Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/tiff: Check input space in dng_decode_jpeg()
2020-07-11 00:26:17 +02:00 · 2020-07-11 00:25:33 +02:00 · 2020-07-11 00:25:33 +02:00 · 2020-07-11 00:25:33 +02:00 · 2020-07-10 20:52:00 +02:00 · 2020-07-10 20:52:00 +02:00
95 changed files with 669 additions and 308 deletions
@@ -1,6 +1,48 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 4.3.1:
+ avcodec/tiff: Check input space in dng_decode_jpeg()
+ avcodec/mjpeg_parser: Adjust size rejection threshold
+ avcodec/cbs_jpeg: Fix uninitialized end index in cbs_jpeg_split_fragment()
+ avformat/sdp: Fix potential write beyond end of buffer
+ avformat/mm: Check for existence of audio stream
+ avformat/mov: Fix unaligned read of uint32_t and endian-dependance in mov_read_default
+ avcodec/apedec: Fix undefined integer overflow with 24bit
+ avcodec/loco: Fix integer overflow with large values from loco_get_rice()
+ avformat/smjpegdec: Check the existence of referred streams
+ avcodec/tiff: Check frame parameters before blit for DNG
+ avcodec/mjpegdec: Limit bayer to single plane outputting format
+ avcodec/pnmdec: Fix misaligned reads
+ avcodec/mv30: Fix integer overflows in idct2_1d()
+ avcodec/hcadec: Check total_band_count against imdct_in size
+ avcodec/scpr3: Fix out of array access with dectab
+ avcodec/tiff: Do not overrun the array ends in dng_blit()
+ avcodec/dstdec: Replace AC overread check by sample rate check
+ dnn_backend_native: Add overflow check for length calculation.
+ avcodec/h264_metadata_bsf: Fix invalid av_freep
+ avcodec/cbs_h265: set default VUI parameters when vui_parameters_present_flag is false
+ avcodec/av1_parser: initialize avctx->pix_fmt
+ avcodec/av1_parser: add missing parsing for RGB pixel format signaling
+ avcodec/av1_parser: set context values outside the OBU parsing loop
+ avutil/avsscanf: Add () to avoid integer overflow in scanexp()
+ avformat/utils: reorder duration computation to avoid overflow
+ avcodec/pngdec: Check for fctl after idat
+ avformat/hls: Pass a copy of the URL for probing
+ avutil/common: Fix integer overflow in av_ceil_log2_c()
+ avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms
+ avformat/mvdec: Fix integer overflow with billions of channels
+ avformat/microdvddec: skip malformed lines without frame number.
+ dnn_backend_native: check operand index
+ dnn_backend_native.c: refine code for fail case
+ avformat/mov: fix memleaks
+ libavformat/mov: Fix memleaks when demuxing DV audio
+ avcodec/cbs_av1: Fix writing uvlc numbers >= INT_MAX
+ avformat/avc, mxfenc: Avoid allocation of H264 SPS structure, fix memleak
+ avcodec/bitstream: Don't check for undefined behaviour after it happened
+ avformat/aviobuf: Also return truncated buffer in avio_get_dyn_buf()
+ avformat/aviobuf: Don't check for overflow after it happened
+
 version 4.3:
 - v360 filter
 - Intel QSV-accelerated MJPEG decoding
@@ -1 +1 @@
-4.2.git
+4.3.1
@@ -0,0 +1,15 @@
+
+              ┌────────────────────────────────────┐
+              │ RELEASE NOTES for FFmpeg 4.3 "4:3" │
+              └────────────────────────────────────┘
+
+   The FFmpeg Project proudly presents FFmpeg 4.3 "4:3", about 10
+   months after the release of FFmpeg 4.2.
+
+   A complete Changelog is available at the root of the project, and the
+   complete Git history on https://git.ffmpeg.org/gitweb/ffmpeg.git
+
+   We hope you will like this release as much as we enjoyed working on it, and
+   as usual, if you have any questions about it, or any FFmpeg related topic,
+   feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask
+   on the mailing-lists.
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         =
+PROJECT_NUMBER         = 4.3.1

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -317,7 +317,7 @@ list are dropped. You may use the special @code{*} string to match all pages,
 or @code{subtitle} to match all subtitle pages.
 Default value is *.
@item txt_default_region
-Set default G0 character set used for decoding, a value between 0 and 80 (see
+Set default character set used for decoding, a value between 0 and 87 (see
 ETS 300 706, Section 15, Table 32). Default value is -1, which does not
 override the libzvbi default. This option is needed for some legacy level 1.0
 transmissions which cannot signal the proper charset.
@@ -1573,7 +1573,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        for (ch = 0; ch < s->channels; ch++) {
            sample24 = (int32_t *)frame->data[ch];
            for (i = 0; i < blockstodecode; i++)
-                *sample24++ = s->decoded[ch][i] * 256;
+                *sample24++ = s->decoded[ch][i] * 256U;
        }
        break;
    }
@@ -45,6 +45,10 @@ static const enum AVPixelFormat pix_fmts_12bit[2][2] = {
    { AV_PIX_FMT_YUV422P12, AV_PIX_FMT_YUV420P12 },
 };

+static const enum AVPixelFormat pix_fmts_rgb[3] = {
+    AV_PIX_FMT_GBRP, AV_PIX_FMT_GBRP10, AV_PIX_FMT_GBRP12,
+};
+
 static int av1_parser_parse(AVCodecParserContext *ctx,
                            AVCodecContext *avctx,
                            const uint8_t **out_data, int *out_size,
@@ -53,6 +57,8 @@ static int av1_parser_parse(AVCodecParserContext *ctx,
    AV1ParseContext *s = ctx->priv_data;
    CodedBitstreamFragment *td = &s->temporal_unit;
    CodedBitstreamAV1Context *av1 = s->cbc->priv_data;
+    AV1RawSequenceHeader *seq;
+    AV1RawColorConfig *color;
    int ret;

    *out_data = data;
@@ -86,11 +92,12 @@ static int av1_parser_parse(AVCodecParserContext *ctx,
        goto end;
    }

+    seq = av1->sequence_header;
+    color = &seq->color_config;
+
    for (int i = 0; i < td->nb_units; i++) {
        CodedBitstreamUnit *unit = &td->units[i];
        AV1RawOBU *obu = unit->content;
-        AV1RawSequenceHeader *seq = av1->sequence_header;
-        AV1RawColorConfig *color = &seq->color_config;
        AV1RawFrameHeader *frame;
        int frame_type;

@@ -127,9 +134,6 @@ static int av1_parser_parse(AVCodecParserContext *ctx,
            ctx->key_frame = frame_type == AV1_FRAME_KEY;
        }

-        avctx->profile = seq->seq_profile;
-        avctx->level   = seq->seq_level_idx[0];
-
        switch (frame_type) {
        case AV1_FRAME_KEY:
        case AV1_FRAME_INTRA_ONLY:
@@ -143,33 +147,44 @@ static int av1_parser_parse(AVCodecParserContext *ctx,
            break;
        }
        ctx->picture_structure = AV_PICTURE_STRUCTURE_FRAME;
+    }

-        switch (av1->bit_depth) {
-        case 8:
-            ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY8
-                                             : pix_fmts_8bit [color->subsampling_x][color->subsampling_y];
-            break;
-        case 10:
-            ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY10
-                                             : pix_fmts_10bit[color->subsampling_x][color->subsampling_y];
-            break;
-        case 12:
-            ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY12
-                                             : pix_fmts_12bit[color->subsampling_x][color->subsampling_y];
-            break;
-        }
-        av_assert2(ctx->format != AV_PIX_FMT_NONE);
+    switch (av1->bit_depth) {
+    case 8:
+        ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY8
+                                         : pix_fmts_8bit [color->subsampling_x][color->subsampling_y];
+        break;
+    case 10:
+        ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY10
+                                         : pix_fmts_10bit[color->subsampling_x][color->subsampling_y];
+        break;
+    case 12:
+        ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY12
+                                         : pix_fmts_12bit[color->subsampling_x][color->subsampling_y];
+        break;
+    }
+    av_assert2(ctx->format != AV_PIX_FMT_NONE);

-        avctx->colorspace = (enum AVColorSpace) color->matrix_coefficients;
-        avctx->color_primaries = (enum AVColorPrimaries) color->color_primaries;
-        avctx->color_trc = (enum AVColorTransferCharacteristic) color->transfer_characteristics;
-        avctx->color_range = color->color_range ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG;
+    if (!color->subsampling_x && !color->subsampling_y &&
+        color->matrix_coefficients       == AVCOL_SPC_RGB &&
+        color->color_primaries           == AVCOL_PRI_BT709 &&
+        color->transfer_characteristics  == AVCOL_TRC_IEC61966_2_1)
+        ctx->format = pix_fmts_rgb[color->high_bitdepth + color->twelve_bit];

-        if (ctx->width != avctx->width || ctx->height != avctx->height) {
-            ret = ff_set_dimensions(avctx, ctx->width, ctx->height);
-            if (ret < 0)
-                goto end;
-        }
+    avctx->pix_fmt = ctx->format;
+
+    avctx->profile = seq->seq_profile;
+    avctx->level   = seq->seq_level_idx[0];
+
+    avctx->colorspace = (enum AVColorSpace) color->matrix_coefficients;
+    avctx->color_primaries = (enum AVColorPrimaries) color->color_primaries;
+    avctx->color_trc = (enum AVColorTransferCharacteristic) color->transfer_characteristics;
+    avctx->color_range = color->color_range ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG;
+
+    if (ctx->width != avctx->width || ctx->height != avctx->height) {
+        ret = ff_set_dimensions(avctx, ctx->width, ctx->height);
+        if (ret < 0)
+            goto end;
    }

    if (avctx->framerate.num)
@@ -162,9 +162,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
    uint32_t code;
    volatile VLC_TYPE (* volatile table)[2]; // the double volatile is needed to prevent an internal compiler error in gcc 4.2

-    table_size = 1 << table_nb_bits;
    if (table_nb_bits > 30)
       return AVERROR(EINVAL);
+    table_size = 1 << table_nb_bits;
    table_index = alloc_table(vlc, table_size, flags & INIT_VLC_USE_NEW_STATIC);
    ff_dlog(NULL, "new table index=%d size=%d\n", table_index, table_size);
    if (table_index < 0)
@@ -693,11 +693,11 @@ static int cbs_insert_unit(CodedBitstreamContext *ctx,
            memmove(units + position + 1, units + position,
                    (frag->nb_units - position) * sizeof(*units));
    } else {
-        units = av_malloc_array(frag->nb_units + 1, sizeof(*units));
+        units = av_malloc_array(frag->nb_units*2 + 1, sizeof(*units));
        if (!units)
            return AVERROR(ENOMEM);

-        ++frag->nb_units_allocated;
+        frag->nb_units_allocated = 2*frag->nb_units_allocated + 1;

        if (position > 0)
            memcpy(units, frag->units, position * sizeof(*units));
@@ -125,8 +125,9 @@ static int cbs_av1_write_uvlc(CodedBitstreamContext *ctx, PutBitContext *pbc,
        put_bits(pbc, 1, 1);
    } else {
        zeroes = av_log2(value + 1);
-        v = value - (1 << zeroes) + 1;
-        put_bits(pbc, zeroes + 1, 1);
+        v = value - (1U << zeroes) + 1;
+        put_bits(pbc, zeroes, 0);
+        put_bits(pbc, 1, 1);
        put_bits(pbc, zeroes, v);
    }

@@ -711,10 +712,11 @@ static size_t cbs_av1_get_payload_bytes_left(GetBitContext *gbc)

 #define infer(name, value) do { \
        if (current->name != (value)) { \
-            av_log(ctx->log_ctx, AV_LOG_WARNING, "Warning: " \
+            av_log(ctx->log_ctx, AV_LOG_ERROR, \
                   "%s does not match inferred value: " \
                   "%"PRId64", but should be %"PRId64".\n", \
                   #name, (int64_t)current->name, (int64_t)(value)); \
+            return AVERROR_INVALIDDATA; \
        } \
    } while (0)

@@ -408,10 +408,11 @@ static int cbs_h2645_read_more_rbsp_data(GetBitContext *gbc)

 #define infer(name, value) do { \
        if (current->name != (value)) { \
-            av_log(ctx->log_ctx, AV_LOG_WARNING, "Warning: " \
+            av_log(ctx->log_ctx, AV_LOG_ERROR, \
                   "%s does not match inferred value: " \
                   "%"PRId64", but should be %"PRId64".\n", \
                   #name, (int64_t)current->name, (int64_t)(value)); \
+            return AVERROR_INVALIDDATA; \
        } \
    } while (0)

@@ -744,6 +744,32 @@ static int FUNC(sps_scc_extension)(CodedBitstreamContext *ctx, RWContext *rw,
    return 0;
 }

