Update for 4.2.7

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avfilter/vf_colorspace: fix memmory leaks
2022-05-09 23:52:36 +02:00 · 2022-05-04 20:00:05 +02:00 · 2022-05-04 20:00:05 +02:00 · 2022-05-04 20:00:05 +02:00 · 2022-05-04 20:00:05 +02:00 · 2022-05-04 20:00:05 +02:00
57 changed files with 342 additions and 118 deletions
@@ -1,6 +1,82 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 4.2.7
+ avfilter/vf_colorspace: fix memmory leaks
+ avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written
+ avfilter/vf_random: fix memory leaks
+ avfilter/vf_bwdif: fix heap-buffer overflow
+ fftools/ffmpeg_opt: Fix leak of options when parsing options fails
+ avfilter/vf_edgedetect: fix heap-buffer overflow
+ avfilter/vf_w3fdif: deny processing small videos
+ avfilter/vf_avgblur: fix heap-buffer overflow
+ avfilter/af_tremolo: fix heap-buffer overflow
+ avfilter/vf_edgedetect: check if height is big enough
+ avfilter/vf_bitplanenoise: fix overreads
+ avfilter/vf_fieldorder: fix heap-buffer overflow
+ avfilter/vf_fieldmatch: fix heap-buffer overflow
+ avcodec/pngenc: remove monowhite from apng formats
+ lavf/tls_mbedtls: add support for mbedtls version 3
+
+version 4.2.6
+ configure: bump year
+ avfilter/vf_lenscorrection: make width/height int
+ avcodec/diracdec: avoid signed integer overflow in global mv
+ avcodec/takdsp: Fix integer overflow in decorrelate_sf()
+ avcodec/apedec: fix a integer overflow in long_filter_high_3800()
+ avfilter/vf_subtitles: pass storage size to libass
+ avformat/aqtitledec: Skip unrepresentable durations
+ avformat/cafdec: Do not store empty keys in read_info_chunk()
+ avformat/hls: Check target_duration
+ avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()
+ avformat/matroskadec: Check pre_ns
+ avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior
+ avformat/matroskadec: Use rounded down duration in get_cue_desc() check
+ avformat/avidec: Check height
+ avformat/rmdec: Better duplicate tags check
+ avformat/mov: Disallow empty sidx
+ avformat/matroskadec: Check duration
+ avformat/mov: Corner case encryption error cleanup in mov_read_senc()
+ avcodec/jpeglsdec: Fix if( code style
+ avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error
+ avcodec/motion_est: fix indention of ff_get_best_fcode()
+ avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()
+ avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned
+ avformat/matroskadec: Check desc_bytes
+ avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()
+ avformat/matroskadec: Fix infinite loop with bz decompression
+ avformat/mov: Check size before subtraction
+ avcodec/apedec: Fix integer overflows in predictor_update_3930()
+ avcodec/apedec: fix integer overflow in 8bit samples
+ avformat/flvdec: timestamps cannot use the full int64 range
+ avcodec/vqavideo: reset accounting on error
+ avcodec/alacdsp: fix integer overflow in decorrelate_stereo()
+ avformat/4xm: Check for duplicate track ids
+ avformat/4xm: Consider max_streams on reallocating tracks array
+ avformat/mov: Check next offset in mov_read_dref()
+ avformat/vivo: Favor setting fps from explicit fractions
+ avformat/vivo: Do not use the general expression evaluator for parsing a floating point value
+ avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()
+ avcodec/apedec: Change avg to uint32_t
+ avformat/mov: Disallow duplicate smdm
+ avformat/mov: Check for EOF in mov_read_glbl()
+ avcodec/vp3: Check version in all cases when VP4 code is not built
+ avformat/mov: Check channels for mov_parse_stsd_audio()
+ avformat/avidec: Check read_odml_index() for failure
+ avformat/aiffdec: Use av_rescale() for bitrate
+ avformat/aiffdec: sanity check block_align
+ avformat/aiffdec: Check sample_rate
+ avfilter/vf_gblur: fix heap-buffer overflow
+ avfilter/vf_lenscorrection: fix division by zero
+ avformat/latmenc: abort if no extradata is available
+ avformat/movenc: Fix segfault when remuxing rtp hint stream
+ avformat/tty: add probe function
+ avfilter/vf_neighbor: check if width is 1
+ avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE
+ avcodec/ttadsp: Fix integer overflows in tta_filter_process_c()
+ avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results
+ configure: Add missing libshine->mpegaudioheader dependency
+
 version 4.2.5
 configure: update copyright year
 avformat/matroskadec: Reset state also on failure in matroska_reset_status()
@@ -1 +1 @@
-4.2.5
+4.2.7
@@ -3187,7 +3187,7 @@ libopus_encoder_deps="libopus"
 libopus_encoder_select="audio_frame_queue"
 librsvg_decoder_deps="librsvg"
 libshine_encoder_deps="libshine"
-libshine_encoder_select="audio_frame_queue"
+libshine_encoder_select="audio_frame_queue mpegaudioheader"
 libspeex_decoder_deps="libspeex"
 libspeex_encoder_deps="libspeex"
 libspeex_encoder_select="audio_frame_queue"
@@ -7397,7 +7397,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2021
+#define CONFIG_THIS_YEAR 2022
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 4.2.5
+PROJECT_NUMBER         = 4.2.7

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -3272,6 +3272,7 @@ static int open_files(OptionGroupList *l, const char *inout,
        if (ret < 0) {
            av_log(NULL, AV_LOG_ERROR, "Error parsing options for %s file "
                   "%s.\n", inout, g->arg);
+            uninit_options(&o);
            return ret;
        }

@@ -34,7 +34,7 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples,
        a = buffer[0][i];
        b = buffer[1][i];

-        a -= (b * decorr_left_weight) >> decorr_shift;
+        a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift;
        b += a;

        buffer[0][i] = b;
@@ -101,7 +101,7 @@ typedef struct APEFilter {
    int16_t *historybuffer; ///< filter memory
    int16_t *delay;         ///< filtered values

