Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/hapdec: Change compressed_offset to unsigned 32bit
2021-02-20 14:22:23 +01:00 · 2021-02-20 14:21:24 +01:00 · 2021-02-20 14:21:24 +01:00 · 2021-02-20 14:21:24 +01:00 · 2021-02-20 14:21:24 +01:00 · 2021-02-20 14:21:24 +01:00
220 changed files with 2329 additions and 882 deletions
@@ -1,6 +1,303 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 4.3.2:
+ avcodec/hapdec: Change compressed_offset to unsigned 32bit
+ avformat/rmdec: Check codec_length without overflow
+ avformat/mov: Check element count in mov_metadata_hmmt()
+ avcodec/vp8: Move end check into MB loop in vp78_decode_mv_mb_modes()
+ avcodec/fits: Check gcount and pcount being non negative
+ avformat/nutdec: Check timebase count against main header length
+ avformat/electronicarts: Clear partial_packet on error
+ avformat/r3d: Check samples before computing duration
+ avcodec/pnm_parser: Check av_image_get_buffer_size() for failure
+ avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif()
+ avformat/rmdec: Check remaining space in debug av_log() loop
+ avformat/flvdec: Treat high ts byte as unsigned
+ avformat/samidec: Sanity check pts
+ avcodec/jpeg2000dec: Check atom_size in jp2_find_codestream()
+ avformat/avidec: Use 64bit in get_duration()
+ avformat/mov: Check for duplicate st3d
+ avformat/mvdec: Check for EOF in read_index()
+ avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular()
+ avformat/id3v2: Check the return from avio_get_str()
+ avcodec/hevc_sei: Check payload size in decode_nal_sei_message()
+ libavutil/eval: Remove CONFIG_TRAPV special handling
+ avformat/wtvdec: Check len in parse_chunks() to avoid overflow
+ avformat/asfdec_f: Add an additional check for the extradata size
+ avformat/3dostr: Check sample_rate
+ avformat/4xm: Make audio_frame_count 64bit
+ avformat/mov: Use av_mul_q() to avoid integer overflows
+ avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper
+ avformat/rmdec: Reorder operations to avoid overflow
+ avcodec/mxpegdec: fix SOF counting
+ avcodec/rscc: Check inflated_buf size whan it is used
+ avformat/mvdec: Sanity check SAMPLE_WIDTH
+ avcodec/nvenc: fix timestamp offset ticks logic
+ avformat/rmdec: Fix codecdata_length overflow check
+ avcodec/simple_idct: Fix undefined integer overflow in idct4row()
+ avformat/wavdec: Check block_align vs. channels before combining them
+ avformat/tta: Use 64bit intermediate for index
+ avformat/soxdec: Check channels to be positive
+ avformat/smacker: Check for too small pts_inc
+ avformat/sbgdec: Use av_sat_add64() in str_to_time()
+ avcodec/cscd: Check output len in zlib as in lzo
+ avcodec/vp3: Check input amount in theora_decode_header()
+ avformat/wavdec: Check avio_get_str16le() for failure
+ avformat/flvdec: Check for EOF in amf_skip_tag()
+ avformat/aiffdec: Check size before subtraction in get_aiff_header()
+ avformat/electronicarts: More chunk_size checks
+ avcodec/cfhd: check peak.offset
+ avformat/tedcaptionsdec: Check for overflow in parse_int()
+ avformat/nuv: Check channels
+ avcodec/siren: Increase noise category 5 and 6
+ avformat/mpc8: Check size before implicitly converting to int
+ avformat/nutdec: Fix integer overflow in count computation
+ avformat/mvi: Use 64bit for testing dimensions
+ avformat/utils: Check dts in update_initial_timestamps() more
+ avformat/mpsubdec: Use av_sat_add/sub64() in fracval handling
+ avformat/flvdec: Check for avio_read() failure in amf_get_string()
+ avformat/flvdec: Check for nesting depth in amf_skip_tag()
+ avformat/flvdec: Check for nesting depth in amf_parse_object()
+ avformat/asfdec_o: Check for EOF in asf_read_marker()
+ avformat/flvdec: Use av_sat_add64() for pts computation
+ avformat/utils: Check dts - (1<<pts_wrap_bits) overflow
+ avformat/bfi: Check chunk_header
+ avformat/ads: Check size
+ avformat/iff: Check block align also for ID_MAUD
+ avcodec/utils: Check for integer overflow in get_audio_frame_duration() for ADPCM_DTK
+ avformat/fitsdec: Better size checks
+ avformat/mxfdec: Fix integer overflow in next position in mxf_read_local_tags()
+ avformat/avidec: dv does not support palettes
+ avformat/dhav: Break out of infinite dhav search loop
+ libavformat/utils: consider avio_size() failure in ffio_limit()
+ avformat/nistspheredec: Check bits_per_coded_sample and channels
+ avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject()
+ avformat/utils: check for integer overflow in av_get_frame_filename2()
+ avutil/timecode: Avoid undefined behavior with large framenum
+ avformat/mov: Check a.size before computing next_root_atom
+ avformat/sbgdec: Reduce the amount of floating point in str_to_time()
+ avformat/mxfdec: Free all types for both Descriptors
+ uavformat/rsd: check for EOF in extradata
+ avcodec/wmaprodec: Check packet size
+ avformat/dhav: Check position for overflow
+ avcodec/rasc: Check frame before clearing
+ avformat/vividas: Check number of audio channels
+ avcodec/alsdec: Fix integer overflow with quant_cof
+ avformat/mpegts: Fix argument type for av_log
+ avformat/cafdec: clip sample rate
+ avcodec/ffv1dec: Fix off by 1 error with quant tables
+ avformat/mpegts: Increase pcr_incr width to 64bit
+ avcodec/utils: Check bitrate for overflow in get_bit_rate()
+ avformat/mov: Check if hoov is at the end
+ avcodec/hevc_ps: check scaling_list_dc_coef
+ avformat/iff: Check data_size
+ avformat/matroskadec: Sanity check codec_id/track type
+ avformat/rpl: Check the number of streams
+ avformat/vividas: Check sample_rate
+ avformat/vividas: Make len signed
+ avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct()
+ avformat/dsfdec: Check block_align more completely
+ avformat/mpc8: Check remaining space in mpc8_parse_seektable()
+ avformat/id3v2: Sanity check tlen before alloc and uncompress
+ avformat/vqf: Check len for COMM chunks
+ avformat/mov: Avoid overflow in end computation in mov_read_custom()
+ avcodec/hevc_cabac: Limit value in coeff_abs_level_remaining_decode() tighter
+ avformat/cafdec: Check the return code from av_add_index_entry()
+ avformat/cafdec: Check for EOF in index read loop
+ avformat/cafdec: Check that bytes_per_packet and frames_per_packet are non negative
+ avformat/mpc8: correct integer overflow in mpc8_parse_seektable()
+ avformat/mpc8: correct 32bit timestamp truncation
+ avcodec/exr: Check ymin vs. h
+ avformat/avs: Use 64bit for the avio_tell() output
+ avformat/wavdec: More complete size check in find_guid()
+ avcodec/mv30: Use unsigned in idct_1d()
+ avformat/iff: Check size before skip
+ avformat/rmdec: Check for EOF in index packet reading
+ avcodec/vp3dsp: Use unsigned constant to avoid undefined integer overflow in ff_vp3dsp_set_bounding_values()
+ avformat/icodec: Check for zero streams and stream creation failure
+ avformat/icodec: Factor failure code out in read_header()
+ avformat/bintext: Check width
+ avformat/sbgdec: Check that end is not before start
+ avformat/lvfdec: Check stream_index before use
+ avformat/au: cleanup on EOF return in au_read_annotation()
+ avformat/mpegts: Limit copied data to space
+ avformat/bintext: Check width in idf_read_header()
+ avformat/iff: check size against INT64_MAX
+ avformat/vividas: improve extradata packing checks in track_header()
+ avformat/paf: Check for EOF in read_table()
+ avformat/gxf: Check pkt_len
+ avformat/aiffdec: Check packet size
+ avformat/concatdec: use av_strstart()
+ avformat/wavdec: Refuse to read chunks bigger than the filesize in w64_read_header()
+ avformat/rsd: Check size and start before computing duration
+ avformat/vividas: better check of current_sb_entry
+ avformat/iff: More completely check body_size
+ avformat/vividas use avpriv_set_pts_info()
+ avformat/xwma: Check for EOF in dpds_table read code
+ avcodec/utils: Check sample rate before use for AV_CODEC_ID_BINKAUDIO_DCT in get_audio_frame_duration()
+ avcodec/dirac_parser: do not offset AV_NOPTS_OFFSET
+ avformat/rmdec: Make expected_len 64bit
+ avformat/pcm: Check block_align
+ avformat/lrcdec: Clip timestamps
+ avutil/mathematics: Use av_sat_add64() for the last addition in av_add_stable()
+ avformat/electronicarts: Check for EOF in each iteration of the loop in ea_read_packet()
+ avformat/ifv: Check that total frames do not overflow
+ avcodec/vp9dsp_template: Fix some overflows in iadst8_1d()
+ avcodec/fits: Check bscale
+ avformat/nistspheredec: Check bps
+ avformat/jacosubdec: Use 64bit inside get_shift()
+ avformat/genh: Check block_align
+ avformat/mvi: Check count for overflow
+ avcodec/magicyuv: Check slice size before reading flags and pred
+ avformat/asfdec_f: Check for negative ext_len
+ avformat/bethsoftvid: Check image dimensions before use
+ avformat/genh: Check block_align for how it will be used in SDX2_DPCM
+ avformat/au: Check for EOF in au_read_annotation()
+ avformat/vividas: Check for zero v_size
+ avformat/segafilm: Do not assume AV_CODEC_ID_NONE is 0
+ avformat/segafilm: Check that there is a stream
+ avformat/wtvdec: Check dir_length
+ avformat/ffmetadec: finalize AVBPrint on errors
+ avcodec/decode/ff_get_buffer: Check for overflow in FFALIGN()
+ avcodec/exr: Check limits to avoid overflow in delta computation
+ avformat/boadec: Check that channels and block_align are set
+ avformat/asfdec_f: Check name_len for overflow
+ avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct()
+ avformat/sbgdec: Check for timestamp overflow in parse_time_sequence()
+ avcodec/aacdec_fixed: Limit index in vector_pow43()
+ avformat/kvag: Fix integer overflow in bitrate computation
+ avcodec/h264_slice: fix undefined integer overflow with POC in error concealment
+ avformat/rmdec: sanity check coded_framesize
+ avformat/flvdec: Check for EOF in amf_parse_object()
+ avcodec/mv30: Fix multiple integer overflows
+ avcodec/smacker: Check remaining bits in SMK_BLK_FULL
+ avcodec/cook: Check subpacket index against max
+ avcodec/utils: Check for overflow with ATRAC* in get_audio_frame_duration()
+ avcodec/hevcpred_template: Fix diagonal chroma availability in 4:2:2 edge case in intra_pred
+ avformat/icodec: Change order of operations to avoid NULL dereference
+ avcodec/exr: Fix overflow with many blocks
+ avcodec/vp9dsp_template: Fix integer overflows in idct16_1d()
+ avcodec/ansi: Check initial dimensions
+ avcodec/hevcdec: Check slice_cb_qp_offset / slice_cr_qp_offset
+ avcodec/sonic: Check for overread
+ avformat/subviewerdec: fail on AV_NOPTS_VALUE
+ avcodec/exr: Check line size for overflow
+ avcodec/exr: Check xdelta, ydelta
+ avcodec/celp_filters: Avoid invalid negation in ff_celp_lp_synthesis_filter()
+ avcodec/takdsp: Fix negative shift in decorrelate_sf()
+ avcodec/dxtory: Fix negative stride shift in dx2_decode_slice_420()
+ avformat/asfdec_f: Change order or operations slightly
+ avformat/dxa: Use av_rescale() for duration computation
+ avcodec/vc1_block: Fix integer overflow in ac value
+ avcodec/mv30: Fix several integer overflows in idct_1d()
+ avformat/iff: Check data_size not overflowing int64
+ avcodec/dxtory: Fix negative shift in dx2_decode_slice_410()
+ avcodec/sonic: Check channels before deallocating
+ avformat/vividas: Check for EOF in first loop in track_header()
+ avformat/wvdec: Check rate for overflow
+ avcodec/ansi: Check nb_args for overflow
+ avformat/wc3movie: Cleanup on wc3_read_header() failure
+ avformat/wc3movie: Move wc3_read_close() up
+ avcodec/tiff: Fix default white level
+ avcodec/diracdsp: Fix integer anomaly in dequant_subband_*
+ avutil/fixed_dsp: Fix integer overflows in butterflies_fixed_c()
+ avcodec/mv30: Check remaining mask in decode_inter()
+ avcodec/wmalosslessdec: Check remaining space before padding and channel residue
+ avformat/cdg: Fix integer overflow in duration computation
+ avcodec/mpc: Fix multiple numerical overflows in ff_mpc_dequantize_and_synth()
+ avcodec/agm: Fix off by 1 error in decode_inter_plane()
+ avformat/electronicarts: Check if there are any streams
+ avcodec/ffwavesynth: Fix integer overflow in wavesynth_synth_sample / WS_SINE
+ avcodec/vp9dsp_template: Fix integer overflow in iadst8_1d()
+ avformat/avidec: Fix io_fsize overflow
+ avcodec/cfhd: Check transform type
+ avcodec/tiff: Check jpeg context against jpeg frame parameters
+ avcodec/tiff: Restrict tag order based on specification
+ avcodec/tiff: Avoid abort with DNG RAW TIFF with YA8
+ avcodec/tiff: Check the linearization table size
+ avformat/siff: Reject audio packets without audio stream
+ avformat/mpeg: Check avio_read() return value in get_pts()
+ avcodec/tiff: Check bpp/bppcount for 0
+ avcodec/snowdec: Sanity check hcoeff
+ avformat/mov: Check comp_brand_size
+ avformat/ape: Error out in case of EOF in the header
+ avcodec/alac: Check decorr_shift to avoid invalid shift
+ avcodec/tdsc: Fix tile checks
+ opusdec: do not fail when LBRR frames are present
+ configure: update copyright year
+ avfilter/vf_framerate: fix infinite loop with 1-frame input
+ avformat/url: Change () position in ff_make_absolute_url()
+ avformat/mpegts: make sure mpegts_read_header always stops at the first pmt
+ avformat/alp: fix handling of TUN files
+ avformat/argo_asf: fix handling of v1.1 files
+ swscale/x86/yuv2rgb: fix crashes when loading alpha from unaligned buffers
+ lavf/url: fix relative url parsing when the query string or fragment has a colon
+ avformat/libsrt: fix cleanups on failed libsrt_open() and libsrt_setup()
+ avcodec/cuviddec: backport extradata fixes
+ avcodec/cuviddec: handle arbitrarily sized extradata
+ lavf/srt: fix build fail when used the libsrt 1.4.1
+ avformat/libsrt: close listen fd in listener mode
+ lavf/url: rewrite ff_make_absolute_url() using ff_url_decompose().
+ lavf/url: add ff_url_decompose().
+ avcodec/cbs_av1: fix setting FrameWidth in frame_size_with_refs()
+ avcodec/cbs_av1: use a more appropiate AV1ReferenceFrameState pointer variable name
+ avcodec/cbs_av1: fix handling reference frames on show_existing_frame frames
+ avcodec/cbs_av1: infer frame_type in show_existing_frame frames earlier
+ avcodec/cbs_av1: add OrderHint to CodedBitstreamAV1Context
+ avcodec/cbs_av1: infer frame_type when parsing a show_existing_frame frame
+ cbs_av1: Fix test for presence of buffer_removal_time element
+ avcodec/cbs_av1: fix storage size for render_{width,height}_minus_1
+ lavc: Lower MediaFoundation audio encoder priority.
+ x86/yuv2rgb: fix crashes when storing data on unaligned buffers
+ checkasm/vf_blend: use the correct depth parameters to initialize the blend modes
+ x86/vf_blend: fix warnings about trailing empty parameters
+ x86/h264_deblock: fix warning about trailing empty parameter
+ avutil/x86inc: fix warnings when assembling with Nasm 2.15
+
+
+version 4.3.1:
+ avcodec/tiff: Check input space in dng_decode_jpeg()
+ avcodec/mjpeg_parser: Adjust size rejection threshold
+ avcodec/cbs_jpeg: Fix uninitialized end index in cbs_jpeg_split_fragment()
+ avformat/sdp: Fix potential write beyond end of buffer
+ avformat/mm: Check for existence of audio stream
+ avformat/mov: Fix unaligned read of uint32_t and endian-dependance in mov_read_default
+ avcodec/apedec: Fix undefined integer overflow with 24bit
+ avcodec/loco: Fix integer overflow with large values from loco_get_rice()
+ avformat/smjpegdec: Check the existence of referred streams
+ avcodec/tiff: Check frame parameters before blit for DNG
+ avcodec/mjpegdec: Limit bayer to single plane outputting format
+ avcodec/pnmdec: Fix misaligned reads
+ avcodec/mv30: Fix integer overflows in idct2_1d()
+ avcodec/hcadec: Check total_band_count against imdct_in size
+ avcodec/scpr3: Fix out of array access with dectab
+ avcodec/tiff: Do not overrun the array ends in dng_blit()
+ avcodec/dstdec: Replace AC overread check by sample rate check
+ dnn_backend_native: Add overflow check for length calculation.
+ avcodec/h264_metadata_bsf: Fix invalid av_freep
+ avcodec/cbs_h265: set default VUI parameters when vui_parameters_present_flag is false
+ avcodec/av1_parser: initialize avctx->pix_fmt
+ avcodec/av1_parser: add missing parsing for RGB pixel format signaling
+ avcodec/av1_parser: set context values outside the OBU parsing loop
+ avutil/avsscanf: Add () to avoid integer overflow in scanexp()
+ avformat/utils: reorder duration computation to avoid overflow
+ avcodec/pngdec: Check for fctl after idat
+ avformat/hls: Pass a copy of the URL for probing
+ avutil/common: Fix integer overflow in av_ceil_log2_c()
+ avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms
+ avformat/mvdec: Fix integer overflow with billions of channels
+ avformat/microdvddec: skip malformed lines without frame number.
+ dnn_backend_native: check operand index
+ dnn_backend_native.c: refine code for fail case
+ avformat/mov: fix memleaks
+ libavformat/mov: Fix memleaks when demuxing DV audio
+ avcodec/cbs_av1: Fix writing uvlc numbers >= INT_MAX
+ avformat/avc, mxfenc: Avoid allocation of H264 SPS structure, fix memleak
+ avcodec/bitstream: Don't check for undefined behaviour after it happened
+ avformat/aviobuf: Also return truncated buffer in avio_get_dyn_buf()
+ avformat/aviobuf: Don't check for overflow after it happened
+
 version 4.3:
 - v360 filter
 - Intel QSV-accelerated MJPEG decoding
@@ -1 +1 @@
-4.2.git
+4.3.2
@@ -0,0 +1,15 @@
+
+              ┌────────────────────────────────────┐
+              │ RELEASE NOTES for FFmpeg 4.3 "4:3" │
+              └────────────────────────────────────┘
+
+   The FFmpeg Project proudly presents FFmpeg 4.3 "4:3", about 10
+   months after the release of FFmpeg 4.2.
+
+   A complete Changelog is available at the root of the project, and the
+   complete Git history on https://git.ffmpeg.org/gitweb/ffmpeg.git
+
+   We hope you will like this release as much as we enjoyed working on it, and
+   as usual, if you have any questions about it, or any FFmpeg related topic,
+   feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask
+   on the mailing-lists.
@@ -7513,7 +7513,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2020
+#define CONFIG_THIS_YEAR 2021
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         =
+PROJECT_NUMBER         = 4.3.2