+static int FUNC(vui_parameters_default)(CodedBitstreamContext *ctx,
+                                        RWContext *rw, H265RawVUI *current,
+                                        H265RawSPS *sps)
+{
+    infer(aspect_ratio_idc, 0);
+
+    infer(video_format,             5);
+    infer(video_full_range_flag,    0);
+    infer(colour_primaries,         2);
+    infer(transfer_characteristics, 2);
+    infer(matrix_coefficients,      2);
+
+    infer(chroma_sample_loc_type_top_field,    0);
+    infer(chroma_sample_loc_type_bottom_field, 0);
+
+    infer(tiles_fixed_structure_flag,    0);
+    infer(motion_vectors_over_pic_boundaries_flag, 1);
+    infer(min_spatial_segmentation_idc,  0);
+    infer(max_bytes_per_pic_denom,       2);
+    infer(max_bits_per_min_cu_denom,     1);
+    infer(log2_max_mv_length_horizontal, 15);
+    infer(log2_max_mv_length_vertical,   15);
+
+    return 0;
+}
+
 static int FUNC(sps)(CodedBitstreamContext *ctx, RWContext *rw,
                     H265RawSPS *current)
 {
@@ -908,6 +934,8 @@ static int FUNC(sps)(CodedBitstreamContext *ctx, RWContext *rw,
    flag(vui_parameters_present_flag);
    if (current->vui_parameters_present_flag)
        CHECK(FUNC(vui_parameters)(ctx, rw, &current->vui, current));
+    else
+        CHECK(FUNC(vui_parameters_default)(ctx, rw, &current->vui, current));

    flag(sps_extension_present_flag);
    if (current->sps_extension_present_flag) {
@@ -149,6 +149,7 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx,
            break;
        } else if (marker == JPEG_MARKER_SOS) {
            next_marker = -1;
+            end = start;
            for (i = start; i + 1 < frag->data_size; i++) {
                if (frag->data[i] != 0xff)
                    continue;
@@ -56,7 +56,6 @@ static const int8_t probs_code_pred_coeff[3][3] = {
 typedef struct ArithCoder {
    unsigned int a;
    unsigned int c;
-    int overread;
 } ArithCoder;

 typedef struct Table {
@@ -86,6 +85,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
        return AVERROR_PATCHWELCOME;
    }

+    // the sample rate is only allowed to be 64,128,256 * 44100 by ISO/IEC 14496-3:2005(E)
+    // We are a bit more tolerant here, but this check is needed to bound the size and duration
+    if (avctx->sample_rate > 512 * 44100)
+        return AVERROR_INVALIDDATA;
+
+
    if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) {
        return AVERROR_PATCHWELCOME;
    }
@@ -181,7 +186,6 @@ static void ac_init(ArithCoder *ac, GetBitContext *gb)
 {
    ac->a = 4095;
    ac->c = get_bits(gb, 12);
-    ac->overread = 0;
 }

 static av_always_inline void ac_get(ArithCoder *ac, GetBitContext *gb, int p, int *e)
@@ -201,8 +205,6 @@ static av_always_inline void ac_get(ArithCoder *ac, GetBitContext *gb, int p, in
    if (ac->a < 2048) {
        int n = 11 - av_log2(ac->a);
        ac->a <<= n;
-        if (get_bits_left(gb) < n)
-            ac->overread ++;
        ac->c = (ac->c << n) | get_bits(gb, n);
    }
 }
@@ -355,9 +357,6 @@ static int decode_frame(AVCodecContext *avctx, void *data,
                prob = 128;
            }

-            if (ac->overread > 16)
-                return AVERROR_INVALIDDATA;
-
            ac_get(ac, gb, prob, &residual);
            v = ((predict >> 15) ^ residual) & 1;
            dsd[((i >> 3) * channels + ch) << 2] |= v << (7 - (i & 0x7 ));
@@ -444,7 +444,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame,
    if (r < 0)
        return r;
    pcm = (int16_t *)frame->data[0];
-    for (s = 0; s < duration; s++, ts++) {
+    for (s = 0; s < duration; s++, ts+=(uint64_t)1) {
        memset(channels, 0, avc->channels * sizeof(*channels));
        if (ts >= ws->next_ts)
            wavesynth_enter_intervals(ws, ts);
@@ -452,7 +452,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame,
        for (c = 0; c < avc->channels; c++)
            *(pcm++) = channels[c] >> 16;
    }
-    ws->cur_ts += duration;
+    ws->cur_ts += (uint64_t)duration;
    *rgot_frame = 1;
    return packet->size;
 }
@@ -528,7 +528,7 @@ static int h264_metadata_filter(AVBSFContext *bsf, AVPacket *pkt)
                if (err < 0) {
                    av_log(bsf, AV_LOG_ERROR, "Failed to attach extracted "
                           "displaymatrix side data to packet.\n");
-                    av_freep(matrix);
+                    av_free(matrix);
                    goto fail;
                }
            }
@@ -157,6 +157,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
    } else
        return AVERROR_INVALIDDATA;

+    if (c->total_band_count > FF_ARRAY_ELEMS(c->ch->imdct_in))
+        return AVERROR_INVALIDDATA;
+
+
    while (get_bits_left(gb) >= 32) {
        chunk = get_bits_long(gb, 32);
        if (chunk == MKBETAG('v', 'b', 'r', 0)) {
@@ -142,10 +142,14 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        int      nalu_type;
        int is_irap, add_extradata, extra_size, prev_size;

+        if (bytestream2_get_bytes_left(&gb) < s->length_size) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
        for (i = 0; i < s->length_size; i++)
            nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb);

-        if (nalu_size < 2) {
+        if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) {
            ret = AVERROR_INVALIDDATA;
            goto fail;
        }
@@ -723,7 +723,7 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in
        if (opcode >= 0) {
            int size = opcode + 1;
            for (i = 0; i < size; i++) {
-                int length = FFMIN(size - i, width);
+                int length = FFMIN(size - i, width - x);
                if (src_end - src < length * 4)
                    return;
                memcpy(dst + y*linesize + x * 4, src, length * 4);
@@ -612,12 +612,19 @@ static int get_rgn(Jpeg2000DecoderContext *s, int n)
    // Currently compno cannot be greater than 4.
    // However, future implementation should support compno up to 65536
    if (compno < s->ncomponents) {
-        if (s->curtileno == -1)
-            s->roi_shift[compno] = bytestream2_get_byte(&s->g);
-        else {
+        int v;
+        if (s->curtileno == -1) {
+            v =  bytestream2_get_byte(&s->g);
+            if (v > 30)
+                return AVERROR_PATCHWELCOME;
+            s->roi_shift[compno] = v;
+        } else {
            if (s->tile[s->curtileno].tp_idx != 0)
                return AVERROR_INVALIDDATA; // marker occurs only in first tile part of tile
-            s->tile[s->curtileno].comp[compno].roi_shift = bytestream2_get_byte(&s->g);
+            v = bytestream2_get_byte(&s->g);
+            if (v > 30)
+                return AVERROR_PATCHWELCOME;
+            s->tile[s->curtileno].comp[compno].roi_shift = v;
        }
        return 0;
    }
@@ -1669,8 +1676,8 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty,
    ff_mqc_initdec(&t1->mqc, cblk->data, 0, 1);

    while (passno--) {
-        if (bpno < 0) {
-            av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n");
+        if (bpno < 0 || bpno > 29) {
+            av_log(s->avctx, AV_LOG_ERROR, "bpno became invalid\n");
            return AVERROR_INVALIDDATA;
        }
        switch(pass_t) {
@@ -797,7 +797,7 @@ static void teletext_flush(AVCodecContext *avctx)
 #define SD AV_OPT_FLAG_SUBTITLE_PARAM | AV_OPT_FLAG_DECODING_PARAM
 static const AVOption options[] = {
    {"txt_page",        "page numbers to decode, subtitle for subtitles, * for all", OFFSET(pgno),   AV_OPT_TYPE_STRING, {.str = "*"},      0, 0,        SD},
-    {"txt_default_region", "default G0 character set used for decoding",     OFFSET(default_region), AV_OPT_TYPE_INT,    {.i64 = -1},      -1, 80,       SD},
+    {"txt_default_region", "default G0 character set used for decoding",     OFFSET(default_region), AV_OPT_TYPE_INT,    {.i64 = -1},      -1, 87,       SD},
    {"txt_chop_top",    "discards the top teletext line",                    OFFSET(chop_top),       AV_OPT_TYPE_INT,    {.i64 = 1},        0, 1,        SD},
    {"txt_format",      "format of the subtitles (bitmap or text or ass)",   OFFSET(format_id),      AV_OPT_TYPE_INT,    {.i64 = 0},        0, 2,        SD,  "txt_format"},
    {"bitmap",          NULL,                                                0,                      AV_OPT_TYPE_CONST,  {.i64 = 0},        0, 0,        SD,  "txt_format"},
@@ -82,7 +82,7 @@ static inline void loco_update_rice_param(RICEContext *r, int val)

 static inline int loco_get_rice(RICEContext *r)
 {
-    int v;
+    unsigned v;
    if (r->run > 0) { /* we have zero run */
        r->run--;
        loco_update_rice_param(r, 0);
@@ -131,7 +131,7 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh
                             int stride, const uint8_t *buf, int buf_size)
 {
    RICEContext rc;
-    int val;
+    unsigned val;
    int ret;
    int i, j;

@@ -27,7 +27,7 @@ static int32_t scalarproduct_and_madd_int16_c(int16_t *v1, const int16_t *v2,
                                              const int16_t *v3,
                                              int order, int mul)
 {
-    int res = 0;
+    unsigned res = 0;

    do {
        res   += *v1 * *v2++;
@@ -82,7 +82,7 @@ static int find_frame_end(MJPEGParserContext *m, const uint8_t *buf, int buf_siz
                    return i-3;
                } else if(state<0xFFD00000 || state>0xFFD9FFFF){
                    m->size= (state&0xFFFF)-1;
-                    if (m->size >= 0x8000)
+                    if (m->size >= 0xF000)
                        m->size = 0;
                }
            }
@@ -499,6 +499,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
            }
        }

+        if (s->bayer) {
+            if (pix_fmt_id != 0x11110000 && pix_fmt_id != 0x11000000)
+                goto unk_pixfmt;
+        }
+
        switch (pix_fmt_id) {
        case 0x11110000: /* for bayer-encoded huffman lossless JPEGs embedded in DNGs */
            if (!s->bayer)
@@ -492,10 +492,10 @@ static int mov_text_init(AVCodecContext *avctx) {
        return ff_ass_subtitle_header_full(avctx,
                    m->frame_width, m->frame_height,
                    m->d.font, m->d.fontsize,
-                    (255 - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color),
-                    (255 - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color),
-                    (255 - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color),
-                    (255 - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color),
+                    (255U - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color),
+                    (255U - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color),
+                    (255U - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color),
+                    (255U - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color),
                    m->d.bold, m->d.italic, m->d.underline,
                    ASS_DEFAULT_BORDERSTYLE, m->d.alignment);
    } else
@@ -221,7 +221,6 @@ end:
 }

 /**
- * Note: this function can read out of range and crash for corrupt streams.
 * Changing this would eat up any speed benefits it has.
 * Do not use "fast" flag if you need the code to be robust.
 */
@@ -397,7 +396,6 @@ end:
 }

 /**
- * Note: this function can read out of range and crash for corrupt streams.
 * Changing this would eat up any speed benefits it has.
 * Do not use "fast" flag if you need the code to be robust.
 */
@@ -559,7 +557,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s,
 }

 /**
- * Note: this function can read out of range and crash for corrupt streams.
 * Changing this would eat up any speed benefits it has.
 * Do not use "fast" flag if you need the code to be robust.
 */
@@ -610,7 +610,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
            dy -= 1 << (shift + a + 1);
        else
            dx -= 1 << (shift + a + 1);
-        mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16 + dy * s->mb_y * 16;
+        mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16U + dy * s->mb_y * 16U;

        sum = 0;
        for (y = 0; y < 16; y++) {
@@ -3134,6 +3134,7 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb)
    MpegEncContext *s = &ctx->m;
    int width, height;
    int bits_per_raw_sample;
+    int rgb, chroma_format;

