configure: update copyright year

(cherry picked from commit b95ee2ec5f) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Update for 4.3.7
2024-06-15 00:38:19 +02:00 · 2024-06-14 21:09:22 +02:00 · 2024-06-14 11:11:55 +02:00 · 2024-06-14 11:11:55 +02:00 · 2024-06-14 11:11:55 +02:00 · 2024-06-14 11:11:54 +02:00
126 changed files with 926 additions and 330 deletions
@@ -2,6 +2,185 @@ Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.


+version 4.3.7:
+ avfilter/vf_rotate: Check ff_draw_init2() return value
+ avformat/matroskadec: Assert that num_levels is non negative
+ avformat/libzmq: Check av_strstart()
+ avformat/img2dec: Move DQT after unrelated if()
+ avdevice/xcbgrab: Check sscanf() return
+ fftools/cmdutils: Add protective () to FLAGS
+ avformat/sdp: Check before appending ","
+ avcodec/ilbcdec: Remove dead code
+ avcodec/vp8: Check cond init
+ avcodec/vp8: Check mutex init
+ avcodec/notchlc: Check init_get_bits8() for failure
+ avcodec/tests/dct: Use 64bit in intermediate for error computation
+ avcodec/scpr3: Check add_dec() for failure
+ avcodec/wavpackenc: Use unsigned for potential 31bit shift
+ avcodec/tests/jpeg2000dwt: Use 64bit in comparission
+ avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation
+ avformat/fwse: Remove always false expression
+ avformat/asfdec_f: Use 64bit for preroll computation
+ avformat/ape: Use 64bit for final frame size
+ avcodec/tiff: Assert init_get_bits8() success in unpack_gray()
+ avcodec/tiff: Assert init_get_bits8() success in horizontal_fill()
+ swscale/yuv2rgb: Use 64bit for brightness computation
+ avutil/tests/opt: Check av_set_options_string() for failure
+ avutil/tests/dict: Check av_dict_set() before get for failure
+ avdevice/dshow: fix badly indented line
+ avcodec/mscc & mwsc: Check loop counts before use
+ avcodec/mpegvideo_enc: Fix potential overflow in RD
+ avcodec/mpeg4videodec: assert impossible wrap points
+ avcodec/vble: Check av_image_get_buffer_size() for failure
+ avcodec/vp3: Replace check by assert
+ avcodec/jpeg2000dec: remove ST=3 case
+ avcodec/qsvdec: Check av_image_get_buffer_size() for failure
+ avcodec/fmvc: remove dead assignment
+ avcodec/h264_slice: Remove dead sps check
+ avcodec/lpc: copy levenson coeffs only when they have been computed
+ avutil/tests/base64: Check with too short output array
+ libavutil/base64: Try not to write over the array end
+ avcodec/cbs_av1: Avoid shift overflow
+ doc/examples/demux_decode: Simplify loop
+ avcodec/mpegvideo_enc: Fix 1 line and one column images
+ swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template()
+ swscale/output: Fix integer overflow in yuv2rgba64_1_c_template
+ avformat/mxfdec: Check body_offset
+ avformat/kvag: Check sample_rate
+ avcodec/ac3_parser: Check init_get_bits8() for failure
+ avcodec/hevcdec: Check ref frame
+ doc/examples/vaapi_transcode: Simplify loop
+ avfilter/vf_thumbnail_cuda: Set ret before checking it
+ avfilter/signature_lookup: Dont copy uninitialized stuff around
+ avfilter/signature_lookup: Fix 2 differences to the refernce SW
+ avcodec/x86/vp3dsp_init: Set correct function pointer, fix crash
+ fate/subtitles: Ignore line endings for sub-scc test
+ avformat/mxfdec: Check index_edit_rate
+ swscale/utils: Fix xInc overflow
+ avformat/mxfdec: Make edit_unit_byte_count unsigned
+ avformat/movenc: Check that cts fits in 32bit
+ avformat/mxfdec: Check first case of offset_temp computation for overflow
+ avfilter/vf_signature: Dont crash on no frames
+ avformat/westwood_vqa: Fix 2g packets
+ avformat/matroskadec: Check timescale
+ avformat/wavdec: satuarte next_tag_ofs, data_end
+ avformat/sbgdec: Check for negative duration
+ avformat/rpl: Use 64bit for total_audio_size and check it
+ avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate()
+ avformat/jacosubdec: Use 64bit for abs
+ avformat/concatdec: Check user_duration sum
+ avcodec/truemotion1: Height not being a multiple of 4 is unsupported
+ avcodec/hcadec: do not set hfr_group_count to invalid values
+ avformat/concatdec: clip outpoint - inpoint overflow in get_best_effort_duration()
+ avformat/jacosubdec: clarify code
+ avformat/cafdec: Check that data chunk end fits within 64bit
+ avformat/iff: Saturate avio_tell() + 12
+ avformat/dxa: Adjust order of operations around block align
+ avformat/cafdec: dont seek beyond 64bit
+ avformat/id3v2: read_uslt() check for the amount read
+ avcodec/proresenc_kostya: Remove bug similarity text
+ avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal()
+ libswscale/utils: Fix bayer to yuvj
+ swscale/swscale: Check srcSliceH for bayer
+ swscale/utils: Allocate more dithererror
+ avcodec/indeo3: Round dimensions up in allocate_frame_buffers()
+ avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers
+ avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure
+ avfilter/signature_lookup: dont leave uncleared pointers in sll_free()
+ avcodec/mpegvideo_enc: Use ptrdiff_t for stride
+ libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr.
+ avcodec/mpegvideo_enc: Dont copy beyond the image
+ avfilter/vf_minterpolate: Check pts before division
+ avformat/flacdec: Avoid double AVERRORS
+ avfilter/vf_vidstabdetect: Avoid double AVERRORS
+ avfilter/vf_swaprect: round coordinates down
+ avfilter/vf_swaprect: Use height for vertical variables
+ avfilter/vf_swaprect: assert that rectangles are within memory
+ avfilter/af_alimiter: Check nextpos before use
+ avfilter/af_stereowiden: Check length
+ avfilter/vf_weave: Fix odd height handling
+ avfilter/vf_gradfun: Do not overread last line
+ avformat/mov: do not set sign bit for chunk_offsets
+ avcodec/jpeglsdec: Check Jpeg-LS LSE
+ configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm
+ avformat/mov: Ignore duplicate ftyp
+ avformat/mov: Fix integer overflow in mov_read_packet().
+ seek: Fix crashes in ff_seek_frame_binary if built with latest Clang 14
+ avcodec/4xm: Check for cfrm exhaustion
+ avformat/mov: Disallow FTYP after streams
+ doc/html: fix styling issue with Texinfo 7.0
+ doc/html: support texinfo 7.0
+ doc/t2h.pm: fix missing TOC with texinfo 6.8 and above
+ doc/t2h.pm: fix missing CSS with texinfo 6.8 and above
+ avformat/matroskadec: Fix declaration-after-statement warnings
+ avformat/rtsp: Use rtsp_st->stream_index
+ avcodec/jpeg2000dec: Check image offset
+ avformat/mxfdec: Check klv offset
+ libavutil/ppc/cpu.c: check that AT_HWCAP2 is defined
+ avcodec/h2645_parse: Avoid EAGAIN
+ avcodec/xvididct: Make c* unsigned to avoid undefined overflows
+ avformat/tmv: Check video chunk size
+ avcodec/h264_parser: saturate dts a bit
+ avformat/asfdec_f: Saturate presentation time in marker
+ avformat/xwma: sanity check bits_per_coded_sample
+ avformat/matroskadec: Check prebuffered_ns for overflow
+ avformat/wavdec: Check left avio_tell for overflow
+ avformat/tta: Better totalframes check
+ avformat/rpl: Check for number_of_chunks overflow
+ avformat/mov: compute absolute dts difference without overflow in mov_find_next_sample()
+ avformat/jacosubdec: Check timeres
+ avformat/jacosubdec: avoid signed integer overflows in get_shift()
+ avformat/jacosubdec: Factorize code in get_shift() a bit
+ avcodec/escape124: Do not return random numbers
+ avformat/avs: Check if return code is representable
+ avcodec/lcldec: Make PNG filter addressing match the code afterwards
+ avformat/westwood_vqa: Check chunk size
+ avformat/sbgdec: Check for period overflow
+ avformat/concatdec: Check in/outpoint for overflow
+ avcodec/xvididct: Fix integer overflow in idct_row()
+ avcodec/celp_math: avoid overflow in shift
+ tools/target_dec_fuzzer: Adjust threshold for rtv1
+ avformat/hls: reduce default max reload to 3
+ avformat/format: Stop reading data at EOF during probing
+ avcodec/huffyuvdec: avoid undefined behavior with get_vlc2() failure
+ avcodec/cscd: Fix "CamStudio Lossless Codec 1.0" gzip files
+ avcodec/cscd: Check for CamStudio Lossless Codec 1.0 behavior in end check of LZO files
+ avcodec/hevcdec: Fix undefined memcpy()
+ avcodec/mpeg4videodec: more unsigned in amv computation
+ avcodec/tta: fix signed overflow in decorrelate
+ avcodec/apedec: Fix CRC for 24bps and bigendian
+ avcodec/xvididct: Fix integer overflow in idct_row()
+ avformat/avr: Check sample rate
+ avcodec/jpeg2000dec: Check for reduction factor and image offset
+ avutil/softfloat: Basic documentation for av_sincos_sf()
+ avutil/softfloat: fix av_sincos_sf()
+ avcodec/utils: fix 2 integer overflows in get_audio_frame_duration()
+ avcodec/hevcdec: Avoid null pointer dereferences in MC
+ avcodec/takdsp: Fix integer overflows
+ avcodec: Ignoring errors is only possible before the input end
+ avcodec/noise_bsf: Check for wrapped frames
+ avformat/oggparsetheora: clip duration within 64bit
+ avformat/wavdec: Check that smv block fits in available space
+ avcodec/tiff: add a zero DNG_LINEARIZATION_TABLE check
+ avcodec/tak: Check remaining bits in ff_tak_decode_frame_header()
+ avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated
+ avcodec/pngdec: Do not pass AVFrame into global header decode
+ avcodec/vorbisdec: Check codebook float values to be finite
+ avcodec/g2meet: Replace fake allocation avoidance for framebuf
+ avcodec/lcldec: More space for rgb24
+ avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width
+ libavcodec/lcldec: width and height should not be unsigned
+ avcodec/x86/mathops: clip constants used with shift instructions within inline assembly
+ lavc/pthread_frame: avoid leaving stale hwaccel state in worker threads
+ avformat/mov: Check if a key is longer than the atom containing it
+ avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer
+ avformat/mov: don't abort on duplicate Mastering Display Metadata boxes
+ avcodec/vdpau_mpeg4: fix order of quant matrix coefficients
+ avcodec/vdpau_mpeg12: fix order of quant matrix coefficients
+ avcodec/nvdec_mpeg4: fix order of quant matrix coefficients
+ avcodec/nvdec_mpeg2: fix order of quant matrix coefficients
+ avformat/nutdec: Add check for avformat_new_stream
+
 version 4.3.6:
 - avcodec/escape124: Check that blocks are allocated before use
 - avcodec/huffyuvdec: Fix undefined behavior with shift
@@ -1 +1 @@
-4.3.6
+4.3.7
@@ -5330,6 +5330,7 @@ case $target_os in
        ;;
    netbsd)
        disable symver
+        enable section_data_rel_ro
        oss_indev_extralibs="-lossaudio"
        oss_outdev_extralibs="-lossaudio"
        enabled gcc || check_ldflags -Wl,-zmuldefs
@@ -5348,6 +5349,7 @@ case $target_os in
        disable symver
        ;;
    freebsd)
+        enable section_data_rel_ro
        ;;
    bsd/os)
        add_extralibs -lpoll -lgnugetopt
@@ -7513,7 +7515,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2023
+#define CONFIG_THIS_YEAR 2024
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 4.3.6
+PROJECT_NUMBER         = 4.3.7

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -137,11 +137,9 @@ static int decode_packet(AVCodecContext *dec, const AVPacket *pkt)
            ret = output_audio_frame(frame);

        av_frame_unref(frame);
-        if (ret < 0)
-            return ret;
    }

-    return 0;
+    return ret;
 }

 static int open_codec_context(int *stream_idx,
@@ -221,10 +221,8 @@ static int dec_enc(AVPacket *pkt, AVCodec *enc_codec)

 fail:
        av_frame_free(&frame);
-        if (ret < 0)
-            return ret;
    }
-    return 0;
+    return ret;
 }

 int main(int argc, char **argv)
@@ -20,8 +20,45 @@
 # License along with FFmpeg; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

+# Texinfo 7.0 changed the syntax of various functions.
+# Provide a shim for older versions.
+sub ff_set_from_init_file($$) {
+    my $key = shift;
+    my $value = shift;
+    if (exists &{'texinfo_set_from_init_file'}) {
+        texinfo_set_from_init_file($key, $value);
+    } else {
+        set_from_init_file($key, $value);
+    }
+}
+
+sub ff_get_conf($) {
+    my $key = shift;
+    if (exists &{'texinfo_get_conf'}) {
+        texinfo_get_conf($key);
+    } else {
+        get_conf($key);
+    }
+}
+
+sub get_formatting_function($$) {
+    my $obj = shift;
+    my $func = shift;
+
+    my $sub = $obj->can('formatting_function');
+    if ($sub) {
+        return $obj->formatting_function($func);
+    } else {
+        return $obj->{$func};
+    }
+}
+
+# determine texinfo version
+my $program_version_num = version->declare(ff_get_conf('PACKAGE_VERSION'))->numify;
+my $program_version_6_8 = $program_version_num >= 6.008000;
+
 # no navigation elements
-set_from_init_file('HEADERS', 0);
+ff_set_from_init_file('HEADERS', 0);

 sub ffmpeg_heading_command($$$$$)
 {
@@ -55,7 +92,7 @@ sub ffmpeg_heading_command($$$$$)
        $element = $command->{'parent'};
    }
    if ($element) {
-        $result .= &{$self->{'format_element_header'}}($self, $cmdname,
+        $result .= &{get_formatting_function($self, 'format_element_header')}($self, $cmdname,
                                                       $command, $element);
    }

