Update for 0.10.16

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Doxyfile

@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
-PROJECT_NUMBER         = 0.10.11
+PROJECT_NUMBER         = 0.10.16
 
 # With the PROJECT_LOGO tag one can specify an logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55

RELEASE

@@ -1 +1 @@
-0.10.11
+0.10.16

VERSION

@@ -1 +1 @@
-0.10.11
+0.10.16

cmdutils.c

@@ -56,7 +56,7 @@
 struct SwsContext *sws_opts;
 AVDictionary *format_opts, *codec_opts;
 
-const int this_year = 2014;
+const int this_year = 2015;
 
 static FILE *report_file;
 
@@ -423,7 +423,10 @@ int opt_default(const char *opt, const char *arg)
     const AVOption *oc, *of, *os;
     char opt_stripped[128];
     const char *p;
-    const AVClass *cc = avcodec_get_class(), *fc = avformat_get_class(), *sc;
+    const AVClass *cc = avcodec_get_class(), *fc = avformat_get_class();
+#if CONFIG_SWSCALE
+    const AVClass *sc = sws_get_class();
+#endif
 
     if (!(p = strchr(opt, ':')))
         p = opt + strlen(opt);
@@ -438,7 +441,6 @@ int opt_default(const char *opt, const char *arg)
                           AV_OPT_SEARCH_CHILDREN | AV_OPT_SEARCH_FAKE_OBJ)))
         av_dict_set(&format_opts, opt, arg, FLAGS(of));
 #if CONFIG_SWSCALE
-    sc = sws_get_class();
     if ((os = av_opt_find(&sc, opt, NULL, 0,
                           AV_OPT_SEARCH_CHILDREN | AV_OPT_SEARCH_FAKE_OBJ))) {
         // XXX we only support sws_flags, not arbitrary sws options

configure

@@ -54,6 +54,8 @@ if test "$E1" != 0 || test "$E2" = 0; then
     exit 1
 fi
 
+test -d /usr/xpg4/bin && PATH=/usr/xpg4/bin:$PATH
+
 show_help(){
 cat <<EOF
 Usage: configure [options]
@@ -688,6 +690,13 @@ check_ld(){
     check_cmd $ld $LDFLAGS $flags -o $TMPE $TMPO $libs $extralibs
 }
 
+print_include(){
+    hdr=$1
+    test "${hdr%.h}" = "${hdr}" &&
+        echo "#include $hdr"    ||
+        echo "#include <$hdr>"
+}
+
 check_cppflags(){
     log check_cppflags "$@"
     set -- $($filter_cppflags "$@")
@@ -765,7 +774,7 @@ check_func_headers(){
     shift 2
     {
         for hdr in $headers; do
-            echo "#include <$hdr>"
+            print_include $hdr
         done
         for func in $funcs; do
             echo "long check_$func(void) { return (long) $func; }"
@@ -2979,6 +2988,7 @@ if enabled asm; then
 fi
 
 check_ldflags -Wl,--as-needed
+check_ldflags -Wl,-z,noexecstack
 
 if check_func dlopen; then
     ldl=
@@ -3134,7 +3144,7 @@ enabled libdirac   && require_pkg_config dirac                          \
     "libdirac_decoder/dirac_parser.h libdirac_encoder/dirac_encoder.h"  \
     "dirac_decoder_init dirac_encoder_init"
 enabled libfaac    && require2 libfaac "stdint.h faac.h" faacEncGetVersion -lfaac
-enabled libfreetype && require_pkg_config freetype2 "ft2build.h freetype/freetype.h" FT_Init_FreeType
+enabled libfreetype && require_pkg_config freetype2 "ft2build.h FT_FREETYPE_H" FT_Init_FreeType
 enabled libgsm     && require  libgsm gsm/gsm.h gsm_create -lgsm
 enabled libmodplug && require  libmodplug libmodplug/modplug.h ModPlug_Load -lmodplug
 enabled libmp3lame && require  "libmp3lame >= 3.98.3" lame/lame.h lame_set_VBR_quality -lmp3lame
@@ -3367,6 +3377,8 @@ elif enabled clang; then
     check_cflags -mllvm -stack-alignment=16
     check_cflags -Qunused-arguments
     check_cflags -Werror=return-type
+    check_cflags -Werror=implicit-function-declaration
+    check_cflags -Werror=missing-prototypes
 elif enabled armcc; then
     # 2523: use of inline assembler is deprecated
     add_cflags -W${armcc_opt},--diag_suppress=2523

doc/APIchanges

@@ -13,6 +13,9 @@ libavutil:   2011-04-18
 
 API changes, most recent first:
 
+2014-09-16 - 8637f4e - lavu 51.22.3 - cpu.h
+  Add AV_CPU_FLAG_CMOV.
+
 2012-01-24 - xxxxxxx - lavfi 2.60.100
   Add avfilter_graph_dump.
 

doc/platform.texi

@@ -51,14 +51,15 @@ The toolchain provided with Xcode is sufficient to build the basic
 unacelerated code.
 
 Mac OS X on PowerPC or ARM (iPhone) requires a preprocessor from
-@url{http://github.com/yuvi/gas-preprocessor} to build the optimized
-assembler functions. Just download the Perl script and put it somewhere
+@url{https://github.com/FFmpeg/gas-preprocessor} or
+@url{https://github.com/yuvi/gas-preprocessor} to build the optimized
+assembler functions. Put the Perl script somewhere
 in your PATH, FFmpeg's configure will pick it up automatically.
 
 Mac OS X on amd64 and x86 requires @command{yasm} to build most of the
 optimized assembler functions. @uref{http://www.finkproject.org/, Fink},
 @uref{http://www.gentoo.org/proj/en/gentoo-alt/prefix/bootstrap-macos.xml, Gentoo Prefix},
-@uref{http://mxcl.github.com/homebrew/, Homebrew}
+@uref{https://mxcl.github.com/homebrew/, Homebrew}
 or @uref{http://www.macports.org, MacPorts} can easily provide it.
 
 

doc/protocols.texi

@@ -242,7 +242,7 @@ data transferred over RDT).
 
 The muxer can be used to send a stream using RTSP ANNOUNCE to a server
 supporting it (currently Darwin Streaming Server and Mischa Spiegelmock's
-@uref{http://github.com/revmischa/rtsp-server, RTSP server}).
+@uref{https://github.com/revmischa/rtsp-server, RTSP server}).
 
 The required syntax for a RTSP url is:
 @example

ffmpeg.c

@@ -4696,7 +4696,8 @@ static int opt_target(OptionsContext *o, const char *opt, const char *arg)
             for (j = 0; j < nb_input_files; j++) {
                 for (i = 0; i < input_files[j].nb_streams; i++) {
                     AVCodecContext *c = input_files[j].ctx->streams[i]->codec;
-                    if (c->codec_type != AVMEDIA_TYPE_VIDEO)
+                    if (c->codec_type != AVMEDIA_TYPE_VIDEO ||
+                        !c->time_base.num)
                         continue;
                     fr = c->time_base.den * 1000 / c->time_base.num;
                     if (fr == 25000) {

ffplay.c

@@ -1611,7 +1611,7 @@ static int input_reget_buffer(AVCodecContext *codec, AVFrame *pic)
 
     if (pic->data[0] == NULL) {
         pic->buffer_hints |= FF_BUFFER_HINTS_READABLE;
-        return codec->get_buffer(codec, pic);
+        return input_get_buffer(codec, pic);
     }
 
     if ((codec->width != ref->video->w) || (codec->height != ref->video->h) ||

libavcodec/8svx.c

@@ -38,6 +38,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 
 /** decoder context */
 typedef struct EightSvxContext {
@@ -151,7 +152,7 @@ static int eightsvx_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     esc->frame.nb_samples = (FFMIN(MAX_FRAME_SIZE, esc->samples_size - esc->samples_idx) +avctx->channels-1)  / avctx->channels;
-    if ((ret = avctx->get_buffer(avctx, &esc->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &esc->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/a64multienc.c

@@ -55,9 +55,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest)
             for (y = blocky; y < blocky + 8 && y < C64YRES; y++) {
                 for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) {
                     if(x < width && y < height) {
-                        /* build average over 2 pixels */
-                        luma = (src[(x + 0 + y * p->linesize[0])] +
-                                src[(x + 1 + y * p->linesize[0])]) / 2;
+                        if (x + 1 < width) {
+                            /* build average over 2 pixels */
+                            luma = (src[(x + 0 + y * p->linesize[0])] +
+                                    src[(x + 1 + y * p->linesize[0])]) / 2;
+                        } else {
+                            luma = src[(x + y * p->linesize[0])];
+                        }
                         /* write blocks as linear data now so they are suitable for elbg */
                         dest[0] = luma;
                     }

libavcodec/aac_parser.c

@@ -34,7 +34,7 @@ static int aac_sync(uint64_t state, AACAC3ParseContext *hdr_info,
     int size;
     union {
         uint64_t u64;
-        uint8_t  u8[8];
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
     } tmp;
 
     tmp.u64 = av_be2ne64(state);

libavcodec/aacdec.c

@@ -2276,7 +2276,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
     if (samples) {
         /* get output buffer */
         ac->frame.nb_samples = samples;
-        if ((err = avctx->get_buffer(avctx, &ac->frame)) < 0) {
+        if ((err = ff_get_buffer(avctx, &ac->frame)) < 0) {
             av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
             return err;
         }

libavcodec/aacenc.c

@@ -164,7 +164,7 @@ static void put_audio_specific_config(AVCodecContext *avctx)
     PutBitContext pb;
     AACEncContext *s = avctx->priv_data;
 
-    init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8);
+    init_put_bits(&pb, avctx->extradata, avctx->extradata_size);
     put_bits(&pb, 5, 2); //object type - AAC-LC
     put_bits(&pb, 4, s->samplerate_index); //sample rate index
     put_bits(&pb, 4, s->channels);

libavcodec/ac3_parser.c

@@ -147,7 +147,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info,
     int err;
     union {
         uint64_t u64;
-        uint8_t  u8[8];
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
     } tmp = { av_be2ne64(state) };
     AC3HeaderInfo hdr;
     GetBitContext gbc;

libavcodec/ac3dec.c

@@ -1415,7 +1415,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = s->num_blocks * 256;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/ac3enc_template.c

@@ -261,7 +261,7 @@ static void apply_channel_coupling(AC3EncodeContext *s)
                 energy_cpl = energy[blk][CPL_CH][bnd];
                 energy_ch = energy[blk][ch][bnd];
                 blk1 = blk+1;
-                while (!s->blocks[blk1].new_cpl_coords[ch] && blk1 < s->num_blocks) {
+                while (blk1 < s->num_blocks && !s->blocks[blk1].new_cpl_coords[ch]) {
                     if (s->blocks[blk1].cpl_in_use) {
                         energy_cpl += energy[blk1][CPL_CH][bnd];
                         energy_ch += energy[blk1][ch][bnd];

libavcodec/adpcm.c

@@ -18,6 +18,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "put_bits.h"
 #include "bytestream.h"
@@ -556,7 +557,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     c->frame.nb_samples = nb_samples;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/adpcmenc.c

@@ -551,10 +551,10 @@ static int adpcm_encode_frame(AVCodecContext *avctx,
     {
         int ch, i;
         PutBitContext pb;
-        init_put_bits(&pb, dst, buf_size * 8);
+        init_put_bits(&pb, dst, buf_size);
 
         for (ch = 0; ch < avctx->channels; ch++) {
-            put_bits(&pb, 9, (c->status[ch].prev_sample + 0x10000) >> 7);
+            put_bits(&pb, 9, (c->status[ch].prev_sample & 0xFFFF) >> 7);
             put_bits(&pb, 7,  c->status[ch].step_index);
             if (avctx->trellis > 0) {
                 uint8_t buf[64];
@@ -582,7 +582,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx,
     {
         int i;
         PutBitContext pb;
-        init_put_bits(&pb, dst, buf_size * 8);
+        init_put_bits(&pb, dst, buf_size);
 
         n = avctx->frame_size - 1;
 

libavcodec/adx.c

@@ -47,7 +47,7 @@ int avpriv_adx_decode_header(AVCodecContext *avctx, const uint8_t *buf,
     offset = AV_RB16(buf + 2) + 4;
 
     /* if copyright string is within the provided data, validate it */
-    if (bufsize >= offset && memcmp(buf + offset - 6, "(c)CRI", 6))
+    if (bufsize >= offset && offset >= 6 && memcmp(buf + offset - 6, "(c)CRI", 6))
         return AVERROR_INVALIDDATA;
 
     /* check for encoding=3 block_size=18, sample_size=4 */

libavcodec/adxdec.c

@@ -21,6 +21,7 @@
 
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "adx.h"
 #include "get_bits.h"
 
@@ -140,7 +141,7 @@ static int adx_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     c->frame.nb_samples = num_blocks * BLOCK_SAMPLES;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/alac.c

@@ -47,6 +47,7 @@
 
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "bytestream.h"
 #include "unary.h"
@@ -417,7 +418,7 @@ static int alac_decode_frame(AVCodecContext *avctx, void *data,
         return AVERROR_INVALIDDATA;
     }
     alac->frame.nb_samples = outputsamples;
-    if ((ret = avctx->get_buffer(avctx, &alac->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &alac->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
@@ -615,6 +616,12 @@ static int alac_set_info(ALACContext *alac)
 
     /* buffer size / 2 ? */
     alac->setinfo_max_samples_per_frame = bytestream_get_be32(&ptr);
+    if (!alac->setinfo_max_samples_per_frame ||
+        alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)) {
+        av_log(alac->avctx, AV_LOG_ERROR, "max samples per frame invalid: %u\n",
+               alac->setinfo_max_samples_per_frame);
+        return AVERROR_INVALIDDATA;
+    }
     ptr++;                          /* compatible version */
     alac->setinfo_sample_size           = *ptr++;
     alac->setinfo_rice_historymult      = *ptr++;

libavcodec/alsdec.c

@@ -30,6 +30,7 @@
 
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "unary.h"
 #include "mpeg4audio.h"
@@ -283,7 +284,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
     GetBitContext gb;
     uint64_t ht_size;
     int i, config_offset;
-    MPEG4AudioConfig m4ac;
+    MPEG4AudioConfig m4ac = {0};
     ALSSpecificConfig *sconf = &ctx->sconf;
     AVCodecContext *avctx    = ctx->avctx;
     uint32_t als_id, header_size, trailer_size;
@@ -1484,7 +1485,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
 
     /* get output buffer */
     ctx->frame.nb_samples = ctx->cur_frame_length;
-    if ((ret = avctx->get_buffer(avctx, &ctx->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &ctx->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/amrnbdec.c

@@ -44,6 +44,7 @@
 #include <math.h>
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "libavutil/common.h"
 #include "celp_math.h"
@@ -944,7 +945,7 @@ static int amrnb_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     p->avframe.nb_samples = AMR_BLOCK_SIZE;
-    if ((ret = avctx->get_buffer(avctx, &p->avframe)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &p->avframe)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/amrwbdec.c

@@ -27,6 +27,7 @@
 #include "libavutil/lfg.h"
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "lsp.h"
 #include "celp_math.h"
@@ -1087,7 +1088,7 @@ static int amrwb_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     ctx->avframe.nb_samples = 4 * AMRWB_SFR_SIZE_16k;
-    if ((ret = avctx->get_buffer(avctx, &ctx->avframe)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &ctx->avframe)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/ansi.c

@@ -26,6 +26,7 @@
 
 #include "libavutil/lfg.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "cga_data.h"
 
 #define ATTR_BOLD         0x01  /**< Bold/Bright-foreground (mode 1) */
@@ -222,7 +223,7 @@ static int execute_code(AVCodecContext * avctx, int c)
             if (s->frame.data[0])
                 avctx->release_buffer(avctx, &s->frame);
             avcodec_set_dimensions(avctx, width, height);
-            ret = avctx->get_buffer(avctx, &s->frame);
+            ret = ff_get_buffer(avctx, &s->frame);
             if (ret < 0) {
                 av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
                 return ret;

libavcodec/apedec.c

@@ -22,6 +22,7 @@
 
 #define BITSTREAM_READER_LE
 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "get_bits.h"
 #include "bytestream.h"
@@ -822,7 +823,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
     int16_t *samples;
     int i, ret;
     int blockstodecode;
-    int bytes_used = 0;
 
     /* this should never be negative, but bad things will happen if it is, so
        check it just to make sure. */
@@ -877,7 +877,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
             return AVERROR_INVALIDDATA;
         }
 