            // random_accessible_vol and video_object_type_indication have already
            // been read by the caller decode_vol_header()
@@ -3141,28 +3142,36 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb)
            ctx->shape = get_bits(gb, 2); /* video_object_layer_shape */
            skip_bits(gb, 4); /* video_object_layer_shape_extension */
            skip_bits1(gb); /* progressive_sequence */
+            if (ctx->shape != RECT_SHAPE) {
+                avpriv_request_sample(s->avctx, "MPEG-4 Studio profile non rectangular shape");
+                return AVERROR_PATCHWELCOME;
+            }
            if (ctx->shape != BIN_ONLY_SHAPE) {
-                ctx->rgb = get_bits1(gb); /* rgb_components */
-                s->chroma_format = get_bits(gb, 2); /* chroma_format */
-                if (!s->chroma_format) {
+                rgb = get_bits1(gb); /* rgb_components */
+                chroma_format = get_bits(gb, 2); /* chroma_format */
+                if (!chroma_format || chroma_format == CHROMA_420 || (rgb && chroma_format == CHROMA_422)) {
                    av_log(s->avctx, AV_LOG_ERROR, "illegal chroma format\n");
                    return AVERROR_INVALIDDATA;
                }

                bits_per_raw_sample = get_bits(gb, 4); /* bit_depth */
                if (bits_per_raw_sample == 10) {
-                    if (ctx->rgb) {
+                    if (rgb) {
                        s->avctx->pix_fmt = AV_PIX_FMT_GBRP10;
                    }
                    else {
-                        s->avctx->pix_fmt = s->chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10;
+                        s->avctx->pix_fmt = chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10;
                    }
                }
                else {
                    avpriv_request_sample(s->avctx, "MPEG-4 Studio profile bit-depth %u", bits_per_raw_sample);
                    return AVERROR_PATCHWELCOME;
                }
+                if (rgb != ctx->rgb || s->chroma_format != chroma_format)
+                    s->context_reinit = 1;
                s->avctx->bits_per_raw_sample = bits_per_raw_sample;
+                ctx->rgb = rgb;
+                s->chroma_format = chroma_format;
            }
            if (ctx->shape == RECT_SHAPE) {
                check_marker(s->avctx, gb, "before video_object_layer_width");
@@ -200,10 +200,10 @@ static inline void idct2_1d(int *blk, int step)
 {
    const int t0 = blk[0 * step];
    const int t1 = blk[1 * step];
-    const int t2 = t1 * 473 >> 8;
+    const int t2 = (int)(t1 * 473U) >> 8;
    const int t3 = t2 - t1;
-    const int t4 = (t1 * 362 >> 8) - t3;
-    const int t5 = ((t1 * 277 >> 8) - t2) + t4;
+    const int t4 =  ((int)(t1 * 362U) >> 8) - t3;
+    const int t5 = (((int)(t1 * 277U) >> 8) - t2) + t4;

    blk[0 * step] = t1 + t0;
    blk[1 * step] = t0 + t3;
@@ -410,6 +410,9 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame
    int ret;

    mgb = *gb;
+    if (get_bits_left(gb) < s->mode_size * 8)
+        return AVERROR_INVALIDDATA;
+
    skip_bits_long(gb, s->mode_size * 8);

    linesize[0] = frame->linesize[0];
@@ -221,7 +221,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst,
    length = 25 - nbits;

    while (i < size) {
-        if (state >> 8 != -3)
+        if (((state >> 8) + 3) & 0xFFFFFFF)
            value = ff_clz((state >> 8) + 3) ^ 0x1F;
        else
            value = -1;
@@ -984,6 +984,11 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
        return AVERROR_INVALIDDATA;
    }

+    if (s->pic_state & PNG_IDAT) {
+        av_log(avctx, AV_LOG_ERROR, "fctl after IDAT\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    s->last_w = s->cur_w;
    s->last_h = s->cur_h;
    s->last_x_offset = s->x_offset;
@@ -173,7 +173,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
            } else if (upgrade == 2) {
                unsigned int j, v, f = (65535 * 32768 + s->maxval / 2) / s->maxval;
                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15;
                }
            }
@@ -227,7 +227,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
                return AVERROR_INVALIDDATA;
            for (i = 0; i < avctx->height; i++) {
                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15;
                }
                s->bytestream += n;
@@ -239,13 +239,13 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
            h = avctx->height >> 1;
            for (i = 0; i < h; i++) {
                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ptr1[j] = (v * f + 16384) >> 15;
                }
                s->bytestream += n;

                for (j = 0; j < n / 2; j++) {
-                    v = av_be2ne16(((uint16_t *)s->bytestream)[j]);
+                    v = AV_RB16(s->bytestream + 2*j);
                    ptr2[j] = (v * f + 16384) >> 15;
                }
                s->bytestream += n;
@@ -267,9 +267,9 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
            b = (float *)p->data[1];
            for (int i = 0; i < avctx->height; i++) {
                for (int j = 0; j < avctx->width; j++) {
-                    r[j] = av_int2float(av_le2ne32(((uint32_t *)s->bytestream)[0])) * scale;
-                    g[j] = av_int2float(av_le2ne32(((uint32_t *)s->bytestream)[4])) * scale;
-                    b[j] = av_int2float(av_le2ne32(((uint32_t *)s->bytestream)[8])) * scale;
+                    r[j] = av_int2float(AV_RL32(s->bytestream+0)) * scale;
+                    g[j] = av_int2float(AV_RL32(s->bytestream+4)) * scale;
+                    b[j] = av_int2float(AV_RL32(s->bytestream+8)) * scale;
                    s->bytestream += 12;
                }

@@ -285,9 +285,9 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
            b = (float *)p->data[1];
            for (int i = 0; i < avctx->height; i++) {
                for (int j = 0; j < avctx->width; j++) {
-                    r[j] = av_int2float(av_be2ne32(((uint32_t *)s->bytestream)[0])) * scale;
-                    g[j] = av_int2float(av_be2ne32(((uint32_t *)s->bytestream)[4])) * scale;
-                    b[j] = av_int2float(av_be2ne32(((uint32_t *)s->bytestream)[8])) * scale;
+                    r[j] = av_int2float(AV_RB32(s->bytestream+0)) * scale;
+                    g[j] = av_int2float(AV_RB32(s->bytestream+4)) * scale;
+                    b[j] = av_int2float(AV_RB32(s->bytestream+8)) * scale;
                    s->bytestream += 12;
                }

@@ -310,7 +310,6 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
    }

    if (for_user) {
-        dst->delay       = src->thread_count - 1;
 #if FF_API_CODED_FRAME
 FF_DISABLE_DEPRECATION_WARNINGS
        dst->coded_frame = src->coded_frame;
@@ -790,6 +789,9 @@ int ff_frame_thread_init(AVCodecContext *avctx)
    fctx->async_lock = 1;
    fctx->delaying = 1;

+    if (codec->type == AVMEDIA_TYPE_VIDEO)
+        avctx->delay = src->thread_count - 1;
+
    for (i = 0; i < thread_count; i++) {
        AVCodecContext *copy = av_malloc(sizeof(AVCodecContext));
        PerThreadContext *p  = &fctx->threads[i];
@@ -827,6 +829,8 @@ int ff_frame_thread_init(AVCodecContext *avctx)
        copy->internal->thread_ctx = p;
        copy->internal->last_pkt_props = &p->avpkt;

+        copy->delay = avctx->delay;
+
        if (codec->priv_data_size) {
            copy->priv_data = av_mallocz(codec->priv_data_size);
            if (!copy->priv_data) {
@@ -234,6 +234,8 @@ static int update_model6_to_7(PixelModel3 *m)
        }
        p = (e + 127) >> 7;
        k = ((f + e - 1) >> 7) + 1;
+        if (k > FF_ARRAY_ELEMS(n.dectab))
+            return AVERROR_INVALIDDATA;
        for (i = 0; i < k - p; i++)
            n.dectab[p + i] = j;
        e += f;
@@ -702,7 +704,11 @@ static int update_model3_to_7(PixelModel3 *m, uint8_t value)
        e = d;
        n.cntsum += n.cnts[e];
        n.freqs1[e] = c;
-        for (g = n.freqs[e], q = c + 128 - 1 >> 7, f = (c + g - 1 >> 7) + 1; q < f; q++) {
+        g = n.freqs[e];
+        f = (c + g - 1 >> 7) + 1;
+        if (f > FF_ARRAY_ELEMS(n.dectab))
+            return AVERROR_INVALIDDATA;
+        for (q = c + 128 - 1 >> 7; q < f; q++) {
            n.dectab[q] = e;
        }
        c += g;
@@ -837,6 +843,7 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
    uint16_t a = 0, b = 0;
    uint32_t param;
    int type;
+    int ret;

    type = m->type;
    switch (type) {
@@ -859,7 +866,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
        break;
    case 3:
        *value = bytestream2_get_byte(&s->gb);
-        decode_static3(m, *value);
+        ret = decode_static3(m, *value);
+        if (ret < 0)
+            return AVERROR_INVALIDDATA;
        sync_code3(gb, rc);
        break;
    case 4:
@@ -877,7 +886,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
        break;
    case 6:
        if (!decode_adaptive6(m, code, value, &a, &b)) {
-            update_model6_to_7(m);
+            ret = update_model6_to_7(m);
+            if (ret < 0)
+                return AVERROR_INVALIDDATA;
        }
        decode3(gb, rc, a, b);
        sync_code3(gb, rc);
@@ -117,7 +117,7 @@ static av_always_inline void predict_slice_buffered(SnowContext *s, slice_buffer
 static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, slice_buffer * sb, int start_y, int h, int save_state[1]){
    const int w= b->width;
    int y;
-    const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16);
+    const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16);
    int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT);
    int qadd= (s->qbias*qmul)>>QBIAS_SHIFT;
    int new_index = 0;
@@ -224,7 +224,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){

 static void dequantize_slice_buffered(SnowContext *s, slice_buffer * sb, SubBand *b, IDWTELEM *src, int stride, int start_y, int end_y){
    const int w= b->width;
-    const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16);
+    const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16);
    const int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT);
    const int qadd= (s->qbias*qmul)>>QBIAS_SHIFT;
    int x,y;
@@ -1625,10 +1625,22 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
        s->lambda = 0;
    }//else keep previous frame's qlog until after motion estimation

+#if FF_API_CODED_FRAME
+FF_DISABLE_DEPRECATION_WARNINGS
+    av_frame_unref(avctx->coded_frame);
+FF_ENABLE_DEPRECATION_WARNINGS
+#endif
+
    if (s->current_picture->data[0]) {
        int w = s->avctx->width;
        int h = s->avctx->height;

+#if FF_API_CODED_FRAME
+        ret = av_frame_make_writable(s->current_picture);
+        if (ret < 0)
+            return ret;
+#endif
+
        s->mpvencdsp.draw_edges(s->current_picture->data[0],
                                s->current_picture->linesize[0], w   , h   ,
                                EDGE_WIDTH  , EDGE_WIDTH  , EDGE_TOP | EDGE_BOTTOM);
@@ -1646,7 +1658,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
    ff_snow_frame_start(s);
 #if FF_API_CODED_FRAME
 FF_DISABLE_DEPRECATION_WARNINGS
-    av_frame_unref(avctx->coded_frame);
    ret = av_frame_ref(avctx->coded_frame, s->current_picture);
 FF_ENABLE_DEPRECATION_WARNINGS
 #endif
@@ -140,7 +140,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si
    if(get_rac(c, state+0))
        return 0;
    else{
-        int i, e, a;
+        int i, e;
+        unsigned a;
        e= 0;
        while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
            e++;
@@ -474,7 +475,7 @@ static int predictor_calc_error(int *k, int *state, int order, int error)
    for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--)
    {
        int k_value = *k_ptr, state_value = *state_ptr;
-        x -= shift_down(k_value * state_value, LATTICE_SHIFT);
+        x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT);
        state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT);
    }
 #else
@@ -1044,7 +1045,7 @@ static int sonic_decode_frame(AVCodecContext *avctx,
                x += s->channels;
            }

-            s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * quant);
+            s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * (unsigned)quant);
            x += s->channels;
        }

@@ -679,6 +679,9 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid
        return 0;
    }

+    if (is_dng && stride == 0)
+        return AVERROR_INVALIDDATA;
+
    for (line = 0; line < lines; line++) {
        if (src - ssrc > size) {
            av_log(s->avctx, AV_LOG_ERROR, "Source data overread\n");
@@ -856,8 +859,11 @@ static void dng_blit(TiffContext *s, uint8_t *dst, int dst_stride,
            }
        } else {
            for (line = 0; line < height; line++) {
+                uint8_t *dst_u8 = dst;
+                const uint8_t *src_u8 = src;
+
                for (col = 0; col < width; col++)
-                    *dst++ = dng_process_color8(*src++, s->dng_lut, s->black_level, scale_factor);
+                    *dst_u8++ = dng_process_color8(*src_u8++, s->dng_lut, s->black_level, scale_factor);

                dst += dst_stride;
                src += src_stride;
@@ -876,6 +882,9 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame,
    int is_single_comp, is_u16, pixel_size;
    int ret;

+    if (tile_byte_count < 0 || tile_byte_count > bytestream2_get_bytes_left(&s->gb))
+        return AVERROR_INVALIDDATA;
+
    /* Prepare a packet and send to the MJPEG decoder */
    av_init_packet(&jpkt);
    jpkt.data = (uint8_t*)s->gb.buffer;
@@ -905,12 +914,23 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame,
            return 0;
    }

+    is_u16 = (s->bpp > 8);
+
    /* Copy the outputted tile's pixels from 'jpgframe' to 'frame' (final buffer) */

    /* See dng_blit for explanation */
-    is_single_comp = (s->avctx_mjpeg->width == w * 2 && s->avctx_mjpeg->height == h / 2);
+    if (s->avctx_mjpeg->width  == w * 2 &&
+        s->avctx_mjpeg->height == h / 2 &&
+        s->avctx_mjpeg->pix_fmt == AV_PIX_FMT_GRAY16LE) {
+        is_single_comp = 1;
+    } else if (s->avctx_mjpeg->width  == w &&
+               s->avctx_mjpeg->height == h &&
+               s->avctx_mjpeg->pix_fmt == (is_u16 ? AV_PIX_FMT_GRAY16 : AV_PIX_FMT_GRAY8)
+              ) {
+        is_single_comp = 0;
+    } else
+        return AVERROR_INVALIDDATA;

