Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/pnmdec: Use unsigned for maxval rescaling
2020-05-21 15:33:14 +02:00 · 2020-05-21 15:32:29 +02:00 · 2020-05-21 15:32:29 +02:00 · 2020-05-21 15:32:28 +02:00 · 2020-05-21 15:32:28 +02:00 · 2020-05-21 15:32:28 +02:00
130 changed files with 1071 additions and 616 deletions
@@ -1,6 +1,208 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 4.2.3
+- avcodec/pnmdec: Use unsigned for maxval rescaling
+- avcodec/ivi: Clear got_p_frame before decoding a new frame using it
+- avcodec/dsddec: Check channels
+- avcodec/xvididct: Fix integer overflow in idct_row()
+- avcodec/wmalosslessdec: Fix integer overflows in revert_inter_ch_decorr()
+- avcodec/cbs_jpeg: Fix infinite loop in cbs_jpeg_split_fragment()
+- avformat/mpegenc: Fix integer overflow with AV_NOPTS_VALUE
+- avformat/swfenc: Fix integer overflow in frame rate handling
+- avformat/aadec: Check toc_size to contain the minimum to demuxer uses
+- avcodec/cbs_h265_syntax_template: Limit num_long_term_pics more strictly
+- ffplay: set stream_index to -1 earlier to prevent segfault
+- avformat/mov: Free temp buffer upon negative sample_size error.
+- avformat/matroskadec: Improve forward compability
+- avformat/matroskadec: Don't discard valid packets
+- avformat/matroskaenc: Don't segfault when seekability changes
+- avformat/utils: Fix memleaks
+- avformat/utils: Fix memleaks in avformat_open_input()
+- avfilter/vf_dedot: Fix leak of AVFrame if making it writable fails
+- avfilter/vf_paletteuse: Fix potential double-free of AVFrame
+- avformat/mov: Don't leak MOVFragmentStreamInfo on error
+- avformat/mov: Free encryption data on error
+- fftools/ffmpeg: Free swresample dictionary during cleanup
+- avcodec/mediacodec_wrapper: fix {input,output}_buffers global reference leak
+- avformat/webm_chunk: Close IO if writing header fails
+- avcodec/cavsdsp: Fix undefined left shifts of negative numbers
+- avcodec/ra144enc: Fix invalid left shift of negative number
+- avcodec/adxenc: Avoid undefined left shift of negative numbers
+- avcodec/adpcm: Fix undefined left shifts of negative numbers
+- avcodec/proresenc_anatoliy: Fix invalid left shift of negative number
+- avformat/aviobuf: Honor avio_open[2] documentation
+- avcodec/cinepakenc: Fix invalid shifts
+- avfilter/vf_xbr: Fix left shift of negative number
+- avfilter/vf_hqx: Fix undefined left shifts of negative numbers
+- avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers
+- avcodec/ituh263dec: Fix undefined left shift of negative number
+- avcodec/dnxhdenc: Fix undefined left shifts of negative numbers
+- swscale/utils: Fix invalid left shifts of negative numbers
+- swscale/x86/swscale: Fix undefined left shifts of negative numbers
+- fftools/ffmpeg_opt: Fix signed integer overflow
+- avcodec/exr: Fix undefined left shifts of negative numbers
+- avformat/movenc: Fix undefined shift
+- avcodec/pcm: Fix undefined shifts
+- avcodec/wavpackenc: Fix undefined shifts
+- avutil/encryption_info: Don't pass NULL to memcpy
+- avcodec/ac3enc: Fix memleak
+- avcodec/ac3enc: Fix invalid shift
+- avcodec/g723_1dec: Fix invalid shift
+- avcodec/tdsc: Fix undefined shifts
+- avcodec/ttaenc: Fix undefined shift
+- avformat/avidec: Fix memleak with embedded GAB2 subtitles
+- avformat/matroskadec: Don't discard the upper 32bits of TrackNumber
+- dump_extradata: Insert extradata even for small packets
+- avformat/segafilmenc: Fix undefined left shift of 1 by 31 places
+- avformat/wtvdec: Fix memleak when reading header fails
+- avformat/dashenc: Fix leak of AVFormatContext on error
+- avformat/fitsdec: Fix potential leak of string in AVBPrint
+- avformat/matroskadec: Sanitize SeekHead entries
+- avformat/matroskaenc: Fix memleak upon encountering bogus chapter
+- avformat/matroskaenc: Make ebml_num_size() more robust
+- avformat/oggenc: Don't free AVStream's priv_data, fix memleak
+- avformat/utils: Fix memleak when decoding subtitle in find_stream_info
+- fftools/ffmpeg_opt: Check attachment filesize
+- avformat/mpeg: Don't use unintialized value
+- avformat/webmdashenc: Check codec types
+- avformat/webmdashenc: Fix memleak upon realloc failure
+- avformat/subtitles: Don't increment packet counter prematurely
+- avformat/bethsoftvid: Fix potential memleak upon reallocation failure
+- avformat/smoothstreaming: Fix memleaks on errors
+- avformat/matroskaenc: Check BlockAdditional size before use
+- avformat/matroskaenc: Check functions that can fail
+- avformat/matroskaenc: Check for reformatting errors
+- avformat/matroskadec: Check before allocations
+- avfilter/vf_unsharp: Don't dereference NULL
+- avcodec/zmbvenc: Correct offset in buffer
+- avcodec/cbs_h2645: Fix potential out-of-bounds array access
+- avformat/mov: Don't allow negative sample sizes.
+- mpeg4videoenc: Don't crash with -fsanitize=bounds
+- avformat/mpegts: Shuffle avio_seek
+- avcodec/binkaudio: Fix 2Ghz sample_rate
+- avcodec/adpcm: Fix integer overflow in ADPCM THP
+- avcodec/ralf: Check num_blocks before use
+- avcodec/iff: Test video_size being non zero
+- avcodec/utvideodec: Fix integer overflow in decode_plane()
+- avcodec/ttadsp: Fix several integer overflows in tta_filter_process_c()
+- avcodec/ralf: Fix integer overflow in decode_block()
+- avcodec/nuv: widen buf_size type
+- avcodec/iff: Fix several integer overflows
+- avcodec/g729postfilter: Clip gain before scaling with AGC_FAC1
+- avcodec/alac: Fix integer overflow with 24/20bps samples
+- avcodec/dstdec: Check sample rate
+- avformat/thp: Require a video stream
+- avformat/mpeg: Decrease score by 1 for files with very little valid data
+- avcodec/pngdec: Check length in fdAT
+- avcodec/g2meet: Check tile_width in epic_jb_decode_tile()
+- avcodec/hapdec: Check tex_size more strictly and before using it
+- avcodec/vp9dsp_template: Fix integer overflows in idct32_1d()
+- avcodec/alacdsp: Fix invalid shift in append_extra_bits()
+- libavcodec/wmalosslessdec: prevent sum of positive numbers from becoming negative
+- avcodec/dstdec: Fix integer overflow in read_table()
+- avcodec/txd: Check for input size against the header size.
+- avcodec/svq1dec: Check that there is data left after the header
+- avcodec/cbs_h265_syntax_template: Check num_negative/positive_pics when inter_ref_pic_set_prediction_flag is set
+- avcodec/intrax8: Check for end of bitstream in ff_intrax8_decode_picture()
+- avcodec/hevc_mp4toannexb_bsf: Check nalu_size
+- avcodec/iff: Check length before memcpy() in decode_deep_rle32()
+- avcodec/iff: Fix invalid pointer intermediates in decode_deep_rle32()
+- avcodec/pngdec: Pass ret from decode_iccp_chunk()
+- avcodec/rv40dsp: Fix integer overflows in rv40_weight_func_*()
+- avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs()
+- avcodec/flac_parser: Do not lose header count in find_headers_search()
+- avcodec/audiodsp: Fix integer overflow in scalarproduct_int16_c()
+- avcodec/cbs_jpeg_syntax_template: Check array index in huffman_table()
+- avcodec/cbs_jpeg_syntax_template: Check table index before use in dht()
+- avformat/oggdec: Check for EOF after page header
+- swscale/yuv2rgb: Fix vertical dither offset with slices
+- avcodec/dpcm: clip exponent into supported range in XAN DPCM
+- avcodec/flacdsp_template: Fix invalid shifts in decorrelate
+- avcodec/xvididct: Fix integer overflow in MULT()
+- avcodec/ffwavesynth: Correct undefined overflow of PINK_UNIT
+- avcodec/cbs_h264_syntax_template: fix off by 1 error with slice_group_change_cycle
+- swscale/output: Fix integer overflow in yuv2rgb_write_full() with out of range input
+- swscale/output: Fix integer overflow in alpha computation in yuv2gbrp16_full_X_c()
+- libavformat/amr.c: Check return value from avio_read()
+- libavformat/mov.c: Free aes_decrypt to avoid leaking memory
+- libavformat/oggdec.c: Check return value from avio_read()
+- avformat/asfdec_f: Fix overflow check in get_tag()
+- avformat/nsvdec: Fix memleaks on errors while reading the header
+- avcodec/ffwavesynth: Fix integer overflow in computation of ddphi
+- avcodec/cbs_jpeg: Check length for SOS
+- avcodec/adpcm: Fix invalid shift in AV_CODEC_ID_ADPCM_PSX
+- avcodec/mpeg12dec: Fix invalid shift in mpeg2_fast_decode_block_intra()
+- avcodec/cbs_h2645: Treat slices without data as invalid
+- avcodec/cbs_h2645: Remove dead code to delete trailing zeroes
+- avcodec/cbs_av1_syntax_template: Set seen_frame_header only after successfull uncompressed_header()
+- avcodec/mpegaudioenc_template: fix invalid shift of sample
+- avcodec/motion_est_template: Fix invalid shifts in no_sub_motion_search()
+- libavformat/avienc: Check bits per sample for PAL8
+- avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet()
+- avcodec/magicyuv: Check that there are enough lines for interlacing to be possible
+- avformat/mvdec: Check stream numbers
+- avcodec/pcm: Fix invalid shift in AV_CODEC_ID_PCM_LXF
+- avcodec/qdm2: Check fft_coefs_index
+- avformat/utils: Fix integer overflow with complex time bases in avformat_find_stream_info()
+- avformat/avidec: Avoid integer overflow in NI switch check
+- fftools/ffmpeg: Fix integer overflow in duration computation in seek_to_start()
+- avfilter/vf_aspect: Fix integer overflow in compute_dar()
+- avcodec/apedec: Fix invalid shift with 24 bps
+- avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index()
+- avcodec/dpcm: Fix integer overflow in AV_CODEC_ID_GREMLIN_DPCM
+- avcodec/wmalosslessdec: Fix integer overflow with sliding in padding bits
+- avcodec/wmalosslessdec: Fix loop in revert_acfilter()
+- avcodec/agm: YUV420 without DCT needs even dimensions
+- avcodec/agm: Test remaining data in decode_raw_intra_rgb()
+- avcodec/lagarith: Sanity check scale
+- avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950()
+- avcodec/ralf: Fix integer overflow in apply_lpc()
+- avcodec/dca_lbr: Fix some error codes and error passing
+- avcodec/wmavoice: Fix rounding and integer anomalies in calc_input_response()
+- avcodec/wmavoice: sanity check block_align
+- avcodec/pcm: Fix invalid shift in pcm_decode_frame for LXF
+- avcodec/snappy: Sanity check bytestream2_get_levarint()
+- avcodec/mlpdsp: Fix a invalid shift in ff_mlp_rematrix_channel()
+- avcodec/avdct: Clear IDCTDSPContext context
+- avcodec/x86/diracdsp: Fix high bits on Windows x86_64
+- tests/fate/lavf-video.mak: fix fate-lavf-gif dependencies
+- avformat/mov: Check STCO location
+- avcodec/wmalosslessdec: Fix multiple integer overflows
+- avcodec/apedec: Fix undefined integer overflow in decode_array_0000()
+- avcodec/smacker: Check space before decoding type
+- avcodec/rawdec: Use linesize in b64a
+- avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM
+- avcodec/x86/diracdsp: Fix incorrect src addressing in dequant_subband_32()
+- avfilter/vf_find_rect: Remove assert
+- avfilter/vf_find_rect: Increase worst case score
+- swscale/input: Fix several invalid shifts related to rgb2yuv constants
+- swscale/output: Fix several invalid shifts in yuv2rgb_full_1_c_template()
+- swscale/swscale: Fix several invalid shifts related to vChrDrop
+- avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow
+- avcodec/hevc_mp4toannexb_bsf: Avoid NULL memcpy()
+- avcodec/cbs_av1: Check leb128 values read
+- avcodec/wmalosslessdec: move channel check up
+- avcodec/cbs_h2645: Skip all 0 NAL units
+- avcodec/adpcm: Fix overflow in FFABS() IMA_EA_EACS
+- avcodec/alac: Fix integer overflow in LPC coefficient adaption
+- avcodec/g729postfilter: Optimize out overflowing multiplication from apply_tilt_comp()
+- avcodec/vc1dec: Check field_mode for sprites
+- avcodec/vc1dec: Limit bits by the actual bitstream size
+- avcodec/vmdaudio: Check block_align more
+- configure: bump year
+- avcodec/pgssubdec: Free subtitle on error
+- avcodec/nvenc: use framerate if available
+- avcodec/cbs_h265: fix writing extension_data bits
+- avcodec/nvenc: offset dts to account for b-frame reordering
+- Revert "avformat/rtp: Pass sources and block filter addresses via sdp file for rtp"
+- avformat/matroskadec: Fix default value of BlockAddID
+- avformat/dashdec: Don't allocate and leak strings that are never used
+- avformat/matroskaenc: Write level 1 elements in one go
+- avformat/rtp: Pass sources and block filter addresses via sdp file for rtp
+- avformat/bintext: avoid division by zero
+
+
 version 4.2.2
 - cbs_mpeg2: Fix parsing the last unit
 - cbs_mpeg2: Rearrange start code search
@@ -1 +1 @@
-4.2.2
+4.2.3
@@ -7397,7 +7397,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2019
+#define CONFIG_THIS_YEAR 2020
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 4.2.2
+PROJECT_NUMBER         = 4.2.3

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -567,6 +567,7 @@ static void ffmpeg_cleanup(int ret)
        ost->audio_channels_mapped = 0;

        av_dict_free(&ost->sws_dict);
+        av_dict_free(&ost->swr_opts);

        avcodec_free_context(&ost->enc_ctx);
        avcodec_parameters_free(&ost->ref_par);
@@ -4235,7 +4236,8 @@ static int seek_to_start(InputFile *ifile, AVFormatContext *is)
            ifile->time_base = ist->st->time_base;
        /* the total duration of the stream, max_pts - min_pts is
         * the duration of the stream without the last frame */
-        duration += ist->max_pts - ist->min_pts;
+        if (ist->max_pts > ist->min_pts && ist->max_pts - (uint64_t)ist->min_pts < INT64_MAX - duration)
+            duration += ist->max_pts - ist->min_pts;
        ifile->time_base = duration_max(duration, &ifile->duration, ist->st->time_base,
                                        ifile->time_base);
    }
@@ -1,3 +1,4 @@
+
 /*
 * ffmpeg option parsing
 *
@@ -2372,12 +2373,14 @@ loop_end:
                   o->attachments[i]);
            exit_program(1);
        }
-        if (!(attachment = av_malloc(len))) {
-            av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n",
+        if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE ||
+            !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) {
+            av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n",
                   o->attachments[i]);
            exit_program(1);
        }
        avio_read(pb, attachment, len);
+        memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);

        ost = new_attachment_stream(o, oc, -1);
        ost->stream_copy               = 0;
@@ -2769,13 +2772,14 @@ static int opt_target(void *optctx, const char *opt, const char *arg)
    } else {
        /* Try to determine PAL/NTSC by peeking in the input files */
        if (nb_input_files) {
-            int i, j, fr;
+            int i, j;
            for (j = 0; j < nb_input_files; j++) {
                for (i = 0; i < input_files[j]->nb_streams; i++) {
                    AVStream *st = input_files[j]->ctx->streams[i];
+                    int64_t fr;
                    if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO)
                        continue;
-                    fr = st->time_base.den * 1000 / st->time_base.num;
+                    fr = st->time_base.den * 1000LL / st->time_base.num;
                    if (fr == 25000) {
                        norm = PAL;
                        break;
@@ -2760,9 +2760,6 @@ static int read_thread(void *arg)
    }

    memset(st_index, -1, sizeof(st_index));
-    is->last_video_stream = is->video_stream = -1;
-    is->last_audio_stream = is->audio_stream = -1;
-    is->last_subtitle_stream = is->subtitle_stream = -1;
    is->eof = 0;

    ic = avformat_alloc_context();
@@ -3068,6 +3065,9 @@ static VideoState *stream_open(const char *filename, AVInputFormat *iformat)
    is = av_mallocz(sizeof(VideoState));
    if (!is)
        return NULL;
+    is->last_video_stream = is->video_stream = -1;
+    is->last_audio_stream = is->audio_stream = -1;
+    is->last_subtitle_stream = is->subtitle_stream = -1;
    is->filename = av_strdup(filename);
    if (!is->filename)
        goto fail;
@@ -107,29 +107,30 @@ static void scale_coefs (
      }
    } else {
      shift = -shift;
+      mul <<= shift;
      for (i=0; i<len; i+=8) {

          temp = src[i] * mul;
          temp1 = src[i+1] * mul;
          temp2 = src[i+2] * mul;