@@ -112,7 +149,11 @@ sub ffmpeg_heading_command($$$$$)
                $cmdname
                    = $Texinfo::Common::level_to_structuring_command{$cmdname}->[$heading_level];
            }
-            $result .= &{$self->{'format_heading_text'}}(
+            # format_heading_text expects an array of headings for texinfo >= 7.0
+            if ($program_version_num >= 7.000000) {
+                $heading = [$heading];
+            }
+            $result .= &{get_formatting_function($self,'format_heading_text')}(
                        $self, $cmdname, $heading,
                        $heading_level +
                        $self->get_conf('CHAPTER_HEADER_LEVEL') - 1, $command);
@@ -127,14 +168,18 @@ foreach my $command (keys(%Texinfo::Common::sectioning_commands), 'node') {
 }

 # print the TOC where @contents is used
-set_from_init_file('INLINE_CONTENTS', 1);
+if ($program_version_6_8) {
+    ff_set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline');
+} else {
+    ff_set_from_init_file('INLINE_CONTENTS', 1);
+}

 # make chapters <h2>
-set_from_init_file('CHAPTER_HEADER_LEVEL', 2);
+ff_set_from_init_file('CHAPTER_HEADER_LEVEL', 2);

 # Do not add <hr>
-set_from_init_file('DEFAULT_RULE', '');
-set_from_init_file('BIG_RULE', '');
+ff_set_from_init_file('DEFAULT_RULE', '');
+ff_set_from_init_file('BIG_RULE', '');

 # Customized file beginning
 sub ffmpeg_begin_file($$$)
@@ -151,7 +196,18 @@ sub ffmpeg_begin_file($$$)
    my ($title, $description, $encoding, $date, $css_lines,
        $doctype, $bodytext, $copying_comment, $after_body_open,
        $extra_head, $program_and_version, $program_homepage,
-        $program, $generator) = $self->_file_header_informations($command);
+        $program, $generator);
+    if ($program_version_num >= 7.000000) {
+        ($title, $description, $encoding, $date, $css_lines,
+         $doctype, $bodytext, $copying_comment, $after_body_open,
+         $extra_head, $program_and_version, $program_homepage,
+         $program, $generator) = $self->_file_header_information($command);
+    } else {
+        ($title, $description, $encoding, $date, $css_lines,
+         $doctype, $bodytext, $copying_comment, $after_body_open,
+         $extra_head, $program_and_version, $program_homepage,
+         $program, $generator) = $self->_file_header_informations($command);
+    }

    my $links = $self->_get_links ($filename, $element);

@@ -184,7 +240,11 @@ EOT

    return $head1 . $head_title . $head2 . $head_title . $head3;
 }
-texinfo_register_formatting_function('begin_file', \&ffmpeg_begin_file);
+if ($program_version_6_8) {
+    texinfo_register_formatting_function('format_begin_file', \&ffmpeg_begin_file);
+} else {
+    texinfo_register_formatting_function('begin_file', \&ffmpeg_begin_file);
+}

 sub ffmpeg_program_string($)
 {
@@ -201,13 +261,17 @@ sub ffmpeg_program_string($)
      $self->gdt('This document was generated automatically.'));
  }
 }
-texinfo_register_formatting_function('program_string', \&ffmpeg_program_string);
+if ($program_version_6_8) {
+    texinfo_register_formatting_function('format_program_string', \&ffmpeg_program_string);
+} else {
+    texinfo_register_formatting_function('program_string', \&ffmpeg_program_string);
+}

 # Customized file ending
 sub ffmpeg_end_file($)
 {
    my $self = shift;
-    my $program_string = &{$self->{'format_program_string'}}($self);
+    my $program_string = &{get_formatting_function($self,'format_program_string')}($self);
    my $program_text = <<EOT;
      <p style="font-size: small;">
        $program_string
@@ -220,11 +284,15 @@ EOT
 EOT
    return $program_text . $footer;
 }
-texinfo_register_formatting_function('end_file', \&ffmpeg_end_file);
+if ($program_version_6_8) {
+    texinfo_register_formatting_function('format_end_file', \&ffmpeg_end_file);
+} else {
+    texinfo_register_formatting_function('end_file', \&ffmpeg_end_file);
+}

 # Dummy title command
 # Ignore title. Title is handled through ffmpeg_begin_file().
-set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1);
+ff_set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1);
 sub ffmpeg_title($$$$)
 {
    return '';
@@ -242,8 +310,14 @@ sub ffmpeg_float($$$$$)
    my $args = shift;
    my $content = shift;

-    my ($caption, $prepended) = Texinfo::Common::float_name_caption($self,
-                                                                $command);
+    my ($caption, $prepended);
+    if ($program_version_num >= 7.000000) {
+        ($caption, $prepended) = Texinfo::Convert::Converter::float_name_caption($self,
+                                                                                 $command);
+    } else {
+        ($caption, $prepended) = Texinfo::Common::float_name_caption($self,
+                                                                     $command);
+    }
    my $caption_text = '';
    my $prepended_text;
    my $prepended_save = '';
@@ -315,8 +389,13 @@ sub ffmpeg_float($$$$$)
            $caption->{'args'}->[0], 'float caption');
    }
    if ($prepended_text.$caption_text ne '') {
-        $prepended_text = $self->_attribute_class('div','float-caption'). '>'
-                . $prepended_text;
+        if ($program_version_num >= 7.000000) {
+            $prepended_text = $self->html_attribute_class('div',['float-caption']). '>'
+                    . $prepended_text;
+        } else {
+            $prepended_text = $self->_attribute_class('div','float-caption'). '>'
+                    . $prepended_text;
+        }
        $caption_text .= '</div>';
    }
    my $html_class = '';
@@ -329,8 +408,13 @@ sub ffmpeg_float($$$$$)
        $prepended_text = '';
        $caption_text   = '';
    }
-    return $self->_attribute_class('div', $html_class). '>' . "\n" .
-        $prepended_text . $caption_text . $content . '</div>';
+    if ($program_version_num >= 7.000000) {
+        return $self->html_attribute_class('div', [$html_class]). '>' . "\n" .
+            $prepended_text . $caption_text . $content . '</div>';
+    } else {
+        return $self->_attribute_class('div', $html_class). '>' . "\n" .
+            $prepended_text . $caption_text . $content . '</div>';
+    }
 }

 texinfo_register_command_formatting('float',
@@ -538,7 +538,7 @@ static const AVOption *opt_find(void *obj, const char *name, const char *unit,
    return o;
 }

-#define FLAGS (o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0
+#define FLAGS ((o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0)
 int opt_default(void *optctx, const char *opt, const char *arg)
 {
    const AVOption *o;
@@ -885,6 +885,8 @@ static int decode_frame(AVCodecContext *avctx, void *data,
        }

        if (i >= CFRAME_BUFFER_COUNT) {
+            if (free_index < 0)
+                return AVERROR_INVALIDDATA;
            i             = free_index;
            f->cfrm[i].id = id;
        }
@@ -179,7 +179,9 @@ int av_ac3_parse_header(const uint8_t *buf, size_t size,
    AC3HeaderInfo hdr;
    int err;

-    init_get_bits8(&gb, buf, size);
+    err = init_get_bits8(&gb, buf, size);
+    if (err < 0)
+        return AVERROR_INVALIDDATA;
    err = ff_ac3_parse_header(&gb, &hdr);
    if (err < 0)
        return AVERROR_INVALIDDATA;
@@ -1581,13 +1581,24 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
    s->samples -= blockstodecode;

    if (avctx->err_recognition & AV_EF_CRCCHECK &&
-        s->fileversion >= 3900 && s->bps < 24) {
+        s->fileversion >= 3900) {
        uint32_t crc = s->CRC_state;
        const AVCRC *crc_tab = av_crc_get_table(AV_CRC_32_IEEE_LE);
+        int stride = s->bps == 24 ? 4 : (s->bps>>3);
+        int offset = s->bps == 24;
+        int bytes  = s->bps >> 3;
+
        for (i = 0; i < blockstodecode; i++) {
            for (ch = 0; ch < s->channels; ch++) {
-                uint8_t *smp = frame->data[ch] + (i*(s->bps >> 3));
-                crc = av_crc(crc_tab, crc, smp, s->bps >> 3);
+#if HAVE_BIGENDIAN
+                uint8_t *smp_native = frame->data[ch] + i*stride;
+                uint8_t smp[4];
+                for(int j = 0; j<stride; j++)
+                    smp[j] = smp_native[stride-j-1];
+#else
+                uint8_t *smp = frame->data[ch] + i*stride;
+#endif
+                crc = av_crc(crc_tab, crc, smp+offset, bytes);
            }
        }

@@ -383,7 +383,7 @@ static int cbs_av1_write_increment(CodedBitstreamContext *ctx, PutBitContext *pb
    }

    if (len > 0)
-        put_bits(pbc, len, (1 << len) - 1 - (value != range_max));
+        put_bits(pbc, len, (1U << len) - 1 - (value != range_max));

    return 0;
 }
@@ -78,7 +78,7 @@ int64_t ff_dot_product(const int16_t *a, const int16_t *b, int length);
 *
 * @return value << offset, if offset>=0; value >> -offset - otherwise
 */
-static inline int bidir_sal(int value, int offset)
+static inline unsigned bidir_sal(unsigned value, int offset)
 {
    if(offset < 0) return value >> -offset;
    else           return value <<  offset;
@@ -71,6 +71,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    int buf_size = avpkt->size;
    CamStudioContext *c = avctx->priv_data;
    int ret;
+    int bpp = avctx->bits_per_coded_sample / 8;
+    int bugdelta = FFALIGN(avctx->width * bpp, 4)       * avctx->height
+                 -        (avctx->width     & ~3) * bpp * avctx->height;

    if (buf_size < 2) {
        av_log(avctx, AV_LOG_ERROR, "coded frame too small\n");
@@ -84,7 +87,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    switch ((buf[0] >> 1) & 7) {
    case 0: { // lzo compression
        int outlen = c->decomp_size, inlen = buf_size - 2;
-        if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) {
+        if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || (outlen && outlen != bugdelta)) {
            av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
            return AVERROR_INVALIDDATA;
        }
@@ -93,7 +96,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    case 1: { // zlib compression
 #if CONFIG_ZLIB
        unsigned long dlen = c->decomp_size;
-        if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || dlen != c->decomp_size) {
+        if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || (dlen != c->decomp_size && dlen != c->decomp_size - bugdelta)) {
            av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n");
            return AVERROR_INVALIDDATA;
        }
@@ -238,7 +238,7 @@ static int escape124_decode_frame(AVCodecContext *avctx,
        if ((ret = av_frame_ref(frame, s->frame)) < 0)
            return ret;

-        return frame_size;
+        return 0;
    }

    for (i = 0; i < 3; i++) {
@@ -372,7 +372,7 @@ static int escape124_decode_frame(AVCodecContext *avctx,

    *got_frame = 1;

-    return frame_size;
+    return 0;
 }


@@ -100,7 +100,6 @@ static int decode_type2(GetByteContext *gb, PutByteContext *pb)
                            continue;
                        }
                    }
-                    repeat = 0;
                }
                repeat = 1;
            }
@@ -143,7 +143,8 @@ typedef struct G2MContext {
    int        got_header;

    uint8_t    *framebuf;
-    int        framebuf_stride, old_width, old_height;
+    int        framebuf_stride;
+    unsigned int framebuf_allocated;

    uint8_t    *synth_tile, *jpeg_tile, *epic_buf, *epic_buf_base;
    int        tile_stride, epic_buf_stride, old_tile_w, old_tile_h;
@@ -1179,14 +1180,13 @@ static int g2m_init_buffers(G2MContext *c)
 {
    int aligned_height;

-    if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) {
-        c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3;
-        aligned_height     = c->height + 15;
-        av_free(c->framebuf);
-        c->framebuf = av_mallocz_array(c->framebuf_stride, aligned_height);
-        if (!c->framebuf)
-            return AVERROR(ENOMEM);
-    }
+    c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3;
+    aligned_height = c->height + 15;
+
+    av_fast_mallocz(&c->framebuf, &c->framebuf_allocated, c->framebuf_stride * aligned_height);
+    if (!c->framebuf)
+        return AVERROR(ENOMEM);
+
    if (!c->synth_tile || !c->jpeg_tile ||
        (c->compression == 2 && !c->epic_buf_base) ||
        c->old_tile_w < c->tile_width ||
@@ -1638,6 +1638,7 @@ static av_cold int g2m_decode_end(AVCodecContext *avctx)
    av_freep(&c->jpeg_tile);
    av_freep(&c->cursor);
    av_freep(&c->framebuf);
+    c->framebuf_allocated = 0;

    return 0;
 }
@@ -578,7 +578,7 @@ void ff_g729_postfilter(AudioDSPContext *adsp, int16_t* ht_prev_data, int* voici
 int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *speech,
                                   int subframe_size, int16_t gain_prev)
 {
-    int gain; // (3.12)
+    unsigned gain; // (3.12)
    int n;
    int exp_before, exp_after;