-    is_u16 = (s->bpp > 8);
    pixel_size = (is_u16 ? sizeof(uint16_t) : sizeof(uint8_t));

    if (is_single_comp && !is_u16) {
@@ -184,7 +184,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    unsigned int channel_mask;
    int i, log2_max_num_subframes;

-    if (avctx->block_align <= 0) {
+    if (avctx->block_align <= 0 || avctx->block_align > (1<<21)) {
        av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n");
        return AVERROR(EINVAL);
    }
@@ -758,7 +758,8 @@ static void lms_update ## bits (WmallDecodeCtx *s, int ich, int ilms, int input)
 static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \
                                  int coef_begin, int coef_end) \
 { \
-    int icoef, pred, ilms, num_lms, residue, input; \
+    int icoef, ilms, num_lms, residue, input; \
+    unsigned pred;\
 \
    num_lms = s->cdlms_ttl[ch]; \
    for (ilms = num_lms - 1; ilms >= 0; ilms--) { \
@@ -772,7 +773,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \
                                                        s->cdlms[ch][ilms].recent, \
                                                        FFALIGN(s->cdlms[ch][ilms].order, ROUND), \
                                                        WMASIGN(residue)); \
-            input = residue + (unsigned)(pred >> s->cdlms[ch][ilms].scaling); \
+            input = residue + (unsigned)((int)pred >> s->cdlms[ch][ilms].scaling); \
            lms_update ## bits(s, ch, ilms, input); \
            s->channel_residues[ch][icoef] = input; \
        } \
@@ -79,6 +79,8 @@ static DNNReturnType set_input_output_native(void *model, DNNData *input, const

    av_freep(&oprd->data);
    oprd->length = calculate_operand_data_length(oprd);
+    if (oprd->length <= 0)
+        return DNN_ERROR;
    oprd->data = av_malloc(oprd->length);
    if (!oprd->data)
        return DNN_ERROR;
@@ -126,26 +128,23 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)
    int32_t layer;
    DNNLayerType layer_type;

-    model = av_malloc(sizeof(DNNModel));
-    if (!model){
-        return NULL;
-    }
-
    if (avio_open(&model_file_context, model_filename, AVIO_FLAG_READ) < 0){
-        av_freep(&model);
        return NULL;
    }
    file_size = avio_size(model_file_context);

+    model = av_mallocz(sizeof(DNNModel));
+    if (!model){
+        goto fail;
+    }
+
    /**
     * check file header with string and version
     */
    size = sizeof(header_expected);
    buf = av_malloc(size);
    if (!buf) {
-        avio_closep(&model_file_context);
-        av_freep(&model);
-        return NULL;
+        goto fail;
    }

    // size - 1 to skip the ending '\0' which is not saved in file
@@ -153,18 +152,14 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)
    dnn_size = size - 1;
    if (strncmp(buf, header_expected, size) != 0) {
        av_freep(&buf);
-        avio_closep(&model_file_context);
-        av_freep(&model);
-        return NULL;
+        goto fail;
    }
    av_freep(&buf);

    version = (int32_t)avio_rl32(model_file_context);
    dnn_size += 4;
    if (version != major_version_expected) {
-        avio_closep(&model_file_context);
-        av_freep(&model);
-        return NULL;
+        goto fail;
    }

    // currently no need to check minor version
@@ -174,9 +169,7 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)

    network = av_mallocz(sizeof(ConvolutionalNetwork));
    if (!network){
-        avio_closep(&model_file_context);
-        av_freep(&model);
-        return NULL;
+        goto fail;
    }
    model->model = (void *)network;

@@ -188,16 +181,12 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)

    network->layers = av_mallocz(network->layers_num * sizeof(Layer));
    if (!network->layers){
-        avio_closep(&model_file_context);
-        ff_dnn_free_model_native(&model);
-        return NULL;
+        goto fail;
    }

    network->operands = av_mallocz(network->operands_num * sizeof(DnnOperand));
    if (!network->operands){
-        avio_closep(&model_file_context);
-        ff_dnn_free_model_native(&model);
-        return NULL;
+        goto fail;
    }

    for (layer = 0; layer < network->layers_num; ++layer){
@@ -205,17 +194,13 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)
        dnn_size += 4;

        if (layer_type >= DLT_COUNT) {
-            avio_closep(&model_file_context);
-            ff_dnn_free_model_native(&model);
-            return NULL;
+            goto fail;
        }

        network->layers[layer].type = layer_type;
-        parsed_size = layer_funcs[layer_type].pf_load(&network->layers[layer], model_file_context, file_size);
+        parsed_size = layer_funcs[layer_type].pf_load(&network->layers[layer], model_file_context, file_size, network->operands_num);
        if (!parsed_size) {
-            avio_closep(&model_file_context);
-            ff_dnn_free_model_native(&model);
-            return NULL;
+            goto fail;
        }
        dnn_size += parsed_size;
    }
@@ -226,6 +211,10 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)
        int32_t operand_index = (int32_t)avio_rl32(model_file_context);
        dnn_size += 4;

+        if (operand_index >= network->operands_num) {
+            goto fail;
+        }
+
        oprd = &network->operands[operand_index];
        name_len = (int32_t)avio_rl32(model_file_context);
        dnn_size += 4;
@@ -258,6 +247,11 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename)
    model->get_input = &get_input_native;

    return model;
+
+fail:
+    ff_dnn_free_model_native(&model);
+    avio_closep(&model_file_context);
+    return NULL;
 }

 DNNReturnType ff_dnn_execute_model_native(const DNNModel *model, DNNData *outputs, uint32_t nb_output)
@@ -303,7 +297,13 @@ int32_t calculate_operand_dims_count(const DnnOperand *oprd)
 int32_t calculate_operand_data_length(const DnnOperand* oprd)
 {
    // currently, we just support DNN_FLOAT
-    return oprd->dims[0] * oprd->dims[1] * oprd->dims[2] * oprd->dims[3] * sizeof(float);
+    uint64_t len = sizeof(float);
+    for (int i = 0; i < 4; i++) {
+        len *= oprd->dims[i];
+        if (len > INT32_MAX)
+            return 0;
+    }
+    return len;
 }

 void ff_dnn_free_model_native(DNNModel **model)
@@ -314,23 +314,29 @@ void ff_dnn_free_model_native(DNNModel **model)

    if (*model)
    {
-        network = (ConvolutionalNetwork *)(*model)->model;
-        for (layer = 0; layer < network->layers_num; ++layer){
-            if (network->layers[layer].type == DLT_CONV2D){
-                conv_params = (ConvolutionalParams *)network->layers[layer].params;
-                av_freep(&conv_params->kernel);
-                av_freep(&conv_params->biases);
+        if ((*model)->model) {
+            network = (ConvolutionalNetwork *)(*model)->model;
+            if (network->layers) {
+                for (layer = 0; layer < network->layers_num; ++layer){
+                    if (network->layers[layer].type == DLT_CONV2D){
+                        conv_params = (ConvolutionalParams *)network->layers[layer].params;
+                        av_freep(&conv_params->kernel);
+                        av_freep(&conv_params->biases);
+                    }
+                    av_freep(&network->layers[layer].params);
+                }
+                av_freep(&network->layers);
            }
-            av_freep(&network->layers[layer].params);
+
+            if (network->operands) {
+                for (uint32_t operand = 0; operand < network->operands_num; ++operand)
+                    av_freep(&network->operands[operand].data);
+                av_freep(&network->operands);
+            }
+
+            av_freep(&network->output_indexes);
+            av_freep(&network);
        }
-        av_freep(&network->layers);
-
-        for (uint32_t operand = 0; operand < network->operands_num; ++operand)
-            av_freep(&network->operands[operand].data);
-        av_freep(&network->operands);
-
-        av_freep(&network->output_indexes);
-        av_freep(&network);
        av_freep(model);
    }
 }
@@ -120,6 +120,8 @@ DNNReturnType ff_dnn_execute_model_native(const DNNModel *model, DNNData *output

 void ff_dnn_free_model_native(DNNModel **model);

+// NOTE: User must check for error (return value <= 0) to handle
+// case like integer overflow.
 int32_t calculate_operand_data_length(const DnnOperand *oprd);
 int32_t calculate_operand_dims_count(const DnnOperand *oprd);
 #endif
@@ -23,7 +23,7 @@

 #define CLAMP_TO_EDGE(x, w) ((x) < 0 ? 0 : ((x) >= (w) ? (w - 1) : (x)))

-int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size)
+int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num)
 {
    ConvolutionalParams *conv_params;
    int kernel_size;
@@ -80,6 +80,11 @@ int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int fil
    layer->input_operand_indexes[0] = (int32_t)avio_rl32(model_file_context);
    layer->output_operand_index = (int32_t)avio_rl32(model_file_context);
    dnn_size += 8;
+
+    if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) {
+        return 0;
+    }
+
    return dnn_size;
 }

@@ -108,6 +113,8 @@ int dnn_execute_layer_conv2d(DnnOperand *operands, const int32_t *input_operand_
    output_operand->dims[3] = conv_params->output_num;
    output_operand->data_type = operands[input_operand_index].data_type;
    output_operand->length = calculate_operand_data_length(output_operand);
+    if (output_operand->length <= 0)
+        return -1;
    output_operand->data = av_realloc(output_operand->data, output_operand->length);
    if (!output_operand->data)
        return -1;
@@ -36,7 +36,7 @@ typedef struct ConvolutionalParams{
    float *biases;
 } ConvolutionalParams;

-int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size);
+int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num);
 int dnn_execute_layer_conv2d(DnnOperand *operands, const int32_t *input_operand_indexes,
                             int32_t output_operand_index, const void *parameters);
 #endif
@@ -27,7 +27,7 @@
 #include "libavutil/avassert.h"
 #include "dnn_backend_native_layer_depth2space.h"

-int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size)
+int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num)
 {
    DepthToSpaceParams *params;
    int dnn_size = 0;
@@ -42,6 +42,10 @@ int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, in
    dnn_size += 8;
    layer->params = params;

+    if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) {
+        return 0;
+    }
+
    return dnn_size;
 }

@@ -71,6 +75,8 @@ int dnn_execute_layer_depth2space(DnnOperand *operands, const int32_t *input_ope
    output_operand->dims[3] = new_channels;
    output_operand->data_type = operands[input_operand_index].data_type;
    output_operand->length = calculate_operand_data_length(output_operand);
+    if (output_operand->length <= 0)
+        return -1;
    output_operand->data = av_realloc(output_operand->data, output_operand->length);
    if (!output_operand->data)
        return -1;
@@ -34,7 +34,7 @@ typedef struct DepthToSpaceParams{
    int block_size;
 } DepthToSpaceParams;

-int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size);
+int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num);
 int dnn_execute_layer_depth2space(DnnOperand *operands, const int32_t *input_operand_indexes,
                                  int32_t output_operand_index, const void *parameters);

@@ -27,7 +27,7 @@
 #include "libavutil/avassert.h"
 #include "dnn_backend_native_layer_mathbinary.h"

-int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size)
+int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num)
 {
    DnnLayerMathBinaryParams *params;
    int dnn_size = 0;
@@ -45,6 +45,9 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in
        params->v = av_int2float(avio_rl32(model_file_context));
    } else {
        layer->input_operand_indexes[input_index] = (int32_t)avio_rl32(model_file_context);
+        if (layer->input_operand_indexes[input_index] >= operands_num) {
+            return 0;
+        }
        input_index++;
    }
    dnn_size += 4;
@@ -55,6 +58,9 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in
        params->v = av_int2float(avio_rl32(model_file_context));
    } else {
        layer->input_operand_indexes[input_index] = (int32_t)avio_rl32(model_file_context);
+        if (layer->input_operand_indexes[input_index] >= operands_num) {
+            return 0;
+        }
        input_index++;
    }
    dnn_size += 4;
@@ -63,6 +69,10 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in
    dnn_size += 4;
    layer->params = params;

+    if (layer->output_operand_index >= operands_num) {
+        return 0;
+    }
+
    return dnn_size;
 }

@@ -81,6 +91,8 @@ int dnn_execute_layer_math_binary(DnnOperand *operands, const int32_t *input_ope

    output->data_type = input->data_type;
    output->length = calculate_operand_data_length(output);
+    if (output->length <= 0)
+        return DNN_ERROR;
    output->data = av_realloc(output->data, output->length);
    if (!output->data)
        return DNN_ERROR;
@@ -46,7 +46,7 @@ typedef struct DnnLayerMathBinaryParams{
    float v;
 } DnnLayerMathBinaryParams;

-int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size);
+int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num);
 int dnn_execute_layer_math_binary(DnnOperand *operands, const int32_t *input_operand_indexes,
                                 int32_t output_operand_index, const void *parameters);

@@ -27,7 +27,7 @@
 #include "libavutil/avassert.h"
 #include "dnn_backend_native_layer_mathunary.h"

-int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size)
+int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num)
 {
    DnnLayerMathUnaryParams *params;
    int dnn_size = 0;
@@ -42,6 +42,10 @@ int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int
    layer->output_operand_index = (int32_t)avio_rl32(model_file_context);
    dnn_size += 8;

+    if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) {
+        return 0;
+    }
+
    return dnn_size;