-          dst[i] = temp << shift;
+          dst[i] = temp;
          temp3 = src[i+3] * mul;

-          dst[i+1] = temp1 << shift;
+          dst[i+1] = temp1;
          temp4 = src[i + 4] * mul;
-          dst[i+2] = temp2 << shift;
+          dst[i+2] = temp2;

          temp5 = src[i+5] * mul;
-          dst[i+3] = temp3 << shift;
+          dst[i+3] = temp3;
          temp6 = src[i+6] * mul;

-          dst[i+4] = temp4 << shift;
+          dst[i+4] = temp4;
          temp7 = src[i+7] * mul;

-          dst[i+5] = temp5 << shift;
-          dst[i+6] = temp6 << shift;
-          dst[i+7] = temp7 << shift;
+          dst[i+5] = temp5;
+          dst[i+6] = temp6;
+          dst[i+7] = temp7;

      }
    }
@@ -1065,7 +1065,7 @@ static int bit_alloc(AC3EncodeContext *s, int snr_offset)
 {
    int blk, ch;

-    snr_offset = (snr_offset - 240) << 2;
+    snr_offset = (snr_offset - 240) * 4;

    reset_block_bap(s);
    for (blk = 0; blk < s->num_blocks; blk++) {
@@ -2051,7 +2051,8 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx)
        av_freep(&block->cpl_coord_mant);
    }

-    s->mdct_end(s);
+    if (s->mdct_end)
+        s->mdct_end(s);

    return 0;
 }
@@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx)

    ret = validate_options(s);
    if (ret)
-        return ret;
+        goto init_fail;

    avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks;
    avctx->initial_padding = AC3_BLOCK_SIZE;
@@ -1204,7 +1204,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
        }
        for (i=0; i<=st; i++) {
            c->status[i].predictor  = bytestream2_get_le32u(&gb);
-            if (FFABS(c->status[i].predictor) > (1<<16))
+            if (FFABS((int64_t)c->status[i].predictor) > (1<<16))
                return AVERROR_INVALIDDATA;
        }

@@ -1253,8 +1253,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,

            for (count2 = 0; count2 < 28; count2++) {
                byte = bytestream2_get_byteu(&gb);
-                next_left_sample  = sign_extend(byte >> 4, 4) << shift_left;
-                next_right_sample = sign_extend(byte,      4) << shift_right;
+                next_left_sample  = sign_extend(byte >> 4, 4) * (1 << shift_left);
+                next_right_sample = sign_extend(byte,      4) * (1 << shift_right);

                next_left_sample = (next_left_sample +
                    (current_left_sample * coeff1l) +
@@ -1293,7 +1293,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
            if (st) byte[1] = bytestream2_get_byteu(&gb);
            for(i = 4; i >= 0; i-=4) { /* Pairwise samples LL RR (st) or LL LL (mono) */
                for(channel = 0; channel < avctx->channels; channel++) {
-                    int sample = sign_extend(byte[channel] >> i, 4) << shift[channel];
+                    int sample = sign_extend(byte[channel] >> i, 4) * (1 << shift[channel]);
                    sample = (sample +
                             c->status[channel].sample1 * coeff[channel][0] +
                             c->status[channel].sample2 * coeff[channel][1] + 0x80) >> 8;
@@ -1408,11 +1408,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                    int level, pred;
                    int byte = bytestream2_get_byteu(&gb);

-                    level = sign_extend(byte >> 4, 4) << shift[n];
+                    level = sign_extend(byte >> 4, 4) * (1 << shift[n]);
                    pred  = s[-1] * coeff[0][n] + s[-2] * coeff[1][n];
                    s[0]  = av_clip_int16((level + pred + 0x80) >> 8);

-                    level = sign_extend(byte, 4) << shift[n];
+                    level = sign_extend(byte, 4) * (1 << shift[n]);
                    pred  = s[0] * coeff[0][n] + s[-1] * coeff[1][n];
                    s[1]  = av_clip_int16((level + pred + 0x80) >> 8);
                }
@@ -1569,8 +1569,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                        sampledat = sign_extend(byte >> 4, 4);
                    }

-                    sampledat = ((prev1 * factor1 + prev2 * factor2) +
-                                 ((sampledat * scale) << 11)) >> 11;
+                    sampledat = ((prev1 * factor1 + prev2 * factor2) >> 11) +
+                                sampledat * scale;
                    *samples = av_clip_int16(sampledat);
                    prev2 = prev1;
                    prev1 = *samples++;
@@ -1632,8 +1632,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                int byte = bytestream2_get_byteu(&gb);
                int index = (byte >> 4) & 7;
                unsigned int exp = byte & 0x0F;
-                int factor1 = table[ch][index * 2];
-                int factor2 = table[ch][index * 2 + 1];
+                int64_t factor1 = table[ch][index * 2];
+                int64_t factor2 = table[ch][index * 2 + 1];

                /* Decode 14 samples.  */
                for (n = 0; n < 14 && (i * 14 + n < nb_samples); n++) {
@@ -1647,7 +1647,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                    }

                    sampledat = ((c->status[ch].sample1 * factor1
-                                + c->status[ch].sample2 * factor2) >> 11) + (sampledat << exp);
+                                + c->status[ch].sample2 * factor2) >> 11) + sampledat * (1 << exp);
                    *samples = av_clip_int16(sampledat);
                    c->status[ch].sample2 = c->status[ch].sample1;
                    c->status[ch].sample1 = *samples++;
@@ -1731,7 +1731,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                            scale = sign_extend(byte, 4);
                        }

-                        scale  = scale << 12;
+                        scale  = scale * (1 << 12);
                        sample = (int)((scale >> shift) + (c->status[channel].sample1 * xa_adpcm_table[filter][0] + c->status[channel].sample2 * xa_adpcm_table[filter][1]) / 64);
                    }
                    *samples++ = av_clip_int16(sample);
@@ -48,7 +48,7 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav,
    s2 = prev->s2;
    for (i = 0, j = 0; j < 32; i += channels, j++) {
        s0 = wav[i];
-        d = ((s0 << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS;
+        d = s0 + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS);
        if (max < d)
            max = d;
        if (min > d)
@@ -79,13 +79,13 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav,
    s1 = prev->s1;
    s2 = prev->s2;
    for (i = 0, j = 0; j < 32; i += channels, j++) {
-        d = ((wav[i] << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS;
+        d = wav[i] + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS);

        d = av_clip_intp2(ROUNDED_DIV(d, scale), 3);

        put_sbits(&pb, 4, d);

-        s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS;
+        s0 = d * scale + ((c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS);
        s2 = s1;
        s1 = s0;
    }
@@ -573,13 +573,16 @@ static int decode_raw_intra_rgb(AVCodecContext *avctx, GetByteContext *gbyte, AV
    uint8_t *dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0];
    uint8_t r = 0, g = 0, b = 0;

+    if (bytestream2_get_bytes_left(gbyte) < 3 * avctx->width * avctx->height)
+        return AVERROR_INVALIDDATA;
+
    for (int y = 0; y < avctx->height; y++) {
        for (int x = 0; x < avctx->width; x++) {
-            dst[x*3+0] = bytestream2_get_byte(gbyte) + r;
+            dst[x*3+0] = bytestream2_get_byteu(gbyte) + r;
            r = dst[x*3+0];
-            dst[x*3+1] = bytestream2_get_byte(gbyte) + g;
+            dst[x*3+1] = bytestream2_get_byteu(gbyte) + g;
            g = dst[x*3+1];
-            dst[x*3+2] = bytestream2_get_byte(gbyte) + b;
+            dst[x*3+2] = bytestream2_get_byteu(gbyte) + b;
            b = dst[x*3+2];
        }
        dst -= frame->linesize[0];
@@ -1239,6 +1242,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
    s->dct = avctx->codec_tag != MKTAG('A', 'G', 'M', '4') &&
             avctx->codec_tag != MKTAG('A', 'G', 'M', '5');

+    if (!s->rgb && !s->dct) {
+        if ((avctx->width & 1) || (avctx->height & 1))
+            return AVERROR_INVALIDDATA;
+    }
+
    avctx->idct_algo = FF_IDCT_SIMPLE;
    ff_idctdsp_init(&s->idsp, avctx);
    ff_init_scantable(s->idsp.idct_permutation, &s->scantable, ff_zigzag_direct);
@@ -228,7 +228,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out,
                sign = sign_only(val) * error_sign;
                lpc_coefs[j] -= sign;
                val *= (unsigned)sign;
-                error_val -= (val >> lpc_quant) * (j + 1);
+                error_val -= (val >> lpc_quant) * (j + 1U);
            }
        }
    }
@@ -397,13 +397,13 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,
    case 20: {
        for (ch = 0; ch < channels; ch++) {
            for (i = 0; i < alac->nb_samples; i++)
-                alac->output_samples_buffer[ch][i] *= 1 << 12;
+                alac->output_samples_buffer[ch][i] *= 1U << 12;
        }}
        break;
    case 24: {
        for (ch = 0; ch < channels; ch++) {
            for (i = 0; i < alac->nb_samples; i++)
-                alac->output_samples_buffer[ch][i] *= 1 << 8;
+                alac->output_samples_buffer[ch][i] *= 1U << 8;
        }}
        break;
    }
@@ -49,7 +49,7 @@ static void append_extra_bits(int32_t *buffer[2], int32_t *extra_bits_buffer[2],

    for (ch = 0; ch < channels; ch++)
        for (i = 0; i < nb_samples; i++)
-            buffer[ch][i] = (buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i];
+            buffer[ch][i] = ((unsigned)buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i];
 }

 av_cold void ff_alacdsp_init(ALACDSPContext *c)
@@ -610,7 +610,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb,
    ksummin = rice->k ? (1 << rice->k + 6) : 0;
    for (; i < blockstodecode; i++) {
        out[i] = get_rice_ook(&ctx->gb, rice->k);
-        rice->ksum += out[i] - out[i - 64];
+        rice->ksum += out[i] - (unsigned)out[i - 64];
        while (rice->ksum < ksummin) {
            rice->k--;
            ksummin = rice->k ? ksummin >> 1 : 0;
@@ -1203,14 +1203,14 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count)
        A = *decoded0;

        p->buf[YDELAYA] = currentA;
-        p->buf[YDELAYA - 1] = p->buf[YDELAYA] - p->buf[YDELAYA - 1];
+        p->buf[YDELAYA - 1] = p->buf[YDELAYA] - (unsigned)p->buf[YDELAYA - 1];

        predictionA = p->buf[YDELAYA    ] * p->coeffsA[0][0] +
                      p->buf[YDELAYA - 1] * p->coeffsA[0][1] +
                      p->buf[YDELAYA - 2] * p->coeffsA[0][2] +
                      p->buf[YDELAYA - 3] * p->coeffsA[0][3];

-        currentA = A + (predictionA >> 10);
+        currentA = A + (unsigned)(predictionA >> 10);

        p->buf[YADAPTCOEFFSA]     = APESIGN(p->buf[YDELAYA    ]);
        p->buf[YADAPTCOEFFSA - 1] = APESIGN(p->buf[YDELAYA - 1]);
@@ -1543,7 +1543,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        for (ch = 0; ch < s->channels; ch++) {
            sample24 = (int32_t *)frame->data[ch];
            for (i = 0; i < blockstodecode; i++)
-                *sample24++ = s->decoded[ch][i] << 8;
+                *sample24++ = s->decoded[ch][i] * 256;
        }
        break;
    }
@@ -79,7 +79,7 @@ static void vector_clipf_c(float *dst, const float *src, int len,
 static int32_t scalarproduct_int16_c(const int16_t *v1, const int16_t *v2,
                                     int order)
 {
-    int res = 0;
+    unsigned res = 0;

    while (order--)
        res += *v1++ **v2++;
@@ -100,7 +100,7 @@ int avcodec_dct_init(AVDCT *dsp)

 #if CONFIG_IDCTDSP
    {
-        IDCTDSPContext idsp;
+        IDCTDSPContext idsp = {0};
        ff_idctdsp_init(&idsp, avctx);
        COPY(idsp, idct);
        COPY(idsp, idct_permutation);
@@ -109,7 +109,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    s->frame_len     = 1 << frame_len_bits;
    s->overlap_len   = s->frame_len / 16;
    s->block_size    = (s->frame_len - s->overlap_len) * s->channels;
-    sample_rate_half = (sample_rate + 1) / 2;
+    sample_rate_half = (sample_rate + 1LL) / 2;
    if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT)
        s->root = 2.0 / (sqrt(s->frame_len) * 32768.0);
    else
@@ -201,20 +201,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride)
    src[0][0] += 8;

    for( i = 0; i < 8; i++ ) {
-        const int a0 =  3*src[i][1] - (src[i][7]<<1);
-        const int a1 =  3*src[i][3] + (src[i][5]<<1);
-        const int a2 =  (src[i][3]<<1) - 3*src[i][5];
-        const int a3 =  (src[i][1]<<1) + 3*src[i][7];
+        const int a0 = 3 * src[i][1] - 2 * src[i][7];
+        const int a1 = 3 * src[i][3] + 2 * src[i][5];
+        const int a2 = 2 * src[i][3] - 3 * src[i][5];
+        const int a3 = 2 * src[i][1] + 3 * src[i][7];

-        const int b4 = ((a0 + a1 + a3)<<1) + a1;
-        const int b5 = ((a0 - a1 + a2)<<1) + a0;
-        const int b6 = ((a3 - a2 - a1)<<1) + a3;
-        const int b7 = ((a0 - a2 - a3)<<1) - a2;
+        const int b4 = 2 * (a0 + a1 + a3) + a1;
+        const int b5 = 2 * (a0 - a1 + a2) + a0;
+        const int b6 = 2 * (a3 - a2 - a1) + a3;
+        const int b7 = 2 * (a0 - a2 - a3) - a2;

-        const int a7 = (src[i][2]<<2) - 10*src[i][6];
-        const int a6 = (src[i][6]<<2) + 10*src[i][2];
-        const int a5 = ((src[i][0] - src[i][4]) << 3) + 4;
-        const int a4 = ((src[i][0] + src[i][4]) << 3) + 4;
+        const int a7 = 4 * src[i][2] - 10 * src[i][6];
+        const int a6 = 4 * src[i][6] + 10 * src[i][2];
+        const int a5 = 8 * (src[i][0] - src[i][4]) + 4;
+        const int a4 = 8 * (src[i][0] + src[i][4]) + 4;

        const int b0 = a4 + a6;
        const int b1 = a5 + a7;
@@ -231,20 +231,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride)
        src[i][7] = (b0 - b4) >> 3;
    }
    for( i = 0; i < 8; i++ ) {
-        const int a0 =  3*src[1][i] - (src[7][i]<<1);
-        const int a1 =  3*src[3][i] + (src[5][i]<<1);
-        const int a2 =  (src[3][i]<<1) - 3*src[5][i];
-        const int a3 =  (src[1][i]<<1) + 3*src[7][i];
+        const int a0 = 3 * src[1][i] - 2 * src[7][i];
+        const int a1 = 3 * src[3][i] + 2 * src[5][i];
+        const int a2 = 2 * src[3][i] - 3 * src[5][i];
+        const int a3 = 2 * src[1][i] + 3 * src[7][i];

-        const int b4 = ((a0 + a1 + a3)<<1) + a1;
-        const int b5 = ((a0 - a1 + a2)<<1) + a0;
-        const int b6 = ((a3 - a2 - a1)<<1) + a3;
-        const int b7 = ((a0 - a2 - a3)<<1) - a2;
+        const int b4 = 2 * (a0 + a1 + a3) + a1;
+        const int b5 = 2 * (a0 - a1 + a2) + a0;
+        const int b6 = 2 * (a3 - a2 - a1) + a3;
+        const int b7 = 2 * (a0 - a2 - a3) - a2;

-        const int a7 = (src[2][i]<<2) - 10*src[6][i];
-        const int a6 = (src[6][i]<<2) + 10*src[2][i];
-        const int a5 = (src[0][i] - src[4][i]) << 3;
-        const int a4 = (src[0][i] + src[4][i]) << 3;
+        const int a7 = 4 * src[2][i] - 10 * src[6][i];
+        const int a6 = 4 * src[6][i] + 10 * src[2][i];
+        const int a5 = 8 * (src[0][i] - src[4][i]);
+        const int a4 = 8 * (src[0][i] + src[4][i]);

        const int b0 = a4 + a6;
        const int b1 = a5 + a7;
@@ -170,6 +170,9 @@ static int cbs_av1_read_leb128(CodedBitstreamContext *ctx, GetBitContext *gbc,
            break;
    }

+    if (value > UINT32_MAX)
+        return AVERROR_INVALIDDATA;
+
    if (ctx->trace_enable)
        ff_cbs_trace_syntax_element(ctx, position, name, NULL, "", value);

@@ -1500,8 +1500,6 @@ static int FUNC(frame_header_obu)(CodedBitstreamContext *ctx, RWContext *rw,
        else
            HEADER("Frame Header");

-        priv->seen_frame_header = 1;
-
 #ifdef READ
        start_pos = get_bits_count(rw);
 #else
@@ -568,7 +568,10 @@ static int cbs_h2645_fragment_add_nals(CodedBitstreamContext *ctx,
        // Remove trailing zeroes.
        while (size > 0 && nal->data[size - 1] == 0)
            --size;
-        av_assert0(size > 0);
+        if (size == 0) {
+            av_log(ctx->log_ctx, AV_LOG_VERBOSE, "Discarding empty 0 NAL unit\n");
+            continue;
+        }

        ref = (nal->data == nal->raw_data) ? frag->data_ref
                                           : packet->rbsp.rbsp_buffer_ref;
@@ -748,7 +751,7 @@ static int cbs_h26 ## h26n ## _replace_ ## ps_var(CodedBitstreamContext *ctx, \
    CodedBitstreamH26 ## h26n ## Context *priv = ctx->priv_data; \
    H26 ## h26n ## Raw ## ps_name *ps_var = unit->content; \
    unsigned int id = ps_var->id_element; \
-    if (id > FF_ARRAY_ELEMS(priv->ps_var)) { \
+    if (id >= FF_ARRAY_ELEMS(priv->ps_var)) { \
        av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid " #ps_name \
               " id : %d.\n", id); \
        return AVERROR_INVALIDDATA; \
@@ -855,15 +858,11 @@ static int cbs_h264_read_nal_unit(CodedBitstreamContext *ctx,
            if (err < 0)
                return err;

+            if (!cbs_h2645_read_more_rbsp_data(&gbc))
+                return AVERROR_INVALIDDATA;
+
            pos = get_bits_count(&gbc);
            len = unit->data_size;
-            if (!unit->data[len - 1]) {
-                int z;
-                for (z = 0; z < len && !unit->data[len - z - 1]; z++);
-                av_log(ctx->log_ctx, AV_LOG_DEBUG, "Deleted %d trailing zeroes "
-                       "from slice data.\n", z);
-                len -= z;
-            }

            slice->data_size = len - pos / 8;
            slice->data_ref  = av_buffer_ref(unit->data_ref);
@@ -1037,15 +1036,11 @@ static int cbs_h265_read_nal_unit(CodedBitstreamContext *ctx,
            if (err < 0)
                return err;

+            if (!cbs_h2645_read_more_rbsp_data(&gbc))
+                return AVERROR_INVALIDDATA;
+
            pos = get_bits_count(&gbc);
            len = unit->data_size;
-            if (!unit->data[len - 1]) {
-                int z;
-                for (z = 0; z < len && !unit->data[len - z - 1]; z++);
-                av_log(ctx->log_ctx, AV_LOG_DEBUG, "Deleted %d trailing zeroes "
-                       "from slice data.\n", z);
-                len -= z;
-            }

            slice->data_size = len - pos / 8;
            slice->data_ref  = av_buffer_ref(unit->data_ref);
@@ -1366,7 +1366,7 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw,
                   (sps->pic_height_in_map_units_minus1 + 1);
        max = (pic_size + pps->slice_group_change_rate_minus1) /
              (pps->slice_group_change_rate_minus1 + 1);
-        bits = av_log2(2 * max - 1);
+        bits = av_ceil_log2(max + 1);

        u(bits, slice_group_change_cycle, 0, max);
    }
@@ -80,7 +80,7 @@ static int FUNC(extension_data)(CodedBitstreamContext *ctx, RWContext *rw,
    }
 #else
    for (k = 0; k < current->bit_length; k++)
-        xu(1, extension_data, current->data[k / 8] >> (7 - k % 8), 0, 1, 0);
+        xu(1, extension_data, current->data[k / 8] >> (7 - k % 8) & 1, 0, 1, 0);
 #endif
    return 0;
 }
@@ -601,6 +601,8 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw,
            }
        }

+        if (i > 15)
+            return AVERROR_INVALIDDATA;
        infer(num_negative_pics, i);
        for (i = 0; i < current->num_negative_pics; i++) {
            infer(delta_poc_s0_minus1[i],
@@ -630,6 +632,8 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw,
            }
        }

+        if (i + current->num_negative_pics > 15)
+            return AVERROR_INVALIDDATA;
        infer(num_positive_pics, i);
        for (i = 0; i < current->num_positive_pics; i++) {
            infer(delta_poc_s1_minus1[i],
@@ -1367,7 +1371,7 @@ static int FUNC(slice_segment_header)(CodedBitstreamContext *ctx, RWContext *rw,
                    infer(num_long_term_sps, 0);
                    idx_size = 0;
                }
-                ue(num_long_term_pics, 0, HEVC_MAX_LONG_TERM_REF_PICS);
+                ue(num_long_term_pics, 0, HEVC_MAX_REFS - current->num_long_term_sps);

                for (i = 0; i < current->num_long_term_sps +
                                current->num_long_term_pics; i++) {
@@ -148,15 +148,14 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx,
        if (marker == JPEG_MARKER_EOI) {
            break;
        } else if (marker == JPEG_MARKER_SOS) {
+            next_marker = -1;
            for (i = start; i + 1 < frag->data_size; i++) {
                if (frag->data[i] != 0xff)
                    continue;
                end = i;
                for (++i; i + 1 < frag->data_size &&
                          frag->data[i] == 0xff; i++);
-                if (i + 1 >= frag->data_size) {
-                    next_marker = -1;
-                } else {
+                if (i + 1 < frag->data_size) {
                    if (frag->data[i] == 0x00)
                        continue;
                    next_marker = frag->data[i];
@@ -197,6 +196,9 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx,
        if (marker == JPEG_MARKER_SOS) {
            length = AV_RB16(frag->data + start);

+            if (length > end - start)
+                return AVERROR_INVALIDDATA;
+
            data_ref = NULL;
            data     = av_malloc(end - start +
                                 AV_INPUT_BUFFER_PADDING_SIZE);
@@ -89,6 +89,8 @@ static int FUNC(huffman_table)(CodedBitstreamContext *ctx, RWContext *rw,
    ij = 0;
    for (i = 0; i < 16; i++) {
        for (j = 0; j < current->L[i]; j++) {
+            if (ij >= 224)
+                return AVERROR_INVALIDDATA;
            us(8, V[ij], ij, 0, 255);
            ++ij;
        }
@@ -108,6 +110,9 @@ static int FUNC(dht)(CodedBitstreamContext *ctx, RWContext *rw,

    n = 2;
    for (i = 0; n < current->Lh; i++) {
+        if (i >= 8)
+            return AVERROR_INVALIDDATA;
+
        CHECK(FUNC(huffman_table)(ctx, rw, &current->table[i]));

        ++n;
@@ -544,8 +544,9 @@ static int encode_mode(CinepakEncContext *s, int h,
                       uint8_t *last_data[4], int last_linesize[4],
                       strip_info *info, unsigned char *buf)
 {
-    int x, y, z, flags, bits, temp_size, header_ofs, ret = 0, mb_count = s->w * h / MB_AREA;
+    int x, y, z, bits, temp_size, header_ofs, ret = 0, mb_count = s->w * h / MB_AREA;
    int needs_extra_bit, should_write_temp;
+    uint32_t flags;
    unsigned char temp[64]; // 32/2 = 16 V4 blocks at 4 B each -> 64 B
    mb_info *mb;
    uint8_t *sub_scratch_data[4] = { 0 }, *sub_last_data[4] = { 0 };
@@ -599,7 +600,7 @@ static int encode_mode(CinepakEncContext *s, int h,
            flags = 0;
            for (y = x; y < FFMIN(x + 32, mb_count); y++)
                if (s->mb[y].best_encoding == ENC_V4)
-                    flags |= 1 << (31 - y + x);
+                    flags |= 1U << (31 - y + x);

            AV_WB32(&buf[ret], flags);
            ret += 4;
@@ -626,13 +627,13 @@ static int encode_mode(CinepakEncContext *s, int h,

        for (x = 0; x < mb_count; x++) {
            mb                = &s->mb[x];
-            flags            |= (mb->best_encoding != ENC_SKIP) << (31 - bits++);
+            flags            |= (uint32_t)(mb->best_encoding != ENC_SKIP) << (31 - bits++);
            needs_extra_bit   = 0;
            should_write_temp = 0;

            if (mb->best_encoding != ENC_SKIP) {
                if (bits < 32)
-                    flags |= (mb->best_encoding == ENC_V4) << (31 - bits++);
+                    flags |= (uint32_t)(mb->best_encoding == ENC_V4) << (31 - bits++);
                else
                    needs_extra_bit = 1;
            }
@@ -651,7 +652,7 @@ static int encode_mode(CinepakEncContext *s, int h,
            }

            if (needs_extra_bit) {
-                flags = (mb->best_encoding == ENC_V4) << 31;
+                flags = (uint32_t)(mb->best_encoding == ENC_V4) << 31;
                bits  = 1;
            }

@@ -154,7 +154,7 @@ static int parse_lfe_24(DCALbrDecoder *s)
    step_i = get_bits(&s->gb, 8);
    if (step_i > step_max) {
        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    step = ff_dca_lfe_step_size_24[step_i];
@@ -208,7 +208,7 @@ static int parse_lfe_16(DCALbrDecoder *s)
    step_i = get_bits(&s->gb, 8);
    if (step_i > step_max) {
        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    step = ff_dca_lfe_step_size_16[step_i];
@@ -246,14 +246,17 @@ static int parse_lfe_16(DCALbrDecoder *s)

 static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk)
 {
+    int ret;
+
    if (!(s->flags & LBR_FLAG_LFE_PRESENT))
        return 0;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    // Determine bit depth from chunk size
    if (chunk->len >= 52)
@@ -262,7 +265,7 @@ static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk)
        return parse_lfe_16(s);

    av_log(s->avctx, AV_LOG_ERROR, "LFE chunk too short\n");
-    return -1;
+    return AVERROR_INVALIDDATA;
 }

 static inline int parse_vlc(GetBitContext *s, VLC *vlc, int max_depth)
@@ -291,13 +294,13 @@ static int parse_tonal(DCALbrDecoder *s, int group)
        for (freq = 1;; freq++) {
            if (get_bits_left(&s->gb) < 1) {
                av_log(s->avctx, AV_LOG_ERROR, "Tonal group chunk too short\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

            diff = parse_vlc(&s->gb, &ff_dca_vlc_tnl_grp[group], 2);
            if (diff >= FF_ARRAY_ELEMS(ff_dca_fst_amp)) {
                av_log(s->avctx, AV_LOG_ERROR, "Invalid tonal frequency diff\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

            diff = get_bitsz(&s->gb, diff >> 2) + ff_dca_fst_amp[diff];
@@ -307,7 +310,7 @@ static int parse_tonal(DCALbrDecoder *s, int group)
            freq += diff - 2;
            if (freq >> (5 - group) > s->nsubbands * 4 - 6) {
                av_log(s->avctx, AV_LOG_ERROR, "Invalid spectral line offset\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

            // Main channel
@@ -358,19 +361,21 @@ static int parse_tonal(DCALbrDecoder *s, int group)

 static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk)
 {
-    int sb, group;
+    int sb, group, ret;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+
+    if (ret < 0)
+        return ret;

    // Scale factors
    if (chunk->id == LBR_CHUNK_SCF || chunk->id == LBR_CHUNK_TONAL_SCF) {
        if (get_bits_left(&s->gb) < 36) {
            av_log(s->avctx, AV_LOG_ERROR, "Tonal scale factor chunk too short\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }
        for (sb = 0; sb < 6; sb++)
            s->tonal_scf[sb] = get_bits(&s->gb, 6);
@@ -378,20 +383,25 @@ static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk)

    // Tonal groups
    if (chunk->id == LBR_CHUNK_TONAL || chunk->id == LBR_CHUNK_TONAL_SCF)
-        for (group = 0; group < 5; group++)
-            if (parse_tonal(s, group) < 0)
-                return -1;
+        for (group = 0; group < 5; group++) {
+            ret = parse_tonal(s, group);
+            if (ret < 0)
+                return ret;
+        }

    return 0;
 }

 static int parse_tonal_group(DCALbrDecoder *s, LBRChunk *chunk)
 {
+    int ret;
+
    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    return parse_tonal(s, chunk->id);
 }
@@ -404,7 +414,7 @@ static int ensure_bits(GetBitContext *s, int n)
 {
    int left = get_bits_left(s);
    if (left < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;
    if (left < n) {
        skip_bits_long(s, left);
        return 1;
@@ -433,7 +443,7 @@ static int parse_scale_factors(DCALbrDecoder *s, uint8_t *scf)
        dist = parse_vlc(&s->gb, &ff_dca_vlc_rsd_apprx, 1) + 1;
        if (dist > 7 - sf) {
            av_log(s->avctx, AV_LOG_ERROR, "Invalid scale factor distance\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }

        if (ensure_bits(&s->gb, 20))
@@ -498,22 +508,26 @@ static int parse_st_code(GetBitContext *s, int min_v)

 static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
-    int ch, sb, sf, nsubbands;
+    int ch, sb, sf, nsubbands, ret;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    // Scale factors
    nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1;
    for (sb = 2; sb < nsubbands; sb++) {
-        if (parse_scale_factors(s, s->grid_1_scf[ch1][sb]) < 0)
-            return -1;
-        if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband
-            && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0)
-            return -1;
+        ret = parse_scale_factors(s, s->grid_1_scf[ch1][sb]);
+        if (ret < 0)
+            return ret;
+        if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband) {
+            ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]);
+            if (ret < 0)
+                return ret;
+        }
    }

    if (get_bits_left(&s->gb) < 1)
@@ -532,7 +546,7 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch

    if (get_bits_left(&s->gb) < 0) {
        av_log(s->avctx, AV_LOG_ERROR, "First grid chunk too short\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    // Stereo image for partial mono mode
@@ -562,14 +576,16 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch

 static int parse_grid_1_sec_ch(DCALbrDecoder *s, int ch2)
 {
-    int sb, nsubbands;
+    int sb, nsubbands, ret;

    // Scale factors
    nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1;
    for (sb = 2; sb < nsubbands; sb++) {
-        if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband
-            && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0)
-            return -1;
+        if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband) {
+            ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]);
+            if (ret < 0)
+                return ret;
+        }
    }

    // Average values for third grid
@@ -709,7 +725,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2,
            s->sb_indices[sb] = sb_reorder;
        }
        if (sb_reorder >= s->nsubbands)
-            return -1;
+            return AVERROR_INVALIDDATA;

        // Third grid scale factors
        if (sb == 12) {
@@ -731,7 +747,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2,

        quant_level = s->quant_levels[ch1 / 2][sb];
        if (!quant_level)
-            return -1;
+            return AVERROR_INVALIDDATA;

        // Time samples for one or both channels
        if (sb < s->max_mono_subband && sb_reorder >= s->min_mono_subband) {
@@ -792,13 +808,14 @@ static int parse_lpc(DCALbrDecoder *s, int ch1, int ch2, int start_sb, int end_s
 static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
    int quant_levels[DCA_LBR_SUBBANDS];
-    int sb, ch, ol, st, max_sb, profile;
+    int sb, ch, ol, st, max_sb, profile, ret;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    // Quantizer profile
    profile = get_bits(&s->gb, 8);
@@ -832,18 +849,20 @@ static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int c
        s->quant_levels[ch1 / 2][sb] = quant_levels[sb];

    // LPC for the first two subbands
-    if (parse_lpc(s, ch1, ch2, 0, 2) < 0)
-        return -1;
+    ret = parse_lpc(s, ch1, ch2, 0, 2);
+    if (ret < 0)
+        return ret;

    // Time-samples for the first two subbands of main channel
-    if (parse_ts(s, ch1, ch2, 0, 2, 0) < 0)
-        return -1;
+    ret = parse_ts(s, ch1, ch2, 0, 2, 0);
+    if (ret < 0)
+        return ret;

    // First two bands of the first grid
    for (sb = 0; sb < 2; sb++)
        for (ch = ch1; ch <= ch2; ch++)
-            if (parse_scale_factors(s, s->grid_1_scf[ch][sb]) < 0)
-                return -1;
+            if ((ret = parse_scale_factors(s, s->grid_1_scf[ch][sb])) < 0)
+                return ret;

    return 0;
 }
@@ -892,39 +911,42 @@ static int parse_grid_2(DCALbrDecoder *s, int ch1, int ch2,

 static int parse_ts1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
+    int ret;
    if (!chunk->len)
        return 0;
-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
-    if (parse_lpc(s, ch1, ch2, 2, 3) < 0)
-        return -1;
-    if (parse_ts(s, ch1, ch2, 2, 4, 0) < 0)
-        return -1;
-    if (parse_grid_2(s, ch1, ch2, 0, 1, 0) < 0)
-        return -1;
-    if (parse_ts(s, ch1, ch2, 4, 6, 0) < 0)
-        return -1;
+    if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0)
+        return ret;
+    if ((ret = parse_lpc(s, ch1, ch2, 2, 3)) < 0)
+        return ret;
+    if ((ret = parse_ts(s, ch1, ch2, 2, 4, 0)) < 0)
+        return ret;
+    if ((ret = parse_grid_2(s, ch1, ch2, 0, 1, 0)) < 0)
+        return ret;
+    if ((ret = parse_ts(s, ch1, ch2, 4, 6, 0)) < 0)
+        return ret;
    return 0;
 }

 static int parse_ts2_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
+    int ret;
+
    if (!chunk->len)
        return 0;
-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
-    if (parse_grid_2(s, ch1, ch2, 1, 3, 0) < 0)
-        return -1;
-    if (parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0) < 0)
-        return -1;
+    if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0)
+        return ret;
+    if ((ret = parse_grid_2(s, ch1, ch2, 1, 3, 0)) < 0)
+        return ret;
+    if ((ret = parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0)) < 0)
+        return ret;
    if (ch1 != ch2) {
-        if (parse_grid_1_sec_ch(s, ch2) < 0)
-            return -1;
-        if (parse_grid_2(s, ch1, ch2, 0, 3, 1) < 0)
-            return -1;
+        if ((ret = parse_grid_1_sec_ch(s, ch2)) < 0)
+            return ret;
+        if ((ret = parse_grid_2(s, ch1, ch2, 0, 3, 1)) < 0)
+            return ret;
    }
-    if (parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1) < 0)
-        return -1;
+    if ((ret = parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1)) < 0)
+        return ret;
    return 0;
 }

@@ -932,11 +954,13 @@ static int init_sample_rate(DCALbrDecoder *s)
 {
    double scale = (-1.0 / (1 << 17)) * sqrt(1 << (2 - s->limited_range));
    int i, br_per_ch = s->bit_rate_scaled / s->nchannels_total;
+    int ret;

    ff_mdct_end(&s->imdct);

-    if (ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale) < 0)
-        return -1;
+    ret = ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale);
+    if (ret < 0)
+        return ret;

    for (i = 0; i < 32 << s->freq_range; i++)
        s->window[i] = ff_dca_long_window[i << (2 - s->freq_range)];
@@ -975,7 +999,7 @@ static int alloc_sample_buffer(DCALbrDecoder *s)
    // Reallocate time sample buffer
    av_fast_mallocz(&s->ts_buffer, &s->ts_size, nsamples * sizeof(float));
    if (!s->ts_buffer)
-        return -1;
+        return AVERROR(ENOMEM);

    ptr = s->ts_buffer + DCA_LBR_TIME_HISTORY;
    for (ch = 0; ch < s->nchannels; ch++) {
@@ -1796,7 +1820,7 @@ av_cold int ff_dca_lbr_init(DCALbrDecoder *s)
    init_tables();

    if (!(s->fdsp = avpriv_float_dsp_alloc(0)))
-        return -1;
+        return AVERROR(ENOMEM);

    s->lbr_rand = 1;
    return 0;
@@ -220,7 +220,7 @@ static av_cold int dnxhd_init_vlc(DNXHDEncContext *ctx)
    ctx->vlc_bits  = ctx->orig_vlc_bits + max_level * 2;
    for (level = -max_level; level < max_level; level++) {
        for (run = 0; run < 2; run++) {
-            int index = (level << 1) | run;
+            int index = level * (1 << 1) | run;
            int sign, offset = 0, alevel = level;

            MASK_ABS(sign, alevel);
@@ -616,7 +616,7 @@ void dnxhd_encode_block(DNXHDEncContext *ctx, int16_t *block,
        slevel = block[j];
        if (slevel) {
            int run_level = i - last_non_zero - 1;
-            int rlevel = (slevel << 1) | !!run_level;
+            int rlevel = slevel * (1 << 1) | !!run_level;
            put_bits(&ctx->m.pb, ctx->vlc_bits[rlevel], ctx->vlc_codes[rlevel]);
            if (run_level)
                put_bits(&ctx->m.pb, ctx->run_bits[run_level],
@@ -696,7 +696,7 @@ int dnxhd_calc_ac_bits(DNXHDEncContext *ctx, int16_t *block, int last_index)
        level = block[j];
        if (level) {
            int run_level = i - last_non_zero - 1;
-            bits += ctx->vlc_bits[(level << 1) |
+            bits += ctx->vlc_bits[level * (1 << 1) |
                    !!run_level] + ctx->run_bits[run_level];
            last_non_zero = i;
        }
@@ -305,9 +305,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
                shift[ch] -= (2 * n);
            diff = sign_extend((diff &~ 3) << 8, 16);

-            /* saturate the shifter to a lower limit of 0 */
-            if (shift[ch] < 0)
-                shift[ch] = 0;
+            /* saturate the shifter to 0..31 */
+            shift[ch] = av_clip_uintp2(shift[ch], 5);

            diff >>= shift[ch];
            predictor[ch] += diff;
@@ -367,7 +366,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
        while (output_samples < samples_end) {
            uint8_t n = bytestream2_get_byteu(&gb);

-            *output_samples++ = s->sample[idx] += s->array[n];
+            *output_samples++ = s->sample[idx] += (unsigned)s->array[n];
            idx ^= 1;
        }
        }
@@ -44,6 +44,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
    int i;
    uint8_t silence;

+    if (!avctx->channels)
+        return AVERROR_INVALIDDATA;
+
    ff_init_dsd_data();

    s = av_malloc_array(sizeof(DSDContext), avctx->channels);
@@ -85,6 +85,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
        return AVERROR_PATCHWELCOME;
    }

+    if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) {
+        return AVERROR_PATCHWELCOME;
+    }
+
    avctx->sample_fmt = AV_SAMPLE_FMT_FLT;

    for (i = 0; i < avctx->channels; i++)
@@ -155,7 +159,7 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[
            for (j = method + 1; j < t->length[i]; j++) {
                int c, x = 0;
                for (k = 0; k < method + 1; k++)
-                    x += code_pred_coeff[method][k] * t->coeff[i][j - k - 1];
+                    x += code_pred_coeff[method][k] * (unsigned)t->coeff[i][j - k - 1];
                c = get_sr_golomb_dst(gb, lsb_size);
                if (x >= 0)
                    c -= (x + 4) / 8;
@@ -51,8 +51,8 @@ static int dump_extradata(AVBSFContext *ctx, AVPacket *out)
    if (ctx->par_in->extradata &&
        (s->freq == DUMP_FREQ_ALL ||
         (s->freq == DUMP_FREQ_KEYFRAME && in->flags & AV_PKT_FLAG_KEY)) &&
-         in->size >= ctx->par_in->extradata_size &&
-         memcmp(in->data, ctx->par_in->extradata, ctx->par_in->extradata_size)) {
+         (in->size < ctx->par_in->extradata_size ||
+          memcmp(in->data, ctx->par_in->extradata, ctx->par_in->extradata_size))) {
        if (in->size >= INT_MAX - ctx->par_in->extradata_size) {
            ret = AVERROR(ERANGE);
            goto fail;
@@ -881,7 +881,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src,
                in     = ptr[3] + s->xdelta;

                for (j = 0; j < s->xdelta; ++j) {
-                    uint32_t diff = (*(ptr[0]++) << 24) |
+                    uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
                    (*(ptr[1]++) << 16) |
                    (*(ptr[2]++) << 8 ) |
                    (*(ptr[3]++));
@@ -217,7 +217,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts)
    *last = -1;
    lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts);
    if (ws->pink_need) {
-        uint64_t pink_ts_cur  = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1);
+        uint64_t pink_ts_cur  = (ws->cur_ts + (uint64_t)PINK_UNIT - 1) & ~(PINK_UNIT - 1);
        uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1);
        int pos = ts & (PINK_UNIT - 1);
        lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2);
@@ -281,7 +281,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc)
                dphi1 = frac64(f1, (int64_t)avc->sample_rate << 16);
                dphi2 = frac64(f2, (int64_t)avc->sample_rate << 16);
                in->dphi0 = dphi1;
-                in->ddphi = (dphi2 - dphi1) / dt;
+                in->ddphi = (int64_t)(dphi2 - (uint64_t)dphi1) / dt;
                if (phi & 0x80000000) {
                    phi &= ~0x80000000;
                    if (phi >= i)
@@ -216,16 +216,20 @@ static int find_headers_search(FLACParseContext *fpc, uint8_t *buf, int buf_size
    uint32_t x;

    for (i = 0; i < mod_offset; i++) {
-        if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8)
-            size = find_headers_search_validate(fpc, search_start + i);
+        if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) {
+            int ret = find_headers_search_validate(fpc, search_start + i);
+            size = FFMAX(size, ret);
+        }
    }

    for (; i < buf_size - 1; i += 4) {
        x = AV_RB32(buf + i);
        if (((x & ~(x + 0x01010101)) & 0x80808080)) {
            for (j = 0; j < 4; j++) {
-                if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8)
-                    size = find_headers_search_validate(fpc, search_start + i + j);
+                if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) {
+                    int ret = find_headers_search_validate(fpc, search_start + i + j);
+                    size = FFMAX(size, ret);
+                }
            }
        }
    }
@@ -66,8 +66,8 @@ static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in,
    int i;

    for (i = 0; i < len; i++) {
-        int a = in[0][i];
-        int b = in[1][i];
+        unsigned a = in[0][i];
+        unsigned b = in[1][i];
        S(samples, 0, i) =  a      << shift;
        S(samples, 1, i) = (a - b) << shift;
    }
@@ -80,8 +80,8 @@ static void FUNC(flac_decorrelate_rs_c)(uint8_t **out, int32_t **in,
    int i;

    for (i = 0; i < len; i++) {
-        int a = in[0][i];
-        int b = in[1][i];
+        unsigned a = in[0][i];
+        unsigned b = in[1][i];
        S(samples, 0, i) = (a + b) << shift;
        S(samples, 1, i) =  b      << shift;
    }
@@ -94,7 +94,7 @@ static void FUNC(flac_decorrelate_ms_c)(uint8_t **out, int32_t **in,
    int i;

    for (i = 0; i < len; i++) {
-        int a = in[0][i];
+        unsigned a = in[0][i];
        int b = in[1][i];
        a -= b >> 1;
        S(samples, 0, i) = (a + b) << shift;
@@ -917,6 +917,11 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y,
    awidth      = FFALIGN(tile_width,  16);
    aheight     = FFALIGN(tile_height, 16);

+    if (tile_width > (1 << FF_ARRAY_ELEMS(c->ec.prev_row_rung))) {
+        avpriv_request_sample(avctx, "large tile width");
+        return AVERROR_INVALIDDATA;
+    }
+
    if (els_dsize) {
        int ret, i, j, k;
        uint8_t tr_r, tr_g, tr_b, *buf;
@@ -1012,7 +1012,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data,
            formant_postfilter(p, lpc, p->audio, out);
        } else { // if output is not postfiltered it should be scaled by 2
            for (i = 0; i < FRAME_LEN; i++)
-                out[i] = av_clip_int16(p->audio[LPC_ORDER + i] << 1);
+                out[i] = av_clip_int16(2 * p->audio[LPC_ORDER + i]);
        }
    }

@@ -486,14 +486,14 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff,

    if (refl_coeff > 0) {
        gt = (refl_coeff * G729_TILT_FACTOR_PLUS + 0x4000) >> 15;
-        fact = 0x4000; // 0.5 in (0.15)
-        sh_fact = 15;
+        fact = 0x2000; // 0.5 in (0.15)
+        sh_fact = 14;
    } else {
        gt = (refl_coeff * G729_TILT_FACTOR_MINUS + 0x4000) >> 15;
-        fact = 0x800; // 0.5 in (3.12)
-        sh_fact = 12;
+        fact = 0x400; // 0.5 in (3.12)
+        sh_fact = 11;
    }
-    ga = (fact << 15) / av_clip_int16(32768 - FFABS(gt));
+    ga = (fact << 16) / av_clip_int16(32768 - FFABS(gt));
    gt >>= 1;

    /* Apply tilt compensation filter to signal. */
@@ -503,12 +503,12 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff,
        tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000;
        tmp2 = res_pst[i] + (tmp2 >> 15);

-        tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact;
+        tmp2 = (tmp2 * ga + fact) >> sh_fact;
        out[i] = tmp2;
    }
    tmp2 = (gt * ht_prev_data) * 2 + 0x4000;
    tmp2 = res_pst[0] + (tmp2 >> 15);
-    tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact;
+    tmp2 = (tmp2 * ga + fact) >> sh_fact;
    out[0] = tmp2;

    return tmp;
@@ -600,6 +600,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *
            gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000;
            gain = bidir_sal(gain, exp_after - exp_before);
        }
+        gain = av_clip_int16(gain);
        gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875)
    } else
        gain = 0;
@@ -305,7 +305,6 @@ static int hap_decode(AVCodecContext *avctx, void *data,
    HapContext *ctx = avctx->priv_data;
    ThreadFrame tframe;
    int ret, i, t;
-    int tex_size;
    int section_size;
    enum HapSectionType section_type;
    int start_texture_section = 0;
@@ -342,6 +341,13 @@ static int hap_decode(AVCodecContext *avctx, void *data,
        if (ret < 0)
            return ret;

+        if (ctx->tex_size != (avctx->coded_width  / TEXTURE_BLOCK_W)
+            *(avctx->coded_height / TEXTURE_BLOCK_H)
+            *tex_rat[t]) {
+            av_log(avctx, AV_LOG_ERROR, "uncompressed size mismatches\n");
+            return AVERROR_INVALIDDATA;
+        }
+
        start_texture_section += ctx->texture_section_size + 4;

        if (avctx->codec->update_thread_context)
@@ -349,9 +355,16 @@ static int hap_decode(AVCodecContext *avctx, void *data,

        /* Unpack the DXT texture */
        if (hap_can_use_tex_in_place(ctx)) {
+            int tex_size;
            /* Only DXTC texture compression in a contiguous block */
            ctx->tex_data = ctx->gbc.buffer;
            tex_size = FFMIN(ctx->texture_section_size, bytestream2_get_bytes_left(&ctx->gbc));
+            if (tex_size < (avctx->coded_width  / TEXTURE_BLOCK_W)
+                *(avctx->coded_height / TEXTURE_BLOCK_H)
+                *tex_rat[t]) {
+                av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+                return AVERROR_INVALIDDATA;
+            }
        } else {
            /* Perform the second-stage decompression */
            ret = av_reallocp(&ctx->tex_buf, ctx->tex_size);
@@ -367,14 +380,6 @@ static int hap_decode(AVCodecContext *avctx, void *data,
            }

            ctx->tex_data = ctx->tex_buf;
-            tex_size = ctx->tex_size;
-        }
-
-        if (tex_size < (avctx->coded_width  / TEXTURE_BLOCK_W)
-            *(avctx->coded_height / TEXTURE_BLOCK_H)
-            *tex_rat[t]) {
-            av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
-            return AVERROR_INVALIDDATA;
        }

        /* Use the decompress function on the texture, one block per thread */
@@ -144,6 +144,11 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        for (i = 0; i < s->length_size; i++)
            nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb);

+        if (nalu_size < 2) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
+
        nalu_type = (bytestream2_peek_byte(&gb) >> 1) & 0x3f;

        /* prepend extradata to IRAP frames */
@@ -152,8 +157,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        extra_size    = add_extradata * ctx->par_out->extradata_size;
        got_irap     |= is_irap;

-        if (SIZE_MAX - nalu_size < 4 ||
-            SIZE_MAX - 4 - nalu_size < extra_size) {
+        if (FFMIN(INT_MAX, SIZE_MAX) < 4ULL + nalu_size + extra_size) {
            ret = AVERROR_INVALIDDATA;
            goto fail;
        }
@@ -164,7 +168,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        if (ret < 0)
            goto fail;

-        if (add_extradata)
+        if (extra_size)
            memcpy(out->data + prev_size, ctx->par_out->extradata, extra_size);
        AV_WB32(out->data + prev_size + extra_size, 1);
        bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, nalu_size);
@@ -332,13 +332,17 @@ static int extract_header(AVCodecContext *const avctx,
            int i, count = FFMIN(palette_size / 3, 1 << s->ham);
            int ham_count;
            const uint8_t *const palette = avctx->extradata + AV_RB16(avctx->extradata);
+            int extra_space = 1;
+
+            if (avctx->codec_tag == MKTAG('P', 'B', 'M', ' ') && s->ham == 4)
+                extra_space = 4;

            s->ham_buf = av_malloc((s->planesize * 8) + AV_INPUT_BUFFER_PADDING_SIZE);
            if (!s->ham_buf)
                return AVERROR(ENOMEM);

            ham_count = 8 * (1 << s->ham);
-            s->ham_palbuf = av_malloc((ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE);
+            s->ham_palbuf = av_malloc(extra_space * (ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE);
            if (!s->ham_palbuf) {
                av_freep(&s->ham_buf);
                return AVERROR(ENOMEM);
@@ -436,6 +440,8 @@ static av_cold int decode_init(AVCodecContext *avctx)

    if (avctx->codec_tag == MKTAG('A', 'N', 'I', 'M')) {
        s->video_size = FFALIGN(avctx->width, 2) * avctx->height * s->bpp;
+        if (!s->video_size)
+            return AVERROR_INVALIDDATA;
        s->video[0] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp);
        s->video[1] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp);
        s->pal = av_calloc(256, sizeof(*s->pal));
@@ -711,13 +717,15 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in
 {
    const uint8_t *src_end = src + src_size;
    int x = 0, y = 0, i;
-    while (src + 5 <= src_end) {
+    while (src_end - src >= 5) {
        int opcode;
        opcode = *(int8_t *)src++;
        if (opcode >= 0) {
            int size = opcode + 1;
            for (i = 0; i < size; i++) {
                int length = FFMIN(size - i, width);
+                if (src_end - src < length * 4)
+                    return;
                memcpy(dst + y*linesize + x * 4, src, length * 4);
                src += length * 4;
                x += length;
@@ -1369,11 +1377,10 @@ static void decode_delta_d(uint8_t *dst,
                    opcode--;
                }
            } else {
-                opcode = -opcode;
                while (opcode && bytestream2_get_bytes_left(&gb) > 0) {
                    bytestream2_put_be32(&pb, bytestream2_get_be32(&gb));
                    bytestream2_skip_p(&pb, pitch - 4);
-                    opcode--;
+                    opcode++;
                }
            }
            entries--;
@@ -801,6 +801,8 @@ int ff_intrax8_decode_picture(IntraX8Context *w, Picture *pict,
    for (w->mb_y = 0; w->mb_y < w->mb_height * 2; w->mb_y++) {
        x8_init_block_index(w, w->frame);
        mb_xy = (w->mb_y >> 1) * (w->mb_width + 1);
+        if (get_bits_left(gb) < 1)
+            goto error;
        for (w->mb_x = 0; w->mb_x < w->mb_width * 2; w->mb_x++) {
            x8_get_prediction(w);
            if (x8_setup_spatial_predictor(w, 0))
@@ -1286,7 +1286,7 @@ int ff_h263_decode_picture_header(MpegEncContext *s)
        for(i=0; i<13; i++){
            for(j=0; j<3; j++){
                int v= get_bits(&s->gb, 8);
-                v |= get_sbits(&s->gb, 8)<<8;
+                v |= get_sbits(&s->gb, 8) * (1 << 8);
                av_log(s->avctx, AV_LOG_DEBUG, " %5d", v);
            }
            av_log(s->avctx, AV_LOG_DEBUG, "\n");
@@ -1196,6 +1196,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            AVPacket pkt;
            pkt.data = avpkt->data + (get_bits_count(&ctx->gb) >> 3);
            pkt.size = get_bits_left(&ctx->gb) >> 3;
+            ctx->got_p_frame = 0;
+            av_frame_unref(ctx->p_frame);
            ff_ivi_decode_frame(avctx, ctx->p_frame, &ctx->got_p_frame, &pkt);
        }
    }
@@ -255,7 +255,7 @@ static void dwt_encode97_int(DWTContext *s, int *t)
    line += 5;

    for (i = 0; i < w * h; i++)
-        t[i] <<= I_PRESHIFT;
+        t[i] *= 1 << I_PRESHIFT;

    for (lev = s->ndeclevels-1; lev >= 0; lev--){
        int lh = s->linelen[lev][0],
@@ -226,6 +226,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
        }
    }

+    if (scale_factor > 23)
+        return AVERROR_INVALIDDATA;
+
    rac->scale = scale_factor;

    /* Fill probability array with cumulative probability for each symbol. */
@@ -677,6 +677,17 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data,
        return AVERROR_INVALIDDATA;
    }

+    if (s->interlaced) {
+        if ((s->slice_height >> s->vshift[1]) < 2) {
+            av_log(avctx, AV_LOG_ERROR, "impossible slice height\n");
+            return AVERROR_INVALIDDATA;
+        }
+        if ((avctx->coded_height % s->slice_height) && ((avctx->coded_height % s->slice_height) >> s->vshift[1]) < 2) {
+            av_log(avctx, AV_LOG_ERROR, "impossible height\n");
+            return AVERROR_INVALIDDATA;
+        }
+    }
+
    for (i = 0; i < s->planes; i++) {
        av_fast_malloc(&s->slices[i], &s->slices_size[i], s->nb_slices * sizeof(Slice));
        if (!s->slices[i])
@@ -1303,6 +1303,12 @@ int ff_AMediaCodec_delete(FFAMediaCodec* codec)
        ret = AVERROR_EXTERNAL;
    }

+    (*env)->DeleteGlobalRef(env, codec->input_buffers);
+    codec->input_buffers = NULL;
+
+    (*env)->DeleteGlobalRef(env, codec->output_buffers);
+    codec->output_buffers = NULL;
+
    (*env)->DeleteGlobalRef(env, codec->object);
    codec->object = NULL;

@@ -79,7 +79,7 @@ void ff_mlp_rematrix_channel(int32_t *samples,

        if (matrix_noise_shift) {
            index &= access_unit_size_pow2 - 1;
-            accum += noise_buffer[index] << (matrix_noise_shift + 7);
+            accum += noise_buffer[index] * (1 << (matrix_noise_shift + 7));
            index += index2;
        }

@@ -157,8 +157,8 @@ static int no_sub_motion_search(MpegEncContext * s,
                                  int src_index, int ref_index,
                                  int size, int h)
 {
-    (*mx_ptr)<<=1;
-    (*my_ptr)<<=1;
+    (*mx_ptr) *= 2;
+    (*my_ptr) *= 2;
    return dmin;
 }

@@ -586,7 +586,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s,
    dc = s->last_dc[component];
    dc += diff;
    s->last_dc[component] = dc;
-    block[0] = dc << (3 - s->intra_dc_precision);
+    block[0] = dc * (1 << (3 - s->intra_dc_precision));
    i = 0;
    if (s->intra_vlc_format)
        rl = &ff_rl_mpeg2;
@@ -104,7 +104,7 @@ static inline void restore_ac_coeffs(MpegEncContext *s, int16_t block[6][64],
    memcpy(s->block_last_index, zigzag_last_index, sizeof(int) * 6);

    for (n = 0; n < 6; n++) {
-        int16_t *ac_val = s->ac_val[0][0] + s->block_index[n] * 16;
+        int16_t *ac_val = &s->ac_val[0][0][0] + s->block_index[n] * 16;

        st[n] = s->intra_scantable.permutated;
        if (dir[n]) {
@@ -143,7 +143,7 @@ static inline int decide_ac_pred(MpegEncContext *s, int16_t block[6][64],
        score -= get_block_rate(s, block[n], s->block_last_index[n],
                                s->intra_scantable.permutated);

-        ac_val  = s->ac_val[0][0] + s->block_index[n] * 16;
+        ac_val  = &s->ac_val[0][0][0] + s->block_index[n] * 16;
        ac_val1 = ac_val;
        if (dir[n]) {
            const int xy = s->mb_x + s->mb_y * s->mb_stride - s->mb_stride;
@@ -701,7 +701,7 @@ static void encode_frame(MpegAudioContext *s,

                                /* normalize to P bits */
                                if (shift < 0)
-                                    q1 = sample << (-shift);
+                                    q1 = sample * (1 << -shift);
                                else
                                    q1 = sample >> shift;
                                q1 = (q1 * mult) >> P;
@@ -126,7 +126,7 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height,
        get_quant_quality(c, quality);
    if (width != c->width || height != c->height) {
        // also reserve space for a possible additional header
-        int buf_size = height * width * 3 / 2
+        int64_t buf_size = height * (int64_t)width * 3 / 2
                     + FFMAX(AV_LZO_OUTPUT_PADDING, AV_INPUT_BUFFER_PADDING_SIZE)
                     + RTJPEG_HEADER_SIZE;
        if (buf_size > INT_MAX/8)
@@ -1164,8 +1164,13 @@ static av_cold int nvenc_setup_encoder(AVCodecContext *avctx)
    ctx->init_encode_params.darHeight = dh;
    ctx->init_encode_params.darWidth = dw;

-    ctx->init_encode_params.frameRateNum = avctx->time_base.den;
-    ctx->init_encode_params.frameRateDen = avctx->time_base.num * avctx->ticks_per_frame;
+    if (avctx->framerate.num > 0 && avctx->framerate.den > 0) {
+        ctx->init_encode_params.frameRateNum = avctx->framerate.num;
+        ctx->init_encode_params.frameRateDen = avctx->framerate.den;
+    } else {
+        ctx->init_encode_params.frameRateNum = avctx->time_base.den;
+        ctx->init_encode_params.frameRateDen = avctx->time_base.num * avctx->ticks_per_frame;
+    }

    ctx->init_encode_params.enableEncodeAsync = 0;
    ctx->init_encode_params.enablePTD = 1;
@@ -1783,10 +1788,11 @@ static int nvenc_set_timestamp(AVCodecContext *avctx,
        pkt->dts = ts0 - delta;

        ctx->first_packet_output = 1;
-        return 0;
+    } else {
+        pkt->dts = timestamp_queue_dequeue(ctx->timestamp_list);
    }

-    pkt->dts = timestamp_queue_dequeue(ctx->timestamp_list);
+    pkt->dts -= avctx->max_b_frames;

    return 0;
 }
@@ -306,7 +306,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx)
 #define DECODE(size, endian, src, dst, n, shift, offset)                \
    for (; n > 0; n--) {                                                \
        uint ## size ## _t v = bytestream_get_ ## endian(&src);         \
-        AV_WN ## size ## A(dst, (v - offset) << shift);                 \
+        AV_WN ## size ## A(dst, (uint ## size ## _t)(v - offset) << shift); \
        dst += size / 8;                                                \
    }

@@ -317,7 +317,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx)
        dst = frame->extended_data[c];                                \
        for (i = n; i > 0; i--) {                                       \
            uint ## size ## _t v = bytestream_get_ ## endian(&src);     \
-            AV_WN ## size ## A(dst, (v - offset) << shift);             \
+            AV_WN ## size ## A(dst, (uint ## size ##_t)(v - offset) << shift); \
            dst += size / 8;                                            \
        }                                                               \
    }
@@ -515,13 +515,13 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data,
            dst_int32_t = (int32_t *)frame->extended_data[c];
            for (i = 0; i < n; i++) {
                // extract low 20 bits and expand to 32 bits
-                *dst_int32_t++ =  (src[2]         << 28) |
+                *dst_int32_t++ =  ((uint32_t)src[2]<<28) |
                                  (src[1]         << 20) |
                                  (src[0]         << 12) |
                                 ((src[2] & 0x0F) <<  8) |
                                   src[1];
                // extract high 20 bits and expand to 32 bits
-                *dst_int32_t++ =  (src[4]         << 24) |
+                *dst_int32_t++ =  ((uint32_t)src[4]<<24) |
                                  (src[3]         << 16) |
                                 ((src[2] & 0xF0) <<  8) |
                                  (src[4]         <<  4) |
@@ -691,8 +691,11 @@ static int decode(AVCodecContext *avctx, void *data, int *data_size,
            ret = AVERROR_INVALIDDATA;
            break;
        }
-        if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE))
+        if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) {
+            avsubtitle_free(data);
+            *data_size = 0;
            return ret;
+        }

        buf += segment_length;
    }
@@ -1242,7 +1242,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
        case MKTAG('f', 'd', 'A', 'T'):
            if (!CONFIG_APNG_DECODER || avctx->codec_id != AV_CODEC_ID_APNG)
                goto skip_tag;
-            if (!decode_next_dat) {
+            if (!decode_next_dat || length < 4) {
                ret = AVERROR_INVALIDDATA;
                goto fail;
            }
@@ -1290,7 +1290,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
            break;
        }
        case MKTAG('i', 'C', 'C', 'P'): {
-            if (decode_iccp_chunk(s, length, p) < 0)
+            if ((ret = decode_iccp_chunk(s, length, p)) < 0)
                goto fail;
            break;
        }
@@ -132,7 +132,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
                init_put_bits(&pb, ptr, linesize);
                for(j=0; j<avctx->width * components; j++){
                    unsigned int c=0;
-                    int v=0;
+                    unsigned v=0;
                    if(s->type < 4)
                    while(s->bytestream < s->bytestream_end && (*s->bytestream < '0' || *s->bytestream > '9' ))
                        s->bytestream++;
@@ -224,7 +224,7 @@ static void encode_codeword(PutBitContext *pb, int val, int codebook)
 }

 #define QSCALE(qmat,ind,val) ((val) / ((qmat)[ind]))
-#define TO_GOLOMB(val) (((val) << 1) ^ ((val) >> 31))
+#define TO_GOLOMB(val) (((val) * 2) ^ ((val) >> 31))
 #define DIFF_SIGN(val, sign) (((val) >> 31) ^ (sign))
 #define IS_NEGATIVE(val) ((((val) >> 31) ^ -1) + 1)
 #define TO_GOLOMB2(val,sign) ((val)==0 ? 0 : ((val) << 1) + (sign))
@@ -1334,6 +1334,9 @@ static void qdm2_fft_decode_tones(QDM2Context *q, int duration,
        if (q->frequency_range > (local_int_14 + 1)) {
            int sub_packet = (local_int_20 + local_int_28);

+            if (q->fft_coefs_index + stereo >= FF_ARRAY_ELEMS(q->fft_coefs))
+                return;
+
            qdm2_fft_init_coefficient(q, sub_packet, offset, duration,
                                      channel, exp, phase);
            if (stereo)
@@ -477,8 +477,8 @@ static int ra144_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
                      LPC_ORDER, 16, lpc_coefs, shift, FF_LPC_TYPE_LEVINSON,
                      0, ORDER_METHOD_EST, 0, 12, 0);
    for (i = 0; i < LPC_ORDER; i++)
-        block_coefs[NBLOCKS - 1][i] = -(lpc_coefs[LPC_ORDER - 1][i] <<
-                                        (12 - shift[LPC_ORDER - 1]));
+        block_coefs[NBLOCKS - 1][i] = -lpc_coefs[LPC_ORDER - 1][i]
+                                       * (1 << (12 - shift[LPC_ORDER - 1]));

    /**
     * TODO: apply perceptual weighting of the input speech through bandwidth
@@ -330,7 +330,7 @@ static void apply_lpc(RALFContext *ctx, int ch, int length, int bits)
            acc = (acc + bias - 1) >> ctx->filter_bits;
            acc = FFMAX(acc, min_clip);
        } else {
-            acc = (acc + bias) >> ctx->filter_bits;
+            acc = ((unsigned)acc + bias) >> ctx->filter_bits;
            acc = FFMIN(acc, max_clip);
        }
        audio[i] += acc;
@@ -344,7 +344,8 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb,
    int len, ch, ret;
    int dmode, mode[2], bits[2];
    int *ch0, *ch1;
-    int i, t, t2;
+    int i;
+    unsigned int t, t2;

    len = 12 - get_unary(gb, 0, 6);

@@ -409,8 +410,8 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb,
        for (i = 0; i < len; i++) {
            t  =   ch1[i] + ctx->bias[1];
            t2 = ((ch0[i] + ctx->bias[0]) * 2) | (t & 1);
-            dst0[i] = (t2 + t) / 2;
-            dst1[i] = (t2 - t) / 2;
+            dst0[i] = (int)(t2 + t) / 2;
+            dst1[i] = (int)(t2 - t) / 2;
        }
        break;
    }
@@ -481,6 +482,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
    init_get_bits(&gb, src + 2, table_size);
    ctx->num_blocks = 0;
    while (get_bits_left(&gb) > 0) {
+        if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size))
+            return AVERROR_INVALIDDATA;
        ctx->block_size[ctx->num_blocks] = get_bits(&gb, 13 + avctx->channels);
        if (get_bits1(&gb)) {
            ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9);
@@ -467,10 +467,13 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
        avctx->pix_fmt   == AV_PIX_FMT_RGBA64BE) {
        uint8_t *dst = frame->data[0];
        uint64_t v;
-        int x;
-        for (x = 0; x >> 3 < avctx->width * avctx->height; x += 8) {
-            v = AV_RB64(&dst[x]);
-            AV_WB64(&dst[x], v << 16 | v >> 48);
+        int x, y;
+        for (y = 0; y < avctx->height; y++) {
+            for (x = 0; x >> 3 < avctx->width; x += 8) {
+                v = AV_RB64(&dst[x]);
+                AV_WB64(&dst[x], v << 16 | v >> 48);
+            }
+            dst += frame->linesize[0];
        }
    }

@@ -385,7 +385,7 @@ static void rv40_weight_func_rnd_ ## size (uint8_t *dst, uint8_t *src1, uint8_t
 \
    for (j = 0; j < size; j++) {\
        for (i = 0; i < size; i++)\
-            dst[i] = (((w2 * src1[i]) >> 9) + ((w1 * src2[i]) >> 9) + 0x10) >> 5;\
+            dst[i] = ((((unsigned)w2 * src1[i]) >> 9) + (((unsigned)w1 * src2[i]) >> 9) + 0x10) >> 5;\
        src1 += stride;\
        src2 += stride;\
        dst  += stride;\
@@ -397,7 +397,7 @@ static void rv40_weight_func_nornd_ ## size (uint8_t *dst, uint8_t *src1, uint8_
 \
    for (j = 0; j < size; j++) {\
        for (i = 0; i < size; i++)\
-            dst[i] = (w2 * src1[i] + w1 * src2[i] + 0x10) >> 5;\
+            dst[i] = ((unsigned)w2 * src1[i] + (unsigned)w1 * src2[i] + 0x10) >> 5;\
        src1 += stride;\
        src2 += stride;\
        dst  += stride;\
@@ -391,6 +391,8 @@ static av_always_inline int smk_get_code(GetBitContext *gb, int *recode, int *la
    int v;

    while(*table & SMK_NODE) {
+        if (get_bits_left(gb) < 1)
+            return AVERROR_INVALIDDATA;
        if(get_bits1(gb))
            table += (*table) & (~SMK_NODE);
        table++;
@@ -455,6 +457,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
        uint16_t pix;

        type = smk_get_code(&gb, smk->type_tbl, smk->type_last);
+        if (type < 0)
+            return type;
        run = block_runs[(type >> 2) & 0x3F];
        switch(type & 3){
        case SMK_BLK_MONO:
@@ -39,6 +39,8 @@ static int64_t bytestream2_get_levarint(GetByteContext *gb)

    do {
        tmp = bytestream2_get_byte(gb);
+        if (shift > 31 || ((tmp & 127LL) << shift) > INT_MAX)
+            return AVERROR_INVALIDDATA;
        val |= (tmp & 127) << shift;
        shift += 7;
    } while (tmp & 128);
@@ -602,6 +602,8 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
        if (skip_1stop_8data_bits(bitbuf) < 0)
            return AVERROR_INVALIDDATA;
    }
+    if (get_bits_left(bitbuf) <= 0)
+        return AVERROR_INVALIDDATA;

    s->width  = width;
    s->height = height;
@@ -187,7 +187,7 @@ static void tdsc_paint_cursor(AVCodecContext *avctx, uint8_t *dst, int stride)
 static int tdsc_load_cursor(AVCodecContext *avctx)
 {
    TDSCContext *ctx  = avctx->priv_data;
-    int i, j, k, ret, bits, cursor_fmt;
+    int i, j, k, ret, cursor_fmt;
    uint8_t *dst;

    ctx->cursor_hot_x = bytestream2_get_le16(&ctx->gbc);
@@ -231,7 +231,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx)
    case CUR_FMT_MONO:
        for (j = 0; j < ctx->cursor_h; j++) {
            for (i = 0; i < ctx->cursor_w; i += 32) {
-                bits = bytestream2_get_be32(&ctx->gbc);
+                uint32_t bits = bytestream2_get_be32(&ctx->gbc);
                for (k = 0; k < 32; k++) {
                    dst[0] = !!(bits & 0x80000000);
                    dst   += 4;
@@ -244,7 +244,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx)
        dst = ctx->cursor;
        for (j = 0; j < ctx->cursor_h; j++) {
            for (i = 0; i < ctx->cursor_w; i += 32) {
-                bits = bytestream2_get_be32(&ctx->gbc);
+                uint32_t bits = bytestream2_get_be32(&ctx->gbc);
                for (k = 0; k < 32; k++) {
                    int mask_bit = !!(bits & 0x80000000);
                    switch (dst[0] * 2 + mask_bit) {
@@ -20,9 +20,11 @@
 #include "ttadsp.h"
 #include "config.h"

-static void tta_filter_process_c(int32_t *qm, int32_t *dx, int32_t *dl,
+static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl,
                                 int32_t *error, int32_t *in, int32_t shift,
                                 int32_t round) {
+    uint32_t *qm = qmi;
+
    if (*error < 0) {
        qm[0] -= dx[0]; qm[1] -= dx[1]; qm[2] -= dx[2]; qm[3] -= dx[3];
        qm[4] -= dx[4]; qm[5] -= dx[5]; qm[6] -= dx[6]; qm[7] -= dx[7];
@@ -164,7 +164,7 @@ pkt_alloc:
                    put_bits(&pb, 31, 0x7FFFFFFF);
                    unary -= 31;
                } else {
-                    put_bits(&pb, unary, (1 << unary) - 1);
+                    put_bits(&pb, unary, (1U << unary) - 1);
                    unary = 0;
                }
            } while (unary);
@@ -43,6 +43,9 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    int i, j;
    int ret;

+    if (avpkt->size < 88)
+        return AVERROR_INVALIDDATA;
+
    ff_texturedsp_init(&dxtc);

    bytestream2_init(&gb, avpkt->data, avpkt->size);
@@ -317,7 +317,7 @@ static int decode_plane(UtvideoContext *c, int plane_no,
                for (i = 0; i < width; i++) {
                    pix = fsym;
                    if (use_pred) {
-                        prev += pix;
+                        prev += (unsigned)pix;
                        pix   = prev;
                    }
                    dest[i] = pix;
@@ -854,7 +854,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
        ret = AVERROR_INVALIDDATA;
        goto err;
    }
-
+    if ((avctx->codec_id == AV_CODEC_ID_WMV3IMAGE || avctx->codec_id == AV_CODEC_ID_VC1IMAGE)
+        && v->field_mode) {
+        av_log(v->s.avctx, AV_LOG_ERROR, "Sprite decoder: expected Frames not Fields\n");
+        ret = AVERROR_INVALIDDATA;
+        goto err;
+    }
    if ((s->mb_height >> v->field_mode) == 0) {
        av_log(v->s.avctx, AV_LOG_ERROR, "image too short\n");
        ret = AVERROR_INVALIDDATA;
@@ -1033,7 +1038,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,

        ff_mpeg_er_frame_start(s);

-        v->bits = buf_size * 8;
+        v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits);
        v->end_mb_x = s->mb_width;
        if (v->field_mode) {
            s->current_picture.f->linesize[0] <<= 1;
@@ -1107,8 +1112,10 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
                continue;
            }
            ff_vc1_decode_blocks(v);
-            if (i != n_slices)
+            if (i != n_slices) {
                s->gb = slices[i].gb;
+                v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits);
+            }
        }
        if (v->field_mode) {
            v->second_field = 0;
@@ -76,7 +76,9 @@ static av_cold int vmdaudio_decode_init(AVCodecContext *avctx)
        av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n");
        return AVERROR(EINVAL);
    }
-    if (avctx->block_align < 1 || avctx->block_align % avctx->channels) {
+    if (avctx->block_align < 1 || avctx->block_align % avctx->channels ||
+        avctx->block_align > INT_MAX - avctx->channels
+    ) {
        av_log(avctx, AV_LOG_ERROR, "invalid block align\n");
        return AVERROR(EINVAL);
    }
@@ -1479,38 +1479,38 @@ itxfm_wrap(16, 6)
 static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride,
                                       dctcoef *out, int pass)
 {
-    dctint t0a  = ((IN(0) + IN(16)) * 11585 + (1 << 13)) >> 14;
-    dctint t1a  = ((IN(0) - IN(16)) * 11585 + (1 << 13)) >> 14;
-    dctint t2a  = (IN( 8) *  6270 - IN(24) * 15137 + (1 << 13)) >> 14;
-    dctint t3a  = (IN( 8) * 15137 + IN(24) *  6270 + (1 << 13)) >> 14;
-    dctint t4a  = (IN( 4) *  3196 - IN(28) * 16069 + (1 << 13)) >> 14;
-    dctint t7a  = (IN( 4) * 16069 + IN(28) *  3196 + (1 << 13)) >> 14;
-    dctint t5a  = (IN(20) * 13623 - IN(12) *  9102 + (1 << 13)) >> 14;
-    dctint t6a  = (IN(20) *  9102 + IN(12) * 13623 + (1 << 13)) >> 14;
-    dctint t8a  = (IN( 2) *  1606 - IN(30) * 16305 + (1 << 13)) >> 14;
-    dctint t15a = (IN( 2) * 16305 + IN(30) *  1606 + (1 << 13)) >> 14;
-    dctint t9a  = (IN(18) * 12665 - IN(14) * 10394 + (1 << 13)) >> 14;
-    dctint t14a = (IN(18) * 10394 + IN(14) * 12665 + (1 << 13)) >> 14;
-    dctint t10a = (IN(10) *  7723 - IN(22) * 14449 + (1 << 13)) >> 14;
-    dctint t13a = (IN(10) * 14449 + IN(22) *  7723 + (1 << 13)) >> 14;
-    dctint t11a = (IN(26) * 15679 - IN( 6) *  4756 + (1 << 13)) >> 14;
-    dctint t12a = (IN(26) *  4756 + IN( 6) * 15679 + (1 << 13)) >> 14;
-    dctint t16a = (IN( 1) *   804 - IN(31) * 16364 + (1 << 13)) >> 14;
-    dctint t31a = (IN( 1) * 16364 + IN(31) *   804 + (1 << 13)) >> 14;
-    dctint t17a = (IN(17) * 12140 - IN(15) * 11003 + (1 << 13)) >> 14;
-    dctint t30a = (IN(17) * 11003 + IN(15) * 12140 + (1 << 13)) >> 14;
-    dctint t18a = (IN( 9) *  7005 - IN(23) * 14811 + (1 << 13)) >> 14;
-    dctint t29a = (IN( 9) * 14811 + IN(23) *  7005 + (1 << 13)) >> 14;
-    dctint t19a = (IN(25) * 15426 - IN( 7) *  5520 + (1 << 13)) >> 14;
-    dctint t28a = (IN(25) *  5520 + IN( 7) * 15426 + (1 << 13)) >> 14;
-    dctint t20a = (IN( 5) *  3981 - IN(27) * 15893 + (1 << 13)) >> 14;
-    dctint t27a = (IN( 5) * 15893 + IN(27) *  3981 + (1 << 13)) >> 14;
-    dctint t21a = (IN(21) * 14053 - IN(11) *  8423 + (1 << 13)) >> 14;
-    dctint t26a = (IN(21) *  8423 + IN(11) * 14053 + (1 << 13)) >> 14;
-    dctint t22a = (IN(13) *  9760 - IN(19) * 13160 + (1 << 13)) >> 14;
-    dctint t25a = (IN(13) * 13160 + IN(19) *  9760 + (1 << 13)) >> 14;
-    dctint t23a = (IN(29) * 16207 - IN( 3) *  2404 + (1 << 13)) >> 14;
-    dctint t24a = (IN(29) *  2404 + IN( 3) * 16207 + (1 << 13)) >> 14;
+    dctint t0a  = (dctint)((IN(0) + IN(16)) * 11585U         + (1 << 13)) >> 14;
+    dctint t1a  = (dctint)((IN(0) - IN(16)) * 11585U         + (1 << 13)) >> 14;
+    dctint t2a  = (dctint)(IN( 8) *  6270U - IN(24) * 15137U + (1 << 13)) >> 14;
+    dctint t3a  = (dctint)(IN( 8) * 15137U + IN(24) *  6270U + (1 << 13)) >> 14;
+    dctint t4a  = (dctint)(IN( 4) *  3196U - IN(28) * 16069U + (1 << 13)) >> 14;
+    dctint t7a  = (dctint)(IN( 4) * 16069U + IN(28) *  3196U + (1 << 13)) >> 14;
+    dctint t5a  = (dctint)(IN(20) * 13623U - IN(12) *  9102U + (1 << 13)) >> 14;
+    dctint t6a  = (dctint)(IN(20) *  9102U + IN(12) * 13623U + (1 << 13)) >> 14;
+    dctint t8a  = (dctint)(IN( 2) *  1606U - IN(30) * 16305U + (1 << 13)) >> 14;
+    dctint t15a = (dctint)(IN( 2) * 16305U + IN(30) *  1606U + (1 << 13)) >> 14;
+    dctint t9a  = (dctint)(IN(18) * 12665U - IN(14) * 10394U + (1 << 13)) >> 14;
+    dctint t14a = (dctint)(IN(18) * 10394U + IN(14) * 12665U + (1 << 13)) >> 14;
+    dctint t10a = (dctint)(IN(10) *  7723U - IN(22) * 14449U + (1 << 13)) >> 14;
+    dctint t13a = (dctint)(IN(10) * 14449U + IN(22) *  7723U + (1 << 13)) >> 14;
+    dctint t11a = (dctint)(IN(26) * 15679U - IN( 6) *  4756U + (1 << 13)) >> 14;
+    dctint t12a = (dctint)(IN(26) *  4756U + IN( 6) * 15679U + (1 << 13)) >> 14;
+    dctint t16a = (dctint)(IN( 1) *   804U - IN(31) * 16364U + (1 << 13)) >> 14;
+    dctint t31a = (dctint)(IN( 1) * 16364U + IN(31) *   804U + (1 << 13)) >> 14;
+    dctint t17a = (dctint)(IN(17) * 12140U - IN(15) * 11003U + (1 << 13)) >> 14;
+    dctint t30a = (dctint)(IN(17) * 11003U + IN(15) * 12140U + (1 << 13)) >> 14;
+    dctint t18a = (dctint)(IN( 9) *  7005U - IN(23) * 14811U + (1 << 13)) >> 14;
+    dctint t29a = (dctint)(IN( 9) * 14811U + IN(23) *  7005U + (1 << 13)) >> 14;
+    dctint t19a = (dctint)(IN(25) * 15426U - IN( 7) *  5520U + (1 << 13)) >> 14;
+    dctint t28a = (dctint)(IN(25) *  5520U + IN( 7) * 15426U + (1 << 13)) >> 14;
+    dctint t20a = (dctint)(IN( 5) *  3981U - IN(27) * 15893U + (1 << 13)) >> 14;
+    dctint t27a = (dctint)(IN( 5) * 15893U + IN(27) *  3981U + (1 << 13)) >> 14;
+    dctint t21a = (dctint)(IN(21) * 14053U - IN(11) *  8423U + (1 << 13)) >> 14;
+    dctint t26a = (dctint)(IN(21) *  8423U + IN(11) * 14053U + (1 << 13)) >> 14;
+    dctint t22a = (dctint)(IN(13) *  9760U - IN(19) * 13160U + (1 << 13)) >> 14;
+    dctint t25a = (dctint)(IN(13) * 13160U + IN(19) *  9760U + (1 << 13)) >> 14;
+    dctint t23a = (dctint)(IN(29) * 16207U - IN( 3) *  2404U + (1 << 13)) >> 14;
+    dctint t24a = (dctint)(IN(29) *  2404U + IN( 3) * 16207U + (1 << 13)) >> 14;

    dctint t0  = t0a  + t3a;
    dctint t1  = t1a  + t2a;
@@ -1545,20 +1545,20 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride,
    dctint t30 = t31a - t30a;
    dctint t31 = t31a + t30a;

