Update for 2.1.8

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
nutdec: fix illegal count check in decode_main_header
2015-04-30 02:04:38 +02:00 · 2015-04-28 23:22:47 +02:00 · 2015-04-28 22:34:31 +02:00 · 2015-04-28 20:55:23 +02:00 · 2015-04-28 16:11:00 +02:00 · 2015-04-28 12:52:02 +02:00
361 changed files with 4181 additions and 2243 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-2.0
+2.1.8
--- a/1
+++ b/1
@ -0,0 +1 @@
+2.1.8
--- a/cmdutils.c
+++ b/cmdutils.c
@ -68,7 +68,7 @@ struct SwsContext *sws_opts;
 AVDictionary *swr_opts;
 AVDictionary *format_opts, *codec_opts, *resample_opts;

-const int this_year = 2013;
+const int this_year = 2015;

 static FILE *report_file;

--- a/63
+++ b/63
@ -105,6 +105,7 @@ Configuration options:
  --disable-all            disable building components, libraries and programs
  --enable-incompatible-libav-abi enable incompatible Libav fork ABI [no]
  --enable-incompatible-fork-abi  enable incompatible Libav fork ABI (deprecated) [no]
+  --enable-raise-major     increase major version numbers in sonames [no]

 Program options:
  --disable-programs       do not build command line programs
@ -728,6 +729,10 @@ add_ldflags(){
    append LDFLAGS $($ldflags_filter "$@")
 }

+add_stripflags(){
+    append ASMSTRIPFLAGS "$@"
+}
+
 add_extralibs(){
    prepend extralibs $($ldflags_filter "$@")
 }
@ -885,6 +890,20 @@ check_ldflags(){
    test_ldflags "$@" && add_ldflags "$@"
 }

+test_stripflags(){
+    log test_stripflags "$@"
+    # call check_cc to get a fresh TMPO
+    check_cc <<EOF
+int main(void) { return 0; }
+EOF
+    check_cmd $strip $ASMSTRIPFLAGS "$@" $TMPO
+}
+
+check_stripflags(){
+    log check_stripflags "$@"
+    test_stripflags "$@" && add_stripflags "$@"
+}
+
 check_header(){
    log check_header "$@"
    header=$1
@ -1102,6 +1121,26 @@ require_pkg_config(){
    add_extralibs $(get_safe ${pkg}_libs)
 }

+require_libfreetype(){
+    log require_libfreetype "$@"
+    pkg="freetype2"
+    check_cmd $pkg_config --exists --print-errors $pkg \
+      || die "ERROR: $pkg not found"
+    pkg_cflags=$($pkg_config --cflags $pkg)
+    pkg_libs=$($pkg_config --libs $pkg)
+    {
+        echo "#include <ft2build.h>"
+        echo "#include FT_FREETYPE_H"
+        echo "long check_func(void) { return (long) FT_Init_FreeType; }"
+        echo "int main(void) { return 0; }"
+    } | check_ld "cc" $pkg_cflags $pkg_libs \
+      && set_safe ${pkg}_cflags $pkg_cflags \
+      && set_safe ${pkg}_libs   $pkg_libs \
+      || die "ERROR: $pkg not found"
+    add_cflags    $(get_safe ${pkg}_cflags)
+    add_extralibs $(get_safe ${pkg}_libs)
+}
+
 hostcc_o(){
    eval printf '%s\\n' $HOSTCC_O
 }
@ -1280,6 +1319,7 @@ CONFIG_LIST="
    network
    nonfree
    pic
+    raise_major
    rdft
    runtime_cpudetect
    safe_bitstream_reader
@ -1426,6 +1466,7 @@ HAVE_LIST="
    alsa_asoundlib_h
    altivec_h
    arpa_inet_h
+    as_object_arch
    asm_mod_q
    asm_mod_y
    asm_types_h
@ -1996,6 +2037,7 @@ wmv3_vdpau_hwaccel_select="vc1_vdpau_hwaccel"

 # parsers
 h264_parser_select="golomb h264chroma h264dsp h264pred h264qpel videodsp"
+hevc_parser_select="hevc_decoder"
 mpeg4video_parser_select="error_resilience mpegvideo"
 mpegvideo_parser_select="error_resilience mpegvideo"
 vc1_parser_select="mpegvideo"
@ -2878,7 +2920,9 @@ probe_cc(){
    unset _depflags _DEPCMD _DEPFLAGS
    _flags_filter=echo

-    if $_cc -v 2>&1 | grep -q '^gcc.*LLVM'; then
+    if $_cc --version 2>&1 | grep -q '^GNU assembler'; then
+        true # no-op to avoid reading stdin in following checks
+    elif $_cc -v 2>&1 | grep -q '^gcc.*LLVM'; then
        _type=llvm_gcc
        gcc_extra_ver=$(expr "$($_cc --version | head -n1)" : '.*\((.*)\)')
        _ident="llvm-gcc $($_cc -dumpversion) $gcc_extra_ver"
@ -3921,6 +3965,11 @@ EOF

    [ $target_os != win32 ] && enabled_all armv6t2 shared !pic && enable_weak_pic

+    # llvm's integrated assembler supports .object_arch from llvm 3.5
+    [ "$objformat" = elf ] && check_as <<EOF && enable as_object_arch
+.object_arch armv4
+EOF
+
 elif enabled mips; then

    check_inline_asm loongson '"dmult.g $1, $2, $3"'
@ -4049,6 +4098,7 @@ EOF
 fi

 check_ldflags -Wl,--as-needed
+check_ldflags -Wl,-z,noexecstack

 if check_func dlopen; then
    ldl=
@ -4231,7 +4281,7 @@ enabled ladspa            && { check_header ladspa.h || die "ERROR: ladspa.h hea
 enabled libiec61883       && require libiec61883 libiec61883/iec61883.h iec61883_cmp_connect -lraw1394 -lavc1394 -lrom1394 -liec61883
 enabled libaacplus        && require "libaacplus >= 2.0.0" aacplus.h aacplusEncOpen -laacplus
 enabled libass            && require_pkg_config libass ass/ass.h ass_library_init
-enabled libbluray         && require libbluray libbluray/bluray.h bd_open -lbluray
+enabled libbluray         && require_pkg_config libbluray libbluray/bluray.h bd_open
 enabled libcelt           && require libcelt celt/celt.h celt_decode -lcelt0 &&
                             { check_lib celt/celt.h celt_decoder_create_custom -lcelt0 ||
                               die "ERROR: libcelt must be installed and version must be >= 0.11.0."; }
@ -4240,7 +4290,7 @@ enabled libfaac           && require2 libfaac "stdint.h faac.h" faacEncGetVersio
 enabled libfdk_aac        && require libfdk_aac fdk-aac/aacenc_lib.h aacEncOpen -lfdk-aac
 flite_libs="-lflite_cmu_time_awb -lflite_cmu_us_awb -lflite_cmu_us_kal -lflite_cmu_us_kal16 -lflite_cmu_us_rms -lflite_cmu_us_slt -lflite_usenglish -lflite_cmulex -lflite"
 enabled libflite          && require2 libflite "flite/flite.h" flite_init $flite_libs
-enabled libfreetype       && require_pkg_config freetype2 "ft2build.h freetype/freetype.h" FT_Init_FreeType
+enabled libfreetype       && require_libfreetype
 enabled libgme            && require  libgme gme/gme.h gme_new_emu -lgme -lstdc++
 enabled libgsm            && { for gsm_hdr in "gsm.h" "gsm/gsm.h"; do
                                   check_lib "${gsm_hdr}" gsm_create -lgsm && break;
@ -4436,6 +4486,10 @@ check_ldflags -Wl,--warn-common
 check_ldflags -Wl,-rpath-link=libpostproc:libswresample:libswscale:libavfilter:libavdevice:libavformat:libavcodec:libavutil:libavresample
 test_ldflags -Wl,-Bsymbolic && append SHFLAGS -Wl,-Bsymbolic

+# add some strip flags
+# -wN '..@*' is more selective than -x, but not available everywhere.
+check_stripflags -wN \'..@*\' || check_stripflags -x
+
 enabled xmm_clobber_test &&
    check_ldflags -Wl,--wrap,avcodec_open2              \
                  -Wl,--wrap,avcodec_decode_audio4      \
@ -4786,6 +4840,7 @@ LD_PATH=$LD_PATH
 DLLTOOL=$dlltool
 LDFLAGS=$LDFLAGS
 SHFLAGS=$(echo $($ldflags_filter $SHFLAGS))
+ASMSTRIPFLAGS=$ASMSTRIPFLAGS
 YASMFLAGS=$YASMFLAGS
 BUILDSUF=$build_suffix
 PROGSSUF=$progs_suffix
@ -4849,6 +4904,7 @@ get_version(){
    name=$(toupper $lcname)
    file=$source_path/$lcname/version.h
    eval $(awk "/#define ${name}_VERSION_M/ { print \$2 \"=\" \$3 }" "$file")
+    enabled raise_major && eval ${name}_VERSION_MAJOR=$((${name}_VERSION_MAJOR+100))
    eval ${name}_VERSION=\$${name}_VERSION_MAJOR.\$${name}_VERSION_MINOR.\$${name}_VERSION_MICRO
    eval echo "${lcname}_VERSION=\$${name}_VERSION" >> config.mak
    eval echo "${lcname}_VERSION_MAJOR=\$${name}_VERSION_MAJOR" >> config.mak
@ -4888,6 +4944,7 @@ enabled getenv || echo "#define getenv(x) NULL" >> $TMPH


 mkdir -p doc
+mkdir -p tests
 echo "@c auto-generated by configure" > doc/config.texi

 print_config ARCH_   "$config_files" $ARCH_LIST
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         =
+PROJECT_NUMBER         = 2.1.8

 # With the PROJECT_LOGO tag one can specify a logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
--- a/doc/encoders.texi
+++ b/doc/encoders.texi
@ -786,7 +786,7 @@ Set maximum frame size, or duration of a frame in milliseconds. The
 argument must be exactly the following: 2.5, 5, 10, 20, 40, 60. Smaller
 frame sizes achieve lower latency but less quality at a given bitrate.
 Sizes greater than 20ms are only interesting at fairly low bitrates.
-The default of FFmpeg is 10ms, but is 20ms in @command{opusenc}.
+The default is 20ms.

@item packet_loss (@emph{expect-loss})
 Set expected packet loss percentage. The default is 0.
--- a/doc/filters.texi
+++ b/doc/filters.texi
@ -6422,9 +6422,11 @@ The main purpose of setting @option{mp} to a chroma plane is to reduce CPU
 load and make pullup usable in realtime on slow machines.
@end table

-For example to inverse telecined NTSC input:
+For best results (without duplicated frames in the output file) it is
+necessary to change the output frame rate. For example, to inverse
+telecine NTSC input:
@example
-pullup,fps=24000/1001
+ffmpeg -i input -vf pullup -r 24000/1001 ...
@end example

@section removelogo
--- a/doc/scaler.texi
+++ b/doc/scaler.texi
@ -35,7 +35,7 @@ Select nearest neighbor rescaling algorithm.
@item area
 Select averaging area rescaling algorithm.

-@item bicubiclin
+@item bicublin
 Select bicubic scaling algorithm for the luma component, bilinear for
 chroma components.

--- a/ffmpeg.c
+++ b/ffmpeg.c
@ -319,7 +319,7 @@ sigterm_handler(int sig)
    received_nb_signals++;
    term_exit();
    if(received_nb_signals > 3)
-        exit_program(123);
+        exit(123);
 }

 void term_init(void)
@ -349,7 +349,6 @@ void term_init(void)
        signal(SIGQUIT, sigterm_handler); /* Quit (POSIX).  */
    }
 #endif
-    avformat_network_deinit();

    signal(SIGINT , sigterm_handler); /* Interrupt (ANSI).    */
    signal(SIGTERM, sigterm_handler); /* Termination (ANSI).  */
@ -817,10 +816,26 @@ static void do_video_out(AVFormatContext *s,
    nb_frames = 1;

    format_video_sync = video_sync_method;
-    if (format_video_sync == VSYNC_AUTO)
+    if (format_video_sync == VSYNC_AUTO) {
        format_video_sync = (s->oformat->flags & AVFMT_VARIABLE_FPS) ? ((s->oformat->flags & AVFMT_NOTIMESTAMPS) ? VSYNC_PASSTHROUGH : VSYNC_VFR) : VSYNC_CFR;
+        if (   ist
+            && format_video_sync == VSYNC_CFR
+            && input_files[ist->file_index]->ctx->nb_streams == 1
+            && input_files[ist->file_index]->input_ts_offset == 0) {
+            format_video_sync = VSYNC_VSCFR;
+        }
+        if (format_video_sync == VSYNC_CFR && copy_ts) {
+            format_video_sync = VSYNC_VSCFR;
+        }
+    }

    switch (format_video_sync) {
+    case VSYNC_VSCFR:
+        if (ost->frame_number == 0 && delta - duration >= 0.5) {
+            av_log(NULL, AV_LOG_DEBUG, "Not duplicating %d initial frames\n", (int)lrintf(delta - duration));
+            delta = duration;
+            ost->sync_opts = lrint(sync_ipts);
+        }
    case VSYNC_CFR:
        // FIXME set to 0.5 after we fix some dts/pts bugs like in avidec.c
        if (delta < -1.1)
@ -1467,7 +1482,7 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p
       && ost->st->codec->codec_id != AV_CODEC_ID_MPEG2VIDEO
       && ost->st->codec->codec_id != AV_CODEC_ID_VC1
       ) {
-        if (av_parser_change(ist->st->parser, ost->st->codec, &opkt.data, &opkt.size, pkt->data, pkt->size, pkt->flags & AV_PKT_FLAG_KEY)) {
+        if (av_parser_change(av_stream_get_parser(ist->st), ost->st->codec, &opkt.data, &opkt.size, pkt->data, pkt->size, pkt->flags & AV_PKT_FLAG_KEY)) {
            opkt.buf = av_buffer_create(opkt.data, opkt.size, av_buffer_default_free, NULL, 0);
            if (!opkt.buf)
                exit_program(1);
@ -1867,7 +1882,7 @@ static int output_packet(InputStream *ist, const AVPacket *pkt)
            if (avpkt.duration) {
                duration = av_rescale_q(avpkt.duration, ist->st->time_base, AV_TIME_BASE_Q);
            } else if(ist->st->codec->time_base.num != 0 && ist->st->codec->time_base.den != 0) {
-                int ticks= ist->st->parser ? ist->st->parser->repeat_pict+1 : ist->st->codec->ticks_per_frame;
+                int ticks= av_stream_get_parser(ist->st) ? av_stream_get_parser(ist->st)->repeat_pict+1 : ist->st->codec->ticks_per_frame;
                duration = ((int64_t)AV_TIME_BASE *
                                ist->st->codec->time_base.num * ticks) /
                                ist->st->codec->time_base.den;
@ -1924,7 +1939,7 @@ static int output_packet(InputStream *ist, const AVPacket *pkt)
            } else if (pkt->duration) {
                ist->next_dts += av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q);
            } else if(ist->st->codec->time_base.num != 0) {
-                int ticks= ist->st->parser ? ist->st->parser->repeat_pict + 1 : ist->st->codec->ticks_per_frame;
+                int ticks= av_stream_get_parser(ist->st) ? av_stream_get_parser(ist->st)->repeat_pict + 1 : ist->st->codec->ticks_per_frame;
                ist->next_dts += ((int64_t)AV_TIME_BASE *
                                  ist->st->codec->time_base.num * ticks) /
                                  ist->st->codec->time_base.den;
@ -2101,7 +2116,7 @@ static int transcode_init(void)
    AVCodecContext *codec;
    OutputStream *ost;
    InputStream *ist;
-    char error[1024];
+    char error[1024] = {0};
    int want_sdp = 1;

    for (i = 0; i < nb_filtergraphs; i++) {
@ -2357,7 +2372,7 @@ static int transcode_init(void)
                if (ost->filter && !(codec->time_base.num && codec->time_base.den))
                    codec->time_base = ost->filter->filter->inputs[0]->time_base;
                if (   av_q2d(codec->time_base) < 0.001 && video_sync_method != VSYNC_PASSTHROUGH
-                   && (video_sync_method == VSYNC_CFR || (video_sync_method == VSYNC_AUTO && !(oc->oformat->flags & AVFMT_VARIABLE_FPS)))){
+                   && (video_sync_method == VSYNC_CFR || video_sync_method == VSYNC_VSCFR || (video_sync_method == VSYNC_AUTO && !(oc->oformat->flags & AVFMT_VARIABLE_FPS)))){
                    av_log(oc, AV_LOG_WARNING, "Frame rate very high for a muxer not efficiently supporting it.\n"
                                               "Please consider specifying a lower framerate, a different muxer or -vsync 2\n");
                }
--- a/ffmpeg.h
+++ b/ffmpeg.h
@ -51,6 +51,7 @@
 #define VSYNC_PASSTHROUGH 0
 #define VSYNC_CFR         1
 #define VSYNC_VFR         2
+#define VSYNC_VSCFR       0xfe
 #define VSYNC_DROP        0xff

 #define MAX_STREAMS 1024    /* arbitrary sanity check value */
@ -281,6 +282,7 @@ typedef struct InputFile {
    int eof_reached;      /* true if eof reached */
    int eagain;           /* true if last read attempt returned EAGAIN */
    int ist_index;        /* index of first stream in input_streams */
+    int64_t input_ts_offset;
    int64_t ts_offset;
    int64_t last_ts;
    int64_t start_time;   /* user-specified start time in AV_TIME_BASE or AV_NOPTS_VALUE */
--- a/ffmpeg_filter.c
+++ b/ffmpeg_filter.c
@ -42,12 +42,15 @@ enum AVPixelFormat choose_pixel_fmt(AVStream *st, AVCodec *codec, enum AVPixelFo
        const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(target);
        int has_alpha = desc ? desc->nb_components % 2 == 0 : 0;
        enum AVPixelFormat best= AV_PIX_FMT_NONE;
+        const enum AVPixelFormat mjpeg_formats[] = { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE };
+        const enum AVPixelFormat ljpeg_formats[] = { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P,
+                                                     AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE };
+
        if (st->codec->strict_std_compliance <= FF_COMPLIANCE_UNOFFICIAL) {
            if (st->codec->codec_id == AV_CODEC_ID_MJPEG) {
-                p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE };
+                p = mjpeg_formats;
            } else if (st->codec->codec_id == AV_CODEC_ID_LJPEG) {
-                p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P,
-                                                 AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE };
+                p =ljpeg_formats;
            }
        }
        for (; *p != AV_PIX_FMT_NONE; p++) {
--- a/ffmpeg_opt.c
+++ b/ffmpeg_opt.c
@ -852,6 +852,7 @@ static int open_input_file(OptionsContext *o, const char *filename)
    f->ist_index  = nb_input_streams - ic->nb_streams;
    f->start_time = o->start_time;
    f->recording_time = o->recording_time;
+    f->input_ts_offset = o->input_ts_offset;
    f->ts_offset  = o->input_ts_offset - (copy_ts ? 0 : timestamp);
    f->nb_streams = ic->nb_streams;
    f->rate_emu   = o->rate_emu;
@ -1689,7 +1690,7 @@ static int open_output_file(OptionsContext *o, const char *filename)
        /* pick the "best" stream of each type */

        /* video: highest resolution */
-        if (!o->video_disable && oc->oformat->video_codec != AV_CODEC_ID_NONE) {
+        if (!o->video_disable && av_guess_codec(oc->oformat, NULL, filename, NULL, AVMEDIA_TYPE_VIDEO) != AV_CODEC_ID_NONE) {
            int area = 0, idx = -1;
            int qcr = avformat_query_codec(oc->oformat, oc->oformat->video_codec, 0);
            for (i = 0; i < nb_input_streams; i++) {
@ -1711,7 +1712,7 @@ static int open_output_file(OptionsContext *o, const char *filename)
        }

        /* audio: most channels */
-        if (!o->audio_disable && oc->oformat->audio_codec != AV_CODEC_ID_NONE) {
+        if (!o->audio_disable && av_guess_codec(oc->oformat, NULL, filename, NULL, AVMEDIA_TYPE_AUDIO) != AV_CODEC_ID_NONE) {
            int channels = 0, idx = -1;
            for (i = 0; i < nb_input_streams; i++) {
                ist = input_streams[i];
@ -1727,7 +1728,7 @@ static int open_output_file(OptionsContext *o, const char *filename)

        /* subtitles: pick first */
        MATCH_PER_TYPE_OPT(codec_names, str, subtitle_codec_name, oc, "s");
-        if (!o->subtitle_disable && (oc->oformat->subtitle_codec != AV_CODEC_ID_NONE || subtitle_codec_name)) {
+        if (!o->subtitle_disable && (avcodec_find_encoder(oc->oformat->subtitle_codec) || subtitle_codec_name)) {
            for (i = 0; i < nb_input_streams; i++)
                if (input_streams[i]->st->codec->codec_type == AVMEDIA_TYPE_SUBTITLE) {
                    new_subtitle_stream(o, oc, i);
--- a/ffprobe.c
+++ b/ffprobe.c
@ -183,6 +183,7 @@ static const char unit_hertz_str[]          = "Hz"   ;
 static const char unit_byte_str[]           = "byte" ;
 static const char unit_bit_per_second_str[] = "bit/s";

+static int nb_streams;
 static uint64_t *nb_streams_packets;
 static uint64_t *nb_streams_frames;
 static int *selected_streams;
@ -238,6 +239,7 @@ static char *value_string(char *buf, int buf_size, struct unit_value uv)
                vald /= pow(10, index * 3);
                prefix_string = decimal_unit_prefixes[index];
            }
+            vali = vald;
        }

        if (show_float || (use_value_prefix && vald != (long long int)vald))
@ -1455,6 +1457,14 @@ static void writer_register_all(void)
 #define print_section_header(s) writer_print_section_header(w, s)
 #define print_section_footer(s) writer_print_section_footer(w, s)

+#define REALLOCZ_ARRAY_STREAM(ptr, cur_n, new_n)                        \
+{                                                                       \
+    ret = av_reallocp_array(&(ptr), (new_n), sizeof(*(ptr)));           \
+    if (ret < 0)                                                        \
+        goto end;                                                       \
+    memset( (ptr) + (cur_n), 0, ((new_n) - (cur_n)) * sizeof(*(ptr)) ); \
+}
+
 static inline void show_tags(WriterContext *wctx, AVDictionary *tags, int section_id)
 {
    AVDictionaryEntry *tag = NULL;
@ -1580,7 +1590,6 @@ static av_always_inline int process_frame(WriterContext *w,
    AVCodecContext *dec_ctx = fmt_ctx->streams[pkt->stream_index]->codec;
    int ret = 0, got_frame = 0;

-    avcodec_get_frame_defaults(frame);
    if (dec_ctx->codec) {
        switch (dec_ctx->codec_type) {
        case AVMEDIA_TYPE_VIDEO:
@ -1634,7 +1643,7 @@ static int read_interval_packets(WriterContext *w, AVFormatContext *fmt_ctx,
                                 const ReadInterval *interval, int64_t *cur_ts)
 {
    AVPacket pkt, pkt1;
-    AVFrame frame;
+    AVFrame *frame = NULL;
    int ret = 0, i = 0, frame_count = 0;
    int64_t start = -INT64_MAX, end = interval->end;
    int has_start = 0, has_end = interval->has_end && !interval->end_is_offset;
@ -1668,7 +1677,18 @@ static int read_interval_packets(WriterContext *w, AVFormatContext *fmt_ctx,
        }
    }

+    frame = av_frame_alloc();
+    if (!frame) {
+        ret = AVERROR(ENOMEM);
+        goto end;
+    }
    while (!av_read_frame(fmt_ctx, &pkt)) {
+        if (fmt_ctx->nb_streams > nb_streams) {
+            REALLOCZ_ARRAY_STREAM(nb_streams_frames,  nb_streams, fmt_ctx->nb_streams);
+            REALLOCZ_ARRAY_STREAM(nb_streams_packets, nb_streams, fmt_ctx->nb_streams);
+            REALLOCZ_ARRAY_STREAM(selected_streams,   nb_streams, fmt_ctx->nb_streams);
+            nb_streams = fmt_ctx->nb_streams;
+        }
        if (selected_streams[pkt.stream_index]) {
            AVRational tb = fmt_ctx->streams[pkt.stream_index]->time_base;

@ -1700,7 +1720,7 @@ static int read_interval_packets(WriterContext *w, AVFormatContext *fmt_ctx,
            }
            if (do_read_frames) {
                pkt1 = pkt;
-                while (pkt1.size && process_frame(w, fmt_ctx, &frame, &pkt1) > 0);
+                while (pkt1.size && process_frame(w, fmt_ctx, frame, &pkt1) > 0);
            }
        }
        av_free_packet(&pkt);
@ -1712,10 +1732,11 @@ static int read_interval_packets(WriterContext *w, AVFormatContext *fmt_ctx,
    for (i = 0; i < fmt_ctx->nb_streams; i++) {
        pkt.stream_index = i;
        if (do_read_frames)
-            while (process_frame(w, fmt_ctx, &frame, &pkt) > 0);
+            while (process_frame(w, fmt_ctx, frame, &pkt) > 0);
    }

 end:
+    av_frame_free(&frame);
    if (ret < 0) {
        av_log(NULL, AV_LOG_ERROR, "Could not read packets in interval ");
        log_read_interval(interval, NULL, AV_LOG_ERROR);
@ -2111,9 +2132,10 @@ static int probe_file(WriterContext *wctx, const char *filename)
    if (ret < 0)
        return ret;

-    nb_streams_frames  = av_calloc(fmt_ctx->nb_streams, sizeof(*nb_streams_frames));
-    nb_streams_packets = av_calloc(fmt_ctx->nb_streams, sizeof(*nb_streams_packets));
-    selected_streams   = av_calloc(fmt_ctx->nb_streams, sizeof(*selected_streams));
+    nb_streams = fmt_ctx->nb_streams;
+    REALLOCZ_ARRAY_STREAM(nb_streams_frames,0,fmt_ctx->nb_streams);
+    REALLOCZ_ARRAY_STREAM(nb_streams_packets,0,fmt_ctx->nb_streams);
+    REALLOCZ_ARRAY_STREAM(selected_streams,0,fmt_ctx->nb_streams);

    for (i = 0; i < fmt_ctx->nb_streams; i++) {
        if (stream_specifier) {
--- a/ffserver.c
+++ b/ffserver.c
@ -2972,6 +2972,8 @@ static int prepare_sdp_description(FFStream *stream, uint8_t **pbuffer,
    AVOutputFormat *rtp_format = av_guess_format("rtp", NULL, NULL);
    int i;

+    *pbuffer = NULL;
+
    avc =  avformat_alloc_context();
    if (avc == NULL || !rtp_format) {
        return -1;
@ -3008,7 +3010,7 @@ static int prepare_sdp_description(FFStream *stream, uint8_t **pbuffer,
    av_free(avc);
    av_free(avs);

-    return strlen(*pbuffer);
+    return *pbuffer ? strlen(*pbuffer) : AVERROR(ENOMEM);
 }

 static void rtsp_cmd_options(HTTPContext *c, const char *url)
--- a/libavcodec/012v.c
+++ b/libavcodec/012v.c
@ -38,15 +38,15 @@ static av_cold int zero12v_decode_init(AVCodecContext *avctx)
 static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
                                int *got_frame, AVPacket *avpkt)
 {
-    int line = 0, ret;
+    int line, ret;
    const int width = avctx->width;
    AVFrame *pic = data;
    uint16_t *y, *u, *v;
    const uint8_t *line_end, *src = avpkt->data;
    int stride = avctx->width * 8 / 3;

-    if (width == 1) {
-        av_log(avctx, AV_LOG_ERROR, "Width 1 not supported.\n");
+    if (width <= 1 || avctx->height <= 0) {
+        av_log(avctx, AV_LOG_ERROR, "Dimensions %dx%d not supported.\n", width, avctx->height);
        return AVERROR_INVALIDDATA;
    }

@ -67,45 +67,45 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
    pic->pict_type = AV_PICTURE_TYPE_I;
    pic->key_frame = 1;

-    y = (uint16_t *)pic->data[0];
-    u = (uint16_t *)pic->data[1];
-    v = (uint16_t *)pic->data[2];
    line_end = avpkt->data + stride;
+    for (line = 0; line < avctx->height; line++) {
+        uint16_t y_temp[6] = {0x8000, 0x8000, 0x8000, 0x8000, 0x8000, 0x8000};
+        uint16_t u_temp[3] = {0x8000, 0x8000, 0x8000};
+        uint16_t v_temp[3] = {0x8000, 0x8000, 0x8000};
+        int x;
+        y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
+        u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
+        v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);