@@ -600,7 +600,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *
            gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000;
            gain = bidir_sal(gain, exp_after - exp_before);
        }
-        gain = av_clip_int16(gain);
+        gain = FFMIN(gain, 32767);
        gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875)
    } else
        gain = 0;
@@ -300,7 +300,7 @@ static int decode_slice(MpegEncContext *s)
                ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y,
                                s->mb_x, s->mb_y, ER_MB_ERROR & part_mask);

-                if (s->avctx->err_recognition & AV_EF_IGNORE_ERR)
+                if ((s->avctx->err_recognition & AV_EF_IGNORE_ERR) && get_bits_left(&s->gb) > 0)
                    continue;
                return AVERROR_INVALIDDATA;
            }
@@ -122,7 +122,7 @@ static inline int get_nalsize(int nal_length_size, const uint8_t *buf,

    if (*buf_index >= buf_size - nal_length_size) {
        // the end of the buffer is reached, refill it
-        return AVERROR(EAGAIN);
+        return AVERROR_INVALIDDATA;
    }

    for (i = 0; i < nal_length_size; i++)
@@ -625,10 +625,10 @@ static int h264_parse(AVCodecParserContext *s,
            int64_t num = avctx->time_base.num * (int64_t)avctx->pkt_timebase.den;
            if (s->dts != AV_NOPTS_VALUE) {
                // got DTS from the stream, update reference timestamp
-                p->reference_dts = s->dts - av_rescale(s->dts_ref_dts_delta, num, den);
+                p->reference_dts = av_sat_sub64(s->dts, av_rescale(s->dts_ref_dts_delta, num, den));
            } else if (p->reference_dts != AV_NOPTS_VALUE) {
                // compute DTS based on reference timestamp
-                s->dts = p->reference_dts + av_rescale(s->dts_ref_dts_delta, num, den);
+                s->dts = av_sat_add64(p->reference_dts, av_rescale(s->dts_ref_dts_delta, num, den));
            }

            if (p->reference_dts != AV_NOPTS_VALUE && s->pts == AV_NOPTS_VALUE)
@@ -1458,7 +1458,7 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl,

    sps = h->ps.sps;

-    if (sps && sps->bitstream_restriction_flag &&
+    if (sps->bitstream_restriction_flag &&
        h->avctx->has_b_frames < sps->num_reorder_frames) {
        h->avctx->has_b_frames = sps->num_reorder_frames;
    }
@@ -109,6 +109,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    float scale = 1.f / 8.f;
    unsigned b, chunk;
    int version, ret;
+    unsigned hfr_group_count;

    avctx->sample_fmt = AV_SAMPLE_FMT_FLTP;
    c->crc_table = av_crc_get_table(AV_CRC_16_ANSI);
@@ -232,11 +233,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
    if (c->total_band_count < c->base_band_count)
        return AVERROR_INVALIDDATA;

-    c->hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count),
+    hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count),
                               c->bands_per_hfr_group);

-    if (c->base_band_count + c->stereo_band_count + (unsigned long)c->hfr_group_count > 128ULL)
+    if (c->base_band_count + c->stereo_band_count + (uint64_t)hfr_group_count > 128ULL)
        return AVERROR_INVALIDDATA;
+    c->hfr_group_count = hfr_group_count;

    for (int i = 0; i < avctx->channels; i++) {
        c->ch[i].chan_type = r[i];
@@ -1461,7 +1461,8 @@ static void luma_mc_uni(HEVCContext *s, uint8_t *dst, ptrdiff_t dststride,

    if (x_off < QPEL_EXTRA_BEFORE || y_off < QPEL_EXTRA_AFTER ||
        x_off >= pic_width - block_w - QPEL_EXTRA_AFTER ||
-        y_off >= pic_height - block_h - QPEL_EXTRA_AFTER) {
+        y_off >= pic_height - block_h - QPEL_EXTRA_AFTER ||
+        ref == s->frame) {
        const ptrdiff_t edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift;
        int offset     = QPEL_EXTRA_BEFORE * srcstride       + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift);
        int buf_offset = QPEL_EXTRA_BEFORE * edge_emu_stride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift);
@@ -1609,6 +1610,7 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0,
    intptr_t my          = av_mod_uintp2(mv->y, 2 + vshift);
    intptr_t _mx         = mx << (1 - hshift);
    intptr_t _my         = my << (1 - vshift);
+    int emu              = src0 == s->frame->data[1] || src0 == s->frame->data[2];

    x_off += mv->x >> (2 + hshift);
    y_off += mv->y >> (2 + vshift);
@@ -1616,7 +1618,8 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0,

    if (x_off < EPEL_EXTRA_BEFORE || y_off < EPEL_EXTRA_AFTER ||
        x_off >= pic_width - block_w - EPEL_EXTRA_AFTER ||
-        y_off >= pic_height - block_h - EPEL_EXTRA_AFTER) {
+        y_off >= pic_height - block_h - EPEL_EXTRA_AFTER ||
+        emu) {
        const int edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift;
        int offset0 = EPEL_EXTRA_BEFORE * (srcstride + (1 << s->ps.sps->pixel_shift));
        int buf_offset0 = EPEL_EXTRA_BEFORE *
@@ -1855,13 +1858,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0,

    if (current_mv.pred_flag & PF_L0) {
        ref0 = refPicList[0].ref[current_mv.ref_idx[0]];
-        if (!ref0)
+        if (!ref0 || !ref0->frame)
            return;
        hevc_await_progress(s, ref0, &current_mv.mv[0], y0, nPbH);
    }
    if (current_mv.pred_flag & PF_L1) {
        ref1 = refPicList[1].ref[current_mv.ref_idx[1]];
-        if (!ref1)
+        if (!ref1 || !ref1->frame)
            return;
        hevc_await_progress(s, ref1, &current_mv.mv[1], y0, nPbH);
    }
@@ -722,7 +722,7 @@ static void decode_plane_bitstream(HYuvContext *s, int width, int plane)
            }
        }
        if( width&1 && get_bits_left(&s->gb)>0 ) {
-            int dst = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;
+            int dst = (unsigned)get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;
            s->temp16[0][width-1] = dst + get_bits(&s->gb, 2);
        }
    }
@@ -1092,12 +1092,6 @@ static void do_plc(int16_t *plc_residual,      /* (o) concealed residual */

        if (s->consPLICount * s->block_samples > 320) {
            use_gain = 29491;   /* 0.9 in Q15 */
-        } else if (s->consPLICount * s->block_samples > 640) {
-            use_gain = 22938;   /* 0.7 in Q15 */
-        } else if (s->consPLICount * s->block_samples > 960) {
-            use_gain = 16384;   /* 0.5 in Q15 */
-        } else if (s->consPLICount * s->block_samples > 1280) {
-            use_gain = 0;       /* 0.0 in Q15 */
        }

        /* Compute mixing factor of picth repeatition and noise:
@@ -169,6 +169,9 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx,
    int luma_size, chroma_size;
    ptrdiff_t luma_pitch, chroma_pitch;

+    luma_width  = FFALIGN(luma_width , 2);
+    luma_height = FFALIGN(luma_height, 2);
+
    if (luma_width  < 16 || luma_width  > 640 ||
        luma_height < 16 || luma_height > 480 ||
        luma_width  &  3 || luma_height &   3) {
@@ -317,6 +317,16 @@ static int get_siz(Jpeg2000DecoderContext *s)
        return AVERROR_INVALIDDATA;
    }

+    if (s->image_offset_x >= s->width || s->image_offset_y >= s->height) {
+        av_log(s->avctx, AV_LOG_ERROR, "image offsets outside image");
+        return AVERROR_INVALIDDATA;
+    }
+
+    if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){
+        av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented");
+        return AVERROR_PATCHWELCOME;
+    }
+
    s->ncomponents = ncomponents;

    if (s->tile_width <= 0 || s->tile_height <= 0) {
@@ -873,9 +883,6 @@ static int get_tlm(Jpeg2000DecoderContext *s, int n)
        case 2:
            bytestream2_get_be16(&s->g);
            break;
-        case 3:
-            bytestream2_get_be32(&s->g);
-            break;
        }
        if (SP == 0) {
            bytestream2_get_be16(&s->g);
@@ -376,6 +376,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
    state->T3     = s->t3;
    state->reset  = s->reset;
    ff_jpegls_reset_coding_parameters(state, 0);
+
+    /* Testing parameters here, we cannot test in LSE or SOF because
+     * these interdepend and are allowed in either order
+     */
+    if (state->maxval >= (1<<state->bpp) ||
+        state->T1 > state->T2 ||
+        state->T2 > state->T3 ||
+        state->T3 > state->maxval ||
+        state->reset > FFMAX(255, state->maxval)) {
+        ret = AVERROR_INVALIDDATA;
+        goto end;
+    }
+
    ff_jpegls_init_state(state);

    if (s->bits <= 8)
@@ -148,6 +148,8 @@ static int zlib_decomp(AVCodecContext *avctx, const uint8_t *src, int src_len, i
    if (expected != (unsigned int)c->zstream.total_out) {
        av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n",
               expected, c->zstream.total_out);
+        if (expected > (unsigned int)c->zstream.total_out)
+            return (unsigned int)c->zstream.total_out;
        return AVERROR_UNKNOWN;
    }
    return c->zstream.total_out;
@@ -166,8 +168,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
    int row, col;
    unsigned char *encoded = avpkt->data, *outptr;
    uint8_t *y_out, *u_out, *v_out;
-    unsigned int width = avctx->width; // Real image width
-    unsigned int height = avctx->height; // Real image height
+    int width = avctx->width; // Real image width
+    int height = avctx->height; // Real image height
    unsigned int mszh_dlen;
    unsigned char yq, y1q, uq, vq;
    int uqvq, ret;
@@ -224,16 +226,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            break;
        case COMP_MSZH_NOCOMP: {
            int bppx2;
+            int aligned_width = width;
            switch (c->imgtype) {
            case IMGTYPE_YUV111:
            case IMGTYPE_RGB24:
                bppx2 = 6;
                break;
            case IMGTYPE_YUV422:
+                aligned_width &= ~3;
            case IMGTYPE_YUV211:
                bppx2 = 4;
                break;
            case IMGTYPE_YUV411:
+                aligned_width &= ~3;
            case IMGTYPE_YUV420:
                bppx2 = 3;
                break;
@@ -241,7 +246,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                bppx2 = 0; // will error out below
                break;
            }
-            if (len < ((width * height * bppx2) >> 1))
+            if (len < ((aligned_width * height * bppx2) >> 1))
                return AVERROR_INVALIDDATA;
            break;
        }
@@ -273,12 +278,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            ret = zlib_decomp(avctx, buf + 8 + mthread_inlen, len - 8 - mthread_inlen,
                              mthread_outlen, mthread_outlen);
            if (ret < 0) return ret;
+            len = c->decomp_size;
        } else {
            int ret = zlib_decomp(avctx, buf, len, 0, c->decomp_size);
            if (ret < 0) return ret;
+            len = ret;
        }
        encoded = c->decomp_buf;
-        len = c->decomp_size;
        break;
 #endif
    default:
@@ -306,8 +312,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            }
            break;
        case IMGTYPE_YUV422:
+            pixel_ptr = 0;
            for (row = 0; row < height; row++) {
-                pixel_ptr = row * width * 2;
                yq = uq = vq =0;
                for (col = 0; col < width/4; col++) {
                    encoded[pixel_ptr] = yq -= encoded[pixel_ptr];
@@ -323,8 +329,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            }
            break;
        case IMGTYPE_YUV411:
+            pixel_ptr = 0;
            for (row = 0; row < height; row++) {
-                pixel_ptr = row * width / 2 * 3;
                yq = uq = vq =0;
                for (col = 0; col < width/4; col++) {
                    encoded[pixel_ptr] = yq -= encoded[pixel_ptr];
@@ -398,6 +404,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                v_out[ col >> 1     ] = *encoded++ + 128;
                v_out[(col >> 1) + 1] = *encoded++ + 128;
            }
+            if (col && col < width) {
+                u_out[ col >> 1     ] = u_out[(col>>1) - 1];
+                v_out[ col >> 1     ] = v_out[(col>>1) - 1];
+            }
+
            y_out -= frame->linesize[0];
            u_out -= frame->linesize[1];
            v_out -= frame->linesize[2];
@@ -419,6 +430,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                u_out[col >> 2] = *encoded++ + 128;
                v_out[col >> 2] = *encoded++ + 128;
            }
+            if (col && col < width) {
+                u_out[col >> 2] = u_out[(col>>2) - 1];
+                v_out[col >> 2] = v_out[(col>>2) - 1];
+            }
            y_out -= frame->linesize[0];
            u_out -= frame->linesize[1];
            v_out -= frame->linesize[2];
@@ -476,6 +491,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
                                FFALIGN(avctx->height, 4);
    unsigned int max_decomp_size;
    int subsample_h, subsample_v;
+    int partial_h_supported = 0;

    if (avctx->extradata_size < 8) {
        av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n");
@@ -497,26 +513,24 @@ static av_cold int decode_init(AVCodecContext *avctx)
        av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 1:1:1.\n");
        break;
    case IMGTYPE_YUV422:
-        c->decomp_size = basesize * 2;
+        c->decomp_size = (avctx->width & ~3) * avctx->height * 2;
        max_decomp_size = max_basesize * 2;
        avctx->pix_fmt = AV_PIX_FMT_YUV422P;
        av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n");
-        if (avctx->width % 4) {
-            avpriv_request_sample(avctx, "Unsupported dimensions");
-            return AVERROR_INVALIDDATA;
-        }
+        partial_h_supported = 1;
        break;
    case IMGTYPE_RGB24:
-        c->decomp_size = basesize * 3;
+        c->decomp_size = FFALIGN(avctx->width*3, 4) * avctx->height;
        max_decomp_size = max_basesize * 3;
        avctx->pix_fmt = AV_PIX_FMT_BGR24;
        av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n");
        break;
    case IMGTYPE_YUV411:
-        c->decomp_size = basesize / 2 * 3;
+        c->decomp_size = (avctx->width & ~3) * avctx->height / 2 * 3;
        max_decomp_size = max_basesize / 2 * 3;
        avctx->pix_fmt = AV_PIX_FMT_YUV411P;
        av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:1:1.\n");
+        partial_h_supported = 1;
        break;
    case IMGTYPE_YUV211:
        c->decomp_size = basesize * 2;
@@ -536,7 +550,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    }

    av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v);
-    if (avctx->width % (1<<subsample_h) || avctx->height % (1<<subsample_v)) {
+    if ((avctx->width % (1<<subsample_h) && !partial_h_supported) || avctx->height % (1<<subsample_v)) {
        avpriv_request_sample(avctx, "Unsupported dimensions");
        return AVERROR_INVALIDDATA;
    }
@@ -243,8 +243,10 @@ int ff_lpc_calc_coefs(LPCContext *s,
        double av_uninit(weight);
        memset(var, 0, FFALIGN(MAX_LPC_ORDER+1,4)*sizeof(*var));