-    int avg;
+    uint32_t avg;
 } APEFilter;

 typedef struct APERice {
@@ -905,7 +905,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len
            dotprod += delay[j] * (unsigned)coeffs[j];
            coeffs[j] += ((delay[j] >> 31) | 1) * sign;
        }
-        buffer[i] -= dotprod >> shift;
+        buffer[i] -= (unsigned)(dotprod >> shift);
        for (j = 0; j < order - 1; j++)
            delay[j] = delay[j + 1];
        delay[order - 1] = buffer[i];
@@ -1038,13 +1038,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
                                                  const int delayA)
 {
    int32_t predictionA, sign;
-    int32_t d0, d1, d2, d3;
+    uint32_t d0, d1, d2, d3;

    p->buf[delayA]     = p->lastA[filter];
    d0 = p->buf[delayA    ];
-    d1 = p->buf[delayA    ] - p->buf[delayA - 1];
-    d2 = p->buf[delayA - 1] - p->buf[delayA - 2];
-    d3 = p->buf[delayA - 2] - p->buf[delayA - 3];
+    d1 = p->buf[delayA    ] - (unsigned)p->buf[delayA - 1];
+    d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2];
+    d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3];

    predictionA = d0 * p->coeffsA[filter][0] +
                  d1 * p->coeffsA[filter][1] +
@@ -1055,10 +1055,10 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
    p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5);

    sign = APESIGN(decoded);
-    p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign;

    return p->filterA[filter];
 }
@@ -1529,7 +1529,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        for (ch = 0; ch < s->channels; ch++) {
            sample8 = (uint8_t *)frame->data[ch];
            for (i = 0; i < blockstodecode; i++)
-                *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff;
+                *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff;
        }
        break;
    case 16:
@@ -1435,8 +1435,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
    int *c      = s->globalmc[ref].perspective;

    int64_t m   = (1<<ep) - (c[0]*(int64_t)x + c[1]*(int64_t)y);
-    int64_t mx  = m * (int64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
-    int64_t my  = m * (int64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);
+    int64_t mx  = m * (uint64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
+    int64_t my  = m * (uint64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);

    block->u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
    block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
@@ -55,6 +55,7 @@

 /** largest possible size of flac header */
 #define MAX_FRAME_HEADER_SIZE 16
+#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE)

 typedef struct FLACHeaderMarker {
    int offset;       /**< byte offset from start of FLACParseContext->buffer */
@@ -169,7 +170,7 @@ static int find_headers_search_validate(FLACParseContext *fpc, int offset)
    uint8_t *header_buf;
    int size = 0;
    header_buf = flac_fifo_read_wrap(fpc, offset,
-                                     MAX_FRAME_HEADER_SIZE,
+                                     MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE,
                                     &fpc->wrap_buf,
                                     &fpc->wrap_buf_allocated_size);
    if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) {
@@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
        s->t3     = get_bits(&s->gb, 16);
        s->reset  = get_bits(&s->gb, 16);

-        if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+        if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
            av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n",
                   s->maxval, s->t1, s->t2, s->t3, s->reset);
        }
@@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
        else
            maxtab = 65530/wt - 1;

-        if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+        if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
            av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab);
        }
        if (maxtab >= 256) {
@@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
    if (RItype)
        temp += state->N[Q] >> 1;

-    for (k = 0; (state->N[Q] << k) < temp; k++)
+    for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)
        ;

 #ifdef JLS_BROKEN
@@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
 #endif
    ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1,
                               state->qbpp);
+    if (ret < 0)
+        return -0x10000;

    /* decode mapped error */
    map = 0;
@@ -209,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
        ret = ret >> 1;
    }

-    if(FFABS(ret) > 0xFFFF)
+    if (FFABS(ret) > 0xFFFF)
        return -0x10000;
    /* update state */
    state->A[Q] += FFABS(ret) - RItype;
@@ -1614,7 +1614,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type)
        for(y=0; y<s->mb_height; y++){
            int x;
            int xy= y*s->mb_stride;
-            for(x=0; x<s->mb_width; x++){
+            for(x=0; x<s->mb_width; x++, xy++){
                if(s->mb_type[xy] & type){
                    int mx= mv_table[xy][0];
                    int my= mv_table[xy][1];
@@ -1622,16 +1622,15 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type)
                                     fcode_tab[my + MAX_MV]);
                    int j;

-                        if(mx >= range || mx < -range ||
-                           my >= range || my < -range)
-                            continue;
+                    if (mx >= range || mx < -range ||
+                        my >= range || my < -range)
+                        continue;

                    for(j=0; j<fcode && j<8; j++){
                        if(s->pict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy])
                            score[j]-= 170;
                    }
                }
-                xy++;
            }
        }

@@ -404,7 +404,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale)
                (int64_t) low [i - 1] * -INT64_C(325392907)  +
                (int64_t) high[i + 0] *  INT64_C(1518500249) +
                (int64_t) high[i - 1] *  INT64_C(1518500249);
-        dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32);
+        dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32);
    }

    for (i = 0; i < hsize; i++) {
@@ -415,7 +415,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale)
                (int64_t) high[i + 1] *  INT64_C(303700064)  +
                (int64_t) high[i + 0] * -INT64_C(3644400640) +
                (int64_t) high[i - 1] *  INT64_C(303700064);
-        dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32);
+        dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32);
    }
 }

@@ -1174,7 +1174,7 @@ AVCodec ff_apng_encoder = {
        AV_PIX_FMT_PAL8,
        AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A,
        AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE,
-        AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE
+        AV_PIX_FMT_NONE
    },
    .priv_class     = &apngenc_class,
 };
@@ -1018,7 +1018,7 @@ static int sonic_decode_frame(AVCodecContext *avctx,

    // dequantize
    for (i = 0; i < s->num_taps; i++)
-        s->predictor_k[i] *= s->tap_quant[i];
+        s->predictor_k[i] *= (unsigned) s->tap_quant[i];

    if (s->lossless)
        quant = 1;
@@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int
    for (i = 0; i < length; i++) {
        int32_t a = p1[i];
        int32_t b = p2[i];
-        b         = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift;
+        b         = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift;
        p1[i]     = b - a;
    }
 }
@@ -47,9 +47,9 @@ static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl,
    *error = *in;
    *in += (round >> shift);