-    while (line++ < avctx->height) {
-        while (1) {
-            uint32_t t = AV_RL32(src);
+        for (x = 0; x < width; x += 6) {
+            uint32_t t;
+
+            if (width - x < 6 || line_end - src < 16) {
+                y = y_temp;
+                u = u_temp;
+                v = v_temp;
+            }
+
+            if (line_end - src < 4)
+                break;
+
+            t = AV_RL32(src);
            src += 4;
            *u++ = t <<  6 & 0xFFC0;
            *y++ = t >>  4 & 0xFFC0;
            *v++ = t >> 14 & 0xFFC0;

-            if (src >= line_end - 1) {
-                *y = 0x80;
-                src++;
-                line_end += stride;
-                y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
-                u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
-                v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
+            if (line_end - src < 4)
                break;
-            }

            t = AV_RL32(src);
            src += 4;
            *y++ = t <<  6 & 0xFFC0;
            *u++ = t >>  4 & 0xFFC0;
            *y++ = t >> 14 & 0xFFC0;
-            if (src >= line_end - 2) {
-                if (!(width & 1)) {
-                    *y = 0x80;
-                    src += 2;
-                }
-                line_end += stride;
-                y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
-                u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
-                v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
+
+            if (line_end - src < 4)
                break;
-            }

            t = AV_RL32(src);
            src += 4;
@ -113,15 +113,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
            *y++ = t >>  4 & 0xFFC0;
            *u++ = t >> 14 & 0xFFC0;

-            if (src >= line_end - 1) {
-                *y = 0x80;
-                src++;
-                line_end += stride;
-                y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
-                u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
-                v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
+            if (line_end - src < 4)
                break;
-            }

            t = AV_RL32(src);
            src += 4;
@ -129,18 +122,21 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
            *v++ = t >>  4 & 0xFFC0;
            *y++ = t >> 14 & 0xFFC0;

-            if (src >= line_end - 2) {
-                if (width & 1) {
-                    *y = 0x80;
-                    src += 2;
-                }
-                line_end += stride;
-                y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
-                u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
-                v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
+            if (width - x < 6)
                break;
        }
+
+        if (x < width) {
+            y = x   + (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
+            u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
+            v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
+            memcpy(y, y_temp, sizeof(*y) * (width - x));
+            memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2);
+            memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2);
        }
+
+        line_end += stride;
+        src = line_end - stride;
    }

    *got_frame = 1;
--- a/libavcodec/Makefile
+++ b/libavcodec/Makefile
@ -331,22 +331,22 @@ OBJS-$(CONFIG_NUV_DECODER)             += nuv.o rtjpeg.o
 OBJS-$(CONFIG_PAF_VIDEO_DECODER)       += paf.o
 OBJS-$(CONFIG_PAF_AUDIO_DECODER)       += paf.o
 OBJS-$(CONFIG_PAM_DECODER)             += pnmdec.o pnm.o
-OBJS-$(CONFIG_PAM_ENCODER)             += pamenc.o pnm.o
+OBJS-$(CONFIG_PAM_ENCODER)             += pamenc.o
 OBJS-$(CONFIG_PBM_DECODER)             += pnmdec.o pnm.o
-OBJS-$(CONFIG_PBM_ENCODER)             += pnmenc.o pnm.o
+OBJS-$(CONFIG_PBM_ENCODER)             += pnmenc.o
 OBJS-$(CONFIG_PCX_DECODER)             += pcx.o
 OBJS-$(CONFIG_PCX_ENCODER)             += pcxenc.o
 OBJS-$(CONFIG_PGM_DECODER)             += pnmdec.o pnm.o
-OBJS-$(CONFIG_PGM_ENCODER)             += pnmenc.o pnm.o
+OBJS-$(CONFIG_PGM_ENCODER)             += pnmenc.o
 OBJS-$(CONFIG_PGMYUV_DECODER)          += pnmdec.o pnm.o
-OBJS-$(CONFIG_PGMYUV_ENCODER)          += pnmenc.o pnm.o
+OBJS-$(CONFIG_PGMYUV_ENCODER)          += pnmenc.o
 OBJS-$(CONFIG_PGSSUB_DECODER)          += pgssubdec.o
 OBJS-$(CONFIG_PICTOR_DECODER)          += pictordec.o cga_data.o
 OBJS-$(CONFIG_PJS_DECODER)             += textdec.o ass.o
 OBJS-$(CONFIG_PNG_DECODER)             += png.o pngdec.o pngdsp.o
 OBJS-$(CONFIG_PNG_ENCODER)             += png.o pngenc.o
 OBJS-$(CONFIG_PPM_DECODER)             += pnmdec.o pnm.o
-OBJS-$(CONFIG_PPM_ENCODER)             += pnmenc.o pnm.o
+OBJS-$(CONFIG_PPM_ENCODER)             += pnmenc.o
 OBJS-$(CONFIG_PRORES_DECODER)          += proresdec2.o proresdsp.o proresdata.o
 OBJS-$(CONFIG_PRORES_LGPL_DECODER)     += proresdec_lgpl.o proresdsp.o proresdata.o
 OBJS-$(CONFIG_PRORES_ENCODER)          += proresenc_anatoliy.o
--- a/libavcodec/a64multienc.c
+++ b/libavcodec/a64multienc.c
@ -40,9 +40,6 @@
 #define C64YRES 200

 typedef struct A64Context {
-    /* general variables */
-    AVFrame picture;
-
    /* variables for multicolor modes */
    AVLFG randctx;
    int mc_lifetime;
@ -81,9 +78,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest)
            for (y = blocky; y < blocky + 8 && y < C64YRES; y++) {
                for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) {
                    if(x < width && y < height) {
+                        if (x + 1 < width) {
                            /* build average over 2 pixels */
                            luma = (src[(x + 0 + y * p->linesize[0])] +
                                    src[(x + 1 + y * p->linesize[0])]) / 2;
+                        } else {
+                            luma = src[(x + y * p->linesize[0])];
+                        }
                        /* write blocks as linear data now so they are suitable for elbg */
                        dest[0] = luma;
                    }
@ -189,6 +190,7 @@ static void render_charset(AVCodecContext *avctx, uint8_t *charset,
 static av_cold int a64multi_close_encoder(AVCodecContext *avctx)
 {
    A64Context *c = avctx->priv_data;
+    av_frame_free(&avctx->coded_frame);
    av_free(c->mc_meta_charset);
    av_free(c->mc_best_cb);
    av_free(c->mc_charset);
@ -240,8 +242,12 @@ static av_cold int a64multi_init_encoder(AVCodecContext *avctx)
    AV_WB32(avctx->extradata, c->mc_lifetime);
    AV_WB32(avctx->extradata + 16, INTERLACED);

-    avcodec_get_frame_defaults(&c->picture);
-    avctx->coded_frame            = &c->picture;
+    avctx->coded_frame = av_frame_alloc();
+    if (!avctx->coded_frame) {
+        a64multi_close_encoder(avctx);
+        return AVERROR(ENOMEM);
+    }
+
    avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I;
    avctx->coded_frame->key_frame = 1;
    if (!avctx->codec_tag)
@ -271,7 +277,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
                                 const AVFrame *pict, int *got_packet)
 {
    A64Context *c = avctx->priv_data;
-    AVFrame *const p = &c->picture;
+    AVFrame *const p = avctx->coded_frame;

    int frame;
    int x, y;
@ -315,7 +321,9 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
    } else {
        /* fill up mc_meta_charset with data until lifetime exceeds */
        if (c->mc_frame_counter < c->mc_lifetime) {
-            *p = *pict;
+            ret = av_frame_ref(p, pict);
+            if (ret < 0)
+                return ret;
            p->pict_type = AV_PICTURE_TYPE_I;
            p->key_frame = 1;
            to_meta_with_crop(avctx, p, meta + 32000 * c->mc_frame_counter);
@ -332,8 +340,8 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
        req_size = 0;
        /* any frames to encode? */
        if (c->mc_lifetime) {
-            req_size = charset_size + c->mc_lifetime*(screen_size + colram_size);
-            if ((ret = ff_alloc_packet2(avctx, pkt, req_size)) < 0)
+            int alloc_size = charset_size + c->mc_lifetime*(screen_size + colram_size);
+            if ((ret = ff_alloc_packet2(avctx, pkt, alloc_size)) < 0)
                return ret;
            buf = pkt->data;

@ -350,6 +358,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
            /* advance pointers */
            buf      += charset_size;
            charset  += charset_size;
+            req_size += charset_size;
        }

        /* write x frames to buf */
--- a/libavcodec/aac.h
+++ b/libavcodec/aac.h
@ -81,7 +81,7 @@ enum BandType {
    INTENSITY_BT   = 15,    ///< Scalefactor data are intensity stereo positions.
 };

-#define IS_CODEBOOK_UNSIGNED(x) ((x - 1) & 10)
+#define IS_CODEBOOK_UNSIGNED(x) (((x) - 1) & 10)

 enum ChannelPosition {
    AAC_CHANNEL_OFF   = 0,
--- a/libavcodec/aac_parser.c
+++ b/libavcodec/aac_parser.c
@ -34,7 +34,7 @@ static int aac_sync(uint64_t state, AACAC3ParseContext *hdr_info,
    int size;
    union {
        uint64_t u64;
-        uint8_t  u8[8];
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
    } tmp;

    tmp.u64 = av_be2ne64(state);
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@ -194,6 +194,9 @@ static int frame_configure_elements(AVCodecContext *avctx)

    /* get output buffer */
    av_frame_unref(ac->frame);
+    if (!avctx->channels)
+        return 1;
+
    ac->frame->nb_samples = 2048;
    if ((ret = ff_get_buffer(avctx, ac->frame, 0)) < 0)
        return ret;
@ -420,7 +423,7 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags)
 * Save current output configuration if and only if it has been locked.
 */
 static void push_output_configuration(AACContext *ac) {
-    if (ac->oc[1].status == OC_LOCKED) {
+    if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) {
        ac->oc[0] = ac->oc[1];
    }
    ac->oc[1].status = OC_NONE;
@ -857,7 +860,7 @@ static int decode_eld_specific_config(AACContext *ac, AVCodecContext *avctx,
        if (len == 15 + 255)
            len += get_bits(gb, 16);
        if (get_bits_left(gb) < len * 8 + 4) {
-            av_log(ac->avctx, AV_LOG_ERROR, overread_err);
+            av_log(avctx, AV_LOG_ERROR, overread_err);
            return AVERROR_INVALIDDATA;
        }
        skip_bits_long(gb, 8 * len);
@ -1402,12 +1405,12 @@ static int decode_pulses(Pulse *pulse, GetBitContext *gb,
        return -1;
    pulse->pos[0]    = swb_offset[pulse_swb];
    pulse->pos[0]   += get_bits(gb, 5);
-    if (pulse->pos[0] > 1023)
+    if (pulse->pos[0] >= swb_offset[num_swb])
        return -1;
    pulse->amp[0]    = get_bits(gb, 4);
    for (i = 1; i < pulse->num_pulse; i++) {
        pulse->pos[i] = get_bits(gb, 5) + pulse->pos[i - 1];
-        if (pulse->pos[i] > 1023)
+        if (pulse->pos[i] >= swb_offset[num_swb])
            return -1;
        pulse->amp[i] = get_bits(gb, 4);
    }
--- a/libavcodec/aacenc.c
+++ b/libavcodec/aacenc.c
@ -165,7 +165,7 @@ static void put_audio_specific_config(AVCodecContext *avctx)
    PutBitContext pb;
    AACEncContext *s = avctx->priv_data;

-    init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8);
+    init_put_bits(&pb, avctx->extradata, avctx->extradata_size);
    put_bits(&pb, 5, 2); //object type - AAC-LC
    put_bits(&pb, 4, s->samplerate_index); //sample rate index
    put_bits(&pb, 4, s->channels);
--- a/libavcodec/aacpsy.c
+++ b/libavcodec/aacpsy.c
@ -727,7 +727,10 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel,
                    if (active_lines > 0.0f)
                        band->thr = calc_reduced_thr_3gpp(band, coeffs[g].min_snr, reduction);
                    pe += calc_pe_3gpp(band);
+                    if (band->thr > 0.0f)
                        band->norm_fac = band->active_lines / band->thr;
+                    else
+                        band->norm_fac = 0.0f;
                    norm_fac += band->norm_fac;
                }
            }
--- a/libavcodec/aasc.c
+++ b/libavcodec/aasc.c
@ -137,7 +137,7 @@ static int aasc_decode_frame(AVCodecContext *avctx,
        return ret;

    /* report that the buffer was completely consumed */
-    return buf_size;
+    return avpkt->size;
 }

 static av_cold int aasc_decode_end(AVCodecContext *avctx)
--- a/libavcodec/ac3.c
+++ b/libavcodec/ac3.c
@ -131,6 +131,9 @@ int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
    int band_start, band_end, begin, end1;
    int lowcomp, fastleak, slowleak;

+    if (end <= 0)
+        return AVERROR_INVALIDDATA;
+
    /* excitation function */
    band_start = ff_ac3_bin_to_band_tab[start];
    band_end   = ff_ac3_bin_to_band_tab[end-1] + 1;
--- a/libavcodec/ac3_parser.c
+++ b/libavcodec/ac3_parser.c
@ -147,7 +147,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info,
    int err;
    union {
        uint64_t u64;
-        uint8_t  u8[8];
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
    } tmp = { av_be2ne64(state) };
    AC3HeaderInfo hdr;
    GetBitContext gbc;
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@ -488,6 +488,10 @@ static void ac3_decode_transform_coeffs_ch(AC3DecodeContext *s, int ch_index, ma
            break;
        default: /* 6 to 15 */
            /* Shift mantissa and sign-extend it. */
+            if (bap > 15) {
+                av_log(s->avctx, AV_LOG_ERROR, "bap %d is invalid in plain AC-3\n", bap);
+                bap = 15;
+            }
            mantissa = get_sbits(gbc, quantization_tab[bap]);
            mantissa <<= 24 - quantization_tab[bap];
            break;
--- a/libavcodec/ac3enc_template.c
+++ b/libavcodec/ac3enc_template.c
@ -260,7 +260,7 @@ static void apply_channel_coupling(AC3EncodeContext *s)
                energy_cpl = energy[blk][CPL_CH][bnd];
                energy_ch = energy[blk][ch][bnd];
                blk1 = blk+1;
-                while (!s->blocks[blk1].new_cpl_coords[ch] && blk1 < s->num_blocks) {
+                while (blk1 < s->num_blocks && !s->blocks[blk1].new_cpl_coords[ch]) {
                    if (s->blocks[blk1].cpl_in_use) {
                        energy_cpl += energy[blk1][CPL_CH][bnd];
                        energy_ch += energy[blk1][ch][bnd];
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@ -471,9 +471,11 @@ static void adpcm_swf_decode(AVCodecContext *avctx, const uint8_t *buf, int buf_
 * @param[out] coded_samples set to the number of samples as coded in the
 *                           packet, or 0 if the codec does not encode the
 *                           number of samples in each frame.
+ * @param[out] approx_nb_samples set to non-zero if the number of samples
+ *                               returned is an approximation.
 */
 static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
-                          int buf_size, int *coded_samples)
+                          int buf_size, int *coded_samples, int *approx_nb_samples)
 {
    ADPCMDecodeContext *s = avctx->priv_data;
    int nb_samples        = 0;
@ -482,6 +484,7 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
    int header_size;

    *coded_samples = 0;
+    *approx_nb_samples = 0;

    if(ch <= 0)
        return 0;
@ -552,10 +555,12 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
        case AV_CODEC_ID_ADPCM_EA_R2:
            header_size    = 4 + 5 * ch;
            *coded_samples = bytestream2_get_le32(gb);
+            *approx_nb_samples = 1;
            break;
        case AV_CODEC_ID_ADPCM_EA_R3:
            header_size    = 4 + 5 * ch;
            *coded_samples = bytestream2_get_be32(gb);
+            *approx_nb_samples = 1;
            break;
        }
        *coded_samples -= *coded_samples % 28;
@ -663,11 +668,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
    int16_t **samples_p;
    int st; /* stereo */
    int count1, count2;
-    int nb_samples, coded_samples, ret;
+    int nb_samples, coded_samples, approx_nb_samples, ret;
    GetByteContext gb;

    bytestream2_init(&gb, buf, buf_size);
-    nb_samples = get_nb_samples(avctx, &gb, buf_size, &coded_samples);
+    nb_samples = get_nb_samples(avctx, &gb, buf_size, &coded_samples, &approx_nb_samples);
    if (nb_samples <= 0) {
        av_log(avctx, AV_LOG_ERROR, "invalid number of samples in packet\n");
        return AVERROR_INVALIDDATA;
@ -683,7 +688,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
    /* use coded_samples when applicable */
    /* it is always <= nb_samples, so the output buffer will be large enough */
    if (coded_samples) {
-        if (coded_samples != nb_samples)
+        if (!approx_nb_samples && coded_samples != nb_samples)
            av_log(avctx, AV_LOG_WARNING, "mismatch in coded sample count\n");
        frame->nb_samples = nb_samples = coded_samples;
    }
@ -917,6 +922,9 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
            *samples++ = c->status[0].predictor + c->status[1].predictor;
            *samples++ = c->status[0].predictor - c->status[1].predictor;
        }
+
+        if ((bytestream2_tell(&gb) & 1))
+            bytestream2_skip(&gb, 1);
        break;
    }
    case AV_CODEC_ID_ADPCM_IMA_ISS:
--- a/libavcodec/adpcmenc.c
+++ b/libavcodec/adpcmenc.c
@ -541,7 +541,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
    case AV_CODEC_ID_ADPCM_IMA_QT:
    {
        PutBitContext pb;
-        init_put_bits(&pb, dst, pkt_size * 8);
+        init_put_bits(&pb, dst, pkt_size);

        for (ch = 0; ch < avctx->channels; ch++) {
            ADPCMChannelStatus *status = &c->status[ch];
@ -549,10 +549,11 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
            put_bits(&pb, 7,  status->step_index);
            if (avctx->trellis > 0) {
                uint8_t buf[64];
-                adpcm_compress_trellis(avctx, &samples_p[ch][1], buf, status,
+                adpcm_compress_trellis(avctx, &samples_p[ch][0], buf, status,
                                       64, 1);
                for (i = 0; i < 64; i++)
                    put_bits(&pb, 4, buf[i ^ 1]);
+                status->prev_sample = status->predictor;
            } else {
                for (i = 0; i < 64; i += 2) {
                    int t1, t2;
@ -570,7 +571,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
    case AV_CODEC_ID_ADPCM_SWF:
    {
        PutBitContext pb;
-        init_put_bits(&pb, dst, pkt_size * 8);
+        init_put_bits(&pb, dst, pkt_size);

        n = frame->nb_samples - 1;

--- a/libavcodec/aic.c
+++ b/libavcodec/aic.c
@ -150,6 +150,7 @@ typedef struct AICContext {
    int16_t        *data_ptr[NUM_BANDS];

    DECLARE_ALIGNED(16, int16_t, block)[64];
+    DECLARE_ALIGNED(16, uint8_t, quant_matrix)[64];
 } AICContext;

 static int aic_decode_header(AICContext *ctx, const uint8_t *src, int size)
@ -285,7 +286,7 @@ static void recombine_block_il(int16_t *dst, const uint8_t *scan,
    }
 }

-static void unquant_block(int16_t *block, int q)
+static void unquant_block(int16_t *block, int q, uint8_t *quant_matrix)
 {
    int i;

@ -293,7 +294,7 @@ static void unquant_block(int16_t *block, int q)
        int val  = (uint16_t)block[i];
        int sign = val & 1;

-        block[i] = (((val >> 1) ^ -sign) * q * aic_quant_matrix[i] >> 4)
+        block[i] = (((val >> 1) ^ -sign) * q * quant_matrix[i] >> 4)
                   + sign;
    }
 }
@ -334,7 +335,7 @@ static int aic_decode_slice(AICContext *ctx, int mb_x, int mb_y,
            else
                recombine_block_il(ctx->block, ctx->scantable.permutated,
                                   &base_y, &ext_y, blk);
-            unquant_block(ctx->block, ctx->quant);
+            unquant_block(ctx->block, ctx->quant, ctx->quant_matrix);
            ctx->dsp.idct(ctx->block);

            if (!ctx->interlaced) {
@ -352,7 +353,7 @@ static int aic_decode_slice(AICContext *ctx, int mb_x, int mb_y,
        for (blk = 0; blk < 2; blk++) {
            recombine_block(ctx->block, ctx->scantable.permutated,
                            &base_c, &ext_c);
-            unquant_block(ctx->block, ctx->quant);
+            unquant_block(ctx->block, ctx->quant, ctx->quant_matrix);
            ctx->dsp.idct(ctx->block);
            ctx->dsp.put_signed_pixels_clamped(ctx->block, C[blk],
                                               ctx->frame->linesize[blk + 1]);
@ -430,12 +431,14 @@ static av_cold int aic_decode_init(AVCodecContext *avctx)
    for (i = 0; i < 64; i++)
        scan[i] = i;
    ff_init_scantable(ctx->dsp.idct_permutation, &ctx->scantable, scan);
+    for (i = 0; i < 64; i++)
+        ctx->quant_matrix[ctx->dsp.idct_permutation[i]] = aic_quant_matrix[i];

    ctx->mb_width  = FFALIGN(avctx->width,  16) >> 4;
    ctx->mb_height = FFALIGN(avctx->height, 16) >> 4;

-    ctx->num_x_slices = 16;
-    ctx->slice_width  = ctx->mb_width / 16;
+    ctx->num_x_slices = (ctx->mb_width + 15) >> 4;
+    ctx->slice_width  = 16;
    for (i = 1; i < 32; i++) {
        if (!(ctx->mb_width % i) && (ctx->mb_width / i < 32)) {
            ctx->slice_width  = ctx->mb_width / i;
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@ -311,6 +311,11 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index,
        int lpc_quant[2];
        int rice_history_mult[2];

+        if (!alac->rice_limit) {
+            avpriv_request_sample(alac->avctx, "Compression with rice limit 0");
+            return AVERROR(ENOSYS);
+        }
+
        decorr_shift       = get_bits(&alac->gb, 8);
        decorr_left_weight = get_bits(&alac->gb, 8);

@ -490,6 +495,7 @@ static int alac_decode_frame(AVCodecContext *avctx, void *data,
               avpkt->size * 8 - get_bits_count(&alac->gb));
    }

+    if (alac->channels == ch)
        *got_frame_ptr = 1;

    return avpkt->size;
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@ -280,7 +280,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
    GetBitContext gb;
    uint64_t ht_size;
    int i, config_offset;
-    MPEG4AudioConfig m4ac;
+    MPEG4AudioConfig m4ac = {0};
    ALSSpecificConfig *sconf = &ctx->sconf;
    AVCodecContext *avctx    = ctx->avctx;
    uint32_t als_id, header_size, trailer_size;
@ -355,11 +355,15 @@ static av_cold int read_specific_config(ALSDecContext *ctx)

        ctx->cs_switch = 1;

+        for (i = 0; i < avctx->channels; i++) {
+            sconf->chan_pos[i] = -1;
+        }
+
        for (i = 0; i < avctx->channels; i++) {
            int idx;

            idx = get_bits(&gb, chan_pos_bits);
-            if (idx >= avctx->channels) {
+            if (idx >= avctx->channels || sconf->chan_pos[idx] != -1) {
                av_log(avctx, AV_LOG_WARNING, "Invalid channel reordering.\n");
                ctx->cs_switch = 0;
                break;
@ -676,7 +680,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)


    if (!sconf->rlslms) {
-        if (sconf->adapt_order) {
+        if (sconf->adapt_order && sconf->max_order) {
            int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1,
                                                2, sconf->max_order + 1));
            *bd->opt_order       = get_bits(gb, opt_order_length);
@ -688,7 +692,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
        } else {
            *bd->opt_order = sconf->max_order;
        }
-
+        if (*bd->opt_order > bd->block_length) {
+            *bd->opt_order = bd->block_length;
+            av_log(avctx, AV_LOG_ERROR, "Predictor order too large.\n");
+            return AVERROR_INVALIDDATA;
+        }
        opt_order = *bd->opt_order;

        if (opt_order) {
@ -1234,6 +1242,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
    ALSChannelData *ch = cd[c];
    unsigned int   dep = 0;
    unsigned int channels = ctx->avctx->channels;
+    unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order;

    if (reverted[c])
        return 0;
@ -1265,9 +1274,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,

    dep = 0;
    while (!ch[dep].stop_flag) {
-        unsigned int smp;
-        unsigned int begin = 1;
-        unsigned int end   = bd->block_length - 1;
+        ptrdiff_t smp;
+        ptrdiff_t begin = 1;
+        ptrdiff_t end   = bd->block_length - 1;
        int64_t y;
        int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset;

@ -1276,11 +1285,28 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,

            if (ch[dep].time_diff_sign) {
                t      = -t;
+                if (begin < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "begin %td smaller than time diff index %d.\n", begin, t);
+                    return AVERROR_INVALIDDATA;
+                }
                begin -= t;
            } else {
+                if (end < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "end %td smaller than time diff index %d.\n", end, t);
+                    return AVERROR_INVALIDDATA;
+                }
                end   -= t;
            }

+            if (FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer - master ||
+                FFMAX(end   + 1,   end + 1 + t) > ctx->raw_buffer + channels * channel_size - master) {
+                av_log(ctx->avctx, AV_LOG_ERROR,
+                       "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n",
+                       master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1,   end + 1 + t),
+                       ctx->raw_buffer, ctx->raw_buffer + channels * channel_size);
+                return AVERROR_INVALIDDATA;
+            }
+
            for (smp = begin; smp < end; smp++) {
                y  = (1 << 6) +
                     MUL64(ch[dep].weighting[0], master[smp - 1    ]) +
@ -1293,6 +1319,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
                bd->raw_samples[smp] += y >> 7;
            }
        } else {
+
+            if (begin - 1 < ctx->raw_buffer - master ||
+                end   + 1 > ctx->raw_buffer + channels * channel_size - master) {
+                av_log(ctx->avctx, AV_LOG_ERROR,
+                       "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n",
+                       master + begin - 1, master + end + 1,
+                       ctx->raw_buffer, ctx->raw_buffer + channels * channel_size);
+                return AVERROR_INVALIDDATA;
+            }
+
            for (smp = begin; smp < end; smp++) {
                y  = (1 << 6) +
                     MUL64(ch[dep].weighting[0], master[smp - 1]) +
@ -1711,9 +1747,9 @@ static av_cold int decode_init(AVCodecContext *avctx)

    // allocate and assign channel data buffer for mcc mode
    if (sconf->mc_coding) {
-        ctx->chan_data_buffer  = av_malloc(sizeof(*ctx->chan_data_buffer) *
+        ctx->chan_data_buffer  = av_mallocz(sizeof(*ctx->chan_data_buffer) *
                                           num_buffers * num_buffers);
-        ctx->chan_data         = av_malloc(sizeof(*ctx->chan_data) *
+        ctx->chan_data         = av_mallocz(sizeof(*ctx->chan_data) *
                                           num_buffers);
        ctx->reverted_channels = av_malloc(sizeof(*ctx->reverted_channels) *
                                           num_buffers);
--- a/libavcodec/ansi.c
+++ b/libavcodec/ansi.c
@ -417,7 +417,7 @@ static int decode_frame(AVCodecContext *avctx,
            switch(buf[0]) {
            case '0': case '1': case '2': case '3': case '4':
            case '5': case '6': case '7': case '8': case '9':
-                if (s->nb_args < MAX_NB_ARGS)
+                if (s->nb_args < MAX_NB_ARGS && s->args[s->nb_args] < 6553)
                    s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0';
                break;
            case ';':
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@ -598,15 +598,19 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb,
    int ksummax, ksummin;

    rice->ksum = 0;
-    for (i = 0; i < 5; i++) {
+    for (i = 0; i < FFMIN(blockstodecode, 5); i++) {
        out[i] = get_rice_ook(&ctx->gb, 10);
        rice->ksum += out[i];
    }
    rice->k = av_log2(rice->ksum / 10) + 1;
-    for (; i < 64; i++) {
+    if (rice->k >= 24)
+        return;
+    for (; i < FFMIN(blockstodecode, 64); i++) {
        out[i] = get_rice_ook(&ctx->gb, rice->k);
        rice->ksum += out[i];
        rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1;
+        if (rice->k >= 24)
+            return;
    }
    ksummax = 1 << rice->k + 7;
    ksummin = rice->k ? (1 << rice->k + 6) : 0;
@ -1467,13 +1471,13 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
            av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks);
            return AVERROR_INVALIDDATA;
        }
-        s->samples = nblocks;

        /* Initialize the frame decoder */
        if (init_frame_decoder(s) < 0) {
            av_log(avctx, AV_LOG_ERROR, "Error reading frame header\n");
            return AVERROR_INVALIDDATA;
        }
+        s->samples = nblocks;
    }

    if (!s->data) {
--- a/libavcodec/arm/int_neon.S
+++ b/libavcodec/arm/int_neon.S
@ -41,10 +41,10 @@ function ff_scalarproduct_int16_neon, export=1

        vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
@ -81,10 +81,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1

        vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
--- a/libavcodec/asv.c
+++ b/libavcodec/asv.c
@ -89,6 +89,5 @@ av_cold void ff_asv_common_init(AVCodecContext *avctx) {
    a->mb_width2  = (avctx->width  + 0) / 16;
    a->mb_height2 = (avctx->height + 0) / 16;

