Update for 4.2.7

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avfilter/vf_colorspace: fix memmory leaks
2022-05-09 23:52:36 +02:00 · 2022-05-04 20:00:05 +02:00 · 2022-05-04 20:00:05 +02:00 · 2022-05-04 20:00:05 +02:00 · 2022-05-04 20:00:05 +02:00 · 2022-05-04 20:00:05 +02:00
356 changed files with 3487 additions and 1485 deletions
@@ -1,6 +1,736 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 4.2.7
+ avfilter/vf_colorspace: fix memmory leaks
+ avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written
+ avfilter/vf_random: fix memory leaks
+ avfilter/vf_bwdif: fix heap-buffer overflow
+ fftools/ffmpeg_opt: Fix leak of options when parsing options fails
+ avfilter/vf_edgedetect: fix heap-buffer overflow
+ avfilter/vf_w3fdif: deny processing small videos
+ avfilter/vf_avgblur: fix heap-buffer overflow
+ avfilter/af_tremolo: fix heap-buffer overflow
+ avfilter/vf_edgedetect: check if height is big enough
+ avfilter/vf_bitplanenoise: fix overreads
+ avfilter/vf_fieldorder: fix heap-buffer overflow
+ avfilter/vf_fieldmatch: fix heap-buffer overflow
+ avcodec/pngenc: remove monowhite from apng formats
+ lavf/tls_mbedtls: add support for mbedtls version 3
+
+version 4.2.6
+ configure: bump year
+ avfilter/vf_lenscorrection: make width/height int
+ avcodec/diracdec: avoid signed integer overflow in global mv
+ avcodec/takdsp: Fix integer overflow in decorrelate_sf()
+ avcodec/apedec: fix a integer overflow in long_filter_high_3800()
+ avfilter/vf_subtitles: pass storage size to libass
+ avformat/aqtitledec: Skip unrepresentable durations
+ avformat/cafdec: Do not store empty keys in read_info_chunk()
+ avformat/hls: Check target_duration
+ avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()
+ avformat/matroskadec: Check pre_ns
+ avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior
+ avformat/matroskadec: Use rounded down duration in get_cue_desc() check
+ avformat/avidec: Check height
+ avformat/rmdec: Better duplicate tags check
+ avformat/mov: Disallow empty sidx
+ avformat/matroskadec: Check duration
+ avformat/mov: Corner case encryption error cleanup in mov_read_senc()
+ avcodec/jpeglsdec: Fix if( code style
+ avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error
+ avcodec/motion_est: fix indention of ff_get_best_fcode()
+ avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()
+ avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned
+ avformat/matroskadec: Check desc_bytes
+ avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()
+ avformat/matroskadec: Fix infinite loop with bz decompression
+ avformat/mov: Check size before subtraction
+ avcodec/apedec: Fix integer overflows in predictor_update_3930()
+ avcodec/apedec: fix integer overflow in 8bit samples
+ avformat/flvdec: timestamps cannot use the full int64 range
+ avcodec/vqavideo: reset accounting on error
+ avcodec/alacdsp: fix integer overflow in decorrelate_stereo()
+ avformat/4xm: Check for duplicate track ids
+ avformat/4xm: Consider max_streams on reallocating tracks array
+ avformat/mov: Check next offset in mov_read_dref()
+ avformat/vivo: Favor setting fps from explicit fractions
+ avformat/vivo: Do not use the general expression evaluator for parsing a floating point value
+ avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()
+ avcodec/apedec: Change avg to uint32_t
+ avformat/mov: Disallow duplicate smdm
+ avformat/mov: Check for EOF in mov_read_glbl()
+ avcodec/vp3: Check version in all cases when VP4 code is not built
+ avformat/mov: Check channels for mov_parse_stsd_audio()
+ avformat/avidec: Check read_odml_index() for failure
+ avformat/aiffdec: Use av_rescale() for bitrate
+ avformat/aiffdec: sanity check block_align
+ avformat/aiffdec: Check sample_rate
+ avfilter/vf_gblur: fix heap-buffer overflow
+ avfilter/vf_lenscorrection: fix division by zero
+ avformat/latmenc: abort if no extradata is available
+ avformat/movenc: Fix segfault when remuxing rtp hint stream
+ avformat/tty: add probe function
+ avfilter/vf_neighbor: check if width is 1
+ avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE
+ avcodec/ttadsp: Fix integer overflows in tta_filter_process_c()
+ avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results
+ configure: Add missing libshine->mpegaudioheader dependency
+
+version 4.2.5
+ configure: update copyright year
+ avformat/matroskadec: Reset state also on failure in matroska_reset_status()
+ avformat/wavdec: Check smv_block_size
+ avformat/rmdec: Check for multiple audio_stream_info
+ avcodec/apedec: Use 64bit to avoid overflow
+ avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830()
+ oavformat/avidec: Check offset in odml
+ avformat/mpegts: use actually read packet size in mpegts_resync special case
+ avfilter/scale_npp: fix non-aligned output frame dimensions
+ Update for 4.2.5
+ swscale/alphablend: Fix slice handling
+ avcodec/mxpegdec: Check for AVDISCARD_ALL
+ avcodec/flicvideo: Check remaining bytes in FLI*COPY
+ avcodec/cbs_h265_syntax_template: Limit sps_num_palette_predictor_initializer_minus1 to 127
+ avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return
+ avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable
+ avcodec/apedec: Fix integer overflow in intermediate
+ avformat/mvdec: Do not set invalid sample rate
+ avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4
+ avformat/mov: Check for duplicate clli
+ avformat/jacosubdec: Check for min in t overflow in get_shift()
+ avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet()
+ avcodec/utils: don't return negative values in av_get_audio_frame_duration()
+ avcodec/jpeg2000dec: Check that atom header is within bytsetream
+ avcodec/apedec: Fix 2 integer overflows in filter_3800()
+ avcodec/xpmdec: Move allocations down after more error checks
+ network: Define ENOTCONN as WSAENOTCONN if not defined
+ avformat/avidec: Use 64bit for frame number in odml index parsing
+ avcodec/mjpegbdec: Skip SOS on AVDISCARD_ALL as does mjpeg
+ avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac()
+ avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata
+ avcodec/webp: Check available space in loop in decode_entropy_coded_image()
+ avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode
+ avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init
+ avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line()
+ avcodec/vc1dec: Disable error concealment for *IMAGE
+ avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c()
+ avformat/wtvdec: Check for EOF before seeking back in parse_media_type()
+ avformat/wavdec: Use 64bit in new_pos computation
+ avformat/sbgdec: Check for overflow in timestamp preparation
+ avformat/dsicin: Check packet size for overflow
+ avformat/bfi: check nframes
+ avformat/avidec: fix position overflow in avi_load_index()
+ avformat/asfdec_f: Check sizeX against padding
+ avformat/aiffdec: Check for size overflow in header parsing
+ avcodec/aaccoder: Add minimal bias in search_for_ms()
+ avfilter/af_drmeter: Check that there is data
+ avfilter/vf_mestimate: Check b_count
+ avformat/mov: do not ignore errors in mov_metadata_hmmt()
+ avformat/mxfdec: Check size for shrinking
+ avcodec/dnxhddec: check and propagate function return value
+ swscale/slice: Fix wrong return on error
+ swscale/slice: Check slice for allocation failure
+ avformat/matroskadec: Fix handling of huge default durations
+ avcodec/lpc: check for zero err in normalization in compute_lpc_coefs()
+ avformat/ftp: Check for av_strtok() failure
+ tools/cws2fws: Check read() for failure
+ avcodec/cpia: Fix missing src_size update
+ avcodec/clearvideo: Check tile_size to be not too large
+ avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation
+ avformat/rmdec: Check old_format len for overflow
+ avformat/realtextdec: Check the pts difference before using it for the duration computation
+ avformat/qcp: Avoid negative nb_rates
+ avformat/nutdec: Check tmp_size
+ avformat/msf: Check that channels doesnt overflow during extradata construction
+ avformat/mpc8: Check for position overflow in mpc8_handle_chunk()
+ avformat/iff: Use 64bit in duration computation
+ avformat/dxa: Check fps to be within the supported range more precissely
+ avcodec/iff: Only write palette to plane 1 if its PAL8
+ avformat/tta: Check for EOF in index reading loop
+ Update missed irc links
+ avformat/rpl: The associative law doesnt hold for signed integers in C
+ avcodec/faxcompr: Check available bits in decode_uncompressed()
+ avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10
+ avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit
+ avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1
+ avformat/mov: Check for duplicate mdcv
+ avfilter/vf_dctdnoiz: Check threads
+ avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black
+ avformat/rpl: Check for EOF and zero framesize
+ avcodec/vc2enc: Check for non negative slice bounds
+ avformat/rpl: Use 64bit in bitrate computation and check it
+ avcodec/svq1enc: Do not print debug RD value before it has been computed
+ avcodec/aacpsy: Check bandwidth
+ avcodec/aacenc: Do not divide by lambda_count if it is 0
+ avcodec/aacenc: Use FLT_EPSILON for lambda minimum
+ avformat/cinedec: Fix index_entries size check
+ avfilter/vf_yadif: Fix handing of tiny images
+ avfilter/vf_vmafmotion: Check dimensions
+ avformat/movenc: Check pal_size before use
+ avcodec/lpc: Avoid floating point division by 0
+ avcodec/aacpsy: Avoid floating point division by 0 of norm_fac
+ avcodec/aacenc: Avoid 0 lambda
+ avcodec/exr: x/ymax cannot be INT_MAX
+ avformat/avio: Check av_opt_copy() for failure
+ avcodec/clearvideo: Check for 0 tile_shift
+ avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header()
+ avformat/mov: Ignore duplicate CoLL
+ avformat/mov: Limit nb_chapter_tracks to input size
+ avformat/utils: Use 64bit earlier in r_frame_rate check
+ avformat/mvdec: Check sample rate in parse_audio_var()
+ avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line()
+ avcodec/utils: treat PAL8 for jpegs similar to other colorspaces
+ avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent
+ avformat/asfdec_o: Use ff_get_extradata()
+ avformat/id3v2: Check end for overflow in id3v2_parse()
+ avformat/wtvdec: Improve size overflow checks in parse_chunks()
+ avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line()
+ avcodec/utils: Check ima wav duration for overflow
+ avformat/cafdec: Check channels
+ avcodec/dpx: Check bits_per_color earlier
+ avcodec/pnm_parser: Check image size addition for overflow
+ avcodec/h265_metadata_bsf: Check nb_units before accessing the first in h265_metadata_update_fragment()
+ avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check
+ avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context()
+ avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change()
+ avformat/mov: Ignore multiple STSC / STCO
+ avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields()
+ avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice()
+ avutil/common: Add FF_PTR_ADD()
+ avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid
+ avformat/cafdec: Do not build an index if all packets are the same
+ avformat/vividas: Use equals check with n in read_sb_block()
+ avcodec/sonic: Use unsigned temporary in predictor_calc_error()
+ avformat/jacosubdec: Use 64bit intermediate for start/end timestamp shift
+ avformat/flvdec: Check array entry number
+ avcodec/h264_slice: Check sps in h264_slice_header_init()
+ avformat/movenc: Avoid loosing cluster array on failure
+ avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb
+ avformat/mov: Check sample size for overflow in mov_parse_stsd_audio()
+ avcodec/ffwavesynth: Avoid signed integer overflow in phi_at()
+ avcodec/mpeg4videoenc: Check extradata malloc()
+ avcodec/speedhq: Width < 8 is not supported
+ avformat/matroskadec: Check for EOF in resync loop
+ avcodec/utils: Use more bits for intermediate for AV_CODEC_ID_ADPCM_MS
+ avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular()
+ avformat/voc_packet: prevent remaining size from becoming negative in ff_voc_get_packet()
+ avutil/timecode: Avoid fps overflow
+ avformat/mvi: Check audio size for more overflows
+ avcodec/flacdec: Avoid undefined shift in error case
+ avcodec/ffv1dec: Check if trailer is available
+ avcodec/4xm: Check pre_gb in decode_i_block()
+ avcodec/dcadsp: Fix integer overflow in dmix_add_c()
+ avformat/flvdec: Check double before cast in parse_keyframes_index()
+ avformat/paf: Check for EOF before allocation in read_header()
+ avcodec/aacdec_template: Avoid undefined negation in imdct_and_windowing_eld()
+ avformat/lxfdec: Fix multiple integer overflows related to track_size
+ avcodec/exr: skip bottom clearing loop when its outside the image
+ avutil/parseutils: Check sign in av_parse_time()
+ avformat/aiffdec: Check that SSND is at least 8 bytes
+ avformat/dcstr: Check sample rate
+ avcodec/alsdec: Check bitstream input in read_block()
+ avformat/mov: Extend data_size check in mov_read_udta_string()
+ avformat/aadec: Check for EOF while reading chapters
+ avformat/voc_packet: Add a basic check on max_size
+ avformat/microdvddec: use 64bit for durations
+ avcodec/hapdec: Change compressed_offset to unsigned 32bit
+ avformat/rmdec: Check codec_length without overflow
+ avformat/mov: Check element count in mov_metadata_hmmt()
+ avcodec/vp8: Move end check into MB loop in vp78_decode_mv_mb_modes()
+ avcodec/fits: Check gcount and pcount being non negative
+ avformat/nutdec: Check timebase count against main header length
+ avformat/electronicarts: Clear partial_packet on error
+ avformat/r3d: Check samples before computing duration
+ avcodec/pnm_parser: Check av_image_get_buffer_size() for failure
+ avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif()
+ avformat/rmdec: Check remaining space in debug av_log() loop
+ avformat/flvdec: Treat high ts byte as unsigned
+ avformat/samidec: Sanity check pts
+ avcodec/jpeg2000dec: Check atom_size in jp2_find_codestream()
+ avformat/avidec: Use 64bit in get_duration()
+ avformat/mov: Check for duplicate st3d
+ avformat/mvdec: Check for EOF in read_index()
+ avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular()
+ avformat/id3v2: Check the return from avio_get_str()
+ avcodec/hevc_sei: Check payload size in decode_nal_sei_message()
+ libavutil/eval: Remove CONFIG_TRAPV special handling
+ avformat/wtvdec: Check len in parse_chunks() to avoid overflow
+ avformat/asfdec_f: Add an additional check for the extradata size
+ avformat/3dostr: Check sample_rate
+ avformat/4xm: Make audio_frame_count 64bit
+ avformat/mov: Use av_mul_q() to avoid integer overflows
+ avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper
+ avformat/rmdec: Reorder operations to avoid overflow
+ avcodec/mxpegdec: fix SOF counting
+ avcodec/rscc: Check inflated_buf size whan it is used
+ avformat/mvdec: Sanity check SAMPLE_WIDTH
+ avformat/rmdec: Fix codecdata_length overflow check
+ avcodec/simple_idct: Fix undefined integer overflow in idct4row()
+ avformat/tta: Use 64bit intermediate for index
+ avformat/soxdec: Check channels to be positive
+ avcodec/cscd: Check output len in zlib as in lzo
+ avcodec/vp3: Check input amount in theora_decode_header()
+ avformat/wavdec: Check avio_get_str16le() for failure
+ avformat/flvdec: Check for EOF in amf_skip_tag()
+ avformat/aiffdec: Check size before subtraction in get_aiff_header()
+ avformat/electronicarts: More chunk_size checks
+ avcodec/cfhd: check peak.offset
+ avformat/tedcaptionsdec: Check for overflow in parse_int()
+ avformat/nuv: Check channels
+ avformat/mpc8: Check size before implicitly converting to int
+ avformat/nutdec: Fix integer overflow in count computation
+ avformat/mvi: Use 64bit for testing dimensions
+ avformat/utils: Check dts in update_initial_timestamps() more
+ avformat/flvdec: Check for avio_read() failure in amf_get_string()
+ avformat/flvdec: Check for nesting depth in amf_skip_tag()
+ avformat/flvdec: Check for nesting depth in amf_parse_object()
+ avformat/asfdec_o: Check for EOF in asf_read_marker()
+ avformat/utils: Check dts - (1<<pts_wrap_bits) overflow
+ avformat/bfi: Check chunk_header
+ avformat/ads: Check size
+ avformat/iff: Check block align also for ID_MAUD
+ avcodec/utils: Check for integer overflow in get_audio_frame_duration() for ADPCM_DTK
+ avformat/fitsdec: Better size checks
+ avformat/mxfdec: Fix integer overflow in next position in mxf_read_local_tags()
+ avformat/avidec: dv does not support palettes
+ libavformat/utils: consider avio_size() failure in ffio_limit()
+ avformat/nistspheredec: Check bits_per_coded_sample and channels
+ avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject()
+ avformat/utils: check for integer overflow in av_get_frame_filename2()
+ avutil/timecode: Avoid undefined behavior with large framenum
+ avformat/mov: Check a.size before computing next_root_atom
+ avformat/sbgdec: Reduce the amount of floating point in str_to_time()
+ avformat/mxfdec: Free all types for both Descriptors
+ uavformat/rsd: check for EOF in extradata
+ avcodec/wmaprodec: Check packet size
+ avcodec/rasc: Check frame before clearing
+ avformat/vividas: Check number of audio channels
+ avcodec/alsdec: Fix integer overflow with quant_cof
+ avformat/mpegts: Fix argument type for av_log
+ avformat/cafdec: clip sample rate
+ avcodec/ffv1dec: Fix off by 1 error with quant tables
+ avformat/mpegts: Increase pcr_incr width to 64bit
+ avcodec/utils: Check bitrate for overflow in get_bit_rate()
+ avformat/mov: Check if hoov is at the end
+ avcodec/hevc_ps: check scaling_list_dc_coef
+ avformat/iff: Check data_size
+ avformat/matroskadec: Sanity check codec_id/track type
+ avformat/rpl: Check the number of streams
+ avformat/vividas: Check sample_rate
+ avformat/vividas: Make len signed
+ avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct()
+ avformat/dsfdec: Check block_align more completely
+ avformat/mpc8: Check remaining space in mpc8_parse_seektable()
+ avformat/id3v2: Sanity check tlen before alloc and uncompress
+ avformat/vqf: Check len for COMM chunks
+ avcodec/hevc_cabac: Limit value in coeff_abs_level_remaining_decode() tighter
+ avformat/cafdec: Check the return code from av_add_index_entry()
+ avformat/cafdec: Check for EOF in index read loop
+ avformat/cafdec: Check that bytes_per_packet and frames_per_packet are non negative
+ avformat/mpc8: correct integer overflow in mpc8_parse_seektable()
+ avformat/mpc8: correct 32bit timestamp truncation
+ avcodec/exr: Check ymin vs. h
+ avformat/avs: Use 64bit for the avio_tell() output
+ avformat/wavdec: More complete size check in find_guid()
+ avformat/iff: Check size before skip
+ avformat/rmdec: Check for EOF in index packet reading
+ avcodec/vp3dsp: Use unsigned constant to avoid undefined integer overflow in ff_vp3dsp_set_bounding_values()
+ avformat/icodec: Check for zero streams and stream creation failure
+ avformat/icodec: Factor failure code out in read_header()
+ avformat/bintext: Check width
+ avformat/sbgdec: Check that end is not before start
+ avformat/lvfdec: Check stream_index before use
+ avformat/au: cleanup on EOF return in au_read_annotation()
+ avformat/mpegts: Limit copied data to space
+ avformat/bintext: Check width in idf_read_header()
+ avformat/iff: check size against INT64_MAX
+ avformat/vividas: improve extradata packing checks in track_header()
+ avformat/paf: Check for EOF in read_table()
+ avformat/gxf: Check pkt_len
+ avformat/aiffdec: Check packet size
+ avformat/concatdec: use av_strstart()
+ avformat/wavdec: Refuse to read chunks bigger than the filesize in w64_read_header()
+ avformat/rsd: Check size and start before computing duration
+ avformat/vividas: better check of current_sb_entry
+ avformat/iff: More completely check body_size
+ avformat/xwma: Check for EOF in dpds_table read code
+ avcodec/utils: Check sample rate before use for AV_CODEC_ID_BINKAUDIO_DCT in get_audio_frame_duration()
+ avcodec/dirac_parser: do not offset AV_NOPTS_OFFSET
+ avformat/rmdec: Make expected_len 64bit
+ avformat/pcm: Check block_align
+ avformat/lrcdec: Clip timestamps
+ avformat/electronicarts: Check for EOF in each iteration of the loop in ea_read_packet()
+ avformat/ifv: Check that total frames do not overflow
+ avcodec/vp9dsp_template: Fix some overflows in iadst8_1d()
+ avcodec/fits: Check bscale
+ avformat/nistspheredec: Check bps
+ avformat/jacosubdec: Use 64bit inside get_shift()
+ avformat/genh: Check block_align
+ avformat/mvi: Check count for overflow
+ avcodec/magicyuv: Check slice size before reading flags and pred
+ avformat/asfdec_f: Check for negative ext_len
+ avformat/bethsoftvid: Check image dimensions before use
+ avformat/genh: Check block_align for how it will be used in SDX2_DPCM