-        bytes_used = buf_size;
     }
 
     if (!s->data) {
@@ -889,7 +888,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = blockstodecode;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
@@ -920,7 +919,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
     *got_frame_ptr   = 1;
     *(AVFrame *)data = s->frame;
 
-    return bytes_used;
+    return (s->samples == 0) ? buf_size : 0;
 }
 
 static void ape_flush(AVCodecContext *avctx)

libavcodec/arm/asm.S

@@ -132,6 +132,13 @@ T       ldr             \rt, [\rn]
 T       add             \rn, \rn, \rm
 .endm
 
+.macro  ldrc_pre        cc,  rt,  rn,  rm:vararg
+A       ldr\cc          \rt, [\rn, \rm]!
+T       itt             \cc
+T       add\cc          \rn, \rn, \rm
+T       ldr\cc          \rt, [\rn]
+.endm
+
 .macro  ldrd_reg        rt,  rt2, rn,  rm
 A       ldrd            \rt, \rt2, [\rn, \rm]
 T       add             \rt, \rn, \rm

libavcodec/arm/dsputil_armv6.S

@@ -146,10 +146,11 @@ function ff_put_pixels8_y2_armv6, export=1
         eor             r7,  r5,  r7
         uadd8           r10, r10, r6
         and             r7,  r7,  r12
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
         uadd8           r11, r11, r7
         strd_post       r8,  r9,  r0,  r2
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
         strd_post       r10, r11, r0,  r2
         bne             1b
 
@@ -198,9 +199,10 @@ function ff_put_pixels8_y2_no_rnd_armv6, export=1
         uhadd8          r9,  r5,  r7
         ldr             r5,  [r1, #4]
         uhadd8          r12, r4,  r6
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
         uhadd8          r14, r5,  r7
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
         stm             r0,  {r8,r9}
         add             r0,  r0,  r2
         stm             r0,  {r12,r14}

libavcodec/arm/dsputil_neon.S

@@ -44,22 +44,22 @@ endfunc
   .if \avg
         mov             r12, r0
   .endif
-1:      vld1.64         {q0},     [r1], r2
-        vld1.64         {q1},     [r1], r2
-        vld1.64         {q2},     [r1], r2
+1:      vld1.8          {q0},     [r1], r2
+        vld1.8          {q1},     [r1], r2
+        vld1.8          {q2},     [r1], r2
         pld             [r1, r2, lsl #2]
-        vld1.64         {q3},     [r1], r2
+        vld1.8          {q3},     [r1], r2
         pld             [r1]
         pld             [r1, r2]
         pld             [r1, r2, lsl #1]
   .if \avg
-        vld1.64         {q8},     [r12,:128], r2
+        vld1.8          {q8},     [r12,:128], r2
         vrhadd.u8       q0,  q0,  q8
-        vld1.64         {q9},     [r12,:128], r2
+        vld1.8          {q9},     [r12,:128], r2
         vrhadd.u8       q1,  q1,  q9
-        vld1.64         {q10},    [r12,:128], r2
+        vld1.8          {q10},    [r12,:128], r2
         vrhadd.u8       q2,  q2,  q10
-        vld1.64         {q11},    [r12,:128], r2
+        vld1.8          {q11},    [r12,:128], r2
         vrhadd.u8       q3,  q3,  q11
   .endif
         subs            r3,  r3,  #4
@@ -72,8 +72,8 @@ endfunc
 .endm
 
 .macro  pixels16_x2     rnd=1, avg=0
-1:      vld1.64         {d0-d2},  [r1], r2
-        vld1.64         {d4-d6},  [r1], r2
+1:      vld1.8          {d0-d2},  [r1], r2
+        vld1.8          {d4-d6},  [r1], r2
         pld             [r1]
         pld             [r1, r2]
         subs            r3,  r3,  #2
@@ -88,20 +88,21 @@ endfunc
         vrhadd.u8       q2,  q2,  q3
         sub             r0,  r0,  r2
   .endif
-        vst1.64         {q0},     [r0,:128], r2
-        vst1.64         {q2},     [r0,:128], r2
+        vst1.8          {q0},     [r0,:128], r2
+        vst1.8          {q2},     [r0,:128], r2
         bne             1b
         bx              lr
 .endm
 
 .macro  pixels16_y2     rnd=1, avg=0
-        vld1.64         {q0},     [r1], r2
-        vld1.64         {q1},     [r1], r2
+        sub             r3,  r3,  #2
+        vld1.8          {q0},     [r1], r2
+        vld1.8          {q1},     [r1], r2
 1:      subs            r3,  r3,  #2
         avg             q2,  q0,  q1
-        vld1.64         {q0},     [r1], r2
+        vld1.8          {q0},     [r1], r2
         avg             q3,  q0,  q1
-        vld1.64         {q1},     [r1], r2
+        vld1.8          {q1},     [r1], r2
         pld             [r1]
         pld             [r1, r2]
   .if \avg
@@ -111,18 +112,31 @@ endfunc
         vrhadd.u8       q3,  q3,  q9
         sub             r0,  r0,  r2
   .endif
-        vst1.64         {q2},     [r0,:128], r2
-        vst1.64         {q3},     [r0,:128], r2
+        vst1.8          {q2},     [r0,:128], r2
+        vst1.8          {q3},     [r0,:128], r2
         bne             1b
+
+        avg             q2,  q0,  q1
+        vld1.8          {q0},     [r1], r2
+        avg             q3,  q0,  q1
+  .if \avg
+        vld1.8          {q8},     [r0,:128], r2
+        vld1.8          {q9},     [r0,:128]
+        vrhadd.u8       q2,  q2,  q8
+        vrhadd.u8       q3,  q3,  q9
+        sub             r0,  r0,  r2
+  .endif
+        vst1.8          {q2},     [r0,:128], r2
+        vst1.8          {q3},     [r0,:128], r2
+
         bx              lr
 .endm
 
 .macro  pixels16_xy2    rnd=1, avg=0
-        vld1.64         {d0-d2},  [r1], r2
-        vld1.64         {d4-d6},  [r1], r2
-  .ifeq \rnd
-        vmov.i16        q13, #1
-  .endif
+        sub             r3,  r3,  #2
+        vld1.8          {d0-d2},  [r1], r2
+        vld1.8          {d4-d6},  [r1], r2
+NRND    vmov.i16        q13, #1
         pld             [r1]
         pld             [r1, r2]
         vext.8          q1,  q0,  q1,  #1
@@ -132,38 +146,30 @@ endfunc
         vaddl.u8        q9,  d4,  d6
         vaddl.u8        q11, d5,  d7
 1:      subs            r3,  r3,  #2
-        vld1.64         {d0-d2},  [r1], r2
+        vld1.8          {d0-d2},  [r1], r2
         vadd.u16        q12, q8,  q9
         pld             [r1]
-  .ifeq \rnd
-        vadd.u16        q12, q12, q13
-  .endif
+NRND    vadd.u16        q12, q12, q13
         vext.8          q15, q0,  q1,  #1
         vadd.u16        q1 , q10, q11
         shrn            d28, q12, #2
-  .ifeq \rnd
-        vadd.u16        q1,  q1,  q13
-  .endif
+NRND    vadd.u16        q1,  q1,  q13
         shrn            d29, q1,  #2
   .if \avg
         vld1.8          {q8},     [r0,:128]
         vrhadd.u8       q14, q14, q8
   .endif
         vaddl.u8        q8,  d0,  d30
-        vld1.64         {d2-d4},  [r1], r2
+        vld1.8          {d2-d4},  [r1], r2
         vaddl.u8        q10, d1,  d31
-        vst1.64         {q14},    [r0,:128], r2
+        vst1.8          {q14},    [r0,:128], r2
         vadd.u16        q12, q8,  q9
         pld             [r1, r2]
-  .ifeq \rnd
-        vadd.u16        q12, q12, q13
-  .endif
+NRND    vadd.u16        q12, q12, q13
         vext.8          q2,  q1,  q2,  #1
         vadd.u16        q0,  q10, q11
         shrn            d30, q12, #2
-  .ifeq \rnd
-        vadd.u16        q0,  q0,  q13
-  .endif
+NRND    vadd.u16        q0,  q0,  q13
         shrn            d31, q0,  #2
   .if \avg
         vld1.8          {q9},     [r0,:128]
@@ -171,44 +177,72 @@ endfunc
   .endif
         vaddl.u8        q9,  d2,  d4
         vaddl.u8        q11, d3,  d5
-        vst1.64         {q15},    [r0,:128], r2
+        vst1.8          {q15},    [r0,:128], r2
         bgt             1b
+
+        vld1.8          {d0-d2},  [r1], r2
+        vadd.u16        q12, q8,  q9
+NRND    vadd.u16        q12, q12, q13
+        vext.8          q15, q0,  q1,  #1
+        vadd.u16        q1 , q10, q11
+        shrn            d28, q12, #2
+NRND    vadd.u16        q1,  q1,  q13
+        shrn            d29, q1,  #2
+  .if \avg
+        vld1.8          {q8},     [r0,:128]
+        vrhadd.u8       q14, q14, q8
+  .endif
+        vaddl.u8        q8,  d0,  d30
+        vaddl.u8        q10, d1,  d31
+        vst1.8          {q14},    [r0,:128], r2
+        vadd.u16        q12, q8,  q9
+NRND    vadd.u16        q12, q12, q13
+        vadd.u16        q0,  q10, q11
+        shrn            d30, q12, #2
+NRND    vadd.u16        q0,  q0,  q13
+        shrn            d31, q0,  #2
+  .if \avg
+        vld1.8          {q9},     [r0,:128]
+        vrhadd.u8       q15, q15, q9
+  .endif
+        vst1.8          {q15},    [r0,:128], r2
+
         bx              lr
 .endm
 
 .macro  pixels8         rnd=1, avg=0
-1:      vld1.64         {d0},     [r1], r2
-        vld1.64         {d1},     [r1], r2
-        vld1.64         {d2},     [r1], r2
+1:      vld1.8          {d0},     [r1], r2
+        vld1.8          {d1},     [r1], r2
+        vld1.8          {d2},     [r1], r2
         pld             [r1, r2, lsl #2]
-        vld1.64         {d3},     [r1], r2
+        vld1.8          {d3},     [r1], r2
         pld             [r1]
         pld             [r1, r2]
         pld             [r1, r2, lsl #1]
   .if \avg
-        vld1.64         {d4},     [r0,:64], r2
+        vld1.8          {d4},     [r0,:64], r2
         vrhadd.u8       d0,  d0,  d4
-        vld1.64         {d5},     [r0,:64], r2
+        vld1.8          {d5},     [r0,:64], r2
         vrhadd.u8       d1,  d1,  d5
-        vld1.64         {d6},     [r0,:64], r2
+        vld1.8          {d6},     [r0,:64], r2
         vrhadd.u8       d2,  d2,  d6
-        vld1.64         {d7},     [r0,:64], r2
+        vld1.8          {d7},     [r0,:64], r2
         vrhadd.u8       d3,  d3,  d7
         sub             r0,  r0,  r2,  lsl #2
   .endif
         subs            r3,  r3,  #4
-        vst1.64         {d0},     [r0,:64], r2
-        vst1.64         {d1},     [r0,:64], r2
-        vst1.64         {d2},     [r0,:64], r2
-        vst1.64         {d3},     [r0,:64], r2
+        vst1.8          {d0},     [r0,:64], r2
+        vst1.8          {d1},     [r0,:64], r2
+        vst1.8          {d2},     [r0,:64], r2
+        vst1.8          {d3},     [r0,:64], r2
         bne             1b
         bx              lr
 .endm
 
 .macro  pixels8_x2      rnd=1, avg=0
-1:      vld1.64         {q0},     [r1], r2
+1:      vld1.8          {q0},     [r1], r2
         vext.8          d1,  d0,  d1,  #1
-        vld1.64         {q1},     [r1], r2
+        vld1.8          {q1},     [r1], r2
         vext.8          d3,  d2,  d3,  #1
         pld             [r1]
         pld             [r1, r2]
@@ -221,20 +255,21 @@ endfunc
         vrhadd.u8       q0,  q0,  q2
         sub             r0,  r0,  r2
   .endif
-        vst1.64         {d0},     [r0,:64], r2
-        vst1.64         {d1},     [r0,:64], r2
+        vst1.8          {d0},     [r0,:64], r2
+        vst1.8          {d1},     [r0,:64], r2
         bne             1b
         bx              lr
 .endm
 
 .macro  pixels8_y2      rnd=1, avg=0
-        vld1.64         {d0},     [r1], r2
-        vld1.64         {d1},     [r1], r2
+        sub             r3,  r3,  #2
+        vld1.8          {d0},     [r1], r2
+        vld1.8          {d1},     [r1], r2
 1:      subs            r3,  r3,  #2
         avg             d4,  d0,  d1
-        vld1.64         {d0},     [r1], r2
+        vld1.8          {d0},     [r1], r2
         avg             d5,  d0,  d1
-        vld1.64         {d1},     [r1], r2
+        vld1.8          {d1},     [r1], r2
         pld             [r1]
         pld             [r1, r2]
   .if \avg
@@ -243,18 +278,30 @@ endfunc
         vrhadd.u8       q2,  q2,  q1
         sub             r0,  r0,  r2
   .endif
-        vst1.64         {d4},     [r0,:64], r2
-        vst1.64         {d5},     [r0,:64], r2
+        vst1.8          {d4},     [r0,:64], r2
+        vst1.8          {d5},     [r0,:64], r2
         bne             1b
+
+        avg             d4,  d0,  d1
+        vld1.8          {d0},     [r1], r2
+        avg             d5,  d0,  d1
+  .if \avg
+        vld1.8          {d2},     [r0,:64], r2
+        vld1.8          {d3},     [r0,:64]
+        vrhadd.u8       q2,  q2,  q1
+        sub             r0,  r0,  r2
+  .endif
+        vst1.8          {d4},     [r0,:64], r2
+        vst1.8          {d5},     [r0,:64], r2
+
         bx              lr
 .endm
 
 .macro  pixels8_xy2     rnd=1, avg=0
-        vld1.64         {q0},     [r1], r2
-        vld1.64         {q1},     [r1], r2
-  .ifeq \rnd
-        vmov.i16        q11, #1
-  .endif
+        sub             r3,  r3,  #2
+        vld1.8          {q0},     [r1], r2
+        vld1.8          {q1},     [r1], r2
+NRND    vmov.i16        q11, #1
         pld             [r1]
         pld             [r1, r2]
         vext.8          d4,  d0,  d1,  #1
@@ -262,26 +309,22 @@ endfunc
         vaddl.u8        q8,  d0,  d4
         vaddl.u8        q9,  d2,  d6
 1:      subs            r3,  r3,  #2
-        vld1.64         {q0},     [r1], r2
+        vld1.8          {q0},     [r1], r2
         pld             [r1]
         vadd.u16        q10, q8,  q9
         vext.8          d4,  d0,  d1,  #1
-  .ifeq \rnd
-        vadd.u16        q10, q10, q11
-  .endif
+NRND    vadd.u16        q10, q10, q11
         vaddl.u8        q8,  d0,  d4
         shrn            d5,  q10, #2
-        vld1.64         {q1},     [r1], r2
+        vld1.8          {q1},     [r1], r2
         vadd.u16        q10, q8,  q9
         pld             [r1, r2]
   .if \avg
         vld1.8          {d7},     [r0,:64]
         vrhadd.u8       d5,  d5,  d7
   .endif
-  .ifeq \rnd
-        vadd.u16        q10, q10, q11
-  .endif
-        vst1.64         {d5},     [r0,:64], r2
+NRND    vadd.u16        q10, q10, q11
+        vst1.8          {d5},     [r0,:64], r2
         shrn            d7,  q10, #2
   .if \avg
         vld1.8          {d5},     [r0,:64]
@@ -289,8 +332,29 @@ endfunc
   .endif
         vext.8          d6,  d2,  d3,  #1
         vaddl.u8        q9,  d2,  d6
-        vst1.64         {d7},     [r0,:64], r2
+        vst1.8          {d7},     [r0,:64], r2
         bgt             1b
+
+        vld1.8          {q0},     [r1], r2
+        vadd.u16        q10, q8,  q9
+        vext.8          d4,  d0,  d1,  #1
+NRND    vadd.u16        q10, q10, q11
+        vaddl.u8        q8,  d0,  d4
+        shrn            d5,  q10, #2
+        vadd.u16        q10, q8,  q9
+  .if \avg
+        vld1.8          {d7},     [r0,:64]
+        vrhadd.u8       d5,  d5,  d7
+  .endif
+NRND    vadd.u16        q10, q10, q11
+        vst1.8          {d5},     [r0,:64], r2
+        shrn            d7,  q10, #2
+  .if \avg
+        vld1.8          {d5},     [r0,:64]
+        vrhadd.u8       d7,  d7,  d5
+  .endif
+        vst1.8          {d7},     [r0,:64], r2
+
         bx              lr
 .endm
 