-    avctx->coded_frame= &a->picture;
    a->avctx= avctx;
 }
--- a/libavcodec/asv.h
+++ b/libavcodec/asv.h
@ -38,7 +38,6 @@
 typedef struct ASV1Context{
    AVCodecContext *avctx;
    DSPContext dsp;
-    AVFrame picture;
    PutBitContext pb;
    GetBitContext gb;
    ScanTable scantable;
--- a/libavcodec/asvenc.c
+++ b/libavcodec/asvenc.c
@ -148,14 +148,16 @@ static inline int encode_mb(ASV1Context *a, int16_t block[6][64]){
    return 0;
 }

-static inline void dct_get(ASV1Context *a, int mb_x, int mb_y){
+static inline void dct_get(ASV1Context *a, const AVFrame *frame,
+                           int mb_x, int mb_y)
+{
    int16_t (*block)[64]= a->block;
-    int linesize= a->picture.linesize[0];
+    int linesize = frame->linesize[0];
    int i;

-    uint8_t *ptr_y  = a->picture.data[0] + (mb_y * 16* linesize              ) + mb_x * 16;
-    uint8_t *ptr_cb = a->picture.data[1] + (mb_y * 8 * a->picture.linesize[1]) + mb_x * 8;
-    uint8_t *ptr_cr = a->picture.data[2] + (mb_y * 8 * a->picture.linesize[2]) + mb_x * 8;
+    uint8_t *ptr_y  = frame->data[0] + (mb_y * 16* linesize              ) + mb_x * 16;
+    uint8_t *ptr_cb = frame->data[1] + (mb_y * 8 * frame->linesize[1]) + mb_x * 8;
+    uint8_t *ptr_cr = frame->data[2] + (mb_y * 8 * frame->linesize[2]) + mb_x * 8;

    a->dsp.get_pixels(block[0], ptr_y                 , linesize);
    a->dsp.get_pixels(block[1], ptr_y              + 8, linesize);
@ -165,8 +167,8 @@ static inline void dct_get(ASV1Context *a, int mb_x, int mb_y){
        a->dsp.fdct(block[i]);

    if(!(a->avctx->flags&CODEC_FLAG_GRAY)){
-        a->dsp.get_pixels(block[4], ptr_cb, a->picture.linesize[1]);
-        a->dsp.get_pixels(block[5], ptr_cr, a->picture.linesize[2]);
+        a->dsp.get_pixels(block[4], ptr_cb, frame->linesize[1]);
+        a->dsp.get_pixels(block[5], ptr_cr, frame->linesize[2]);
        for(i=4; i<6; i++)
            a->dsp.fdct(block[i]);
    }
@ -176,7 +178,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
                        const AVFrame *pict, int *got_packet)
 {
    ASV1Context * const a = avctx->priv_data;
-    AVFrame * const p= &a->picture;
    int size, ret;
    int mb_x, mb_y;

@ -186,13 +187,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,

    init_put_bits(&a->pb, pkt->data, pkt->size);

-    *p = *pict;
-    p->pict_type= AV_PICTURE_TYPE_I;
-    p->key_frame= 1;
-
    for(mb_y=0; mb_y<a->mb_height2; mb_y++){
        for(mb_x=0; mb_x<a->mb_width2; mb_x++){
-            dct_get(a, mb_x, mb_y);
+            dct_get(a, pict, mb_x, mb_y);
            encode_mb(a, a->block);
        }
    }
@ -200,7 +197,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
    if(a->mb_width2 != a->mb_width){
        mb_x= a->mb_width2;
        for(mb_y=0; mb_y<a->mb_height2; mb_y++){
-            dct_get(a, mb_x, mb_y);
+            dct_get(a, pict, mb_x, mb_y);
            encode_mb(a, a->block);
        }
    }
@ -208,7 +205,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
    if(a->mb_height2 != a->mb_height){
        mb_y= a->mb_height2;
        for(mb_x=0; mb_x<a->mb_width; mb_x++){
-            dct_get(a, mb_x, mb_y);
+            dct_get(a, pict, mb_x, mb_y);
            encode_mb(a, a->block);
        }
    }
@ -240,6 +237,12 @@ static av_cold int encode_init(AVCodecContext *avctx){
    int i;
    const int scale= avctx->codec_id == AV_CODEC_ID_ASV1 ? 1 : 2;

+    avctx->coded_frame = av_frame_alloc();
+    if (!avctx->coded_frame)
+        return AVERROR(ENOMEM);
+    avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I;
+    avctx->coded_frame->key_frame = 1;
+
    ff_asv_common_init(avctx);

    if(avctx->global_quality == 0) avctx->global_quality= 4*FF_QUALITY_SCALE;
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@ -380,7 +380,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
 int av_packet_split_side_data(AVPacket *pkt){
    if (!pkt->side_data_elems && pkt->size >12 && AV_RB64(pkt->data + pkt->size - 8) == FF_MERGE_MARKER){
        int i;
-        unsigned int size, orig_pktsize = pkt->size;
+        unsigned int size;
        uint8_t *p;

        p = pkt->data + pkt->size - 8 - 5;
@ -413,13 +413,6 @@ int av_packet_split_side_data(AVPacket *pkt){
            p-= size+5;
        }
        pkt->size -= 8;
-        /* FFMIN() prevents overflow in case the packet wasn't allocated with
-         * proper padding.
-         * If the side data is smaller than the buffer padding size, the
-         * remaining bytes should have already been filled with zeros by the
-         * original packet allocation anyway. */
-        memset(pkt->data + pkt->size, 0,
-               FFMIN(orig_pktsize - pkt->size, FF_INPUT_BUFFER_PADDING_SIZE));
        pkt->side_data_elems = i+1;
        return 1;
    }
--- a/libavcodec/avs.c
+++ b/libavcodec/avs.c
@ -25,7 +25,7 @@


 typedef struct {
-    AVFrame picture;
+    AVFrame *frame;
 } AvsContext;

 typedef enum {
@ -52,7 +52,7 @@ avs_decode_frame(AVCodecContext * avctx,
    int buf_size = avpkt->size;
    AvsContext *const avs = avctx->priv_data;
    AVFrame *picture = data;
-    AVFrame *const p =  &avs->picture;
+    AVFrame *const p =  avs->frame;
    const uint8_t *table, *vect;
    uint8_t *out;
    int i, j, x, y, stride, ret, vect_w = 3, vect_h = 3;
@ -65,8 +65,8 @@ avs_decode_frame(AVCodecContext * avctx,
    p->pict_type = AV_PICTURE_TYPE_P;
    p->key_frame = 0;

-    out = avs->picture.data[0];
-    stride = avs->picture.linesize[0];
+    out    = p->data[0];
+    stride = p->linesize[0];

    if (buf_end - buf < 4)
        return AVERROR_INVALIDDATA;
@ -76,7 +76,7 @@ avs_decode_frame(AVCodecContext * avctx,

    if (type == AVS_PALETTE) {
        int first, last;
-        uint32_t *pal = (uint32_t *) avs->picture.data[1];
+        uint32_t *pal = (uint32_t *) p->data[1];

        first = AV_RL16(buf);
        last = first + AV_RL16(buf + 2);
@ -149,7 +149,7 @@ avs_decode_frame(AVCodecContext * avctx,
            align_get_bits(&change_map);
    }

-    if ((ret = av_frame_ref(picture, &avs->picture)) < 0)
+    if ((ret = av_frame_ref(picture, p)) < 0)
        return ret;
    *got_frame = 1;

@ -159,16 +159,21 @@ avs_decode_frame(AVCodecContext * avctx,
 static av_cold int avs_decode_init(AVCodecContext * avctx)
 {
    AvsContext *s = avctx->priv_data;
+
+    s->frame = av_frame_alloc();
+    if (!s->frame)
+        return AVERROR(ENOMEM);
+
    avctx->pix_fmt = AV_PIX_FMT_PAL8;
    avcodec_set_dimensions(avctx, 318, 198);
-    avcodec_get_frame_defaults(&s->picture);
+
    return 0;
 }

 static av_cold int avs_decode_end(AVCodecContext *avctx)
 {
    AvsContext *s = avctx->priv_data;
-    av_frame_unref(&s->picture);
+    av_frame_free(&s->frame);
    return 0;
 }

--- a/libavcodec/bethsoftvideo.c
+++ b/libavcodec/bethsoftvideo.c
@ -34,21 +34,25 @@
 #include "internal.h"

 typedef struct BethsoftvidContext {
-    AVFrame frame;
+    AVFrame *frame;
    GetByteContext g;
 } BethsoftvidContext;

 static av_cold int bethsoftvid_decode_init(AVCodecContext *avctx)
 {
    BethsoftvidContext *vid = avctx->priv_data;
-    avcodec_get_frame_defaults(&vid->frame);
    avctx->pix_fmt = AV_PIX_FMT_PAL8;
+
+    vid->frame = av_frame_alloc();
+    if (!vid->frame)
+        return AVERROR(ENOMEM);
+
    return 0;
 }

 static int set_palette(BethsoftvidContext *ctx)
 {
-    uint32_t *palette = (uint32_t *)ctx->frame.data[1];
+    uint32_t *palette = (uint32_t *)ctx->frame->data[1];
    int a;

    if (bytestream2_get_bytes_left(&ctx->g) < 256*3)
@ -58,7 +62,7 @@ static int set_palette(BethsoftvidContext *ctx)
        palette[a] = 0xFFU << 24 | bytestream2_get_be24u(&ctx->g) * 4;
        palette[a] |= palette[a] >> 6 & 0x30303;
    }
-    ctx->frame.palette_has_changed = 1;
+    ctx->frame->palette_has_changed = 1;
    return 0;
 }

@ -75,9 +79,9 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
    int code, ret;
    int yoffset;

-    if ((ret = ff_reget_buffer(avctx, &vid->frame)) < 0)
+    if ((ret = ff_reget_buffer(avctx, vid->frame)) < 0)
        return ret;
-    wrap_to_next_line = vid->frame.linesize[0] - avctx->width;
+    wrap_to_next_line = vid->frame->linesize[0] - avctx->width;

    if (avpkt->side_data_elems > 0 &&
        avpkt->side_data[0].type == AV_PKT_DATA_PALETTE) {
@ -88,8 +92,8 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
    }

    bytestream2_init(&vid->g, avpkt->data, avpkt->size);
-    dst = vid->frame.data[0];
-    frame_end = vid->frame.data[0] + vid->frame.linesize[0] * avctx->height;
+    dst = vid->frame->data[0];
+    frame_end = vid->frame->data[0] + vid->frame->linesize[0] * avctx->height;

    switch(block_type = bytestream2_get_byte(&vid->g)){
        case PALETTE_BLOCK: {
@ -104,7 +108,7 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
            yoffset = bytestream2_get_le16(&vid->g);
            if(yoffset >= avctx->height)
                return AVERROR_INVALIDDATA;
-            dst += vid->frame.linesize[0] * yoffset;
+            dst += vid->frame->linesize[0] * yoffset;
    }

    // main code
@ -134,7 +138,7 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
    }
    end:

-    if ((ret = av_frame_ref(data, &vid->frame)) < 0)
+    if ((ret = av_frame_ref(data, vid->frame)) < 0)
        return ret;

    *got_frame = 1;
@ -145,7 +149,7 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
 static av_cold int bethsoftvid_decode_end(AVCodecContext *avctx)
 {
    BethsoftvidContext * vid = avctx->priv_data;
-    av_frame_unref(&vid->frame);
+    av_frame_free(&vid->frame);
    return 0;
 }

--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@ -120,6 +120,7 @@ typedef struct BinkContext {
    int            version;              ///< internal Bink file version
    int            has_alpha;
    int            swap_planes;
+    unsigned       frame_num;

    Bundle         bundle[BINKB_NB_SRC]; ///< bundles for decoding all data types
    Tree           col_high[16];         ///< trees for decoding high nibble in "colours" data type
@ -1206,6 +1207,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
    if (c->version >= 'i')
        skip_bits_long(&gb, 32);

+    c->frame_num++;
+
    for (plane = 0; plane < 3; plane++) {
        plane_idx = (!plane || !c->swap_planes) ? plane : (plane ^ 3);

@ -1214,7 +1217,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                return ret;
        } else {
            if ((ret = binkb_decode_plane(c, frame, &gb, plane_idx,
-                                          !avctx->frame_number, !!plane)) < 0)
+                                          c->frame_num == 1, !!plane)) < 0)
                return ret;
        }
        if (get_bits_count(&gb) >= bits_count)
@ -1332,6 +1335,13 @@ static av_cold int decode_end(AVCodecContext *avctx)
    return 0;
 }

+static void flush(AVCodecContext *avctx)
+{
+    BinkContext * const c = avctx->priv_data;
+
+    c->frame_num = 0;
+}
+
 AVCodec ff_bink_decoder = {
    .name           = "binkvideo",
    .long_name      = NULL_IF_CONFIG_SMALL("Bink video"),
@ -1341,5 +1351,6 @@ AVCodec ff_bink_decoder = {
    .init           = decode_init,
    .close          = decode_end,
    .decode         = decode_frame,
+    .flush          = flush,
    .capabilities   = CODEC_CAP_DR1,
 };
--- a/libavcodec/bmpenc.c
+++ b/libavcodec/bmpenc.c
@ -60,22 +60,26 @@ static av_cold int bmp_encode_init(AVCodecContext *avctx){
        return AVERROR(EINVAL);
    }

+    avctx->coded_frame = av_frame_alloc();
+    if (!avctx->coded_frame)
+        return AVERROR(ENOMEM);
+
    return 0;
 }

 static int bmp_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
                            const AVFrame *pict, int *got_packet)
 {
+    const AVFrame * const p = pict;
    int n_bytes_image, n_bytes_per_row, n_bytes, i, n, hsize, ret;
    const uint32_t *pal = NULL;
    uint32_t palette256[256];
    int pad_bytes_per_row, pal_entries = 0, compression = BMP_RGB;
    int bit_count = avctx->bits_per_coded_sample;
    uint8_t *ptr, *buf;
-    AVFrame * const p = (AVFrame *)pict;

-    p->pict_type= AV_PICTURE_TYPE_I;
-    p->key_frame= 1;
+    avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I;
+    avctx->coded_frame->key_frame = 1;
    switch (avctx->pix_fmt) {
    case AV_PIX_FMT_RGB444:
        compression = BMP_BITFIELDS;
@ -159,6 +163,12 @@ static int bmp_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
    return 0;
 }

+static av_cold int bmp_encode_close(AVCodecContext *avctx)
+{
+    av_frame_free(&avctx->coded_frame);
+    return 0;
+}
+
 AVCodec ff_bmp_encoder = {
    .name           = "bmp",
    .long_name      = NULL_IF_CONFIG_SMALL("BMP (Windows and OS/2 bitmap)"),
@ -166,6 +176,7 @@ AVCodec ff_bmp_encoder = {
    .id             = AV_CODEC_ID_BMP,
    .init           = bmp_encode_init,
    .encode2        = bmp_encode_frame,
+    .close          = bmp_encode_close,
    .pix_fmts       = (const enum AVPixelFormat[]){
        AV_PIX_FMT_BGRA, AV_PIX_FMT_BGR24,
        AV_PIX_FMT_RGB565, AV_PIX_FMT_RGB555, AV_PIX_FMT_RGB444,
--- a/libavcodec/c93.c
+++ b/libavcodec/c93.c
@ -24,7 +24,7 @@
 #include "internal.h"

 typedef struct {
-    AVFrame pictures[2];
+    AVFrame *pictures[2];
    int currentpic;
 } C93DecoderContext;

@ -46,21 +46,27 @@ typedef enum {
 #define C93_HAS_PALETTE 0x01
 #define C93_FIRST_FRAME 0x02

-static av_cold int decode_init(AVCodecContext *avctx)
-{
-    C93DecoderContext *s = avctx->priv_data;
-    avctx->pix_fmt = AV_PIX_FMT_PAL8;
-    avcodec_get_frame_defaults(&s->pictures[0]);
-    avcodec_get_frame_defaults(&s->pictures[1]);
-    return 0;
-}
-
 static av_cold int decode_end(AVCodecContext *avctx)
 {
    C93DecoderContext * const c93 = avctx->priv_data;

-    av_frame_unref(&c93->pictures[0]);
-    av_frame_unref(&c93->pictures[1]);
+    av_frame_free(&c93->pictures[0]);
+    av_frame_free(&c93->pictures[1]);
+
+    return 0;
+}
+
+static av_cold int decode_init(AVCodecContext *avctx)
+{
+    C93DecoderContext *s = avctx->priv_data;
+    avctx->pix_fmt = AV_PIX_FMT_PAL8;
+
+    s->pictures[0] = av_frame_alloc();
+    s->pictures[1] = av_frame_alloc();
+    if (!s->pictures[0] || !s->pictures[1]) {
+        decode_end(avctx);
+        return AVERROR(ENOMEM);
+    }

    return 0;
 }
@ -121,8 +127,8 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    const uint8_t *buf = avpkt->data;
    int buf_size = avpkt->size;
    C93DecoderContext * const c93 = avctx->priv_data;
-    AVFrame * const newpic = &c93->pictures[c93->currentpic];
-    AVFrame * const oldpic = &c93->pictures[c93->currentpic^1];
+    AVFrame * const newpic = c93->pictures[c93->currentpic];
+    AVFrame * const oldpic = c93->pictures[c93->currentpic^1];
    GetByteContext gb;
    uint8_t *out;
    int stride, ret, i, x, y, b, bt = 0;
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@ -301,7 +301,7 @@ STOP_TIMER("get_cabac_bypass")

    for(i=0; i<SIZE; i++){
 START_TIMER
-        if( (r[i]&1) != get_cabac(&c, state) )
+        if( (r[i]&1) != get_cabac_noinline(&c, state) )
            av_log(NULL, AV_LOG_ERROR, "CABAC failure at %d\n", i);
 STOP_TIMER("get_cabac")
    }
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@ -49,6 +49,9 @@ static void refill(CABACContext *c){
        c->low+= c->bytestream[0]<<1;
 #endif
    c->low -= CABAC_MASK;
+#if !UNCHECKED_BITSTREAM_READER
+    if (c->bytestream < c->bytestream_end)
+#endif
        c->bytestream += CABAC_BITS / 8;
 }

@ -76,6 +79,9 @@ static void refill2(CABACContext *c){
 #endif

    c->low += x<<i;
+#if !UNCHECKED_BITSTREAM_READER
+    if (c->bytestream < c->bytestream_end)
+#endif
        c->bytestream += CABAC_BITS/8;
 }

--- a/libavcodec/cavs.h
+++ b/libavcodec/cavs.h
@ -214,6 +214,7 @@ typedef struct AVSContext {
    int luma_scan[4];
    int qp;
    int qp_fixed;
+    int pic_qp_fixed;
    int cbp;
    ScanTable scantable;

--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@ -900,7 +900,7 @@ static inline int decode_slice_header(AVSContext *h, GetBitContext *gb)

    /* mark top macroblocks as unavailable */
    h->flags &= ~(B_AVAIL | C_AVAIL);
-    if ((h->mby == 0) && (!h->qp_fixed)) {
+    if (!h->pic_qp_fixed) {
        h->qp_fixed = get_bits1(gb);
        h->qp       = get_bits(gb, 6);
    }
@ -1023,6 +1023,7 @@ static int decode_pic(AVSContext *h)
        skip_bits1(&h->gb);     //advanced_pred_mode_disable
    skip_bits1(&h->gb);        //top_field_first
    skip_bits1(&h->gb);        //repeat_first_field
+    h->pic_qp_fixed =
    h->qp_fixed = get_bits1(&h->gb);
    h->qp       = get_bits(&h->gb, 6);
    if (h->cur.f->pict_type == AV_PICTURE_TYPE_I) {
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@ -353,10 +353,9 @@ static int cdg_decode_frame(AVCodecContext *avctx,
        *got_frame = 1;
    } else {
        *got_frame = 0;
-        buf_size   = 0;
    }

-    return buf_size;
+    return avpkt->size;
 }

 static av_cold int cdg_decode_end(AVCodecContext *avctx)
--- a/libavcodec/cinepak.c
+++ b/libavcodec/cinepak.c
@ -135,7 +135,7 @@ static int cinepak_decode_vectors (CinepakContext *s, cvid_strip *strip,
    const uint8_t   *eod = (data + size);
    uint32_t         flag, mask;
    uint8_t         *cb0, *cb1, *cb2, *cb3;
-    unsigned int     x, y;
+    int             x, y;
    char            *ip0, *ip1, *ip2, *ip3;

    flag = 0;
--- a/libavcodec/cljr.c
+++ b/libavcodec/cljr.c
@ -99,16 +99,21 @@ AVCodec ff_cljr_decoder = {
 #if CONFIG_CLJR_ENCODER
 typedef struct CLJRContext {
    AVClass        *avclass;
-    AVFrame         picture;
    int             dither_type;
 } CLJRContext;

 static av_cold int encode_init(AVCodecContext *avctx)
 {
-    CLJRContext * const a = avctx->priv_data;
+    avctx->coded_frame = av_frame_alloc();
+    if (!avctx->coded_frame)
+        return AVERROR(ENOMEM);

-    avctx->coded_frame = &a->picture;
+    return 0;
+}

+static av_cold int encode_close(AVCodecContext *avctx)
+{
+    av_frame_free(&avctx->coded_frame);
    return 0;
 }

@ -183,6 +188,7 @@ AVCodec ff_cljr_encoder = {
    .priv_data_size = sizeof(CLJRContext),
    .init           = encode_init,
    .encode2        = encode_frame,
+    .close          = encode_close,
    .pix_fmts       = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUV411P,
                                                   AV_PIX_FMT_NONE },
    .priv_class     = &cljr_class,
--- a/libavcodec/cook.c
+++ b/libavcodec/cook.c
@ -1217,8 +1217,8 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)

        q->num_subpackets++;
        s++;
-        if (s > MAX_SUBPACKETS) {
-            avpriv_request_sample(avctx, "subpackets > %d", MAX_SUBPACKETS);
+        if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) {
+            avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align));
            return AVERROR_PATCHWELCOME;
        }
    }
--- a/libavcodec/dirac_arith.h
+++ b/libavcodec/dirac_arith.h
@ -28,6 +28,7 @@
 #ifndef AVCODEC_DIRAC_ARITH_H
 #define AVCODEC_DIRAC_ARITH_H

+#include "libavutil/x86/asm.h"
 #include "bytestream.h"
 #include "get_bits.h"

@ -134,7 +135,7 @@ static inline int dirac_get_arith_bit(DiracArith *c, int ctx)

    range_times_prob = (c->range * prob_zero) >> 16;

-#if HAVE_FAST_CMOV && HAVE_INLINE_ASM
+#if HAVE_FAST_CMOV && HAVE_INLINE_ASM && HAVE_6REGS
    low   -= range_times_prob << 16;
    range -= range_times_prob;
    bit = 0;
@ -170,6 +171,10 @@ static inline int dirac_get_arith_uint(DiracArith *c, int follow_ctx, int data_c
 {
    int ret = 1;
    while (!dirac_get_arith_bit(c, follow_ctx)) {
+        if (ret >= 0x40000000) {
+            av_log(NULL, AV_LOG_ERROR, "dirac_get_arith_uint overflow\n");
+            return -1;
+        }
        ret <<= 1;
        ret += dirac_get_arith_bit(c, data_ctx);
        follow_ctx = ff_dirac_next_ctx[follow_ctx];
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@ -80,7 +80,7 @@
 #define DIVRNDUP(a, b) (((a) + (b) - 1) / (b))

 typedef struct {
-    AVFrame avframe;
+    AVFrame *avframe;
    int interpolated[3];    /* 1 if hpel[] is valid */
    uint8_t *hpel[3][4];
    uint8_t *hpel_base[3][4];
@ -201,6 +201,7 @@ typedef struct DiracContext {

    uint16_t *mctmp;            /* buffer holding the MC data multipled by OBMC weights */
    uint8_t *mcscratch;
+    int buffer_stride;

    DECLARE_ALIGNED(16, uint8_t, obmc_weight)[3][MAX_BLOCKSIZE*MAX_BLOCKSIZE];

@ -291,7 +292,7 @@ static DiracFrame *remove_frame(DiracFrame *framelist[], int picnum)
    int i, remove_idx = -1;

    for (i = 0; framelist[i]; i++)
-        if (framelist[i]->avframe.display_picture_number == picnum) {
+        if (framelist[i]->avframe->display_picture_number == picnum) {
            remove_pic = framelist[i];
            remove_idx = i;
        }
@ -343,29 +344,51 @@ static int alloc_sequence_buffers(DiracContext *s)
            return AVERROR(ENOMEM);
    }

-    w = s->source.width;
-    h = s->source.height;
-
    /* fixme: allocate using real stride here */
-    s->sbsplit  = av_malloc(sbwidth * sbheight);
-    s->blmotion = av_malloc(sbwidth * sbheight * 16 * sizeof(*s->blmotion));
-    s->edge_emu_buffer_base = av_malloc((w+64)*MAX_BLOCKSIZE);
+    s->sbsplit  = av_malloc_array(sbwidth, sbheight);
+    s->blmotion = av_malloc_array(sbwidth, sbheight * 16 * sizeof(*s->blmotion));

-    s->mctmp     = av_malloc((w+64+MAX_BLOCKSIZE) * (h+MAX_BLOCKSIZE) * sizeof(*s->mctmp));
-    s->mcscratch = av_malloc((w+64)*MAX_BLOCKSIZE);
-
-    if (!s->sbsplit || !s->blmotion || !s->mctmp || !s->mcscratch)
+    if (!s->sbsplit || !s->blmotion)
        return AVERROR(ENOMEM);
    return 0;
 }

+static int alloc_buffers(DiracContext *s, int stride)
+{
+    int w = s->source.width;
+    int h = s->source.height;
+
+    av_assert0(stride >= w);
+    stride += 64;
+
+    if (s->buffer_stride >= stride)
+        return 0;
+    s->buffer_stride = 0;
+
+    av_freep(&s->edge_emu_buffer_base);
+    memset(s->edge_emu_buffer, 0, sizeof(s->edge_emu_buffer));
+    av_freep(&s->mctmp);
+    av_freep(&s->mcscratch);
+
+    s->edge_emu_buffer_base = av_malloc_array(stride, MAX_BLOCKSIZE);
+
+    s->mctmp     = av_malloc_array((stride+MAX_BLOCKSIZE), (h+MAX_BLOCKSIZE) * sizeof(*s->mctmp));
+    s->mcscratch = av_malloc_array(stride, MAX_BLOCKSIZE);
+
+    if (!s->edge_emu_buffer_base || !s->mctmp || !s->mcscratch)
+        return AVERROR(ENOMEM);
+
+    s->buffer_stride = stride;
+    return 0;
+}
+
 static void free_sequence_buffers(DiracContext *s)
 {
    int i, j, k;

    for (i = 0; i < MAX_FRAMES; i++) {
-        if (s->all_frames[i].avframe.data[0]) {
-            av_frame_unref(&s->all_frames[i].avframe);
+        if (s->all_frames[i].avframe->data[0]) {
+            av_frame_unref(s->all_frames[i].avframe);
            memset(s->all_frames[i].interpolated, 0, sizeof(s->all_frames[i].interpolated));
        }

@ -382,6 +405,7 @@ static void free_sequence_buffers(DiracContext *s)
        av_freep(&s->plane[i].idwt_tmp);
    }

+    s->buffer_stride = 0;
    av_freep(&s->sbsplit);
    av_freep(&s->blmotion);
    av_freep(&s->edge_emu_buffer_base);
@ -393,6 +417,8 @@ static void free_sequence_buffers(DiracContext *s)
 static av_cold int dirac_decode_init(AVCodecContext *avctx)
 {
    DiracContext *s = avctx->priv_data;
+    int i;
+
    s->avctx = avctx;
    s->frame_number = -1;

@ -404,6 +430,15 @@ static av_cold int dirac_decode_init(AVCodecContext *avctx)
    ff_dsputil_init(&s->dsp, avctx);
    ff_diracdsp_init(&s->diracdsp);

+    for (i = 0; i < MAX_FRAMES; i++) {
+        s->all_frames[i].avframe = av_frame_alloc();
+        if (!s->all_frames[i].avframe) {
+            while (i > 0)
+                av_frame_free(&s->all_frames[--i].avframe);
+            return AVERROR(ENOMEM);
+        }
+    }
+
    return 0;
 }

@ -417,7 +452,13 @@ static void dirac_decode_flush(AVCodecContext *avctx)

 static av_cold int dirac_decode_end(AVCodecContext *avctx)
 {
+    DiracContext *s = avctx->priv_data;
+    int i;
+
    dirac_decode_flush(avctx);
+    for (i = 0; i < MAX_FRAMES; i++)
+        av_frame_free(&s->all_frames[i].avframe);
+
    return 0;
 }