-    dl[4] = -dl[5]; dl[5] = -dl[6];
-    dl[6] = *in - dl[7]; dl[7] = *in;
-    dl[5] += dl[6]; dl[4] += dl[5];
+    dl[4] = -(unsigned)dl[5]; dl[5] = -(unsigned)dl[6];
+    dl[6] = *in -(unsigned)dl[7]; dl[7] = *in;
+    dl[5] += (unsigned)dl[6]; dl[4] += (unsigned)dl[5];
 }

 av_cold void ff_ttadsp_init(TTADSPContext *c)
@@ -2748,7 +2748,14 @@ static int vp3_decode_frame(AVCodecContext *avctx,
            skip_bits(&gb, 4); /* width code */
            skip_bits(&gb, 4); /* height code */
            if (s->version) {
-                s->version = get_bits(&gb, 5);
+                int version = get_bits(&gb, 5);
+#if !CONFIG_VP4_DECODER
+                if (version >= 2) {
+                    av_log(avctx, AV_LOG_ERROR, "This build does not support decoding VP4.\n");
+                    return AVERROR_DECODER_NOT_FOUND;
+                }
+#endif
+                s->version = version;
                if (avctx->frame_number == 0)
                    av_log(s->avctx, AV_LOG_DEBUG,
                           "VP version: %d\n", s->version);
@@ -588,13 +588,14 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame)
        if (s->partial_countdown <= 0) {
            bytestream2_init(&s->gb, s->next_codebook_buffer, s->next_codebook_buffer_index);
            /* decompress codebook */
-            if ((res = decode_format80(s, s->next_codebook_buffer_index,
-                                       s->codebook, s->codebook_size, 0)) < 0)
-                return res;
+            res = decode_format80(s, s->next_codebook_buffer_index,
+                                  s->codebook, s->codebook_size, 0);

            /* reset accounting */
            s->next_codebook_buffer_index = 0;
            s->partial_countdown = s->partial_count;
+            if (res < 0)
+                return res;
        }
    }

@@ -28,6 +28,7 @@ typedef struct TremoloContext {
    double freq;
    double depth;
    double *table;
+    int table_size;
    int index;
 } TremoloContext;

@@ -72,7 +73,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
        dst += channels;
        src += channels;
        s->index++;
-        if (s->index >= inlink->sample_rate / s->freq)
+        if (s->index >= s->table_size)
            s->index = 0;
    }

@@ -125,11 +126,12 @@ static int config_input(AVFilterLink *inlink)
    const double offset = 1. - s->depth / 2.;
    int i;

-    s->table = av_malloc_array(inlink->sample_rate / s->freq, sizeof(*s->table));
+    s->table_size = inlink->sample_rate / s->freq;
+    s->table = av_malloc_array(s->table_size, sizeof(*s->table));
    if (!s->table)
        return AVERROR(ENOMEM);

-    for (i = 0; i < inlink->sample_rate / s->freq; i++) {
+    for (i = 0; i < s->table_size; i++) {
        double env = s->freq * i / inlink->sample_rate;
        env = sin(2 * M_PI * fmod(env + 0.25, 1.0));
        s->table[i] = env * (1 - fabs(offset)) + offset;
@@ -149,7 +149,7 @@ static int filter_vertically_##name(AVFilterContext *ctx, void *arg, int jobnr,
                                                                                              \
        src = s->buffer + x;                                                                  \
        ptr = buffer + x;                                                                     \
-        for (i = 0; i <= radius; i++) {                                                       \
+        for (i = 0; i + radius < height && i <= radius; i++) {                                \
            acc += src[(i + radius) * width];                                                 \
            count++;                                                                          \
            ptr[i * linesize] = acc / count;                                                  \
@@ -122,7 +122,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)

    if (s->depth <= 8) {
        for (plane = 0; plane < s->nb_planes; plane++) {
-            const int linesize = in->linesize[plane];
+            const int linesize = s->planeheight[plane] > 1 ? in->linesize[plane] : 0;
            const int dlinesize = out->linesize[plane];
            uint8_t *val = in->data[plane];
            uint8_t *dst = s->filter ? out->data[plane]: NULL;
@@ -151,7 +151,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
        }
    } else {
        for (plane = 0; plane < s->nb_planes; plane++) {
-            const int linesize = in->linesize[plane] / 2;
+            const int linesize = s->planeheight[plane] > 1 ? in->linesize[plane] / 2 : 0;
            const int dlinesize = out->linesize[plane] / 2;
            uint16_t *val = (uint16_t *)in->data[plane];
            uint16_t *dst = s->filter ? (uint16_t *)out->data[plane] : NULL;
@@ -343,8 +343,8 @@ static int config_props(AVFilterLink *link)
    if(yadif->mode&1)
        link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1});

-    if (link->w < 3 || link->h < 3) {
-        av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or lines is not supported\n");
+    if (link->w < 3 || link->h < 4) {
+        av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n");
        return AVERROR(EINVAL);
    }

@@ -780,6 +780,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
    res = av_frame_copy_props(out, in);
    if (res < 0) {
        av_frame_free(&in);
+        av_frame_free(&out);
        return res;
    }