@@ -302,6 +366,8 @@ endfunc
     .macro shrn rd, rn, rm
         vrshrn.u16      \rd, \rn, \rm
     .endm
+    .macro NRND insn:vararg
+    .endm
   .else
     .macro avg  rd, rn, rm
         vhadd.u8        \rd, \rn, \rm
@@ -309,12 +375,16 @@ endfunc
     .macro shrn rd, rn, rm
         vshrn.u16       \rd, \rn, \rm
     .endm
+    .macro NRND insn:vararg
+        \insn
+    .endm
   .endif
 function ff_\pfx\name\suf\()_neon, export=1
         \name           \rnd, \avg
 endfunc
         .purgem         avg
         .purgem         shrn
+        .purgem         NRND
 .endm
 
 .macro  pixfunc2        pfx, name, avg=0
@@ -359,147 +429,147 @@ endfunc
         pixfunc2        avg_, pixels8_xy2, avg=1
 
 function ff_put_pixels_clamped_neon, export=1
-        vld1.64         {d16-d19}, [r0,:128]!
+        vld1.16         {d16-d19}, [r0,:128]!
         vqmovun.s16     d0, q8
-        vld1.64         {d20-d23}, [r0,:128]!
+        vld1.16         {d20-d23}, [r0,:128]!
         vqmovun.s16     d1, q9
-        vld1.64         {d24-d27}, [r0,:128]!
+        vld1.16         {d24-d27}, [r0,:128]!
         vqmovun.s16     d2, q10
-        vld1.64         {d28-d31}, [r0,:128]!
+        vld1.16         {d28-d31}, [r0,:128]!
         vqmovun.s16     d3, q11
-        vst1.64         {d0},      [r1,:64], r2
+        vst1.8          {d0},      [r1,:64], r2
         vqmovun.s16     d4, q12
-        vst1.64         {d1},      [r1,:64], r2
+        vst1.8          {d1},      [r1,:64], r2
         vqmovun.s16     d5, q13
-        vst1.64         {d2},      [r1,:64], r2
+        vst1.8          {d2},      [r1,:64], r2
         vqmovun.s16     d6, q14
-        vst1.64         {d3},      [r1,:64], r2
+        vst1.8          {d3},      [r1,:64], r2
         vqmovun.s16     d7, q15
-        vst1.64         {d4},      [r1,:64], r2
-        vst1.64         {d5},      [r1,:64], r2
-        vst1.64         {d6},      [r1,:64], r2
-        vst1.64         {d7},      [r1,:64], r2
+        vst1.8          {d4},      [r1,:64], r2
+        vst1.8          {d5},      [r1,:64], r2
+        vst1.8          {d6},      [r1,:64], r2
+        vst1.8          {d7},      [r1,:64], r2
         bx              lr
 endfunc
 
 function ff_put_signed_pixels_clamped_neon, export=1
         vmov.u8         d31, #128
-        vld1.64         {d16-d17}, [r0,:128]!
+        vld1.16         {d16-d17}, [r0,:128]!
         vqmovn.s16      d0, q8
-        vld1.64         {d18-d19}, [r0,:128]!
+        vld1.16         {d18-d19}, [r0,:128]!
         vqmovn.s16      d1, q9
-        vld1.64         {d16-d17}, [r0,:128]!
+        vld1.16         {d16-d17}, [r0,:128]!
         vqmovn.s16      d2, q8
-        vld1.64         {d18-d19}, [r0,:128]!
+        vld1.16         {d18-d19}, [r0,:128]!
         vadd.u8         d0, d0, d31
-        vld1.64         {d20-d21}, [r0,:128]!
+        vld1.16         {d20-d21}, [r0,:128]!
         vadd.u8         d1, d1, d31
-        vld1.64         {d22-d23}, [r0,:128]!
+        vld1.16         {d22-d23}, [r0,:128]!
         vadd.u8         d2, d2, d31
-        vst1.64         {d0},      [r1,:64], r2
+        vst1.8          {d0},      [r1,:64], r2
         vqmovn.s16      d3, q9
-        vst1.64         {d1},      [r1,:64], r2
+        vst1.8          {d1},      [r1,:64], r2
         vqmovn.s16      d4, q10
-        vst1.64         {d2},      [r1,:64], r2
+        vst1.8          {d2},      [r1,:64], r2
         vqmovn.s16      d5, q11
-        vld1.64         {d24-d25}, [r0,:128]!
+        vld1.16         {d24-d25}, [r0,:128]!
         vadd.u8         d3, d3, d31
-        vld1.64         {d26-d27}, [r0,:128]!
+        vld1.16         {d26-d27}, [r0,:128]!
         vadd.u8         d4, d4, d31
         vadd.u8         d5, d5, d31
-        vst1.64         {d3},      [r1,:64], r2
+        vst1.8          {d3},      [r1,:64], r2
         vqmovn.s16      d6, q12
-        vst1.64         {d4},      [r1,:64], r2
+        vst1.8          {d4},      [r1,:64], r2
         vqmovn.s16      d7, q13
-        vst1.64         {d5},      [r1,:64], r2
+        vst1.8          {d5},      [r1,:64], r2
         vadd.u8         d6, d6, d31
         vadd.u8         d7, d7, d31
-        vst1.64         {d6},      [r1,:64], r2
-        vst1.64         {d7},      [r1,:64], r2
+        vst1.8          {d6},      [r1,:64], r2
+        vst1.8          {d7},      [r1,:64], r2
         bx              lr
 endfunc
 
 function ff_add_pixels_clamped_neon, export=1
         mov             r3, r1
-        vld1.64         {d16},   [r1,:64], r2
-        vld1.64         {d0-d1}, [r0,:128]!
+        vld1.8          {d16},   [r1,:64], r2
+        vld1.16         {d0-d1}, [r0,:128]!
         vaddw.u8        q0, q0, d16
-        vld1.64         {d17},   [r1,:64], r2
-        vld1.64         {d2-d3}, [r0,:128]!
+        vld1.8          {d17},   [r1,:64], r2
+        vld1.16         {d2-d3}, [r0,:128]!
         vqmovun.s16     d0, q0
-        vld1.64         {d18},   [r1,:64], r2
+        vld1.8          {d18},   [r1,:64], r2
         vaddw.u8        q1, q1, d17
-        vld1.64         {d4-d5}, [r0,:128]!
+        vld1.16         {d4-d5}, [r0,:128]!
         vaddw.u8        q2, q2, d18
-        vst1.64         {d0},    [r3,:64], r2
+        vst1.8          {d0},    [r3,:64], r2
         vqmovun.s16     d2, q1
-        vld1.64         {d19},   [r1,:64], r2
-        vld1.64         {d6-d7}, [r0,:128]!
+        vld1.8          {d19},   [r1,:64], r2
+        vld1.16         {d6-d7}, [r0,:128]!
         vaddw.u8        q3, q3, d19
         vqmovun.s16     d4, q2
-        vst1.64         {d2},    [r3,:64], r2
-        vld1.64         {d16},   [r1,:64], r2
+        vst1.8          {d2},    [r3,:64], r2
+        vld1.8          {d16},   [r1,:64], r2
         vqmovun.s16     d6, q3
-        vld1.64         {d0-d1}, [r0,:128]!
+        vld1.16         {d0-d1}, [r0,:128]!
         vaddw.u8        q0, q0, d16
-        vst1.64         {d4},    [r3,:64], r2
-        vld1.64         {d17},   [r1,:64], r2
-        vld1.64         {d2-d3}, [r0,:128]!
+        vst1.8          {d4},    [r3,:64], r2
+        vld1.8          {d17},   [r1,:64], r2
+        vld1.16         {d2-d3}, [r0,:128]!
         vaddw.u8        q1, q1, d17
-        vst1.64         {d6},    [r3,:64], r2
+        vst1.8          {d6},    [r3,:64], r2
         vqmovun.s16     d0, q0
-        vld1.64         {d18},   [r1,:64], r2
-        vld1.64         {d4-d5}, [r0,:128]!
+        vld1.8          {d18},   [r1,:64], r2
+        vld1.16         {d4-d5}, [r0,:128]!
         vaddw.u8        q2, q2, d18
-        vst1.64         {d0},    [r3,:64], r2
+        vst1.8          {d0},    [r3,:64], r2
         vqmovun.s16     d2, q1
-        vld1.64         {d19},   [r1,:64], r2
+        vld1.8          {d19},   [r1,:64], r2
         vqmovun.s16     d4, q2
-        vld1.64         {d6-d7}, [r0,:128]!
+        vld1.16         {d6-d7}, [r0,:128]!
         vaddw.u8        q3, q3, d19
-        vst1.64         {d2},    [r3,:64], r2
+        vst1.8          {d2},    [r3,:64], r2
         vqmovun.s16     d6, q3
-        vst1.64         {d4},    [r3,:64], r2
-        vst1.64         {d6},    [r3,:64], r2
+        vst1.8          {d4},    [r3,:64], r2
+        vst1.8          {d6},    [r3,:64], r2
         bx              lr
 endfunc
 
 function ff_vector_fmul_neon, export=1
         subs            r3,  r3,  #8
-        vld1.64         {d0-d3},  [r1,:128]!
-        vld1.64         {d4-d7},  [r2,:128]!
+        vld1.32         {d0-d3},  [r1,:128]!
+        vld1.32         {d4-d7},  [r2,:128]!
         vmul.f32        q8,  q0,  q2
         vmul.f32        q9,  q1,  q3
         beq             3f
         bics            ip,  r3,  #15
         beq             2f
 1:      subs            ip,  ip,  #16
-        vld1.64         {d0-d1},  [r1,:128]!
-        vld1.64         {d4-d5},  [r2,:128]!
+        vld1.32         {d0-d1},  [r1,:128]!
+        vld1.32         {d4-d5},  [r2,:128]!
         vmul.f32        q10, q0,  q2
-        vld1.64         {d2-d3},  [r1,:128]!
-        vld1.64         {d6-d7},  [r2,:128]!
+        vld1.32         {d2-d3},  [r1,:128]!
+        vld1.32         {d6-d7},  [r2,:128]!
         vmul.f32        q11, q1,  q3
-        vst1.64         {d16-d19},[r0,:128]!
-        vld1.64         {d0-d1},  [r1,:128]!
-        vld1.64         {d4-d5},  [r2,:128]!
+        vst1.32         {d16-d19},[r0,:128]!
+        vld1.32         {d0-d1},  [r1,:128]!
+        vld1.32         {d4-d5},  [r2,:128]!
         vmul.f32        q8,  q0,  q2
-        vld1.64         {d2-d3},  [r1,:128]!
-        vld1.64         {d6-d7},  [r2,:128]!
+        vld1.32         {d2-d3},  [r1,:128]!
+        vld1.32         {d6-d7},  [r2,:128]!
         vmul.f32        q9,  q1,  q3
-        vst1.64         {d20-d23},[r0,:128]!
+        vst1.32         {d20-d23},[r0,:128]!
         bne             1b
         ands            r3,  r3,  #15
         beq             3f
-2:      vld1.64         {d0-d1},  [r1,:128]!
-        vld1.64         {d4-d5},  [r2,:128]!
-        vst1.64         {d16-d17},[r0,:128]!
+2:      vld1.32         {d0-d1},  [r1,:128]!
+        vld1.32         {d4-d5},  [r2,:128]!
+        vst1.32         {d16-d17},[r0,:128]!
         vmul.f32        q8,  q0,  q2
-        vld1.64         {d2-d3},  [r1,:128]!
-        vld1.64         {d6-d7},  [r2,:128]!
-        vst1.64         {d18-d19},[r0,:128]!
+        vld1.32         {d2-d3},  [r1,:128]!
+        vld1.32         {d6-d7},  [r2,:128]!
+        vst1.32         {d18-d19},[r0,:128]!
         vmul.f32        q9,  q1,  q3
-3:      vst1.64         {d16-d19},[r0,:128]!
+3:      vst1.32         {d16-d19},[r0,:128]!
         bx              lr
 endfunc
 
@@ -512,10 +582,10 @@ function ff_vector_fmul_window_neon, export=1
         add             r4,  r3,  r5, lsl #3
         add             ip,  r0,  r5, lsl #3
         mov             r5,  #-16
-        vld1.64         {d0,d1},  [r1,:128]!
-        vld1.64         {d2,d3},  [r2,:128], r5
-        vld1.64         {d4,d5},  [r3,:128]!
-        vld1.64         {d6,d7},  [r4,:128], r5
+        vld1.32         {d0,d1},  [r1,:128]!
+        vld1.32         {d2,d3},  [r2,:128], r5
+        vld1.32         {d4,d5},  [r3,:128]!
+        vld1.32         {d6,d7},  [r4,:128], r5
 1:      subs            lr,  lr,  #4
         vmul.f32        d22, d0,  d4
         vrev64.32       q3,  q3
@@ -525,19 +595,19 @@ function ff_vector_fmul_window_neon, export=1
         vmul.f32        d21, d1,  d6
         beq             2f
         vmla.f32        d22, d3,  d7
-        vld1.64         {d0,d1},  [r1,:128]!
+        vld1.32         {d0,d1},  [r1,:128]!
         vmla.f32        d23, d2,  d6
-        vld1.64         {d18,d19},[r2,:128], r5
+        vld1.32         {d18,d19},[r2,:128], r5
         vmls.f32        d20, d3,  d4
-        vld1.64         {d24,d25},[r3,:128]!
+        vld1.32         {d24,d25},[r3,:128]!
         vmls.f32        d21, d2,  d5
-        vld1.64         {d6,d7},  [r4,:128], r5
+        vld1.32         {d6,d7},  [r4,:128], r5
         vmov            q1,  q9
         vrev64.32       q11, q11
         vmov            q2,  q12
         vswp            d22, d23
-        vst1.64         {d20,d21},[r0,:128]!
-        vst1.64         {d22,d23},[ip,:128], r5
+        vst1.32         {d20,d21},[r0,:128]!
+        vst1.32         {d22,d23},[ip,:128], r5
         b               1b
 2:      vmla.f32        d22, d3,  d7
         vmla.f32        d23, d2,  d6
@@ -545,8 +615,8 @@ function ff_vector_fmul_window_neon, export=1
         vmls.f32        d21, d2,  d5
         vrev64.32       q11, q11
         vswp            d22, d23
-        vst1.64         {d20,d21},[r0,:128]!
-        vst1.64         {d22,d23},[ip,:128], r5
+        vst1.32         {d20,d21},[r0,:128]!
+        vst1.32         {d22,d23},[ip,:128], r5
         pop             {r4,r5,pc}
 endfunc
 

libavcodec/arm/h264dsp_init_arm.c

@@ -89,7 +89,7 @@ static void ff_h264dsp_init_neon(H264DSPContext *c, const int bit_depth, const i
     c->h264_idct_dc_add     = ff_h264_idct_dc_add_neon;
     c->h264_idct_add16      = ff_h264_idct_add16_neon;
     c->h264_idct_add16intra = ff_h264_idct_add16intra_neon;
-    if (chroma_format_idc == 1)
+    if (chroma_format_idc <= 1)
         c->h264_idct_add8   = ff_h264_idct_add8_neon;
     c->h264_idct8_add       = ff_h264_idct8_add_neon;
     c->h264_idct8_dc_add    = ff_h264_idct8_dc_add_neon;

libavcodec/atrac1.c

@@ -33,6 +33,7 @@
 #include <stdio.h>
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "fft.h"
@@ -291,7 +292,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     q->frame.nb_samples = AT1_SU_SAMPLES;
-    if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/atrac3.c