-    t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14;
-    t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14;
-    t9a  = (  t14 *  6270 - t9  * 15137  + (1 << 13)) >> 14;
-    t14a = (  t14 * 15137 + t9  *  6270  + (1 << 13)) >> 14;
-    t10a = (-(t13 * 15137 + t10 *  6270) + (1 << 13)) >> 14;
-    t13a = (  t13 *  6270 - t10 * 15137  + (1 << 13)) >> 14;
-    t17a = (  t30 *  3196 - t17 * 16069  + (1 << 13)) >> 14;
-    t30a = (  t30 * 16069 + t17 *  3196  + (1 << 13)) >> 14;
-    t18a = (-(t29 * 16069 + t18 *  3196) + (1 << 13)) >> 14;
-    t29a = (  t29 *  3196 - t18 * 16069  + (1 << 13)) >> 14;
-    t21a = (  t26 * 13623 - t21 *  9102  + (1 << 13)) >> 14;
-    t26a = (  t26 *  9102 + t21 * 13623  + (1 << 13)) >> 14;
-    t22a = (-(t25 *  9102 + t22 * 13623) + (1 << 13)) >> 14;
-    t25a = (  t25 * 13623 - t22 *  9102  + (1 << 13)) >> 14;
+    t5a  = (dctint)((t6 - t5) * 11585U             + (1 << 13)) >> 14;
+    t6a  = (dctint)((t6 + t5) * 11585U             + (1 << 13)) >> 14;
+    t9a  = (dctint)(  t14 *  6270U - t9  * 15137U  + (1 << 13)) >> 14;
+    t14a = (dctint)(  t14 * 15137U + t9  *  6270U  + (1 << 13)) >> 14;
+    t10a = (dctint)(-(t13 * 15137U + t10 *  6270U) + (1 << 13)) >> 14;
+    t13a = (dctint)(  t13 *  6270U - t10 * 15137U  + (1 << 13)) >> 14;
+    t17a = (dctint)(  t30 *  3196U - t17 * 16069U  + (1 << 13)) >> 14;
+    t30a = (dctint)(  t30 * 16069U + t17 *  3196U  + (1 << 13)) >> 14;
+    t18a = (dctint)(-(t29 * 16069U + t18 *  3196U) + (1 << 13)) >> 14;
+    t29a = (dctint)(  t29 *  3196U - t18 * 16069U  + (1 << 13)) >> 14;
+    t21a = (dctint)(  t26 * 13623U - t21 *  9102U  + (1 << 13)) >> 14;
+    t26a = (dctint)(  t26 *  9102U + t21 * 13623U  + (1 << 13)) >> 14;
+    t22a = (dctint)(-(t25 *  9102U + t22 * 13623U) + (1 << 13)) >> 14;
+    t25a = (dctint)(  t25 * 13623U - t22 *  9102U  + (1 << 13)) >> 14;

    t0a  = t0   + t7;
    t1a  = t1   + t6a;
@@ -1593,18 +1593,18 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride,
    t30  = t30a + t29a;
    t31a = t31  + t28;

-    t10a = ((t13  - t10)  * 11585 + (1 << 13)) >> 14;
-    t13a = ((t13  + t10)  * 11585 + (1 << 13)) >> 14;
-    t11  = ((t12a - t11a) * 11585 + (1 << 13)) >> 14;
-    t12  = ((t12a + t11a) * 11585 + (1 << 13)) >> 14;
-    t18a = (  t29  *  6270 - t18  * 15137  + (1 << 13)) >> 14;
-    t29a = (  t29  * 15137 + t18  *  6270  + (1 << 13)) >> 14;
-    t19  = (  t28a *  6270 - t19a * 15137  + (1 << 13)) >> 14;
-    t28  = (  t28a * 15137 + t19a *  6270  + (1 << 13)) >> 14;
-    t20  = (-(t27a * 15137 + t20a *  6270) + (1 << 13)) >> 14;
-    t27  = (  t27a *  6270 - t20a * 15137  + (1 << 13)) >> 14;
-    t21a = (-(t26  * 15137 + t21  *  6270) + (1 << 13)) >> 14;
-    t26a = (  t26  *  6270 - t21  * 15137  + (1 << 13)) >> 14;
+    t10a = (dctint)((t13  - t10)  * 11585U           + (1 << 13)) >> 14;
+    t13a = (dctint)((t13  + t10)  * 11585U           + (1 << 13)) >> 14;
+    t11  = (dctint)((t12a - t11a) * 11585U           + (1 << 13)) >> 14;
+    t12  = (dctint)((t12a + t11a) * 11585U           + (1 << 13)) >> 14;
+    t18a = (dctint)(  t29  *  6270U - t18  * 15137U  + (1 << 13)) >> 14;
+    t29a = (dctint)(  t29  * 15137U + t18  *  6270U  + (1 << 13)) >> 14;
+    t19  = (dctint)(  t28a *  6270U - t19a * 15137U  + (1 << 13)) >> 14;
+    t28  = (dctint)(  t28a * 15137U + t19a *  6270U  + (1 << 13)) >> 14;
+    t20  = (dctint)(-(t27a * 15137U + t20a *  6270U) + (1 << 13)) >> 14;
+    t27  = (dctint)(  t27a *  6270U - t20a * 15137U  + (1 << 13)) >> 14;
+    t21a = (dctint)(-(t26  * 15137U + t21  *  6270U) + (1 << 13)) >> 14;
+    t26a = (dctint)(  t26  *  6270U - t21  * 15137U  + (1 << 13)) >> 14;

    t0   = t0a + t15a;
    t1   = t1a + t14;
@@ -1639,14 +1639,14 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride,
    t30a = t30  + t25;
    t31  = t31a + t24a;

-    t20  = ((t27a - t20a) * 11585 + (1 << 13)) >> 14;
-    t27  = ((t27a + t20a) * 11585 + (1 << 13)) >> 14;
-    t21a = ((t26  - t21 ) * 11585 + (1 << 13)) >> 14;
-    t26a = ((t26  + t21 ) * 11585 + (1 << 13)) >> 14;
-    t22  = ((t25a - t22a) * 11585 + (1 << 13)) >> 14;
-    t25  = ((t25a + t22a) * 11585 + (1 << 13)) >> 14;
-    t23a = ((t24  - t23 ) * 11585 + (1 << 13)) >> 14;
-    t24a = ((t24  + t23 ) * 11585 + (1 << 13)) >> 14;
+    t20  = (dctint)((t27a - t20a) * 11585U + (1 << 13)) >> 14;
+    t27  = (dctint)((t27a + t20a) * 11585U + (1 << 13)) >> 14;
+    t21a = (dctint)((t26  - t21 ) * 11585U + (1 << 13)) >> 14;
+    t26a = (dctint)((t26  + t21 ) * 11585U + (1 << 13)) >> 14;
+    t22  = (dctint)((t25a - t22a) * 11585U + (1 << 13)) >> 14;
+    t25  = (dctint)((t25a + t22a) * 11585U + (1 << 13)) >> 14;
+    t23a = (dctint)((t24  - t23 ) * 11585U + (1 << 13)) >> 14;
+    t24a = (dctint)((t24  + t23 ) * 11585U + (1 << 13)) >> 14;

    out[ 0] = t0   + t31;
    out[ 1] = t1   + t30a;
@@ -529,9 +529,9 @@ static int8_t store_weight(int weight)

 static int restore_weight(int8_t weight)
 {
-    int result;
+    int result = 8 * weight;

-    if ((result = (int) weight << 3) > 0)
+    if (result > 0)
        result += (result + 64) >> 7;

    return result;
@@ -2557,7 +2557,7 @@ static int wavpack_encode_block(WavPackEncodeContext *s,
            ret = wv_mono(s, samples_l, !s->num_terms, 1);
    } else {
        for (i = 0; i < nb_samples; i++)
-            crc += (crc << 3) + (samples_l[i] << 1) + samples_l[i] + samples_r[i];
+            crc += (crc << 3) + ((uint32_t)samples_l[i] << 1) + samples_l[i] + samples_r[i];

        if (s->num_passes)
            ret = wv_stereo(s, samples_l, samples_r, !s->num_terms, 1);
@@ -164,7 +164,7 @@ typedef struct WmallDecodeCtx {
    int transient_pos[WMALL_MAX_CHANNELS];
    int seekable_tile;

-    int ave_sum[WMALL_MAX_CHANNELS];
+    unsigned ave_sum[WMALL_MAX_CHANNELS];

    int channel_residues[WMALL_MAX_CHANNELS][WMALL_BLOCK_MAX_SIZE];

@@ -189,6 +189,16 @@ static av_cold int decode_init(AVCodecContext *avctx)
        return AVERROR(EINVAL);
    }

+    if (avctx->channels < 0) {
+        av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n",
+               avctx->channels);
+        return AVERROR_INVALIDDATA;
+    } else if (avctx->channels > WMALL_MAX_CHANNELS) {
+        avpriv_request_sample(avctx,
+                              "More than %d channels", WMALL_MAX_CHANNELS);
+        return AVERROR_PATCHWELCOME;
+    }
+
    s->max_frame_size = MAX_FRAMESIZE * avctx->channels;
    s->frame_data = av_mallocz(s->max_frame_size + AV_INPUT_BUFFER_PADDING_SIZE);
    if (!s->frame_data)
@@ -267,16 +277,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
                ++s->lfe_channel;
    }

-    if (s->num_channels < 0) {
-        av_log(avctx, AV_LOG_ERROR, "invalid number of channels %"PRId8"\n",
-               s->num_channels);
-        return AVERROR_INVALIDDATA;
-    } else if (s->num_channels > WMALL_MAX_CHANNELS) {
-        avpriv_request_sample(avctx,
-                              "More than %d channels", WMALL_MAX_CHANNELS);
-        return AVERROR_PATCHWELCOME;
-    }
-
    s->frame = av_frame_alloc();
    if (!s->frame)
        return AVERROR(ENOMEM);
@@ -535,7 +535,8 @@ static int decode_channel_residues(WmallDecodeCtx *s, int ch, int tile_size)
        i++;
    }
    for (; i < tile_size; i++) {
-        int quo = 0, rem, rem_bits, residue;
+        int rem, rem_bits;
+        unsigned quo = 0, residue;
        while(get_bits1(&s->gb)) {
            quo++;
            if (get_bits_left(&s->gb) <= 0)
@@ -774,7 +775,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \
                                                        s->cdlms[ch][ilms].recent, \
                                                        FFALIGN(s->cdlms[ch][ilms].order, ROUND), \
                                                        WMASIGN(residue)); \
-            input = residue + (pred >> s->cdlms[ch][ilms].scaling); \
+            input = residue + (unsigned)(pred >> s->cdlms[ch][ilms].scaling); \
            lms_update ## bits(s, ch, ilms, input); \
            s->channel_residues[ch][icoef] = input; \
        } \
@@ -792,8 +793,8 @@ static void revert_inter_ch_decorr(WmallDecodeCtx *s, int tile_size)
    else if (s->is_channel_coded[0] || s->is_channel_coded[1]) {
        int icoef;
        for (icoef = 0; icoef < tile_size; icoef++) {
-            s->channel_residues[0][icoef] -= s->channel_residues[1][icoef] >> 1;
-            s->channel_residues[1][icoef] += s->channel_residues[0][icoef];
+            s->channel_residues[0][icoef] -= (unsigned)(s->channel_residues[1][icoef] >> 1);
+            s->channel_residues[1][icoef] += (unsigned) s->channel_residues[0][icoef];
        }
    }
 }
@@ -825,8 +826,11 @@ static void revert_acfilter(WmallDecodeCtx *s, int tile_size)
            pred >>= scaling;
            s->channel_residues[ich][i] += (unsigned)pred;
        }
-        for (j = 0; j < order; j++)
-            prevvalues[j] = s->channel_residues[ich][tile_size - j - 1];
+        for (j = order - 1; j >= 0; j--)
+            if (tile_size <= j) {
+                prevvalues[j] = prevvalues[j - tile_size];
+            }else
+                prevvalues[j] = s->channel_residues[ich][tile_size - j - 1];
    }
 }

@@ -991,7 +995,7 @@ static int decode_subframe(WmallDecodeCtx *s)
            if (s->bits_per_sample == 16) {
                *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] * (1 << padding_zeroes);
            } else {
-                *s->samples_32[c]++ = s->channel_residues[c][j] * (256 << padding_zeroes);
+                *s->samples_32[c]++ = s->channel_residues[c][j] * (256U << padding_zeroes);
            }
        }
    }
@@ -386,7 +386,7 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx)
               ctx->extradata_size);
        return AVERROR_INVALIDDATA;
    }
-    if (ctx->block_align <= 0) {
+    if (ctx->block_align <= 0 || ctx->block_align > (1<<22)) {
        av_log(ctx, AV_LOG_ERROR, "Invalid block alignment %d.\n", ctx->block_align);
        return AVERROR_INVALIDDATA;
    }
@@ -636,12 +636,14 @@ static void calc_input_response(WMAVoiceContext *s, float *lpcs,
    for (n = 0; n <= 64; n++) {
        float pwr;

-        idx = FFMAX(0, lrint((max - lpcs[n]) * irange) - 1);
+        idx = lrint((max - lpcs[n]) * irange - 1);
+        idx = FFMAX(0, idx);
        pwr = wmavoice_denoise_power_table[s->denoise_strength][idx];
        lpcs[n] = angle_mul * pwr;

        /* 70.57 =~ 1/log10(1.0331663) */
-        idx = (pwr * gain_mul - 0.0295) * 70.570526123;
+        idx = av_clipf((pwr * gain_mul - 0.0295) * 70.570526123, 0, INT_MAX / 2);
+
        if (idx > 127) { // fall back if index falls outside table range
            coeffs[n] = wmavoice_energy_table[127] *
                        powf(1.0331663, idx - 127);
@@ -274,7 +274,7 @@ cglobal dequant_subband_32, 7, 7, 4, src, dst, stride, qf, qs, tot_v, tot_h
    movd   m3, qsd
    SPLATD m2
    SPLATD m3
-    mov    r4, tot_hq
+    mov    r4d, tot_hd
    mov    r3, dstq

    .loop_v:
@@ -294,8 +294,9 @@ cglobal dequant_subband_32, 7, 7, 4, src, dst, stride, qf, qs, tot_v, tot_h

    add    srcq, mmsize
    add    dstq, mmsize
-    sub    tot_hd, 4
+    sub    tot_hq, 4
    jg     .loop_h
+    lea    srcq, [srcq + 4*tot_hq]

    add    r3, strideq
    dec    tot_vd
@@ -115,24 +115,24 @@ static int idct_row(short *in, const int *const tab, int rnd)
        in[6] = a1;
    } else {
        const int k  = c4 * in[0] + rnd;
-        const int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6];
-        const int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6];
-        const int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6];
-        const int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6];
+        const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6];
+        const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6];
+        const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6];
+        const unsigned int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6];

-        const int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7];
-        const int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7];
-        const int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7];
-        const int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7];
+        const unsigned int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7];
+        const unsigned int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7];
+        const unsigned int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7];
+        const unsigned int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7];

-        in[0] = (a0 + b0) >> ROW_SHIFT;
-        in[1] = (a1 + b1) >> ROW_SHIFT;
-        in[2] = (a2 + b2) >> ROW_SHIFT;
-        in[3] = (a3 + b3) >> ROW_SHIFT;
-        in[4] = (a3 - b3) >> ROW_SHIFT;
-        in[5] = (a2 - b2) >> ROW_SHIFT;
-        in[6] = (a1 - b1) >> ROW_SHIFT;
-        in[7] = (a0 - b0) >> ROW_SHIFT;
+        in[0] = (int)(a0 + b0) >> ROW_SHIFT;
+        in[1] = (int)(a1 + b1) >> ROW_SHIFT;
+        in[2] = (int)(a2 + b2) >> ROW_SHIFT;
+        in[3] = (int)(a3 + b3) >> ROW_SHIFT;
+        in[4] = (int)(a3 - b3) >> ROW_SHIFT;
+        in[5] = (int)(a2 - b2) >> ROW_SHIFT;
+        in[6] = (int)(a1 - b1) >> ROW_SHIFT;
+        in[7] = (int)(a0 - b0) >> ROW_SHIFT;
    }
    return 1;
 }
@@ -142,7 +142,7 @@ static int idct_row(short *in, const int *const tab, int rnd)
 #define TAN3  0xAB0E
 #define SQRT2 0x5A82

-#define MULT(c, x, n)  (((c) * (x)) >> (n))
+#define MULT(c, x, n)  ((unsigned)((int)((c) * (unsigned)(x)) >> (n)))
 // 12b version => #define MULT(c,x, n)  ((((c) >> 3) * (x)) >> ((n) - 3))
 // 12b zero-testing version:

