tracks[track].adpcm       = AV_RL32(buf + 12);
     fourxm->tracks[track].channels    = AV_RL32(buf + 36);

libavformat/act.c

@@ -66,6 +66,7 @@ static int read_header(AVFormatContext *s)
     AVIOContext *pb = s->pb;
     int size;
     AVStream* st;
+    int ret;
 
     int min,sec,msec;
 
@@ -75,7 +76,9 @@ static int read_header(AVFormatContext *s)
 
     avio_skip(pb, 16);
     size=avio_rl32(pb);
-    ff_get_wav_header(s, pb, st->codecpar, size, 0);
+    ret = ff_get_wav_header(s, pb, st->codecpar, size, 0);
+    if (ret < 0)
+        return ret;
 
     /*
       8000Hz (Fine-rec) file format has 10 bytes long

libavformat/aiffdec.c

@@ -54,9 +54,9 @@ static enum AVCodecID aiff_codec_get_id(int bps)
 }
 
 /* returns the size of the found tag */
-static int get_tag(AVIOContext *pb, uint32_t * tag)
+static int64_t get_tag(AVIOContext *pb, uint32_t * tag)
 {
-    int size;
+    int64_t size;
 
     if (avio_feof(pb))
         return AVERROR(EIO);
@@ -64,16 +64,16 @@ static int get_tag(AVIOContext *pb, uint32_t * tag)
     *tag = avio_rl32(pb);
     size = avio_rb32(pb);
 
-    if (size < 0)
-        size = 0x7fffffff;
-
     return size;
 }
 
 /* Metadata string read */
-static void get_meta(AVFormatContext *s, const char *key, int size)
+static void get_meta(AVFormatContext *s, const char *key, int64_t size)
 {
-    uint8_t *str = av_malloc(size+1);
+    uint8_t *str = NULL;
+
+    if (size < SIZE_MAX)
+        str = av_malloc(size+1);
 
     if (str) {
         int res = avio_read(s->pb, str, size);
@@ -90,7 +90,7 @@ static void get_meta(AVFormatContext *s, const char *key, int size)
 }
 
 /* Returns the number of sound data frames or negative on error */
-static int get_aiff_header(AVFormatContext *s, int size,
+static int get_aiff_header(AVFormatContext *s, int64_t size,
                                     unsigned version)
 {
     AVIOContext *pb        = s->pb;
@@ -101,9 +101,6 @@ static int get_aiff_header(AVFormatContext *s, int size,
     int sample_rate;
     unsigned int num_frames;
 
-    if (size == INT_MAX)
-        return AVERROR_INVALIDDATA;
-
     if (size & 1)
         size++;
     par->codec_type = AVMEDIA_TYPE_AUDIO;
@@ -121,6 +118,9 @@ static int get_aiff_header(AVFormatContext *s, int size,
         sample_rate = val << exp;
     else
         sample_rate = (val + (1ULL<<(-exp-1))) >> -exp;
+    if (sample_rate <= 0)
+        return AVERROR_INVALIDDATA;
+
     par->sample_rate = sample_rate;
     if (size < 18)
         return AVERROR_INVALIDDATA;
@@ -183,8 +183,10 @@ static int get_aiff_header(AVFormatContext *s, int size,
         par->block_align = (av_get_bits_per_sample(par->codec_id) * par->channels) >> 3;
 
     if (aiff->block_duration) {
-        par->bit_rate = (int64_t)par->sample_rate * (par->block_align << 3) /
-                        aiff->block_duration;
+        par->bit_rate = av_rescale(par->sample_rate, par->block_align * 8LL,
+                                   aiff->block_duration);
+        if (par->bit_rate < 0)
+            par->bit_rate = 0;
     }
 
     /* Chunk is over */
@@ -209,7 +211,8 @@ static int aiff_probe(AVProbeData *p)
 /* aiff input */
 static int aiff_read_header(AVFormatContext *s)
 {
-    int ret, size, filesize;
+    int ret;
+    int64_t filesize, size;
     int64_t offset = 0, position;
     uint32_t tag;
     unsigned version = AIFF_C_VERSION1;
@@ -220,7 +223,7 @@ static int aiff_read_header(AVFormatContext *s)
 
     /* check FORM header */
     filesize = get_tag(pb, &tag);
-    if (filesize < 0 || tag != MKTAG('F', 'O', 'R', 'M'))
+    if (filesize < 4 || tag != MKTAG('F', 'O', 'R', 'M'))
         return AVERROR_INVALIDDATA;
 
