Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE
2021-10-23 23:31:29 +02:00 · 2021-10-23 23:31:08 +02:00 · 2021-10-21 19:21:14 +02:00 · 2021-10-21 19:21:14 +02:00 · 2021-10-21 19:21:14 +02:00 · 2021-10-21 19:21:14 +02:00
135 changed files with 947 additions and 394 deletions
@@ -1,7 +1,196 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

-version <next>:
+version 4.4.1:
+- avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE
+- avcodec/ttadsp: Fix integer overflows in tta_filter_process_c()
+- avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results
+- avcodec/utils: Ensure 8x8 alignment for ARGO in avcodec_align_dimensions2()
+- avformat/matroskadec: Reset state also on failure in matroska_reset_status()
+- avformat/wavdec: Check smv_block_size
+- avformat/rmdec: Check for multiple audio_stream_info
+- avcodec/apedec: Use 64bit to avoid overflow
+- avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830()
+- oavformat/avidec: Check offset in odml
+- avformat/mpegts: use actually read packet size in mpegts_resync special case
+- fftools/ffmpeg: Fix crash when flushing non-fully setup output stream
+- avfilter/scale_npp: fix non-aligned output frame dimensions
+- Revert "avformat/hlsenc: compute video_keyframe_size after write keyframe"
+- Changelog: update
+- swscale/alphablend: Fix slice handling
+- avcodec/apedec: Fix integer overflow in filter_fast_3320()
+- avformat/mov: Fix last mfra check
+- avcodec/mxpegdec: Check for AVDISCARD_ALL
+- avcodec/flicvideo: Check remaining bytes in FLI*COPY
+- avcodec/utils: ARGO writes 4x4 blocks without regard to the image dimensions
+- avcodec/cbs_h265_syntax_template: Limit sps_num_palette_predictor_initializer_minus1 to 127
+- avcodec/snowdec: Maintain avmv buffer
+- avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return
+- avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable
+- avcodec/apedec: Fix integer overflow in intermediate
+- avformat/mvdec: Do not set invalid sample rate
+- avformat/sbgdec: Check for t0 overflow in expand_tseq()
+- avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4
+- avformat/sbgdec: Check opt_duration and start for overflow
+- avcodec/exr: Fix undefined integer multiplication
+- avformat/mov: Check for duplicate clli
+- avformat/utils: Ignore negative duration in codec_info_duration computation
+- avformat/jacosubdec: Check for min in t overflow in get_shift()
+- avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet()
+- (origin/release/4.4) avcodec/wmadec: handle run_level_decode error
+- avcodec/wma: Return specific error code
+- avcodec/dxva2_av1: fix superres_denom parameter
+- avcodec/libdav1d: fix compilation after recent libdav1d API changes
+- Changelog: update
+- avcodec/utils: don't return negative values in av_get_audio_frame_duration()
+- avcodec/jpeg2000dec: Check that atom header is within bytsetream
+- avcodec/apedec: Fix 2 integer overflows in filter_3800()
+- avcodec/xpmdec: Move allocations down after more error checks
+- avcodec/argo: Move U, fix shift
+- avformat/mov: Check dts for overflow in mov_read_trun()
+- avformat/avidec: Use 64bit for frame number in odml index parsing
+- avcodec/mjpegbdec: Skip SOS on AVDISCARD_ALL as does mjpeg
+- avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac()
+- avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata
+- avcodec/webp: Check available space in loop in decode_entropy_coded_image()
+- avcodec/h264dec: use picture parameters in ff_print_debug_info2()
+- avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode
+- avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init
+- avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line()
+- avcodec/vc1dec: Disable error concealment for *IMAGE
+- avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c()
+- avcodec/argo: Check for even dimensions
+- avformat/wtvdec: Check for EOF before seeking back in parse_media_type()
+- avformat/mpc8: Check first keyframe position for overflow
+- avcodec/exr: Check ac_count
+- avformat/wavdec: Use 64bit in new_pos computation
+- avformat/sbgdec: Check for overflow in timestamp preparation
+- avformat/dsicin: Check packet size for overflow
+- avformat/dsfdec: Change order of operations in bitrate computation
+- avformat/bfi: check nframes
+- avformat/avidec: fix position overflow in avi_load_index()
+- avformat/asfdec_f: Check sizeX against padding
+- avformat/aiffdec: Check for size overflow in header parsing
+- avcodec/aaccoder: Add minimal bias in search_for_ms()
+- avformat/mov: Fix incorrect overflow detection in mov_read_sidx()
+- avformat/mov: Avoid undefined overflow in time_offset calculation
+- avfilter/af_drmeter: Check that there is data
+- avfilter/vf_fftdnoiz: Use lrintf() in export_row8()
+- avfilter/vf_mestimate: Check b_count
+- avformat/mov: do not ignore errors in mov_metadata_hmmt()
+- avformat/mxfdec: Check size for shrinking
+- avcodec/dnxhddec: check and propagate function return value
+- swscale/slice: Fix wrong return on error
+- avcodec/aacdec_template: Avoid some invalid values to be set by decode_audio_specific_config_gb()
+- swscale/slice: Check slice for allocation failure
+- avformat/matroskadec: Fix handling of huge default durations
+- avcodec/lpc: check for zero err in normalization in compute_lpc_coefs()
+- avcodec/j2kenc: Check for av_strtok() failure
+- avformat/ftp: Check for av_strtok() failure
+- tools/cws2fws: Check read() for failure
+- avcodec/cpia: Fix missing src_size update
+- avcodec/exr: Better size checks
+- avcodec/clearvideo: Check tile_size to be not too large
+- avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation
+- avformat/aaxdec: Check avio_seek() in header reading
+- avcodec/hevc_sei: Use get_bits_long() for time_offset_value
+- avformat/rmdec: Check old_format len for overflow
+- avformat/realtextdec: Check the pts difference before using it for the duration computation
+- avformat/qcp: Avoid negative nb_rates
+- avformat/pp_bnk: Use 64bit in bitrate computation
+- avformat/nutdec: Check tmp_size
+- avformat/msf: Check that channels doesnt overflow during extradata construction
+- avformat/subtitles: Check pts difference before use
+- avformat/mpc8: Check for position overflow in mpc8_handle_chunk()
+- avformat/mccdec: Fix overflows in num/den
+- avformat/iff: Use 64bit in duration computation
+- avformat/dxa: Check fps to be within the supported range more precissely
+- avcodec/iff: Only write palette to plane 1 if its PAL8
+- avformat/tta: Check for EOF in index reading loop
+- avfilter/vf_scale: set the RGB matrix coefficients in case of RGB
+- avfilter/vf_scale: reset color matrix in case of identity & non-RGB
+- ffmpeg: fix order between field order autodetection and override
+- avcodec/h264_slice: clear old slice POC values on parsing failure
+- avfilter/f_metadata: do not return the frame early if there is no metadata
+- ffbuild: Avoid using the --preprocessor argument to windres
+- avcodec/crystalhd: signal that the decoder sets all output frame properties
+- avcodec/cuviddec: signal that the decoder sets all output frame properties
+- avcodec/decode: reindent after the previous commit
+- avcodec/decode: add an internal codec flag to signal a decoder sets all output frame properties
+- avcodec/decode: fetch packets from the pkt_props FIFO on every frame returned
+- Update missed irc links
+- avformat/rpl: The associative law doesnt hold for signed integers in C
+- avcodec/faxcompr: Check available bits in decode_uncompressed()
+- avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10
+- avformat/utils: Avoid overflow in codec_info_duration computation for subtitles
+- avformat/utils: check dts/duration to be representable before using them
+- avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit
+- avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1
+- avformat/mov: Check for duplicate mdcv
+- avfilter/vf_dctdnoiz: Check threads
+- avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black
+- avcodec/dpx: fix off by 1 in bits_per_color check
+- avformat/rpl: Check for EOF and zero framesize
+- avcodec/vc2enc: Check for non negative slice bounds
+- avformat/rpl: Use 64bit in bitrate computation and check it
+- avcodec/mpegvideo_enc: Reset stuffing bits if they are not supported
+- avcodec/svq1enc: Do not print debug RD value before it has been computed
+- avcodec/aacpsy: Check bandwidth
+- avcodec/aacenc: Do not divide by lambda_count if it is 0
+- avcodec/aacenc: Use FLT_EPSILON for lambda minimum
+- avfilter/vf_yadif: Fix handing of tiny images
+- avfilter/vf_vmafmotion: Check dimensions
+- avformat/movenc: Check pal_size before use
+- avcodec/lpc: Avoid floating point division by 0
+- avcodec/aacpsy: Avoid floating point division by 0 of norm_fac
+- avcodec/aacenc: Avoid 0 lambda
+- avcodec/exr: More strictly check dc_count
+- avcodec/exr: x/ymax cannot be INT_MAX
+- avformat/avio: Check av_opt_copy() for failure
+- avformat/moflex: Remove unneeded format variable
+- avformat/fifo: check for flushed packets and timeshift
+- avcodec/clearvideo: Check for 0 tile_shift
+- avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header()
+- avformat/mov: Ignore duplicate CoLL
+- avformat/mov: Limit nb_chapter_tracks to input size
+- avformat/utils: Use 64bit earlier in r_frame_rate check
+- avcodec/alsdec: Fix decoding error with mono audio files
+- avformat/mvdec: Check sample rate in parse_audio_var()
+- avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line()
+- avcodec/utils: treat PAL8 for jpegs similar to other colorspaces
+- avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent
+- avformat/asfdec_o: Use ff_get_extradata()
+- avformat/id3v2: Check end for overflow in id3v2_parse()
+- avformat/mxfdec: Fix file position addition
+- avformat/wtvdec: Improve size overflow checks in parse_chunks()
+- avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line()
+- avformat/mov: check for pts overflow in mov_read_sidx()
+- avcodec/utils: Check ima wav duration for overflow
+- avcodec/rv10: Execute whole size check earlier for rv20
+- avformat/cafdec: Check channels
+- avcodec/exr: increase vlc depth
+- avcodec/dpx: Check bits_per_color earlier
+- avformat/mvi: Check audio_data_size to be non negative
+- avcodec/nvenc: disable s12m timestamps by default
+- aarch64: hevc_idct: Fix overflows in idct_dc
+- avcodec/vaapi_av1: pass full buffer size for each tile
+- avcodec/videotoolboxenc: #define TARGET_CPU_ARM64 to 0 if not provided by the SDK
+- lavc/pngdec: fix updating reference frames for APNG_DISPOSE_OP_BACKGROUND
+- ffmpeg: return no chosen output if an uninitialized stream is unavailable
+- avcodec/h263, h263data: Move ff_h263_init_rl_inter to h263.c
+- configure: Add missing mpegvideo dependency for IPU decoder
+- avcodec/ttmlenc: Don't confuse capabilities and caps_internal
+- avformat/mpegts: add missing sample_rate value to Opus extradata
+- avformat/movenc: fix writing dOps atoms
+- avcodec/av1_metadata: don't store the inserted TD OBU in stack
+- avcodec/nellymoserenc: Fix segfault when using unsupported channels/rate
+- avutil/cpu: Use HW_NCPUONLINE to detect # of online CPUs with OpenBSD
+- avcodec/nvenc: fix lossless tuning logic
+- avfilter/overlay_cuda: check av_buffer_ref result
+- avfilter/overlay_cuda: hold explicit reference to hw_device_ctx
+- avformat/matroskaenc: Fix leak when writing attachment without filename
+
+version 4.4:
 - AudioToolbox output device
 - MacCaption demuxer
 - PGX decoder
@@ -1 +1 @@
-4.4
+4.4.1
@@ -11,5 +11,5 @@

   We hope you will like this release as much as we enjoyed working on it, and
   as usual, if you have any questions about it, or any FFmpeg related topic,
-   feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask
+   feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask
   on the mailing-lists.
@@ -536,7 +536,7 @@ die(){

 If you think configure made a mistake, make sure you are using the latest
 version from Git.  If the latest version fails, report the problem to the
-ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net.
+ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat.
 EOF
    if disabled logging; then
        cat <<EOF
@@ -2761,6 +2761,7 @@ indeo3_decoder_select="hpeldsp"
 indeo4_decoder_select="ividsp"
 indeo5_decoder_select="ividsp"
 interplay_video_decoder_select="hpeldsp"
+ipu_decoder_select="mpegvideo"
 jpegls_decoder_select="mjpeg_decoder"
 jv_decoder_select="blockdsp"
 lagarith_decoder_select="llviddsp"
@@ -7501,7 +7502,6 @@ LD_LIB=$LD_LIB
 LD_PATH=$LD_PATH
 DLLTOOL=$dlltool
 WINDRES=$windres
-DEPWINDRES=$dep_cc
 DOXYGEN=$doxygen
 LDFLAGS=$LDFLAGS
 LDEXEFLAGS=$LDEXEFLAGS
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 4.4
+PROJECT_NUMBER         = 4.4.1

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -418,4 +418,4 @@ done:

 When all of this is done, you can submit your patch to the ffmpeg-devel
 mailing-list for review.  If you need any help, feel free to come on our IRC
-channel, #ffmpeg-devel on irc.freenode.net.
+channel, #ffmpeg-devel on irc.libera.chat.
@@ -90,7 +90,7 @@ COMPILE_MSA = $(call COMPILE,CC,MSAFLAGS)
 	-$(if $(ASMSTRIPFLAGS), $(STRIP) $(ASMSTRIPFLAGS) $@)