@@ -409,7 +409,7 @@ static av_cold int encode_init(AVCodecContext *avctx)
     */
    c->pstride = FFALIGN((avctx->width + c->lrange) * c->bypp, 16);
    prev_size = FFALIGN(c->lrange * c->bypp, 16) + c->pstride * (c->lrange + avctx->height + c->urange);
-    prev_offset = FFALIGN(c->lrange, 16) + c->pstride * c->lrange;
+    prev_offset = FFALIGN(c->lrange * c->bypp, 16) + c->pstride * c->lrange;
    if (!(c->prev_buf = av_mallocz(prev_size))) {
        av_log(avctx, AV_LOG_ERROR, "Can't allocate picture.\n");
        return AVERROR(ENOMEM);
@@ -78,7 +78,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *frame)
 static inline void compute_dar(AVRational *dar, AVRational sar, int w, int h)
 {
    if (sar.num && sar.den) {
-        av_reduce(&dar->num, &dar->den, sar.num * w, sar.den * h, INT_MAX);
+        av_reduce(&dar->num, &dar->den, sar.num * (int64_t)w, sar.den * (int64_t)h, INT_MAX);
    } else {
        av_reduce(&dar->num, &dar->den, w, h, INT_MAX);
    }
@@ -312,7 +312,8 @@ static int activate(AVFilterContext *ctx)
                                               FFMIN(s->planeheight[2],
                                               ff_filter_get_nb_threads(ctx)));
                    }
-                }
+                } else
+                    av_frame_free(&out);
            } else if (!out) {
                ret = AVERROR(ENOMEM);
            }
@@ -22,7 +22,6 @@
 * @todo switch to dualinput
 */

-#include "libavutil/avassert.h"
 #include "libavutil/imgutils.h"
 #include "libavutil/opt.h"
 #include "internal.h"
@@ -159,7 +158,7 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax,

    if (pass + 1 <= maxpass) {
        int sub_x, sub_y;
-        search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 1.0);
+        search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 2.0);
        xmin = FFMAX(xmin, 2*sub_x - 4);
        xmax = FFMIN(xmax, 2*sub_x + 4);
        ymin = FFMAX(ymin, 2*sub_y - 4);
@@ -169,7 +168,6 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax,
    for (y = ymin; y <= ymax; y++) {
        for (x = xmin; x <= xmax; x++) {
            float score = compare(foc->haystack_frame[pass], foc->needle_frame[pass], x, y);
-            av_assert0(score != 0);
            if (score < best_score) {
                best_score = score;
                *best_x = x;
@@ -198,7 +196,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
                        FFMIN(foc->xmax, foc->last_x + 8),
                        FFMAX(foc->ymin, foc->last_y - 8),
                        FFMIN(foc->ymax, foc->last_y + 8),
-                        &best_x, &best_y, 1.0);
+                        &best_x, &best_y, 2.0);

    best_score = search(foc, 0, foc->mipmaps - 1, foc->xmin, foc->xmax, foc->ymin, foc->ymax,
                        &best_x, &best_y, best_score);
@@ -523,7 +523,7 @@ static av_cold int init(AVFilterContext *ctx)
            int startg = FFMAX3(-bg, -rg, 0);
            int endg = FFMIN3(255-bg, 255-rg, 255);
            uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000);
-            c = bg + (rg<<16) + 0x010101 * startg;
+            c = bg + rg * (1 << 16) + 0x010101 * startg;
            for (g = startg; g <= endg; g++) {
                hqx->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v;
                c+= 0x010101;
@@ -903,7 +903,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf)

    AVFrame *out = ff_get_video_buffer(outlink, outlink->w, outlink->h);
    if (!out) {
-        av_frame_free(&in);
        *outf = NULL;
        return AVERROR(ENOMEM);
    }
@@ -916,7 +915,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf)
    if (av_frame_ref(s->last_in, in) < 0 ||
        av_frame_ref(s->last_out, out) < 0 ||
        av_frame_make_writable(s->last_in) < 0) {
-        av_frame_free(&in);
        av_frame_free(&out);
        *outf = NULL;
        return AVERROR(ENOMEM);
@@ -934,7 +932,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf)
    memcpy(out->data[1], s->palette, AVPALETTE_SIZE);
    if (s->calc_mean_err)
        debug_mean_error(s, in, out, inlink->frame_count_out);
-    av_frame_free(&in);
    *outf = out;
    return 0;
 }
@@ -1023,20 +1020,17 @@ static int load_apply_palette(FFFrameSync *fs)
    if (ret < 0)
        return ret;
    if (!master || !second) {
-        ret = AVERROR_BUG;
-        goto error;
+        av_frame_free(&master);
+        return AVERROR_BUG;
    }
    if (!s->palette_loaded) {
        load_palette(s, second);
    }
    ret = apply_palette(inlink, master, &out);
-    if (ret < 0)
-        goto error;
-    return ff_filter_frame(ctx->outputs[0], out);
-
-error:
    av_frame_free(&master);
-    return ret;
+    if (ret < 0)
+        return ret;
+    return ff_filter_frame(ctx->outputs[0], out);
 }

 #define DEFINE_SET_FRAME(color_search, name, value)                             \
@@ -218,7 +218,7 @@ static int init_filter_param(AVFilterContext *ctx, UnsharpFilterParam *fp, const
           effect, effect_type, fp->msize_x, fp->msize_y, fp->amount / 65535.0);

    fp->sr = av_malloc_array((MAX_MATRIX_SIZE - 1) * s->nb_threads, sizeof(uint32_t));
-    fp->sc = av_malloc_array(2 * fp->steps_y * s->nb_threads, sizeof(uint32_t **));
+    fp->sc = av_mallocz_array(2 * fp->steps_y * s->nb_threads, sizeof(uint32_t *));
    if (!fp->sr || !fp->sc)
        return AVERROR(ENOMEM);

@@ -258,9 +258,11 @@ static void free_filter_param(UnsharpFilterParam *fp, int nb_threads)
 {
    int z;

-    for (z = 0; z < 2 * fp->steps_y * nb_threads; z++)
-        av_freep(&fp->sc[z]);
-    av_freep(&fp->sc);
+    if (fp->sc) {
+        for (z = 0; z < 2 * fp->steps_y * nb_threads; z++)
+            av_freep(&fp->sc[z]);
+        av_freep(&fp->sc);
+    }
    av_freep(&fp->sr);
 }

@@ -395,7 +395,7 @@ static int init(AVFilterContext *ctx)
            int startg = FFMAX3(-bg, -rg, 0);
            int endg = FFMIN3(255-bg, 255-rg, 255);
            uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000);
-            c = bg + (rg<<16) + 0x010101 * startg;
+            c = bg + rg * (1 << 16) + 0x010101 * startg;
            for (g = startg; g <= endg; g++) {
                s->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v;
                c+= 0x010101;
@@ -92,7 +92,7 @@ static int aa_read_header(AVFormatContext *s)
    avio_skip(pb, 4); // magic string
    toc_size = avio_rb32(pb); // TOC size
    avio_skip(pb, 4); // unidentified integer
-    if (toc_size > MAX_TOC_ENTRIES)
+    if (toc_size > MAX_TOC_ENTRIES || toc_size < 2)
        return AVERROR_INVALIDDATA;
    for (i = 0; i < toc_size; i++) { // read TOC
        avio_skip(pb, 4); // TOC entry index
@@ -90,13 +90,15 @@ static int amr_read_header(AVFormatContext *s)
    AVStream *st;
    uint8_t header[9];

-    avio_read(pb, header, 6);
+    if (avio_read(pb, header, 6) != 6)
+        return AVERROR_INVALIDDATA;

    st = avformat_new_stream(s, NULL);
    if (!st)
        return AVERROR(ENOMEM);
    if (memcmp(header, AMR_header, 6)) {
-        avio_read(pb, header + 6, 3);
+        if (avio_read(pb, header + 6, 3) != 3)
+            return AVERROR_INVALIDDATA;
        if (memcmp(header, AMRWB_header, 9)) {
            return -1;
        }
@@ -321,8 +321,7 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int
    int64_t off = avio_tell(s->pb);
 #define LEN 22

-    if ((unsigned)len >= (UINT_MAX - LEN) / 2)
-        return;
+    av_assert0((unsigned)len < (INT_MAX - LEN) / 2);

    if (!asf->export_xmp && !strncmp(key, "xmp", 3))
        goto finish;
@@ -712,6 +711,9 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
        value_type = avio_rl16(pb); /* value_type */
        value_len  = avio_rl32(pb);

+        if (value_len < 0 || value_len > UINT16_MAX)
+            return AVERROR_INVALIDDATA;
+
        name_len_utf8 = 2*name_len_utf16 + 1;
        name          = av_malloc(name_len_utf8);
        if (!name)
@@ -857,11 +859,20 @@ static int asf_read_header(AVFormatContext *s)
                        return ret;
                    av_hex_dump_log(s, AV_LOG_DEBUG, pkt.data, pkt.size);
                    av_packet_unref(&pkt);
+
                    len= avio_rl32(pb);
+                    if (len > UINT16_MAX)
+                        return AVERROR_INVALIDDATA;
                    get_tag(s, "ASF_Protection_Type", -1, len, 32);
+
                    len= avio_rl32(pb);
+                    if (len > UINT16_MAX)
+                        return AVERROR_INVALIDDATA;
                    get_tag(s, "ASF_Key_ID", -1, len, 32);
+
                    len= avio_rl32(pb);
+                    if (len > UINT16_MAX)
+                        return AVERROR_INVALIDDATA;
                    get_tag(s, "ASF_License_URL", -1, len, 32);
                } else if (!ff_guidcmp(&g, &ff_asf_ext_content_encryption)) {
                    av_log(s, AV_LOG_WARNING,
@@ -61,7 +61,7 @@ typedef struct AVIStream {

    AVFormatContext *sub_ctx;
    AVPacket sub_pkt;
-    uint8_t *sub_buffer;
+    AVBufferRef *sub_buffer;

    int64_t seek_pos;
 } AVIStream;
@@ -1121,8 +1121,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt)
            time_base = ast->sub_ctx->streams[0]->time_base;
            avpriv_set_pts_info(st, 64, time_base.num, time_base.den);
        }
-        ast->sub_buffer = pkt->data;
-        memset(pkt, 0, sizeof(*pkt));
+        ast->sub_buffer = pkt->buf;
+        pkt->buf = NULL;
+        av_packet_unref(pkt);
        return 1;

 error:
@@ -1531,11 +1532,12 @@ resync:
        if (!avi->non_interleaved && st->nb_index_entries>1 && avi->index_loaded>1) {
            int64_t dts= av_rescale_q(pkt->dts, st->time_base, AV_TIME_BASE_Q);

-            if (avi->dts_max - dts > 2*AV_TIME_BASE) {
+            if (avi->dts_max < dts) {
+                avi->dts_max = dts;
+            } else if (avi->dts_max - (uint64_t)dts > 2*AV_TIME_BASE) {
                avi->non_interleaved= 1;
                av_log(s, AV_LOG_INFO, "Switching to NI mode, due to poor interleaving\n");
-            }else if (avi->dts_max < dts)
-                avi->dts_max = dts;
+            }
        }

        return 0;
@@ -1913,7 +1915,7 @@ static int avi_read_close(AVFormatContext *s)
                av_freep(&ast->sub_ctx->pb);
                avformat_close_input(&ast->sub_ctx);
            }
-            av_freep(&ast->sub_buffer);
+            av_buffer_unref(&ast->sub_buffer);
            av_packet_unref(&ast->sub_pkt);
        }
    }
@@ -459,6 +459,14 @@ static int avi_write_header(AVFormatContext *s)
                    && par->format != AV_PIX_FMT_NONE)
                    av_log(s, AV_LOG_ERROR, "%s rawvideo cannot be written to avi, output file will be unreadable\n",
                          av_get_pix_fmt_name(par->format));
+
+                if (par->format == AV_PIX_FMT_PAL8) {
+                    if (par->bits_per_coded_sample < 0 || par->bits_per_coded_sample > 8) {
+                        av_log(s, AV_LOG_ERROR, "PAL8 with %d bps is not allowed\n", par->bits_per_coded_sample);
+                        return AVERROR(EINVAL);
+                    }
+                }
+
                break;
            case AVMEDIA_TYPE_AUDIO:
                flags = (avi->write_channel_mask == 0) ? FF_PUT_WAV_HEADER_SKIP_CHANNELMASK : 0;
@@ -1163,6 +1163,8 @@ int ffio_open_whitelist(AVIOContext **s, const char *filename, int flags,
    URLContext *h;
    int err;

+    *s = NULL;
+
    err = ffurl_open_whitelist(&h, filename, flags, int_cb, options, whitelist, blacklist, NULL);
    if (err < 0)
        return err;
@@ -146,9 +146,13 @@ static int read_frame(BVID_DemuxContext *vid, AVIOContext *pb, AVPacket *pkt,
    }

    do{
-        vidbuf_start = av_fast_realloc(vidbuf_start, &vidbuf_capacity, vidbuf_nbytes + BUFFER_PADDING_SIZE);
-        if(!vidbuf_start)
-            return AVERROR(ENOMEM);
+        uint8_t *tmp = av_fast_realloc(vidbuf_start, &vidbuf_capacity,
+                                       vidbuf_nbytes + BUFFER_PADDING_SIZE);
+        if (!tmp) {
+            ret = AVERROR(ENOMEM);
+            goto fail;
+        }
+        vidbuf_start = tmp;

        code = avio_r8(pb);
        vidbuf_start[vidbuf_nbytes++] = code;
@@ -149,7 +149,7 @@ static int bin_probe(const AVProbeData *p)
            return AVPROBE_SCORE_EXTENSION + 1;

        predict_width(&par, p->buf_size, got_width);
-        if (par.width <= 0)
+        if (par.width < 8)
            return 0;
        calculate_height(&par, p->buf_size);
        if (par.height <= 0)
@@ -195,6 +195,8 @@ static int bintext_read_header(AVFormatContext *s)
            next_tag_read(s, &bin->fsize);
        if (!bin->width) {
            predict_width(st->codecpar, bin->fsize, got_width);
+            if (st->codecpar->width < 8)
+                return AVERROR_INVALIDDATA;
            calculate_height(st->codecpar, bin->fsize);
        }
        avio_seek(pb, 0, SEEK_SET);
@@ -122,19 +122,6 @@ struct representation {
 typedef struct DASHContext {
    const AVClass *class;
    char *base_url;
-    char *adaptionset_contenttype_val;
-    char *adaptionset_par_val;
-    char *adaptionset_lang_val;
-    char *adaptionset_minbw_val;
-    char *adaptionset_maxbw_val;
-    char *adaptionset_minwidth_val;
-    char *adaptionset_maxwidth_val;
-    char *adaptionset_minheight_val;
-    char *adaptionset_maxheight_val;
-    char *adaptionset_minframerate_val;
-    char *adaptionset_maxframerate_val;
-    char *adaptionset_segmentalignment_val;
-    char *adaptionset_bitstreamswitching_val;

    int n_videos;
    struct representation **videos;
@@ -1107,26 +1094,12 @@ static int parse_manifest_adaptationset(AVFormatContext *s, const char *url,
                                        xmlNodePtr period_segmentlist_node)
 {
    int ret = 0;
-    DASHContext *c = s->priv_data;
    xmlNodePtr fragment_template_node = NULL;
    xmlNodePtr content_component_node = NULL;
    xmlNodePtr adaptionset_baseurl_node = NULL;
    xmlNodePtr adaptionset_segmentlist_node = NULL;
    xmlNodePtr adaptionset_supplementalproperty_node = NULL;
    xmlNodePtr node = NULL;
-    c->adaptionset_contenttype_val = xmlGetProp(adaptionset_node, "contentType");
-    c->adaptionset_par_val = xmlGetProp(adaptionset_node, "par");
-    c->adaptionset_lang_val = xmlGetProp(adaptionset_node, "lang");
-    c->adaptionset_minbw_val = xmlGetProp(adaptionset_node, "minBandwidth");
-    c->adaptionset_maxbw_val = xmlGetProp(adaptionset_node, "maxBandwidth");
-    c->adaptionset_minwidth_val = xmlGetProp(adaptionset_node, "minWidth");
-    c->adaptionset_maxwidth_val = xmlGetProp(adaptionset_node, "maxWidth");
-    c->adaptionset_minheight_val = xmlGetProp(adaptionset_node, "minHeight");
-    c->adaptionset_maxheight_val = xmlGetProp(adaptionset_node, "maxHeight");
-    c->adaptionset_minframerate_val = xmlGetProp(adaptionset_node, "minFrameRate");
-    c->adaptionset_maxframerate_val = xmlGetProp(adaptionset_node, "maxFrameRate");
-    c->adaptionset_segmentalignment_val = xmlGetProp(adaptionset_node, "segmentAlignment");
-    c->adaptionset_bitstreamswitching_val = xmlGetProp(adaptionset_node, "bitstreamSwitching");

    node = xmlFirstElementChild(adaptionset_node);
    while (node) {
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.2
 .2.3