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -317,7 +317,7 @@ list are dropped. You may use the special @code{*} string to match all pages,
 or @code{subtitle} to match all subtitle pages.
 Default value is *.
@item txt_default_region
-Set default G0 character set used for decoding, a value between 0 and 80 (see
+Set default character set used for decoding, a value between 0 and 87 (see
 ETS 300 706, Section 15, Table 32). Default value is -1, which does not
 override the libzvbi default. This option is needed for some legacy level 1.0
 transmissions which cannot signal the proper charset.
@@ -155,9 +155,9 @@ static void vector_pow43(int *coefs, int len)
    for (i=0; i<len; i++) {
        coef = coefs[i];
        if (coef < 0)
-            coef = -(int)ff_cbrt_tab_fixed[-coef];
+            coef = -(int)ff_cbrt_tab_fixed[(-coef) & 8191];
        else
-            coef = (int)ff_cbrt_tab_fixed[coef];
+            coef =  (int)ff_cbrt_tab_fixed[  coef  & 8191];
        coefs[i] = coef;
    }
 }
@@ -423,8 +423,8 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size,
                int map = s->map[x];

                if (orig_mv_x >= -32) {
-                    if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 >= h ||
-                        x * 8 + mv_x < 0 || x * 8 + mv_x + 8 >= w)
+                    if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h ||
+                        x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w)
                        return AVERROR_INVALIDDATA;

                    copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8,
@@ -302,6 +302,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,
        decorr_shift       = get_bits(&alac->gb, 8);
        decorr_left_weight = get_bits(&alac->gb, 8);

+        if (channels == 2 && decorr_left_weight && decorr_shift > 31)
+            return AVERROR_INVALIDDATA;
+
        for (ch = 0; ch < channels; ch++) {
            prediction_type[ch]   = get_bits(&alac->gb, 4);
            lpc_quant[ch]         = get_bits(&alac->gb, 4);
@@ -679,9 +679,7 @@ extern AVCodec ff_xsub_decoder;
 /* external libraries */
 extern AVCodec ff_aac_at_encoder;
 extern AVCodec ff_aac_at_decoder;
-extern AVCodec ff_aac_mf_encoder;
 extern AVCodec ff_ac3_at_decoder;
-extern AVCodec ff_ac3_mf_encoder;
 extern AVCodec ff_adpcm_ima_qt_at_decoder;
 extern AVCodec ff_alac_at_encoder;
 extern AVCodec ff_alac_at_decoder;
@@ -693,7 +691,6 @@ extern AVCodec ff_ilbc_at_decoder;
 extern AVCodec ff_mp1_at_decoder;
 extern AVCodec ff_mp2_at_decoder;
 extern AVCodec ff_mp3_at_decoder;
-extern AVCodec ff_mp3_mf_encoder;
 extern AVCodec ff_pcm_alaw_at_encoder;
 extern AVCodec ff_pcm_alaw_at_decoder;
 extern AVCodec ff_pcm_mulaw_at_encoder;
@@ -757,6 +754,8 @@ extern AVCodec ff_idf_decoder;

 /* external libraries, that shouldn't be used by default if one of the
 * above is available */
+extern AVCodec ff_aac_mf_encoder;
+extern AVCodec ff_ac3_mf_encoder;
 extern AVCodec ff_h263_v4l2m2m_encoder;
 extern AVCodec ff_libaom_av1_decoder;
 extern AVCodec ff_libopenh264_encoder;
@@ -789,6 +788,7 @@ extern AVCodec ff_mjpeg_cuvid_decoder;
 extern AVCodec ff_mjpeg_qsv_encoder;
 extern AVCodec ff_mjpeg_qsv_decoder;
 extern AVCodec ff_mjpeg_vaapi_encoder;
+extern AVCodec ff_mp3_mf_encoder;
 extern AVCodec ff_mpeg1_cuvid_decoder;
 extern AVCodec ff_mpeg2_cuvid_decoder;
 extern AVCodec ff_mpeg2_qsv_encoder;
@@ -762,7 +762,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            }

            for (k = 2; k < opt_order; k++)
-                quant_cof[k] = (quant_cof[k] * (1 << 14)) + (add_base << 13);
+                quant_cof[k] = (quant_cof[k] * (1U << 14)) + (add_base << 13);
        }
    }

@@ -431,7 +431,8 @@ static int decode_frame(AVCodecContext *avctx,
                    s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0';
                break;
            case ';':
-                s->nb_args++;
+                if (s->nb_args < MAX_NB_ARGS)
+                    s->nb_args++;
                if (s->nb_args < MAX_NB_ARGS)
                    s->args[s->nb_args] = 0;
                break;
@@ -474,6 +475,11 @@ static av_cold int decode_close(AVCodecContext *avctx)
    return 0;
 }

+static const AVCodecDefault ansi_defaults[] = {
+    { "max_pixels", "640*480" },
+    { NULL },
+};
+
 AVCodec ff_ansi_decoder = {
    .name           = "ansi",
    .long_name      = NULL_IF_CONFIG_SMALL("ASCII/ANSI art"),
@@ -485,4 +491,5 @@ AVCodec ff_ansi_decoder = {
    .decode         = decode_frame,
    .capabilities   = AV_CODEC_CAP_DR1,
    .caps_internal  = FF_CODEC_CAP_INIT_THREADSAFE,
+    .defaults       = ansi_defaults,
 };
@@ -1573,7 +1573,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        for (ch = 0; ch < s->channels; ch++) {
            sample24 = (int32_t *)frame->data[ch];
            for (i = 0; i < blockstodecode; i++)
-                *sample24++ = s->decoded[ch][i] * 256;
+                *sample24++ = s->decoded[ch][i] * 256U;
        }
        break;
    }
@@ -45,6 +45,10 @@ static const enum AVPixelFormat pix_fmts_12bit[2][2] = {
    { AV_PIX_FMT_YUV422P12, AV_PIX_FMT_YUV420P12 },
 };

+static const enum AVPixelFormat pix_fmts_rgb[3] = {
+    AV_PIX_FMT_GBRP, AV_PIX_FMT_GBRP10, AV_PIX_FMT_GBRP12,
+};
+
 static int av1_parser_parse(AVCodecParserContext *ctx,
                            AVCodecContext *avctx,
                            const uint8_t **out_data, int *out_size,
@@ -53,6 +57,8 @@ static int av1_parser_parse(AVCodecParserContext *ctx,
    AV1ParseContext *s = ctx->priv_data;
    CodedBitstreamFragment *td = &s->temporal_unit;
    CodedBitstreamAV1Context *av1 = s->cbc->priv_data;
+    AV1RawSequenceHeader *seq;
+    AV1RawColorConfig *color;
    int ret;

    *out_data = data;
@@ -86,11 +92,12 @@ static int av1_parser_parse(AVCodecParserContext *ctx,
        goto end;
    }

+    seq = av1->sequence_header;
+    color = &seq->color_config;
+
    for (int i = 0; i < td->nb_units; i++) {
        CodedBitstreamUnit *unit = &td->units[i];
        AV1RawOBU *obu = unit->content;
-        AV1RawSequenceHeader *seq = av1->sequence_header;
-        AV1RawColorConfig *color = &seq->color_config;
        AV1RawFrameHeader *frame;
        int frame_type;

@@ -127,9 +134,6 @@ static int av1_parser_parse(AVCodecParserContext *ctx,
            ctx->key_frame = frame_type == AV1_FRAME_KEY;
        }

-        avctx->profile = seq->seq_profile;
-        avctx->level   = seq->seq_level_idx[0];
-
        switch (frame_type) {
        case AV1_FRAME_KEY:
        case AV1_FRAME_INTRA_ONLY:
@@ -143,33 +147,44 @@ static int av1_parser_parse(AVCodecParserContext *ctx,
            break;
        }
        ctx->picture_structure = AV_PICTURE_STRUCTURE_FRAME;
+    }

-        switch (av1->bit_depth) {
-        case 8:
-            ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY8
-                                             : pix_fmts_8bit [color->subsampling_x][color->subsampling_y];
-            break;
-        case 10:
-            ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY10
-                                             : pix_fmts_10bit[color->subsampling_x][color->subsampling_y];
-            break;
-        case 12:
-            ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY12
-                                             : pix_fmts_12bit[color->subsampling_x][color->subsampling_y];
-            break;
-        }
-        av_assert2(ctx->format != AV_PIX_FMT_NONE);
+    switch (av1->bit_depth) {
+    case 8:
+        ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY8
+                                         : pix_fmts_8bit [color->subsampling_x][color->subsampling_y];
+        break;
+    case 10:
+        ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY10
+                                         : pix_fmts_10bit[color->subsampling_x][color->subsampling_y];
+        break;
+    case 12:
+        ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY12
+                                         : pix_fmts_12bit[color->subsampling_x][color->subsampling_y];
+        break;
+    }
+    av_assert2(ctx->format != AV_PIX_FMT_NONE);

-        avctx->colorspace = (enum AVColorSpace) color->matrix_coefficients;
-        avctx->color_primaries = (enum AVColorPrimaries) color->color_primaries;
-        avctx->color_trc = (enum AVColorTransferCharacteristic) color->transfer_characteristics;
-        avctx->color_range = color->color_range ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG;
+    if (!color->subsampling_x && !color->subsampling_y &&
+        color->matrix_coefficients       == AVCOL_SPC_RGB &&
+        color->color_primaries           == AVCOL_PRI_BT709 &&
+        color->transfer_characteristics  == AVCOL_TRC_IEC61966_2_1)
+        ctx->format = pix_fmts_rgb[color->high_bitdepth + color->twelve_bit];

-        if (ctx->width != avctx->width || ctx->height != avctx->height) {
-            ret = ff_set_dimensions(avctx, ctx->width, ctx->height);
-            if (ret < 0)
-                goto end;
-        }
+    avctx->pix_fmt = ctx->format;
+
+    avctx->profile = seq->seq_profile;
+    avctx->level   = seq->seq_level_idx[0];
+
+    avctx->colorspace = (enum AVColorSpace) color->matrix_coefficients;
+    avctx->color_primaries = (enum AVColorPrimaries) color->color_primaries;
+    avctx->color_trc = (enum AVColorTransferCharacteristic) color->transfer_characteristics;
+    avctx->color_range = color->color_range ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG;
+
+    if (ctx->width != avctx->width || ctx->height != avctx->height) {
+        ret = ff_set_dimensions(avctx, ctx->width, ctx->height);
+        if (ret < 0)
+            goto end;
    }

    if (avctx->framerate.num)
@@ -162,9 +162,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
    uint32_t code;
    volatile VLC_TYPE (* volatile table)[2]; // the double volatile is needed to prevent an internal compiler error in gcc 4.2

-    table_size = 1 << table_nb_bits;
    if (table_nb_bits > 30)
       return AVERROR(EINVAL);
+    table_size = 1 << table_nb_bits;
    table_index = alloc_table(vlc, table_size, flags & INIT_VLC_USE_NEW_STATIC);
    ff_dlog(NULL, "new table index=%d size=%d\n", table_index, table_size);
    if (table_index < 0)
@@ -693,11 +693,11 @@ static int cbs_insert_unit(CodedBitstreamContext *ctx,
            memmove(units + position + 1, units + position,
                    (frag->nb_units - position) * sizeof(*units));
    } else {
-        units = av_malloc_array(frag->nb_units + 1, sizeof(*units));
+        units = av_malloc_array(frag->nb_units*2 + 1, sizeof(*units));
        if (!units)
            return AVERROR(ENOMEM);

-        ++frag->nb_units_allocated;
+        frag->nb_units_allocated = 2*frag->nb_units_allocated + 1;

        if (position > 0)
            memcpy(units, frag->units, position * sizeof(*units));
@@ -125,8 +125,9 @@ static int cbs_av1_write_uvlc(CodedBitstreamContext *ctx, PutBitContext *pbc,
        put_bits(pbc, 1, 1);
    } else {
        zeroes = av_log2(value + 1);
-        v = value - (1 << zeroes) + 1;
-        put_bits(pbc, zeroes + 1, 1);
+        v = value - (1U << zeroes) + 1;
+        put_bits(pbc, zeroes, 0);
+        put_bits(pbc, 1, 1);
        put_bits(pbc, zeroes, v);
    }

@@ -711,10 +712,11 @@ static size_t cbs_av1_get_payload_bytes_left(GetBitContext *gbc)

 #define infer(name, value) do { \
        if (current->name != (value)) { \
-            av_log(ctx->log_ctx, AV_LOG_WARNING, "Warning: " \
+            av_log(ctx->log_ctx, AV_LOG_ERROR, \
                   "%s does not match inferred value: " \
                   "%"PRId64", but should be %"PRId64".\n", \
                   #name, (int64_t)current->name, (int64_t)(value)); \
+            return AVERROR_INVALIDDATA; \
        } \
    } while (0)

@@ -158,8 +158,8 @@ typedef struct AV1RawFrameHeader {
    uint8_t  use_superres;
    uint8_t  coded_denom;
    uint8_t  render_and_frame_size_different;
-    uint8_t  render_width_minus_1;
-    uint8_t  render_height_minus_1;
+    uint16_t render_width_minus_1;
+    uint16_t render_height_minus_1;

    uint8_t found_ref[AV1_REFS_PER_FRAME];