     /* AIFF data type */
@@ -359,10 +362,12 @@ got_sound:
     if (!st->codecpar->block_align && st->codecpar->codec_id == AV_CODEC_ID_QCELP) {
         av_log(s, AV_LOG_WARNING, "qcelp without wave chunk, assuming full rate\n");
         st->codecpar->block_align = 35;
-    } else if (!st->codecpar->block_align) {
+    } else if (st->codecpar->block_align <= 0) {
         av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n");
         return -1;
     }
+    if (aiff->block_duration < 0)
+        return AVERROR_INVALIDDATA;
 
     /* Now positioned, get the sound data start and end */
     avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate);
@@ -417,7 +422,7 @@ static int aiff_read_packet(AVFormatContext *s,
         pkt->flags &= ~AV_PKT_FLAG_CORRUPT;
     /* Only one stream in an AIFF file */
     pkt->stream_index = 0;
-    pkt->duration     = (res / st->codecpar->block_align) * aiff->block_duration;
+    pkt->duration     = (res / st->codecpar->block_align) * (int64_t) aiff->block_duration;
     return 0;
 }
 

libavformat/ape.c

@@ -42,8 +42,8 @@
 
 typedef struct APEFrame {
     int64_t pos;
+    int64_t size;
     int nblocks;
-    int size;
     int skip;
     int64_t pts;
 } APEFrame;
@@ -146,7 +146,7 @@ static void ape_dumpinfo(AVFormatContext * s, APEContext * ape_ctx)
 
     av_log(s, AV_LOG_DEBUG, "\nFrames\n\n");
     for (i = 0; i < ape_ctx->totalframes; i++)
-        av_log(s, AV_LOG_DEBUG, "%8d   %8"PRId64" %8d (%d samples)\n", i,
+        av_log(s, AV_LOG_DEBUG, "%8d   %8"PRId64" %8"PRId64" (%d samples)\n", i,
                ape_ctx->frames[i].pos, ape_ctx->frames[i].size,
                ape_ctx->frames[i].nblocks);
 
@@ -164,7 +164,8 @@ static int ape_read_header(AVFormatContext * s)
     AVStream *st;
     uint32_t tag;
     int i;
-    int total_blocks, final_size = 0;
+    int total_blocks;
+    int64_t final_size = 0;
     int64_t pts, file_size;
 
     /* Skip any leading junk such as id3v2 tags */
@@ -322,6 +323,8 @@ static int ape_read_header(AVFormatContext * s)
             ape->frames[i].pos  -= ape->frames[i].skip;
             ape->frames[i].size += ape->frames[i].skip;
         }
+        if (ape->frames[i].size > INT_MAX - 3)
+            return AVERROR_INVALIDDATA;
         ape->frames[i].size = (ape->frames[i].size + 3) & ~3;
     }
     if (ape->fileversion < 3810) {
@@ -403,7 +406,7 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt)
 
     if (ape->frames[ape->currentframe].size <= 0 ||
         ape->frames[ape->currentframe].size > INT_MAX - extra_size) {
-        av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n",
+        av_log(s, AV_LOG_ERROR, "invalid packet size: %8"PRId64"\n",
                ape->frames[ape->currentframe].size);
         ape->currentframe++;
         return AVERROR(EIO);

libavformat/aqtitledec.c

@@ -74,7 +74,8 @@ static int aqt_read_header(AVFormatContext *s)
             new_event = 1;
             pos = avio_tell(s->pb);
             if (sub) {
-                sub->duration = frame - sub->pts;
+                if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX)
+                    sub->duration = frame - sub->pts;
                 sub = NULL;
             }
         } else if (*line) {

libavformat/asfdec_f.c

@@ -104,7 +104,7 @@ typedef struct ASFContext {
     int ts_is_pts;
     int packet_multi_size;
     int packet_time_delta;
-    int packet_time_start;
+    int64_t packet_time_start;
     int64_t packet_pos;
 