@@ -37,6 +37,7 @@
 #include <stdio.h>
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "bytestream.h"
@@ -852,7 +853,7 @@ static int atrac3_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     q->frame.nb_samples = SAMPLES_PER_FRAME;
-    if ((result = avctx->get_buffer(avctx, &q->frame)) < 0) {
+    if ((result = ff_get_buffer(avctx, &q->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return result;
     }

libavcodec/binkaudio.c

@@ -29,6 +29,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #define BITSTREAM_READER_LE
 #include "get_bits.h"
 #include "dsputil.h"
@@ -340,7 +341,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = s->block_size / avctx->channels;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/bmv.c

@@ -20,6 +20,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"
 #include "libavutil/avassert.h"
 
@@ -274,7 +275,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     }
 
     c->pic.reference = 1;
-    if (avctx->get_buffer(avctx, &c->pic) < 0) {
+    if (ff_get_buffer(avctx, &c->pic) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return -1;
     }
@@ -339,7 +340,7 @@ static int bmv_aud_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     c->frame.nb_samples = total_blocks * 32;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/bytestream.h

@@ -198,6 +198,16 @@ static av_always_inline int bytestream2_tell_p(PutByteContext *p)
     return (int)(p->buffer - p->buffer_start);
 }
 
+static av_always_inline int bytestream2_size(GetByteContext *g)
+{
+    return (int)(g->buffer_end - g->buffer_start);
+}
+
+static av_always_inline int bytestream2_size_p(PutByteContext *p)
+{
+    return (int)(p->buffer_end - p->buffer_start);
+}
+
 static av_always_inline int bytestream2_seek(GetByteContext *g,
                                              int offset,
                                              int whence)
@@ -323,6 +333,32 @@ static av_always_inline unsigned int bytestream2_get_eof(PutByteContext *p)
     return p->eof;
 }
 
+static av_always_inline unsigned int bytestream2_copy_bufferu(PutByteContext *p,
+                                                              GetByteContext *g,
+                                                              unsigned int size)
+{
+    memcpy(p->buffer, g->buffer, size);
+    p->buffer += size;
+    g->buffer += size;
+    return size;
+}
+
+static av_always_inline unsigned int bytestream2_copy_buffer(PutByteContext *p,
+                                                             GetByteContext *g,
+                                                             unsigned int size)
+{
+    int size2;
+
+    if (p->eof)
+        return 0;
+    size  = FFMIN(g->buffer_end - g->buffer, size);
+    size2 = FFMIN(p->buffer_end - p->buffer, size);
+    if (size2 != size)
+        p->eof = 1;
+
+    return bytestream2_copy_bufferu(p, g, size2);
+}
+
 static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b,
                                                            uint8_t *dst,
                                                            unsigned int size)

libavcodec/cavsdec.c

@@ -166,8 +166,8 @@ static inline int decode_residual_inter(AVSContext *h) {
 
     /* get coded block pattern */
     int cbp= get_ue_golomb(&h->s.gb);
-    if(cbp > 63U){
-        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
+    if(cbp > 63 || cbp < 0){
+        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp);
         return -1;
     }
     h->cbp = cbp_tab[cbp][1];
@@ -226,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) {
     /* get coded block pattern */
     if(h->pic_type == AV_PICTURE_TYPE_I)
         cbp_code = get_ue_golomb(gb);
-    if(cbp_code > 63U){
+    if(cbp_code > 63 || cbp_code < 0 ){
         av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
         return -1;
     }

libavcodec/cdgraphics.c

@@ -20,6 +20,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"
 
 /**
@@ -268,7 +269,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
 static int cdg_decode_frame(AVCodecContext *avctx,
                             void *data, int *data_size, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
+    GetByteContext gb;
     int buf_size       = avpkt->size;
     int ret;
     uint8_t command, inst;
@@ -285,17 +286,19 @@ static int cdg_decode_frame(AVCodecContext *avctx,
         return AVERROR(EINVAL);
     }
 
+    bytestream2_init(&gb, avpkt->data, avpkt->size);
+
     ret = avctx->reget_buffer(avctx, &cc->frame);
     if (ret) {
         av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
         return ret;
     }
 
-    command = bytestream_get_byte(&buf);
-    inst    = bytestream_get_byte(&buf);
+    command = bytestream2_get_byte(&gb);
+    inst    = bytestream2_get_byte(&gb);
     inst    &= CDG_MASK;
-    buf += 2;  /// skipping 2 unneeded bytes
-    bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
+    bytestream2_skip(&gb, 2);
+    bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data));
 
     if ((command & CDG_MASK) == CDG_COMMAND) {
         switch (inst) {
@@ -337,7 +340,7 @@ static int cdg_decode_frame(AVCodecContext *avctx,
             }
 
             cdg_init_frame(&new_frame);
-            ret = avctx->get_buffer(avctx, &new_frame);
+            ret = ff_get_buffer(avctx, &new_frame);
             if (ret) {
                 av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
                 return ret;
@@ -354,11 +357,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
         *data_size = sizeof(AVFrame);
     } else {
         *data_size = 0;
-        buf_size   = 0;
     }
 
     *(AVFrame *) data = cc->frame;
-    return buf_size;
+    return avpkt->size;
 }
 
 static av_cold int cdg_decode_end(AVCodecContext *avctx)

libavcodec/cook.c

@@ -44,6 +44,7 @@
 
 #include "libavutil/lfg.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "bytestream.h"
@@ -991,7 +992,7 @@ static int cook_decode_frame(AVCodecContext *avctx, void *data,
     /* get output buffer */
     if (q->discarded_packets >= 2) {
         q->frame.nb_samples = q->samples_per_channel;
-        if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) {
+        if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) {
             av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
             return ret;
         }

libavcodec/dca.c

@@ -32,6 +32,7 @@
 #include "libavutil/mathematics.h"
 #include "libavutil/audioconvert.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "fft.h"
 #include "get_bits.h"
@@ -1895,7 +1896,7 @@ static int dca_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = 256 * (s->sample_blocks / 8);
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/dfa.c

@@ -21,6 +21,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"
 
 #include "libavutil/imgutils.h"
@@ -325,7 +326,7 @@ static int dfa_decode_frame(AVCodecContext *avctx,
     if (s->pic.data[0])
         avctx->release_buffer(avctx, &s->pic);
 
-    if ((ret = avctx->get_buffer(avctx, &s->pic))) {
+    if ((ret = ff_get_buffer(avctx, &s->pic))) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/diracdec.c

@@ -1332,8 +1332,8 @@ static int mc_subpel(DiracContext *s, DiracBlock *block, const uint8_t *src[5],
         motion_y >>= s->chroma_y_shift;
     }
 
-    mx         = motion_x & ~(-1 << s->mv_precision);
-    my         = motion_y & ~(-1 << s->mv_precision);
+    mx         = motion_x & ~(-1U << s->mv_precision);
+    my         = motion_y & ~(-1U << s->mv_precision);
     motion_x >>= s->mv_precision;
     motion_y >>= s->mv_precision;
     /* normalize subpel coordinates to epel */

libavcodec/dnxhddec.c

@@ -38,6 +38,7 @@ typedef struct DNXHDContext {
     GetBitContext gb;
     int cid;                            ///< compression id
     unsigned int width, height;
+    enum PixelFormat pix_fmt;
     unsigned int mb_width, mb_height;
     uint32_t mb_scan_index[68];         /* max for 1080p */
     int cur_field;                      ///< current interlaced field
@@ -129,7 +130,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si
     av_dlog(ctx->avctx, "width %d, height %d\n", ctx->width, ctx->height);
 
     if (buf[0x21] & 0x40) {
-        ctx->avctx->pix_fmt = PIX_FMT_YUV422P10;
+        ctx->pix_fmt = PIX_FMT_YUV422P10;
         ctx->avctx->bits_per_raw_sample = 10;
         if (ctx->bit_depth != 10) {
             dsputil_init(&ctx->dsp, ctx->avctx);
@@ -137,7 +138,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si
             ctx->decode_dct_block = dnxhd_decode_dct_block_10;
         }
     } else {
-        ctx->avctx->pix_fmt = PIX_FMT_YUV422P;
+        ctx->pix_fmt = PIX_FMT_YUV422P;
         ctx->avctx->bits_per_raw_sample = 8;
         if (ctx->bit_depth != 8) {
             dsputil_init(&ctx->dsp, ctx->avctx);
@@ -380,9 +381,15 @@ static int dnxhd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
                avctx->width, avctx->height, ctx->width, ctx->height);
         first_field = 1;
     }
+    if (avctx->pix_fmt != PIX_FMT_NONE && avctx->pix_fmt != ctx->pix_fmt) {
+        av_log(avctx, AV_LOG_WARNING, "pix_fmt changed: %s -> %s\n",
+               av_get_pix_fmt_name(avctx->pix_fmt), av_get_pix_fmt_name(ctx->pix_fmt));
+        first_field = 1;
+    }
 
     if (av_image_check_size(ctx->width, ctx->height, 0, avctx))
         return -1;
+    avctx->pix_fmt = ctx->pix_fmt;
     avcodec_set_dimensions(avctx, ctx->width, ctx->height);
 
     if (first_field) {

libavcodec/dnxhdenc.c

@@ -220,7 +220,7 @@ static int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias)
 
 static int dnxhd_init_rc(DNXHDEncContext *ctx)
 {
-    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail);
+    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail);
     if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD)
         FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail);
 

libavcodec/dpcm.c

@@ -39,6 +39,7 @@
 
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"
 
 typedef struct DPCMContext {
@@ -216,7 +217,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = (out + s->channels - 1) / s->channels;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/dsicinav.c

@@ -25,6 +25,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"
 #include "mathops.h"
 
@@ -363,7 +364,7 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     cin->frame.nb_samples = avpkt->size - cin->initial_decode_frame;
-    if ((ret = avctx->get_buffer(avctx, &cin->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &cin->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/dsputil.c

@@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
 
 static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
     long i;
-    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
         long a = *(long*)(src+i);
         long b = *(long*)(dst+i);
         *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
         }
     }else
 #endif
-    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
         long a = *(long*)(src1+i);
         long b = *(long*)(src2+i);
         *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);

libavcodec/dvdsubdec.c

@@ -94,6 +94,12 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
     int x, y, len, color;
     uint8_t *d;
 
+    if (start >= buf_size)
+        return -1;
+
+    if (w <= 0 || h <= 0)
+        return -1;
+
     bit_len = (buf_size - start) * 8;
     init_get_bits(&gb, buf + start, bit_len);
 
@@ -336,10 +342,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
                 sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
                 sub_header->num_rects = 1;
                 sub_header->rects[0]->pict.data[0] = bitmap;
-                decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-                           buf, offset1, buf_size, is_8bit);
-                decode_rle(bitmap + w, w * 2, w, h / 2,
-                           buf, offset2, buf_size, is_8bit);
+                if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+                               buf, offset1, buf_size, is_8bit) < 0)
+                    goto fail;
+                if (decode_rle(bitmap + w, w * 2, w, h / 2,
+                               buf, offset2, buf_size, is_8bit) < 0)
+                    goto fail;
                 sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE);
                 if (is_8bit) {
                     if (yuv_palette == 0)

libavcodec/dxa.c

@@ -301,6 +301,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
     c->avctx = avctx;
     avctx->pix_fmt = PIX_FMT_PAL8;
 
+    if (avctx->width%4 || avctx->height%4) {
+        av_log(avctx, AV_LOG_ERROR, "dimensions are not a multiple of 4");
+        return AVERROR_INVALIDDATA;
+    }
+
     avcodec_get_frame_defaults(&c->pic);
     avcodec_get_frame_defaults(&c->prev);
 

libavcodec/dxtory.c

@@ -21,6 +21,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "libavutil/intreadwrite.h"
 
 static av_cold int decode_init(AVCodecContext *avctx)
@@ -51,7 +52,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     }
 
     pic->reference = 0;
-    if ((ret = avctx->get_buffer(avctx, pic)) < 0)
+    if ((ret = ff_get_buffer(avctx, pic)) < 0)
         return ret;
 
     pic->pict_type = AV_PICTURE_TYPE_I;

libavcodec/eamad.c

@@ -29,6 +29,7 @@
  */
 
 #include "avcodec.h"
+#include "bytestream.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "aandcttab.h"
@@ -143,6 +144,11 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                 break;
             } else if (level != 0) {
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return -1;
+                }
                 j = scantable[i];
                 level = (level*quant_matrix[j]) >> 4;
                 level = (level-1)|1;
@@ -157,6 +163,11 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                 run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6);
 
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return -1;
+                }
                 j = scantable[i];
                 if (level < 0) {
                     level = -level;
@@ -168,10 +179,6 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                     level = (level-1)|1;
                 }
             }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }
 
             block[j] = level;
         }
@@ -246,32 +253,34 @@ static int decode_frame(AVCodecContext *avctx,
 {
     const uint8_t *buf = avpkt->data;
     int buf_size       = avpkt->size;
-    const uint8_t *buf_end = buf+buf_size;
     MadContext *t     = avctx->priv_data;
+    GetByteContext gb;
     MpegEncContext *s = &t->s;
     int chunk_type;
     int inter;
 
-    if (buf_size < 17) {
-        av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
-        *data_size = 0;
-        return -1;
-    }
+    bytestream2_init(&gb, buf, buf_size);
 
-    chunk_type = AV_RL32(&buf[0]);
+    chunk_type = bytestream2_get_le32(&gb);
     inter = (chunk_type == MADm_TAG || chunk_type == MADe_TAG);
-    buf += 8;
+    bytestream2_skip(&gb, 10);
 
     av_reduce(&avctx->time_base.num, &avctx->time_base.den,
-              AV_RL16(&buf[6]), 1000, 1<<30);
+              bytestream2_get_le16(&gb), 1000, 1<<30);
 
-    s->width  = AV_RL16(&buf[8]);
-    s->height = AV_RL16(&buf[10]);
-    calc_intra_matrix(t, buf[13]);
-    buf += 16;
+    s->width  = bytestream2_get_le16(&gb);
+    s->height = bytestream2_get_le16(&gb);
+    bytestream2_skip(&gb, 1);
+    calc_intra_matrix(t, bytestream2_get_byte(&gb));
+    bytestream2_skip(&gb, 2);
+
+    if (bytestream2_get_bytes_left(&gb) < 2) {
+        av_log(avctx, AV_LOG_ERROR, "Input data too small\n");
+        return AVERROR_INVALIDDATA;
+    }
 
     if (avctx->width != s->width || avctx->height != s->height) {
-        if((s->width * s->height)/2048*7 > buf_end-buf)
+        if((s->width * s->height)/2048*7 > bytestream2_get_bytes_left(&gb))
             return -1;
         if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
             return -1;
@@ -290,13 +299,14 @@ static int decode_frame(AVCodecContext *avctx,
         }
     }
 
-    av_fast_malloc(&t->bitstream_buf, &t->bitstream_buf_size, (buf_end-buf) + FF_INPUT_BUFFER_PADDING_SIZE);
+    av_fast_malloc(&t->bitstream_buf, &t->bitstream_buf_size,
+                   bytestream2_get_bytes_left(&gb) + FF_INPUT_BUFFER_PADDING_SIZE);
     if (!t->bitstream_buf)
         return AVERROR(ENOMEM);
-    bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2);
-    memset((uint8_t*)t->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE);
-    init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf));
-
+    bswap16_buf(t->bitstream_buf, (const uint16_t *)(buf + bytestream2_tell(&gb)),
+                bytestream2_get_bytes_left(&gb) / 2);
+    memset((uint8_t*)t->bitstream_buf + bytestream2_get_bytes_left(&gb), 0, FF_INPUT_BUFFER_PADDING_SIZE);
+    init_get_bits(&s->gb, t->bitstream_buf, 8*(bytestream2_get_bytes_left(&gb)));
     for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
         for (s->mb_x=0; s->mb_x < (avctx->width +15)/16; s->mb_x++)
             if(decode_mb(t, inter) < 0)

libavcodec/elbg.c

@@ -110,7 +110,7 @@ static int get_high_utility_cell(elbg_data *elbg)
     while (elbg->utility_inc[i] < r)
         i++;
 
-    assert(!elbg->cells[i]);
+    assert(elbg->cells[i]);
 
     return i;
 }

libavcodec/error_resilience.c

@@ -921,6 +921,12 @@ void ff_er_frame_end(MpegEncContext *s)
         return;
     };
 
+    if (s->picture_structure == PICT_FRAME &&
+        s->current_picture.f.linesize[0] != s->current_picture_ptr->f.linesize[0]) {
+        av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n");
+        return;
+    }
+
     if (s->current_picture.f.motion_val[0] == NULL) {
         av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n");
 

libavcodec/faxcompr.c

@@ -243,7 +243,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs)
     PutBitContext pb;
     int run, mode = ~0, pix_left = width, run_idx = 0;
 