@ -574,10 +615,10 @@ static av_always_inline void decode_subband_internal(DiracContext *s, SubBand *b

    top = 0;
    for (cb_y = 0; cb_y < cb_height; cb_y++) {
-        bottom = (b->height * (cb_y+1)) / cb_height;
+        bottom = (b->height * (cb_y+1LL)) / cb_height;
        left = 0;
        for (cb_x = 0; cb_x < cb_width; cb_x++) {
-            right = (b->width * (cb_x+1)) / cb_width;
+            right = (b->width * (cb_x+1LL)) / cb_width;
            codeblock(s, b, &gb, &c, left, right, top, bottom, blockcnt_one, is_arith);
            left = right;
        }
@ -966,8 +1007,8 @@ static int dirac_unpack_idwt_params(DiracContext *s)
        /* Codeblock parameters (core syntax only) */
        if (get_bits1(gb)) {
            for (i = 0; i <= s->wavelet_depth; i++) {
-                CHECKEDREAD(s->codeblock[i].width , tmp < 1, "codeblock width invalid\n")
-                CHECKEDREAD(s->codeblock[i].height, tmp < 1, "codeblock height invalid\n")
+                CHECKEDREAD(s->codeblock[i].width , tmp < 1 || tmp > (s->avctx->width >>s->wavelet_depth-i), "codeblock width invalid\n")
+                CHECKEDREAD(s->codeblock[i].height, tmp < 1 || tmp > (s->avctx->height>>s->wavelet_depth-i), "codeblock height invalid\n")
            }

            CHECKEDREAD(s->codeblock_mode, tmp > 1, "unknown codeblock mode\n")
@ -1343,8 +1384,8 @@ static int mc_subpel(DiracContext *s, DiracBlock *block, const uint8_t *src[5],
        motion_y >>= s->chroma_y_shift;
    }

-    mx         = motion_x & ~(-1 << s->mv_precision);
-    my         = motion_y & ~(-1 << s->mv_precision);
+    mx         = motion_x & ~(-1U << s->mv_precision);
+    my         = motion_y & ~(-1U << s->mv_precision);
    motion_x >>= s->mv_precision;
    motion_y >>= s->mv_precision;
    /* normalize subpel coordinates to epel */
@ -1519,8 +1560,8 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in
       just use 8 for everything for the moment */
    int i, edge = EDGE_WIDTH/2;

-    ref->hpel[plane][0] = ref->avframe.data[plane];
-    s->dsp.draw_edges(ref->hpel[plane][0], ref->avframe.linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM); /* EDGE_TOP | EDGE_BOTTOM values just copied to make it build, this needs to be ensured */
+    ref->hpel[plane][0] = ref->avframe->data[plane];
+    s->dsp.draw_edges(ref->hpel[plane][0], ref->avframe->linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM); /* EDGE_TOP | EDGE_BOTTOM values just copied to make it build, this needs to be ensured */

    /* no need for hpel if we only have fpel vectors */
    if (!s->mv_precision)
@ -1528,18 +1569,18 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in

    for (i = 1; i < 4; i++) {
        if (!ref->hpel_base[plane][i])
-            ref->hpel_base[plane][i] = av_malloc((height+2*edge) * ref->avframe.linesize[plane] + 32);
+            ref->hpel_base[plane][i] = av_malloc((height+2*edge) * ref->avframe->linesize[plane] + 32);
        /* we need to be 16-byte aligned even for chroma */
-        ref->hpel[plane][i] = ref->hpel_base[plane][i] + edge*ref->avframe.linesize[plane] + 16;
+        ref->hpel[plane][i] = ref->hpel_base[plane][i] + edge*ref->avframe->linesize[plane] + 16;
    }

    if (!ref->interpolated[plane]) {
        s->diracdsp.dirac_hpel_filter(ref->hpel[plane][1], ref->hpel[plane][2],
                                      ref->hpel[plane][3], ref->hpel[plane][0],
-                                      ref->avframe.linesize[plane], width, height);
-        s->dsp.draw_edges(ref->hpel[plane][1], ref->avframe.linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM);
-        s->dsp.draw_edges(ref->hpel[plane][2], ref->avframe.linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM);
-        s->dsp.draw_edges(ref->hpel[plane][3], ref->avframe.linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM);
+                                      ref->avframe->linesize[plane], width, height);
+        s->dsp.draw_edges(ref->hpel[plane][1], ref->avframe->linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM);
+        s->dsp.draw_edges(ref->hpel[plane][2], ref->avframe->linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM);
+        s->dsp.draw_edges(ref->hpel[plane][3], ref->avframe->linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM);
    }
    ref->interpolated[plane] = 1;
 }
@ -1565,7 +1606,7 @@ static int dirac_decode_frame_internal(DiracContext *s)

    for (comp = 0; comp < 3; comp++) {
        Plane *p       = &s->plane[comp];
-        uint8_t *frame = s->current_picture->avframe.data[comp];
+        uint8_t *frame = s->current_picture->avframe->data[comp];

        /* FIXME: small resolutions */
        for (i = 0; i < 4; i++)
@ -1640,7 +1681,7 @@ static int dirac_decode_picture_header(DiracContext *s)
    GetBitContext *gb = &s->gb;

    /* [DIRAC_STD] 11.1.1 Picture Header. picture_header() PICTURE_NUM */
-    picnum = s->current_picture->avframe.display_picture_number = get_bits_long(gb, 32);
+    picnum = s->current_picture->avframe->display_picture_number = get_bits_long(gb, 32);


    av_log(s->avctx,AV_LOG_DEBUG,"PICTURE_NUM: %d\n",picnum);
@ -1659,9 +1700,9 @@ static int dirac_decode_picture_header(DiracContext *s)
        /* Jordi: this is needed if the referenced picture hasn't yet arrived */
        for (j = 0; j < MAX_REFERENCE_FRAMES && refdist; j++)
            if (s->ref_frames[j]
-                && FFABS(s->ref_frames[j]->avframe.display_picture_number - refnum) < refdist) {
+                && FFABS(s->ref_frames[j]->avframe->display_picture_number - refnum) < refdist) {
                s->ref_pics[i] = s->ref_frames[j];
-                refdist = FFABS(s->ref_frames[j]->avframe.display_picture_number - refnum);
+                refdist = FFABS(s->ref_frames[j]->avframe->display_picture_number - refnum);
            }

        if (!s->ref_pics[i] || refdist)
@ -1670,21 +1711,21 @@ static int dirac_decode_picture_header(DiracContext *s)
        /* if there were no references at all, allocate one */
        if (!s->ref_pics[i])
            for (j = 0; j < MAX_FRAMES; j++)
-                if (!s->all_frames[j].avframe.data[0]) {
+                if (!s->all_frames[j].avframe->data[0]) {
                    s->ref_pics[i] = &s->all_frames[j];
-                    ff_get_buffer(s->avctx, &s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF);
+                    ff_get_buffer(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF);
                    break;
                }
    }

    /* retire the reference frames that are not used anymore */
-    if (s->current_picture->avframe.reference) {
+    if (s->current_picture->avframe->reference) {
        retire = picnum + dirac_get_se_golomb(gb);
        if (retire != picnum) {
            DiracFrame *retire_pic = remove_frame(s->ref_frames, retire);

            if (retire_pic)
-                retire_pic->avframe.reference &= DELAYED_PIC_REF;
+                retire_pic->avframe->reference &= DELAYED_PIC_REF;
            else
                av_log(s->avctx, AV_LOG_DEBUG, "Frame to retire not found\n");
        }
@ -1692,7 +1733,7 @@ static int dirac_decode_picture_header(DiracContext *s)
        /* if reference array is full, remove the oldest as per the spec */
        while (add_frame(s->ref_frames, MAX_REFERENCE_FRAMES, s->current_picture)) {
            av_log(s->avctx, AV_LOG_ERROR, "Reference frame overflow\n");
-            remove_frame(s->ref_frames, s->ref_frames[0]->avframe.display_picture_number)->avframe.reference &= DELAYED_PIC_REF;
+            remove_frame(s->ref_frames, s->ref_frames[0]->avframe->display_picture_number)->avframe->reference &= DELAYED_PIC_REF;
        }
    }

@ -1717,7 +1758,7 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame)

    /* find frame with lowest picture number */
    for (i = 1; s->delay_frames[i]; i++)
-        if (s->delay_frames[i]->avframe.display_picture_number < out->avframe.display_picture_number) {
+        if (s->delay_frames[i]->avframe->display_picture_number < out->avframe->display_picture_number) {
            out     = s->delay_frames[i];
            out_idx = i;
        }
@ -1726,9 +1767,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame)
        s->delay_frames[i] = s->delay_frames[i+1];

    if (out) {
-        out->avframe.reference ^= DELAYED_PIC_REF;
+        out->avframe->reference ^= DELAYED_PIC_REF;
        *got_frame = 1;
-        if((ret = av_frame_ref(picture, &out->avframe)) < 0)
+        if((ret = av_frame_ref(picture, out->avframe)) < 0)
            return ret;
    }

@ -1790,14 +1831,14 @@ static int dirac_decode_data_unit(AVCodecContext *avctx, const uint8_t *buf, int

        /* find an unused frame */
        for (i = 0; i < MAX_FRAMES; i++)
-            if (s->all_frames[i].avframe.data[0] == NULL)
+            if (s->all_frames[i].avframe->data[0] == NULL)
                pic = &s->all_frames[i];
        if (!pic) {
            av_log(avctx, AV_LOG_ERROR, "framelist full\n");
            return -1;
        }

-        avcodec_get_frame_defaults(&pic->avframe);
+        av_frame_unref(pic->avframe);

        /* [DIRAC_STD] Defined in 9.6.1 ... */
        tmp            =  parse_code & 0x03;                   /* [DIRAC_STD] num_refs()      */
@ -1808,16 +1849,19 @@ static int dirac_decode_data_unit(AVCodecContext *avctx, const uint8_t *buf, int
        s->num_refs    = tmp;
        s->is_arith    = (parse_code & 0x48) == 0x08;          /* [DIRAC_STD] using_ac()      */
        s->low_delay   = (parse_code & 0x88) == 0x88;          /* [DIRAC_STD] is_low_delay()  */
-        pic->avframe.reference = (parse_code & 0x0C) == 0x0C;  /* [DIRAC_STD]  is_reference() */
-        pic->avframe.key_frame = s->num_refs == 0;             /* [DIRAC_STD] is_intra()      */
-        pic->avframe.pict_type = s->num_refs + 1;              /* Definition of AVPictureType in avutil.h */
+        pic->avframe->reference = (parse_code & 0x0C) == 0x0C;  /* [DIRAC_STD]  is_reference() */
+        pic->avframe->key_frame = s->num_refs == 0;             /* [DIRAC_STD] is_intra()      */
+        pic->avframe->pict_type = s->num_refs + 1;              /* Definition of AVPictureType in avutil.h */

-        if ((ret = ff_get_buffer(avctx, &pic->avframe, (parse_code & 0x0C) == 0x0C ? AV_GET_BUFFER_FLAG_REF : 0)) < 0)
+        if ((ret = ff_get_buffer(avctx, pic->avframe, (parse_code & 0x0C) == 0x0C ? AV_GET_BUFFER_FLAG_REF : 0)) < 0)
            return ret;
        s->current_picture = pic;
-        s->plane[0].stride = pic->avframe.linesize[0];
-        s->plane[1].stride = pic->avframe.linesize[1];
-        s->plane[2].stride = pic->avframe.linesize[2];
+        s->plane[0].stride = pic->avframe->linesize[0];
+        s->plane[1].stride = pic->avframe->linesize[1];
+        s->plane[2].stride = pic->avframe->linesize[2];
+
+        if (alloc_buffers(s, FFMAX3(FFABS(s->plane[0].stride), FFABS(s->plane[1].stride), FFABS(s->plane[2].stride))) < 0)
+            return AVERROR(ENOMEM);

        /* [DIRAC_STD] 11.1 Picture parse. picture_parse() */
        if (dirac_decode_picture_header(s))
@ -1833,7 +1877,7 @@ static int dirac_decode_data_unit(AVCodecContext *avctx, const uint8_t *buf, int
 static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *pkt)
 {
    DiracContext *s     = avctx->priv_data;
-    DiracFrame *picture = data;
+    AVFrame *picture    = data;
    uint8_t *buf        = pkt->data;
    int buf_size        = pkt->size;
    int i, data_unit_size, buf_idx = 0;
@ -1841,8 +1885,8 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,

    /* release unused frames */
    for (i = 0; i < MAX_FRAMES; i++)
-        if (s->all_frames[i].avframe.data[0] && !s->all_frames[i].avframe.reference) {
-            av_frame_unref(&s->all_frames[i].avframe);
+        if (s->all_frames[i].avframe->data[0] && !s->all_frames[i].avframe->reference) {
+            av_frame_unref(s->all_frames[i].avframe);
            memset(s->all_frames[i].interpolated, 0, sizeof(s->all_frames[i].interpolated));
        }

@ -1887,40 +1931,40 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    if (!s->current_picture)
        return buf_size;

-    if (s->current_picture->avframe.display_picture_number > s->frame_number) {
+    if (s->current_picture->avframe->display_picture_number > s->frame_number) {
        DiracFrame *delayed_frame = remove_frame(s->delay_frames, s->frame_number);

-        s->current_picture->avframe.reference |= DELAYED_PIC_REF;
+        s->current_picture->avframe->reference |= DELAYED_PIC_REF;

        if (add_frame(s->delay_frames, MAX_DELAY, s->current_picture)) {
-            int min_num = s->delay_frames[0]->avframe.display_picture_number;
+            int min_num = s->delay_frames[0]->avframe->display_picture_number;
            /* Too many delayed frames, so we display the frame with the lowest pts */
            av_log(avctx, AV_LOG_ERROR, "Delay frame overflow\n");
            delayed_frame = s->delay_frames[0];

            for (i = 1; s->delay_frames[i]; i++)
-                if (s->delay_frames[i]->avframe.display_picture_number < min_num)
-                    min_num = s->delay_frames[i]->avframe.display_picture_number;
+                if (s->delay_frames[i]->avframe->display_picture_number < min_num)
+                    min_num = s->delay_frames[i]->avframe->display_picture_number;

            delayed_frame = remove_frame(s->delay_frames, min_num);
            add_frame(s->delay_frames, MAX_DELAY, s->current_picture);
        }

        if (delayed_frame) {
-            delayed_frame->avframe.reference ^= DELAYED_PIC_REF;
-            if((ret=av_frame_ref(data, &delayed_frame->avframe)) < 0)
+            delayed_frame->avframe->reference ^= DELAYED_PIC_REF;
+            if((ret=av_frame_ref(data, delayed_frame->avframe)) < 0)
                return ret;
            *got_frame = 1;
        }
-    } else if (s->current_picture->avframe.display_picture_number == s->frame_number) {
+    } else if (s->current_picture->avframe->display_picture_number == s->frame_number) {
        /* The right frame at the right time :-) */
-        if((ret=av_frame_ref(data, &s->current_picture->avframe)) < 0)
+        if((ret=av_frame_ref(data, s->current_picture->avframe)) < 0)
            return ret;
        *got_frame = 1;
    }

    if (*got_frame)
-        s->frame_number = picture->avframe.display_picture_number + 1;
+        s->frame_number = picture->display_picture_number + 1;

    return buf_idx;
 }
--- a/libavcodec/dnxhddec.c
+++ b/libavcodec/dnxhddec.c
@ -35,6 +35,7 @@ typedef struct DNXHDContext {
    GetBitContext gb;
    int64_t cid;                        ///< compression id
    unsigned int width, height;
+    enum AVPixelFormat pix_fmt;
    unsigned int mb_width, mb_height;
    uint32_t mb_scan_index[68];         /* max for 1080p */
    int cur_field;                      ///< current interlaced field
@ -128,7 +129,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame,
    av_dlog(ctx->avctx, "width %d, height %d\n", ctx->width, ctx->height);

    if (buf[0x21] & 0x40) {
-        ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P10;
+        ctx->pix_fmt = AV_PIX_FMT_YUV422P10;
        ctx->avctx->bits_per_raw_sample = 10;
        if (ctx->bit_depth != 10) {
            ff_dsputil_init(&ctx->dsp, ctx->avctx);
@ -136,7 +137,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame,
            ctx->decode_dct_block = dnxhd_decode_dct_block_10;
        }
    } else {
-        ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P;
+        ctx->pix_fmt = AV_PIX_FMT_YUV422P;
        ctx->avctx->bits_per_raw_sample = 8;
        if (ctx->bit_depth != 8) {
            ff_dsputil_init(&ctx->dsp, ctx->avctx);
@ -311,7 +312,7 @@ static int dnxhd_decode_macroblock(DNXHDContext *ctx, AVFrame *frame, int x, int
    dest_u = frame->data[1] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1));
    dest_v = frame->data[2] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1));

-    if (ctx->cur_field) {
+    if (frame->interlaced_frame && ctx->cur_field) {
        dest_y += frame->linesize[0];
        dest_u += frame->linesize[1];
        dest_v += frame->linesize[2];
@ -376,9 +377,15 @@ static int dnxhd_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
               avctx->width, avctx->height, ctx->width, ctx->height);
        first_field = 1;
    }
+    if (avctx->pix_fmt != AV_PIX_FMT_NONE && avctx->pix_fmt != ctx->pix_fmt) {
+        av_log(avctx, AV_LOG_WARNING, "pix_fmt changed: %s -> %s\n",
+               av_get_pix_fmt_name(avctx->pix_fmt), av_get_pix_fmt_name(ctx->pix_fmt));
+        first_field = 1;
+    }

    if (av_image_check_size(ctx->width, ctx->height, 0, avctx))
        return -1;
+    avctx->pix_fmt = ctx->pix_fmt;
    avcodec_set_dimensions(avctx, ctx->width, ctx->height);

    if (first_field) {
--- a/libavcodec/dnxhdenc.c
+++ b/libavcodec/dnxhdenc.c
@ -235,7 +235,7 @@ static av_cold int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias)

 static av_cold int dnxhd_init_rc(DNXHDEncContext *ctx)
 {
-    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail);
+    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail);
    if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD)
        FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail);

@ -329,9 +329,12 @@ static av_cold int dnxhd_encode_init(AVCodecContext *avctx)
    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_bits,    ctx->m.mb_num   *sizeof(uint16_t), fail);
    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_qscale,  ctx->m.mb_num   *sizeof(uint8_t),  fail);

-    ctx->frame.key_frame = 1;
-    ctx->frame.pict_type = AV_PICTURE_TYPE_I;
-    ctx->m.avctx->coded_frame = &ctx->frame;
+    avctx->coded_frame = av_frame_alloc();
+    if (!avctx->coded_frame)
+        return AVERROR(ENOMEM);
+
+    avctx->coded_frame->key_frame = 1;
+    avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I;

    if (avctx->thread_count > MAX_THREADS) {
        av_log(avctx, AV_LOG_ERROR, "too many threads\n");
@ -922,19 +925,14 @@ static void dnxhd_load_picture(DNXHDEncContext *ctx, const AVFrame *frame)
 {
    int i;

-    for (i = 0; i < 3; i++) {
-        ctx->frame.data[i]     = frame->data[i];
-        ctx->frame.linesize[i] = frame->linesize[i];
-    }
-
    for (i = 0; i < ctx->m.avctx->thread_count; i++) {
-        ctx->thread[i]->m.linesize    = ctx->frame.linesize[0]<<ctx->interlaced;
-        ctx->thread[i]->m.uvlinesize  = ctx->frame.linesize[1]<<ctx->interlaced;
+        ctx->thread[i]->m.linesize    = frame->linesize[0] << ctx->interlaced;
+        ctx->thread[i]->m.uvlinesize  = frame->linesize[1] << ctx->interlaced;
        ctx->thread[i]->dct_y_offset  = ctx->m.linesize  *8;
        ctx->thread[i]->dct_uv_offset = ctx->m.uvlinesize*8;
    }

-    ctx->frame.interlaced_frame = frame->interlaced_frame;
+    ctx->m.avctx->coded_frame->interlaced_frame = frame->interlaced_frame;
    ctx->cur_field = frame->interlaced_frame && !frame->top_field_first;
 }

@ -954,9 +952,9 @@ static int dnxhd_encode_picture(AVCodecContext *avctx, AVPacket *pkt,

 encode_coding_unit:
    for (i = 0; i < 3; i++) {
-        ctx->src[i] = ctx->frame.data[i];
+        ctx->src[i] = frame->data[i];
        if (ctx->interlaced && ctx->cur_field)
-            ctx->src[i] += ctx->frame.linesize[i];
+            ctx->src[i] += frame->linesize[i];
    }

    dnxhd_write_header(avctx, buf);
@ -994,7 +992,7 @@ static int dnxhd_encode_picture(AVCodecContext *avctx, AVPacket *pkt,
        goto encode_coding_unit;
    }

-    ctx->frame.quality = ctx->qscale*FF_QP2LAMBDA;
+    avctx->coded_frame->quality = ctx->qscale * FF_QP2LAMBDA;

    pkt->flags |= AV_PKT_FLAG_KEY;
    *got_packet = 1;
@ -1027,6 +1025,8 @@ static av_cold int dnxhd_encode_end(AVCodecContext *avctx)
    for (i = 1; i < avctx->thread_count; i++)
        av_freep(&ctx->thread[i]);

+    av_frame_free(&avctx->coded_frame);
+
    return 0;
 }

--- a/libavcodec/dnxhdenc.h
+++ b/libavcodec/dnxhdenc.h
@ -43,7 +43,6 @@ typedef struct DNXHDEncContext {
    AVClass *class;
    MpegEncContext m; ///< Used for quantization dsp functions

-    AVFrame frame;
    int cid;
    const CIDEntry *cid_table;
    uint8_t *msip; ///< Macroblock Scan Indexes Payload
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@ -39,7 +39,7 @@ typedef enum CinVideoBitmapIndex {

 typedef struct CinVideoContext {
    AVCodecContext *avctx;
-    AVFrame frame;
+    AVFrame *frame;
    unsigned int bitmap_size;
    uint32_t palette[256];
    uint8_t *bitmap_table[3];
@ -118,7 +118,9 @@ static av_cold int cinvideo_decode_init(AVCodecContext *avctx)
    cin->avctx = avctx;
    avctx->pix_fmt = AV_PIX_FMT_PAL8;

-    avcodec_get_frame_defaults(&cin->frame);
+    cin->frame = av_frame_alloc();
+    if (!cin->frame)
+        return AVERROR(ENOMEM);

    cin->bitmap_size = avctx->width * avctx->height;
    if (allocate_buffers(cin))
@ -315,20 +317,20 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
        break;
    }

-    if ((res = ff_reget_buffer(avctx, &cin->frame)) < 0)
+    if ((res = ff_reget_buffer(avctx, cin->frame)) < 0)
        return res;

-    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
-    cin->frame.palette_has_changed = 1;
+    memcpy(cin->frame->data[1], cin->palette, sizeof(cin->palette));
+    cin->frame->palette_has_changed = 1;
    for (y = 0; y < cin->avctx->height; ++y)
-        memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0],
+        memcpy(cin->frame->data[0] + (cin->avctx->height - 1 - y) * cin->frame->linesize[0],
               cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
               cin->avctx->width);

    FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP],
                      cin->bitmap_table[CIN_PRE_BMP]);

-    if ((res = av_frame_ref(data, &cin->frame)) < 0)
+    if ((res = av_frame_ref(data, cin->frame)) < 0)
        return res;

    *got_frame = 1;
@ -340,7 +342,7 @@ static av_cold int cinvideo_decode_end(AVCodecContext *avctx)
 {
    CinVideoContext *cin = avctx->priv_data;

-    av_frame_unref(&cin->frame);
+    av_frame_free(&cin->frame);

    destroy_buffers(cin);

--- a/libavcodec/dv.c
+++ b/libavcodec/dv.c
@ -320,8 +320,6 @@ av_cold int ff_dvvideo_init(AVCodecContext *avctx)
    }else
        memcpy(s->dv_zigzag[1], ff_zigzag248_direct, 64);

-    avcodec_get_frame_defaults(&s->picture);
-    avctx->coded_frame = &s->picture;
    s->avctx = avctx;
    avctx->chroma_sample_location = AVCHROMA_LOC_TOPLEFT;

@ -342,6 +340,10 @@ static av_cold int dvvideo_init_encoder(AVCodecContext *avctx)
        return AVERROR_PATCHWELCOME;
    }

+    avctx->coded_frame = av_frame_alloc();
+    if (!avctx->coded_frame)
+        return AVERROR(ENOMEM);
+
    dv_vlc_map_tableinit();

    return ff_dvvideo_init(avctx);
@ -687,12 +689,12 @@ static int dv_encode_video_segment(AVCodecContext *avctx, void *arg)
        if ((s->sys->pix_fmt == AV_PIX_FMT_YUV420P) ||
            (s->sys->pix_fmt == AV_PIX_FMT_YUV411P && mb_x >= (704 / 8)) ||
            (s->sys->height >= 720 && mb_y != 134)) {
-            y_stride = s->picture.linesize[0] << 3;
+            y_stride = s->frame->linesize[0] << 3;
        } else {
            y_stride = 16;
        }
-        y_ptr    = s->picture.data[0] + ((mb_y * s->picture.linesize[0] + mb_x) << 3);
-        linesize = s->picture.linesize[0];
+        y_ptr    = s->frame->data[0] + ((mb_y * s->frame->linesize[0] + mb_x) << 3);
+        linesize = s->frame->linesize[0];

        if (s->sys->video_stype == 4) { /* SD 422 */
            vs_bit_size +=
@ -710,12 +712,12 @@ static int dv_encode_video_segment(AVCodecContext *avctx, void *arg)
        enc_blk += 4;

        /* initializing chrominance blocks */
-        c_offset = (((mb_y >>  (s->sys->pix_fmt == AV_PIX_FMT_YUV420P)) * s->picture.linesize[1] +
+        c_offset = (((mb_y >>  (s->sys->pix_fmt == AV_PIX_FMT_YUV420P)) * s->frame->linesize[1] +
                     (mb_x >> ((s->sys->pix_fmt == AV_PIX_FMT_YUV411P) ? 2 : 1))) << 3);
        for (j = 2; j; j--) {
-            uint8_t *c_ptr = s->picture.data[j] + c_offset;
-            linesize = s->picture.linesize[j];
-            y_stride = (mb_y == 134) ? 8 : (s->picture.linesize[j] << 3);
+            uint8_t *c_ptr = s->frame->data[j] + c_offset;
+            linesize = s->frame->linesize[j];
+            y_stride = (mb_y == 134) ? 8 : (s->frame->linesize[j] << 3);
            if (s->sys->pix_fmt == AV_PIX_FMT_YUV411P && mb_x >= (704 / 8)) {
                uint8_t* d;
                uint8_t* b = scratch;
@ -814,7 +816,7 @@ static inline int dv_write_pack(enum dv_pack_type pack_id, DVVideoContext *c,
     *      compression scheme (if any).
     */
    int apt   = (c->sys->pix_fmt == AV_PIX_FMT_YUV420P ? 0 : 1);
-    int fs    = c->picture.top_field_first ? 0x00 : 0x40;
+    int fs    = c->frame->top_field_first ? 0x00 : 0x40;

    uint8_t aspect = 0;
    if ((int)(av_q2d(c->avctx->sample_aspect_ratio) * c->avctx->width / c->avctx->height * 10) >= 17) /* 16:9 */
@ -964,9 +966,9 @@ static int dvvideo_encode_frame(AVCodecContext *c, AVPacket *pkt,
        return ret;

    c->pix_fmt                = s->sys->pix_fmt;
-    s->picture           = *frame;
-    s->picture.key_frame = 1;
-    s->picture.pict_type = AV_PICTURE_TYPE_I;
+    s->frame                  = frame;
+    c->coded_frame->key_frame = 1;
+    c->coded_frame->pict_type = AV_PICTURE_TYPE_I;

    s->buf = pkt->data;
    c->execute(c, dv_encode_video_segment, s->sys->work_chunks, NULL,
@ -982,6 +984,12 @@ static int dvvideo_encode_frame(AVCodecContext *c, AVPacket *pkt,
    return 0;
 }

+static int dvvideo_encode_close(AVCodecContext *avctx)
+{
+    av_frame_free(&avctx->coded_frame);
+    return 0;
+}
+
 AVCodec ff_dvvideo_encoder = {
    .name           = "dvvideo",
    .long_name      = NULL_IF_CONFIG_SMALL("DV (Digital Video)"),
@ -990,6 +998,7 @@ AVCodec ff_dvvideo_encoder = {
    .priv_data_size = sizeof(DVVideoContext),
    .init           = dvvideo_init_encoder,
    .encode2        = dvvideo_encode_frame,
+    .close          = dvvideo_encode_close,
    .capabilities   = CODEC_CAP_SLICE_THREADS,
    .pix_fmts       = (const enum AVPixelFormat[]) {
        AV_PIX_FMT_YUV411P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE
--- a/libavcodec/dvdata.h
+++ b/libavcodec/dvdata.h
@ -34,7 +34,7 @@

 typedef struct DVVideoContext {
    const DVprofile *sys;
-    AVFrame          picture;
+    AVFrame         *frame;
    AVCodecContext  *avctx;
    uint8_t         *buf;