-        for(j=0; j<max_order; j++)
-            m[0].coeff[max_order-1][j] = -lpc[max_order-1][j];
+        /* Avoids initializing with an unused value when lpc_passes == 1 */
+        if (lpc_passes > 1)
+            for(j=0; j<max_order; j++)
+                m[0].coeff[max_order-1][j] = -lpc[max_order-1][j];

        for(; pass<lpc_passes; pass++){
            avpriv_init_lls(&m[pass&1], max_order);
@@ -351,6 +351,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
        ctx->sprite_shift[0]  = alpha + beta + rho - min_ab;
        ctx->sprite_shift[1]  = alpha + beta + rho - min_ab + 2;
        break;
+    default:
+        av_assert0(0);
    }
    /* try to simplify the situation */
    if (sprite_delta[0][0] == a << ctx->sprite_shift[0] &&
@@ -616,7 +618,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
        for (y = 0; y < 16; y++) {
            int v;

-            v = mb_v + dy * y;
+            v = mb_v + (unsigned)dy * y;
            // FIXME optimize
            for (x = 0; x < 16; x++) {
                sum += v >> shift;
@@ -1189,7 +1191,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block,
                                if (SHOW_UBITS(re, &s->gb, 1) == 0) {
                                    av_log(s->avctx, AV_LOG_ERROR,
                                           "1. marker bit missing in 3. esc\n");
-                                    if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR))
+                                    if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0)
                                        return AVERROR_INVALIDDATA;
                                }
                                SKIP_CACHE(re, &s->gb, 1);
@@ -1200,7 +1202,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block,
                                if (SHOW_UBITS(re, &s->gb, 1) == 0) {
                                    av_log(s->avctx, AV_LOG_ERROR,
                                           "2. marker bit missing in 3. esc\n");
-                                    if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR))
+                                    if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0)
                                        return AVERROR_INVALIDDATA;
                                }

@@ -1235,12 +1235,12 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg)
                                                 &v_chroma_shift);

                for (i = 0; i < 3; i++) {
-                    int src_stride = pic_arg->linesize[i];
-                    int dst_stride = i ? s->uvlinesize : s->linesize;
+                    ptrdiff_t src_stride = pic_arg->linesize[i];
+                    ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize;
                    int h_shift = i ? h_chroma_shift : 0;
                    int v_shift = i ? v_chroma_shift : 0;
-                    int w = s->width  >> h_shift;
-                    int h = s->height >> v_shift;
+                    int w = AV_CEIL_RSHIFT(s->width , h_shift);
+                    int h = AV_CEIL_RSHIFT(s->height, v_shift);
                    uint8_t *src = pic_arg->data[i];
                    uint8_t *dst = pic->f->data[i];
                    int vpad = 16;
@@ -1254,7 +1254,7 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg)
                        dst += INPLACE_OFFSET;

                    if (src_stride == dst_stride)
-                        memcpy(dst, src, src_stride * h);
+                        memcpy(dst, src, src_stride * h - src_stride + w);
                    else {
                        int h2 = h;
                        uint8_t *dst2 = dst;
@@ -1475,7 +1475,7 @@ static int estimate_best_b_count(MpegEncContext *s)
                goto fail;
            }

-            rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3);
+            rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3);
        }

        /* get the delayed frames */
@@ -1484,7 +1484,7 @@ static int estimate_best_b_count(MpegEncContext *s)
            ret = out_size;
            goto fail;
        }
-        rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3);
+        rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3);

        rd += c->error[0] + c->error[1] + c->error[2];

@@ -52,6 +52,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont
        unsigned run = bytestream2_get_byte(gb);

        if (run) {
+            if (bytestream2_get_bytes_left_p(pb) < run * s->bpp)
+                return AVERROR_INVALIDDATA;
+
            switch (avctx->bits_per_coded_sample) {
            case 8:
                fill = bytestream2_get_byte(gb);
@@ -100,6 +103,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont

                bytestream2_seek_p(pb, y * avctx->width * s->bpp + x * s->bpp, SEEK_SET);
            } else {
+                if (bytestream2_get_bytes_left_p(pb) < copy * s->bpp)
+                    return AVERROR_INVALIDDATA;
+
                for (j = 0; j < copy; j++) {
                    switch (avctx->bits_per_coded_sample) {
                    case 8:
@@ -50,6 +50,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext

        if (run == 0) {
            run = bytestream2_get_le32(gb);
+
+            if (bytestream2_tell_p(pb) + width - w < run)
+                return AVERROR_INVALIDDATA;
+
            for (int j = 0; j < run; j++, w++) {
                if (w == width) {
                    w = 0;
@@ -61,6 +65,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext
            int pos = bytestream2_tell_p(pb);

            bytestream2_seek(gbp, pos, SEEK_SET);
+
+            if (pos + width - w < fill)
+                return AVERROR_INVALIDDATA;
+
            for (int j = 0; j < fill; j++, w++) {
                if (w == width) {
                    w = 0;
@@ -72,6 +80,9 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext

            intra = 0;
        } else {
+            if (bytestream2_tell_p(pb) + width - w < run)
+                return AVERROR_INVALIDDATA;
+
            for (int j = 0; j < run; j++, w++) {
                if (w == width) {
                    w = 0;
@@ -42,6 +42,11 @@ static int noise(AVBSFContext *ctx, AVPacket *pkt)
    if (amount <= 0)
        return AVERROR(EINVAL);

+    if (ctx->par_in->codec_id == AV_CODEC_ID_WRAPPED_AVFRAME) {
+        av_log(ctx, AV_LOG_ERROR, "Wrapped AVFrame noising is unsupported\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
    ret = ff_bsf_get_packet_ref(ctx, pkt);
    if (ret < 0)
        return ret;
@@ -240,7 +240,9 @@ static int decode_blocks(AVCodecContext *avctx, AVFrame *p, ThreadFrame *frame,

        bytestream2_seek(&dgb, s->y_data_offset + row_offset, SEEK_SET);

-        init_get_bits8(&bit, dgb.buffer, bytestream2_get_bytes_left(&dgb));
+        ret = init_get_bits8(&bit, dgb.buffer, bytestream2_get_bytes_left(&dgb));
+        if (ret < 0)
+            return ret;
        for (int x = 0; x < avctx->width; x += 4) {
            unsigned item = bytestream2_get_le32(gb);
            unsigned y_min = item & 4095;
@@ -624,6 +624,8 @@ int ff_nvdec_simple_end_frame(AVCodecContext *avctx)
    NVDECContext *ctx = avctx->internal->hwaccel_priv_data;
    int ret = ff_nvdec_end_frame(avctx);
    ctx->bitstream = NULL;
+    ctx->bitstream_len = 0;
+    ctx->nb_slices = 0;
    return ret;
 }

@@ -80,8 +80,9 @@ static int nvdec_mpeg12_start_frame(AVCodecContext *avctx, const uint8_t *buffer
    };

    for (i = 0; i < 64; ++i) {
-        ppc->QuantMatrixIntra[i] = s->intra_matrix[i];
-        ppc->QuantMatrixInter[i] = s->inter_matrix[i];
+        int n = s->idsp.idct_permutation[i];
+        ppc->QuantMatrixIntra[i] = s->intra_matrix[n];
+        ppc->QuantMatrixInter[i] = s->inter_matrix[n];
    }

    return 0;
@@ -86,8 +86,9 @@ static int nvdec_mpeg4_start_frame(AVCodecContext *avctx, const uint8_t *buffer,
    };

    for (i = 0; i < 64; ++i) {
-        ppc->QuantMatrixIntra[i] = s->intra_matrix[i];
-        ppc->QuantMatrixInter[i] = s->inter_matrix[i];
+        int n = s->idsp.idct_permutation[i];
+        ppc->QuantMatrixIntra[i] = s->intra_matrix[n];
+        ppc->QuantMatrixInter[i] = s->inter_matrix[n];
    }

    // We need to pass the full frame buffer and not just the slice
@@ -632,6 +632,8 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
    int ret;
    size_t byte_depth = s->bit_depth > 8 ? 2 : 1;

+    if (!p)
+        return AVERROR_INVALIDDATA;
    if (!(s->hdr_state & PNG_IHDR)) {
        av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n");
        return AVERROR_INVALIDDATA;
@@ -1382,6 +1384,9 @@ skip_tag:
    }
 exit_loop:

+    if (!p)
+        return AVERROR_INVALIDDATA;
+
    if (avctx->codec_id == AV_CODEC_ID_PNG &&
        avctx->skip_frame == AVDISCARD_ALL) {
        return 0;
@@ -1551,7 +1556,7 @@ static int decode_frame_apng(AVCodecContext *avctx,
        s->zstream.zfree  = ff_png_zfree;

        bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size);
-        if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0)
+        if ((ret = decode_frame_common(avctx, s, NULL, avpkt)) < 0)
            goto end;
    }

@@ -3,9 +3,6 @@
 *
 * Copyright (c) 2012 Konstantin Shishkov
 *
- * This encoder appears to be based on Anatoliy Wassermans considering
- * similarities in the bugs.
- *
 * This file is part of FFmpeg.
 *
 * FFmpeg is free software; you can redistribute it and/or
@@ -135,6 +135,12 @@ typedef struct FrameThreadContext {
                                    * Set for the first N packets, where N is the number of threads.
                                    * While it is set, ff_thread_en/decode_frame won't return any results.
                                    */
+
+    /* hwaccel state is temporarily stored here in order to transfer its ownership
+     * to the next decoding thread without the need for extra synchronization */
+    const AVHWAccel *stash_hwaccel;
+    void            *stash_hwaccel_context;
+    void            *stash_hwaccel_priv;
 } FrameThreadContext;

 #define THREAD_SAFE_CALLBACKS(avctx) \
@@ -211,9 +217,17 @@ static attribute_align_arg void *frame_worker_thread(void *arg)
            ff_thread_finish_setup(avctx);

        if (p->hwaccel_serializing) {
+            /* wipe hwaccel state to avoid stale pointers lying around;
+             * the state was transferred to FrameThreadContext in
+             * ff_thread_finish_setup(), so nothing is leaked */
+            avctx->hwaccel                     = NULL;
+            avctx->hwaccel_context             = NULL;
+            avctx->internal->hwaccel_priv_data = NULL;
+
            p->hwaccel_serializing = 0;
            pthread_mutex_unlock(&p->parent->hwaccel_mutex);
        }
+        av_assert0(!avctx->hwaccel);

        if (p->async_serializing) {
            p->async_serializing = 0;
@@ -275,14 +289,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
        dst->color_range = src->color_range;
        dst->chroma_sample_location = src->chroma_sample_location;

-        dst->hwaccel = src->hwaccel;
-        dst->hwaccel_context = src->hwaccel_context;
-
        dst->channels       = src->channels;
        dst->sample_rate    = src->sample_rate;
        dst->sample_fmt     = src->sample_fmt;
        dst->channel_layout = src->channel_layout;
-        dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;

        if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
            (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
@@ -426,6 +436,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx,
            pthread_mutex_unlock(&p->mutex);
            return err;
        }
+
+        /* transfer hwaccel state stashed from previous thread, if any */
+        av_assert0(!p->avctx->hwaccel);
+        FFSWAP(const AVHWAccel*, p->avctx->hwaccel,                     fctx->stash_hwaccel);
+        FFSWAP(void*,            p->avctx->hwaccel_context,             fctx->stash_hwaccel_context);
+        FFSWAP(void*,            p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
    }

    av_packet_unref(&p->avpkt);
@@ -627,6 +643,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
        async_lock(p->parent);
    }

+    /* save hwaccel state for passing to the next thread;
+     * this is done here so that this worker thread can wipe its own hwaccel
+     * state after decoding, without requiring synchronization */
+    av_assert0(!p->parent->stash_hwaccel);
+    p->parent->stash_hwaccel         = avctx->hwaccel;
+    p->parent->stash_hwaccel_context = avctx->hwaccel_context;
+    p->parent->stash_hwaccel_priv    = avctx->internal->hwaccel_priv_data;
+
    pthread_mutex_lock(&p->progress_mutex);
    if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
        av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
@@ -668,13 +692,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)

    park_frame_worker_threads(fctx, thread_count);