@@ -429,6 +429,7 @@ typedef struct CodedBitstreamAV1Context {
    int operating_point_idc;

    int bit_depth;
+    int order_hint;
    int frame_width;
    int frame_height;
    int upscaled_width;
@@ -366,7 +366,7 @@ static int FUNC(set_frame_refs)(CodedBitstreamContext *ctx, RWContext *rw,
    for (i = 0; i < AV1_NUM_REF_FRAMES; i++)
        shifted_order_hints[i] = cur_frame_hint +
                                 cbs_av1_get_relative_dist(seq, priv->ref[i].order_hint,
-                                                           current->order_hint);
+                                                           priv->order_hint);

    latest_order_hint = shifted_order_hints[current->last_frame_idx];
    earliest_order_hint = shifted_order_hints[current->golden_frame_idx];
@@ -541,7 +541,7 @@ static int FUNC(frame_size_with_refs)(CodedBitstreamContext *ctx, RWContext *rw,
            }

            priv->upscaled_width = ref->upscaled_width;
-            priv->frame_width    = ref->frame_width;
+            priv->frame_width    = priv->upscaled_width;
            priv->frame_height   = ref->frame_height;
            priv->render_width   = ref->render_width;
            priv->render_height  = ref->render_height;
@@ -993,7 +993,7 @@ static int FUNC(skip_mode_params)(CodedBitstreamContext *ctx, RWContext *rw,
        for (i = 0; i < AV1_REFS_PER_FRAME; i++) {
            ref_hint = priv->ref[current->ref_frame_idx[i]].order_hint;
            dist = cbs_av1_get_relative_dist(seq, ref_hint,
-                                             current->order_hint);
+                                             priv->order_hint);
            if (dist < 0) {
                if (forward_idx < 0 ||
                    cbs_av1_get_relative_dist(seq, ref_hint,
@@ -1261,10 +1261,10 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw,
        flag(show_existing_frame);

        if (current->show_existing_frame) {
-            AV1ReferenceFrameState *frame;
+            AV1ReferenceFrameState *ref;

            fb(3, frame_to_show_map_idx);
-            frame = &priv->ref[current->frame_to_show_map_idx];
+            ref = &priv->ref[current->frame_to_show_map_idx];

            if (seq->decoder_model_info_present_flag &&
                !seq->timing_info.equal_picture_interval) {
@@ -1275,12 +1275,24 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw,
            if (seq->frame_id_numbers_present_flag)
                fb(id_len, display_frame_id);

-            if (frame->frame_type == AV1_FRAME_KEY)
+            infer(frame_type, ref->frame_type);
+            if (current->frame_type == AV1_FRAME_KEY) {
                infer(refresh_frame_flags, all_frames);
-            else
+
+                // Section 7.21
+                infer(current_frame_id, ref->frame_id);
+                priv->upscaled_width  = ref->upscaled_width;
+                priv->frame_width     = ref->frame_width;
+                priv->frame_height    = ref->frame_height;
+                priv->render_width    = ref->render_width;
+                priv->render_height   = ref->render_height;
+                priv->bit_depth       = ref->bit_depth;
+                priv->order_hint      = ref->order_hint;
+            } else
                infer(refresh_frame_flags, 0);

-            return 0;
+            // Section 7.20
+            goto update_refs;
        }

        fb(2, frame_type);
@@ -1366,6 +1378,7 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw,
        fb(order_hint_bits, order_hint);
    else
        infer(order_hint, 0);
+    priv->order_hint = current->order_hint;

    if (frame_is_intra || current->error_resilient_mode)
        infer(primary_ref_frame, AV1_PRIMARY_REF_NONE);
@@ -1381,7 +1394,7 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw,
                    int in_temporal_layer = (op_pt_idc >>  priv->temporal_id    ) & 1;
                    int in_spatial_layer  = (op_pt_idc >> (priv->spatial_id + 8)) & 1;
                    if (seq->operating_point_idc[i] == 0 ||
-                        in_temporal_layer || in_spatial_layer) {
+                        (in_temporal_layer && in_spatial_layer)) {
                        fbs(seq->decoder_model_info.buffer_removal_time_length_minus_1 + 1,
                            buffer_removal_time[i], 1, i);
                    }
@@ -1541,6 +1554,16 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw,

    CHECK(FUNC(film_grain_params)(ctx, rw, current));

+    av_log(ctx->log_ctx, AV_LOG_DEBUG, "Frame %d:  size %dx%d  "
+           "upscaled %d  render %dx%d  subsample %dx%d  "
+           "bitdepth %d  tiles %dx%d.\n", priv->order_hint,
+           priv->frame_width, priv->frame_height, priv->upscaled_width,
+           priv->render_width, priv->render_height,
+           seq->color_config.subsampling_x + 1,
+           seq->color_config.subsampling_y + 1, priv->bit_depth,
+           priv->tile_rows, priv->tile_cols);
+
+update_refs:
    for (i = 0; i < AV1_NUM_REF_FRAMES; i++) {
        if (current->refresh_frame_flags & (1 << i)) {
            priv->ref[i] = (AV1ReferenceFrameState) {
@@ -1555,20 +1578,11 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw,
                .subsampling_x  = seq->color_config.subsampling_x,
                .subsampling_y  = seq->color_config.subsampling_y,
                .bit_depth      = priv->bit_depth,
-                .order_hint     = current->order_hint,
+                .order_hint     = priv->order_hint,
            };
        }
    }

-    av_log(ctx->log_ctx, AV_LOG_DEBUG, "Frame %d:  size %dx%d  "
-           "upscaled %d  render %dx%d  subsample %dx%d  "
-           "bitdepth %d  tiles %dx%d.\n", current->order_hint,
-           priv->frame_width, priv->frame_height, priv->upscaled_width,
-           priv->render_width, priv->render_height,
-           seq->color_config.subsampling_x + 1,
-           seq->color_config.subsampling_y + 1, priv->bit_depth,
-           priv->tile_rows, priv->tile_cols);
-
    return 0;
 }

@@ -408,10 +408,11 @@ static int cbs_h2645_read_more_rbsp_data(GetBitContext *gbc)

 #define infer(name, value) do { \
        if (current->name != (value)) { \
-            av_log(ctx->log_ctx, AV_LOG_WARNING, "Warning: " \
+            av_log(ctx->log_ctx, AV_LOG_ERROR, \
                   "%s does not match inferred value: " \
                   "%"PRId64", but should be %"PRId64".\n", \
                   #name, (int64_t)current->name, (int64_t)(value)); \
+            return AVERROR_INVALIDDATA; \
        } \
    } while (0)

@@ -744,6 +744,32 @@ static int FUNC(sps_scc_extension)(CodedBitstreamContext *ctx, RWContext *rw,
    return 0;
 }

+static int FUNC(vui_parameters_default)(CodedBitstreamContext *ctx,
+                                        RWContext *rw, H265RawVUI *current,
+                                        H265RawSPS *sps)
+{
+    infer(aspect_ratio_idc, 0);
+
+    infer(video_format,             5);
+    infer(video_full_range_flag,    0);
+    infer(colour_primaries,         2);
+    infer(transfer_characteristics, 2);
+    infer(matrix_coefficients,      2);
+
+    infer(chroma_sample_loc_type_top_field,    0);
+    infer(chroma_sample_loc_type_bottom_field, 0);
+
+    infer(tiles_fixed_structure_flag,    0);
+    infer(motion_vectors_over_pic_boundaries_flag, 1);
+    infer(min_spatial_segmentation_idc,  0);
+    infer(max_bytes_per_pic_denom,       2);
+    infer(max_bits_per_min_cu_denom,     1);
+    infer(log2_max_mv_length_horizontal, 15);
+    infer(log2_max_mv_length_vertical,   15);
+
+    return 0;
+}
+
 static int FUNC(sps)(CodedBitstreamContext *ctx, RWContext *rw,
                     H265RawSPS *current)
 {
@@ -908,6 +934,8 @@ static int FUNC(sps)(CodedBitstreamContext *ctx, RWContext *rw,
    flag(vui_parameters_present_flag);
    if (current->vui_parameters_present_flag)
        CHECK(FUNC(vui_parameters)(ctx, rw, &current->vui, current));
+    else
+        CHECK(FUNC(vui_parameters_default)(ctx, rw, &current->vui, current));

    flag(sps_extension_present_flag);
    if (current->sps_extension_present_flag) {
@@ -149,6 +149,7 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx,
            break;
        } else if (marker == JPEG_MARKER_SOS) {
            next_marker = -1;
+            end = start;
            for (i = start; i + 1 < frag->data_size; i++) {
                if (frag->data[i] != 0xff)
                    continue;
@@ -65,11 +65,11 @@ int ff_celp_lp_synthesis_filter(int16_t *out, const int16_t *filter_coeffs,
    int i,n;

    for (n = 0; n < buffer_length; n++) {
-        int sum = -rounder, sum1;
+        int sum = rounder, sum1;
        for (i = 1; i <= filter_length; i++)
-            sum += (unsigned)(filter_coeffs[i-1] * out[n-i]);
+            sum -= (unsigned)(filter_coeffs[i-1] * out[n-i]);

-        sum1 = ((-sum >> 12) + in[n]) >> shift;
+        sum1 = ((sum >> 12) + in[n]) >> shift;
        sum  = av_clip_int16(sum1);

        if (stop_on_overflow && sum != sum1)
@@ -503,6 +503,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
                avpriv_report_missing_feature(avctx, "Transform type of %"PRIu16, data);
                ret = AVERROR_PATCHWELCOME;
                break;
+            } else if (data == 1) {
+                av_log(avctx, AV_LOG_ERROR, "unsupported transform type\n");
+                ret = AVERROR_PATCHWELCOME;
+                break;
            }
            av_log(avctx, AV_LOG_DEBUG, "Transform-type? %"PRIu16"\n", data);
        } else if (abstag >= 0x4000 && abstag <= 0x40ff) {
@@ -607,6 +611,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
            s->peak.level   = 0;
        } else if (tag == -74 && s->peak.offset) {
            s->peak.level = data;
+            if (s->peak.offset < 4 - bytestream2_tell(&s->peak.base) ||
+                s->peak.offset > 4 + bytestream2_get_bytes_left(&s->peak.base)
+            ) {
+                ret = AVERROR_INVALIDDATA;
+                goto end;
+            }
            bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR);
        } else
            av_log(avctx, AV_LOG_DEBUG,  "Unknown tag %i data %x\n", tag, data);
@@ -1084,6 +1084,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
    ff_audiodsp_init(&q->adsp);

    while (bytestream2_get_bytes_left(&gb)) {
+        if (s >= FFMIN(MAX_SUBPACKETS, avctx->block_align)) {
+            avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align));
+            return AVERROR_PATCHWELCOME;
+        }
        /* 8 for mono, 16 for stereo, ? for multichannel
           Swap to right endianness so we don't need to care later on. */
        q->subpacket[s].cookversion      = bytestream2_get_be32(&gb);
@@ -1215,10 +1219,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)

        q->num_subpackets++;
        s++;
-        if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) {
-            avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align));
-            return AVERROR_PATCHWELCOME;
-        }
    }

    /* Try to catch some obviously faulty streams, otherwise it might be exploitable */
@@ -93,7 +93,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    case 1: { // zlib compression
 #if CONFIG_ZLIB
        unsigned long dlen = c->decomp_size;
-        if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) {
+        if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || dlen != c->decomp_size) {
            av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n");
            return AVERROR_INVALIDDATA;
        }
@@ -88,7 +88,7 @@ typedef struct CuvidContext
    CUVIDDECODECAPS caps8, caps10, caps12;

    CUVIDPARSERPARAMS cuparseinfo;
-    CUVIDEOFORMATEX cuparse_ext;
+    CUVIDEOFORMATEX *cuparse_ext;

    CudaFunctions *cudl;
    CuvidFunctions *cvdl;
@@ -684,6 +684,7 @@ static av_cold int cuvid_decode_end(AVCodecContext *avctx)
    av_buffer_unref(&ctx->hwdevice);

    av_freep(&ctx->key_frame);
+    av_freep(&ctx->cuparse_ext);

    cuvid_free_functions(&ctx->cvdl);

@@ -793,6 +794,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx)
    CUVIDSOURCEDATAPACKET seq_pkt;
    CUcontext cuda_ctx = NULL;
    CUcontext dummy;
+    uint8_t *extradata;
+    int extradata_size;
    int ret = 0;

    enum AVPixelFormat pix_fmts[3] = { AV_PIX_FMT_CUDA,
@@ -889,11 +892,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx)
    ctx->cudl = device_hwctx->internal->cuda_dl;

    memset(&ctx->cuparseinfo, 0, sizeof(ctx->cuparseinfo));
-    memset(&ctx->cuparse_ext, 0, sizeof(ctx->cuparse_ext));
    memset(&seq_pkt, 0, sizeof(seq_pkt));

-    ctx->cuparseinfo.pExtVideoInfo = &ctx->cuparse_ext;
-
    switch (avctx->codec->id) {
 #if CONFIG_H264_CUVID_DECODER
    case AV_CODEC_ID_H264:
@@ -947,17 +947,26 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx)

    if (avctx->codec->bsfs) {
        const AVCodecParameters *par = avctx->internal->bsf->par_out;
-        ctx->cuparse_ext.format.seqhdr_data_length = par->extradata_size;
-        memcpy(ctx->cuparse_ext.raw_seqhdr_data,
-               par->extradata,
-               FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), par->extradata_size));
-    } else if (avctx->extradata_size > 0) {
-        ctx->cuparse_ext.format.seqhdr_data_length = avctx->extradata_size;
-        memcpy(ctx->cuparse_ext.raw_seqhdr_data,
-               avctx->extradata,
-               FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), avctx->extradata_size));
+        extradata = par->extradata;
+        extradata_size = par->extradata_size;
+    } else {
+        extradata = avctx->extradata;
+        extradata_size = avctx->extradata_size;
    }

+    ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext)
+            + FFMAX(extradata_size - (int)sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0));
+    if (!ctx->cuparse_ext) {
+        ret = AVERROR(ENOMEM);
+        goto error;
+    }
+
+    if (extradata_size > 0)
+        memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size);
+    ctx->cuparse_ext->format.seqhdr_data_length = extradata_size;
+
+    ctx->cuparseinfo.pExtVideoInfo = ctx->cuparse_ext;
+
    ctx->key_frame = av_mallocz(ctx->nb_surfaces * sizeof(int));
    if (!ctx->key_frame) {
        ret = AVERROR(ENOMEM);
@@ -986,8 +995,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx)
    if (ret < 0)
        goto error;

-    seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data;
-    seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length;
+    seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data;
+    seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length;

    if (seq_pkt.payload && seq_pkt.payload_size) {
        ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt));
@@ -1046,8 +1055,8 @@ static void cuvid_flush(AVCodecContext *avctx)
    if (ret < 0)
        goto error;

-    seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data;
-    seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length;
+    seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data;
+    seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length;

    if (seq_pkt.payload && seq_pkt.payload_size) {
        ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt));
@@ -1858,7 +1858,8 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags)
    int ret;

    if (avctx->codec_type == AVMEDIA_TYPE_VIDEO) {
-        if ((ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) {
+        if ((unsigned)avctx->width > INT_MAX - STRIDE_ALIGN ||
+            (ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) {
            av_log(avctx, AV_LOG_ERROR, "video_get_buffer: image parameters invalid\n");
            ret = AVERROR(EINVAL);
            goto fail;
@@ -215,7 +215,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx,
            int64_t pts = AV_RB32(cur_pu + 13);
            if (s->last_pts == 0 && s->last_dts == 0)
                s->dts = pts - 1;
-            else
+            else if (s->last_dts != AV_NOPTS_VALUE)
                s->dts = s->last_dts + 1;
            s->pts = pts;
            if (!avctx->has_b_frames && (cur_pu[4] & 0x03))
@@ -198,9 +198,9 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s
        PX c, sign, *src_r = (PX *)src, *dst_r = (PX *)dst;                                \
        for (i = 0; i < tot_h; i++) {                                                      \
            c = *src_r++;                                                                  \
-            sign = FFSIGN(c)*(!!c);                                                        \
-            c = (FFABS(c)*(unsigned)qf + qs) >> 2;                                                   \
-            *dst_r++ = c*sign;                                                             \
+            if     (c < 0) c = -((-(unsigned)c*qf + qs) >> 2);                             \
+            else if(c > 0) c =  (( (unsigned)c*qf + qs) >> 2);                             \
+            *dst_r++ = c;                                                                  \
        }                                                                                  \
        src += tot_h << (sizeof(PX) >> 1);                                                 \
        dst += stride;                                                                     \
@@ -56,7 +56,6 @@ static const int8_t probs_code_pred_coeff[3][3] = {
 typedef struct ArithCoder {
    unsigned int a;
    unsigned int c;
-    int overread;
 } ArithCoder;

 typedef struct Table {
@@ -86,6 +85,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
        return AVERROR_PATCHWELCOME;
    }

+    // the sample rate is only allowed to be 64,128,256 * 44100 by ISO/IEC 14496-3:2005(E)
+    // We are a bit more tolerant here, but this check is needed to bound the size and duration
+    if (avctx->sample_rate > 512 * 44100)
+        return AVERROR_INVALIDDATA;
+
+
    if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) {
        return AVERROR_PATCHWELCOME;
    }
@@ -181,7 +186,6 @@ static void ac_init(ArithCoder *ac, GetBitContext *gb)
 {
    ac->a = 4095;
    ac->c = get_bits(gb, 12);
-    ac->overread = 0;
 }

 static av_always_inline void ac_get(ArithCoder *ac, GetBitContext *gb, int p, int *e)
@@ -201,8 +205,6 @@ static av_always_inline void ac_get(ArithCoder *ac, GetBitContext *gb, int p, in
    if (ac->a < 2048) {
        int n = 11 - av_log2(ac->a);
        ac->a <<= n;
-        if (get_bits_left(gb) < n)
-            ac->overread ++;
        ac->c = (ac->c << n) | get_bits(gb, n);
    }
 }
@@ -355,9 +357,6 @@ static int decode_frame(AVCodecContext *avctx, void *data,
                prob = 128;
            }