 %.o: %.rc
-	$(WINDRES) $(IFLAGS) --preprocessor "$(DEPWINDRES) -E -xc-header -DRC_INVOKED $(CC_DEPFLAGS)" -o $@ $<
+	$(WINDRES) $(IFLAGS) $(foreach ARG,$(CC_DEPFLAGS),--preprocessor-arg "$(ARG)") -o $@ $<

 %.i: %.c
 	$(CC) $(CCFLAGS) $(CC_E) $<
@@ -1974,6 +1974,9 @@ static void flush_encoders(void)
            AVPacket *pkt = ost->pkt;
            int pkt_size;

+            if (!pkt)
+                break;
+
            switch (enc->codec_type) {
            case AVMEDIA_TYPE_AUDIO:
                desc   = "audio";
@@ -3463,12 +3466,7 @@ static int init_output_stream_encode(OutputStream *ost, AVFrame *frame)
            enc_ctx->bits_per_raw_sample = frame_bits_per_raw_sample;
        }

-        if (ost->top_field_first == 0) {
-            enc_ctx->field_order = AV_FIELD_BB;
-        } else if (ost->top_field_first == 1) {
-            enc_ctx->field_order = AV_FIELD_TT;
-        }
-
+        // Field order: autodetection
        if (frame) {
            if (enc_ctx->flags & (AV_CODEC_FLAG_INTERLACED_DCT | AV_CODEC_FLAG_INTERLACED_ME) &&
                ost->top_field_first >= 0)
@@ -3483,6 +3481,13 @@ static int init_output_stream_encode(OutputStream *ost, AVFrame *frame)
                enc_ctx->field_order = AV_FIELD_PROGRESSIVE;
        }

+        // Field order: override
+        if (ost->top_field_first == 0) {
+            enc_ctx->field_order = AV_FIELD_BB;
+        } else if (ost->top_field_first == 1) {
+            enc_ctx->field_order = AV_FIELD_TT;
+        }
+
        if (ost->forced_keyframes) {
            if (!strncmp(ost->forced_keyframes, "expr:", 5)) {
                ret = av_expr_parse(&ost->forced_keyframes_pexpr, ost->forced_keyframes+5,
@@ -3950,7 +3955,7 @@ static OutputStream *choose_output(void)
                ost->st->index, ost->st->id, ost->initialized, ost->inputs_done, ost->finished);

        if (!ost->initialized && !ost->inputs_done)
-            return ost;
+            return ost->unavailable ? NULL : ost;

        if (!ost->finished && opts < opts_min) {
            opts_min = opts;
@@ -843,25 +843,25 @@ static void search_for_ms(AACEncContext *s, ChannelElement *cpe)
                                                    sce0->ics.swb_sizes[g],
                                                    sce0->sf_idx[w*16+g],
                                                    sce0->band_type[w*16+g],
-                                                    lambda / band0->threshold, INFINITY, &b1, NULL, 0);
+                                                    lambda / (band0->threshold + FLT_MIN), INFINITY, &b1, NULL, 0);
                        dist1 += quantize_band_cost(s, &sce1->coeffs[start + (w+w2)*128],
                                                    R34,
                                                    sce1->ics.swb_sizes[g],
                                                    sce1->sf_idx[w*16+g],
                                                    sce1->band_type[w*16+g],
-                                                    lambda / band1->threshold, INFINITY, &b2, NULL, 0);
+                                                    lambda / (band1->threshold + FLT_MIN), INFINITY, &b2, NULL, 0);
                        dist2 += quantize_band_cost(s, M,
                                                    M34,
                                                    sce0->ics.swb_sizes[g],
                                                    mididx,
                                                    midcb,
-                                                    lambda / minthr, INFINITY, &b3, NULL, 0);
+                                                    lambda / (minthr + FLT_MIN), INFINITY, &b3, NULL, 0);
                        dist2 += quantize_band_cost(s, S,
                                                    S34,
                                                    sce1->ics.swb_sizes[g],
                                                    sididx,
                                                    sidcb,
-                                                    mslambda / (minthr * bmax), INFINITY, &b4, NULL, 0);
+                                                    mslambda / (minthr * bmax + FLT_MIN), INFINITY, &b4, NULL, 0);
                        B0 += b1+b2;
                        B1 += b3+b4;
                        dist1 -= b1+b2;
@@ -1076,14 +1076,18 @@ static int decode_audio_specific_config_gb(AACContext *ac,
 {
    int i, ret;
    GetBitContext gbc = *gb;
+    MPEG4AudioConfig m4ac_bak = *m4ac;

-    if ((i = ff_mpeg4audio_get_config_gb(m4ac, &gbc, sync_extension, avctx)) < 0)
+    if ((i = ff_mpeg4audio_get_config_gb(m4ac, &gbc, sync_extension, avctx)) < 0) {
+        *m4ac = m4ac_bak;
        return AVERROR_INVALIDDATA;
+    }

    if (m4ac->sampling_index > 12) {
        av_log(avctx, AV_LOG_ERROR,
               "invalid sampling rate index %d\n",
               m4ac->sampling_index);
+        *m4ac = m4ac_bak;
        return AVERROR_INVALIDDATA;
    }
    if (m4ac->object_type == AOT_ER_AAC_LD &&
@@ -1091,6 +1095,7 @@ static int decode_audio_specific_config_gb(AACContext *ac,
        av_log(avctx, AV_LOG_ERROR,
               "invalid low delay sampling rate index %d\n",
               m4ac->sampling_index);
+        *m4ac = m4ac_bak;
        return AVERROR_INVALIDDATA;
    }

@@ -28,6 +28,7 @@
 *              TODOs:
 * add sane pulse detection
 ***********************************/
+#include <float.h>

 #include "libavutil/libm.h"
 #include "libavutil/float_dsp.h"
@@ -852,7 +853,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
                /* Not so fast though */
                ratio = sqrtf(ratio);
            }
-            s->lambda = FFMIN(s->lambda * ratio, 65536.f);
+            s->lambda = av_clipf(s->lambda * ratio, FLT_EPSILON, 65536.f);

            /* Keep iterating if we must reduce and lambda is in the sky */
            if (ratio > 0.9f && ratio < 1.1f) {
@@ -897,7 +898,7 @@ static av_cold int aac_encode_end(AVCodecContext *avctx)
 {
    AACEncContext *s = avctx->priv_data;

-    av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_sum / s->lambda_count);
+    av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_count ? s->lambda_sum / s->lambda_count : NAN);

    ff_mdct_end(&s->mdct1024);
    ff_mdct_end(&s->mdct128);
@@ -308,6 +308,9 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) {
    const int bandwidth    = ctx->cutoff ? ctx->cutoff : AAC_CUTOFF(ctx->avctx);
    const float num_bark   = calc_bark((float)bandwidth);

+    if (bandwidth <= 0)
+        return AVERROR(EINVAL);
+
    ctx->model_priv_data = av_mallocz(sizeof(AacPsyContext));
    if (!ctx->model_priv_data)
        return AVERROR(ENOMEM);
@@ -794,7 +797,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel,

        if (pe < 1.15f * desired_pe) {
            /* 6.6.1.3.6 "Final threshold modification by linearization" */
-            norm_fac = 1.0f / norm_fac;
+            norm_fac = norm_fac ? 1.0f / norm_fac : 0;
            for (w = 0; w < wi->num_windows*16; w += 16) {
                for (g = 0; g < num_bands; g++) {
                    AacPsyBand *band = &pch->band[w+g];
@@ -573,14 +573,13 @@ idct_16x16 10
 // void ff_hevc_idct_NxN_dc_DEPTH_neon(int16_t *coeffs)
 .macro idct_dc size, bitdepth
 function ff_hevc_idct_\size\()x\size\()_dc_\bitdepth\()_neon, export=1
-        movi          v1.8h,  #((1 << (14 - \bitdepth))+1)
        ld1r         {v4.8h}, [x0]
-        add           v4.8h,  v4.8h,  v1.8h
-        sshr          v0.8h,  v4.8h,  #(15 - \bitdepth)
-        sshr          v1.8h,  v4.8h,  #(15 - \bitdepth)
+        srshr         v4.8h,  v4.8h,  #1
+        srshr         v0.8h,  v4.8h,  #(14 - \bitdepth)
+        srshr         v1.8h,  v4.8h,  #(14 - \bitdepth)
 .if \size > 4
-        sshr          v2.8h,  v4.8h,  #(15 - \bitdepth)
-        sshr          v3.8h,  v4.8h,  #(15 - \bitdepth)
+        srshr         v2.8h,  v4.8h,  #(14 - \bitdepth)
+        srshr         v3.8h,  v4.8h,  #(14 - \bitdepth)
 .if \size > 16 /* dc 32x32 */
        mov              x2,  #4
 1:
@@ -1632,7 +1632,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
    AVCodecContext *avctx    = ctx->avctx;
    GetBitContext *gb = &ctx->gb;
    unsigned int div_blocks[32];                ///< block sizes.
-    unsigned int c;
+    int c;
    unsigned int js_blocks[2];
    uint32_t bs_info = 0;
    int ret;
@@ -1810,14 +1810,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
    else
        ctx->cur_frame_length = sconf->frame_length;

-    ctx->highest_decoded_channel = 0;
+    ctx->highest_decoded_channel = -1;
    // decode the frame data
    if ((invalid_frame = read_frame_data(ctx, ra_frame)) < 0)
        av_log(ctx->avctx, AV_LOG_WARNING,
               "Reading frame data failed. Skipping RA unit.\n");

-    if (ctx->highest_decoded_channel == 0)
+    if (ctx->highest_decoded_channel == -1) {
+        av_log(ctx->avctx, AV_LOG_WARNING,
+               "No channel data decoded.\n");
        return AVERROR_INVALIDDATA;
+    }

    ctx->frame_id++;

@@ -879,7 +879,7 @@ static av_always_inline int filter_fast_3320(APEPredictor *p,
    }

    predictionA = p->buf[delayA] * 2U - p->buf[delayA - 1];
-    p->lastA[filter] = decoded + ((int32_t)(predictionA  * p->coeffsA[filter][0]) >> 9);
+    p->lastA[filter] = decoded + (unsigned)((int32_t)(predictionA  * p->coeffsA[filter][0]) >> 9);

    if ((decoded ^ predictionA) > 0)
        p->coeffsA[filter][0]++;
@@ -909,8 +909,8 @@ static av_always_inline int filter_3800(APEPredictor *p,
        return predictionA;
    }
    d2 =  p->buf[delayA];
-    d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U;
-    d0 =  p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U);
+    d1 = (p->buf[delayA] - (unsigned)p->buf[delayA - 1]) * 2;
+    d0 =  p->buf[delayA] + ((p->buf[delayA - 2] - (unsigned)p->buf[delayA - 1]) * 8);
    d3 =  p->buf[delayB] * 2U - p->buf[delayB - 1];
    d4 =  p->buf[delayB];

@@ -979,7 +979,7 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length)
        for (j = 7; j > 0; j--)
            delay[j] = delay[j - 1];
        delay[0] = buffer[i];
-        buffer[i] -= dotprod >> 9;
+        buffer[i] -= (unsigned)(dotprod >> 9);
    }
 }

@@ -1337,7 +1337,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f,
            absres = FFABSU(res);
            if (absres)
                *f->adaptcoeffs = APESIGN(res) *
-                                  (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3)));
+                                  (8 << ((absres > f->avg * 3LL) + (absres > (f->avg + f->avg / 3))));
                /* equivalent to the following code
                    if (absres <= f->avg * 4 / 3)
                        *f->adaptcoeffs = APESIGN(res) * 8;
@@ -59,7 +59,7 @@ static int decode_pal8(AVCodecContext *avctx, uint32_t *pal)
        return AVERROR_INVALIDDATA;

    for (int i = 0; i < count; i++)
-        pal[start + i] = (0xFF << 24U) | bytestream2_get_be24u(gb);
+        pal[start + i] = (0xFFU << 24) | bytestream2_get_be24u(gb);

    return 0;
 }
@@ -685,6 +685,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
             return AVERROR_PATCHWELCOME;
    }

+    if (avctx->width % 2 || avctx->height % 2) {
+        avpriv_request_sample(s, "Odd dimensions\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
    s->frame = av_frame_alloc();
    if (!s->frame)
        return AVERROR(ENOMEM);
@@ -28,6 +28,7 @@ typedef struct AV1MetadataContext {
    CBSBSFContext common;

    int td;
+    AV1RawOBU td_obu;

    int color_primaries;
    int transfer_characteristics;
@@ -107,12 +108,11 @@ static int av1_metadata_update_fragment(AVBSFContext *bsf, AVPacket *pkt,
                                        CodedBitstreamFragment *frag)
 {
    AV1MetadataContext *ctx = bsf->priv_data;
-    AV1RawOBU td, *obu;
    int err, i;

    for (i = 0; i < frag->nb_units; i++) {
        if (frag->units[i].type == AV1_OBU_SEQUENCE_HEADER) {
-            obu = frag->units[i].content;
+            AV1RawOBU *obu = frag->units[i].content;
            err = av1_metadata_update_sequence_header(bsf, &obu->obu.sequence_header);
            if (err < 0)
                return err;
@@ -124,12 +124,8 @@ static int av1_metadata_update_fragment(AVBSFContext *bsf, AVPacket *pkt,
        if (ctx->td == BSF_ELEMENT_REMOVE)
            ff_cbs_delete_unit(frag, 0);
    } else if (pkt && ctx->td == BSF_ELEMENT_INSERT) {
-        td = (AV1RawOBU) {
-            .header.obu_type = AV1_OBU_TEMPORAL_DELIMITER,
-        };
-
        err = ff_cbs_insert_unit_content(frag, 0, AV1_OBU_TEMPORAL_DELIMITER,
-                                         &td, NULL);
+                                         &ctx->td_obu, NULL);
        if (err < 0) {
            av_log(bsf, AV_LOG_ERROR, "Failed to insert Temporal Delimiter.\n");
            return err;
@@ -155,6 +151,12 @@ static const CBSBSFType av1_metadata_type = {

 static int av1_metadata_init(AVBSFContext *bsf)
 {
+    AV1MetadataContext *ctx = bsf->priv_data;
+
+    ctx->td_obu = (AV1RawOBU) {
+        .header.obu_type = AV1_OBU_TEMPORAL_DELIMITER,
+    };
+
    return ff_cbs_bsf_generic_init(bsf, &av1_metadata_type);
 }