     int stream_index;
@@ -1315,10 +1315,12 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
             if ((ret = av_new_packet(&asf_st->pkt, asf_st->packet_obj_size)) < 0)
                 return ret;
             asf_st->seq              = asf->packet_seq;
-            if (asf->ts_is_pts) {
-                asf_st->pkt.pts          = asf->packet_frag_timestamp - asf->hdr.preroll;
-            } else
-                asf_st->pkt.dts          = asf->packet_frag_timestamp - asf->hdr.preroll;
+            if (asf->packet_frag_timestamp != AV_NOPTS_VALUE) {
+                if (asf->ts_is_pts) {
+                    asf_st->pkt.pts          = asf->packet_frag_timestamp - asf->hdr.preroll;
+                } else
+                    asf_st->pkt.dts          = asf->packet_frag_timestamp - asf->hdr.preroll;
+            }
             asf_st->pkt.stream_index = asf->stream_index;
             asf_st->pkt.pos          = asf_st->packet_pos = asf->packet_pos;
             asf_st->pkt_clean        = 0;

libavformat/asfdec_o.c

@@ -113,6 +113,7 @@ typedef struct ASFContext {
     int64_t data_offset;
     int64_t first_packet_offset; // packet offset
     int64_t unknown_offset;   // for top level header objects or subobjects without specified behavior
+    int in_asf_read_unknown;
 
     // ASF file must not contain more than 128 streams according to the specification
     ASFStream *asf_st[ASF_MAX_STREAMS];
@@ -177,7 +178,7 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
     uint64_t size   = avio_rl64(pb);
     int ret;
 
-    if (size > INT64_MAX)
+    if (size > INT64_MAX || asf->in_asf_read_unknown > 5)
         return AVERROR_INVALIDDATA;
 
     if (asf->is_header)
@@ -186,8 +187,11 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
     if (!g->is_subobject) {
         if (!(ret = strcmp(g->name, "Header Extension")))
             avio_skip(pb, 22); // skip reserved fields and Data Size
-        if ((ret = detect_unknown_subobject(s, asf->unknown_offset,
-                                            asf->unknown_size)) < 0)
+        asf->in_asf_read_unknown ++;
+        ret = detect_unknown_subobject(s, asf->unknown_offset,
+                                            asf->unknown_size);
+        asf->in_asf_read_unknown --;
+        if (ret < 0)
             return ret;
     } else {
         if (size < 24) {
@@ -1357,6 +1361,8 @@ static int asf_read_packet_header(AVFormatContext *s)
     unsigned char error_flags, len_flags, pay_flags;
 
     asf->packet_offset = avio_tell(pb);
+    if (asf->packet_offset > INT64_MAX/2)
+        asf->packet_offset = 0;
     error_flags = avio_r8(pb); // read Error Correction Flags
     if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) {
         if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) {

libavformat/avidec.c

@@ -80,6 +80,8 @@ typedef struct AVIContext {
     int stream_index;
     DVDemuxContext *dv_demux;
     int odml_depth;
+    int64_t odml_read;
+    int64_t odml_max_pos;
     int use_odml;
 #define MAX_ODML_DEPTH 1000
     int64_t dts_max;
@@ -189,7 +191,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
     st  = s->streams[stream_id];
     ast = st->priv_data;
 
-    if (index_sub_type)
+    if (index_sub_type || entries_in_use < 0)
         return AVERROR_INVALIDDATA;
 
     avio_rl32(pb);
@@ -210,11 +212,18 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
     }
 
     for (i = 0; i < entries_in_use; i++) {
+        avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb));
+
+        // If we read more than there are bytes then we must have been reading something twice
+        if (avi->odml_read > avi->odml_max_pos)
+            return AVERROR_INVALIDDATA;
+
         if (index_type) {
             int64_t pos = avio_rl32(pb) + base - 8;
             int len     = avio_rl32(pb);
             int key     = len >= 0;
             len &= 0x7FFFFFFF;
+            avi->odml_read += 8;
 
             av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len);
 
@@ -232,6 +241,9 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
         } else {
             int64_t offset, pos;
             int duration;
+            int ret;
+            avi->odml_read += 16;
+
             offset = avio_rl64(pb);
             avio_rl32(pb);       /* size */
             duration = avio_rl32(pb);
@@ -249,7 +261,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
             if (avio_seek(pb, offset + 8, SEEK_SET) < 0)
                 return -1;
             avi->odml_depth++;
-            read_odml_index(s, frame_num);
+            ret = read_odml_index(s, frame_num);
             avi->odml_depth--;
             frame_num += duration;
 
@@ -257,7 +269,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
                 av_log(s, AV_LOG_ERROR, "Failed to restore position after reading index\n");
                 return -1;
             }
-
+            if (ret < 0)
+                return ret;
         }
     }
     avi->index_loaded = 2;
@@ -840,6 +853,8 @@ FF_ENABLE_DEPRECATION_WARNINGS
                             memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9,
                                    "BottomUp", 9);
                     }
+                    if (st->codecpar->height == INT_MIN)
+                        return AVERROR_INVALIDDATA;
                     st->codecpar->height = FFABS(st->codecpar->height);
 