-            if (ac->overread > 16)
-                return AVERROR_INVALIDDATA;
-
            ac_get(ac, gb, prob, &residual);
            v = ((predict >> 15) ^ residual) & 1;
            dsd[((i >> 3) * channels + ch) << 2] |= v << (7 - (i & 0x7 ));
@@ -456,7 +456,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame,
            V[x >> 2] = decode_sym(gb, lru[2]) ^ 0x80;
        }

-        Y += ystride << 2;
+        Y += ystride * 4;
        U += ustride;
        V += vstride;
    }
@@ -501,7 +501,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame,
            V[x >> 1] = decode_sym(gb, lru[2]) ^ 0x80;
        }

-        Y += ystride << 1;
+        Y += ystride * 2;
        U += ustride;
        V += vstride;
    }
@@ -1051,6 +1051,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        if ((col + td->xsize) != s->xdelta)/* not the last tile of the line */
            axmax = 0; /* doesn't add pixel at the right of the datawindow */

+        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+            return AVERROR_INVALIDDATA;
+
        td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
        uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */
    } else {
@@ -1070,6 +1073,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        td->ysize          = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */
        td->xsize          = s->xdelta;

+        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+            return AVERROR_INVALIDDATA;
+
        td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
        uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */

@@ -1493,15 +1499,27 @@ static int decode_header(EXRContext *s, AVFrame *frame)
            continue;
        } else if ((var_size = check_header_variable(s, "dataWindow", "box2i",
                                                     31)) >= 0) {
+            int xmin, ymin, xmax, ymax;
            if (!var_size) {
                ret = AVERROR_INVALIDDATA;
                goto fail;
            }

-            s->xmin   = bytestream2_get_le32(&s->gb);
-            s->ymin   = bytestream2_get_le32(&s->gb);
-            s->xmax   = bytestream2_get_le32(&s->gb);
-            s->ymax   = bytestream2_get_le32(&s->gb);
+            xmin   = bytestream2_get_le32(&s->gb);
+            ymin   = bytestream2_get_le32(&s->gb);
+            xmax   = bytestream2_get_le32(&s->gb);
+            ymax   = bytestream2_get_le32(&s->gb);
+
+            if (xmin > xmax || ymin > ymax ||
+                (unsigned)xmax - xmin >= INT_MAX ||
+                (unsigned)ymax - ymin >= INT_MAX) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
+            s->xmin = xmin;
+            s->xmax = xmax;
+            s->ymin = ymin;
+            s->ymax = ymax;
            s->xdelta = (s->xmax - s->xmin) + 1;
            s->ydelta = (s->ymax - s->ymin) + 1;

@@ -1734,7 +1752,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
        s->ymin > s->ymax                  ||
        s->xdelta != s->xmax - s->xmin + 1 ||
        s->xmax >= s->w                    ||
-        s->ymax >= s->h) {
+        s->ymax >= s->h                    ||
+        s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF
+    ) {
        av_log(avctx, AV_LOG_ERROR, "Wrong or missing size information.\n");
        return AVERROR_INVALIDDATA;
    }
@@ -1765,7 +1785,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0)
        return ret;

-    if (bytestream2_get_bytes_left(&s->gb) < nb_blocks * 8)
+    if (bytestream2_get_bytes_left(&s->gb)/8 < nb_blocks)
        return AVERROR_INVALIDDATA;

    // check offset table and recreate it if need
@@ -1794,7 +1814,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    // Zero out the start if ymin is not 0
    for (i = 0; i < planes; i++) {
        ptr = picture->data[i];
-        for (y = 0; y < s->ymin; y++) {
+        for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
            memset(ptr, 0, out_line_size);
            ptr += picture->linesize[i];
        }
@@ -786,7 +786,7 @@ static int read_header(FFV1Context *f)

            if (f->version == 2) {
                int idx = get_symbol(c, state, 0);
-                if (idx > (unsigned)f->quant_table_count) {
+                if (idx >= (unsigned)f->quant_table_count) {
                    av_log(f->avctx, AV_LOG_ERROR,
                           "quant_table_index out of range\n");
                    return AVERROR_INVALIDDATA;
@@ -373,7 +373,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts,
        in->amp  += in->damp;
        switch (in->type) {
            case WS_SINE:
-                val = amp * ws->sin[in->phi >> (64 - SIN_BITS)];
+                val = amp * (unsigned)ws->sin[in->phi >> (64 - SIN_BITS)];
                in->phi  += in->dphi;
                in->dphi += in->ddphi;
                break;
@@ -444,7 +444,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame,
    if (r < 0)
        return r;
    pcm = (int16_t *)frame->data[0];
-    for (s = 0; s < duration; s++, ts++) {
+    for (s = 0; s < duration; s++, ts+=(uint64_t)1) {
        memset(channels, 0, avc->channels * sizeof(*channels));
        if (ts >= ws->next_ts)
            wavesynth_enter_intervals(ws, ts);
@@ -452,7 +452,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame,
        for (c = 0; c < avc->channels; c++)
            *(pcm++) = channels[c] >> 16;
    }
-    ws->cur_ts += duration;
+    ws->cur_ts += (uint64_t)duration;
    *rgot_frame = 1;
    return packet->size;
 }
@@ -187,6 +187,8 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t
            header->blank = t;
            header->blank_found = 1;
        } else if (!strcmp(keyword, "BSCALE") && sscanf(value, "%lf", &d) == 1) {
+            if (d <= 0)
+                return AVERROR_INVALIDDATA;
            header->bscale = d;
        } else if (!strcmp(keyword, "BZERO") && sscanf(value, "%lf", &d) == 1) {
            header->bzero = d;
@@ -203,8 +205,12 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t
        } else if (!strcmp(keyword, "GROUPS") && sscanf(value, "%c", &c) == 1) {
            header->groups = (c == 'T');
        } else if (!strcmp(keyword, "GCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) {
+            if (t < 0 || t > INT_MAX)
+                return AVERROR_INVALIDDATA;
            header->gcount = t;
        } else if (!strcmp(keyword, "PCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) {
+            if (t < 0 || t > INT_MAX)
+                return AVERROR_INVALIDDATA;
            header->pcount = t;
        }
        dict_set_if_not_null(metadata, keyword, value);
@@ -528,7 +528,7 @@ static int h264_metadata_filter(AVBSFContext *bsf, AVPacket *pkt)
                if (err < 0) {
                    av_log(bsf, AV_LOG_ERROR, "Failed to attach extracted "
                           "displaymatrix side data to packet.\n");
-                    av_freep(matrix);
+                    av_free(matrix);
                    goto fail;
                }
            }
@@ -1599,7 +1599,7 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl,
                              prev->f->format,
                              prev->f->width,
                              prev->f->height);
-                h->short_ref[0]->poc = prev->poc + 2;
+                h->short_ref[0]->poc = prev->poc + 2U;
            } else if (!h->frame_recovered && !h->avctx->hwaccel)
                ff_color_frame(h->short_ref[0]->f, c);
            h->short_ref[0]->frame_num = h->poc.prev_frame_num;
@@ -278,13 +278,13 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){
    const int stride= 16*2;
    const int xStride= 16;
    int i;
-    int temp[8];
+    unsigned temp[8];
    static const uint8_t x_offset[2]={0, 16};
    dctcoef *block = (dctcoef*)_block;

    for(i=0; i<4; i++){
-        temp[2*i+0] = block[stride*i + xStride*0] + block[stride*i + xStride*1];
-        temp[2*i+1] = block[stride*i + xStride*0] - block[stride*i + xStride*1];
+        temp[2*i+0] = block[stride*i + xStride*0] + (unsigned)block[stride*i + xStride*1];
+        temp[2*i+1] = block[stride*i + xStride*0] - (unsigned)block[stride*i + xStride*1];
    }

    for(i=0; i<2; i++){
@@ -52,7 +52,7 @@ enum HapSectionType {

 typedef struct HapChunk {
    enum HapCompressor compressor;
-    int compressed_offset;
+    uint32_t compressed_offset;
    size_t compressed_size;
    int uncompressed_offset;
    size_t uncompressed_size;
@@ -105,6 +105,8 @@ static int hap_parse_decode_instructions(HapContext *ctx, int size)
        size_t running_size = 0;
        for (i = 0; i < ctx->chunk_count; i++) {
            ctx->chunks[i].compressed_offset = running_size;
+            if (ctx->chunks[i].compressed_size > UINT32_MAX - running_size)
+                return AVERROR_INVALIDDATA;
            running_size += ctx->chunks[i].compressed_size;
        }
    }
@@ -186,7 +188,7 @@ static int hap_parse_frame_header(AVCodecContext *avctx)
        HapChunk *chunk = &ctx->chunks[i];

        /* Check the compressed buffer is valid */
-        if (chunk->compressed_offset + chunk->compressed_size > bytestream2_get_bytes_left(gbc))
+        if (chunk->compressed_offset + (uint64_t)chunk->compressed_size > bytestream2_get_bytes_left(gbc))
            return AVERROR_INVALIDDATA;

        /* Chunks are unpacked sequentially, ctx->tex_size is the uncompressed
@@ -157,6 +157,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
    } else
        return AVERROR_INVALIDDATA;

+    if (c->total_band_count > FF_ARRAY_ELEMS(c->ch->imdct_in))
+        return AVERROR_INVALIDDATA;
+
+
    while (get_bits_left(gb) >= 32) {
        chunk = get_bits_long(gb, 32);
        if (chunk == MKBETAG('v', 'b', 'r', 0)) {
@@ -998,7 +998,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int
    } else {
        int prefix_minus3 = prefix - 3;

-        if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) {
+        if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param > 16 + 6) {
            av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
            return 0;
        }
@@ -142,10 +142,14 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        int      nalu_type;
        int is_irap, add_extradata, extra_size, prev_size;

+        if (bytestream2_get_bytes_left(&gb) < s->length_size) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
        for (i = 0; i < s->length_size; i++)
            nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb);

-        if (nalu_size < 2) {
+        if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) {
            ret = AVERROR_INVALIDDATA;
            goto fail;
        }
@@ -816,7 +816,11 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi
                next_coef = 8;
                coef_num  = FFMIN(64, 1 << (4 + (size_id << 1)));
                if (size_id > 1) {
-                    scaling_list_dc_coef[size_id - 2][matrix_id] = get_se_golomb(gb) + 8;
+                    int scaling_list_coeff_minus8 = get_se_golomb(gb);
+                    if (scaling_list_coeff_minus8 < -7 ||
+                        scaling_list_coeff_minus8 > 247)
+                        return AVERROR_INVALIDDATA;
+                    scaling_list_dc_coef[size_id - 2][matrix_id] = scaling_list_coeff_minus8 + 8;
                    next_coef = scaling_list_dc_coef[size_id - 2][matrix_id];
                    sl->sl_dc[size_id - 2][matrix_id] = next_coef;
                }
@@ -343,6 +343,8 @@ static int decode_nal_sei_message(GetBitContext *gb, void *logctx, HEVCSEI *s,
        byte          = get_bits(gb, 8);
        payload_size += byte;
    }
+    if (get_bits_left(gb) < 8LL*payload_size)
+        return AVERROR_INVALIDDATA;
    if (nal_unit_type == HEVC_NAL_SEI_PREFIX) {
        return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size);
    } else { /* nal_unit_type == NAL_SEI_SUFFIX */
@@ -785,6 +785,11 @@ static int hls_slice_header(HEVCContext *s)
        if (s->ps.pps->pic_slice_level_chroma_qp_offsets_present_flag) {
            sh->slice_cb_qp_offset = get_se_golomb(gb);
            sh->slice_cr_qp_offset = get_se_golomb(gb);
+            if (sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12 ||
+                sh->slice_cr_qp_offset < -12 || sh->slice_cr_qp_offset > 12) {
+                av_log(s->avctx, AV_LOG_ERROR, "Invalid slice cx qp offset.\n");
+                return AVERROR_INVALIDDATA;
+            }
        } else {
            sh->slice_cb_qp_offset = 0;
            sh->slice_cr_qp_offset = 0;
@@ -83,6 +83,7 @@ do {                                  \
    int y = y0 >> vshift;
    int x_tb = (x0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask;
    int y_tb = (y0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask;
+    int spin = c_idx && !size_in_tbs_v && ((2 * y0) & (1 << s->ps.sps->log2_min_tb_size));

    int cur_tb_addr = MIN_TB_ADDR_ZS(x_tb, y_tb);

@@ -103,11 +104,11 @@ do {                                  \
    pixel  *top           = top_array  + 1;
    pixel  *filtered_left = filtered_left_array + 1;
    pixel  *filtered_top  = filtered_top_array  + 1;
-    int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v) & s->ps.sps->tb_mask);
+    int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v + spin) & s->ps.sps->tb_mask);
    int cand_left        = lc->na.cand_left;
    int cand_up_left     = lc->na.cand_up_left;
    int cand_up          = lc->na.cand_up;
-    int cand_up_right    = lc->na.cand_up_right    && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1);
+    int cand_up_right    = lc->na.cand_up_right && !spin && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1);

    int bottom_left_size = (FFMIN(y0 + 2 * size_in_luma_v, s->ps.sps->height) -
                           (y0 + size_in_luma_v)) >> vshift;
@@ -723,7 +723,7 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in
        if (opcode >= 0) {
            int size = opcode + 1;
            for (i = 0; i < size; i++) {
-                int length = FFMIN(size - i, width);
+                int length = FFMIN(size - i, width - x);
                if (src_end - src < length * 4)
                    return;
                memcpy(dst + y*linesize + x * 4, src, length * 4);
@@ -612,12 +612,19 @@ static int get_rgn(Jpeg2000DecoderContext *s, int n)
    // Currently compno cannot be greater than 4.
    // However, future implementation should support compno up to 65536
    if (compno < s->ncomponents) {
-        if (s->curtileno == -1)
-            s->roi_shift[compno] = bytestream2_get_byte(&s->g);
-        else {
+        int v;
+        if (s->curtileno == -1) {
+            v =  bytestream2_get_byte(&s->g);
+            if (v > 30)
+                return AVERROR_PATCHWELCOME;
+            s->roi_shift[compno] = v;
+        } else {
            if (s->tile[s->curtileno].tp_idx != 0)
                return AVERROR_INVALIDDATA; // marker occurs only in first tile part of tile
-            s->tile[s->curtileno].comp[compno].roi_shift = bytestream2_get_byte(&s->g);
+            v = bytestream2_get_byte(&s->g);
+            if (v > 30)
+                return AVERROR_PATCHWELCOME;
+            s->tile[s->curtileno].comp[compno].roi_shift = v;
        }
        return 0;
    }
@@ -1669,8 +1676,8 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty,
    ff_mqc_initdec(&t1->mqc, cblk->data, 0, 1);

    while (passno--) {
-        if (bpno < 0) {
-            av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n");
+        if (bpno < 0 || bpno > 29) {
+            av_log(s->avctx, AV_LOG_ERROR, "bpno became invalid\n");
            return AVERROR_INVALIDDATA;
        }
        switch(pass_t) {
@@ -2200,8 +2207,12 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s)
                return 0;
            }
            atom_size = bytestream2_get_be32u(&s->g);
+            if (atom_size < 16 || (int64_t)bytestream2_tell(&s->g) + atom_size - 16 > INT_MAX)
+                return AVERROR_INVALIDDATA;
            atom_end  = bytestream2_tell(&s->g) + atom_size - 16;
        } else {
+            if (atom_size <  8 || (int64_t)bytestream2_tell(&s->g) + atom_size -  8 > INT_MAX)
+                return AVERROR_INVALIDDATA;
            atom_end  = bytestream2_tell(&s->g) + atom_size -  8;
        }

@@ -149,7 +149,7 @@ static inline int ls_get_code_regular(GetBitContext *gb, JLSState *state, int Q)
 {
    int k, ret;

-    for (k = 0; (state->N[Q] << k) < state->A[Q]; k++)
+    for (k = 0; ((unsigned)state->N[Q] << k) < state->A[Q]; k++)
        ;