@@ -728,7 +728,7 @@ static int FUNC(sps_scc_extension)(CodedBitstreamContext *ctx, RWContext *rw,

        flag(sps_palette_predictor_initializer_present_flag);
        if (current->sps_palette_predictor_initializer_present_flag) {
-            ue(sps_num_palette_predictor_initializer_minus1, 0, 128);
+            ue(sps_num_palette_predictor_initializer_minus1, 0, 127);
            for (comp = 0; comp < (current->chroma_format_idc ? 3 : 1); comp++) {
                int bit_depth = comp == 0 ? current->bit_depth_luma_minus8 + 8
                                          : current->bit_depth_chroma_minus8 + 8;
@@ -722,8 +722,8 @@ static av_cold int clv_decode_init(AVCodecContext *avctx)
    }

    c->tile_shift = av_log2(c->tile_size);
-    if (1U << c->tile_shift != c->tile_size) {
-        av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size);
+    if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1 || c->tile_shift > 30) {
+        av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1 and < 2^31\n", c->tile_size);
        return AVERROR_INVALIDDATA;
    }

@@ -111,6 +111,7 @@ static int cpia_decode_frame(AVCodecContext *avctx,
        // Read line length, two byte little endian
        linelength = AV_RL16(src);
        src += 2;
+        src_size -= 2;

        if (src_size < linelength) {
            frame->decode_error_flags = FF_DECODE_ERROR_INVALID_BITSTREAM;
@@ -785,6 +785,7 @@ static int crystalhd_receive_frame(AVCodecContext *avctx, AVFrame *frame)
        .flush          = flush, \
        .bsfs           = bsf_name, \
        .capabilities   = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_AVOID_PROBING | AV_CODEC_CAP_HARDWARE, \
+        .caps_internal  = FF_CODEC_CAP_SETS_FRAME_PROPS, \
        .pix_fmts       = (const enum AVPixelFormat[]){AV_PIX_FMT_YUYV422, AV_PIX_FMT_NONE}, \
        .wrapper_name   = "crystalhd", \
    };
@@ -1150,6 +1150,7 @@ static const AVCodecHWConfigInternal *const cuvid_hw_configs[] = {
        .flush          = cuvid_flush, \
        .bsfs           = bsf_name, \
        .capabilities   = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_AVOID_PROBING | AV_CODEC_CAP_HARDWARE, \
+        .caps_internal  = FF_CODEC_CAP_SETS_FRAME_PROPS, \
        .pix_fmts       = (const enum AVPixelFormat[]){ AV_PIX_FMT_CUDA, \
                                                        AV_PIX_FMT_NV12, \
                                                        AV_PIX_FMT_P010, \
@@ -233,9 +233,11 @@ int ff_decode_get_packet(AVCodecContext *avctx, AVPacket *pkt)
    if (ret < 0)
        return ret;

-    ret = extract_packet_props(avctx->internal, pkt);
-    if (ret < 0)
-        goto finish;
+    if (!(avctx->codec->caps_internal & FF_CODEC_CAP_SETS_FRAME_PROPS)) {
+        ret = extract_packet_props(avctx->internal, pkt);
+        if (ret < 0)
+            goto finish;
+    }

    ret = apply_param_change(avctx, pkt);
    if (ret < 0)
@@ -502,11 +504,13 @@ FF_ENABLE_DEPRECATION_WARNINGS

        pkt->data                += consumed;
        pkt->size                -= consumed;
-        avci->last_pkt_props->size -= consumed; // See extract_packet_props() comment.
        pkt->pts                  = AV_NOPTS_VALUE;
        pkt->dts                  = AV_NOPTS_VALUE;
-        avci->last_pkt_props->pts = AV_NOPTS_VALUE;
-        avci->last_pkt_props->dts = AV_NOPTS_VALUE;
+        if (!(avctx->codec->caps_internal & FF_CODEC_CAP_SETS_FRAME_PROPS)) {
+            avci->last_pkt_props->size -= consumed; // See extract_packet_props() comment.
+            avci->last_pkt_props->pts = AV_NOPTS_VALUE;
+            avci->last_pkt_props->dts = AV_NOPTS_VALUE;
+        }
    }

    if (got_frame)
@@ -548,6 +552,11 @@ static int decode_receive_frame_internal(AVCodecContext *avctx, AVFrame *frame)
    if (ret == AVERROR_EOF)
        avci->draining_done = 1;

+    if (!(avctx->codec->caps_internal & FF_CODEC_CAP_SETS_FRAME_PROPS) &&
+        IS_EMPTY(avci->last_pkt_props) && av_fifo_size(avci->pkt_props) >= sizeof(*avci->last_pkt_props))
+        av_fifo_generic_read(avci->pkt_props,
+                             avci->last_pkt_props, sizeof(*avci->last_pkt_props), NULL);
+
    if (!ret) {
        frame->best_effort_timestamp = guess_correct_pts(avctx,
                                                         frame->pts,
@@ -1738,39 +1747,37 @@ int ff_decode_frame_props(AVCodecContext *avctx, AVFrame *frame)
        { AV_PKT_DATA_S12M_TIMECODE,              AV_FRAME_DATA_S12M_TIMECODE },
    };

-    if (IS_EMPTY(pkt) && av_fifo_size(avctx->internal->pkt_props) >= sizeof(*pkt))
-        av_fifo_generic_read(avctx->internal->pkt_props,
-                             pkt, sizeof(*pkt), NULL);
-
-    frame->pts = pkt->pts;
+    if (!(avctx->codec->caps_internal & FF_CODEC_CAP_SETS_FRAME_PROPS)) {
+        frame->pts = pkt->pts;
 #if FF_API_PKT_PTS
 FF_DISABLE_DEPRECATION_WARNINGS
-    frame->pkt_pts = pkt->pts;
+        frame->pkt_pts = pkt->pts;
 FF_ENABLE_DEPRECATION_WARNINGS
 #endif
-    frame->pkt_pos      = pkt->pos;
-    frame->pkt_duration = pkt->duration;
-    frame->pkt_size     = pkt->size;
+        frame->pkt_pos      = pkt->pos;
+        frame->pkt_duration = pkt->duration;
+        frame->pkt_size     = pkt->size;

-    for (int i = 0; i < FF_ARRAY_ELEMS(sd); i++) {
-        buffer_size_t size;
-        uint8_t *packet_sd = av_packet_get_side_data(pkt, sd[i].packet, &size);
-        if (packet_sd) {
-            AVFrameSideData *frame_sd = av_frame_new_side_data(frame,
-                                                               sd[i].frame,
-                                                               size);
-            if (!frame_sd)
-                return AVERROR(ENOMEM);
+        for (int i = 0; i < FF_ARRAY_ELEMS(sd); i++) {
+            buffer_size_t size;
+            uint8_t *packet_sd = av_packet_get_side_data(pkt, sd[i].packet, &size);
+            if (packet_sd) {
+                AVFrameSideData *frame_sd = av_frame_new_side_data(frame,
+                                                                   sd[i].frame,
+                                                                   size);
+                if (!frame_sd)
+                    return AVERROR(ENOMEM);

-            memcpy(frame_sd->data, packet_sd, size);
+                memcpy(frame_sd->data, packet_sd, size);
+            }
        }
-    }
-    add_metadata_from_side_data(pkt, frame);
+        add_metadata_from_side_data(pkt, frame);

-    if (pkt->flags & AV_PKT_FLAG_DISCARD) {
-        frame->flags |= AV_FRAME_FLAG_DISCARD;
-    } else {
-        frame->flags = (frame->flags & ~AV_FRAME_FLAG_DISCARD);
+        if (pkt->flags & AV_PKT_FLAG_DISCARD) {
+            frame->flags |= AV_FRAME_FLAG_DISCARD;
+        } else {
+            frame->flags = (frame->flags & ~AV_FRAME_FLAG_DISCARD);
+        }
    }
    frame->reordered_opaque = avctx->reordered_opaque;

@@ -112,6 +112,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx)

 static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth)
 {
+    int ret;
    if (cid != ctx->cid) {
        const CIDEntry *cid_table = ff_dnxhd_get_cid_table(cid);

@@ -132,19 +133,26 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth)
        ff_free_vlc(&ctx->dc_vlc);
        ff_free_vlc(&ctx->run_vlc);

-        init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
+        if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
                 ctx->cid_table->ac_bits, 1, 1,
-                 ctx->cid_table->ac_codes, 2, 2, 0);
-        init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
+                 ctx->cid_table->ac_codes, 2, 2, 0)) < 0)
+            goto out;
+        if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
                 ctx->cid_table->dc_bits, 1, 1,
-                 ctx->cid_table->dc_codes, 1, 1, 0);
-        init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
+                 ctx->cid_table->dc_codes, 1, 1, 0)) < 0)
+            goto out;
+        if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
                 ctx->cid_table->run_bits, 1, 1,
-                 ctx->cid_table->run_codes, 2, 2, 0);
+                 ctx->cid_table->run_codes, 2, 2, 0)) < 0)
+            goto out;

        ctx->cid = cid;
    }
-    return 0;
+    ret = 0;
+out:
+    if (ret < 0)
+        av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n");
+    return ret;
 }

 static int dnxhd_get_profile(int cid)
@@ -242,6 +242,9 @@ static int decode_frame(AVCodecContext *avctx,
        return AVERROR_PATCHWELCOME;
    }

+    if (bits_per_color > 31)
+        return AVERROR_INVALIDDATA;
+
    buf += 820;
    avctx->sample_aspect_ratio.num = read32(&buf, endian);
    avctx->sample_aspect_ratio.den = read32(&buf, endian);
@@ -316,7 +319,7 @@ static int decode_frame(AVCodecContext *avctx,
            minCV = av_int2float(i);
            maxCV = av_int2float(j);
            if (bits_per_color >= 1 &&
-                minCV == 0.0f && maxCV == ((1<<bits_per_color) - 1)) {
+                minCV == 0.0f && maxCV == ((1U<<bits_per_color) - 1)) {
                avctx->color_range = AVCOL_RANGE_JPEG;
            } else if (bits_per_color >= 8 &&
                       minCV == (1  <<(bits_per_color - 4)) &&
@@ -73,7 +73,7 @@ static int fill_picture_parameters(const AVCodecContext *avctx, AVDXVAContext *c
    pp->max_height = seq->max_frame_height_minus_1 + 1;

    pp->CurrPicTextureIndex = ff_dxva2_get_surface_index(avctx, ctx, h->cur_frame.tf.f);
-    pp->superres_denom      = frame_header->use_superres ? frame_header->coded_denom : AV1_SUPERRES_NUM;
+    pp->superres_denom      = frame_header->use_superres ? frame_header->coded_denom + AV1_SUPERRES_DENOM_MIN : AV1_SUPERRES_NUM;
    pp->bitdepth            = get_bit_depth_from_seq(seq);
    pp->seq_profile         = seq->seq_profile;

@@ -418,7 +418,7 @@ static int huf_decode(VLC *vlc, GetByteContext *gb, int nbits, int run_sym,

    init_get_bits(&gbit, gb->buffer, nbits);
    while (get_bits_left(&gbit) > 0 && oe < no) {
-        uint16_t x = get_vlc2(&gbit, vlc->table, 12, 2);
+        uint16_t x = get_vlc2(&gbit, vlc->table, 12, 3);

        if (x == run_sym) {
            int run = get_bits(&gbit, 8);
@@ -1014,7 +1014,9 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
    dc_count = AV_RL64(src + 72);
    ac_compression = AV_RL64(src + 80);

-    if (compressed_size < 88LL + lo_size + ac_size + dc_size + rle_csize)
+    if (   compressed_size < (uint64_t)(lo_size | ac_size | dc_size | rle_csize) || compressed_size < 88LL + lo_size + ac_size + dc_size + rle_csize
+        || ac_count > (uint64_t)INT_MAX/2
+    )
        return AVERROR_INVALIDDATA;

    bytestream2_init(&gb, src + 88, compressed_size - 88);
@@ -1031,12 +1033,14 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
    }

    if (ac_size > 0) {
-        unsigned long dest_len = ac_count * 2LL;
+        unsigned long dest_len;
        GetByteContext agb = gb;

        if (ac_count > 3LL * td->xsize * s->scan_lines_per_block)
            return AVERROR_INVALIDDATA;

+        dest_len = ac_count * 2LL;
+
        av_fast_padded_malloc(&td->ac_data, &td->ac_size, dest_len);
        if (!td->ac_data)
            return AVERROR(ENOMEM);
@@ -1059,13 +1063,15 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
        bytestream2_skip(&gb, ac_size);
    }

-    if (dc_size > 0) {
-        unsigned long dest_len = dc_count * 2LL;
+    {
+        unsigned long dest_len;
        GetByteContext agb = gb;

-        if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64)
+        if (dc_count != dc_w * dc_h * 3)
            return AVERROR_INVALIDDATA;