@@ -839,13 +840,18 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
            !s->dither_scratch_base[1][0] || !s->dither_scratch_base[1][1] ||
            !s->dither_scratch_base[2][0] || !s->dither_scratch_base[2][1]) {
            uninit(ctx);
+            av_frame_free(&in);
+            av_frame_free(&out);
            return AVERROR(ENOMEM);
        }
        s->rgb_sz = rgb_sz;
    }
    res = create_filtergraph(ctx, in, out);
-    if (res < 0)
+    if (res < 0) {
+        av_frame_free(&in);
+        av_frame_free(&out);
        return res;
+    }
    s->rgb_stride = rgb_stride / sizeof(int16_t);
    td.in = in;
    td.out = out;
@@ -859,8 +865,11 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
    td.out_ss_h = av_pix_fmt_desc_get(out->format)->log2_chroma_h;
    if (s->yuv2yuv_passthrough) {
        res = av_frame_copy(out, in);
-        if (res < 0)
+        if (res < 0) {
+            av_frame_free(&in);
+            av_frame_free(&out);
            return res;
+        }
    } else {
        ctx->internal->execute(ctx, convert, &td, NULL,
                               FFMIN((in->height + 1) >> 1, ff_filter_get_nb_threads(ctx)));
@@ -150,10 +150,12 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h,
    int i, j;

    memcpy(dst, src, w); dst += dst_linesize; src += src_linesize;
-    memcpy(dst, src, w); dst += dst_linesize; src += src_linesize;
+    if (h > 1)
+        memcpy(dst, src, w); dst += dst_linesize; src += src_linesize;
    for (j = 2; j < h - 2; j++) {
        dst[0] = src[0];
-        dst[1] = src[1];
+        if (w > 1)
+            dst[1] = src[1];
        for (i = 2; i < w - 2; i++) {
            /* Gaussian mask of size 5x5 with sigma = 1.4 */
            dst[i] = ((src[-2*src_linesize + i-2] + src[2*src_linesize + i-2]) * 2
@@ -174,14 +176,18 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h,
                    + src[i+1] * 12
                    + src[i+2] *  5) / 159;
        }
-        dst[i    ] = src[i    ];
-        dst[i + 1] = src[i + 1];
+        if (w > 2)
+            dst[i    ] = src[i    ];
+        if (w > 3)
+            dst[i + 1] = src[i + 1];

        dst += dst_linesize;
        src += src_linesize;
    }
-    memcpy(dst, src, w); dst += dst_linesize; src += src_linesize;
-    memcpy(dst, src, w);
+    if (h > 2)
+        memcpy(dst, src, w); dst += dst_linesize; src += src_linesize;
+    if (h > 3)
+        memcpy(dst, src, w);
 }

 enum {
@@ -938,7 +938,7 @@ static int config_input(AVFilterLink *inlink)
    fm->tpitchy  = FFALIGN(w,      16);
    fm->tpitchuv = FFALIGN(w >> 1, 16);

-    fm->tbuffer = av_malloc(h/2 * fm->tpitchy);
+    fm->tbuffer = av_calloc((h/2 + 4) * fm->tpitchy, sizeof(*fm->tbuffer));
    fm->c_array = av_malloc((((w + fm->blockx/2)/fm->blockx)+1) *
                            (((h + fm->blocky/2)/fm->blocky)+1) *
                            4 * sizeof(*fm->c_array));
@@ -108,8 +108,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame)
            s->dst_tff ? "up" : "down");
    h = frame->height;
    for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) {
-        dst_line_step = out->linesize[plane];
-        src_line_step = frame->linesize[plane];
+        dst_line_step = out->linesize[plane] * (h > 2);
+        src_line_step = frame->linesize[plane] * (h > 2);
        line_size = s->line_size[plane];
        dst = out->data[plane];
        src = frame->data[plane];
@@ -236,7 +236,7 @@ static int config_input(AVFilterLink *inlink)

    s->nb_planes = av_pix_fmt_count_planes(inlink->format);

-    s->buffer = av_malloc_array(inlink->w, inlink->h * sizeof(*s->buffer));
+    s->buffer = av_malloc_array(FFALIGN(inlink->w, 16), FFALIGN(inlink->h, 16) * sizeof(*s->buffer));
    if (!s->buffer)
        return AVERROR(ENOMEM);

@@ -36,8 +36,8 @@

 typedef struct LenscorrectionCtx {
    const AVClass *av_class;
-    unsigned int width;
-    unsigned int height;
+    int width;
+    int height;
    int hsub, vsub;
    int nb_planes;
    double cx, cy, k1, k2;
@@ -155,10 +155,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
    for (plane = 0; plane < rect->nb_planes; ++plane) {
        int hsub = plane == 1 || plane == 2 ? rect->hsub : 0;
        int vsub = plane == 1 || plane == 2 ? rect->vsub : 0;
-        int hdiv = 1 << hsub;
-        int vdiv = 1 << vsub;
-        int w = rect->width / hdiv;
-        int h = rect->height / vdiv;
+        int w = AV_CEIL_RSHIFT(rect->width, hsub);
+        int h = AV_CEIL_RSHIFT(rect->height, vsub);
        int xcenter = rect->cx * w;
        int ycenter = rect->cy * h;
        int k1 = rect->k1 * (1<<24);
@@ -296,9 +296,11 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
                                               src + (width - 2) * bpc,                                                      src + (width - 2) * bpc,
                                               src + (width - 2) * bpc + ph * stride, src + (width - 1) * bpc + ph * stride, src + (width - 2) * bpc + ph * stride};

-            s->filter(dst,                     src,                     1,         threshold, coordinateslb, s->coordinates, s->max);
-            s->filter(dst          + 1  * bpc, src          + 1  * bpc, width - 2, threshold, coordinates,   s->coordinates, s->max);
-            s->filter(dst + (width - 1) * bpc, src + (width - 1) * bpc, 1,         threshold, coordinatesrb, s->coordinates, s->max);
+            s->filter(dst,                         src,                     1,         threshold, coordinateslb, s->coordinates, s->max);
+            if (width > 1) {
+                s->filter(dst          + 1  * bpc, src          + 1  * bpc, width - 2, threshold, coordinates,   s->coordinates, s->max);
+                s->filter(dst + (width - 1) * bpc, src + (width - 1) * bpc, 1,         threshold, coordinatesrb, s->coordinates, s->max);
+            }

            src += stride;
            dst += dstride;
@@ -108,6 +108,14 @@ static int request_frame(AVFilterLink *outlink)
    return ret;
 }