-    if (fctx->prev_thread && avctx->internal->hwaccel_priv_data !=
-                             fctx->prev_thread->avctx->internal->hwaccel_priv_data) {
-        if (update_context_from_thread(avctx, fctx->prev_thread->avctx, 1) < 0) {
-            av_log(avctx, AV_LOG_ERROR, "Failed to update user thread.\n");
-        }
-    }
-
    if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
        if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
            av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
@@ -738,6 +755,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
    pthread_mutex_destroy(&fctx->async_mutex);
    pthread_cond_destroy(&fctx->async_cond);

+    /* if we have stashed hwaccel state, move it to the user-facing context,
+     * so it will be freed in avcodec_close() */
+    av_assert0(!avctx->hwaccel);
+    FFSWAP(const AVHWAccel*, avctx->hwaccel,                     fctx->stash_hwaccel);
+    FFSWAP(void*,            avctx->hwaccel_context,             fctx->stash_hwaccel_context);
+    FFSWAP(void*,            avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+
    av_freep(&avctx->internal->thread_ctx);

    if (avctx->priv_data && avctx->codec && avctx->codec->priv_class)
@@ -248,9 +248,12 @@ static int qsv_decode_init(AVCodecContext *avctx, QSVContext *q, mfxVideoParam *

    q->frame_info = param->mfx.FrameInfo;

-    if (!avctx->hw_frames_ctx)
-        q->pool = av_buffer_pool_init(av_image_get_buffer_size(avctx->pix_fmt,
-                    FFALIGN(avctx->width, 128), FFALIGN(avctx->height, 64), 1), av_buffer_allocz);
+    if (!avctx->hw_frames_ctx) {
+        ret = av_image_get_buffer_size(avctx->pix_fmt, FFALIGN(avctx->width, 128), FFALIGN(avctx->height, 64), 1);
+        if (ret < 0)
+            return ret;
+        q->pool = av_buffer_pool_init(ret, av_buffer_allocz);
+    }
    return 0;
 }

@@ -466,6 +466,8 @@ static int decode_adaptive6(PixelModel3 *m, uint32_t code, uint32_t *value,
            return 0;
        grow_dec(m);
        c = add_dec(m, q, g, f);
+        if (c < 0)
+            return AVERROR_INVALIDDATA;
    }

    incr_cntdec(m, c);
@@ -885,11 +887,11 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
        sync_code3(gb, rc);
        break;
    case 6:
-        if (!decode_adaptive6(m, code, value, &a, &b)) {
+        ret = decode_adaptive6(m, code, value, &a, &b);
+        if (!ret)
            ret = update_model6_to_7(m);
-            if (ret < 0)
-                return AVERROR_INVALIDDATA;
-        }
+        if (ret < 0)
+            return ret;
        decode3(gb, rc, a, b);
        sync_code3(gb, rc);
        break;
@@ -167,6 +167,9 @@ int ff_tak_decode_frame_header(AVCodecContext *avctx, GetBitContext *gb,
    if (ti->flags & TAK_FRAME_FLAG_HAS_METADATA)
        return AVERROR_INVALIDDATA;

+    if (get_bits_left(gb) < 24)
+        return AVERROR_INVALIDDATA;
+
    skip_bits(gb, 24);

    return 0;
@@ -28,8 +28,8 @@ static void decorrelate_ls(int32_t *p1, int32_t *p2, int length)
    int i;

    for (i = 0; i < length; i++) {
-        int32_t a = p1[i];
-        int32_t b = p2[i];
+        uint32_t a = p1[i];
+        uint32_t b = p2[i];
        p2[i]     = a + b;
    }
 }
@@ -39,8 +39,8 @@ static void decorrelate_sr(int32_t *p1, int32_t *p2, int length)
    int i;

    for (i = 0; i < length; i++) {
-        int32_t a = p1[i];
-        int32_t b = p2[i];
+        uint32_t a = p1[i];
+        uint32_t b = p2[i];
        p1[i]     = b - a;
    }
 }
@@ -50,7 +50,7 @@ static void decorrelate_sm(int32_t *p1, int32_t *p2, int length)
    int i;

    for (i = 0; i < length; i++) {
-        int32_t a = p1[i];
+        uint32_t a = p1[i];
        int32_t b = p2[i];
        a        -= b >> 1;
        p1[i]     = a;
@@ -63,7 +63,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int
    int i;

    for (i = 0; i < length; i++) {
-        int32_t a = p1[i];
+        uint32_t a = p1[i];
        int32_t b = p2[i];
        b         = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift;
        p1[i]     = b - a;
@@ -222,8 +222,8 @@ static int dct_error(const struct algo *dct, int test, int is_idct, int speed, c
            v = abs(err);
            if (v > err_inf)
                err_inf = v;
-            err2_matrix[i] += v * v;
-            err2 += v * v;
+            err2_matrix[i] += v * (int64_t)v;
+            err2 += v * (int64_t)v;
            sysErr[i] += block[i] - block1[i];
            blockSumErr += v;
            if (abs(block[i]) > maxout)
@@ -47,12 +47,12 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i
        return 1;
    }
    for (j = 0; j<MAX_W * MAX_W; j++) {
-        if (FFABS(array[j] - ref[j]) > max_diff) {
+        if (FFABS(array[j] - (int64_t)ref[j]) > max_diff) {
            fprintf(stderr, "missmatch at %d (%d != %d) decomp:%d border %d %d %d %d\n",
                    j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]);
            return 2;
        }
-        err2 += (array[j] - ref[j]) * (array[j] - ref[j]);
+        err2 += (array[j] - ref[j]) * (int64_t)(array[j] - ref[j]);
        array[j] = ref[j];
    }
    ff_dwt_destroy(s);
@@ -317,7 +317,8 @@ static void av_always_inline horizontal_fill(TiffContext *s,
            uint8_t shift = is_dng ? 0 : 16 - bpp;
            GetBitContext gb;

-            init_get_bits8(&gb, src, width);
+            int ret = init_get_bits8(&gb, src, width);
+            av_assert1(ret >= 0);
            for (int i = 0; i < s->width; i++) {
                dst16[i] = get_bits(&gb, bpp) << shift;
            }
@@ -351,7 +352,8 @@ static void unpack_gray(TiffContext *s, AVFrame *p,
    GetBitContext gb;
    uint16_t *dst = (uint16_t *)(p->data[0] + lnum * p->linesize[0]);

-    init_get_bits8(&gb, src, width);
+    int ret = init_get_bits8(&gb, src, width);
+    av_assert1(ret >= 0);

    for (int i = 0; i < s->width; i++) {
        dst[i] = get_bits(&gb, bpp);
@@ -1447,7 +1449,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
            s->sub_ifd = ff_tget(&s->gb, TIFF_LONG, s->le); /** Only get the first SubIFD */
        break;
    case DNG_LINEARIZATION_TABLE:
-        if (count > FF_ARRAY_ELEMS(s->dng_lut))
+        if (count < 1 || count > FF_ARRAY_ELEMS(s->dng_lut))
            return AVERROR_INVALIDDATA;
        for (int i = 0; i < count; i++)
            s->dng_lut[i] = ff_tget(&s->gb, type, s->le);
@@ -407,6 +407,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
        return AVERROR_PATCHWELCOME;
    }

+    if (s->h & 3) {
+        avpriv_request_sample(s->avctx, "Frame with height not being a multiple of 4");
+        return AVERROR_PATCHWELCOME;
+    }
+
    if (s->w != s->avctx->width || s->h != s->avctx->height ||
        new_pix_fmt != s->avctx->pix_fmt) {
        av_frame_unref(s->frame);
@@ -335,7 +335,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
            if (s->channels > 1) {
                int32_t *r = p - 1;
                for (*p += *r / 2; r > (int32_t*)p - s->channels; r--)
-                    *r = *(r + 1) - *r;
+                    *r = *(r + 1) - (unsigned)*r;
            }
            cur_chan = 0;
            i++;
@@ -323,7 +323,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
    }

    if (s->codec_id == AV_CODEC_ID_IFF_ILBM) {
-        w_align = FFMAX(w_align, 8);
+        w_align = FFMAX(w_align, 16);
    }

    *width  = FFALIGN(*width, w_align);
@@ -1635,9 +1635,9 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
    if (sr > 0) {
        /* calc from sample rate */
        if (id == AV_CODEC_ID_TTA)
-            return 256 * sr / 245;
+            return 256ll * sr / 245;
        else if (id == AV_CODEC_ID_DST)
-            return 588 * sr / 44100;
+            return 588ll * sr / 44100;

        if (ch > 0) {
            /* calc from sample rate and channels */
@@ -193,6 +193,9 @@ static av_cold int vble_decode_init(AVCodecContext *avctx)
    ctx->size = av_image_get_buffer_size(avctx->pix_fmt,
                                         avctx->width, avctx->height, 1);

+    if (ctx->size < 0)
+        return ctx->size;
+
    ctx->val = av_malloc_array(ctx->size, sizeof(*ctx->val));

    if (!ctx->val) {
@@ -73,8 +73,9 @@ static int vdpau_mpeg_start_frame(AVCodecContext *avctx,
    info->f_code[1][0]               = s->mpeg_f_code[1][0];
    info->f_code[1][1]               = s->mpeg_f_code[1][1];
    for (i = 0; i < 64; ++i) {
-        info->intra_quantizer_matrix[i]     = s->intra_matrix[i];
-        info->non_intra_quantizer_matrix[i] = s->inter_matrix[i];
+        int n = s->idsp.idct_permutation[i];
+        info->intra_quantizer_matrix[i]     = s->intra_matrix[n];
+        info->non_intra_quantizer_matrix[i] = s->inter_matrix[n];
    }

    return ff_vdpau_common_start_frame(pic_ctx, buffer, size);
@@ -74,8 +74,9 @@ static int vdpau_mpeg4_start_frame(AVCodecContext *avctx,
    info->alternate_vertical_scan_flag      = s->alternate_scan;
    info->top_field_first                   = s->top_field_first;
    for (i = 0; i < 64; ++i) {
-        info->intra_quantizer_matrix[i]     = s->intra_matrix[i];
-        info->non_intra_quantizer_matrix[i] = s->inter_matrix[i];
+        int n = s->idsp.idct_permutation[i];
+        info->intra_quantizer_matrix[i]     = s->intra_matrix[n];
+        info->non_intra_quantizer_matrix[i] = s->inter_matrix[n];
    }

    ff_vdpau_common_start_frame(pic_ctx, buffer, size);
@@ -363,6 +363,10 @@ static int vorbis_parse_setup_hdr_codebooks(vorbis_context *vc)
            unsigned codebook_value_bits = get_bits(gb, 4) + 1;
            unsigned codebook_sequence_p = get_bits1(gb);

+            if (!isfinite(codebook_minimum_value) || !isfinite(codebook_delta_value)) {
+                ret = AVERROR_INVALIDDATA;
+                goto error;
+            }
            ff_dlog(NULL, " We expect %d numbers for building the codevectors. \n",
                    codebook_lookup_values);
            ff_dlog(NULL, "  delta %f minmum %f \n",
@@ -1447,6 +1451,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
                            unsigned step = FASTDIV(vr->partition_size << 1, dim << 1);
                            vorbis_codebook codebook = vc->codebooks[vqbook];

+                            if (get_bits_left(gb) <= 0)
+                                return AVERROR_INVALIDDATA;
+
                            if (vr_type == 0) {

                                voffs = voffset+j*vlen;
@@ -1999,8 +1999,7 @@ static int vp4_mc_loop_filter(Vp3DecodeContext *s, int plane, int motion_x, int
        x_offset = (-(x + 2) & 7) + 2;
        y_offset = (-(y + 2) & 7) + 2;

-        if (x_offset > 8 + x_subpel && y_offset > 8 + y_subpel)
-            return 0;
+        av_assert1(!(x_offset > 8 + x_subpel && y_offset > 8 + y_subpel));

        s->vdsp.emulated_edge_mc(loop, motion_source - stride - 1,
             loop_stride, stride,
@@ -235,8 +235,16 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7)
            return AVERROR(ENOMEM);
        }
 #if HAVE_THREADS
-        pthread_mutex_init(&s->thread_data[i].lock, NULL);
-        pthread_cond_init(&s->thread_data[i].cond, NULL);
+        ret = pthread_mutex_init(&s->thread_data[i].lock, NULL);
+        if (ret) {
+            free_buffers(s);
+            return AVERROR(ret);
+        }
+        ret = pthread_cond_init(&s->thread_data[i].cond, NULL);
+        if (ret) {
+            free_buffers(s);
+            return AVERROR(ret);
+        }
 #endif
    }

@@ -1976,7 +1976,7 @@ static void encode_flush(WavPackEncodeContext *s)
                put_bits(pb, 31, 0x7FFFFFFF);
                cbits -= 31;
            } else {
-                put_bits(pb, cbits, (1 << cbits) - 1);
+                put_bits(pb, cbits, (1U << cbits) - 1);
                cbits = 0;
            }
        } while (cbits);
@@ -2005,7 +2005,7 @@ static void encode_flush(WavPackEncodeContext *s)
                    put_bits(pb, 31, 0x7FFFFFFF);
                    cbits -= 31;
                } else {
-                    put_bits(pb, cbits, (1 << cbits) - 1);
+                    put_bits(pb, cbits, (1U << cbits) - 1);
                    cbits = 0;
                }
            } while (cbits);
@@ -35,12 +35,20 @@
 static av_always_inline av_const int MULL(int a, int b, unsigned shift)
 {
    int rt, dummy;
+    if (__builtin_constant_p(shift))
    __asm__ (
        "imull %3               \n\t"
        "shrdl %4, %%edx, %%eax \n\t"
        :"=a"(rt), "=d"(dummy)
-        :"a"(a), "rm"(b), "ci"((uint8_t)shift)
+        :"a"(a), "rm"(b), "i"(shift & 0x1F)
    );
+    else
+        __asm__ (
+            "imull %3               \n\t"
+            "shrdl %4, %%edx, %%eax \n\t"
+            :"=a"(rt), "=d"(dummy)
+            :"a"(a), "rm"(b), "c"((uint8_t)shift)
+        );
    return rt;
 }

@@ -113,19 +121,31 @@ __asm__ volatile(\
 // avoid +32 for shift optimization (gcc should do that ...)
 #define NEG_SSR32 NEG_SSR32
 static inline  int32_t NEG_SSR32( int32_t a, int8_t s){
+    if (__builtin_constant_p(s))
    __asm__ ("sarl %1, %0\n\t"
         : "+r" (a)
-         : "ic" ((uint8_t)(-s))
+         : "i" (-s & 0x1F)
    );
+    else
+        __asm__ ("sarl %1, %0\n\t"
+               : "+r" (a)
+               : "c" ((uint8_t)(-s))
+        );
    return a;
 }

 #define NEG_USR32 NEG_USR32
 static inline uint32_t NEG_USR32(uint32_t a, int8_t s){
+    if (__builtin_constant_p(s))
    __asm__ ("shrl %1, %0\n\t"
         : "+r" (a)
-         : "ic" ((uint8_t)(-s))
+         : "i" (-s & 0x1F)
    );
+    else
+        __asm__ ("shrl %1, %0\n\t"
+               : "+r" (a)
+               : "c" ((uint8_t)(-s))
+        );
    return a;
 }

@@ -60,7 +60,7 @@ av_cold void ff_vp3dsp_init_x86(VP3DSPContext *c, int flags)

        if (!(flags & AV_CODEC_FLAG_BITEXACT)) {
            c->v_loop_filter = c->v_loop_filter_unaligned = ff_vp3_v_loop_filter_mmxext;
-            c->h_loop_filter = c->v_loop_filter_unaligned = ff_vp3_h_loop_filter_mmxext;
+            c->h_loop_filter = c->h_loop_filter_unaligned = ff_vp3_h_loop_filter_mmxext;
        }
    }

@@ -56,37 +56,37 @@ static const int TAB35[] = { 26722, 25172, 22654, 19266, 15137, 10426, 5315 };

 static int idct_row(short *in, const int *const tab, int rnd)
 {
-    const int c1 = tab[0];
-    const int c2 = tab[1];
-    const int c3 = tab[2];
-    const int c4 = tab[3];
-    const int c5 = tab[4];
-    const int c6 = tab[5];
-    const int c7 = tab[6];
+    const unsigned c1 = tab[0];
+    const unsigned c2 = tab[1];
+    const unsigned c3 = tab[2];
+    const unsigned c4 = tab[3];
+    const unsigned c5 = tab[4];
+    const unsigned c6 = tab[5];
+    const unsigned c7 = tab[6];

    const int right = in[5] | in[6] | in[7];
    const int left  = in[1] | in[2] | in[3];
    if (!(right | in[4])) {
        const int k = c4 * in[0] + rnd;
        if (left) {
-            const int a0 = k + c2 * in[2];
-            const int a1 = k + c6 * in[2];
-            const int a2 = k - c6 * in[2];
-            const int a3 = k - c2 * in[2];
+            const unsigned a0 = k + c2 * in[2];
+            const unsigned a1 = k + c6 * in[2];
+            const unsigned a2 = k - c6 * in[2];
+            const unsigned a3 = k - c2 * in[2];

            const int b0 = c1 * in[1] + c3 * in[3];
            const int b1 = c3 * in[1] - c7 * in[3];
            const int b2 = c5 * in[1] - c1 * in[3];
            const int b3 = c7 * in[1] - c5 * in[3];

-            in[0] = (a0 + b0) >> ROW_SHIFT;
-            in[1] = (a1 + b1) >> ROW_SHIFT;
-            in[2] = (a2 + b2) >> ROW_SHIFT;
-            in[3] = (a3 + b3) >> ROW_SHIFT;
-            in[4] = (a3 - b3) >> ROW_SHIFT;
-            in[5] = (a2 - b2) >> ROW_SHIFT;
-            in[6] = (a1 - b1) >> ROW_SHIFT;
-            in[7] = (a0 - b0) >> ROW_SHIFT;
+            in[0] = (int)(a0 + b0) >> ROW_SHIFT;
+            in[1] = (int)(a1 + b1) >> ROW_SHIFT;
+            in[2] = (int)(a2 + b2) >> ROW_SHIFT;
+            in[3] = (int)(a3 + b3) >> ROW_SHIFT;
+            in[4] = (int)(a3 - b3) >> ROW_SHIFT;
+            in[5] = (int)(a2 - b2) >> ROW_SHIFT;
+            in[6] = (int)(a1 - b1) >> ROW_SHIFT;
+            in[7] = (int)(a0 - b0) >> ROW_SHIFT;
        } else {
            const int a0 = k >> ROW_SHIFT;
            if (a0) {
@@ -102,8 +102,8 @@ static int idct_row(short *in, const int *const tab, int rnd)
                return 0;
        }
    } else if (!(left | right)) {
-        const int a0 = (rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT;
-        const int a1 = (rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT;
+        const int a0 = (int)(rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT;
+        const int a1 = (int)(rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT;

        in[0] = a0;
        in[3] = a0;
@@ -114,7 +114,7 @@ static int idct_row(short *in, const int *const tab, int rnd)
        in[5] = a1;
        in[6] = a1;
    } else {
-        const int k  = c4 * in[0] + rnd;
+        const unsigned int k  = c4 * in[0] + rnd;
        const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6];
        const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6];
        const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6];
@@ -778,7 +778,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum,
            goto error;
        }
    }
-        if (ctx->device_filter[otherDevType]) {
+    if (ctx->device_filter[otherDevType]) {
        // avoid adding add two instances of the same device to the graph, one for video, one for audio
        // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK)
        if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) {
@@ -680,7 +680,10 @@ static av_cold int xcbgrab_read_header(AVFormatContext *s)

    if (!sscanf(s->url, "%[^+]+%d,%d", display_name, &c->x, &c->y)) {
        *display_name = 0;
-        sscanf(s->url, "+%d,%d", &c->x, &c->y);
+        if(sscanf(s->url, "+%d,%d", &c->x, &c->y) != 2) {
+            if (*s->url)
+                av_log(s, AV_LOG_WARNING, "Ambigous URL: %s\n", s->url);
+        }
    }

    c->conn = xcb_connect(display_name[0] ? display_name : NULL, &screen_num);
@@ -176,10 +176,11 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
            } else {
                for (i = s->nextiter; i < s->nextiter + s->nextlen; i++) {
                    int j = i % buffer_size;
-                    double ppeak, pdelta;
+                    double ppeak = 0, pdelta;

-                    ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ?
-                            fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]);
+                    if (nextpos[j] >= 0)
+                        ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ?
+                                fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]);
                    pdelta = (limit / peak - limit / ppeak) / (((buffer_size - nextpos[j] + s->pos) % buffer_size) / channels);
                    if (pdelta < nextdelta[j]) {
                        nextdelta[j] = pdelta;
@@ -75,6 +75,8 @@ static int config_input(AVFilterLink *inlink)

    s->length = s->delay * inlink->sample_rate / 1000;
    s->length *= 2;
+    if (s->length == 0)
+        return AVERROR(EINVAL);
    s->buffer = av_calloc(s->length, sizeof(*s->buffer));
    if (!s->buffer)
        return AVERROR(ENOMEM);
@@ -37,6 +37,16 @@
 #define STATUS_END_REACHED 1
 #define STATUS_BEGIN_REACHED 2

+static void sll_free(MatchingInfo **sll)
+{
+    while (*sll) {
+        MatchingInfo *tmp = *sll;
+        *sll = tmp->next;
+        tmp->next = NULL;
+        av_free(tmp);
+    }
+}
+
 static void fill_l1distlut(uint8_t lut[])
 {
    int i, j, tmp_i, tmp_j,count;
@@ -289,6 +299,11 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont
                        if (!c->next)
                            av_log(ctx, AV_LOG_FATAL, "Could not allocate memory");
                        c = c->next;
+
+                    }
+                    if (!c) {
+                        sll_free(&cands);
+                        goto error;
                    }
                    c->framerateratio = (i+1.0) / 30;
                    c->score = hspace[i][j].score;
@@ -305,6 +320,7 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont
            }
        }
    }
+    error:
    for (i = 0; i < MAX_FRAMERATE; i++) {
        av_freep(&hspace[i]);
    }
@@ -437,14 +453,14 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext *
                }

                if (tolerancecount > 2) {
-                    a = aprev;
-                    b = bprev;
                    if (dir == DIR_NEXT) {
                        /* turn around */
                        a = infos->first;
                        b = infos->second;
                        dir = DIR_PREV;
                    } else {
+                        a = aprev;
+                        b = bprev;
                        break;
                    }
                }
@@ -485,10 +501,10 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext *
            continue; /* matching sequence is too short */
        if ((double) goodfcount / (double) fcount < sc->thit)
            continue;
-        if ((double) goodfcount*0.5 < FFMAX(gooda, goodb))
+        if ((double) goodfcount*0.5 <= FFMAX(gooda, goodb))
            continue;

-        meandist = (double) goodfcount / (double) distsum;
+        meandist = (double) distsum / (double) goodfcount;

        if (meandist < minmeandist ||
                status == STATUS_END_REACHED | STATUS_BEGIN_REACHED ||
@@ -520,16 +536,6 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext *
    return bestmatch;
 }

-static void sll_free(MatchingInfo *sll)
-{
-    void *tmp;
-    while (sll) {
-        tmp = sll;
-        sll = sll->next;
-        av_freep(&tmp);
-    }
-}
-
 static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc, StreamContext *first, StreamContext *second, int mode)
 {
    CoarseSignature *cs, *cs2;
@@ -572,7 +578,7 @@ static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc
                   "ratio %f, offset %d, score %d, %d frames matching\n",
                   bestmatch.first->index, bestmatch.second->index,
                   bestmatch.framerateratio, bestmatch.offset, bestmatch.score, bestmatch.matchframes);
-            sll_free(infos);
+            sll_free(&infos);
        }
    } while (find_next_coarsecandidate(sc, second->coarsesiglist, &cs, &cs2, 0) && !bestmatch.whole);
    return bestmatch;
@@ -92,7 +92,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, const uint8_t *src, int wi
    for (y = 0; y < r; y++)
        ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2);
    for (;;) {
-        if (y < height - r) {
+        if (y + 1 < height - r) {
            int mod = ((y + r) / 2) % r;
            uint16_t *buf0 = buf + mod * bstride;
            uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride;
@@ -1096,8 +1096,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out)
    pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den,
                                   (int64_t)             outlink->time_base.den * inlink->time_base.num);

-    alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts);
-    alpha = av_clip(alpha, 0, ALPHA_MAX);
+    if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) {
+        alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts);
+        alpha = av_clip(alpha, 0, ALPHA_MAX);
+    } else {
+        av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n");
+        alpha = 0;
+    }

    if (alpha == 0 || alpha == ALPHA_MAX) {
        av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf);
@@ -296,7 +296,9 @@ static int config_props(AVFilterLink *outlink)
    double res;
    char *expr;

-    ff_draw_init(&rot->draw, inlink->format, 0);
+    ret = ff_draw_init(&rot->draw, inlink->format, 0);
+    if (ret < 0)
+        return ret;
    ff_draw_color(&rot->draw, &rot->color, rot->fillcolor);

    rot->hsub = pixdesc->log2_chroma_w;
@@ -390,6 +390,9 @@ static int xml_export(AVFilterContext *ctx, StreamContext *sc, const char* filen
    FILE* f;
    unsigned int pot3[5] = { 3*3*3*3, 3*3*3, 3*3, 3, 1 };

+    if (!sc->coarseend->last)
+        return AVERROR(EINVAL); // No frames ?
+
    f = fopen(filename, "w");
    if (!f) {
        int err = AVERROR(EINVAL);
@@ -18,6 +18,7 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

+#include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
 #include "libavutil/eval.h"
 #include "libavutil/imgutils.h"
@@ -146,10 +147,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
    w = dw; h = dh; x1[0] = dx1; y1[0] = dy1; x2[0] = dx2; y2[0] = dy2;

    x1[0] = av_clip(x1[0], 0, inlink->w - 1);
-    y1[0] = av_clip(y1[0], 0, inlink->w - 1);
+    y1[0] = av_clip(y1[0], 0, inlink->h - 1);

    x2[0] = av_clip(x2[0], 0, inlink->w - 1);
-    y2[0] = av_clip(y2[0], 0, inlink->w - 1);
+    y2[0] = av_clip(y2[0], 0, inlink->h - 1);

    ah[1] = ah[2] = AV_CEIL_RSHIFT(h, s->desc->log2_chroma_h);
    ah[0] = ah[3] = h;
@@ -169,16 +170,20 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
    lw[1] = lw[2] = AV_CEIL_RSHIFT(inlink->w, s->desc->log2_chroma_w);
    lw[0] = lw[3] = inlink->w;

-    x1[1] = x1[2] = AV_CEIL_RSHIFT(x1[0], s->desc->log2_chroma_w);
+    x1[1] = x1[2] = (x1[0] >> s->desc->log2_chroma_w);
    x1[0] = x1[3] = x1[0];
-    y1[1] = y1[2] = AV_CEIL_RSHIFT(y1[0], s->desc->log2_chroma_h);
+    y1[1] = y1[2] = (y1[0] >> s->desc->log2_chroma_h);
    y1[0] = y1[3] = y1[0];

-    x2[1] = x2[2] = AV_CEIL_RSHIFT(x2[0], s->desc->log2_chroma_w);
+    x2[1] = x2[2] = (x2[0] >> s->desc->log2_chroma_w);
    x2[0] = x2[3] = x2[0];
-    y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h);
+    y2[1] = y2[2] = (y2[0] >> s->desc->log2_chroma_h);
    y2[0] = y2[3] = y2[0];

+
+    av_assert0(FFMAX(x1[1], x2[1]) + pw[1] <= lw[1]);
+    av_assert0(FFMAX(y1[1], y2[1]) + ph[1] <= lh[1]);
+
    for (p = 0; p < s->nb_planes; p++) {
        if (ph[p] == ah[p] && pw[p] == aw[p]) {
            uint8_t *src = in->data[p] + y1[p] * in->linesize[p] + x1[p] * s->pixsteps[p];
@@ -288,7 +288,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame)
            hist[i] = 4 * hist[i];
    }

-    CHECK_CU(cu->cuCtxPopCurrent(&dummy));
+    ret = CHECK_CU(cu->cuCtxPopCurrent(&dummy));
    if (ret < 0)
        return ret;

@@ -176,7 +176,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
    }
    if (vsMotionDetection(md, &localmotions, &frame) != VS_OK) {
        av_log(ctx, AV_LOG_ERROR, "motion detection failed");
-        return AVERROR(AVERROR_EXTERNAL);
+        return AVERROR_EXTERNAL;
    } else {
        if (vsWriteToFile(md, s->f, &localmotions) != VS_OK) {
            int ret = AVERROR(errno);
@@ -30,6 +30,7 @@ typedef struct WeaveContext {
    int double_weave;
    int nb_planes;
    int planeheight[4];
+    int outheight[4];
    int linesize[4];

    AVFrame *prev;
@@ -92,6 +93,9 @@ static int config_props_output(AVFilterLink *outlink)
    s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h);
    s->planeheight[0] = s->planeheight[3] = inlink->h;

+    s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h);
+    s->outheight[0] = s->outheight[3] = 2*inlink->h;
+
    s->nb_planes = av_pix_fmt_count_planes(inlink->format);

    return 0;
@@ -124,14 +128,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
    field1 = weave ? s->first_field : (!s->first_field);
    field2 = weave ? (!s->first_field) : s->first_field;
    for (i = 0; i < s->nb_planes; i++) {
+        const int compensation = 2*s->planeheight[i] > s->outheight[i];
        av_image_copy_plane(out->data[i] + out->linesize[i] * field1,
                            out->linesize[i] * 2,
                            in->data[i], in->linesize[i],
-                            s->linesize[i], s->planeheight[i]);
+                            s->linesize[i], s->planeheight[i] - compensation * field1);
        av_image_copy_plane(out->data[i] + out->linesize[i] * field2,
                            out->linesize[i] * 2,
                            s->prev->data[i], s->prev->linesize[i],
-                            s->linesize[i], s->planeheight[i]);
+                            s->linesize[i], s->planeheight[i] - compensation * field2);
    }

    out->pts = s->double_weave ? s->prev->pts : in->pts / 2;
@@ -324,7 +324,7 @@ static int ape_read_header(AVFormatContext * s)
        final_size -= final_size & 3;
    }
    if (file_size <= 0 || final_size <= 0)
-        final_size = ape->finalframeblocks * 8;
+        final_size = ape->finalframeblocks * 8LL;
    ape->frames[ape->totalframes - 1].size = final_size;

    for (i = 0; i < ape->totalframes; i++) {
@@ -768,7 +768,7 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)

        avio_rl64(pb);             // offset, 8 bytes
        pres_time = avio_rl64(pb); // presentation time
-        pres_time -= asf->hdr.preroll * 10000;
+        pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000LL);
        avio_rl16(pb);             // entry length
        avio_rl32(pb);             // send time
        avio_rl32(pb);             // flags
@@ -70,6 +70,9 @@ static int avr_read_header(AVFormatContext *s)
    avio_skip(s->pb, 1); // replay speed

    st->codecpar->sample_rate = avio_rb24(s->pb);
+    if (st->codecpar->sample_rate == 0)
+        return AVERROR_INVALIDDATA;
+
    avio_skip(s->pb, 4 * 3);
    avio_skip(s->pb, 2 * 3);
    avio_skip(s->pb, 20);
@@ -140,6 +140,10 @@ static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt)
        return 0;    /* this indicate EOS */
    if (ret < 0)
        return ret;
+    if (size != (int)size) {
+        av_packet_unref(pkt);
+        return AVERROR(EDOM);
+    }

    pkt->stream_index = avs->st_audio->index;
    pkt->flags |= AV_PKT_FLAG_KEY;
@@ -220,7 +220,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size)
        }
    }

-    if (avio_tell(pb) - ccount > size) {
+    if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) {
        av_log(s, AV_LOG_ERROR, "error reading packet table\n");
        return AVERROR_INVALIDDATA;
    }
@@ -292,6 +292,9 @@ static int read_header(AVFormatContext *s)
            avio_skip(pb, 4); /* edit count */
            caf->data_start = avio_tell(pb);
            caf->data_size  = size < 0 ? -1 : size - 4;
+            if (caf->data_start < 0 || caf->data_size > INT64_MAX - caf->data_start)
+                return AVERROR_INVALIDDATA;
+
            if (caf->data_size > 0 && (pb->seekable & AVIO_SEEKABLE_NORMAL))
                avio_skip(pb, caf->data_size);
            found_data = 1;
@@ -317,7 +317,7 @@ static int64_t get_best_effort_duration(ConcatFile *file, AVFormatContext *avf)
    if (file->user_duration != AV_NOPTS_VALUE)
        return file->user_duration;
    if (file->outpoint != AV_NOPTS_VALUE)
-        return file->outpoint - file->file_inpoint;
+        return av_sat_sub64(file->outpoint, file->file_inpoint);
    if (avf->duration > 0)
        return avf->duration - (file->file_inpoint - file->file_start_time);
    if (file->next_dts != AV_NOPTS_VALUE)
@@ -494,11 +494,15 @@ static int concat_read_header(AVFormatContext *avf)
        else
            time = cat->files[i].start_time;
        if (cat->files[i].user_duration == AV_NOPTS_VALUE) {
-            if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE)
+            if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE ||
+                cat->files[i].outpoint - (uint64_t)cat->files[i].inpoint != av_sat_sub64(cat->files[i].outpoint, cat->files[i].inpoint)
+            )
                break;
            cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint;
        }
        cat->files[i].duration = cat->files[i].user_duration;
+        if (time + (uint64_t)cat->files[i].user_duration > INT64_MAX)
+            return AVERROR_INVALIDDATA;
        time += cat->files[i].user_duration;
    }
    if (i == cat->nb_files) {
@@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s)
        if(ast->codecpar->block_align) {
            if (c->bpc > INT_MAX - ast->codecpar->block_align + 1)
                return AVERROR_INVALIDDATA;
-            c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align;
+            c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align;
        }
        c->bytes_left = fsize;
        c->wavpos = avio_tell(pb);
@@ -68,7 +68,7 @@ static int flac_read_header(AVFormatContext *s)
    /* process metadata blocks */
    while (!avio_feof(s->pb) && !metadata_last) {
        if (avio_read(s->pb, header, 4) != 4)
-            return AVERROR(AVERROR_INVALIDDATA);
+            return AVERROR_INVALIDDATA;
        flac_parse_block_header(header, &metadata_last, &metadata_type,
                                   &metadata_size);
        switch (metadata_type) {
@@ -228,6 +228,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt,
    int ret = 0, probe_size, buf_offset = 0;
    int score = 0;
    int ret2;
+    int eof = 0;

    if (!max_probe_size)
        max_probe_size = PROBE_BUF_MAX;
@@ -251,7 +252,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt,
        }
    }

-    for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt;
+    for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt && !eof;
         probe_size = FFMIN(probe_size << 1,
                            FFMAX(max_probe_size, probe_size + 1))) {
        score = probe_size < max_probe_size ? AVPROBE_SCORE_RETRY : 0;
@@ -267,6 +268,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt,

            score = 0;
            ret   = 0;          /* error was end of file, nothing read */
+            eof   = 1;
        }
        buf_offset += ret;
        if (buf_offset < offset)
@@ -67,7 +67,7 @@ static int fwse_read_header(AVFormatContext *s)
        par->channel_layout = AV_CH_LAYOUT_STEREO;
    st->duration = avio_rl32(pb);
    par->sample_rate = avio_rl32(pb);
-    if (par->sample_rate <= 0 || par->sample_rate > INT_MAX)
+    if (par->sample_rate <= 0)
        return AVERROR_INVALIDDATA;

    par->block_align = 1;
@@ -2377,7 +2377,7 @@ static const AVOption hls_options[] = {
        {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
        INT_MIN, INT_MAX, FLAGS},
    {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
-        OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
+        OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 3}, 0, INT_MAX, FLAGS},
    {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments",
        OFFSET(m3u8_hold_counters), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
    {"http_persistent", "Use persistent HTTP connections",
@@ -339,8 +339,11 @@ static void write_codec_attr(AVStream *st, VariantStream *vs)
    } else if (st->codecpar->codec_id == AV_CODEC_ID_MP3) {
        snprintf(attr, sizeof(attr), "mp4a.40.34");
    } else if (st->codecpar->codec_id == AV_CODEC_ID_AAC) {
-        /* TODO : For HE-AAC, HE-AACv2, the last digit needs to be set to 5 and 29 respectively */
-        snprintf(attr, sizeof(attr), "mp4a.40.2");
+        if (st->codecpar->profile != FF_PROFILE_UNKNOWN)
+            snprintf(attr, sizeof(attr), "mp4a.40.%d", st->codecpar->profile+1);
+        else
+            // This is for backward compatibility with the previous implementation.
+            snprintf(attr, sizeof(attr), "mp4a.40.2");
    } else if (st->codecpar->codec_id == AV_CODEC_ID_AC3) {
        snprintf(attr, sizeof(attr), "ac-3");
    } else if (st->codecpar->codec_id == AV_CODEC_ID_EAC3) {
@@ -365,7 +365,7 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen,
    int encoding;
    int ok = 0;

-    if (taglen < 1)
+    if (taglen < 4)
        goto error;

    encoding = avio_r8(pb);
@@ -217,7 +217,7 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof)
 {
    AVIOContext *pb = s->pb;

-    while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) {
+    while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) {
        uint32_t tag      = avio_rl32(pb);
        uint64_t size     = avio_rb64(pb);
        uint64_t orig_pos = avio_tell(pb);
@@ -254,7 +254,7 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof)
    int dsd_layout[6];
    ID3v2ExtraMeta *id3v2_extra_meta;

-    while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) {
+    while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) {
        uint32_t tag      = avio_rl32(pb);
        uint64_t size     = avio_rb64(pb);
        uint64_t orig_pos = avio_tell(pb);
@@ -773,7 +773,6 @@ static int jpeg_probe(const AVProbeData *p)
                return 0;
            state = EOI;
            break;
-        case DQT:
        case APP0:
        case APP1:
        case APP2:
@@ -790,6 +789,7 @@ static int jpeg_probe(const AVProbeData *p)
        case APP13:
        case APP14:
        case APP15:
+        case DQT: /* fallthrough */
        case COM:
            i += AV_RB16(&b[i + 2]) + 1;
            break;
@@ -132,35 +132,35 @@ shift_and_ret:
    return buf + len;
 }

-static int get_shift(int timeres, const char *buf)
+static int get_shift(unsigned timeres, const char *buf)
 {
    int sign = 1;
-    int a = 0, b = 0, c = 0, d = 0;
+    int h = 0, m = 0, s = 0, d = 0;
    int64_t ret;
 #define SSEP "%*1[.:]"
-    int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d);
+    int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &h, &m, &s, &d);
 #undef SSEP

-    if (a == INT_MIN)
+    if (h == INT_MIN)
        return 0;

-    if (*buf == '-' || a < 0) {
+    if (*buf == '-' || h < 0) {
        sign = -1;
-        a = FFABS(a);
+        h = FFABS(h);
    }

    ret = 0;
    switch (n) {
-    case 4:
-        ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d);
-        break;
-    case 3:
-        ret = sign * ((         (int64_t)a*60 + b) * timeres + c);
-        break;
-    case 2:
-        ret = sign * ((                (int64_t)a) * timeres + b);
-        break;
+    case 1:        h = 0;                   //clear all in case of a single parameter
+    case 2: s = m; m = h; h = 0;            //shift into second subsecondd
+    case 3: d = s; s = m; m = h; h = 0;     //shift into minute second subsecond
    }
+
+    ret = (int64_t)h*3600 + (int64_t)m*60 + s;
+    if (FFABS(ret) > (INT64_MAX - FFABS((int64_t)d)) / timeres)
+        return 0;
+    ret = sign * (ret * timeres + d);
+
    if ((int)ret != ret)
        ret = 0;

@@ -235,14 +235,17 @@ static int jacosub_read_header(AVFormatContext *s)
            }
            av_bprintf(&header, "#S %s", p);
            break;
-        case 'T': // ...but must be placed after TIMERES
-            jacosub->timeres = strtol(p, NULL, 10);
-            if (!jacosub->timeres)
+        case 'T': { // ...but must be placed after TIMERES
+            int64_t timeres = strtol(p, NULL, 10);
+            if (timeres <= 0 || timeres > UINT32_MAX) {
                jacosub->timeres = 30;
-            else
+            } else {
+                jacosub->timeres = timeres;
                av_bprintf(&header, "#T %s", p);
+            }
            break;
        }
+        }
    }

    /* general/essential directives in the extradata */
@@ -31,7 +31,7 @@
 typedef struct KVAGHeader {
    uint32_t    magic;
    uint32_t    data_size;
-    uint32_t    sample_rate;
+    int    sample_rate;
    uint16_t    stereo;
 } KVAGHeader;

@@ -65,6 +65,9 @@ static int kvag_read_header(AVFormatContext *s)
    hdr.sample_rate             = AV_RL32(buf +  8);
    hdr.stereo                  = AV_RL16(buf + 12);

+    if (hdr.sample_rate <= 0)
+        return AVERROR_INVALIDDATA;
+
    par                         = st->codecpar;
    par->codec_type             = AVMEDIA_TYPE_AUDIO;
    par->codec_id               = AV_CODEC_ID_ADPCM_IMA_SSI;
@@ -94,7 +94,10 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags)
        return AVERROR_EXTERNAL;
    }

-    av_strstart(uri, "zmq:", &uri);
+    if (av_strstart(uri, "zmq:", &uri)) {
+        av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri);
+        return AVERROR(EINVAL);
+    }

    /*publish during write*/
    if (h->flags & AVIO_FLAG_WRITE) {
@@ -2687,6 +2687,10 @@ static int matroska_parse_tracks(AVFormatContext *s)

        if (track->time_scale < 0.01)
            track->time_scale = 1.0;
+
+        if (matroska->time_scale * track->time_scale > UINT_MAX)
+            return AVERROR_INVALIDDATA;
+
        avpriv_set_pts_info(st, 64, matroska->time_scale * track->time_scale,
                            1000 * 1000 * 1000);    /* 64 bit pts in ns */

@@ -3700,7 +3704,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska)
    MatroskaBlock     *block = &cluster->block;
    int res;

-    av_assert0(matroska->num_levels <= 2);
+    av_assert0(matroska->num_levels <= 2U);

    if (matroska->num_levels == 1) {
        res = ebml_parse(matroska, matroska_segment, NULL);
@@ -4030,16 +4034,19 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
        int64_t prebuffer_ns = 1000000000;
        int64_t time_ns = st->index_entries[i].timestamp * matroska->time_scale;
        double nano_seconds_per_second = 1000000000.0;
-        int64_t prebuffered_ns = time_ns + prebuffer_ns;
+        int64_t prebuffered_ns;
        double prebuffer_bytes = 0.0;
        int64_t temp_prebuffer_ns = prebuffer_ns;
        int64_t pre_bytes, pre_ns;
        double pre_sec, prebuffer, bits_per_second;
        CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start);
-
        // Start with the first Cue.
        CueDesc desc_end = desc_beg;

+        if (time_ns > INT64_MAX - prebuffer_ns)
+            return -1;
+        prebuffered_ns = time_ns + prebuffer_ns;
+
        // Figure out how much data we have downloaded for the prebuffer. This will
        // be used later to adjust the bits per sample to try.
        while (desc_end.start_time_ns != -1 && desc_end.end_time_ns < prebuffered_ns) {
@@ -1116,6 +1116,12 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom)
    int ret = ffio_read_size(pb, type, 4);
    if (ret < 0)
        return ret;
+    if (c->fc->nb_streams) {
+        if (c->fc->strict_std_compliance >= FF_COMPLIANCE_STRICT)
+            return AVERROR_INVALIDDATA;
+        av_log(c->fc, AV_LOG_DEBUG, "Ignoring duplicate FTYP\n");
+        return 0;
+    }

    if (strcmp(type, "qt  "))
        c->isom = 1;
@@ -2032,8 +2038,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom)
        for (i = 0; i < entries && !pb->eof_reached; i++)
            sc->chunk_offsets[i] = avio_rb32(pb);
    else if (atom.type == MKTAG('c','o','6','4'))
-        for (i = 0; i < entries && !pb->eof_reached; i++)
+        for (i = 0; i < entries && !pb->eof_reached; i++) {
            sc->chunk_offsets[i] = avio_rb64(pb);
+            if (sc->chunk_offsets[i] < 0) {
+                av_log(c->fc, AV_LOG_WARNING, "Impossible chunk_offset\n");
+                sc->chunk_offsets[i] = 0;
+            }
+        }
    else
        return AVERROR_INVALIDDATA;

@@ -4400,12 +4411,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
    for (i = 1; i <= count; ++i) {
        uint32_t key_size = avio_rb32(pb);
        uint32_t type = avio_rl32(pb);
-        if (key_size < 8) {
+        if (key_size < 8 || key_size > atom.size) {
            av_log(c->fc, AV_LOG_ERROR,
                   "The key# %"PRIu32" in meta has invalid size:"
                   "%"PRIu32"\n", i, key_size);
            return AVERROR_INVALIDDATA;
        }
+        atom.size -= key_size;
        key_size -= 8;
        if (type != MKTAG('m','d','t','a')) {
            avio_skip(pb, key_size);
@@ -5417,8 +5429,10 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom)
        av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version);
        return 0;
    }
-    if (sc->mastering)
-        return AVERROR_INVALIDDATA;
+    if (sc->mastering) {
+        av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Metadata\n");
+        return 0;
+    }

    avio_skip(pb, 3); /* flags */

@@ -5455,11 +5469,16 @@ static int mov_read_mdcv(MOVContext *c, AVIOContext *pb, MOVAtom atom)

    sc = c->fc->streams[c->fc->nb_streams - 1]->priv_data;

-    if (atom.size < 24 || sc->mastering) {
+    if (atom.size < 24) {
        av_log(c->fc, AV_LOG_ERROR, "Invalid Mastering Display Color Volume box\n");
        return AVERROR_INVALIDDATA;
    }

+    if (sc->mastering) {
+        av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Color Volume\n");
+        return 0;
+    }
+
    sc->mastering = av_mastering_display_metadata_alloc();
    if (!sc->mastering)
        return AVERROR(ENOMEM);
@@ -7829,12 +7848,13 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st)
        if (msc->pb && msc->current_sample < avst->nb_index_entries) {
            AVIndexEntry *current_sample = &avst->index_entries[msc->current_sample];
            int64_t dts = av_rescale(current_sample->timestamp, AV_TIME_BASE, msc->time_scale);
+            uint64_t dtsdiff = best_dts > dts ? best_dts - (uint64_t)dts : ((uint64_t)dts - best_dts);
            av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts);
            if (!sample || (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && current_sample->pos < sample->pos) ||
                ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) &&
                 ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE &&
-                 ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) ||
-                  (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) {
+                 ((dtsdiff <= AV_TIME_BASE && current_sample->pos < sample->pos) ||
+                  (dtsdiff > AV_TIME_BASE && dts < best_dts)))))) {
                sample = current_sample;
                best_dts = dts;
                *st = avst;
@@ -7997,7 +8017,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt)
        pkt->flags |= AV_PKT_FLAG_DISCARD;
    }
    if (sc->ctts_data && sc->ctts_index < sc->ctts_count) {
-        pkt->pts = pkt->dts + sc->dts_shift + sc->ctts_data[sc->ctts_index].duration;
+        pkt->pts = av_sat_add64(pkt->dts, av_sat_add64(sc->dts_shift, sc->ctts_data[sc->ctts_index].duration));
        /* update ctts context */
        sc->ctts_sample++;
        if (sc->ctts_index < sc->ctts_count &&
@@ -5445,6 +5445,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt)
    if (ret < 0)
        return ret;

+    if (pkt->pts != AV_NOPTS_VALUE &&
+        (uint64_t)pkt->dts - pkt->pts != (int32_t)((uint64_t)pkt->dts - pkt->pts)) {
+        av_log(s, AV_LOG_WARNING, "pts/dts pair unsupported\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
    if (mov->flags & FF_MOV_FLAG_FRAGMENT) {
        int ret;
        if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) {
@@ -213,7 +213,7 @@ typedef struct MXFDescriptor {
 typedef struct MXFIndexTableSegment {
    UID uid;
    enum MXFMetadataSetType type;
-    int edit_unit_byte_count;
+    unsigned edit_unit_byte_count;
    int index_sid;
    int body_sid;
    AVRational index_edit_rate;
@@ -397,12 +397,15 @@ static int mxf_read_sync(AVIOContext *pb, const uint8_t *key, unsigned size)
    return i == size;
 }

-static int klv_read_packet(KLVPacket *klv, AVIOContext *pb)
+static int klv_read_packet(MXFContext *mxf, KLVPacket *klv, AVIOContext *pb)
 {
    int64_t length, pos;
    if (!mxf_read_sync(pb, mxf_klv_key, 4))
        return AVERROR_INVALIDDATA;
    klv->offset = avio_tell(pb) - 4;
+    if (klv->offset < mxf->run_in)
+        return AVERROR_INVALIDDATA;
+
    memcpy(klv->key, mxf_klv_key, 4);
    avio_read(pb, klv->key + 4, 12);
    length = klv_decode_ber_length(pb);
@@ -718,6 +721,9 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
    partition->index_sid = avio_rb32(pb);
    partition->body_offset = avio_rb64(pb);
    partition->body_sid = avio_rb32(pb);
+    if (partition->body_offset < 0)
+        return AVERROR_INVALIDDATA;
+
    if (avio_read(pb, op, sizeof(UID)) != sizeof(UID)) {
        av_log(mxf->fc, AV_LOG_ERROR, "Failed reading UID\n");
        return AVERROR_INVALIDDATA;
@@ -1133,6 +1139,9 @@ static int mxf_read_index_table_segment(void *arg, AVIOContext *pb, int tag, int
    case 0x3F0B:
        segment->index_edit_rate.num = avio_rb32(pb);
        segment->index_edit_rate.den = avio_rb32(pb);
+        if (segment->index_edit_rate.num <= 0 ||
+            segment->index_edit_rate.den <= 0)
+            return AVERROR_INVALIDDATA;
        av_log(NULL, AV_LOG_TRACE, "IndexEditRate %d/%d\n", segment->index_edit_rate.num,
                segment->index_edit_rate.den);
        break;
@@ -1598,9 +1607,13 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t
        if (edit_unit < s->index_start_position + s->index_duration) {
            int64_t index = edit_unit - s->index_start_position;

-            if (s->edit_unit_byte_count)
+            if (s->edit_unit_byte_count) {
+                if (index > INT64_MAX / s->edit_unit_byte_count ||
+                    s->edit_unit_byte_count * index > INT64_MAX - offset_temp)
+                    return AVERROR_INVALIDDATA;
+
                offset_temp += s->edit_unit_byte_count * index;
-            else {
+            } else {
                if (s->nb_index_entries == 2 * s->index_duration + 1)
                    index *= 2;     /* Avid index */

@@ -2876,7 +2889,7 @@ static int mxf_seek_to_previous_partition(MXFContext *mxf)
    /* Make sure this is actually a PartitionPack, and if so parse it.
     * See deadlock2.mxf
     */
-    if ((ret = klv_read_packet(&klv, pb)) < 0) {
+    if ((ret = klv_read_packet(mxf, &klv, pb)) < 0) {
        av_log(mxf->fc, AV_LOG_ERROR, "failed to read PartitionPack KLV\n");
        return ret;
    }
@@ -3158,7 +3171,7 @@ static void mxf_read_random_index_pack(AVFormatContext *s)
    if (length < min_rip_length || length > max_rip_length)
        goto end;
    avio_seek(s->pb, file_size - length, SEEK_SET);
-    if (klv_read_packet(&klv, s->pb) < 0 ||
+    if (klv_read_packet(mxf, &klv, s->pb) < 0 ||
        !IS_KLV_KEY(klv.key, mxf_random_index_pack_key))
        goto end;
    if (klv.next_klv != file_size || klv.length <= 4 || (klv.length - 4) % 12) {
@@ -3206,7 +3219,7 @@ static int mxf_read_header(AVFormatContext *s)
    while (!avio_feof(s->pb)) {
        const MXFMetadataReadTableEntry *metadata;

-        if (klv_read_packet(&klv, s->pb) < 0) {
+        if (klv_read_packet(mxf, &klv, s->pb) < 0) {
            /* EOF - seek to previous partition or stop */
            if(mxf_parse_handle_partition_or_eof(mxf) <= 0)
                break;
@@ -3462,7 +3475,7 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt)

        if (pos < mxf->current_klv_data.next_klv - mxf->current_klv_data.length || pos >= mxf->current_klv_data.next_klv) {
            mxf->current_klv_data = (KLVPacket){{0}};
-            ret = klv_read_packet(&klv, s->pb);
+            ret = klv_read_packet(mxf, &klv, s->pb);
            if (ret < 0)
                break;
            max_data_size = klv.length;
@@ -358,8 +358,12 @@ static int decode_main_header(NUTContext *nut)
        ret = AVERROR(ENOMEM);
        goto fail;
    }
-    for (i = 0; i < stream_count; i++)
-        avformat_new_stream(s, NULL);
+    for (i = 0; i < stream_count; i++) {
+        if (!avformat_new_stream(s, NULL)) {
+            ret = AVERROR(ENOMEM);
+            goto fail;
+        }
+    }

    return 0;
 fail:
@@ -807,19 +811,23 @@ static int nut_read_header(AVFormatContext *s)
    NUTContext *nut = s->priv_data;
    AVIOContext *bc = s->pb;
    int64_t pos;
-    int initialized_stream_count;
+    int initialized_stream_count, ret;

    nut->avf = s;

    /* main header */
    pos = 0;
+    ret = 0;
    do {
+        if (ret == AVERROR(ENOMEM))
+            return ret;
+
        pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1;
        if (pos < 0 + 1) {
            av_log(s, AV_LOG_ERROR, "No main startcode found.\n");
            goto fail;
        }
-    } while (decode_main_header(nut) < 0);
+    } while ((ret = decode_main_header(nut)) < 0);

    /* stream headers */
    pos = 0;
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .3.6
 .3.7