+        dest_len = dc_count * 2LL;
+
        av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2);
        if (!td->dc_data)
            return AVERROR(ENOMEM);
@@ -1795,6 +1801,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
            ymax   = bytestream2_get_le32(gb);

            if (xmin > xmax || ymin > ymax ||
+                ymax == INT_MAX || xmax == INT_MAX ||
                (unsigned)xmax - xmin >= INT_MAX ||
                (unsigned)ymax - ymin >= INT_MAX) {
                ret = AVERROR_INVALIDDATA;
@@ -144,6 +144,8 @@ static int decode_uncompressed(AVCodecContext *avctx, GetBitContext *gb,
                return AVERROR_INVALIDDATA;
            }
            cwi = 10 - av_log2(cwi);
+            if (get_bits_left(gb) < cwi + 1)
+                return AVERROR_INVALIDDATA;
            skip_bits(gb, cwi + 1);
            if (cwi > 5) {
                newmode = get_bits1(gb);
@@ -209,6 +211,8 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
    unsigned int run = 0;
    unsigned int t;
    for (;;) {
+        if (get_bits_left(gb) <= 0)
+            return AVERROR_INVALIDDATA;
        t    = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2);
        run += t;
        if (t < 64) {
@@ -227,7 +231,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
            run       = 0;
            mode      = !mode;
        } else if ((int)t == -1) {
-            if (show_bits(gb, 12) == 15) {
+            if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) {
                int ret;
                skip_bits(gb, 12);
                ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, &mode);
@@ -254,7 +258,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
    unsigned int offs = 0, run = 0;

    while (offs < width) {
-        int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1);
+        int cmode;
+        if (get_bits_left(gb) <= 0)
+            return AVERROR_INVALIDDATA;
+        cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1);
        if (cmode == -1) {
            av_log(avctx, AV_LOG_ERROR, "Incorrect mode VLC\n");
            return AVERROR_INVALIDDATA;
@@ -276,6 +283,8 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
            for (k = 0; k < 2; k++) {
                run = 0;
                for (;;) {
+                    if (get_bits_left(gb) <= 0)
+                        return AVERROR_INVALIDDATA;
                    t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2);
                    if (t == -1) {
                        av_log(avctx, AV_LOG_ERROR, "Incorrect code\n");
@@ -299,7 +308,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
                mode = !mode;
            }
        } else if (cmode == 9 || cmode == 10) {
-            int xxx = get_bits(gb, 3);
+            int xxx;
+            if (get_bits_left(gb) < 3)
+                return AVERROR_INVALIDDATA;
+            xxx = get_bits(gb, 3);
            if (cmode == 9 && xxx == 7) {
                int ret;
                int pix_left = width - offs;
@@ -55,6 +55,7 @@

 /** largest possible size of flac header */
 #define MAX_FRAME_HEADER_SIZE 16
+#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE)

 typedef struct FLACHeaderMarker {
    int offset;       /**< byte offset from start of FLACParseContext->buffer */
@@ -170,7 +171,7 @@ static int find_headers_search_validate(FLACParseContext *fpc, int offset)
    uint8_t *header_buf;
    int size = 0;
    header_buf = flac_fifo_read_wrap(fpc, offset,
-                                     MAX_FRAME_HEADER_SIZE,
+                                     MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE,
                                     &fpc->wrap_buf,
                                     &fpc->wrap_buf_allocated_size);
    if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) {
@@ -735,6 +735,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
                bytestream2_skip(&g2, chunk_size - 6);
            } else {

+                if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height )
+                    return AVERROR_INVALIDDATA;
                for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height;
                     y_ptr += s->frame->linesize[0]) {

@@ -124,7 +124,7 @@ end:
 int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){
    int i=0;
    ThreadContext *c;
-
+    AVCodecContext *thread_avctx = NULL;

    if(   !(avctx->thread_type & FF_THREAD_FRAME)
       || !(avctx->codec->capabilities & AV_CODEC_CAP_FRAME_THREADS))
@@ -205,16 +205,17 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){
        AVDictionary *tmp = NULL;
        int ret;
        void *tmpv;
-        AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec);
+        thread_avctx = avcodec_alloc_context3(avctx->codec);
        if(!thread_avctx)
            goto fail;
        tmpv = thread_avctx->priv_data;
        *thread_avctx = *avctx;
+        thread_avctx->priv_data = tmpv;
+        thread_avctx->internal = NULL;
+        thread_avctx->hw_frames_ctx = NULL;
        ret = av_opt_copy(thread_avctx, avctx);
        if (ret < 0)
            goto fail;
-        thread_avctx->priv_data = tmpv;
-        thread_avctx->internal = NULL;
        if (avctx->codec->priv_class) {
            int ret = av_opt_copy(thread_avctx->priv_data, avctx->priv_data);
            if (ret < 0)
@@ -243,6 +244,8 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){

    return 0;
 fail:
+    avcodec_close(thread_avctx);
+    av_freep(&thread_avctx);
    avctx->thread_count = i;
    av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n");
    ff_frame_thread_encoder_free(avctx);
@@ -23,6 +23,10 @@

 #include "avcodec.h"

+/**
+ * Initialize frame thread encoder.
+ * @note hardware encoders are not supported
+ */
 int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options);
 void ff_frame_thread_encoder_free(AVCodecContext *avctx);
 int ff_thread_video_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
@@ -29,6 +29,7 @@

 #include <limits.h>

+#include "libavutil/thread.h"
 #include "avcodec.h"
 #include "mpegvideo.h"
 #include "h263.h"
@@ -38,6 +39,17 @@
 #include "flv.h"
 #include "mpeg4video.h"

+static av_cold void h263_init_rl_inter(void)
+{
+    static uint8_t h263_rl_inter_table[2][2 * MAX_RUN + MAX_LEVEL + 3];
+    ff_rl_init(&ff_h263_rl_inter, h263_rl_inter_table);
+}
+
+av_cold void ff_h263_init_rl_inter(void)
+{
+    static AVOnce init_static_once = AV_ONCE_INIT;
+    ff_thread_once(&init_static_once, h263_init_rl_inter);
+}

 void ff_h263_update_motion_val(MpegEncContext * s){
    const int mb_xy = s->mb_y * s->mb_stride + s->mb_x;
@@ -66,6 +66,7 @@ int16_t *ff_h263_pred_motion(MpegEncContext * s, int block, int dir,
                             int *px, int *py);
 void ff_h263_encode_init(MpegEncContext *s);
 void ff_h263_decode_init_vlc(void);
+void ff_h263_init_rl_inter(void);
 int ff_h263_decode_picture_header(MpegEncContext *s);
 int ff_h263_decode_gob_header(MpegEncContext *s);
 void ff_h263_update_motion_val(MpegEncContext * s);
@@ -25,8 +25,6 @@

 #include <stdint.h>

-#include "libavutil/thread.h"
-
 #include "h263data.h"
 #include "mpegvideo.h"

@@ -290,15 +288,3 @@ const AVRational ff_h263_pixel_aspect[16] = {
    {  0,  1 },
    {  0,  1 },
 };
-
-static av_cold void h263_init_rl_inter(void)
-{
-    static uint8_t h263_rl_inter_table[2][2 * MAX_RUN + MAX_LEVEL + 3];
-    ff_rl_init(&ff_h263_rl_inter, h263_rl_inter_table);
-}
-
-av_cold void ff_h263_init_rl_inter(void)
-{
-    static AVOnce init_static_once = AV_ONCE_INIT;
-    ff_thread_once(&init_static_once, h263_init_rl_inter);
-}
@@ -61,7 +61,6 @@ extern const int8_t ff_inter_run[102];

 extern RLTable ff_h263_rl_inter;
 extern RLTable ff_rl_intra_aic;
-void ff_h263_init_rl_inter(void);

 extern const uint16_t ff_h263_format[8][2];

@@ -1831,6 +1831,8 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl,
    if (nal->type == H264_NAL_IDR_SLICE)
        get_ue_golomb_long(&sl->gb); /* idr_pic_id */

+    sl->poc_lsb = 0;
+    sl->delta_poc_bottom = 0;
    if (sps->poc_type == 0) {
        sl->poc_lsb = get_bits(&sl->gb, sps->log2_max_poc_lsb);

@@ -1838,6 +1840,7 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl,
            sl->delta_poc_bottom = get_se_golomb(&sl->gb);
    }

+    sl->delta_poc[0] = sl->delta_poc[1] = 0;
    if (sps->poc_type == 1 && !sps->delta_pic_order_always_zero_flag) {
        sl->delta_poc[0] = get_se_golomb(&sl->gb);

@@ -914,7 +914,7 @@ static int finalize_frame(H264Context *h, AVFrame *dst, H264Picture *out, int *g
                                 out->qscale_table,
                                 out->motion_val,
                                 NULL,
-                                 h->mb_width, h->mb_height, h->mb_stride, 1);
+                                 out->mb_width, out->mb_height, out->mb_stride, 1);
        }
    }

@@ -386,7 +386,7 @@ static int decode_nal_sei_timecode(HEVCSEITimeCode *s, GetBitContext *gb)

            s->time_offset_length[i] = get_bits(gb, 5);
            if (s->time_offset_length[i] > 0) {
-                s->time_offset_value[i] = get_bits(gb, s->time_offset_length[i]);
+                s->time_offset_value[i] = get_bits_long(gb, s->time_offset_length[i]);
            }
        }
    }
@@ -1848,7 +1848,8 @@ static int decode_frame(AVCodecContext *avctx,
                    buf += s->planesize;
                }
            }
-            memcpy(frame->data[1], s->pal, 256 * 4);
+            if (avctx->pix_fmt == AV_PIX_FMT_PAL8)
+                memcpy(frame->data[1], s->pal, 256 * 4);
        } else if (s->ham) {
            int i, count = 1 << s->ham;

@@ -78,6 +78,11 @@
 * Codec handles avctx->thread_count == 0 (auto) internally.
 */
 #define FF_CODEC_CAP_AUTO_THREADS           (1 << 7)
+/**
+ * Codec handles output frame properties internally instead of letting the
+ * internal logic derive them from AVCodecInternal.last_pkt_props.
+ */
+#define FF_CODEC_CAP_SETS_FRAME_PROPS       (1 << 8)

 /**
 * AVCodec.codec_tags termination value
@@ -1679,7 +1679,7 @@ static int parse_layer_rates(Jpeg2000EncoderContext *s)
    }

    token = av_strtok(s->lr_str, ",", &saveptr);
-    if (rate = strtol(token, NULL, 10)) {
+    if (token && (rate = strtol(token, NULL, 10))) {
            s->layer_rates[0] = rate <= 1 ? 0:rate;
            nlayers++;
    } else {
@@ -2361,6 +2361,8 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s)
                   atom_size >= 16) {
            uint32_t atom2_size, atom2, atom2_end;
            do {
+                if (bytestream2_get_bytes_left(&s->g) < 8)
+                    break;
                atom2_size = bytestream2_get_be32u(&s->g);
                atom2      = bytestream2_get_be32u(&s->g);
                atom2_end  = bytestream2_tell(&s->g) + atom2_size - 8;
@@ -122,7 +122,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
            s->avctx->pix_fmt = AV_PIX_FMT_PAL8;
            for (i=s->palette_index; i<=maxtab; i++) {
                uint8_t k = i << shift;
-                pal[k] = 0;
+                pal[k] = wt < 4 ? 0xFF000000 : 0;
                for (j=0; j<wt; j++) {
                    pal[k] |= get_bits(&s->gb, 8) << (8*(wt-j-1));
                }
@@ -33,6 +33,9 @@
 #include "decode.h"
 #include "internal.h"

+#define FF_DAV1D_VERSION_AT_LEAST(x,y) \
+    (DAV1D_API_VERSION_MAJOR > (x) || DAV1D_API_VERSION_MAJOR == (x) && DAV1D_API_VERSION_MINOR >= (y))
+
 typedef struct Libdav1dContext {
    AVClass *class;
    Dav1dContext *c;
@@ -145,6 +148,15 @@ static av_cold int libdav1d_init(AVCodecContext *c)
    if (dav1d->operating_point >= 0)
        s.operating_point = dav1d->operating_point;

+#if FF_DAV1D_VERSION_AT_LEAST(6,0)
+    if (dav1d->frame_threads || dav1d->tile_threads)
+        s.n_threads = FFMAX(dav1d->frame_threads, dav1d->tile_threads);
+    else
+        s.n_threads = FFMIN(threads, DAV1D_MAX_THREADS);
+    s.max_frame_delay = (c->flags & AV_CODEC_FLAG_LOW_DELAY) ? 1 : s.n_threads;
+    av_log(c, AV_LOG_DEBUG, "Using %d threads, %d max_frame_delay\n",
+           s.n_threads, s.max_frame_delay);
+#else
    s.n_tile_threads = dav1d->tile_threads
                     ? dav1d->tile_threads
                     : FFMIN(floor(sqrt(threads)), DAV1D_MAX_TILE_THREADS);
@@ -153,6 +165,7 @@ static av_cold int libdav1d_init(AVCodecContext *c)
                      : FFMIN(ceil(threads / s.n_tile_threads), DAV1D_MAX_FRAME_THREADS);
    av_log(c, AV_LOG_DEBUG, "Using %d frame threads, %d tile threads\n",
           s.n_frame_threads, s.n_tile_threads);
+#endif

    res = dav1d_open(&dav1d->c, &s);
    if (res < 0)
@@ -456,6 +469,13 @@ static av_cold int libdav1d_close(AVCodecContext *c)
    return 0;
 }