 #ifdef JLS_BROKEN
@@ -797,7 +797,7 @@ static void teletext_flush(AVCodecContext *avctx)
 #define SD AV_OPT_FLAG_SUBTITLE_PARAM | AV_OPT_FLAG_DECODING_PARAM
 static const AVOption options[] = {
    {"txt_page",        "page numbers to decode, subtitle for subtitles, * for all", OFFSET(pgno),   AV_OPT_TYPE_STRING, {.str = "*"},      0, 0,        SD},
-    {"txt_default_region", "default G0 character set used for decoding",     OFFSET(default_region), AV_OPT_TYPE_INT,    {.i64 = -1},      -1, 80,       SD},
+    {"txt_default_region", "default G0 character set used for decoding",     OFFSET(default_region), AV_OPT_TYPE_INT,    {.i64 = -1},      -1, 87,       SD},
    {"txt_chop_top",    "discards the top teletext line",                    OFFSET(chop_top),       AV_OPT_TYPE_INT,    {.i64 = 1},        0, 1,        SD},
    {"txt_format",      "format of the subtitles (bitmap or text or ass)",   OFFSET(format_id),      AV_OPT_TYPE_INT,    {.i64 = 0},        0, 2,        SD,  "txt_format"},
    {"bitmap",          NULL,                                                0,                      AV_OPT_TYPE_CONST,  {.i64 = 0},        0, 0,        SD,  "txt_format"},
@@ -82,7 +82,7 @@ static inline void loco_update_rice_param(RICEContext *r, int val)

 static inline int loco_get_rice(RICEContext *r)
 {
-    int v;
+    unsigned v;
    if (r->run > 0) { /* we have zero run */
        r->run--;
        loco_update_rice_param(r, 0);
@@ -131,7 +131,7 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh
                             int stride, const uint8_t *buf, int buf_size)
 {
    RICEContext rc;
-    int val;
+    unsigned val;
    int ret;
    int i, j;

@@ -27,7 +27,7 @@ static int32_t scalarproduct_and_madd_int16_c(int16_t *v1, const int16_t *v2,
                                              const int16_t *v3,
                                              int order, int mul)
 {
-    int res = 0;
+    unsigned res = 0;

    do {
        res   += *v1 * *v2++;
@@ -695,6 +695,9 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data,

        s->slices[i][j].start = offset + header_size;
        s->slices[i][j].size  = avpkt->size - s->slices[i][j].start;
+
+        if (s->slices[i][j].size < 2)
+            return AVERROR_INVALIDDATA;
    }

    if (bytestream2_get_byte(&gbyte) != s->planes)
@@ -82,7 +82,7 @@ static int find_frame_end(MJPEGParserContext *m, const uint8_t *buf, int buf_siz
                    return i-3;
                } else if(state<0xFFD00000 || state>0xFFD9FFFF){
                    m->size= (state&0xFFFF)-1;
-                    if (m->size >= 0x8000)
+                    if (m->size >= 0xF000)
                        m->size = 0;
                }
            }
@@ -499,6 +499,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
            }
        }

+        if (s->bayer) {
+            if (pix_fmt_id != 0x11110000 && pix_fmt_id != 0x11000000)
+                goto unk_pixfmt;
+        }
+
        switch (pix_fmt_id) {
        case 0x11110000: /* for bayer-encoded huffman lossless JPEGs embedded in DNGs */
            if (!s->bayer)
@@ -492,10 +492,10 @@ static int mov_text_init(AVCodecContext *avctx) {
        return ff_ass_subtitle_header_full(avctx,
                    m->frame_width, m->frame_height,
                    m->d.font, m->d.fontsize,
-                    (255 - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color),
-                    (255 - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color),
-                    (255 - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color),
-                    (255 - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color),
+                    (255U - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color),
+                    (255U - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color),
+                    (255U - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color),
+                    (255U - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color),
                    m->d.bold, m->d.italic, m->d.underline,
                    ASS_DEFAULT_BORDERSTYLE, m->d.alignment);
    } else
@@ -75,17 +75,17 @@ void ff_mpc_dequantize_and_synth(MPCContext * c, int maxband, int16_t **out,
                j = 0;
                mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][0] & 0xFF];
                for(; j < 12; j++)
-                    c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off];
+                    c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX);
                mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][1] & 0xFF];
                for(; j < 24; j++)
-                    c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off];
+                    c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX);
                mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][2] & 0xFF];
                for(; j < 36; j++)
-                    c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off];
+                    c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX);
            }
        }
        if(bands[i].msf){
-            int t1, t2;
+            unsigned t1, t2;
            for(j = 0; j < SAMPLES_PER_BAND; j++){
                t1 = c->sb_samples[0][j][i];
                t2 = c->sb_samples[1][j][i];
@@ -221,7 +221,6 @@ end:
 }

 /**
- * Note: this function can read out of range and crash for corrupt streams.
 * Changing this would eat up any speed benefits it has.
 * Do not use "fast" flag if you need the code to be robust.
 */
@@ -397,7 +396,6 @@ end:
 }

 /**
- * Note: this function can read out of range and crash for corrupt streams.
 * Changing this would eat up any speed benefits it has.
 * Do not use "fast" flag if you need the code to be robust.
 */
@@ -559,7 +557,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s,
 }

 /**
- * Note: this function can read out of range and crash for corrupt streams.
 * Changing this would eat up any speed benefits it has.
 * Do not use "fast" flag if you need the code to be robust.
 */
@@ -610,7 +610,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
            dy -= 1 << (shift + a + 1);
        else
            dx -= 1 << (shift + a + 1);
-        mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16 + dy * s->mb_y * 16;
+        mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16U + dy * s->mb_y * 16U;

        sum = 0;
        for (y = 0; y < 16; y++) {
@@ -3134,6 +3134,7 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb)
    MpegEncContext *s = &ctx->m;
    int width, height;
    int bits_per_raw_sample;
+    int rgb, chroma_format;

            // random_accessible_vol and video_object_type_indication have already
            // been read by the caller decode_vol_header()
@@ -3141,28 +3142,36 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb)
            ctx->shape = get_bits(gb, 2); /* video_object_layer_shape */
            skip_bits(gb, 4); /* video_object_layer_shape_extension */
            skip_bits1(gb); /* progressive_sequence */
+            if (ctx->shape != RECT_SHAPE) {
+                avpriv_request_sample(s->avctx, "MPEG-4 Studio profile non rectangular shape");
+                return AVERROR_PATCHWELCOME;
+            }
            if (ctx->shape != BIN_ONLY_SHAPE) {
-                ctx->rgb = get_bits1(gb); /* rgb_components */
-                s->chroma_format = get_bits(gb, 2); /* chroma_format */
-                if (!s->chroma_format) {
+                rgb = get_bits1(gb); /* rgb_components */
+                chroma_format = get_bits(gb, 2); /* chroma_format */
+                if (!chroma_format || chroma_format == CHROMA_420 || (rgb && chroma_format == CHROMA_422)) {
                    av_log(s->avctx, AV_LOG_ERROR, "illegal chroma format\n");
                    return AVERROR_INVALIDDATA;
                }

                bits_per_raw_sample = get_bits(gb, 4); /* bit_depth */
                if (bits_per_raw_sample == 10) {
-                    if (ctx->rgb) {
+                    if (rgb) {
                        s->avctx->pix_fmt = AV_PIX_FMT_GBRP10;
                    }
                    else {
-                        s->avctx->pix_fmt = s->chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10;
+                        s->avctx->pix_fmt = chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10;
                    }
                }
                else {
                    avpriv_request_sample(s->avctx, "MPEG-4 Studio profile bit-depth %u", bits_per_raw_sample);
                    return AVERROR_PATCHWELCOME;
                }
+                if (rgb != ctx->rgb || s->chroma_format != chroma_format)
+                    s->context_reinit = 1;
                s->avctx->bits_per_raw_sample = bits_per_raw_sample;
+                ctx->rgb = rgb;
+                s->chroma_format = chroma_format;
            }
            if (ctx->shape == RECT_SHAPE) {
                check_marker(s->avctx, gb, "before video_object_layer_width");
@@ -102,25 +102,25 @@ static void get_qtable(int16_t *table, int quant, const uint8_t *quant_tab)
    }
 }

-static inline void idct_1d(int *blk, int step)
+static inline void idct_1d(unsigned *blk, int step)
 {
-    const int t0 = blk[0 * step] + blk[4 * step];
-    const int t1 = blk[0 * step] - blk[4 * step];
-    const int t2 = blk[2 * step] + blk[6 * step];
-    const int t3 = ((int)((blk[2 * step] - blk[6 * step]) * 362U) >> 8) - t2;
-    const int t4 = t0 + t2;
-    const int t5 = t0 - t2;
-    const int t6 = t1 + t3;
-    const int t7 = t1 - t3;
-    const int t8 = blk[5 * step] + blk[3 * step];
-    const int t9 = blk[5 * step] - blk[3 * step];
-    const int tA = blk[1 * step] + blk[7 * step];
-    const int tB = blk[1 * step] - blk[7 * step];
-    const int tC = t8 + tA;
-    const int tD = (int)((tB + t9) * 473U) >> 8;
-    const int tE = (((int)(t9 * -669U) >> 8) - tC) + tD;
-    const int tF = ((int)((tA - t8) * 362U) >> 8) - tE;
-    const int t10 = (((int)(tB * 277U) >> 8) - tD) + tF;
+    const unsigned t0 = blk[0 * step] + blk[4 * step];
+    const unsigned t1 = blk[0 * step] - blk[4 * step];
+    const unsigned t2 = blk[2 * step] + blk[6 * step];
+    const unsigned t3 = ((int)((blk[2 * step] - blk[6 * step]) * 362U) >> 8) - t2;
+    const unsigned t4 = t0 + t2;
+    const unsigned t5 = t0 - t2;
+    const unsigned t6 = t1 + t3;
+    const unsigned t7 = t1 - t3;
+    const unsigned t8 = blk[5 * step] + blk[3 * step];
+    const unsigned t9 = blk[5 * step] - blk[3 * step];
+    const unsigned tA = blk[1 * step] + blk[7 * step];
+    const unsigned tB = blk[1 * step] - blk[7 * step];
+    const unsigned tC = t8 + tA;
+    const unsigned tD = (int)((tB + t9) * 473U) >> 8;
+    const unsigned tE = (((int)(t9 * -669U) >> 8) - tC) + tD;
+    const unsigned tF = ((int)((tA - t8) * 362U) >> 8) - tE;
+    const unsigned t10 = (((int)(tB * 277U) >> 8) - tD) + tF;

    blk[0 * step] = t4 + tC;
    blk[1 * step] = t6 + tE;
@@ -198,12 +198,12 @@ static void idct_add(uint8_t *dst, int stride,

 static inline void idct2_1d(int *blk, int step)
 {
-    const int t0 = blk[0 * step];
-    const int t1 = blk[1 * step];
-    const int t2 = t1 * 473 >> 8;
-    const int t3 = t2 - t1;
-    const int t4 = (t1 * 362 >> 8) - t3;
-    const int t5 = ((t1 * 277 >> 8) - t2) + t4;
+    const unsigned int  t0 = blk[0 * step];
+    const unsigned int t1 = blk[1 * step];
+    const unsigned int t2 = (int)(t1 * 473U) >> 8;
+    const unsigned int t3 = t2 - t1;
+    const unsigned int t4 =  ((int)(t1 * 362U) >> 8) - t3;
+    const unsigned int t5 = (((int)(t1 * 277U) >> 8) - t2) + t4;

    blk[0 * step] = t1 + t0;
    blk[1 * step] = t0 + t3;
@@ -305,14 +305,14 @@ static int decode_intra_block(AVCodecContext *avctx, int mode,
    case 1:
        fill = sign_extend(bytestream2_get_ne16(gbyte), 16);
        pfill[0] += fill;
-        block[0] = ((pfill[0] * qtab[0]) >> 5) + 128;
+        block[0] = ((int)((unsigned)pfill[0] * qtab[0]) >> 5) + 128;
        s->bdsp.fill_block_tab[1](dst, block[0], linesize, 8);
        break;
    case 2:
        memset(block, 0, sizeof(*block) * 64);
        fill = sign_extend(bytestream2_get_ne16(gbyte), 16);
        pfill[0] += fill;
-        block[0] = pfill[0] * qtab[0];
+        block[0] = (unsigned)pfill[0] * qtab[0];
        block[1] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[1];
        block[8] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[8];
        block[9] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[9];
@@ -321,7 +321,7 @@ static int decode_intra_block(AVCodecContext *avctx, int mode,
    case 3:
        fill = sign_extend(bytestream2_get_ne16(gbyte), 16);
        pfill[0] += fill;
-        block[0] = pfill[0] * qtab[0];
+        block[0] = (unsigned)pfill[0] * qtab[0];
        for (int i = 1; i < 64; i++)
            block[zigzag[i]] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[zigzag[i]];
        idct_put(dst, linesize, block);
@@ -346,14 +346,14 @@ static int decode_inter_block(AVCodecContext *avctx, int mode,
    case 1:
        fill = sign_extend(bytestream2_get_ne16(gbyte), 16);
        pfill[0] += fill;
-        block[0] = (pfill[0] * qtab[0]) >> 5;
+        block[0] = (int)((unsigned)pfill[0] * qtab[0]) >> 5;
        update_inter_block(dst, linesize, src, in_linesize, block[0]);
        break;
    case 2:
        memset(block, 0, sizeof(*block) * 64);
        fill = sign_extend(bytestream2_get_ne16(gbyte), 16);
        pfill[0] += fill;
-        block[0] = pfill[0] * qtab[0];
+        block[0] = (unsigned)pfill[0] * qtab[0];
        block[1] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[1];
        block[8] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[8];
        block[9] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[9];
@@ -362,7 +362,7 @@ static int decode_inter_block(AVCodecContext *avctx, int mode,
    case 3:
        fill = sign_extend(bytestream2_get_ne16(gbyte), 16);
        pfill[0] += fill;
-        block[0] = pfill[0] * qtab[0];
+        block[0] = (unsigned)pfill[0] * qtab[0];
        for (int i = 1; i < 64; i++)
            block[zigzag[i]] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[zigzag[i]];
        idct_add(dst, linesize, src, in_linesize, block);
@@ -410,6 +410,9 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame
    int ret;

    mgb = *gb;
+    if (get_bits_left(gb) < s->mode_size * 8)
+        return AVERROR_INVALIDDATA;
+
    skip_bits_long(gb, s->mode_size * 8);

    linesize[0] = frame->linesize[0];
@@ -528,8 +531,13 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb,
        for (int x = 0; x < avctx->width; x += 16) {
            if (cnt >= 4)
                cnt = 0;
-            if (cnt == 0)
+            if (cnt == 0) {
+                if (get_bits_left(&mask) < 8) {
+                    ret = AVERROR_INVALIDDATA;
+                    goto fail;
+                }
                flags = get_bits(&mask, 8);
+            }

            dst[0] = frame->data[0] + linesize[0] * y + x;
            dst[1] = frame->data[0] + linesize[0] * y + x + 8;
@@ -247,16 +247,17 @@ static int mxpeg_decode_frame(AVCodecContext *avctx,
                           "Multiple SOF in a frame\n");
                    return AVERROR_INVALIDDATA;
                }
-                s->got_sof_data = 0;
                ret = ff_mjpeg_decode_sof(jpg);
                if (ret < 0) {
                    av_log(avctx, AV_LOG_ERROR,
                           "SOF data decode error\n");
+                    s->got_sof_data = 0;
                    return ret;
                }
                if (jpg->interlaced) {
                    av_log(avctx, AV_LOG_ERROR,
                           "Interlaced mode not supported in MxPEG\n");
+                    s->got_sof_data = 0;
                    return AVERROR(EINVAL);
                }
                s->got_sof_data ++;
@@ -1829,7 +1829,7 @@ static int nvenc_set_timestamp(AVCodecContext *avctx,
    pkt->pts = params->outputTimeStamp;
    pkt->dts = timestamp_queue_dequeue(ctx->timestamp_list);

-    pkt->dts -= FFMAX(avctx->max_b_frames, 0) * FFMIN(avctx->ticks_per_frame, 1);
+    pkt->dts -= FFMAX(avctx->max_b_frames, 0) * FFMAX(avctx->ticks_per_frame, 1);

    return 0;
 }
@@ -506,7 +506,8 @@ static inline void silk_decode_excitation(SilkContext *s, OpusRangeCoder *rc,
 #define LTP_ORDER 5

 static void silk_decode_frame(SilkContext *s, OpusRangeCoder *rc,
-                              int frame_num, int channel, int coded_channels, int active, int active1)
+                              int frame_num, int channel, int coded_channels,
+                              int active, int active1, int redundant)
 {
    /* per frame */
    int voiced;       // combines with active to indicate inactive, active, or active+voiced
@@ -665,8 +666,9 @@ static void silk_decode_frame(SilkContext *s, OpusRangeCoder *rc,
    silk_decode_excitation(s, rc, residual + SILK_MAX_LAG, qoffset_high,
                           active, voiced);

-    /* skip synthesising the side channel if we want mono-only */
-    if (s->output_channels == channel)
+    /* skip synthesising the output if we do not need it */
+    // TODO: implement error recovery
+    if (s->output_channels == channel || redundant)
        return;