+static av_cold void uninit(AVFilterContext *ctx)
+{
+    RandomContext *s = ctx->priv;
+
+    for (int i = 0; i < s->nb_frames; i++)
+        av_frame_free(&s->frames[i]);
+}
+
 static const AVFilterPad random_inputs[] = {
    {
        .name         = "default",
@@ -132,6 +140,7 @@ AVFilter ff_vf_random = {
    .priv_size   = sizeof(RandomContext),
    .priv_class  = &random_class,
    .init        = init,
+    .uninit      = uninit,
    .inputs      = random_inputs,
    .outputs     = random_outputs,
 };
@@ -145,9 +145,16 @@ static int config_input(AVFilterLink *inlink)
    ff_draw_init(&ass->draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0);

    ass_set_frame_size  (ass->renderer, inlink->w, inlink->h);
-    if (ass->original_w && ass->original_h)
+    if (ass->original_w && ass->original_h) {
        ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h,
                             (double)ass->original_w / ass->original_h);
+#if LIBASS_VERSION > 0x01010000
+        ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h);
+    } else {
+        ass_set_storage_size(ass->renderer, inlink->w, inlink->h);
+#endif
+    }
+
    if (ass->shaping != -1)
        ass_set_shaper(ass->renderer, ass->shaping);

@@ -274,6 +274,11 @@ static int config_input(AVFilterLink *inlink)
    s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h);
    s->planeheight[0] = s->planeheight[3] = inlink->h;

+    if (inlink->h < 3) {
+        av_log(ctx, AV_LOG_ERROR, "Video of less than 3 lines is not supported\n");
+        return AVERROR(EINVAL);
+    }
+
    s->nb_planes = av_pix_fmt_count_planes(inlink->format);
    s->nb_threads = ff_filter_get_nb_threads(ctx);
    s->work_line = av_calloc(s->nb_threads, sizeof(*s->work_line));
@@ -100,7 +100,7 @@ cglobal horiz_slice, 4, 9, 9, ptr, width, height, steps, nu, bscale, x, y, step,

        add widthq, remainq
        cmp xq, widthq
-        je .end_scalar
+        jge .end_scalar

        .loop_scalar:
            ; ptr[x] += nu * ptr[x-1]
@@ -148,7 +148,7 @@ cglobal horiz_slice, 4, 9, 9, ptr, width, height, steps, nu, bscale, x, y, step,
            jg .loop_x_back

        cmp xq, 0
-        je .end_scalar_back
+        jle .end_scalar_back

        .loop_scalar_back:
            ; ptr[x-1] += nu * ptr[x]
@@ -137,7 +137,8 @@ static int parse_strk(AVFormatContext *s,
        return AVERROR_INVALIDDATA;

    track = AV_RL32(buf + 8);
-    if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) {
+    if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 ||
+        track >= s->max_streams) {
        av_log(s, AV_LOG_ERROR, "current_track too large\n");
        return AVERROR_INVALIDDATA;
    }
@@ -148,6 +149,9 @@ static int parse_strk(AVFormatContext *s,
        memset(&fourxm->tracks[fourxm->track_count], 0,
               sizeof(AudioTrack) * (track + 1 - fourxm->track_count));
        fourxm->track_count = track + 1;
+    } else {
+        if (fourxm->tracks[track].bits)
+            return AVERROR_INVALIDDATA;
    }
    fourxm->tracks[track].adpcm       = AV_RL32(buf + 12);
    fourxm->tracks[track].channels    = AV_RL32(buf + 36);
@@ -121,6 +121,9 @@ static int get_aiff_header(AVFormatContext *s, int size,
        sample_rate = val << exp;
    else
        sample_rate = (val + (1ULL<<(-exp-1))) >> -exp;
+    if (sample_rate <= 0)
+        return AVERROR_INVALIDDATA;
+
    par->sample_rate = sample_rate;
    if (size < 18)
        return AVERROR_INVALIDDATA;
@@ -183,8 +186,10 @@ static int get_aiff_header(AVFormatContext *s, int size,
        par->block_align = (av_get_bits_per_sample(par->codec_id) * par->channels) >> 3;

    if (aiff->block_duration) {
-        par->bit_rate = (int64_t)par->sample_rate * (par->block_align << 3) /
-                        aiff->block_duration;
+        par->bit_rate = av_rescale(par->sample_rate, par->block_align * 8LL,
+                                   aiff->block_duration);
+        if (par->bit_rate < 0)
+            par->bit_rate = 0;
    }

    /* Chunk is over */
@@ -359,7 +364,7 @@ got_sound:
    if (!st->codecpar->block_align && st->codecpar->codec_id == AV_CODEC_ID_QCELP) {
        av_log(s, AV_LOG_WARNING, "qcelp without wave chunk, assuming full rate\n");
        st->codecpar->block_align = 35;
-    } else if (!st->codecpar->block_align) {
+    } else if (st->codecpar->block_align <= 0) {
        av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n");
        return -1;
    }
@@ -74,7 +74,8 @@ static int aqt_read_header(AVFormatContext *s)
            new_event = 1;
            pos = avio_tell(s->pb);
            if (sub) {
-                sub->duration = frame - sub->pts;
+                if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX)
+                    sub->duration = frame - sub->pts;
                sub = NULL;
            }
        } else if (*line) {
@@ -232,6 +232,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
        } else {
            int64_t offset, pos;
            int duration;
+            int ret;
+
            offset = avio_rl64(pb);
            avio_rl32(pb);       /* size */
            duration = avio_rl32(pb);
@@ -249,7 +251,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
            if (avio_seek(pb, offset + 8, SEEK_SET) < 0)
                return -1;
            avi->odml_depth++;
-            read_odml_index(s, frame_num);
+            ret = read_odml_index(s, frame_num);
            avi->odml_depth--;
            frame_num += duration;

@@ -257,7 +259,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
                av_log(s, AV_LOG_ERROR, "Failed to restore position after reading index\n");
                return -1;
            }
-
+            if (ret < 0)
+                return ret;
        }
    }
    avi->index_loaded = 2;
@@ -843,6 +846,8 @@ FF_ENABLE_DEPRECATION_WARNINGS
                            memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9,
                                   "BottomUp", 9);
                    }
+                    if (st->codecpar->height == INT_MIN)
+                        return AVERROR_INVALIDDATA;
                    st->codecpar->height = FFABS(st->codecpar->height);