+#ifndef DAV1D_MAX_FRAME_THREADS
+#define DAV1D_MAX_FRAME_THREADS DAV1D_MAX_THREADS
+#endif
+#ifndef DAV1D_MAX_TILE_THREADS
+#define DAV1D_MAX_TILE_THREADS DAV1D_MAX_THREADS
+#endif
+
 #define OFFSET(x) offsetof(Libdav1dContext, x)
 #define VD AV_OPT_FLAG_VIDEO_PARAM | AV_OPT_FLAG_DECODING_PARAM
 static const AVOption libdav1d_options[] = {
@@ -189,7 +189,7 @@ double ff_lpc_calc_ref_coefs_f(LPCContext *s, const float *samples, int len,
    compute_ref_coefs(autoc, order, ref, error);
    for (i = 0; i < order; i++)
        avg_err = (avg_err + error[i])/2.0f;
-    return signal/avg_err;
+    return avg_err ? signal/avg_err : NAN;
 }

 /**
@@ -143,7 +143,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order,
        gen0[i] = gen1[i] = autoc[i + 1];

    err    = autoc[0];
-    ref[0] = -gen1[0] / err;
+    ref[0] = -gen1[0] / ((USE_FIXED || err) ? err : 1);
    err   +=  gen1[0] * ref[0];
    if (error)
        error[0] = err;
@@ -152,7 +152,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order,
            gen1[j] = gen1[j + 1] + ref[i - 1] * gen0[j];
            gen0[j] = gen1[j + 1] * ref[i - 1] + gen0[j];
        }
-        ref[i] = -gen1[0] / err;
+        ref[i] = -gen1[0] / ((USE_FIXED || err) ? err : 1);
        err   +=  gen1[0] * ref[i];
        if (error)
            error[i] = err;
@@ -186,7 +186,8 @@ static inline int AAC_RENAME(compute_lpc_coefs)(const LPC_TYPE *autoc, int max_o
            for(j=0; j<i; j++)
                r -= lpc_last[j] * autoc[i-j-1];

-            r /= err;
+            if (err)
+                r /= err;
            err *= FIXR(1.0) - (r * r);
        }

@@ -119,9 +119,13 @@ read_header:
                      8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs));
        s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16));
        s->start_code = SOS;
-        ret = ff_mjpeg_decode_sos(s, NULL, 0, NULL);
-        if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE))
-            return ret;
+        if (avctx->skip_frame == AVDISCARD_ALL) {
+            skip_bits(&s->gb, get_bits_left(&s->gb));
+        } else {
+            ret = ff_mjpeg_decode_sos(s, NULL, 0, NULL);
+            if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE))
+                return ret;
+        }
    }

    if (s->interlaced) {
@@ -1573,6 +1573,9 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
                else
                    ret = decode_block_progressive(s, *block, last_nnz, s->ac_index[0],
                                                   quant_matrix, ss, se, Al, &EOBRUN);
+
+                if (ret >= 0 && get_bits_left(&s->gb) < 0)
+                    ret = AVERROR_INVALIDDATA;
                if (ret < 0) {
                    av_log(s->avctx, AV_LOG_ERROR,
                           "error y=%d x=%d\n", mb_y, mb_x);
@@ -1538,6 +1538,10 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1)
    s->mpeg_f_code[0][1] = get_bits(&s->gb, 4);
    s->mpeg_f_code[1][0] = get_bits(&s->gb, 4);
    s->mpeg_f_code[1][1] = get_bits(&s->gb, 4);
+    s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0];
+    s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1];
+    s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0];
+    s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1];
    if (!s->pict_type && s1->mpeg_enc_ctx_allocated) {
        av_log(s->avctx, AV_LOG_ERROR,
               "Missing picture start code, guessing missing values\n");
@@ -1551,10 +1555,6 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1)
        s->current_picture.f->pict_type = s->pict_type;
        s->current_picture.f->key_frame = s->pict_type == AV_PICTURE_TYPE_I;
    }
-    s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0];
-    s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1];
-    s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0];
-    s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1];

    s->intra_dc_precision         = get_bits(&s->gb, 2);
    s->picture_structure          = get_bits(&s->gb, 2);
@@ -509,9 +509,13 @@ FF_ENABLE_DEPRECATION_WARNINGS
    if (!s->fixed_qscale &&
        avctx->bit_rate * av_q2d(avctx->time_base) >
            avctx->bit_rate_tolerance) {
+        double nbt = avctx->bit_rate * av_q2d(avctx->time_base) * 5;
        av_log(avctx, AV_LOG_WARNING,
               "bitrate tolerance %d too small for bitrate %"PRId64", overriding\n", avctx->bit_rate_tolerance, avctx->bit_rate);
-        avctx->bit_rate_tolerance = 5 * avctx->bit_rate * av_q2d(avctx->time_base);
+        if (nbt <= INT_MAX) {
+            avctx->bit_rate_tolerance = nbt;
+        } else
+            avctx->bit_rate_tolerance = INT_MAX;
    }

    if (avctx->rc_max_rate &&
@@ -2016,6 +2020,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
            break;
            default:
                av_log(avctx, AV_LOG_ERROR, "vbv buffer overflow\n");
+                s->stuffing_bits = 0;
            }
            flush_put_bits(&s->pb);
            s->frame_bits  = put_bits_count(&s->pb);
@@ -193,6 +193,9 @@ static int mxpeg_decode_frame(AVCodecContext *avctx,
    int start_code;
    int ret;

+    if (avctx->skip_frame == AVDISCARD_ALL)
+        return AVERROR_PATCHWELCOME;
+
    buf_ptr = buf;
    buf_end = buf + buf_size;
    jpg->got_picture = 0;
@@ -138,10 +138,8 @@ static av_cold int encode_end(AVCodecContext *avctx)

    ff_mdct_end(&s->mdct_ctx);

-    if (s->avctx->trellis) {
-        av_freep(&s->opt);
-        av_freep(&s->path);
-    }
+    av_freep(&s->opt);
+    av_freep(&s->path);
    ff_af_queue_close(&s->afq);
    av_freep(&s->fdsp);

@@ -144,6 +144,70 @@ static int nvenc_print_error(AVCodecContext *avctx, NVENCSTATUS err,
    return ret;
 }

+typedef struct GUIDTuple {
+    const GUID guid;
+    int flags;
+} GUIDTuple;
+
+#define PRESET_ALIAS(alias, name, ...) \
+    [PRESET_ ## alias] = { NV_ENC_PRESET_ ## name ## _GUID, __VA_ARGS__ }
+
+#define PRESET(name, ...) PRESET_ALIAS(name, name, __VA_ARGS__)
+
+static void nvenc_map_preset(NvencContext *ctx)
+{
+    GUIDTuple presets[] = {
+#ifdef NVENC_HAVE_NEW_PRESETS
+        PRESET(P1),
+        PRESET(P2),
+        PRESET(P3),
+        PRESET(P4),
+        PRESET(P5),
+        PRESET(P6),
+        PRESET(P7),
+        PRESET_ALIAS(SLOW,   P7, NVENC_TWO_PASSES),
+        PRESET_ALIAS(MEDIUM, P4, NVENC_ONE_PASS),
+        PRESET_ALIAS(FAST,   P1, NVENC_ONE_PASS),
+        // Compat aliases
+        PRESET_ALIAS(DEFAULT,             P4, NVENC_DEPRECATED_PRESET),
+        PRESET_ALIAS(HP,                  P1, NVENC_DEPRECATED_PRESET),
+        PRESET_ALIAS(HQ,                  P7, NVENC_DEPRECATED_PRESET),
+        PRESET_ALIAS(BD,                  P5, NVENC_DEPRECATED_PRESET),
+        PRESET_ALIAS(LOW_LATENCY_DEFAULT, P4, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY),
+        PRESET_ALIAS(LOW_LATENCY_HP,      P1, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY),
+        PRESET_ALIAS(LOW_LATENCY_HQ,      P7, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY),
+        PRESET_ALIAS(LOSSLESS_DEFAULT,    P4, NVENC_DEPRECATED_PRESET | NVENC_LOSSLESS),
+        PRESET_ALIAS(LOSSLESS_HP,         P1, NVENC_DEPRECATED_PRESET | NVENC_LOSSLESS),
+#else
+        PRESET(DEFAULT),
+        PRESET(HP),
+        PRESET(HQ),
+        PRESET(BD),
+        PRESET_ALIAS(SLOW,   HQ,    NVENC_TWO_PASSES),
+        PRESET_ALIAS(MEDIUM, HQ,    NVENC_ONE_PASS),
+        PRESET_ALIAS(FAST,   HP,    NVENC_ONE_PASS),
+        PRESET(LOW_LATENCY_DEFAULT, NVENC_LOWLATENCY),
+        PRESET(LOW_LATENCY_HP,      NVENC_LOWLATENCY),
+        PRESET(LOW_LATENCY_HQ,      NVENC_LOWLATENCY),
+        PRESET(LOSSLESS_DEFAULT,    NVENC_LOSSLESS),
+        PRESET(LOSSLESS_HP,         NVENC_LOSSLESS),
+#endif
+    };
+
+    GUIDTuple *t = &presets[ctx->preset];
+
+    ctx->init_encode_params.presetGUID = t->guid;
+    ctx->flags = t->flags;
+
+#ifdef NVENC_HAVE_NEW_PRESETS
+    if (ctx->tuning_info == NV_ENC_TUNING_INFO_LOSSLESS)
+        ctx->flags |= NVENC_LOSSLESS;
+#endif
+}
+
+#undef PRESET
+#undef PRESET_ALIAS
+
 static void nvenc_print_driver_requirement(AVCodecContext *avctx, int level)
 {
 #if NVENCAPI_CHECK_VERSION(11, 1)
@@ -358,7 +422,7 @@ static int nvenc_check_capabilities(AVCodecContext *avctx)
    }

    ret = nvenc_check_cap(avctx, NV_ENC_CAPS_SUPPORT_LOSSLESS_ENCODE);
-    if (ctx->preset >= PRESET_LOSSLESS_DEFAULT && ret <= 0) {
+    if (ctx->flags & NVENC_LOSSLESS && ret <= 0) {
        av_log(avctx, AV_LOG_WARNING, "Lossless encoding not supported\n");
        return AVERROR(ENOSYS);
    }
@@ -548,6 +612,11 @@ static av_cold int nvenc_setup_device(AVCodecContext *avctx)
        return AVERROR_BUG;
    }

+    nvenc_map_preset(ctx);
+
+    if (ctx->flags & NVENC_DEPRECATED_PRESET)
+        av_log(avctx, AV_LOG_WARNING, "The selected preset is deprecated. Use p1 to p7 + -tune or fast/medium/slow.\n");
+
    if (avctx->pix_fmt == AV_PIX_FMT_CUDA || avctx->pix_fmt == AV_PIX_FMT_D3D11 || avctx->hw_frames_ctx || avctx->hw_device_ctx) {
        AVHWFramesContext   *frames_ctx;
        AVHWDeviceContext   *hwdev_ctx;
@@ -638,65 +707,6 @@ static av_cold int nvenc_setup_device(AVCodecContext *avctx)
    return 0;
 }

-typedef struct GUIDTuple {
-    const GUID guid;
-    int flags;
-} GUIDTuple;
-
-#define PRESET_ALIAS(alias, name, ...) \
-    [PRESET_ ## alias] = { NV_ENC_PRESET_ ## name ## _GUID, __VA_ARGS__ }
-
-#define PRESET(name, ...) PRESET_ALIAS(name, name, __VA_ARGS__)
-
-static void nvenc_map_preset(NvencContext *ctx)
-{
-    GUIDTuple presets[] = {
-#ifdef NVENC_HAVE_NEW_PRESETS
-        PRESET(P1),
-        PRESET(P2),
-        PRESET(P3),
-        PRESET(P4),
-        PRESET(P5),
-        PRESET(P6),
-        PRESET(P7),
-        PRESET_ALIAS(SLOW,   P7, NVENC_TWO_PASSES),
-        PRESET_ALIAS(MEDIUM, P4, NVENC_ONE_PASS),
-        PRESET_ALIAS(FAST,   P1, NVENC_ONE_PASS),
-        // Compat aliases
-        PRESET_ALIAS(DEFAULT,             P4, NVENC_DEPRECATED_PRESET),
-        PRESET_ALIAS(HP,                  P1, NVENC_DEPRECATED_PRESET),
-        PRESET_ALIAS(HQ,                  P7, NVENC_DEPRECATED_PRESET),
-        PRESET_ALIAS(BD,                  P5, NVENC_DEPRECATED_PRESET),
-        PRESET_ALIAS(LOW_LATENCY_DEFAULT, P4, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY),
-        PRESET_ALIAS(LOW_LATENCY_HP,      P1, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY),
-        PRESET_ALIAS(LOW_LATENCY_HQ,      P7, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY),
-        PRESET_ALIAS(LOSSLESS_DEFAULT,    P4, NVENC_DEPRECATED_PRESET | NVENC_LOSSLESS),
-        PRESET_ALIAS(LOSSLESS_HP,         P1, NVENC_DEPRECATED_PRESET | NVENC_LOSSLESS),
-#else
-        PRESET(DEFAULT),
-        PRESET(HP),
-        PRESET(HQ),
-        PRESET(BD),
-        PRESET_ALIAS(SLOW,   HQ,    NVENC_TWO_PASSES),
-        PRESET_ALIAS(MEDIUM, HQ,    NVENC_ONE_PASS),
-        PRESET_ALIAS(FAST,   HP,    NVENC_ONE_PASS),
-        PRESET(LOW_LATENCY_DEFAULT, NVENC_LOWLATENCY),
-        PRESET(LOW_LATENCY_HP,      NVENC_LOWLATENCY),
-        PRESET(LOW_LATENCY_HQ,      NVENC_LOWLATENCY),
-        PRESET(LOSSLESS_DEFAULT,    NVENC_LOSSLESS),
-        PRESET(LOSSLESS_HP,         NVENC_LOSSLESS),
-#endif
-    };
-
-    GUIDTuple *t = &presets[ctx->preset];
-
-    ctx->init_encode_params.presetGUID = t->guid;
-    ctx->flags = t->flags;
-}
-
-#undef PRESET
-#undef PRESET_ALIAS
-
 static av_cold void set_constqp(AVCodecContext *avctx)
 {
    NvencContext *ctx = avctx->priv_data;
@@ -1254,18 +1264,15 @@ static av_cold int nvenc_setup_encoder(AVCodecContext *avctx)

    ctx->init_encode_params.encodeConfig = &ctx->encode_config;