    /* generate the output signal */
@@ -814,15 +816,27 @@ int ff_silk_decode_superframe(SilkContext *s, OpusRangeCoder *rc,
            active[i][j] = ff_opus_rc_dec_log(rc, 1);

        redundancy[i] = ff_opus_rc_dec_log(rc, 1);
-        if (redundancy[i]) {
-            avpriv_report_missing_feature(s->avctx, "LBRR frames");
-            return AVERROR_PATCHWELCOME;
+    }
+
+    /* read the per-frame LBRR flags */
+    for (i = 0; i < coded_channels; i++)
+        if (redundancy[i] && duration_ms > 20) {
+            redundancy[i] = ff_opus_rc_dec_cdf(rc, duration_ms == 40 ?
+                                                   ff_silk_model_lbrr_flags_40 : ff_silk_model_lbrr_flags_60);
        }
+
+    /* decode the LBRR frames */
+    for (i = 0; i < nb_frames; i++) {
+        for (j = 0; j < coded_channels; j++)
+            if (redundancy[j] & (1 << i)) {
+                int active1 = (j == 0 && !(redundancy[1] & (1 << i))) ? 0 : 1;
+                silk_decode_frame(s, rc, i, j, coded_channels, 1, active1, 1);
+            }
    }

    for (i = 0; i < nb_frames; i++) {
        for (j = 0; j < coded_channels && !s->midonly; j++)
-            silk_decode_frame(s, rc, i, j, coded_channels, active[j][i], active[1][i]);
+            silk_decode_frame(s, rc, i, j, coded_channels, active[j][i], active[1][i], 0);

        /* reset the side channel if it is not coded */
        if (s->midonly && s->frame[1].coded)
@@ -26,6 +26,9 @@ const uint8_t ff_opus_default_coupled_streams[] = { 0, 1, 1, 2, 2, 2, 2, 3 };

 const uint8_t ff_celt_band_end[] = { 13, 17, 17, 19, 21 };

+const uint16_t ff_silk_model_lbrr_flags_40[] = { 256, 0, 53, 106, 256 };
+const uint16_t ff_silk_model_lbrr_flags_60[] = { 256, 0, 41, 61, 90, 131, 146, 174, 256 };
+
 const uint16_t ff_silk_model_stereo_s1[] = {
    256,   7,   9,  10,  11,  12,  22,  46,  54,  55,  56,  59,  82, 174, 197, 200,
    201, 202, 210, 234, 244, 245, 246, 247, 249, 256
@@ -31,6 +31,9 @@ extern const uint8_t  ff_celt_band_end[];

 extern const uint8_t  ff_opus_default_coupled_streams[];

+extern const uint16_t ff_silk_model_lbrr_flags_40[];
+extern const uint16_t ff_silk_model_lbrr_flags_60[];
+
 extern const uint16_t ff_silk_model_stereo_s1[];
 extern const uint16_t ff_silk_model_stereo_s2[];
 extern const uint16_t ff_silk_model_stereo_s3[];
@@ -221,7 +221,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst,
    length = 25 - nbits;

    while (i < size) {
-        if (state >> 8 != -3)
+        if (((state >> 8) + 3) & 0xFFFFFFF)
            value = ff_clz((state >> 8) + 3) ^ 0x1F;
        else
            value = -1;
@@ -984,6 +984,11 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
        return AVERROR_INVALIDDATA;
    }

+    if (s->pic_state & PNG_IDAT) {
+        av_log(avctx, AV_LOG_ERROR, "fctl after IDAT\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    s->last_w = s->cur_w;
    s->last_h = s->cur_h;
    s->last_x_offset = s->x_offset;
@@ -109,8 +109,10 @@ retry:
        if (next == END_NOT_FOUND)
            pnmpc->ascii_scan = sync - pnmctx.bytestream + skip;
    } else {
-        next = pnmctx.bytestream - pnmctx.bytestream_start + skip
-               + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1);
+        int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1);
+        next = pnmctx.bytestream - pnmctx.bytestream_start + skip;
+        if (ret >= 0)
+            next += ret;
    }
    if (next != END_NOT_FOUND && pnmctx.bytestream_start != buf + skip)
        next -= pc->index;
@@ -173,7 +173,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
            } else if (upgrade == 2) {
                unsigned int j, v, f = (65535 * 32768 + s->maxval / 2) / s->maxval;
                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15;
                }
            }
@@ -227,7 +227,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
                return AVERROR_INVALIDDATA;
            for (i = 0; i < avctx->height; i++) {
                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15;
                }
                s->bytestream += n;
@@ -239,13 +239,13 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
            h = avctx->height >> 1;
            for (i = 0; i < h; i++) {
                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ptr1[j] = (v * f + 16384) >> 15;
                }
                s->bytestream += n;

                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ptr2[j] = (v * f + 16384) >> 15;
                }
                s->bytestream += n;
@@ -267,9 +267,9 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
            b = (float *)p->data[1];
            for (int i = 0; i < avctx->height; i++) {
                for (int j = 0; j < avctx->width; j++) {
-                    r[j] = av_int2float(av_le2ne32(((uint32_t *)s->bytestream)[0])) * scale;
-                    g[j] = av_int2float(av_le2ne32(((uint32_t *)s->bytestream)[4])) * scale;
-                    b[j] = av_int2float(av_le2ne32(((uint32_t *)s->bytestream)[8])) * scale;
+                    r[j] = av_int2float(AV_RL32(s->bytestream+0)) * scale;
+                    g[j] = av_int2float(AV_RL32(s->bytestream+4)) * scale;
+                    b[j] = av_int2float(AV_RL32(s->bytestream+8)) * scale;
                    s->bytestream += 12;
                }

@@ -285,9 +285,9 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
            b = (float *)p->data[1];
            for (int i = 0; i < avctx->height; i++) {
                for (int j = 0; j < avctx->width; j++) {
-                    r[j] = av_int2float(av_be2ne32(((uint32_t *)s->bytestream)[0])) * scale;
-                    g[j] = av_int2float(av_be2ne32(((uint32_t *)s->bytestream)[4])) * scale;
-                    b[j] = av_int2float(av_be2ne32(((uint32_t *)s->bytestream)[8])) * scale;
+                    r[j] = av_int2float(AV_RB32(s->bytestream+0)) * scale;
+                    g[j] = av_int2float(AV_RB32(s->bytestream+4)) * scale;
+                    b[j] = av_int2float(AV_RB32(s->bytestream+8)) * scale;
                    s->bytestream += 12;
                }

@@ -310,7 +310,6 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
    }

    if (for_user) {
-        dst->delay       = src->thread_count - 1;
 #if FF_API_CODED_FRAME
 FF_DISABLE_DEPRECATION_WARNINGS
        dst->coded_frame = src->coded_frame;
@@ -790,6 +789,9 @@ int ff_frame_thread_init(AVCodecContext *avctx)
    fctx->async_lock = 1;
    fctx->delaying = 1;

+    if (codec->type == AVMEDIA_TYPE_VIDEO)
+        avctx->delay = src->thread_count - 1;
+
    for (i = 0; i < thread_count; i++) {
        AVCodecContext *copy = av_malloc(sizeof(AVCodecContext));
        PerThreadContext *p  = &fctx->threads[i];
@@ -827,6 +829,8 @@ int ff_frame_thread_init(AVCodecContext *avctx)
        copy->internal->thread_ctx = p;
        copy->internal->last_pkt_props = &p->avpkt;

+        copy->delay = avctx->delay;
+
        if (codec->priv_data_size) {
            copy->priv_data = av_mallocz(codec->priv_data_size);
            if (!copy->priv_data) {
@@ -70,6 +70,9 @@ static void clear_plane(AVCodecContext *avctx, AVFrame *frame)
    RASCContext *s = avctx->priv_data;
    uint8_t *dst = frame->data[0];

+    if (!dst)
+        return;
+
    for (int y = 0; y < avctx->height; y++) {
        memset(dst, 0, avctx->width * s->bpp);
        dst += frame->linesize[0];
@@ -300,6 +300,10 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
            ret = AVERROR_INVALIDDATA;
            goto end;
        }
+        if (ctx->inflated_size < pixel_size) {
+            ret = AVERROR_INVALIDDATA;
+            goto end;
+        }
        ret = uncompress(ctx->inflated_buf, &len, gbc->buffer, packed_size);
        if (ret) {
            av_log(avctx, AV_LOG_ERROR, "Pixel deflate error %d.\n", ret);
@@ -234,6 +234,8 @@ static int update_model6_to_7(PixelModel3 *m)
        }
        p = (e + 127) >> 7;
        k = ((f + e - 1) >> 7) + 1;
+        if (k > FF_ARRAY_ELEMS(n.dectab))
+            return AVERROR_INVALIDDATA;
        for (i = 0; i < k - p; i++)
            n.dectab[p + i] = j;
        e += f;
@@ -702,7 +704,11 @@ static int update_model3_to_7(PixelModel3 *m, uint8_t value)
        e = d;
        n.cntsum += n.cnts[e];
        n.freqs1[e] = c;
-        for (g = n.freqs[e], q = c + 128 - 1 >> 7, f = (c + g - 1 >> 7) + 1; q < f; q++) {
+        g = n.freqs[e];
+        f = (c + g - 1 >> 7) + 1;
+        if (f > FF_ARRAY_ELEMS(n.dectab))
+            return AVERROR_INVALIDDATA;
+        for (q = c + 128 - 1 >> 7; q < f; q++) {
            n.dectab[q] = e;
        }
        c += g;
@@ -837,6 +843,7 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
    uint16_t a = 0, b = 0;
    uint32_t param;
    int type;
+    int ret;

    type = m->type;
    switch (type) {
@@ -859,7 +866,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
        break;
    case 3:
        *value = bytestream2_get_byte(&s->gb);
-        decode_static3(m, *value);
+        ret = decode_static3(m, *value);
+        if (ret < 0)
+            return AVERROR_INVALIDDATA;
        sync_code3(gb, rc);
        break;
    case 4:
@@ -877,7 +886,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
        break;
    case 6:
        if (!decode_adaptive6(m, code, value, &a, &b)) {
-            update_model6_to_7(m);
+            ret = update_model6_to_7(m);
+            if (ret < 0)
+                return AVERROR_INVALIDDATA;
        }
        decode3(gb, rc, a, b);
        sync_code3(gb, rc);
@@ -175,7 +175,8 @@ static inline void idct4col_add(uint8_t *dest, ptrdiff_t line_size, const int16_
 #define R_SHIFT 11
 static inline void idct4row(int16_t *row)
 {
-    int c0, c1, c2, c3, a0, a1, a2, a3;
+    unsigned c0, c1, c2, c3;
+    int a0, a1, a2, a3;

    a0 = row[0];
    a1 = row[1];
@@ -341,12 +341,12 @@ static const float mlt_quant[7][14] = {
    { 0.0f, 1.964f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f }
 };

-static const float noise_category5[20] = {
+static const float noise_category5[21] = {
    0.70711f, 0.6179f, 0.5005f, 0.3220f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f,
    0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f
 };

-static const float noise_category6[20] = {
+static const float noise_category6[21] = {
    0.70711f, 0.5686f, 0.3563f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f,
    0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f
 };
@@ -491,6 +491,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
        case SMK_BLK_FULL:
            mode = 0;
            if(avctx->codec_tag == MKTAG('S', 'M', 'K', '4')) { // In case of Smacker v4 we have three modes
+                if (get_bits_left(&gb) < 1)
+                    return AVERROR_INVALIDDATA;
                if(get_bits1(&gb)) mode = 1;
                else if(get_bits1(&gb)) mode = 2;
            }
@@ -117,7 +117,7 @@ static av_always_inline void predict_slice_buffered(SnowContext *s, slice_buffer
 static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, slice_buffer * sb, int start_y, int h, int save_state[1]){
    const int w= b->width;
    int y;
-    const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16);
+    const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16);
    int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT);
    int qadd= (s->qbias*qmul)>>QBIAS_SHIFT;
    int new_index = 0;
@@ -224,7 +224,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){

 static void dequantize_slice_buffered(SnowContext *s, slice_buffer * sb, SubBand *b, IDWTELEM *src, int stride, int start_y, int end_y){
    const int w= b->width;
-    const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16);
+    const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16);
    const int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT);
    const int qadd= (s->qbias*qmul)>>QBIAS_SHIFT;
    int x,y;
@@ -369,7 +369,10 @@ static int decode_header(SnowContext *s){
                htaps = htaps*2 + 2;
                p->htaps= htaps;
                for(i= htaps/2; i; i--){
-                    p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1));
+                    unsigned hcoeff = get_symbol(&s->c, s->header_state, 0);
+                    if (hcoeff > 127)
+                        return AVERROR_INVALIDDATA;
+                    p->hcoeff[i]= hcoeff * (1-2*(i&1));
                    sum += p->hcoeff[i];
                }
                p->hcoeff[0]= 32-sum;
@@ -1625,10 +1625,22 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
        s->lambda = 0;
    }//else keep previous frame's qlog until after motion estimation

+#if FF_API_CODED_FRAME
+FF_DISABLE_DEPRECATION_WARNINGS
+    av_frame_unref(avctx->coded_frame);
+FF_ENABLE_DEPRECATION_WARNINGS
+#endif
+
    if (s->current_picture->data[0]) {
        int w = s->avctx->width;
        int h = s->avctx->height;

+#if FF_API_CODED_FRAME
+        ret = av_frame_make_writable(s->current_picture);
+        if (ret < 0)
+            return ret;
+#endif
+
        s->mpvencdsp.draw_edges(s->current_picture->data[0],
                                s->current_picture->linesize[0], w   , h   ,
                                EDGE_WIDTH  , EDGE_WIDTH  , EDGE_TOP | EDGE_BOTTOM);
@@ -1646,7 +1658,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
    ff_snow_frame_start(s);
 #if FF_API_CODED_FRAME
 FF_DISABLE_DEPRECATION_WARNINGS
-    av_frame_unref(avctx->coded_frame);
    ret = av_frame_ref(avctx->coded_frame, s->current_picture);
 FF_ENABLE_DEPRECATION_WARNINGS
 #endif
@@ -140,7 +140,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si
    if(get_rac(c, state+0))
        return 0;
    else{
-        int i, e, a;
+        int i, e;
+        unsigned a;
        e= 0;
        while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
            e++;
@@ -474,7 +475,7 @@ static int predictor_calc_error(int *k, int *state, int order, int error)
    for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--)
    {
        int k_value = *k_ptr, state_value = *state_ptr;
-        x -= shift_down(k_value * state_value, LATTICE_SHIFT);
+        x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT);
        state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT);
    }
 #else
@@ -979,9 +980,7 @@ static av_cold int sonic_decode_close(AVCodecContext *avctx)
    av_freep(&s->int_samples);
    av_freep(&s->tap_quant);
    av_freep(&s->predictor_k);
-
-    for (i = 0; i < s->channels; i++)
-    {
+    for (i = 0; i < MAX_CHANNELS; i++) {
        av_freep(&s->predictor_state[i]);
        av_freep(&s->coded_samples[i]);
    }
@@ -1032,6 +1031,9 @@ static int sonic_decode_frame(AVCodecContext *avctx,
    {
        int x = ch;

+        if (c.overread > MAX_OVERREAD)
+            return AVERROR_INVALIDDATA;
+
        predictor_init_state(s->predictor_k, s->predictor_state[ch], s->num_taps);

        intlist_read(&c, state, s->coded_samples[ch], s->block_align, 1);
@@ -1044,7 +1046,7 @@ static int sonic_decode_frame(AVCodecContext *avctx,
                x += s->channels;
            }

-            s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * quant);
+            s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * (unsigned)quant);
            x += s->channels;
        }

@@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int
    for (i = 0; i < length; i++) {
        int32_t a = p1[i];
        int32_t b = p2[i];
-        b         = dfactor * (b >> dshift) + 128 >> 8 << dshift;
+        b         = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift;
        p1[i]     = b - a;
    }
 }
@@ -390,7 +390,7 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles)
    for (i = 0; i < number_tiles; i++) {
        int tile_size;
        int tile_mode;
-        int x, y, w, h;
+        int x, y, x2, y2, w, h;
        int ret;

        if (bytestream2_get_bytes_left(&ctx->gbc) < 4 ||
@@ -408,20 +408,19 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles)
        bytestream2_skip(&ctx->gbc, 4); // unknown
        x = bytestream2_get_le32(&ctx->gbc);
        y = bytestream2_get_le32(&ctx->gbc);
-        w = bytestream2_get_le32(&ctx->gbc) - x;
-        h = bytestream2_get_le32(&ctx->gbc) - y;
+        x2 = bytestream2_get_le32(&ctx->gbc);
+        y2 = bytestream2_get_le32(&ctx->gbc);