 //                    avio_skip(pb, size - 5 * 4);
@@ -243,6 +243,8 @@ static void read_info_chunk(AVFormatContext *s, int64_t size)
        char value[1024];
        avio_get_str(pb, INT_MAX, key, sizeof(key));
        avio_get_str(pb, INT_MAX, value, sizeof(value));
+        if (!*key)
+            continue;
        av_dict_set(&s->metadata, key, value, 0);
    }
 }
@@ -460,6 +460,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m
            d = av_int2double(avio_rb64(ioc));
            if (isnan(d) || d < INT64_MIN || d > INT64_MAX)
                goto invalid;
+            if (current_array == &times && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000))
+                goto invalid;
            current_array[0][i] = d;
        }
        if (times && filepositions) {
@@ -791,10 +791,16 @@ static int parse_playlist(HLSContext *c, const char *url,
                               &info);
            new_rendition(c, &info, url);
        } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", &ptr)) {
+            int64_t t;
            ret = ensure_playlist(c, &pls, url);
            if (ret < 0)
                goto fail;
-            pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE;
+            t = strtoll(ptr, NULL, 10);
+            if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
+            pls->target_duration = t * AV_TIME_BASE;
        } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", &ptr)) {
            ret = ensure_playlist(c, &pls, url);
            if (ret < 0)
@@ -176,7 +176,8 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt)
                if (ret < 0)
                    return ret;
                memcpy(par->extradata, side_data, side_data_size);
-            }
+            } else
+                return AVERROR_INVALIDDATA;
        }
    }

@@ -1633,7 +1633,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size,
    case MATROSKA_TRACK_ENCODING_COMP_ZLIB:
    {
        z_stream zstream = { 0 };
-        if (inflateInit(&zstream) != Z_OK)
+        if (!pkt_size || inflateInit(&zstream) != Z_OK)
            return -1;
        zstream.next_in  = data;
        zstream.avail_in = isize;
@@ -1666,7 +1666,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size,
    case MATROSKA_TRACK_ENCODING_COMP_BZLIB:
    {
        bz_stream bzstream = { 0 };
-        if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK)
+        if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK)
            return -1;
        bzstream.next_in  = data;
        bzstream.avail_in = isize;
@@ -2892,6 +2892,8 @@ static int matroska_read_header(AVFormatContext *s)

    if (!matroska->time_scale)
        matroska->time_scale = 1000000;
+    if (isnan(matroska->duration))
+        matroska->duration = 0;
    if (matroska->duration)
        matroska->ctx->duration = matroska->duration * matroska->time_scale *
                                  1000 / AV_TIME_BASE;
@@ -3871,7 +3873,9 @@ static CueDesc get_cue_desc(AVFormatContext *s, int64_t ts, int64_t cues_start)
    int i;
    int nb_index_entries = s->streams[0]->nb_index_entries;
    AVIndexEntry *index_entries = s->streams[0]->index_entries;
-    if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, -1, -1, -1};
+
+    if (ts >= (int64_t)(matroska->duration * matroska->time_scale))
+        return (CueDesc) {-1, -1, -1, -1};
    for (i = 1; i < nb_index_entries; i++) {
        if (index_entries[i - 1].timestamp * matroska->time_scale <= ts &&
            index_entries[i].timestamp * matroska->time_scale > ts) {
@@ -4060,6 +4064,8 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
            // prebuffered.
            pre_bytes = desc_end.end_offset - desc_end.start_offset;
            pre_ns = desc_end.end_time_ns - desc_end.start_time_ns;
+            if (pre_ns <= 0)
+                return -1;
            pre_sec = pre_ns / nano_seconds_per_second;
            prebuffer_bytes +=
                pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec);
@@ -4071,12 +4077,16 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
            do {
                int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset;
                int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns;
-                double desc_sec = desc_ns / nano_seconds_per_second;
-                double calc_bits_per_second = (desc_bytes * 8) / desc_sec;
+                double desc_sec, calc_bits_per_second, percent, mod_bits_per_second;
+                if (desc_bytes <= 0)
+                    return -1;
+
+                desc_sec = desc_ns / nano_seconds_per_second;
+                calc_bits_per_second = (desc_bytes * 8) / desc_sec;

                // Drop the bps by the percentage of bytes buffered.
-                double percent = (desc_bytes - prebuffer_bytes) / desc_bytes;
-                double mod_bits_per_second = calc_bits_per_second * percent;
+                percent = (desc_bytes - prebuffer_bytes) / desc_bytes;
+                mod_bits_per_second = calc_bits_per_second * percent;

                if (prebuffer < desc_sec) {
                    double search_sec =
@@ -603,11 +603,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
    for (i = 0; i < entries; i++) {
        MOVDref *dref = &sc->drefs[i];
        uint32_t size = avio_rb32(pb);
-        int64_t next = avio_tell(pb) + size - 4;
+        int64_t next = avio_tell(pb);

-        if (size < 12)
+        if (size < 12 || next < 0 || next > INT64_MAX - size)
            return AVERROR_INVALIDDATA;

+        next += size - 4;
+
        dref->type = avio_rl32(pb);
        avio_rb32(pb); // version + flags