 //                    avio_skip(pb, size - 5 * 4);

libavformat/bfi.c

@@ -143,12 +143,12 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)
         audio_offset    = avio_rl32(pb);
         avio_rl32(pb);
         video_offset    = avio_rl32(pb);
-        audio_size      = video_offset - audio_offset;
-        bfi->video_size = chunk_size - video_offset;
-        if (audio_size < 0 || bfi->video_size < 0) {
+        if (audio_offset < 0 || video_offset < audio_offset || chunk_size < video_offset) {
             av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n");
             return AVERROR_INVALIDDATA;
         }
+        audio_size      = video_offset - audio_offset;
+        bfi->video_size = chunk_size - video_offset;
 
         //Tossing an audio packet at the audio decoder.
         ret = av_get_packet(pb, pkt, audio_size);

libavformat/cafdec.c

@@ -243,6 +243,8 @@ static void read_info_chunk(AVFormatContext *s, int64_t size)
         char value[1024];
         avio_get_str(pb, INT_MAX, key, sizeof(key));
         avio_get_str(pb, INT_MAX, value, sizeof(value));
+        if (!*key)
+            continue;
         av_dict_set(&s->metadata, key, value, 0);
     }
 }
@@ -339,7 +341,7 @@ static int read_header(AVFormatContext *s)
         return AVERROR_INVALIDDATA;
 
     if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) {
-        if (caf->data_size > 0)
+        if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet)
             st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet;
     } else if (st->nb_index_entries && st->duration > 0) {
         if (st->codecpar->sample_rate && caf->data_size / st->duration > INT64_MAX / st->codecpar->sample_rate / 8) {

libavformat/dxa.c

@@ -118,9 +118,12 @@ static int dxa_read_header(AVFormatContext *s)
             if(tag == MKTAG('d', 'a', 't', 'a')) break;
             avio_skip(pb, fsize);
         }
-        c->bpc = (fsize + c->frames - 1) / c->frames;
-        if(ast->codecpar->block_align)
+        c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames;
+        if(ast->codecpar->block_align) {
+            if (c->bpc > INT_MAX - ast->codecpar->block_align + 1)
+                return AVERROR_INVALIDDATA;
             c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align;
+        }
         c->bytes_left = fsize;
         c->wavpos = avio_tell(pb);
         avio_seek(pb, c->vidpos, SEEK_SET);

libavformat/flvdec.c

@@ -434,6 +434,10 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m
             d = av_int2double(avio_rb64(ioc));
             if (isnan(d) || d < INT64_MIN || d > INT64_MAX)
                 goto invalid;
+            if (current_array == &times && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000))
+                goto invalid;
+            if (avio_feof(ioc))
+                goto invalid;
             current_array[0][i] = d;
         }
         if (times && filepositions) {

libavformat/genh.c

@@ -67,6 +67,9 @@ static int genh_read_header(AVFormatContext *s)
         return AVERROR_INVALIDDATA;
     st->codecpar->block_align = align * st->codecpar->channels;
     st->codecpar->sample_rate = avio_rl32(s->pb);
+    if (st->codecpar->sample_rate < 0)
+        return AVERROR_INVALIDDATA;
+
     avio_skip(s->pb, 4);
     st->duration = avio_rl32(s->pb);
 

libavformat/hls.c

@@ -232,6 +232,7 @@ static void free_init_section_list(struct playlist *pls)
 {
     int i;
     for (i = 0; i < pls->n_init_sections; i++) {
+        av_freep(&pls->init_sections[i]->key);
         av_freep(&pls->init_sections[i]->url);
         av_freep(&pls->init_sections[i]);
     }
@@ -786,10 +787,16 @@ static int parse_playlist(HLSContext *c, const char *url,
                                &info);
             new_rendition(c, &info, url);
         } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", &ptr)) {
+            int64_t t;
             ret = ensure_playlist(c, &pls, url);
             if (ret < 0)
                 goto fail;
-            pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE;
+            t = strtoll(ptr, NULL, 10);
+            if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
+            pls->target_duration = t * AV_TIME_BASE;
         } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", &ptr)) {
             ret = ensure_playlist(c, &pls, url);
             if (ret < 0)