--- a/libavcodec/dvdec.c
+++ b/libavcodec/dvdec.c
@ -258,12 +258,12 @@ static int dv_decode_video_segment(AVCodecContext *avctx, void *arg)
        if ((s->sys->pix_fmt == AV_PIX_FMT_YUV420P) ||
            (s->sys->pix_fmt == AV_PIX_FMT_YUV411P && mb_x >= (704 / 8)) ||
            (s->sys->height >= 720 && mb_y != 134)) {
-            y_stride = (s->picture.linesize[0] << ((!is_field_mode[mb_index]) * log2_blocksize));
+            y_stride = (s->frame->linesize[0] << ((!is_field_mode[mb_index]) * log2_blocksize));
        } else {
            y_stride = (2 << log2_blocksize);
        }
-        y_ptr = s->picture.data[0] + ((mb_y * s->picture.linesize[0] + mb_x) << log2_blocksize);
-        linesize = s->picture.linesize[0] << is_field_mode[mb_index];
+        y_ptr = s->frame->data[0] + ((mb_y * s->frame->linesize[0] + mb_x) << log2_blocksize);
+        linesize = s->frame->linesize[0] << is_field_mode[mb_index];
        mb[0]    .idct_put(y_ptr                                   , linesize, block + 0*64);
        if (s->sys->video_stype == 4) { /* SD 422 */
            mb[2].idct_put(y_ptr + (1 << log2_blocksize)           , linesize, block + 2*64);
@ -276,19 +276,19 @@ static int dv_decode_video_segment(AVCodecContext *avctx, void *arg)
        block += 4*64;

        /* idct_put'ting chrominance */
-        c_offset = (((mb_y >>  (s->sys->pix_fmt == AV_PIX_FMT_YUV420P)) * s->picture.linesize[1] +
+        c_offset = (((mb_y >>  (s->sys->pix_fmt == AV_PIX_FMT_YUV420P)) * s->frame->linesize[1] +
                     (mb_x >> ((s->sys->pix_fmt == AV_PIX_FMT_YUV411P) ? 2 : 1))) << log2_blocksize);
        for (j = 2; j; j--) {
-            uint8_t *c_ptr = s->picture.data[j] + c_offset;
+            uint8_t *c_ptr = s->frame->data[j] + c_offset;
            if (s->sys->pix_fmt == AV_PIX_FMT_YUV411P && mb_x >= (704 / 8)) {
                  uint64_t aligned_pixels[64/8];
                  uint8_t *pixels = (uint8_t*)aligned_pixels;
                  uint8_t *c_ptr1, *ptr1;
                  int x, y;
                  mb->idct_put(pixels, 8, block);
-                  for (y = 0; y < (1 << log2_blocksize); y++, c_ptr += s->picture.linesize[j], pixels += 8) {
+                  for (y = 0; y < (1 << log2_blocksize); y++, c_ptr += s->frame->linesize[j], pixels += 8) {
                      ptr1   = pixels + ((1 << (log2_blocksize))>>1);
-                      c_ptr1 = c_ptr + (s->picture.linesize[j] << log2_blocksize);
+                      c_ptr1 = c_ptr + (s->frame->linesize[j] << log2_blocksize);
                      for (x = 0; x < (1 << FFMAX(log2_blocksize - 1, 0)); x++) {
                          c_ptr[x]  = pixels[x];
                          c_ptr1[x] = ptr1[x];
@ -297,8 +297,8 @@ static int dv_decode_video_segment(AVCodecContext *avctx, void *arg)
                  block += 64; mb++;
            } else {
                  y_stride = (mb_y == 134) ? (1 << log2_blocksize) :
-                                             s->picture.linesize[j] << ((!is_field_mode[mb_index]) * log2_blocksize);
-                  linesize = s->picture.linesize[j] << is_field_mode[mb_index];
+                                             s->frame->linesize[j] << ((!is_field_mode[mb_index]) * log2_blocksize);
+                  linesize = s->frame->linesize[j] << is_field_mode[mb_index];
                  (mb++)->    idct_put(c_ptr           , linesize, block); block += 64;
                  if (s->sys->bpm == 8) {
                      (mb++)->idct_put(c_ptr + y_stride, linesize, block); block += 64;
@ -327,15 +327,16 @@ static int dvvideo_decode_frame(AVCodecContext *avctx,
        return -1; /* NOTE: we only accept several full frames */
    }

-    s->picture.key_frame = 1;
-    s->picture.pict_type = AV_PICTURE_TYPE_I;
+    s->frame            = data;
+    s->frame->key_frame = 1;
+    s->frame->pict_type = AV_PICTURE_TYPE_I;
    avctx->pix_fmt   = s->sys->pix_fmt;
    avctx->time_base = s->sys->time_base;
    avcodec_set_dimensions(avctx, s->sys->width, s->sys->height);
-    if ((ret = ff_get_buffer(avctx, &s->picture, 0)) < 0)
+    if ((ret = ff_get_buffer(avctx, s->frame, 0)) < 0)
        return ret;
-    s->picture.interlaced_frame = 1;
-    s->picture.top_field_first  = 0;
+    s->frame->interlaced_frame = 1;
+    s->frame->top_field_first  = 0;

    /* Determine the codec's sample_aspect ratio and field order from the packet */
    vsc_pack = buf + 80*5 + 48 + 5;
@ -343,7 +344,7 @@ static int dvvideo_decode_frame(AVCodecContext *avctx,
        apt = buf[4] & 0x07;
        is16_9 = (vsc_pack[2] & 0x07) == 0x02 || (!apt && (vsc_pack[2] & 0x07) == 0x07);
        avctx->sample_aspect_ratio = s->sys->sar[is16_9];
-        s->picture.top_field_first = !(vsc_pack[3] & 0x40);
+        s->frame->top_field_first = !(vsc_pack[3] & 0x40);
    }

    s->buf = buf;
@ -354,20 +355,10 @@ static int dvvideo_decode_frame(AVCodecContext *avctx,

    /* return image */
    *got_frame = 1;
-    av_frame_move_ref(data, &s->picture);

    return s->sys->frame_size;
 }

-static int dvvideo_close(AVCodecContext *c)
-{
-    DVVideoContext *s = c->priv_data;
-
-    av_frame_unref(&s->picture);
-
-    return 0;
-}
-
 AVCodec ff_dvvideo_decoder = {
    .name           = "dvvideo",
    .long_name      = NULL_IF_CONFIG_SMALL("DV (Digital Video)"),
@ -375,7 +366,6 @@ AVCodec ff_dvvideo_decoder = {
    .id             = AV_CODEC_ID_DVVIDEO,
    .priv_data_size = sizeof(DVVideoContext),
    .init           = ff_dvvideo_init,
-    .close          = dvvideo_close,
    .decode         = dvvideo_decode_frame,
    .capabilities   = CODEC_CAP_DR1 | CODEC_CAP_SLICE_THREADS,
    .max_lowres     = 3,
--- a/libavcodec/dvdsub_parser.c
+++ b/libavcodec/dvdsub_parser.c
@ -45,8 +45,11 @@ static int dvdsub_parse(AVCodecParserContext *s,
    DVDSubParseContext *pc = s->priv_data;

    if (pc->packet_index == 0) {
-        if (buf_size < 2)
-            return 0;
+        if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) {
+            if (buf_size)
+                av_log(avctx, AV_LOG_DEBUG, "Parser input %d too small\n", buf_size);
+            return buf_size;
+        }
        pc->packet_len = AV_RB16(buf);
        if (pc->packet_len == 0) /* HD-DVD subpicture packet */
            pc->packet_len = AV_RB32(buf+2);
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@ -35,7 +35,7 @@ typedef struct DVDSubContext
  int      has_palette;
  uint8_t  colormap[4];
  uint8_t  alpha[256];
-  uint8_t *buf;
+  uint8_t  buf[0x10000];
  int      buf_size;
 #ifdef DEBUG
  int sub_id;
@ -103,6 +103,12 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
    int x, y, len, color;
    uint8_t *d;

+    if (start >= buf_size)
+        return -1;
+
+    if (w <= 0 || h <= 0)
+        return -1;
+
    bit_len = (buf_size - start) * 8;
    init_get_bits(&gb, buf + start, bit_len);

@ -354,10 +360,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
                sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
                sub_header->num_rects = 1;
                sub_header->rects[0]->pict.data[0] = bitmap;
-                decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-                           buf, offset1, buf_size, is_8bit);
-                decode_rle(bitmap + w, w * 2, w, h / 2,
-                           buf, offset2, buf_size, is_8bit);
+                if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+                               buf, offset1, buf_size, is_8bit) < 0)
+                    goto fail;
+                if (decode_rle(bitmap + w, w * 2, w, h / 2,
+                               buf, offset2, buf_size, is_8bit) < 0)
+                    goto fail;
                sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE);
                if (is_8bit) {
                    if (yuv_palette == 0)
@ -495,15 +503,11 @@ static int append_to_cached_buf(AVCodecContext *avctx,
 {
    DVDSubContext *ctx = avctx->priv_data;

-    if (ctx->buf_size > 0xffff - buf_size) {
+    if (ctx->buf_size >= sizeof(ctx->buf) - buf_size) {
        av_log(avctx, AV_LOG_WARNING, "Attempt to reconstruct "
               "too large SPU packets aborted.\n");
-        av_freep(&ctx->buf);
        return AVERROR_INVALIDDATA;
    }
-    ctx->buf = av_realloc(ctx->buf, ctx->buf_size + buf_size);
-    if (!ctx->buf)
-        return AVERROR(ENOMEM);
    memcpy(ctx->buf + ctx->buf_size, buf, buf_size);
    ctx->buf_size += buf_size;
    return 0;
@ -519,7 +523,7 @@ static int dvdsub_decode(AVCodecContext *avctx,
    AVSubtitle *sub = data;
    int is_menu;

-    if (ctx->buf) {
+    if (ctx->buf_size) {
        int ret = append_to_cached_buf(avctx, buf, buf_size);
        if (ret < 0) {
            *data_size = 0;
@ -557,7 +561,6 @@ static int dvdsub_decode(AVCodecContext *avctx,
    }
 #endif

-    av_freep(&ctx->buf);
    ctx->buf_size = 0;
    *data_size = 1;
    return buf_size;
@ -635,7 +638,6 @@ static av_cold int dvdsub_init(AVCodecContext *avctx)
 static av_cold int dvdsub_close(AVCodecContext *avctx)
 {
    DVDSubContext *ctx = avctx->priv_data;
-    av_freep(&ctx->buf);
    ctx->buf_size = 0;
    return 0;
 }
--- a/libavcodec/dxa.c
+++ b/libavcodec/dxa.c
@ -321,12 +321,17 @@ static av_cold int decode_init(AVCodecContext *avctx)
 {
    DxaDecContext * const c = avctx->priv_data;

-    avctx->pix_fmt = AV_PIX_FMT_PAL8;
+    if (avctx->width%4 || avctx->height%4) {
+        avpriv_request_sample(avctx, "dimensions are not a multiple of 4");
+        return AVERROR_INVALIDDATA;
+    }

    c->prev = av_frame_alloc();
    if (!c->prev)
        return AVERROR(ENOMEM);

+    avctx->pix_fmt = AV_PIX_FMT_PAL8;
+
    c->dsize = avctx->width * avctx->height * 2;
    c->decomp_buf = av_malloc(c->dsize);
    if (!c->decomp_buf) {
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@ -45,7 +45,7 @@
 typedef struct MadContext {
    AVCodecContext *avctx;
    DSPContext dsp;
-    AVFrame last_frame;
+    AVFrame *last_frame;
    GetBitContext gb;
    void *bitstream_buf;
    unsigned int bitstream_buf_size;
@ -65,6 +65,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
    ff_init_scantable_permutation(s->dsp.idct_permutation, FF_NO_IDCT_PERM);
    ff_init_scantable(s->dsp.idct_permutation, &s->scantable, ff_zigzag_direct);
    ff_mpeg12_init_vlcs();
+
+    s->last_frame = av_frame_alloc();
+    if (!s->last_frame)
+        return AVERROR(ENOMEM);
+
    return 0;
 }

@ -82,22 +87,22 @@ static inline void comp_block(MadContext *t, AVFrame *frame,
                              int j, int mv_x, int mv_y, int add)
 {
    if (j < 4) {
-        unsigned offset = (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x;
-        if (offset >= (t->avctx->height - 7) * t->last_frame.linesize[0] - 7)
+        unsigned offset = (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame->linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x;
+        if (offset >= (t->avctx->height - 7) * t->last_frame->linesize[0] - 7)
            return;
        comp(frame->data[0] + (mb_y*16 + ((j&2)<<2))*frame->linesize[0] + mb_x*16 + ((j&1)<<3),
             frame->linesize[0],
-             t->last_frame.data[0] + offset,
-             t->last_frame.linesize[0], add);
+             t->last_frame->data[0] + offset,
+             t->last_frame->linesize[0], add);
    } else if (!(t->avctx->flags & CODEC_FLAG_GRAY)) {
        int index = j - 3;
-        unsigned offset = (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2);
-        if (offset >= (t->avctx->height/2 - 7) * t->last_frame.linesize[index] - 7)
+        unsigned offset = (mb_y * 8 + (mv_y/2))*t->last_frame->linesize[index] + mb_x * 8 + (mv_x/2);
+        if (offset >= (t->avctx->height/2 - 7) * t->last_frame->linesize[index] - 7)
            return;
        comp(frame->data[index] + (mb_y*8)*frame->linesize[index] + mb_x * 8,
             frame->linesize[index],
-             t->last_frame.data[index] + offset,
-             t->last_frame.linesize[index], add);
+             t->last_frame->data[index] + offset,
+             t->last_frame->linesize[index], add);
    }
 }

@ -205,7 +210,7 @@ static int decode_mb(MadContext *s, AVFrame *frame, int inter)
    for (j=0; j<6; j++) {
        if (mv_map & (1<<j)) {  // mv_x and mv_y are guarded by mv_map
            int add = 2*decode_motion(&s->gb);
-            if (s->last_frame.data[0])
+            if (s->last_frame->data[0])
                comp_block(s, frame, s->mb_x, s->mb_y, j, mv_x, mv_y, add);
        } else {
            s->dsp.clear_block(s->block);
@ -263,28 +268,28 @@ static int decode_frame(AVCodecContext *avctx,
    }

    if (avctx->width != width || avctx->height != height) {
+        av_frame_unref(s->last_frame);
        if((width * height)/2048*7 > buf_end-buf)
            return AVERROR_INVALIDDATA;
        if ((ret = av_image_check_size(width, height, 0, avctx)) < 0)
            return ret;
        avcodec_set_dimensions(avctx, width, height);
-        av_frame_unref(&s->last_frame);
    }

    if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
        return ret;

-    if (inter && !s->last_frame.data[0]) {
+    if (inter && !s->last_frame->data[0]) {
        av_log(avctx, AV_LOG_WARNING, "Missing reference frame.\n");
-        ret = ff_get_buffer(avctx, &s->last_frame, AV_GET_BUFFER_FLAG_REF);
+        ret = ff_get_buffer(avctx, s->last_frame, AV_GET_BUFFER_FLAG_REF);
        if (ret < 0)
            return ret;
-        memset(s->last_frame.data[0], 0, s->last_frame.height *
-               s->last_frame.linesize[0]);
-        memset(s->last_frame.data[1], 0x80, s->last_frame.height / 2 *
-               s->last_frame.linesize[1]);
-        memset(s->last_frame.data[2], 0x80, s->last_frame.height / 2 *
-               s->last_frame.linesize[2]);
+        memset(s->last_frame->data[0], 0, s->last_frame->height *
+               s->last_frame->linesize[0]);
+        memset(s->last_frame->data[1], 0x80, s->last_frame->height / 2 *
+               s->last_frame->linesize[1]);
+        memset(s->last_frame->data[2], 0x80, s->last_frame->height / 2 *
+               s->last_frame->linesize[2]);
    }

    av_fast_padded_malloc(&s->bitstream_buf, &s->bitstream_buf_size,
@ -303,8 +308,8 @@ static int decode_frame(AVCodecContext *avctx,
    *got_frame = 1;

    if (chunk_type != MADe_TAG) {
-        av_frame_unref(&s->last_frame);
-        if ((ret = av_frame_ref(&s->last_frame, frame)) < 0)
+        av_frame_unref(s->last_frame);
+        if ((ret = av_frame_ref(s->last_frame, frame)) < 0)
            return ret;
    }

@ -314,7 +319,7 @@ static int decode_frame(AVCodecContext *avctx,
 static av_cold int decode_end(AVCodecContext *avctx)
 {
    MadContext *t = avctx->priv_data;
-    av_frame_unref(&t->last_frame);
+    av_frame_free(&t->last_frame);
    av_free(t->bitstream_buf);
    return 0;
 }
--- a/libavcodec/eatgv.c
+++ b/libavcodec/eatgv.c
@ -40,7 +40,7 @@

 typedef struct TgvContext {
    AVCodecContext *avctx;
-    AVFrame last_frame;
+    AVFrame *last_frame;
    uint8_t *frame_buffer;
    int width,height;
    uint32_t palette[AVPALETTE_COUNT];
@ -57,7 +57,11 @@ static av_cold int tgv_decode_init(AVCodecContext *avctx)
    s->avctx         = avctx;
    avctx->time_base = (AVRational){1, 15};
    avctx->pix_fmt   = AV_PIX_FMT_PAL8;
-    avcodec_get_frame_defaults(&s->last_frame);
+
+    s->last_frame = av_frame_alloc();
+    if (!s->last_frame)
+        return AVERROR(ENOMEM);
+
    return 0;
 }

@ -232,8 +236,8 @@ static int tgv_decode_inter(TgvContext *s, AVFrame *frame,
                    continue;
                }

-                src = s->last_frame.data[0] + mx + my * s->last_frame.linesize[0];
-                src_stride = s->last_frame.linesize[0];
+                src = s->last_frame->data[0] + mx + my * s->last_frame->linesize[0];
+                src_stride = s->last_frame->linesize[0];
            } else {
                int offset = vector - num_mvs;
                if (offset < num_blocks_raw)
@ -283,7 +287,7 @@ static int tgv_decode_frame(AVCodecContext *avctx,
        if (s->avctx->width != s->width || s->avctx->height != s->height) {
            avcodec_set_dimensions(s->avctx, s->width, s->height);
            av_freep(&s->frame_buffer);
-            av_frame_unref(&s->last_frame);
+            av_frame_unref(s->last_frame);
        }

        pal_count = AV_RL16(&buf[6]);
@ -320,7 +324,7 @@ static int tgv_decode_frame(AVCodecContext *avctx,
                   s->frame_buffer + y * s->width,
                   s->width);
    } else {
-        if (!s->last_frame.data[0]) {
+        if (!s->last_frame->data[0]) {
            av_log(avctx, AV_LOG_WARNING, "inter frame without corresponding intra frame\n");
            return buf_size;
        }
@ -332,8 +336,8 @@ static int tgv_decode_frame(AVCodecContext *avctx,
        }
    }

-    av_frame_unref(&s->last_frame);
-    if ((ret = av_frame_ref(&s->last_frame, frame)) < 0)
+    av_frame_unref(s->last_frame);
+    if ((ret = av_frame_ref(s->last_frame, frame)) < 0)
        return ret;

    *got_frame = 1;
@ -344,7 +348,7 @@ static int tgv_decode_frame(AVCodecContext *avctx,
 static av_cold int tgv_decode_end(AVCodecContext *avctx)
 {
    TgvContext *s = avctx->priv_data;
-    av_frame_unref(&s->last_frame);
+    av_frame_free(&s->last_frame);
    av_freep(&s->frame_buffer);
    av_free(s->mv_codebook);
    av_free(s->block_codebook);
--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@ -762,6 +762,17 @@ void ff_er_frame_start(ERContext *s)
    s->error_occurred = 0;
 }

+static int er_supported(ERContext *s)
+{
+    if(s->avctx->hwaccel                                              ||
+       s->avctx->codec->capabilities&CODEC_CAP_HWACCEL_VDPAU          ||
+       !s->cur_pic                                                    ||
+       s->cur_pic->field_picture
+    )
+        return 0;
+    return 1;
+}
+
 /**
 * Add a slice.
 * @param endx   x component of the last macroblock, can be -1
@ -828,7 +839,7 @@ void ff_er_add_slice(ERContext *s, int startx, int starty,
    s->error_status_table[start_xy] |= VP_START;

    if (start_xy > 0 && !(s->avctx->active_thread_type & FF_THREAD_SLICE) &&
-        s->avctx->skip_top * s->mb_width < start_i) {
+        er_supported(s) && s->avctx->skip_top * s->mb_width < start_i) {
        int prev_status = s->error_status_table[s->mb_index2xy[start_i - 1]];

        prev_status &= ~ VP_START;
@ -853,9 +864,7 @@ void ff_er_frame_end(ERContext *s)
     * though it should not crash if enabled. */
    if (!s->avctx->error_concealment || s->error_count == 0            ||
        s->avctx->lowres                                               ||
-        s->avctx->hwaccel                                              ||
-        s->avctx->codec->capabilities&CODEC_CAP_HWACCEL_VDPAU          ||
-        !s->cur_pic || s->cur_pic->field_picture                               ||
+        !er_supported(s)                                               ||
        s->error_count == 3 * s->mb_width *
                          (s->avctx->skip_top + s->avctx->skip_bottom)) {
        return;
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
@ -42,7 +42,7 @@ typedef struct CodeBook {
 } CodeBook;

 typedef struct Escape124Context {
-    AVFrame frame;
+    AVFrame *frame;

    unsigned num_superblocks;

@ -58,12 +58,15 @@ static av_cold int escape124_decode_init(AVCodecContext *avctx)
 {
    Escape124Context *s = avctx->priv_data;

-    avcodec_get_frame_defaults(&s->frame);
    avctx->pix_fmt = AV_PIX_FMT_RGB555;

    s->num_superblocks = ((unsigned)avctx->width / 8) *
                         ((unsigned)avctx->height / 8);

+    s->frame = av_frame_alloc();
+    if (!s->frame)
+        return AVERROR(ENOMEM);
+
    return 0;
 }

@ -75,7 +78,7 @@ static av_cold int escape124_decode_close(AVCodecContext *avctx)
    for (i = 0; i < 3; i++)
        av_free(s->codebooks[i].blocks);

-    av_frame_unref(&s->frame);
+    av_frame_free(&s->frame);

    return 0;
 }
@ -227,13 +230,13 @@ static int escape124_decode_frame(AVCodecContext *avctx,
    // Leave last frame unchanged
    // FIXME: Is this necessary?  I haven't seen it in any real samples
    if (!(frame_flags & 0x114) || !(frame_flags & 0x7800000)) {
-        if (!s->frame.data[0])
+        if (!s->frame->data[0])
            return AVERROR_INVALIDDATA;

        av_log(avctx, AV_LOG_DEBUG, "Skipping frame\n");

        *got_frame = 1;
-        if ((ret = av_frame_ref(frame, &s->frame)) < 0)
+        if ((ret = av_frame_ref(frame, s->frame)) < 0)
            return ret;

        return frame_size;
@ -272,8 +275,8 @@ static int escape124_decode_frame(AVCodecContext *avctx,

    new_frame_data = (uint16_t*)frame->data[0];
    new_stride = frame->linesize[0] / 2;
-    old_frame_data = (uint16_t*)s->frame.data[0];
-    old_stride = s->frame.linesize[0] / 2;
+    old_frame_data = (uint16_t*)s->frame->data[0];
+    old_stride = s->frame->linesize[0] / 2;

    for (superblock_index = 0; superblock_index < s->num_superblocks;
         superblock_index++) {
@ -350,8 +353,8 @@ static int escape124_decode_frame(AVCodecContext *avctx,
           "Escape sizes: %i, %i, %i\n",
           frame_size, buf_size, get_bits_count(&gb) / 8);

-    av_frame_unref(&s->frame);
-    if ((ret = av_frame_ref(&s->frame, frame)) < 0)
+    av_frame_unref(s->frame);
+    if ((ret = av_frame_ref(s->frame, frame)) < 0)
        return ret;

    *got_frame = 1;
--- a/libavcodec/faxcompr.c
+++ b/libavcodec/faxcompr.c
@ -251,7 +251,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs)
    PutBitContext pb;
    int run, mode = ~0, pix_left = width, run_idx = 0;

-    init_put_bits(&pb, dst, size * 8);
+    init_put_bits(&pb, dst, size);
    while (pix_left > 0) {
        run       = runs[run_idx++];
        mode      = ~mode;
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@ -53,6 +53,7 @@ av_cold int ffv1_common_init(AVCodecContext *avctx)
    s->last_picture.f = av_frame_alloc();
    if (!s->picture.f || !s->last_picture.f)
        return AVERROR(ENOMEM);
+
    ff_dsputil_init(&s->dsp, avctx);

    s->width  = avctx->width;
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@ -938,12 +938,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            uint8_t *dst[4];
            ff_thread_await_progress(&f->last_picture, INT_MAX, 0);
            for (j = 0; j < 4; j++) {
-                int sh = (j==1 || j==2) ? f->chroma_h_shift : 0;
-                int sv = (j==1 || j==2) ? f->chroma_v_shift : 0;
-                dst[j] = p->data[j] + p->linesize[j]*
-                         (fs->slice_y>>sv) + (fs->slice_x>>sh);
-                src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j]*
-                         (fs->slice_y>>sv) + (fs->slice_x>>sh);
+                int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0;
+                int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0;
+                dst[j] = p->data[j] + p->linesize[j] *
+                         (fs->slice_y >> sv) + (fs->slice_x >> sh);
+                src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] *
+                         (fs->slice_y >> sv) + (fs->slice_x >> sh);
            }
            av_image_copy(dst, p->linesize, (const uint8_t **)src,
                          f->last_picture.f->linesize,
--- a/libavcodec/ffv1enc.c
+++ b/libavcodec/ffv1enc.c
@ -771,6 +771,10 @@ static av_cold int encode_init(AVCodecContext *avctx)
        s->colorspace = 1;
        s->chroma_planes = 1;
        s->version = FFMAX(s->version, 1);
+        if (!s->ac) {
+            av_log(avctx, AV_LOG_ERROR, "bits_per_raw_sample of more than 8 needs -coder 1 currently\n");
+            return AVERROR(ENOSYS);
+        }
        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "format not supported\n");
@ -826,6 +830,12 @@ static av_cold int encode_init(AVCodecContext *avctx)
    if ((ret = ffv1_allocate_initial_states(s)) < 0)
        return ret;

+    avctx->coded_frame = av_frame_alloc();
+    if (!avctx->coded_frame)
+        return AVERROR(ENOMEM);
+
+    avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I;
+
    if (!s->transparency)
        s->plane_count = 2;
    if (!s->chroma_planes && s->version > 3)
@ -996,7 +1006,7 @@ static int encode_slice(AVCodecContext *c, void *arg)
    int height       = fs->slice_height;
    int x            = fs->slice_x;
    int y            = fs->slice_y;
-    AVFrame *const p = f->picture.f;
+    const AVFrame *const p = f->picture.f;
    const int ps     = av_pix_fmt_desc_get(c->pix_fmt)->comp[0].step_minus1 + 1;
    int ret;
    RangeCoder c_bak = fs->c;
@ -1004,7 +1014,7 @@ static int encode_slice(AVCodecContext *c, void *arg)
    fs->slice_coding_mode = 0;

 retry:
-    if (p->key_frame)
+    if (c->coded_frame->key_frame)
        ffv1_clear_slice_state(f, fs);
    if (f->version > 2) {
        encode_slice_header(f, fs);
@ -1080,16 +1090,16 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
    av_frame_unref(p);
    if ((ret = av_frame_ref(p, pict)) < 0)
        return ret;
-    p->pict_type = AV_PICTURE_TYPE_I;
+    avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I;

    if (avctx->gop_size == 0 || f->picture_number % avctx->gop_size == 0) {
        put_rac(c, &keystate, 1);
-        p->key_frame = 1;
+        avctx->coded_frame->key_frame = 1;
        f->gob_count++;
        write_header(f);
    } else {
        put_rac(c, &keystate, 0);
-        p->key_frame = 0;
+        avctx->coded_frame->key_frame = 0;
    }

    if (f->ac > 1) {
@ -1184,12 +1194,19 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,

    f->picture_number++;
    pkt->size   = buf_p - pkt->data;
-    pkt->flags |= AV_PKT_FLAG_KEY * p->key_frame;
+    pkt->flags |= AV_PKT_FLAG_KEY * avctx->coded_frame->key_frame;
    *got_packet = 1;

    return 0;
 }

+static av_cold int encode_close(AVCodecContext *avctx)
+{
+    av_frame_free(&avctx->coded_frame);
+    ffv1_close(avctx);
+    return 0;
+}
+
 #define OFFSET(x) offsetof(FFV1Context, x)
 #define VE AV_OPT_FLAG_VIDEO_PARAM | AV_OPT_FLAG_ENCODING_PARAM
 static const AVOption options[] = {
@ -1217,7 +1234,7 @@ AVCodec ff_ffv1_encoder = {
    .priv_data_size = sizeof(FFV1Context),
    .init           = encode_init,
    .encode2        = encode_frame,
-    .close          = ffv1_close,
+    .close          = encode_close,
    .capabilities   = CODEC_CAP_SLICE_THREADS,
    .pix_fmts       = (const enum AVPixelFormat[]) {
        AV_PIX_FMT_YUV420P,   AV_PIX_FMT_YUVA420P,  AV_PIX_FMT_YUVA422P,  AV_PIX_FMT_YUV444P,
--- a/libavcodec/ffwavesynth.c
+++ b/libavcodec/ffwavesynth.c
@ -93,7 +93,6 @@ struct wavesynth_context {
    int64_t cur_ts;
    int64_t next_ts;
    int32_t *sin;
-    AVFrame frame;
    struct ws_interval *inter;
    uint32_t dither_state;
    uint32_t pink_state;
@ -341,8 +340,6 @@ static av_cold int wavesynth_init(AVCodecContext *avc)
        ws->pink_need += ws->inter[i].type == WS_NOISE;
    ws->pink_state = MKTAG('P','I','N','K');
    ws->pink_pos = PINK_UNIT;
-    avcodec_get_frame_defaults(&ws->frame);
-    avc->coded_frame = &ws->frame;
    wavesynth_seek(ws, 0);
    avc->sample_fmt = AV_SAMPLE_FMT_S16;
    return 0;
@ -428,6 +425,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame,
                            AVPacket *packet)
 {
    struct wavesynth_context *ws = avc->priv_data;
+    AVFrame *frame = rframe;
    int64_t ts;
    int duration;
    int s, c, r;
@ -443,11 +441,11 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame,
    duration = AV_RL32(packet->data + 8);
    if (duration <= 0)
        return AVERROR(EINVAL);
-    ws->frame.nb_samples = duration;
-    r = ff_get_buffer(avc, &ws->frame, 0);
+    frame->nb_samples = duration;
+    r = ff_get_buffer(avc, frame, 0);
    if (r < 0)
        return r;
-    pcm = (int16_t *)ws->frame.data[0];
+    pcm = (int16_t *)frame->data[0];
    for (s = 0; s < duration; s++, ts++) {
        memset(channels, 0, avc->channels * sizeof(*channels));
        if (ts >= ws->next_ts)
@ -458,7 +456,6 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame,
    }
    ws->cur_ts += duration;
    *rgot_frame = 1;
-    *(AVFrame *)rframe = ws->frame;
    return packet->size;
 }

--- a/libavcodec/flac_parser.c
+++ b/libavcodec/flac_parser.c
@ -685,7 +685,7 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx,
 handle_error:
    *poutbuf      = NULL;
    *poutbuf_size = 0;
-    return read_end - buf;
+    return buf_size ? read_end - buf : 0;
 }

 static av_cold int flac_parse_init(AVCodecParserContext *c)
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@ -465,10 +465,10 @@ static int decode_frame(FLACContext *s)
        ret = allocate_buffers(s);
        if (ret < 0)
            return ret;
-        ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps);
        s->got_streaminfo = 1;
        dump_headers(s->avctx, (FLACStreaminfo *)s);
    }
+    ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps);

 //    dump_headers(s->avctx, (FLACStreaminfo *)s);

--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@ -50,7 +50,7 @@ typedef struct BlockInfo {

 typedef struct FlashSVContext {
    AVCodecContext *avctx;
-    AVFrame         frame;
+    AVFrame        *frame;
    int             image_width, image_height;
    int             block_width, block_height;
    uint8_t        *tmpblock;
@ -100,6 +100,19 @@ static int decode_hybrid(const uint8_t *sptr, uint8_t *dptr, int dx, int dy,
    return sptr - orig_src;
 }

+static av_cold int flashsv_decode_end(AVCodecContext *avctx)
+{
+    FlashSVContext *s = avctx->priv_data;
+    inflateEnd(&s->zstream);
+    /* release the frame if needed */
+    av_frame_free(&s->frame);
+
+    /* free the tmpblock */
+    av_freep(&s->tmpblock);
+
+    return 0;
+}
+
 static av_cold int flashsv_decode_init(AVCodecContext *avctx)
 {
    FlashSVContext *s = avctx->priv_data;
@ -115,7 +128,12 @@ static av_cold int flashsv_decode_init(AVCodecContext *avctx)
        return 1;
    }
    avctx->pix_fmt = AV_PIX_FMT_BGR24;
-    avcodec_get_frame_defaults(&s->frame);
+
+    s->frame = av_frame_alloc();
+    if (!s->frame) {
+        flashsv_decode_end(avctx);
+        return AVERROR(ENOMEM);
+    }

    return 0;
 }
@ -205,18 +223,18 @@ static int flashsv_decode_block(AVCodecContext *avctx, AVPacket *avpkt,
        /* Flash Screen Video stores the image upside down, so copy
         * lines to destination in reverse order. */
        for (k = 1; k <= s->diff_height; k++) {
-            memcpy(s->frame.data[0] + x_pos * 3 +
-                   (s->image_height - y_pos - s->diff_start - k) * s->frame.linesize[0],
+            memcpy(s->frame->data[0] + x_pos * 3 +
+                   (s->image_height - y_pos - s->diff_start - k) * s->frame->linesize[0],
                   line, width * 3);
            /* advance source pointer to next line */
            line += width * 3;
        }
    } else {
        /* hybrid 15-bit/palette mode */
-        decode_hybrid(s->tmpblock, s->frame.data[0],
+        decode_hybrid(s->tmpblock, s->frame->data[0],
                      s->image_height - (y_pos + 1 + s->diff_start + s->diff_height),
                      x_pos, s->diff_height, width,
-                      s->frame.linesize[0], s->pal);
+                      s->frame->linesize[0], s->pal);
    }
    skip_bits_long(gb, 8 * block_size); /* skip the consumed bits */
    return 0;
@ -337,7 +355,7 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
            s->image_width, s->image_height, s->block_width, s->block_height,
            h_blocks, v_blocks, h_part, v_part);

-    if ((ret = ff_reget_buffer(avctx, &s->frame)) < 0)
+    if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
        return ret;

    /* loop over all block columns */
@ -362,7 +380,7 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
            s->diff_height    = cur_blk_height;

            if (8 * size > get_bits_left(&gb)) {
-                av_frame_unref(&s->frame);
+                av_frame_unref(s->frame);
                return AVERROR_INVALIDDATA;
            }

@ -418,11 +436,11 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,

            if (has_diff) {
                int k;
-                int off = (s->image_height - y_pos - 1) * s->frame.linesize[0];
+                int off = (s->image_height - y_pos - 1) * s->frame->linesize[0];

                for (k = 0; k < cur_blk_height; k++)
-                    memcpy(s->frame.data[0] + off - k*s->frame.linesize[0] + x_pos*3,
-                           s->keyframe + off - k*s->frame.linesize[0] + x_pos*3,
+                    memcpy(s->frame->data[0] + off - k*s->frame->linesize[0] + x_pos*3,
+                           s->keyframe + off - k*s->frame->linesize[0] + x_pos*3,
                           cur_blk_width * 3);
            }

@ -439,16 +457,16 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
    }
    if (s->is_keyframe && s->ver == 2) {
        if (!s->keyframe) {
-            s->keyframe = av_malloc(s->frame.linesize[0] * avctx->height);
+            s->keyframe = av_malloc(s->frame->linesize[0] * avctx->height);
            if (!s->keyframe) {
                av_log(avctx, AV_LOG_ERROR, "Cannot allocate image data\n");
                return AVERROR(ENOMEM);
            }
        }
-        memcpy(s->keyframe, s->frame.data[0], s->frame.linesize[0] * avctx->height);
+        memcpy(s->keyframe, s->frame->data[0], s->frame->linesize[0] * avctx->height);
    }

-    if ((ret = av_frame_ref(data, &s->frame)) < 0)
+    if ((ret = av_frame_ref(data, s->frame)) < 0)
        return ret;

    *got_frame = 1;
@ -461,21 +479,6 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
    return buf_size;
 }

-
-static av_cold int flashsv_decode_end(AVCodecContext *avctx)
-{
-    FlashSVContext *s = avctx->priv_data;
-    inflateEnd(&s->zstream);
-    /* release the frame if needed */
-    av_frame_unref(&s->frame);
-
-    /* free the tmpblock */
-    av_free(s->tmpblock);
-
-    return 0;
-}
-
-
 #if CONFIG_FLASHSV_DECODER
 AVCodec ff_flashsv_decoder = {
    .name           = "flashsv",
--- a/libavcodec/flashsv2enc.c
+++ b/libavcodec/flashsv2enc.c
@ -87,7 +87,6 @@ typedef struct FlashSV2Context {
    AVCodecContext *avctx;
    uint8_t *current_frame;
    uint8_t *key_frame;
-    AVFrame frame;
    uint8_t *encbuffer;
    uint8_t *keybuffer;
    uint8_t *databuffer;
@ -288,7 +287,7 @@ static int write_header(FlashSV2Context * s, uint8_t * buf, int buf_size)
    if (buf_size < 5)
        return -1;

-    init_put_bits(&pb, buf, buf_size * 8);
+    init_put_bits(&pb, buf, buf_size);

    put_bits(&pb, 4, (s->block_width  >> 4) - 1);
    put_bits(&pb, 12, s->image_width);
@ -849,15 +848,12 @@ static int reconfigure_at_keyframe(FlashSV2Context * s, const uint8_t * image,
 }

 static int flashsv2_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
-                                 const AVFrame *pict, int *got_packet)
+                                 const AVFrame *p, int *got_packet)
 {
    FlashSV2Context *const s = avctx->priv_data;
-    AVFrame *const p = &s->frame;
    int res;
    int keyframe = 0;

-    *p = *pict;
-
    if ((res = ff_alloc_packet2(avctx, pkt, s->frame_size + FF_MIN_BUFFER_SIZE)) < 0)
        return res;

@ -891,18 +887,11 @@ static int flashsv2_encode_frame(AVCodecContext *avctx, AVPacket *pkt,

    if (keyframe) {
        new_key_frame(s);
-        p->pict_type = AV_PICTURE_TYPE_I;
-        p->key_frame = 1;
        s->last_key_frame = avctx->frame_number;
        pkt->flags |= AV_PKT_FLAG_KEY;
        av_log(avctx, AV_LOG_DEBUG, "Inserting key frame at frame %d\n", avctx->frame_number);
-    } else {
-        p->pict_type = AV_PICTURE_TYPE_P;
-        p->key_frame = 0;
    }

-    avctx->coded_frame = p;
-
    pkt->size = res;
    *got_packet = 1;

--- a/libavcodec/flashsvenc.c
+++ b/libavcodec/flashsvenc.c
@ -57,7 +57,6 @@
 typedef struct FlashSVContext {
    AVCodecContext *avctx;
    uint8_t        *previous_frame;
-    AVFrame         frame;
    int             image_width, image_height;
    int             block_width, block_height;
    uint8_t        *tmpblock;
@ -89,6 +88,21 @@ static int copy_region_enc(uint8_t *sptr, uint8_t *dptr, int dx, int dy,
    return 0;
 }

+static av_cold int flashsv_encode_end(AVCodecContext *avctx)
+{
+    FlashSVContext *s = avctx->priv_data;
+
+    deflateEnd(&s->zstream);
+
+    av_free(s->encbuffer);
+    av_free(s->previous_frame);
+    av_free(s->tmpblock);
+
+    av_frame_free(&avctx->coded_frame);
+
+    return 0;
+}
+
 static av_cold int flashsv_encode_init(AVCodecContext *avctx)
 {
    FlashSVContext *s = avctx->priv_data;
@ -117,11 +131,17 @@ static av_cold int flashsv_encode_init(AVCodecContext *avctx)
        return AVERROR(ENOMEM);
    }

+    avctx->coded_frame = av_frame_alloc();
+    if (!avctx->coded_frame) {
+        flashsv_encode_end(avctx);
+        return AVERROR(ENOMEM);
+    }
+
    return 0;
 }


-static int encode_bitstream(FlashSVContext *s, AVFrame *p, uint8_t *buf,
+static int encode_bitstream(FlashSVContext *s, const AVFrame *p, uint8_t *buf,
                            int buf_size, int block_width, int block_height,
                            uint8_t *previous_frame, int *I_frame)
 {
@ -131,7 +151,7 @@ static int encode_bitstream(FlashSVContext *s, AVFrame *p, uint8_t *buf,
    int buf_pos, res;
    int pred_blocks = 0;

-    init_put_bits(&pb, buf, buf_size * 8);
+    init_put_bits(&pb, buf, buf_size);

    put_bits(&pb,  4, block_width / 16 - 1);
    put_bits(&pb, 12, s->image_width);
@ -199,14 +219,12 @@ static int flashsv_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
                                const AVFrame *pict, int *got_packet)
 {
    FlashSVContext * const s = avctx->priv_data;
-    AVFrame * const p = &s->frame;
+    const AVFrame * const p = pict;
    uint8_t *pfptr;
    int res;
    int I_frame = 0;
    int opt_w = 4, opt_h = 4;

-    *p = *pict;
-
    /* First frame needs to be a keyframe */
    if (avctx->frame_number == 0) {
        s->previous_frame = av_mallocz(FFABS(p->linesize[0]) * s->image_height);
@ -244,37 +262,22 @@ static int flashsv_encode_frame(AVCodecContext *avctx, AVPacket *pkt,

    //mark the frame type so the muxer can mux it correctly
    if (I_frame) {
-        p->pict_type      = AV_PICTURE_TYPE_I;
-        p->key_frame      = 1;
+        avctx->coded_frame->pict_type      = AV_PICTURE_TYPE_I;
+        avctx->coded_frame->key_frame      = 1;
        s->last_key_frame = avctx->frame_number;
        av_dlog(avctx, "Inserting keyframe at frame %d\n", avctx->frame_number);
    } else {
-        p->pict_type = AV_PICTURE_TYPE_P;
-        p->key_frame = 0;
+        avctx->coded_frame->pict_type = AV_PICTURE_TYPE_P;
+        avctx->coded_frame->key_frame = 0;
    }

-    avctx->coded_frame = p;
-
-    if (p->key_frame)
+    if (avctx->coded_frame->key_frame)
        pkt->flags |= AV_PKT_FLAG_KEY;
    *got_packet = 1;

    return 0;
 }

-static av_cold int flashsv_encode_end(AVCodecContext *avctx)
-{
-    FlashSVContext *s = avctx->priv_data;
-
-    deflateEnd(&s->zstream);
-
-    av_free(s->encbuffer);
-    av_free(s->previous_frame);
-    av_free(s->tmpblock);
-
-    return 0;
-}
-
 AVCodec ff_flashsv_encoder = {
    .name           = "flashsv",
    .long_name      = NULL_IF_CONFIG_SMALL("Flash Screen Video"),
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@ -71,7 +71,7 @@

 typedef struct FlicDecodeContext {
    AVCodecContext *avctx;
-    AVFrame frame;
+    AVFrame *frame;

    unsigned int palette[256];
    int new_palette;
@ -141,7 +141,10 @@ static av_cold int flic_decode_init(AVCodecContext *avctx)
                  return AVERROR_INVALIDDATA;
    }

-    avcodec_get_frame_defaults(&s->frame);
+    s->frame = av_frame_alloc();
+    if (!s->frame)
+        return AVERROR(ENOMEM);
+
    s->new_palette = 0;

    return 0;
@ -185,11 +188,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,

    bytestream2_init(&g2, buf, buf_size);

-    if ((ret = ff_reget_buffer(avctx, &s->frame)) < 0)
+    if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
        return ret;

-    pixels = s->frame.data[0];
-    pixel_limit = s->avctx->height * s->frame.linesize[0];
+    pixels = s->frame->data[0];
+    pixel_limit = s->avctx->height * s->frame->linesize[0];
    if (buf_size < 16 || buf_size > INT_MAX - (3 * 256 + FF_INPUT_BUFFER_PADDING_SIZE))
        return AVERROR_INVALIDDATA;
    frame_size = bytestream2_get_le32(&g2);
@ -273,12 +276,12 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                if ((line_packets & 0xC000) == 0xC000) {
                    // line skip opcode
                    line_packets = -line_packets;
-                    y_ptr += line_packets * s->frame.linesize[0];
+                    y_ptr += line_packets * s->frame->linesize[0];
                } else if ((line_packets & 0xC000) == 0x4000) {
                    av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets);
                } else if ((line_packets & 0xC000) == 0x8000) {
                    // "last byte" opcode
-                    pixel_ptr= y_ptr + s->frame.linesize[0] - 1;
+                    pixel_ptr= y_ptr + s->frame->linesize[0] - 1;
                    CHECK_PIXEL_PTR(0);
                    pixels[pixel_ptr] = line_packets & 0xff;
                } else {
@ -313,7 +316,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                        }
                    }

-                    y_ptr += s->frame.linesize[0];
+                    y_ptr += s->frame->linesize[0];
                }
            }
            break;
@ -322,7 +325,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
            /* line compressed */
            starting_line = bytestream2_get_le16(&g2);
            y_ptr = 0;
-            y_ptr += starting_line * s->frame.linesize[0];
+            y_ptr += starting_line * s->frame->linesize[0];

            compressed_lines = bytestream2_get_le16(&g2);
            while (compressed_lines > 0) {
@ -359,7 +362,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                    }
                }

-                y_ptr += s->frame.linesize[0];
+                y_ptr += s->frame->linesize[0];
                compressed_lines--;
            }
            break;
@ -367,7 +370,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
        case FLI_BLACK:
            /* set the whole frame to color 0 (which is usually black) */
            memset(pixels, 0,
-                s->frame.linesize[0] * s->avctx->height);
+                s->frame->linesize[0] * s->avctx->height);
            break;

        case FLI_BRUN:
@ -414,7 +417,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                    }
                }

-                y_ptr += s->frame.linesize[0];
+                y_ptr += s->frame->linesize[0];
            }
            break;

@ -425,8 +428,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                       "has incorrect size, skipping chunk\n", chunk_size - 6);
                bytestream2_skip(&g2, chunk_size - 6);
            } else {
-                for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height;
-                     y_ptr += s->frame.linesize[0]) {
+                for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height;
+                     y_ptr += s->frame->linesize[0]) {
                    bytestream2_get_buffer(&g2, &pixels[y_ptr],
                                           s->avctx->width);
                }
@ -457,13 +460,13 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
               buf_size - bytestream2_get_bytes_left(&g2));

    /* make the palette available on the way out */
-    memcpy(s->frame.data[1], s->palette, AVPALETTE_SIZE);
+    memcpy(s->frame->data[1], s->palette, AVPALETTE_SIZE);
    if (s->new_palette) {
-        s->frame.palette_has_changed = 1;
+        s->frame->palette_has_changed = 1;
        s->new_palette = 0;
    }

-    if ((ret = av_frame_ref(data, &s->frame)) < 0)
+    if ((ret = av_frame_ref(data, s->frame)) < 0)
        return ret;

    *got_frame = 1;
@ -504,11 +507,11 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,

    bytestream2_init(&g2, buf, buf_size);

-    if ((ret = ff_reget_buffer(avctx, &s->frame)) < 0)
+    if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
        return ret;

-    pixels = s->frame.data[0];
-    pixel_limit = s->avctx->height * s->frame.linesize[0];
+    pixels = s->frame->data[0];
+    pixel_limit = s->avctx->height * s->frame->linesize[0];

    frame_size = bytestream2_get_le32(&g2);
    bytestream2_skip(&g2, 2);  /* skip the magic number */
@ -556,7 +559,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
                line_packets = bytestream2_get_le16(&g2);
                if (line_packets < 0) {
                    line_packets = -line_packets;
-                    y_ptr += line_packets * s->frame.linesize[0];
+                    y_ptr += line_packets * s->frame->linesize[0];
                } else {
                    compressed_lines--;
                    pixel_ptr = y_ptr;
@ -589,7 +592,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
                        }
                    }

-                    y_ptr += s->frame.linesize[0];
+                    y_ptr += s->frame->linesize[0];
                }
            }
            break;
@ -602,7 +605,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
        case FLI_BLACK:
            /* set the whole frame to 0x0000 which is black in both 15Bpp and 16Bpp modes. */
            memset(pixels, 0x0000,
-                   s->frame.linesize[0] * s->avctx->height);
+                   s->frame->linesize[0] * s->avctx->height);
            break;

        case FLI_BRUN:
@ -657,7 +660,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
                    pixel_ptr += 2;
                }
 #endif
-                y_ptr += s->frame.linesize[0];
+                y_ptr += s->frame->linesize[0];
            }
            break;

@ -701,7 +704,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
                    }
                }

-                y_ptr += s->frame.linesize[0];
+                y_ptr += s->frame->linesize[0];
            }
            break;

@ -714,8 +717,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
                bytestream2_skip(&g2, chunk_size - 6);
            } else {

-                for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height;
-                     y_ptr += s->frame.linesize[0]) {
+                for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height;
+                     y_ptr += s->frame->linesize[0]) {

                    pixel_countdown = s->avctx->width;
                    pixel_ptr = 0;
@ -748,7 +751,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
        av_log(avctx, AV_LOG_ERROR, "Processed FLI chunk where chunk size = %d " \
               "and final chunk ptr = %d\n", buf_size, bytestream2_tell(&g2));

-    if ((ret = av_frame_ref(data, &s->frame)) < 0)
+    if ((ret = av_frame_ref(data, s->frame)) < 0)
        return ret;

    *got_frame = 1;
@ -797,7 +800,7 @@ static av_cold int flic_decode_end(AVCodecContext *avctx)
 {
    FlicDecodeContext *s = avctx->priv_data;

-    av_frame_unref(&s->frame);
+    av_frame_free(&s->frame);

    return 0;
 }
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@ -375,6 +375,8 @@ static int kempf_decode_tile(G2MContext *c, int tile_x, int tile_y,
        src += 3;
    }
    npal = *src++ + 1;
+    if (src_end - src < npal * 3)
+        return AVERROR_INVALIDDATA;
    memcpy(pal, src, npal * 3); src += npal * 3;
    if (sub_type != 2) {
        for (i = 0; i < npal; i++) {
@ -490,7 +492,7 @@ static int g2m_load_cursor(AVCodecContext *avctx, G2MContext *c,
    cursor_hot_y  = bytestream2_get_byte(gb);
    cursor_fmt    = bytestream2_get_byte(gb);

-    cursor_stride = FFALIGN(cursor_w, c->cursor_fmt==1 ? 32 : 1) * 4;
+    cursor_stride = FFALIGN(cursor_w, cursor_fmt==1 ? 32 : 1) * 4;

    if (cursor_w < 1 || cursor_w > 256 ||
        cursor_h < 1 || cursor_h > 256) {
@ -707,11 +709,15 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,
                av_log(avctx, AV_LOG_ERROR,
                       "Unknown compression method %d\n",
                       c->compression);
-                return AVERROR_PATCHWELCOME;
+                ret = AVERROR_PATCHWELCOME;
+                goto header_fail;
            }
            c->tile_width  = bytestream2_get_be32(&bc);
            c->tile_height = bytestream2_get_be32(&bc);
-            if (!c->tile_width || !c->tile_height) {
+            if (c->tile_width <= 0 || c->tile_height <= 0 ||
+                ((c->tile_width | c->tile_height) & 0xF) ||
+                c->tile_width * 4LL * c->tile_height >= INT_MAX
+            ) {
                av_log(avctx, AV_LOG_ERROR,
                       "Invalid tile dimensions %dx%d\n",
                       c->tile_width, c->tile_height);
--- a/libavcodec/g723_1.c
+++ b/libavcodec/g723_1.c
@ -2285,7 +2285,8 @@ static int pack_bitstream(G723_1_Context *p, unsigned char *frame, int size)
    if (p->cur_rate == RATE_6300) {
        info_bits = 0;
        put_bits(&pb, 2, info_bits);
-    }
+    }else
+        av_assert0(0);

    put_bits(&pb, 8, p->lsp_index[2]);
    put_bits(&pb, 8, p->lsp_index[1]);
--- a/libavcodec/gif.c
+++ b/libavcodec/gif.c
@ -216,6 +216,13 @@ static av_cold int gif_encode_init(AVCodecContext *avctx)
        return AVERROR(EINVAL);
    }

+    avctx->coded_frame = av_frame_alloc();
+    if (!avctx->coded_frame)
+        return AVERROR(ENOMEM);
+
+    avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I;
+    avctx->coded_frame->key_frame = 1;
+
    s->lzw = av_mallocz(ff_lzw_encode_state_size);
    s->buf = av_malloc(avctx->width*avctx->height*2);
    s->tmpl = av_malloc(avctx->width);
@ -232,7 +239,6 @@ static int gif_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
                            const AVFrame *pict, int *got_packet)
 {
    GIFContext *s = avctx->priv_data;
-    AVFrame *const p = (AVFrame *)pict;
    uint8_t *outbuf_ptr, *end;
    const uint32_t *palette = NULL;
    int ret;
@ -242,15 +248,12 @@ static int gif_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
    outbuf_ptr = pkt->data;
    end        = pkt->data + pkt->size;

-    p->pict_type = AV_PICTURE_TYPE_I;
-    p->key_frame = 1;
-
    if (avctx->pix_fmt == AV_PIX_FMT_PAL8) {
        uint8_t *pal_exdata = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, AVPALETTE_SIZE);
        if (!pal_exdata)
            return AVERROR(ENOMEM);
-        memcpy(pal_exdata, p->data[1], AVPALETTE_SIZE);
-        palette = (uint32_t*)p->data[1];
+        memcpy(pal_exdata, pict->data[1], AVPALETTE_SIZE);
+        palette = (uint32_t*)pict->data[1];
    }

    gif_image_write_image(avctx, &outbuf_ptr, end, palette,
@ -276,6 +279,8 @@ static int gif_encode_close(AVCodecContext *avctx)
 {
    GIFContext *s = avctx->priv_data;

+    av_frame_free(&avctx->coded_frame);
+
    av_freep(&s->lzw);
    av_freep(&s->buf);
    av_frame_free(&s->last_frame);
--- a/libavcodec/gifdec.c
+++ b/libavcodec/gifdec.c
@ -251,26 +251,21 @@ static int gif_read_image(GifState *s, AVFrame *frame)
            case 1:
                y1 += 8;
                ptr += linesize * 8;
-                if (y1 >= height) {
-                    y1 = pass ? 2 : 4;
-                    ptr = ptr1 + linesize * y1;
-                    pass++;
-                }
                break;
            case 2:
                y1 += 4;
                ptr += linesize * 4;
-                if (y1 >= height) {
-                    y1 = 1;
-                    ptr = ptr1 + linesize;
-                    pass++;
-                }
                break;
            case 3:
                y1 += 2;
                ptr += linesize * 2;
                break;
            }
+            while (y1 >= height) {
+                y1 = 4 >> pass;
+                ptr = ptr1 + linesize * y1;
+                pass++;
+            }
        } else {
            ptr += linesize;
        }
--- a/libavcodec/golomb-test.c
+++ b/libavcodec/golomb-test.c
@ -58,7 +58,7 @@ int main(void)
        }
    }

-#define EXTEND(i) (i << 3 | i & 7)
+#define EXTEND(i) ((i) << 3 | (i) & 7)
    init_put_bits(&pb, temp, SIZE);
    for (i = 0; i < COUNT; i++)
        set_ue_golomb(&pb, EXTEND(i));
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@ -755,10 +755,9 @@ frame_end:
        }

        if (startcode_found) {
-            av_fast_malloc(&s->bitstream_buffer,
+            av_fast_padded_mallocz(&s->bitstream_buffer,
                           &s->allocated_bitstream_buffer_size,
-                           buf_size - current_pos +
-                           FF_INPUT_BUFFER_PADDING_SIZE);
+                           buf_size - current_pos);
            if (!s->bitstream_buffer)
                return AVERROR(ENOMEM);
            memcpy(s->bitstream_buffer, buf + current_pos,
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@ -452,6 +452,18 @@ static int alloc_picture(H264Context *h, Picture *pic)
            pic->hwaccel_picture_private = pic->hwaccel_priv_buf->data;
        }
    }
+    if (!h->avctx->hwaccel && CONFIG_GRAY && h->flags & CODEC_FLAG_GRAY && pic->f.data[2]) {
+        int h_chroma_shift, v_chroma_shift;
+        av_pix_fmt_get_chroma_sub_sample(pic->f.format,
+                                         &h_chroma_shift, &v_chroma_shift);
+
+        for(i=0; i<FF_CEIL_RSHIFT(h->avctx->height, v_chroma_shift); i++) {
+            memset(pic->f.data[1] + pic->f.linesize[1]*i,
+                   0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift));
+            memset(pic->f.data[2] + pic->f.linesize[2]*i,
+                   0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift));
+        }
+    }

    if (!h->qscale_table_pool) {
        ret = init_table_pools(h);
@ -586,18 +598,18 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma)

    if ((h->left_samples_available & 0x8080) != 0x8080) {
        mode = left[mode];
-        if (is_chroma && (h->left_samples_available & 0x8080)) {
-            // mad cow disease mode, aka MBAFF + constrained_intra_pred
-            mode = ALZHEIMER_DC_L0T_PRED8x8 +
-                   (!(h->left_samples_available & 0x8000)) +
-                   2 * (mode == DC_128_PRED8x8);
-        }
        if (mode < 0) {
            av_log(h->avctx, AV_LOG_ERROR,
                   "left block unavailable for requested intra mode at %d %d\n",
                   h->mb_x, h->mb_y);
            return AVERROR_INVALIDDATA;
        }
+        if (is_chroma && (h->left_samples_available & 0x8080)) {
+            // mad cow disease mode, aka MBAFF + constrained_intra_pred
+            mode = ALZHEIMER_DC_L0T_PRED8x8 +
+                   (!(h->left_samples_available & 0x8000)) +
+                   2 * (mode == DC_128_PRED8x8);
+        }
    }

    return mode;
@ -619,7 +631,7 @@ const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src,

 #define STARTCODE_TEST                                                  \
    if (i + 2 < length && src[i + 1] == 0 && src[i + 2] <= 3) {         \
-        if (src[i + 2] != 3) {                                          \
+        if (src[i + 2] != 3 && src[i + 2] != 0) {                       \
            /* startcode, so we must be past the end */                 \
            length = i;                                                 \
        }                                                               \
@ -692,7 +704,7 @@ const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src,
        if (src[si + 2] > 3) {
            dst[di++] = src[si++];
            dst[di++] = src[si++];
-        } else if (src[si] == 0 && src[si + 1] == 0) {
+        } else if (src[si] == 0 && src[si + 1] == 0 && src[si + 2] != 0) {
            if (src[si + 2] == 3) { // escape
                dst[di++]  = 0;
                dst[di++]  = 0;
@ -1219,6 +1231,7 @@ static void free_tables(H264Context *h, int free_rbsp)
    av_buffer_pool_uninit(&h->ref_index_pool);

    if (free_rbsp && h->DPB) {
+        memset(h->delayed_pic, 0, sizeof(h->delayed_pic));
        for (i = 0; i < MAX_PICTURE_COUNT; i++)
            unref_picture(h, &h->DPB[i]);
        av_freep(&h->DPB);
@ -1686,6 +1699,7 @@ static int decode_init_thread_copy(AVCodecContext *avctx)
    memset(h->sps_buffers, 0, sizeof(h->sps_buffers));
    memset(h->pps_buffers, 0, sizeof(h->pps_buffers));

+    h->avctx          = avctx;
    h->rbsp_buffer[0] = NULL;
    h->rbsp_buffer[1] = NULL;
    h->rbsp_buffer_size[0] = 0;
@ -1787,6 +1801,7 @@ static int decode_update_thread_context(AVCodecContext *dst,
        memset(&h->mb, 0, sizeof(h->mb));
        memset(&h->mb_luma_dc, 0, sizeof(h->mb_luma_dc));
        memset(&h->mb_padding, 0, sizeof(h->mb_padding));
+        memset(&h->cur_pic, 0, sizeof(h->cur_pic));

        h->avctx             = dst;
        h->DPB               = NULL;
@ -1794,6 +1809,17 @@ static int decode_update_thread_context(AVCodecContext *dst,
        h->mb_type_pool      = NULL;
        h->ref_index_pool    = NULL;
        h->motion_val_pool   = NULL;
+        h->intra4x4_pred_mode= NULL;
+        h->non_zero_count    = NULL;
+        h->slice_table_base  = NULL;
+        h->slice_table       = NULL;
+        h->cbp_table         = NULL;
+        h->chroma_pred_mode_table = NULL;
+        memset(h->mvd_table, 0, sizeof(h->mvd_table));
+        h->direct_table      = NULL;
+        h->list_counts       = NULL;
+        h->mb2b_xy           = NULL;
+        h->mb2br_xy          = NULL;
        for (i = 0; i < 2; i++) {
            h->rbsp_buffer[i] = NULL;
            h->rbsp_buffer_size[i] = 0;
@ -1839,7 +1865,7 @@ static int decode_update_thread_context(AVCodecContext *dst,

    for (i = 0; h->DPB && i < MAX_PICTURE_COUNT; i++) {
        unref_picture(h, &h->DPB[i]);
-        if (h1->DPB[i].f.data[0] &&
+        if (h1->DPB && h1->DPB[i].f.data[0] &&
            (ret = ref_picture(h, &h->DPB[i], &h1->DPB[i])) < 0)
            return ret;
    }
@ -1957,6 +1983,10 @@ static int h264_frame_start(H264Context *h)

    h->cur_pic_ptr = pic;
    unref_picture(h, &h->cur_pic);
+    if (CONFIG_ERROR_RESILIENCE) {
+        h->er.cur_pic = NULL;
+    }
+
    if ((ret = ref_picture(h, &h->cur_pic, h->cur_pic_ptr)) < 0)
        return ret;

@ -2612,6 +2642,16 @@ int ff_pred_weight_table(H264Context *h)
    h->luma_log2_weight_denom = get_ue_golomb(&h->gb);
    if (h->sps.chroma_format_idc)
        h->chroma_log2_weight_denom = get_ue_golomb(&h->gb);
+
+    if (h->luma_log2_weight_denom > 7U) {
+        av_log(h->avctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", h->luma_log2_weight_denom);
+        h->luma_log2_weight_denom = 0;
+    }
+    if (h->chroma_log2_weight_denom > 7U) {
+        av_log(h->avctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", h->chroma_log2_weight_denom);
+        h->chroma_log2_weight_denom = 0;
+    }
+
    luma_def   = 1 << h->luma_log2_weight_denom;
    chroma_def = 1 << h->chroma_log2_weight_denom;

@ -3354,6 +3394,17 @@ int ff_set_ref_count(H264Context *h)
    return 0;
 }

+static enum AVPixelFormat non_j_pixfmt(enum AVPixelFormat a)
+{
+    switch (a) {
+    case AV_PIX_FMT_YUVJ420P: return AV_PIX_FMT_YUV420P;
+    case AV_PIX_FMT_YUVJ422P: return AV_PIX_FMT_YUV422P;
+    case AV_PIX_FMT_YUVJ444P: return AV_PIX_FMT_YUV444P;
+    default:
+        return a;
+    }
+}
+
 /**
 * Decode a slice header.
 * This will also call ff_MPV_common_init() and frame_start() as needed.
@ -3374,6 +3425,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
    int must_reinit;
    int needs_reinit = 0;
    int field_pic_flag, bottom_field_flag;
+    int first_slice = h == h0 && !h0->current_slice;
+    int frame_num, picture_structure, droppable;
+    PPS *pps;

    h->me.qpel_put = h->h264qpel.put_h264_qpel_pixels_tab;
    h->me.qpel_avg = h->h264qpel.avg_h264_qpel_pixels_tab;
@ -3426,20 +3480,33 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
               pps_id);
        return AVERROR_INVALIDDATA;
    }
-    h->pps = *h0->pps_buffers[pps_id];
+    if (h0->au_pps_id >= 0 && pps_id != h0->au_pps_id) {
+        av_log(h->avctx, AV_LOG_ERROR,
+               "PPS change from %d to %d forbidden\n",
+               h0->au_pps_id, pps_id);
+        return AVERROR_INVALIDDATA;
+    }

-    if (!h0->sps_buffers[h->pps.sps_id]) {
+    pps = h0->pps_buffers[pps_id];
+
+    if (!h0->sps_buffers[pps->sps_id]) {
        av_log(h->avctx, AV_LOG_ERROR,
               "non-existing SPS %u referenced\n",
               h->pps.sps_id);
        return AVERROR_INVALIDDATA;
    }
+    if (first_slice)
+        h->pps = *h0->pps_buffers[pps_id];

-    if (h->pps.sps_id != h->current_sps_id ||
-        h0->sps_buffers[h->pps.sps_id]->new) {
-        h0->sps_buffers[h->pps.sps_id]->new = 0;
+    if (pps->sps_id != h->current_sps_id ||
+        h0->sps_buffers[pps->sps_id]->new) {
+
+        if (!first_slice) {
+            av_log(h->avctx, AV_LOG_ERROR,
+               "SPS changed in the middle of the frame\n");
+            return AVERROR_INVALIDDATA;
+        }

-        h->current_sps_id = h->pps.sps_id;
        h->sps            = *h0->sps_buffers[h->pps.sps_id];

        if (h->mb_width  != h->sps.mb_width ||
@ -3468,11 +3535,13 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
                     || 16*h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) != h->avctx->coded_height
                     || h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma
                     || h->cur_chroma_format_idc != h->sps.chroma_format_idc
-                     || av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio)
                     || h->mb_width  != h->sps.mb_width
                     || h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag)
                    ));
-    if (h0->avctx->pix_fmt != get_pixel_format(h0, 0))
+    if (non_j_pixfmt(h0->avctx->pix_fmt) != non_j_pixfmt(get_pixel_format(h0, 0)))
+        must_reinit = 1;
+
+    if (first_slice && av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio))
        must_reinit = 1;

    h->mb_width  = h->sps.mb_width;
@ -3547,44 +3616,48 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
        }
    }

-    if (h == h0 && h->dequant_coeff_pps != pps_id) {
+    if (first_slice && h->dequant_coeff_pps != pps_id) {
        h->dequant_coeff_pps = pps_id;
        init_dequant_tables(h);
    }

-    h->frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num);
+    frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num);
+    if (!first_slice) {
+        if (h0->frame_num != frame_num) {
+            av_log(h->avctx, AV_LOG_ERROR, "Frame num change from %d to %d\n",
+                   h0->frame_num, frame_num);
+            return AVERROR_INVALIDDATA;
+        }
+    }

    h->mb_mbaff        = 0;
    h->mb_aff_frame    = 0;
    last_pic_structure = h0->picture_structure;
    last_pic_droppable = h0->droppable;
-    h->droppable       = h->nal_ref_idc == 0;
+    droppable          = h->nal_ref_idc == 0;
    if (h->sps.frame_mbs_only_flag) {
-        h->picture_structure = PICT_FRAME;
+        picture_structure = PICT_FRAME;
    } else {
        if (!h->sps.direct_8x8_inference_flag && slice_type == AV_PICTURE_TYPE_B) {
            av_log(h->avctx, AV_LOG_ERROR, "This stream was generated by a broken encoder, invalid 8x8 inference\n");
            return -1;
        }
        field_pic_flag = get_bits1(&h->gb);
+
        if (field_pic_flag) {
            bottom_field_flag = get_bits1(&h->gb);
-            h->picture_structure = PICT_TOP_FIELD + bottom_field_flag;
+            picture_structure = PICT_TOP_FIELD + bottom_field_flag;
        } else {
-            h->picture_structure = PICT_FRAME;
+            picture_structure = PICT_FRAME;
            h->mb_aff_frame      = h->sps.mb_aff;
        }
    }
-    h->mb_field_decoding_flag = h->picture_structure != PICT_FRAME;
-
-    if (h0->current_slice != 0) {
-        if (last_pic_structure != h->picture_structure ||
-            last_pic_droppable != h->droppable) {
+    if (h0->current_slice) {
+        if (last_pic_structure != picture_structure ||
+            last_pic_droppable != droppable) {
            av_log(h->avctx, AV_LOG_ERROR,
                   "Changing field mode (%d -> %d) between slices is not allowed\n",
                   last_pic_structure, h->picture_structure);
-            h->picture_structure = last_pic_structure;
-            h->droppable         = last_pic_droppable;
            return AVERROR_INVALIDDATA;
        } else if (!h0->cur_pic_ptr) {
            av_log(h->avctx, AV_LOG_ERROR,
@ -3592,10 +3665,17 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
                   h0->current_slice + 1);
            return AVERROR_INVALIDDATA;
        }
-    } else {
+    }
+
+    h->picture_structure = picture_structure;
+    h->droppable         = droppable;
+    h->frame_num         = frame_num;
+    h->mb_field_decoding_flag = picture_structure != PICT_FRAME;
+
+    if (h0->current_slice == 0) {
        /* Shorten frame num gaps so we don't have to allocate reference
         * frames just to throw them away */
-        if (h->frame_num != h->prev_frame_num && h->prev_frame_num >= 0) {
+        if (h->frame_num != h->prev_frame_num) {
            int unwrap_prev_frame_num = h->prev_frame_num;
            int max_frame_num         = 1 << h->sps.log2_max_frame_num;

@ -3668,7 +3748,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
            }
        }

-        while (h->frame_num != h->prev_frame_num && h->prev_frame_num >= 0 && !h0->first_field &&
+        while (h->frame_num != h->prev_frame_num && !h0->first_field &&
               h->frame_num != (h->prev_frame_num + 1) % (1 << h->sps.log2_max_frame_num)) {
            Picture *prev = h->short_ref_count ? h->short_ref[0] : NULL;
            av_log(h->avctx, AV_LOG_DEBUG, "Frame num gap %d %d\n",
@ -3924,8 +4004,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
        if (h->deblocking_filter) {
            h->slice_alpha_c0_offset += get_se_golomb(&h->gb) << 1;
            h->slice_beta_offset     += get_se_golomb(&h->gb) << 1;
-            if (h->slice_alpha_c0_offset > 104U ||
-                h->slice_beta_offset     > 104U) {
+            if (h->slice_alpha_c0_offset < 52 - 12 || h->slice_alpha_c0_offset > 52 + 12 ||
+                h->slice_beta_offset     < 52 - 12 || h->slice_beta_offset     > 52 + 12) {
                av_log(h->avctx, AV_LOG_ERROR,
                       "deblocking filter parameters %d %d out of range\n",
                       h->slice_alpha_c0_offset, h->slice_beta_offset);
@ -4018,6 +4098,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
    if (h->ref_count[0]) h->er.last_pic = &h->ref_list[0][0];
    if (h->ref_count[1]) h->er.next_pic = &h->ref_list[1][0];
    h->er.ref_count = h->ref_count[0];
+    h0->au_pps_id = pps_id;
+    h->sps.new =
+    h0->sps_buffers[h->pps.sps_id]->new = 0;
+    h->current_sps_id = h->pps.sps_id;

    if (h->avctx->debug & FF_DEBUG_PICT_INFO) {
        av_log(h->avctx, AV_LOG_DEBUG,
@ -4601,6 +4685,8 @@ static int execute_decode_slices(H264Context *h, int context_count)
    H264Context *hx;
    int i;

+    av_assert0(h->mb_y < h->mb_height);
+
    if (h->avctx->hwaccel ||
        h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU)
        return 0;
@ -4782,6 +4868,9 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size,
                continue;

 again:
+            if (   !(avctx->active_thread_type & FF_THREAD_FRAME)
+                || nals_needed >= nal_index)
+                h->au_pps_id = -1;
            /* Ignore per frame NAL unit type during extradata
             * parsing. Decoding slices is not possible in codec init
             * with frame-mt */
@ -4814,6 +4903,7 @@ again:
                if(!idr_cleared)
                    idr(h); // FIXME ensure we don't lose some frames if there is reordering
                idr_cleared = 1;
+                h->has_recovery_point = 1;
            case NAL_SLICE:
                init_get_bits(&hx->gb, ptr, bit_length);
                hx->intra_gb_ptr      =
@ -5004,6 +5094,7 @@ static int get_consumed_bytes(int pos, int buf_size)
 static int output_frame(H264Context *h, AVFrame *dst, Picture *srcp)
 {
    AVFrame *src = &srcp->f;
+    const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(src->format);
    int i;
    int ret = av_frame_ref(dst, src);
    if (ret < 0)
@ -5014,9 +5105,9 @@ static int output_frame(H264Context *h, AVFrame *dst, Picture *srcp)
    if (!srcp->crop)
        return 0;

-    for (i = 0; i < 3; i++) {
-        int hshift = (i > 0) ? h->chroma_x_shift : 0;
-        int vshift = (i > 0) ? h->chroma_y_shift : 0;
+    for (i = 0; i < desc->nb_components; i++) {
+        int hshift = (i > 0) ? desc->log2_chroma_w : 0;
+        int vshift = (i > 0) ? desc->log2_chroma_h : 0;
        int off    = ((srcp->crop_left >> hshift) << h->pixel_shift) +
                      (srcp->crop_top  >> vshift) * dst->linesize[i];
        dst->data[i] += off;
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@ -61,10 +61,10 @@
 #define MAX_SLICES 16

 #ifdef ALLOW_INTERLACE
-#define MB_MBAFF(h)    h->mb_mbaff
-#define MB_FIELD(h)    h->mb_field_decoding_flag
-#define FRAME_MBAFF(h) h->mb_aff_frame
-#define FIELD_PICTURE(h) (h->picture_structure != PICT_FRAME)
+#define MB_MBAFF(h)    (h)->mb_mbaff
+#define MB_FIELD(h)    (h)->mb_field_decoding_flag
+#define FRAME_MBAFF(h) (h)->mb_aff_frame
+#define FIELD_PICTURE(h) ((h)->picture_structure != PICT_FRAME)
 #define LEFT_MBS 2
 #define LTOP     0
 #define LBOT     1
@ -84,12 +84,12 @@
 #define FIELD_OR_MBAFF_PICTURE(h) (FRAME_MBAFF(h) || FIELD_PICTURE(h))

 #ifndef CABAC
-#define CABAC(h) h->pps.cabac
+#define CABAC(h) (h)->pps.cabac
 #endif

-#define CHROMA(h)    (h->sps.chroma_format_idc)
-#define CHROMA422(h) (h->sps.chroma_format_idc == 2)
-#define CHROMA444(h) (h->sps.chroma_format_idc == 3)
+#define CHROMA(h)    ((h)->sps.chroma_format_idc)
+#define CHROMA422(h) ((h)->sps.chroma_format_idc == 2)
+#define CHROMA444(h) ((h)->sps.chroma_format_idc == 3)

 #define EXTENDED_SAR       255

@ -284,6 +284,7 @@ typedef struct MMCO {
 * H264Context
 */
 typedef struct H264Context {
+    AVClass *av_class;
    AVCodecContext *avctx;
    VideoDSPContext vdsp;
    H264DSPContext h264dsp;
@ -390,6 +391,8 @@ typedef struct H264Context {
     */
    PPS pps; // FIXME move to Picture perhaps? (->no) do we need that?

+    int au_pps_id; ///< pps_id of current access unit
+
    uint32_t dequant4_buffer[6][QP_MAX_NUM + 1][16]; // FIXME should these be moved down?
    uint32_t dequant8_buffer[6][QP_MAX_NUM + 1][64];
    uint32_t(*dequant4_coeff[6])[16];
@ -656,6 +659,8 @@ typedef struct H264Context {

    FPA sei_fpa;

+    int has_recovery_point;
+
    int luma_weight_flag[2];    ///< 7.4.3.2 luma_weight_lX_flag
    int chroma_weight_flag[2];  ///< 7.4.3.2 chroma_weight_lX_flag

--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@ -1279,7 +1279,7 @@ void ff_h264_init_cabac_states(H264Context *h) {
 }

 static int decode_cabac_field_decoding_flag(H264Context *h) {
-    const long mbb_xy = h->mb_xy - 2L*h->mb_stride;
+    const int mbb_xy = h->mb_xy - 2*h->mb_stride;

    unsigned long ctx = 0;

--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@ -178,7 +178,7 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
            goto fail;

        /* prepend only to the first type 5 NAL unit of an IDR picture */
-        if (ctx->first_idr && unit_type == 5) {
+        if (ctx->first_idr && (unit_type == 5 || unit_type == 7 || unit_type == 8)) {
            if ((ret=alloc_and_copy(poutbuf, poutbuf_size,
                               avctx->extradata, avctx->extradata_size,
                               buf, nal_size)) < 0)
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@ -376,7 +376,9 @@ int ff_h264_decode_seq_parameter_set(H264Context *h)
        }
        sps->bit_depth_luma   = get_ue_golomb(&h->gb) + 8;
        sps->bit_depth_chroma = get_ue_golomb(&h->gb) + 8;
-        if (sps->bit_depth_luma > 14U || sps->bit_depth_chroma > 14U || sps->bit_depth_luma != sps->bit_depth_chroma) {
+        if (sps->bit_depth_luma   < 8 || sps->bit_depth_luma   > 14 ||
+            sps->bit_depth_chroma < 8 || sps->bit_depth_chroma > 14 ||
+            sps->bit_depth_luma != sps->bit_depth_chroma) {
            av_log(h->avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n",
                   sps->bit_depth_luma, sps->bit_depth_chroma);
            goto fail;
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@ -562,6 +562,7 @@ int ff_generate_sliding_window_mmcos(H264Context *h, int first_slice)
 int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count)
 {
    int i, av_uninit(j);
+    int pps_count;
    int current_ref_assigned = 0, err = 0;
    Picture *av_uninit(pic);

@ -680,7 +681,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count)
         */
        if (h->short_ref_count && h->short_ref[0] == h->cur_pic_ptr) {
            /* Just mark the second field valid */
-            h->cur_pic_ptr->reference = PICT_FRAME;
+            h->cur_pic_ptr->reference |= h->picture_structure;
        } else if (h->cur_pic_ptr->long_ref) {
            av_log(h->avctx, AV_LOG_ERROR, "illegal short term reference "
                                           "assignment for second field "
@ -732,7 +733,15 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count)
    print_short_term(h);
    print_long_term(h);

-    if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=2 + (h->picture_structure != PICT_FRAME) && h->cur_pic_ptr->f.pict_type == AV_PICTURE_TYPE_I){
+    pps_count = 0;
+    for (i = 0; i < FF_ARRAY_ELEMS(h->pps_buffers); i++)
+        pps_count += !!h->pps_buffers[i];
+
+    if (   err >= 0
+        && h->long_ref_count==0
+        && (h->short_ref_count<=2 || h->pps.ref_count[0] <= 1 && h->pps.ref_count[1] <= 1 && pps_count == 1)
+        && h->pps.ref_count[0]<=2 + (h->picture_structure != PICT_FRAME) + (2*!h->has_recovery_point)
+        && h->cur_pic_ptr->f.pict_type == AV_PICTURE_TYPE_I){
        h->cur_pic_ptr->sync |= 1;
        if(!h->avctx->has_b_frames)
            h->sync = 2;
--- a/libavcodec/h264_sei.c
+++ b/libavcodec/h264_sei.c
@ -184,6 +184,8 @@ static int decode_recovery_point(H264Context *h)
    if (h->avctx->debug & FF_DEBUG_PICT_INFO)
        av_log(h->avctx, AV_LOG_DEBUG, "sei_recovery_frame_cnt: %d\n", h->sei_recovery_frame_cnt);

+    h->has_recovery_point = 1;
+
    return 0;
 }

--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@ -105,24 +105,26 @@ static int pic_arrays_init(HEVCContext *s)
        goto fail;

    s->skip_flag    = av_malloc(pic_size_in_ctb);
-    s->tab_ct_depth = av_malloc(s->sps->min_cb_height * s->sps->min_cb_width);
+    s->tab_ct_depth = av_malloc_array(s->sps->min_cb_height, s->sps->min_cb_width);
    if (!s->skip_flag || !s->tab_ct_depth)
        goto fail;

-    s->tab_ipm  = av_malloc(pic_size_in_min_pu);
-    s->cbf_luma = av_malloc(pic_width_in_min_tu * pic_height_in_min_tu);
+    s->tab_ipm  = av_mallocz(pic_size_in_min_pu);
+    s->cbf_luma = av_malloc_array(pic_width_in_min_tu, pic_height_in_min_tu);
    s->is_pcm   = av_malloc(pic_size_in_min_pu);
    if (!s->tab_ipm || !s->cbf_luma || !s->is_pcm)
        goto fail;

-    s->filter_slice_edges = av_malloc(ctb_count);
-    s->tab_slice_address  = av_malloc(pic_size_in_ctb * sizeof(*s->tab_slice_address));
-    s->qp_y_tab           = av_malloc(pic_size_in_ctb * sizeof(*s->qp_y_tab));
+    s->filter_slice_edges = av_mallocz(ctb_count);
+    s->tab_slice_address  = av_malloc_array(pic_size_in_ctb,
+                                      sizeof(*s->tab_slice_address));
+    s->qp_y_tab           = av_malloc_array(pic_size_in_ctb,
+                                      sizeof(*s->qp_y_tab));
    if (!s->qp_y_tab || !s->filter_slice_edges || !s->tab_slice_address)
        goto fail;

-    s->horizontal_bs = av_mallocz(2 * s->bs_width * (s->bs_height + 1));
-    s->vertical_bs   = av_mallocz(2 * s->bs_width * (s->bs_height + 1));
+    s->horizontal_bs = av_mallocz_array(2 * s->bs_width, (s->bs_height + 1));
+    s->vertical_bs   = av_mallocz_array(2 * s->bs_width, (s->bs_height + 1));
    if (!s->horizontal_bs || !s->vertical_bs)
        goto fail;

@ -599,9 +601,14 @@ static int hls_slice_header(HEVCContext *s)
            av_freep(&sh->entry_point_offset);
            av_freep(&sh->offset);
            av_freep(&sh->size);
-            sh->entry_point_offset = av_malloc(sh->num_entry_point_offsets * sizeof(int));
-            sh->offset = av_malloc(sh->num_entry_point_offsets * sizeof(int));
-            sh->size = av_malloc(sh->num_entry_point_offsets * sizeof(int));
+            sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int));
+            sh->offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int));
+            sh->size = av_malloc_array(sh->num_entry_point_offsets, sizeof(int));
+            if (!sh->entry_point_offset || !sh->offset || !sh->size) {
+                sh->num_entry_point_offsets = 0;
+                av_log(s->avctx, AV_LOG_ERROR, "Failed to allocate memory\n");
+                return AVERROR(ENOMEM);
+            }
            for (i = 0; i < sh->num_entry_point_offsets; i++) {
                int val = 0;
                for (j = 0; j < segments; j++) {
@ -630,14 +637,24 @@ static int hls_slice_header(HEVCContext *s)
    }

    // Inferred parameters
-    sh->slice_qp          = 26 + s->pps->pic_init_qp_minus26 + sh->slice_qp_delta;
+    sh->slice_qp = 26U + s->pps->pic_init_qp_minus26 + sh->slice_qp_delta;
+    if (sh->slice_qp > 51 ||
+        sh->slice_qp < -s->sps->qp_bd_offset) {
+        av_log(s->avctx, AV_LOG_ERROR,
+               "The slice_qp %d is outside the valid range "
+               "[%d, 51].\n",
+               sh->slice_qp,
+               -s->sps->qp_bd_offset);
+        return AVERROR_INVALIDDATA;
+    }
+
    sh->slice_ctb_addr_rs = sh->slice_segment_addr;

    s->HEVClc->first_qp_group = !s->sh.dependent_slice_segment_flag;

    if (!s->pps->cu_qp_delta_enabled_flag)
-        s->HEVClc->qp_y = ((s->sh.slice_qp + 52 + 2 * s->sps->qp_bd_offset) %
-                          (52 + s->sps->qp_bd_offset)) - s->sps->qp_bd_offset;
+        s->HEVClc->qp_y = FFUMOD(s->sh.slice_qp + 52 + 2 * s->sps->qp_bd_offset,
+                                 52 + s->sps->qp_bd_offset) - s->sps->qp_bd_offset;

    s->slice_initialized = 1;

@ -728,8 +745,7 @@ static void hls_sao_param(HEVCContext *s, int rx, int ry)
 #undef SET_SAO
 #undef CTB

-
-static void hls_transform_unit(HEVCContext *s, int x0, int y0,
+static int hls_transform_unit(HEVCContext *s, int x0, int y0,
                              int xBase, int yBase, int cb_xBase, int cb_yBase,
                              int log2_cb_size, int log2_trafo_size,
                              int trafo_depth, int blk_idx)
@ -766,6 +782,18 @@ static void hls_transform_unit(HEVCContext *s, int x0, int y0,
                if (ff_hevc_cu_qp_delta_sign_flag(s) == 1)
                    lc->tu.cu_qp_delta = -lc->tu.cu_qp_delta;
            lc->tu.is_cu_qp_delta_coded = 1;
+
+            if (lc->tu.cu_qp_delta < -(26 + s->sps->qp_bd_offset / 2) ||
+                lc->tu.cu_qp_delta >  (25 + s->sps->qp_bd_offset / 2)) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "The cu_qp_delta %d is outside the valid range "
+                       "[%d, %d].\n",
+                       lc->tu.cu_qp_delta,
+                       -(26 + s->sps->qp_bd_offset / 2),
+                        (25 + s->sps->qp_bd_offset / 2));
+                return AVERROR_INVALIDDATA;
+            }
+
            ff_hevc_set_qPy(s, x0, y0, cb_xBase, cb_yBase, log2_cb_size);
        }

@ -801,6 +829,7 @@ static void hls_transform_unit(HEVCContext *s, int x0, int y0,
                ff_hevc_hls_residual_coding(s, xBase, yBase, log2_trafo_size, scan_idx_c, 2);
        }
    }
+    return 0;
 }

 static void set_deblocking_bypass(HEVCContext *s, int x0, int y0, int log2_cb_size)
@ -818,13 +847,14 @@ static void set_deblocking_bypass(HEVCContext *s, int x0, int y0, int log2_cb_si
            s->is_pcm[i + j * min_pu_width] = 2;
 }

-static void hls_transform_tree(HEVCContext *s, int x0, int y0,
+static int hls_transform_tree(HEVCContext *s, int x0, int y0,
                              int xBase, int yBase, int cb_xBase, int cb_yBase,
                              int log2_cb_size, int log2_trafo_size,
                              int trafo_depth, int blk_idx)
 {
    HEVCLocalContext *lc = s->HEVClc;
    uint8_t split_transform_flag;
+    int ret;

    if (trafo_depth > 0 && log2_trafo_size == 2) {
        SAMPLE_CBF(lc->tt.cbf_cb[trafo_depth], x0, y0) =
@ -877,14 +907,26 @@ static void hls_transform_tree(HEVCContext *s, int x0, int y0,
        int x1 = x0 + ((1 << log2_trafo_size) >> 1);
        int y1 = y0 + ((1 << log2_trafo_size) >> 1);

-        hls_transform_tree(s, x0, y0, x0, y0, cb_xBase, cb_yBase, log2_cb_size,
-                           log2_trafo_size - 1, trafo_depth + 1, 0);
-        hls_transform_tree(s, x1, y0, x0, y0, cb_xBase, cb_yBase, log2_cb_size,
-                           log2_trafo_size - 1, trafo_depth + 1, 1);
-        hls_transform_tree(s, x0, y1, x0, y0, cb_xBase, cb_yBase, log2_cb_size,
-                           log2_trafo_size - 1, trafo_depth + 1, 2);
-        hls_transform_tree(s, x1, y1, x0, y0, cb_xBase, cb_yBase, log2_cb_size,
-                           log2_trafo_size - 1, trafo_depth + 1, 3);
+        ret = hls_transform_tree(s, x0, y0, x0, y0, cb_xBase, cb_yBase,
+                                 log2_cb_size, log2_trafo_size - 1,
+                                 trafo_depth + 1, 0);
+        if (ret < 0)
+            return ret;
+        ret = hls_transform_tree(s, x1, y0, x0, y0, cb_xBase, cb_yBase,
+                                 log2_cb_size, log2_trafo_size - 1,
+                                 trafo_depth + 1, 1);
+        if (ret < 0)
+            return ret;
+        ret = hls_transform_tree(s, x0, y1, x0, y0, cb_xBase, cb_yBase,
+                                 log2_cb_size, log2_trafo_size - 1,
+                                 trafo_depth + 1, 2);
+        if (ret < 0)
+            return ret;
+        ret = hls_transform_tree(s, x1, y1, x0, y0, cb_xBase, cb_yBase,
+                                 log2_cb_size, log2_trafo_size - 1,
+                                 trafo_depth + 1, 3);
+        if (ret < 0)
+            return ret;
    } else {
        int min_tu_size      = 1 << s->sps->log2_min_tb_size;
        int log2_min_tu_size = s->sps->log2_min_tb_size;
@ -896,9 +938,11 @@ static void hls_transform_tree(HEVCContext *s, int x0, int y0,
            lc->tt.cbf_luma = ff_hevc_cbf_luma_decode(s, trafo_depth);
        }

-        hls_transform_unit(s, x0, y0, xBase, yBase, cb_xBase, cb_yBase,
-                           log2_cb_size, log2_trafo_size, trafo_depth, blk_idx);
-
+        ret = hls_transform_unit(s, x0, y0, xBase, yBase, cb_xBase, cb_yBase,
+                                 log2_cb_size, log2_trafo_size, trafo_depth,
+                                 blk_idx);
+        if (ret < 0)
+            return ret;
        // TODO: store cbf_luma somewhere else
        if (lc->tt.cbf_luma) {
            int i, j;
@ -917,6 +961,7 @@ static void hls_transform_tree(HEVCContext *s, int x0, int y0,
                set_deblocking_bypass(s, x0, y0, log2_trafo_size);
        }
    }
+    return 0;
 }

 static int hls_pcm_sample(HEVCContext *s, int x0, int y0, int log2_cb_size)
@ -1505,7 +1550,8 @@ static int hls_coding_unit(HEVCContext *s, int x0, int y0, int log2_cb_size)
    int min_cb_width     = s->sps->min_cb_width;
    int x_cb             = x0 >> log2_min_cb_size;
    int y_cb             = y0 >> log2_min_cb_size;
-    int x, y;
+    int x, y, ret;
+    int qp_block_mask = (1<<(s->sps->log2_ctb_size - s->pps->diff_cu_qp_delta_depth)) - 1;

    lc->cu.x            = x0;
    lc->cu.y            = y0;
@ -1562,7 +1608,6 @@ static int hls_coding_unit(HEVCContext *s, int x0, int y0, int log2_cb_size)
                lc->cu.pcm_flag = ff_hevc_pcm_flag_decode(s);
            }
            if (lc->cu.pcm_flag) {
-                int ret;
                intra_prediction_unit_default_value(s, x0, y0, log2_cb_size);
                ret = hls_pcm_sample(s, x0, y0, log2_cb_size);
                if (s->sps->pcm.loop_filter_disable_flag)
@ -1621,8 +1666,11 @@ static int hls_coding_unit(HEVCContext *s, int x0, int y0, int log2_cb_size)
                lc->cu.max_trafo_depth = lc->cu.pred_mode == MODE_INTRA ?
                                         s->sps->max_transform_hierarchy_depth_intra + lc->cu.intra_split_flag :
                                         s->sps->max_transform_hierarchy_depth_inter;
-                hls_transform_tree(s, x0, y0, x0, y0, x0, y0, log2_cb_size,
+                ret = hls_transform_tree(s, x0, y0, x0, y0, x0, y0,
+                                         log2_cb_size,
                                         log2_cb_size, 0, 0);
+                if (ret < 0)
+                    return ret;
            } else {
                if (!s->sh.disable_deblocking_filter_flag)
                    ff_hevc_deblocking_boundary_strengths(s, x0, y0, log2_cb_size,
@ -1641,6 +1689,11 @@ static int hls_coding_unit(HEVCContext *s, int x0, int y0, int log2_cb_size)
        x += min_cb_width;
    }

+    if(((x0 + (1<<log2_cb_size)) & qp_block_mask) == 0 &&
+       ((y0 + (1<<log2_cb_size)) & qp_block_mask) == 0) {
+        lc->qPy_pred = lc->qp_y;
+    }
+
    set_ct_depth(s, x0, y0, log2_cb_size, lc->ct.depth);

    return 0;
@ -1652,6 +1705,7 @@ static int hls_coding_quadtree(HEVCContext *s, int x0, int y0,
    HEVCLocalContext *lc = s->HEVClc;
    const int cb_size    = 1 << log2_cb_size;
    int ret;
+    int qp_block_mask = (1<<(s->sps->log2_ctb_size - s->pps->diff_cu_qp_delta_depth)) - 1;

    lc->ct.depth = cb_depth;
    if ((x0 + cb_size <= s->sps->width) &&
@ -1679,14 +1733,27 @@ static int hls_coding_quadtree(HEVCContext *s, int x0, int y0,
        if (more_data < 0)
            return more_data;

-        if (more_data && x1 < s->sps->width)
+        if (more_data && x1 < s->sps->width) {
            more_data = hls_coding_quadtree(s, x1, y0, log2_cb_size - 1, cb_depth + 1);
-        if (more_data && y1 < s->sps->height)
+            if (more_data < 0)
+                return more_data;
+        }
+        if (more_data && y1 < s->sps->height) {
            more_data = hls_coding_quadtree(s, x0, y1, log2_cb_size - 1, cb_depth + 1);
+            if (more_data < 0)
+                return more_data;
+        }
        if (more_data && x1 < s->sps->width &&
            y1 < s->sps->height) {
-            return hls_coding_quadtree(s, x1, y1, log2_cb_size - 1, cb_depth + 1);
+            more_data = hls_coding_quadtree(s, x1, y1, log2_cb_size - 1, cb_depth + 1);
+            if (more_data < 0)
+                return more_data;
        }
+
+        if(((x0 + (1<<log2_cb_size)) & qp_block_mask) == 0 &&
+            ((y0 + (1<<log2_cb_size)) & qp_block_mask) == 0)
+            lc->qPy_pred = lc->qp_y;
+
        if (more_data)
            return ((x1 + cb_size_split) < s->sps->width ||
                    (y1 + cb_size_split) < s->sps->height);
@ -1775,6 +1842,19 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread)
    int y_ctb       = 0;
    int ctb_addr_ts = s->pps->ctb_addr_rs_to_ts[s->sh.slice_ctb_addr_rs];

+    if (!ctb_addr_ts && s->sh.dependent_slice_segment_flag) {
+        av_log(s->avctx, AV_LOG_ERROR, "Impossible initial tile.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    if (s->sh.dependent_slice_segment_flag) {
+        int prev_rs = s->pps->ctb_addr_ts_to_rs[ctb_addr_ts - 1];
+        if (s->tab_slice_address[prev_rs] != s->sh.slice_addr) {
+            av_log(s->avctx, AV_LOG_ERROR, "Previous slice segment missing\n");
+            return AVERROR_INVALIDDATA;
+        }
+    }
+
    while (more_data && ctb_addr_ts < s->sps->ctb_size) {
        int ctb_addr_rs = s->pps->ctb_addr_ts_to_rs[ctb_addr_ts];

@ -1791,8 +1871,11 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread)
        s->filter_slice_edges[ctb_addr_rs]  = s->sh.slice_loop_filter_across_slices_enabled_flag;

        more_data = hls_coding_quadtree(s, x_ctb, y_ctb, s->sps->log2_ctb_size, 0);
-        if (more_data < 0)
+        if (more_data < 0) {
+            s->tab_slice_address[ctb_addr_rs] = -1;
            return more_data;
+        }
+

        ctb_addr_ts++;
        ff_hevc_save_states(s, ctb_addr_ts);
@ -1858,8 +1941,10 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int
        hls_sao_param(s, x_ctb >> s->sps->log2_ctb_size, y_ctb >> s->sps->log2_ctb_size);
        more_data = hls_coding_quadtree(s, x_ctb, y_ctb, s->sps->log2_ctb_size, 0);

-        if (more_data < 0)
+        if (more_data < 0) {
+            s->tab_slice_address[ctb_addr_rs] = -1;
            return more_data;
+        }

        ctb_addr_ts++;

@ -1893,8 +1978,8 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int
 static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length)
 {
    HEVCLocalContext *lc = s->HEVClc;
-    int *ret = av_malloc((s->sh.num_entry_point_offsets + 1) * sizeof(int));
-    int *arg = av_malloc((s->sh.num_entry_point_offsets + 1) * sizeof(int));
+    int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
+    int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
    int offset;
    int startheader, cmpt = 0;
    int i, j, res = 0;
@ -2024,12 +2109,15 @@ static void restore_tqb_pixels(HEVCContext *s)
 static int hevc_frame_start(HEVCContext *s)
 {
    HEVCLocalContext *lc = s->HEVClc;
+    int pic_size_in_ctb  = ((s->sps->width  >> s->sps->log2_min_cb_size) + 1) *
+                           ((s->sps->height >> s->sps->log2_min_cb_size) + 1);
    int ret;

    memset(s->horizontal_bs, 0, 2 * s->bs_width * (s->bs_height + 1));
    memset(s->vertical_bs,   0, 2 * s->bs_width * (s->bs_height + 1));
    memset(s->cbf_luma,      0, s->sps->min_tb_width * s->sps->min_tb_height);
    memset(s->is_pcm,        0, s->sps->min_pu_width * s->sps->min_pu_height);
+    memset(s->tab_slice_address, -1, pic_size_in_ctb * sizeof(*s->tab_slice_address));

    lc->start_of_tiles_x = 0;
    s->is_decoded        = 0;
@ -2060,6 +2148,7 @@ static int hevc_frame_start(HEVCContext *s)
    if (ret < 0)
        goto fail;

+    if (!s->avctx->hwaccel)
        ff_thread_finish_setup(s->avctx);

    return 0;
@ -2584,6 +2673,7 @@ static av_cold int hevc_decode_free(AVCodecContext *avctx)

    pic_arrays_free(s);

+    if (lc)
        av_freep(&lc->edge_emu_buffer);
    av_freep(&s->md5_ctx);

@ -2611,6 +2701,8 @@ static av_cold int hevc_decode_free(AVCodecContext *avctx)
    for (i = 0; i < FF_ARRAY_ELEMS(s->pps_list); i++)
        av_buffer_unref(&s->pps_list[i]);

+    av_buffer_unref(&s->current_sps);
+
    av_freep(&s->sh.entry_point_offset);
    av_freep(&s->sh.offset);
    av_freep(&s->sh.size);
@ -2624,6 +2716,8 @@ static av_cold int hevc_decode_free(AVCodecContext *avctx)
            av_freep(&s->sList[i]);
        }
    }
+    if (s->HEVClc == s->HEVClcList[0])
+        s->HEVClc = NULL;
    av_freep(&s->HEVClcList[0]);

    for (i = 0; i < s->nals_allocated; i++)
@ -2722,6 +2816,13 @@ static int hevc_update_thread_context(AVCodecContext *dst,
        }
    }

+    av_buffer_unref(&s->current_sps);
+    if (s0->current_sps) {
+        s->current_sps = av_buffer_ref(s0->current_sps);
+        if (!s->current_sps)
+            return AVERROR(ENOMEM);
+    }
+
    s->seq_decode = s0->seq_decode;
    s->seq_output = s0->seq_output;
    s->pocTid0    = s0->pocTid0;
--- a/libavcodec/hevc.h
+++ b/libavcodec/hevc.h
@ -280,10 +280,10 @@ typedef struct RefPicListTab {
 } RefPicListTab;

 typedef struct HEVCWindow {
-    int left_offset;
-    int right_offset;
-    int top_offset;
-    int bottom_offset;
+    unsigned int left_offset;
+    unsigned int right_offset;
+    unsigned int top_offset;
+    unsigned int bottom_offset;
 } HEVCWindow;

 typedef struct VUI {
@ -373,7 +373,7 @@ typedef struct ScalingList {
 } ScalingList;

 typedef struct HEVCSPS {
-    int vps_id;
+    unsigned vps_id;
    int chroma_format_idc;
    uint8_t separate_colour_plane_flag;

@ -454,7 +454,7 @@ typedef struct HEVCSPS {
 } HEVCSPS;

 typedef struct HEVCPPS {
-    int sps_id; ///< seq_parameter_set_id
+    unsigned sps_id; ///< seq_parameter_set_id

    uint8_t sign_data_hiding_flag;

@ -733,6 +733,8 @@ typedef struct HEVCLocalContext {
    int8_t qp_y;
    int8_t curr_qp_y;

+    int qPy_pred;
+
    TransformUnit tu;

    uint8_t ctb_left_flag;
@ -784,6 +786,8 @@ typedef struct HEVCContext {
    AVBufferRef *sps_list[MAX_SPS_COUNT];
    AVBufferRef *pps_list[MAX_PPS_COUNT];

+    AVBufferRef *current_sps;
+
    AVBufferPool *tab_mvf_pool;
    AVBufferPool *rpl_tab_pool;

--- a/libavcodec/hevc_filter.c
+++ b/libavcodec/hevc_filter.c
@ -93,45 +93,7 @@ static int get_qPy_pred(HEVCContext *s, int xC, int yC, int xBase, int yBase, in
        lc->first_qp_group = !lc->tu.is_cu_qp_delta_coded;
        qPy_pred = s->sh.slice_qp;
    } else {
-        qPy_pred = lc->qp_y;
-        if (log2_cb_size < s->sps->log2_ctb_size - s->pps->diff_cu_qp_delta_depth) {
-            static const int offsetX[8][8] = {
-                    {-1, 1, 3, 1, 7, 1, 3, 1},
-                    { 0, 0, 0, 0, 0, 0, 0, 0},
-                    { 1, 3, 1, 3, 1, 3, 1, 3},
-                    { 2, 2, 2, 2, 2, 2, 2, 2},
-                    { 3, 5, 7, 5, 3, 5, 7, 5},
-                    { 4, 4, 4, 4, 4, 4, 4, 4},
-                    { 5, 7, 5, 7, 5, 7, 5, 7},
-                    { 6, 6, 6, 6, 6, 6, 6, 6}
-            };
-            static const int offsetY[8][8] = {
-                    { 7, 0, 1, 2, 3, 4, 5, 6},
-                    { 0, 1, 2, 3, 4, 5, 6, 7},
-                    { 1, 0, 3, 2, 5, 4, 7, 6},
-                    { 0, 1, 2, 3, 4, 5, 6, 7},
-                    { 3, 0, 1, 2, 7, 4, 5, 6},
-                    { 0, 1, 2, 3, 4, 5, 6, 7},
-                    { 1, 0, 3, 2, 5, 4, 7, 6},
-                    { 0, 1, 2, 3, 4, 5, 6, 7}
-            };
-            int xC0b = (xC - (xC & ctb_size_mask)) >> s->sps->log2_min_cb_size;
-            int yC0b = (yC - (yC & ctb_size_mask)) >> s->sps->log2_min_cb_size;
-            int idxX = (xQgBase & ctb_size_mask)   >> s->sps->log2_min_cb_size;
-            int idxY = (yQgBase & ctb_size_mask)   >> s->sps->log2_min_cb_size;
-            int idx_mask = ctb_size_mask >> s->sps->log2_min_cb_size;
-            int x, y;
-
-            x = FFMIN(xC0b +  offsetX[idxX][idxY],             min_cb_width  - 1);
-            y = FFMIN(yC0b + (offsetY[idxX][idxY] & idx_mask), min_cb_height - 1);
-
-            if (xC0b == (lc->start_of_tiles_x >> s->sps->log2_min_cb_size) &&
-                offsetX[idxX][idxY] == -1) {
-                x = (lc->end_of_tiles_x >> s->sps->log2_min_cb_size) - 1;
-                y = yC0b - 1;
-            }
-            qPy_pred = s->qp_y_tab[y * min_cb_width + x];
-        }
+        qPy_pred = lc->qPy_pred;
    }

    // qPy_a
@ -155,7 +117,8 @@ void ff_hevc_set_qPy(HEVCContext *s, int xC, int yC, int xBase, int yBase, int l

    if (s->HEVClc->tu.cu_qp_delta != 0) {
        int off = s->sps->qp_bd_offset;
-        s->HEVClc->qp_y = ((qp_y + s->HEVClc->tu.cu_qp_delta + 52 + 2 * off) % (52 + off)) - off;
+        s->HEVClc->qp_y = FFUMOD(qp_y + s->HEVClc->tu.cu_qp_delta + 52 + 2 * off,
+                                 52 + off) - off;
    } else
        s->HEVClc->qp_y = qp_y;
 }
--- a/libavcodec/hevc_parser.c
+++ b/libavcodec/hevc_parser.c
@ -329,6 +329,9 @@ static void hevc_close(AVCodecParserContext *s)
    for (i = 0; i < FF_ARRAY_ELEMS(h->pps_list); i++)
        av_buffer_unref(&h->pps_list[i]);

+    av_buffer_unref(&h->current_sps);
+    h->sps = NULL;
+
    for (i = 0; i < h->nals_allocated; i++)
        av_freep(&h->nals[i].rbsp_buffer);
    av_freep(&h->nals);
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@ -489,8 +489,8 @@ static void decode_vui(HEVCContext *s, HEVCSPS *sps)

    vui->vui_timing_info_present_flag = get_bits1(gb);
    if (vui->vui_timing_info_present_flag) {
-        vui->vui_num_units_in_tick               = get_bits(gb, 32);
-        vui->vui_time_scale                      = get_bits(gb, 32);
+        vui->vui_num_units_in_tick               = get_bits_long(gb, 32);
+        vui->vui_time_scale                      = get_bits_long(gb, 32);
        vui->vui_poc_proportional_to_timing_flag = get_bits1(gb);
        if (vui->vui_poc_proportional_to_timing_flag)
            vui->vui_num_ticks_poc_diff_one_minus1 = get_ue_golomb_long(gb);
@ -621,6 +621,12 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
        goto err;
    }

+    if (!s->vps_list[sps->vps_id]) {
+        av_log(s->avctx, AV_LOG_ERROR, "VPS does not exist \n");
+        ret = AVERROR_INVALIDDATA;
+        goto err;
+    }
+
    sps->max_sub_layers = get_bits(gb, 3) + 1;
    if (sps->max_sub_layers > MAX_SUB_LAYERS) {
        av_log(s->avctx, AV_LOG_ERROR, "sps_max_sub_layers out of range: %d\n",
@ -762,11 +768,30 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
    log2_diff_max_min_transform_block_size      = get_ue_golomb_long(gb);
    sps->log2_max_trafo_size                    = log2_diff_max_min_transform_block_size + sps->log2_min_tb_size;

-    if (sps->log2_min_tb_size >= sps->log2_min_cb_size) {
+    if (sps->log2_min_cb_size < 3 || sps->log2_min_cb_size > 30) {
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_min_cb_size", sps->log2_min_cb_size);
+        ret = AVERROR_INVALIDDATA;
+        goto err;
+    }
+
+    if (sps->log2_diff_max_min_coding_block_size > 30) {
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_diff_max_min_coding_block_size", sps->log2_diff_max_min_coding_block_size);
+        ret = AVERROR_INVALIDDATA;
+        goto err;
+    }
+
+    if (sps->log2_min_tb_size >= sps->log2_min_cb_size || sps->log2_min_tb_size < 2) {
        av_log(s->avctx, AV_LOG_ERROR, "Invalid value for log2_min_tb_size");
        ret = AVERROR_INVALIDDATA;
        goto err;
    }
+
+    if (log2_diff_max_min_transform_block_size < 0 || log2_diff_max_min_transform_block_size > 30) {
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_diff_max_min_transform_block_size", log2_diff_max_min_transform_block_size);
+        ret = AVERROR_INVALIDDATA;
+        goto err;
+    }
+
    sps->max_transform_hierarchy_depth_inter = get_ue_golomb_long(gb);
    sps->max_transform_hierarchy_depth_intra = get_ue_golomb_long(gb);

@ -818,6 +843,11 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
    sps->long_term_ref_pics_present_flag = get_bits1(gb);
    if (sps->long_term_ref_pics_present_flag) {
        sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb);
+        if (sps->num_long_term_ref_pics_sps > 31U) {
+            av_log(0, AV_LOG_ERROR, "num_long_term_ref_pics_sps %d is out of range.\n",
+                   sps->num_long_term_ref_pics_sps);
+            goto err;
+        }
        for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) {
            sps->lt_ref_pic_poc_lsb_sps[i]       = get_bits(gb, sps->log2_max_poc_lsb);
            sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb);
@ -849,7 +879,8 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
                         (sps->output_window.left_offset + sps->output_window.right_offset);
    sps->output_height = sps->height -
                         (sps->output_window.top_offset + sps->output_window.bottom_offset);
-    if (sps->output_width <= 0 || sps->output_height <= 0) {
+    if (sps->width  <= sps->output_window.left_offset + (int64_t)sps->output_window.right_offset  ||
+        sps->height <= sps->output_window.top_offset  + (int64_t)sps->output_window.bottom_offset) {
        av_log(s->avctx, AV_LOG_WARNING, "Invalid visible frame dimensions: %dx%d.\n",
               sps->output_width, sps->output_height);
        if (s->avctx->err_recognition & AV_EF_EXPLODE) {
@ -857,10 +888,8 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
            goto err;
        }
        av_log(s->avctx, AV_LOG_WARNING, "Displaying the whole video surface.\n");
-        sps->pic_conf_win.left_offset   =
-        sps->pic_conf_win.right_offset  =
-        sps->pic_conf_win.top_offset    =
-        sps->pic_conf_win.bottom_offset = 0;
+        memset(&sps->pic_conf_win, 0, sizeof(sps->pic_conf_win));
+        memset(&sps->output_window, 0, sizeof(sps->output_window));
        sps->output_width  = sps->width;
        sps->output_height = sps->height;
    }
@ -928,6 +957,12 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
            if (s->pps_list[i] && ((HEVCPPS*)s->pps_list[i]->data)->sps_id == sps_id)
                av_buffer_unref(&s->pps_list[i]);
        }
+        if (s->sps_list[sps_id] && s->sps == (HEVCSPS*)s->sps_list[sps_id]->data) {
+            av_buffer_unref(&s->current_sps);
+            s->current_sps = av_buffer_ref(s->sps_list[sps_id]);
+            if (!s->current_sps)
+                s->sps = NULL;
+        }
        av_buffer_unref(&s->sps_list[sps_id]);
        s->sps_list[sps_id] = sps_buf;
    }
@ -1032,6 +1067,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s)
    if (pps->cu_qp_delta_enabled_flag)
        pps->diff_cu_qp_delta_depth = get_ue_golomb_long(gb);

+    if (pps->diff_cu_qp_delta_depth < 0 ||
+        pps->diff_cu_qp_delta_depth > sps->log2_diff_max_min_coding_block_size) {
+        av_log(s->avctx, AV_LOG_ERROR, "diff_cu_qp_delta_depth %d is invalid\n",
+               pps->diff_cu_qp_delta_depth);
+        ret = AVERROR_INVALIDDATA;
+        goto err;
+    }
+
    pps->cb_qp_offset = get_se_golomb(gb);
    if (pps->cb_qp_offset < -12 || pps->cb_qp_offset > 12) {
        av_log(s->avctx, AV_LOG_ERROR, "pps_cb_qp_offset out of range: %d\n",
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@ -51,7 +51,7 @@ static void FUNC(transquant_bypass4x4)(uint8_t *_dst, int16_t *coeffs, ptrdiff_t

    for (y = 0; y < 4; y++) {
        for (x = 0; x < 4; x++) {
-            dst[x] += *coeffs;
+            dst[x] = av_clip_pixel(dst[x] + *coeffs);
            coeffs++;
        }
        dst += stride;
@ -67,7 +67,7 @@ static void FUNC(transquant_bypass8x8)(uint8_t *_dst, int16_t *coeffs, ptrdiff_t

    for (y = 0; y < 8; y++) {
        for (x = 0; x < 8; x++) {
-            dst[x] += *coeffs;
+            dst[x] = av_clip_pixel(dst[x] + *coeffs);
            coeffs++;
        }
        dst += stride;
@ -82,7 +82,7 @@ static void FUNC(transquant_bypass16x16)(uint8_t *_dst, int16_t *coeffs, ptrdiff

    for (y = 0; y < 16; y++) {
        for (x = 0; x < 16; x++) {
-            dst[x] += *coeffs;
+            dst[x] = av_clip_pixel(dst[x] + *coeffs);
            coeffs++;
        }
        dst += stride;
@ -98,7 +98,7 @@ static void FUNC(transquant_bypass32x32)(uint8_t *_dst, int16_t *coeffs, ptrdiff

    for (y = 0; y < 32; y++) {
        for (x = 0; x < 32; x++) {
-            dst[x] += *coeffs;
+            dst[x] = av_clip_pixel(dst[x] + *coeffs);
            coeffs++;
        }
        dst += stride;
@ -391,7 +391,7 @@ static void FUNC(sao_band_filter)(uint8_t *_dst, uint8_t *_src,
        offset_table[(k + sao_left_class) & 31] = sao_offset_val[k + 1];
    for (y = 0; y < height; y++) {
        for (x = 0; x < width; x++)
-            dst[x] = av_clip_pixel(src[x] + offset_table[av_clip_pixel(src[x] >> shift)]);
+            dst[x] = av_clip_pixel(src[x] + offset_table[src[x] >> shift]);
        dst += stride;
        src += stride;
    }
--- a/libavcodec/huffyuv.h
+++ b/libavcodec/huffyuv.h
@ -78,7 +78,6 @@ typedef struct HYuvContext {
    uint32_t bits[3][256];
    uint32_t pix_bgr_map[1<<VLC_BITS];
    VLC vlc[6];                             //Y,U,V,YY,YU,YV
-    AVFrame picture;
    uint8_t *bitstream_buffer;
    unsigned int bitstream_buffer_size;
    DSPContext dsp;
--- a/libavcodec/huffyuvdec.c
+++ b/libavcodec/huffyuvdec.c
@ -256,7 +256,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
    ff_huffyuv_common_init(avctx);
    memset(s->vlc, 0, 3 * sizeof(VLC));

-    avcodec_get_frame_defaults(&s->picture);
    s->interlaced = s->height > 288;

    s->bgr32 = 1;
--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 .0
 .1.8