-        if (x >= ctx->width || y >= ctx->height) {
+        if (x < 0 || y < 0 || x2 <= x || y2 <= y ||
+            x2 > ctx->width || y2 > ctx->height
+        ) {
            av_log(avctx, AV_LOG_ERROR,
-                   "Invalid tile position (%d.%d outside %dx%d).\n",
-                   x, y, ctx->width, ctx->height);
-            return AVERROR_INVALIDDATA;
-        }
-        if (x + w > ctx->width || y + h > ctx->height) {
-            av_log(avctx, AV_LOG_ERROR,
-                   "Invalid tile size %dx%d\n", w, h);
+                   "Invalid tile position (%d.%d %d.%d outside %dx%d).\n",
+                   x, y, x2, y2, ctx->width, ctx->height);
            return AVERROR_INVALIDDATA;
        }
+        w = x2 - x;
+        h = y2 - y;

        ret = av_reallocp(&ctx->tilebuffer, tile_size);
        if (!ctx->tilebuffer)
@@ -79,6 +79,7 @@ typedef struct TiffContext {
    int fill_order;
    uint32_t res[4];
    int is_thumbnail;
+    unsigned last_tag;

    int is_bayer;
    uint8_t pattern[4];
@@ -679,6 +680,9 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid
        return 0;
    }

+    if (is_dng && stride == 0)
+        return AVERROR_INVALIDDATA;
+
    for (line = 0; line < lines; line++) {
        if (src - ssrc > size) {
            av_log(s->avctx, AV_LOG_ERROR, "Source data overread\n");
@@ -706,7 +710,7 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid
            if (is_dng) {
                int is_u16, pixel_size_bytes, pixel_size_bits, elements;

-                is_u16 = (s->bpp > 8);
+                is_u16 = (s->bpp / s->bppcount > 8);
                pixel_size_bits = (is_u16 ? 16 : 8);
                pixel_size_bytes = (is_u16 ? sizeof(uint16_t) : sizeof(uint8_t));

@@ -856,8 +860,11 @@ static void dng_blit(TiffContext *s, uint8_t *dst, int dst_stride,
            }
        } else {
            for (line = 0; line < height; line++) {
+                uint8_t *dst_u8 = dst;
+                const uint8_t *src_u8 = src;
+
                for (col = 0; col < width; col++)
-                    *dst++ = dng_process_color8(*src++, s->dng_lut, s->black_level, scale_factor);
+                    *dst_u8++ = dng_process_color8(*src_u8++, s->dng_lut, s->black_level, scale_factor);

                dst += dst_stride;
                src += src_stride;
@@ -876,6 +883,9 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame,
    int is_single_comp, is_u16, pixel_size;
    int ret;

+    if (tile_byte_count < 0 || tile_byte_count > bytestream2_get_bytes_left(&s->gb))
+        return AVERROR_INVALIDDATA;
+
    /* Prepare a packet and send to the MJPEG decoder */
    av_init_packet(&jpkt);
    jpkt.data = (uint8_t*)s->gb.buffer;
@@ -905,12 +915,28 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame,
            return 0;
    }

+    is_u16 = (s->bpp > 8);
+
    /* Copy the outputted tile's pixels from 'jpgframe' to 'frame' (final buffer) */

-    /* See dng_blit for explanation */
-    is_single_comp = (s->avctx_mjpeg->width == w * 2 && s->avctx_mjpeg->height == h / 2);
+    if (s->jpgframe->width  != s->avctx_mjpeg->width  ||
+        s->jpgframe->height != s->avctx_mjpeg->height ||
+        s->jpgframe->format != s->avctx_mjpeg->pix_fmt)
+        return AVERROR_INVALIDDATA;
+
+    /* See dng_blit for explanation */
+    if (s->avctx_mjpeg->width  == w * 2 &&
+        s->avctx_mjpeg->height == h / 2 &&
+        s->avctx_mjpeg->pix_fmt == AV_PIX_FMT_GRAY16LE) {
+        is_single_comp = 1;
+    } else if (s->avctx_mjpeg->width  == w &&
+               s->avctx_mjpeg->height == h &&
+               s->avctx_mjpeg->pix_fmt == (is_u16 ? AV_PIX_FMT_GRAY16 : AV_PIX_FMT_GRAY8)
+              ) {
+        is_single_comp = 0;
+    } else
+        return AVERROR_INVALIDDATA;

-    is_u16 = (s->bpp > 8);
    pixel_size = (is_u16 ? sizeof(uint16_t) : sizeof(uint8_t));

    if (is_single_comp && !is_u16) {
@@ -1232,6 +1258,12 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
    if (ret < 0) {
        goto end;
    }
+    if (tag <= s->last_tag)
+        return AVERROR_INVALIDDATA;
+
+    // We ignore TIFF_STRIP_SIZE as it is sometimes in the logic but wrong order around TIFF_STRIP_OFFS
+    if (tag != TIFF_STRIP_SIZE)
+        s->last_tag = tag;

    off = bytestream2_tell(&s->gb);
    if (count == 1) {
@@ -1270,7 +1302,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
        s->height = value;
        break;
    case TIFF_BPP:
-        if (count > 5U) {
+        if (count > 5 || count <= 0) {
            av_log(s->avctx, AV_LOG_ERROR,
                   "This format is not supported (bpp=%d, %d components)\n",
                   value, count);
@@ -1301,9 +1333,9 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
                   "Samples per pixel requires a single value, many provided\n");
            return AVERROR_INVALIDDATA;
        }
-        if (value > 5U) {
+        if (value > 5 || value <= 0) {
            av_log(s->avctx, AV_LOG_ERROR,
-                   "Samples per pixel %d is too large\n", value);
+                   "Invalid samples per pixel %d\n", value);
            return AVERROR_INVALIDDATA;
        }
        if (s->bppcount == 1)
@@ -1414,7 +1446,9 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
            s->sub_ifd = ff_tget(&s->gb, TIFF_LONG, s->le); /** Only get the first SubIFD */
        break;
    case DNG_LINEARIZATION_TABLE:
-        for (int i = 0; i < FFMIN(count, 1 << s->bpp); i++)
+        if (count > FF_ARRAY_ELEMS(s->dng_lut))
+            return AVERROR_INVALIDDATA;
+        for (int i = 0; i < count; i++)
            s->dng_lut[i] = ff_tget(&s->gb, type, s->le);
        break;
    case DNG_BLACK_LEVEL:
@@ -1785,6 +1819,7 @@ again:
    s->is_tiled    = 0;
    s->is_jpeg     = 0;
    s->cur_page    = 0;
+    s->last_tag    = 0;

    for (i = 0; i < 65536; i++)
        s->dng_lut[i] = i;
@@ -1863,8 +1898,14 @@ again:
    if (is_dng) {
        int bps;

+        if (s->bpp % s->bppcount)
+            return AVERROR_INVALIDDATA;
+        bps = s->bpp / s->bppcount;
+        if (bps < 8 || bps > 32)
+            return AVERROR_INVALIDDATA;
+
        if (s->white_level == 0)
-            s->white_level = (1 << s->bpp) - 1; /* Default value as per the spec */
+            s->white_level = (1LL << bps) - 1; /* Default value as per the spec */

        if (s->white_level <= s->black_level) {
            av_log(avctx, AV_LOG_ERROR, "BlackLevel (%"PRId32") must be less than WhiteLevel (%"PRId32")\n",
@@ -1872,11 +1913,6 @@ again:
            return AVERROR_INVALIDDATA;
        }

-        if (s->bpp % s->bppcount)
-            return AVERROR_INVALIDDATA;
-        bps = s->bpp / s->bppcount;
-        if (bps < 8 || bps > 32)
-            return AVERROR_INVALIDDATA;
        if (s->planar)
            return AVERROR_PATCHWELCOME;
    }
@@ -511,7 +511,14 @@ static int64_t get_bit_rate(AVCodecContext *ctx)
        break;
    case AVMEDIA_TYPE_AUDIO:
        bits_per_sample = av_get_bits_per_sample(ctx->codec_id);
-        bit_rate = bits_per_sample ? ctx->sample_rate * (int64_t)ctx->channels * bits_per_sample : ctx->bit_rate;
+        if (bits_per_sample) {
+            bit_rate = ctx->sample_rate * (int64_t)ctx->channels;
+            if (bit_rate > INT64_MAX / bits_per_sample) {
+                bit_rate = 0;
+            } else
+                bit_rate *= bits_per_sample;
+        } else
+            bit_rate = ctx->bit_rate;
        break;
    default:
        bit_rate = 0;
@@ -1594,7 +1601,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
    case AV_CODEC_ID_MP1:          return  384;
    case AV_CODEC_ID_ATRAC1:       return  512;
    case AV_CODEC_ID_ATRAC9:
-    case AV_CODEC_ID_ATRAC3:       return 1024 * framecount;
+    case AV_CODEC_ID_ATRAC3:
+        if (framecount > INT_MAX/1024)
+            return 0;
+        return 1024 * framecount;
    case AV_CODEC_ID_ATRAC3P:      return 2048;
    case AV_CODEC_ID_MP2:
    case AV_CODEC_ID_MUSEPACK7:    return 1152;
@@ -1610,8 +1620,11 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,

        if (ch > 0) {
            /* calc from sample rate and channels */
-            if (id == AV_CODEC_ID_BINKAUDIO_DCT)
+            if (id == AV_CODEC_ID_BINKAUDIO_DCT) {
+                if (sr / 22050 > 22)
+                    return 0;
                return (480 << (sr / 22050)) / ch;
+            }
        }

        if (id == AV_CODEC_ID_MP3)
@@ -1657,7 +1670,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
                return frame_bytes / (9 * ch) * 16;
            case AV_CODEC_ID_ADPCM_PSX:
            case AV_CODEC_ID_ADPCM_DTK:
-                return frame_bytes / (16 * ch) * 28;
+                frame_bytes /= 16 * ch;
+                if (frame_bytes > INT_MAX / 28)
+                    return 0;
+                return frame_bytes * 28;
            case AV_CODEC_ID_ADPCM_4XM:
            case AV_CODEC_ID_ADPCM_IMA_DAT4:
            case AV_CODEC_ID_ADPCM_IMA_ISS:
@@ -1080,7 +1080,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n,
                    q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1;
                if (q2 && q1 != q2) {
                    for (k = 1; k < 8; k++)
-                        ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18;
+                        ac_val2[k] = (int)(ac_val2[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18;
                }
            }
        } else { // top
@@ -1093,7 +1093,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n,
                    q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1;
                if (q2 && q1 != q2) {
                    for (k = 1; k < 8; k++)
-                        ac_val2[k + 8] = (ac_val2[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18;
+                        ac_val2[k + 8] = (int)(ac_val2[k + 8] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18;
                }
            }
        }
@@ -2920,6 +2920,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
    int ret;
    AVRational fps, aspect;

+    if (get_bits_left(gb) < 206)
+        return AVERROR_INVALIDDATA;
+
    s->theora_header = 0;
    s->theora = get_bits(gb, 24);
    av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora);
@@ -490,5 +490,5 @@ void ff_vp3dsp_set_bounding_values(int * bounding_values_array, int filter_limit
    }
    if (value)
        bounding_values[128] = value;
-    bounding_values[129] = bounding_values[130] = filter_limit * 0x02020202;
+    bounding_values[129] = bounding_values[130] = filter_limit * 0x02020202U;
 }
@@ -2289,10 +2289,10 @@ int vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe,
        s->mv_bounds.mv_min.x = -MARGIN;
        s->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN;

-        if (vpX_rac_is_end(&s->c)) {
-            return AVERROR_INVALIDDATA;
-        }
        for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) {
+            if (vpX_rac_is_end(&s->c)) {
+                return AVERROR_INVALIDDATA;
+            }
            if (mb_y == 0)
                AV_WN32A((mb - s->mb_width - 1)->intra4x4_pred_mode_top,
                         DC_PRED * 0x01010101);
@@ -1138,7 +1138,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \
            for (j = 0; j < sz; j++) \
                dst[j * stride] = av_clip_pixel(dst[j * stride] + \
                                                (bits ? \
-                                                 (t + (1 << (bits - 1))) >> bits : \
+                                                 (int)(t + (1U << (bits - 1))) >> bits : \
                                                 t)); \
            dst++; \
        } \
@@ -1153,7 +1153,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \
        for (j = 0; j < sz; j++) \
            dst[j * stride] = av_clip_pixel(dst[j * stride] + \
                                            (bits ? \
-                                             (out[j] + (1 << (bits - 1))) >> bits : \
+                                             (int)(out[j] + (1U << (bits - 1))) >> bits : \
                                             out[j])); \
        dst++; \
    } \
@@ -1260,25 +1260,25 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride,
    t6 = (t2a - t6a + (1 << 13)) >> 14;
    t7 = (t3a - t7a + (1 << 13)) >> 14;

-    t4a = 15137 * t4 +  6270 * t5;
-    t5a =  6270 * t4 - 15137 * t5;
-    t6a = 15137 * t7 -  6270 * t6;
-    t7a =  6270 * t7 + 15137 * t6;
+    t4a = 15137U * t4 +  6270U * t5;
+    t5a =  6270U * t4 - 15137U * t5;
+    t6a = 15137U * t7 -  6270U * t6;
+    t7a =  6270U * t7 + 15137U * t6;

    out[0] =   t0 + t2;
    out[7] = -(t1 + t3);
    t2     =   t0 - t2;
    t3     =   t1 - t3;

-    out[1] = -((t4a + t6a + (1 << 13)) >> 14);
-    out[6] =   (t5a + t7a + (1 << 13)) >> 14;
-    t6     =   (t4a - t6a + (1 << 13)) >> 14;
-    t7     =   (t5a - t7a + (1 << 13)) >> 14;
+    out[1] = -((dctint)((1U << 13) + t4a + t6a) >> 14);
+    out[6] =   (dctint)((1U << 13) + t5a + t7a) >> 14;
+    t6     =   (dctint)((1U << 13) + t4a - t6a) >> 14;
+    t7     =   (dctint)((1U << 13) + t5a - t7a) >> 14;

-    out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14);
-    out[4] =   ((t2 - t3) * 11585 + (1 << 13)) >> 14;
-    out[2] =   ((t6 + t7) * 11585 + (1 << 13)) >> 14;
-    out[5] = -(((t6 - t7) * 11585 + (1 << 13)) >> 14);
+    out[3] = -((dctint)((t2 + t3) * 11585U + (1 << 13)) >> 14);
+    out[4] =   (dctint)((t2 - t3) * 11585U + (1 << 13)) >> 14;
+    out[2] =   (dctint)((t6 + t7) * 11585U + (1 << 13)) >> 14;
+    out[5] = -((dctint)((t6 - t7) * 11585U + (1 << 13)) >> 14);
 }

 itxfm_wrap(8, 5)
@@ -1290,22 +1290,22 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride,
    dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a;
    dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a;

-    t0a  = ((IN(0) + IN(8)) * 11585 + (1 << 13)) >> 14;
-    t1a  = ((IN(0) - IN(8)) * 11585 + (1 << 13)) >> 14;
-    t2a  = (IN(4)  *  6270 - IN(12) * 15137 + (1 << 13)) >> 14;
-    t3a  = (IN(4)  * 15137 + IN(12) *  6270 + (1 << 13)) >> 14;
-    t4a  = (IN(2)  *  3196 - IN(14) * 16069 + (1 << 13)) >> 14;
-    t7a  = (IN(2)  * 16069 + IN(14) *  3196 + (1 << 13)) >> 14;
-    t5a  = (IN(10) * 13623 - IN(6)  *  9102 + (1 << 13)) >> 14;
-    t6a  = (IN(10) *  9102 + IN(6)  * 13623 + (1 << 13)) >> 14;
-    t8a  = (IN(1)  *  1606 - IN(15) * 16305 + (1 << 13)) >> 14;
-    t15a = (IN(1)  * 16305 + IN(15) *  1606 + (1 << 13)) >> 14;
-    t9a  = (IN(9)  * 12665 - IN(7)  * 10394 + (1 << 13)) >> 14;
-    t14a = (IN(9)  * 10394 + IN(7)  * 12665 + (1 << 13)) >> 14;
-    t10a = (IN(5)  *  7723 - IN(11) * 14449 + (1 << 13)) >> 14;
-    t13a = (IN(5)  * 14449 + IN(11) *  7723 + (1 << 13)) >> 14;
-    t11a = (IN(13) * 15679 - IN(3)  *  4756 + (1 << 13)) >> 14;
-    t12a = (IN(13) *  4756 + IN(3)  * 15679 + (1 << 13)) >> 14;
+    t0a  = (dctint)((IN(0) + IN(8)) * 11585U + (1 << 13)) >> 14;
+    t1a  = (dctint)((IN(0) - IN(8)) * 11585U + (1 << 13)) >> 14;
+    t2a  = (dctint)(IN(4)  *  6270U - IN(12) * 15137U + (1 << 13)) >> 14;
+    t3a  = (dctint)(IN(4)  * 15137U + IN(12) *  6270U + (1 << 13)) >> 14;
+    t4a  = (dctint)(IN(2)  *  3196U - IN(14) * 16069U + (1 << 13)) >> 14;
+    t7a  = (dctint)(IN(2)  * 16069U + IN(14) *  3196U + (1 << 13)) >> 14;
+    t5a  = (dctint)(IN(10) * 13623U - IN(6)  *  9102U + (1 << 13)) >> 14;
+    t6a  = (dctint)(IN(10) *  9102U + IN(6)  * 13623U + (1 << 13)) >> 14;
+    t8a  = (dctint)(IN(1)  *  1606U - IN(15) * 16305U + (1 << 13)) >> 14;
+    t15a = (dctint)(IN(1)  * 16305U + IN(15) *  1606U + (1 << 13)) >> 14;
+    t9a  = (dctint)(IN(9)  * 12665U - IN(7)  * 10394U + (1 << 13)) >> 14;
+    t14a = (dctint)(IN(9)  * 10394U + IN(7)  * 12665U + (1 << 13)) >> 14;
+    t10a = (dctint)(IN(5)  *  7723U - IN(11) * 14449U + (1 << 13)) >> 14;
+    t13a = (dctint)(IN(5)  * 14449U + IN(11) *  7723U + (1 << 13)) >> 14;
+    t11a = (dctint)(IN(13) * 15679U - IN(3)  *  4756U + (1 << 13)) >> 14;
+    t12a = (dctint)(IN(13) *  4756U + IN(3)  * 15679U + (1 << 13)) >> 14;

    t0  = t0a  + t3a;
    t1  = t1a  + t2a;
@@ -1324,12 +1324,12 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride,
    t14 = t15a - t14a;
    t15 = t15a + t14a;

-    t5a  = ((t6 - t5) * 11585 + (1 << 13)) >> 14;
-    t6a  = ((t6 + t5) * 11585 + (1 << 13)) >> 14;
-    t9a  = (  t14 *  6270 - t9  * 15137  + (1 << 13)) >> 14;
-    t14a = (  t14 * 15137 + t9  *  6270  + (1 << 13)) >> 14;
-    t10a = (-(t13 * 15137 + t10 *  6270) + (1 << 13)) >> 14;
-    t13a = (  t13 *  6270 - t10 * 15137  + (1 << 13)) >> 14;
+    t5a  = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14;
+    t6a  = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14;
+    t9a  = (dctint)(  t14 *  6270U - t9  * 15137U  + (1 << 13)) >> 14;
+    t14a = (dctint)(  t14 * 15137U + t9  *  6270U  + (1 << 13)) >> 14;
+    t10a = (dctint)(-(t13 * 15137U + t10 *  6270U) + (1 << 13)) >> 14;
+    t13a = (dctint)(  t13 *  6270U - t10 * 15137U  + (1 << 13)) >> 14;

    t0a  = t0   + t7;
    t1a  = t1   + t6a;
@@ -1348,10 +1348,10 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride,
    t14  = t14a + t13a;
    t15a = t15  + t12;

-    t10a = ((t13  - t10)  * 11585 + (1 << 13)) >> 14;
-    t13a = ((t13  + t10)  * 11585 + (1 << 13)) >> 14;
-    t11  = ((t12a - t11a) * 11585 + (1 << 13)) >> 14;
-    t12  = ((t12a + t11a) * 11585 + (1 << 13)) >> 14;
+    t10a = (dctint)((t13  - t10)  * 11585U + (1 << 13)) >> 14;
+    t13a = (dctint)((t13  + t10)  * 11585U + (1 << 13)) >> 14;
+    t11  = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14;
+    t12  = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14;

    out[ 0] = t0a + t15a;
    out[ 1] = t1a + t14;
@@ -184,7 +184,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    unsigned int channel_mask;
    int i, log2_max_num_subframes;

-    if (avctx->block_align <= 0) {
+    if (avctx->block_align <= 0 || avctx->block_align > (1<<21)) {
        av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n");
        return AVERROR(EINVAL);
    }
@@ -758,7 +758,8 @@ static void lms_update ## bits (WmallDecodeCtx *s, int ich, int ilms, int input)
 static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \
                                  int coef_begin, int coef_end) \
 { \
-    int icoef, pred, ilms, num_lms, residue, input; \
+    int icoef, ilms, num_lms, residue, input; \
+    unsigned pred;\
 \
    num_lms = s->cdlms_ttl[ch]; \
    for (ilms = num_lms - 1; ilms >= 0; ilms--) { \
@@ -772,7 +773,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \
                                                        s->cdlms[ch][ilms].recent, \
                                                        FFALIGN(s->cdlms[ch][ilms].order, ROUND), \
                                                        WMASIGN(residue)); \
-            input = residue + (unsigned)(pred >> s->cdlms[ch][ilms].scaling); \
+            input = residue + (unsigned)((int)pred >> s->cdlms[ch][ilms].scaling); \
            lms_update ## bits(s, ch, ilms, input); \
            s->channel_residues[ch][icoef] = input; \
        } \
@@ -931,6 +932,8 @@ static int decode_subframe(WmallDecodeCtx *s)
            s->do_lpc = 0;
    }

+    if (get_bits_left(&s->gb) < 1)
+        return AVERROR_INVALIDDATA;

    if (get_bits1(&s->gb))
        padding_zeroes = get_bits(&s->gb, 5);
@@ -1719,6 +1719,12 @@ static int decode_packet(AVCodecContext *avctx, WMAProDecodeCtx *s,
        }
    } else {
        int frame_size;
+
+        if (avpkt->size < s->next_packet_start) {
+            s->packet_loss = 1;
+            return AVERROR_INVALIDDATA;
+        }
+
        s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3;
        init_get_bits(gb, avpkt->data, s->buf_bit_size);
        skip_bits(gb, s->packet_offset);
@@ -1185,7 +1185,7 @@ cglobal deblock_h_chroma_8, 5, 7, 8, 0-16, pix_, stride_, alpha_, beta_, tc0_
    STORE_8_ROWS PASS8ROWS(pix_q - 2, r5 - 2, stride_q, r6)
 RET

-cglobal deblock_h_chroma422_8, 5, 7, 8, 0-16, pix_, stride_, alpha_, beta_, tc0_,
+cglobal deblock_h_chroma422_8, 5, 7, 8, 0-16, pix_, stride_, alpha_, beta_, tc0_
    CHROMA_H_START_XMM r5, r6
    LOAD_8_ROWS PASS8ROWS(pix_q - 2, r5 - 2, stride_q, r6)
    TRANSPOSE_8x4B_XMM
@@ -79,6 +79,8 @@ static DNNReturnType set_input_output_native(void *model, DNNData *input, const

    av_freep(&oprd->data);
    oprd->length = calculate_operand_data_length(oprd);
+    if (oprd->length <= 0)
+        return DNN_ERROR;
    oprd->data = av_malloc(oprd->length);
    if (!oprd->data)
        return DNN_ERROR;
@@ -126,26 +128,23 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)
    int32_t layer;
    DNNLayerType layer_type;

-    model = av_malloc(sizeof(DNNModel));
-    if (!model){
-        return NULL;
-    }
-
    if (avio_open(&model_file_context, model_filename, AVIO_FLAG_READ) < 0){
-        av_freep(&model);
        return NULL;
    }
    file_size = avio_size(model_file_context);

+    model = av_mallocz(sizeof(DNNModel));
+    if (!model){
+        goto fail;
+    }
+
    /**
     * check file header with string and version
     */
    size = sizeof(header_expected);
    buf = av_malloc(size);
    if (!buf) {
-        avio_closep(&model_file_context);
-        av_freep(&model);
-        return NULL;
+        goto fail;
    }

    // size - 1 to skip the ending '\0' which is not saved in file
@@ -153,18 +152,14 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)
    dnn_size = size - 1;
    if (strncmp(buf, header_expected, size) != 0) {
        av_freep(&buf);
-        avio_closep(&model_file_context);
-        av_freep(&model);
-        return NULL;
+        goto fail;
    }
    av_freep(&buf);

    version = (int32_t)avio_rl32(model_file_context);
    dnn_size += 4;
    if (version != major_version_expected) {
-        avio_closep(&model_file_context);
-        av_freep(&model);
-        return NULL;
+        goto fail;
    }

    // currently no need to check minor version
@@ -174,9 +169,7 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)

    network = av_mallocz(sizeof(ConvolutionalNetwork));
    if (!network){
-        avio_closep(&model_file_context);
-        av_freep(&model);
-        return NULL;
+        goto fail;
    }
    model->model = (void *)network;

@@ -188,16 +181,12 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)

    network->layers = av_mallocz(network->layers_num * sizeof(Layer));
    if (!network->layers){
-        avio_closep(&model_file_context);
-        ff_dnn_free_model_native(&model);
-        return NULL;
+        goto fail;
    }

    network->operands = av_mallocz(network->operands_num * sizeof(DnnOperand));
    if (!network->operands){
-        avio_closep(&model_file_context);
-        ff_dnn_free_model_native(&model);
-        return NULL;
+        goto fail;
    }

    for (layer = 0; layer < network->layers_num; ++layer){
@@ -205,17 +194,13 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)
        dnn_size += 4;

        if (layer_type >= DLT_COUNT) {
-            avio_closep(&model_file_context);
-            ff_dnn_free_model_native(&model);
-            return NULL;
+            goto fail;
        }

        network->layers[layer].type = layer_type;
-        parsed_size = layer_funcs[layer_type].pf_load(&network->layers[layer], model_file_context, file_size);
+        parsed_size = layer_funcs[layer_type].pf_load(&network->layers[layer], model_file_context, file_size, network->operands_num);
        if (!parsed_size) {
-            avio_closep(&model_file_context);
-            ff_dnn_free_model_native(&model);
-            return NULL;
+            goto fail;
        }
        dnn_size += parsed_size;
    }
@@ -226,6 +211,10 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)
        int32_t operand_index = (int32_t)avio_rl32(model_file_context);
        dnn_size += 4;

+        if (operand_index >= network->operands_num) {
+            goto fail;
+        }
+
        oprd = &network->operands[operand_index];
        name_len = (int32_t)avio_rl32(model_file_context);
        dnn_size += 4;
@@ -258,6 +247,11 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)
    model->get_input = &get_input_native;

    return model;
+
+fail:
+    ff_dnn_free_model_native(&model);
+    avio_closep(&model_file_context);
+    return NULL;
 }

 DNNReturnType ff_dnn_execute_model_native(const DNNModel *model, DNNData *outputs, uint32_t nb_output)
@@ -303,7 +297,13 @@ int32_t calculate_operand_dims_count(const DnnOperand *oprd)
 int32_t calculate_operand_data_length(const DnnOperand* oprd)
 {
    // currently, we just support DNN_FLOAT
-    return oprd->dims[0] * oprd->dims[1] * oprd->dims[2] * oprd->dims[3] * sizeof(float);
+    uint64_t len = sizeof(float);
+    for (int i = 0; i < 4; i++) {
+        len *= oprd->dims[i];
+        if (len > INT32_MAX)
+            return 0;
+    }
+    return len;
 }

 void ff_dnn_free_model_native(DNNModel **model)
@@ -314,23 +314,29 @@ void ff_dnn_free_model_native(DNNModel **model)

    if (*model)
    {
-        network = (ConvolutionalNetwork *)(*model)->model;
-        for (layer = 0; layer < network->layers_num; ++layer){
-            if (network->layers[layer].type == DLT_CONV2D){
-                conv_params = (ConvolutionalParams *)network->layers[layer].params;
-                av_freep(&conv_params->kernel);
-                av_freep(&conv_params->biases);
+        if ((*model)->model) {
+            network = (ConvolutionalNetwork *)(*model)->model;
+            if (network->layers) {
+                for (layer = 0; layer < network->layers_num; ++layer){
+                    if (network->layers[layer].type == DLT_CONV2D){
+                        conv_params = (ConvolutionalParams *)network->layers[layer].params;
+                        av_freep(&conv_params->kernel);
+                        av_freep(&conv_params->biases);
+                    }
+                    av_freep(&network->layers[layer].params);
+                }
+                av_freep(&network->layers);
            }
-            av_freep(&network->layers[layer].params);
+
+            if (network->operands) {
+                for (uint32_t operand = 0; operand < network->operands_num; ++operand)
+                    av_freep(&network->operands[operand].data);
+                av_freep(&network->operands);
+            }
+
+            av_freep(&network->output_indexes);
+            av_freep(&network);
        }
-        av_freep(&network->layers);
-
-        for (uint32_t operand = 0; operand < network->operands_num; ++operand)
-            av_freep(&network->operands[operand].data);
-        av_freep(&network->operands);
-
-        av_freep(&network->output_indexes);
-        av_freep(&network);
        av_freep(model);
    }
 }
@@ -120,6 +120,8 @@ DNNReturnType ff_dnn_execute_model_native(const DNNModel *model, DNNData *output

 void ff_dnn_free_model_native(DNNModel **model);

+// NOTE: User must check for error (return value <= 0) to handle
+// case like integer overflow.
 int32_t calculate_operand_data_length(const DnnOperand *oprd);
 int32_t calculate_operand_dims_count(const DnnOperand *oprd);
 #endif
@@ -23,7 +23,7 @@

 #define CLAMP_TO_EDGE(x, w) ((x) < 0 ? 0 : ((x) >= (w) ? (w - 1) : (x)))

-int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size)
+int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num)
 {
    ConvolutionalParams *conv_params;
    int kernel_size;
@@ -80,6 +80,11 @@ int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int fil
    layer->input_operand_indexes[0] = (int32_t)avio_rl32(model_file_context);
    layer->output_operand_index = (int32_t)avio_rl32(model_file_context);
    dnn_size += 8;
+
+    if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) {
+        return 0;
+    }
+
    return dnn_size;
 }

@@ -108,6 +113,8 @@ int dnn_execute_layer_conv2d(DnnOperand *operands, const int32_t *input_operand_
    output_operand->dims[3] = conv_params->output_num;
    output_operand->data_type = operands[input_operand_index].data_type;
    output_operand->length = calculate_operand_data_length(output_operand);
+    if (output_operand->length <= 0)
+        return -1;
    output_operand->data = av_realloc(output_operand->data, output_operand->length);
    if (!output_operand->data)
        return -1;
@@ -36,7 +36,7 @@ typedef struct ConvolutionalParams{
    float *biases;
 } ConvolutionalParams;

-int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size);
+int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num);
 int dnn_execute_layer_conv2d(DnnOperand *operands, const int32_t *input_operand_indexes,
                             int32_t output_operand_index, const void *parameters);
 #endif
@@ -27,7 +27,7 @@
 #include "libavutil/avassert.h"
 #include "dnn_backend_native_layer_depth2space.h"

-int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size)
+int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num)
 {
    DepthToSpaceParams *params;
    int dnn_size = 0;
@@ -42,6 +42,10 @@ int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, in
    dnn_size += 8;
    layer->params = params;

+    if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) {
+        return 0;
+    }
+
    return dnn_size;
 }

@@ -71,6 +75,8 @@ int dnn_execute_layer_depth2space(DnnOperand *operands, const int32_t *input_ope
    output_operand->dims[3] = new_channels;
    output_operand->data_type = operands[input_operand_index].data_type;
    output_operand->length = calculate_operand_data_length(output_operand);
+    if (output_operand->length <= 0)
+        return -1;
    output_operand->data = av_realloc(output_operand->data, output_operand->length);
    if (!output_operand->data)
        return -1;
@@ -34,7 +34,7 @@ typedef struct DepthToSpaceParams{
    int block_size;
 } DepthToSpaceParams;

-int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size);
+int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num);
 int dnn_execute_layer_depth2space(DnnOperand *operands, const int32_t *input_operand_indexes,
                                  int32_t output_operand_index, const void *parameters);

@@ -27,7 +27,7 @@
 #include "libavutil/avassert.h"
 #include "dnn_backend_native_layer_mathbinary.h"

-int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size)
+int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num)
 {
    DnnLayerMathBinaryParams *params;
    int dnn_size = 0;
@@ -45,6 +45,9 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in
        params->v = av_int2float(avio_rl32(model_file_context));
    } else {
        layer->input_operand_indexes[input_index] = (int32_t)avio_rl32(model_file_context);
+        if (layer->input_operand_indexes[input_index] >= operands_num) {
+            return 0;
+        }
        input_index++;
    }
    dnn_size += 4;
@@ -55,6 +58,9 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in
        params->v = av_int2float(avio_rl32(model_file_context));
    } else {
        layer->input_operand_indexes[input_index] = (int32_t)avio_rl32(model_file_context);
+        if (layer->input_operand_indexes[input_index] >= operands_num) {
+            return 0;
+        }
        input_index++;
    }
    dnn_size += 4;
@@ -63,6 +69,10 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in
    dnn_size += 4;
    layer->params = params;

+    if (layer->output_operand_index >= operands_num) {
+        return 0;
+    }
+
    return dnn_size;
 }

@@ -81,6 +91,8 @@ int dnn_execute_layer_math_binary(DnnOperand *operands, const int32_t *input_ope

    output->data_type = input->data_type;
    output->length = calculate_operand_data_length(output);
+    if (output->length <= 0)
+        return DNN_ERROR;
    output->data = av_realloc(output->data, output->length);
    if (!output->data)
        return DNN_ERROR;
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.git
 .3.2