Update for 0.10.16

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
roqvideoenc: set enc->avctx in roq_encode_init
2015-03-12 18:06:09 +01:00 · 2015-03-12 18:03:50 +01:00 · 2015-03-12 18:03:50 +01:00 · 2015-03-12 18:03:50 +01:00 · 2015-03-12 18:03:50 +01:00 · 2015-03-12 18:03:50 +01:00
237 changed files with 2100 additions and 1035 deletions
--- a/73
+++ b/73
@@ -4,6 +4,79 @@ releases are sorted from youngest to oldest.
 version next:


+version 0.10.11
+
+- pthread: Avoid spurious wakeups
+- pthread: Fix deadlock during thread initialization
+- mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
+- vc1dec: Don't decode slices when the latest slice header failed to decode
+- vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
+- r3d: Add more input value validation
+- fraps: Make the input buffer size checks more strict
+- svq3: Avoid a division by zero
+- rmdec: Validate the fps value
+- twinvqdec: Check the ibps parameter separately
+- asfdec: Check the return value of asf_read_stream_properties
+- mxfdec: set audio timebase to 1/samplerate
+- pcx: Check the packet size before assuming it fits a palette
+- rpza: Fix a buffer size check
+- xxan: Disallow odd width
+- xan: Only read within the data that actually was initialized
+- xan: Use bytestream2 to limit reading to within the buffer
+- pcx: Consume the whole packet if giving up due to missing palette
+- pngdec: Stop trying to decode once inflate returns Z_STREAM_END
+- mov: Make sure the read sample count is nonnegative
+- bfi: Add some very basic sanity checks for input packet sizes
+- bfi: Avoid divisions by zero
+- electronicarts: Add more sanity checking for the number of channels
+- riffdec: Add sanity checks for the sample rate
+- mvi: Add sanity checking for the audio frame size
+- xwma: Avoid division by zero
+- avidec: Make sure a packet is large enough before reading its data
+- vqf: Make sure the bitrate is in the valid range
+- vqf: Make sure sample_rate is set to a valid value
+- vc1dec: Undo mpegvideo initialization if unable to allocate tables
+- vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
+- wnv1: Make sure the input packet is large enough
+- dca: Validate the lfe parameter
+- rl2: Avoid a division by zero
+- wtv: Add more sanity checks for a length read from the file
+- segafilm: Validate the number of audio channels
+- qpeg: Add checks for running out of rows in qpeg_decode_inter
+- mpegaudiodec: Validate that the number of channels fits at the given offset
+- asv1: Verify the amount of extradata
+- idroqdec: Make sure a video stream has been allocated before returning packets
+- rv10: Validate the dimensions set from the container
+- xmv: Add more sanity checks for parameters read from the bitstream
+- ffv1: Make sure at least one slice context is initialized
+- truemotion2: Use av_freep properly in an error path
+- eacmv: Make sure a reference frame exists before referencing it
+- mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
+- ivi_common: Make sure color planes have been initialized
+- oggparseogm: Convert to use bytestream2
+- rv34: Check the return value from ff_rv34_decode_init
+- matroskadec: Verify realaudio codec parameters
+- mace: Make sure that the channel count is set to a valid value
+- svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
+- vp3: Check the framerate for validity
+- cavsdec: Make sure a sequence header has been decoded before decoding pictures
+- sierravmd: Do sanity checking of frame sizes
+- omadec: Properly check lengths before incrementing the position
+- mpc8: Make sure the first stream exists before parsing the seek table
+- mpc8: Check the seek table size parsed from the bitstream
+- zmbvdec: Check the buffer size for uncompressed data
+- ape: Don't allow the seektable to be omitted
+- shorten: Break out of loop looking for fmt chunk if none is found
+- shorten: Use a checked bytestream reader for the wave header
+- smacker: Make sure we don't fill in huffman codes out of range
+- smacker: Avoid integer overflow when allocating packets
+- smacker: Don't return packets in unallocated streams
+- dsicin: Add some basic sanity checks for fields read from the file
+- roqvideodec: check dimensions validity
+- qdm2: check array index before use, fix out of array accesses
+- alsdec: check block length
+
+
 version 0.10.10

 - x86: fft: Remove 3DNow! optimizations, they break FATE
--- a/2
+++ b/2
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 0.10.10
+PROJECT_NUMBER         = 0.10.16

 # With the PROJECT_LOGO tag one can specify an logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
--- a/2
+++ b/2
@@ -1 +1 @@
-0.10.10
+0.10.16
--- a/2
+++ b/2
@@ -1 +1 @@
-0.10.10
+0.10.16
--- a/cmdutils.c
+++ b/cmdutils.c
@@ -56,7 +56,7 @@
 struct SwsContext *sws_opts;
 AVDictionary *format_opts, *codec_opts;

-const int this_year = 2013;
+const int this_year = 2015;

 static FILE *report_file;

@@ -423,7 +423,10 @@ int opt_default(const char *opt, const char *arg)
    const AVOption *oc, *of, *os;
    char opt_stripped[128];
    const char *p;
-    const AVClass *cc = avcodec_get_class(), *fc = avformat_get_class(), *sc;
+    const AVClass *cc = avcodec_get_class(), *fc = avformat_get_class();
+#if CONFIG_SWSCALE
+    const AVClass *sc = sws_get_class();
+#endif

    if (!(p = strchr(opt, ':')))
        p = opt + strlen(opt);
@@ -438,7 +441,6 @@ int opt_default(const char *opt, const char *arg)
                          AV_OPT_SEARCH_CHILDREN | AV_OPT_SEARCH_FAKE_OBJ)))
        av_dict_set(&format_opts, opt, arg, FLAGS(of));
 #if CONFIG_SWSCALE
-    sc = sws_get_class();
    if ((os = av_opt_find(&sc, opt, NULL, 0,
                          AV_OPT_SEARCH_CHILDREN | AV_OPT_SEARCH_FAKE_OBJ))) {
        // XXX we only support sws_flags, not arbitrary sws options
--- a/16
+++ b/16
@@ -54,6 +54,8 @@ if test "$E1" != 0 || test "$E2" = 0; then
    exit 1
 fi

+test -d /usr/xpg4/bin && PATH=/usr/xpg4/bin:$PATH
+
 show_help(){
 cat <<EOF
 Usage: configure [options]
@@ -688,6 +690,13 @@ check_ld(){
    check_cmd $ld $LDFLAGS $flags -o $TMPE $TMPO $libs $extralibs
 }

+print_include(){
+    hdr=$1
+    test "${hdr%.h}" = "${hdr}" &&
+        echo "#include $hdr"    ||
+        echo "#include <$hdr>"
+}
+
 check_cppflags(){
    log check_cppflags "$@"
    set -- $($filter_cppflags "$@")
@@ -765,7 +774,7 @@ check_func_headers(){
    shift 2
    {
        for hdr in $headers; do
-            echo "#include <$hdr>"
+            print_include $hdr
        done
        for func in $funcs; do
            echo "long check_$func(void) { return (long) $func; }"
@@ -2979,6 +2988,7 @@ if enabled asm; then
 fi

 check_ldflags -Wl,--as-needed
+check_ldflags -Wl,-z,noexecstack

 if check_func dlopen; then
    ldl=
@@ -3134,7 +3144,7 @@ enabled libdirac   && require_pkg_config dirac                          \
    "libdirac_decoder/dirac_parser.h libdirac_encoder/dirac_encoder.h"  \
    "dirac_decoder_init dirac_encoder_init"
 enabled libfaac    && require2 libfaac "stdint.h faac.h" faacEncGetVersion -lfaac
-enabled libfreetype && require_pkg_config freetype2 "ft2build.h freetype/freetype.h" FT_Init_FreeType
+enabled libfreetype && require_pkg_config freetype2 "ft2build.h FT_FREETYPE_H" FT_Init_FreeType
 enabled libgsm     && require  libgsm gsm/gsm.h gsm_create -lgsm
 enabled libmodplug && require  libmodplug libmodplug/modplug.h ModPlug_Load -lmodplug
 enabled libmp3lame && require  "libmp3lame >= 3.98.3" lame/lame.h lame_set_VBR_quality -lmp3lame
@@ -3367,6 +3377,8 @@ elif enabled clang; then
    check_cflags -mllvm -stack-alignment=16
    check_cflags -Qunused-arguments
    check_cflags -Werror=return-type
+    check_cflags -Werror=implicit-function-declaration
+    check_cflags -Werror=missing-prototypes
 elif enabled armcc; then
    # 2523: use of inline assembler is deprecated
    add_cflags -W${armcc_opt},--diag_suppress=2523
--- a/doc/APIchanges
+++ b/doc/APIchanges
@@ -13,6 +13,9 @@ libavutil:   2011-04-18

 API changes, most recent first:

+2014-09-16 - 8637f4e - lavu 51.22.3 - cpu.h
+  Add AV_CPU_FLAG_CMOV.
+
 2012-01-24 - xxxxxxx - lavfi 2.60.100
  Add avfilter_graph_dump.

--- a/doc/platform.texi
+++ b/doc/platform.texi
@@ -51,14 +51,15 @@ The toolchain provided with Xcode is sufficient to build the basic
 unacelerated code.

 Mac OS X on PowerPC or ARM (iPhone) requires a preprocessor from
-@url{http://github.com/yuvi/gas-preprocessor} to build the optimized
-assembler functions. Just download the Perl script and put it somewhere
+@url{https://github.com/FFmpeg/gas-preprocessor} or
+@url{https://github.com/yuvi/gas-preprocessor} to build the optimized
+assembler functions. Put the Perl script somewhere
 in your PATH, FFmpeg's configure will pick it up automatically.

 Mac OS X on amd64 and x86 requires @command{yasm} to build most of the
 optimized assembler functions. @uref{http://www.finkproject.org/, Fink},
@uref{http://www.gentoo.org/proj/en/gentoo-alt/prefix/bootstrap-macos.xml, Gentoo Prefix},
-@uref{http://mxcl.github.com/homebrew/, Homebrew}
+@uref{https://mxcl.github.com/homebrew/, Homebrew}
 or @uref{http://www.macports.org, MacPorts} can easily provide it.


--- a/doc/protocols.texi
+++ b/doc/protocols.texi
@@ -242,7 +242,7 @@ data transferred over RDT).

 The muxer can be used to send a stream using RTSP ANNOUNCE to a server
 supporting it (currently Darwin Streaming Server and Mischa Spiegelmock's
-@uref{http://github.com/revmischa/rtsp-server, RTSP server}).
+@uref{https://github.com/revmischa/rtsp-server, RTSP server}).

 The required syntax for a RTSP url is:
@example
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -4696,7 +4696,8 @@ static int opt_target(OptionsContext *o, const char *opt, const char *arg)
            for (j = 0; j < nb_input_files; j++) {
                for (i = 0; i < input_files[j].nb_streams; i++) {
                    AVCodecContext *c = input_files[j].ctx->streams[i]->codec;
-                    if (c->codec_type != AVMEDIA_TYPE_VIDEO)
+                    if (c->codec_type != AVMEDIA_TYPE_VIDEO ||
+                        !c->time_base.num)
                        continue;
                    fr = c->time_base.den * 1000 / c->time_base.num;
                    if (fr == 25000) {
--- a/ffplay.c
+++ b/ffplay.c
@@ -1611,7 +1611,7 @@ static int input_reget_buffer(AVCodecContext *codec, AVFrame *pic)

    if (pic->data[0] == NULL) {
        pic->buffer_hints |= FF_BUFFER_HINTS_READABLE;
-        return codec->get_buffer(codec, pic);
+        return input_get_buffer(codec, pic);
    }

    if ((codec->width != ref->video->w) || (codec->height != ref->video->h) ||
--- a/libavcodec/8svx.c
+++ b/libavcodec/8svx.c
@@ -38,6 +38,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"

 /** decoder context */
 typedef struct EightSvxContext {
@@ -151,7 +152,7 @@ static int eightsvx_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    esc->frame.nb_samples = (FFMIN(MAX_FRAME_SIZE, esc->samples_size - esc->samples_idx) +avctx->channels-1)  / avctx->channels;
-    if ((ret = avctx->get_buffer(avctx, &esc->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &esc->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/a64multienc.c
+++ b/libavcodec/a64multienc.c
@@ -55,9 +55,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest)
            for (y = blocky; y < blocky + 8 && y < C64YRES; y++) {
                for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) {
                    if(x < width && y < height) {
-                        /* build average over 2 pixels */
-                        luma = (src[(x + 0 + y * p->linesize[0])] +
-                                src[(x + 1 + y * p->linesize[0])]) / 2;
+                        if (x + 1 < width) {
+                            /* build average over 2 pixels */
+                            luma = (src[(x + 0 + y * p->linesize[0])] +
+                                    src[(x + 1 + y * p->linesize[0])]) / 2;
+                        } else {
+                            luma = src[(x + y * p->linesize[0])];
+                        }
                        /* write blocks as linear data now so they are suitable for elbg */
                        dest[0] = luma;
                    }
--- a/libavcodec/aac_parser.c
+++ b/libavcodec/aac_parser.c
@@ -34,7 +34,7 @@ static int aac_sync(uint64_t state, AACAC3ParseContext *hdr_info,
    int size;
    union {
        uint64_t u64;
-        uint8_t  u8[8];
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
    } tmp;

    tmp.u64 = av_be2ne64(state);
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -2276,7 +2276,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
    if (samples) {
        /* get output buffer */
        ac->frame.nb_samples = samples;
-        if ((err = avctx->get_buffer(avctx, &ac->frame)) < 0) {
+        if ((err = ff_get_buffer(avctx, &ac->frame)) < 0) {
            av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
            return err;
        }
--- a/libavcodec/aacenc.c
+++ b/libavcodec/aacenc.c
@@ -164,7 +164,7 @@ static void put_audio_specific_config(AVCodecContext *avctx)
    PutBitContext pb;
    AACEncContext *s = avctx->priv_data;

-    init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8);
+    init_put_bits(&pb, avctx->extradata, avctx->extradata_size);
    put_bits(&pb, 5, 2); //object type - AAC-LC
    put_bits(&pb, 4, s->samplerate_index); //sample rate index
    put_bits(&pb, 4, s->channels);
--- a/libavcodec/ac3_parser.c
+++ b/libavcodec/ac3_parser.c
@@ -147,7 +147,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info,
    int err;
    union {
        uint64_t u64;
-        uint8_t  u8[8];
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
    } tmp = { av_be2ne64(state) };
    AC3HeaderInfo hdr;
    GetBitContext gbc;
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1415,7 +1415,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = s->num_blocks * 256;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/ac3enc_template.c
+++ b/libavcodec/ac3enc_template.c
@@ -261,7 +261,7 @@ static void apply_channel_coupling(AC3EncodeContext *s)
                energy_cpl = energy[blk][CPL_CH][bnd];
                energy_ch = energy[blk][ch][bnd];
                blk1 = blk+1;
-                while (!s->blocks[blk1].new_cpl_coords[ch] && blk1 < s->num_blocks) {
+                while (blk1 < s->num_blocks && !s->blocks[blk1].new_cpl_coords[ch]) {
                    if (s->blocks[blk1].cpl_in_use) {
                        energy_cpl += energy[blk1][CPL_CH][bnd];
                        energy_ch += energy[blk1][ch][bnd];
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -18,6 +18,7 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "put_bits.h"
 #include "bytestream.h"
@@ -556,7 +557,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    c->frame.nb_samples = nb_samples;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/adpcmenc.c
+++ b/libavcodec/adpcmenc.c
@@ -551,10 +551,10 @@ static int adpcm_encode_frame(AVCodecContext *avctx,
    {
        int ch, i;
        PutBitContext pb;
-        init_put_bits(&pb, dst, buf_size * 8);
+        init_put_bits(&pb, dst, buf_size);

        for (ch = 0; ch < avctx->channels; ch++) {
-            put_bits(&pb, 9, (c->status[ch].prev_sample + 0x10000) >> 7);
+            put_bits(&pb, 9, (c->status[ch].prev_sample & 0xFFFF) >> 7);
            put_bits(&pb, 7,  c->status[ch].step_index);
            if (avctx->trellis > 0) {
                uint8_t buf[64];
@@ -582,7 +582,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx,
    {
        int i;
        PutBitContext pb;
-        init_put_bits(&pb, dst, buf_size * 8);
+        init_put_bits(&pb, dst, buf_size);

        n = avctx->frame_size - 1;

--- a/libavcodec/adx.c
+++ b/libavcodec/adx.c
@@ -47,7 +47,7 @@ int avpriv_adx_decode_header(AVCodecContext *avctx, const uint8_t *buf,
    offset = AV_RB16(buf + 2) + 4;

    /* if copyright string is within the provided data, validate it */
-    if (bufsize >= offset && memcmp(buf + offset - 6, "(c)CRI", 6))
+    if (bufsize >= offset && offset >= 6 && memcmp(buf + offset - 6, "(c)CRI", 6))
        return AVERROR_INVALIDDATA;

    /* check for encoding=3 block_size=18, sample_size=4 */
--- a/libavcodec/adxdec.c
+++ b/libavcodec/adxdec.c
@@ -21,6 +21,7 @@

 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "adx.h"
 #include "get_bits.h"

@@ -140,7 +141,7 @@ static int adx_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    c->frame.nb_samples = num_blocks * BLOCK_SAMPLES;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -47,6 +47,7 @@


 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "bytestream.h"
 #include "unary.h"
@@ -417,7 +418,7 @@ static int alac_decode_frame(AVCodecContext *avctx, void *data,
        return AVERROR_INVALIDDATA;
    }
    alac->frame.nb_samples = outputsamples;
-    if ((ret = avctx->get_buffer(avctx, &alac->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &alac->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
@@ -615,6 +616,12 @@ static int alac_set_info(ALACContext *alac)

    /* buffer size / 2 ? */
    alac->setinfo_max_samples_per_frame = bytestream_get_be32(&ptr);
+    if (!alac->setinfo_max_samples_per_frame ||
+        alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)) {
+        av_log(alac->avctx, AV_LOG_ERROR, "max samples per frame invalid: %u\n",
+               alac->setinfo_max_samples_per_frame);
+        return AVERROR_INVALIDDATA;
+    }
    ptr++;                          /* compatible version */
    alac->setinfo_sample_size           = *ptr++;
    alac->setinfo_rice_historymult      = *ptr++;
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -30,6 +30,7 @@


 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "unary.h"
 #include "mpeg4audio.h"
@@ -283,7 +284,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
    GetBitContext gb;
    uint64_t ht_size;
    int i, config_offset;
-    MPEG4AudioConfig m4ac;
+    MPEG4AudioConfig m4ac = {0};
    ALSSpecificConfig *sconf = &ctx->sconf;
    AVCodecContext *avctx    = ctx->avctx;
    uint32_t als_id, header_size, trailer_size;
@@ -1386,6 +1387,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)

        for (b = 0; b < ctx->num_blocks; b++) {
            bd.block_length = div_blocks[b];
+            if (bd.block_length <= 0) {
+                av_log(ctx->avctx, AV_LOG_WARNING,
+                       "Invalid block length %d in channel data!\n", bd.block_length);
+                continue;
+            }

            for (c = 0; c < avctx->channels; c++) {
                bd.const_block = ctx->const_block + c;
@@ -1479,7 +1485,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,

    /* get output buffer */
    ctx->frame.nb_samples = ctx->cur_frame_length;
-    if ((ret = avctx->get_buffer(avctx, &ctx->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &ctx->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/amrnbdec.c
+++ b/libavcodec/amrnbdec.c
@@ -44,6 +44,7 @@
 #include <math.h>

 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "libavutil/common.h"
 #include "celp_math.h"
@@ -944,7 +945,7 @@ static int amrnb_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    p->avframe.nb_samples = AMR_BLOCK_SIZE;
-    if ((ret = avctx->get_buffer(avctx, &p->avframe)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &p->avframe)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/amrwbdec.c
+++ b/libavcodec/amrwbdec.c
@@ -27,6 +27,7 @@
 #include "libavutil/lfg.h"

 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "lsp.h"
 #include "celp_math.h"
@@ -1087,7 +1088,7 @@ static int amrwb_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    ctx->avframe.nb_samples = 4 * AMRWB_SFR_SIZE_16k;
-    if ((ret = avctx->get_buffer(avctx, &ctx->avframe)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &ctx->avframe)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/ansi.c
+++ b/libavcodec/ansi.c
@@ -26,6 +26,7 @@

 #include "libavutil/lfg.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "cga_data.h"

 #define ATTR_BOLD         0x01  /**< Bold/Bright-foreground (mode 1) */
@@ -222,7 +223,7 @@ static int execute_code(AVCodecContext * avctx, int c)
            if (s->frame.data[0])
                avctx->release_buffer(avctx, &s->frame);
            avcodec_set_dimensions(avctx, width, height);
-            ret = avctx->get_buffer(avctx, &s->frame);
+            ret = ff_get_buffer(avctx, &s->frame);
            if (ret < 0) {
                av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
                return ret;
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -22,6 +22,7 @@

 #define BITSTREAM_READER_LE
 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "get_bits.h"
 #include "bytestream.h"
@@ -822,7 +823,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
    int16_t *samples;
    int i, ret;
    int blockstodecode;
-    int bytes_used = 0;

    /* this should never be negative, but bad things will happen if it is, so
       check it just to make sure. */
@@ -877,7 +877,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
            return AVERROR_INVALIDDATA;
        }

-        bytes_used = buf_size;
    }

    if (!s->data) {
@@ -889,7 +888,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = blockstodecode;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
@@ -920,7 +919,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
    *got_frame_ptr   = 1;
    *(AVFrame *)data = s->frame;

-    return bytes_used;
+    return (s->samples == 0) ? buf_size : 0;
 }

 static void ape_flush(AVCodecContext *avctx)
--- a/libavcodec/arm/asm.S
+++ b/libavcodec/arm/asm.S
@@ -132,6 +132,13 @@ T       ldr             \rt, [\rn]
 T       add             \rn, \rn, \rm
 .endm

+.macro  ldrc_pre        cc,  rt,  rn,  rm:vararg
+A       ldr\cc          \rt, [\rn, \rm]!
+T       itt             \cc
+T       add\cc          \rn, \rn, \rm
+T       ldr\cc          \rt, [\rn]
+.endm
+
 .macro  ldrd_reg        rt,  rt2, rn,  rm
 A       ldrd            \rt, \rt2, [\rn, \rm]
 T       add             \rt, \rn, \rm
--- a/libavcodec/arm/dsputil_armv6.S
+++ b/libavcodec/arm/dsputil_armv6.S
@@ -146,10 +146,11 @@ function ff_put_pixels8_y2_armv6, export=1
        eor             r7,  r5,  r7
        uadd8           r10, r10, r6
        and             r7,  r7,  r12
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
        uadd8           r11, r11, r7
        strd_post       r8,  r9,  r0,  r2
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
        strd_post       r10, r11, r0,  r2
        bne             1b

@@ -198,9 +199,10 @@ function ff_put_pixels8_y2_no_rnd_armv6, export=1
        uhadd8          r9,  r5,  r7
        ldr             r5,  [r1, #4]
        uhadd8          r12, r4,  r6
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
        uhadd8          r14, r5,  r7
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
        stm             r0,  {r8,r9}
        add             r0,  r0,  r2
        stm             r0,  {r12,r14}
--- a/libavcodec/arm/dsputil_neon.S
+++ b/libavcodec/arm/dsputil_neon.S
@@ -44,22 +44,22 @@ endfunc
  .if \avg
        mov             r12, r0
  .endif
-1:      vld1.64         {q0},     [r1], r2
-        vld1.64         {q1},     [r1], r2
-        vld1.64         {q2},     [r1], r2
+1:      vld1.8          {q0},     [r1], r2
+        vld1.8          {q1},     [r1], r2
+        vld1.8          {q2},     [r1], r2
        pld             [r1, r2, lsl #2]
-        vld1.64         {q3},     [r1], r2
+        vld1.8          {q3},     [r1], r2
        pld             [r1]
        pld             [r1, r2]
        pld             [r1, r2, lsl #1]
  .if \avg
-        vld1.64         {q8},     [r12,:128], r2
+        vld1.8          {q8},     [r12,:128], r2
        vrhadd.u8       q0,  q0,  q8
-        vld1.64         {q9},     [r12,:128], r2
+        vld1.8          {q9},     [r12,:128], r2
        vrhadd.u8       q1,  q1,  q9
-        vld1.64         {q10},    [r12,:128], r2
+        vld1.8          {q10},    [r12,:128], r2
        vrhadd.u8       q2,  q2,  q10
-        vld1.64         {q11},    [r12,:128], r2
+        vld1.8          {q11},    [r12,:128], r2
        vrhadd.u8       q3,  q3,  q11
  .endif
        subs            r3,  r3,  #4
@@ -72,8 +72,8 @@ endfunc
 .endm

 .macro  pixels16_x2     rnd=1, avg=0
-1:      vld1.64         {d0-d2},  [r1], r2
-        vld1.64         {d4-d6},  [r1], r2
+1:      vld1.8          {d0-d2},  [r1], r2
+        vld1.8          {d4-d6},  [r1], r2
        pld             [r1]
        pld             [r1, r2]
        subs            r3,  r3,  #2
@@ -88,20 +88,21 @@ endfunc
        vrhadd.u8       q2,  q2,  q3
        sub             r0,  r0,  r2
  .endif
-        vst1.64         {q0},     [r0,:128], r2
-        vst1.64         {q2},     [r0,:128], r2
+        vst1.8          {q0},     [r0,:128], r2
+        vst1.8          {q2},     [r0,:128], r2
        bne             1b
        bx              lr
 .endm

 .macro  pixels16_y2     rnd=1, avg=0
-        vld1.64         {q0},     [r1], r2
-        vld1.64         {q1},     [r1], r2
+        sub             r3,  r3,  #2
+        vld1.8          {q0},     [r1], r2
+        vld1.8          {q1},     [r1], r2
 1:      subs            r3,  r3,  #2
        avg             q2,  q0,  q1
-        vld1.64         {q0},     [r1], r2
+        vld1.8          {q0},     [r1], r2
        avg             q3,  q0,  q1
-        vld1.64         {q1},     [r1], r2
+        vld1.8          {q1},     [r1], r2
        pld             [r1]
        pld             [r1, r2]
  .if \avg
@@ -111,18 +112,31 @@ endfunc
        vrhadd.u8       q3,  q3,  q9
        sub             r0,  r0,  r2
  .endif
-        vst1.64         {q2},     [r0,:128], r2
-        vst1.64         {q3},     [r0,:128], r2
+        vst1.8          {q2},     [r0,:128], r2
+        vst1.8          {q3},     [r0,:128], r2
        bne             1b
+
+        avg             q2,  q0,  q1
+        vld1.8          {q0},     [r1], r2
+        avg             q3,  q0,  q1
+  .if \avg
+        vld1.8          {q8},     [r0,:128], r2
+        vld1.8          {q9},     [r0,:128]
+        vrhadd.u8       q2,  q2,  q8
+        vrhadd.u8       q3,  q3,  q9
+        sub             r0,  r0,  r2
+  .endif
+        vst1.8          {q2},     [r0,:128], r2
+        vst1.8          {q3},     [r0,:128], r2
+
        bx              lr
 .endm

 .macro  pixels16_xy2    rnd=1, avg=0
-        vld1.64         {d0-d2},  [r1], r2
-        vld1.64         {d4-d6},  [r1], r2
-  .ifeq \rnd
-        vmov.i16        q13, #1
-  .endif
+        sub             r3,  r3,  #2
+        vld1.8          {d0-d2},  [r1], r2
+        vld1.8          {d4-d6},  [r1], r2
+NRND    vmov.i16        q13, #1
        pld             [r1]
        pld             [r1, r2]
        vext.8          q1,  q0,  q1,  #1
@@ -132,38 +146,30 @@ endfunc
        vaddl.u8        q9,  d4,  d6
        vaddl.u8        q11, d5,  d7
 1:      subs            r3,  r3,  #2
-        vld1.64         {d0-d2},  [r1], r2
+        vld1.8          {d0-d2},  [r1], r2
        vadd.u16        q12, q8,  q9
        pld             [r1]
-  .ifeq \rnd
-        vadd.u16        q12, q12, q13
-  .endif
+NRND    vadd.u16        q12, q12, q13
        vext.8          q15, q0,  q1,  #1
        vadd.u16        q1 , q10, q11
        shrn            d28, q12, #2
-  .ifeq \rnd
-        vadd.u16        q1,  q1,  q13
-  .endif
+NRND    vadd.u16        q1,  q1,  q13
        shrn            d29, q1,  #2
  .if \avg
        vld1.8          {q8},     [r0,:128]
        vrhadd.u8       q14, q14, q8
  .endif
        vaddl.u8        q8,  d0,  d30
-        vld1.64         {d2-d4},  [r1], r2
+        vld1.8          {d2-d4},  [r1], r2
        vaddl.u8        q10, d1,  d31
-        vst1.64         {q14},    [r0,:128], r2
+        vst1.8          {q14},    [r0,:128], r2
        vadd.u16        q12, q8,  q9
        pld             [r1, r2]
-  .ifeq \rnd
-        vadd.u16        q12, q12, q13
-  .endif
+NRND    vadd.u16        q12, q12, q13
        vext.8          q2,  q1,  q2,  #1
        vadd.u16        q0,  q10, q11
        shrn            d30, q12, #2
-  .ifeq \rnd
-        vadd.u16        q0,  q0,  q13
-  .endif
+NRND    vadd.u16        q0,  q0,  q13
        shrn            d31, q0,  #2
  .if \avg
        vld1.8          {q9},     [r0,:128]
@@ -171,44 +177,72 @@ endfunc
  .endif
        vaddl.u8        q9,  d2,  d4
        vaddl.u8        q11, d3,  d5
-        vst1.64         {q15},    [r0,:128], r2
+        vst1.8          {q15},    [r0,:128], r2
        bgt             1b
+
+        vld1.8          {d0-d2},  [r1], r2
+        vadd.u16        q12, q8,  q9
+NRND    vadd.u16        q12, q12, q13
+        vext.8          q15, q0,  q1,  #1
+        vadd.u16        q1 , q10, q11
+        shrn            d28, q12, #2
+NRND    vadd.u16        q1,  q1,  q13
+        shrn            d29, q1,  #2
+  .if \avg
+        vld1.8          {q8},     [r0,:128]
+        vrhadd.u8       q14, q14, q8
+  .endif
+        vaddl.u8        q8,  d0,  d30
+        vaddl.u8        q10, d1,  d31
+        vst1.8          {q14},    [r0,:128], r2
+        vadd.u16        q12, q8,  q9
+NRND    vadd.u16        q12, q12, q13
+        vadd.u16        q0,  q10, q11
+        shrn            d30, q12, #2
+NRND    vadd.u16        q0,  q0,  q13
+        shrn            d31, q0,  #2
+  .if \avg
+        vld1.8          {q9},     [r0,:128]
+        vrhadd.u8       q15, q15, q9
+  .endif
+        vst1.8          {q15},    [r0,:128], r2
+
        bx              lr
 .endm

 .macro  pixels8         rnd=1, avg=0
-1:      vld1.64         {d0},     [r1], r2
-        vld1.64         {d1},     [r1], r2
-        vld1.64         {d2},     [r1], r2
+1:      vld1.8          {d0},     [r1], r2
+        vld1.8          {d1},     [r1], r2
+        vld1.8          {d2},     [r1], r2
        pld             [r1, r2, lsl #2]
-        vld1.64         {d3},     [r1], r2
+        vld1.8          {d3},     [r1], r2
        pld             [r1]
        pld             [r1, r2]
        pld             [r1, r2, lsl #1]
  .if \avg
-        vld1.64         {d4},     [r0,:64], r2
+        vld1.8          {d4},     [r0,:64], r2
        vrhadd.u8       d0,  d0,  d4
-        vld1.64         {d5},     [r0,:64], r2
+        vld1.8          {d5},     [r0,:64], r2
        vrhadd.u8       d1,  d1,  d5
-        vld1.64         {d6},     [r0,:64], r2
+        vld1.8          {d6},     [r0,:64], r2
        vrhadd.u8       d2,  d2,  d6
-        vld1.64         {d7},     [r0,:64], r2
+        vld1.8          {d7},     [r0,:64], r2
        vrhadd.u8       d3,  d3,  d7
        sub             r0,  r0,  r2,  lsl #2
  .endif
        subs            r3,  r3,  #4
-        vst1.64         {d0},     [r0,:64], r2
-        vst1.64         {d1},     [r0,:64], r2
-        vst1.64         {d2},     [r0,:64], r2
-        vst1.64         {d3},     [r0,:64], r2
+        vst1.8          {d0},     [r0,:64], r2
+        vst1.8          {d1},     [r0,:64], r2
+        vst1.8          {d2},     [r0,:64], r2
+        vst1.8          {d3},     [r0,:64], r2
        bne             1b
        bx              lr
 .endm

 .macro  pixels8_x2      rnd=1, avg=0
-1:      vld1.64         {q0},     [r1], r2
+1:      vld1.8          {q0},     [r1], r2
        vext.8          d1,  d0,  d1,  #1
-        vld1.64         {q1},     [r1], r2
+        vld1.8          {q1},     [r1], r2
        vext.8          d3,  d2,  d3,  #1
        pld             [r1]
        pld             [r1, r2]
@@ -221,20 +255,21 @@ endfunc
        vrhadd.u8       q0,  q0,  q2
        sub             r0,  r0,  r2
  .endif
-        vst1.64         {d0},     [r0,:64], r2
-        vst1.64         {d1},     [r0,:64], r2
+        vst1.8          {d0},     [r0,:64], r2
+        vst1.8          {d1},     [r0,:64], r2
        bne             1b
        bx              lr
 .endm

 .macro  pixels8_y2      rnd=1, avg=0
-        vld1.64         {d0},     [r1], r2
-        vld1.64         {d1},     [r1], r2
+        sub             r3,  r3,  #2
+        vld1.8          {d0},     [r1], r2
+        vld1.8          {d1},     [r1], r2
 1:      subs            r3,  r3,  #2
        avg             d4,  d0,  d1
-        vld1.64         {d0},     [r1], r2
+        vld1.8          {d0},     [r1], r2
        avg             d5,  d0,  d1
-        vld1.64         {d1},     [r1], r2
+        vld1.8          {d1},     [r1], r2
        pld             [r1]
        pld             [r1, r2]
  .if \avg
@@ -243,18 +278,30 @@ endfunc
        vrhadd.u8       q2,  q2,  q1
        sub             r0,  r0,  r2
  .endif
-        vst1.64         {d4},     [r0,:64], r2
-        vst1.64         {d5},     [r0,:64], r2
+        vst1.8          {d4},     [r0,:64], r2
+        vst1.8          {d5},     [r0,:64], r2
        bne             1b
+
+        avg             d4,  d0,  d1
+        vld1.8          {d0},     [r1], r2
+        avg             d5,  d0,  d1
+  .if \avg
+        vld1.8          {d2},     [r0,:64], r2
+        vld1.8          {d3},     [r0,:64]
+        vrhadd.u8       q2,  q2,  q1
+        sub             r0,  r0,  r2
+  .endif
+        vst1.8          {d4},     [r0,:64], r2
+        vst1.8          {d5},     [r0,:64], r2
+
        bx              lr
 .endm

 .macro  pixels8_xy2     rnd=1, avg=0
-        vld1.64         {q0},     [r1], r2
-        vld1.64         {q1},     [r1], r2
-  .ifeq \rnd
-        vmov.i16        q11, #1
-  .endif
+        sub             r3,  r3,  #2
+        vld1.8          {q0},     [r1], r2
+        vld1.8          {q1},     [r1], r2
+NRND    vmov.i16        q11, #1
        pld             [r1]
        pld             [r1, r2]
        vext.8          d4,  d0,  d1,  #1
@@ -262,26 +309,22 @@ endfunc
        vaddl.u8        q8,  d0,  d4
        vaddl.u8        q9,  d2,  d6
 1:      subs            r3,  r3,  #2
-        vld1.64         {q0},     [r1], r2
+        vld1.8          {q0},     [r1], r2
        pld             [r1]
        vadd.u16        q10, q8,  q9
        vext.8          d4,  d0,  d1,  #1
-  .ifeq \rnd
-        vadd.u16        q10, q10, q11
-  .endif
+NRND    vadd.u16        q10, q10, q11
        vaddl.u8        q8,  d0,  d4
        shrn            d5,  q10, #2
-        vld1.64         {q1},     [r1], r2
+        vld1.8          {q1},     [r1], r2
        vadd.u16        q10, q8,  q9
        pld             [r1, r2]
  .if \avg
        vld1.8          {d7},     [r0,:64]
        vrhadd.u8       d5,  d5,  d7
  .endif
-  .ifeq \rnd
-        vadd.u16        q10, q10, q11
-  .endif
-        vst1.64         {d5},     [r0,:64], r2
+NRND    vadd.u16        q10, q10, q11
+        vst1.8          {d5},     [r0,:64], r2
        shrn            d7,  q10, #2
  .if \avg
        vld1.8          {d5},     [r0,:64]
@@ -289,8 +332,29 @@ endfunc
  .endif
        vext.8          d6,  d2,  d3,  #1
        vaddl.u8        q9,  d2,  d6
-        vst1.64         {d7},     [r0,:64], r2
+        vst1.8          {d7},     [r0,:64], r2
        bgt             1b
+
+        vld1.8          {q0},     [r1], r2
+        vadd.u16        q10, q8,  q9
+        vext.8          d4,  d0,  d1,  #1
+NRND    vadd.u16        q10, q10, q11
+        vaddl.u8        q8,  d0,  d4
+        shrn            d5,  q10, #2
+        vadd.u16        q10, q8,  q9
+  .if \avg
+        vld1.8          {d7},     [r0,:64]
+        vrhadd.u8       d5,  d5,  d7
+  .endif
+NRND    vadd.u16        q10, q10, q11
+        vst1.8          {d5},     [r0,:64], r2
+        shrn            d7,  q10, #2
+  .if \avg
+        vld1.8          {d5},     [r0,:64]
+        vrhadd.u8       d7,  d7,  d5
+  .endif
+        vst1.8          {d7},     [r0,:64], r2
+
        bx              lr
 .endm

@@ -302,6 +366,8 @@ endfunc
    .macro shrn rd, rn, rm
        vrshrn.u16      \rd, \rn, \rm
    .endm
+    .macro NRND insn:vararg
+    .endm
  .else
    .macro avg  rd, rn, rm
        vhadd.u8        \rd, \rn, \rm
@@ -309,12 +375,16 @@ endfunc
    .macro shrn rd, rn, rm
        vshrn.u16       \rd, \rn, \rm
    .endm
+    .macro NRND insn:vararg
+        \insn
+    .endm
  .endif
 function ff_\pfx\name\suf\()_neon, export=1
        \name           \rnd, \avg
 endfunc
        .purgem         avg
        .purgem         shrn
+        .purgem         NRND
 .endm

 .macro  pixfunc2        pfx, name, avg=0
@@ -359,147 +429,147 @@ endfunc
        pixfunc2        avg_, pixels8_xy2, avg=1

 function ff_put_pixels_clamped_neon, export=1
-        vld1.64         {d16-d19}, [r0,:128]!
+        vld1.16         {d16-d19}, [r0,:128]!
        vqmovun.s16     d0, q8
-        vld1.64         {d20-d23}, [r0,:128]!
+        vld1.16         {d20-d23}, [r0,:128]!
        vqmovun.s16     d1, q9
-        vld1.64         {d24-d27}, [r0,:128]!
+        vld1.16         {d24-d27}, [r0,:128]!
        vqmovun.s16     d2, q10
-        vld1.64         {d28-d31}, [r0,:128]!
+        vld1.16         {d28-d31}, [r0,:128]!
        vqmovun.s16     d3, q11
-        vst1.64         {d0},      [r1,:64], r2
+        vst1.8          {d0},      [r1,:64], r2
        vqmovun.s16     d4, q12
-        vst1.64         {d1},      [r1,:64], r2
+        vst1.8          {d1},      [r1,:64], r2
        vqmovun.s16     d5, q13
-        vst1.64         {d2},      [r1,:64], r2
+        vst1.8          {d2},      [r1,:64], r2
        vqmovun.s16     d6, q14
-        vst1.64         {d3},      [r1,:64], r2
+        vst1.8          {d3},      [r1,:64], r2
        vqmovun.s16     d7, q15
-        vst1.64         {d4},      [r1,:64], r2
-        vst1.64         {d5},      [r1,:64], r2
-        vst1.64         {d6},      [r1,:64], r2
-        vst1.64         {d7},      [r1,:64], r2
+        vst1.8          {d4},      [r1,:64], r2
+        vst1.8          {d5},      [r1,:64], r2
+        vst1.8          {d6},      [r1,:64], r2
+        vst1.8          {d7},      [r1,:64], r2
        bx              lr
 endfunc

 function ff_put_signed_pixels_clamped_neon, export=1
        vmov.u8         d31, #128
-        vld1.64         {d16-d17}, [r0,:128]!
+        vld1.16         {d16-d17}, [r0,:128]!
        vqmovn.s16      d0, q8
-        vld1.64         {d18-d19}, [r0,:128]!
+        vld1.16         {d18-d19}, [r0,:128]!
        vqmovn.s16      d1, q9
-        vld1.64         {d16-d17}, [r0,:128]!
+        vld1.16         {d16-d17}, [r0,:128]!
        vqmovn.s16      d2, q8
-        vld1.64         {d18-d19}, [r0,:128]!
+        vld1.16         {d18-d19}, [r0,:128]!
        vadd.u8         d0, d0, d31
-        vld1.64         {d20-d21}, [r0,:128]!
+        vld1.16         {d20-d21}, [r0,:128]!
        vadd.u8         d1, d1, d31
-        vld1.64         {d22-d23}, [r0,:128]!
+        vld1.16         {d22-d23}, [r0,:128]!
        vadd.u8         d2, d2, d31
-        vst1.64         {d0},      [r1,:64], r2
+        vst1.8          {d0},      [r1,:64], r2
        vqmovn.s16      d3, q9
-        vst1.64         {d1},      [r1,:64], r2
+        vst1.8          {d1},      [r1,:64], r2
        vqmovn.s16      d4, q10
-        vst1.64         {d2},      [r1,:64], r2
+        vst1.8          {d2},      [r1,:64], r2
        vqmovn.s16      d5, q11
-        vld1.64         {d24-d25}, [r0,:128]!
+        vld1.16         {d24-d25}, [r0,:128]!
        vadd.u8         d3, d3, d31
-        vld1.64         {d26-d27}, [r0,:128]!
+        vld1.16         {d26-d27}, [r0,:128]!
        vadd.u8         d4, d4, d31
        vadd.u8         d5, d5, d31
-        vst1.64         {d3},      [r1,:64], r2
+        vst1.8          {d3},      [r1,:64], r2
        vqmovn.s16      d6, q12
-        vst1.64         {d4},      [r1,:64], r2
+        vst1.8          {d4},      [r1,:64], r2
        vqmovn.s16      d7, q13
-        vst1.64         {d5},      [r1,:64], r2
+        vst1.8          {d5},      [r1,:64], r2
        vadd.u8         d6, d6, d31
        vadd.u8         d7, d7, d31
-        vst1.64         {d6},      [r1,:64], r2
-        vst1.64         {d7},      [r1,:64], r2
+        vst1.8          {d6},      [r1,:64], r2
+        vst1.8          {d7},      [r1,:64], r2
        bx              lr
 endfunc

 function ff_add_pixels_clamped_neon, export=1
        mov             r3, r1
-        vld1.64         {d16},   [r1,:64], r2
-        vld1.64         {d0-d1}, [r0,:128]!
+        vld1.8          {d16},   [r1,:64], r2
+        vld1.16         {d0-d1}, [r0,:128]!
        vaddw.u8        q0, q0, d16
-        vld1.64         {d17},   [r1,:64], r2
-        vld1.64         {d2-d3}, [r0,:128]!
+        vld1.8          {d17},   [r1,:64], r2
+        vld1.16         {d2-d3}, [r0,:128]!
        vqmovun.s16     d0, q0
-        vld1.64         {d18},   [r1,:64], r2
+        vld1.8          {d18},   [r1,:64], r2
        vaddw.u8        q1, q1, d17
-        vld1.64         {d4-d5}, [r0,:128]!
+        vld1.16         {d4-d5}, [r0,:128]!
        vaddw.u8        q2, q2, d18
-        vst1.64         {d0},    [r3,:64], r2
+        vst1.8          {d0},    [r3,:64], r2
        vqmovun.s16     d2, q1
-        vld1.64         {d19},   [r1,:64], r2
-        vld1.64         {d6-d7}, [r0,:128]!
+        vld1.8          {d19},   [r1,:64], r2
+        vld1.16         {d6-d7}, [r0,:128]!
        vaddw.u8        q3, q3, d19
        vqmovun.s16     d4, q2
-        vst1.64         {d2},    [r3,:64], r2
-        vld1.64         {d16},   [r1,:64], r2
+        vst1.8          {d2},    [r3,:64], r2
+        vld1.8          {d16},   [r1,:64], r2
        vqmovun.s16     d6, q3
-        vld1.64         {d0-d1}, [r0,:128]!
+        vld1.16         {d0-d1}, [r0,:128]!
        vaddw.u8        q0, q0, d16
-        vst1.64         {d4},    [r3,:64], r2
-        vld1.64         {d17},   [r1,:64], r2
-        vld1.64         {d2-d3}, [r0,:128]!
+        vst1.8          {d4},    [r3,:64], r2
+        vld1.8          {d17},   [r1,:64], r2
+        vld1.16         {d2-d3}, [r0,:128]!
        vaddw.u8        q1, q1, d17
-        vst1.64         {d6},    [r3,:64], r2
+        vst1.8          {d6},    [r3,:64], r2
        vqmovun.s16     d0, q0
-        vld1.64         {d18},   [r1,:64], r2
-        vld1.64         {d4-d5}, [r0,:128]!
+        vld1.8          {d18},   [r1,:64], r2
+        vld1.16         {d4-d5}, [r0,:128]!
        vaddw.u8        q2, q2, d18
-        vst1.64         {d0},    [r3,:64], r2
+        vst1.8          {d0},    [r3,:64], r2
        vqmovun.s16     d2, q1
-        vld1.64         {d19},   [r1,:64], r2
+        vld1.8          {d19},   [r1,:64], r2
        vqmovun.s16     d4, q2
-        vld1.64         {d6-d7}, [r0,:128]!
+        vld1.16         {d6-d7}, [r0,:128]!
        vaddw.u8        q3, q3, d19
-        vst1.64         {d2},    [r3,:64], r2
+        vst1.8          {d2},    [r3,:64], r2
        vqmovun.s16     d6, q3
-        vst1.64         {d4},    [r3,:64], r2
-        vst1.64         {d6},    [r3,:64], r2
+        vst1.8          {d4},    [r3,:64], r2
+        vst1.8          {d6},    [r3,:64], r2
        bx              lr
 endfunc

 function ff_vector_fmul_neon, export=1
        subs            r3,  r3,  #8
-        vld1.64         {d0-d3},  [r1,:128]!
-        vld1.64         {d4-d7},  [r2,:128]!
+        vld1.32         {d0-d3},  [r1,:128]!
+        vld1.32         {d4-d7},  [r2,:128]!
        vmul.f32        q8,  q0,  q2
        vmul.f32        q9,  q1,  q3
        beq             3f
        bics            ip,  r3,  #15
        beq             2f
 1:      subs            ip,  ip,  #16
-        vld1.64         {d0-d1},  [r1,:128]!
-        vld1.64         {d4-d5},  [r2,:128]!
+        vld1.32         {d0-d1},  [r1,:128]!
+        vld1.32         {d4-d5},  [r2,:128]!
        vmul.f32        q10, q0,  q2
-        vld1.64         {d2-d3},  [r1,:128]!
-        vld1.64         {d6-d7},  [r2,:128]!
+        vld1.32         {d2-d3},  [r1,:128]!
+        vld1.32         {d6-d7},  [r2,:128]!
        vmul.f32        q11, q1,  q3
-        vst1.64         {d16-d19},[r0,:128]!
-        vld1.64         {d0-d1},  [r1,:128]!
-        vld1.64         {d4-d5},  [r2,:128]!
+        vst1.32         {d16-d19},[r0,:128]!
+        vld1.32         {d0-d1},  [r1,:128]!
+        vld1.32         {d4-d5},  [r2,:128]!
        vmul.f32        q8,  q0,  q2
-        vld1.64         {d2-d3},  [r1,:128]!
-        vld1.64         {d6-d7},  [r2,:128]!
+        vld1.32         {d2-d3},  [r1,:128]!
+        vld1.32         {d6-d7},  [r2,:128]!
        vmul.f32        q9,  q1,  q3
-        vst1.64         {d20-d23},[r0,:128]!
+        vst1.32         {d20-d23},[r0,:128]!
        bne             1b
        ands            r3,  r3,  #15
        beq             3f
-2:      vld1.64         {d0-d1},  [r1,:128]!
-        vld1.64         {d4-d5},  [r2,:128]!
-        vst1.64         {d16-d17},[r0,:128]!
+2:      vld1.32         {d0-d1},  [r1,:128]!
+        vld1.32         {d4-d5},  [r2,:128]!
+        vst1.32         {d16-d17},[r0,:128]!
        vmul.f32        q8,  q0,  q2
-        vld1.64         {d2-d3},  [r1,:128]!
-        vld1.64         {d6-d7},  [r2,:128]!
-        vst1.64         {d18-d19},[r0,:128]!
+        vld1.32         {d2-d3},  [r1,:128]!
+        vld1.32         {d6-d7},  [r2,:128]!
+        vst1.32         {d18-d19},[r0,:128]!
        vmul.f32        q9,  q1,  q3
-3:      vst1.64         {d16-d19},[r0,:128]!
+3:      vst1.32         {d16-d19},[r0,:128]!
        bx              lr
 endfunc

@@ -512,10 +582,10 @@ function ff_vector_fmul_window_neon, export=1
        add             r4,  r3,  r5, lsl #3
        add             ip,  r0,  r5, lsl #3
        mov             r5,  #-16
-        vld1.64         {d0,d1},  [r1,:128]!
-        vld1.64         {d2,d3},  [r2,:128], r5
-        vld1.64         {d4,d5},  [r3,:128]!
-        vld1.64         {d6,d7},  [r4,:128], r5
+        vld1.32         {d0,d1},  [r1,:128]!
+        vld1.32         {d2,d3},  [r2,:128], r5
+        vld1.32         {d4,d5},  [r3,:128]!
+        vld1.32         {d6,d7},  [r4,:128], r5
 1:      subs            lr,  lr,  #4
        vmul.f32        d22, d0,  d4
        vrev64.32       q3,  q3
@@ -525,19 +595,19 @@ function ff_vector_fmul_window_neon, export=1
        vmul.f32        d21, d1,  d6
        beq             2f
        vmla.f32        d22, d3,  d7
-        vld1.64         {d0,d1},  [r1,:128]!
+        vld1.32         {d0,d1},  [r1,:128]!
        vmla.f32        d23, d2,  d6
-        vld1.64         {d18,d19},[r2,:128], r5
+        vld1.32         {d18,d19},[r2,:128], r5
        vmls.f32        d20, d3,  d4
-        vld1.64         {d24,d25},[r3,:128]!
+        vld1.32         {d24,d25},[r3,:128]!
        vmls.f32        d21, d2,  d5
-        vld1.64         {d6,d7},  [r4,:128], r5
+        vld1.32         {d6,d7},  [r4,:128], r5
        vmov            q1,  q9
        vrev64.32       q11, q11
        vmov            q2,  q12
        vswp            d22, d23
-        vst1.64         {d20,d21},[r0,:128]!
-        vst1.64         {d22,d23},[ip,:128], r5
+        vst1.32         {d20,d21},[r0,:128]!
+        vst1.32         {d22,d23},[ip,:128], r5
        b               1b
 2:      vmla.f32        d22, d3,  d7
        vmla.f32        d23, d2,  d6
@@ -545,8 +615,8 @@ function ff_vector_fmul_window_neon, export=1
        vmls.f32        d21, d2,  d5
        vrev64.32       q11, q11
        vswp            d22, d23
-        vst1.64         {d20,d21},[r0,:128]!
-        vst1.64         {d22,d23},[ip,:128], r5
+        vst1.32         {d20,d21},[r0,:128]!
+        vst1.32         {d22,d23},[ip,:128], r5
        pop             {r4,r5,pc}
 endfunc

--- a/libavcodec/arm/h264dsp_init_arm.c
+++ b/libavcodec/arm/h264dsp_init_arm.c
@@ -89,7 +89,7 @@ static void ff_h264dsp_init_neon(H264DSPContext *c, const int bit_depth, const i
    c->h264_idct_dc_add     = ff_h264_idct_dc_add_neon;
    c->h264_idct_add16      = ff_h264_idct_add16_neon;
    c->h264_idct_add16intra = ff_h264_idct_add16intra_neon;
-    if (chroma_format_idc == 1)
+    if (chroma_format_idc <= 1)
        c->h264_idct_add8   = ff_h264_idct_add8_neon;
    c->h264_idct8_add       = ff_h264_idct8_add_neon;
    c->h264_idct8_dc_add    = ff_h264_idct8_dc_add_neon;
--- a/libavcodec/arm/int_neon.S
+++ b/libavcodec/arm/int_neon.S
@@ -66,10 +66,10 @@ function ff_scalarproduct_int16_neon, export=1

 3:      vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
@@ -106,10 +106,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1

        vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
--- a/libavcodec/asv1.c
+++ b/libavcodec/asv1.c
@@ -535,6 +535,11 @@ static av_cold int decode_init(AVCodecContext *avctx){
    int i;
    const int scale= avctx->codec_id == CODEC_ID_ASV1 ? 1 : 2;

+    if (avctx->extradata_size < 1) {
+        av_log(avctx, AV_LOG_ERROR, "No extradata provided\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    common_init(avctx);
    init_vlcs(a);
    ff_init_scantable(a->dsp.idct_permutation, &a->scantable, scantab);
--- a/libavcodec/atrac1.c
+++ b/libavcodec/atrac1.c
@@ -33,6 +33,7 @@
 #include <stdio.h>

 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "fft.h"
@@ -291,7 +292,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    q->frame.nb_samples = AT1_SU_SAMPLES;
-    if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -37,6 +37,7 @@
 #include <stdio.h>

 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "bytestream.h"
@@ -852,7 +853,7 @@ static int atrac3_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    q->frame.nb_samples = SAMPLES_PER_FRAME;
-    if ((result = avctx->get_buffer(avctx, &q->frame)) < 0) {
+    if ((result = ff_get_buffer(avctx, &q->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return result;
    }
--- a/libavcodec/binkaudio.c
+++ b/libavcodec/binkaudio.c
@@ -29,6 +29,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #define BITSTREAM_READER_LE
 #include "get_bits.h"
 #include "dsputil.h"
@@ -340,7 +341,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = s->block_size / avctx->channels;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/bmv.c
+++ b/libavcodec/bmv.c
@@ -20,6 +20,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"
 #include "libavutil/avassert.h"

@@ -274,7 +275,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    }

    c->pic.reference = 1;
-    if (avctx->get_buffer(avctx, &c->pic) < 0) {
+    if (ff_get_buffer(avctx, &c->pic) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return -1;
    }
@@ -339,7 +340,7 @@ static int bmv_aud_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    c->frame.nb_samples = total_blocks * 32;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/bytestream.h
+++ b/libavcodec/bytestream.h
@@ -198,6 +198,16 @@ static av_always_inline int bytestream2_tell_p(PutByteContext *p)
    return (int)(p->buffer - p->buffer_start);
 }

+static av_always_inline int bytestream2_size(GetByteContext *g)
+{
+    return (int)(g->buffer_end - g->buffer_start);
+}
+
+static av_always_inline int bytestream2_size_p(PutByteContext *p)
+{
+    return (int)(p->buffer_end - p->buffer_start);
+}
+
 static av_always_inline int bytestream2_seek(GetByteContext *g,
                                             int offset,
                                             int whence)
@@ -323,6 +333,32 @@ static av_always_inline unsigned int bytestream2_get_eof(PutByteContext *p)
    return p->eof;
 }

+static av_always_inline unsigned int bytestream2_copy_bufferu(PutByteContext *p,
+                                                              GetByteContext *g,
+                                                              unsigned int size)
+{
+    memcpy(p->buffer, g->buffer, size);
+    p->buffer += size;
+    g->buffer += size;
+    return size;
+}
+
+static av_always_inline unsigned int bytestream2_copy_buffer(PutByteContext *p,
+                                                             GetByteContext *g,
+                                                             unsigned int size)
+{
+    int size2;
+
+    if (p->eof)
+        return 0;
+    size  = FFMIN(g->buffer_end - g->buffer, size);
+    size2 = FFMIN(p->buffer_end - p->buffer, size);
+    if (size2 != size)
+        p->eof = 1;
+
+    return bytestream2_copy_bufferu(p, g, size2);
+}
+
 static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b,
                                                           uint8_t *dst,
                                                           unsigned int size)
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -166,8 +166,8 @@ static inline int decode_residual_inter(AVSContext *h) {

    /* get coded block pattern */
    int cbp= get_ue_golomb(&h->s.gb);
-    if(cbp > 63U){
-        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
+    if(cbp > 63 || cbp < 0){
+        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp);
        return -1;
    }
    h->cbp = cbp_tab[cbp][1];
@@ -226,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) {
    /* get coded block pattern */
    if(h->pic_type == AV_PICTURE_TYPE_I)
        cbp_code = get_ue_golomb(gb);
-    if(cbp_code > 63U){
+    if(cbp_code > 63 || cbp_code < 0 ){
        av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
        return -1;
    }
@@ -468,6 +468,11 @@ static int decode_pic(AVSContext *h) {
    int skip_count = -1;
    enum cavs_mb mb_type;

+    if (!h->top_qp) {
+        av_log(h, AV_LOG_ERROR, "No sequence header decoded yet\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    if (!s->context_initialized) {
        s->avctx->idct_algo = FF_IDCT_CAVS;
        if (MPV_common_init(s) < 0)
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -20,6 +20,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"

 /**
@@ -268,7 +269,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
 static int cdg_decode_frame(AVCodecContext *avctx,
                            void *data, int *data_size, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
+    GetByteContext gb;
    int buf_size       = avpkt->size;
    int ret;
    uint8_t command, inst;
@@ -285,17 +286,19 @@ static int cdg_decode_frame(AVCodecContext *avctx,
        return AVERROR(EINVAL);
    }

+    bytestream2_init(&gb, avpkt->data, avpkt->size);
+
    ret = avctx->reget_buffer(avctx, &cc->frame);
    if (ret) {
        av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
        return ret;
    }

-    command = bytestream_get_byte(&buf);
-    inst    = bytestream_get_byte(&buf);
+    command = bytestream2_get_byte(&gb);
+    inst    = bytestream2_get_byte(&gb);
    inst    &= CDG_MASK;
-    buf += 2;  /// skipping 2 unneeded bytes
-    bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
+    bytestream2_skip(&gb, 2);
+    bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data));

    if ((command & CDG_MASK) == CDG_COMMAND) {
        switch (inst) {
@@ -337,7 +340,7 @@ static int cdg_decode_frame(AVCodecContext *avctx,
            }

            cdg_init_frame(&new_frame);
-            ret = avctx->get_buffer(avctx, &new_frame);
+            ret = ff_get_buffer(avctx, &new_frame);
            if (ret) {
                av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
                return ret;
@@ -354,11 +357,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
        *data_size = sizeof(AVFrame);
    } else {
        *data_size = 0;
-        buf_size   = 0;
    }

    *(AVFrame *) data = cc->frame;
-    return buf_size;
+    return avpkt->size;
 }

 static av_cold int cdg_decode_end(AVCodecContext *avctx)
--- a/libavcodec/cook.c
+++ b/libavcodec/cook.c
@@ -44,6 +44,7 @@

 #include "libavutil/lfg.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "bytestream.h"
@@ -991,7 +992,7 @@ static int cook_decode_frame(AVCodecContext *avctx, void *data,
    /* get output buffer */
    if (q->discarded_packets >= 2) {
        q->frame.nb_samples = q->samples_per_channel;
-        if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) {
+        if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) {
            av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
            return ret;
        }
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -32,6 +32,7 @@
 #include "libavutil/mathematics.h"
 #include "libavutil/audioconvert.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "fft.h"
 #include "get_bits.h"
@@ -577,6 +578,11 @@ static int dca_parse_frame_header(DCAContext *s)
    s->lfe               = get_bits(&s->gb, 2);
    s->predictor_history = get_bits(&s->gb, 1);

+    if (s->lfe > 2) {
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);
+        return AVERROR_INVALIDDATA;
+    }
+
    /* TODO: check CRC */
    if (s->crc_present)
        s->header_crc    = get_bits(&s->gb, 16);
@@ -1890,7 +1896,7 @@ static int dca_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = 256 * (s->sample_blocks / 8);
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -21,6 +21,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"

 #include "libavutil/imgutils.h"
@@ -325,7 +326,7 @@ static int dfa_decode_frame(AVCodecContext *avctx,
    if (s->pic.data[0])
        avctx->release_buffer(avctx, &s->pic);

-    if ((ret = avctx->get_buffer(avctx, &s->pic))) {
+    if ((ret = ff_get_buffer(avctx, &s->pic))) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1332,8 +1332,8 @@ static int mc_subpel(DiracContext *s, DiracBlock *block, const uint8_t *src[5],
        motion_y >>= s->chroma_y_shift;
    }

-    mx         = motion_x & ~(-1 << s->mv_precision);
-    my         = motion_y & ~(-1 << s->mv_precision);
+    mx         = motion_x & ~(-1U << s->mv_precision);
+    my         = motion_y & ~(-1U << s->mv_precision);
    motion_x >>= s->mv_precision;
    motion_y >>= s->mv_precision;
    /* normalize subpel coordinates to epel */
--- a/libavcodec/dnxhddec.c
+++ b/libavcodec/dnxhddec.c
@@ -38,6 +38,7 @@ typedef struct DNXHDContext {
    GetBitContext gb;
    int cid;                            ///< compression id
    unsigned int width, height;
+    enum PixelFormat pix_fmt;
    unsigned int mb_width, mb_height;
    uint32_t mb_scan_index[68];         /* max for 1080p */
    int cur_field;                      ///< current interlaced field
@@ -129,7 +130,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si
    av_dlog(ctx->avctx, "width %d, height %d\n", ctx->width, ctx->height);

    if (buf[0x21] & 0x40) {
-        ctx->avctx->pix_fmt = PIX_FMT_YUV422P10;
+        ctx->pix_fmt = PIX_FMT_YUV422P10;
        ctx->avctx->bits_per_raw_sample = 10;
        if (ctx->bit_depth != 10) {
            dsputil_init(&ctx->dsp, ctx->avctx);
@@ -137,7 +138,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si
            ctx->decode_dct_block = dnxhd_decode_dct_block_10;
        }
    } else {
-        ctx->avctx->pix_fmt = PIX_FMT_YUV422P;
+        ctx->pix_fmt = PIX_FMT_YUV422P;
        ctx->avctx->bits_per_raw_sample = 8;
        if (ctx->bit_depth != 8) {
            dsputil_init(&ctx->dsp, ctx->avctx);
@@ -380,9 +381,15 @@ static int dnxhd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
               avctx->width, avctx->height, ctx->width, ctx->height);
        first_field = 1;
    }
+    if (avctx->pix_fmt != PIX_FMT_NONE && avctx->pix_fmt != ctx->pix_fmt) {
+        av_log(avctx, AV_LOG_WARNING, "pix_fmt changed: %s -> %s\n",
+               av_get_pix_fmt_name(avctx->pix_fmt), av_get_pix_fmt_name(ctx->pix_fmt));
+        first_field = 1;
+    }

    if (av_image_check_size(ctx->width, ctx->height, 0, avctx))
        return -1;
+    avctx->pix_fmt = ctx->pix_fmt;
    avcodec_set_dimensions(avctx, ctx->width, ctx->height);

    if (first_field) {
--- a/libavcodec/dnxhdenc.c
+++ b/libavcodec/dnxhdenc.c
@@ -220,7 +220,7 @@ static int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias)

 static int dnxhd_init_rc(DNXHDEncContext *ctx)
 {
-    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail);
+    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail);
    if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD)
        FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail);

--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -39,6 +39,7 @@

 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"

 typedef struct DPCMContext {
@@ -216,7 +217,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = (out + s->channels - 1) / s->channels;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -25,6 +25,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"
 #include "mathops.h"

@@ -363,7 +364,7 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    cin->frame.nb_samples = avpkt->size - cin->initial_decode_frame;
-    if ((ret = avctx->get_buffer(avctx, &cin->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &cin->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/dsputil.c
+++ b/libavcodec/dsputil.c
@@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){

 static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
    long i;
-    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
        long a = *(long*)(src+i);
        long b = *(long*)(dst+i);
        *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
        }
    }else
 #endif
-    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
        long a = *(long*)(src1+i);
        long b = *(long*)(src2+i);
        *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -94,6 +94,12 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
    int x, y, len, color;
    uint8_t *d;

+    if (start >= buf_size)
+        return -1;
+
+    if (w <= 0 || h <= 0)
+        return -1;
+
    bit_len = (buf_size - start) * 8;
    init_get_bits(&gb, buf + start, bit_len);

@@ -336,10 +342,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
                sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
                sub_header->num_rects = 1;
                sub_header->rects[0]->pict.data[0] = bitmap;
-                decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-                           buf, offset1, buf_size, is_8bit);
-                decode_rle(bitmap + w, w * 2, w, h / 2,
-                           buf, offset2, buf_size, is_8bit);
+                if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+                               buf, offset1, buf_size, is_8bit) < 0)
+                    goto fail;
+                if (decode_rle(bitmap + w, w * 2, w, h / 2,
+                               buf, offset2, buf_size, is_8bit) < 0)
+                    goto fail;
                sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE);
                if (is_8bit) {
                    if (yuv_palette == 0)
--- a/libavcodec/dxa.c
+++ b/libavcodec/dxa.c
@@ -301,6 +301,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
    c->avctx = avctx;
    avctx->pix_fmt = PIX_FMT_PAL8;

+    if (avctx->width%4 || avctx->height%4) {
+        av_log(avctx, AV_LOG_ERROR, "dimensions are not a multiple of 4");
+        return AVERROR_INVALIDDATA;
+    }
+
    avcodec_get_frame_defaults(&c->pic);
    avcodec_get_frame_defaults(&c->prev);

--- a/libavcodec/dxtory.c
+++ b/libavcodec/dxtory.c
@@ -21,6 +21,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #include "libavutil/intreadwrite.h"

 static av_cold int decode_init(AVCodecContext *avctx)
@@ -51,7 +52,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    }

    pic->reference = 0;
-    if ((ret = avctx->get_buffer(avctx, pic)) < 0)
+    if ((ret = ff_get_buffer(avctx, pic)) < 0)
        return ret;

    pic->pict_type = AV_PICTURE_TYPE_I;
--- a/libavcodec/eacmv.c
+++ b/libavcodec/eacmv.c
@@ -112,8 +112,8 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t *
            int yoffset = ((buf[i] >> 4)) - 7;
            if (s->last_frame.data[0])
                cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
-                          s->last_frame.data[0], s->last_frame.linesize[0],
-                          x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
+                            s->last_frame.data[0], s->last_frame.linesize[0],
+                            x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
        }
        i++;
    }
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -29,6 +29,7 @@
 */

 #include "avcodec.h"
+#include "bytestream.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "aandcttab.h"
@@ -143,6 +144,11 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                break;
            } else if (level != 0) {
                i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return -1;
+                }
                j = scantable[i];
                level = (level*quant_matrix[j]) >> 4;
                level = (level-1)|1;
@@ -157,6 +163,11 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6);

                i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return -1;
+                }
                j = scantable[i];
                if (level < 0) {
                    level = -level;
@@ -168,10 +179,6 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                    level = (level-1)|1;
                }
            }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }

            block[j] = level;
        }
@@ -246,32 +253,34 @@ static int decode_frame(AVCodecContext *avctx,
 {
    const uint8_t *buf = avpkt->data;
    int buf_size       = avpkt->size;
-    const uint8_t *buf_end = buf+buf_size;
    MadContext *t     = avctx->priv_data;
+    GetByteContext gb;
    MpegEncContext *s = &t->s;
    int chunk_type;
    int inter;

-    if (buf_size < 17) {
-        av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
-        *data_size = 0;
-        return -1;
-    }
+    bytestream2_init(&gb, buf, buf_size);

-    chunk_type = AV_RL32(&buf[0]);
+    chunk_type = bytestream2_get_le32(&gb);
    inter = (chunk_type == MADm_TAG || chunk_type == MADe_TAG);
-    buf += 8;
+    bytestream2_skip(&gb, 10);

    av_reduce(&avctx->time_base.num, &avctx->time_base.den,
-              AV_RL16(&buf[6]), 1000, 1<<30);
+              bytestream2_get_le16(&gb), 1000, 1<<30);

-    s->width  = AV_RL16(&buf[8]);
-    s->height = AV_RL16(&buf[10]);
-    calc_intra_matrix(t, buf[13]);
-    buf += 16;
+    s->width  = bytestream2_get_le16(&gb);
+    s->height = bytestream2_get_le16(&gb);
+    bytestream2_skip(&gb, 1);
+    calc_intra_matrix(t, bytestream2_get_byte(&gb));
+    bytestream2_skip(&gb, 2);
+
+    if (bytestream2_get_bytes_left(&gb) < 2) {
+        av_log(avctx, AV_LOG_ERROR, "Input data too small\n");
+        return AVERROR_INVALIDDATA;
+    }

    if (avctx->width != s->width || avctx->height != s->height) {
-        if((s->width * s->height)/2048*7 > buf_end-buf)
+        if((s->width * s->height)/2048*7 > bytestream2_get_bytes_left(&gb))
            return -1;
        if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
            return -1;
@@ -290,13 +299,14 @@ static int decode_frame(AVCodecContext *avctx,
        }
    }

-    av_fast_malloc(&t->bitstream_buf, &t->bitstream_buf_size, (buf_end-buf) + FF_INPUT_BUFFER_PADDING_SIZE);
+    av_fast_malloc(&t->bitstream_buf, &t->bitstream_buf_size,
+                   bytestream2_get_bytes_left(&gb) + FF_INPUT_BUFFER_PADDING_SIZE);
    if (!t->bitstream_buf)
        return AVERROR(ENOMEM);
-    bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2);
-    memset((uint8_t*)t->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE);
-    init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf));
-
+    bswap16_buf(t->bitstream_buf, (const uint16_t *)(buf + bytestream2_tell(&gb)),
+                bytestream2_get_bytes_left(&gb) / 2);
+    memset((uint8_t*)t->bitstream_buf + bytestream2_get_bytes_left(&gb), 0, FF_INPUT_BUFFER_PADDING_SIZE);
+    init_get_bits(&s->gb, t->bitstream_buf, 8*(bytestream2_get_bytes_left(&gb)));
    for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
        for (s->mb_x=0; s->mb_x < (avctx->width +15)/16; s->mb_x++)
            if(decode_mb(t, inter) < 0)
--- a/libavcodec/elbg.c
+++ b/libavcodec/elbg.c
@@ -110,7 +110,7 @@ static int get_high_utility_cell(elbg_data *elbg)
    while (elbg->utility_inc[i] < r)
        i++;

-    assert(!elbg->cells[i]);
+    assert(elbg->cells[i]);

    return i;
 }
--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@@ -921,6 +921,12 @@ void ff_er_frame_end(MpegEncContext *s)
        return;
    };

+    if (s->picture_structure == PICT_FRAME &&
+        s->current_picture.f.linesize[0] != s->current_picture_ptr->f.linesize[0]) {
+        av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n");
+        return;
+    }
+
    if (s->current_picture.f.motion_val[0] == NULL) {
        av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n");

--- a/libavcodec/faxcompr.c
+++ b/libavcodec/faxcompr.c
@@ -243,7 +243,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs)
    PutBitContext pb;
    int run, mode = ~0, pix_left = width, run_idx = 0;

-    init_put_bits(&pb, dst, size*8);
+    init_put_bits(&pb, dst, size);
    while(pix_left > 0){
        run = runs[run_idx++];
        mode = ~mode;
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -722,6 +722,10 @@ static av_cold int init_slice_contexts(FFV1Context *f){
    int i;

    f->slice_count= f->num_h_slices * f->num_v_slices;
+    if (f->slice_count <= 0) {
+        av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n");
+        return AVERROR(EINVAL);
+    }

    for(i=0; i<f->slice_count; i++){
        FFV1Context *fs= av_mallocz(sizeof(*fs));
@@ -1547,20 +1551,48 @@ static int read_header(FFV1Context *f){
    memset(state, 128, sizeof(state));

    if(f->version < 2){
-        f->version= get_symbol(c, state, 0);
-        f->ac= f->avctx->coder_type= get_symbol(c, state, 0);
-        if(f->ac>1){
-            for(i=1; i<256; i++){
-                f->state_transition[i]= get_symbol(c, state, 1) + c->one_state[i];
+        int chroma_h_shift, chroma_v_shift, colorspace, bits_per_raw_sample;
+        int transparency;
+        unsigned v = get_symbol(c, state, 0);
+        if (v > 1) {
+            av_log(f->avctx, AV_LOG_ERROR,
+                   "invalid version %d in version 1 header\n", v);
+            return AVERROR_INVALIDDATA;
+        }
+        f->version = v;
+
+        f->ac = f->avctx->coder_type = get_symbol(c, state, 0);
+
+        if (f->ac > 1) {
+            for (i = 1; i < 256; i++)
+                f->state_transition[i] =
+                    get_symbol(c, state, 1) + c->one_state[i];
+        }
+
+        colorspace          = get_symbol(c, state, 0); //YUV cs type
+        bits_per_raw_sample = f->version > 0 ? get_symbol(c, state, 0) : f->avctx->bits_per_raw_sample;
+        get_rac(c, state); //no chroma = false
+        chroma_h_shift      = get_symbol(c, state, 0);
+        chroma_v_shift      = get_symbol(c, state, 0);
+        transparency        = get_rac(c, state);
+
+        if (f->plane_count) {
+            if (colorspace          != f->colorspace                 ||
+                bits_per_raw_sample != f->avctx->bits_per_raw_sample ||
+                chroma_h_shift      != f->chroma_h_shift             ||
+                chroma_v_shift      != f->chroma_v_shift             ||
+                transparency        != f->transparency) {
+                av_log(f->avctx, AV_LOG_ERROR, "Invalid change of global parameters\n");
+                return AVERROR_INVALIDDATA;
            }
        }
-        f->colorspace= get_symbol(c, state, 0); //YUV cs type
-        if(f->version>0)
-            f->avctx->bits_per_raw_sample= get_symbol(c, state, 0);
-        get_rac(c, state); //no chroma = false
-        f->chroma_h_shift= get_symbol(c, state, 0);
-        f->chroma_v_shift= get_symbol(c, state, 0);
-        f->transparency= get_rac(c, state);
+
+        f->colorspace                 = colorspace;
+        f->avctx->bits_per_raw_sample = bits_per_raw_sample;
+        f->chroma_h_shift             = chroma_h_shift;
+        f->chroma_v_shift             = chroma_v_shift;
+        f->transparency               = transparency;
+
        f->plane_count= 2 + f->transparency;
    }

--- a/libavcodec/flac_parser.c
+++ b/libavcodec/flac_parser.c
@@ -646,7 +646,7 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx,
 handle_error:
    *poutbuf      = NULL;
    *poutbuf_size = 0;
-    return read_end - buf;
+    return buf_size ? read_end - buf : 0;
 }

 static int flac_parse_init(AVCodecParserContext *c)
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -599,7 +599,7 @@ static int flac_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = s->blocksize;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -389,7 +389,9 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
                    s->diff_start  = get_bits(&gb, 8);
                    s->diff_height = get_bits(&gb, 8);
                    if (s->diff_start + s->diff_height > cur_blk_height) {
-                        av_log(avctx, AV_LOG_ERROR, "Block parameters invalid\n");
+                        av_log(avctx, AV_LOG_ERROR,
+                               "Block parameters invalid: %d + %d > %d\n",
+                               s->diff_start, s->diff_height, cur_blk_height);
                        return AVERROR_INVALIDDATA;
                    }
                    av_log(avctx, AV_LOG_DEBUG,
--- a/libavcodec/flashsv2enc.c
+++ b/libavcodec/flashsv2enc.c
@@ -270,7 +270,7 @@ static int write_header(FlashSV2Context * s, uint8_t * buf, int buf_size)
    if (buf_size < 5)
        return -1;

-    init_put_bits(&pb, buf, buf_size * 8);
+    init_put_bits(&pb, buf, buf_size);

    put_bits(&pb, 4, (s->block_width  >> 4) - 1);
    put_bits(&pb, 12, s->image_width);
--- a/libavcodec/flashsvenc.c
+++ b/libavcodec/flashsvenc.c
@@ -130,7 +130,7 @@ static int encode_bitstream(FlashSVContext *s, AVFrame *p, uint8_t *buf,
    int buf_pos, res;
    int pred_blocks = 0;

-    init_put_bits(&pb, buf, buf_size * 8);
+    init_put_bits(&pb, buf, buf_size);

    put_bits(&pb,  4, block_width / 16 - 1);
    put_bits(&pb, 12, s->image_width);
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -142,6 +142,11 @@ static int decode_frame(AVCodecContext *avctx,
    const int planes = 3;
    enum PixelFormat pix_fmt;

+    if (buf_size < 4) {
+        av_log(avctx, AV_LOG_ERROR, "Packet is too short\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    header = AV_RL32(buf);
    version = header & 0xff;
    header_size = (header & (1<<30))? 8 : 4; /* bit 30 means pad to 8 bytes */
@@ -180,7 +185,7 @@ static int decode_frame(AVCodecContext *avctx,
    }
    avctx->pix_fmt = pix_fmt;

-    switch(version) {
+    switch (version) {
    case 0:
    default:
        /* Fraps v0 is a reordered YUV420 */
@@ -219,6 +224,7 @@ static int decode_frame(AVCodecContext *avctx,

    case 1:
        /* Fraps v1 is an upside-down BGR24 */
+
        if (avctx->reget_buffer(avctx, f)) {
            av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
            return -1;
--- a/libavcodec/g722dec.c
+++ b/libavcodec/g722dec.c
@@ -35,6 +35,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "g722.h"
 #include "libavutil/opt.h"
@@ -96,7 +97,7 @@ static int g722_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    c->frame.nb_samples = avpkt->size * 2;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/g726.c
+++ b/libavcodec/g726.c
@@ -448,7 +448,7 @@ static int g726_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    c->frame.nb_samples = out_samples;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/get_bits.h
+++ b/libavcodec/get_bits.h
@@ -355,7 +355,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
    int buffer_size;
    int ret = 0;

-    if (bit_size > INT_MAX - 7 || bit_size < 0) {
+    if (bit_size > INT_MAX - 7 || bit_size < 0 || !buffer) {
        buffer_size = bit_size = 0;
        buffer = NULL;
        ret = AVERROR_INVALIDDATA;
--- a/libavcodec/gifdec.c
+++ b/libavcodec/gifdec.c
@@ -125,26 +125,21 @@ static int gif_read_image(GifState *s)
            case 1:
                y1 += 8;
                ptr += linesize * 8;
-                if (y1 >= height) {
-                    y1 = pass ? 2 : 4;
-                    ptr = ptr1 + linesize * y1;
-                    pass++;
-                }
                break;
            case 2:
                y1 += 4;
                ptr += linesize * 4;
-                if (y1 >= height) {
-                    y1 = 1;
-                    ptr = ptr1 + linesize;
-                    pass++;
-                }
                break;
            case 3:
                y1 += 2;
                ptr += linesize * 2;
                break;
            }
+            while (y1 >= height) {
+                y1  = 4 >> pass;
+                ptr = ptr1 + linesize * y1;
+                pass++;
+            }
        } else {
            ptr += linesize;
        }
--- a/libavcodec/gsmdec.c
+++ b/libavcodec/gsmdec.c
@@ -25,6 +25,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "msgsmdec.h"

@@ -72,7 +73,7 @@ static int gsm_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = avctx->frame_size;
-    if ((res = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((res = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return res;
    }
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -106,10 +106,10 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){

 int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
    MpegEncContext * const s = &h->s;
-    static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
-    static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
+    static const int8_t top[4]  = { LEFT_DC_PRED8x8, 1, -1, -1 };
+    static const int8_t left[5] = { TOP_DC_PRED8x8, -1,  2, -1, DC_128_PRED8x8 };

-    if(mode > 6U) {
+    if(mode > 3U) {
        av_log(h->s.avctx, AV_LOG_ERROR, "out of range intra chroma pred mode at %d %d\n", s->mb_x, s->mb_y);
        return -1;
    }
@@ -1224,6 +1224,19 @@ static int decode_update_thread_context(AVCodecContext *dst, const AVCodecContex
        memcpy(&h->s + 1, &h1->s + 1, sizeof(H264Context) - sizeof(MpegEncContext)); //copy all fields after MpegEnc
        memset(h->sps_buffers, 0, sizeof(h->sps_buffers));
        memset(h->pps_buffers, 0, sizeof(h->pps_buffers));
+
+        h->intra4x4_pred_mode= NULL;
+        h->non_zero_count    = NULL;
+        h->slice_table_base  = NULL;
+        h->slice_table       = NULL;
+        h->cbp_table         = NULL;
+        h->chroma_pred_mode_table = NULL;
+        memset(h->mvd_table, 0, sizeof(h->mvd_table));
+        h->direct_table      = NULL;
+        h->list_counts       = NULL;
+        h->mb2b_xy           = NULL;
+        h->mb2br_xy          = NULL;
+
        if (ff_h264_alloc_tables(h) < 0) {
            av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n");
            return AVERROR(ENOMEM);
@@ -1300,6 +1313,8 @@ int ff_h264_frame_start(H264Context *h){
    int i;
    const int pixel_shift = h->pixel_shift;

+    h->next_output_pic = NULL;
+
    if(MPV_frame_start(s, s->avctx) < 0)
        return -1;
    ff_er_frame_start(s);
@@ -1349,8 +1364,6 @@ int ff_h264_frame_start(H264Context *h){
    s->current_picture_ptr->field_poc[0]=
    s->current_picture_ptr->field_poc[1]= INT_MAX;

-    h->next_output_pic = NULL;
-
    assert(s->current_picture_ptr->long_ref==0);

    return 0;
@@ -2607,6 +2620,52 @@ int ff_h264_get_profile(SPS *sps)
    return profile;
 }

+static int h264_set_parameter_from_sps(H264Context *h)
+{
+    MpegEncContext *s = &h->s;
+
+    if (s->flags & CODEC_FLAG_LOW_DELAY ||
+        (h->sps.bitstream_restriction_flag &&
+         !h->sps.num_reorder_frames)) {
+        if (s->avctx->has_b_frames > 1 || h->delayed_pic[0])
+            av_log(h->s.avctx, AV_LOG_WARNING, "Delayed frames seen. "
+                   "Reenabling low delay requires a codec flush.\n");
+        else
+            s->low_delay = 1;
+    }
+
+    if (s->avctx->has_b_frames < 2)
+        s->avctx->has_b_frames = !s->low_delay;
+
+    if (s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma ||
+        h->cur_chroma_format_idc      != h->sps.chroma_format_idc) {
+        if (s->avctx->codec &&
+            s->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU &&
+            (h->sps.bit_depth_luma != 8 || h->sps.chroma_format_idc > 1)) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "VDPAU decoding does not support video colorspace.\n");
+            return AVERROR_INVALIDDATA;
+        }
+        if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) {
+            s->avctx->bits_per_raw_sample = h->sps.bit_depth_luma;
+            h->cur_chroma_format_idc      = h->sps.chroma_format_idc;
+            h->pixel_shift                = h->sps.bit_depth_luma > 8;
+
+            ff_h264dsp_init(&h->h264dsp, h->sps.bit_depth_luma,
+                            h->sps.chroma_format_idc);
+            ff_h264_pred_init(&h->hpc, s->codec_id, h->sps.bit_depth_luma,
+                              h->sps.chroma_format_idc);
+            s->dsp.dct_bits = h->sps.bit_depth_luma > 8 ? 32 : 16;
+            dsputil_init(&s->dsp, s->avctx);
+        } else {
+            av_log(s->avctx, AV_LOG_ERROR, "Unsupported bit depth: %d\n",
+                   h->sps.bit_depth_luma);
+            return AVERROR_INVALIDDATA;
+        }
+    }
+    return 0;
+}
+
 /**
 * Decode a slice header.
 * This will also call MPV_common_init() and frame_start() as needed.
@@ -2624,7 +2683,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    int num_ref_idx_active_override_flag;
    unsigned int slice_type, tmp, i, j;
    int default_ref_list_done = 0;
-    int last_pic_structure, last_pic_dropable;
+    int last_pic_structure, last_pic_dropable, ret;

    /* FIXME: 2tap qpel isn't implemented for high bit depth. */
    if((s->avctx->flags2 & CODEC_FLAG2_FAST) && !h->nal_ref_idc && !h->pixel_shift){
@@ -2672,7 +2731,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    h->slice_type= slice_type;
    h->slice_type_nos= slice_type & 3;

-    s->pict_type= h->slice_type; // to make a few old functions happy, it's wrong though
+    if (h->nal_unit_type  == NAL_IDR_SLICE &&
+        h->slice_type_nos != AV_PICTURE_TYPE_I) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "A non-intra slice in an IDR NAL unit.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    // to make a few old functions happy, it's wrong though
+    s->pict_type = h->slice_type;

    pps_id= get_ue_golomb(&s->gb);
    if(pps_id>=MAX_PPS_COUNT){
@@ -2689,7 +2755,17 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
        av_log(h->s.avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id);
        return -1;
    }
-    h->sps = *h0->sps_buffers[h->pps.sps_id];
+
+    if (h->pps.sps_id != h->current_sps_id ||
+        h0->sps_buffers[h->pps.sps_id]->new) {
+        h0->sps_buffers[h->pps.sps_id]->new = 0;
+
+        h->current_sps_id = h->pps.sps_id;
+        h->sps            = *h0->sps_buffers[h->pps.sps_id];
+
+        if ((ret = h264_set_parameter_from_sps(h)) < 0)
+            return ret;
+    }

    s->avctx->profile = ff_h264_get_profile(&h->sps);
    s->avctx->level   = h->sps.level_idc;
@@ -2989,8 +3065,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
               h->frame_num != (h->prev_frame_num + 1) % (1 << h->sps.log2_max_frame_num)) {
            Picture *prev = h->short_ref_count ? h->short_ref[0] : NULL;
            av_log(h->s.avctx, AV_LOG_DEBUG, "Frame num gap %d %d\n", h->frame_num, h->prev_frame_num);
-            if (ff_h264_frame_start(h) < 0)
+            if (ff_h264_frame_start(h) < 0) {
+                h0->s.first_field = 0;
                return -1;
+            }
            h->prev_frame_num++;
            h->prev_frame_num %= 1<<h->sps.log2_max_frame_num;
            s->current_picture_ptr->frame_num= h->prev_frame_num;
@@ -3050,7 +3128,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0){

        } else {
            /* Frame or first field in a potentially complementary pair */
-            assert(!s0->current_picture_ptr);
            s0->first_field = FIELD_PICTURE;
        }

@@ -3224,8 +3301,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    }

    h->deblocking_filter = 1;
-    h->slice_alpha_c0_offset = 52;
-    h->slice_beta_offset = 52;
+    h->slice_alpha_c0_offset = 0;
+    h->slice_beta_offset = 0;
    if( h->pps.deblocking_filter_parameters_present ) {
        tmp= get_ue_golomb_31(&s->gb);
        if(tmp > 2){
@@ -3236,12 +3313,16 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
        if(h->deblocking_filter < 2)
            h->deblocking_filter^= 1; // 1<->0

-        if( h->deblocking_filter ) {
-            h->slice_alpha_c0_offset += get_se_golomb(&s->gb) << 1;
-            h->slice_beta_offset     += get_se_golomb(&s->gb) << 1;
-            if(   h->slice_alpha_c0_offset > 104U
-               || h->slice_beta_offset     > 104U){
-                av_log(s->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", h->slice_alpha_c0_offset, h->slice_beta_offset);
+        if (h->deblocking_filter) {
+            h->slice_alpha_c0_offset = get_se_golomb(&s->gb) * 2;
+            h->slice_beta_offset     = get_se_golomb(&s->gb) * 2;
+            if (h->slice_alpha_c0_offset >  12 ||
+                h->slice_alpha_c0_offset < -12 ||
+                h->slice_beta_offset >  12     ||
+                h->slice_beta_offset < -12) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "deblocking filter parameters %d %d out of range\n",
+                       h->slice_alpha_c0_offset, h->slice_beta_offset);
                return -1;
            }
        }
@@ -3270,14 +3351,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
            }
        }
    }
-    h->qp_thresh = 15 + 52 - FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset)
-                 - FFMAX3(0, h->pps.chroma_qp_index_offset[0], h->pps.chroma_qp_index_offset[1])
-                 + 6 * (h->sps.bit_depth_luma - 8);
-
-#if 0 //FMO
-    if( h->pps.num_slice_groups > 1  && h->pps.mb_slice_group_map_type >= 3 && h->pps.mb_slice_group_map_type <= 5)
-        slice_group_change_cycle= get_bits(&s->gb, ?);
-#endif
+    h->qp_thresh = 15 -
+                   FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) -
+                   FFMAX3(0,
+                          h->pps.chroma_qp_index_offset[0],
+                          h->pps.chroma_qp_index_offset[1]) +
+                   6 * (h->sps.bit_depth_luma - 8);

    h0->last_slice_type = slice_type;
    h->slice_num = ++h0->current_slice;
@@ -3338,7 +3417,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
               s->current_picture_ptr->field_poc[0], s->current_picture_ptr->field_poc[1],
               h->ref_count[0], h->ref_count[1],
               s->qscale,
-               h->deblocking_filter, h->slice_alpha_c0_offset/2-26, h->slice_beta_offset/2-26,
+               h->deblocking_filter,
+               h->slice_alpha_c0_offset, h->slice_beta_offset,
               h->use_weight,
               h->use_weight==1 && h->use_weight_chroma ? "c" : "",
               h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? "SPAT" : "TEMP") : ""
@@ -3821,6 +3901,12 @@ static int execute_decode_slices(H264Context *h, int context_count){
    H264Context *hx;
    int i;

+    if (s->mb_y >= s->mb_height) {
+        av_log(s->avctx, AV_LOG_ERROR,
+               "Input contains more MB rows than the frame height.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    if (s->avctx->hwaccel || s->avctx->codec->capabilities&CODEC_CAP_HWACCEL_VDPAU)
        return 0;
    if(context_count == 1) {
@@ -4033,12 +4119,24 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
            }
            break;
        case NAL_DPA:
+            if (s->flags2 & CODEC_FLAG2_CHUNKS) {
+                av_log(h->s.avctx, AV_LOG_ERROR,
+                       "Decoding in chunks is not supported for "
+                       "partitioned slices.\n");
+                return AVERROR(ENOSYS);
+            }
+
            init_get_bits(&hx->s.gb, ptr, bit_length);
            hx->intra_gb_ptr=
            hx->inter_gb_ptr= NULL;

-            if ((err = decode_slice_header(hx, h)) < 0)
+            if ((err = decode_slice_header(hx, h)) < 0) {
+                /* make sure data_partitioning is cleared if it was set
+                 * before, so we don't try decoding a slice without a valid
+                 * slice header later */
+                s->data_partitioning = 0;
                break;
+            }

            hx->s.data_partitioning = 1;

@@ -4073,24 +4171,9 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
                ff_h264_decode_seq_parameter_set(h);
            }

-            if (s->flags & CODEC_FLAG_LOW_DELAY ||
-                (h->sps.bitstream_restriction_flag &&
-                 !h->sps.num_reorder_frames)) {
-                if (s->avctx->has_b_frames > 1 || h->delayed_pic[0])
-                    av_log(avctx, AV_LOG_WARNING, "Delayed frames seen "
-                           "reenabling low delay requires a codec "
-                           "flush.\n");
-                else
-                    s->low_delay = 1;
-            }
-
-            if(avctx->has_b_frames < 2)
-                avctx->has_b_frames= !s->low_delay;
-
-            if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) {
-                av_log_missing_feature(s->avctx,
-                    "Different bit depth between chroma and luma", 1);
-                return AVERROR_PATCHWELCOME;
+            if (h264_set_parameter_from_sps(h) < 0) {
+                buf_index = -1;
+                goto end;
            }
            break;
        case NAL_PPS:
@@ -4115,9 +4198,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
            context_count = 0;
        }

-        if (err < 0)
+        if (err < 0) {
            av_log(h->s.avctx, AV_LOG_ERROR, "decode_slice_header error\n");
-        else if(err == 1) {
+            h->ref_count[0] = h->ref_count[1] = h->list_count = 0;
+        } else if (err == 1) {
            /* Slice could not be decoded in parallel mode, copy down
             * NAL unit stuff to context 0 and restart. Note that
             * rbsp_buffer is not transferred, but since we no longer
@@ -4168,6 +4252,9 @@ static int decode_frame(AVCodecContext *avctx,

    s->flags= avctx->flags;
    s->flags2= avctx->flags2;
+    /* reset data partitioning here, to ensure GetBitContexts from previous
+     * packets do not get used. */
+    s->data_partitioning = 0;

   /* end of stream, output what is still in the buffers */
    if (buf_size == 0) {
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -206,6 +206,7 @@ typedef struct SPS{
    int bit_depth_chroma;              ///< bit_depth_chroma_minus8 + 8
    int residual_color_transform_flag; ///< residual_colour_transform_flag
    int constraint_set_flags;          ///< constraint_set[0-3]_flag
+    int new;                           ///< flag to keep track if the decoder context needs re-init due to changed SPS
 }SPS;

 /**
@@ -332,6 +333,7 @@ typedef struct H264Context{
    int emu_edge_width;
    int emu_edge_height;

+    unsigned current_sps_id; ///< id of the current SPS
    SPS sps; ///< current sps

    /**
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1721,7 +1721,7 @@ decode_cabac_residual_internal(H264Context *h, DCTELEM *block,
 \
            if( coeff_abs >= 15 ) { \
                int j = 0; \
-                while( get_cabac_bypass( CC ) ) { \
+                while (get_cabac_bypass(CC) && j < 30) { \
                    j++; \
                } \
 \
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -770,6 +770,10 @@ decode_intra_mb:

        // We assume these blocks are very rare so we do not optimize it.
        align_get_bits(&s->gb);
+        if (get_bits_left(&s->gb) < mb_size) {
+            av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n");
+            return AVERROR_INVALIDDATA;
+        }

        // The pixels are stored in the same order as levels in h->mb array.
        for(x=0; x < mb_size; x++){
--- a/libavcodec/h264_loopfilter.c
+++ b/libavcodec/h264_loopfilter.c
@@ -254,8 +254,8 @@ static av_always_inline void h264_filter_mb_fast_internal(H264Context *h,
    int top_type= h->top_type;

    int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;

    int mb_type = s->current_picture.f.mb_type[mb_xy];
    int qp      = s->current_picture.f.qscale_table[mb_xy];
@@ -715,8 +715,8 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint
    av_unused int dir;
    int chroma = !(CONFIG_GRAY && (s->flags&CODEC_FLAG_GRAY));
    int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;

    if (FRAME_MBAFF
            // and current and left pair do not have the same interlaced type
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -156,7 +156,7 @@ pps:
            goto fail;

        /* prepend only to the first type 5 NAL unit of an IDR picture */
-        if (ctx->first_idr && unit_type == 5) {
+        if (ctx->first_idr && (unit_type == 5 || unit_type == 7 || unit_type == 8)) {
            if ((ret=alloc_and_copy(poutbuf, poutbuf_size,
                               avctx->extradata, avctx->extradata_size,
                               buf, nal_size)) < 0)
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -250,7 +250,9 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){
        }

        if(sps->num_reorder_frames > 16U /*max_dec_frame_buffering || max_dec_frame_buffering > 16*/){
-            av_log(h->s.avctx, AV_LOG_ERROR, "illegal num_reorder_frames %d\n", sps->num_reorder_frames);
+            av_log(h->s.avctx, AV_LOG_ERROR, "Clipping illegal num_reorder_frames %d\n",
+                   sps->num_reorder_frames);
+            sps->num_reorder_frames = 16;
            return -1;
        }
    }
@@ -363,11 +365,18 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
        }
        sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
        sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
-        if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) {
+        if (sps->bit_depth_luma   < 8 || sps->bit_depth_luma   > 12 ||
+            sps->bit_depth_chroma < 8 || sps->bit_depth_chroma > 12 ||
+            sps->bit_depth_luma != sps->bit_depth_chroma) {
            av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n",
                   sps->bit_depth_luma, sps->bit_depth_chroma);
            goto fail;
        }
+        if (sps->bit_depth_chroma != sps->bit_depth_luma) {
+            av_log_missing_feature(s->avctx,
+                "Different bit depth between chroma and luma", 1);
+            goto fail;
+        }
        sps->transform_bypass = get_bits1(&s->gb);
        decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8);
    }else{
@@ -487,10 +496,13 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
               sps->bit_depth_luma
               );
    }
+    sps->new = 1;

    av_free(h->sps_buffers[sps_id]);
-    h->sps_buffers[sps_id]= sps;
-    h->sps = *sps;
+    h->sps_buffers[sps_id] = sps;
+    h->sps                 = *sps;
+    h->current_sps_id      = sps_id;
+
    return 0;
 fail:
    av_free(sps);
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -63,20 +63,22 @@ static int split_field_copy(Picture *dest, Picture *src,
    return match;
 }

-static int build_def_list(Picture *def, Picture **in, int len, int is_long, int sel){
+static int build_def_list(Picture *def, int def_len,
+                          Picture **in, int len, int is_long, int sel)
+{
    int i[2]={0};
    int index=0;

-    while(i[0]<len || i[1]<len){
+    while ((i[0] < len || i[1] < len) && index < def_len) {
        while (i[0] < len && !(in[ i[0] ] && (in[ i[0] ]->f.reference & sel)))
            i[0]++;
        while (i[1] < len && !(in[ i[1] ] && (in[ i[1] ]->f.reference & (sel^3))))
            i[1]++;
-        if(i[0] < len){
+        if (i[0] < len && index < def_len) {
            in[ i[0] ]->pic_id= is_long ? i[0] : in[ i[0] ]->frame_num;
            split_field_copy(&def[index++], in[ i[0]++ ], sel  , 1);
        }
-        if(i[1] < len){
+        if (i[1] < len && index < def_len) {
            in[ i[1] ]->pic_id= is_long ? i[1] : in[ i[1] ]->frame_num;
            split_field_copy(&def[index++], in[ i[1]++ ], sel^3, 0);
        }
@@ -124,9 +126,12 @@ int ff_h264_fill_default_ref_list(H264Context *h){
            len= add_sorted(sorted    , h->short_ref, h->short_ref_count, cur_poc, 1^list);
            len+=add_sorted(sorted+len, h->short_ref, h->short_ref_count, cur_poc, 0^list);
            assert(len<=32);
-            len= build_def_list(h->default_ref_list[list]    , sorted     , len, 0, s->picture_structure);
-            len+=build_def_list(h->default_ref_list[list]+len, h->long_ref, 16 , 1, s->picture_structure);
-            assert(len<=32);
+
+            len  = build_def_list(h->default_ref_list[list], FF_ARRAY_ELEMS(h->default_ref_list[0]),
+                                  sorted, len, 0, s->picture_structure);
+            len += build_def_list(h->default_ref_list[list] + len,
+                                  FF_ARRAY_ELEMS(h->default_ref_list[0]) - len,
+                                  h->long_ref, 16, 1, s->picture_structure);

            if(len < h->ref_count[list])
                memset(&h->default_ref_list[list][len], 0, sizeof(Picture)*(h->ref_count[list] - len));
@@ -139,19 +144,22 @@ int ff_h264_fill_default_ref_list(H264Context *h){
                FFSWAP(Picture, h->default_ref_list[1][0], h->default_ref_list[1][1]);
        }
    }else{
-        len = build_def_list(h->default_ref_list[0]    , h->short_ref, h->short_ref_count, 0, s->picture_structure);
-        len+= build_def_list(h->default_ref_list[0]+len, h-> long_ref, 16                , 1, s->picture_structure);
-        assert(len <= 32);
+        len  = build_def_list(h->default_ref_list[0], FF_ARRAY_ELEMS(h->default_ref_list[0]),
+                              h->short_ref, h->short_ref_count, 0, s->picture_structure);
+        len += build_def_list(h->default_ref_list[0] + len,
+                              FF_ARRAY_ELEMS(h->default_ref_list[0]) - len,
+                              h-> long_ref, 16, 1, s->picture_structure);
+
        if(len < h->ref_count[0])
            memset(&h->default_ref_list[0][len], 0, sizeof(Picture)*(h->ref_count[0] - len));
    }
 #ifdef TRACE
    for (i=0; i<h->ref_count[0]; i++) {
-        tprintf(h->s.avctx, "List0: %s fn:%d 0x%p\n", (h->default_ref_list[0][i].long_ref ? "LT" : "ST"), h->default_ref_list[0][i].pic_id, h->default_ref_list[0][i].data[0]);
+        tprintf(h->s.avctx, "List0: %s fn:%d 0x%p\n", (h->default_ref_list[0][i].long_ref ? "LT" : "ST"), h->default_ref_list[0][i].pic_id, h->default_ref_list[0][i].f.data[0]);
    }
    if(h->slice_type_nos==AV_PICTURE_TYPE_B){
        for (i=0; i<h->ref_count[1]; i++) {
-            tprintf(h->s.avctx, "List1: %s fn:%d 0x%p\n", (h->default_ref_list[1][i].long_ref ? "LT" : "ST"), h->default_ref_list[1][i].pic_id, h->default_ref_list[1][i].data[0]);
+            tprintf(h->s.avctx, "List1: %s fn:%d 0x%p\n", (h->default_ref_list[1][i].long_ref ? "LT" : "ST"), h->default_ref_list[1][i].pic_id, h->default_ref_list[1][i].f.data[0]);
        }
    }
 #endif
--- a/libavcodec/h264_sei.c
+++ b/libavcodec/h264_sei.c
@@ -184,6 +184,12 @@ int ff_h264_decode_sei(H264Context *h){
        if(s->avctx->debug&FF_DEBUG_STARTCODE)
            av_log(h->s.avctx, AV_LOG_DEBUG, "SEI %d len:%d\n", type, size);

+        if (size > get_bits_left(&s->gb) / 8) {
+            av_log(s->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n",
+                   type, get_bits_left(&s->gb));
+            return AVERROR_INVALIDDATA;
+        }
+
        switch(type){
        case SEI_TYPE_PIC_TIMING: // Picture timing SEI
            if(decode_picture_timing(h) < 0)
--- a/libavcodec/h264dsp.c
+++ b/libavcodec/h264dsp.c
@@ -53,13 +53,13 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo
    c->h264_idct8_dc_add= FUNC(ff_h264_idct8_dc_add, depth);\
    c->h264_idct_add16     = FUNC(ff_h264_idct_add16, depth);\
    c->h264_idct8_add4     = FUNC(ff_h264_idct8_add4, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_idct_add8  = FUNC(ff_h264_idct_add8, depth);\
    else\
        c->h264_idct_add8  = FUNC(ff_h264_idct_add8_422, depth);\
    c->h264_idct_add16intra= FUNC(ff_h264_idct_add16intra, depth);\
    c->h264_luma_dc_dequant_idct= FUNC(ff_h264_luma_dc_dequant_idct, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma_dc_dequant_idct, depth);\
    else\
        c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma422_dc_dequant_idct, depth);\
@@ -80,20 +80,20 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo
    c->h264_h_loop_filter_luma_intra= FUNC(h264_h_loop_filter_luma_intra, depth);\
    c->h264_h_loop_filter_luma_mbaff_intra= FUNC(h264_h_loop_filter_luma_mbaff_intra, depth);\
    c->h264_v_loop_filter_chroma= FUNC(h264_v_loop_filter_chroma, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma, depth);\
    else\
        c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma422, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma_mbaff, depth);\
    else\
        c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma422_mbaff, depth);\
    c->h264_v_loop_filter_chroma_intra= FUNC(h264_v_loop_filter_chroma_intra, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma_intra, depth);\
    else\
        c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma422_intra, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma_mbaff_intra, depth);\
    else\
        c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma422_mbaff_intra, depth);\
--- a/libavcodec/h264pred.c
+++ b/libavcodec/h264pred.c
@@ -434,7 +434,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
    h->pred8x8l[TOP_DC_PRED         ]= FUNCC(pred8x8l_top_dc              , depth);\
    h->pred8x8l[DC_128_PRED         ]= FUNCC(pred8x8l_128_dc              , depth);\
 \
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
        h->pred8x8[VERT_PRED8x8   ]= FUNCC(pred8x8_vertical               , depth);\
        h->pred8x8[HOR_PRED8x8    ]= FUNCC(pred8x8_horizontal             , depth);\
    } else {\
@@ -442,7 +442,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
        h->pred8x8[HOR_PRED8x8    ]= FUNCC(pred8x16_horizontal            , depth);\
    }\
    if (codec_id != CODEC_ID_VP8) {\
-        if (chroma_format_idc == 1) {\
+        if (chroma_format_idc <= 1) {\
            h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x8_plane                , depth);\
        } else {\
            h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x16_plane               , depth);\
@@ -450,7 +450,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
    } else\
        h->pred8x8[PLANE_PRED8x8]= FUNCD(pred8x8_tm_vp8);\
    if(codec_id != CODEC_ID_RV40 && codec_id != CODEC_ID_VP8){\
-        if (chroma_format_idc == 1) {\
+        if (chroma_format_idc <= 1) {\
            h->pred8x8[DC_PRED8x8     ]= FUNCC(pred8x8_dc                     , depth);\
            h->pred8x8[LEFT_DC_PRED8x8]= FUNCC(pred8x8_left_dc                , depth);\
            h->pred8x8[TOP_DC_PRED8x8 ]= FUNCC(pred8x8_top_dc                 , depth);\
@@ -476,7 +476,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
            h->pred8x8[DC_129_PRED8x8]= FUNCC(pred8x8_129_dc              , depth);\
        }\
    }\
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
        h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x8_128_dc                 , depth);\
    } else {\
        h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x16_128_dc                , depth);\
@@ -510,7 +510,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
    h->pred4x4_add  [ HOR_PRED   ]= FUNCC(pred4x4_horizontal_add          , depth);\
    h->pred8x8l_add [VERT_PRED   ]= FUNCC(pred8x8l_vertical_add           , depth);\
    h->pred8x8l_add [ HOR_PRED   ]= FUNCC(pred8x8l_horizontal_add         , depth);\
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
    h->pred8x8_add  [VERT_PRED8x8]= FUNCC(pred8x8_vertical_add            , depth);\
    h->pred8x8_add  [ HOR_PRED8x8]= FUNCC(pred8x8_horizontal_add          , depth);\
    } else {\
--- a/libavcodec/huffyuv.c
+++ b/libavcodec/huffyuv.c
@@ -302,10 +302,12 @@ static void generate_len_table(uint8_t *dst, const uint64_t *stats){
 }
 #endif /* CONFIG_HUFFYUV_ENCODER || CONFIG_FFVHUFF_ENCODER */

-static void generate_joint_tables(HYuvContext *s){
+static int generate_joint_tables(HYuvContext *s){
    uint16_t symbols[1<<VLC_BITS];
    uint16_t bits[1<<VLC_BITS];
    uint8_t len[1<<VLC_BITS];
+    int ret;
+
    if(s->bitstream_bpp < 24){
        int p, i, y, u;
        for(p=0; p<3; p++){
@@ -327,7 +329,9 @@ static void generate_joint_tables(HYuvContext *s){
                }
            }
            ff_free_vlc(&s->vlc[3+p]);
-            ff_init_vlc_sparse(&s->vlc[3+p], VLC_BITS, i, len, 1, 1, bits, 2, 2, symbols, 2, 2, 0);
+            if ((ret = ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1, 1,
+                                          bits, 2, 2, symbols, 2, 2, 0)) < 0)
+                return ret;
        }
    }else{
        uint8_t (*map)[4] = (uint8_t(*)[4])s->pix_bgr_map;
@@ -369,29 +373,33 @@ static void generate_joint_tables(HYuvContext *s){
            }
        }
        ff_free_vlc(&s->vlc[3]);
-        init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, bits, 2, 2, 0);
+        if ((ret = init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1,
+                            bits, 2, 2, 0)) < 0)
+            return ret;
    }
+    return 0;
 }

 static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
    GetBitContext gb;
-    int i;
-    int ret;
+    int i, ret;

-    init_get_bits(&gb, src, length*8);
+    if ((ret = init_get_bits(&gb, src, length * 8)) < 0)
+        return ret;

    for(i=0; i<3; i++){
-        if(read_len_table(s->len[i], &gb)<0)
-            return -1;
-        if(generate_bits_table(s->bits[i], s->len[i])<0){
-            return -1;
-        }
+        if ((ret = read_len_table(s->len[i], &gb)) < 0)
+            return ret;
+        if ((ret = generate_bits_table(s->bits[i], s->len[i])) < 0)
+            return ret;
        ff_free_vlc(&s->vlc[i]);
-        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0)
+        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
+                            s->bits[i], 4, 4, 0)) < 0)
            return ret;
    }

-    generate_joint_tables(s);
+    if ((ret = generate_joint_tables(s)) < 0)
+        return ret;

    return (get_bits_count(&gb)+7)/8;
 }
@@ -399,15 +407,18 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
 static int read_old_huffman_tables(HYuvContext *s){
 #if 1
    GetBitContext gb;
-    int i;
-    int ret;
+    int i, ret;

-    init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8);
-    if(read_len_table(s->len[0], &gb)<0)
-        return -1;
-    init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8);
-    if(read_len_table(s->len[1], &gb)<0)
-        return -1;
+    if ((ret = init_get_bits(&gb, classic_shift_luma,
+                             classic_shift_luma_table_size * 8)) < 0)
+        return ret;
+    if ((ret = read_len_table(s->len[0], &gb)) < 0)
+        return ret;
+    if ((ret = init_get_bits(&gb, classic_shift_chroma,
+                             classic_shift_chroma_table_size * 8)) < 0)
+        return ret;
+    if ((ret = read_len_table(s->len[1], &gb)) < 0)
+        return ret;

    for(i=0; i<256; i++) s->bits[0][i] = classic_add_luma  [i];
    for(i=0; i<256; i++) s->bits[1][i] = classic_add_chroma[i];
@@ -421,11 +432,13 @@ static int read_old_huffman_tables(HYuvContext *s){

    for(i=0; i<3; i++){
        ff_free_vlc(&s->vlc[i]);
-        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0)
+        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
+                            s->bits[i], 4, 4, 0)) < 0)
            return ret;
    }

-    generate_joint_tables(s);
+    if ((ret = generate_joint_tables(s)) < 0)
+        return ret;

    return 0;
 #else
@@ -465,6 +478,7 @@ static av_cold int common_init(AVCodecContext *avctx){
 static av_cold int decode_init(AVCodecContext *avctx)
 {
    HYuvContext *s = avctx->priv_data;
+    int ret;

    common_init(avctx);
    memset(s->vlc, 0, 3*sizeof(VLC));
@@ -500,8 +514,9 @@ s->bgr32=1;
        s->interlaced= (interlace==1) ? 1 : (interlace==2) ? 0 : s->interlaced;
        s->context= ((uint8_t*)avctx->extradata)[2] & 0x40 ? 1 : 0;

-        if(read_huffman_tables(s, ((uint8_t*)avctx->extradata)+4, avctx->extradata_size-4) < 0)
-            return -1;
+        if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4,
+                                       avctx->extradata_size - 4)) < 0)
+            return ret;
    }else{
        switch(avctx->bits_per_coded_sample&7){
        case 1:
@@ -528,8 +543,8 @@ s->bgr32=1;
        s->bitstream_bpp= avctx->bits_per_coded_sample & ~7;
        s->context= 0;

-        if(read_old_huffman_tables(s) < 0)
-            return -1;
+        if ((ret = read_old_huffman_tables(s)) < 0)
+            return ret;
    }

    switch(s->bitstream_bpp){
@@ -555,6 +570,13 @@ s->bgr32=1;
        return AVERROR_INVALIDDATA;
    }

+    if (s->predictor == MEDIAN && avctx->pix_fmt == PIX_FMT_YUV422P &&
+        avctx->width % 4) {
+        av_log(avctx, AV_LOG_ERROR, "width must be multiple of 4 "
+               "for this combination of colorspace and predictor type.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    alloc_temp(s);

 //    av_log(NULL, AV_LOG_DEBUG, "pred:%d bpp:%d hbpp:%d il:%d\n", s->predictor, s->bitstream_bpp, avctx->bits_per_coded_sample, s->interlaced);
@@ -565,7 +587,7 @@ s->bgr32=1;
 static av_cold int decode_init_thread_copy(AVCodecContext *avctx)
 {
    HYuvContext *s = avctx->priv_data;
-    int i;
+    int i, ret;

    avctx->coded_frame= &s->picture;
    alloc_temp(s);
@@ -574,11 +596,12 @@ static av_cold int decode_init_thread_copy(AVCodecContext *avctx)
        s->vlc[i].table = NULL;

    if(s->version==2){
-        if(read_huffman_tables(s, ((uint8_t*)avctx->extradata)+4, avctx->extradata_size) < 0)
-            return -1;
+        if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4,
+                                       avctx->extradata_size)) < 0)
+            return ret;
    }else{
-        if(read_old_huffman_tables(s) < 0)
-            return -1;
+        if ((ret = read_old_huffman_tables(s)) < 0)
+            return ret;
    }

    return 0;
@@ -1001,7 +1024,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
    const int height= s->height;
    int fake_ystride, fake_ustride, fake_vstride;
    AVFrame * const p= &s->picture;
-    int table_size= 0;
+    int table_size = 0, ret;

    AVFrame *picture = data;

@@ -1016,21 +1039,23 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
        ff_thread_release_buffer(avctx, p);

    p->reference= 0;
-    if(ff_thread_get_buffer(avctx, p) < 0){
+    if ((ret = ff_thread_get_buffer(avctx, p)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
-        return -1;
+        return ret;
    }

    if(s->context){
        table_size = read_huffman_tables(s, s->bitstream_buffer, buf_size);
        if(table_size < 0)
-            return -1;
+            return table_size;
    }

    if((unsigned)(buf_size-table_size) >= INT_MAX/8)
        return -1;

-    init_get_bits(&s->gb, s->bitstream_buffer+table_size, (buf_size-table_size)*8);
+    if ((ret = init_get_bits(&s->gb, s->bitstream_buffer + table_size,
+                             (buf_size - table_size) * 8)) < 0)
+        return ret;

    fake_ystride= s->interlaced ? p->linesize[0]*2  : p->linesize[0];
    fake_ustride= s->interlaced ? p->linesize[1]*2  : p->linesize[1];
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -28,6 +28,7 @@
 #include "libavutil/imgutils.h"
 #include "bytestream.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"

 // TODO: masking bits
@@ -479,7 +480,7 @@ static int decode_frame_ilbm(AVCodecContext *avctx,
            av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
            return res;
        }
-    } else if ((res = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    } else if ((res = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return res;
    } else if (avctx->bits_per_coded_sample <= 8 && avctx->pix_fmt == PIX_FMT_PAL8) {
@@ -579,7 +580,7 @@ static int decode_frame_byterun1(AVCodecContext *avctx,
            av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
            return res;
        }
-    } else if ((res = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    } else if ((res = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return res;
    } else if (avctx->pix_fmt == PIX_FMT_PAL8) {
--- a/libavcodec/imc.c
+++ b/libavcodec/imc.c
@@ -36,6 +36,7 @@
 #include <stdio.h>

 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "fft.h"
@@ -680,7 +681,7 @@ static int imc_decode_frame(AVCodecContext * avctx, void *data,

    /* get output buffer */
    q->frame.nb_samples = COEFFS;
-    if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -32,6 +32,7 @@
 #include "libavutil/imgutils.h"
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "bytestream.h"
 #include "get_bits.h"
@@ -93,7 +94,7 @@ typedef struct Indeo3DecodeContext {

    int16_t         width, height;
    uint32_t        frame_num;      ///< current frame number (zero-based)
-    uint32_t        data_size;      ///< size of the frame data in bytes
+    int             data_size;      ///< size of the frame data in bytes
    uint16_t        frame_flags;    ///< frame properties
    uint8_t         cb_offset;      ///< needed for selecting VQ tables
    uint8_t         buf_sel;        ///< active frame buffer: 0 - primary, 1 -secondary
@@ -885,7 +886,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
    GetByteContext gb;
    const uint8_t   *bs_hdr;
    uint32_t        frame_num, word2, check_sum, data_size;
-    uint32_t        y_offset, u_offset, v_offset, starts[3], ends[3];
+    int             y_offset, u_offset, v_offset;
+    uint32_t        starts[3], ends[3];
    uint16_t        height, width;
    int             i, j;

@@ -970,7 +972,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
    ctx->y_data_size = ends[0] - starts[0];
    ctx->v_data_size = ends[1] - starts[1];
    ctx->u_data_size = ends[2] - starts[2];
-    if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 ||
+    if (FFMIN3(y_offset, v_offset, u_offset) < 0 ||
+        FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 ||
        FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 ||
        FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) {
        av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n");
@@ -1097,7 +1100,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
        avctx->release_buffer(avctx, &ctx->frame);

    ctx->frame.reference = 0;
-    if ((res = avctx->get_buffer(avctx, &ctx->frame)) < 0) {
+    if ((res = ff_get_buffer(avctx, &ctx->frame)) < 0) {
        av_log(ctx->avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return res;
    }
--- a/libavcodec/internal.h
+++ b/libavcodec/internal.h
@@ -136,4 +136,7 @@ int avpriv_unlock_avformat(void);
 */
 int ff_alloc_packet(AVPacket *avpkt, int size);

+
+int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame);
+
 #endif /* AVCODEC_INTERNAL_H */
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -755,6 +755,8 @@ int ff_h263_decode_mb(MpegEncContext *s,
        }

        if(IS_DIRECT(mb_type)){
+            if (!s->pp_time)
+                return AVERROR_INVALIDDATA;
            s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT;
            mb_type |= ff_mpeg4_set_direct_mv(s, 0, 0);
        }else{
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -28,6 +28,7 @@

 #define BITSTREAM_READER_LE
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "ivi_common.h"
 #include "libavutil/common.h"
@@ -894,6 +895,11 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
        return AVERROR_PATCHWELCOME;
    }

+    if (!ctx->planes[0].bands) {
+        av_log(avctx, AV_LOG_ERROR, "Color planes not initialized yet\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    ctx->switch_buffers(ctx);

    //{ START_TIMER;
@@ -937,7 +943,7 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,

    ctx->frame.reference = 0;
    avcodec_set_dimensions(avctx, ctx->planes[0].width, ctx->planes[0].height);
-    if ((result = avctx->get_buffer(avctx, &ctx->frame)) < 0) {
+    if ((result = ff_get_buffer(avctx, &ctx->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return result;
    }
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -208,6 +208,11 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, void *
                x += stride;
            }

+            if (x >= w) {
+                av_log(NULL, AV_LOG_ERROR, "run overflow\n");
+                return;
+            }
+
            /* decode run termination value */
            Rb = R(last, x);
            RItype = (FFABS(Ra - Rb) <= state->near) ? 1 : 0;
--- a/libavcodec/jvdec.c
+++ b/libavcodec/jvdec.c
@@ -42,6 +42,14 @@ static av_cold int decode_init(AVCodecContext *avctx)
    JvContext *s = avctx->priv_data;
    avctx->pix_fmt = PIX_FMT_PAL8;
    dsputil_init(&s->dsp, avctx);
+
+    if (!avctx->width || !avctx->height ||
+        (avctx->width & 7) || (avctx->height & 7)) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n",
+               avctx->width, avctx->height);
+        return AVERROR(EINVAL);
+    }
+
    return 0;
 }

--- a/libavcodec/kgv1dec.c
+++ b/libavcodec/kgv1dec.c
@@ -27,6 +27,7 @@
 #include "libavutil/intreadwrite.h"
 #include "libavutil/imgutils.h"
 #include "avcodec.h"
+#include "internal.h"

 typedef struct {
    AVCodecContext *avctx;
@@ -70,7 +71,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
    maxcnt = w * h;

    c->cur.reference = 3;
-    if ((res = avctx->get_buffer(avctx, &c->cur)) < 0)
+    if ((res = ff_get_buffer(avctx, &c->cur)) < 0)
        return res;
    out  = (uint16_t *) c->cur.data[0];
    if (c->prev.data[0]) {
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -52,6 +52,7 @@ typedef struct LagarithContext {
    int zeros;                  /**< number of consecutive zero bytes encountered */
    int zeros_rem;              /**< number of zero bytes remaining to output */
    uint8_t *rgb_planes;
+    int      rgb_planes_allocated;
    int rgb_stride;
 } LagarithContext;

@@ -507,13 +508,12 @@ static int lag_decode_frame(AVCodecContext *avctx,
        offs[2] = 13;
        offs[3] = AV_RL32(buf + 9);

+        l->rgb_stride = FFALIGN(avctx->width, 16);
+        av_fast_malloc(&l->rgb_planes, &l->rgb_planes_allocated,
+                       l->rgb_stride * avctx->height * 4 + 1);
        if (!l->rgb_planes) {
-            l->rgb_stride = FFALIGN(avctx->width, 16);
-            l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * 4);
-            if (!l->rgb_planes) {
-                av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
-                return AVERROR(ENOMEM);
-            }
+            av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
+            return AVERROR(ENOMEM);
        }
        for (i = 0; i < 4; i++)
            srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride;
--- a/libavcodec/lagarithrac.h
+++ b/libavcodec/lagarithrac.h
@@ -107,6 +107,9 @@ static inline uint8_t lag_get_rac(lag_rac *l)
        l->range -= range_scaled * l->prob[255];
    }

+    if (!l->range)
+        l->range = 0x80;
+
    l->low -= range_scaled * l->prob[val];

    return val;
--- a/libavcodec/libgsm.c
+++ b/libavcodec/libgsm.c
@@ -30,6 +30,7 @@
 #include <gsm/gsm.h>

 #include "avcodec.h"
+#include "internal.h"
 #include "gsm.h"

 static av_cold int libgsm_encode_init(AVCodecContext *avctx) {
@@ -188,7 +189,7 @@ static int libgsm_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = avctx->frame_size;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/libopencore-amr.c
+++ b/libavcodec/libopencore-amr.c
@@ -20,6 +20,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"
 #include "libavutil/avstring.h"
 #include "libavutil/opt.h"

@@ -143,7 +144,7 @@ static int amr_nb_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = 160;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
@@ -295,7 +296,7 @@ static int amr_wb_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = 320;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/libspeexdec.c
+++ b/libavcodec/libspeexdec.c
@@ -23,6 +23,7 @@
 #include <speex/speex_stereo.h>
 #include <speex/speex_callbacks.h>
 #include "avcodec.h"
+#include "internal.h"

 typedef struct {
    AVFrame frame;
@@ -108,7 +109,7 @@ static int libspeex_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    s->frame.nb_samples = s->frame_size;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/mace.c
+++ b/libavcodec/mace.c
@@ -25,6 +25,7 @@
 */

 #include "avcodec.h"
+#include "internal.h"

 /*
 * Adapted to libavcodec by Francois Revol <revol@free.fr>
@@ -231,8 +232,8 @@ static av_cold int mace_decode_init(AVCodecContext * avctx)
 {
    MACEContext *ctx = avctx->priv_data;

-    if (avctx->channels > 2)
-        return -1;
+    if (avctx->channels > 2 || avctx->channels < 1)
+        return AVERROR(EINVAL);
    avctx->sample_fmt = AV_SAMPLE_FMT_S16;

    avcodec_get_frame_defaults(&ctx->frame);
@@ -253,7 +254,7 @@ static int mace_decode_frame(AVCodecContext *avctx, void *data,

    /* get output buffer */
    ctx->frame.nb_samples = 3 * (buf_size << (1 - is_mace3)) / avctx->channels;
-    if ((ret = avctx->get_buffer(avctx, &ctx->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &ctx->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -216,21 +216,21 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s)

 int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
 {
-    int len, nb_components, i, width, height, pix_fmt_id;
+    int len, nb_components, i, width, height, bits, pix_fmt_id;

    s->cur_scan = 0;
    s->upscale_h = s->upscale_v = 0;

    /* XXX: verify len field validity */
    len     = get_bits(&s->gb, 16);
-    s->bits = get_bits(&s->gb, 8);
+    bits = get_bits(&s->gb, 8);

    if (s->pegasus_rct)
-        s->bits = 9;
-    if (s->bits == 9 && !s->pegasus_rct)
+        bits = 9;
+    if (bits == 9 && !s->pegasus_rct)
        s->rct  = 1;    // FIXME ugly

-    if (s->bits != 8 && !s->lossless) {
+    if (bits != 8 && !s->lossless) {
        av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n");
        return -1;
    }
@@ -262,7 +262,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
            return AVERROR_INVALIDDATA;
        }
    }
-    if (s->ls && !(s->bits <= 8 || nb_components == 1)) {
+    if (s->ls && !(bits <= 8 || nb_components == 1)) {
        av_log(s->avctx, AV_LOG_ERROR,
               "only <= 8 bits/component or 16-bit gray accepted for JPEG-LS\n");
        return -1;
@@ -306,11 +306,14 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)

    /* if different size, realloc/alloc picture */
    /* XXX: also check h_count and v_count */
-    if (width != s->width || height != s->height) {
+    if (   width != s->width || height != s->height
+        || bits != s->bits
+       ) {
        av_freep(&s->qscale_table);

        s->width      = width;
        s->height     = height;
+        s->bits       = bits;
        s->interlaced = 0;

        /* test interlaced mode */
@@ -415,9 +418,12 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
    }
    if (s->ls) {
        s->upscale_h = s->upscale_v = 0;
-        if (s->nb_components > 1)
+        if (s->nb_components == 3) {
            s->avctx->pix_fmt = PIX_FMT_RGB24;
-        else if (s->bits <= 8)
+        } else if (s->nb_components != 1) {
+            av_log(s->avctx, AV_LOG_ERROR, "Unsupported number of components %d\n", s->nb_components);
+            return AVERROR_PATCHWELCOME;
+        } else if (s->bits <= 8)
            s->avctx->pix_fmt = PIX_FMT_GRAY8;
        else
            s->avctx->pix_fmt = PIX_FMT_GRAY16;
@@ -1023,12 +1029,17 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,

                    if (s->interlaced && s->bottom_field)
                        block_offset += linesize[c] >> 1;
-                    ptr = data[c] + block_offset;
+                    if (   8*(h * mb_x + x) < s->width
+                        && 8*(v * mb_y + y) < s->height) {
+                        ptr = data[c] + block_offset;
+                    } else
+                        ptr = NULL;
                    if (!s->progressive) {
-                        if (copy_mb)
-                            mjpeg_copy_block(ptr, reference_data[c] + block_offset,
-                                             linesize[c], s->avctx->lowres);
-                        else {
+                        if (copy_mb) {
+                            if (ptr)
+                                mjpeg_copy_block(ptr, reference_data[c] + block_offset,
+                                                linesize[c], s->avctx->lowres);
+                        } else {
                            s->dsp.clear_block(s->block);
                            if (decode_block(s, s->block, i,
                                             s->dc_index[i], s->ac_index[i],
@@ -1037,7 +1048,9 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
                                       "error y=%d x=%d\n", mb_y, mb_x);
                                return -1;
                            }
-                            s->dsp.idct_put(ptr, linesize[c], s->block);
+                            if (ptr) {
+                                s->dsp.idct_put(ptr, linesize[c], s->block);
+                            }
                        }
                    } else {
                        int block_idx  = s->block_stride[c] * (v * mb_y + y) +
@@ -1111,7 +1124,7 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
        return AVERROR_INVALIDDATA;

    if (!Al) {
-        s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss);
+        s->coefs_finished[c] |= (2LL << se) - (1LL << ss);
        last_scan = !~s->coefs_finished[c];
    }

@@ -1373,6 +1386,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
    }

    if (id == AV_RL32("LJIF")) {
+        int rgb = s->rgb;
+        int pegasus_rct = s->pegasus_rct;
        if (s->avctx->debug & FF_DEBUG_PICT_INFO)
            av_log(s->avctx, AV_LOG_INFO,
                   "Pegasus lossless jpeg header found\n");
@@ -1382,17 +1397,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
        skip_bits(&s->gb, 16); /* unknwon always 0? */
        switch (get_bits(&s->gb, 8)) {
        case 1:
-            s->rgb         = 1;
-            s->pegasus_rct = 0;
+            rgb         = 1;
+            pegasus_rct = 0;
            break;
        case 2:
-            s->rgb         = 1;
-            s->pegasus_rct = 1;
+            rgb         = 1;
+            pegasus_rct = 1;
            break;
        default:
            av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace\n");
        }
+
        len -= 9;
+        if (s->got_picture)
+            if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) {
+                av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n");
+                goto out;
+            }
+
+        s->rgb = rgb;
+        s->pegasus_rct = pegasus_rct;
+
        goto out;
    }

@@ -1558,6 +1583,10 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s,
            put_bits(&pb, 8, x);
            if (x == 0xFF) {
                x = src[b++];
+                if (x & 0x80) {
+                    av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n");
+                    x &= 0x7f;
+                }
                put_bits(&pb, 7, x);
                bit_count--;
            }
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -27,6 +27,7 @@
 #include <stdint.h>

 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "libavutil/intreadwrite.h"
 #include "get_bits.h"
@@ -982,7 +983,7 @@ static int output_data(MLPDecodeContext *m, unsigned int substr,

    /* get output buffer */
    m->frame.nb_samples = s->blockpos;
-    if ((ret = avctx->get_buffer(avctx, &m->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &m->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;
    }
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .10.10
 .10.16