-    init_put_bits(&pb, dst, size*8);
+    init_put_bits(&pb, dst, size);
     while(pix_left > 0){
         run = runs[run_idx++];
         mode = ~mode;

libavcodec/ffv1.c

@@ -1551,20 +1551,48 @@ static int read_header(FFV1Context *f){
     memset(state, 128, sizeof(state));
 
     if(f->version < 2){
-        f->version= get_symbol(c, state, 0);
-        f->ac= f->avctx->coder_type= get_symbol(c, state, 0);
-        if(f->ac>1){
-            for(i=1; i<256; i++){
-                f->state_transition[i]= get_symbol(c, state, 1) + c->one_state[i];
+        int chroma_h_shift, chroma_v_shift, colorspace, bits_per_raw_sample;
+        int transparency;
+        unsigned v = get_symbol(c, state, 0);
+        if (v > 1) {
+            av_log(f->avctx, AV_LOG_ERROR,
+                   "invalid version %d in version 1 header\n", v);
+            return AVERROR_INVALIDDATA;
+        }
+        f->version = v;
+
+        f->ac = f->avctx->coder_type = get_symbol(c, state, 0);
+
+        if (f->ac > 1) {
+            for (i = 1; i < 256; i++)
+                f->state_transition[i] =
+                    get_symbol(c, state, 1) + c->one_state[i];
+        }
+
+        colorspace          = get_symbol(c, state, 0); //YUV cs type
+        bits_per_raw_sample = f->version > 0 ? get_symbol(c, state, 0) : f->avctx->bits_per_raw_sample;
+        get_rac(c, state); //no chroma = false
+        chroma_h_shift      = get_symbol(c, state, 0);
+        chroma_v_shift      = get_symbol(c, state, 0);
+        transparency        = get_rac(c, state);
+
+        if (f->plane_count) {
+            if (colorspace          != f->colorspace                 ||
+                bits_per_raw_sample != f->avctx->bits_per_raw_sample ||
+                chroma_h_shift      != f->chroma_h_shift             ||
+                chroma_v_shift      != f->chroma_v_shift             ||
+                transparency        != f->transparency) {
+                av_log(f->avctx, AV_LOG_ERROR, "Invalid change of global parameters\n");
+                return AVERROR_INVALIDDATA;
             }
         }
-        f->colorspace= get_symbol(c, state, 0); //YUV cs type
-        if(f->version>0)
-            f->avctx->bits_per_raw_sample= get_symbol(c, state, 0);
-        get_rac(c, state); //no chroma = false
-        f->chroma_h_shift= get_symbol(c, state, 0);
-        f->chroma_v_shift= get_symbol(c, state, 0);
-        f->transparency= get_rac(c, state);
+
+        f->colorspace                 = colorspace;
+        f->avctx->bits_per_raw_sample = bits_per_raw_sample;
+        f->chroma_h_shift             = chroma_h_shift;
+        f->chroma_v_shift             = chroma_v_shift;
+        f->transparency               = transparency;
+
         f->plane_count= 2 + f->transparency;
     }
 

libavcodec/flac_parser.c

@@ -646,7 +646,7 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx,
 handle_error:
     *poutbuf      = NULL;
     *poutbuf_size = 0;
-    return read_end - buf;
+    return buf_size ? read_end - buf : 0;
 }
 
 static int flac_parse_init(AVCodecParserContext *c)

libavcodec/flacdec.c

@@ -599,7 +599,7 @@ static int flac_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = s->blocksize;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/flashsv.c

@@ -389,7 +389,9 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
                     s->diff_start  = get_bits(&gb, 8);
                     s->diff_height = get_bits(&gb, 8);
                     if (s->diff_start + s->diff_height > cur_blk_height) {
-                        av_log(avctx, AV_LOG_ERROR, "Block parameters invalid\n");
+                        av_log(avctx, AV_LOG_ERROR,
+                               "Block parameters invalid: %d + %d > %d\n",
+                               s->diff_start, s->diff_height, cur_blk_height);
                         return AVERROR_INVALIDDATA;
                     }
                     av_log(avctx, AV_LOG_DEBUG,

libavcodec/flashsv2enc.c

@@ -270,7 +270,7 @@ static int write_header(FlashSV2Context * s, uint8_t * buf, int buf_size)
     if (buf_size < 5)
         return -1;
 
-    init_put_bits(&pb, buf, buf_size * 8);
+    init_put_bits(&pb, buf, buf_size);
 
     put_bits(&pb, 4, (s->block_width  >> 4) - 1);
     put_bits(&pb, 12, s->image_width);

libavcodec/flashsvenc.c

@@ -130,7 +130,7 @@ static int encode_bitstream(FlashSVContext *s, AVFrame *p, uint8_t *buf,
     int buf_pos, res;
     int pred_blocks = 0;
 
-    init_put_bits(&pb, buf, buf_size * 8);
+    init_put_bits(&pb, buf, buf_size);
 
     put_bits(&pb,  4, block_width / 16 - 1);
     put_bits(&pb, 12, s->image_width);

libavcodec/g722dec.c

@@ -35,6 +35,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "g722.h"
 #include "libavutil/opt.h"
@@ -96,7 +97,7 @@ static int g722_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     c->frame.nb_samples = avpkt->size * 2;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/g726.c

@@ -448,7 +448,7 @@ static int g726_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     c->frame.nb_samples = out_samples;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/get_bits.h

@@ -355,7 +355,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
     int buffer_size;
     int ret = 0;
 
-    if (bit_size > INT_MAX - 7 || bit_size < 0) {
+    if (bit_size > INT_MAX - 7 || bit_size < 0 || !buffer) {
         buffer_size = bit_size = 0;
         buffer = NULL;
         ret = AVERROR_INVALIDDATA;

libavcodec/gifdec.c

@@ -125,26 +125,21 @@ static int gif_read_image(GifState *s)
             case 1:
                 y1 += 8;
                 ptr += linesize * 8;
-                if (y1 >= height) {
-                    y1 = pass ? 2 : 4;
-                    ptr = ptr1 + linesize * y1;
-                    pass++;
-                }
                 break;
             case 2:
                 y1 += 4;
                 ptr += linesize * 4;
-                if (y1 >= height) {
-                    y1 = 1;
-                    ptr = ptr1 + linesize;
-                    pass++;
-                }
                 break;
             case 3:
                 y1 += 2;
                 ptr += linesize * 2;
                 break;
             }
+            while (y1 >= height) {
+                y1  = 4 >> pass;
+                ptr = ptr1 + linesize * y1;
+                pass++;
+            }
         } else {
             ptr += linesize;
         }

libavcodec/gsmdec.c

@@ -25,6 +25,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "msgsmdec.h"
 
@@ -72,7 +73,7 @@ static int gsm_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = avctx->frame_size;
-    if ((res = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((res = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return res;
     }

libavcodec/h264.c

@@ -106,10 +106,10 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){
 
 int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
     MpegEncContext * const s = &h->s;
-    static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
-    static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
+    static const int8_t top[4]  = { LEFT_DC_PRED8x8, 1, -1, -1 };
+    static const int8_t left[5] = { TOP_DC_PRED8x8, -1,  2, -1, DC_128_PRED8x8 };
 
-    if(mode > 6U) {
+    if(mode > 3U) {
         av_log(h->s.avctx, AV_LOG_ERROR, "out of range intra chroma pred mode at %d %d\n", s->mb_x, s->mb_y);
         return -1;
     }
@@ -1224,6 +1224,19 @@ static int decode_update_thread_context(AVCodecContext *dst, const AVCodecContex
         memcpy(&h->s + 1, &h1->s + 1, sizeof(H264Context) - sizeof(MpegEncContext)); //copy all fields after MpegEnc
         memset(h->sps_buffers, 0, sizeof(h->sps_buffers));
         memset(h->pps_buffers, 0, sizeof(h->pps_buffers));
+
+        h->intra4x4_pred_mode= NULL;
+        h->non_zero_count    = NULL;
+        h->slice_table_base  = NULL;
+        h->slice_table       = NULL;
+        h->cbp_table         = NULL;
+        h->chroma_pred_mode_table = NULL;
+        memset(h->mvd_table, 0, sizeof(h->mvd_table));
+        h->direct_table      = NULL;
+        h->list_counts       = NULL;
+        h->mb2b_xy           = NULL;
+        h->mb2br_xy          = NULL;
+
         if (ff_h264_alloc_tables(h) < 0) {
             av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n");
             return AVERROR(ENOMEM);
@@ -1300,6 +1313,8 @@ int ff_h264_frame_start(H264Context *h){
     int i;
     const int pixel_shift = h->pixel_shift;
 
+    h->next_output_pic = NULL;
+
     if(MPV_frame_start(s, s->avctx) < 0)
         return -1;
     ff_er_frame_start(s);
@@ -1349,8 +1364,6 @@ int ff_h264_frame_start(H264Context *h){
     s->current_picture_ptr->field_poc[0]=
     s->current_picture_ptr->field_poc[1]= INT_MAX;
 
-    h->next_output_pic = NULL;
-
     assert(s->current_picture_ptr->long_ref==0);
 
     return 0;
@@ -2607,6 +2620,52 @@ int ff_h264_get_profile(SPS *sps)
     return profile;
 }
 
+static int h264_set_parameter_from_sps(H264Context *h)
+{
+    MpegEncContext *s = &h->s;
+
+    if (s->flags & CODEC_FLAG_LOW_DELAY ||
+        (h->sps.bitstream_restriction_flag &&
+         !h->sps.num_reorder_frames)) {
+        if (s->avctx->has_b_frames > 1 || h->delayed_pic[0])
+            av_log(h->s.avctx, AV_LOG_WARNING, "Delayed frames seen. "
+                   "Reenabling low delay requires a codec flush.\n");
+        else
+            s->low_delay = 1;
+    }
+
+    if (s->avctx->has_b_frames < 2)
+        s->avctx->has_b_frames = !s->low_delay;
+
+    if (s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma ||
+        h->cur_chroma_format_idc      != h->sps.chroma_format_idc) {
+        if (s->avctx->codec &&
+            s->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU &&
+            (h->sps.bit_depth_luma != 8 || h->sps.chroma_format_idc > 1)) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "VDPAU decoding does not support video colorspace.\n");
+            return AVERROR_INVALIDDATA;
+        }
+        if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) {
+            s->avctx->bits_per_raw_sample = h->sps.bit_depth_luma;
+            h->cur_chroma_format_idc      = h->sps.chroma_format_idc;
+            h->pixel_shift                = h->sps.bit_depth_luma > 8;
+
+            ff_h264dsp_init(&h->h264dsp, h->sps.bit_depth_luma,
+                            h->sps.chroma_format_idc);
+            ff_h264_pred_init(&h->hpc, s->codec_id, h->sps.bit_depth_luma,
+                              h->sps.chroma_format_idc);
+            s->dsp.dct_bits = h->sps.bit_depth_luma > 8 ? 32 : 16;
+            dsputil_init(&s->dsp, s->avctx);
+        } else {
+            av_log(s->avctx, AV_LOG_ERROR, "Unsupported bit depth: %d\n",
+                   h->sps.bit_depth_luma);
+            return AVERROR_INVALIDDATA;
+        }
+    }
+    return 0;
+}
+
 /**
  * Decode a slice header.
  * This will also call MPV_common_init() and frame_start() as needed.
@@ -2624,7 +2683,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
     int num_ref_idx_active_override_flag;
     unsigned int slice_type, tmp, i, j;
     int default_ref_list_done = 0;
-    int last_pic_structure, last_pic_dropable;
+    int last_pic_structure, last_pic_dropable, ret;
 
     /* FIXME: 2tap qpel isn't implemented for high bit depth. */
     if((s->avctx->flags2 & CODEC_FLAG2_FAST) && !h->nal_ref_idc && !h->pixel_shift){
@@ -2672,7 +2731,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
     h->slice_type= slice_type;
     h->slice_type_nos= slice_type & 3;
 
-    s->pict_type= h->slice_type; // to make a few old functions happy, it's wrong though
+    if (h->nal_unit_type  == NAL_IDR_SLICE &&
+        h->slice_type_nos != AV_PICTURE_TYPE_I) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "A non-intra slice in an IDR NAL unit.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    // to make a few old functions happy, it's wrong though
+    s->pict_type = h->slice_type;
 
     pps_id= get_ue_golomb(&s->gb);
     if(pps_id>=MAX_PPS_COUNT){
@@ -2689,7 +2755,17 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
         av_log(h->s.avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id);
         return -1;
     }
-    h->sps = *h0->sps_buffers[h->pps.sps_id];
+
+    if (h->pps.sps_id != h->current_sps_id ||
+        h0->sps_buffers[h->pps.sps_id]->new) {
+        h0->sps_buffers[h->pps.sps_id]->new = 0;
+
+        h->current_sps_id = h->pps.sps_id;
+        h->sps            = *h0->sps_buffers[h->pps.sps_id];
+
+        if ((ret = h264_set_parameter_from_sps(h)) < 0)
+            return ret;
+    }
 
     s->avctx->profile = ff_h264_get_profile(&h->sps);
     s->avctx->level   = h->sps.level_idc;
@@ -2989,8 +3065,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
                h->frame_num != (h->prev_frame_num + 1) % (1 << h->sps.log2_max_frame_num)) {
             Picture *prev = h->short_ref_count ? h->short_ref[0] : NULL;
             av_log(h->s.avctx, AV_LOG_DEBUG, "Frame num gap %d %d\n", h->frame_num, h->prev_frame_num);
-            if (ff_h264_frame_start(h) < 0)
+            if (ff_h264_frame_start(h) < 0) {
+                h0->s.first_field = 0;
                 return -1;
+            }
             h->prev_frame_num++;
             h->prev_frame_num %= 1<<h->sps.log2_max_frame_num;
             s->current_picture_ptr->frame_num= h->prev_frame_num;
@@ -3050,7 +3128,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
 
         } else {
             /* Frame or first field in a potentially complementary pair */
-            assert(!s0->current_picture_ptr);
             s0->first_field = FIELD_PICTURE;
         }
 
@@ -3224,8 +3301,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
     }
 
     h->deblocking_filter = 1;
-    h->slice_alpha_c0_offset = 52;
-    h->slice_beta_offset = 52;
+    h->slice_alpha_c0_offset = 0;
+    h->slice_beta_offset = 0;
     if( h->pps.deblocking_filter_parameters_present ) {
         tmp= get_ue_golomb_31(&s->gb);
         if(tmp > 2){
@@ -3236,12 +3313,16 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
         if(h->deblocking_filter < 2)
             h->deblocking_filter^= 1; // 1<->0
 
-        if( h->deblocking_filter ) {
-            h->slice_alpha_c0_offset += get_se_golomb(&s->gb) << 1;
-            h->slice_beta_offset     += get_se_golomb(&s->gb) << 1;
-            if(   h->slice_alpha_c0_offset > 104U
-               || h->slice_beta_offset     > 104U){
-                av_log(s->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", h->slice_alpha_c0_offset, h->slice_beta_offset);
+        if (h->deblocking_filter) {
+            h->slice_alpha_c0_offset = get_se_golomb(&s->gb) * 2;
+            h->slice_beta_offset     = get_se_golomb(&s->gb) * 2;
+            if (h->slice_alpha_c0_offset >  12 ||
+                h->slice_alpha_c0_offset < -12 ||
+                h->slice_beta_offset >  12     ||
+                h->slice_beta_offset < -12) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "deblocking filter parameters %d %d out of range\n",
+                       h->slice_alpha_c0_offset, h->slice_beta_offset);
                 return -1;
             }
         }
@@ -3270,14 +3351,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
             }
         }
     }
-    h->qp_thresh = 15 + 52 - FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset)
-                 - FFMAX3(0, h->pps.chroma_qp_index_offset[0], h->pps.chroma_qp_index_offset[1])
-                 + 6 * (h->sps.bit_depth_luma - 8);
-
-#if 0 //FMO
-    if( h->pps.num_slice_groups > 1  && h->pps.mb_slice_group_map_type >= 3 && h->pps.mb_slice_group_map_type <= 5)
-        slice_group_change_cycle= get_bits(&s->gb, ?);
-#endif
+    h->qp_thresh = 15 -
+                   FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) -
+                   FFMAX3(0,
+                          h->pps.chroma_qp_index_offset[0],
+                          h->pps.chroma_qp_index_offset[1]) +
+                   6 * (h->sps.bit_depth_luma - 8);
 
     h0->last_slice_type = slice_type;
     h->slice_num = ++h0->current_slice;
@@ -3338,7 +3417,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
                s->current_picture_ptr->field_poc[0], s->current_picture_ptr->field_poc[1],
                h->ref_count[0], h->ref_count[1],
                s->qscale,
-               h->deblocking_filter, h->slice_alpha_c0_offset/2-26, h->slice_beta_offset/2-26,
+               h->deblocking_filter,
+               h->slice_alpha_c0_offset, h->slice_beta_offset,
                h->use_weight,
                h->use_weight==1 && h->use_weight_chroma ? "c" : "",
                h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? "SPAT" : "TEMP") : ""
@@ -3821,6 +3901,12 @@ static int execute_decode_slices(H264Context *h, int context_count){
     H264Context *hx;
     int i;
 