-    nvenc_map_preset(ctx);
-
-    if (ctx->flags & NVENC_DEPRECATED_PRESET)
-        av_log(avctx, AV_LOG_WARNING, "The selected preset is deprecated. Use p1 to p7 + -tune or fast/medium/slow.\n");
-
    preset_config.version = NV_ENC_PRESET_CONFIG_VER;
    preset_config.presetCfg.version = NV_ENC_CONFIG_VER;

 #ifdef NVENC_HAVE_NEW_PRESETS
    ctx->init_encode_params.tuningInfo = ctx->tuning_info;

-    if (ctx->flags & NVENC_LOWLATENCY)
+    if (ctx->flags & NVENC_LOSSLESS)
+        ctx->init_encode_params.tuningInfo = NV_ENC_TUNING_INFO_LOSSLESS;
+    else if (ctx->flags & NVENC_LOWLATENCY)
        ctx->init_encode_params.tuningInfo = NV_ENC_TUNING_INFO_LOW_LATENCY;

    nv_status = p_nvenc->nvEncGetEncodePresetConfigEx(ctx->nvencoder,
@@ -1307,9 +1314,6 @@ static av_cold int nvenc_setup_encoder(AVCodecContext *avctx)
     * */
    if (ctx->rc_lookahead == 0 && ctx->encode_config.rcParams.enableLookahead)
        ctx->rc_lookahead = ctx->encode_config.rcParams.lookaheadDepth;
-
-    if (ctx->init_encode_params.tuningInfo == NV_ENC_TUNING_INFO_LOSSLESS)
-        ctx->flags |= NVENC_LOSSLESS;
 #endif

    if (ctx->weighted_pred == 1)
@@ -103,7 +103,7 @@ enum {
    PRESET_LOW_LATENCY_DEFAULT ,
    PRESET_LOW_LATENCY_HQ ,
    PRESET_LOW_LATENCY_HP,
-    PRESET_LOSSLESS_DEFAULT, // lossless presets must be the last ones
+    PRESET_LOSSLESS_DEFAULT,
    PRESET_LOSSLESS_HP,
 #ifdef NVENC_HAVE_NEW_PRESETS
    PRESET_P1,
@@ -148,7 +148,7 @@ static const AVOption options[] = {
    { "middle",       "",                                   0,                    AV_OPT_TYPE_CONST, { .i64 = 2 }, 0, 0,       VE, "b_ref_mode" },
 #endif
    { "a53cc",        "Use A53 Closed Captions (if available)", OFFSET(a53_cc),   AV_OPT_TYPE_BOOL,  { .i64 = 1 }, 0, 1,       VE },
-    { "s12m_tc",      "Use timecode (if available)",        OFFSET(s12m_tc),      AV_OPT_TYPE_BOOL,  { .i64 = 1 }, 0, 1,       VE },
+    { "s12m_tc",      "Use timecode (if available)",        OFFSET(s12m_tc),      AV_OPT_TYPE_BOOL,  { .i64 = 0 }, 0, 1,       VE },
    { "dpb_size",     "Specifies the DPB size used for encoding (0 means automatic)",
                                                            OFFSET(dpb_size),     AV_OPT_TYPE_INT,   { .i64 = 0 }, 0, INT_MAX, VE },
 #ifdef NVENC_HAVE_MULTIPASS
@@ -1644,7 +1644,7 @@ static int decode_frame_apng(AVCodecContext *avctx,
    if (!(avctx->active_thread_type & FF_THREAD_FRAME)) {
        if (s->dispose_op == APNG_DISPOSE_OP_PREVIOUS) {
            ff_thread_release_buffer(avctx, &s->picture);
-        } else if (s->dispose_op == APNG_DISPOSE_OP_NONE) {
+        } else {
            ff_thread_release_buffer(avctx, &s->last_picture);
            FFSWAP(ThreadFrame, s->picture, s->last_picture);
        }
@@ -1693,8 +1693,8 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src)
        pdst->hdr_state |= psrc->hdr_state;
    }

-    src_frame = psrc->dispose_op == APNG_DISPOSE_OP_NONE ?
-                &psrc->picture : &psrc->last_picture;
+    src_frame = psrc->dispose_op == APNG_DISPOSE_OP_PREVIOUS ?
+                &psrc->last_picture : &psrc->picture;

    ff_thread_release_buffer(dst, &pdst->last_picture);
    if (src_frame && src_frame->f->data[0]) {
@@ -154,7 +154,7 @@ static int rv10_decode_picture_header(MpegEncContext *s)
    return mb_count;
 }

-static int rv20_decode_picture_header(RVDecContext *rv)
+static int rv20_decode_picture_header(RVDecContext *rv, int whole_size)
 {
    MpegEncContext *s = &rv->m;
    int seq, mb_pos, i, ret;
@@ -232,6 +232,10 @@ static int rv20_decode_picture_header(RVDecContext *rv)
                   "attempting to change resolution to %dx%d\n", new_w, new_h);
            if (av_image_check_size(new_w, new_h, 0, s->avctx) < 0)
                return AVERROR_INVALIDDATA;
+
+            if (whole_size < (new_w + 15)/16 * ((new_h + 15)/16) / 8)
+                return AVERROR_INVALIDDATA;
+
            ff_mpv_common_end(s);

            // attempt to keep aspect during typical resolution switches
@@ -447,7 +451,7 @@ static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf,
    if (s->codec_id == AV_CODEC_ID_RV10)
        mb_count = rv10_decode_picture_header(s);
    else
-        mb_count = rv20_decode_picture_header(rv);
+        mb_count = rv20_decode_picture_header(rv, whole_size);
    if (mb_count < 0) {
        if (mb_count != ERROR_SKIP_FRAME)
            av_log(s->avctx, AV_LOG_ERROR, "HEADER ERROR\n");
@@ -87,7 +87,7 @@ static void sbr_neg_odd_64_c(int *x)
 {
    int i;
    for (i = 1; i < 64; i += 2)
-        x[i] = -x[i];
+        x[i] = -(unsigned)x[i];
 }

 static void sbr_qmf_pre_shuffle_c(int *z)
@@ -186,6 +186,7 @@ typedef struct SnowContext{
    uint8_t *emu_edge_buffer;

    AVMotionVector *avmv;
+    unsigned avmv_size;
    int avmv_index;
    uint64_t encoding_error[AV_NUM_DATA_POINTERS];

@@ -493,9 +493,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
               s->spatial_decomposition_count
              );

-    av_assert0(!s->avmv);
    if (s->avctx->export_side_data & AV_CODEC_EXPORT_DATA_MVS) {
-        s->avmv = av_malloc_array(s->b_width * s->b_height, sizeof(AVMotionVector) << (s->block_max_depth*2));
+        size_t size;
+        res = av_size_mult(s->b_width * s->b_height, sizeof(AVMotionVector) << (s->block_max_depth*2), &size);
+        if (res)
+            return res;
+        av_fast_malloc(&s->avmv, &s->avmv_size, size);
+        if (!s->avmv)
+            return AVERROR(ENOMEM);
+    } else {
+        s->avmv_size = 0;
+        av_freep(&s->avmv);
    }
    s->avmv_index = 0;

@@ -624,8 +632,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
        memcpy(sd->data, s->avmv, s->avmv_index * sizeof(AVMotionVector));
    }

-    av_freep(&s->avmv);
-
    if (res < 0)
        return res;

@@ -645,6 +651,9 @@ static av_cold int decode_end(AVCodecContext *avctx)

    ff_snow_common_end(s);

+    s->avmv_size = 0;
+    av_freep(&s->avmv);
+
    return 0;
 }

@@ -487,9 +487,10 @@ static av_cold int svq1_encode_end(AVCodecContext *avctx)
    SVQ1EncContext *const s = avctx->priv_data;
    int i;

-    av_log(avctx, AV_LOG_DEBUG, "RD: %f\n",
-           s->rd_total / (double)(avctx->width * avctx->height *
-                                  avctx->frame_number));
+    if (avctx->frame_number)
+        av_log(avctx, AV_LOG_DEBUG, "RD: %f\n",
+               s->rd_total / (double)(avctx->width * avctx->height *
+                                      avctx->frame_number));

    s->m.mb_type = NULL;
    ff_mpv_common_end(&s->m);
@@ -30,7 +30,8 @@ const uint32_t ff_tta_shift_1[] = {
    0x01000000, 0x02000000, 0x04000000, 0x08000000,
    0x10000000, 0x20000000, 0x40000000, 0x80000000,
    0x80000000, 0x80000000, 0x80000000, 0x80000000,
-    0x80000000, 0x80000000, 0x80000000, 0x80000000
+    0x80000000, 0x80000000, 0x80000000, 0x80000000,
+    0xFFFFFFFF
 };

 const uint32_t * const ff_tta_shift_16 = ff_tta_shift_1 + 4;
@@ -47,9 +47,9 @@ static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl,
    *error = *in;
    *in += (round >> shift);

-    dl[4] = -dl[5]; dl[5] = -dl[6];
-    dl[6] = *in - dl[7]; dl[7] = *in;
-    dl[5] += dl[6]; dl[4] += dl[5];
+    dl[4] = -(unsigned)dl[5]; dl[5] = -(unsigned)dl[6];
+    dl[6] = *in -(unsigned)dl[7]; dl[7] = *in;
+    dl[5] += (unsigned)dl[6]; dl[4] += (unsigned)dl[5];
 }

 av_cold void ff_ttadsp_init(TTADSPContext *c)
@@ -206,5 +206,5 @@ AVCodec ff_ttml_encoder = {
    .init           = ttml_encode_init,
    .encode_sub     = ttml_encode_frame,
    .close          = ttml_encode_close,
-    .capabilities   = FF_CODEC_CAP_INIT_CLEANUP,
+    .caps_internal  = FF_CODEC_CAP_INIT_CLEANUP,
 };
@@ -268,10 +268,21 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
            h_align = 4;
        }
        if (s->codec_id == AV_CODEC_ID_JV ||
+            s->codec_id == AV_CODEC_ID_ARGO ||
            s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) {
            w_align = 8;
            h_align = 8;
        }
+        if (s->codec_id == AV_CODEC_ID_MJPEG   ||
+            s->codec_id == AV_CODEC_ID_MJPEGB  ||
+            s->codec_id == AV_CODEC_ID_LJPEG   ||
+            s->codec_id == AV_CODEC_ID_SMVJPEG ||
+            s->codec_id == AV_CODEC_ID_AMV     ||
+            s->codec_id == AV_CODEC_ID_SP5X    ||
+            s->codec_id == AV_CODEC_ID_JPEGLS) {
+            w_align =   8;
+            h_align = 2*8;
+        }
        break;
    case AV_PIX_FMT_BGR24:
        if ((s->codec_id == AV_CODEC_ID_MSZH) ||
@@ -286,6 +297,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
            h_align = 4;
        }
        break;
+    case AV_PIX_FMT_BGR0:
+        if (s->codec_id == AV_CODEC_ID_ARGO) {
+            w_align = 8;
+            h_align = 8;
+        }
+        break;
    default:
        break;
    }
@@ -739,7 +756,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
            case AV_CODEC_ID_ADPCM_THP:
            case AV_CODEC_ID_ADPCM_THP_LE:
                if (extradata)
-                    return frame_bytes * 14 / (8 * ch);
+                    return frame_bytes * 14LL / (8 * ch);
                break;
            case AV_CODEC_ID_ADPCM_XA:
                return (frame_bytes / 128) * 224 / ch;
@@ -773,21 +790,33 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
            if (ba > 0) {
                /* calc from frame_bytes, channels, and block_align */
                int blocks = frame_bytes / ba;
+                int64_t tmp = 0;
                switch (id) {
                case AV_CODEC_ID_ADPCM_IMA_WAV:
                    if (bps < 2 || bps > 5)
                        return 0;
-                    return blocks * (1 + (ba - 4 * ch) / (bps * ch) * 8);
+                    tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8);
+                    break;
                case AV_CODEC_ID_ADPCM_IMA_DK3:
-                    return blocks * (((ba - 16) * 2 / 3 * 4) / ch);
+                    tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch);
+                    break;
                case AV_CODEC_ID_ADPCM_IMA_DK4:
-                    return blocks * (1 + (ba - 4 * ch) * 2 / ch);
+                    tmp = blocks * (1 + (ba - 4LL * ch) * 2 / ch);
+                    break;
                case AV_CODEC_ID_ADPCM_IMA_RAD:
-                    return blocks * ((ba - 4 * ch) * 2 / ch);
+                    tmp = blocks * ((ba - 4LL * ch) * 2 / ch);
+                    break;
                case AV_CODEC_ID_ADPCM_MS:
-                    return blocks * (2 + (ba - 7 * ch) * 2LL / ch);
+                    tmp = blocks * (2 + (ba - 7LL * ch) * 2LL / ch);
+                    break;
                case AV_CODEC_ID_ADPCM_MTAF:
-                    return blocks * (ba - 16) * 2 / ch;
+                    tmp = blocks * (ba - 16LL) * 2 / ch;
+                    break;
+                }
+                if (tmp) {
+                    if (tmp != (int)tmp)
+                        return 0;
+                    return tmp;
                }
            }

@@ -825,20 +854,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,

 int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
 {
-    return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
+    int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
                                    avctx->channels, avctx->block_align,
                                    avctx->codec_tag, avctx->bits_per_coded_sample,
                                    avctx->bit_rate, avctx->extradata, avctx->frame_size,
                                    frame_bytes);
+    return FFMAX(0, duration);
 }

 int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes)
 {
-    return get_audio_frame_duration(par->codec_id, par->sample_rate,
+    int duration = get_audio_frame_duration(par->codec_id, par->sample_rate,
                                    par->channels, par->block_align,
                                    par->codec_tag, par->bits_per_coded_sample,
                                    par->bit_rate, par->extradata, par->frame_size,
                                    frame_bytes);
+    return FFMAX(0, duration);
 }

 #if !HAVE_THREADS
@@ -292,7 +292,7 @@ static int vaapi_av1_decode_slice(AVCodecContext *avctx,
        err = ff_vaapi_decode_make_slice_buffer(avctx, pic, &slice_param,
                                                sizeof(VASliceParameterBufferAV1),
                                                buffer,
-                                                s->tile_group_info[i].tile_size);
+                                                size);
        if (err) {
            ff_vaapi_decode_cancel(avctx, pic);
            return err;
@@ -672,6 +672,8 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb)
    if (v->s.pict_type == AV_PICTURE_TYPE_P)
        v->rnd ^= 1;

+    if (get_bits_left(gb) < 5)
+        return AVERROR_INVALIDDATA;
    /* Quantizer stuff */
    pqindex = get_bits(gb, 5);
    if (!pqindex)
@@ -764,6 +766,9 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb)
        av_log(v->s.avctx, AV_LOG_DEBUG, "MB Skip plane encoding: "
               "Imode: %i, Invert: %i\n", status>>1, status&1);

+        if (get_bits_left(gb) < 4)
+            return AVERROR_INVALIDDATA;
+
        /* Hopefully this is correct for P-frames */
        v->s.mv_table_index = get_bits(gb, 2); //but using ff_vc1_ tables
        v->cbptab = get_bits(gb, 2);
@@ -1124,7 +1124,9 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
            ret = AVERROR_INVALIDDATA;
            goto err;
        }
-        if (!v->field_mode)
+        if (   !v->field_mode
+            && avctx->codec_id != AV_CODEC_ID_WMV3IMAGE
+            && avctx->codec_id != AV_CODEC_ID_VC1IMAGE)
            ff_er_frame_end(&s->er);
    }

@@ -1152,12 +1154,14 @@ image:
        if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) {
            if ((ret = av_frame_ref(pict, s->current_picture_ptr->f)) < 0)
                goto err;
-            ff_print_debug_info(s, s->current_picture_ptr, pict);
+            if (!v->field_mode)
+                ff_print_debug_info(s, s->current_picture_ptr, pict);
            *got_frame = 1;
        } else if (s->last_picture_ptr) {
            if ((ret = av_frame_ref(pict, s->last_picture_ptr->f)) < 0)
                goto err;
-            ff_print_debug_info(s, s->last_picture_ptr, pict);
+            if (!v->field_mode)
+                ff_print_debug_info(s, s->last_picture_ptr, pict);
            *got_frame = 1;
        }
    }
@@ -982,6 +982,8 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
    }

    s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f);
+    if (s->slice_min_bytes < 0)
+        return AVERROR(EINVAL);

    ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced);
    if (ret)
@@ -49,6 +49,10 @@ enum { kCVPixelFormatType_420YpCbCr10BiPlanarFullRange = 'xf20' };
 enum { kCVPixelFormatType_420YpCbCr10BiPlanarVideoRange = 'x420' };
 #endif

+#ifndef TARGET_CPU_ARM64
+#   define TARGET_CPU_ARM64 0
+#endif
+
 typedef OSStatus (*getParameterSetAtIndex)(CMFormatDescriptionRef videoDesc,
                                           size_t parameterSetIndex,
                                           const uint8_t **parameterSetPointerOut,
@@ -627,6 +627,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role,
    while (y < img->frame->height) {
        int v;

+        if (get_bits_left(&s->gb) < 0)
+            return AVERROR_INVALIDDATA;
+
        hg = get_huffman_group(s, img, x, y);
        v = huff_reader_get_symbol(&hg[HUFF_IDX_GREEN], &s->gb);
        if (v < NUM_LITERAL_CODES) {
@@ -457,7 +457,7 @@ int ff_wma_run_level_decode(AVCodecContext *avctx, GetBitContext *gb,
                        if (get_bits1(gb)) {
                            av_log(avctx, AV_LOG_ERROR,
                                   "broken escape sequence\n");
-                            return -1;
+                            return AVERROR_INVALIDDATA;
                        } else
                            offset += get_bits(gb, frame_len_bits) + 4;
                    } else
@@ -475,7 +475,7 @@ int ff_wma_run_level_decode(AVCodecContext *avctx, GetBitContext *gb,
               offset,
               num_coefs
              );
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    return 0;
@@ -590,15 +590,18 @@ static int wma_decode_block(WMACodecContext *s)
        if (s->channel_coded[ch]) {
            int tindex;
            WMACoef *ptr = &s->coefs1[ch][0];
+            int ret;

            /* special VLC tables are used for ms stereo because
             * there is potentially less energy there */
            tindex = (ch == 1 && s->ms_stereo);
            memset(ptr, 0, s->block_len * sizeof(WMACoef));
-            ff_wma_run_level_decode(s->avctx, &s->gb, &s->coef_vlc[tindex],
-                                    s->level_table[tindex], s->run_table[tindex],
-                                    0, ptr, 0, nb_coefs[ch],
-                                    s->block_len, s->frame_len_bits, coef_nb_bits);
+            ret = ff_wma_run_level_decode(s->avctx, &s->gb, &s->coef_vlc[tindex],
+                                          s->level_table[tindex], s->run_table[tindex],
+                                          0, ptr, 0, nb_coefs[ch],
+                                          s->block_len, s->frame_len_bits, coef_nb_bits);
+            if (ret < 0)
+                return ret;
        }
        if (s->version == 1 && s->avctx->channels >= 2)
            align_get_bits(&s->gb);
@@ -985,13 +985,16 @@ static int decode_coeffs(WMAProDecodeCtx *s, int c)

    /** decode run level coded coefficients */
    if (cur_coeff < s->subframe_len) {
+        int ret;
+
        memset(&ci->coeffs[cur_coeff], 0,
               sizeof(*ci->coeffs) * (s->subframe_len - cur_coeff));
-        if (ff_wma_run_level_decode(s->avctx, &s->gb, vlc,
-                                    level, run, 1, ci->coeffs,
-                                    cur_coeff, s->subframe_len,
-                                    s->subframe_len, s->esc_len, 0))
-            return AVERROR_INVALIDDATA;
+        ret = ff_wma_run_level_decode(s->avctx, &s->gb, vlc,
+                                      level, run, 1, ci->coeffs,
+                                      cur_coeff, s->subframe_len,
+                                      s->subframe_len, s->esc_len, 0);
+        if (ret < 0)
+            return ret;
    }

    return 0;
@@ -341,9 +341,6 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data,
    if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
        return ret;

-    if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
-        return ret;
-
    if (cpp <= 0 || cpp >= 5) {
        av_log(avctx, AV_LOG_ERROR, "unsupported/invalid number of chars per pixel: %d\n", cpp);
        return AVERROR_INVALIDDATA;
@@ -360,14 +357,17 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data,

    size *= 4;

-    av_fast_padded_malloc(&x->pixels, &x->pixels_size, size);
-    if (!x->pixels)
-        return AVERROR(ENOMEM);
-
    ptr += mod_strcspn(ptr, ",") + 1;
    if (end - ptr < 1)
        return AVERROR_INVALIDDATA;

+    if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
+        return ret;
+
+    av_fast_padded_malloc(&x->pixels, &x->pixels_size, size);
+    if (!x->pixels)
+        return AVERROR(ENOMEM);
+
    for (i = 0; i < ncolors; i++) {
        const uint8_t *index;
        int len;
@@ -167,6 +167,11 @@ static void print_stats(AVFilterContext *ctx)
        float chdr, secondpeak, rmssum = 0;
        int i, j, first = 0;

+        if (!p->nb_samples) {
+            av_log(ctx, AV_LOG_INFO, "No data, dynamic range not meassurable\n");
+            return;
+        }
+
        finish_block(p);

        for (i = 0; i <= 10000; i++) {
@@ -304,9 +304,6 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame)
    AVDictionary **metadata = &frame->metadata;
    AVDictionaryEntry *e;

-    if (!*metadata && s->mode != METADATA_ADD)
-        return ff_filter_frame(outlink, frame);
-
    e = av_dict_get(*metadata, !s->key ? "" : s->key, NULL,
                    !s->key ? AV_DICT_IGNORE_SUFFIX: 0);

@@ -849,7 +849,8 @@ rgb_to_xy(double rc,
    *z = m[2][0] * rc + m[2][1] * gc + m[2][2] * bc;

    sum = *x + *y + *z;
-
+    if (sum == 0)
+        sum = 1;
    *x = *x / sum;
    *y = *y / sum;
 }
@@ -564,6 +564,9 @@ static int config_input(AVFilterLink *inlink)
               inlink->h - s->pr_height);

    max_slice_h = s->pr_height / ((s->bsize - 1) * 2);
+    if (max_slice_h == 0)
+        return AVERROR(EINVAL);
+
    s->nb_threads = FFMIN3(MAX_THREADS, ff_filter_get_nb_threads(ctx), max_slice_h);
    av_log(ctx, AV_LOG_DEBUG, "threads: [max=%d hmax=%d user=%d] => %d\n",
           MAX_THREADS, max_slice_h, ff_filter_get_nb_threads(ctx), s->nb_threads);
@@ -161,7 +161,7 @@ static void export_row8(FFTComplex *src, uint8_t *dst, int rw, float scale, int
    int j;

    for (j = 0; j < rw; j++)
-        dst[j] = av_clip_uint8(src[j].re * scale + 0.5f);
+        dst[j] = av_clip_uint8(lrintf(src[j].re * scale));
 }

 static void import_row16(FFTComplex *dst, uint8_t *srcp, int rw)
@@ -100,6 +100,9 @@ static int config_input(AVFilterLink *inlink)
    s->b_height = inlink->h >> s->log2_mb_size;
    s->b_count = s->b_width * s->b_height;

+    if (s->b_count == 0)
+        return AVERROR(EINVAL);
+
    for (i = 0; i < 3; i++) {
        s->mv_table[i] = av_mallocz_array(s->b_count, sizeof(*s->mv_table[0]));
        if (!s->mv_table[i])
@@ -63,6 +63,7 @@ typedef struct OverlayCUDAContext {
    enum AVPixelFormat in_format_overlay;
    enum AVPixelFormat in_format_main;

+    AVBufferRef *hw_device_ctx;
    AVCUDADeviceContext *hwctx;

    CUcontext cu_ctx;
@@ -256,6 +257,9 @@ static av_cold void overlay_cuda_uninit(AVFilterContext *avctx)
        CHECK_CU(cu->cuModuleUnload(ctx->cu_module));
        CHECK_CU(cu->cuCtxPopCurrent(&dummy));
    }
+
+    av_buffer_unref(&ctx->hw_device_ctx);
+    ctx->hwctx = NULL;
 }

 /**
@@ -341,13 +345,19 @@ static int overlay_cuda_config_output(AVFilterLink *outlink)

    // initialize

-    ctx->hwctx = frames_ctx->device_ctx->hwctx;
+    ctx->hw_device_ctx = av_buffer_ref(frames_ctx->device_ref);
+    if (!ctx->hw_device_ctx)
+        return AVERROR(ENOMEM);
+    ctx->hwctx = ((AVHWDeviceContext*)ctx->hw_device_ctx->data)->hwctx;
+
    cuda_ctx = ctx->hwctx->cuda_ctx;
    ctx->fs.time_base = inlink->time_base;

    ctx->cu_stream = ctx->hwctx->stream;

    outlink->hw_frames_ctx = av_buffer_ref(inlink->hw_frames_ctx);
+    if (!outlink->hw_frames_ctx)
+        return AVERROR(ENOMEM);

    // load functions

@@ -739,6 +739,18 @@ scale:
    out->width  = outlink->w;
    out->height = outlink->h;

+    // Sanity checks:
+    //   1. If the output is RGB, set the matrix coefficients to RGB.
+    //   2. If the output is not RGB and we've got the RGB/XYZ (identity)
+    //      matrix configured, unset the matrix.
+    //   In theory these should be in swscale itself as the AVFrame
+    //   based API gets in, so that not every swscale API user has
+    //   to go through duplicating such sanity checks.
+    if (av_pix_fmt_desc_get(out->format)->flags & AV_PIX_FMT_FLAG_RGB)
+        out->colorspace = AVCOL_SPC_RGB;
+    else if (out->colorspace == AVCOL_SPC_RGB)
+        out->colorspace = AVCOL_SPC_UNSPECIFIED;
+
    if (scale->output_is_pal)
        avpriv_set_systematic_pal2((uint32_t*)out->data[1], outlink->format == AV_PIX_FMT_PAL8 ? AV_PIX_FMT_BGR8 : outlink->format);