 }
@@ -61,6 +65,8 @@ int dnn_execute_layer_math_unary(DnnOperand *operands, const int32_t *input_oper

    output->data_type = input->data_type;
    output->length = calculate_operand_data_length(output);
+    if (output->length <= 0)
+        return DNN_ERROR;
    output->data = av_realloc(output->data, output->length);
    if (!output->data)
        return DNN_ERROR;
@@ -38,7 +38,7 @@ typedef struct DnnLayerMathUnaryParams{
    DNNMathUnaryOperation un_op;
 } DnnLayerMathUnaryParams;

-int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size);
+int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num);
 int dnn_execute_layer_math_unary(DnnOperand *operands, const int32_t *input_operand_indexes,
                                int32_t output_operand_index, const void *parameters);

@@ -27,7 +27,7 @@
 #include "libavutil/avassert.h"
 #include "dnn_backend_native_layer_maximum.h"

-int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size)
+int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num)
 {
    DnnLayerMaximumParams *params;
    int dnn_size = 0;
@@ -42,6 +42,10 @@ int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int fi
    layer->output_operand_index = (int32_t)avio_rl32(model_file_context);
    dnn_size += 8;

+    if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) {
+        return 0;
+    }
+
    return dnn_size;
 }

@@ -60,6 +64,8 @@ int dnn_execute_layer_maximum(DnnOperand *operands, const int32_t *input_operand

    output->data_type = input->data_type;
    output->length = calculate_operand_data_length(output);
+    if (output->length <= 0)
+        return DNN_ERROR;
    output->data = av_realloc(output->data, output->length);
    if (!output->data)
        return DNN_ERROR;
@@ -37,7 +37,7 @@ typedef struct DnnLayerMaximumParams{
    }val;
 } DnnLayerMaximumParams;

-int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size);
+int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num);
 int dnn_execute_layer_maximum(DnnOperand *operands, const int32_t *input_operand_indexes,
                              int32_t output_operand_index, const void *parameters);

@@ -22,7 +22,7 @@
 #include "libavutil/avassert.h"
 #include "dnn_backend_native_layer_pad.h"

-int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size)
+int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num)
 {
    LayerPadParams *params;
    int dnn_size = 0;
@@ -42,6 +42,10 @@ int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_s
    dnn_size += 8;
    layer->params = params;

+    if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) {
+        return 0;
+    }
+
    return dnn_size;
 }

@@ -107,6 +111,8 @@ int dnn_execute_layer_pad(DnnOperand *operands, const int32_t *input_operand_ind
    output_operand->dims[3] = new_channel;
    output_operand->data_type = operands[input_operand_index].data_type;
    output_operand->length = calculate_operand_data_length(output_operand);
+    if (output_operand->length <= 0)
+        return -1;
    output_operand->data = av_realloc(output_operand->data, output_operand->length);
    if (!output_operand->data)
        return -1;
@@ -36,7 +36,7 @@ typedef struct LayerPadParams{
    float constant_values;
 } LayerPadParams;

-int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size);
+int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num);
 int dnn_execute_layer_pad(DnnOperand *operands, const int32_t *input_operand_indexes,
                          int32_t output_operand_index, const void *parameters);

@@ -26,7 +26,7 @@

 typedef int (*LAYER_EXEC_FUNC)(DnnOperand *operands, const int32_t *input_operand_indexes,
                               int32_t output_operand_index, const void *parameters);
-typedef int (*LAYER_LOAD_FUNC)(Layer *layer, AVIOContext *model_file_context, int file_size);
+typedef int (*LAYER_LOAD_FUNC)(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num);

 typedef struct LayerFunc {
    LAYER_EXEC_FUNC pf_exec;
@@ -218,6 +218,7 @@ static int fourxm_read_header(AVFormatContext *s)
    fourxm->track_count = 0;
    fourxm->tracks      = NULL;
    fourxm->fps         = (AVRational){1,1};
+    fourxm->video_stream_index = -1;

    /* skip the first 3 32-bit numbers */
    avio_skip(pb, 12);
@@ -326,6 +327,8 @@ static int fourxm_read_packet(AVFormatContext *s,
             * and size */
            if (size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 8)
                return AVERROR_INVALIDDATA;
+            if (fourxm->video_stream_index < 0)
+                return AVERROR_INVALIDDATA;
            if ((ret = av_new_packet(pkt, size + 8)) < 0)
                return ret;
            pkt->stream_index = fourxm->video_stream_index;
@@ -83,6 +83,8 @@ typedef struct APEContext {
    uint8_t  *bittable;
 } APEContext;

+static int ape_read_close(AVFormatContext * s);
+
 static int ape_probe(const AVProbeData * p)
 {
    int version = AV_RL16(p->buf+4);
@@ -281,14 +283,18 @@ static int ape_read_header(AVFormatContext * s)

    if (ape->seektablelength > 0) {
        ape->seektable = av_mallocz(ape->seektablelength);
-        if (!ape->seektable)
-            return AVERROR(ENOMEM);
+        if (!ape->seektable) {
+            ret = AVERROR(ENOMEM);
+            goto fail;
+        }
        for (i = 0; i < ape->seektablelength / sizeof(uint32_t) && !pb->eof_reached; i++)
            ape->seektable[i] = avio_rl32(pb);
        if (ape->fileversion < 3810) {
            ape->bittable = av_mallocz(ape->totalframes);
-            if (!ape->bittable)
-                return AVERROR(ENOMEM);
+            if (!ape->bittable) {
+                ret = AVERROR(ENOMEM);
+                goto fail;
+            }
            for (i = 0; i < ape->totalframes && !pb->eof_reached; i++)
                ape->bittable[i] = avio_r8(pb);
        }
@@ -341,8 +347,10 @@ static int ape_read_header(AVFormatContext * s)

    /* now we are ready: build format streams */
    st = avformat_new_stream(s, NULL);
-    if (!st)
-        return AVERROR(ENOMEM);
+    if (!st) {
+        ret = AVERROR(ENOMEM);
+        goto fail;
+    }

    total_blocks = (ape->totalframes == 0) ? 0 : ((ape->totalframes - 1) * ape->blocksperframe) + ape->finalframeblocks;

@@ -359,7 +367,7 @@ static int ape_read_header(AVFormatContext * s)
    avpriv_set_pts_info(st, 64, 1, ape->samplerate);

    if ((ret = ff_alloc_extradata(st->codecpar, APE_EXTRADATA_SIZE)) < 0)
-        return ret;
+        goto fail;
    AV_WL16(st->codecpar->extradata + 0, ape->fileversion);
    AV_WL16(st->codecpar->extradata + 2, ape->compressiontype);
    AV_WL16(st->codecpar->extradata + 4, ape->formatflags);
@@ -378,6 +386,10 @@ static int ape_read_header(AVFormatContext * s)
    }

    return 0;
+fail:
+    ape_read_close(s);
+
+    return ret;
 }

 static int ape_read_packet(AVFormatContext * s, AVPacket * pkt)
@@ -81,11 +81,11 @@ static int aqt_read_header(AVFormatContext *s)
            if (!new_event) {
                sub = ff_subtitles_queue_insert(&aqt->q, "\n", 1, 1);
                if (!sub)
-                    return AVERROR(ENOMEM);
+                    goto fail;
            }
            sub = ff_subtitles_queue_insert(&aqt->q, line, strlen(line), !new_event);
            if (!sub)
-                return AVERROR(ENOMEM);
+                goto fail;
            if (new_event) {
                sub->pts = frame;
                sub->duration = -1;
@@ -97,6 +97,9 @@ static int aqt_read_header(AVFormatContext *s)

    ff_subtitles_queue_finalize(s, &aqt->q);
    return 0;
+fail:
+    ff_subtitles_queue_clean(&aqt->q);
+    return AVERROR(ENOMEM);
 }

 static int aqt_read_packet(AVFormatContext *s, AVPacket *pkt)
@@ -160,6 +160,8 @@ static int ass_read_header(AVFormatContext *s)
    ff_subtitles_queue_finalize(s, &ass->q);

 end:
+    if (res < 0)
+        ass_read_close(s);
    av_bprint_finalize(&header, NULL);
    av_bprint_finalize(&line,   NULL);
    av_bprint_finalize(&rline,  NULL);
@@ -196,18 +196,17 @@ int ff_isom_write_avcc(AVIOContext *pb, const uint8_t *data, int len)
    avio_write(pb, pps, pps_size);

    if (sps[3] != 66 && sps[3] != 77 && sps[3] != 88) {
-        H264SequenceParameterSet *seq = ff_avc_decode_sps(sps + 3, sps_size - 3);
-        if (!seq) {
-            ret = AVERROR(ENOMEM);
+        H264SPS seq;
+        ret = ff_avc_decode_sps(&seq, sps + 3, sps_size - 3);
+        if (ret < 0)
            goto fail;
-        }
-        avio_w8(pb, 0xfc | seq->chroma_format_idc); /* 6 bits reserved (111111) + chroma_format_idc */
-        avio_w8(pb, 0xf8 | (seq->bit_depth_luma - 8)); /* 5 bits reserved (11111) + bit_depth_luma_minus8 */
-        avio_w8(pb, 0xf8 | (seq->bit_depth_chroma - 8)); /* 5 bits reserved (11111) + bit_depth_chroma_minus8 */
+
+        avio_w8(pb, 0xfc |  seq.chroma_format_idc); /* 6 bits reserved (111111) + chroma_format_idc */
+        avio_w8(pb, 0xf8 | (seq.bit_depth_luma - 8)); /* 5 bits reserved (11111) + bit_depth_luma_minus8 */
+        avio_w8(pb, 0xf8 | (seq.bit_depth_chroma - 8)); /* 5 bits reserved (11111) + bit_depth_chroma_minus8 */
        avio_w8(pb, nb_sps_ext); /* number of sps ext */
        if (nb_sps_ext)
            avio_write(pb, sps_ext, sps_ext_size);
-        av_free(seq);
    }

 fail:
@@ -332,27 +331,24 @@ static inline int get_se_golomb(GetBitContext *gb) {
    return ((v >> 1) ^ sign) - sign;
 }

-H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *buf, int buf_size)
+int ff_avc_decode_sps(H264SPS *sps, const uint8_t *buf, int buf_size)
 {
    int i, j, ret, rbsp_size, aspect_ratio_idc, pic_order_cnt_type;
    int num_ref_frames_in_pic_order_cnt_cycle;
    int delta_scale, lastScale = 8, nextScale = 8;
    int sizeOfScalingList;
-    H264SequenceParameterSet *sps = NULL;
    GetBitContext gb;
    uint8_t *rbsp_buf;

    rbsp_buf = ff_nal_unit_extract_rbsp(buf, buf_size, &rbsp_size, 0);
    if (!rbsp_buf)
-        return NULL;
+        return AVERROR(ENOMEM);

    ret = init_get_bits8(&gb, rbsp_buf, rbsp_size);
    if (ret < 0)
        goto end;

-    sps = av_mallocz(sizeof(*sps));
-    if (!sps)
-        goto end;
+    memset(sps, 0, sizeof(*sps));

    sps->profile_idc = get_bits(&gb, 8);
    sps->constraint_set_flags |= get_bits1(&gb) << 0; // constraint_set0_flag
@@ -448,7 +444,8 @@ H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *buf, int buf_size)
        sps->sar.den = 1;
    }

+    ret = 0;
 end:
    av_free(rbsp_buf);
-    return sps;
+    return ret;
 }
@@ -46,8 +46,8 @@ typedef struct {
    uint8_t bit_depth_chroma;
    uint8_t frame_mbs_only_flag;
    AVRational sar;
-} H264SequenceParameterSet;
+} H264SPS;

-H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *src, int src_len);
+int ff_avc_decode_sps(H264SPS *sps, const uint8_t *buf, int buf_size);

 #endif /* AVFORMAT_AVC_H */
@@ -1275,7 +1275,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size)
    unsigned new_size, new_allocated_size;

    /* reallocate buffer if needed */
-    new_size = d->pos + buf_size;
+    new_size = (unsigned)d->pos + buf_size;
    new_allocated_size = d->allocated_size;
    if (new_size < d->pos || new_size > INT_MAX/2)
        return -1;
@@ -1369,13 +1369,13 @@ int avio_get_dyn_buf(AVIOContext *s, uint8_t **pbuffer)
 {
    DynBuffer *d;

-    if (!s || s->error) {
+    if (!s) {
        *pbuffer = NULL;
        return 0;
    }
    d = s->opaque;

-    if (!d->size) {
+    if (!s->error && !d->size) {
        *pbuffer = d->io_buffer;
        return FFMAX(s->buf_ptr, s->buf_ptr_max) - s->buffer;
    }
@@ -311,6 +311,8 @@ static struct playlist *new_playlist(HLSContext *c, const char *url,
        return NULL;
    reset_packet(&pls->pkt);
    ff_make_absolute_url(pls->url, sizeof(pls->url), base, url);
+    if (!pls->url[0])
+        return NULL;
    pls->seek_timestamp = AV_NOPTS_VALUE;

    pls->is_id3_timestamped = -1;
@@ -416,6 +418,10 @@ static struct segment *new_init_section(struct playlist *pls,
        ptr = info->uri;
    } else {
        ff_make_absolute_url(tmp_str, sizeof(tmp_str), url_base, info->uri);
+        if (!tmp_str[0]) {
+            av_free(sec);
+            return NULL;
+        }
    }
    sec->url = av_strdup(ptr);
    if (!sec->url) {
@@ -841,6 +847,11 @@ static int parse_playlist(HLSContext *c, const char *url,

            if (key_type != KEY_NONE) {
                ff_make_absolute_url(tmp_str, sizeof(tmp_str), url, key);
+                if (!tmp_str[0]) {
+                    av_free(cur_init_section);
+                    ret = AVERROR_INVALIDDATA;
+                    goto fail;
+                }
                cur_init_section->key = av_strdup(tmp_str);
                if (!cur_init_section->key) {
                    av_free(cur_init_section);
@@ -883,8 +894,6 @@ static int parse_playlist(HLSContext *c, const char *url,
                    ret = AVERROR(ENOMEM);
                    goto fail;
                }
-                seg->duration = duration;
-                seg->key_type = key_type;
                if (has_iv) {
                    memcpy(seg->iv, iv, sizeof(iv));
                } else {
@@ -895,6 +904,11 @@ static int parse_playlist(HLSContext *c, const char *url,

                if (key_type != KEY_NONE) {
                    ff_make_absolute_url(tmp_str, sizeof(tmp_str), url, key);
+                    if (!tmp_str[0]) {
+                        ret = AVERROR_INVALIDDATA;
+                        av_free(seg);
+                        goto fail;
+                    }
                    seg->key = av_strdup(tmp_str);
                    if (!seg->key) {
                        av_free(seg);
@@ -906,6 +920,13 @@ static int parse_playlist(HLSContext *c, const char *url,
                }

                ff_make_absolute_url(tmp_str, sizeof(tmp_str), url, line);
+                if (!tmp_str[0]) {
+                    ret = AVERROR_INVALIDDATA;
+                    if (seg->key)
+                        av_free(seg->key);
+                    av_free(seg);
+                    goto fail;
+                }
                seg->url = av_strdup(tmp_str);
                if (!seg->url) {
                    av_free(seg->key);
@@ -914,6 +935,13 @@ static int parse_playlist(HLSContext *c, const char *url,
                    goto fail;
                }

+                if (duration < 0.001 * AV_TIME_BASE) {
+                    av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s,"
+                                    " set to default value to 1ms.\n", seg->url);
+                    duration = 0.001 * AV_TIME_BASE;
+                }
+                seg->duration = duration;
+                seg->key_type = key_type;
                dynarray_add(&pls->segments, &pls->n_segments, seg);
                is_segment = 0;

@@ -1904,6 +1932,7 @@ static int hls_read_header(AVFormatContext *s)
    /* Open the demuxer for each playlist */
    for (i = 0; i < c->n_playlists; i++) {
        struct playlist *pls = c->playlists[i];
+        char *url;
        ff_const59 AVInputFormat *in_fmt = NULL;

        if (!(pls->ctx = avformat_alloc_context())) {
@@ -1941,8 +1970,9 @@ static int hls_read_header(AVFormatContext *s)
                          read_data, NULL, NULL);
        pls->ctx->probesize = s->probesize > 0 ? s->probesize : 1024 * 4;
        pls->ctx->max_analyze_duration = s->max_analyze_duration > 0 ? s->max_analyze_duration : 4 * AV_TIME_BASE;
-        ret = av_probe_input_buffer(&pls->pb, &in_fmt, pls->segments[0]->url,
-                                    NULL, 0, 0);
+        url = av_strdup(pls->segments[0]->url);
+        ret = av_probe_input_buffer(&pls->pb, &in_fmt, url, NULL, 0, 0);
+        av_free(url);
        if (ret < 0) {
            /* Free the ctx - it isn't initialized properly at this point,
             * so avformat_close_input shouldn't be called. If
@@ -1993,7 +1993,7 @@ static int parse_variant_stream_mapstring(AVFormatContext *s)
                return AVERROR(EINVAL);
            }

-            num = strtoll(val, &end, 0);
+            num = strtoll(val, &end, 10);
            if (!av_isdigit(*val) || *end != '\0') {
                av_log(s, AV_LOG_ERROR, "Invalid stream number: '%s'\n", val);
                return AVERROR(EINVAL);
@@ -188,8 +188,10 @@ static int jacosub_read_header(AVFormatContext *s)
            AVPacket *sub;

            sub = ff_subtitles_queue_insert(&jacosub->q, line, len, merge_line);
-            if (!sub)
-                return AVERROR(ENOMEM);
+            if (!sub) {
+                ret = AVERROR(ENOMEM);
+                goto fail;
+            }
            sub->pos = pos;
            merge_line = len > 1 && !strcmp(&line[len - 2], "\\\n");
            continue;
@@ -202,6 +202,7 @@ static int lrc_read_header(AVFormatContext *s)
                sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength,
                                                line.len - ts_strlength, 0);
                if(!sub) {
+                    ff_subtitles_queue_clean(&lrc->q);
                    return AVERROR(ENOMEM);
                }
                sub->pos = pos;
@@ -2938,9 +2938,8 @@ static int matroska_read_header(AVFormatContext *s)
                st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO;

                av_init_packet(pkt);
-                pkt->buf = av_buffer_ref(attachments[j].bin.buf);
-                if (!pkt->buf)
-                    return AVERROR(ENOMEM);
+                pkt->buf          = attachments[j].bin.buf;
+                attachments[j].bin.buf = NULL;
                pkt->data         = attachments[j].bin.data;
                pkt->size         = attachments[j].bin.size;
                pkt->stream_index = st->index;
@@ -3569,7 +3568,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, AVBufferRef *buf

    if (st->discard >= AVDISCARD_ALL)
        return res;
-    av_assert1(block_duration != AV_NOPTS_VALUE);
+    if (block_duration > INT64_MAX)
+        block_duration = INT64_MAX;

    block_time = sign_extend(AV_RB16(data), 16);
    data      += 2;
@@ -4180,15 +4180,18 @@ static int webm_dash_manifest_read_header(AVFormatContext *s)
        av_log(s, AV_LOG_ERROR, "Failed to read file headers\n");
        return -1;
    }
-    if (!s->nb_streams) {
-        matroska_read_close(s);
-        av_log(s, AV_LOG_ERROR, "No streams found\n");
-        return AVERROR_INVALIDDATA;
+    if (!matroska->tracks.nb_elem || !s->nb_streams) {
+        av_log(s, AV_LOG_ERROR, "No track found\n");
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
    }

    if (!matroska->is_live) {
        buf = av_asprintf("%g", matroska->duration);
-        if (!buf) return AVERROR(ENOMEM);
+        if (!buf) {
+            ret = AVERROR(ENOMEM);
+            goto fail;
+        }
        av_dict_set(&s->streams[0]->metadata, DURATION,
                    buf, AV_DICT_DONT_STRDUP_VAL);

@@ -4211,7 +4214,7 @@ static int webm_dash_manifest_read_header(AVFormatContext *s)
        ret = webm_dash_manifest_cues(s, init_range);
        if (ret < 0) {
            av_log(s, AV_LOG_ERROR, "Error parsing Cues\n");
-            return ret;
+            goto fail;
        }
    }

@@ -4221,6 +4224,9 @@ static int webm_dash_manifest_read_header(AVFormatContext *s)
                        matroska->bandwidth, 0);
    }
    return 0;
+fail:
+    matroska_read_close(s);
+    return ret;
 }

 static int webm_dash_manifest_read_packet(AVFormatContext *s, AVPacket *pkt)
@@ -2118,17 +2118,19 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, const AVPac
    mkv_track *track = &mkv->tracks[pkt->stream_index];
    ebml_master blockgroup;
    int id_size, settings_size, size;
-    uint8_t *id, *settings;
+    const char *id, *settings;
    int64_t ts = track->write_dts ? pkt->dts : pkt->pts;
    const int flags = 0;

    id_size = 0;
    id = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_IDENTIFIER,
                                 &id_size);
+    id = id ? id : "";

    settings_size = 0;
    settings = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_SETTINGS,
                                       &settings_size);
+    settings = settings ? settings : "";

    size = id_size + 1 + settings_size + 1 + pkt->size;

@@ -81,7 +81,7 @@ static int microdvd_read_header(AVFormatContext *s)
    AVRational pts_info = (AVRational){ 2997, 125 };  /* default: 23.976 fps */
    MicroDVDContext *microdvd = s->priv_data;
    AVStream *st = avformat_new_stream(s, NULL);
-    int i = 0;
+    int i = 0, ret;
    char line_buf[MAX_LINESIZE];
    int has_real_fps = 0;

@@ -94,6 +94,7 @@ static int microdvd_read_header(AVFormatContext *s)
        int64_t pos = avio_tell(s->pb);
        int len = ff_get_line(s->pb, line_buf, sizeof(line_buf));
        char *line = line_buf;
+        int64_t pts;

        if (!strncmp(line, bom, 3))
            line += 3;
@@ -117,10 +118,10 @@ static int microdvd_read_header(AVFormatContext *s)
                continue;
            }
            if (!st->codecpar->extradata && sscanf(line, "{DEFAULT}{}%c", &c) == 1) {
-                int ret, size = strlen(line + 11);
+                int size = strlen(line + 11);
                ret = ff_alloc_extradata(st->codecpar, size);
                if (ret < 0)
-                    return ret;
+                    goto fail;
                memcpy(st->codecpar->extradata, line + 11, size);
                continue;
            }
@@ -137,11 +138,16 @@ static int microdvd_read_header(AVFormatContext *s)
        SKIP_FRAME_ID;
        if (!*p)
            continue;
+        pts = get_pts(line);
+        if (pts == AV_NOPTS_VALUE)
+            continue;
        sub = ff_subtitles_queue_insert(&microdvd->q, p, strlen(p), 0);
-        if (!sub)
-            return AVERROR(ENOMEM);
+        if (!sub) {
+            ret = AVERROR(ENOMEM);
+            goto fail;
+        }
        sub->pos = pos;
-        sub->pts = get_pts(line);
+        sub->pts = pts;
        sub->duration = get_duration(line);
    }
    ff_subtitles_queue_finalize(s, &microdvd->q);
@@ -156,6 +162,9 @@ static int microdvd_read_header(AVFormatContext *s)
    st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE;
    st->codecpar->codec_id   = AV_CODEC_ID_MICRODVD;
    return 0;
+fail:
+    ff_subtitles_queue_clean(&microdvd->q);
+    return ret;
 }

 static int microdvd_read_packet(AVFormatContext *s, AVPacket *pkt)
@@ -175,6 +175,8 @@ static int read_packet(AVFormatContext *s,
            return 0;

        case MM_TYPE_AUDIO :
+            if (s->nb_streams < 2)
+                return AVERROR_INVALIDDATA;
            if ((ret = av_get_packet(s->pb, pkt, length)) < 0)
                return ret;
            pkt->stream_index = 1;
@@ -2342,7 +2342,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
                uint32_t format = AV_RB32(st->codecpar->extradata + 22);
                if (format == AV_RB32("name") && (int64_t)size >= (int64_t)len + 18) {
                    uint16_t str_size = AV_RB16(st->codecpar->extradata + 26); /* string length */
-                    if (str_size > 0 && size >= (int)str_size + 26) {
+                    if (str_size > 0 && size >= (int)str_size + 30) {
                        char *reel_name = av_malloc(str_size + 1);
                        if (!reel_name)
                            return AVERROR(ENOMEM);
@@ -4434,6 +4434,9 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom)
        } else
            break;

+        if (*p)
+            break;
+
        *p = av_malloc(len + 1);
        if (!*p) {
            ret = AVERROR(ENOMEM);
@@ -6974,13 +6977,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
                  a.type == MKTAG('h','o','o','v')) &&
                a.size >= 8 &&
                c->fc->strict_std_compliance < FF_COMPLIANCE_STRICT) {
-                uint8_t buf[8];
-                uint32_t *type = (uint32_t *)buf + 1;
-                if (avio_read(pb, buf, 8) != 8)
-                    return AVERROR_INVALIDDATA;
+                uint32_t type;
+                avio_skip(pb, 4);
+                type = avio_rl32(pb);
                avio_seek(pb, -8, SEEK_CUR);
-                if (*type == MKTAG('m','v','h','d') ||
-                    *type == MKTAG('c','m','o','v')) {
+                if (type == MKTAG('m','v','h','d') ||
+                    type == MKTAG('c','m','o','v')) {
                    av_log(c->fc, AV_LOG_ERROR, "Detected moov in a free or hoov atom.\n");
                    a.type = MKTAG('m','o','o','v');
                }
@@ -7388,10 +7390,9 @@ static int mov_read_close(AVFormatContext *s)
        av_freep(&sc->coll);
    }

-    if (mov->dv_demux) {
-        avformat_free_context(mov->dv_fctx);
-        mov->dv_fctx = NULL;
-    }
+    av_freep(&mov->dv_demux);
+    avformat_free_context(mov->dv_fctx);
+    mov->dv_fctx = NULL;

    if (mov->meta_keys) {
        for (i = 1; i < mov->meta_keys_count; i++) {
@@ -7580,14 +7581,13 @@ static int mov_read_header(AVFormatContext *s)
            avio_seek(pb, 0, SEEK_SET);
        if ((err = mov_read_default(mov, pb, atom)) < 0) {
            av_log(s, AV_LOG_ERROR, "error reading header\n");
-            mov_read_close(s);
-            return err;
+            goto fail;
        }
    } while ((pb->seekable & AVIO_SEEKABLE_NORMAL) && !mov->found_moov && !mov->moov_retry++);
    if (!mov->found_moov) {
        av_log(s, AV_LOG_ERROR, "moov atom not found\n");
-        mov_read_close(s);
-        return AVERROR_INVALIDDATA;
+        err = AVERROR_INVALIDDATA;
+        goto fail;
    }
    av_log(mov->fc, AV_LOG_TRACE, "on_parse_exit_offset=%"PRId64"\n", avio_tell(pb));

@@ -7640,7 +7640,7 @@ static int mov_read_header(AVFormatContext *s)
            }
            if (st->codecpar->codec_id == AV_CODEC_ID_DVD_SUBTITLE) {
                if ((err = mov_rewrite_dvd_sub_extradata(st)) < 0)
-                    return err;
+                    goto fail;
            }
        }
        if (mov->handbrake_version &&
@@ -7660,8 +7660,8 @@ static int mov_read_header(AVFormatContext *s)
                if (sc->data_size > INT64_MAX / sc->time_scale / 8) {
                    av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n",
                           sc->data_size, sc->time_scale);
-                    mov_read_close(s);
-                    return AVERROR_INVALIDDATA;
+                    err = AVERROR_INVALIDDATA;
+                    goto fail;
                }
                st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration;
            }
@@ -7676,8 +7676,8 @@ static int mov_read_header(AVFormatContext *s)
                if (sc->data_size > INT64_MAX / sc->time_scale / 8) {
                    av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n",
                           sc->data_size, sc->time_scale);
-                    mov_read_close(s);
-                    return AVERROR_INVALIDDATA;
+                    err = AVERROR_INVALIDDATA;
+                    goto fail;
                }
                st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale /
                    sc->duration_for_fps;
@@ -7701,8 +7701,7 @@ static int mov_read_header(AVFormatContext *s)
        case AVMEDIA_TYPE_AUDIO:
            err = ff_replaygain_export(st, s->metadata);
            if (err < 0) {
-                mov_read_close(s);
-                return err;
+                goto fail;
            }
            break;
        case AVMEDIA_TYPE_VIDEO:
@@ -7710,7 +7709,7 @@ static int mov_read_header(AVFormatContext *s)
                err = av_stream_add_side_data(st, AV_PKT_DATA_DISPLAYMATRIX, (uint8_t*)sc->display_matrix,
                                              sizeof(int32_t) * 9);
                if (err < 0)
-                    return err;
+                    goto fail;

                sc->display_matrix = NULL;
            }
@@ -7719,7 +7718,7 @@ static int mov_read_header(AVFormatContext *s)
                                              (uint8_t *)sc->stereo3d,
                                              sizeof(*sc->stereo3d));
                if (err < 0)
-                    return err;
+                    goto fail;

                sc->stereo3d = NULL;
            }
@@ -7728,7 +7727,7 @@ static int mov_read_header(AVFormatContext *s)
                                              (uint8_t *)sc->spherical,
                                              sc->spherical_size);
                if (err < 0)
-                    return err;
+                    goto fail;

                sc->spherical = NULL;
            }
@@ -7737,7 +7736,7 @@ static int mov_read_header(AVFormatContext *s)
                                              (uint8_t *)sc->mastering,
                                              sizeof(*sc->mastering));
                if (err < 0)
-                    return err;
+                    goto fail;

                sc->mastering = NULL;
            }
@@ -7746,7 +7745,7 @@ static int mov_read_header(AVFormatContext *s)
                                              (uint8_t *)sc->coll,
                                              sc->coll_size);
                if (err < 0)
-                    return err;
+                    goto fail;

                sc->coll = NULL;
            }
@@ -7760,6 +7759,9 @@ static int mov_read_header(AVFormatContext *s)
            mov->frag_index.item[i].headers_read = 1;

    return 0;
+fail:
+    mov_read_close(s);
+    return err;
 }

 static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st)
@@ -7776,7 +7778,7 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st)
            av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts);
            if (!sample || (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && current_sample->pos < sample->pos) ||
                ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) &&
-                 ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb &&
+                 ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE &&
                 ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) ||
                  (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) {
                sample = current_sample;
@@ -7905,6 +7907,19 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt)
            }
            return ret;
        }
+#if CONFIG_DV_DEMUXER
+        if (mov->dv_demux && sc->dv_audio_container) {
+            AVBufferRef *buf = pkt->buf;
+            ret = avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos);
+            pkt->buf = buf;
+            av_packet_unref(pkt);
+            if (ret < 0)
+                return ret;
+            ret = avpriv_dv_get_packet(mov->dv_demux, pkt);
+            if (ret < 0)
+                return ret;
+        }
+#endif
        if (sc->has_palette) {
            uint8_t *pal;

@@ -7916,16 +7931,6 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt)
                sc->has_palette = 0;
            }
        }
-#if CONFIG_DV_DEMUXER
-        if (mov->dv_demux && sc->dv_audio_container) {
-            avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos);
-            av_freep(&pkt->data);
-            pkt->size = 0;
-            ret = avpriv_dv_get_packet(mov->dv_demux, pkt);
-            if (ret < 0)
-                return ret;
-        }
-#endif
        if (st->codecpar->codec_id == AV_CODEC_ID_MP3 && !st->need_parsing && pkt->size > 4) {
            if (ff_mpa_check_header(AV_RB32(pkt->data)) < 0)
                st->need_parsing = AVSTREAM_PARSE_FULL;
@@ -55,7 +55,7 @@ static int mpl2_probe(const AVProbeData *p)
    return AVPROBE_SCORE_MAX;
 }

-static int read_ts(char **line, int64_t *pts_start, int *duration)
+static int read_ts(char **line, int64_t *pts_start, int64_t *duration)
 {
    char c;
    int len;
@@ -69,7 +69,10 @@ static int read_ts(char **line, int64_t *pts_start, int *duration)
    }
    if (sscanf(*line, "[%"SCNd64"][%"SCNd64"]%c%n",
               pts_start, &end, &c, &len) >= 3) {
-        *duration = end - *pts_start;
+        if (end < *pts_start || end - (uint64_t)*pts_start > INT64_MAX) {
+            *duration = -1;
+        } else
+            *duration = end - *pts_start;
        *line += len - 1;
        return 0;
    }
@@ -97,7 +100,7 @@ static int mpl2_read_header(AVFormatContext *s)
        const int64_t pos = avio_tell(s->pb);
        int len = ff_get_line(s->pb, line, sizeof(line));
        int64_t pts_start;
-        int duration;
+        int64_t duration;

        if (!len)
            break;
@@ -108,8 +111,10 @@ static int mpl2_read_header(AVFormatContext *s)
            AVPacket *sub;

            sub = ff_subtitles_queue_insert(&mpl2->q, p, strlen(p), 0);
-            if (!sub)
+            if (!sub) {
+                ff_subtitles_queue_clean(&mpl2->q);
                return AVERROR(ENOMEM);
+            }
            sub->pos = pos;
            sub->pts = pts_start;
            sub->duration = duration;
@@ -154,8 +154,10 @@ static int mpsub_read_header(AVFormatContext *s)
    }

    st = avformat_new_stream(s, NULL);
-    if (!st)
-        return AVERROR(ENOMEM);
+    if (!st) {
+        res = AVERROR(ENOMEM);
+        goto end;
+    }
    avpriv_set_pts_info(st, 64, pts_info.den, pts_info.num);
    st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE;
    st->codecpar->codec_id   = AV_CODEC_ID_TEXT;
@@ -268,7 +268,7 @@ static void read_index(AVIOContext *pb, AVStream *st)
        avio_skip(pb, 8);
        av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME);
        if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) {
-            timestamp += size / (st->codecpar->channels * 2);
+            timestamp += size / (st->codecpar->channels * 2LL);
        } else {
            timestamp++;
        }
@@ -355,7 +355,7 @@ static int mv_read_header(AVFormatContext *avctx)
            avio_skip(pb, 8);
            av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME);
            av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME);
-            timestamp += asize / (ast->codecpar->channels * 2);
+            timestamp += asize / (ast->codecpar->channels * 2LL);
        }
    } else if (!version && avio_rb16(pb) == 3) {
        avio_skip(pb, 4);
@@ -867,6 +867,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i
        return AVERROR(EINVAL);

    buf_size = size + size / 2 + 1;
+    av_free(*str);
    *str = av_malloc(buf_size);
    if (!*str)
        return AVERROR(ENOMEM);
@@ -2171,14 +2171,14 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st,
 {
    MXFContext *mxf = s->priv_data;
    MXFStreamContext *sc = st->priv_data;
-    H264SequenceParameterSet *sps = NULL;
+    H264SPS seq, *const sps = &seq;
    GetBitContext gb;
    const uint8_t *buf = pkt->data;
    const uint8_t *buf_end = pkt->data + pkt->size;
    const uint8_t *nal_end;
    uint32_t state = -1;
    int extra_size = 512; // support AVC Intra files without SPS/PPS header
-    int i, frame_size, slice_type, intra_only = 0;
+    int i, frame_size, slice_type, has_sps = 0, intra_only = 0, ret;

    for (;;) {
        buf = avpriv_find_start_code(buf, buf_end, &state);
@@ -2193,11 +2193,12 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st,
                break;

            nal_end = ff_avc_find_startcode(buf, buf_end);
-            sps = ff_avc_decode_sps(buf, nal_end - buf);
-            if (!sps) {
+            ret = ff_avc_decode_sps(sps, buf, nal_end - buf);
+            if (ret < 0) {
                av_log(s, AV_LOG_ERROR, "error parsing sps\n");
                return 0;
            }
+            has_sps = 1;

            sc->aspect_ratio.num = st->codecpar->width * sps->sar.num;
            sc->aspect_ratio.den = st->codecpar->height * sps->sar.den;
@@ -2243,7 +2244,7 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st,
    if (mxf->header_written)
        return 1;

-    if (!sps)
+    if (!has_sps)
        sc->interlaced = st->codecpar->field_order != AV_FIELD_PROGRESSIVE ? 1 : 0;
    sc->codec_ul = NULL;
    frame_size = pkt->size + extra_size;
@@ -2260,7 +2261,7 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st,
            if (sc->interlaced)
                sc->field_dominance = 1; // top field first is mandatory for AVC Intra
            break;
-        } else if (sps && mxf_h264_codec_uls[i].frame_size == 0 &&
+        } else if (has_sps && mxf_h264_codec_uls[i].frame_size == 0 &&
                   mxf_h264_codec_uls[i].profile == sps->profile_idc &&
                   (mxf_h264_codec_uls[i].intra_only < 0 ||
                    mxf_h264_codec_uls[i].intra_only == intra_only)) {
@@ -2271,8 +2272,6 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st,
        }
    }

-    av_free(sps);
-
    if (!sc->codec_ul) {
        av_log(s, AV_LOG_ERROR, "h264 profile not supported\n");
        return 0;
@@ -226,9 +226,10 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, char *magic,
        return AVERROR_INVALIDDATA;
    }

-    /* We only have a single stream anyway, so if there's a new stream with
-     * a different codec just replace it */
    os = &ogg->streams[0];
+    if (os->codec != codec)
+        return AVERROR(EINVAL);
+
    os->serial  = serial;
    os->codec   = codec;
    os->serial  = serial;
@@ -79,6 +79,13 @@ typedef struct OMAContext {
    int (*read_packet)(AVFormatContext *s, AVPacket *pkt);
 } OMAContext;

+static int oma_read_close(AVFormatContext *s)
+{
+    OMAContext *oc = s->priv_data;
+    av_freep(&oc->av_des);
+    return 0;
+}
+
 static void hex_log(AVFormatContext *s, int level,
                    const char *name, const uint8_t *value, int len)
 {
@@ -402,11 +409,14 @@ static int oma_read_header(AVFormatContext *s)
    }

    ret = avio_read(s->pb, buf, EA3_HEADER_SIZE);
-    if (ret < EA3_HEADER_SIZE)
+    if (ret < EA3_HEADER_SIZE) {
+        ff_id3v2_free_extra_meta(&extra_meta);
        return -1;
+    }

    if (memcmp(buf, ((const uint8_t[]){'E', 'A', '3'}), 3) ||
        buf[4] != 0 || buf[5] != EA3_HEADER_SIZE) {
+        ff_id3v2_free_extra_meta(&extra_meta);
        av_log(s, AV_LOG_ERROR, "Couldn't find the EA3 header !\n");
        return AVERROR_INVALIDDATA;
    }
@@ -425,8 +435,10 @@ static int oma_read_header(AVFormatContext *s)
    codec_params = AV_RB24(&buf[33]);

    st = avformat_new_stream(s, NULL);
-    if (!st)
-        return AVERROR(ENOMEM);
+    if (!st) {
+        ret = AVERROR(ENOMEM);
+        goto fail;
+    }

    st->start_time = 0;
    st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
@@ -441,7 +453,8 @@ static int oma_read_header(AVFormatContext *s)
        samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100;
        if (!samplerate) {
            av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n");
-            return AVERROR_INVALIDDATA;
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
        }
        if (samplerate != 44100)
            avpriv_request_sample(s, "Sample rate %d", samplerate);
@@ -459,7 +472,7 @@ static int oma_read_header(AVFormatContext *s)
        /* fake the ATRAC3 extradata
         * (wav format, makes stream copy to wav work) */
        if ((ret = ff_alloc_extradata(st->codecpar, 14)) < 0)
-            return ret;
+            goto fail;

        edata = st->codecpar->extradata;
        AV_WL16(&edata[0],  1);             // always 1
@@ -476,7 +489,8 @@ static int oma_read_header(AVFormatContext *s)
        if (!channel_id) {
            av_log(s, AV_LOG_ERROR,
                   "Invalid ATRAC-X channel id: %"PRIu32"\n", channel_id);
-            return AVERROR_INVALIDDATA;
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
        }
        st->codecpar->channel_layout = ff_oma_chid_to_native_layout[channel_id - 1];
        st->codecpar->channels       = ff_oma_chid_to_num_channels[channel_id - 1];
@@ -484,7 +498,8 @@ static int oma_read_header(AVFormatContext *s)
        samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100;
        if (!samplerate) {
            av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n");
-            return AVERROR_INVALIDDATA;
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
        }
        st->codecpar->sample_rate = samplerate;
        st->codecpar->bit_rate    = samplerate * framesize / (2048 / 8);
@@ -524,12 +539,16 @@ static int oma_read_header(AVFormatContext *s)
        break;
    default:
        av_log(s, AV_LOG_ERROR, "Unsupported codec %d!\n", buf[32]);
-        return AVERROR(ENOSYS);
+        ret = AVERROR(ENOSYS);
+        goto fail;
    }

    st->codecpar->block_align = framesize;

    return 0;
+fail:
+    oma_read_close(s);
+    return ret;
 }

 static int oma_read_packet(AVFormatContext *s, AVPacket *pkt)
@@ -591,13 +610,6 @@ wipe:
    return err;
 }

-static int oma_read_close(AVFormatContext *s)
-{
-    OMAContext *oc = s->priv_data;
-    av_free(oc->av_des);
-    return 0;
-}
-
 AVInputFormat ff_oma_demuxer = {
    .name           = "oma",
    .long_name      = NULL_IF_CONFIG_SMALL("Sony OpenMG audio"),
@@ -94,8 +94,10 @@ static int pjs_read_header(AVFormatContext *s)

            p[strcspn(p, "\"")] = 0;
            sub = ff_subtitles_queue_insert(&pjs->q, p, strlen(p), 0);
-            if (!sub)
+            if (!sub) {
+                ff_subtitles_queue_clean(&pjs->q);
                return AVERROR(ENOMEM);
+            }
            sub->pos = pos;
            sub->pts = pts_start;
            sub->duration = duration;
@@ -387,7 +387,7 @@ static int prompeg_write(URLContext *h, const uint8_t *buf, int size) {
    PrompegFec *fec_tmp;
    uint8_t *bitstring = NULL;
    int col_idx, col_out_idx, row_idx;
-    int ret, written = 0;
+    int ret = 0;

    if (s->init && ((ret = prompeg_init(h, buf, size)) < 0))
        goto end;
@@ -403,7 +403,6 @@ static int prompeg_write(URLContext *h, const uint8_t *buf, int size) {
        if (!s->first || s->packet_idx > 0) {
            if ((ret = prompeg_write_fec(h, s->fec_row, PROMPEG_FEC_ROW)) < 0)
                goto end;
-            written += ret;
        }
        memcpy(s->fec_row->bitstring, bitstring, s->bitstring_size);
        s->fec_row->sn = AV_RB16(buf + 2);
@@ -434,7 +433,6 @@ static int prompeg_write(URLContext *h, const uint8_t *buf, int size) {
        col_out_idx = s->packet_idx / s->d;
        if ((ret = prompeg_write_fec(h, s->fec_col[col_out_idx], PROMPEG_FEC_COL)) < 0)
            goto end;
-        written += ret;
    }

    if (++s->packet_idx >= s->packet_idx_max) {
@@ -443,7 +441,7 @@ static int prompeg_write(URLContext *h, const uint8_t *buf, int size) {
            s->first = 0;
    }

-    ret = written;
+    ret = size;

 end:
    av_free(bitstring);
@@ -108,6 +108,8 @@ static int sami_read_header(AVFormatContext *s)
    ff_subtitles_queue_finalize(s, &sami->q);

 end:
+    if (res < 0)
+        ff_subtitles_queue_clean(&sami->q);
    av_bprint_finalize(&buf, NULL);
    return res;
 }
@@ -136,7 +136,7 @@ try_again:

        sub = ff_subtitles_queue_insert(&scc->q, out, i, 0);
        if (!sub)
-            return AVERROR(ENOMEM);
+            goto fail;

        sub->pos = current_pos;
        sub->pts = ts_start;
@@ -155,6 +155,9 @@ try_again:
    ff_subtitles_queue_finalize(s, &scc->q);

    return ret;
+fail:
+    ff_subtitles_queue_clean(&scc->q);
+    return AVERROR(ENOMEM);
 }

 static int scc_read_packet(AVFormatContext *s, AVPacket *pkt)
@@ -212,7 +212,7 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par)
        p += strlen(p);
        r = r1;
    }
-    if (sps && sps_end - sps >= 4) {
+    if (sps && sps_end - sps >= 4 && p - psets <= MAX_PSET_SIZE - strlen(profile_string) - 7) {
        memcpy(p, profile_string, strlen(profile_string));
        p += strlen(p);
        ff_data_to_hex(p, sps + 1, 3, 0);
@@ -51,6 +51,9 @@ static int smjpeg_read_header(AVFormatContext *s)
    uint32_t version, htype, hlength, duration;
    char *comment;

+    sc->audio_stream_index =
+    sc->video_stream_index = -1;
+
    avio_skip(pb, 8); // magic
    version = avio_rb32(pb);
    if (version)
@@ -147,6 +150,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt)
    dtype = avio_rl32(s->pb);
    switch (dtype) {
    case SMJPEG_SNDD:
+        if (sc->audio_stream_index < 0)
+            return AVERROR_INVALIDDATA;
        timestamp = avio_rb32(s->pb);
        size = avio_rb32(s->pb);
        ret = av_get_packet(s->pb, pkt, size);
@@ -155,6 +160,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt)
        pkt->pos = pos;
        break;
    case SMJPEG_VIDD:
+        if (sc->video_stream_index < 0)
+            return AVERROR_INVALIDDATA;
        timestamp = avio_rb32(s->pb);
        size = avio_rb32(s->pb);
        ret = av_get_packet(s->pb, pkt, size);
@@ -207,6 +207,8 @@ static int srt_read_header(AVFormatContext *s)
    ff_subtitles_queue_finalize(s, &srt->q);

 end:
+    if (res < 0)
+        ff_subtitles_queue_clean(&srt->q);
    av_bprint_finalize(&buf, NULL);
    return res;
 }
@@ -97,8 +97,10 @@ static int stl_read_header(AVFormatContext *s)
        if (pts_start != AV_NOPTS_VALUE) {
            AVPacket *sub;
            sub = ff_subtitles_queue_insert(&stl->q, p, strlen(p), 0);
-            if (!sub)
+            if (!sub) {
+                ff_subtitles_queue_clean(&stl->q);
                return AVERROR(ENOMEM);
+            }
            sub->pos = pos;
            sub->pts = pts_start;
            sub->duration = duration;
@@ -77,8 +77,10 @@ static int subviewer1_read_header(AVFormatContext *s)
                    sub->duration = pts_start - sub->pts;
            } else {
                sub = ff_subtitles_queue_insert(&subviewer1->q, line, len, 0);
-                if (!sub)
+                if (!sub) {
+                    ff_subtitles_queue_clean(&subviewer1->q);
                    return AVERROR(ENOMEM);
+                }
                sub->pos = pos;
                sub->pts = pts_start;
                sub->duration = -1;
@@ -172,6 +172,8 @@ static int subviewer_read_header(AVFormatContext *s)
    ff_subtitles_queue_finalize(s, &subviewer->q);

 end:
+    if (res < 0)
+        ff_subtitles_queue_clean(&subviewer->q);
    av_bprint_finalize(&header, NULL);
    return res;
 }
@@ -275,10 +275,13 @@ static int parse_file(AVIOContext *pb, FFDemuxSubtitlesQueue *subs)
 static av_cold int tedcaptions_read_header(AVFormatContext *avf)
 {
    TEDCaptionsDemuxer *tc = avf->priv_data;
-    AVStream *st;
+    AVStream *st = avformat_new_stream(avf, NULL);
    int ret, i;
    AVPacket *last;

+    if (!st)
+        return AVERROR(ENOMEM);
+
    ret = parse_file(avf->pb, &tc->subs);
    if (ret < 0) {
        if (ret == AVERROR_INVALIDDATA)
@@ -292,9 +295,6 @@ static av_cold int tedcaptions_read_header(AVFormatContext *avf)
        tc->subs.subs[i].pts += tc->start_time;

    last = &tc->subs.subs[tc->subs.nb_subs - 1];
-    st = avformat_new_stream(avf, NULL);
-    if (!st)
-        return AVERROR(ENOMEM);
    st->codecpar->codec_type     = AVMEDIA_TYPE_SUBTITLE;
    st->codecpar->codec_id       = AV_CODEC_ID_TEXT;
    avpriv_set_pts_info(st, 64, 1, 1000);
@@ -75,6 +75,8 @@ static int thp_read_header(AVFormatContext *s)
                           avio_rb32(pb); /* Max samples.  */

    thp->fps             = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX);
+    if (thp->fps.den <= 0 || thp->fps.num < 0)
+        return AVERROR_INVALIDDATA;
    thp->framecnt        = avio_rb32(pb);
    thp->first_framesz   = avio_rb32(pb);
    pb->maxsize          = avio_rb32(pb);
@@ -90,6 +90,8 @@ static void trim_double_dot_url(char *buf, const char *rel, int size)
    if (p && (sep = strstr(p, "://"))) {
        sep += 3;
        root = strchr(sep, '/');
+        if (!root)
+            return;
    }

    /* set new current position if the root node is changed */
@@ -150,6 +152,7 @@ void ff_make_absolute_url(char *buf, int size, const char *base,
    }
    /* If rel actually is an absolute url, just copy it */
    if (!base || strstr(rel, "://") || rel[0] == '/') {
+        memset(buf, 0, size);
        trim_double_dot_url(buf, rel, size);
        return;
    }
@@ -177,6 +180,8 @@ void ff_make_absolute_url(char *buf, int size, const char *base,
        if (sep) {
            sep += 3;
            root = strchr(sep, '/');
+            if (!root)
+                return;
        }
    }

@@ -2782,7 +2782,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic)
                st      = ic->streams[i];
                if (   st->time_base.num <= INT64_MAX / ic->bit_rate
                    && st->duration == AV_NOPTS_VALUE) {
-                    duration = av_rescale(8 * filesize, st->time_base.den,
+                    duration = av_rescale(filesize, 8LL * st->time_base.den,
                                          ic->bit_rate *
                                          (int64_t) st->time_base.num);
                    st->duration = duration;
@@ -83,8 +83,10 @@ static int vplayer_read_header(AVFormatContext *s)
            AVPacket *sub;

            sub = ff_subtitles_queue_insert(&vplayer->q, p, strlen(p), 0);
-            if (!sub)
+            if (!sub) {
+                ff_subtitles_queue_clean(&vplayer->q);
                return AVERROR(ENOMEM);
+            }
            sub->pos = pos;
            sub->pts = pts_start;
            sub->duration = -1;
@@ -164,6 +164,8 @@ static int webvtt_read_header(AVFormatContext *s)
    ff_subtitles_queue_finalize(s, &webvtt->q);

 end:
+    if (res < 0)
+        ff_subtitles_queue_clean(&webvtt->q);
    av_bprint_finalize(&cue,    NULL);
    return res;
 }
@@ -229,9 +229,9 @@ static long long scanexp(FFFILE *f, int pok)
        return LLONG_MIN;
    }
    for (x=0; c-'0'<10U && x<INT_MAX/10; c = shgetc(f))
-        x = 10*x + c-'0';
+        x = 10*x + (c-'0');
    for (y=x; c-'0'<10U && y<LLONG_MAX/100; c = shgetc(f))
-        y = 10*y + c-'0';
+        y = 10*y + (c-'0');
    for (; c-'0'<10U; c = shgetc(f));
    shunget(f);
    return neg ? -y : y;
@@ -371,7 +371,7 @@ static av_always_inline av_const double av_clipd_c(double a, double amin, double
 */
 static av_always_inline av_const int av_ceil_log2_c(int x)
 {
-    return av_log2((x - 1) << 1);
+    return av_log2((x - 1U) << 1);
 }

 /**
@@ -1 +1 @@
 .2.git
 .3.1