+    if (s->mb_y >= s->mb_height) {
+        av_log(s->avctx, AV_LOG_ERROR,
+               "Input contains more MB rows than the frame height.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     if (s->avctx->hwaccel || s->avctx->codec->capabilities&CODEC_CAP_HWACCEL_VDPAU)
         return 0;
     if(context_count == 1) {
@@ -4033,12 +4119,24 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
             }
             break;
         case NAL_DPA:
+            if (s->flags2 & CODEC_FLAG2_CHUNKS) {
+                av_log(h->s.avctx, AV_LOG_ERROR,
+                       "Decoding in chunks is not supported for "
+                       "partitioned slices.\n");
+                return AVERROR(ENOSYS);
+            }
+
             init_get_bits(&hx->s.gb, ptr, bit_length);
             hx->intra_gb_ptr=
             hx->inter_gb_ptr= NULL;
 
-            if ((err = decode_slice_header(hx, h)) < 0)
+            if ((err = decode_slice_header(hx, h)) < 0) {
+                /* make sure data_partitioning is cleared if it was set
+                 * before, so we don't try decoding a slice without a valid
+                 * slice header later */
+                s->data_partitioning = 0;
                 break;
+            }
 
             hx->s.data_partitioning = 1;
 
@@ -4073,24 +4171,9 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
                 ff_h264_decode_seq_parameter_set(h);
             }
 
-            if (s->flags & CODEC_FLAG_LOW_DELAY ||
-                (h->sps.bitstream_restriction_flag &&
-                 !h->sps.num_reorder_frames)) {
-                if (s->avctx->has_b_frames > 1 || h->delayed_pic[0])
-                    av_log(avctx, AV_LOG_WARNING, "Delayed frames seen "
-                           "reenabling low delay requires a codec "
-                           "flush.\n");
-                else
-                    s->low_delay = 1;
-            }
-
-            if(avctx->has_b_frames < 2)
-                avctx->has_b_frames= !s->low_delay;
-
-            if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) {
-                av_log_missing_feature(s->avctx,
-                    "Different bit depth between chroma and luma", 1);
-                return AVERROR_PATCHWELCOME;
+            if (h264_set_parameter_from_sps(h) < 0) {
+                buf_index = -1;
+                goto end;
             }
             break;
         case NAL_PPS:
@@ -4115,9 +4198,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
             context_count = 0;
         }
 
-        if (err < 0)
+        if (err < 0) {
             av_log(h->s.avctx, AV_LOG_ERROR, "decode_slice_header error\n");
-        else if(err == 1) {
+            h->ref_count[0] = h->ref_count[1] = h->list_count = 0;
+        } else if (err == 1) {
             /* Slice could not be decoded in parallel mode, copy down
              * NAL unit stuff to context 0 and restart. Note that
              * rbsp_buffer is not transferred, but since we no longer
@@ -4168,6 +4252,9 @@ static int decode_frame(AVCodecContext *avctx,
 
     s->flags= avctx->flags;
     s->flags2= avctx->flags2;
+    /* reset data partitioning here, to ensure GetBitContexts from previous
+     * packets do not get used. */
+    s->data_partitioning = 0;
 
    /* end of stream, output what is still in the buffers */
     if (buf_size == 0) {

libavcodec/h264.h

@@ -206,6 +206,7 @@ typedef struct SPS{
     int bit_depth_chroma;              ///< bit_depth_chroma_minus8 + 8
     int residual_color_transform_flag; ///< residual_colour_transform_flag
     int constraint_set_flags;          ///< constraint_set[0-3]_flag
+    int new;                           ///< flag to keep track if the decoder context needs re-init due to changed SPS
 }SPS;
 
 /**
@@ -332,6 +333,7 @@ typedef struct H264Context{
     int emu_edge_width;
     int emu_edge_height;
 
+    unsigned current_sps_id; ///< id of the current SPS
     SPS sps; ///< current sps
 
     /**

libavcodec/h264_cabac.c

@@ -1721,7 +1721,7 @@ decode_cabac_residual_internal(H264Context *h, DCTELEM *block,
 \
             if( coeff_abs >= 15 ) { \
                 int j = 0; \
-                while( get_cabac_bypass( CC ) ) { \
+                while (get_cabac_bypass(CC) && j < 30) { \
                     j++; \
                 } \
 \

libavcodec/h264_cavlc.c

@@ -770,6 +770,10 @@ decode_intra_mb:
 
         // We assume these blocks are very rare so we do not optimize it.
         align_get_bits(&s->gb);
+        if (get_bits_left(&s->gb) < mb_size) {
+            av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n");
+            return AVERROR_INVALIDDATA;
+        }
 
         // The pixels are stored in the same order as levels in h->mb array.
         for(x=0; x < mb_size; x++){

libavcodec/h264_loopfilter.c

@@ -254,8 +254,8 @@ static av_always_inline void h264_filter_mb_fast_internal(H264Context *h,
     int top_type= h->top_type;
 
     int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;
 
     int mb_type = s->current_picture.f.mb_type[mb_xy];
     int qp      = s->current_picture.f.qscale_table[mb_xy];
@@ -715,8 +715,8 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint
     av_unused int dir;
     int chroma = !(CONFIG_GRAY && (s->flags&CODEC_FLAG_GRAY));
     int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;
 
     if (FRAME_MBAFF
             // and current and left pair do not have the same interlaced type

libavcodec/h264_mp4toannexb_bsf.c

@@ -156,7 +156,7 @@ pps:
             goto fail;
 
         /* prepend only to the first type 5 NAL unit of an IDR picture */
-        if (ctx->first_idr && unit_type == 5) {
+        if (ctx->first_idr && (unit_type == 5 || unit_type == 7 || unit_type == 8)) {
             if ((ret=alloc_and_copy(poutbuf, poutbuf_size,
                                avctx->extradata, avctx->extradata_size,
                                buf, nal_size)) < 0)

libavcodec/h264_ps.c

@@ -250,7 +250,9 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){
         }
 
         if(sps->num_reorder_frames > 16U /*max_dec_frame_buffering || max_dec_frame_buffering > 16*/){
-            av_log(h->s.avctx, AV_LOG_ERROR, "illegal num_reorder_frames %d\n", sps->num_reorder_frames);
+            av_log(h->s.avctx, AV_LOG_ERROR, "Clipping illegal num_reorder_frames %d\n",
+                   sps->num_reorder_frames);
+            sps->num_reorder_frames = 16;
             return -1;
         }
     }
@@ -363,11 +365,18 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
         }
         sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
         sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
-        if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) {
+        if (sps->bit_depth_luma   < 8 || sps->bit_depth_luma   > 12 ||
+            sps->bit_depth_chroma < 8 || sps->bit_depth_chroma > 12 ||
+            sps->bit_depth_luma != sps->bit_depth_chroma) {
             av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n",
                    sps->bit_depth_luma, sps->bit_depth_chroma);
             goto fail;
         }
+        if (sps->bit_depth_chroma != sps->bit_depth_luma) {
+            av_log_missing_feature(s->avctx,
+                "Different bit depth between chroma and luma", 1);
+            goto fail;
+        }
         sps->transform_bypass = get_bits1(&s->gb);
         decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8);
     }else{
@@ -487,10 +496,13 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
                sps->bit_depth_luma
                );
     }
+    sps->new = 1;
 
     av_free(h->sps_buffers[sps_id]);
-    h->sps_buffers[sps_id]= sps;
-    h->sps = *sps;
+    h->sps_buffers[sps_id] = sps;
+    h->sps                 = *sps;
+    h->current_sps_id      = sps_id;
+
     return 0;
 fail:
     av_free(sps);

libavcodec/h264_refs.c

@@ -63,20 +63,22 @@ static int split_field_copy(Picture *dest, Picture *src,
     return match;
 }
 
-static int build_def_list(Picture *def, Picture **in, int len, int is_long, int sel){
+static int build_def_list(Picture *def, int def_len,
+                          Picture **in, int len, int is_long, int sel)
+{
     int i[2]={0};
     int index=0;
 
-    while(i[0]<len || i[1]<len){
+    while ((i[0] < len || i[1] < len) && index < def_len) {
         while (i[0] < len && !(in[ i[0] ] && (in[ i[0] ]->f.reference & sel)))
             i[0]++;
         while (i[1] < len && !(in[ i[1] ] && (in[ i[1] ]->f.reference & (sel^3))))
             i[1]++;
-        if(i[0] < len){
+        if (i[0] < len && index < def_len) {
             in[ i[0] ]->pic_id= is_long ? i[0] : in[ i[0] ]->frame_num;
             split_field_copy(&def[index++], in[ i[0]++ ], sel  , 1);
         }
-        if(i[1] < len){
+        if (i[1] < len && index < def_len) {
             in[ i[1] ]->pic_id= is_long ? i[1] : in[ i[1] ]->frame_num;
             split_field_copy(&def[index++], in[ i[1]++ ], sel^3, 0);
         }
@@ -124,9 +126,12 @@ int ff_h264_fill_default_ref_list(H264Context *h){
             len= add_sorted(sorted    , h->short_ref, h->short_ref_count, cur_poc, 1^list);
             len+=add_sorted(sorted+len, h->short_ref, h->short_ref_count, cur_poc, 0^list);
             assert(len<=32);
-            len= build_def_list(h->default_ref_list[list]    , sorted     , len, 0, s->picture_structure);
-            len+=build_def_list(h->default_ref_list[list]+len, h->long_ref, 16 , 1, s->picture_structure);
-            assert(len<=32);
+
+            len  = build_def_list(h->default_ref_list[list], FF_ARRAY_ELEMS(h->default_ref_list[0]),
+                                  sorted, len, 0, s->picture_structure);
+            len += build_def_list(h->default_ref_list[list] + len,
+                                  FF_ARRAY_ELEMS(h->default_ref_list[0]) - len,
+                                  h->long_ref, 16, 1, s->picture_structure);
 
             if(len < h->ref_count[list])
                 memset(&h->default_ref_list[list][len], 0, sizeof(Picture)*(h->ref_count[list] - len));
@@ -139,19 +144,22 @@ int ff_h264_fill_default_ref_list(H264Context *h){
                 FFSWAP(Picture, h->default_ref_list[1][0], h->default_ref_list[1][1]);
         }
     }else{
-        len = build_def_list(h->default_ref_list[0]    , h->short_ref, h->short_ref_count, 0, s->picture_structure);
-        len+= build_def_list(h->default_ref_list[0]+len, h-> long_ref, 16                , 1, s->picture_structure);
-        assert(len <= 32);
+        len  = build_def_list(h->default_ref_list[0], FF_ARRAY_ELEMS(h->default_ref_list[0]),
+                              h->short_ref, h->short_ref_count, 0, s->picture_structure);
+        len += build_def_list(h->default_ref_list[0] + len,
+                              FF_ARRAY_ELEMS(h->default_ref_list[0]) - len,
+                              h-> long_ref, 16, 1, s->picture_structure);
+
         if(len < h->ref_count[0])
             memset(&h->default_ref_list[0][len], 0, sizeof(Picture)*(h->ref_count[0] - len));
     }
 #ifdef TRACE
     for (i=0; i<h->ref_count[0]; i++) {
-        tprintf(h->s.avctx, "List0: %s fn:%d 0x%p\n", (h->default_ref_list[0][i].long_ref ? "LT" : "ST"), h->default_ref_list[0][i].pic_id, h->default_ref_list[0][i].data[0]);
+        tprintf(h->s.avctx, "List0: %s fn:%d 0x%p\n", (h->default_ref_list[0][i].long_ref ? "LT" : "ST"), h->default_ref_list[0][i].pic_id, h->default_ref_list[0][i].f.data[0]);
     }
     if(h->slice_type_nos==AV_PICTURE_TYPE_B){
         for (i=0; i<h->ref_count[1]; i++) {
-            tprintf(h->s.avctx, "List1: %s fn:%d 0x%p\n", (h->default_ref_list[1][i].long_ref ? "LT" : "ST"), h->default_ref_list[1][i].pic_id, h->default_ref_list[1][i].data[0]);
+            tprintf(h->s.avctx, "List1: %s fn:%d 0x%p\n", (h->default_ref_list[1][i].long_ref ? "LT" : "ST"), h->default_ref_list[1][i].pic_id, h->default_ref_list[1][i].f.data[0]);
         }
     }
 #endif

libavcodec/h264_sei.c

@@ -184,6 +184,12 @@ int ff_h264_decode_sei(H264Context *h){
         if(s->avctx->debug&FF_DEBUG_STARTCODE)
             av_log(h->s.avctx, AV_LOG_DEBUG, "SEI %d len:%d\n", type, size);
 
+        if (size > get_bits_left(&s->gb) / 8) {
+            av_log(s->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n",
+                   type, get_bits_left(&s->gb));
+            return AVERROR_INVALIDDATA;
+        }
+
         switch(type){
         case SEI_TYPE_PIC_TIMING: // Picture timing SEI
             if(decode_picture_timing(h) < 0)

libavcodec/h264dsp.c

@@ -53,13 +53,13 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo
     c->h264_idct8_dc_add= FUNC(ff_h264_idct8_dc_add, depth);\
     c->h264_idct_add16     = FUNC(ff_h264_idct_add16, depth);\
     c->h264_idct8_add4     = FUNC(ff_h264_idct8_add4, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
         c->h264_idct_add8  = FUNC(ff_h264_idct_add8, depth);\
     else\
         c->h264_idct_add8  = FUNC(ff_h264_idct_add8_422, depth);\
     c->h264_idct_add16intra= FUNC(ff_h264_idct_add16intra, depth);\
     c->h264_luma_dc_dequant_idct= FUNC(ff_h264_luma_dc_dequant_idct, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
         c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma_dc_dequant_idct, depth);\
     else\
         c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma422_dc_dequant_idct, depth);\
@@ -80,20 +80,20 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo
     c->h264_h_loop_filter_luma_intra= FUNC(h264_h_loop_filter_luma_intra, depth);\
     c->h264_h_loop_filter_luma_mbaff_intra= FUNC(h264_h_loop_filter_luma_mbaff_intra, depth);\
     c->h264_v_loop_filter_chroma= FUNC(h264_v_loop_filter_chroma, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
         c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma, depth);\
     else\
         c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma422, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
         c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma_mbaff, depth);\
     else\
         c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma422_mbaff, depth);\
     c->h264_v_loop_filter_chroma_intra= FUNC(h264_v_loop_filter_chroma_intra, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
         c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma_intra, depth);\
     else\
         c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma422_intra, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
         c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma_mbaff_intra, depth);\
     else\
         c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma422_mbaff_intra, depth);\

libavcodec/h264pred.c

@@ -434,7 +434,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
     h->pred8x8l[TOP_DC_PRED         ]= FUNCC(pred8x8l_top_dc              , depth);\
     h->pred8x8l[DC_128_PRED         ]= FUNCC(pred8x8l_128_dc              , depth);\
 \
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
         h->pred8x8[VERT_PRED8x8   ]= FUNCC(pred8x8_vertical               , depth);\
         h->pred8x8[HOR_PRED8x8    ]= FUNCC(pred8x8_horizontal             , depth);\
     } else {\
@@ -442,7 +442,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
         h->pred8x8[HOR_PRED8x8    ]= FUNCC(pred8x16_horizontal            , depth);\
     }\
     if (codec_id != CODEC_ID_VP8) {\
-        if (chroma_format_idc == 1) {\
+        if (chroma_format_idc <= 1) {\
             h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x8_plane                , depth);\
         } else {\
             h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x16_plane               , depth);\
@@ -450,7 +450,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
     } else\
         h->pred8x8[PLANE_PRED8x8]= FUNCD(pred8x8_tm_vp8);\
     if(codec_id != CODEC_ID_RV40 && codec_id != CODEC_ID_VP8){\
-        if (chroma_format_idc == 1) {\
+        if (chroma_format_idc <= 1) {\
             h->pred8x8[DC_PRED8x8     ]= FUNCC(pred8x8_dc                     , depth);\
             h->pred8x8[LEFT_DC_PRED8x8]= FUNCC(pred8x8_left_dc                , depth);\
             h->pred8x8[TOP_DC_PRED8x8 ]= FUNCC(pred8x8_top_dc                 , depth);\
@@ -476,7 +476,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
             h->pred8x8[DC_129_PRED8x8]= FUNCC(pred8x8_129_dc              , depth);\
         }\
     }\
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
         h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x8_128_dc                 , depth);\
     } else {\
         h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x16_128_dc                , depth);\
@@ -510,7 +510,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
     h->pred4x4_add  [ HOR_PRED   ]= FUNCC(pred4x4_horizontal_add          , depth);\
     h->pred8x8l_add [VERT_PRED   ]= FUNCC(pred8x8l_vertical_add           , depth);\
     h->pred8x8l_add [ HOR_PRED   ]= FUNCC(pred8x8l_horizontal_add         , depth);\
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
     h->pred8x8_add  [VERT_PRED8x8]= FUNCC(pred8x8_vertical_add            , depth);\
     h->pred8x8_add  [ HOR_PRED8x8]= FUNCC(pred8x8_horizontal_add          , depth);\
     } else {\

libavcodec/huffyuv.c

@@ -302,10 +302,12 @@ static void generate_len_table(uint8_t *dst, const uint64_t *stats){
 }
 #endif /* CONFIG_HUFFYUV_ENCODER || CONFIG_FFVHUFF_ENCODER */
 
