diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c
index defa1ab88b..a68b122444 100644
--- a/libavcodec/bmv.c
+++ b/libavcodec/bmv.c
@@ -140,7 +140,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
         mode += 1 + advance_mode;
         if (mode >= 4)
             mode -= 3;
-        if (FFABS(dst_end - dst) < len)
+        if (len <= 0 || FFABS(dst_end - dst) < len)
             return -1;
         switch (mode) {
         case 1:
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 4018a767b4..166eee49ab 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2245,7 +2245,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
              st->codec->codec_id == AV_CODEC_ID_ATRAC3) &&
              st->codec->block_align && track->audio.sub_packet_size) {
 
-            res = matroska_parse_rm_audio(matroska, track, st, data, size,
+            res = matroska_parse_rm_audio(matroska, track, st, data,
+                                          lace_size[n],
                                           timecode, pos);
             if (res)
                 goto end;
diff --git a/libavformat/xmv.c b/libavformat/xmv.c
index b447d6cd25..7763337d4e 100644
--- a/libavformat/xmv.c
+++ b/libavformat/xmv.c
@@ -124,6 +124,15 @@ static int xmv_probe(AVProbeData *p)
     return 0;
 }
 
+static int xmv_read_close(AVFormatContext *s)
+{
+    XMVDemuxContext *xmv = s->priv_data;
+
+    av_freep(&xmv->audio);
+
+    return 0;
+}
+
 static int xmv_read_header(AVFormatContext *s)
 {
     XMVDemuxContext *xmv = s->priv_data;
@@ -133,6 +142,7 @@ static int xmv_read_header(AVFormatContext *s)
     uint32_t file_version;
     uint32_t this_packet_size;
     uint16_t audio_track;
+    int ret;
 
     avio_skip(pb, 4); /* Next packet size */
 
@@ -171,8 +181,10 @@ static int xmv_read_header(AVFormatContext *s)
     avio_skip(pb, 2); /* Unknown (padding?) */
 
     xmv->audio = av_malloc(xmv->audio_track_count * sizeof(XMVAudioPacket));
-    if (!xmv->audio)
-        return AVERROR(ENOMEM);
+    if (!xmv->audio) {
+        ret = AVERROR(ENOMEM);
+        goto fail;
+    }
 
     for (audio_track = 0; audio_track < xmv->audio_track_count; audio_track++) {
         XMVAudioPacket *packet = &xmv->audio[audio_track];
@@ -208,9 +220,18 @@ static int xmv_read_header(AVFormatContext *s)
             av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream "
                                       "(0x%04X)\n", packet->flags);
 
+        if (!packet->channels || !packet->sample_rate) {
+            av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n",
+                   audio_track);
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
+
         ast = avformat_new_stream(s, NULL);
-        if (!ast)
-            return AVERROR(ENOMEM);
+        if (!ast) {
+            ret = AVERROR(ENOMEM);
+            goto fail;
+        }
 
         ast->codec->codec_type            = AVMEDIA_TYPE_AUDIO;
         ast->codec->codec_id              = packet->codec_id;
@@ -236,6 +257,10 @@ static int xmv_read_header(AVFormatContext *s)
     xmv->stream_count       = xmv->audio_track_count + 1;
 
     return 0;
+
+fail:
+    xmv_read_close(s);
+    return ret;
 }
 
 static void xmv_read_extradata(uint8_t *extradata, AVIOContext *pb)
@@ -546,15 +571,6 @@ static int xmv_read_packet(AVFormatContext *s,
     return 0;
 }
 
-static int xmv_read_close(AVFormatContext *s)
-{
-    XMVDemuxContext *xmv = s->priv_data;
-
-    av_freep(&xmv->audio);
-
-    return 0;
-}
-
 AVInputFormat ff_xmv_demuxer = {
     .name           = "xmv",
     .long_name      = NULL_IF_CONFIG_SMALL("Microsoft XMV"),