+ avformat/au: Check for EOF in au_read_annotation()
+ avformat/vividas: Check for zero v_size
+ avformat/segafilm: Do not assume AV_CODEC_ID_NONE is 0
+ avformat/segafilm: Check that there is a stream
+ avformat/wtvdec: Check dir_length
+ avformat/ffmetadec: finalize AVBPrint on errors
+ avcodec/decode/ff_get_buffer: Check for overflow in FFALIGN()
+ avcodec/exr: Check limits to avoid overflow in delta computation
+ avformat/boadec: Check that channels and block_align are set
+ avformat/asfdec_f: Check name_len for overflow
+ avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct()
+ avcodec/aacdec_fixed: Limit index in vector_pow43()
+ avformat/rmdec: sanity check coded_framesize
+ avformat/flvdec: Check for EOF in amf_parse_object()
+ avcodec/smacker: Check remaining bits in SMK_BLK_FULL
+ avcodec/cook: Check subpacket index against max
+ avcodec/utils: Check for overflow with ATRAC* in get_audio_frame_duration()
+ avcodec/hevcpred_template: Fix diagonal chroma availability in 4:2:2 edge case in intra_pred
+ avformat/icodec: Change order of operations to avoid NULL dereference
+ avcodec/exr: Fix overflow with many blocks
+ avcodec/vp9dsp_template: Fix integer overflows in idct16_1d()
+ avcodec/ansi: Check initial dimensions
+ avcodec/hevcdec: Check slice_cb_qp_offset / slice_cr_qp_offset
+ avcodec/sonic: Check for overread
+ avformat/subviewerdec: fail on AV_NOPTS_VALUE
+ avcodec/exr: Check line size for overflow
+ avcodec/exr: Check xdelta, ydelta
+ avcodec/celp_filters: Avoid invalid negation in ff_celp_lp_synthesis_filter()
+ avcodec/takdsp: Fix negative shift in decorrelate_sf()
+ avcodec/dxtory: Fix negative stride shift in dx2_decode_slice_420()
+ avformat/asfdec_f: Change order or operations slightly
+ avformat/dxa: Use av_rescale() for duration computation
+ avcodec/vc1_block: Fix integer overflow in ac value
+ avformat/iff: Check data_size not overflowing int64
+ avcodec/dxtory: Fix negative shift in dx2_decode_slice_410()
+ avcodec/sonic: Check channels before deallocating
+ avformat/vividas: Check for EOF in first loop in track_header()
+ avcodec/ansi: Check nb_args for overflow
+ avformat/wc3movie: Cleanup on wc3_read_header() failure
+ avformat/wc3movie: Move wc3_read_close() up
+ avcodec/diracdsp: Fix integer anomaly in dequant_subband_*
+ avutil/fixed_dsp: Fix integer overflows in butterflies_fixed_c()
+ avcodec/wmalosslessdec: Check remaining space before padding and channel residue
+ avformat/cdg: Fix integer overflow in duration computation
+ avcodec/mpc: Fix multiple numerical overflows in ff_mpc_dequantize_and_synth()
+ avcodec/agm: Fix off by 1 error in decode_inter_plane()
+ avformat/electronicarts: Check if there are any streams
+ avcodec/ffwavesynth: Fix integer overflow in wavesynth_synth_sample / WS_SINE
+ avcodec/vp9dsp_template: Fix integer overflow in iadst8_1d()
+ avformat/avidec: Fix io_fsize overflow
+ avcodec/cfhd: Check transform type
+ avcodec/tiff: Restrict tag order based on specification
+ avformat/siff: Reject audio packets without audio stream
+ avformat/mpeg: Check avio_read() return value in get_pts()
+ avcodec/tiff: Check bpp/bppcount for 0
+ avcodec/snowdec: Sanity check hcoeff
+ avformat/mov: Check comp_brand_size
+ avcodec/alac: Check decorr_shift to avoid invalid shift
+ avcodec/tdsc: Fix tile checks
+ avcodec/cbs_jpeg: Fix uninitialized end index in cbs_jpeg_split_fragment()
+ avcodec/cuviddec: backport extradata fixes
+ avcodec/cuviddec: handle arbitrarily sized extradata
+ lavf/tls_gnutls: check for interrupt inside handshake loop
+ avformat/tls_schannel: immediately return decrypted data if available
+ avformat/tls_schannel: always decrypt all received data
+ avformat/sdp: Fix potential write beyond end of buffer
+ avformat/mm: Check for existence of audio stream
+
+version 4.2.4
+ avformat/mov: Fix unaligned read of uint32_t and endian-dependance in mov_read_default
+ avcodec/apedec: Fix undefined integer overflow with 24bit
+ avcodec/loco: Fix integer overflow with large values from loco_get_rice()
+ avformat/smjpegdec: Check the existence of referred streams
+ avcodec/pnmdec: Fix misaligned reads
+ avcodec/scpr3: Fix out of array access with dectab
+ avcodec/dstdec: Replace AC overread check by sample rate check
+ avutil/avsscanf: Add () to avoid integer overflow in scanexp()
+ avformat/utils: reorder duration computation to avoid overflow
+ avcodec/pngdec: Check for fctl after idat
+ avformat/hls: Pass a copy of the URL for probing
+ avformat/hls: check segment duration value of EXTINF
+ avutil/common: Fix integer overflow in av_ceil_log2_c()
+ avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms
+ avformat/mvdec: Fix integer overflow with billions of channels
+ avformat/microdvddec: skip malformed lines without frame number.
+ avformat/mxfdec: free duplicated utf16 strings
+ avformat/4xm: Check that a video stream was created before returning packets for it
+ avcodec/ffwavesynth: Avoid undefined operation on ts overflow
+ avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv()
+ avcodec/lossless_audiodsp: Fix undefined overflows in scalarproduct_and_madd_int16_c()
+ avcodec/sonic: Fix several integer overflows
+ avcodec/mpeg4videodec: avoid invalid values and reinitialize in format changes for studio profile
+ avcodec/pixlet: Fix log(0) check
+ avcodec/iff: Fix off by x error
+ avcodec/wmalosslessdec: Check block_align maximum
+ avcodec/loco: Fix signed integer overflow in loco_get_rice()
+ avformat/thp: Check fps
+ avformat/mpl2dec: Fix integer overflow with duration
+ avcodec/cbs: Allocate more CodedBitstreamUnit at once in cbs_insert_unit()
+ avcodec/mpeg12dec: remove outdated comments
+ avcodec/snowdec: Avoid integer overflow with huge qlog
+ avformat/mov: Check if DTS is AV_NOPTS_VALUE in mov_find_next_sample().
+ avcodec/mpeg12dec: Fix got_output
+ avformat/4xm: Cleanup on GET_LIST_HEADER() failure
+ avcodec/lzf: Consider the needed size in reallocation
+ avformat/mlvdec: fail reading a packet with 0 streams
+ avformat/thp: Check compcount
+ avcodec/adpcm: XA: Check shift similar to filter
+ avcodec/huffyuvdec: Test vertical coordinate more often
+ avformat/rawdec: fix identifier names
+ avcodec/hq_hqa: Check info size
+ avcodec/wmalosslessdec: Fix integer overflow in mclms_predict()
+ avcodec/vp9dsp_template: Fix integer overflow(s) in iadst16_1d()
+ avcodec/h264dec: Disable forced small_padding on flag2 fast
+ avformat/oggparsevorbis: Error out on double init of vp
+ avcodec/h264_metadata_bsf: Fix invalid av_freep
+ avformat/hnm: Check for extradata allocation failure
+ avcodec/bitstream: Don't check for undefined behaviour after it happened
+ avformat/avc, mxfenc: Avoid allocation of H264 SPS structure, fix memleak
+ avcodec/cbs_av1: Fix writing uvlc numbers >= INT_MAX
+ avformat/mov: Fix memleak
+ avformat/mov: fix memleaks
+ libavformat/mov: Fix memleaks when demuxing DV audio
+ avformat/mov: Fix reel_name size check
+ avformat/mov: Fix memleak upon encountering repeating tags
+ avformat/matroskaenc: Don't use NULL for %s format string
+ avformat/webvttdec: Fix memleak upon read header failure
+ avformat/vplayerdec: Fix memleak upon read header failure
+ avformat/tedcaptionsdec: Fix memleak upon read header failure
+ avformat/subviewerdec: Fix memleak upon read header failure
+ avformat/subviewer1dec: Fix memleak upon read header failure
+ avformat/stldec: Fix memleak upon read header failure
+ avformat/srtdec: Fix memleak upon read header failure
+ avformat/sccdec: Fix memleak upon read header failure
+ avformat/samidec: Fix memleak upon read header failure
+ avformat/pjsdec: Fix memleak upon read header failure
+ avformat/mpsubdec: Fix memleak upon read header failure
+ avformat/mpl2dec: Fix memleak upon read header failure
+ avformat/microdvddec: Fix memleak upon read header failure
+ avformat/lrcdec: Fix memleak upon read header failure
+ avformat/jacosubdec: Fix memleak upon read header failure
+ avformat/assdec: Fix memleak upon read header failure
+ avformat/aqtitledec: Fix memleak upon read header failure
+ avformat/mov: Fix memleaks upon read_header failure
+ avformat/omadec: Fix memleaks upon read_header failure
+ avformat/matroskadec: Fix memleaks in WebM DASH manifest demuxer
+ avformat/matroskadec: Use right number of tracks
+ avformat/matroskadec: Fix handling gigantic durations
+ avformat/aviobuf: Don't check for overflow after it happened
+ avformat/apngenc: Add deinit function
+ avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input
+ avcodec/nvenc: honor max bitrate in CQ mode
+ avcodec/nvenc: zero avg and max bitrate in CQ mode
+ libavcodec/libvpxenc: Don't free user-provided AVPacket
+ libavcodec/libmp3lame: Don't free user-provided AVPacket
+ avcodec/libopusenc: Don't free user-provided AVPacket
+
+version 4.2.3
+- avcodec/pnmdec: Use unsigned for maxval rescaling
+- avcodec/ivi: Clear got_p_frame before decoding a new frame using it
+- avcodec/dsddec: Check channels
+- avcodec/xvididct: Fix integer overflow in idct_row()
+- avcodec/wmalosslessdec: Fix integer overflows in revert_inter_ch_decorr()
+- avcodec/cbs_jpeg: Fix infinite loop in cbs_jpeg_split_fragment()
+- avformat/mpegenc: Fix integer overflow with AV_NOPTS_VALUE
+- avformat/swfenc: Fix integer overflow in frame rate handling
+- avformat/aadec: Check toc_size to contain the minimum to demuxer uses
+- avcodec/cbs_h265_syntax_template: Limit num_long_term_pics more strictly
+- ffplay: set stream_index to -1 earlier to prevent segfault
+- avformat/mov: Free temp buffer upon negative sample_size error.
+- avformat/matroskadec: Improve forward compability
+- avformat/matroskadec: Don't discard valid packets
+- avformat/matroskaenc: Don't segfault when seekability changes
+- avformat/utils: Fix memleaks
+- avformat/utils: Fix memleaks in avformat_open_input()
+- avfilter/vf_dedot: Fix leak of AVFrame if making it writable fails
+- avfilter/vf_paletteuse: Fix potential double-free of AVFrame
+- avformat/mov: Don't leak MOVFragmentStreamInfo on error
+- avformat/mov: Free encryption data on error
+- fftools/ffmpeg: Free swresample dictionary during cleanup
+- avcodec/mediacodec_wrapper: fix {input,output}_buffers global reference leak
+- avformat/webm_chunk: Close IO if writing header fails
+- avcodec/cavsdsp: Fix undefined left shifts of negative numbers
+- avcodec/ra144enc: Fix invalid left shift of negative number
+- avcodec/adxenc: Avoid undefined left shift of negative numbers
+- avcodec/adpcm: Fix undefined left shifts of negative numbers
+- avcodec/proresenc_anatoliy: Fix invalid left shift of negative number
+- avformat/aviobuf: Honor avio_open[2] documentation
+- avcodec/cinepakenc: Fix invalid shifts
+- avfilter/vf_xbr: Fix left shift of negative number
+- avfilter/vf_hqx: Fix undefined left shifts of negative numbers
+- avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers
+- avcodec/ituh263dec: Fix undefined left shift of negative number
+- avcodec/dnxhdenc: Fix undefined left shifts of negative numbers
+- swscale/utils: Fix invalid left shifts of negative numbers
+- swscale/x86/swscale: Fix undefined left shifts of negative numbers
+- fftools/ffmpeg_opt: Fix signed integer overflow
+- avcodec/exr: Fix undefined left shifts of negative numbers
+- avformat/movenc: Fix undefined shift
+- avcodec/pcm: Fix undefined shifts
+- avcodec/wavpackenc: Fix undefined shifts
+- avutil/encryption_info: Don't pass NULL to memcpy
+- avcodec/ac3enc: Fix memleak
+- avcodec/ac3enc: Fix invalid shift
+- avcodec/g723_1dec: Fix invalid shift
+- avcodec/tdsc: Fix undefined shifts
+- avcodec/ttaenc: Fix undefined shift
+- avformat/avidec: Fix memleak with embedded GAB2 subtitles
+- avformat/matroskadec: Don't discard the upper 32bits of TrackNumber
+- dump_extradata: Insert extradata even for small packets
+- avformat/segafilmenc: Fix undefined left shift of 1 by 31 places
+- avformat/wtvdec: Fix memleak when reading header fails
+- avformat/dashenc: Fix leak of AVFormatContext on error
+- avformat/fitsdec: Fix potential leak of string in AVBPrint
+- avformat/matroskadec: Sanitize SeekHead entries
+- avformat/matroskaenc: Fix memleak upon encountering bogus chapter
+- avformat/matroskaenc: Make ebml_num_size() more robust
+- avformat/oggenc: Don't free AVStream's priv_data, fix memleak
+- avformat/utils: Fix memleak when decoding subtitle in find_stream_info
+- fftools/ffmpeg_opt: Check attachment filesize
+- avformat/mpeg: Don't use unintialized value
+- avformat/webmdashenc: Check codec types
+- avformat/webmdashenc: Fix memleak upon realloc failure
+- avformat/subtitles: Don't increment packet counter prematurely
+- avformat/bethsoftvid: Fix potential memleak upon reallocation failure
+- avformat/smoothstreaming: Fix memleaks on errors
+- avformat/matroskaenc: Check BlockAdditional size before use
+- avformat/matroskaenc: Check functions that can fail
+- avformat/matroskaenc: Check for reformatting errors
+- avformat/matroskadec: Check before allocations
+- avfilter/vf_unsharp: Don't dereference NULL
+- avcodec/zmbvenc: Correct offset in buffer
+- avcodec/cbs_h2645: Fix potential out-of-bounds array access
+- avformat/mov: Don't allow negative sample sizes.
+- mpeg4videoenc: Don't crash with -fsanitize=bounds
+- avformat/mpegts: Shuffle avio_seek
+- avcodec/binkaudio: Fix 2Ghz sample_rate
+- avcodec/adpcm: Fix integer overflow in ADPCM THP
+- avcodec/ralf: Check num_blocks before use
+- avcodec/iff: Test video_size being non zero
+- avcodec/utvideodec: Fix integer overflow in decode_plane()
+- avcodec/ttadsp: Fix several integer overflows in tta_filter_process_c()
+- avcodec/ralf: Fix integer overflow in decode_block()
+- avcodec/nuv: widen buf_size type
+- avcodec/iff: Fix several integer overflows
+- avcodec/g729postfilter: Clip gain before scaling with AGC_FAC1
+- avcodec/alac: Fix integer overflow with 24/20bps samples
+- avcodec/dstdec: Check sample rate
+- avformat/thp: Require a video stream
+- avformat/mpeg: Decrease score by 1 for files with very little valid data
+- avcodec/pngdec: Check length in fdAT
+- avcodec/g2meet: Check tile_width in epic_jb_decode_tile()
+- avcodec/hapdec: Check tex_size more strictly and before using it
+- avcodec/vp9dsp_template: Fix integer overflows in idct32_1d()
+- avcodec/alacdsp: Fix invalid shift in append_extra_bits()
+- libavcodec/wmalosslessdec: prevent sum of positive numbers from becoming negative
+- avcodec/dstdec: Fix integer overflow in read_table()
+- avcodec/txd: Check for input size against the header size.
+- avcodec/svq1dec: Check that there is data left after the header
+- avcodec/cbs_h265_syntax_template: Check num_negative/positive_pics when inter_ref_pic_set_prediction_flag is set
+- avcodec/intrax8: Check for end of bitstream in ff_intrax8_decode_picture()
+- avcodec/hevc_mp4toannexb_bsf: Check nalu_size
+- avcodec/iff: Check length before memcpy() in decode_deep_rle32()
+- avcodec/iff: Fix invalid pointer intermediates in decode_deep_rle32()
+- avcodec/pngdec: Pass ret from decode_iccp_chunk()
+- avcodec/rv40dsp: Fix integer overflows in rv40_weight_func_*()
+- avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs()
+- avcodec/flac_parser: Do not lose header count in find_headers_search()
+- avcodec/audiodsp: Fix integer overflow in scalarproduct_int16_c()
+- avcodec/cbs_jpeg_syntax_template: Check array index in huffman_table()
+- avcodec/cbs_jpeg_syntax_template: Check table index before use in dht()
+- avformat/oggdec: Check for EOF after page header
+- swscale/yuv2rgb: Fix vertical dither offset with slices
+- avcodec/dpcm: clip exponent into supported range in XAN DPCM
+- avcodec/flacdsp_template: Fix invalid shifts in decorrelate
+- avcodec/xvididct: Fix integer overflow in MULT()
+- avcodec/ffwavesynth: Correct undefined overflow of PINK_UNIT
+- avcodec/cbs_h264_syntax_template: fix off by 1 error with slice_group_change_cycle
+- swscale/output: Fix integer overflow in yuv2rgb_write_full() with out of range input
+- swscale/output: Fix integer overflow in alpha computation in yuv2gbrp16_full_X_c()
+- libavformat/amr.c: Check return value from avio_read()
+- libavformat/mov.c: Free aes_decrypt to avoid leaking memory
+- libavformat/oggdec.c: Check return value from avio_read()
+- avformat/asfdec_f: Fix overflow check in get_tag()
+- avformat/nsvdec: Fix memleaks on errors while reading the header
+- avcodec/ffwavesynth: Fix integer overflow in computation of ddphi
+- avcodec/cbs_jpeg: Check length for SOS
+- avcodec/adpcm: Fix invalid shift in AV_CODEC_ID_ADPCM_PSX
+- avcodec/mpeg12dec: Fix invalid shift in mpeg2_fast_decode_block_intra()
+- avcodec/cbs_h2645: Treat slices without data as invalid
+- avcodec/cbs_h2645: Remove dead code to delete trailing zeroes
+- avcodec/cbs_av1_syntax_template: Set seen_frame_header only after successfull uncompressed_header()
+- avcodec/mpegaudioenc_template: fix invalid shift of sample
+- avcodec/motion_est_template: Fix invalid shifts in no_sub_motion_search()
+- libavformat/avienc: Check bits per sample for PAL8
+- avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet()
+- avcodec/magicyuv: Check that there are enough lines for interlacing to be possible
+- avformat/mvdec: Check stream numbers
+- avcodec/pcm: Fix invalid shift in AV_CODEC_ID_PCM_LXF
+- avcodec/qdm2: Check fft_coefs_index
+- avformat/utils: Fix integer overflow with complex time bases in avformat_find_stream_info()
+- avformat/avidec: Avoid integer overflow in NI switch check
+- fftools/ffmpeg: Fix integer overflow in duration computation in seek_to_start()
+- avfilter/vf_aspect: Fix integer overflow in compute_dar()
+- avcodec/apedec: Fix invalid shift with 24 bps
+- avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index()
+- avcodec/dpcm: Fix integer overflow in AV_CODEC_ID_GREMLIN_DPCM
+- avcodec/wmalosslessdec: Fix integer overflow with sliding in padding bits
+- avcodec/wmalosslessdec: Fix loop in revert_acfilter()
+- avcodec/agm: YUV420 without DCT needs even dimensions
+- avcodec/agm: Test remaining data in decode_raw_intra_rgb()
+- avcodec/lagarith: Sanity check scale
+- avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950()
+- avcodec/ralf: Fix integer overflow in apply_lpc()
+- avcodec/dca_lbr: Fix some error codes and error passing
+- avcodec/wmavoice: Fix rounding and integer anomalies in calc_input_response()
+- avcodec/wmavoice: sanity check block_align
+- avcodec/pcm: Fix invalid shift in pcm_decode_frame for LXF
+- avcodec/snappy: Sanity check bytestream2_get_levarint()
+- avcodec/mlpdsp: Fix a invalid shift in ff_mlp_rematrix_channel()
+- avcodec/avdct: Clear IDCTDSPContext context
+- avcodec/x86/diracdsp: Fix high bits on Windows x86_64
+- tests/fate/lavf-video.mak: fix fate-lavf-gif dependencies
+- avformat/mov: Check STCO location
+- avcodec/wmalosslessdec: Fix multiple integer overflows
+- avcodec/apedec: Fix undefined integer overflow in decode_array_0000()
+- avcodec/smacker: Check space before decoding type
+- avcodec/rawdec: Use linesize in b64a
+- avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM
+- avcodec/x86/diracdsp: Fix incorrect src addressing in dequant_subband_32()
+- avfilter/vf_find_rect: Remove assert
+- avfilter/vf_find_rect: Increase worst case score
+- swscale/input: Fix several invalid shifts related to rgb2yuv constants
+- swscale/output: Fix several invalid shifts in yuv2rgb_full_1_c_template()
+- swscale/swscale: Fix several invalid shifts related to vChrDrop
+- avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow
+- avcodec/hevc_mp4toannexb_bsf: Avoid NULL memcpy()
+- avcodec/cbs_av1: Check leb128 values read
+- avcodec/wmalosslessdec: move channel check up
+- avcodec/cbs_h2645: Skip all 0 NAL units
+- avcodec/adpcm: Fix overflow in FFABS() IMA_EA_EACS
+- avcodec/alac: Fix integer overflow in LPC coefficient adaption
+- avcodec/g729postfilter: Optimize out overflowing multiplication from apply_tilt_comp()
+- avcodec/vc1dec: Check field_mode for sprites
+- avcodec/vc1dec: Limit bits by the actual bitstream size
+- avcodec/vmdaudio: Check block_align more
+- configure: bump year
+- avcodec/pgssubdec: Free subtitle on error
+- avcodec/nvenc: use framerate if available
+- avcodec/cbs_h265: fix writing extension_data bits
+- avcodec/nvenc: offset dts to account for b-frame reordering
+- Revert "avformat/rtp: Pass sources and block filter addresses via sdp file for rtp"
+- avformat/matroskadec: Fix default value of BlockAddID
+- avformat/dashdec: Don't allocate and leak strings that are never used
+- avformat/matroskaenc: Write level 1 elements in one go
+- avformat/rtp: Pass sources and block filter addresses via sdp file for rtp
+- avformat/bintext: avoid division by zero
+
+
 version 4.2.2
 - cbs_mpeg2: Fix parsing the last unit
 - cbs_mpeg2: Rearrange start code search
@@ -1 +1 @@
-4.2.2
+4.2.7
@@ -11,5 +11,5 @@

   We hope you will like this release as much as we enjoyed working on it, and
   as usual, if you have any questions about it, or any FFmpeg related topic,
-   feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask
+   feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask
   on the mailing-lists.
@@ -526,7 +526,7 @@ die(){

 If you think configure made a mistake, make sure you are using the latest
 version from Git.  If the latest version fails, report the problem to the
-ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net.
+ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat.
 EOF
    if disabled logging; then
        cat <<EOF
@@ -3187,7 +3187,7 @@ libopus_encoder_deps="libopus"
 libopus_encoder_select="audio_frame_queue"
 librsvg_decoder_deps="librsvg"
 libshine_encoder_deps="libshine"
-libshine_encoder_select="audio_frame_queue"
+libshine_encoder_select="audio_frame_queue mpegaudioheader"
 libspeex_decoder_deps="libspeex"
 libspeex_encoder_deps="libspeex"
 libspeex_encoder_select="audio_frame_queue"
@@ -7397,7 +7397,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2019
+#define CONFIG_THIS_YEAR 2022
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 4.2.2
+PROJECT_NUMBER         = 4.2.7

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -418,4 +418,4 @@ done:

 When all of this is done, you can submit your patch to the ffmpeg-devel
 mailing-list for review.  If you need any help, feel free to come on our IRC
-channel, #ffmpeg-devel on irc.freenode.net.
+channel, #ffmpeg-devel on irc.libera.chat.
@@ -567,6 +567,7 @@ static void ffmpeg_cleanup(int ret)
        ost->audio_channels_mapped = 0;

        av_dict_free(&ost->sws_dict);
+        av_dict_free(&ost->swr_opts);

        avcodec_free_context(&ost->enc_ctx);
        avcodec_parameters_free(&ost->ref_par);
@@ -4235,7 +4236,8 @@ static int seek_to_start(InputFile *ifile, AVFormatContext *is)
            ifile->time_base = ist->st->time_base;
        /* the total duration of the stream, max_pts - min_pts is
         * the duration of the stream without the last frame */
-        duration += ist->max_pts - ist->min_pts;
+        if (ist->max_pts > ist->min_pts && ist->max_pts - (uint64_t)ist->min_pts < INT64_MAX - duration)
+            duration += ist->max_pts - ist->min_pts;
        ifile->time_base = duration_max(duration, &ifile->duration, ist->st->time_base,
                                        ifile->time_base);
    }
@@ -1,3 +1,4 @@
+
 /*
 * ffmpeg option parsing
 *
@@ -2372,12 +2373,14 @@ loop_end:
                   o->attachments[i]);
            exit_program(1);
        }
-        if (!(attachment = av_malloc(len))) {
-            av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n",
+        if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE ||
+            !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) {
+            av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n",
                   o->attachments[i]);
            exit_program(1);
        }
        avio_read(pb, attachment, len);
+        memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);

        ost = new_attachment_stream(o, oc, -1);
        ost->stream_copy               = 0;
@@ -2769,13 +2772,14 @@ static int opt_target(void *optctx, const char *opt, const char *arg)
    } else {
        /* Try to determine PAL/NTSC by peeking in the input files */
        if (nb_input_files) {
-            int i, j, fr;
+            int i, j;
            for (j = 0; j < nb_input_files; j++) {
                for (i = 0; i < input_files[j]->nb_streams; i++) {
                    AVStream *st = input_files[j]->ctx->streams[i];
+                    int64_t fr;
                    if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO)
                        continue;
-                    fr = st->time_base.den * 1000 / st->time_base.num;
+                    fr = st->time_base.den * 1000LL / st->time_base.num;
                    if (fr == 25000) {
                        norm = PAL;
                        break;
@@ -3268,6 +3272,7 @@ static int open_files(OptionGroupList *l, const char *inout,
        if (ret < 0) {
            av_log(NULL, AV_LOG_ERROR, "Error parsing options for %s file "
                   "%s.\n", inout, g->arg);
+            uninit_options(&o);
            return ret;
        }

@@ -2760,9 +2760,6 @@ static int read_thread(void *arg)
    }

    memset(st_index, -1, sizeof(st_index));
-    is->last_video_stream = is->video_stream = -1;
-    is->last_audio_stream = is->audio_stream = -1;
-    is->last_subtitle_stream = is->subtitle_stream = -1;
    is->eof = 0;

    ic = avformat_alloc_context();
@@ -3068,6 +3065,9 @@ static VideoState *stream_open(const char *filename, AVInputFormat *iformat)
    is = av_mallocz(sizeof(VideoState));
    if (!is)
        return NULL;
+    is->last_video_stream = is->video_stream = -1;
+    is->last_audio_stream = is->audio_stream = -1;
+    is->last_subtitle_stream = is->subtitle_stream = -1;
    is->filename = av_strdup(filename);
    if (!is->filename)
        goto fail;
@@ -498,8 +498,8 @@ static int decode_i_block(FourXContext *f, int16_t *block)
 {
    int code, i, j, level, val;

-    if (get_bits_left(&f->gb) < 2){
-        av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->gb));
+    if (get_bits_left(&f->pre_gb) < 2) {
+        av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->pre_gb));
        return AVERROR_INVALIDDATA;
    }

@@ -843,25 +843,25 @@ static void search_for_ms(AACEncContext *s, ChannelElement *cpe)
                                                    sce0->ics.swb_sizes[g],
                                                    sce0->sf_idx[w*16+g],
                                                    sce0->band_type[w*16+g],
-                                                    lambda / band0->threshold, INFINITY, &b1, NULL, 0);
+                                                    lambda / (band0->threshold + FLT_MIN), INFINITY, &b1, NULL, 0);
                        dist1 += quantize_band_cost(s, &sce1->coeffs[start + (w+w2)*128],
                                                    R34,
                                                    sce1->ics.swb_sizes[g],
                                                    sce1->sf_idx[w*16+g],
                                                    sce1->band_type[w*16+g],
-                                                    lambda / band1->threshold, INFINITY, &b2, NULL, 0);
+                                                    lambda / (band1->threshold + FLT_MIN), INFINITY, &b2, NULL, 0);
                        dist2 += quantize_band_cost(s, M,
                                                    M34,
                                                    sce0->ics.swb_sizes[g],
                                                    mididx,
                                                    midcb,
-                                                    lambda / minthr, INFINITY, &b3, NULL, 0);
+                                                    lambda / (minthr + FLT_MIN), INFINITY, &b3, NULL, 0);
                        dist2 += quantize_band_cost(s, S,
                                                    S34,
                                                    sce1->ics.swb_sizes[g],
                                                    sididx,
                                                    sidcb,
-                                                    mslambda / (minthr * bmax), INFINITY, &b4, NULL, 0);
+                                                    mslambda / (minthr * bmax + FLT_MIN), INFINITY, &b4, NULL, 0);
                        B0 += b1+b2;
                        B1 += b3+b4;
                        dist1 -= b1+b2;
@@ -155,9 +155,9 @@ static void vector_pow43(int *coefs, int len)
    for (i=0; i<len; i++) {
        coef = coefs[i];
        if (coef < 0)
-            coef = -(int)ff_cbrt_tab_fixed[-coef];
+            coef = -(int)ff_cbrt_tab_fixed[(-coef) & 8191];
        else
-            coef = (int)ff_cbrt_tab_fixed[coef];
+            coef =  (int)ff_cbrt_tab_fixed[  coef  & 8191];
        coefs[i] = coef;
    }
 }
@@ -2807,7 +2807,7 @@ static void imdct_and_windowing_ld(AACContext *ac, SingleChannelElement *sce)

 static void imdct_and_windowing_eld(AACContext *ac, SingleChannelElement *sce)
 {
-    INTFLOAT *in    = sce->coeffs;
+    UINTFLOAT *in   = sce->coeffs;
    INTFLOAT *out   = sce->ret;
    INTFLOAT *saved = sce->saved;
    INTFLOAT *buf  = ac->buf_mdct;
@@ -28,6 +28,7 @@
 *              TODOs:
 * add sane pulse detection
 ***********************************/
+#include <float.h>

 #include "libavutil/libm.h"
 #include "libavutil/thread.h"
@@ -855,7 +856,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
                /* Not so fast though */
                ratio = sqrtf(ratio);
            }
-            s->lambda = FFMIN(s->lambda * ratio, 65536.f);
+            s->lambda = av_clipf(s->lambda * ratio, FLT_EPSILON, 65536.f);

            /* Keep iterating if we must reduce and lambda is in the sky */
            if (ratio > 0.9f && ratio < 1.1f) {
@@ -900,7 +901,7 @@ static av_cold int aac_encode_end(AVCodecContext *avctx)
 {
    AACEncContext *s = avctx->priv_data;

-    av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_sum / s->lambda_count);
+    av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_count ? s->lambda_sum / s->lambda_count : NAN);

    ff_mdct_end(&s->mdct1024);
    ff_mdct_end(&s->mdct128);
@@ -308,6 +308,9 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) {
    const int bandwidth    = ctx->cutoff ? ctx->cutoff : AAC_CUTOFF(ctx->avctx);
    const float num_bark   = calc_bark((float)bandwidth);

+    if (bandwidth <= 0)
+        return AVERROR(EINVAL);
+
    ctx->model_priv_data = av_mallocz(sizeof(AacPsyContext));
    if (!ctx->model_priv_data)
        return AVERROR(ENOMEM);
@@ -794,7 +797,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel,

        if (pe < 1.15f * desired_pe) {
            /* 6.6.1.3.6 "Final threshold modification by linearization" */
-            norm_fac = 1.0f / norm_fac;
+            norm_fac = norm_fac ? 1.0f / norm_fac : 0;
            for (w = 0; w < wi->num_windows*16; w += 16) {
                for (g = 0; g < num_bands; g++) {
                    AacPsyBand *band = &pch->band[w+g];
@@ -107,29 +107,30 @@ static void scale_coefs (
      }
    } else {
      shift = -shift;
+      mul <<= shift;
      for (i=0; i<len; i+=8) {

          temp = src[i] * mul;
          temp1 = src[i+1] * mul;
          temp2 = src[i+2] * mul;

-          dst[i] = temp << shift;
+          dst[i] = temp;
          temp3 = src[i+3] * mul;

-          dst[i+1] = temp1 << shift;
+          dst[i+1] = temp1;
          temp4 = src[i + 4] * mul;
-          dst[i+2] = temp2 << shift;
+          dst[i+2] = temp2;

          temp5 = src[i+5] * mul;
-          dst[i+3] = temp3 << shift;
+          dst[i+3] = temp3;
          temp6 = src[i+6] * mul;

-          dst[i+4] = temp4 << shift;
+          dst[i+4] = temp4;
          temp7 = src[i+7] * mul;

-          dst[i+5] = temp5 << shift;
-          dst[i+6] = temp6 << shift;
-          dst[i+7] = temp7 << shift;
+          dst[i+5] = temp5;
+          dst[i+6] = temp6;
+          dst[i+7] = temp7;

      }
    }
@@ -1065,7 +1065,7 @@ static int bit_alloc(AC3EncodeContext *s, int snr_offset)
 {
    int blk, ch;

-    snr_offset = (snr_offset - 240) << 2;
+    snr_offset = (snr_offset - 240) * 4;

    reset_block_bap(s);
    for (blk = 0; blk < s->num_blocks; blk++) {
@@ -2051,7 +2051,8 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx)
        av_freep(&block->cpl_coord_mant);
    }

-    s->mdct_end(s);
+    if (s->mdct_end)
+        s->mdct_end(s);

    return 0;
 }
@@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx)

    ret = validate_options(s);
    if (ret)
-        return ret;
+        goto init_fail;

    avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks;
    avctx->initial_padding = AC3_BLOCK_SIZE;
@@ -426,6 +426,10 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1,
            avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter);
            filter=0;
        }
+        if (shift < 0) {
+            avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift);
+            shift = 0;
+        }
        f0 = xa_adpcm_table[filter][0];
        f1 = xa_adpcm_table[filter][1];

@@ -451,10 +455,14 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1,

        shift  = 12 - (in[5+i*2] & 15);
        filter = in[5+i*2] >> 4;
-        if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table)) {
+        if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table) || shift < 0) {
            avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter);
            filter=0;
        }
+        if (shift < 0) {
+            avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift);
+            shift = 0;
+        }

        f0 = xa_adpcm_table[filter][0];
        f1 = xa_adpcm_table[filter][1];
@@ -1204,7 +1212,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
        }
        for (i=0; i<=st; i++) {
            c->status[i].predictor  = bytestream2_get_le32u(&gb);
-            if (FFABS(c->status[i].predictor) > (1<<16))
+            if (FFABS((int64_t)c->status[i].predictor) > (1<<16))
                return AVERROR_INVALIDDATA;
        }

@@ -1253,8 +1261,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,

            for (count2 = 0; count2 < 28; count2++) {
                byte = bytestream2_get_byteu(&gb);
-                next_left_sample  = sign_extend(byte >> 4, 4) << shift_left;
-                next_right_sample = sign_extend(byte,      4) << shift_right;
+                next_left_sample  = sign_extend(byte >> 4, 4) * (1 << shift_left);
+                next_right_sample = sign_extend(byte,      4) * (1 << shift_right);

                next_left_sample = (next_left_sample +
                    (current_left_sample * coeff1l) +
@@ -1293,7 +1301,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
            if (st) byte[1] = bytestream2_get_byteu(&gb);
            for(i = 4; i >= 0; i-=4) { /* Pairwise samples LL RR (st) or LL LL (mono) */
                for(channel = 0; channel < avctx->channels; channel++) {
-                    int sample = sign_extend(byte[channel] >> i, 4) << shift[channel];
+                    int sample = sign_extend(byte[channel] >> i, 4) * (1 << shift[channel]);
                    sample = (sample +
                             c->status[channel].sample1 * coeff[channel][0] +
                             c->status[channel].sample2 * coeff[channel][1] + 0x80) >> 8;
@@ -1408,11 +1416,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                    int level, pred;
                    int byte = bytestream2_get_byteu(&gb);

-                    level = sign_extend(byte >> 4, 4) << shift[n];
+                    level = sign_extend(byte >> 4, 4) * (1 << shift[n]);
                    pred  = s[-1] * coeff[0][n] + s[-2] * coeff[1][n];
                    s[0]  = av_clip_int16((level + pred + 0x80) >> 8);

-                    level = sign_extend(byte, 4) << shift[n];
+                    level = sign_extend(byte, 4) * (1 << shift[n]);
                    pred  = s[0] * coeff[0][n] + s[-1] * coeff[1][n];
                    s[1]  = av_clip_int16((level + pred + 0x80) >> 8);
                }
@@ -1569,8 +1577,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                        sampledat = sign_extend(byte >> 4, 4);
                    }

-                    sampledat = ((prev1 * factor1 + prev2 * factor2) +
-                                 ((sampledat * scale) << 11)) >> 11;
+                    sampledat = ((prev1 * factor1 + prev2 * factor2) >> 11) +
+                                sampledat * scale;
                    *samples = av_clip_int16(sampledat);
                    prev2 = prev1;
                    prev1 = *samples++;
@@ -1632,8 +1640,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                int byte = bytestream2_get_byteu(&gb);
                int index = (byte >> 4) & 7;
                unsigned int exp = byte & 0x0F;
-                int factor1 = table[ch][index * 2];
-                int factor2 = table[ch][index * 2 + 1];
+                int64_t factor1 = table[ch][index * 2];
+                int64_t factor2 = table[ch][index * 2 + 1];

                /* Decode 14 samples.  */
                for (n = 0; n < 14 && (i * 14 + n < nb_samples); n++) {
@@ -1647,7 +1655,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                    }

                    sampledat = ((c->status[ch].sample1 * factor1
-                                + c->status[ch].sample2 * factor2) >> 11) + (sampledat << exp);
+                                + c->status[ch].sample2 * factor2) >> 11) + sampledat * (1 << exp);
                    *samples = av_clip_int16(sampledat);
                    c->status[ch].sample2 = c->status[ch].sample1;
                    c->status[ch].sample1 = *samples++;
@@ -1731,7 +1739,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                            scale = sign_extend(byte, 4);
                        }

-                        scale  = scale << 12;
+                        scale  = scale * (1 << 12);
                        sample = (int)((scale >> shift) + (c->status[channel].sample1 * xa_adpcm_table[filter][0] + c->status[channel].sample2 * xa_adpcm_table[filter][1]) / 64);
                    }
                    *samples++ = av_clip_int16(sample);
@@ -48,7 +48,7 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav,
    s2 = prev->s2;
    for (i = 0, j = 0; j < 32; i += channels, j++) {
        s0 = wav[i];
-        d = ((s0 << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS;
+        d = s0 + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS);
        if (max < d)
            max = d;
        if (min > d)
@@ -79,13 +79,13 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav,
    s1 = prev->s1;
    s2 = prev->s2;
    for (i = 0, j = 0; j < 32; i += channels, j++) {
-        d = ((wav[i] << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS;
+        d = wav[i] + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS);

        d = av_clip_intp2(ROUNDED_DIV(d, scale), 3);

        put_sbits(&pb, 4, d);

-        s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS;
+        s0 = d * scale + ((c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS);
        s2 = s1;
        s1 = s0;
    }
@@ -423,8 +423,8 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size,
                int map = s->map[x];

                if (orig_mv_x >= -32) {
-                    if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 >= h ||
-                        x * 8 + mv_x < 0 || x * 8 + mv_x + 8 >= w)
+                    if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h ||
+                        x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w)
                        return AVERROR_INVALIDDATA;

                    copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8,
@@ -573,13 +573,16 @@ static int decode_raw_intra_rgb(AVCodecContext *avctx, GetByteContext *gbyte, AV
    uint8_t *dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0];
    uint8_t r = 0, g = 0, b = 0;

+    if (bytestream2_get_bytes_left(gbyte) < 3 * avctx->width * avctx->height)
+        return AVERROR_INVALIDDATA;
+
    for (int y = 0; y < avctx->height; y++) {
        for (int x = 0; x < avctx->width; x++) {
-            dst[x*3+0] = bytestream2_get_byte(gbyte) + r;
+            dst[x*3+0] = bytestream2_get_byteu(gbyte) + r;
            r = dst[x*3+0];
-            dst[x*3+1] = bytestream2_get_byte(gbyte) + g;
+            dst[x*3+1] = bytestream2_get_byteu(gbyte) + g;
            g = dst[x*3+1];
-            dst[x*3+2] = bytestream2_get_byte(gbyte) + b;
+            dst[x*3+2] = bytestream2_get_byteu(gbyte) + b;
            b = dst[x*3+2];
        }
        dst -= frame->linesize[0];
@@ -1239,6 +1242,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
    s->dct = avctx->codec_tag != MKTAG('A', 'G', 'M', '4') &&
             avctx->codec_tag != MKTAG('A', 'G', 'M', '5');

+    if (!s->rgb && !s->dct) {
+        if ((avctx->width & 1) || (avctx->height & 1))
+            return AVERROR_INVALIDDATA;
+    }
+
    avctx->idct_algo = FF_IDCT_SIMPLE;
    ff_idctdsp_init(&s->idsp, avctx);
    ff_init_scantable(s->idsp.idct_permutation, &s->scantable, ff_zigzag_direct);
@@ -228,7 +228,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out,
                sign = sign_only(val) * error_sign;
                lpc_coefs[j] -= sign;
                val *= (unsigned)sign;
-                error_val -= (val >> lpc_quant) * (j + 1);
+                error_val -= (val >> lpc_quant) * (j + 1U);
            }
        }
    }
@@ -302,6 +302,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,
        decorr_shift       = get_bits(&alac->gb, 8);
        decorr_left_weight = get_bits(&alac->gb, 8);

+        if (channels == 2 && decorr_left_weight && decorr_shift > 31)
+            return AVERROR_INVALIDDATA;
+
        for (ch = 0; ch < channels; ch++) {
            prediction_type[ch]   = get_bits(&alac->gb, 4);
            lpc_quant[ch]         = get_bits(&alac->gb, 4);
@@ -397,13 +400,13 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,
    case 20: {
        for (ch = 0; ch < channels; ch++) {
            for (i = 0; i < alac->nb_samples; i++)
-                alac->output_samples_buffer[ch][i] *= 1 << 12;
+                alac->output_samples_buffer[ch][i] *= 1U << 12;
        }}
        break;
    case 24: {
        for (ch = 0; ch < channels; ch++) {
            for (i = 0; i < alac->nb_samples; i++)
-                alac->output_samples_buffer[ch][i] *= 1 << 8;
+                alac->output_samples_buffer[ch][i] *= 1U << 8;
        }}
        break;
    }
@@ -34,7 +34,7 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples,
        a = buffer[0][i];
        b = buffer[1][i];

-        a -= (b * decorr_left_weight) >> decorr_shift;
+        a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift;
        b += a;

        buffer[0][i] = b;
@@ -49,7 +49,7 @@ static void append_extra_bits(int32_t *buffer[2], int32_t *extra_bits_buffer[2],

    for (ch = 0; ch < channels; ch++)
        for (i = 0; i < nb_samples; i++)
-            buffer[ch][i] = (buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i];
+            buffer[ch][i] = ((unsigned)buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i];
 }

 av_cold void ff_alacdsp_init(ALACDSPContext *c)
@@ -761,7 +761,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            }

            for (k = 2; k < opt_order; k++)
-                quant_cof[k] = (quant_cof[k] * (1 << 14)) + (add_base << 13);
+                quant_cof[k] = (quant_cof[k] * (1U << 14)) + (add_base << 13);
        }
    }

@@ -1015,6 +1015,10 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
    ALSSpecificConfig *sconf = &ctx->sconf;

    *bd->shift_lsbs = 0;
+
+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
+
    // read block type flag and read the samples accordingly
    if (get_bits1(gb)) {
        ret = read_var_block_data(ctx, bd);
@@ -430,7 +430,8 @@ static int decode_frame(AVCodecContext *avctx,
                    s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0';
                break;
            case ';':
-                s->nb_args++;
+                if (s->nb_args < MAX_NB_ARGS)
+                    s->nb_args++;
                if (s->nb_args < MAX_NB_ARGS)
                    s->args[s->nb_args] = 0;
                break;
@@ -473,6 +474,11 @@ static av_cold int decode_close(AVCodecContext *avctx)
    return 0;
 }

+static const AVCodecDefault ansi_defaults[] = {
+    { "max_pixels", "640*480" },
+    { NULL },
+};
+
 AVCodec ff_ansi_decoder = {
    .name           = "ansi",
    .long_name      = NULL_IF_CONFIG_SMALL("ASCII/ANSI art"),
@@ -484,4 +490,5 @@ AVCodec ff_ansi_decoder = {
    .decode         = decode_frame,
    .capabilities   = AV_CODEC_CAP_DR1,
    .caps_internal  = FF_CODEC_CAP_INIT_THREADSAFE,
+    .defaults       = ansi_defaults,
 };
@@ -101,7 +101,7 @@ typedef struct APEFilter {
    int16_t *historybuffer; ///< filter memory
    int16_t *delay;         ///< filtered values

-    int avg;
+    uint32_t avg;
 } APEFilter;

 typedef struct APERice {
@@ -610,7 +610,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb,
    ksummin = rice->k ? (1 << rice->k + 6) : 0;
    for (; i < blockstodecode; i++) {
        out[i] = get_rice_ook(&ctx->gb, rice->k);
-        rice->ksum += out[i] - out[i - 64];
+        rice->ksum += out[i] - (unsigned)out[i - 64];
        while (rice->ksum < ksummin) {
            rice->k--;
            ksummin = rice->k ? ksummin >> 1 : 0;
@@ -859,8 +859,8 @@ static av_always_inline int filter_3800(APEPredictor *p,
        return predictionA;
    }
    d2 =  p->buf[delayA];
-    d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U;
-    d0 =  p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U);
+    d1 = (p->buf[delayA] - (unsigned)p->buf[delayA - 1]) * 2;
+    d0 =  p->buf[delayA] + ((p->buf[delayA - 2] - (unsigned)p->buf[delayA - 1]) * 8);
    d3 =  p->buf[delayB] * 2U - p->buf[delayB - 1];
    d4 =  p->buf[delayB];

@@ -905,7 +905,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len
            dotprod += delay[j] * (unsigned)coeffs[j];
            coeffs[j] += ((delay[j] >> 31) | 1) * sign;
        }
-        buffer[i] -= dotprod >> shift;
+        buffer[i] -= (unsigned)(dotprod >> shift);
        for (j = 0; j < order - 1; j++)
            delay[j] = delay[j + 1];
        delay[order - 1] = buffer[i];
@@ -929,7 +929,7 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length)
        for (j = 7; j > 0; j--)
            delay[j] = delay[j - 1];
        delay[0] = buffer[i];
-        buffer[i] -= dotprod >> 9;
+        buffer[i] -= (unsigned)(dotprod >> 9);
    }
 }

@@ -1038,13 +1038,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
                                                  const int delayA)
 {
    int32_t predictionA, sign;
-    int32_t d0, d1, d2, d3;
+    uint32_t d0, d1, d2, d3;

    p->buf[delayA]     = p->lastA[filter];
    d0 = p->buf[delayA    ];
-    d1 = p->buf[delayA    ] - p->buf[delayA - 1];
-    d2 = p->buf[delayA - 1] - p->buf[delayA - 2];
-    d3 = p->buf[delayA - 2] - p->buf[delayA - 3];
+    d1 = p->buf[delayA    ] - (unsigned)p->buf[delayA - 1];
+    d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2];
+    d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3];

    predictionA = d0 * p->coeffsA[filter][0] +
                  d1 * p->coeffsA[filter][1] +
@@ -1055,10 +1055,10 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
    p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5);

    sign = APESIGN(decoded);
-    p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign;

    return p->filterA[filter];
 }
@@ -1203,14 +1203,14 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count)
        A = *decoded0;

        p->buf[YDELAYA] = currentA;
-        p->buf[YDELAYA - 1] = p->buf[YDELAYA] - p->buf[YDELAYA - 1];
+        p->buf[YDELAYA - 1] = p->buf[YDELAYA] - (unsigned)p->buf[YDELAYA - 1];

        predictionA = p->buf[YDELAYA    ] * p->coeffsA[0][0] +
                      p->buf[YDELAYA - 1] * p->coeffsA[0][1] +
                      p->buf[YDELAYA - 2] * p->coeffsA[0][2] +
                      p->buf[YDELAYA - 3] * p->coeffsA[0][3];

-        currentA = A + (predictionA >> 10);
+        currentA = A + (unsigned)(predictionA >> 10);

        p->buf[YADAPTCOEFFSA]     = APESIGN(p->buf[YDELAYA    ]);
        p->buf[YADAPTCOEFFSA - 1] = APESIGN(p->buf[YDELAYA - 1]);
@@ -1286,7 +1286,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f,
            absres = res < 0 ? -(unsigned)res : res;
            if (absres)
                *f->adaptcoeffs = APESIGN(res) *
-                                  (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3)));
+                                  (8 << ((absres > f->avg * 3LL) + (absres > (f->avg + f->avg / 3))));
                /* equivalent to the following code
                    if (absres <= f->avg * 4 / 3)
                        *f->adaptcoeffs = APESIGN(res) * 8;
@@ -1529,7 +1529,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        for (ch = 0; ch < s->channels; ch++) {
            sample8 = (uint8_t *)frame->data[ch];
            for (i = 0; i < blockstodecode; i++)
-                *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff;
+                *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff;
        }
        break;
    case 16:
@@ -1543,7 +1543,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        for (ch = 0; ch < s->channels; ch++) {
            sample24 = (int32_t *)frame->data[ch];
            for (i = 0; i < blockstodecode; i++)
-                *sample24++ = s->decoded[ch][i] << 8;
+                *sample24++ = s->decoded[ch][i] * 256U;
        }
        break;
    }
@@ -79,7 +79,7 @@ static void vector_clipf_c(float *dst, const float *src, int len,
 static int32_t scalarproduct_int16_c(const int16_t *v1, const int16_t *v2,
                                     int order)
 {
-    int res = 0;
+    unsigned res = 0;

    while (order--)
        res += *v1++ **v2++;
@@ -100,7 +100,7 @@ int avcodec_dct_init(AVDCT *dsp)

 #if CONFIG_IDCTDSP
    {
-        IDCTDSPContext idsp;
+        IDCTDSPContext idsp = {0};
        ff_idctdsp_init(&idsp, avctx);
        COPY(idsp, idct);
        COPY(idsp, idct_permutation);
@@ -109,7 +109,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    s->frame_len     = 1 << frame_len_bits;
    s->overlap_len   = s->frame_len / 16;
    s->block_size    = (s->frame_len - s->overlap_len) * s->channels;
-    sample_rate_half = (sample_rate + 1) / 2;
+    sample_rate_half = (sample_rate + 1LL) / 2;
    if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT)
        s->root = 2.0 / (sqrt(s->frame_len) * 32768.0);
    else
@@ -162,9 +162,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
    uint32_t code;
    volatile VLC_TYPE (* volatile table)[2]; // the double volatile is needed to prevent an internal compiler error in gcc 4.2

-    table_size = 1 << table_nb_bits;
    if (table_nb_bits > 30)
       return AVERROR(EINVAL);
+    table_size = 1 << table_nb_bits;
    table_index = alloc_table(vlc, table_size, flags & INIT_VLC_USE_NEW_STATIC);
    ff_dlog(NULL, "new table index=%d size=%d\n", table_index, table_size);
    if (table_index < 0)
@@ -201,20 +201,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride)
    src[0][0] += 8;

    for( i = 0; i < 8; i++ ) {
-        const int a0 =  3*src[i][1] - (src[i][7]<<1);
-        const int a1 =  3*src[i][3] + (src[i][5]<<1);
-        const int a2 =  (src[i][3]<<1) - 3*src[i][5];
-        const int a3 =  (src[i][1]<<1) + 3*src[i][7];
+        const int a0 = 3 * src[i][1] - 2 * src[i][7];
+        const int a1 = 3 * src[i][3] + 2 * src[i][5];
+        const int a2 = 2 * src[i][3] - 3 * src[i][5];
+        const int a3 = 2 * src[i][1] + 3 * src[i][7];

-        const int b4 = ((a0 + a1 + a3)<<1) + a1;
-        const int b5 = ((a0 - a1 + a2)<<1) + a0;
-        const int b6 = ((a3 - a2 - a1)<<1) + a3;
-        const int b7 = ((a0 - a2 - a3)<<1) - a2;
+        const int b4 = 2 * (a0 + a1 + a3) + a1;
+        const int b5 = 2 * (a0 - a1 + a2) + a0;
+        const int b6 = 2 * (a3 - a2 - a1) + a3;
+        const int b7 = 2 * (a0 - a2 - a3) - a2;

-        const int a7 = (src[i][2]<<2) - 10*src[i][6];
-        const int a6 = (src[i][6]<<2) + 10*src[i][2];
-        const int a5 = ((src[i][0] - src[i][4]) << 3) + 4;
-        const int a4 = ((src[i][0] + src[i][4]) << 3) + 4;
+        const int a7 = 4 * src[i][2] - 10 * src[i][6];
+        const int a6 = 4 * src[i][6] + 10 * src[i][2];
+        const int a5 = 8 * (src[i][0] - src[i][4]) + 4;
+        const int a4 = 8 * (src[i][0] + src[i][4]) + 4;

        const int b0 = a4 + a6;
        const int b1 = a5 + a7;
@@ -231,20 +231,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride)
        src[i][7] = (b0 - b4) >> 3;
    }
    for( i = 0; i < 8; i++ ) {
-        const int a0 =  3*src[1][i] - (src[7][i]<<1);
-        const int a1 =  3*src[3][i] + (src[5][i]<<1);
-        const int a2 =  (src[3][i]<<1) - 3*src[5][i];
-        const int a3 =  (src[1][i]<<1) + 3*src[7][i];
+        const int a0 = 3 * src[1][i] - 2 * src[7][i];
+        const int a1 = 3 * src[3][i] + 2 * src[5][i];
+        const int a2 = 2 * src[3][i] - 3 * src[5][i];
+        const int a3 = 2 * src[1][i] + 3 * src[7][i];

-        const int b4 = ((a0 + a1 + a3)<<1) + a1;
-        const int b5 = ((a0 - a1 + a2)<<1) + a0;
-        const int b6 = ((a3 - a2 - a1)<<1) + a3;
-        const int b7 = ((a0 - a2 - a3)<<1) - a2;
+        const int b4 = 2 * (a0 + a1 + a3) + a1;
+        const int b5 = 2 * (a0 - a1 + a2) + a0;
+        const int b6 = 2 * (a3 - a2 - a1) + a3;
+        const int b7 = 2 * (a0 - a2 - a3) - a2;

-        const int a7 = (src[2][i]<<2) - 10*src[6][i];
-        const int a6 = (src[6][i]<<2) + 10*src[2][i];
-        const int a5 = (src[0][i] - src[4][i]) << 3;
-        const int a4 = (src[0][i] + src[4][i]) << 3;
+        const int a7 = 4 * src[2][i] - 10 * src[6][i];
+        const int a6 = 4 * src[6][i] + 10 * src[2][i];
+        const int a5 = 8 * (src[0][i] - src[4][i]);
+        const int a4 = 8 * (src[0][i] + src[4][i]);

        const int b0 = a4 + a6;
        const int b1 = a5 + a7;
@@ -693,11 +693,11 @@ static int cbs_insert_unit(CodedBitstreamContext *ctx,
            memmove(units + position + 1, units + position,
                    (frag->nb_units - position) * sizeof(*units));
    } else {
-        units = av_malloc_array(frag->nb_units + 1, sizeof(*units));
+        units = av_malloc_array(frag->nb_units*2 + 1, sizeof(*units));
        if (!units)
            return AVERROR(ENOMEM);

-        ++frag->nb_units_allocated;
+        frag->nb_units_allocated = 2*frag->nb_units_allocated + 1;

        if (position > 0)
            memcpy(units, frag->units, position * sizeof(*units));
@@ -125,8 +125,9 @@ static int cbs_av1_write_uvlc(CodedBitstreamContext *ctx, PutBitContext *pbc,
        put_bits(pbc, 1, 1);
    } else {
        zeroes = av_log2(value + 1);
-        v = value - (1 << zeroes) + 1;
-        put_bits(pbc, zeroes + 1, 1);
+        v = value - (1U << zeroes) + 1;
+        put_bits(pbc, zeroes, 0);
+        put_bits(pbc, 1, 1);
        put_bits(pbc, zeroes, v);
    }

@@ -170,6 +171,9 @@ static int cbs_av1_read_leb128(CodedBitstreamContext *ctx, GetBitContext *gbc,
            break;
    }

+    if (value > UINT32_MAX)
+        return AVERROR_INVALIDDATA;
+
    if (ctx->trace_enable)
        ff_cbs_trace_syntax_element(ctx, position, name, NULL, "", value);

@@ -1500,8 +1500,6 @@ static int FUNC(frame_header_obu)(CodedBitstreamContext *ctx, RWContext *rw,
        else
            HEADER("Frame Header");

-        priv->seen_frame_header = 1;
-
 #ifdef READ
        start_pos = get_bits_count(rw);
 #else
@@ -568,7 +568,10 @@ static int cbs_h2645_fragment_add_nals(CodedBitstreamContext *ctx,
        // Remove trailing zeroes.
        while (size > 0 && nal->data[size - 1] == 0)
            --size;
-        av_assert0(size > 0);
+        if (size == 0) {
+            av_log(ctx->log_ctx, AV_LOG_VERBOSE, "Discarding empty 0 NAL unit\n");
+            continue;
+        }

        ref = (nal->data == nal->raw_data) ? frag->data_ref
                                           : packet->rbsp.rbsp_buffer_ref;
@@ -748,7 +751,7 @@ static int cbs_h26 ## h26n ## _replace_ ## ps_var(CodedBitstreamContext *ctx, \
    CodedBitstreamH26 ## h26n ## Context *priv = ctx->priv_data; \
    H26 ## h26n ## Raw ## ps_name *ps_var = unit->content; \
    unsigned int id = ps_var->id_element; \
-    if (id > FF_ARRAY_ELEMS(priv->ps_var)) { \
+    if (id >= FF_ARRAY_ELEMS(priv->ps_var)) { \
        av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid " #ps_name \
               " id : %d.\n", id); \
        return AVERROR_INVALIDDATA; \
@@ -855,15 +858,11 @@ static int cbs_h264_read_nal_unit(CodedBitstreamContext *ctx,
            if (err < 0)
                return err;

+            if (!cbs_h2645_read_more_rbsp_data(&gbc))
+                return AVERROR_INVALIDDATA;
+
            pos = get_bits_count(&gbc);
            len = unit->data_size;
-            if (!unit->data[len - 1]) {
-                int z;
-                for (z = 0; z < len && !unit->data[len - z - 1]; z++);
-                av_log(ctx->log_ctx, AV_LOG_DEBUG, "Deleted %d trailing zeroes "
-                       "from slice data.\n", z);
-                len -= z;
-            }

            slice->data_size = len - pos / 8;
            slice->data_ref  = av_buffer_ref(unit->data_ref);
@@ -1037,15 +1036,11 @@ static int cbs_h265_read_nal_unit(CodedBitstreamContext *ctx,
            if (err < 0)
                return err;

+            if (!cbs_h2645_read_more_rbsp_data(&gbc))
+                return AVERROR_INVALIDDATA;
+
            pos = get_bits_count(&gbc);
            len = unit->data_size;
-            if (!unit->data[len - 1]) {
-                int z;
-                for (z = 0; z < len && !unit->data[len - z - 1]; z++);
-                av_log(ctx->log_ctx, AV_LOG_DEBUG, "Deleted %d trailing zeroes "
-                       "from slice data.\n", z);
-                len -= z;
-            }

            slice->data_size = len - pos / 8;
            slice->data_ref  = av_buffer_ref(unit->data_ref);
@@ -1366,7 +1366,7 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw,
                   (sps->pic_height_in_map_units_minus1 + 1);
        max = (pic_size + pps->slice_group_change_rate_minus1) /
              (pps->slice_group_change_rate_minus1 + 1);
-        bits = av_log2(2 * max - 1);
+        bits = av_ceil_log2(max + 1);

        u(bits, slice_group_change_cycle, 0, max);
    }
@@ -80,7 +80,7 @@ static int FUNC(extension_data)(CodedBitstreamContext *ctx, RWContext *rw,
    }
 #else
    for (k = 0; k < current->bit_length; k++)
-        xu(1, extension_data, current->data[k / 8] >> (7 - k % 8), 0, 1, 0);
+        xu(1, extension_data, current->data[k / 8] >> (7 - k % 8) & 1, 0, 1, 0);
 #endif
    return 0;
 }
@@ -601,6 +601,8 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw,
            }
        }

+        if (i > 15)
+            return AVERROR_INVALIDDATA;
        infer(num_negative_pics, i);
        for (i = 0; i < current->num_negative_pics; i++) {
            infer(delta_poc_s0_minus1[i],
@@ -630,6 +632,8 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw,
            }
        }

+        if (i + current->num_negative_pics > 15)
+            return AVERROR_INVALIDDATA;
        infer(num_positive_pics, i);
        for (i = 0; i < current->num_positive_pics; i++) {
            infer(delta_poc_s1_minus1[i],
@@ -718,7 +722,7 @@ static int FUNC(sps_scc_extension)(CodedBitstreamContext *ctx, RWContext *rw,

        flag(sps_palette_predictor_initializer_present_flag);
        if (current->sps_palette_predictor_initializer_present_flag) {
-            ue(sps_num_palette_predictor_initializer_minus1, 0, 128);
+            ue(sps_num_palette_predictor_initializer_minus1, 0, 127);
            for (comp = 0; comp < (current->chroma_format_idc ? 3 : 1); comp++) {
                int bit_depth = comp == 0 ? current->bit_depth_luma_minus8 + 8
                                          : current->bit_depth_chroma_minus8 + 8;
@@ -1367,7 +1371,7 @@ static int FUNC(slice_segment_header)(CodedBitstreamContext *ctx, RWContext *rw,
                    infer(num_long_term_sps, 0);
                    idx_size = 0;
                }
-                ue(num_long_term_pics, 0, HEVC_MAX_LONG_TERM_REF_PICS);
+                ue(num_long_term_pics, 0, HEVC_MAX_REFS - current->num_long_term_sps);

                for (i = 0; i < current->num_long_term_sps +
                                current->num_long_term_pics; i++) {
@@ -148,15 +148,15 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx,
        if (marker == JPEG_MARKER_EOI) {
            break;
        } else if (marker == JPEG_MARKER_SOS) {
+            next_marker = -1;
+            end = start;
            for (i = start; i + 1 < frag->data_size; i++) {
                if (frag->data[i] != 0xff)
                    continue;
                end = i;
                for (++i; i + 1 < frag->data_size &&
                          frag->data[i] == 0xff; i++);
-                if (i + 1 >= frag->data_size) {
-                    next_marker = -1;
-                } else {
+                if (i + 1 < frag->data_size) {
                    if (frag->data[i] == 0x00)
                        continue;
                    next_marker = frag->data[i];
@@ -197,6 +197,9 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx,
        if (marker == JPEG_MARKER_SOS) {
            length = AV_RB16(frag->data + start);

+            if (length > end - start)
+                return AVERROR_INVALIDDATA;
+
            data_ref = NULL;
            data     = av_malloc(end - start +
                                 AV_INPUT_BUFFER_PADDING_SIZE);
@@ -89,6 +89,8 @@ static int FUNC(huffman_table)(CodedBitstreamContext *ctx, RWContext *rw,
    ij = 0;
    for (i = 0; i < 16; i++) {
        for (j = 0; j < current->L[i]; j++) {
+            if (ij >= 224)
+                return AVERROR_INVALIDDATA;
            us(8, V[ij], ij, 0, 255);
            ++ij;
        }
@@ -108,6 +110,9 @@ static int FUNC(dht)(CodedBitstreamContext *ctx, RWContext *rw,

    n = 2;
    for (i = 0; n < current->Lh; i++) {
+        if (i >= 8)
+            return AVERROR_INVALIDDATA;
+
        CHECK(FUNC(huffman_table)(ctx, rw, &current->table[i]));

        ++n;
@@ -65,11 +65,11 @@ int ff_celp_lp_synthesis_filter(int16_t *out, const int16_t *filter_coeffs,
    int i,n;

    for (n = 0; n < buffer_length; n++) {
-        int sum = -rounder, sum1;
+        int sum = rounder, sum1;
        for (i = 1; i <= filter_length; i++)
-            sum += (unsigned)(filter_coeffs[i-1] * out[n-i]);
+            sum -= (unsigned)(filter_coeffs[i-1] * out[n-i]);

-        sum1 = ((-sum >> 12) + in[n]) >> shift;
+        sum1 = ((sum >> 12) + in[n]) >> shift;
        sum  = av_clip_int16(sum1);

        if (stop_on_overflow && sum != sum1)
@@ -444,6 +444,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
                avpriv_report_missing_feature(avctx, "Transform type of %"PRIu16, data);
                ret = AVERROR_PATCHWELCOME;
                break;
+            } else if (data == 1) {
+                av_log(avctx, AV_LOG_ERROR, "unsupported transform type\n");
+                ret = AVERROR_PATCHWELCOME;
+                break;
            }
            av_log(avctx, AV_LOG_DEBUG, "Transform-type? %"PRIu16"\n", data);
        } else if (abstag >= 0x4000 && abstag <= 0x40ff) {
@@ -546,6 +550,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
            s->peak.level   = 0;
        } else if (tag == -74 && s->peak.offset) {
            s->peak.level = data;
+            if (s->peak.offset < 4 - bytestream2_tell(&s->peak.base) ||
+                s->peak.offset > 4 + bytestream2_get_bytes_left(&s->peak.base)
+            ) {
+                ret = AVERROR_INVALIDDATA;
+                goto end;
+            }
            bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR);
        } else
            av_log(avctx, AV_LOG_DEBUG,  "Unknown tag %i data %x\n", tag, data);
@@ -544,8 +544,9 @@ static int encode_mode(CinepakEncContext *s, int h,
                       uint8_t *last_data[4], int last_linesize[4],
                       strip_info *info, unsigned char *buf)
 {
-    int x, y, z, flags, bits, temp_size, header_ofs, ret = 0, mb_count = s->w * h / MB_AREA;
+    int x, y, z, bits, temp_size, header_ofs, ret = 0, mb_count = s->w * h / MB_AREA;
    int needs_extra_bit, should_write_temp;
+    uint32_t flags;
    unsigned char temp[64]; // 32/2 = 16 V4 blocks at 4 B each -> 64 B
    mb_info *mb;
    uint8_t *sub_scratch_data[4] = { 0 }, *sub_last_data[4] = { 0 };
@@ -599,7 +600,7 @@ static int encode_mode(CinepakEncContext *s, int h,
            flags = 0;
            for (y = x; y < FFMIN(x + 32, mb_count); y++)
                if (s->mb[y].best_encoding == ENC_V4)
-                    flags |= 1 << (31 - y + x);
+                    flags |= 1U << (31 - y + x);

            AV_WB32(&buf[ret], flags);
            ret += 4;
@@ -626,13 +627,13 @@ static int encode_mode(CinepakEncContext *s, int h,

        for (x = 0; x < mb_count; x++) {
            mb                = &s->mb[x];
-            flags            |= (mb->best_encoding != ENC_SKIP) << (31 - bits++);
+            flags            |= (uint32_t)(mb->best_encoding != ENC_SKIP) << (31 - bits++);
            needs_extra_bit   = 0;
            should_write_temp = 0;

            if (mb->best_encoding != ENC_SKIP) {
                if (bits < 32)
-                    flags |= (mb->best_encoding == ENC_V4) << (31 - bits++);
+                    flags |= (uint32_t)(mb->best_encoding == ENC_V4) << (31 - bits++);
                else
                    needs_extra_bit = 1;
            }
@@ -651,7 +652,7 @@ static int encode_mode(CinepakEncContext *s, int h,
            }

            if (needs_extra_bit) {
-                flags = (mb->best_encoding == ENC_V4) << 31;
+                flags = (uint32_t)(mb->best_encoding == ENC_V4) << 31;
                bits  = 1;
            }

@@ -665,8 +665,8 @@ static av_cold int clv_decode_init(AVCodecContext *avctx)
    }

    c->tile_shift = av_log2(c->tile_size);
-    if (1U << c->tile_shift != c->tile_size) {
-        av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size);
+    if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1 || c->tile_shift > 30) {
+        av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1 and < 2^31\n", c->tile_size);
        return AVERROR_INVALIDDATA;
    }

@@ -1084,6 +1084,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
    ff_audiodsp_init(&q->adsp);

    while (bytestream2_get_bytes_left(&gb)) {
+        if (s >= FFMIN(MAX_SUBPACKETS, avctx->block_align)) {
+            avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align));
+            return AVERROR_PATCHWELCOME;
+        }
        /* 8 for mono, 16 for stereo, ? for multichannel
           Swap to right endianness so we don't need to care later on. */
        q->subpacket[s].cookversion      = bytestream2_get_be32(&gb);
@@ -1215,10 +1219,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)

        q->num_subpackets++;
        s++;
-        if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) {
-            avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align));
-            return AVERROR_PATCHWELCOME;
-        }
    }

    /* Try to catch some obviously faulty streams, otherwise it might be exploitable */
@@ -111,6 +111,7 @@ static int cpia_decode_frame(AVCodecContext *avctx,
        // Read line length, two byte little endian
        linelength = AV_RL16(src);
        src += 2;
+        src_size -= 2;

        if (src_size < linelength) {
            frame->decode_error_flags = FF_DECODE_ERROR_INVALID_BITSTREAM;
@@ -93,7 +93,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    case 1: { // zlib compression
 #if CONFIG_ZLIB
        unsigned long dlen = c->decomp_size;
-        if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) {
+        if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || dlen != c->decomp_size) {
            av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n");
            return AVERROR_INVALIDDATA;
        }
@@ -90,7 +90,7 @@ typedef struct CuvidContext
    CUVIDDECODECAPS caps8, caps10, caps12;

    CUVIDPARSERPARAMS cuparseinfo;
-    CUVIDEOFORMATEX cuparse_ext;
+    CUVIDEOFORMATEX *cuparse_ext;

    CudaFunctions *cudl;
    CuvidFunctions *cvdl;
@@ -714,6 +714,7 @@ static av_cold int cuvid_decode_end(AVCodecContext *avctx)
    av_buffer_unref(&ctx->hwdevice);

    av_freep(&ctx->key_frame);
+    av_freep(&ctx->cuparse_ext);

    cuvid_free_functions(&ctx->cvdl);

@@ -824,6 +825,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx)
    CUcontext cuda_ctx = NULL;
    CUcontext dummy;
    const AVBitStreamFilter *bsf;
+    uint8_t *extradata;
+    int extradata_size;
    int ret = 0;

    enum AVPixelFormat pix_fmts[3] = { AV_PIX_FMT_CUDA,
@@ -920,11 +923,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx)
    ctx->cudl = device_hwctx->internal->cuda_dl;

    memset(&ctx->cuparseinfo, 0, sizeof(ctx->cuparseinfo));
-    memset(&ctx->cuparse_ext, 0, sizeof(ctx->cuparse_ext));
    memset(&seq_pkt, 0, sizeof(seq_pkt));

-    ctx->cuparseinfo.pExtVideoInfo = &ctx->cuparse_ext;
-
    switch (avctx->codec->id) {
 #if CONFIG_H264_CUVID_DECODER
    case AV_CODEC_ID_H264:
@@ -994,17 +994,26 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx)
            goto error;
        }

-        ctx->cuparse_ext.format.seqhdr_data_length = ctx->bsf->par_out->extradata_size;
-        memcpy(ctx->cuparse_ext.raw_seqhdr_data,
-               ctx->bsf->par_out->extradata,
-               FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), ctx->bsf->par_out->extradata_size));
-    } else if (avctx->extradata_size > 0) {
-        ctx->cuparse_ext.format.seqhdr_data_length = avctx->extradata_size;
-        memcpy(ctx->cuparse_ext.raw_seqhdr_data,
-               avctx->extradata,
-               FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), avctx->extradata_size));
+        extradata = ctx->bsf->par_out->extradata;
+        extradata_size = ctx->bsf->par_out->extradata_size;
+    } else {
+        extradata = avctx->extradata;
+        extradata_size = avctx->extradata_size;
    }

+    ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext)
+            + FFMAX(extradata_size - (int)sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0));
+    if (!ctx->cuparse_ext) {
+        ret = AVERROR(ENOMEM);
+        goto error;
+    }
+
+    if (extradata_size > 0)
+        memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size);
+    ctx->cuparse_ext->format.seqhdr_data_length = extradata_size;
+
+    ctx->cuparseinfo.pExtVideoInfo = ctx->cuparse_ext;
+
    ctx->key_frame = av_mallocz(ctx->nb_surfaces * sizeof(int));
    if (!ctx->key_frame) {
        ret = AVERROR(ENOMEM);
@@ -1033,8 +1042,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx)
    if (ret < 0)
        goto error;

-    seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data;
-    seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length;
+    seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data;
+    seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length;

    if (seq_pkt.payload && seq_pkt.payload_size) {
        ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt));
@@ -1093,8 +1102,8 @@ static void cuvid_flush(AVCodecContext *avctx)
    if (ret < 0)
        goto error;

-    seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data;
-    seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length;
+    seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data;
+    seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length;

    if (seq_pkt.payload && seq_pkt.payload_size) {
        ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt));
@@ -154,7 +154,7 @@ static int parse_lfe_24(DCALbrDecoder *s)
    step_i = get_bits(&s->gb, 8);
    if (step_i > step_max) {
        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    step = ff_dca_lfe_step_size_24[step_i];
@@ -208,7 +208,7 @@ static int parse_lfe_16(DCALbrDecoder *s)
    step_i = get_bits(&s->gb, 8);
    if (step_i > step_max) {
        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    step = ff_dca_lfe_step_size_16[step_i];
@@ -246,14 +246,17 @@ static int parse_lfe_16(DCALbrDecoder *s)

 static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk)
 {
+    int ret;
+
    if (!(s->flags & LBR_FLAG_LFE_PRESENT))
        return 0;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    // Determine bit depth from chunk size
    if (chunk->len >= 52)
@@ -262,7 +265,7 @@ static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk)
        return parse_lfe_16(s);

    av_log(s->avctx, AV_LOG_ERROR, "LFE chunk too short\n");
-    return -1;
+    return AVERROR_INVALIDDATA;
 }

 static inline int parse_vlc(GetBitContext *s, VLC *vlc, int max_depth)
@@ -291,13 +294,13 @@ static int parse_tonal(DCALbrDecoder *s, int group)
        for (freq = 1;; freq++) {
            if (get_bits_left(&s->gb) < 1) {
                av_log(s->avctx, AV_LOG_ERROR, "Tonal group chunk too short\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

            diff = parse_vlc(&s->gb, &ff_dca_vlc_tnl_grp[group], 2);
            if (diff >= FF_ARRAY_ELEMS(ff_dca_fst_amp)) {
                av_log(s->avctx, AV_LOG_ERROR, "Invalid tonal frequency diff\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

            diff = get_bitsz(&s->gb, diff >> 2) + ff_dca_fst_amp[diff];
@@ -307,7 +310,7 @@ static int parse_tonal(DCALbrDecoder *s, int group)
            freq += diff - 2;
            if (freq >> (5 - group) > s->nsubbands * 4 - 6) {
                av_log(s->avctx, AV_LOG_ERROR, "Invalid spectral line offset\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

            // Main channel
@@ -358,19 +361,21 @@ static int parse_tonal(DCALbrDecoder *s, int group)

 static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk)
 {
-    int sb, group;
+    int sb, group, ret;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+
+    if (ret < 0)
+        return ret;

    // Scale factors
    if (chunk->id == LBR_CHUNK_SCF || chunk->id == LBR_CHUNK_TONAL_SCF) {
        if (get_bits_left(&s->gb) < 36) {
            av_log(s->avctx, AV_LOG_ERROR, "Tonal scale factor chunk too short\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }
        for (sb = 0; sb < 6; sb++)
            s->tonal_scf[sb] = get_bits(&s->gb, 6);
@@ -378,20 +383,25 @@ static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk)

    // Tonal groups
    if (chunk->id == LBR_CHUNK_TONAL || chunk->id == LBR_CHUNK_TONAL_SCF)
-        for (group = 0; group < 5; group++)
-            if (parse_tonal(s, group) < 0)
-                return -1;
+        for (group = 0; group < 5; group++) {
+            ret = parse_tonal(s, group);
+            if (ret < 0)
+                return ret;
+        }

    return 0;
 }

 static int parse_tonal_group(DCALbrDecoder *s, LBRChunk *chunk)
 {
+    int ret;
+
    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    return parse_tonal(s, chunk->id);
 }
@@ -404,7 +414,7 @@ static int ensure_bits(GetBitContext *s, int n)
 {
    int left = get_bits_left(s);
    if (left < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;
    if (left < n) {
        skip_bits_long(s, left);
        return 1;
@@ -433,7 +443,7 @@ static int parse_scale_factors(DCALbrDecoder *s, uint8_t *scf)
        dist = parse_vlc(&s->gb, &ff_dca_vlc_rsd_apprx, 1) + 1;
        if (dist > 7 - sf) {
            av_log(s->avctx, AV_LOG_ERROR, "Invalid scale factor distance\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }

        if (ensure_bits(&s->gb, 20))
@@ -498,22 +508,26 @@ static int parse_st_code(GetBitContext *s, int min_v)

 static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
-    int ch, sb, sf, nsubbands;
+    int ch, sb, sf, nsubbands, ret;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    // Scale factors
    nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1;
    for (sb = 2; sb < nsubbands; sb++) {
-        if (parse_scale_factors(s, s->grid_1_scf[ch1][sb]) < 0)
-            return -1;
-        if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband
-            && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0)
-            return -1;
+        ret = parse_scale_factors(s, s->grid_1_scf[ch1][sb]);
+        if (ret < 0)
+            return ret;
+        if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband) {
+            ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]);
+            if (ret < 0)
+                return ret;
+        }
    }

    if (get_bits_left(&s->gb) < 1)
@@ -532,7 +546,7 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch

    if (get_bits_left(&s->gb) < 0) {
        av_log(s->avctx, AV_LOG_ERROR, "First grid chunk too short\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    // Stereo image for partial mono mode
@@ -562,14 +576,16 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch

 static int parse_grid_1_sec_ch(DCALbrDecoder *s, int ch2)
 {
-    int sb, nsubbands;
+    int sb, nsubbands, ret;

    // Scale factors
    nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1;
    for (sb = 2; sb < nsubbands; sb++) {
-        if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband
-            && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0)
-            return -1;
+        if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband) {
+            ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]);
+            if (ret < 0)
+                return ret;
+        }
    }

    // Average values for third grid
@@ -709,7 +725,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2,
            s->sb_indices[sb] = sb_reorder;
        }
        if (sb_reorder >= s->nsubbands)
-            return -1;
+            return AVERROR_INVALIDDATA;

        // Third grid scale factors
        if (sb == 12) {
@@ -731,7 +747,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2,

        quant_level = s->quant_levels[ch1 / 2][sb];
        if (!quant_level)
-            return -1;
+            return AVERROR_INVALIDDATA;

        // Time samples for one or both channels
        if (sb < s->max_mono_subband && sb_reorder >= s->min_mono_subband) {
@@ -792,13 +808,14 @@ static int parse_lpc(DCALbrDecoder *s, int ch1, int ch2, int start_sb, int end_s
 static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
    int quant_levels[DCA_LBR_SUBBANDS];
-    int sb, ch, ol, st, max_sb, profile;
+    int sb, ch, ol, st, max_sb, profile, ret;

    if (!chunk->len)
        return 0;

-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
+    ret = init_get_bits8(&s->gb, chunk->data, chunk->len);
+    if (ret < 0)
+        return ret;

    // Quantizer profile
    profile = get_bits(&s->gb, 8);
@@ -832,18 +849,20 @@ static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int c
        s->quant_levels[ch1 / 2][sb] = quant_levels[sb];

    // LPC for the first two subbands
-    if (parse_lpc(s, ch1, ch2, 0, 2) < 0)
-        return -1;
+    ret = parse_lpc(s, ch1, ch2, 0, 2);
+    if (ret < 0)
+        return ret;

    // Time-samples for the first two subbands of main channel
-    if (parse_ts(s, ch1, ch2, 0, 2, 0) < 0)
-        return -1;
+    ret = parse_ts(s, ch1, ch2, 0, 2, 0);
+    if (ret < 0)
+        return ret;

    // First two bands of the first grid
    for (sb = 0; sb < 2; sb++)
        for (ch = ch1; ch <= ch2; ch++)
-            if (parse_scale_factors(s, s->grid_1_scf[ch][sb]) < 0)
-                return -1;
+            if ((ret = parse_scale_factors(s, s->grid_1_scf[ch][sb])) < 0)
+                return ret;

    return 0;
 }
@@ -892,39 +911,42 @@ static int parse_grid_2(DCALbrDecoder *s, int ch1, int ch2,

 static int parse_ts1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
+    int ret;
    if (!chunk->len)
        return 0;
-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
-    if (parse_lpc(s, ch1, ch2, 2, 3) < 0)
-        return -1;
-    if (parse_ts(s, ch1, ch2, 2, 4, 0) < 0)
-        return -1;
-    if (parse_grid_2(s, ch1, ch2, 0, 1, 0) < 0)
-        return -1;
-    if (parse_ts(s, ch1, ch2, 4, 6, 0) < 0)
-        return -1;
+    if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0)
+        return ret;
+    if ((ret = parse_lpc(s, ch1, ch2, 2, 3)) < 0)
+        return ret;
+    if ((ret = parse_ts(s, ch1, ch2, 2, 4, 0)) < 0)
+        return ret;
+    if ((ret = parse_grid_2(s, ch1, ch2, 0, 1, 0)) < 0)
+        return ret;
+    if ((ret = parse_ts(s, ch1, ch2, 4, 6, 0)) < 0)
+        return ret;
    return 0;
 }

 static int parse_ts2_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2)
 {
+    int ret;
+
    if (!chunk->len)
        return 0;
-    if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0)
-        return -1;
-    if (parse_grid_2(s, ch1, ch2, 1, 3, 0) < 0)
-        return -1;
-    if (parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0) < 0)
-        return -1;
+    if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0)
+        return ret;
+    if ((ret = parse_grid_2(s, ch1, ch2, 1, 3, 0)) < 0)
+        return ret;
+    if ((ret = parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0)) < 0)
+        return ret;
    if (ch1 != ch2) {
-        if (parse_grid_1_sec_ch(s, ch2) < 0)
-            return -1;
-        if (parse_grid_2(s, ch1, ch2, 0, 3, 1) < 0)
-            return -1;
+        if ((ret = parse_grid_1_sec_ch(s, ch2)) < 0)
+            return ret;
+        if ((ret = parse_grid_2(s, ch1, ch2, 0, 3, 1)) < 0)
+            return ret;
    }
-    if (parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1) < 0)
-        return -1;
+    if ((ret = parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1)) < 0)
+        return ret;
    return 0;
 }

@@ -932,11 +954,13 @@ static int init_sample_rate(DCALbrDecoder *s)
 {
    double scale = (-1.0 / (1 << 17)) * sqrt(1 << (2 - s->limited_range));
    int i, br_per_ch = s->bit_rate_scaled / s->nchannels_total;
+    int ret;

    ff_mdct_end(&s->imdct);

-    if (ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale) < 0)
-        return -1;
+    ret = ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale);
+    if (ret < 0)
+        return ret;

    for (i = 0; i < 32 << s->freq_range; i++)
        s->window[i] = ff_dca_long_window[i << (2 - s->freq_range)];
@@ -975,7 +999,7 @@ static int alloc_sample_buffer(DCALbrDecoder *s)
    // Reallocate time sample buffer
    av_fast_mallocz(&s->ts_buffer, &s->ts_size, nsamples * sizeof(float));
    if (!s->ts_buffer)
-        return -1;
+        return AVERROR(ENOMEM);

    ptr = s->ts_buffer + DCA_LBR_TIME_HISTORY;
    for (ch = 0; ch < s->nchannels; ch++) {
@@ -1796,7 +1820,7 @@ av_cold int ff_dca_lbr_init(DCALbrDecoder *s)
    init_tables();

    if (!(s->fdsp = avpriv_float_dsp_alloc(0)))
-        return -1;
+        return AVERROR(ENOMEM);

    s->lbr_rand = 1;
    return 0;
@@ -328,7 +328,7 @@ static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le
    int i;

    for (i = 0; i < len; i++)
-        dst[i] += mul15(src[i], coeff);
+        dst[i] += (unsigned)mul15(src[i], coeff);
 }

 static void dmix_scale_c(int32_t *dst, int scale, ptrdiff_t len)
@@ -1910,7 +1910,8 @@ static int get_buffer_internal(AVCodecContext *avctx, AVFrame *frame, int flags)
    int ret;

    if (avctx->codec_type == AVMEDIA_TYPE_VIDEO) {
-        if ((ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) {
+        if ((unsigned)avctx->width > INT_MAX - STRIDE_ALIGN ||
+            (ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) {
            av_log(avctx, AV_LOG_ERROR, "video_get_buffer: image parameters invalid\n");
            return AVERROR(EINVAL);
        }
@@ -215,7 +215,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx,
            int64_t pts = AV_RB32(cur_pu + 13);
            if (s->last_pts == 0 && s->last_dts == 0)
                s->dts = pts - 1;
-            else
+            else if (s->last_dts != AV_NOPTS_VALUE)
                s->dts = s->last_dts + 1;
            s->pts = pts;
            if (!avctx->has_b_frames && (cur_pu[4] & 0x03))
@@ -1435,8 +1435,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
    int *c      = s->globalmc[ref].perspective;

    int64_t m   = (1<<ep) - (c[0]*(int64_t)x + c[1]*(int64_t)y);
-    int64_t mx  = m * (int64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
-    int64_t my  = m * (int64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);
+    int64_t mx  = m * (uint64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
+    int64_t my  = m * (uint64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);

    block->u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
    block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
@@ -198,9 +198,9 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s
        PX c, sign, *src_r = (PX *)src, *dst_r = (PX *)dst;                                \
        for (i = 0; i < tot_h; i++) {                                                      \
            c = *src_r++;                                                                  \
-            sign = FFSIGN(c)*(!!c);                                                        \
-            c = (FFABS(c)*(unsigned)qf + qs) >> 2;                                                   \
-            *dst_r++ = c*sign;                                                             \
+            if     (c < 0) c = -((-(unsigned)c*qf + qs) >> 2);                             \
+            else if(c > 0) c =  (( (unsigned)c*qf + qs) >> 2);                             \
+            *dst_r++ = c;                                                                  \
        }                                                                                  \
        src += tot_h << (sizeof(PX) >> 1);                                                 \
        dst += stride;                                                                     \
@@ -111,6 +111,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx)

 static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth)
 {
+    int ret;
    if (cid != ctx->cid) {
        int index;

@@ -130,19 +131,26 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth)
        ff_free_vlc(&ctx->dc_vlc);
        ff_free_vlc(&ctx->run_vlc);

-        init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
+        if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
                 ctx->cid_table->ac_bits, 1, 1,
-                 ctx->cid_table->ac_codes, 2, 2, 0);
-        init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
+                 ctx->cid_table->ac_codes, 2, 2, 0)) < 0)
+            goto out;
+        if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
                 ctx->cid_table->dc_bits, 1, 1,
-                 ctx->cid_table->dc_codes, 1, 1, 0);
-        init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
+                 ctx->cid_table->dc_codes, 1, 1, 0)) < 0)
+            goto out;
+        if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
                 ctx->cid_table->run_bits, 1, 1,
-                 ctx->cid_table->run_codes, 2, 2, 0);
+                 ctx->cid_table->run_codes, 2, 2, 0)) < 0)
+            goto out;

        ctx->cid = cid;
    }
-    return 0;
+    ret = 0;
+out:
+    if (ret < 0)
+        av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n");
+    return ret;
 }

 static av_cold int dnxhd_decode_init_thread_copy(AVCodecContext *avctx)
@@ -220,7 +220,7 @@ static av_cold int dnxhd_init_vlc(DNXHDEncContext *ctx)
    ctx->vlc_bits  = ctx->orig_vlc_bits + max_level * 2;
    for (level = -max_level; level < max_level; level++) {
        for (run = 0; run < 2; run++) {
-            int index = (level << 1) | run;
+            int index = level * (1 << 1) | run;
            int sign, offset = 0, alevel = level;

            MASK_ABS(sign, alevel);
@@ -616,7 +616,7 @@ void dnxhd_encode_block(DNXHDEncContext *ctx, int16_t *block,
        slevel = block[j];
        if (slevel) {
            int run_level = i - last_non_zero - 1;
-            int rlevel = (slevel << 1) | !!run_level;
+            int rlevel = slevel * (1 << 1) | !!run_level;
            put_bits(&ctx->m.pb, ctx->vlc_bits[rlevel], ctx->vlc_codes[rlevel]);
            if (run_level)
                put_bits(&ctx->m.pb, ctx->run_bits[run_level],
@@ -696,7 +696,7 @@ int dnxhd_calc_ac_bits(DNXHDEncContext *ctx, int16_t *block, int last_index)
        level = block[j];
        if (level) {
            int run_level = i - last_non_zero - 1;
-            bits += ctx->vlc_bits[(level << 1) |
+            bits += ctx->vlc_bits[level * (1 << 1) |
                    !!run_level] + ctx->run_bits[run_level];
            last_non_zero = i;
        }
@@ -305,9 +305,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
                shift[ch] -= (2 * n);
            diff = sign_extend((diff &~ 3) << 8, 16);

-            /* saturate the shifter to a lower limit of 0 */
-            if (shift[ch] < 0)
-                shift[ch] = 0;
+            /* saturate the shifter to 0..31 */
+            shift[ch] = av_clip_uintp2(shift[ch], 5);

            diff >>= shift[ch];
            predictor[ch] += diff;
@@ -367,7 +366,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
        while (output_samples < samples_end) {
            uint8_t n = bytestream2_get_byteu(&gb);

-            *output_samples++ = s->sample[idx] += s->array[n];
+            *output_samples++ = s->sample[idx] += (unsigned)s->array[n];
            idx ^= 1;
        }
        }
@@ -206,6 +206,9 @@ static int decode_frame(AVCodecContext *avctx,
        return AVERROR_PATCHWELCOME;
    }

+    if (bits_per_color > 32)
+        return AVERROR_INVALIDDATA;
+
    buf += 820;
    avctx->sample_aspect_ratio.num = read32(&buf, endian);
    avctx->sample_aspect_ratio.den = read32(&buf, endian);
@@ -44,6 +44,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
    int i;
    uint8_t silence;

+    if (!avctx->channels)
+        return AVERROR_INVALIDDATA;
+
    ff_init_dsd_data();

    s = av_malloc_array(sizeof(DSDContext), avctx->channels);
@@ -85,6 +85,16 @@ static av_cold int decode_init(AVCodecContext *avctx)
        return AVERROR_PATCHWELCOME;
    }

+    // the sample rate is only allowed to be 64,128,256 * 44100 by ISO/IEC 14496-3:2005(E)
+    // We are a bit more tolerant here, but this check is needed to bound the size and duration
+    if (avctx->sample_rate > 512 * 44100)
+        return AVERROR_INVALIDDATA;
+
+
+    if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) {
+        return AVERROR_PATCHWELCOME;
+    }
+
    avctx->sample_fmt = AV_SAMPLE_FMT_FLT;

    for (i = 0; i < avctx->channels; i++)
@@ -155,7 +165,7 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[
            for (j = method + 1; j < t->length[i]; j++) {
                int c, x = 0;
                for (k = 0; k < method + 1; k++)
-                    x += code_pred_coeff[method][k] * t->coeff[i][j - k - 1];
+                    x += code_pred_coeff[method][k] * (unsigned)t->coeff[i][j - k - 1];
                c = get_sr_golomb_dst(gb, lsb_size);
                if (x >= 0)
                    c -= (x + 4) / 8;
@@ -51,8 +51,8 @@ static int dump_extradata(AVBSFContext *ctx, AVPacket *out)
    if (ctx->par_in->extradata &&
        (s->freq == DUMP_FREQ_ALL ||
         (s->freq == DUMP_FREQ_KEYFRAME && in->flags & AV_PKT_FLAG_KEY)) &&
-         in->size >= ctx->par_in->extradata_size &&
-         memcmp(in->data, ctx->par_in->extradata, ctx->par_in->extradata_size)) {
+         (in->size < ctx->par_in->extradata_size ||
+          memcmp(in->data, ctx->par_in->extradata, ctx->par_in->extradata_size))) {
        if (in->size >= INT_MAX - ctx->par_in->extradata_size) {
            ret = AVERROR(ERANGE);
            goto fail;
@@ -456,7 +456,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame,
            V[x >> 2] = decode_sym(gb, lru[2]) ^ 0x80;
        }

-        Y += ystride << 2;
+        Y += ystride * 4;
        U += ustride;
        V += vstride;
    }
@@ -501,7 +501,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame,
            V[x >> 1] = decode_sym(gb, lru[2]) ^ 0x80;
        }

-        Y += ystride << 1;
+        Y += ystride * 2;
        U += ustride;
        V += vstride;
    }
@@ -881,7 +881,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src,
                in     = ptr[3] + s->xdelta;

                for (j = 0; j < s->xdelta; ++j) {
-                    uint32_t diff = (*(ptr[0]++) << 24) |
+                    uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
                    (*(ptr[1]++) << 16) |
                    (*(ptr[2]++) << 8 ) |
                    (*(ptr[3]++));
@@ -1092,6 +1092,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        if ((col + td->xsize) != s->xdelta)/* not the last tile of the line */
            axmax = 0; /* doesn't add pixel at the right of the datawindow */

+        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+            return AVERROR_INVALIDDATA;
+
        td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
        uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */
    } else {
@@ -1111,6 +1114,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        td->ysize          = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */
        td->xsize          = s->xdelta;

+        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+            return AVERROR_INVALIDDATA;
+
        td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
        uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */

@@ -1514,15 +1520,28 @@ static int decode_header(EXRContext *s, AVFrame *frame)
            continue;
        } else if ((var_size = check_header_variable(s, "dataWindow", "box2i",
                                                     31)) >= 0) {
+            int xmin, ymin, xmax, ymax;
            if (!var_size) {
                ret = AVERROR_INVALIDDATA;
                goto fail;
            }

-            s->xmin   = bytestream2_get_le32(&s->gb);
-            s->ymin   = bytestream2_get_le32(&s->gb);
-            s->xmax   = bytestream2_get_le32(&s->gb);
-            s->ymax   = bytestream2_get_le32(&s->gb);
+            xmin   = bytestream2_get_le32(&s->gb);
+            ymin   = bytestream2_get_le32(&s->gb);
+            xmax   = bytestream2_get_le32(&s->gb);
+            ymax   = bytestream2_get_le32(&s->gb);
+
+            if (xmin > xmax || ymin > ymax ||
+                ymax == INT_MAX || xmax == INT_MAX ||
+                (unsigned)xmax - xmin >= INT_MAX ||
+                (unsigned)ymax - ymin >= INT_MAX) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
+            s->xmin = xmin;
+            s->xmax = xmax;
+            s->ymin = ymin;
+            s->ymax = ymax;
            s->xdelta = (s->xmax - s->xmin) + 1;
            s->ydelta = (s->ymax - s->ymin) + 1;

@@ -1739,7 +1758,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
        s->ymin > s->ymax                  ||
        s->xdelta != s->xmax - s->xmin + 1 ||
        s->xmax >= s->w                    ||
-        s->ymax >= s->h) {
+        s->ymax >= s->h                    ||
+        s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF
+    ) {
        av_log(avctx, AV_LOG_ERROR, "Wrong or missing size information.\n");
        return AVERROR_INVALIDDATA;
    }
@@ -1763,7 +1784,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0)
        return ret;

-    if (bytestream2_get_bytes_left(&s->gb) < nb_blocks * 8)
+    if (bytestream2_get_bytes_left(&s->gb)/8 < nb_blocks)
        return AVERROR_INVALIDDATA;

    // check offset table and recreate it if need
@@ -1791,7 +1812,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    ptr         = picture->data[0];

    // Zero out the start if ymin is not 0
-    for (y = 0; y < s->ymin; y++) {
+    for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
        memset(ptr, 0, out_line_size);
        ptr += picture->linesize[0];
    }
@@ -1801,10 +1822,12 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    avctx->execute2(avctx, decode_block, s->thread_data, NULL, nb_blocks);

    // Zero out the end if ymax+1 is not h
-    ptr = picture->data[0] + ((s->ymax+1) * picture->linesize[0]);
-    for (y = s->ymax + 1; y < avctx->height; y++) {
-        memset(ptr, 0, out_line_size);
-        ptr += picture->linesize[0];
+    if ((s->ymax+1) < avctx->height) {
+        ptr = picture->data[0] + ((s->ymax+1) * picture->linesize[0]);
+        for (y = s->ymax + 1; y < avctx->height; y++) {
+            memset(ptr, 0, out_line_size);
+            ptr += picture->linesize[0];
+        }
    }

    picture->pict_type = AV_PICTURE_TYPE_I;
@@ -141,6 +141,8 @@ static int decode_uncompressed(AVCodecContext *avctx, GetBitContext *gb,
                return AVERROR_INVALIDDATA;
            }
            cwi = 10 - av_log2(cwi);
+            if (get_bits_left(gb) < cwi + 1)
+                return AVERROR_INVALIDDATA;
            skip_bits(gb, cwi + 1);
            if (cwi > 5) {
                newmode = get_bits1(gb);
@@ -206,6 +208,8 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
    unsigned int run = 0;
    unsigned int t;
    for (;;) {
+        if (get_bits_left(gb) <= 0)
+            return AVERROR_INVALIDDATA;
        t    = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2);
        run += t;
        if (t < 64) {
@@ -224,7 +228,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
            run       = 0;
            mode      = !mode;
        } else if ((int)t == -1) {
-            if (show_bits(gb, 12) == 15) {
+            if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) {
                int ret;
                skip_bits(gb, 12);
                ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, &mode);
@@ -251,7 +255,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
    unsigned int offs = 0, run = 0;

    while (offs < width) {
-        int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1);
+        int cmode;
+        if (get_bits_left(gb) <= 0)
+            return AVERROR_INVALIDDATA;
+        cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1);
        if (cmode == -1) {
            av_log(avctx, AV_LOG_ERROR, "Incorrect mode VLC\n");
            return AVERROR_INVALIDDATA;
@@ -273,6 +280,8 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
            for (k = 0; k < 2; k++) {
                run = 0;
                for (;;) {
+                    if (get_bits_left(gb) <= 0)
+                        return AVERROR_INVALIDDATA;
                    t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2);
                    if (t == -1) {
                        av_log(avctx, AV_LOG_ERROR, "Incorrect code\n");
@@ -296,7 +305,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
                mode = !mode;
            }
        } else if (cmode == 9 || cmode == 10) {
-            int xxx = get_bits(gb, 3);
+            int xxx;
+            if (get_bits_left(gb) < 3)
+                return AVERROR_INVALIDDATA;
+            xxx = get_bits(gb, 3);
            if (cmode == 9 && xxx == 7) {
                int ret;
                int pix_left = width - offs;
@@ -789,7 +789,7 @@ static int read_header(FFV1Context *f)

            if (f->version == 2) {
                int idx = get_symbol(c, state, 0);
-                if (idx > (unsigned)f->quant_table_count) {
+                if (idx >= (unsigned)f->quant_table_count) {
                    av_log(f->avctx, AV_LOG_ERROR,
                           "quant_table_index out of range\n");
                    return AVERROR_INVALIDDATA;
@@ -893,8 +893,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
        int trailer = 3 + 5*!!f->ec;
        int v;

-        if (i || f->version > 2) v = AV_RB24(buf_p-trailer) + trailer;
-        else                     v = buf_p - c->bytestream_start;
+        if (i || f->version > 2) {
+            if (trailer > buf_p - buf) v = INT_MAX;
+            else                       v = AV_RB24(buf_p-trailer) + trailer;
+        } else                         v = buf_p - c->bytestream_start;
        if (buf_p - c->bytestream_start < v) {
            av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n");
            ff_thread_report_progress(&f->picture, INT_MAX, 0);
@@ -188,7 +188,7 @@ static uint64_t frac64(uint64_t a, uint64_t b)

 static uint64_t phi_at(struct ws_interval *in, int64_t ts)
 {
-    uint64_t dt = ts - in->ts_start;
+    uint64_t dt = ts - (uint64_t)in->ts_start;
    uint64_t dt2 = dt & 1 ? /* dt * (dt - 1) / 2 without overflow */
                   dt * ((dt - 1) >> 1) : (dt >> 1) * (dt - 1);
    return in->phi0 + dt * in->dphi0 + dt2 * in->ddphi;
@@ -217,7 +217,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts)
    *last = -1;
    lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts);
    if (ws->pink_need) {
-        uint64_t pink_ts_cur  = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1);
+        uint64_t pink_ts_cur  = (ws->cur_ts + (uint64_t)PINK_UNIT - 1) & ~(PINK_UNIT - 1);
        uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1);
        int pos = ts & (PINK_UNIT - 1);
        lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2);
@@ -281,7 +281,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc)
                dphi1 = frac64(f1, (int64_t)avc->sample_rate << 16);
                dphi2 = frac64(f2, (int64_t)avc->sample_rate << 16);
                in->dphi0 = dphi1;
-                in->ddphi = (dphi2 - dphi1) / dt;
+                in->ddphi = (int64_t)(dphi2 - (uint64_t)dphi1) / dt;
                if (phi & 0x80000000) {
                    phi &= ~0x80000000;
                    if (phi >= i)
@@ -373,7 +373,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts,
        in->amp  += in->damp;
        switch (in->type) {
            case WS_SINE:
-                val = amp * ws->sin[in->phi >> (64 - SIN_BITS)];
+                val = amp * (unsigned)ws->sin[in->phi >> (64 - SIN_BITS)];
                in->phi  += in->dphi;
                in->dphi += in->ddphi;
                break;
@@ -444,7 +444,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame,
    if (r < 0)
        return r;
    pcm = (int16_t *)frame->data[0];
-    for (s = 0; s < duration; s++, ts++) {
+    for (s = 0; s < duration; s++, ts+=(uint64_t)1) {
        memset(channels, 0, avc->channels * sizeof(*channels));
        if (ts >= ws->next_ts)
            wavesynth_enter_intervals(ws, ts);
@@ -452,7 +452,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame,
        for (c = 0; c < avc->channels; c++)
            *(pcm++) = channels[c] >> 16;
    }
-    ws->cur_ts += duration;
+    ws->cur_ts += (uint64_t)duration;
    *rgot_frame = 1;
    return packet->size;
 }
@@ -187,6 +187,8 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t
            header->blank = t;
            header->blank_found = 1;
        } else if (!strcmp(keyword, "BSCALE") && sscanf(value, "%lf", &d) == 1) {
+            if (d <= 0)
+                return AVERROR_INVALIDDATA;
            header->bscale = d;
        } else if (!strcmp(keyword, "BZERO") && sscanf(value, "%lf", &d) == 1) {
            header->bzero = d;
@@ -203,8 +205,12 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t
        } else if (!strcmp(keyword, "GROUPS") && sscanf(value, "%c", &c) == 1) {
            header->groups = (c == 'T');
        } else if (!strcmp(keyword, "GCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) {
+            if (t < 0 || t > INT_MAX)
+                return AVERROR_INVALIDDATA;
            header->gcount = t;
        } else if (!strcmp(keyword, "PCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) {
+            if (t < 0 || t > INT_MAX)
+                return AVERROR_INVALIDDATA;
            header->pcount = t;
        }
        dict_set_if_not_null(metadata, keyword, value);
@@ -55,6 +55,7 @@

 /** largest possible size of flac header */
 #define MAX_FRAME_HEADER_SIZE 16
+#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE)

 typedef struct FLACHeaderMarker {
    int offset;       /**< byte offset from start of FLACParseContext->buffer */
@@ -169,7 +170,7 @@ static int find_headers_search_validate(FLACParseContext *fpc, int offset)
    uint8_t *header_buf;
    int size = 0;
    header_buf = flac_fifo_read_wrap(fpc, offset,
-                                     MAX_FRAME_HEADER_SIZE,
+                                     MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE,
                                     &fpc->wrap_buf,
                                     &fpc->wrap_buf_allocated_size);
    if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) {
@@ -216,16 +217,20 @@ static int find_headers_search(FLACParseContext *fpc, uint8_t *buf, int buf_size
    uint32_t x;

    for (i = 0; i < mod_offset; i++) {
-        if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8)
-            size = find_headers_search_validate(fpc, search_start + i);
+        if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) {
+            int ret = find_headers_search_validate(fpc, search_start + i);
+            size = FFMAX(size, ret);
+        }
    }

    for (; i < buf_size - 1; i += 4) {
        x = AV_RB32(buf + i);
        if (((x & ~(x + 0x01010101)) & 0x80808080)) {
            for (j = 0; j < 4; j++) {
-                if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8)
-                    size = find_headers_search_validate(fpc, search_start + i + j);
+                if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) {
+                    int ret = find_headers_search_validate(fpc, search_start + i + j);
+                    size = FFMAX(size, ret);
+                }
            }
        }
    }
@@ -262,7 +262,7 @@ static int decode_residuals(FLACContext *s, int32_t *decoded, int pred_order)
        } else {
            int real_limit = tmp ? (INT_MAX >> tmp) + 2 : INT_MAX;
            for (; i < samples; i++) {
-                int v = get_sr_golomb_flac(&gb, tmp, real_limit, 0);
+                int v = get_sr_golomb_flac(&gb, tmp, real_limit, 1);
                if (v == 0x80000000){
                    av_log(s->avctx, AV_LOG_ERROR, "invalid residual\n");
                    return AVERROR_INVALIDDATA;
@@ -66,8 +66,8 @@ static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in,
    int i;

    for (i = 0; i < len; i++) {
-        int a = in[0][i];
-        int b = in[1][i];
+        unsigned a = in[0][i];
+        unsigned b = in[1][i];
        S(samples, 0, i) =  a      << shift;
        S(samples, 1, i) = (a - b) << shift;
    }
@@ -80,8 +80,8 @@ static void FUNC(flac_decorrelate_rs_c)(uint8_t **out, int32_t **in,
    int i;

    for (i = 0; i < len; i++) {
-        int a = in[0][i];
-        int b = in[1][i];
+        unsigned a = in[0][i];
+        unsigned b = in[1][i];
        S(samples, 0, i) = (a + b) << shift;
        S(samples, 1, i) =  b      << shift;
    }
@@ -94,7 +94,7 @@ static void FUNC(flac_decorrelate_ms_c)(uint8_t **out, int32_t **in,
    int i;

    for (i = 0; i < len; i++) {
-        int a = in[0][i];
+        unsigned a = in[0][i];
        int b = in[1][i];
        a -= b >> 1;
        S(samples, 0, i) = (a + b) << shift;
@@ -735,6 +735,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
                bytestream2_skip(&g2, chunk_size - 6);
            } else {

+                if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height )
+                    return AVERROR_INVALIDDATA;
                for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height;
                     y_ptr += s->frame->linesize[0]) {

@@ -117,7 +117,7 @@ end:
 int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){
    int i=0;
    ThreadContext *c;
-
+    AVCodecContext *thread_avctx = NULL;

    if(   !(avctx->thread_type & FF_THREAD_FRAME)
       || !(avctx->codec->capabilities & AV_CODEC_CAP_INTRA_ONLY))
@@ -195,16 +195,17 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){
        AVDictionary *tmp = NULL;
        int ret;
        void *tmpv;
-        AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec);
+        thread_avctx = avcodec_alloc_context3(avctx->codec);
        if(!thread_avctx)
            goto fail;
        tmpv = thread_avctx->priv_data;
        *thread_avctx = *avctx;
+        thread_avctx->priv_data = tmpv;
+        thread_avctx->internal = NULL;
+        thread_avctx->hw_frames_ctx = NULL;
        ret = av_opt_copy(thread_avctx, avctx);
        if (ret < 0)
            goto fail;
-        thread_avctx->priv_data = tmpv;
-        thread_avctx->internal = NULL;
        if (avctx->codec->priv_class) {
            int ret = av_opt_copy(thread_avctx->priv_data, avctx->priv_data);
            if (ret < 0)
@@ -232,6 +233,8 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){

    return 0;
 fail:
+    avcodec_close(thread_avctx);
+    av_freep(&thread_avctx);
    avctx->thread_count = i;
    av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n");
    ff_frame_thread_encoder_free(avctx);
@@ -23,6 +23,10 @@

 #include "avcodec.h"

+/**
+ * Initialize frame thread encoder.
+ * @note hardware encoders are not supported
+ */
 int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options);
 void ff_frame_thread_encoder_free(AVCodecContext *avctx);
 int ff_thread_video_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet_ptr);
@@ -917,6 +917,11 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y,
    awidth      = FFALIGN(tile_width,  16);
    aheight     = FFALIGN(tile_height, 16);

+    if (tile_width > (1 << FF_ARRAY_ELEMS(c->ec.prev_row_rung))) {
+        avpriv_request_sample(avctx, "large tile width");
+        return AVERROR_INVALIDDATA;
+    }
+
    if (els_dsize) {
        int ret, i, j, k;
        uint8_t tr_r, tr_g, tr_b, *buf;
@@ -1012,7 +1012,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data,
            formant_postfilter(p, lpc, p->audio, out);
        } else { // if output is not postfiltered it should be scaled by 2
            for (i = 0; i < FRAME_LEN; i++)
-                out[i] = av_clip_int16(p->audio[LPC_ORDER + i] << 1);
+                out[i] = av_clip_int16(2 * p->audio[LPC_ORDER + i]);
        }
    }

@@ -486,14 +486,14 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff,

    if (refl_coeff > 0) {
        gt = (refl_coeff * G729_TILT_FACTOR_PLUS + 0x4000) >> 15;
-        fact = 0x4000; // 0.5 in (0.15)
-        sh_fact = 15;
+        fact = 0x2000; // 0.5 in (0.15)
+        sh_fact = 14;
    } else {
        gt = (refl_coeff * G729_TILT_FACTOR_MINUS + 0x4000) >> 15;
-        fact = 0x800; // 0.5 in (3.12)
-        sh_fact = 12;
+        fact = 0x400; // 0.5 in (3.12)
+        sh_fact = 11;
    }
-    ga = (fact << 15) / av_clip_int16(32768 - FFABS(gt));
+    ga = (fact << 16) / av_clip_int16(32768 - FFABS(gt));
    gt >>= 1;

    /* Apply tilt compensation filter to signal. */
@@ -503,12 +503,12 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff,
        tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000;
        tmp2 = res_pst[i] + (tmp2 >> 15);

-        tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact;
+        tmp2 = (tmp2 * ga + fact) >> sh_fact;
        out[i] = tmp2;
    }
    tmp2 = (gt * ht_prev_data) * 2 + 0x4000;
    tmp2 = res_pst[0] + (tmp2 >> 15);
-    tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact;
+    tmp2 = (tmp2 * ga + fact) >> sh_fact;
    out[0] = tmp2;

    return tmp;
@@ -600,6 +600,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *
            gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000;
            gain = bidir_sal(gain, exp_after - exp_before);
        }
+        gain = av_clip_int16(gain);
        gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875)
    } else
        gain = 0;
@@ -488,7 +488,7 @@ static int h264_metadata_filter(AVBSFContext *bsf, AVPacket *pkt)
                if (err < 0) {
                    av_log(bsf, AV_LOG_ERROR, "Failed to attach extracted "
                           "displaymatrix side data to packet.\n");
-                    av_freep(matrix);
+                    av_free(matrix);
                    goto fail;
                }
            }
@@ -296,9 +296,8 @@ int ff_h264_update_thread_context(AVCodecContext *dst,
    if (dst == src)
        return 0;

-    // We can't fail if SPS isn't set at it breaks current skip_frame code
-    //if (!h1->ps.sps)
-    //    return AVERROR_INVALIDDATA;
+    if (inited && !h1->ps.sps)
+        return AVERROR_INVALIDDATA;

    if (inited &&
        (h->width                 != h1->width                 ||
@@ -920,6 +919,11 @@ static int h264_slice_header_init(H264Context *h)
    const SPS *sps = h->ps.sps;
    int i, ret;

+    if (!sps) {
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
+    }
+
    ff_set_sar(h->avctx, sps->sar);
    av_pix_fmt_get_chroma_sub_sample(h->avctx->pix_fmt,
                                     &h->chroma_x_shift, &h->chroma_y_shift);
@@ -623,7 +623,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size)
    }

    ret = ff_h2645_packet_split(&h->pkt, buf, buf_size, avctx, h->is_avc, h->nal_length_size,
-                                avctx->codec_id, avctx->flags2 & AV_CODEC_FLAG2_FAST, 0);
+                                avctx->codec_id, 0, 0);
    if (ret < 0) {
        av_log(avctx, AV_LOG_ERROR,
               "Error splitting the input into NAL units.\n");
@@ -278,13 +278,13 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){
    const int stride= 16*2;
    const int xStride= 16;
    int i;
-    int temp[8];
+    unsigned temp[8];
    static const uint8_t x_offset[2]={0, 16};
    dctcoef *block = (dctcoef*)_block;

    for(i=0; i<4; i++){
-        temp[2*i+0] = block[stride*i + xStride*0] + block[stride*i + xStride*1];
-        temp[2*i+1] = block[stride*i + xStride*0] - block[stride*i + xStride*1];
+        temp[2*i+0] = block[stride*i + xStride*0] + (unsigned)block[stride*i + xStride*1];
+        temp[2*i+1] = block[stride*i + xStride*0] - (unsigned)block[stride*i + xStride*1];
    }

    for(i=0; i<2; i++){
@@ -359,7 +359,7 @@ static int h265_metadata_filter(AVBSFContext *bsf, AVPacket *pkt)
    }

    // If an AUD is present, it must be the first NAL unit.
-    if (au->units[0].type == HEVC_NAL_AUD) {
+    if (au->nb_units && au->units[0].type == HEVC_NAL_AUD) {
        if (ctx->aud == REMOVE)
            ff_cbs_delete_unit(ctx->cbc, au, 0);
    } else {
@@ -52,7 +52,7 @@ enum HapSectionType {

 typedef struct HapChunk {
    enum HapCompressor compressor;
-    int compressed_offset;
+    uint32_t compressed_offset;
    size_t compressed_size;
    int uncompressed_offset;
    size_t uncompressed_size;
@@ -105,6 +105,8 @@ static int hap_parse_decode_instructions(HapContext *ctx, int size)
        size_t running_size = 0;
        for (i = 0; i < ctx->chunk_count; i++) {
            ctx->chunks[i].compressed_offset = running_size;
+            if (ctx->chunks[i].compressed_size > UINT32_MAX - running_size)
+                return AVERROR_INVALIDDATA;
            running_size += ctx->chunks[i].compressed_size;
        }
    }
@@ -186,7 +188,7 @@ static int hap_parse_frame_header(AVCodecContext *avctx)
        HapChunk *chunk = &ctx->chunks[i];

        /* Check the compressed buffer is valid */
-        if (chunk->compressed_offset + chunk->compressed_size > bytestream2_get_bytes_left(gbc))
+        if (chunk->compressed_offset + (uint64_t)chunk->compressed_size > bytestream2_get_bytes_left(gbc))
            return AVERROR_INVALIDDATA;

        /* Chunks are unpacked sequentially, ctx->tex_size is the uncompressed
@@ -305,7 +307,6 @@ static int hap_decode(AVCodecContext *avctx, void *data,
    HapContext *ctx = avctx->priv_data;
    ThreadFrame tframe;
    int ret, i, t;
-    int tex_size;
    int section_size;
    enum HapSectionType section_type;
    int start_texture_section = 0;
@@ -342,6 +343,13 @@ static int hap_decode(AVCodecContext *avctx, void *data,
        if (ret < 0)
            return ret;

+        if (ctx->tex_size != (avctx->coded_width  / TEXTURE_BLOCK_W)
+            *(avctx->coded_height / TEXTURE_BLOCK_H)
+            *tex_rat[t]) {
+            av_log(avctx, AV_LOG_ERROR, "uncompressed size mismatches\n");
+            return AVERROR_INVALIDDATA;
+        }
+
        start_texture_section += ctx->texture_section_size + 4;

        if (avctx->codec->update_thread_context)
@@ -349,9 +357,16 @@ static int hap_decode(AVCodecContext *avctx, void *data,

        /* Unpack the DXT texture */
        if (hap_can_use_tex_in_place(ctx)) {
+            int tex_size;
            /* Only DXTC texture compression in a contiguous block */
            ctx->tex_data = ctx->gbc.buffer;
            tex_size = FFMIN(ctx->texture_section_size, bytestream2_get_bytes_left(&ctx->gbc));
+            if (tex_size < (avctx->coded_width  / TEXTURE_BLOCK_W)
+                *(avctx->coded_height / TEXTURE_BLOCK_H)
+                *tex_rat[t]) {
+                av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+                return AVERROR_INVALIDDATA;
+            }
        } else {
            /* Perform the second-stage decompression */
            ret = av_reallocp(&ctx->tex_buf, ctx->tex_size);
@@ -367,14 +382,6 @@ static int hap_decode(AVCodecContext *avctx, void *data,
            }

            ctx->tex_data = ctx->tex_buf;
-            tex_size = ctx->tex_size;
-        }
-
-        if (tex_size < (avctx->coded_width  / TEXTURE_BLOCK_W)
-            *(avctx->coded_height / TEXTURE_BLOCK_H)
-            *tex_rat[t]) {
-            av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
-            return AVERROR_INVALIDDATA;
        }

        /* Use the decompress function on the texture, one block per thread */
@@ -998,7 +998,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int
    } else {
        int prefix_minus3 = prefix - 3;

-        if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) {
+        if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param > 16 + 6) {
            av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
            return 0;
        }
@@ -141,9 +141,18 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        int      nalu_type;
        int is_irap, add_extradata, extra_size, prev_size;

+        if (bytestream2_get_bytes_left(&gb) < s->length_size) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
        for (i = 0; i < s->length_size; i++)
            nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb);

+        if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
+
        nalu_type = (bytestream2_peek_byte(&gb) >> 1) & 0x3f;

        /* prepend extradata to IRAP frames */
@@ -152,8 +161,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        extra_size    = add_extradata * ctx->par_out->extradata_size;
        got_irap     |= is_irap;

-        if (SIZE_MAX - nalu_size < 4 ||
-            SIZE_MAX - 4 - nalu_size < extra_size) {
+        if (FFMIN(INT_MAX, SIZE_MAX) < 4ULL + nalu_size + extra_size) {
            ret = AVERROR_INVALIDDATA;
            goto fail;
        }
@@ -164,7 +172,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        if (ret < 0)
            goto fail;

-        if (add_extradata)
+        if (extra_size)
            memcpy(out->data + prev_size, ctx->par_out->extradata, extra_size);
        AV_WB32(out->data + prev_size + extra_size, 1);
        bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, nalu_size);
@@ -786,7 +786,11 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi
                next_coef = 8;
                coef_num  = FFMIN(64, 1 << (4 + (size_id << 1)));
                if (size_id > 1) {
-                    scaling_list_dc_coef[size_id - 2][matrix_id] = get_se_golomb(gb) + 8;
+                    int scaling_list_coeff_minus8 = get_se_golomb(gb);
+                    if (scaling_list_coeff_minus8 < -7 ||
+                        scaling_list_coeff_minus8 > 247)
+                        return AVERROR_INVALIDDATA;
+                    scaling_list_dc_coef[size_id - 2][matrix_id] = scaling_list_coeff_minus8 + 8;
                    next_coef = scaling_list_dc_coef[size_id - 2][matrix_id];
                    sl->sl_dc[size_id - 2][matrix_id] = next_coef;
                }
@@ -336,6 +336,8 @@ static int decode_nal_sei_message(GetBitContext *gb, void *logctx, HEVCSEI *s,
        byte          = get_bits(gb, 8);
        payload_size += byte;
    }
+    if (get_bits_left(gb) < 8LL*payload_size)
+        return AVERROR_INVALIDDATA;
    if (nal_unit_type == HEVC_NAL_SEI_PREFIX) {
        return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size);
    } else { /* nal_unit_type == NAL_SEI_SUFFIX */
@@ -780,6 +780,11 @@ static int hls_slice_header(HEVCContext *s)
        if (s->ps.pps->pic_slice_level_chroma_qp_offsets_present_flag) {
            sh->slice_cb_qp_offset = get_se_golomb(gb);
            sh->slice_cr_qp_offset = get_se_golomb(gb);
+            if (sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12 ||
+                sh->slice_cr_qp_offset < -12 || sh->slice_cr_qp_offset > 12) {
+                av_log(s->avctx, AV_LOG_ERROR, "Invalid slice cx qp offset.\n");
+                return AVERROR_INVALIDDATA;
+            }
        } else {
            sh->slice_cb_qp_offset = 0;
            sh->slice_cr_qp_offset = 0;
@@ -83,6 +83,7 @@ do {                                  \
    int y = y0 >> vshift;
    int x_tb = (x0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask;
    int y_tb = (y0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask;
+    int spin = c_idx && !size_in_tbs_v && ((2 * y0) & (1 << s->ps.sps->log2_min_tb_size));

    int cur_tb_addr = MIN_TB_ADDR_ZS(x_tb, y_tb);

@@ -103,11 +104,11 @@ do {                                  \
    pixel  *top           = top_array  + 1;
    pixel  *filtered_left = filtered_left_array + 1;
    pixel  *filtered_top  = filtered_top_array  + 1;
-    int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v) & s->ps.sps->tb_mask);
+    int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v + spin) & s->ps.sps->tb_mask);
    int cand_left        = lc->na.cand_left;
    int cand_up_left     = lc->na.cand_up_left;
    int cand_up          = lc->na.cand_up;
-    int cand_up_right    = lc->na.cand_up_right    && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1);
+    int cand_up_right    = lc->na.cand_up_right && !spin && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1);

    int bottom_left_size = (FFMIN(y0 + 2 * size_in_luma_v, s->ps.sps->height) -
                           (y0 + size_in_luma_v)) >> vshift;
@@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data,
        int info_size;
        bytestream2_skip(&ctx->gbc, 4);
        info_size = bytestream2_get_le32(&ctx->gbc);
-        if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
+        if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
            av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size);
            return AVERROR_INVALIDDATA;
        }
@@ -957,12 +957,16 @@ static int decode_slice(AVCodecContext *avctx, AVFrame *p, int height,
                left= left_prediction(s, p->data[plane], s->temp[0], w, 0);

                y = 1;
+                if (y >= h)
+                    break;

                /* second line is left predicted for interlaced case */
                if (s->interlaced) {
                    decode_plane_bitstream(s, w, plane);
                    left = left_prediction(s, p->data[plane] + p->linesize[plane], s->temp[0], w, left);
                    y++;
+                    if (y >= h)
+                        break;
                }

                lefttop = p->data[plane][0];
@@ -1074,6 +1078,8 @@ static int decode_slice(AVCodecContext *avctx, AVFrame *p, int height,
                }

                cy = y = 1;
+                if (y >= height)
+                    break;

                /* second line is left predicted for interlaced case */
                if (s->interlaced) {
@@ -1086,6 +1092,8 @@ static int decode_slice(AVCodecContext *avctx, AVFrame *p, int height,
                    }
                    y++;
                    cy++;
+                    if (y >= height)
+                        break;
                }

                /* next 4 pixels are left predicted too */
@@ -332,13 +332,17 @@ static int extract_header(AVCodecContext *const avctx,
            int i, count = FFMIN(palette_size / 3, 1 << s->ham);
            int ham_count;
            const uint8_t *const palette = avctx->extradata + AV_RB16(avctx->extradata);
+            int extra_space = 1;
+
+            if (avctx->codec_tag == MKTAG('P', 'B', 'M', ' ') && s->ham == 4)
+                extra_space = 4;

            s->ham_buf = av_malloc((s->planesize * 8) + AV_INPUT_BUFFER_PADDING_SIZE);
            if (!s->ham_buf)
                return AVERROR(ENOMEM);

            ham_count = 8 * (1 << s->ham);
-            s->ham_palbuf = av_malloc((ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE);
+            s->ham_palbuf = av_malloc(extra_space * (ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE);
            if (!s->ham_palbuf) {
                av_freep(&s->ham_buf);
                return AVERROR(ENOMEM);
@@ -436,6 +440,8 @@ static av_cold int decode_init(AVCodecContext *avctx)

    if (avctx->codec_tag == MKTAG('A', 'N', 'I', 'M')) {
        s->video_size = FFALIGN(avctx->width, 2) * avctx->height * s->bpp;
+        if (!s->video_size)
+            return AVERROR_INVALIDDATA;
        s->video[0] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp);
        s->video[1] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp);
        s->pal = av_calloc(256, sizeof(*s->pal));
@@ -711,13 +717,15 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in
 {
    const uint8_t *src_end = src + src_size;
    int x = 0, y = 0, i;
-    while (src + 5 <= src_end) {
+    while (src_end - src >= 5) {
        int opcode;
        opcode = *(int8_t *)src++;
        if (opcode >= 0) {
            int size = opcode + 1;
            for (i = 0; i < size; i++) {
-                int length = FFMIN(size - i, width);
+                int length = FFMIN(size - i, width - x);
+                if (src_end - src < length * 4)
+                    return;
                memcpy(dst + y*linesize + x * 4, src, length * 4);
                src += length * 4;
                x += length;
@@ -1369,11 +1377,10 @@ static void decode_delta_d(uint8_t *dst,
                    opcode--;
                }
            } else {
-                opcode = -opcode;
                while (opcode && bytestream2_get_bytes_left(&gb) > 0) {
                    bytestream2_put_be32(&pb, bytestream2_get_be32(&gb));
                    bytestream2_skip_p(&pb, pitch - 4);
-                    opcode--;
+                    opcode++;
                }
            }
            entries--;
@@ -1838,7 +1845,8 @@ static int decode_frame(AVCodecContext *avctx,
                    buf += s->planesize;
                }
            }
-            memcpy(frame->data[1], s->pal, 256 * 4);
+            if (avctx->pix_fmt == AV_PIX_FMT_PAL8)
+                memcpy(frame->data[1], s->pal, 256 * 4);
        } else if (s->ham) {
            int i, count = 1 << s->ham;

@@ -801,6 +801,8 @@ int ff_intrax8_decode_picture(IntraX8Context *w, Picture *pict,
    for (w->mb_y = 0; w->mb_y < w->mb_height * 2; w->mb_y++) {
        x8_init_block_index(w, w->frame);
        mb_xy = (w->mb_y >> 1) * (w->mb_width + 1);
+        if (get_bits_left(gb) < 1)
+            goto error;
        for (w->mb_x = 0; w->mb_x < w->mb_width * 2; w->mb_x++) {
            x8_get_prediction(w);
            if (x8_setup_spatial_predictor(w, 0))
@@ -1286,7 +1286,7 @@ int ff_h263_decode_picture_header(MpegEncContext *s)
        for(i=0; i<13; i++){
            for(j=0; j<3; j++){
                int v= get_bits(&s->gb, 8);
-                v |= get_sbits(&s->gb, 8)<<8;
+                v |= get_sbits(&s->gb, 8) * (1 << 8);
                av_log(s->avctx, AV_LOG_DEBUG, " %5d", v);
            }
            av_log(s->avctx, AV_LOG_DEBUG, "\n");
@@ -1196,6 +1196,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            AVPacket pkt;
            pkt.data = avpkt->data + (get_bits_count(&ctx->gb) >> 3);
            pkt.size = get_bits_left(&ctx->gb) >> 3;
+            ctx->got_p_frame = 0;
+            av_frame_unref(ctx->p_frame);
            ff_ivi_decode_frame(avctx, ctx->p_frame, &ctx->got_p_frame, &pkt);
        }
    }
@@ -2040,8 +2040,12 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s)
                return 0;
            }
            atom_size = bytestream2_get_be32u(&s->g);
+            if (atom_size < 16 || (int64_t)bytestream2_tell(&s->g) + atom_size - 16 > INT_MAX)
+                return AVERROR_INVALIDDATA;
            atom_end  = bytestream2_tell(&s->g) + atom_size - 16;
        } else {
+            if (atom_size <  8 || (int64_t)bytestream2_tell(&s->g) + atom_size -  8 > INT_MAX)
+                return AVERROR_INVALIDDATA;
            atom_end  = bytestream2_tell(&s->g) + atom_size -  8;
        }

@@ -2055,6 +2059,8 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s)
                   atom_size >= 16) {
            uint32_t atom2_size, atom2, atom2_end;
            do {
+                if (bytestream2_get_bytes_left(&s->g) < 8)
+                    break;
                atom2_size = bytestream2_get_be32u(&s->g);
                atom2      = bytestream2_get_be32u(&s->g);
                atom2_end  = bytestream2_tell(&s->g) + atom2_size - 8;
@@ -255,7 +255,7 @@ static void dwt_encode97_int(DWTContext *s, int *t)
    line += 5;

    for (i = 0; i < w * h; i++)
-        t[i] <<= I_PRESHIFT;
+        t[i] *= 1 << I_PRESHIFT;

    for (lev = s->ndeclevels-1; lev >= 0; lev--){
        int lh = s->linelen[lev][0],
@@ -99,7 +99,7 @@ static inline void ff_jpegls_downscale_state(JLSState *state, int Q)
 static inline int ff_jpegls_update_state_regular(JLSState *state,
                                                 int Q, int err)
 {
-    if(FFABS(err) > 0xFFFF)
+    if(FFABS(err) > 0xFFFF || FFABS(err) > INT_MAX - state->A[Q])
        return -0x10000;
    state->A[Q] += FFABS(err);
    err         *= state->twonear;
@@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
        s->t3     = get_bits(&s->gb, 16);
        s->reset  = get_bits(&s->gb, 16);

-        if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+        if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
            av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n",
                   s->maxval, s->t1, s->t2, s->t3, s->reset);
        }
@@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
        else
            maxtab = 65530/wt - 1;

-        if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+        if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
            av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab);
        }
        if (maxtab >= 256) {
@@ -122,7 +122,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
            s->avctx->pix_fmt = AV_PIX_FMT_PAL8;
            for (i=s->palette_index; i<=maxtab; i++) {
                uint8_t k = i << shift;
-                pal[k] = 0;
+                pal[k] = wt < 4 ? 0xFF000000 : 0;
                for (j=0; j<wt; j++) {
                    pal[k] |= get_bits(&s->gb, 8) << (8*(wt-j-1));
                }
@@ -149,7 +149,7 @@ static inline int ls_get_code_regular(GetBitContext *gb, JLSState *state, int Q)
 {
    int k, ret;

-    for (k = 0; (state->N[Q] << k) < state->A[Q]; k++)
+    for (k = 0; ((unsigned)state->N[Q] << k) < state->A[Q]; k++)
        ;

 #ifdef JLS_BROKEN
@@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
    if (RItype)
        temp += state->N[Q] >> 1;

-    for (k = 0; (state->N[Q] << k) < temp; k++)
+    for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)
        ;

 #ifdef JLS_BROKEN
@@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
 #endif
    ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1,
                               state->qbpp);
+    if (ret < 0)
+        return -0x10000;

    /* decode mapped error */
    map = 0;
@@ -209,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
        ret = ret >> 1;
    }

-    if(FFABS(ret) > 0xFFFF)
+    if (FFABS(ret) > 0xFFFF)
        return -0x10000;
    /* update state */
    state->A[Q] += FFABS(ret) - RItype;
@@ -226,6 +226,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
        }
    }

+    if (scale_factor > 23)
+        return AVERROR_INVALIDDATA;
+
    rac->scale = scale_factor;

    /* Fill probability array with cumulative probability for each symbol. */
@@ -279,7 +279,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
        if ((discard_padding < avctx->frame_size) != (avpkt->duration > 0)) {
            av_log(avctx, AV_LOG_ERROR, "discard padding overflow\n");
            av_packet_unref(avpkt);
-            av_free(avpkt);
            return AVERROR(EINVAL);
        }
        if ((!s->delay_sent && avctx->initial_padding > 0) || discard_padding > 0) {
@@ -288,7 +287,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
                                                         10);
            if(!side_data) {
                av_packet_unref(avpkt);
-                av_free(avpkt);
                return AVERROR(ENOMEM);
            }
            if (!s->delay_sent) {
@@ -503,7 +503,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt,
    // Check if subtraction resulted in an overflow
    if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) {
        av_packet_unref(avpkt);
-        av_free(avpkt);
        return AVERROR(EINVAL);
    }
    if (discard_padding > 0) {
@@ -512,7 +511,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt,
                                                     10);
        if(!side_data) {
            av_packet_unref(avpkt);
-            av_free(avpkt);
            return AVERROR(ENOMEM);
        }
        AV_WL32(side_data + 4, discard_padding);
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.2
 .2.7