-static void generate_joint_tables(HYuvContext *s){
+static int generate_joint_tables(HYuvContext *s){
     uint16_t symbols[1<<VLC_BITS];
     uint16_t bits[1<<VLC_BITS];
     uint8_t len[1<<VLC_BITS];
+    int ret;
+
     if(s->bitstream_bpp < 24){
         int p, i, y, u;
         for(p=0; p<3; p++){
@@ -327,7 +329,9 @@ static void generate_joint_tables(HYuvContext *s){
                 }
             }
             ff_free_vlc(&s->vlc[3+p]);
-            ff_init_vlc_sparse(&s->vlc[3+p], VLC_BITS, i, len, 1, 1, bits, 2, 2, symbols, 2, 2, 0);
+            if ((ret = ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1, 1,
+                                          bits, 2, 2, symbols, 2, 2, 0)) < 0)
+                return ret;
         }
     }else{
         uint8_t (*map)[4] = (uint8_t(*)[4])s->pix_bgr_map;
@@ -369,29 +373,33 @@ static void generate_joint_tables(HYuvContext *s){
             }
         }
         ff_free_vlc(&s->vlc[3]);
-        init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, bits, 2, 2, 0);
+        if ((ret = init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1,
+                            bits, 2, 2, 0)) < 0)
+            return ret;
     }
+    return 0;
 }
 
 static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
     GetBitContext gb;
-    int i;
-    int ret;
+    int i, ret;
 
-    init_get_bits(&gb, src, length*8);
+    if ((ret = init_get_bits(&gb, src, length * 8)) < 0)
+        return ret;
 
     for(i=0; i<3; i++){
-        if(read_len_table(s->len[i], &gb)<0)
-            return -1;
-        if(generate_bits_table(s->bits[i], s->len[i])<0){
-            return -1;
-        }
+        if ((ret = read_len_table(s->len[i], &gb)) < 0)
+            return ret;
+        if ((ret = generate_bits_table(s->bits[i], s->len[i])) < 0)
+            return ret;
         ff_free_vlc(&s->vlc[i]);
-        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0)
+        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
+                            s->bits[i], 4, 4, 0)) < 0)
             return ret;
     }
 
-    generate_joint_tables(s);
+    if ((ret = generate_joint_tables(s)) < 0)
+        return ret;
 
     return (get_bits_count(&gb)+7)/8;
 }
@@ -399,15 +407,18 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
 static int read_old_huffman_tables(HYuvContext *s){
 #if 1
     GetBitContext gb;
-    int i;
-    int ret;
+    int i, ret;
 
-    init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8);
-    if(read_len_table(s->len[0], &gb)<0)
-        return -1;
-    init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8);
-    if(read_len_table(s->len[1], &gb)<0)
-        return -1;
+    if ((ret = init_get_bits(&gb, classic_shift_luma,
+                             classic_shift_luma_table_size * 8)) < 0)
+        return ret;
+    if ((ret = read_len_table(s->len[0], &gb)) < 0)
+        return ret;
+    if ((ret = init_get_bits(&gb, classic_shift_chroma,
+                             classic_shift_chroma_table_size * 8)) < 0)
+        return ret;
+    if ((ret = read_len_table(s->len[1], &gb)) < 0)
+        return ret;
 
     for(i=0; i<256; i++) s->bits[0][i] = classic_add_luma  [i];
     for(i=0; i<256; i++) s->bits[1][i] = classic_add_chroma[i];
@@ -421,11 +432,13 @@ static int read_old_huffman_tables(HYuvContext *s){
 
     for(i=0; i<3; i++){
         ff_free_vlc(&s->vlc[i]);
-        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0)
+        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
+                            s->bits[i], 4, 4, 0)) < 0)
             return ret;
     }
 
-    generate_joint_tables(s);
+    if ((ret = generate_joint_tables(s)) < 0)
+        return ret;
 
     return 0;
 #else
@@ -465,6 +478,7 @@ static av_cold int common_init(AVCodecContext *avctx){
 static av_cold int decode_init(AVCodecContext *avctx)
 {
     HYuvContext *s = avctx->priv_data;
+    int ret;
 
     common_init(avctx);
     memset(s->vlc, 0, 3*sizeof(VLC));
@@ -500,8 +514,9 @@ s->bgr32=1;
         s->interlaced= (interlace==1) ? 1 : (interlace==2) ? 0 : s->interlaced;
         s->context= ((uint8_t*)avctx->extradata)[2] & 0x40 ? 1 : 0;
 
-        if(read_huffman_tables(s, ((uint8_t*)avctx->extradata)+4, avctx->extradata_size-4) < 0)
-            return -1;
+        if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4,
+                                       avctx->extradata_size - 4)) < 0)
+            return ret;
     }else{
         switch(avctx->bits_per_coded_sample&7){
         case 1:
@@ -528,8 +543,8 @@ s->bgr32=1;
         s->bitstream_bpp= avctx->bits_per_coded_sample & ~7;
         s->context= 0;
 
-        if(read_old_huffman_tables(s) < 0)
-            return -1;
+        if ((ret = read_old_huffman_tables(s)) < 0)
+            return ret;
     }
 
     switch(s->bitstream_bpp){
@@ -555,6 +570,13 @@ s->bgr32=1;
         return AVERROR_INVALIDDATA;
     }
 
+    if (s->predictor == MEDIAN && avctx->pix_fmt == PIX_FMT_YUV422P &&
+        avctx->width % 4) {
+        av_log(avctx, AV_LOG_ERROR, "width must be multiple of 4 "
+               "for this combination of colorspace and predictor type.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     alloc_temp(s);
 
 //    av_log(NULL, AV_LOG_DEBUG, "pred:%d bpp:%d hbpp:%d il:%d\n", s->predictor, s->bitstream_bpp, avctx->bits_per_coded_sample, s->interlaced);
@@ -565,7 +587,7 @@ s->bgr32=1;
 static av_cold int decode_init_thread_copy(AVCodecContext *avctx)
 {
     HYuvContext *s = avctx->priv_data;
-    int i;
+    int i, ret;
 
     avctx->coded_frame= &s->picture;
     alloc_temp(s);
@@ -574,11 +596,12 @@ static av_cold int decode_init_thread_copy(AVCodecContext *avctx)
         s->vlc[i].table = NULL;
 
     if(s->version==2){
-        if(read_huffman_tables(s, ((uint8_t*)avctx->extradata)+4, avctx->extradata_size) < 0)
-            return -1;
+        if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4,
+                                       avctx->extradata_size)) < 0)
+            return ret;
     }else{
-        if(read_old_huffman_tables(s) < 0)
-            return -1;
+        if ((ret = read_old_huffman_tables(s)) < 0)
+            return ret;
     }
 
     return 0;
@@ -1001,7 +1024,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
     const int height= s->height;
     int fake_ystride, fake_ustride, fake_vstride;
     AVFrame * const p= &s->picture;
-    int table_size= 0;
+    int table_size = 0, ret;
 
     AVFrame *picture = data;
 
@@ -1016,21 +1039,23 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
         ff_thread_release_buffer(avctx, p);
 
     p->reference= 0;
-    if(ff_thread_get_buffer(avctx, p) < 0){
+    if ((ret = ff_thread_get_buffer(avctx, p)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
-        return -1;
+        return ret;
     }
 
     if(s->context){
         table_size = read_huffman_tables(s, s->bitstream_buffer, buf_size);
         if(table_size < 0)
-            return -1;
+            return table_size;
     }
 
     if((unsigned)(buf_size-table_size) >= INT_MAX/8)
         return -1;
 
-    init_get_bits(&s->gb, s->bitstream_buffer+table_size, (buf_size-table_size)*8);
+    if ((ret = init_get_bits(&s->gb, s->bitstream_buffer + table_size,
+                             (buf_size - table_size) * 8)) < 0)
+        return ret;
 
     fake_ystride= s->interlaced ? p->linesize[0]*2  : p->linesize[0];
     fake_ustride= s->interlaced ? p->linesize[1]*2  : p->linesize[1];

libavcodec/iff.c

@@ -28,6 +28,7 @@
 #include "libavutil/imgutils.h"
 #include "bytestream.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 
 // TODO: masking bits
@@ -479,7 +480,7 @@ static int decode_frame_ilbm(AVCodecContext *avctx,
             av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
             return res;
         }
-    } else if ((res = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    } else if ((res = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return res;
     } else if (avctx->bits_per_coded_sample <= 8 && avctx->pix_fmt == PIX_FMT_PAL8) {
@@ -579,7 +580,7 @@ static int decode_frame_byterun1(AVCodecContext *avctx,
             av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
             return res;
         }
-    } else if ((res = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    } else if ((res = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return res;
     } else if (avctx->pix_fmt == PIX_FMT_PAL8) {

libavcodec/imc.c

@@ -36,6 +36,7 @@
 #include <stdio.h>
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "fft.h"
@@ -680,7 +681,7 @@ static int imc_decode_frame(AVCodecContext * avctx, void *data,
 
     /* get output buffer */
     q->frame.nb_samples = COEFFS;
-    if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/indeo3.c

@@ -32,6 +32,7 @@
 #include "libavutil/imgutils.h"
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "bytestream.h"
 #include "get_bits.h"
@@ -93,7 +94,7 @@ typedef struct Indeo3DecodeContext {
 
     int16_t         width, height;
     uint32_t        frame_num;      ///< current frame number (zero-based)
-    uint32_t        data_size;      ///< size of the frame data in bytes
+    int             data_size;      ///< size of the frame data in bytes
     uint16_t        frame_flags;    ///< frame properties
     uint8_t         cb_offset;      ///< needed for selecting VQ tables
     uint8_t         buf_sel;        ///< active frame buffer: 0 - primary, 1 -secondary
@@ -885,7 +886,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
     GetByteContext gb;
     const uint8_t   *bs_hdr;
     uint32_t        frame_num, word2, check_sum, data_size;
-    uint32_t        y_offset, u_offset, v_offset, starts[3], ends[3];
+    int             y_offset, u_offset, v_offset;
+    uint32_t        starts[3], ends[3];
     uint16_t        height, width;
     int             i, j;
 
@@ -970,7 +972,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
     ctx->y_data_size = ends[0] - starts[0];
     ctx->v_data_size = ends[1] - starts[1];
     ctx->u_data_size = ends[2] - starts[2];
-    if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 ||
+    if (FFMIN3(y_offset, v_offset, u_offset) < 0 ||
+        FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 ||
         FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 ||
         FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) {
         av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n");
@@ -1097,7 +1100,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
         avctx->release_buffer(avctx, &ctx->frame);
 
     ctx->frame.reference = 0;
-    if ((res = avctx->get_buffer(avctx, &ctx->frame)) < 0) {
+    if ((res = ff_get_buffer(avctx, &ctx->frame)) < 0) {
         av_log(ctx->avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return res;
     }

libavcodec/internal.h

@@ -136,4 +136,7 @@ int avpriv_unlock_avformat(void);
  */
 int ff_alloc_packet(AVPacket *avpkt, int size);
 
+
+int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame);
+
 #endif /* AVCODEC_INTERNAL_H */

libavcodec/ituh263dec.c

@@ -755,6 +755,8 @@ int ff_h263_decode_mb(MpegEncContext *s,
         }
 
         if(IS_DIRECT(mb_type)){
+            if (!s->pp_time)
+                return AVERROR_INVALIDDATA;
             s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT;
             mb_type |= ff_mpeg4_set_direct_mv(s, 0, 0);
         }else{

libavcodec/ivi_common.c

@@ -28,6 +28,7 @@
 
 #define BITSTREAM_READER_LE
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "ivi_common.h"
 #include "libavutil/common.h"
@@ -942,7 +943,7 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
 
     ctx->frame.reference = 0;
     avcodec_set_dimensions(avctx, ctx->planes[0].width, ctx->planes[0].height);
-    if ((result = avctx->get_buffer(avctx, &ctx->frame)) < 0) {
+    if ((result = ff_get_buffer(avctx, &ctx->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return result;
     }

libavcodec/jpeglsdec.c

@@ -208,6 +208,11 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, void *
                 x += stride;
             }
 
+            if (x >= w) {
+                av_log(NULL, AV_LOG_ERROR, "run overflow\n");
+                return;
+            }
+
             /* decode run termination value */
             Rb = R(last, x);
             RItype = (FFABS(Ra - Rb) <= state->near) ? 1 : 0;

libavcodec/jvdec.c

@@ -42,6 +42,14 @@ static av_cold int decode_init(AVCodecContext *avctx)
     JvContext *s = avctx->priv_data;
     avctx->pix_fmt = PIX_FMT_PAL8;
     dsputil_init(&s->dsp, avctx);
+
+    if (!avctx->width || !avctx->height ||
+        (avctx->width & 7) || (avctx->height & 7)) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n",
+               avctx->width, avctx->height);
+        return AVERROR(EINVAL);
+    }
+
     return 0;
 }
 

libavcodec/kgv1dec.c

@@ -27,6 +27,7 @@
 #include "libavutil/intreadwrite.h"
 #include "libavutil/imgutils.h"
 #include "avcodec.h"
+#include "internal.h"
 
 typedef struct {
     AVCodecContext *avctx;
@@ -70,7 +71,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
     maxcnt = w * h;
 
     c->cur.reference = 3;
-    if ((res = avctx->get_buffer(avctx, &c->cur)) < 0)
+    if ((res = ff_get_buffer(avctx, &c->cur)) < 0)
         return res;
     out  = (uint16_t *) c->cur.data[0];
     if (c->prev.data[0]) {

libavcodec/lagarith.c

@@ -52,6 +52,7 @@ typedef struct LagarithContext {
     int zeros;                  /**< number of consecutive zero bytes encountered */
     int zeros_rem;              /**< number of zero bytes remaining to output */
     uint8_t *rgb_planes;
+    int      rgb_planes_allocated;
     int rgb_stride;
 } LagarithContext;
 
@@ -507,13 +508,12 @@ static int lag_decode_frame(AVCodecContext *avctx,
         offs[2] = 13;
         offs[3] = AV_RL32(buf + 9);
 
+        l->rgb_stride = FFALIGN(avctx->width, 16);
+        av_fast_malloc(&l->rgb_planes, &l->rgb_planes_allocated,
+                       l->rgb_stride * avctx->height * 4 + 1);
         if (!l->rgb_planes) {
-            l->rgb_stride = FFALIGN(avctx->width, 16);
-            l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * 4);
-            if (!l->rgb_planes) {
-                av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
-                return AVERROR(ENOMEM);
-            }
+            av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
+            return AVERROR(ENOMEM);
         }
         for (i = 0; i < 4; i++)
             srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride;

libavcodec/lagarithrac.h

@@ -107,6 +107,9 @@ static inline uint8_t lag_get_rac(lag_rac *l)
         l->range -= range_scaled * l->prob[255];
     }
 