@@ -481,13 +481,16 @@ static int nppscale_scale(AVFilterContext *ctx, AVFrame *out, AVFrame *in)
        src        = s->stages[i].frame;
        last_stage = i;
    }
-
    if (last_stage < 0)
        return AVERROR_BUG;
+
    ret = av_hwframe_get_buffer(src->hw_frames_ctx, s->tmp_frame, 0);
    if (ret < 0)
        return ret;

+    s->tmp_frame->width  = src->width;
+    s->tmp_frame->height = src->height;
+
    av_frame_move_ref(out, src);
    av_frame_move_ref(src, s->tmp_frame);

@@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s,
    int i;
    const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt);

+    if (w < 3 || h < 3)
+        return AVERROR(EINVAL);
+
    s->width = w;
    s->height = h;
    s->stride = FFALIGN(w * sizeof(uint16_t), 32);
@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1,
    uint8_t *next2 = parity ? cur  : next;

    const int edge = MAX_ALIGN - 1;
+    int offset = FFMAX(w - edge, 3);

    /* Only edge pixels need to be processed here.  A constant value of false
     * for is_not_edge should let the compiler ignore the whole branch. */
-    FILTER(0, 3, 0)
+    FILTER(0, FFMIN(3, w), 0)

-    dst  = (uint8_t*)dst1  + w - edge;
-    prev = (uint8_t*)prev1 + w - edge;
-    cur  = (uint8_t*)cur1  + w - edge;
-    next = (uint8_t*)next1 + w - edge;
+    dst  = (uint8_t*)dst1  + offset;
+    prev = (uint8_t*)prev1 + offset;
+    cur  = (uint8_t*)cur1  + offset;
+    next = (uint8_t*)next1 + offset;
    prev2 = (uint8_t*)(parity ? prev : cur);
    next2 = (uint8_t*)(parity ? cur  : next);

-    FILTER(w - edge, w - 3, 1)
-    FILTER(w - 3, w, 0)
+    FILTER(offset, w - 3, 1)
+    offset = FFMAX(offset, w - 3);
+    FILTER(offset, w, 0)
 }


@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1,
    uint16_t *next2 = parity ? cur  : next;

    const int edge = MAX_ALIGN / 2 - 1;
+    int offset = FFMAX(w - edge, 3);

    mrefs /= 2;
    prefs /= 2;

-    FILTER(0, 3, 0)
+    FILTER(0,  FFMIN(3, w), 0)

-    dst   = (uint16_t*)dst1  + w - edge;
-    prev  = (uint16_t*)prev1 + w - edge;
-    cur   = (uint16_t*)cur1  + w - edge;
-    next  = (uint16_t*)next1 + w - edge;
+    dst   = (uint16_t*)dst1  + offset;
+    prev  = (uint16_t*)prev1 + offset;
+    cur   = (uint16_t*)cur1  + offset;
+    next  = (uint16_t*)next1 + offset;
    prev2 = (uint16_t*)(parity ? prev : cur);
    next2 = (uint16_t*)(parity ? cur  : next);

-    FILTER(w - edge, w - 3, 1)
-    FILTER(w - 3, w, 0)
+    FILTER(offset, w - 3, 1)
+    offset = FFMAX(offset, w - 3);
+    FILTER(offset, w, 0)
 }

 static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
@@ -117,6 +117,7 @@ static int aax_read_header(AVFormatContext *s)
    int64_t column_offset = 0;
    int ret, extradata_size;
    char *codec;
+    int64_t ret64;

    avio_skip(pb, 4);
    a->table_size      = avio_rb32(pb) + 8LL;
@@ -218,7 +219,10 @@ static int aax_read_header(AVFormatContext *s)
        }
    }

-    avio_seek(pb, a->strings_offset, SEEK_SET);
+    ret = ret64 = avio_seek(pb, a->strings_offset, SEEK_SET);
+    if (ret64 < 0)
+        goto fail;
+
    ret = avio_read(pb, a->string_table, a->strings_size);
    if (ret != a->strings_size) {
        if (ret < 0)
@@ -249,7 +253,10 @@ static int aax_read_header(AVFormatContext *s)
                goto fail;
            }

-            avio_seek(pb, data_offset, SEEK_SET);
+            ret = ret64 = avio_seek(pb, data_offset, SEEK_SET);
+            if (ret64 < 0)
+                goto fail;
+
            if (type == COLUMN_TYPE_VLDATA) {
                int64_t start, size;

@@ -281,8 +288,8 @@ static int aax_read_header(AVFormatContext *s)
    codec = a->string_table + a->name_offset;
    if (!strcmp(codec, "AAX")) {
        par->codec_id = AV_CODEC_ID_ADPCM_ADX;
-        avio_seek(pb, a->segments[0].start, SEEK_SET);
-        if (avio_rb16(pb) != 0x8000) {
+        ret64 = avio_seek(pb, a->segments[0].start, SEEK_SET);
+        if (ret64 < 0 || avio_rb16(pb) != 0x8000) {
            ret = AVERROR_INVALIDDATA;
            goto fail;
        }
@@ -51,9 +51,11 @@ static int adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, const ui
    GetBitContext gb;
    PutBitContext pb;
    MPEG4AudioConfig m4ac;
-    int off;
+    int off, ret;

-    init_get_bits(&gb, buf, size * 8);
+    ret = init_get_bits8(&gb, buf, size);
+    if (ret < 0)
+        return ret;
    off = avpriv_mpeg4audio_get_config2(&m4ac, buf, size, 1, s);
    if (off < 0)
        return off;
@@ -100,6 +100,9 @@ static int get_aiff_header(AVFormatContext *s, int size,
    int sample_rate;
    unsigned int num_frames;

+    if (size == INT_MAX)
+        return AVERROR_INVALIDDATA;
+
    if (size & 1)
        size++;
    par->codec_type = AVMEDIA_TYPE_AUDIO;
@@ -522,7 +522,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size)
        tag1                             = avio_rl32(pb);
        avio_skip(pb, 20);
        if (sizeX > 40) {
-            if (size < sizeX - 40)
+            if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
                return AVERROR_INVALIDDATA;
            st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40);
            st->codecpar->extradata      = av_mallocz(st->codecpar->extradata_size +
@@ -685,7 +685,7 @@ static int asf_read_properties(AVFormatContext *s, const GUIDParseTable *g)
    return 0;
 }

-static int parse_video_info(AVIOContext *pb, AVStream *st)
+static int parse_video_info(AVFormatContext *avfmt, AVIOContext *pb, AVStream *st)
 {
    uint16_t size_asf; // ASF-specific Format Data size
    uint32_t size_bmp; // BMP_HEADER-specific Format Data size
@@ -700,19 +700,10 @@ static int parse_video_info(AVIOContext *pb, AVStream *st)
    st->codecpar->codec_id  = ff_codec_get_id(ff_codec_bmp_tags, tag);
    size_bmp = FFMAX(size_asf, size_bmp);

-    if (size_bmp > BMP_HEADER_SIZE &&
-        size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
-        int ret;
-        st->codecpar->extradata_size  = size_bmp - BMP_HEADER_SIZE;
-        if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size +
-                                               AV_INPUT_BUFFER_PADDING_SIZE))) {
-            st->codecpar->extradata_size = 0;
-            return AVERROR(ENOMEM);
-        }
-        memset(st->codecpar->extradata + st->codecpar->extradata_size , 0,
-               AV_INPUT_BUFFER_PADDING_SIZE);
-        if ((ret = avio_read(pb, st->codecpar->extradata,
-                             st->codecpar->extradata_size)) < 0)
+    if (size_bmp > BMP_HEADER_SIZE) {
+        int ret = ff_get_extradata(avfmt, st->codecpar, pb, size_bmp - BMP_HEADER_SIZE);
+
+        if (ret < 0)
            return ret;
    }
    return 0;
@@ -795,7 +786,7 @@ static int asf_read_stream_properties(AVFormatContext *s, const GUIDParseTable *
        break;
    case AVMEDIA_TYPE_VIDEO:
        asf_st->type = AVMEDIA_TYPE_VIDEO;
-        if ((ret = parse_video_info(pb, st)) < 0)
+        if ((ret = parse_video_info(s, pb, st)) < 0)
            return ret;
        break;
    default:
@@ -165,7 +165,7 @@ static int get_riff(AVFormatContext *s, AVIOContext *pb)
    return 0;
 }

-static int read_odml_index(AVFormatContext *s, int frame_num)
+static int read_odml_index(AVFormatContext *s, int64_t frame_num)
 {
    AVIContext *avi     = s->priv_data;
    AVIOContext *pb     = s->pb;
@@ -185,7 +185,7 @@ static int read_odml_index(AVFormatContext *s, int frame_num)

    av_log(s, AV_LOG_TRACE,
            "longs_per_entry:%d index_type:%d entries_in_use:%d "
-            "chunk_id:%X base:%16"PRIX64" frame_num:%d\n",
+            "chunk_id:%X base:%16"PRIX64" frame_num:%"PRId64"\n",
            longs_per_entry,
            index_type,
            entries_in_use,
@@ -245,7 +245,7 @@ static int read_odml_index(AVFormatContext *s, int frame_num)
            avio_rl32(pb);       /* size */
            duration = avio_rl32(pb);

-            if (avio_feof(pb))
+            if (avio_feof(pb) || offset > INT64_MAX - 8)
                return AVERROR_INVALIDDATA;

            pos = avio_tell(pb);
@@ -1783,7 +1783,10 @@ static int avi_load_index(AVFormatContext *s)
        size = avio_rl32(pb);
        if (avio_feof(pb))
            break;
-        next = avio_tell(pb) + size + (size & 1);
+        next = avio_tell(pb);
+        if (next < 0 || next > INT64_MAX - size - (size & 1))
+            break;
+        next += size + (size & 1LL);

        if (tag == MKTAG('i', 'd', 'x', '1') &&
            avi_read_idx1(s, size) >= 0) {
@@ -316,8 +316,11 @@ int ffurl_open_whitelist(URLContext **puc, const char *filename, int flags,
    int ret = ffurl_alloc(puc, filename, flags, int_cb);
    if (ret < 0)
        return ret;
-    if (parent)
-        av_opt_copy(*puc, parent);
+    if (parent) {
+        ret = av_opt_copy(*puc, parent);
+        if (ret < 0)
+            goto fail;
+    }
    if (options &&
        (ret = av_opt_set_dict(*puc, options)) < 0)
        goto fail;
@@ -73,6 +73,8 @@ static int bfi_read_header(AVFormatContext * s)
        return AVERROR_INVALIDDATA;

    bfi->nframes           = avio_rl32(pb);
+    if (bfi->nframes < 0)
+        return AVERROR_INVALIDDATA;
    avio_rl32(pb);
    avio_rl32(pb);
    avio_rl32(pb);
@@ -79,7 +79,7 @@ static int read_desc_chunk(AVFormatContext *s)
    st->codecpar->channels    = avio_rb32(pb);
    st->codecpar->bits_per_coded_sample = avio_rb32(pb);

-    if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0)
+    if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0 || st->codecpar->channels < 0)
        return AVERROR_INVALIDDATA;

    /* calculate bit rate for constant size packets */
@@ -129,7 +129,7 @@ static int dsf_read_header(AVFormatContext *s)
        return AVERROR_INVALIDDATA;
    }
    st->codecpar->block_align *= st->codecpar->channels;
-    st->codecpar->bit_rate = st->codecpar->channels * st->codecpar->sample_rate * 8LL;
+    st->codecpar->bit_rate = st->codecpar->channels * 8LL * st->codecpar->sample_rate;
    avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate);
    avio_skip(pb, 4);

@@ -166,7 +166,8 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt)
    CinDemuxContext *cin = s->priv_data;
    AVIOContext *pb = s->pb;
    CinFrameHeader *hdr = &cin->frame_header;
-    int rc, palette_type, pkt_size;
+    int rc, palette_type;
+    int64_t pkt_size;
    int ret;

    if (cin->audio_buffer_size == 0) {
@@ -182,7 +183,9 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt)
        }

        /* palette and video packet */
-        pkt_size = (palette_type + 3) * hdr->pal_colors_count + hdr->video_frame_size;
+        pkt_size = (palette_type + 3LL) * hdr->pal_colors_count + hdr->video_frame_size;
+        if (pkt_size + 4 > INT_MAX)
+            return AVERROR_INVALIDDATA;

        pkt_size = ffio_limit(pb, pkt_size);

@@ -79,7 +79,7 @@ static int dxa_read_header(AVFormatContext *s)
    if(fps > 0){
        den = 1000;
        num = fps;
-    }else if (fps < 0){
+    }else if (fps < 0 && fps > INT_MIN){
        den = 100000;
        num = -fps;
    }else{
@@ -593,7 +593,7 @@ static int fifo_write_packet(AVFormatContext *avf, AVPacket *pkt)
        goto fail;
    }

-    if (fifo->timeshift && pkt->dts != AV_NOPTS_VALUE)
+    if (fifo->timeshift && pkt && pkt->dts != AV_NOPTS_VALUE)
        atomic_fetch_add_explicit(&fifo->queue_duration, next_duration(avf, pkt, &fifo->last_sent_dts), memory_order_relaxed);

    return ret;
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .4
 .4.1