@@ -1903,6 +1905,8 @@ static int mov_read_glbl(MOVContext *c, AVIOContext *pb, MOVAtom atom)
        // wrap a whole fiel atom inside of a glbl atom.
        unsigned size = avio_rb32(pb);
        unsigned type = avio_rl32(pb);
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
        avio_seek(pb, -8, SEEK_CUR);
        if (type == MKTAG('f','i','e','l') && size == atom.size)
            return mov_read_default(c, pb, atom);
@@ -2525,6 +2529,10 @@ int ff_mov_read_stsd_entries(MOVContext *c, AVIOContext *pb, int entries)
                av_log(c->fc, AV_LOG_ERROR, "Invalid sample rate %d\n", st->codecpar->sample_rate);
                return AVERROR_INVALIDDATA;
            }
+            if (st->codecpar->channels < 0) {
+                av_log(c->fc, AV_LOG_ERROR, "Invalid channels %d\n", st->codecpar->channels);
+                return AVERROR_INVALIDDATA;
+            }
        } else if (st->codecpar->codec_type==AVMEDIA_TYPE_SUBTITLE){
            mov_parse_stsd_subtitle(c, pb, st, sc,
                                    size - (avio_tell(pb) - start_pos));
@@ -5031,6 +5039,8 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom)
    avio_rb16(pb); // reserved

    item_count = avio_rb16(pb);
+    if (item_count == 0)
+        return AVERROR_INVALIDDATA;

    for (i = 0; i < item_count; i++) {
        int index;
@@ -5335,6 +5345,9 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom)
        av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version);
        return 0;
    }
+    if (sc->mastering)
+        return AVERROR_INVALIDDATA;
+
    avio_skip(pb, 3); /* flags */

    sc->mastering = av_mastering_display_metadata_alloc();
@@ -6032,6 +6045,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
        }
        if (pb->eof_reached) {
            av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading senc\n");
+            if (ret >= 0)
+                av_encryption_info_free(encryption_index->encrypted_samples[i]);
            ret = AVERROR_INVALIDDATA;
        }

@@ -6880,6 +6895,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
        if (a.size == 0) {
            a.size = atom.size - total_size + 8;
        }
+        if (a.size < 0)
+            break;
        a.size -= 8;
        if (a.size < 0)
            break;
@@ -1552,6 +1552,10 @@ static unsigned int mov_get_codec_tag(AVFormatContext *s, MOVTrack *track)
 {
    unsigned int tag = track->par->codec_tag;

+    // "rtp " is used to distinguish internally created RTP-hint tracks
+    // (with rtp_ctx) from other tracks.
+    if (tag == MKTAG('r','t','p',' '))
+        tag = 0;
    if (!tag || (s->strict_std_compliance >= FF_COMPLIANCE_NORMAL &&
                 (track->par->codec_id == AV_CODEC_ID_DVVIDEO ||
                  track->par->codec_id == AV_CODEC_ID_RAWVIDEO ||
@@ -1067,6 +1067,9 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
 {
    int i, length;

+    if (segment->temporal_offset_entries)
+        return AVERROR_INVALIDDATA;
+
    segment->nb_index_entries = avio_rb32(pb);

    length = avio_rb32(pb);
@@ -1171,8 +1171,11 @@ static int nut_write_trailer(AVFormatContext *s)
    while (nut->header_count < 3)
        write_headers(s, bc);

+    if (!nut->sp_count)
+        return 0;
+
    ret = avio_open_dyn_buf(&dyn_bc);
-    if (ret >= 0 && nut->sp_count) {
+    if (ret >= 0) {
        av_assert1(nut->write_index); // sp_count should be 0 if no index is going to be written
        write_index(nut, dyn_bc);
        put_packet(nut, bc, dyn_bc, 1, INDEX_STARTCODE);
@@ -127,10 +127,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
    uint32_t version;
    int ret;

-    // Duplicate tags
-    if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO)
-        return AVERROR_INVALIDDATA;
-
    /* ra type header */
    version = avio_rb16(pb); /* version */
    if (version == 3) {
@@ -330,6 +326,11 @@ int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb,
    if (codec_data_size == 0)
        return 0;

+    // Duplicate tags
+    if (   st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN
+        && st->codecpar->codec_type != AVMEDIA_TYPE_DATA)
+        return AVERROR_INVALIDDATA;
+
    avpriv_set_pts_info(st, 64, 1, 1000);
    codec_pos = avio_tell(pb);
    v = avio_rb32(pb);
@@ -19,8 +19,7 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

-#include <mbedtls/certs.h>
-#include <mbedtls/config.h>
+#include <mbedtls/version.h>
 #include <mbedtls/ctr_drbg.h>
 #include <mbedtls/entropy.h>
 #include <mbedtls/net_sockets.h>
@@ -129,9 +128,15 @@ static void handle_pk_parse_error(URLContext *h, int ret)
 static void handle_handshake_error(URLContext *h, int ret)
 {
    switch (ret) {
+#if MBEDTLS_VERSION_MAJOR < 3
    case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
        av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n");
        break;
+#else
+    case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:
+        av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n");
+        break;
+#endif
    case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
        av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n");
        break;
@@ -194,16 +199,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
        }
    }

-    // load key file
-    if (shr->key_file) {
-        if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,
-                                            shr->key_file,
-                                            tls_ctx->priv_key_pw)) != 0) {
-            handle_pk_parse_error(h, ret);
-            goto fail;
-        }
-    }
-
    // seed the random number generator
    if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context,
                                     mbedtls_entropy_func,
@@ -213,6 +208,21 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
        goto fail;
    }

+    // load key file
+    if (shr->key_file) {
+        if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,
+                                            shr->key_file,
+                                            tls_ctx->priv_key_pw
+#if MBEDTLS_VERSION_MAJOR >= 3
+                                            , mbedtls_ctr_drbg_random,
+                                            &tls_ctx->ctr_drbg_context
+#endif
+                                            )) != 0) {
+            handle_pk_parse_error(h, ret);
+            goto fail;
+        }
+    }
+
    if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config,
                                           shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
                                           MBEDTLS_SSL_TRANSPORT_STREAM,
@@ -34,6 +34,13 @@
 #include "internal.h"
 #include "sauce.h"

+static int isansicode(int x)
+{
+    return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f);
+}
+
+static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt";
+
 typedef struct TtyDemuxContext {
    AVClass *class;
    int chars_per_frame;
@@ -42,6 +49,17 @@ typedef struct TtyDemuxContext {
    AVRational framerate; /**< Set by a private option. */
 } TtyDemuxContext;

+static int read_probe(const AVProbeData *p)
+{
+    int cnt = 0;
+
+    for (int i = 0; i < p->buf_size; i++)
+        cnt += !!isansicode(p->buf[i]);
+
+    return (cnt * 100LL / p->buf_size) * (cnt > 400) *
+        !!av_match_ext(p->filename, tty_extensions);
+}
+
 /**
 * Parse EFI header
 */
@@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = {
    .name           = "tty",
    .long_name      = NULL_IF_CONFIG_SMALL("Tele-typewriter"),
    .priv_data_size = sizeof(TtyDemuxContext),
+    .read_probe     = read_probe,
    .read_header    = read_header,
    .read_packet    = read_packet,
-    .extensions     = "ans,art,asc,diz,ice,nfo,txt,vt",
+    .extensions     = tty_extensions,
    .priv_class     = &tty_demuxer_class,
 };
@@ -4962,7 +4962,7 @@ void ff_parse_key_value(const char *str, ff_parse_key_val_cb callback_get_buf,
        key_len = ptr - key;

        callback_get_buf(context, key, key_len, &dest, &dest_len);
-        dest_end = dest + dest_len - 1;
+        dest_end = dest ? dest + dest_len - 1 : NULL;

        if (*ptr == '\"') {
            ptr++;
@@ -26,6 +26,7 @@
 * @sa http://wiki.multimedia.cx/index.php?title=Vivo
 */

+#include "libavutil/avstring.h"
 #include "libavutil/parseutils.h"
 #include "avformat.h"
 #include "internal.h"
@@ -118,7 +119,7 @@ static int vivo_get_packet_header(AVFormatContext *s)
 static int vivo_read_header(AVFormatContext *s)
 {
    VivoContext *vivo = s->priv_data;
-    AVRational fps = { 1, 25};
+    AVRational fps = { 0 };
    AVStream *ast, *vst;
    unsigned char *line, *line_end, *key, *value;
    long value_int;
@@ -204,17 +205,21 @@ static int vivo_read_header(AVFormatContext *s)
                    return AVERROR_INVALIDDATA;
                value_used = 1;
            } else if (!strcmp(key, "FPS")) {
-                AVRational tmp;
+                double d;
+                if (av_sscanf(value, "%f", &d) != 1)
+                    return AVERROR_INVALIDDATA;

                value_used = 1;
-                if (!av_parse_ratio(&tmp, value, 10000, AV_LOG_WARNING, s))
-                    fps = av_inv_q(tmp);
+                if (!fps.num && !fps.den)
+                    fps = av_inv_q(av_d2q(d, 10000));
            }

            if (!value_used)
                av_dict_set(&s->metadata, key, value, 0);
        }
    }
+    if (!fps.num || !fps.den)
+        fps = (AVRational){ 1, 25 };

    avpriv_set_pts_info(ast, 64, 1, ast->codecpar->sample_rate);
    avpriv_set_pts_info(vst, 64, fps.num, fps.den);
@@ -104,7 +104,7 @@ static int write_header(AVFormatContext *s)
    }
    avio_printf(s->pb, "  minBufferTime=\"PT%gS\"\n", min_buffer_time);
    avio_printf(s->pb, "  profiles=\"%s\"%s",
-                w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:webm:dash:profile:webm-on-demand:2012",
+                w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:mpeg:dash:profile:webm-on-demand:2012",
                w->is_live ? "\n" : ">\n");
    if (w->is_live) {
        time_t local_time = time(NULL);
@@ -134,6 +134,7 @@ int64_t av_rescale(int64_t a, int64_t b, int64_t c) av_const;
 *
 * The operation is mathematically equivalent to `a * b / c`, but writing that
 * directly can overflow, and does not support different rounding methods.
+ * If the result is not representable then INT64_MIN is returned.
 *
 * @see av_rescale(), av_rescale_q(), av_rescale_q_rnd()
 */
@@ -6,7 +6,7 @@
  type="static"
  mediaPresentationDuration="PT32.501S"
  minBufferTime="PT1S"
-  profiles="urn:webm:dash:profile:webm-on-demand:2012">
+  profiles="urn:mpeg:dash:profile:webm-on-demand:2012">
 <Period id="0" start="PT0S" duration="PT32.501S" >
 <AdaptationSet id="0" mimeType="video/webm" codecs="vp8" lang="eng" width="640" height="360" bitstreamSwitching="true" subsegmentAlignment="true" subsegmentStartsWithSAP="1">
 <Representation id="0" bandwidth="302355">
@@ -6,7 +6,7 @@
  type="static"
  mediaPresentationDuration="PT32.48S"
  minBufferTime="PT1S"
-  profiles="urn:webm:dash:profile:webm-on-demand:2012">
+  profiles="urn:mpeg:dash:profile:webm-on-demand:2012">
 <Period id="0" start="PT0S" duration="PT32.48S" >
 <AdaptationSet id="0" mimeType="video/webm" codecs="vp8" lang="eng" bitstreamSwitching="true" subsegmentAlignment="false" subsegmentStartsWithSAP="1">
 <Representation id="0" bandwidth="302355" width="640" height="360">
@@ -6,7 +6,7 @@
  type="static"
  mediaPresentationDuration="PT32.501S"
  minBufferTime="PT1S"
-  profiles="urn:webm:dash:profile:webm-on-demand:2012">
+  profiles="urn:mpeg:dash:profile:webm-on-demand:2012">
 <Period id="0" start="PT0S" duration="PT32.501S" >
 <AdaptationSet id="0" mimeType="audio/webm" codecs="vorbis" lang="eng" audioSamplingRate="44100" bitstreamSwitching="false" subsegmentAlignment="false" subsegmentStartsWithSAP="1">
 <Representation id="0" bandwidth="82867">
@@ -6,7 +6,7 @@
  type="static"
  mediaPresentationDuration="PT32.48S"
  minBufferTime="PT1S"
-  profiles="urn:webm:dash:profile:webm-on-demand:2012">
+  profiles="urn:mpeg:dash:profile:webm-on-demand:2012">
 <Period id="0" start="PT0S" duration="PT32.48S" >
 <AdaptationSet id="0" mimeType="video/webm" codecs="vp8" lang="eng" width="640" height="360" bitstreamSwitching="true" subsegmentAlignment="false" subsegmentStartsWithSAP="0">
 <Representation id="0" bandwidth="302355">
@@ -1 +1 @@
 .2.5
 .2.7