+    if (!l->range)
+        l->range = 0x80;
+
     l->low -= range_scaled * l->prob[val];
 
     return val;

libavcodec/libgsm.c

@@ -30,6 +30,7 @@
 #include <gsm/gsm.h>
 
 #include "avcodec.h"
+#include "internal.h"
 #include "gsm.h"
 
 static av_cold int libgsm_encode_init(AVCodecContext *avctx) {
@@ -188,7 +189,7 @@ static int libgsm_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = avctx->frame_size;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/libopencore-amr.c

@@ -20,6 +20,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "libavutil/avstring.h"
 #include "libavutil/opt.h"
 
@@ -143,7 +144,7 @@ static int amr_nb_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = 160;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
@@ -295,7 +296,7 @@ static int amr_wb_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = 320;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/libspeexdec.c

@@ -23,6 +23,7 @@
 #include <speex/speex_stereo.h>
 #include <speex/speex_callbacks.h>
 #include "avcodec.h"
+#include "internal.h"
 
 typedef struct {
     AVFrame frame;
@@ -108,7 +109,7 @@ static int libspeex_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = s->frame_size;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/mace.c

@@ -25,6 +25,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 
 /*
  * Adapted to libavcodec by Francois Revol <revol@free.fr>
@@ -253,7 +254,7 @@ static int mace_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     ctx->frame.nb_samples = 3 * (buf_size << (1 - is_mace3)) / avctx->channels;
-    if ((ret = avctx->get_buffer(avctx, &ctx->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &ctx->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/mjpegdec.c

@@ -216,21 +216,21 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s)
 
 int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
 {
-    int len, nb_components, i, width, height, pix_fmt_id;
+    int len, nb_components, i, width, height, bits, pix_fmt_id;
 
     s->cur_scan = 0;
     s->upscale_h = s->upscale_v = 0;
 
     /* XXX: verify len field validity */
     len     = get_bits(&s->gb, 16);
-    s->bits = get_bits(&s->gb, 8);
+    bits = get_bits(&s->gb, 8);
 
     if (s->pegasus_rct)
-        s->bits = 9;
-    if (s->bits == 9 && !s->pegasus_rct)
+        bits = 9;
+    if (bits == 9 && !s->pegasus_rct)
         s->rct  = 1;    // FIXME ugly
 
-    if (s->bits != 8 && !s->lossless) {
+    if (bits != 8 && !s->lossless) {
         av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n");
         return -1;
     }
@@ -262,7 +262,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
             return AVERROR_INVALIDDATA;
         }
     }
-    if (s->ls && !(s->bits <= 8 || nb_components == 1)) {
+    if (s->ls && !(bits <= 8 || nb_components == 1)) {
         av_log(s->avctx, AV_LOG_ERROR,
                "only <= 8 bits/component or 16-bit gray accepted for JPEG-LS\n");
         return -1;
@@ -306,11 +306,14 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
 
     /* if different size, realloc/alloc picture */
     /* XXX: also check h_count and v_count */
-    if (width != s->width || height != s->height) {
+    if (   width != s->width || height != s->height
+        || bits != s->bits
+       ) {
         av_freep(&s->qscale_table);
 
         s->width      = width;
         s->height     = height;
+        s->bits       = bits;
         s->interlaced = 0;
 
         /* test interlaced mode */
@@ -415,9 +418,12 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
     }
     if (s->ls) {
         s->upscale_h = s->upscale_v = 0;
-        if (s->nb_components > 1)
+        if (s->nb_components == 3) {
             s->avctx->pix_fmt = PIX_FMT_RGB24;
-        else if (s->bits <= 8)
+        } else if (s->nb_components != 1) {
+            av_log(s->avctx, AV_LOG_ERROR, "Unsupported number of components %d\n", s->nb_components);
+            return AVERROR_PATCHWELCOME;
+        } else if (s->bits <= 8)
             s->avctx->pix_fmt = PIX_FMT_GRAY8;
         else
             s->avctx->pix_fmt = PIX_FMT_GRAY16;
@@ -1023,12 +1029,17 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
 
                     if (s->interlaced && s->bottom_field)
                         block_offset += linesize[c] >> 1;
-                    ptr = data[c] + block_offset;
+                    if (   8*(h * mb_x + x) < s->width
+                        && 8*(v * mb_y + y) < s->height) {
+                        ptr = data[c] + block_offset;
+                    } else
+                        ptr = NULL;
                     if (!s->progressive) {
-                        if (copy_mb)
-                            mjpeg_copy_block(ptr, reference_data[c] + block_offset,
-                                             linesize[c], s->avctx->lowres);
-                        else {
+                        if (copy_mb) {
+                            if (ptr)
+                                mjpeg_copy_block(ptr, reference_data[c] + block_offset,
+                                                linesize[c], s->avctx->lowres);
+                        } else {
                             s->dsp.clear_block(s->block);
                             if (decode_block(s, s->block, i,
                                              s->dc_index[i], s->ac_index[i],
@@ -1037,7 +1048,9 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah,
                                        "error y=%d x=%d\n", mb_y, mb_x);
                                 return -1;
                             }
-                            s->dsp.idct_put(ptr, linesize[c], s->block);
+                            if (ptr) {
+                                s->dsp.idct_put(ptr, linesize[c], s->block);
+                            }
                         }
                     } else {
                         int block_idx  = s->block_stride[c] * (v * mb_y + y) +
@@ -1111,7 +1124,7 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
         return AVERROR_INVALIDDATA;
 
     if (!Al) {
-        s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss);
+        s->coefs_finished[c] |= (2LL << se) - (1LL << ss);
         last_scan = !~s->coefs_finished[c];
     }
 
@@ -1373,6 +1386,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
     }
 
     if (id == AV_RL32("LJIF")) {
+        int rgb = s->rgb;
+        int pegasus_rct = s->pegasus_rct;
         if (s->avctx->debug & FF_DEBUG_PICT_INFO)
             av_log(s->avctx, AV_LOG_INFO,
                    "Pegasus lossless jpeg header found\n");
@@ -1382,17 +1397,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
         skip_bits(&s->gb, 16); /* unknwon always 0? */
         switch (get_bits(&s->gb, 8)) {
         case 1:
-            s->rgb         = 1;
-            s->pegasus_rct = 0;
+            rgb         = 1;
+            pegasus_rct = 0;
             break;
         case 2:
-            s->rgb         = 1;
-            s->pegasus_rct = 1;
+            rgb         = 1;
+            pegasus_rct = 1;
             break;
         default:
             av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace\n");
         }
+
         len -= 9;
+        if (s->got_picture)
+            if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) {
+                av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n");
+                goto out;
+            }
+
+        s->rgb = rgb;
+        s->pegasus_rct = pegasus_rct;
+
         goto out;
     }
 
@@ -1558,6 +1583,10 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s,
             put_bits(&pb, 8, x);
             if (x == 0xFF) {
                 x = src[b++];
+                if (x & 0x80) {
+                    av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n");
+                    x &= 0x7f;
+                }
                 put_bits(&pb, 7, x);
                 bit_count--;
             }

libavcodec/mlpdec.c

@@ -27,6 +27,7 @@
 #include <stdint.h>
 
 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "libavutil/intreadwrite.h"
 #include "get_bits.h"
@@ -982,7 +983,7 @@ static int output_data(MLPDecodeContext *m, unsigned int substr,
 
     /* get output buffer */
     m->frame.nb_samples = s->blockpos;
-    if ((ret = avctx->get_buffer(avctx, &m->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &m->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/mmvideo.c

@@ -60,6 +60,13 @@ static av_cold int mm_decode_init(AVCodecContext *avctx)
 
     avctx->pix_fmt = PIX_FMT_PAL8;
 
+    if (!avctx->width || !avctx->height ||
+        (avctx->width & 1) || (avctx->height & 1)) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n",
+               avctx->width, avctx->height);
+        return AVERROR(EINVAL);
+    }
+
     avcodec_get_frame_defaults(&s->frame);
     s->frame.reference = 3;
 
@@ -107,7 +114,7 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert)
 
         if (color) {
             memset(s->frame.data[0] + y*s->frame.linesize[0] + x, color, run_length);
-            if (half_vert)
+            if (half_vert && y + half_vert < s->avctx->height)
                 memset(s->frame.data[0] + (y+1)*s->frame.linesize[0] + x, color, run_length);
         }
         x+= run_length;
@@ -152,6 +159,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert)
             int replace_array = bytestream2_get_byte(&s->gb);
             for(j=0; j<8; j++) {
                 int replace = (replace_array >> (7-j)) & 1;
+                if (x + half_horiz >= s->avctx->width)
+                    return AVERROR_INVALIDDATA;
                 if (replace) {
                     int color = bytestream2_get_byte(&data_ptr);
                     s->frame.data[0][y*s->frame.linesize[0] + x] = color;

libavcodec/mpc7.c

@@ -27,6 +27,7 @@
 
 #include "libavutil/lfg.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "mpegaudiodsp.h"
@@ -217,7 +218,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, void *data,
 
     /* get output buffer */
     c->frame.nb_samples = buf[1] ? c->lastframelen : MPC_FRAME_SIZE;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/mpc8.c

@@ -27,6 +27,7 @@
 
 #include "libavutil/lfg.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "mpegaudiodsp.h"
@@ -253,7 +254,7 @@ static int mpc8_decode_frame(AVCodecContext * avctx, void *data,
 
     /* get output buffer */
     c->frame.nb_samples = MPC_FRAME_SIZE;
-    if ((res = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((res = ff_get_buffer(avctx, &c->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return res;
     }

libavcodec/mpeg12.c

@@ -83,6 +83,15 @@ static int mpeg_decode_motion(MpegEncContext *s, int fcode, int pred)
     return sign_extend(val, 5 + shift);
 }
 
+#define check_scantable_index(ctx, x)                                     \
+    do {                                                                  \
+        if ((x) > 63) {                                                   \
+            av_log(ctx->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", \
+                   ctx->mb_x, ctx->mb_y);                                 \
+            return AVERROR_INVALIDDATA;                                   \
+        }                                                                 \
+    } while (0)                                                           \
+
 static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, int n)
 {
     int level, dc, diff, i, j, run;
@@ -114,6 +123,7 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                 break;
             } else if (level != 0) {
                 i += run;
+                check_scantable_index(s, i);
                 j = scantable[i];
                 level = (level * qscale * quant_matrix[j]) >> 4;
                 level = (level - 1) | 1;
@@ -130,6 +140,7 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                     level = SHOW_UBITS(re, &s->gb, 8)      ; LAST_SKIP_BITS(re, &s->gb, 8);
                 }
                 i += run;
+                check_scantable_index(s, i);
                 j = scantable[i];
                 if (level < 0) {
                     level = -level;
@@ -141,10 +152,6 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                     level = (level - 1) | 1;
                 }
             }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }
 
             block[j] = level;
         }
@@ -264,6 +271,7 @@ static inline int mpeg1_fast_decode_block_inter(MpegEncContext *s, DCTELEM *bloc
 
             if (level != 0) {
                 i += run;
+                check_scantable_index(s, i);
                 j = scantable[i];
                 level = ((level * 2 + 1) * qscale) >> 1;
                 level = (level - 1) | 1;
@@ -280,6 +288,7 @@ static inline int mpeg1_fast_decode_block_inter(MpegEncContext *s, DCTELEM *bloc
                     level = SHOW_UBITS(re, &s->gb, 8)      ; SKIP_BITS(re, &s->gb, 8);
                 }
                 i += run;
+                check_scantable_index(s, i);
                 j = scantable[i];
                 if (level < 0) {
                     level = -level;
@@ -345,6 +354,7 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block
 
             if (level != 0) {
                 i += run;
+                check_scantable_index(s, i);
                 j = scantable[i];
                 level = ((level * 2 + 1) * qscale * quant_matrix[j]) >> 5;
                 level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
@@ -356,6 +366,7 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block
                 level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);
 
                 i += run;
+                check_scantable_index(s, i);
                 j = scantable[i];
                 if (level < 0) {
                     level = ((-level * 2 + 1) * qscale * quant_matrix[j]) >> 5;
@@ -364,10 +375,6 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block
                     level = ((level * 2 + 1) * qscale * quant_matrix[j]) >> 5;
                 }
             }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }
 
             mismatch ^= level;
             block[j]  = level;
@@ -414,6 +421,7 @@ static inline int mpeg2_fast_decode_block_non_intra(MpegEncContext *s,
 
         if (level != 0) {
             i += run;
+            check_scantable_index(s, i);
             j  = scantable[i];
             level = ((level * 2 + 1) * qscale) >> 1;
             level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
@@ -425,6 +433,7 @@ static inline int mpeg2_fast_decode_block_non_intra(MpegEncContext *s,
             level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);
 
             i += run;
+            check_scantable_index(s, i);
             j  = scantable[i];
             if (level < 0) {
                 level = ((-level * 2 + 1) * qscale) >> 1;
@@ -491,6 +500,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                 break;
             } else if (level != 0) {
                 i += run;
+                check_scantable_index(s, i);
                 j  = scantable[i];
                 level = (level * qscale * quant_matrix[j]) >> 4;
                 level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
@@ -501,6 +511,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                 UPDATE_CACHE(re, &s->gb);
                 level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);
                 i += run;
+                check_scantable_index(s, i);
                 j  = scantable[i];
                 if (level < 0) {
                     level = (-level * qscale * quant_matrix[j]) >> 4;
@@ -509,10 +520,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                     level = (level * qscale * quant_matrix[j]) >> 4;
                 }
             }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }
 
             mismatch ^= level;
             block[j]  = level;
@@ -527,10 +534,10 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
 
 static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *block, int n)
 {
-    int level, dc, diff, j, run;
+    int level, dc, diff, i, j, run;
     int component;
     RLTable *rl;
-    uint8_t * scantable = s->intra_scantable.permutated;
+    uint8_t * const scantable = s->intra_scantable.permutated;
     const uint16_t *quant_matrix;
     const int qscale = s->qscale;
 
@@ -549,6 +556,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
     dc += diff;
     s->last_dc[component] = dc;
     block[0] = dc << (3 - s->intra_dc_precision);
+    i = 0;
     if (s->intra_vlc_format)
         rl = &ff_rl_mpeg2;
     else
@@ -564,8 +572,9 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
             if (level == 127) {
                 break;
             } else if (level != 0) {
-                scantable += run;
-                j = *scantable;
+                i += run;
+                check_scantable_index(s, i);
+                j  = scantable[i];
                 level = (level * qscale * quant_matrix[j]) >> 4;
                 level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
                 LAST_SKIP_BITS(re, &s->gb, 1);
@@ -574,8 +583,9 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
                 run = SHOW_UBITS(re, &s->gb, 6) + 1; LAST_SKIP_BITS(re, &s->gb, 6);
                 UPDATE_CACHE(re, &s->gb);
                 level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);
-                scantable += run;
-                j = *scantable;
+                i += run;
+                check_scantable_index(s, i);
+                j  = scantable[i];
                 if (level < 0) {
                     level = (-level * qscale * quant_matrix[j]) >> 4;
                     level = -level;
@@ -589,7 +599,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
         CLOSE_READER(re, &s->gb);
     }
 
-    s->block_last_index[n] = scantable - s->intra_scantable.permutated;
+    s->block_last_index[n] = i;
     return 0;
 }
 

libavcodec/mpegaudiodec.c

@@ -28,6 +28,7 @@
 
 #include "libavutil/audioconvert.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "mathops.h"
 #include "mpegaudiodsp.h"
@@ -1602,7 +1603,7 @@ static int mp_decode_frame(MPADecodeContext *s, OUT_INT *samples,
     /* get output buffer */
     if (!samples) {
         s->frame.nb_samples = s->avctx->frame_size;
-        if ((ret = s->avctx->get_buffer(s->avctx, &s->frame)) < 0) {
+        if ((ret = ff_get_buffer(s->avctx, &s->frame)) < 0) {
             av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n");
             return ret;
         }
@@ -1908,7 +1909,7 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame->nb_samples = MPA_FRAME_SIZE;
-    if ((ret = avctx->get_buffer(avctx, s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }