update for 0.10.13

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
avcodec/mjpegdec: Fix undefined shift
2014-06-09 02:00:04 +02:00 · 2014-06-09 01:50:05 +02:00 · 2014-06-09 01:50:05 +02:00 · 2014-06-09 01:50:04 +02:00 · 2014-06-09 01:13:58 +02:00 · 2014-06-09 01:13:58 +02:00
199 changed files with 2865 additions and 1651 deletions
--- a/214
+++ b/214
@@ -3,6 +3,220 @@ releases are sorted from youngest to oldest.

 version next:

+
+version 0.10.11
+
+- pthread: Avoid spurious wakeups
+- pthread: Fix deadlock during thread initialization
+- mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
+- vc1dec: Don't decode slices when the latest slice header failed to decode
+- vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
+- r3d: Add more input value validation
+- fraps: Make the input buffer size checks more strict
+- svq3: Avoid a division by zero
+- rmdec: Validate the fps value
+- twinvqdec: Check the ibps parameter separately
+- asfdec: Check the return value of asf_read_stream_properties
+- mxfdec: set audio timebase to 1/samplerate
+- pcx: Check the packet size before assuming it fits a palette
+- rpza: Fix a buffer size check
+- xxan: Disallow odd width
+- xan: Only read within the data that actually was initialized
+- xan: Use bytestream2 to limit reading to within the buffer
+- pcx: Consume the whole packet if giving up due to missing palette
+- pngdec: Stop trying to decode once inflate returns Z_STREAM_END
+- mov: Make sure the read sample count is nonnegative
+- bfi: Add some very basic sanity checks for input packet sizes
+- bfi: Avoid divisions by zero
+- electronicarts: Add more sanity checking for the number of channels
+- riffdec: Add sanity checks for the sample rate
+- mvi: Add sanity checking for the audio frame size
+- xwma: Avoid division by zero
+- avidec: Make sure a packet is large enough before reading its data
+- vqf: Make sure the bitrate is in the valid range
+- vqf: Make sure sample_rate is set to a valid value
+- vc1dec: Undo mpegvideo initialization if unable to allocate tables
+- vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
+- wnv1: Make sure the input packet is large enough
+- dca: Validate the lfe parameter
+- rl2: Avoid a division by zero
+- wtv: Add more sanity checks for a length read from the file
+- segafilm: Validate the number of audio channels
+- qpeg: Add checks for running out of rows in qpeg_decode_inter
+- mpegaudiodec: Validate that the number of channels fits at the given offset
+- asv1: Verify the amount of extradata
+- idroqdec: Make sure a video stream has been allocated before returning packets
+- rv10: Validate the dimensions set from the container
+- xmv: Add more sanity checks for parameters read from the bitstream
+- ffv1: Make sure at least one slice context is initialized
+- truemotion2: Use av_freep properly in an error path
+- eacmv: Make sure a reference frame exists before referencing it
+- mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
+- ivi_common: Make sure color planes have been initialized
+- oggparseogm: Convert to use bytestream2
+- rv34: Check the return value from ff_rv34_decode_init
+- matroskadec: Verify realaudio codec parameters
+- mace: Make sure that the channel count is set to a valid value
+- svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
+- vp3: Check the framerate for validity
+- cavsdec: Make sure a sequence header has been decoded before decoding pictures
+- sierravmd: Do sanity checking of frame sizes
+- omadec: Properly check lengths before incrementing the position
+- mpc8: Make sure the first stream exists before parsing the seek table
+- mpc8: Check the seek table size parsed from the bitstream
+- zmbvdec: Check the buffer size for uncompressed data
+- ape: Don't allow the seektable to be omitted
+- shorten: Break out of loop looking for fmt chunk if none is found
+- shorten: Use a checked bytestream reader for the wave header
+- smacker: Make sure we don't fill in huffman codes out of range
+- smacker: Avoid integer overflow when allocating packets
+- smacker: Don't return packets in unallocated streams
+- dsicin: Add some basic sanity checks for fields read from the file
+- roqvideodec: check dimensions validity
+- qdm2: check array index before use, fix out of array accesses
+- alsdec: check block length
+
+
+version 0.10.10
+
+- x86: fft: Remove 3DNow! optimizations, they break FATE
+- x86: ac3dsp: Drop mmx variant of ac3_max_msb_abs_int16
+- aac: Check init_get_bits return value
+- aac: return meaningful errors
+- dsicinav: K&R formatting cosmetics
+- mov: Seek back if overreading an individual atom
+- vcr1: add sanity checks
+- pictordec: pass correct context to avpriv_request_sample
+- dsicinav: Clip the source size to the expected maximum
+- alsdec: Clean up error paths
+- ogg: Fix potential infinite discard loop
+- nuv: check rtjpeg_decode_frame_yuv420 return value
+- nuv: Reset the frame on resize
+- nuv: Use av_fast_realloc
+- nuv: return meaningful error codes.
+- nuv: Pad the lzo outbuf
+- nuv: Do not ignore lzo decompression failures
+- oma: correctly mark and decrypt partial packets
+- oma: check geob tag boundary
+- oma: refactor seek function
+- 8bps: Bound-check the input buffer
+- rtmp: Do not misuse memcmp
+- rtmp: rename data_size to size
+- lavc: set the default rc_initial_buffer_occupancy
+- 4xm: Reject not a multiple of 16 dimension
+- 4xm: do not overread the prestream buffer
+- 4xm: validate the buffer size before parsing it
+- indeo: Do not reference mismatched tiles
+- indeo: Sanitize ff_ivi_init_planes fail paths
+- indeo: Bound-check before applying motion compensation
+- indeo: Bound-check before applying transform
+- indeo: reject negative array indexes
+- indeo: Cosmetic formatting
+- indeo: Refactor ff_ivi_init_tiles and ivi_decode_blocks
+- indeo: Refactor ff_ivi_dec_huff_desc
+- lavf: fix the comparison in an overflow check
+- dv: Add a guard to not overread the ppcm array
+- mpegvideo: Avoid 32-bit wrapping of linesize multiplications
+- mjpegb: Detect changing number of planes in interlaced video
+- matroskadec: Check that .lang was allocated and set before reading it
+- ape demuxer: check for EOF in potentially long loops
+- lavf: avoid integer overflow when estimating bitrate
+- pictordec: break out of both decoding loops when y drops below 0
+- ac3: Return proper error codes
+- ac3: Clean up the error paths
+- ac3: Do not clash with normal AVERROR
+- dxa: Make sure the reference frame exists
+- h261: check the mtype index
+- segafilm: Error out on impossible packet size
+- ogg: Always alloc the private context in vorbis_header
+- vc1: check mb_height validity.
+- vc1: check the source buffer in vc1_mc functions
+- bink: Bound check the quantization matrix.
+- xl: Make sure the width is valid
+- alsdec: Fix the clipping range
+- dsicinav: Bound-check the source buffer when needed
+- mov: Do not allow updating the time scale after it has been set
+- ac3dec: Don't consume more data than the actual input packet size
+- indeo: Reject impossible FRAMETYPE_NULL
+- indeo5: return proper error codes
+- indeo4: Validate scantable dimension
+- indeo4: Check the quantization matrix index
+- indeo4: Do not access missing reference MV
+- adpcm: Unbreak ima-dk4
+- ac3dec: validate channel output mode against channel count
+- dca: Respect the current limits in the downmixing capabilities
+- dca: Error out on missing DSYNC
+- pcm: always use codec->id instead of codec_id
+- mlpdec: Do not set invalid context in read_restart_header
+- pcx: Do not overread source buffer in pcx_rle_decode
+- wmavoice: conceal clearly corrupted blocks
+- iff: Do not read over the source buffer
+- qdm2: Conceal broken samples
+- qdm2: refactor joined stereo support
+- adpcm: Write the correct number of samples for ima-dk4
+- imc: Catch a division by zero
+- atrac3: Error on impossible encoding/channel combinations
+- atrac3: set the getbits context the right buffer_end
+- atrac3: fix error handling
+- qdm2: check and reset dithering index per channel
+- westwood_vqa: do not free extradata on error in read_header
+- vqavideo: check the version
+- rmdec: Use the AVIOContext given as parameter in rm_read_metadata()
+- avio: Handle AVERROR_EOF in the same way as the return value 0
+- wtv: Mark attachment with a negative stream id
+- avidec: Let the inner dv demuxer take care of discarding
+- swfdec: do better validation of tag length
+
+
+version 0.10.8
+- kmvc: Clip pixel position to valid range
+- kmvc: use fixed sized arrays in the context
+- indeo: use a typedef for the mc function pointer
+- lavc: check for overflow in init_get_bits
+- mjpegdec: properly report unsupported disabled features
+- jpegls: return meaningful errors
+- jpegls: factorize return paths
+- jpegls: check the scan offset
+- wavpack: validate samples size parsed in wavpack_decode_block
+- ljpeg: use the correct number of components in yuv
+- mjpeg: Validate sampling factors
+- mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac
+- wavpack: check packet size early
+- wavpack: return meaningful errors
+- apetag: use int64_t for filesize
+- tiff: do not overread the source buffer
+- Prepare for 0.8.8 Release
+- smacker: fix an off by one in huff.length computation
+- smacker: check the return value of smacker_decode_tree
+- smacker: pad the extradata allocation
+- smacker: check frame size validity
+- vmdav: convert to bytestream2
+- 4xm: don't rely on get_buffer() initializing the frame.
+- 4xm: check the return value of read_huffman_tables().
+- 4xm: use the correct logging context
+- 4xm: reject frames not compatible with the declared version
+- 4xm: check bitstream_size boundary before using it
+- 4xm: do not overread the source buffer in decode_p_block
+- avfiltergraph: check for sws opts being non-NULL before using them
+- bmv: check for len being valid in bmv_decode_frame()
+- dfa: check for invalid access in decode_wdlt()
+- indeo3: check motion vectors
+- indeo3: fix data size check
+- indeo3: switch parsing the header to bytestream2
+- lavf: make sure stream probe data gets freed.
+- oggdec: fix faulty cleanup prototype
+- oma: Validate sample rates
+- qdm2: check that the FFT size is a power of 2
+- rv10: check that extradata is large enough
+- xmv: check audio track parameters validity
+- xmv: do not leak memory in the error paths in xmv_read_header()
+- aac: check the maximum number of channels
+- indeo3: fix off by one in MV validity check, Bug #503
+- id3v2: check for end of file while unescaping tags
+- wav: Always seek to an even offset, Bug #500, LP: #1174737
+- proresdec: support mixed interlaced/non-interlaced content
+
+
 version 0.10.6:

 - many bug fixes that where found with Coverity
--- a/2
+++ b/2
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 0.10.7
+PROJECT_NUMBER         = 0.10.13

 # With the PROJECT_LOGO tag one can specify an logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
--- a/2
+++ b/2
@@ -1 +1 @@
-0.10.7
+0.10.13
--- a/2
+++ b/2
@@ -1 +1 @@
-0.10.7
+0.10.13
--- a/cmdutils.c
+++ b/cmdutils.c
@@ -56,7 +56,7 @@
 struct SwsContext *sws_opts;
 AVDictionary *format_opts, *codec_opts;

-const int this_year = 2013;
+const int this_year = 2014;

 static FILE *report_file;

--- a/13
+++ b/13
@@ -54,6 +54,8 @@ if test "$E1" != 0 || test "$E2" = 0; then
    exit 1
 fi

+test -d /usr/xpg4/bin && PATH=/usr/xpg4/bin:$PATH
+
 show_help(){
 cat <<EOF
 Usage: configure [options]
@@ -688,6 +690,13 @@ check_ld(){
    check_cmd $ld $LDFLAGS $flags -o $TMPE $TMPO $libs $extralibs
 }

+print_include(){
+    hdr=$1
+    test "${hdr%.h}" = "${hdr}" &&
+        echo "#include $hdr"    ||
+        echo "#include <$hdr>"
+}
+
 check_cppflags(){
    log check_cppflags "$@"
    set -- $($filter_cppflags "$@")
@@ -765,7 +774,7 @@ check_func_headers(){
    shift 2
    {
        for hdr in $headers; do
-            echo "#include <$hdr>"
+            print_include $hdr
        done
        for func in $funcs; do
            echo "long check_$func(void) { return (long) $func; }"
@@ -3134,7 +3143,7 @@ enabled libdirac   && require_pkg_config dirac                          \
    "libdirac_decoder/dirac_parser.h libdirac_encoder/dirac_encoder.h"  \
    "dirac_decoder_init dirac_encoder_init"
 enabled libfaac    && require2 libfaac "stdint.h faac.h" faacEncGetVersion -lfaac
-enabled libfreetype && require_pkg_config freetype2 "ft2build.h freetype/freetype.h" FT_Init_FreeType
+enabled libfreetype && require_pkg_config freetype2 "ft2build.h FT_FREETYPE_H" FT_Init_FreeType
 enabled libgsm     && require  libgsm gsm/gsm.h gsm_create -lgsm
 enabled libmodplug && require  libmodplug libmodplug/modplug.h ModPlug_Load -lmodplug
 enabled libmp3lame && require  "libmp3lame >= 3.98.3" lame/lame.h lame_set_VBR_quality -lmp3lame
--- a/doc/issue_tracker.txt
+++ b/doc/issue_tracker.txt
@@ -24,7 +24,7 @@ a mail for every change to every issue.
 The subscription URL for the ffmpeg-trac list is:
 http(s)://ffmpeg.org/mailman/listinfo/ffmpeg-trac
 The URL of the webinterface of the tracker is:
-http(s)://ffmpeg.org/trac/ffmpeg
+http(s)://trac.ffmpeg.org

 Type:
 -----
--- a/doc/platform.texi
+++ b/doc/platform.texi
@@ -51,14 +51,15 @@ The toolchain provided with Xcode is sufficient to build the basic
 unacelerated code.

 Mac OS X on PowerPC or ARM (iPhone) requires a preprocessor from
-@url{http://github.com/yuvi/gas-preprocessor} to build the optimized
-assembler functions. Just download the Perl script and put it somewhere
+@url{https://github.com/FFmpeg/gas-preprocessor} or
+@url{https://github.com/yuvi/gas-preprocessor} to build the optimized
+assembler functions. Put the Perl script somewhere
 in your PATH, FFmpeg's configure will pick it up automatically.

 Mac OS X on amd64 and x86 requires @command{yasm} to build most of the
 optimized assembler functions. @uref{http://www.finkproject.org/, Fink},
@uref{http://www.gentoo.org/proj/en/gentoo-alt/prefix/bootstrap-macos.xml, Gentoo Prefix},
-@uref{http://mxcl.github.com/homebrew/, Homebrew}
+@uref{https://mxcl.github.com/homebrew/, Homebrew}
 or @uref{http://www.macports.org, MacPorts} can easily provide it.


--- a/doc/protocols.texi
+++ b/doc/protocols.texi
@@ -242,7 +242,7 @@ data transferred over RDT).

 The muxer can be used to send a stream using RTSP ANNOUNCE to a server
 supporting it (currently Darwin Streaming Server and Mischa Spiegelmock's
-@uref{http://github.com/revmischa/rtsp-server, RTSP server}).
+@uref{https://github.com/revmischa/rtsp-server, RTSP server}).

 The required syntax for a RTSP url is:
@example
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -4057,8 +4057,6 @@ static OutputStream *new_video_stream(OptionsContext *o, AVFormatContext *oc)
            if (p) p++;
        }
        video_enc->rc_override_count = i;
-        if (!video_enc->rc_initial_buffer_occupancy)
-            video_enc->rc_initial_buffer_occupancy = video_enc->rc_buffer_size * 3 / 4;
        video_enc->intra_dc_precision = intra_dc_precision - 8;

        if (do_psnr)
--- a/ffserver.c
+++ b/ffserver.c
@@ -562,9 +562,11 @@ static void start_multicast(void)
    default_port = 6000;
    for(stream = first_stream; stream != NULL; stream = stream->next) {
        if (stream->is_multicast) {
+            unsigned random0 = av_lfg_get(&random_state);
+            unsigned random1 = av_lfg_get(&random_state);
            /* open the RTP connection */
            snprintf(session_id, sizeof(session_id), "%08x%08x",
-                     av_lfg_get(&random_state), av_lfg_get(&random_state));
+                     random0, random1);

            /* choose a port if none given */
            if (stream->multicast_port == 0) {
@@ -3086,9 +3088,12 @@ static void rtsp_cmd_setup(HTTPContext *c, const char *url,
 found:

    /* generate session id if needed */
-    if (h->session_id[0] == '\0')
+    if (h->session_id[0] == '\0') {
+        unsigned random0 = av_lfg_get(&random_state);
+        unsigned random1 = av_lfg_get(&random_state);
        snprintf(h->session_id, sizeof(h->session_id), "%08x%08x",
-                 av_lfg_get(&random_state), av_lfg_get(&random_state));
+                 random0, random1);
+    }

    /* find rtp session, and create it if none found */
    rtp_c = find_rtp_session(h->session_id);
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -25,6 +25,7 @@
 */

 #include "libavutil/intreadwrite.h"
+#include "libavutil/avassert.h"
 #include "avcodec.h"
 #include "dsputil.h"
 #include "get_bits.h"
@@ -347,6 +348,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
        decode_p_block(f, dst             , src             , log2w, log2h, stride);
        decode_p_block(f, dst + (1<<log2w), src + (1<<log2w), log2w, log2h, stride);
    }else if(code == 3 && f->version<2){
+        if (start > src || src > end) {
+            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+            return;
+        }
        mcdc(dst, src, log2w, h, stride, 1, 0);
    }else if(code == 4){
        if (f->g.buffer_end - f->g.buffer < 1){
@@ -368,6 +373,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
            av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
            return;
        }
+        if (start > src || src > end) {
+            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+            return;
+        }
        mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2));
    }else if(code == 6){
        if (f->g2.buffer_end - f->g2.buffer < 2){
@@ -394,6 +403,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
    unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset;

    if(f->version>1){
+        if (length < 20)
+            return AVERROR_INVALIDDATA;
        extra=20;
        if (length < extra)
            return -1;
@@ -551,7 +562,10 @@ static int decode_i_mb(FourXContext *f){
    return 0;
 }

-static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf, int buf_size){
+static const uint8_t *read_huffman_tables(FourXContext *f,
+                                          const uint8_t * const buf,
+                                          int buf_size)
+{
    int frequency[512];
    uint8_t flag[512];
    int up[512];
@@ -572,6 +586,9 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const

        if (start <= end && ptr_end - ptr < end - start + 1 + 1)
            return NULL;
+        if (end < start || buf_size < 0)
+            return NULL;
+
        for(i=start; i<=end; i++){
            frequency[i]= *ptr++;
        }
@@ -665,8 +682,8 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){
            color[0]= bytestream2_get_le16u(&g3);
            color[1]= bytestream2_get_le16u(&g3);

-            if(color[0]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 1\n");
-            if(color[1]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 2\n");
+            if(color[0]&0x8000) av_log(f->avctx, AV_LOG_ERROR, "unk bit 1\n");
+            if(color[1]&0x8000) av_log(f->avctx, AV_LOG_ERROR, "unk bit 2\n");

            color[2]= mix(color[0], color[1]);
            color[3]= mix(color[1], color[0]);
@@ -694,7 +711,10 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
    unsigned int prestream_size;
    const uint8_t *prestream;

-    if (bitstream_size > (1<<26) || length < bitstream_size + 12) {
+    if (bitstream_size > (1 << 26))
+        return AVERROR_INVALIDDATA;
+
+    if (length < bitstream_size + 12) {
        av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
        return AVERROR_INVALIDDATA;
    }
@@ -702,15 +722,19 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
    prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
    prestream      = buf + bitstream_size + 12;

-    if (prestream_size > (1<<26) ||
-        prestream_size != length - (bitstream_size + 12)){
+    if(prestream_size + bitstream_size + 12 != length
+       || prestream_size > (1<<26)){
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length);
        return -1;
    }

-    prestream= read_huffman_tables(f, prestream, buf + length - prestream);
-    if (!prestream)
-        return -1;
+    prestream = read_huffman_tables(f, prestream, prestream_size);
+    if (!prestream) {
+        av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    av_assert0(prestream <= buf + length);

    init_get_bits(&f->gb, buf + 4, 8*bitstream_size);

@@ -751,25 +775,35 @@ static int decode_frame(AVCodecContext *avctx,
    AVFrame *p, temp;
    int i, frame_4cc, frame_size;

-    if (buf_size < 12)
+    if (buf_size < 20)
+        return AVERROR_INVALIDDATA;
+
+    if (avctx->width % 16 || avctx->height % 16) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Dimensions non-multiple of 16 are invalid.\n");
        return AVERROR_INVALIDDATA;
-    frame_4cc= AV_RL32(buf);
-    if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){
-        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
    }

+    if (buf_size < AV_RL32(buf + 4) + 8) {
+        av_log(f->avctx, AV_LOG_ERROR,
+               "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4));
+    }
+
+    frame_4cc = AV_RL32(buf);
+
    if(frame_4cc == AV_RL32("cfrm")){
        int free_index=-1;
-        const int data_size= buf_size - 20;
-        const int id= AV_RL32(buf+12);
-        const int whole_size= AV_RL32(buf+16);
+        int id, whole_size;
+        const int data_size = buf_size - 20;
        CFrameBuffer *cfrm;

+        id         = AV_RL32(buf + 12);
+        whole_size = AV_RL32(buf + 16);
+
        if (data_size < 0 || whole_size < 0){
            av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
            return AVERROR_INVALIDDATA;
        }
-
        for(i=0; i<CFRAME_BUFFER_COUNT; i++){
            if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
                av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);
@@ -805,6 +839,9 @@ static int decode_frame(AVCodecContext *avctx,
                av_log(f->avctx, AV_LOG_ERROR, "cframe id mismatch %d %d\n", id, avctx->frame_number);
            }

+            if (f->version <= 1)
+                return AVERROR_INVALIDDATA;
+
            cfrm->size= cfrm->id= 0;
            frame_4cc= AV_RL32("pfrm");
        }else
@@ -848,6 +885,7 @@ static int decode_frame(AVCodecContext *avctx,
                av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
                return -1;
            }
+            memset(f->last_picture.data[0], 0, avctx->height * FFABS(f->last_picture.linesize[0]));
        }

        p->pict_type= AV_PICTURE_TYPE_P;
--- a/libavcodec/8bps.c
+++ b/libavcodec/8bps.c
@@ -69,7 +69,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
        unsigned char *pixptr, *pixptr_end;
        unsigned int height = avctx->height; // Real image height
        unsigned int dlen, p, row;
-        const unsigned char *lp, *dp;
+        const unsigned char *lp, *dp, *ep;
        unsigned char count;
        unsigned int planes = c->planes;
        unsigned char *planemap = c->planemap;
@@ -84,6 +84,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                return -1;
        }

+        ep = encoded + buf_size;
+
        /* Set data pointer after line lengths */
        dp = encoded + planes * (height << 1);

@@ -95,16 +97,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                for(row = 0; row < height; row++) {
                        pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
                        pixptr_end = pixptr + c->pic.linesize[0];
+                        if (ep - lp < row * 2 + 2)
+                            return AVERROR_INVALIDDATA;
                        dlen = av_be2ne16(*(const unsigned short *)(lp+row*2));
                        /* Decode a row of this plane */
                        while(dlen > 0) {
-                                if(dp + 1 >= buf+buf_size) return -1;
+                                if(ep - dp <= 1) return -1;
                                if ((count = *dp++) <= 127) {
                                        count++;
                                        dlen -= count + 1;
                                        if (pixptr + count * planes > pixptr_end)
                                            break;
-                                        if(dp + count > buf+buf_size) return -1;
+                                        if(ep - dp < count) return -1;
                                        while(count--) {
                                                *pixptr = *dp++;
                                                pixptr += planes;
--- a/libavcodec/aac_ac3_parser.h
+++ b/libavcodec/aac_ac3_parser.h
@@ -28,13 +28,13 @@
 #include "parser.h"

 typedef enum {
-    AAC_AC3_PARSE_ERROR_SYNC        = -1,
-    AAC_AC3_PARSE_ERROR_BSID        = -2,
-    AAC_AC3_PARSE_ERROR_SAMPLE_RATE = -3,
-    AAC_AC3_PARSE_ERROR_FRAME_SIZE  = -4,
-    AAC_AC3_PARSE_ERROR_FRAME_TYPE  = -5,
-    AAC_AC3_PARSE_ERROR_CRC         = -6,
-    AAC_AC3_PARSE_ERROR_CHANNEL_CFG = -7,
+    AAC_AC3_PARSE_ERROR_SYNC        = -0x1030c0a,
+    AAC_AC3_PARSE_ERROR_BSID        = -0x2030c0a,
+    AAC_AC3_PARSE_ERROR_SAMPLE_RATE = -0x3030c0a,
+    AAC_AC3_PARSE_ERROR_FRAME_SIZE  = -0x4030c0a,
+    AAC_AC3_PARSE_ERROR_FRAME_TYPE  = -0x5030c0a,
+    AAC_AC3_PARSE_ERROR_CRC         = -0x6030c0a,
+    AAC_AC3_PARSE_ERROR_CHANNEL_CFG = -0x7030c0a,
 } AACAC3ParseError;

 typedef struct AACAC3ParseContext {
--- a/libavcodec/aaccoder.c
+++ b/libavcodec/aaccoder.c
@@ -713,7 +713,7 @@ static void search_for_quantizers_twoloop(AVCodecContext *avctx,
                                          const float lambda)
 {
    int start = 0, i, w, w2, g;
-    int destbits = avctx->bit_rate * 1024.0 / avctx->sample_rate / avctx->channels;
+    int destbits = avctx->bit_rate * 1024.0 / avctx->sample_rate / avctx->channels * (lambda / 120.f);
    float dists[128], uplims[128];
    float maxvals[128];
    int fflag, minscaler;
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -192,6 +192,8 @@ static av_cold int che_configure(AACContext *ac,
                                 enum ChannelPosition che_pos[4][MAX_ELEM_ID],
                                 int type, int id, int *channels)
 {
+    if (*channels >= MAX_CHANNELS)
+        return AVERROR_INVALIDDATA;
    if (che_pos[type][id]) {
        if (!ac->che[type][id]) {
            if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))
@@ -360,7 +362,7 @@ static int decode_pce(AVCodecContext *avctx, MPEG4AudioConfig *m4ac,
    comment_len = get_bits(gb, 8) * 8;
    if (get_bits_left(gb) < comment_len) {
        av_log(avctx, AV_LOG_ERROR, overread_err);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }
    skip_bits_long(gb, comment_len);
    return 0;
@@ -381,7 +383,7 @@ static av_cold int set_default_channel_config(AVCodecContext *avctx,
    if (channel_config < 1 || channel_config > 7) {
        av_log(avctx, AV_LOG_ERROR, "invalid default channel configuration (%d)\n",
               channel_config);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    /* default channel configurations:
@@ -499,20 +501,21 @@ static int decode_audio_specific_config(AACContext *ac,
                                        int sync_extension)
 {
    GetBitContext gb;
-    int i;
+    int i, ret;

    av_dlog(avctx, "extradata size %d\n", avctx->extradata_size);
    for (i = 0; i < avctx->extradata_size; i++)
         av_dlog(avctx, "%02x ", avctx->extradata[i]);
    av_dlog(avctx, "\n");

-    init_get_bits(&gb, data, bit_size);
+    if ((ret = init_get_bits(&gb, data, bit_size)) < 0)
+        return ret;

    if ((i = avpriv_mpeg4audio_get_config(m4ac, data, bit_size, sync_extension)) < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;
    if (m4ac->sampling_index > 12) {
        av_log(avctx, AV_LOG_ERROR, "invalid sampling rate index %d\n", m4ac->sampling_index);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    skip_bits_long(&gb, i);
@@ -521,13 +524,14 @@ static int decode_audio_specific_config(AACContext *ac,
    case AOT_AAC_MAIN:
    case AOT_AAC_LC:
    case AOT_AAC_LTP:
-        if (decode_ga_specific_config(ac, avctx, &gb, m4ac, m4ac->chan_config))
-            return -1;
+        if ((ret = decode_ga_specific_config(ac, avctx, &gb,
+                                             m4ac, m4ac->chan_config)) < 0)
+            return ret;
        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Audio object type %s%d is not supported.\n",
               m4ac->sbr == 1? "SBR+" : "", m4ac->object_type);
-        return -1;
+        return AVERROR(ENOSYS);
    }

    av_dlog(avctx, "AOT %d chan config %d sampling index %d (%d) SBR %d PS %d\n",
@@ -598,16 +602,17 @@ static void reset_predictor_group(PredictorState *ps, int group_num)
 static av_cold int aac_decode_init(AVCodecContext *avctx)
 {
    AACContext *ac = avctx->priv_data;
+    int ret;
    float output_scale_factor;

    ac->avctx = avctx;
    ac->m4ac.sample_rate = avctx->sample_rate;

    if (avctx->extradata_size > 0) {
-        if (decode_audio_specific_config(ac, ac->avctx, &ac->m4ac,
+        if ((ret = decode_audio_specific_config(ac, ac->avctx, &ac->m4ac,
                                         avctx->extradata,
-                                         avctx->extradata_size*8, 1) < 0)
-            return -1;
+                                         avctx->extradata_size*8, 1)) < 0)
+            return ret;
    } else {
        int sr, i;
        enum ChannelPosition new_che_pos[4][MAX_ELEM_ID];
@@ -700,7 +705,7 @@ static int skip_data_stream_element(AACContext *ac, GetBitContext *gb)

    if (get_bits_left(gb) < 8 * count) {
        av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }
    skip_bits_long(gb, 8 * count);
    return 0;
@@ -714,7 +719,7 @@ static int decode_prediction(AACContext *ac, IndividualChannelStream *ics,
        ics->predictor_reset_group = get_bits(gb, 5);
        if (ics->predictor_reset_group == 0 || ics->predictor_reset_group > 30) {
            av_log(ac->avctx, AV_LOG_ERROR, "Invalid Predictor Reset Group.\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }
    }
    for (sfb = 0; sfb < FFMIN(ics->max_sfb, ff_aac_pred_sfb_max[ac->m4ac.sampling_index]); sfb++) {
@@ -824,20 +829,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
            int sect_band_type = get_bits(gb, 4);
            if (sect_band_type == 12) {
                av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
            do {
                sect_len_incr = get_bits(gb, bits);
                sect_end += sect_len_incr;
                if (get_bits_left(gb) < 0) {
                    av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                }
                if (sect_end > ics->max_sfb) {
                    av_log(ac->avctx, AV_LOG_ERROR,
                           "Number of bands (%d) exceeds limit (%d).\n",
                           sect_end, ics->max_sfb);
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                }
            } while (sect_len_incr == (1 << bits) - 1);
            for (; k < sect_end; k++) {
@@ -909,7 +914,7 @@ static int decode_scalefactors(AACContext *ac, float sf[120], GetBitContext *gb,
                    if (offset[0] > 255U) {
                        av_log(ac->avctx, AV_LOG_ERROR,
                               "%s (%d) out of range.\n", sf_str[0], offset[0]);
-                        return -1;
+                        return AVERROR_INVALIDDATA;
                    }
                    sf[idx] = -ff_aac_pow2sf_tab[offset[0] - 100 + POW_SF2_ZERO];
                }
@@ -967,7 +972,7 @@ static int decode_tns(AACContext *ac, TemporalNoiseShaping *tns,
                    av_log(ac->avctx, AV_LOG_ERROR, "TNS filter order %d is greater than maximum %d.\n",
                           tns->order[w][filt], tns_max_order);
                    tns->order[w][filt] = 0;
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                }
                if (tns->order[w][filt]) {
                    tns->direction[w][filt] = get_bits1(gb);
@@ -1250,7 +1255,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024],

                                    if (b > 8) {
                                        av_log(ac->avctx, AV_LOG_ERROR, "error in spectral data, ESC overflow\n");
-                                        return -1;
+                                        return AVERROR_INVALIDDATA;
                                    }

                                    SKIP_BITS(re, gb, b + 1);
@@ -1393,6 +1398,7 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
    IndividualChannelStream *ics = &sce->ics;
    float *out = sce->coeffs;
    int global_gain, pulse_present = 0;
+    int ret;

    /* This assignment is to silence a GCC warning about the variable being used
     * uninitialized when in fact it always is.
@@ -1406,25 +1412,27 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
            return AVERROR_INVALIDDATA;
    }

-    if (decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics) < 0)
-        return -1;
-    if (decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end) < 0)
-        return -1;
+    if ((ret = decode_band_types(ac, sce->band_type,
+                                 sce->band_type_run_end, gb, ics)) < 0)
+        return ret;
+    if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics,
+                                   sce->band_type, sce->band_type_run_end)) < 0)
+        return ret;

    pulse_present = 0;
    if (!scale_flag) {
        if ((pulse_present = get_bits1(gb))) {
            if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) {
                av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
            if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) {
                av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
        }
        if ((tns->present = get_bits1(gb)) && decode_tns(ac, tns, gb, ics))
-            return -1;
+            return AVERROR_INVALIDDATA;
        if (get_bits1(gb)) {
            av_log_missing_feature(ac->avctx, "SSR", 1);
            return -1;
@@ -1432,7 +1440,7 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
    }

    if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, &pulse, ics, sce->band_type) < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;

    if (ac->m4ac.object_type == AOT_AAC_MAIN && !common_window)
        apply_prediction(ac, sce);
@@ -1530,7 +1538,7 @@ static int decode_cpe(AACContext *ac, GetBitContext *gb, ChannelElement *cpe)
        ms_present = get_bits(gb, 2);
        if (ms_present == 3) {
            av_log(ac->avctx, AV_LOG_ERROR, "ms_present = 3 is reserved.\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        } else if (ms_present)
            decode_mid_side_stereo(cpe, gb, ms_present);
    }
@@ -2321,7 +2329,8 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data,
            return AVERROR_INVALIDDATA;
    }

-    init_get_bits(&gb, buf, buf_size * 8);
+    if ((err = init_get_bits(&gb, buf, buf_size * 8)) < 0)
+        return err;

    if ((err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb)) < 0)
        return err;
@@ -2566,7 +2575,8 @@ static int latm_decode_frame(AVCodecContext *avctx, void *out,
    int                 muxlength, err;
    GetBitContext       gb;

-    init_get_bits(&gb, avpkt->data, avpkt->size * 8);
+    if ((err = init_get_bits(&gb, avpkt->data, avpkt->size * 8)) < 0)
+        return err;

    // check for LOAS sync word
    if (get_bits(&gb, 11) != LOAS_SYNC_WORD)
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -297,7 +297,7 @@ static int parse_frame_header(AC3DecodeContext *s)
        return ff_eac3_parse_header(s);
    } else {
        av_log(s->avctx, AV_LOG_ERROR, "E-AC-3 support not compiled in\n");
-        return -1;
+        return AVERROR(ENOSYS);
    }
 }

@@ -822,12 +822,12 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
            if (start_subband >= end_subband) {
                av_log(s->avctx, AV_LOG_ERROR, "invalid spectral extension "
                       "range (%d >= %d)\n", start_subband, end_subband);
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
            if (dst_start_freq >= src_start_freq) {
                av_log(s->avctx, AV_LOG_ERROR, "invalid spectral extension "
                       "copy start bin (%d >= %d)\n", dst_start_freq, src_start_freq);
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

            s->spx_dst_start_freq = dst_start_freq;
@@ -904,7 +904,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)

            if (channel_mode < AC3_CHMODE_STEREO) {
                av_log(s->avctx, AV_LOG_ERROR, "coupling not allowed in mono or dual-mono\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

            /* check for enhanced coupling */
@@ -934,7 +934,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
            if (cpl_start_subband >= cpl_end_subband) {
                av_log(s->avctx, AV_LOG_ERROR, "invalid coupling range (%d >= %d)\n",
                       cpl_start_subband, cpl_end_subband);
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
            s->start_freq[CPL_CH] = cpl_start_subband * 12 + 37;
            s->end_freq[CPL_CH]   = cpl_end_subband   * 12 + 37;
@@ -956,7 +956,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
        if (!blk) {
            av_log(s->avctx, AV_LOG_ERROR, "new coupling strategy must "
                   "be present in block 0\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        } else {
            s->cpl_in_use[blk] = s->cpl_in_use[blk-1];
        }
@@ -986,7 +986,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
                } else if (!blk) {
                    av_log(s->avctx, AV_LOG_ERROR, "new coupling coordinates must "
                           "be present in block 0\n");
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                }
            } else {
                /* channel not in coupling */
@@ -1041,7 +1041,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
                int bandwidth_code = get_bits(gbc, 6);
                if (bandwidth_code > 60) {
                    av_log(s->avctx, AV_LOG_ERROR, "bandwidth code = %d > 60\n", bandwidth_code);
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                }
                s->end_freq[ch] = bandwidth_code * 3 + 73;
            }
@@ -1064,7 +1064,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
                                 s->num_exp_groups[ch], s->dexps[ch][0],
                                 &s->dexps[ch][s->start_freq[ch]+!!ch])) {
                av_log(s->avctx, AV_LOG_ERROR, "exponent out-of-range\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
            if (ch != CPL_CH && ch != s->lfe_ch)
                skip_bits(gbc, 2); /* skip gainrng */
@@ -1084,7 +1084,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
        } else if (!blk) {
            av_log(s->avctx, AV_LOG_ERROR, "new bit allocation info must "
                   "be present in block 0\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }
    }

@@ -1115,7 +1115,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
            }
        } else if (!s->eac3 && !blk) {
            av_log(s->avctx, AV_LOG_ERROR, "new snr offsets must be present in block 0\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }
    }

@@ -1154,7 +1154,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
        } else if (!s->eac3 && !blk) {
            av_log(s->avctx, AV_LOG_ERROR, "new coupling leak info must "
                   "be present in block 0\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }
        s->first_cpl_leak = 0;
    }
@@ -1166,7 +1166,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
            s->dba_mode[ch] = get_bits(gbc, 2);
            if (s->dba_mode[ch] == DBA_RESERVED) {
                av_log(s->avctx, AV_LOG_ERROR, "delta bit allocation strategy reserved\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
            bit_alloc_stages[ch] = FFMAX(bit_alloc_stages[ch], 2);
        }
@@ -1207,7 +1207,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
                                           s->dba_offsets[ch], s->dba_lengths[ch],
                                           s->dba_values[ch],  s->mask[ch])) {
                av_log(s->avctx, AV_LOG_ERROR, "error in bit allocation\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
        }
        if (bit_alloc_stages[ch] > 0) {
@@ -1328,7 +1328,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
        switch (err) {
        case AAC_AC3_PARSE_ERROR_SYNC:
            av_log(avctx, AV_LOG_ERROR, "frame sync error\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        case AAC_AC3_PARSE_ERROR_BSID:
            av_log(avctx, AV_LOG_ERROR, "invalid bitstream id\n");
            break;
@@ -1342,17 +1342,20 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
            /* skip frame if CRC is ok. otherwise use error concealment. */
            /* TODO: add support for substreams and dependent frames */
            if (s->frame_type == EAC3_FRAME_TYPE_DEPENDENT || s->substreamid) {
-                av_log(avctx, AV_LOG_ERROR, "unsupported frame type : "
+                av_log(avctx, AV_LOG_WARNING, "unsupported frame type : "
                       "skipping frame\n");
                *got_frame_ptr = 0;
-                return s->frame_size;
+                return buf_size;
            } else {
                av_log(avctx, AV_LOG_ERROR, "invalid frame type\n");
            }
            break;
-        default:
-            av_log(avctx, AV_LOG_ERROR, "invalid header\n");
+        case AAC_AC3_PARSE_ERROR_CRC:
+        case AAC_AC3_PARSE_ERROR_CHANNEL_CFG:
            break;
+        default: // Normal AVERROR do not try to recover.
+            *got_frame_ptr = 0;
+            return err;
        }
    } else {
        /* check that reported frame size fits in input buffer */
@@ -1373,8 +1376,10 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
    if (!err) {
        avctx->sample_rate = s->sample_rate;
        avctx->bit_rate    = s->bit_rate;
+    }

-        /* channel config */
+    /* channel config */
+    if (!err || (s->channels && s->out_channels != s->channels)) {
        s->out_channels = s->channels;
        s->output_mode  = s->channel_mode;
        if (s->lfe_on)
@@ -1397,18 +1402,18 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
                s->fbw_channels == s->out_channels)) {
            set_downmix_coeffs(s);
        }
-    } else if (!s->out_channels) {
-        s->out_channels = avctx->channels;
-        if (s->out_channels < s->channels)
-            s->output_mode  = s->out_channels == 1 ? AC3_CHMODE_MONO : AC3_CHMODE_STEREO;
+    } else if (!s->channels) {
+        av_log(avctx, AV_LOG_ERROR, "unable to determine channel mode\n");
+        return AVERROR_INVALIDDATA;
    }
+    avctx->channels = s->out_channels;
+
    /* set audio service type based on bitstream mode for AC-3 */
    avctx->audio_service_type = s->bitstream_mode;
    if (s->bitstream_mode == 0x7 && s->channels > 1)
        avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE;

    /* get output buffer */
-    avctx->channels = s->out_channels;
    s->frame.nb_samples = s->num_blocks * 256;
    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -717,7 +717,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
            src++;
            *samples++ = cs->predictor;
        }
-        for (n = nb_samples >> (1 - st); n > 0; n--, src++) {
+        for (n = (nb_samples >> (1 - st)) - 1; n > 0; n--, src++) {
            uint8_t v = *src;
            *samples++ = adpcm_ima_expand_nibble(&c->status[0 ], v >> 4  , 3);
            *samples++ = adpcm_ima_expand_nibble(&c->status[st], v & 0x0F, 3);
--- a/libavcodec/adx.c
+++ b/libavcodec/adx.c
@@ -47,7 +47,7 @@ int avpriv_adx_decode_header(AVCodecContext *avctx, const uint8_t *buf,
    offset = AV_RB16(buf + 2) + 4;

    /* if copyright string is within the provided data, validate it */
-    if (bufsize >= offset && memcmp(buf + offset - 6, "(c)CRI", 6))
+    if (bufsize >= offset && offset >= 6 && memcmp(buf + offset - 6, "(c)CRI", 6))
        return AVERROR_INVALIDDATA;

    /* check for encoding=3 block_size=18, sample_size=4 */
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -615,6 +615,12 @@ static int alac_set_info(ALACContext *alac)

    /* buffer size / 2 ? */
    alac->setinfo_max_samples_per_frame = bytestream_get_be32(&ptr);
+    if (!alac->setinfo_max_samples_per_frame ||
+        alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)) {
+        av_log(alac->avctx, AV_LOG_ERROR, "max samples per frame invalid: %u\n",
+               alac->setinfo_max_samples_per_frame);
+        return AVERROR_INVALIDDATA;
+    }
    ptr++;                          /* compatible version */
    alac->setinfo_sample_size           = *ptr++;
    alac->setinfo_rice_historymult      = *ptr++;
--- a/libavcodec/alacenc.c
+++ b/libavcodec/alacenc.c
@@ -259,7 +259,7 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch)
        // generate warm-up samples
        residual[0] = samples[0];
        for (i = 1; i <= lpc.lpc_order; i++)
-            residual[i] = samples[i] - samples[i-1];
+            residual[i] = sign_extend(samples[i] - samples[i-1], s->write_sample_size);

        // perform lpc on remaining samples
        for (i = lpc.lpc_order + 1; i < s->avctx->frame_size; i++) {
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -283,7 +283,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
    GetBitContext gb;
    uint64_t ht_size;
    int i, config_offset;
-    MPEG4AudioConfig m4ac;
+    MPEG4AudioConfig m4ac = {0};
    ALSSpecificConfig *sconf = &ctx->sconf;
    AVCodecContext *avctx    = ctx->avctx;
    uint32_t als_id, header_size, trailer_size;
@@ -294,12 +294,12 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
                                                 avctx->extradata_size * 8, 1);

    if (config_offset < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;

    skip_bits_long(&gb, config_offset);

    if (get_bits_left(&gb) < (30 << 3))
-        return -1;
+        return AVERROR_INVALIDDATA;

    // read the fixed items
    als_id                      = get_bits_long(&gb, 32);
@@ -334,7 +334,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)

    // check for ALSSpecificConfig struct
    if (als_id != MKBETAG('A','L','S','\0'))
-        return -1;
+        return AVERROR_INVALIDDATA;

    ctx->cur_frame_length = sconf->frame_length;

@@ -349,7 +349,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
        int chan_pos_bits = av_ceil_log2(avctx->channels);
        int bits_needed  = avctx->channels * chan_pos_bits + 7;
        if (get_bits_left(&gb) < bits_needed)
-            return -1;
+            return AVERROR_INVALIDDATA;

        if (!(sconf->chan_pos = av_malloc(avctx->channels * sizeof(*sconf->chan_pos))))
            return AVERROR(ENOMEM);
@@ -367,7 +367,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
    // read fixed header and trailer sizes,
    // if size = 0xFFFFFFFF then there is no data field!
    if (get_bits_left(&gb) < 64)
-        return -1;
+        return AVERROR_INVALIDDATA;

    header_size  = get_bits_long(&gb, 32);
    trailer_size = get_bits_long(&gb, 32);
@@ -381,10 +381,10 @@ static av_cold int read_specific_config(ALSDecContext *ctx)

    // skip the header and trailer data
    if (get_bits_left(&gb) < ht_size)
-        return -1;
+        return AVERROR_INVALIDDATA;

    if (ht_size > INT32_MAX)
-        return -1;
+        return AVERROR_PATCHWELCOME;

    skip_bits_long(&gb, ht_size);

@@ -392,7 +392,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
    // initialize CRC calculation
    if (sconf->crc_enabled) {
        if (get_bits_left(&gb) < 32)
-            return -1;
+            return AVERROR_INVALIDDATA;

        if (avctx->err_recognition & (AV_EF_CRCCHECK|AV_EF_CAREFUL)) {
            ctx->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE);
@@ -632,7 +632,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
    if (bd->block_length & (sub_blocks - 1)) {
        av_log(avctx, AV_LOG_WARNING,
               "Block length is not evenly divisible by the number of subblocks.\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    sb_length = bd->block_length >> log2_sub_blocks;
@@ -963,18 +963,18 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 */
 static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
 {
+    int ret = 0;
    GetBitContext *gb        = &ctx->gb;

    *bd->shift_lsbs = 0;
    // read block type flag and read the samples accordingly
    if (get_bits1(gb)) {
-        if (read_var_block_data(ctx, bd))
-            return -1;
+        ret = read_var_block_data(ctx, bd);
    } else {
        read_const_block_data(ctx, bd);
    }

-    return 0;
+    return ret;
 }


@@ -983,12 +983,16 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
 static int decode_block(ALSDecContext *ctx, ALSBlockData *bd)
 {
    unsigned int smp;
+    int ret = 0;

    // read block type flag and read the samples accordingly
    if (*bd->const_block)
        decode_const_block_data(ctx, bd);
-    else if (decode_var_block_data(ctx, bd))
-        return -1;
+    else
+        ret = decode_var_block_data(ctx, bd); // always return 0
+
+    if (ret < 0)
+        return ret;

    // TODO: read RLSLMS extension data

@@ -1006,14 +1010,10 @@ static int read_decode_block(ALSDecContext *ctx, ALSBlockData *bd)
 {
    int ret;

-    ret = read_block(ctx, bd);
-
-    if (ret)
+    if ((ret = read_block(ctx, bd)) < 0)
        return ret;

-    ret = decode_block(ctx, bd);
-
-    return ret;
+    return decode_block(ctx, bd);
 }


@@ -1039,6 +1039,7 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame,
                             unsigned int c, const unsigned int *div_blocks,
                             unsigned int *js_blocks)
 {
+    int ret;
    unsigned int b;
    ALSBlockData bd;

@@ -1061,10 +1062,10 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame,
    for (b = 0; b < ctx->num_blocks; b++) {
        bd.block_length     = div_blocks[b];

-        if (read_decode_block(ctx, &bd)) {
+        if ((ret = read_decode_block(ctx, &bd)) < 0) {
            // damaged block, write zero for the rest of the frame
            zero_remaining(b, ctx->num_blocks, div_blocks, bd.raw_samples);
-            return -1;
+            return ret;
        }
        bd.raw_samples += div_blocks[b];
        bd.ra_block     = 0;
@@ -1083,6 +1084,7 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
    ALSSpecificConfig *sconf = &ctx->sconf;
    unsigned int offset = 0;
    unsigned int b;
+    int ret;
    ALSBlockData bd[2];

    memset(bd, 0, 2 * sizeof(ALSBlockData));
@@ -1126,12 +1128,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
        bd[0].raw_other    = bd[1].raw_samples;
        bd[1].raw_other    = bd[0].raw_samples;

-        if(read_decode_block(ctx, &bd[0]) || read_decode_block(ctx, &bd[1])) {
-            // damaged block, write zero for the rest of the frame
-            zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples);
-            zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples);
-            return -1;
-        }
+        if ((ret = read_decode_block(ctx, &bd[0])) < 0 ||
+            (ret = read_decode_block(ctx, &bd[1])) < 0)
+            goto fail;
+

        // reconstruct joint-stereo blocks
        if (bd[0].js_blocks) {
@@ -1157,8 +1157,19 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
            sizeof(*ctx->raw_samples[c]) * sconf->max_order);

    return 0;
+fail:
+    // damaged block, write zero for the rest of the frame
+    zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples);
+    zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples);
+    return ret;
 }

+static inline int als_weighting(GetBitContext *gb, int k, int off)
+{
+    int idx = av_clip(decode_rice(gb, k) + off,
+                      0, FF_ARRAY_ELEMS(mcc_weightings) - 1);
+    return mcc_weightings[idx];
+}

 /** Read the channel data.
  */
@@ -1174,19 +1185,19 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)

        if (current->master_channel >= channels) {
            av_log(ctx->avctx, AV_LOG_ERROR, "Invalid master channel!\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }

        if (current->master_channel != c) {
            current->time_diff_flag = get_bits1(gb);
-            current->weighting[0]   = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
-            current->weighting[1]   = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 31)];
-            current->weighting[2]   = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
+            current->weighting[0]   = als_weighting(gb, 1, 16);
+            current->weighting[1]   = als_weighting(gb, 2, 14);
+            current->weighting[2]   = als_weighting(gb, 1, 16);

            if (current->time_diff_flag) {
-                current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
-                current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
-                current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)];
+                current->weighting[3] = als_weighting(gb, 1, 16);
+                current->weighting[4] = als_weighting(gb, 1, 16);
+                current->weighting[5] = als_weighting(gb, 1, 16);

                current->time_diff_sign  = get_bits1(gb);
                current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3;
@@ -1199,7 +1210,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)

    if (entries == channels) {
        av_log(ctx->avctx, AV_LOG_ERROR, "Damaged channel data!\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    align_get_bits(gb);
@@ -1231,7 +1242,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,

    if (dep == channels) {
        av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel correlation!\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    bd->const_block = ctx->const_block + c;
@@ -1304,6 +1315,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
    unsigned int js_blocks[2];

    uint32_t bs_info = 0;
+    int ret;

    // skip the size of the ra unit if present in the frame
    if (sconf->ra_flag == RA_FLAG_FRAMES && ra_frame)
@@ -1334,13 +1346,15 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
                independent_bs = 1;

            if (independent_bs) {
-                if (decode_blocks_ind(ctx, ra_frame, c, div_blocks, js_blocks))
-                    return -1;
-
+                ret = decode_blocks_ind(ctx, ra_frame, c,
+                                        div_blocks, js_blocks);
+                if (ret < 0)
+                    return ret;
                independent_bs--;
            } else {
-                if (decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks))
-                    return -1;
+                ret = decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks);
+                if (ret < 0)
+                    return ret;

                c++;
            }
@@ -1359,7 +1373,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
        for (c = 0; c < avctx->channels; c++)
            if (ctx->chan_data[c] < ctx->chan_data_buffer) {
                av_log(ctx->avctx, AV_LOG_ERROR, "Invalid channel data!\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

        memset(&bd,               0, sizeof(ALSBlockData));
@@ -1372,6 +1386,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)

        for (b = 0; b < ctx->num_blocks; b++) {
            bd.block_length = div_blocks[b];
+            if (bd.block_length <= 0) {
+                av_log(ctx->avctx, AV_LOG_WARNING,
+                       "Invalid block length %d in channel data!\n", bd.block_length);
+                continue;
+            }

            for (c = 0; c < avctx->channels; c++) {
                bd.const_block = ctx->const_block + c;
@@ -1391,11 +1410,12 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
                    return -1;
            }

-            for (c = 0; c < avctx->channels; c++)
-                if (revert_channel_correlation(ctx, &bd, ctx->chan_data,
-                                               reverted_channels, offset, c))
-                    return -1;
-
+            for (c = 0; c < avctx->channels; c++) {
+                ret = revert_channel_correlation(ctx, &bd, ctx->chan_data,
+                                                 reverted_channels, offset, c);
+                if (ret < 0)
+                    return ret;
+            }
            for (c = 0; c < avctx->channels; c++) {
                bd.const_block = ctx->const_block + c;
                bd.shift_lsbs  = ctx->shift_lsbs + c;
@@ -1592,29 +1612,30 @@ static av_cold int decode_init(AVCodecContext *avctx)
 {
    unsigned int c;
    unsigned int channel_size;
-    int num_buffers;
+    int num_buffers, ret;
    ALSDecContext *ctx = avctx->priv_data;
    ALSSpecificConfig *sconf = &ctx->sconf;
    ctx->avctx = avctx;

    if (!avctx->extradata) {
        av_log(avctx, AV_LOG_ERROR, "Missing required ALS extradata.\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

-    if (read_specific_config(ctx)) {
+    if ((ret = read_specific_config(ctx)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "Reading ALSSpecificConfig failed.\n");
-        decode_end(avctx);
-        return -1;
+        goto fail;
    }

-    if (check_specific_config(ctx)) {
-        decode_end(avctx);
-        return -1;
+    if ((ret = check_specific_config(ctx)) < 0) {
+        goto fail;
    }

-    if (sconf->bgmc)
-        ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status);
+    if (sconf->bgmc) {
+        ret = ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status);
+        if (ret < 0)
+            goto fail;
+    }

    if (sconf->floating) {
        avctx->sample_fmt          = AV_SAMPLE_FMT_FLT;
@@ -1650,7 +1671,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
        !ctx->quant_cof_buffer       || !ctx->lpc_cof_buffer ||
        !ctx->lpc_cof_reversed_buffer) {
        av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-        return AVERROR(ENOMEM);
+        ret = AVERROR(ENOMEM);
+        goto fail;
    }

    // assign quantized parcor coefficient buffers
@@ -1675,8 +1697,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
        !ctx->use_ltp  || !ctx->ltp_lag ||
        !ctx->ltp_gain || !ctx->ltp_gain_buffer) {
        av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-        decode_end(avctx);
-        return AVERROR(ENOMEM);
+        ret = AVERROR(ENOMEM);
+        goto fail;
    }

    for (c = 0; c < num_buffers; c++)
@@ -1693,8 +1715,8 @@ static av_cold int decode_init(AVCodecContext *avctx)

        if (!ctx->chan_data_buffer || !ctx->chan_data || !ctx->reverted_channels) {
            av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-            decode_end(avctx);
-            return AVERROR(ENOMEM);
+            ret = AVERROR(ENOMEM);
+            goto fail;
        }

        for (c = 0; c < num_buffers; c++)
@@ -1715,8 +1737,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
    // allocate previous raw sample buffer
    if (!ctx->prev_raw_samples || !ctx->raw_buffer|| !ctx->raw_samples) {
        av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-        decode_end(avctx);
-        return AVERROR(ENOMEM);
+        ret = AVERROR(ENOMEM);
+        goto fail;
    }

    // assign raw samples buffers
@@ -1733,8 +1755,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
                                    av_get_bytes_per_sample(avctx->sample_fmt));
        if (!ctx->crc_buffer) {
            av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-            decode_end(avctx);
-            return AVERROR(ENOMEM);
+            ret = AVERROR(ENOMEM);
+            goto fail;
        }
    }

@@ -1744,6 +1766,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
    avctx->coded_frame = &ctx->frame;

    return 0;
+
+fail:
+    decode_end(avctx);
+    return ret;
 }


--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -822,7 +822,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
    int16_t *samples;
    int i, ret;
    int blockstodecode;
-    int bytes_used = 0;

    /* this should never be negative, but bad things will happen if it is, so
       check it just to make sure. */
@@ -877,7 +876,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
            return AVERROR_INVALIDDATA;
        }

-        bytes_used = buf_size;
    }

    if (!s->data) {
@@ -920,7 +918,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
    *got_frame_ptr   = 1;
    *(AVFrame *)data = s->frame;

-    return bytes_used;
+    return (s->samples == 0) ? buf_size : 0;
 }

 static void ape_flush(AVCodecContext *avctx)
--- a/libavcodec/arm/asm.S
+++ b/libavcodec/arm/asm.S
@@ -132,6 +132,13 @@ T       ldr             \rt, [\rn]
 T       add             \rn, \rn, \rm
 .endm

+.macro  ldrc_pre        cc,  rt,  rn,  rm:vararg
+A       ldr\cc          \rt, [\rn, \rm]!
+T       itt             \cc
+T       add\cc          \rn, \rn, \rm
+T       ldr\cc          \rt, [\rn]
+.endm
+
 .macro  ldrd_reg        rt,  rt2, rn,  rm
 A       ldrd            \rt, \rt2, [\rn, \rm]
 T       add             \rt, \rn, \rm
--- a/libavcodec/arm/dsputil_armv6.S
+++ b/libavcodec/arm/dsputil_armv6.S
@@ -146,10 +146,11 @@ function ff_put_pixels8_y2_armv6, export=1
        eor             r7,  r5,  r7
        uadd8           r10, r10, r6
        and             r7,  r7,  r12
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
        uadd8           r11, r11, r7
        strd_post       r8,  r9,  r0,  r2
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
        strd_post       r10, r11, r0,  r2
        bne             1b

@@ -198,9 +199,10 @@ function ff_put_pixels8_y2_no_rnd_armv6, export=1
        uhadd8          r9,  r5,  r7
        ldr             r5,  [r1, #4]
        uhadd8          r12, r4,  r6
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
        uhadd8          r14, r5,  r7
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
        stm             r0,  {r8,r9}
        add             r0,  r0,  r2
        stm             r0,  {r12,r14}
--- a/libavcodec/arm/h264dsp_init_arm.c
+++ b/libavcodec/arm/h264dsp_init_arm.c
@@ -89,7 +89,7 @@ static void ff_h264dsp_init_neon(H264DSPContext *c, const int bit_depth, const i
    c->h264_idct_dc_add     = ff_h264_idct_dc_add_neon;
    c->h264_idct_add16      = ff_h264_idct_add16_neon;
    c->h264_idct_add16intra = ff_h264_idct_add16intra_neon;
-    if (chroma_format_idc == 1)
+    if (chroma_format_idc <= 1)
        c->h264_idct_add8   = ff_h264_idct_add8_neon;
    c->h264_idct8_add       = ff_h264_idct8_add_neon;
    c->h264_idct8_dc_add    = ff_h264_idct8_dc_add_neon;
--- a/libavcodec/arm/int_neon.S
+++ b/libavcodec/arm/int_neon.S
@@ -66,10 +66,10 @@ function ff_scalarproduct_int16_neon, export=1

 3:      vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
@@ -106,10 +106,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1

        vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
--- a/libavcodec/asv1.c
+++ b/libavcodec/asv1.c
@@ -535,6 +535,11 @@ static av_cold int decode_init(AVCodecContext *avctx){
    int i;
    const int scale= avctx->codec_id == CODEC_ID_ASV1 ? 1 : 2;

+    if (avctx->extradata_size < 1) {
+        av_log(avctx, AV_LOG_ERROR, "No extradata provided\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    common_init(avctx);
    init_vlcs(a);
    ff_init_scantable(a->dsp.idct_permutation, &a->scantable, scantab);
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -690,7 +690,8 @@ static int decodeChannelSoundUnit (ATRAC3Context *q, GetBitContext *gb, channel_
    if (result) return result;

    pSnd->numComponents = decodeTonalComponents (gb, pSnd->components, pSnd->bandsCoded);
-    if (pSnd->numComponents == -1) return -1;
+    if (pSnd->numComponents < 0)
+        return pSnd->numComponents;

    numSubbands = decodeSpectrum (gb, pSnd->spectrum);

@@ -772,7 +773,7 @@ static int decodeFrame(ATRAC3Context *q, const uint8_t* databuf,


        /* set the bitstream reader at the start of the second Sound Unit*/
-        init_get_bits(&q->gb,ptr1,q->bits_per_frame);
+        init_get_bits(&q->gb, ptr1, (q->bytes_per_frame - i) * 8);

        /* Fill the Weighting coeffs delay buffer */
        memmove(q->weighting_delay,&(q->weighting_delay[2]),4*sizeof(int));
@@ -975,6 +976,8 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx)
    if (q->codingMode == STEREO) {
        av_log(avctx,AV_LOG_DEBUG,"Normal stereo detected.\n");
    } else if (q->codingMode == JOINT_STEREO) {
+        if (avctx->channels != 2)
+            return AVERROR_INVALIDDATA;
        av_log(avctx,AV_LOG_DEBUG,"Joint stereo detected.\n");
    } else {
        av_log(avctx,AV_LOG_ERROR,"Unknown channel coding mode %x!\n",q->codingMode);
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -679,6 +679,9 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t *
        quant_idx = q;
    }

+    if (quant_idx >= 16)
+        return AVERROR_INVALIDDATA;
+
    quant = quant_matrices[quant_idx];

    block[0] = (block[0] * quant[0]) >> 11;
--- a/libavcodec/bmv.c
+++ b/libavcodec/bmv.c
@@ -138,7 +138,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
        mode += 1 + advance_mode;
        if (mode >= 4)
            mode -= 3;
-        if (FFABS(dst_end - dst) < len)
+        if (len <= 0 || FFABS(dst_end - dst) < len)
            return -1;
        switch (mode) {
        case 1:
--- a/libavcodec/bytestream.h
+++ b/libavcodec/bytestream.h
@@ -198,6 +198,16 @@ static av_always_inline int bytestream2_tell_p(PutByteContext *p)
    return (int)(p->buffer - p->buffer_start);
 }

+static av_always_inline int bytestream2_size(GetByteContext *g)
+{
+    return (int)(g->buffer_end - g->buffer_start);
+}
+
+static av_always_inline int bytestream2_size_p(PutByteContext *p)
+{
+    return (int)(p->buffer_end - p->buffer_start);
+}
+
 static av_always_inline int bytestream2_seek(GetByteContext *g,
                                             int offset,
                                             int whence)
@@ -323,6 +333,32 @@ static av_always_inline unsigned int bytestream2_get_eof(PutByteContext *p)
    return p->eof;
 }

+static av_always_inline unsigned int bytestream2_copy_bufferu(PutByteContext *p,
+                                                              GetByteContext *g,
+                                                              unsigned int size)
+{
+    memcpy(p->buffer, g->buffer, size);
+    p->buffer += size;
+    g->buffer += size;
+    return size;
+}
+
+static av_always_inline unsigned int bytestream2_copy_buffer(PutByteContext *p,
+                                                             GetByteContext *g,
+                                                             unsigned int size)
+{
+    int size2;
+
+    if (p->eof)
+        return 0;
+    size  = FFMIN(g->buffer_end - g->buffer, size);
+    size2 = FFMIN(p->buffer_end - p->buffer, size);
+    if (size2 != size)
+        p->eof = 1;
+
+    return bytestream2_copy_bufferu(p, g, size2);
+}
+
 static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b,
                                                           uint8_t *dst,
                                                           unsigned int size)
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -166,8 +166,8 @@ static inline int decode_residual_inter(AVSContext *h) {

    /* get coded block pattern */
    int cbp= get_ue_golomb(&h->s.gb);
-    if(cbp > 63U){
-        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
+    if(cbp > 63 || cbp < 0){
+        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp);
        return -1;
    }
    h->cbp = cbp_tab[cbp][1];
@@ -226,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) {
    /* get coded block pattern */
    if(h->pic_type == AV_PICTURE_TYPE_I)
        cbp_code = get_ue_golomb(gb);
-    if(cbp_code > 63U){
+    if(cbp_code > 63 || cbp_code < 0 ){
        av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
        return -1;
    }
@@ -468,6 +468,11 @@ static int decode_pic(AVSContext *h) {
    int skip_count = -1;
    enum cavs_mb mb_type;

+    if (!h->top_qp) {
+        av_log(h, AV_LOG_ERROR, "No sequence header decoded yet\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    if (!s->context_initialized) {
        s->avctx->idct_algo = FF_IDCT_CAVS;
        if (MPV_common_init(s) < 0)
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -577,6 +577,11 @@ static int dca_parse_frame_header(DCAContext *s)
    s->lfe               = get_bits(&s->gb, 2);
    s->predictor_history = get_bits(&s->gb, 1);

+    if (s->lfe > 2) {
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);
+        return AVERROR_INVALIDDATA;
+    }
+
    /* TODO: check CRC */
    if (s->crc_present)
        s->header_crc    = get_bits(&s->gb, 16);
@@ -804,6 +809,13 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index)
                       "Invalid channel mode %d\n", am);
                return AVERROR_INVALIDDATA;
            }
+
+            if (s->prim_channels > FF_ARRAY_ELEMS(dca_default_coeffs[0])) {
+                av_log_ask_for_sample(s->avctx, "Downmixing %d channels",
+                                      s->prim_channels);
+                return AVERROR_PATCHWELCOME;
+            }
+
            for (j = base_channel; j < s->prim_channels; j++) {
                s->downmix_coef[j][0] = dca_default_coeffs[am][j][0];
                s->downmix_coef[j][1] = dca_default_coeffs[am][j][1];
@@ -1253,6 +1265,7 @@ static int dca_subsubframe(DCAContext *s, int base_channel, int block_index)
 #endif
        } else {
            av_log(s->avctx, AV_LOG_ERROR, "Didn't get subframe DSYNC\n");
+            return AVERROR_INVALIDDATA;
        }
    }

--- a/libavcodec/dct-test.c
+++ b/libavcodec/dct-test.c
@@ -234,8 +234,10 @@ static void init_block(DCTELEM block[64], int test, int is_idct, AVLFG *prng, in
        break;
    case 1:
        j = av_lfg_get(prng) % 10 + 1;
-        for (i = 0; i < j; i++)
-            block[av_lfg_get(prng) % 64] = av_lfg_get(prng) % (2*vals) -vals;
+        for (i = 0; i < j; i++) {
+            int idx = av_lfg_get(prng) % 64;
+            block[idx] = av_lfg_get(prng) % (2*vals) -vals;
+        }
        break;
    case 2:
        block[ 0] = av_lfg_get(prng) % (16*vals) - (8*vals);
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -258,6 +258,8 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height
            segments = bytestream2_get_le16(gb);
        }
        line_ptr = frame;
+        if (frame_end - frame < width)
+            return AVERROR_INVALIDDATA;
        frame += width;
        y++;
        while (segments--) {
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1332,8 +1332,8 @@ static int mc_subpel(DiracContext *s, DiracBlock *block, const uint8_t *src[5],
        motion_y >>= s->chroma_y_shift;
    }

-    mx         = motion_x & ~(-1 << s->mv_precision);
-    my         = motion_y & ~(-1 << s->mv_precision);
+    mx         = motion_x & ~(-1U << s->mv_precision);
+    my         = motion_y & ~(-1U << s->mv_precision);
    motion_x >>= s->mv_precision;
    motion_y >>= s->mv_precision;
    /* normalize subpel coordinates to epel */
--- a/libavcodec/dnxhdenc.c
+++ b/libavcodec/dnxhdenc.c
@@ -220,7 +220,7 @@ static int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias)

 static int dnxhd_init_rc(DNXHDEncContext *ctx)
 {
-    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail);
+    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail);
    if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD)
        FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail);

--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -108,27 +108,31 @@ static av_cold int cinvideo_decode_init(AVCodecContext *avctx)
    return 0;
 }

-static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, int size)
+static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst,
+                                 int size)
 {
    while (size--)
        *dst++ += *src++;
 }

-static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static int cin_decode_huffman(const unsigned char *src, int src_size,
+                              unsigned char *dst, int dst_size)
 {
    int b, huff_code = 0;
    unsigned char huff_code_table[15];
-    unsigned char *dst_cur = dst;
-    unsigned char *dst_end = dst + dst_size;
+    unsigned char *dst_cur       = dst;
+    unsigned char *dst_end       = dst + dst_size;
    const unsigned char *src_end = src + src_size;

-    memcpy(huff_code_table, src, 15); src += 15; src_size -= 15;
+    memcpy(huff_code_table, src, 15);
+    src += 15;
+    src_size -= 15;

    while (src < src_end) {
        huff_code = *src++;
        if ((huff_code >> 4) == 15) {
-            b = huff_code << 4;
-            huff_code = *src++;
+            b          = huff_code << 4;
+            huff_code  = *src++;
            *dst_cur++ = b | (huff_code >> 4);
        } else
            *dst_cur++ = huff_code_table[huff_code >> 4];
@@ -147,11 +151,12 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
    return dst_cur - dst;
 }

-static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static int cin_decode_lzss(const unsigned char *src, int src_size,
+                           unsigned char *dst, int dst_size)
 {
    uint16_t cmd;
    int i, sz, offset, code;
-    unsigned char *dst_end = dst + dst_size, *dst_start = dst;
+    unsigned char *dst_end       = dst + dst_size, *dst_start = dst;
    const unsigned char *src_end = src + src_size;

    while (src < src_end && dst < dst_end) {
@@ -160,13 +165,15 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char
            if (code & (1 << i)) {
                *dst++ = *src++;
            } else {
-                cmd = AV_RL16(src); src += 2;
+                cmd  = AV_RL16(src);
+                src += 2;
                offset = cmd >> 4;
-                if ((int) (dst - dst_start) < offset + 1)
+                if ((int)(dst - dst_start) < offset + 1)
                    return AVERROR_INVALIDDATA;
                sz = (cmd & 0xF) + 2;
-                /* don't use memcpy/memmove here as the decoding routine (ab)uses */
-                /* buffer overlappings to repeat bytes in the destination */
+                /* don't use memcpy/memmove here as the decoding routine
+                 * (ab)uses buffer overlappings to repeat bytes in the
+                 * destination */
                sz = FFMIN(sz, dst_end - dst);
                while (sz--) {
                    *dst = *(dst - offset - 1);
@@ -179,20 +186,23 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char
    return 0;
 }

-static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static void cin_decode_rle(const unsigned char *src, int src_size,
+                           unsigned char *dst, int dst_size)
 {
    int len, code;
-    unsigned char *dst_end = dst + dst_size;
+    unsigned char *dst_end       = dst + dst_size;
    const unsigned char *src_end = src + src_size;

    while (src < src_end && dst < dst_end) {
        code = *src++;
        if (code & 0x80) {
+            if (src >= src_end)
+                break;
            len = code - 0x7F;
            memset(dst, *src++, FFMIN(len, dst_end - dst));
        } else {
            len = code + 1;
-            memcpy(dst, src, FFMIN(len, dst_end - dst));
+            memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src));
            src += len;
        }
        dst += len;
@@ -203,15 +213,16 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
                                 void *data, int *data_size,
                                 AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
-    int buf_size = avpkt->size;
+    const uint8_t *buf   = avpkt->data;
+    int buf_size         = avpkt->size;
    CinVideoContext *cin = avctx->priv_data;
-    int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0;
+    int i, y, palette_type, palette_colors_count,
+        bitmap_frame_type, bitmap_frame_size, res = 0;

-    palette_type = buf[0];
+    palette_type         = buf[0];
    palette_colors_count = AV_RL16(buf+1);
-    bitmap_frame_type = buf[3];
-    buf += 4;
+    bitmap_frame_type    = buf[3];
+    buf                 += 4;

    bitmap_frame_size = buf_size - 4;

@@ -222,46 +233,50 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
        if (palette_colors_count > 256)
            return AVERROR_INVALIDDATA;
        for (i = 0; i < palette_colors_count; ++i) {
-            cin->palette[i] = 0xFF << 24 | bytestream_get_le24(&buf);
+            cin->palette[i]    = 0xFF << 24 | bytestream_get_le24(&buf);
            bitmap_frame_size -= 3;
        }
    } else {
        for (i = 0; i < palette_colors_count; ++i) {
-            cin->palette[buf[0]] = 0xFF << 24 | AV_RL24(buf+1);
-            buf += 4;
-            bitmap_frame_size -= 4;
+            cin->palette[buf[0]] = 0xFF << 24 | AV_RL24(buf + 1);
+            buf                 += 4;
+            bitmap_frame_size   -= 4;
        }
    }

-    /* note: the decoding routines below assumes that surface.width = surface.pitch */
+    bitmap_frame_size = FFMIN(cin->bitmap_size, bitmap_frame_size);
+
+    /* note: the decoding routines below assumes that
+     * surface.width = surface.pitch */
    switch (bitmap_frame_type) {
    case 9:
        cin_decode_rle(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 34:
        cin_decode_rle(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 35:
        cin_decode_huffman(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
+                           cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
        cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 36:
        bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
+                                               cin->bitmap_table[CIN_INT_BMP],
+                                               cin->bitmap_size);
        cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 37:
        cin_decode_huffman(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                           cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 38:
        res = cin_decode_lzss(buf, bitmap_frame_size,
@@ -277,24 +292,26 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
        if (res < 0)
            return res;
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    }

    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
-    if (avctx->reget_buffer(avctx, &cin->frame)) {
-        av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
-        return -1;
+    if ((res = avctx->reget_buffer(avctx, &cin->frame)) < 0) {
+        av_log(cin->avctx, AV_LOG_ERROR,
+               "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
+        return res;
    }

    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
    cin->frame.palette_has_changed = 1;
    for (y = 0; y < cin->avctx->height; ++y)
        memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0],
-          cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
-          cin->avctx->width);
+               cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
+               cin->avctx->width);

-    FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_table[CIN_PRE_BMP]);
+    FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP],
+                      cin->bitmap_table[CIN_PRE_BMP]);

    *data_size = sizeof(AVFrame);
    *(AVFrame *)data = cin->frame;
@@ -338,8 +355,8 @@ static av_cold int cinaudio_decode_init(AVCodecContext *avctx)
 static int cinaudio_decode_frame(AVCodecContext *avctx, void *data,
                                 int *got_frame_ptr, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
-    CinAudioContext *cin = avctx->priv_data;
+    const uint8_t *buf     = avpkt->data;
+    CinAudioContext *cin   = avctx->priv_data;
    const uint8_t *buf_end = buf + avpkt->size;
    int16_t *samples;
    int delta, ret;
@@ -355,13 +372,13 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data,
    delta = cin->delta;
    if (cin->initial_decode_frame) {
        cin->initial_decode_frame = 0;
-        delta = sign_extend(AV_RL16(buf), 16);
-        buf += 2;
-        *samples++ = delta;
+        delta                     = sign_extend(AV_RL16(buf), 16);
+        buf                      += 2;
+        *samples++                = delta;
    }
    while (buf < buf_end) {
-        delta += cinaudio_delta16_table[*buf++];
-        delta = av_clip_int16(delta);
+        delta     += cinaudio_delta16_table[*buf++];
+        delta      = av_clip_int16(delta);
        *samples++ = delta;
    }
    cin->delta = delta;
--- a/libavcodec/dsputil.c
+++ b/libavcodec/dsputil.c
@@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){

 static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
    long i;
-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
        long a = *(long*)(src+i);
        long b = *(long*)(dst+i);
        *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
        }
    }else
 #endif
-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
        long a = *(long*)(src1+i);
        long b = *(long*)(src2+i);
        *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
--- a/libavcodec/dsputil.h
+++ b/libavcodec/dsputil.h
@@ -33,6 +33,7 @@
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"

+typedef int emuedge_linesize_type;

 //#define DEBUG
 /* dct code */
--- a/libavcodec/dv.c
+++ b/libavcodec/dv.c
@@ -372,11 +372,6 @@ typedef struct BlockInfo {
 static const int vs_total_ac_bits = (100 * 4 + 68*2) * 5;
 static const int mb_area_start[5] = { 1, 6, 21, 43, 64 };

-static inline int put_bits_left(PutBitContext* s)
-{
-    return (s->buf_end - s->buf) * 8 - put_bits_count(s);
-}
-
 /* decode AC coefficients */
 static void dv_decode_ac(GetBitContext *gb, BlockInfo *mb, DCTELEM *block)
 {
--- a/libavcodec/dxa.c
+++ b/libavcodec/dxa.c
@@ -255,6 +255,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
    case 5:
        c->pic.key_frame = !(compr & 1);
        c->pic.pict_type = (compr & 1) ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
+
+        if (!tmpptr && !c->pic.key_frame) {
+            av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
        for(j = 0; j < avctx->height; j++){
            if(compr & 1){
                for(i = 0; i < avctx->width; i++)
--- a/libavcodec/eacmv.c
+++ b/libavcodec/eacmv.c
@@ -112,8 +112,8 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t *
            int yoffset = ((buf[i] >> 4)) - 7;
            if (s->last_frame.data[0])
                cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
-                          s->last_frame.data[0], s->last_frame.linesize[0],
-                          x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
+                            s->last_frame.data[0], s->last_frame.linesize[0],
+                            x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
        }
        i++;
    }
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -451,7 +451,7 @@ static av_always_inline int encode_line(FFV1Context *s, int w,
    int run_mode=0;

    if(s->ac){
-        if(c->bytestream_end - c->bytestream < w*20){
+        if(c->bytestream_end - c->bytestream < w*35){
            av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n");
            return -1;
        }
@@ -722,6 +722,10 @@ static av_cold int init_slice_contexts(FFV1Context *f){
    int i;

    f->slice_count= f->num_h_slices * f->num_v_slices;
+    if (f->slice_count <= 0) {
+        av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n");
+        return AVERROR(EINVAL);
+    }

    for(i=0; i<f->slice_count; i++){
        FFV1Context *fs= av_mallocz(sizeof(*fs));
--- a/libavcodec/flacdata.c
+++ b/libavcodec/flacdata.c
@@ -27,7 +27,7 @@ const int ff_flac_sample_rate_table[16] =
  8000, 16000, 22050, 24000, 32000, 44100, 48000, 96000,
  0, 0, 0, 0 };

-const int16_t ff_flac_blocksize_table[16] = {
+const int32_t ff_flac_blocksize_table[16] = {
     0,    192, 576<<0, 576<<1, 576<<2, 576<<3,      0,      0,
 256<<0, 256<<1, 256<<2, 256<<3, 256<<4, 256<<5, 256<<6, 256<<7
 };
--- a/libavcodec/flacdata.h
+++ b/libavcodec/flacdata.h
@@ -26,6 +26,6 @@

 extern const int ff_flac_sample_rate_table[16];

-extern const int16_t ff_flac_blocksize_table[16];
+extern const int32_t ff_flac_blocksize_table[16];

 #endif /* AVCODEC_FLACDATA_H */
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -388,6 +388,12 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
                    }
                    s->diff_start  = get_bits(&gb, 8);
                    s->diff_height = get_bits(&gb, 8);
+                    if (s->diff_start + s->diff_height > cur_blk_height) {
+                        av_log(avctx, AV_LOG_ERROR,
+                               "Block parameters invalid: %d + %d > %d\n",
+                               s->diff_start, s->diff_height, cur_blk_height);
+                        return AVERROR_INVALIDDATA;
+                    }
                    av_log(avctx, AV_LOG_DEBUG,
                           "%dx%d diff start %d height %d\n",
                           i, j, s->diff_start, s->diff_height);
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -142,6 +142,11 @@ static int decode_frame(AVCodecContext *avctx,
    const int planes = 3;
    enum PixelFormat pix_fmt;

+    if (buf_size < 4) {
+        av_log(avctx, AV_LOG_ERROR, "Packet is too short\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    header = AV_RL32(buf);
    version = header & 0xff;
    header_size = (header & (1<<30))? 8 : 4; /* bit 30 means pad to 8 bytes */
@@ -180,7 +185,7 @@ static int decode_frame(AVCodecContext *avctx,
    }
    avctx->pix_fmt = pix_fmt;

-    switch(version) {
+    switch (version) {
    case 0:
    default:
        /* Fraps v0 is a reordered YUV420 */
@@ -219,6 +224,7 @@ static int decode_frame(AVCodecContext *avctx,

    case 1:
        /* Fraps v1 is an upside-down BGR24 */
+
        if (avctx->reget_buffer(avctx, f)) {
            av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
            return -1;
--- a/libavcodec/get_bits.h
+++ b/libavcodec/get_bits.h
@@ -342,25 +342,33 @@ static inline int check_marker(GetBitContext *s, const char *msg)
 }

 /**
- * Inititalize GetBitContext.
- * @param buffer bitstream buffer, must be FF_INPUT_BUFFER_PADDING_SIZE bytes larger than the actual read bits
- * because some optimized bitstream readers read 32 or 64 bit at once and could read over the end
+ * Initialize GetBitContext.
+ * @param buffer bitstream buffer, must be FF_INPUT_BUFFER_PADDING_SIZE bytes
+ *        larger than the actual read bits because some optimized bitstream
+ *        readers read 32 or 64 bit at once and could read over the end
 * @param bit_size the size of the buffer in bits
+ * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would overflow.
 */
-static inline void init_get_bits(GetBitContext *s, const uint8_t *buffer,
-                                 int bit_size)
+static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
+                                int bit_size)
 {
-    int buffer_size = (bit_size+7)>>3;
-    if (buffer_size < 0 || bit_size < 0) {
+    int buffer_size;
+    int ret = 0;
+
+    if (bit_size > INT_MAX - 7 || bit_size < 0 || !buffer) {
        buffer_size = bit_size = 0;
        buffer = NULL;
+        ret = AVERROR_INVALIDDATA;
    }

+    buffer_size = (bit_size + 7) >> 3;
+
    s->buffer       = buffer;
    s->size_in_bits = bit_size;
    s->size_in_bits_plus8 = bit_size + 8;
    s->buffer_end   = buffer + buffer_size;
    s->index        = 0;
+    return ret;
 }

 static inline void align_get_bits(GetBitContext *s)
--- a/libavcodec/h261dec.c
+++ b/libavcodec/h261dec.c
@@ -287,7 +287,8 @@ static int h261_decode_mb(H261Context *h){
    // Read mtype
    h->mtype = get_vlc2(&s->gb, h261_mtype_vlc.table, H261_MTYPE_VLC_BITS, 2);
    if (h->mtype < 0) {
-        av_log(s->avctx, AV_LOG_ERROR, "illegal mtype %d\n", h->mtype);
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid mtype index %d\n",
+               h->mtype);
        return SLICE_ERROR;
    }
    h->mtype = h261_mtype_map[h->mtype];
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -106,10 +106,10 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){

 int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
    MpegEncContext * const s = &h->s;
-    static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
-    static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
+    static const int8_t top[4]  = { LEFT_DC_PRED8x8, 1, -1, -1 };
+    static const int8_t left[5] = { TOP_DC_PRED8x8, -1,  2, -1, DC_128_PRED8x8 };

-    if(mode > 6U) {
+    if(mode > 3U) {
        av_log(h->s.avctx, AV_LOG_ERROR, "out of range intra chroma pred mode at %d %d\n", s->mb_x, s->mb_y);
        return -1;
    }
@@ -1300,6 +1300,8 @@ int ff_h264_frame_start(H264Context *h){
    int i;
    const int pixel_shift = h->pixel_shift;

+    h->next_output_pic = NULL;
+
    if(MPV_frame_start(s, s->avctx) < 0)
        return -1;
    ff_er_frame_start(s);
@@ -1349,8 +1351,6 @@ int ff_h264_frame_start(H264Context *h){
    s->current_picture_ptr->field_poc[0]=
    s->current_picture_ptr->field_poc[1]= INT_MAX;

-    h->next_output_pic = NULL;
-
    assert(s->current_picture_ptr->long_ref==0);

    return 0;
@@ -2607,6 +2607,52 @@ int ff_h264_get_profile(SPS *sps)
    return profile;
 }

+static int h264_set_parameter_from_sps(H264Context *h)
+{
+    MpegEncContext *s = &h->s;
+
+    if (s->flags & CODEC_FLAG_LOW_DELAY ||
+        (h->sps.bitstream_restriction_flag &&
+         !h->sps.num_reorder_frames)) {
+        if (s->avctx->has_b_frames > 1 || h->delayed_pic[0])
+            av_log(h->s.avctx, AV_LOG_WARNING, "Delayed frames seen. "
+                   "Reenabling low delay requires a codec flush.\n");
+        else
+            s->low_delay = 1;
+    }
+
+    if (s->avctx->has_b_frames < 2)
+        s->avctx->has_b_frames = !s->low_delay;
+
+    if (s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma ||
+        h->cur_chroma_format_idc      != h->sps.chroma_format_idc) {
+        if (s->avctx->codec &&
+            s->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU &&
+            (h->sps.bit_depth_luma != 8 || h->sps.chroma_format_idc > 1)) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "VDPAU decoding does not support video colorspace.\n");
+            return AVERROR_INVALIDDATA;
+        }
+        if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) {
+            s->avctx->bits_per_raw_sample = h->sps.bit_depth_luma;
+            h->cur_chroma_format_idc      = h->sps.chroma_format_idc;
+            h->pixel_shift                = h->sps.bit_depth_luma > 8;
+
+            ff_h264dsp_init(&h->h264dsp, h->sps.bit_depth_luma,
+                            h->sps.chroma_format_idc);
+            ff_h264_pred_init(&h->hpc, s->codec_id, h->sps.bit_depth_luma,
+                              h->sps.chroma_format_idc);
+            s->dsp.dct_bits = h->sps.bit_depth_luma > 8 ? 32 : 16;
+            dsputil_init(&s->dsp, s->avctx);
+        } else {
+            av_log(s->avctx, AV_LOG_ERROR, "Unsupported bit depth: %d\n",
+                   h->sps.bit_depth_luma);
+            return AVERROR_INVALIDDATA;
+        }
+    }
+    return 0;
+}
+
 /**
 * Decode a slice header.
 * This will also call MPV_common_init() and frame_start() as needed.
@@ -2624,7 +2670,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    int num_ref_idx_active_override_flag;
    unsigned int slice_type, tmp, i, j;
    int default_ref_list_done = 0;
-    int last_pic_structure, last_pic_dropable;
+    int last_pic_structure, last_pic_dropable, ret;

    /* FIXME: 2tap qpel isn't implemented for high bit depth. */
    if((s->avctx->flags2 & CODEC_FLAG2_FAST) && !h->nal_ref_idc && !h->pixel_shift){
@@ -2672,7 +2718,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    h->slice_type= slice_type;
    h->slice_type_nos= slice_type & 3;

-    s->pict_type= h->slice_type; // to make a few old functions happy, it's wrong though
+    if (h->nal_unit_type  == NAL_IDR_SLICE &&
+        h->slice_type_nos != AV_PICTURE_TYPE_I) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "A non-intra slice in an IDR NAL unit.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    // to make a few old functions happy, it's wrong though
+    s->pict_type = h->slice_type;

    pps_id= get_ue_golomb(&s->gb);
    if(pps_id>=MAX_PPS_COUNT){
@@ -2689,7 +2742,17 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
        av_log(h->s.avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id);
        return -1;
    }
-    h->sps = *h0->sps_buffers[h->pps.sps_id];
+
+    if (h->pps.sps_id != h->current_sps_id ||
+        h0->sps_buffers[h->pps.sps_id]->new) {
+        h0->sps_buffers[h->pps.sps_id]->new = 0;
+
+        h->current_sps_id = h->pps.sps_id;
+        h->sps            = *h0->sps_buffers[h->pps.sps_id];
+
+        if ((ret = h264_set_parameter_from_sps(h)) < 0)
+            return ret;
+    }

    s->avctx->profile = ff_h264_get_profile(&h->sps);
    s->avctx->level   = h->sps.level_idc;
@@ -2989,8 +3052,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
               h->frame_num != (h->prev_frame_num + 1) % (1 << h->sps.log2_max_frame_num)) {
            Picture *prev = h->short_ref_count ? h->short_ref[0] : NULL;
            av_log(h->s.avctx, AV_LOG_DEBUG, "Frame num gap %d %d\n", h->frame_num, h->prev_frame_num);
-            if (ff_h264_frame_start(h) < 0)
+            if (ff_h264_frame_start(h) < 0) {
+                h0->s.first_field = 0;
                return -1;
+            }
            h->prev_frame_num++;
            h->prev_frame_num %= 1<<h->sps.log2_max_frame_num;
            s->current_picture_ptr->frame_num= h->prev_frame_num;
@@ -3224,8 +3289,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    }

    h->deblocking_filter = 1;
-    h->slice_alpha_c0_offset = 52;
-    h->slice_beta_offset = 52;
+    h->slice_alpha_c0_offset = 0;
+    h->slice_beta_offset = 0;
    if( h->pps.deblocking_filter_parameters_present ) {
        tmp= get_ue_golomb_31(&s->gb);
        if(tmp > 2){
@@ -3236,12 +3301,16 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
        if(h->deblocking_filter < 2)
            h->deblocking_filter^= 1; // 1<->0

-        if( h->deblocking_filter ) {
-            h->slice_alpha_c0_offset += get_se_golomb(&s->gb) << 1;
-            h->slice_beta_offset     += get_se_golomb(&s->gb) << 1;
-            if(   h->slice_alpha_c0_offset > 104U
-               || h->slice_beta_offset     > 104U){
-                av_log(s->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", h->slice_alpha_c0_offset, h->slice_beta_offset);
+        if (h->deblocking_filter) {
+            h->slice_alpha_c0_offset = get_se_golomb(&s->gb) * 2;
+            h->slice_beta_offset     = get_se_golomb(&s->gb) * 2;
+            if (h->slice_alpha_c0_offset >  12 ||
+                h->slice_alpha_c0_offset < -12 ||
+                h->slice_beta_offset >  12     ||
+                h->slice_beta_offset < -12) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "deblocking filter parameters %d %d out of range\n",
+                       h->slice_alpha_c0_offset, h->slice_beta_offset);
                return -1;
            }
        }
@@ -3270,14 +3339,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
            }
        }
    }
-    h->qp_thresh = 15 + 52 - FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset)
-                 - FFMAX3(0, h->pps.chroma_qp_index_offset[0], h->pps.chroma_qp_index_offset[1])
-                 + 6 * (h->sps.bit_depth_luma - 8);
-
-#if 0 //FMO
-    if( h->pps.num_slice_groups > 1  && h->pps.mb_slice_group_map_type >= 3 && h->pps.mb_slice_group_map_type <= 5)
-        slice_group_change_cycle= get_bits(&s->gb, ?);
-#endif
+    h->qp_thresh = 15 -
+                   FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) -
+                   FFMAX3(0,
+                          h->pps.chroma_qp_index_offset[0],
+                          h->pps.chroma_qp_index_offset[1]) +
+                   6 * (h->sps.bit_depth_luma - 8);

    h0->last_slice_type = slice_type;
    h->slice_num = ++h0->current_slice;
@@ -3338,7 +3405,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
               s->current_picture_ptr->field_poc[0], s->current_picture_ptr->field_poc[1],
               h->ref_count[0], h->ref_count[1],
               s->qscale,
-               h->deblocking_filter, h->slice_alpha_c0_offset/2-26, h->slice_beta_offset/2-26,
+               h->deblocking_filter,
+               h->slice_alpha_c0_offset, h->slice_beta_offset,
               h->use_weight,
               h->use_weight==1 && h->use_weight_chroma ? "c" : "",
               h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? "SPAT" : "TEMP") : ""
@@ -3821,6 +3889,12 @@ static int execute_decode_slices(H264Context *h, int context_count){
    H264Context *hx;
    int i;

+    if (s->mb_y >= s->mb_height) {
+        av_log(s->avctx, AV_LOG_ERROR,
+               "Input contains more MB rows than the frame height.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    if (s->avctx->hwaccel || s->avctx->codec->capabilities&CODEC_CAP_HWACCEL_VDPAU)
        return 0;
    if(context_count == 1) {
@@ -4033,12 +4107,24 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
            }
            break;
        case NAL_DPA:
+            if (s->flags2 & CODEC_FLAG2_CHUNKS) {
+                av_log(h->s.avctx, AV_LOG_ERROR,
+                       "Decoding in chunks is not supported for "
+                       "partitioned slices.\n");
+                return AVERROR(ENOSYS);
+            }
+
            init_get_bits(&hx->s.gb, ptr, bit_length);
            hx->intra_gb_ptr=
            hx->inter_gb_ptr= NULL;

-            if ((err = decode_slice_header(hx, h)) < 0)
+            if ((err = decode_slice_header(hx, h)) < 0) {
+                /* make sure data_partitioning is cleared if it was set
+                 * before, so we don't try decoding a slice without a valid
+                 * slice header later */
+                s->data_partitioning = 0;
                break;
+            }

            hx->s.data_partitioning = 1;

@@ -4073,24 +4159,9 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
                ff_h264_decode_seq_parameter_set(h);
            }

-            if (s->flags & CODEC_FLAG_LOW_DELAY ||
-                (h->sps.bitstream_restriction_flag &&
-                 !h->sps.num_reorder_frames)) {
-                if (s->avctx->has_b_frames > 1 || h->delayed_pic[0])
-                    av_log(avctx, AV_LOG_WARNING, "Delayed frames seen "
-                           "reenabling low delay requires a codec "
-                           "flush.\n");
-                else
-                    s->low_delay = 1;
-            }
-
-            if(avctx->has_b_frames < 2)
-                avctx->has_b_frames= !s->low_delay;
-
-            if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) {
-                av_log_missing_feature(s->avctx,
-                    "Different bit depth between chroma and luma", 1);
-                return AVERROR_PATCHWELCOME;
+            if (h264_set_parameter_from_sps(h) < 0) {
+                buf_index = -1;
+                goto end;
            }
            break;
        case NAL_PPS:
@@ -4115,9 +4186,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
            context_count = 0;
        }

-        if (err < 0)
+        if (err < 0) {
            av_log(h->s.avctx, AV_LOG_ERROR, "decode_slice_header error\n");
-        else if(err == 1) {
+            h->ref_count[0] = h->ref_count[1] = h->list_count = 0;
+        } else if (err == 1) {
            /* Slice could not be decoded in parallel mode, copy down
             * NAL unit stuff to context 0 and restart. Note that
             * rbsp_buffer is not transferred, but since we no longer
@@ -4168,6 +4240,9 @@ static int decode_frame(AVCodecContext *avctx,

    s->flags= avctx->flags;
    s->flags2= avctx->flags2;
+    /* reset data partitioning here, to ensure GetBitContexts from previous
+     * packets do not get used. */
+    s->data_partitioning = 0;

   /* end of stream, output what is still in the buffers */
    if (buf_size == 0) {
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -206,6 +206,7 @@ typedef struct SPS{
    int bit_depth_chroma;              ///< bit_depth_chroma_minus8 + 8
    int residual_color_transform_flag; ///< residual_colour_transform_flag
    int constraint_set_flags;          ///< constraint_set[0-3]_flag
+    int new;                           ///< flag to keep track if the decoder context needs re-init due to changed SPS
 }SPS;

 /**
@@ -332,6 +333,7 @@ typedef struct H264Context{
    int emu_edge_width;
    int emu_edge_height;

+    unsigned current_sps_id; ///< id of the current SPS
    SPS sps; ///< current sps

    /**
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -708,7 +708,7 @@ int ff_h264_decode_mb_cavlc(H264Context *h){
                down the code */
    if(h->slice_type_nos != AV_PICTURE_TYPE_I){
        if(s->mb_skip_run==-1)
-            s->mb_skip_run= get_ue_golomb(&s->gb);
+            s->mb_skip_run= get_ue_golomb_long(&s->gb);

        if (s->mb_skip_run--) {
            if(FRAME_MBAFF && (s->mb_y&1) == 0){
@@ -770,6 +770,10 @@ decode_intra_mb:

        // We assume these blocks are very rare so we do not optimize it.
        align_get_bits(&s->gb);
+        if (get_bits_left(&s->gb) < mb_size) {
+            av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n");
+            return AVERROR_INVALIDDATA;
+        }

        // The pixels are stored in the same order as levels in h->mb array.
        for(x=0; x < mb_size; x++){
--- a/libavcodec/h264_loopfilter.c
+++ b/libavcodec/h264_loopfilter.c
@@ -254,8 +254,8 @@ static av_always_inline void h264_filter_mb_fast_internal(H264Context *h,
    int top_type= h->top_type;

    int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;

    int mb_type = s->current_picture.f.mb_type[mb_xy];
    int qp      = s->current_picture.f.qscale_table[mb_xy];
@@ -715,8 +715,8 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint
    av_unused int dir;
    int chroma = !(CONFIG_GRAY && (s->flags&CODEC_FLAG_GRAY));
    int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;

    if (FRAME_MBAFF
            // and current and left pair do not have the same interlaced type
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -156,7 +156,7 @@ pps:
            goto fail;

        /* prepend only to the first type 5 NAL unit of an IDR picture */
-        if (ctx->first_idr && unit_type == 5) {
+        if (ctx->first_idr && (unit_type == 5 || unit_type == 7 || unit_type == 8)) {
            if ((ret=alloc_and_copy(poutbuf, poutbuf_size,
                               avctx->extradata, avctx->extradata_size,
                               buf, nal_size)) < 0)
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -250,7 +250,9 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){
        }

        if(sps->num_reorder_frames > 16U /*max_dec_frame_buffering || max_dec_frame_buffering > 16*/){
-            av_log(h->s.avctx, AV_LOG_ERROR, "illegal num_reorder_frames %d\n", sps->num_reorder_frames);
+            av_log(h->s.avctx, AV_LOG_ERROR, "Clipping illegal num_reorder_frames %d\n",
+                   sps->num_reorder_frames);
+            sps->num_reorder_frames = 16;
            return -1;
        }
    }
@@ -368,6 +370,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
                   sps->bit_depth_luma, sps->bit_depth_chroma);
            goto fail;
        }
+        if (sps->bit_depth_chroma != sps->bit_depth_luma) {
+            av_log_missing_feature(s->avctx,
+                "Different bit depth between chroma and luma", 1);
+            goto fail;
+        }
        sps->transform_bypass = get_bits1(&s->gb);
        decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8);
    }else{
@@ -487,10 +494,13 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
               sps->bit_depth_luma
               );
    }
+    sps->new = 1;

    av_free(h->sps_buffers[sps_id]);
-    h->sps_buffers[sps_id]= sps;
-    h->sps = *sps;
+    h->sps_buffers[sps_id] = sps;
+    h->sps                 = *sps;
+    h->current_sps_id      = sps_id;
+
    return 0;
 fail:
    av_free(sps);
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -63,20 +63,22 @@ static int split_field_copy(Picture *dest, Picture *src,
    return match;
 }

-static int build_def_list(Picture *def, Picture **in, int len, int is_long, int sel){
+static int build_def_list(Picture *def, int def_len,
+                          Picture **in, int len, int is_long, int sel)
+{
    int i[2]={0};
    int index=0;

-    while(i[0]<len || i[1]<len){
+    while ((i[0] < len || i[1] < len) && index < def_len) {
        while (i[0] < len && !(in[ i[0] ] && (in[ i[0] ]->f.reference & sel)))
            i[0]++;
        while (i[1] < len && !(in[ i[1] ] && (in[ i[1] ]->f.reference & (sel^3))))
            i[1]++;
-        if(i[0] < len){
+        if (i[0] < len && index < def_len) {
            in[ i[0] ]->pic_id= is_long ? i[0] : in[ i[0] ]->frame_num;
            split_field_copy(&def[index++], in[ i[0]++ ], sel  , 1);
        }
-        if(i[1] < len){
+        if (i[1] < len && index < def_len) {
            in[ i[1] ]->pic_id= is_long ? i[1] : in[ i[1] ]->frame_num;
            split_field_copy(&def[index++], in[ i[1]++ ], sel^3, 0);
        }
@@ -124,9 +126,12 @@ int ff_h264_fill_default_ref_list(H264Context *h){
            len= add_sorted(sorted    , h->short_ref, h->short_ref_count, cur_poc, 1^list);
            len+=add_sorted(sorted+len, h->short_ref, h->short_ref_count, cur_poc, 0^list);
            assert(len<=32);
-            len= build_def_list(h->default_ref_list[list]    , sorted     , len, 0, s->picture_structure);
-            len+=build_def_list(h->default_ref_list[list]+len, h->long_ref, 16 , 1, s->picture_structure);
-            assert(len<=32);
+
+            len  = build_def_list(h->default_ref_list[list], FF_ARRAY_ELEMS(h->default_ref_list[0]),
+                                  sorted, len, 0, s->picture_structure);
+            len += build_def_list(h->default_ref_list[list] + len,
+                                  FF_ARRAY_ELEMS(h->default_ref_list[0]) - len,
+                                  h->long_ref, 16, 1, s->picture_structure);

            if(len < h->ref_count[list])
                memset(&h->default_ref_list[list][len], 0, sizeof(Picture)*(h->ref_count[list] - len));
@@ -139,9 +144,12 @@ int ff_h264_fill_default_ref_list(H264Context *h){
                FFSWAP(Picture, h->default_ref_list[1][0], h->default_ref_list[1][1]);
        }
    }else{
-        len = build_def_list(h->default_ref_list[0]    , h->short_ref, h->short_ref_count, 0, s->picture_structure);
-        len+= build_def_list(h->default_ref_list[0]+len, h-> long_ref, 16                , 1, s->picture_structure);
-        assert(len <= 32);
+        len  = build_def_list(h->default_ref_list[0], FF_ARRAY_ELEMS(h->default_ref_list[0]),
+                              h->short_ref, h->short_ref_count, 0, s->picture_structure);
+        len += build_def_list(h->default_ref_list[0] + len,
+                              FF_ARRAY_ELEMS(h->default_ref_list[0]) - len,
+                              h-> long_ref, 16, 1, s->picture_structure);
+
        if(len < h->ref_count[0])
            memset(&h->default_ref_list[0][len], 0, sizeof(Picture)*(h->ref_count[0] - len));
    }
@@ -516,7 +524,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){
            if(!pic){
                if(mmco[i].opcode != MMCO_SHORT2LONG || !h->long_ref[mmco[i].long_arg]
                   || h->long_ref[mmco[i].long_arg]->frame_num != frame_num) {
-                    av_log(h->s.avctx, AV_LOG_ERROR, "mmco: unref short failure\n");
+                    av_log(h->s.avctx, h->short_ref_count ? AV_LOG_ERROR : AV_LOG_DEBUG, "mmco: unref short failure\n");
                    err = AVERROR_INVALIDDATA;
                }
                continue;
@@ -653,7 +661,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){
    print_short_term(h);
    print_long_term(h);

-    if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=1 + (s->picture_structure != PICT_FRAME) && s->current_picture_ptr->f.pict_type == AV_PICTURE_TYPE_I){
+    if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=2 + (s->picture_structure != PICT_FRAME) && s->current_picture_ptr->f.pict_type == AV_PICTURE_TYPE_I){
        s->current_picture_ptr->sync |= 1;
        if(!h->s.avctx->has_b_frames)
            h->sync = 2;
--- a/libavcodec/h264dsp.c
+++ b/libavcodec/h264dsp.c
@@ -53,13 +53,13 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo
    c->h264_idct8_dc_add= FUNC(ff_h264_idct8_dc_add, depth);\
    c->h264_idct_add16     = FUNC(ff_h264_idct_add16, depth);\
    c->h264_idct8_add4     = FUNC(ff_h264_idct8_add4, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_idct_add8  = FUNC(ff_h264_idct_add8, depth);\
    else\
        c->h264_idct_add8  = FUNC(ff_h264_idct_add8_422, depth);\
    c->h264_idct_add16intra= FUNC(ff_h264_idct_add16intra, depth);\
    c->h264_luma_dc_dequant_idct= FUNC(ff_h264_luma_dc_dequant_idct, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma_dc_dequant_idct, depth);\
    else\
        c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma422_dc_dequant_idct, depth);\
@@ -80,20 +80,20 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo
    c->h264_h_loop_filter_luma_intra= FUNC(h264_h_loop_filter_luma_intra, depth);\
    c->h264_h_loop_filter_luma_mbaff_intra= FUNC(h264_h_loop_filter_luma_mbaff_intra, depth);\
    c->h264_v_loop_filter_chroma= FUNC(h264_v_loop_filter_chroma, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma, depth);\
    else\
        c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma422, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma_mbaff, depth);\
    else\
        c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma422_mbaff, depth);\
    c->h264_v_loop_filter_chroma_intra= FUNC(h264_v_loop_filter_chroma_intra, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma_intra, depth);\
    else\
        c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma422_intra, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma_mbaff_intra, depth);\
    else\
        c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma422_mbaff_intra, depth);\
--- a/libavcodec/h264pred.c
+++ b/libavcodec/h264pred.c
@@ -434,7 +434,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
    h->pred8x8l[TOP_DC_PRED         ]= FUNCC(pred8x8l_top_dc              , depth);\
    h->pred8x8l[DC_128_PRED         ]= FUNCC(pred8x8l_128_dc              , depth);\
 \
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
        h->pred8x8[VERT_PRED8x8   ]= FUNCC(pred8x8_vertical               , depth);\
        h->pred8x8[HOR_PRED8x8    ]= FUNCC(pred8x8_horizontal             , depth);\
    } else {\
@@ -442,7 +442,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
        h->pred8x8[HOR_PRED8x8    ]= FUNCC(pred8x16_horizontal            , depth);\
    }\
    if (codec_id != CODEC_ID_VP8) {\
-        if (chroma_format_idc == 1) {\
+        if (chroma_format_idc <= 1) {\
            h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x8_plane                , depth);\
        } else {\
            h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x16_plane               , depth);\
@@ -450,7 +450,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
    } else\
        h->pred8x8[PLANE_PRED8x8]= FUNCD(pred8x8_tm_vp8);\
    if(codec_id != CODEC_ID_RV40 && codec_id != CODEC_ID_VP8){\
-        if (chroma_format_idc == 1) {\
+        if (chroma_format_idc <= 1) {\
            h->pred8x8[DC_PRED8x8     ]= FUNCC(pred8x8_dc                     , depth);\
            h->pred8x8[LEFT_DC_PRED8x8]= FUNCC(pred8x8_left_dc                , depth);\
            h->pred8x8[TOP_DC_PRED8x8 ]= FUNCC(pred8x8_top_dc                 , depth);\
@@ -476,7 +476,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
            h->pred8x8[DC_129_PRED8x8]= FUNCC(pred8x8_129_dc              , depth);\
        }\
    }\
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
        h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x8_128_dc                 , depth);\
    } else {\
        h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x16_128_dc                , depth);\
@@ -510,7 +510,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co
    h->pred4x4_add  [ HOR_PRED   ]= FUNCC(pred4x4_horizontal_add          , depth);\
    h->pred8x8l_add [VERT_PRED   ]= FUNCC(pred8x8l_vertical_add           , depth);\
    h->pred8x8l_add [ HOR_PRED   ]= FUNCC(pred8x8l_horizontal_add         , depth);\
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
    h->pred8x8_add  [VERT_PRED8x8]= FUNCC(pred8x8_vertical_add            , depth);\
    h->pred8x8_add  [ HOR_PRED8x8]= FUNCC(pred8x8_horizontal_add          , depth);\
    } else {\
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -514,7 +514,7 @@ static int decode_frame_ilbm(AVCodecContext *avctx,
        }
    } else if (avctx->codec_tag == MKTAG('I','L','B','M')) { // interleaved
        if (avctx->pix_fmt == PIX_FMT_PAL8 || avctx->pix_fmt == PIX_FMT_GRAY8) {
-            for(y = 0; y < avctx->height; y++ ) {
+            for (y = 0; y < avctx->height && buf < buf_end; y++ ) {
                uint8_t *row = &s->frame.data[0][ y*s->frame.linesize[0] ];
                memset(row, 0, avctx->width);
                for (plane = 0; plane < s->bpp && buf < buf_end; plane++) {
--- a/libavcodec/imc.c
+++ b/libavcodec/imc.c
@@ -365,6 +365,10 @@ static int bit_allocation (IMCContext* q, int stream_format_code, int freebits,
        iacc += q->bandWidthT[i];
        summa += q->bandWidthT[i] * q->flcoeffs4[i];
    }
+
+    if (!iacc)
+        return AVERROR_INVALIDDATA;
+
    q->bandWidthT[BANDS-1] = 0;
    summa = (summa * 0.5 - freebits) / iacc;

--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -222,7 +222,7 @@ static av_cold void free_frame_buffers(Indeo3DecodeContext *ctx)
 *  @param plane    pointer to the plane descriptor
 *  @param cell     pointer to the cell  descriptor
 */
-static void copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell)
+static int copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell)
 {
    int     h, w, mv_x, mv_y, offset, offset_dst;
    uint8_t *src, *dst;
@@ -235,6 +235,16 @@ static void copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell)
    mv_x        = cell->mv_ptr[1];
    }else
        mv_x= mv_y= 0;
+
+    /* -1 because there is an extra line on top for prediction */
+    if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 ||
+        ((cell->ypos + cell->height) << 2) + mv_y > plane->height     ||
+        ((cell->xpos + cell->width)  << 2) + mv_x > plane->width) {
+        av_log(ctx->avctx, AV_LOG_ERROR,
+               "Motion vectors point out of the frame.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    offset      = offset_dst + mv_y * plane->pitch + mv_x;
    src         = plane->pixels[ctx->buf_sel ^ 1] + offset;

@@ -262,6 +272,8 @@ static void copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell)
            dst += 4;
        }
    }
+
+    return 0;
 }


@@ -587,11 +599,23 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
    } else if (mode >= 10) {
        /* for mode 10 and 11 INTER first copy the predicted cell into the current one */
        /* so we don't need to do data copying for each RLE code later */
-        copy_cell(ctx, plane, cell);
+        int ret = copy_cell(ctx, plane, cell);
+        if (ret < 0)
+            return ret;
    } else {
        /* set the pointer to the reference pixels for modes 0-4 INTER */
        mv_y      = cell->mv_ptr[0];
        mv_x      = cell->mv_ptr[1];
+
+        /* -1 because there is an extra line on top for prediction */
+        if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 ||
+            ((cell->ypos + cell->height) << 2) + mv_y > plane->height     ||
+            ((cell->xpos + cell->width)  << 2) + mv_x > plane->width) {
+            av_log(ctx->avctx, AV_LOG_ERROR,
+                   "Motion vectors point out of the frame.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
        offset   += mv_y * plane->pitch + mv_x;
        ref_block = plane->pixels[ctx->buf_sel ^ 1] + offset;
    }
@@ -723,7 +747,7 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
                         const int depth, const int strip_width)
 {
    Cell    curr_cell;
-    int     bytes_used;
+    int     bytes_used, ret;

    if (depth <= 0) {
        av_log(avctx, AV_LOG_ERROR, "Stack overflow (corrupted binary tree)!\n");
@@ -774,8 +798,8 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
                CHECK_CELL
                if (!curr_cell.mv_ptr)
                    return AVERROR_INVALIDDATA;
-                copy_cell(ctx, plane, &curr_cell);
-                return 0;
+                ret = copy_cell(ctx, plane, &curr_cell);
+                return ret;
            }
            break;
        case INTER_DATA:
@@ -858,17 +882,20 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
 static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
                                const uint8_t *buf, int buf_size)
 {
-    const uint8_t   *buf_ptr = buf, *bs_hdr;
+    GetByteContext gb;
+    const uint8_t   *bs_hdr;
    uint32_t        frame_num, word2, check_sum, data_size;
    uint32_t        y_offset, u_offset, v_offset, starts[3], ends[3];
    uint16_t        height, width;
    int             i, j;

+    bytestream2_init(&gb, buf, buf_size);
+
    /* parse and check the OS header */
-    frame_num = bytestream_get_le32(&buf_ptr);
-    word2     = bytestream_get_le32(&buf_ptr);
-    check_sum = bytestream_get_le32(&buf_ptr);
-    data_size = bytestream_get_le32(&buf_ptr);
+    frame_num = bytestream2_get_le32(&gb);
+    word2     = bytestream2_get_le32(&gb);
+    check_sum = bytestream2_get_le32(&gb);
+    data_size = bytestream2_get_le32(&gb);

    if ((frame_num ^ word2 ^ data_size ^ OS_HDR_ID) != check_sum) {
        av_log(avctx, AV_LOG_ERROR, "OS header checksum mismatch!\n");
@@ -876,28 +903,27 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
    }

    /* parse the bitstream header */
-    bs_hdr = buf_ptr;
+    bs_hdr = gb.buffer;

-    if (bytestream_get_le16(&buf_ptr) != 32) {
+    if (bytestream2_get_le16(&gb) != 32) {
        av_log(avctx, AV_LOG_ERROR, "Unsupported codec version!\n");
        return AVERROR_INVALIDDATA;
    }

    ctx->frame_num   =  frame_num;
-    ctx->frame_flags =  bytestream_get_le16(&buf_ptr);
-    ctx->data_size   = (bytestream_get_le32(&buf_ptr) + 7) >> 3;
-    ctx->cb_offset   = *buf_ptr++;
+    ctx->frame_flags =  bytestream2_get_le16(&gb);
+    ctx->data_size   = (bytestream2_get_le32(&gb) + 7) >> 3;
+    ctx->cb_offset   =  bytestream2_get_byte(&gb);

    if (ctx->data_size == 16)
        return 4;
-    if (ctx->data_size > buf_size)
-        ctx->data_size = buf_size;
+    ctx->data_size = FFMIN(ctx->data_size, buf_size - 16);

-    buf_ptr += 3; // skip reserved byte and checksum
+    bytestream2_skip(&gb, 3); // skip reserved byte and checksum

    /* check frame dimensions */
-    height = bytestream_get_le16(&buf_ptr);
-    width  = bytestream_get_le16(&buf_ptr);
+    height = bytestream2_get_le16(&gb);
+    width  = bytestream2_get_le16(&gb);
    if (av_image_check_size(width, height, 0, avctx))
        return AVERROR_INVALIDDATA;

@@ -923,9 +949,10 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
        avcodec_set_dimensions(avctx, width, height);
    }

-    y_offset = bytestream_get_le32(&buf_ptr);
-    v_offset = bytestream_get_le32(&buf_ptr);
-    u_offset = bytestream_get_le32(&buf_ptr);
+    y_offset = bytestream2_get_le32(&gb);
+    v_offset = bytestream2_get_le32(&gb);
+    u_offset = bytestream2_get_le32(&gb);
+    bytestream2_skip(&gb, 4);

    /* unfortunately there is no common order of planes in the buffer */
    /* so we use that sorting algo for determining planes data sizes  */
@@ -944,6 +971,7 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
    ctx->v_data_size = ends[1] - starts[1];
    ctx->u_data_size = ends[2] - starts[2];
    if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 ||
+        FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 ||
        FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) {
        av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n");
        return AVERROR_INVALIDDATA;
@@ -952,7 +980,7 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
    ctx->y_data_ptr = bs_hdr + y_offset;
    ctx->v_data_ptr = bs_hdr + v_offset;
    ctx->u_data_ptr = bs_hdr + u_offset;
-    ctx->alt_quant  = buf_ptr + sizeof(uint32_t);
+    ctx->alt_quant  = gb.buffer;

    if (ctx->data_size == 16) {
        av_log(avctx, AV_LOG_DEBUG, "Sync frame encountered!\n");
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -211,6 +211,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
    if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) {
        if (ff_ivi_init_planes(ctx->planes, &pic_conf)) {
            av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n");
+            ctx->pic_conf.luma_bands = 0;
            return AVERROR(ENOMEM);
        }

@@ -348,12 +349,25 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
            band->inv_transform = transforms[transform_id].inv_trans;
            band->dc_transform  = transforms[transform_id].dc_trans;
            band->is_2d_trans   = transforms[transform_id].is_2d_trans;
+            if (transform_id < 10)
+                band->transform_size = 8;
+            else
+                band->transform_size = 4;
+
+            if (band->blk_size != band->transform_size)
+                return AVERROR_INVALIDDATA;

            scan_indx = get_bits(&ctx->gb, 4);
            if (scan_indx == 15) {
                av_log(avctx, AV_LOG_ERROR, "Custom scan pattern encountered!\n");
                return AVERROR_INVALIDDATA;
            }
+            if (scan_indx > 4 && scan_indx < 10) {
+                if (band->blk_size != 4)
+                    return AVERROR_INVALIDDATA;
+            } else if (band->blk_size != 8)
+                return AVERROR_INVALIDDATA;
+
            band->scan = scan_index_to_tab[scan_indx];

            band->quant_mat = get_bits(&ctx->gb, 5);
@@ -361,6 +375,11 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
                av_log(avctx, AV_LOG_ERROR, "Custom quant matrix encountered!\n");
                return AVERROR_INVALIDDATA;
            }
+            if (band->quant_mat >= FF_ARRAY_ELEMS(quant_index_to_tab)) {
+                av_log_ask_for_sample(avctx, "Quantization matrix %d",
+                                      band->quant_mat);
+                return AVERROR_INVALIDDATA;
+            }
        }

        /* decode block huffman codebook */
@@ -463,7 +482,7 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band,
                }

                mb->mv_x = mb->mv_y = 0; /* no motion vector coded */
-                if (band->inherit_mv) {
+                if (band->inherit_mv && ref_mb) {
                    /* motion vector inheritance */
                    if (mv_scale) {
                        mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale);
@@ -475,7 +494,10 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band,
                }
            } else {
                if (band->inherit_mv) {
-                    mb->type = ref_mb->type; /* copy mb_type from corresponding reference mb */
+                    /* copy mb_type from corresponding reference mb */
+                    if (!ref_mb)
+                        return AVERROR_INVALIDDATA;
+                    mb->type = ref_mb->type;
                } else if (ctx->frame_type == FRAMETYPE_INTRA) {
                    mb->type = 0; /* mb_type is always INTRA for intra-frames */
                } else {
@@ -498,14 +520,15 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band,
                    mb->mv_x = mb->mv_y = 0; /* there is no motion vector in intra-macroblocks */
                } else {
                    if (band->inherit_mv) {
-                        /* motion vector inheritance */
-                        if (mv_scale) {
-                            mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale);
-                            mb->mv_y = ivi_scale_mv(ref_mb->mv_y, mv_scale);
-                        } else {
-                            mb->mv_x = ref_mb->mv_x;
-                            mb->mv_y = ref_mb->mv_y;
-                        }
+                        if (ref_mb)
+                            /* motion vector inheritance */
+                            if (mv_scale) {
+                                mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale);
+                                mb->mv_y = ivi_scale_mv(ref_mb->mv_y, mv_scale);
+                            } else {
+                                mb->mv_x = ref_mb->mv_x;
+                                mb->mv_y = ref_mb->mv_y;
+                            }
                    } else {
                        /* decode motion vector deltas */
                        mv_delta = get_vlc2(&ctx->gb, ctx->mb_vlc.tab->table,
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -74,7 +74,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx)
    tile_size = (ctx->gop_flags & 0x40) ? 64 << get_bits(&ctx->gb, 2) : 0;
    if (tile_size > 256) {
        av_log(avctx, AV_LOG_ERROR, "Invalid tile size: %d\n", tile_size);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    /* decode number of wavelet bands */
@@ -85,7 +85,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx)
    if (is_scalable && (pic_conf.luma_bands != 4 || pic_conf.chroma_bands != 1)) {
        av_log(avctx, AV_LOG_ERROR, "Scalability: unsupported subdivision! Luma bands: %d, chroma bands: %d\n",
               pic_conf.luma_bands, pic_conf.chroma_bands);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    pic_size_indx = get_bits(&ctx->gb, 4);
@@ -98,8 +98,8 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx)
    }

    if (ctx->gop_flags & 2) {
-        av_log(avctx, AV_LOG_ERROR, "YV12 picture format not supported!\n");
-        return -1;
+        av_log_missing_feature(avctx, "YV12 picture format", 0);
+        return AVERROR_PATCHWELCOME;
    }

    pic_conf.chroma_height = (pic_conf.pic_height + 3) >> 2;
@@ -113,11 +113,11 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx)
    }

    /* check if picture layout was changed and reallocate buffers */
-    if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) {
+    if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf) || ctx->gop_invalid) {
        result = ff_ivi_init_planes(ctx->planes, &pic_conf);
-        if (result) {
+        if (result < 0) {
            av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n");
-            return -1;
+            return result;
        }
        ctx->pic_conf = pic_conf;
        ctx->is_scalable = is_scalable;
@@ -141,46 +141,54 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx)
            }

            if (get_bits1(&ctx->gb)) {
-                av_log(avctx, AV_LOG_ERROR, "Extended transform info encountered!\n");
-                return -1;
+                av_log_missing_feature(avctx, "Extended transform info", 0);
+                return AVERROR_PATCHWELCOME;
            }

            /* select transform function and scan pattern according to plane and band number */
            switch ((p << 2) + i) {
            case 0:
-                band->inv_transform = ff_ivi_inverse_slant_8x8;
-                band->dc_transform  = ff_ivi_dc_slant_2d;
-                band->scan          = ff_zigzag_direct;
+                band->inv_transform  = ff_ivi_inverse_slant_8x8;
+                band->dc_transform   = ff_ivi_dc_slant_2d;
+                band->scan           = ff_zigzag_direct;
+                band->transform_size = 8;
                break;

            case 1:
-                band->inv_transform = ff_ivi_row_slant8;
-                band->dc_transform  = ff_ivi_dc_row_slant;
-                band->scan          = ff_ivi_vertical_scan_8x8;
+                band->inv_transform  = ff_ivi_row_slant8;
+                band->dc_transform   = ff_ivi_dc_row_slant;
+                band->scan           = ff_ivi_vertical_scan_8x8;
+                band->transform_size = 8;
                break;

            case 2:
-                band->inv_transform = ff_ivi_col_slant8;
-                band->dc_transform  = ff_ivi_dc_col_slant;
-                band->scan          = ff_ivi_horizontal_scan_8x8;
+                band->inv_transform  = ff_ivi_col_slant8;
+                band->dc_transform   = ff_ivi_dc_col_slant;
+                band->scan           = ff_ivi_horizontal_scan_8x8;
+                band->transform_size = 8;
                break;

            case 3:
-                band->inv_transform = ff_ivi_put_pixels_8x8;
-                band->dc_transform  = ff_ivi_put_dc_pixel_8x8;
-                band->scan          = ff_ivi_horizontal_scan_8x8;
+                band->inv_transform  = ff_ivi_put_pixels_8x8;
+                band->dc_transform   = ff_ivi_put_dc_pixel_8x8;
+                band->scan           = ff_ivi_horizontal_scan_8x8;
+                band->transform_size = 8;
                break;

            case 4:
-                band->inv_transform = ff_ivi_inverse_slant_4x4;
-                band->dc_transform  = ff_ivi_dc_slant_2d;
-                band->scan          = ff_ivi_direct_scan_4x4;
+                band->inv_transform  = ff_ivi_inverse_slant_4x4;
+                band->dc_transform   = ff_ivi_dc_slant_2d;
+                band->scan           = ff_ivi_direct_scan_4x4;
+                band->transform_size = 4;
                break;
            }

            band->is_2d_trans = band->inv_transform == ff_ivi_inverse_slant_8x8 ||
                                band->inv_transform == ff_ivi_inverse_slant_4x4;

+            if (band->transform_size != band->blk_size)
+                return AVERROR_INVALIDDATA;
+
            /* select dequant matrix according to plane and band number */
            if (!p) {
                quant_mat = (pic_conf.luma_bands > 1) ? i+1 : 0;
@@ -206,7 +214,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx)

            if (get_bits(&ctx->gb, 2)) {
                av_log(avctx, AV_LOG_ERROR, "End marker missing!\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
        }
    }
@@ -235,17 +243,17 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx)
    if (blk_size_changed) {
        result = ff_ivi_init_tiles(ctx->planes, pic_conf.tile_width,
                                   pic_conf.tile_height);
-        if (result) {
+        if (result < 0) {
            av_log(avctx, AV_LOG_ERROR,
                   "Couldn't reallocate internal structures!\n");
-            return -1;
+            return result;
        }
    }

    if (ctx->gop_flags & 8) {
        if (get_bits(&ctx->gb, 3)) {
            av_log(avctx, AV_LOG_ERROR, "Alignment bits are not zero!\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }

        if (get_bits1(&ctx->gb))
@@ -294,25 +302,27 @@ static inline void skip_hdr_extension(GetBitContext *gb)
 */
 static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
 {
+    int ret;
+
    if (get_bits(&ctx->gb, 5) != 0x1F) {
        av_log(avctx, AV_LOG_ERROR, "Invalid picture start code!\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    ctx->prev_frame_type = ctx->frame_type;
    ctx->frame_type      = get_bits(&ctx->gb, 3);
    if (ctx->frame_type >= 5) {
        av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", ctx->frame_type);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    ctx->frame_num = get_bits(&ctx->gb, 8);

    if (ctx->frame_type == FRAMETYPE_INTRA) {
-        ctx->gop_invalid = 1;
-        if (decode_gop_header(ctx, avctx)) {
+        if ((ret = decode_gop_header(ctx, avctx)) < 0) {
            av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n");
-            return AVERROR_INVALIDDATA;
+            ctx->gop_invalid = 1;
+            return ret;
        }
        ctx->gop_invalid = 0;
    }
@@ -329,8 +339,10 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
            skip_hdr_extension(&ctx->gb); /* XXX: untested */

        /* decode macroblock huffman codebook */
-        if (ff_ivi_dec_huff_desc(&ctx->gb, ctx->frame_flags & 0x40, IVI_MB_HUFF, &ctx->mb_vlc, avctx))
-            return -1;
+        ret = ff_ivi_dec_huff_desc(&ctx->gb, ctx->frame_flags & 0x40,
+                                   IVI_MB_HUFF, &ctx->mb_vlc, avctx);
+        if (ret < 0)
+            return ret;

        skip_bits(&ctx->gb, 3); /* FIXME: unknown meaning! */
    }
@@ -352,7 +364,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
 static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
                           AVCodecContext *avctx)
 {
-    int         i;
+    int         i, ret;
    uint8_t     band_flags;

    band_flags = get_bits(&ctx->gb, 8);
@@ -376,7 +388,7 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
        if (band->num_corr > 61) {
            av_log(avctx, AV_LOG_ERROR, "Too many corrections: %d\n",
                   band->num_corr);
-            return -1;
+            return AVERROR_INVALIDDATA;
        }

        /* read correction pairs */
@@ -388,8 +400,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
    band->rvmap_sel = (band_flags & 0x40) ? get_bits(&ctx->gb, 3) : 8;

    /* decode block huffman codebook */
-    if (ff_ivi_dec_huff_desc(&ctx->gb, band_flags & 0x80, IVI_BLK_HUFF, &band->blk_vlc, avctx))
-        return -1;
+    ret = ff_ivi_dec_huff_desc(&ctx->gb, band_flags & 0x80, IVI_BLK_HUFF,
+                               &band->blk_vlc, avctx);
+    if (ret < 0)
+        return ret;

    band->checksum_present = get_bits1(&ctx->gb);
    if (band->checksum_present)
@@ -456,7 +470,7 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band,
            if (get_bits1(&ctx->gb)) {
                if (ctx->frame_type == FRAMETYPE_INTRA) {
                    av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA picture!\n");
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                }
                mb->type = 1; /* empty macroblocks are always INTER */
                mb->cbp  = 0; /* all blocks are empty */
@@ -622,7 +636,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    result = ff_ivi_init_planes(ctx->planes, &ctx->pic_conf);
    if (result) {
        av_log(avctx, AV_LOG_ERROR, "Couldn't allocate color planes!\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    ctx->buf_switch = 0;
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -755,6 +755,8 @@ int ff_h263_decode_mb(MpegEncContext *s,
        }

        if(IS_DIRECT(mb_type)){
+            if (!s->pp_time)
+                return AVERROR_INVALIDDATA;
            s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT;
            mb_type |= ff_mpeg4_set_direct_mv(s, 0, 0);
        }else{
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -39,6 +39,29 @@ extern const IVIHuffDesc ff_ivi_blk_huff_desc[8]; ///< static block huffman tabl
 VLC ff_ivi_mb_vlc_tabs [8];
 VLC ff_ivi_blk_vlc_tabs[8];

+typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf,
+                             uint32_t pitch, int mc_type);
+
+static int ivi_mc(IVIBandDesc *band, ivi_mc_func mc,
+                  int offs, int mv_x, int mv_y, int mc_type)
+{
+    int ref_offs = offs + mv_y * band->pitch + mv_x;
+    int buf_size = band->pitch * band->aheight;
+    int min_size = band->pitch * (band->blk_size - 1) + band->blk_size;
+    int ref_size = (mc_type > 1) * band->pitch + (mc_type & 1);
+
+    if (offs < 0 || ref_offs < 0 || !band->ref_buf)
+        return AVERROR_INVALIDDATA;
+    if (buf_size - min_size < offs)
+        return AVERROR_INVALIDDATA;
+    if (buf_size - min_size - ref_size < ref_offs)
+        return AVERROR_INVALIDDATA;
+
+    mc(band->buf + offs, band->ref_buf + ref_offs, band->pitch, mc_type);
+
+    return 0;
+}
+
 /**
 *  Reverse "nbits" bits of the value "val" and return the result
 *  in the least significant bits.
@@ -48,9 +71,10 @@ static uint16_t inv_bits(uint16_t val, int nbits)
    uint16_t res;

    if (nbits <= 8) {
-        res = av_reverse[val] >> (8-nbits);
+        res = av_reverse[val] >> (8 - nbits);
    } else
-        res = ((av_reverse[val & 0xFF] << 8) + (av_reverse[val >> 8])) >> (16-nbits);
+        res = ((av_reverse[val & 0xFF] << 8) +
+               (av_reverse[val >> 8])) >> (16 - nbits);

    return res;
 }
@@ -74,7 +98,7 @@ int ff_ivi_create_huff_from_desc(const IVIHuffDesc *cb, VLC *vlc, int flag)

            bits[pos] = i + cb->xbits[i] + not_last_row;
            if (bits[pos] > IVI_VLC_BITS)
-                return -1; /* invalid descriptor */
+                return AVERROR_INVALIDDATA; /* invalid descriptor */

            codewords[pos] = inv_bits((prefix | j), bits[pos]);
            if (!bits[pos])
@@ -100,10 +124,12 @@ void ff_ivi_init_static_vlc(void)
    for (i = 0; i < 8; i++) {
        ff_ivi_mb_vlc_tabs[i].table = table_data + i * 2 * 8192;
        ff_ivi_mb_vlc_tabs[i].table_allocated = 8192;
-        ff_ivi_create_huff_from_desc(&ff_ivi_mb_huff_desc[i],  &ff_ivi_mb_vlc_tabs[i],  1);
+        ff_ivi_create_huff_from_desc(&ff_ivi_mb_huff_desc[i],
+                                     &ff_ivi_mb_vlc_tabs[i],  1);
        ff_ivi_blk_vlc_tabs[i].table = table_data + (i * 2 + 1) * 8192;
        ff_ivi_blk_vlc_tabs[i].table_allocated = 8192;
-        ff_ivi_create_huff_from_desc(&ff_ivi_blk_huff_desc[i], &ff_ivi_blk_vlc_tabs[i], 1);
+        ff_ivi_create_huff_from_desc(&ff_ivi_blk_huff_desc[i],
+                                     &ff_ivi_blk_vlc_tabs[i], 1);
    }
    initialized_vlcs = 1;
 }
@@ -111,47 +137,48 @@ void ff_ivi_init_static_vlc(void)
 int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab,
                         IVIHuffTab *huff_tab, AVCodecContext *avctx)
 {
-    int         i, result;
+    int i, result;
    IVIHuffDesc new_huff;

    if (!desc_coded) {
        /* select default table */
        huff_tab->tab = (which_tab) ? &ff_ivi_blk_vlc_tabs[7]
-            : &ff_ivi_mb_vlc_tabs [7];
-    } else {
-        huff_tab->tab_sel = get_bits(gb, 3);
-        if (huff_tab->tab_sel == 7) {
-            /* custom huffman table (explicitly encoded) */
-            new_huff.num_rows = get_bits(gb, 4);
-            if (!new_huff.num_rows) {
-                av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n");
-                return AVERROR_INVALIDDATA;
-            }
+                                    : &ff_ivi_mb_vlc_tabs [7];
+        return 0;
+    }

-            for (i = 0; i < new_huff.num_rows; i++)
-                new_huff.xbits[i] = get_bits(gb, 4);
-
-            /* Have we got the same custom table? Rebuild if not. */
-            if (ff_ivi_huff_desc_cmp(&new_huff, &huff_tab->cust_desc)) {
-                ff_ivi_huff_desc_copy(&huff_tab->cust_desc, &new_huff);
-
-                if (huff_tab->cust_tab.table)
-                    ff_free_vlc(&huff_tab->cust_tab);
-                result = ff_ivi_create_huff_from_desc(&huff_tab->cust_desc,
-                        &huff_tab->cust_tab, 0);
-                if (result) {
-                    huff_tab->cust_desc.num_rows = 0; // reset faulty description
-                    av_log(avctx, AV_LOG_ERROR,
-                           "Error while initializing custom vlc table!\n");
-                    return result;
-                }
-            }
-            huff_tab->tab = &huff_tab->cust_tab;
-        } else {
-            /* select one of predefined tables */
-            huff_tab->tab = (which_tab) ? &ff_ivi_blk_vlc_tabs[huff_tab->tab_sel]
-                : &ff_ivi_mb_vlc_tabs [huff_tab->tab_sel];
+    huff_tab->tab_sel = get_bits(gb, 3);
+    if (huff_tab->tab_sel == 7) {
+        /* custom huffman table (explicitly encoded) */
+        new_huff.num_rows = get_bits(gb, 4);
+        if (!new_huff.num_rows) {
+            av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n");
+            return AVERROR_INVALIDDATA;
        }
+
+        for (i = 0; i < new_huff.num_rows; i++)
+            new_huff.xbits[i] = get_bits(gb, 4);
+
+        /* Have we got the same custom table? Rebuild if not. */
+        if (ff_ivi_huff_desc_cmp(&new_huff, &huff_tab->cust_desc)) {
+            ff_ivi_huff_desc_copy(&huff_tab->cust_desc, &new_huff);
+
+            if (huff_tab->cust_tab.table)
+                ff_free_vlc(&huff_tab->cust_tab);
+            result = ff_ivi_create_huff_from_desc(&huff_tab->cust_desc,
+                    &huff_tab->cust_tab, 0);
+            if (result) {
+                huff_tab->cust_desc.num_rows = 0; // reset faulty description
+                av_log(avctx, AV_LOG_ERROR,
+                       "Error while initializing custom vlc table!\n");
+                return result;
+            }
+        }
+        huff_tab->tab = &huff_tab->cust_tab;
+    } else {
+        /* select one of predefined tables */
+        huff_tab->tab = (which_tab) ? &ff_ivi_blk_vlc_tabs[huff_tab->tab_sel]
+                                    : &ff_ivi_mb_vlc_tabs [huff_tab->tab_sel];
    }

    return 0;
@@ -171,12 +198,17 @@ void ff_ivi_huff_desc_copy(IVIHuffDesc *dst, const IVIHuffDesc *src)

 int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
 {
-    int         p, b;
-    uint32_t    b_width, b_height, align_fac, width_aligned, height_aligned, buf_size;
+    int p, b;
+    uint32_t b_width, b_height, align_fac, width_aligned,
+             height_aligned, buf_size;
    IVIBandDesc *band;

    ff_ivi_free_buffers(planes);

+    if (cfg->pic_width < 1 || cfg->pic_height < 1 ||
+        cfg->luma_bands < 1 || cfg->chroma_bands < 1)
+        return AVERROR_INVALIDDATA;
+
    /* fill in the descriptor of the luminance plane */
    planes[0].width     = cfg->pic_width;
    planes[0].height    = cfg->pic_height;
@@ -195,8 +227,10 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
        /* select band dimensions: if there is only one band then it
         *  has the full size, if there are several bands each of them
         *  has only half size */
-        b_width  = planes[p].num_bands == 1 ? planes[p].width  : (planes[p].width  + 1) >> 1;
-        b_height = planes[p].num_bands == 1 ? planes[p].height : (planes[p].height + 1) >> 1;
+        b_width  = planes[p].num_bands == 1 ? planes[p].width
+                                            : (planes[p].width  + 1) >> 1;
+        b_height = planes[p].num_bands == 1 ? planes[p].height
+                                            : (planes[p].height + 1) >> 1;

        /* luma   band buffers will be aligned on 16x16 (max macroblock size) */
        /* chroma band buffers will be aligned on   8x8 (max macroblock size) */
@@ -224,8 +258,8 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
                if (!band->bufs[2])
                    return AVERROR(ENOMEM);
            }
-
-            planes[p].bands[0].blk_vlc.cust_desc.num_rows = 0; /* reset custom vlc */
+            /* reset custom vlc */
+            planes[p].bands[0].blk_vlc.cust_desc.num_rows = 0;
        }
    }

@@ -249,14 +283,51 @@ void av_cold ff_ivi_free_buffers(IVIPlaneDesc *planes)
            av_freep(&planes[p].bands[b].tiles);
        }
        av_freep(&planes[p].bands);
+        planes[p].num_bands = 0;
    }
 }

+static int ivi_init_tiles(IVIBandDesc *band, IVITile *ref_tile,
+                          int p, int b, int t_height, int t_width)
+{
+    int x, y;
+    IVITile *tile = band->tiles;
+
+    for (y = 0; y < band->height; y += t_height) {
+        for (x = 0; x < band->width; x += t_width) {
+            tile->xpos     = x;
+            tile->ypos     = y;
+            tile->mb_size  = band->mb_size;
+            tile->width    = FFMIN(band->width - x,  t_width);
+            tile->height   = FFMIN(band->height - y, t_height);
+            tile->is_empty = tile->data_size = 0;
+            /* calculate number of macroblocks */
+            tile->num_MBs  = IVI_MBs_PER_TILE(tile->width, tile->height,
+                                              band->mb_size);
+
+            av_freep(&tile->mbs);
+            tile->mbs = av_malloc(tile->num_MBs * sizeof(IVIMbInfo));
+            if (!tile->mbs)
+                return AVERROR(ENOMEM);
+
+            tile->ref_mbs = 0;
+            if (p || b) {
+                if (tile->num_MBs != ref_tile->num_MBs)
+                    return AVERROR_INVALIDDATA;
+                tile->ref_mbs = ref_tile->mbs;
+                ref_tile++;
+            }
+            tile++;
+        }
+    }
+
+    return 0;
+}
+
 int av_cold ff_ivi_init_tiles(IVIPlaneDesc *planes, int tile_width, int tile_height)
 {
-    int         p, b, x, y, x_tiles, y_tiles, t_width, t_height;
+    int         p, b, x_tiles, y_tiles, t_width, t_height, ret;
    IVIBandDesc *band;
-    IVITile     *tile, *ref_tile;

    for (p = 0; p < 3; p++) {
        t_width  = !p ? tile_width  : (tile_width  + 3) >> 2;
@@ -280,41 +351,14 @@ int av_cold ff_ivi_init_tiles(IVIPlaneDesc *planes, int tile_width, int tile_hei
            if (!band->tiles)
                return AVERROR(ENOMEM);

-            tile = band->tiles;
-
            /* use the first luma band as reference for motion vectors
             * and quant */
-            ref_tile = planes[0].bands[0].tiles;
-
-            for (y = 0; y < band->height; y += t_height) {
-                for (x = 0; x < band->width; x += t_width) {
-                    tile->xpos     = x;
-                    tile->ypos     = y;
-                    tile->mb_size  = band->mb_size;
-                    tile->width    = FFMIN(band->width - x,  t_width);
-                    tile->height   = FFMIN(band->height - y, t_height);
-                    tile->is_empty = tile->data_size = 0;
-                    /* calculate number of macroblocks */
-                    tile->num_MBs  = IVI_MBs_PER_TILE(tile->width, tile->height,
-                                                      band->mb_size);
-
-                    av_freep(&tile->mbs);
-                    tile->mbs = av_malloc(tile->num_MBs * sizeof(IVIMbInfo));
-                    if (!tile->mbs)
-                        return AVERROR(ENOMEM);
-
-                    tile->ref_mbs = 0;
-                    if (p || b) {
-                        tile->ref_mbs = ref_tile->mbs;
-                        ref_tile++;
-                    }
-
-                    tile++;
-                }
-            }
-
-        }// for b
-    }// for p
+            ret = ivi_init_tiles(band, planes[0].bands[0].tiles,
+                                 p, b, t_height, t_width);
+            if (ret < 0)
+                return ret;
+        }
+    }

    return 0;
 }
@@ -336,26 +380,125 @@ int ff_ivi_dec_tile_data_size(GetBitContext *gb)
    return len;
 }

+static int ivi_dc_transform(IVIBandDesc *band, int *prev_dc, int buf_offs,
+                            int blk_size)
+{
+    int buf_size = band->pitch * band->aheight - buf_offs;
+    int min_size = (blk_size - 1) * band->pitch + blk_size;
+
+    if (!band->dc_transform)
+        return 0;
+
+
+    if (min_size > buf_size)
+        return AVERROR_INVALIDDATA;
+
+    band->dc_transform(prev_dc, band->buf + buf_offs,
+                       band->pitch, blk_size);
+
+    return 0;
+}
+
+static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band,
+                                   ivi_mc_func mc, int mv_x, int mv_y,
+                                   int *prev_dc, int is_intra, int mc_type,
+                                   uint32_t quant, int offs)
+{
+    const uint16_t *base_tab  = is_intra ? band->intra_base : band->inter_base;
+    RVMapDesc *rvmap = band->rv_map;
+    uint8_t col_flags[8];
+    int32_t trvec[64];
+    uint32_t sym = 0, lo, hi, q;
+    int pos, run, val;
+    int blk_size   = band->blk_size;
+    int num_coeffs = blk_size * blk_size;
+    int col_mask   = blk_size - 1;
+    int scan_pos   = -1;
+    int min_size   = band->pitch * (band->transform_size - 1) +
+                     band->transform_size;
+    int buf_size   = band->pitch * band->aheight - offs;
+
+    if (min_size > buf_size)
+        return AVERROR_INVALIDDATA;
+
+    if (!band->scan)
+        return AVERROR_INVALIDDATA;
+
+    /* zero transform vector */
+    memset(trvec, 0, num_coeffs * sizeof(trvec[0]));
+    /* zero column flags */
+    memset(col_flags, 0, sizeof(col_flags));
+    while (scan_pos <= num_coeffs) {
+        sym = get_vlc2(gb, band->blk_vlc.tab->table,
+                       IVI_VLC_BITS, 1);
+        if (sym == rvmap->eob_sym)
+            break; /* End of block */
+
+        /* Escape - run/val explicitly coded using 3 vlc codes */
+        if (sym == rvmap->esc_sym) {
+            run = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1) + 1;
+            lo  = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1);
+            hi  = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1);
+            /* merge them and convert into signed val */
+            val = IVI_TOSIGNED((hi << 6) | lo);
+        } else {
+            if (sym >= 256U)
+                return AVERROR_INVALIDDATA;
+
+            run = rvmap->runtab[sym];
+            val = rvmap->valtab[sym];
+        }
+
+        /* de-zigzag and dequantize */
+        scan_pos += run;
+        if (scan_pos >= num_coeffs || scan_pos < 0)
+            break;
+        pos = band->scan[scan_pos];
+
+        q = (base_tab[pos] * quant) >> 9;
+        if (q > 1)
+            val = val * q + FFSIGN(val) * (((q ^ 1) - 1) >> 1);
+        trvec[pos] = val;
+        /* track columns containing non-zero coeffs */
+        col_flags[pos & col_mask] |= !!val;
+    }
+
+    if (scan_pos < 0 || scan_pos >= num_coeffs && sym != rvmap->eob_sym)
+        return AVERROR_INVALIDDATA; /* corrupt block data */
+
+    /* undoing DC coeff prediction for intra-blocks */
+    if (is_intra && band->is_2d_trans) {
+        *prev_dc     += trvec[0];
+        trvec[0]      = *prev_dc;
+        col_flags[0] |= !!*prev_dc;
+    }
+
+    /* apply inverse transform */
+    band->inv_transform(trvec, band->buf + offs,
+                        band->pitch, col_flags);
+
+    /* apply motion compensation */
+    if (!is_intra)
+        return ivi_mc(band, mc, offs, mv_x, mv_y, mc_type);
+
+    return 0;
+}
+
 int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
 {
-    int         mbn, blk, num_blocks, num_coeffs, blk_size, scan_pos, run, val,
-                pos, is_intra, mc_type, mv_x, mv_y, col_mask;
-    uint8_t     col_flags[8];
-    int32_t     prev_dc, trvec[64];
-    uint32_t    cbp, sym, lo, hi, quant, buf_offs, q;
-    IVIMbInfo   *mb;
-    RVMapDesc   *rvmap = band->rv_map;
-    void (*mc_with_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type);
-    void (*mc_no_delta_func)  (int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type);
-    const uint16_t  *base_tab;
-    const uint8_t   *scale_tab;
-
-    prev_dc = 0; /* init intra prediction for the DC coefficient */
+    int mbn, blk, num_blocks, blk_size, ret, is_intra, mc_type = 0;
+    int mv_x = 0, mv_y = 0;
+    int32_t prev_dc;
+    uint32_t cbp, quant, buf_offs;
+    IVIMbInfo *mb;
+    ivi_mc_func mc_with_delta_func, mc_no_delta_func;
+    const uint8_t *scale_tab;

+    /* init intra prediction for the DC coefficient */
+    prev_dc = 0;
    blk_size   = band->blk_size;
-    col_mask   = blk_size - 1; /* column mask for tracking non-zero coeffs */
-    num_blocks = (band->mb_size != blk_size) ? 4 : 1; /* number of blocks per mb */
-    num_coeffs = blk_size * blk_size;
+    /* number of blocks per mb */
+    num_blocks = (band->mb_size != blk_size) ? 4 : 1;
    if (blk_size == 8) {
        mc_with_delta_func = ff_ivi_mc_8x8_delta;
        mc_no_delta_func   = ff_ivi_mc_8x8_no_delta;
@@ -371,7 +514,6 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)

        quant = av_clip(band->glob_quant + mb->q_delta, 0, 23);

-        base_tab  = is_intra ? band->intra_base  : band->inter_base;
        scale_tab = is_intra ? band->intra_scale : band->inter_scale;
        if (scale_tab)
            quant = scale_tab[quant];
@@ -394,10 +536,10 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
                cx    = mb->mv_x &  band->is_halfpel;
                cy    = mb->mv_y &  band->is_halfpel;

-                if (   mb->xpos + dmv_x < 0
-                    || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
-                    || mb->ypos + dmv_y < 0
-                    || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+                if (mb->xpos + dmv_x < 0 ||
+                    mb->xpos + dmv_x + band->mb_size + cx > band->pitch ||
+                    mb->ypos + dmv_y < 0 ||
+                    mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
                    return AVERROR_INVALIDDATA;
                }
            }
@@ -413,81 +555,25 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
            }

            if (cbp & 1) { /* block coded ? */
-                if (!band->scan) {
-                    av_log(NULL, AV_LOG_ERROR, "Scan pattern is not set.\n");
-                    return AVERROR_INVALIDDATA;
-                }
-
-                scan_pos = -1;
-                memset(trvec, 0, num_coeffs*sizeof(trvec[0])); /* zero transform vector */
-                memset(col_flags, 0, sizeof(col_flags));      /* zero column flags */
-
-                while (scan_pos <= num_coeffs) {
-                    sym = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1);
-                    if (sym == rvmap->eob_sym)
-                        break; /* End of block */
-
-                    if (sym == rvmap->esc_sym) { /* Escape - run/val explicitly coded using 3 vlc codes */
-                        run = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1) + 1;
-                        lo  = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1);
-                        hi  = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1);
-                        val = IVI_TOSIGNED((hi << 6) | lo); /* merge them and convert into signed val */
-                    } else {
-                        if (sym >= 256U) {
-                            av_log(NULL, AV_LOG_ERROR, "Invalid sym encountered: %d.\n", sym);
-                            return -1;
-                        }
-                        run = rvmap->runtab[sym];
-                        val = rvmap->valtab[sym];
-                    }
-
-                    /* de-zigzag and dequantize */
-                    scan_pos += run;
-                    if (scan_pos >= num_coeffs)
-                        break;
-                    pos = band->scan[scan_pos];
-
-                    if (!val)
-                        av_dlog(NULL, "Val = 0 encountered!\n");
-
-                    q = (base_tab[pos] * quant) >> 9;
-                    if (q > 1)
-                        val = val * q + FFSIGN(val) * (((q ^ 1) - 1) >> 1);
-                    trvec[pos] = val;
-                    col_flags[pos & col_mask] |= !!val; /* track columns containing non-zero coeffs */
-                }// while
-
-                if (scan_pos >= num_coeffs && sym != rvmap->eob_sym)
-                    return -1; /* corrupt block data */
-
-                /* undoing DC coeff prediction for intra-blocks */
-                if (is_intra && band->is_2d_trans) {
-                    prev_dc      += trvec[0];
-                    trvec[0]      = prev_dc;
-                    col_flags[0] |= !!prev_dc;
-                }
-
-                /* apply inverse transform */
-                band->inv_transform(trvec, band->buf + buf_offs,
-                                    band->pitch, col_flags);
-
-                /* apply motion compensation */
-                if (!is_intra)
-                    mc_with_delta_func(band->buf + buf_offs,
-                                       band->ref_buf + buf_offs + mv_y * band->pitch + mv_x,
-                                       band->pitch, mc_type);
+                ret = ivi_decode_coded_blocks(gb, band, mc_with_delta_func,
+                                              mv_x, mv_y, &prev_dc, is_intra,
+                                              mc_type, quant, buf_offs);
+                if (ret < 0)
+                    return ret;
            } else {
                /* block not coded */
                /* for intra blocks apply the dc slant transform */
                /* for inter - perform the motion compensation without delta */
                if (is_intra) {
-                    if (band->dc_transform)
-                        band->dc_transform(&prev_dc, band->buf + buf_offs,
-                                           band->pitch, blk_size);
-                } else
-                    mc_no_delta_func(band->buf + buf_offs,
-                                     band->ref_buf + buf_offs + mv_y * band->pitch + mv_x,
-                                     band->pitch, mc_type);
+                    ret = ivi_dc_transform(band, &prev_dc, buf_offs, blk_size);
+                    if (ret < 0)
+                        return ret;
+                } else {
+                    ret = ivi_mc(band, mc_no_delta_func, buf_offs,
+                                 mv_x, mv_y, mc_type);
+                    if (ret < 0)
+                        return ret;
+                }
            }

            cbp >>= 1;
@@ -512,12 +598,11 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
                                  IVITile *tile, int32_t mv_scale)
 {
    int             x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type;
-    int             offs, mb_offset, row_offset;
+    int             offs, mb_offset, row_offset, ret;
    IVIMbInfo       *mb, *ref_mb;
    const int16_t   *src;
    int16_t         *dst;
-    void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch,
-                             int mc_type);
+    ivi_mc_func     mc_no_delta_func;

    if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) {
        av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches "
@@ -591,9 +676,10 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
            for (blk = 0; blk < num_blocks; blk++) {
                /* adjust block position in the buffer according with its number */
                offs = mb->buf_offs + band->blk_size * ((blk & 1) + !!(blk & 2) * band->pitch);
-                mc_no_delta_func(band->buf + offs,
-                                 band->ref_buf + offs + mv_y * band->pitch + mv_x,
-                                 band->pitch, mc_type);
+                ret = ivi_mc(band, mc_no_delta_func, offs,
+                             mv_x, mv_y, mc_type);
+                if (ret < 0)
+                    return ret;
            }
        }
    } else {
@@ -739,8 +825,16 @@ static int decode_band(IVI45DecContext *ctx, int plane_num,
                break;

            result = ff_ivi_decode_blocks(&ctx->gb, band, tile);
-            if (result < 0 || ((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) {
-                av_log(avctx, AV_LOG_ERROR, "Corrupted tile data encountered!\n");
+            if (result < 0) {
+                av_log(avctx, AV_LOG_ERROR,
+                       "Corrupted tile data encountered!\n");
+                break;
+            }
+
+            if (((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) {
+                av_log(avctx, AV_LOG_ERROR,
+                       "Tile data_size mismatch!\n");
+                result = AVERROR_INVALIDDATA;
                break;
            }

@@ -748,7 +842,8 @@ static int decode_band(IVI45DecContext *ctx, int plane_num,
        }
    }

-    /* restore the selected rvmap table by applying its corrections in reverse order */
+    /* restore the selected rvmap table by applying its corrections in
+     * reverse order */
    for (i = band->num_corr-1; i >= 0; i--) {
        idx1 = band->corr[i*2];
        idx2 = band->corr[i*2+1];
@@ -761,7 +856,8 @@ static int decode_band(IVI45DecContext *ctx, int plane_num,
        uint16_t chksum = ivi_calc_band_checksum(band);
        if (chksum != band->checksum) {
            av_log(avctx, AV_LOG_ERROR,
-                   "Band checksum mismatch! Plane %d, band %d, received: %x, calculated: %x\n",
+                   "Band checksum mismatch! Plane %d, band %d, "
+                   "received: %x, calculated: %x\n",
                   band->plane, band->band_num, band->checksum, chksum);
        }
    }
@@ -788,14 +884,19 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    if (result) {
        av_log(avctx, AV_LOG_ERROR,
               "Error while decoding picture header: %d\n", result);
-        return -1;
+        return result;
    }
    if (ctx->gop_invalid)
        return AVERROR_INVALIDDATA;

    if (ctx->gop_flags & IVI5_IS_PROTECTED) {
        av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n");
-        return -1;
+        return AVERROR_PATCHWELCOME;
+    }
+
+    if (!ctx->planes[0].bands) {
+        av_log(avctx, AV_LOG_ERROR, "Color planes not initialized yet\n");
+        return AVERROR_INVALIDDATA;
    }

    ctx->switch_buffers(ctx);
@@ -806,13 +907,21 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
        for (p = 0; p < 3; p++) {
            for (b = 0; b < ctx->planes[p].num_bands; b++) {
                result = decode_band(ctx, p, &ctx->planes[p].bands[b], avctx);
-                if (result) {
+                if (result < 0) {
                    av_log(avctx, AV_LOG_ERROR,
                           "Error while decoding band: %d, plane: %d\n", b, p);
-                    return -1;
+                    return result;
                }
            }
        }
+    } else {
+        if (ctx->is_scalable)
+            return AVERROR_INVALIDDATA;
+
+        for (p = 0; p < 3; p++) {
+            if (!ctx->planes[p].bands[0].buf)
+                return AVERROR_INVALIDDATA;
+        }
    }

    //STOP_TIMER("decode_planes"); }
@@ -820,7 +929,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    /* If the bidirectional mode is enabled, next I and the following P frame will */
    /* be sent together. Unfortunately the approach below seems to be the only way */
    /* to handle the B-frames mode. That's exactly the same Intel decoders do.     */
-    if (avctx->codec_id == CODEC_ID_INDEO4 && ctx->frame_type == 0/*FRAMETYPE_INTRA*/) {
+    if (avctx->codec_id == CODEC_ID_INDEO4 &&
+        ctx->frame_type == 0/*FRAMETYPE_INTRA*/) {
        while (get_bits(&ctx->gb, 8)); // skip version string
        skip_bits_long(&ctx->gb, 64);  // skip padding, TODO: implement correct 8-bytes alignment
        if (get_bits_left(&ctx->gb) > 18 && show_bits(&ctx->gb, 18) == 0x3FFF8)
--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -162,6 +162,7 @@ typedef struct {
    int             num_tiles;      ///< number of tiles in this band
    IVITile         *tiles;         ///< array of tile descriptors
    InvTransformPtr *inv_transform;
+    int             transform_size;
    DCTransformPtr  *dc_transform;
    int             is_2d_trans;    ///< 1 indicates that the two-dimensional inverse transform is used
    int32_t         checksum;       ///< for debug purposes
--- a/libavcodec/j2kdec.c
+++ b/libavcodec/j2kdec.c
@@ -28,6 +28,7 @@
 #include "avcodec.h"
 #include "bytestream.h"
 #include "j2k.h"
+#include "libavutil/avassert.h"
 #include "libavutil/common.h"

 #define JP2_SIG_TYPE    0x6A502020
@@ -289,6 +290,10 @@ static int get_cox(J2kDecoderContext *s, J2kCodingStyle *c)
     c->log2_cblk_width = bytestream_get_byte(&s->buf) + 2; // cblk width
    c->log2_cblk_height = bytestream_get_byte(&s->buf) + 2; // cblk height

+    if (c->log2_cblk_width > 6 || c->log2_cblk_height > 6) {
+        return AVERROR_PATCHWELCOME;
+    }
+
    c->cblk_style = bytestream_get_byte(&s->buf);
    if (c->cblk_style != 0){ // cblk style
        av_log(s->avctx, AV_LOG_WARNING, "extra cblk styles %X\n", c->cblk_style);
@@ -705,6 +710,9 @@ static int decode_cblk(J2kDecoderContext *s, J2kCodingStyle *codsty, J2kT1Contex
    int bpass_csty_symbol = J2K_CBLK_BYPASS & codsty->cblk_style;
    int vert_causal_ctx_csty_symbol = J2K_CBLK_VSC & codsty->cblk_style;

+    av_assert0(width  <= J2K_MAX_CBLKW);
+    av_assert0(height <= J2K_MAX_CBLKH);
+
    for (y = 0; y < height+2; y++)
        memset(t1->flags[y], 0, (width+2)*sizeof(int));

--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -71,13 +71,13 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
    case 2:
    case 3:
        av_log(s->avctx, AV_LOG_ERROR, "palette not supported\n");
-        return -1;
+        return AVERROR(ENOSYS);
    case 4:
        av_log(s->avctx, AV_LOG_ERROR, "oversize image not supported\n");
-        return -1;
+        return AVERROR(ENOSYS);
    default:
        av_log(s->avctx, AV_LOG_ERROR, "invalid id %d\n", id);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }
 //    av_log(s->avctx, AV_LOG_DEBUG, "ID=%i, T=%i,%i,%i\n", id, s->t1, s->t2, s->t3);

@@ -143,6 +143,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, int RI
        ret = ret >> 1;
    }

+    if(FFABS(ret) > 0xFFFF)
+        return -0x10000;
    /* update state */
    state->A[Q] += FFABS(ret) - RItype;
    ret *= state->twonear;
@@ -263,7 +265,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
    int i, t = 0;
    uint8_t *zero, *last, *cur;
    JLSState *state;
-    int off = 0, stride = 1, width, shift;
+    int off = 0, stride = 1, width, shift, ret = 0;

    zero = av_mallocz(s->picture.linesize[0]);
    last = zero;
@@ -289,6 +291,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
 //    av_log(s->avctx, AV_LOG_DEBUG, "JPEG-LS params: %ix%i NEAR=%i MV=%i T(%i,%i,%i) RESET=%i, LIMIT=%i, qbpp=%i, RANGE=%i\n",s->width,s->height,state->near,state->maxval,state->T1,state->T2,state->T3,state->reset,state->limit,state->qbpp, state->range);
 //    av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan);
    if(ilv == 0) { /* separate planes */
+        if (s->cur_scan > s->nb_components) {
+            ret = AVERROR_INVALIDDATA;
+            goto end;
+        }
        stride = (s->nb_components > 1) ? 3 : 1;
        off = av_clip(s->cur_scan - 1, 0, stride - 1);
        width = s->width * stride;
@@ -328,11 +334,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
            last = cur;
            cur += s->picture.linesize[0];
        }
-    } else if(ilv == 2) { /* sample interleaving */
+    } else if (ilv == 2) { /* sample interleaving */
        av_log(s->avctx, AV_LOG_ERROR, "Sample interleaved images are not supported.\n");
-        av_free(state);
-        av_free(zero);
-        return -1;
+        ret = AVERROR_PATCHWELCOME;
+        goto end;
    }

    if(shift){ /* we need to do point transform or normalize samples */
@@ -360,10 +365,12 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
            }
        }
    }
+
+end:
    av_free(state);
    av_free(zero);

-    return 0;
+    return ret;
 }


--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -29,6 +29,8 @@

 #include "avcodec.h"
 #include "bytestream.h"
+#include "internal.h"
+#include "libavutil/common.h"

 #define KMVC_KEYFRAME 0x80
 #define KMVC_PALETTE  0x40
@@ -46,7 +48,7 @@ typedef struct KmvcContext {
    int palsize;
    uint32_t pal[MAX_PALSIZE];
    uint8_t *cur, *prev;
-    uint8_t *frm0, *frm1;
+    uint8_t frm0[320 * 200], frm1[320 * 200];
    GetByteContext g;
 } KmvcContext;

@@ -55,7 +57,7 @@ typedef struct BitBuf {
    int bitbuf;
 } BitBuf;

-#define BLK(data, x, y)  data[(x) + (y) * 320]
+#define BLK(data, x, y)  data[av_clip((x) + (y) * 320, 0, 320 * 200 -1)]

 #define kmvc_init_getbits(bb, g)  bb.bits = 7; bb.bitbuf = bytestream2_get_byte(g);

@@ -367,8 +369,6 @@ static av_cold int decode_init(AVCodecContext * avctx)
        return -1;
    }

-    c->frm0 = av_mallocz(320 * 200);
-    c->frm1 = av_mallocz(320 * 200);
    c->cur = c->frm0;
    c->prev = c->frm1;

@@ -403,30 +403,12 @@ static av_cold int decode_init(AVCodecContext * avctx)
    return 0;
 }

-
-
-/*
- * Uninit kmvc decoder
- */
-static av_cold int decode_end(AVCodecContext * avctx)
-{
-    KmvcContext *const c = avctx->priv_data;
-
-    av_freep(&c->frm0);
-    av_freep(&c->frm1);
-    if (c->pic.data[0])
-        avctx->release_buffer(avctx, &c->pic);
-
-    return 0;
-}
-
 AVCodec ff_kmvc_decoder = {
    .name           = "kmvc",
    .type           = AVMEDIA_TYPE_VIDEO,
    .id             = CODEC_ID_KMVC,
    .priv_data_size = sizeof(KmvcContext),
    .init           = decode_init,
-    .close          = decode_end,
    .decode         = decode_frame,
    .capabilities   = CODEC_CAP_DR1,
    .long_name = NULL_IF_CONFIG_SMALL("Karl Morton's video codec"),
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -52,6 +52,7 @@ typedef struct LagarithContext {
    int zeros;                  /**< number of consecutive zero bytes encountered */
    int zeros_rem;              /**< number of zero bytes remaining to output */
    uint8_t *rgb_planes;
+    int      rgb_planes_allocated;
    int rgb_stride;
 } LagarithContext;

@@ -507,13 +508,12 @@ static int lag_decode_frame(AVCodecContext *avctx,
        offs[2] = 13;
        offs[3] = AV_RL32(buf + 9);

+        l->rgb_stride = FFALIGN(avctx->width, 16);
+        av_fast_malloc(&l->rgb_planes, &l->rgb_planes_allocated,
+                       l->rgb_stride * avctx->height * 4 + 1);
        if (!l->rgb_planes) {
-            l->rgb_stride = FFALIGN(avctx->width, 16);
-            l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * 4);
-            if (!l->rgb_planes) {
-                av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
-                return AVERROR(ENOMEM);
-            }
+            av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
+            return AVERROR(ENOMEM);
        }
        for (i = 0; i < 4; i++)
            srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride;
--- a/libavcodec/lagarithrac.h
+++ b/libavcodec/lagarithrac.h
@@ -107,6 +107,9 @@ static inline uint8_t lag_get_rac(lag_rac *l)
        l->range -= range_scaled * l->prob[255];
    }

+    if (!l->range)
+        l->range = 0x80;
+
    l->low -= range_scaled * l->prob[val];

    return val;
--- a/libavcodec/mace.c
+++ b/libavcodec/mace.c
@@ -231,8 +231,8 @@ static av_cold int mace_decode_init(AVCodecContext * avctx)
 {
    MACEContext *ctx = avctx->priv_data;

-    if (avctx->channels > 2)
-        return -1;
+    if (avctx->channels > 2 || avctx->channels < 1)
+        return AVERROR(EINVAL);
    avctx->sample_fmt = AV_SAMPLE_FMT_S16;

    avcodec_get_frame_defaults(&ctx->frame);
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -255,6 +255,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
    if (nb_components <= 0 ||
        nb_components > MAX_COMPONENTS)
        return -1;
+    if (s->interlaced && (s->bottom_field == !s->interlace_polarity)) {
+        if (nb_components != s->nb_components) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "nb_components changing in interlaced picture\n");
+            return AVERROR_INVALIDDATA;
+        }
+    }
    if (s->ls && !(s->bits <= 8 || nb_components == 1)) {
        av_log(s->avctx, AV_LOG_ERROR,
               "only <= 8 bits/component or 16-bit gray accepted for JPEG-LS\n");
@@ -276,6 +283,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
        s->quant_index[i] = get_bits(&s->gb, 8);
        if (s->quant_index[i] >= 4)
            return -1;
+        if (!s->h_count[i] || !s->v_count[i]) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "Invalid sampling factor in component %d %d:%d\n",
+                   i, s->h_count[i], s->v_count[i]);
+            return AVERROR_INVALIDDATA;
+        }
+
        av_log(s->avctx, AV_LOG_DEBUG, "component %d %d:%d id: %d quant:%d\n",
               i, s->h_count[i], s->v_count[i],
               s->component_id[i], s->quant_index[i]);
@@ -705,6 +719,12 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
    int resync_mb_y = 0;
    int resync_mb_x = 0;

+    if (s->nb_components != 3 && s->nb_components != 4)
+        return AVERROR_INVALIDDATA;
+    if (s->v_max != 1 || s->h_max != 1 || !s->lossless)
+        return AVERROR_INVALIDDATA;
+
+
    s->restart_count = s->restart_interval;

    av_fast_malloc(&s->ljpeg_buffer, &s->ljpeg_buffer_size,
@@ -783,10 +803,9 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
 }

 static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
-                                 int point_transform)
+                                 int point_transform, int nb_components)
 {
    int i, mb_x, mb_y;
-    const int nb_components=s->nb_components;
    int bits= (s->bits+7)&~7;
    int resync_mb_y = 0;
    int resync_mb_x = 0;
@@ -1085,8 +1104,14 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
    int last_scan = 0;
    int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]];

+
+    if (ss < 0  || ss >= 64 ||
+        se < ss || se >= 64 ||
+        Ah < 0  || Al < 0)
+        return AVERROR_INVALIDDATA;
+
    if (!Al) {
-        s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss);
+        s->coefs_finished[c] |= (2LL << se) - (1LL << ss);
        last_scan = !~s->coefs_finished[c];
    }

@@ -1226,7 +1251,8 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask,
                if (ljpeg_decode_rgb_scan(s, nb_components, predictor, point_transform) < 0)
                    return -1;
            } else {
-                if (ljpeg_decode_yuv_scan(s, predictor, point_transform) < 0)
+                if (ljpeg_decode_yuv_scan(s, predictor, point_transform,
+                                          nb_components))
                    return -1;
            }
        }
@@ -1597,6 +1623,12 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
            else if (start_code == COM)
                mjpeg_decode_com(s);

+            if (!CONFIG_JPEGLS_DECODER &&
+                (start_code == SOF48 || start_code == LSE)) {
+                av_log(avctx, AV_LOG_ERROR, "JPEG-LS support not enabled.\n");
+                return AVERROR(ENOSYS);
+            }
+
            switch (start_code) {
            case SOI:
                s->restart_interval = 0;
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -369,9 +369,10 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
    uint8_t checksum;
    uint8_t lossless_check;
    int start_count = get_bits_count(gbp);
-    const int max_matrix_channel = m->avctx->codec_id == CODEC_ID_MLP
-                                 ? MAX_MATRIX_CHANNEL_MLP
-                                 : MAX_MATRIX_CHANNEL_TRUEHD;
+    int min_channel, max_channel, max_matrix_channel;
+    const int std_max_matrix_channel = m->avctx->codec_id == CODEC_ID_MLP
+                                     ? MAX_MATRIX_CHANNEL_MLP
+                                     : MAX_MATRIX_CHANNEL_TRUEHD;

    sync_word = get_bits(gbp, 13);

@@ -390,18 +391,18 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,

    skip_bits(gbp, 16); /* Output timestamp */

-    s->min_channel        = get_bits(gbp, 4);
-    s->max_channel        = get_bits(gbp, 4);
-    s->max_matrix_channel = get_bits(gbp, 4);
+    min_channel        = get_bits(gbp, 4);
+    max_channel        = get_bits(gbp, 4);
+    max_matrix_channel = get_bits(gbp, 4);

-    if (s->max_matrix_channel > max_matrix_channel) {
+    if (max_matrix_channel > std_max_matrix_channel) {
        av_log(m->avctx, AV_LOG_ERROR,
               "Max matrix channel cannot be greater than %d.\n",
               max_matrix_channel);
        return AVERROR_INVALIDDATA;
    }

-    if (s->max_channel != s->max_matrix_channel) {
+    if (max_channel != max_matrix_channel) {
        av_log(m->avctx, AV_LOG_ERROR,
               "Max channel must be equal max matrix channel.\n");
        return AVERROR_INVALIDDATA;
@@ -416,15 +417,20 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
        return AVERROR_INVALIDDATA;
    }

-    if (s->min_channel > s->max_channel) {
+    if (min_channel > max_channel) {
        av_log(m->avctx, AV_LOG_ERROR,
               "Substream min channel cannot be greater than max channel.\n");
        return AVERROR_INVALIDDATA;
    }

-    if (m->avctx->request_channels > 0
-        && s->max_channel + 1 >= m->avctx->request_channels
-        && substr < m->max_decoded_substream) {
+
+    s->min_channel        = min_channel;
+    s->max_channel        = max_channel;
+    s->max_matrix_channel = max_matrix_channel;
+
+    if (m->avctx->request_channels > 0 &&
+        m->avctx->request_channels <= s->max_channel + 1 &&
+        m->max_decoded_substream > substr) {
        av_log(m->avctx, AV_LOG_DEBUG,
               "Extracting %d channel downmix from substream %d. "
               "Further substreams will be skipped.\n",
--- a/libavcodec/mpeg12.c
+++ b/libavcodec/mpeg12.c
@@ -83,6 +83,15 @@ static int mpeg_decode_motion(MpegEncContext *s, int fcode, int pred)
    return sign_extend(val, 5 + shift);
 }

+#define check_scantable_index(ctx, x)                                     \
+    do {                                                                  \
+        if ((x) > 63) {                                                   \
+            av_log(ctx->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", \
+                   ctx->mb_x, ctx->mb_y);                                 \
+            return AVERROR_INVALIDDATA;                                   \
+        }                                                                 \
+    } while (0)                                                           \
+
 static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, int n)
 {
    int level, dc, diff, i, j, run;
@@ -114,6 +123,7 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                break;
            } else if (level != 0) {
                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                level = (level * qscale * quant_matrix[j]) >> 4;
                level = (level - 1) | 1;
@@ -130,6 +140,7 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                    level = SHOW_UBITS(re, &s->gb, 8)      ; LAST_SKIP_BITS(re, &s->gb, 8);
                }
                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                if (level < 0) {
                    level = -level;
@@ -141,10 +152,6 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                    level = (level - 1) | 1;
                }
            }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }

            block[j] = level;
        }
@@ -264,6 +271,7 @@ static inline int mpeg1_fast_decode_block_inter(MpegEncContext *s, DCTELEM *bloc

            if (level != 0) {
                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                level = ((level * 2 + 1) * qscale) >> 1;
                level = (level - 1) | 1;
@@ -280,6 +288,7 @@ static inline int mpeg1_fast_decode_block_inter(MpegEncContext *s, DCTELEM *bloc
                    level = SHOW_UBITS(re, &s->gb, 8)      ; SKIP_BITS(re, &s->gb, 8);
                }
                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                if (level < 0) {
                    level = -level;
@@ -345,6 +354,7 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block

            if (level != 0) {
                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                level = ((level * 2 + 1) * qscale * quant_matrix[j]) >> 5;
                level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
@@ -356,6 +366,7 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block
                level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);

                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                if (level < 0) {
                    level = ((-level * 2 + 1) * qscale * quant_matrix[j]) >> 5;
@@ -364,10 +375,6 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block
                    level = ((level * 2 + 1) * qscale * quant_matrix[j]) >> 5;
                }
            }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }

            mismatch ^= level;
            block[j]  = level;
@@ -414,6 +421,7 @@ static inline int mpeg2_fast_decode_block_non_intra(MpegEncContext *s,

        if (level != 0) {
            i += run;
+            check_scantable_index(s, i);
            j  = scantable[i];
            level = ((level * 2 + 1) * qscale) >> 1;
            level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
@@ -425,6 +433,7 @@ static inline int mpeg2_fast_decode_block_non_intra(MpegEncContext *s,
            level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);

            i += run;
+            check_scantable_index(s, i);
            j  = scantable[i];
            if (level < 0) {
                level = ((-level * 2 + 1) * qscale) >> 1;
@@ -491,6 +500,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                break;
            } else if (level != 0) {
                i += run;
+                check_scantable_index(s, i);
                j  = scantable[i];
                level = (level * qscale * quant_matrix[j]) >> 4;
                level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
@@ -501,6 +511,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                UPDATE_CACHE(re, &s->gb);
                level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);
                i += run;
+                check_scantable_index(s, i);
                j  = scantable[i];
                if (level < 0) {
                    level = (-level * qscale * quant_matrix[j]) >> 4;
@@ -509,10 +520,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                    level = (level * qscale * quant_matrix[j]) >> 4;
                }
            }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }

            mismatch ^= level;
            block[j]  = level;
@@ -527,10 +534,10 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in

 static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *block, int n)
 {
-    int level, dc, diff, j, run;
+    int level, dc, diff, i, j, run;
    int component;
    RLTable *rl;
-    uint8_t * scantable = s->intra_scantable.permutated;
+    uint8_t * const scantable = s->intra_scantable.permutated;
    const uint16_t *quant_matrix;
    const int qscale = s->qscale;

@@ -549,6 +556,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
    dc += diff;
    s->last_dc[component] = dc;
    block[0] = dc << (3 - s->intra_dc_precision);
+    i = 0;
    if (s->intra_vlc_format)
        rl = &ff_rl_mpeg2;
    else
@@ -564,8 +572,9 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
            if (level == 127) {
                break;
            } else if (level != 0) {
-                scantable += run;
-                j = *scantable;
+                i += run;
+                check_scantable_index(s, i);
+                j  = scantable[i];
                level = (level * qscale * quant_matrix[j]) >> 4;
                level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
                LAST_SKIP_BITS(re, &s->gb, 1);
@@ -574,8 +583,9 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
                run = SHOW_UBITS(re, &s->gb, 6) + 1; LAST_SKIP_BITS(re, &s->gb, 6);
                UPDATE_CACHE(re, &s->gb);
                level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);
-                scantable += run;
-                j = *scantable;
+                i += run;
+                check_scantable_index(s, i);
+                j  = scantable[i];
                if (level < 0) {
                    level = (-level * qscale * quant_matrix[j]) >> 4;
                    level = -level;
@@ -589,7 +599,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
        CLOSE_READER(re, &s->gb);
    }

-    s->block_last_index[n] = scantable - s->intra_scantable.permutated;
+    s->block_last_index[n] = i;
    return 0;
 }

@@ -1250,7 +1260,7 @@ static int mpeg_decode_postinit(AVCodecContext *avctx)
        s1->save_width           != s->width                ||
        s1->save_height          != s->height               ||
        s1->save_aspect_info     != s->aspect_ratio_info    ||
-        s1->save_progressive_seq != s->progressive_sequence ||
+        (s1->save_progressive_seq != s->progressive_sequence && (s->height&31)) ||
        0)
    {

--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -160,7 +160,7 @@ static inline int mpeg4_is_resync(MpegEncContext *s){
    return 0;
 }

-static int mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb)
+static int mpeg4_decode_sprite_trajectory(MpegEncContext *s, GetBitContext *gb)
 {
    int i;
    int a= 2<<s->sprite_warping_accuracy;
@@ -176,8 +176,8 @@ static int mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb)
    int h= s->height;
    int min_ab;

-    if(w<=0 || h<=0)
-        return -1;
+    if (w <= 0 || h <= 0)
+        return AVERROR_INVALIDDATA;

    for(i=0; i<s->num_sprite_warping_points; i++){
        int length;
@@ -415,8 +415,8 @@ int mpeg4_decode_video_packet_header(MpegEncContext *s)
            skip_bits(&s->gb, 3); /* intra dc vlc threshold */
 //FIXME don't just ignore everything
            if(s->pict_type == AV_PICTURE_TYPE_S && s->vol_sprite_usage==GMC_SPRITE){
-                if(mpeg4_decode_sprite_trajectory(s, &s->gb) < 0)
-                    return -1;
+                if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0)
+                    return AVERROR_INVALIDDATA;
                av_log(s->avctx, AV_LOG_ERROR, "untested\n");
            }

@@ -2056,8 +2056,8 @@ static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){
     }

     if(s->pict_type == AV_PICTURE_TYPE_S && (s->vol_sprite_usage==STATIC_SPRITE || s->vol_sprite_usage==GMC_SPRITE)){
-         if(mpeg4_decode_sprite_trajectory(s, gb) < 0)
-             return -1;
+         if (mpeg4_decode_sprite_trajectory(s, gb) < 0)
+             return AVERROR_INVALIDDATA;
         if(s->sprite_brightness_change) av_log(s->avctx, AV_LOG_ERROR, "sprite_brightness_change not supported\n");
         if(s->vol_sprite_usage==STATIC_SPRITE) av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n");
     }
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1941,7 +1941,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,

        avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header);

-        if (ch + m->nb_channels > avctx->channels) {
+        if (ch + m->nb_channels > avctx->channels ||
+            s->coff[fr] + m->nb_channels > avctx->channels) {
            av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec "
                                        "channel count\n");
            return AVERROR_INVALIDDATA;
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -1237,8 +1237,13 @@ int MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx)
            i = ff_find_unused_picture(s, 0);
            if (i < 0)
                return i;
-            s->last_picture_ptr= &s->picture[i];
+
+            s->last_picture_ptr = &s->picture[i];
+
+            s->last_picture_ptr->f.reference   = 3;
            s->last_picture_ptr->f.key_frame = 0;
+            s->last_picture_ptr->f.pict_type = AV_PICTURE_TYPE_P;
+
            if (ff_alloc_picture(s, s->last_picture_ptr, 0) < 0)
                return -1;

@@ -1259,8 +1264,13 @@ int MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx)
            i = ff_find_unused_picture(s, 0);
            if (i < 0)
                return i;
-            s->next_picture_ptr= &s->picture[i];
+
+            s->next_picture_ptr = &s->picture[i];
+
+            s->next_picture_ptr->f.reference   = 3;
            s->next_picture_ptr->f.key_frame = 0;
+            s->next_picture_ptr->f.pict_type = AV_PICTURE_TYPE_P;
+
            if (ff_alloc_picture(s, s->next_picture_ptr, 0) < 0)
                return -1;
            ff_thread_report_progress((AVFrame *) s->next_picture_ptr,
--- a/libavcodec/mpegvideo_common.h
+++ b/libavcodec/mpegvideo_common.h
@@ -244,7 +244,8 @@ void mpeg_motion_internal(MpegEncContext *s,
 {
    uint8_t *ptr_y, *ptr_cb, *ptr_cr;
    int dxy, uvdxy, mx, my, src_x, src_y,
-        uvsrc_x, uvsrc_y, v_edge_pos, uvlinesize, linesize;
+        uvsrc_x, uvsrc_y, v_edge_pos;
+    emuedge_linesize_type uvlinesize, linesize;

 #if 0
 if(s->quarter_sample)
--- a/libavcodec/msrle.c
+++ b/libavcodec/msrle.c
@@ -35,6 +35,7 @@
 #include "avcodec.h"
 #include "dsputil.h"
 #include "msrledec.h"
+#include "libavutil/imgutils.h"

 typedef struct MsrleContext {
    AVCodecContext *avctx;
@@ -108,7 +109,7 @@ static int msrle_decode_frame(AVCodecContext *avctx,

    /* FIXME how to correctly detect RLE ??? */
    if (avctx->height * istride == avpkt->size) { /* assume uncompressed */
-        int linesize = (avctx->width * avctx->bits_per_coded_sample + 7) / 8;
+        int linesize = av_image_get_linesize(avctx->pix_fmt, avctx->width, 0);
        uint8_t *ptr = s->frame.data[0];
        uint8_t *buf = avpkt->data + (avctx->height-1)*istride;
        int i, j;
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -85,7 +85,7 @@ static int get_quant(AVCodecContext *avctx, NuvContext *c,
    int i;
    if (size < 2 * 64 * 4) {
        av_log(avctx, AV_LOG_ERROR, "insufficient rtjpeg quant data\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }
    for (i = 0; i < 64; i++, buf += 4)
        c->lq[i] = AV_RL32(buf);
@@ -108,6 +108,8 @@ static void get_quant_quality(NuvContext *c, int quality) {

 static int codec_reinit(AVCodecContext *avctx, int width, int height, int quality) {
    NuvContext *c = avctx->priv_data;
+    int ret;
+
    width  = FFALIGN(width,  2);
    height = FFALIGN(height, 2);
    if (quality >= 0)
@@ -115,12 +117,14 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, int qualit
    if (width != c->width || height != c->height) {
        // also reserve space for a possible additional header
        int buf_size = 24 + height * width * 3 / 2 + AV_LZO_OUTPUT_PADDING;
-        if (av_image_check_size(height, width, 0, avctx) < 0 ||
-            buf_size > INT_MAX/8)
+        if (buf_size > INT_MAX/8)
            return -1;
+        if ((ret = av_image_check_size(height, width, 0, avctx)) < 0)
+            return ret;
        avctx->width = c->width = width;
        avctx->height = c->height = height;
-        av_fast_malloc(&c->decomp_buf, &c->decomp_size, buf_size);
+        av_fast_malloc(&c->decomp_buf, &c->decomp_size,
+                       buf_size);
        if (!c->decomp_buf) {
            av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
            return AVERROR(ENOMEM);
@@ -142,13 +146,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    int keyframe;
    int size_change = 0;
    int result;
+    int ret;
    enum {NUV_UNCOMPRESSED = '0', NUV_RTJPEG = '1',
          NUV_RTJPEG_IN_LZO = '2', NUV_LZO = '3',
          NUV_BLACK = 'N', NUV_COPY_LAST = 'L'} comptype;

    if (buf_size < 12) {
        av_log(avctx, AV_LOG_ERROR, "coded frame too small\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    // codec data (rtjpeg quant tables)
@@ -166,7 +171,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,

    if (buf[0] != 'V' || buf_size < 12) {
        av_log(avctx, AV_LOG_ERROR, "not a nuv video frame\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }
    comptype = buf[1];
    switch (comptype) {
@@ -183,14 +188,17 @@ retry:
    buf = &buf[12];
    buf_size -= 12;
    if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) {
-        int outlen = c->decomp_size - AV_LZO_OUTPUT_PADDING, inlen = buf_size;
-        if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen))
+        int outlen = c->decomp_size - FFMAX(FF_INPUT_BUFFER_PADDING_SIZE, AV_LZO_OUTPUT_PADDING);
+        int inlen  = buf_size;
+        if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) {
            av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
+            return AVERROR_INVALIDDATA;
+        }
        buf = c->decomp_buf;
-        buf_size = c->decomp_size - AV_LZO_OUTPUT_PADDING - outlen;
+        buf_size = c->decomp_size - FFMAX(FF_INPUT_BUFFER_PADDING_SIZE, AV_LZO_OUTPUT_PADDING) - outlen;
    }
    if (c->codec_frameheader) {
-        int w, h, q, res;
+        int w, h, q;
        if (buf_size < RTJPEG_HEADER_SIZE || buf[4] != RTJPEG_HEADER_SIZE ||
            buf[5] != RTJPEG_FILE_VERSION) {
            av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n");
@@ -199,11 +207,10 @@ retry:
        w = AV_RL16(&buf[6]);
        h = AV_RL16(&buf[8]);
        q = buf[10];
+        if ((result = codec_reinit(avctx, w, h, q)) < 0)
+            return result;

-        res = codec_reinit(avctx, w, h, q);
-        if (res < 0)
-            return res;
-        if (res) {
+        if (result) {
            buf = avpkt->data;
            buf_size = avpkt->size;
            size_change = 1;
@@ -221,7 +228,7 @@ retry:
    result = avctx->reget_buffer(avctx, &c->pic);
    if (result < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
-        return -1;
+        return result;
    }

    c->pic.pict_type = keyframe ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P;
@@ -240,7 +247,9 @@ retry:
        }
        case NUV_RTJPEG_IN_LZO:
        case NUV_RTJPEG: {
-            rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size);
+            ret = rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size);
+            if (ret < 0)
+                return ret;
            break;
        }
        case NUV_BLACK: {
@@ -255,7 +264,7 @@ retry:
        }
        default:
            av_log(avctx, AV_LOG_ERROR, "unknown compression\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
    }

    *picture = c->pic;
@@ -265,6 +274,8 @@ retry:

 static av_cold int decode_init(AVCodecContext *avctx) {
    NuvContext *c = avctx->priv_data;
+    int ret;
+
    avctx->pix_fmt = PIX_FMT_YUV420P;
    c->pic.data[0] = NULL;
    c->decomp_buf = NULL;
@@ -275,8 +286,9 @@ static av_cold int decode_init(AVCodecContext *avctx) {
    if (avctx->extradata_size)
        get_quant(avctx, c, avctx->extradata, avctx->extradata_size);
    dsputil_init(&c->dsp, avctx);
-    if (codec_reinit(avctx, avctx->width, avctx->height, -1) < 0)
-        return 1;
+    if ((ret = codec_reinit(avctx, avctx->width, avctx->height, -1)) < 0)
+        return ret;
+
    return 0;
 }

--- a/libavcodec/parser.c
+++ b/libavcodec/parser.c
@@ -241,8 +241,10 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
    if(next == END_NOT_FOUND){
        void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);

-        if(!new_buffer)
+        if(!new_buffer) {
+            pc->index = 0;
            return AVERROR(ENOMEM);
+        }
        pc->buffer = new_buffer;
        memcpy(&pc->buffer[pc->index], *buf, *buf_size);
        pc->index += *buf_size;
@@ -255,9 +257,11 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
    /* append to buffer */
    if(pc->index){
        void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
-
-        if(!new_buffer)
+        if(!new_buffer) {
+            pc->overread_index =
+            pc->index = 0;
            return AVERROR(ENOMEM);
+        }
        pc->buffer = new_buffer;
        if (next > -FF_INPUT_BUFFER_PADDING_SIZE)
            memcpy(&pc->buffer[pc->index], *buf,
--- a/libavcodec/pcm.c
+++ b/libavcodec/pcm.c
@@ -268,7 +268,7 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data,

    /* av_get_bits_per_sample returns 0 for CODEC_ID_PCM_DVD */
    samples_per_block = 1;
-    if (CODEC_ID_PCM_DVD == avctx->codec_id) {
+    if (avctx->codec->id == CODEC_ID_PCM_DVD) {
        if (avctx->bits_per_coded_sample != 20 &&
            avctx->bits_per_coded_sample != 24) {
            av_log(avctx, AV_LOG_ERROR,
--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
@@ -43,16 +43,19 @@ static av_cold int pcx_init(AVCodecContext *avctx) {
 /**
 * @return advanced src pointer
 */
-static const uint8_t *pcx_rle_decode(const uint8_t *src, uint8_t *dst,
-                            unsigned int bytes_per_scanline, int compressed) {
+static const uint8_t *pcx_rle_decode(const uint8_t *src,
+                                     const uint8_t *end,
+                                     uint8_t *dst,
+                                     unsigned int bytes_per_scanline,
+                                     int compressed) {
    unsigned int i = 0;
    unsigned char run, value;

    if (compressed) {
-        while (i<bytes_per_scanline) {
+        while (i < bytes_per_scanline && src < end) {
            run = 1;
            value = *src++;
-            if (value >= 0xc0) {
+            if (value >= 0xc0 && src < end) {
                run = value & 0x3f;
                value = *src++;
            }
@@ -87,6 +90,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    unsigned int w, h, bits_per_pixel, bytes_per_line, nplanes, stride, y, x,
                 bytes_per_scanline;
    uint8_t *ptr;
+    const uint8_t *buf_end = buf + buf_size;
    uint8_t const *bufstart = buf;
    uint8_t *scanline;
    int ret = -1;
@@ -115,7 +119,8 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    nplanes            = buf[65];
    bytes_per_scanline = nplanes * bytes_per_line;

-    if (bytes_per_scanline < w * bits_per_pixel * nplanes / 8) {
+    if (bytes_per_scanline < w * bits_per_pixel * nplanes / 8 ||
+        (!compressed && bytes_per_scanline > buf_size / h)) {
        av_log(avctx, AV_LOG_ERROR, "PCX data is corrupted\n");
        return -1;
    }
@@ -163,7 +168,8 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,

    if (nplanes == 3 && bits_per_pixel == 8) {
        for (y=0; y<h; y++) {
-            buf = pcx_rle_decode(buf, scanline, bytes_per_scanline, compressed);
+            buf = pcx_rle_decode(buf, buf_end,
+                                 scanline, bytes_per_scanline, compressed);

            for (x=0; x<w; x++) {
                ptr[3*x  ] = scanline[x                    ];
@@ -177,8 +183,15 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    } else if (nplanes == 1 && bits_per_pixel == 8) {
        const uint8_t *palstart = bufstart + buf_size - 769;

-        for (y=0; y<h; y++, ptr+=stride) {
-            buf = pcx_rle_decode(buf, scanline, bytes_per_scanline, compressed);
+        if (buf_size < 769) {
+            av_log(avctx, AV_LOG_ERROR, "File is too short\n");
+            ret = buf_size;
+            goto end;
+        }
+
+        for (y = 0; y < h; y++, ptr += stride) {
+            buf = pcx_rle_decode(buf, buf_end,
+                                 scanline, bytes_per_scanline, compressed);
            memcpy(ptr, scanline, w);
        }

@@ -188,6 +201,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
        }
        if (*buf++ != 12) {
            av_log(avctx, AV_LOG_ERROR, "expected palette after image data\n");
+            ret = buf_size;
            goto end;
        }

@@ -197,7 +211,8 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
        for (y=0; y<h; y++) {
            init_get_bits(&s, scanline, bytes_per_scanline<<3);

-            buf = pcx_rle_decode(buf, scanline, bytes_per_scanline, compressed);
+            buf = pcx_rle_decode(buf, buf_end,
+                                 scanline, bytes_per_scanline, compressed);

            for (x=0; x<w; x++)
                ptr[x] = get_bits(&s, bits_per_pixel);
@@ -208,7 +223,8 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
        int i;

        for (y=0; y<h; y++) {
-            buf = pcx_rle_decode(buf, scanline, bytes_per_scanline, compressed);
+            buf = pcx_rle_decode(buf, buf_end,
+                                 scanline, bytes_per_scanline, compressed);

            for (x=0; x<w; x++) {
                int m = 0x80 >> (x&7), v = 0;
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -235,6 +235,8 @@ static int decode_frame(AVCodecContext *avctx,

                if (bits_per_plane == 8) {
                    picmemset_8bpp(s, val, run, &x, &y);
+                    if (y < 0)
+                        goto finish;
                } else {
                    picmemset(s, val, run, &x, &y, &plane, bits_per_plane);
                }
@@ -247,6 +249,7 @@ static int decode_frame(AVCodecContext *avctx,
            y--;
        }
    }
+finish:

    *data_size = sizeof(AVFrame);
    *(AVFrame*)data = s->frame;
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -121,7 +121,7 @@ static void png_put_interlaced_row(uint8_t *dst, int width,
 static void add_bytes_l2_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w)
 {
    long i;
-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
        long a = *(long*)(src1+i);
        long b = *(long*)(src2+i);
        *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -378,6 +378,10 @@ static int png_decode_idat(PNGDecContext *s, int length)
            s->zstream.avail_out = s->crow_size;
            s->zstream.next_out = s->crow_buf;
        }
+        if (ret == Z_STREAM_END && s->zstream.avail_in > 0) {
+            av_log(NULL, AV_LOG_WARNING, "%d undecompressed bytes left in buffer\n", s->zstream.avail_in);
+            return 0;
+        }
    }
    return 0;
 }
--- a/libavcodec/ppc/h264_altivec.c
+++ b/libavcodec/ppc/h264_altivec.c
@@ -1004,7 +1004,7 @@ void ff_h264dsp_init_ppc(H264DSPContext *c, const int bit_depth, const int chrom
    if (av_get_cpu_flags() & AV_CPU_FLAG_ALTIVEC) {
    if (bit_depth == 8) {
        c->h264_idct_add = ff_h264_idct_add_altivec;
-        if (chroma_format_idc == 1)
+        if (chroma_format_idc <= 1)
            c->h264_idct_add8 = ff_h264_idct_add8_altivec;
        c->h264_idct_add16 = ff_h264_idct_add16_altivec;
        c->h264_idct_add16intra = ff_h264_idct_add16intra_altivec;
--- a/libavcodec/proresdec_lgpl.c
+++ b/libavcodec/proresdec_lgpl.c
@@ -186,6 +186,8 @@ static int decode_frame_header(ProresContext *ctx, const uint8_t *buf,
    if (ctx->frame_type) {      /* if interlaced */
        ctx->picture.interlaced_frame = 1;
        ctx->picture.top_field_first  = ctx->frame_type & 1;
+    } else {
+        ctx->picture.interlaced_frame = 0;
    }

    ctx->alpha_info = buf[17] & 0xf;
--- a/libavcodec/pthread.c
+++ b/libavcodec/pthread.c
@@ -78,8 +78,8 @@ typedef struct ThreadContext {
    pthread_cond_t last_job_cond;
    pthread_cond_t current_job_cond;
    pthread_mutex_t current_job_lock;
+    unsigned current_execute;
    int current_job;
-    unsigned int current_execute;
    int done;
 } ThreadContext;

@@ -203,8 +203,8 @@ static void* attribute_align_arg worker(void *v)
 {
    AVCodecContext *avctx = v;
    ThreadContext *c = avctx->thread_opaque;
+    unsigned last_execute = 0;
    int our_job = c->job_count;
-    int last_execute = 0;
    int thread_count = avctx->thread_count;
    int self_id;

--- a/libavcodec/put_bits.h
+++ b/libavcodec/put_bits.h
@@ -72,6 +72,14 @@ static inline int put_bits_count(PutBitContext *s)
    return (s->buf_ptr - s->buf) * 8 + 32 - s->bit_left;
 }

+/**
+ * @return the number of bits available in the bitstream.
+ */
+static inline int put_bits_left(PutBitContext* s)
+{
+    return (s->buf_end - s->buf_ptr) * 8 - 32 + s->bit_left;
+}
+
 /**
 * Pad the end of the output stream with zeros.
 */
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -498,7 +498,8 @@ static void build_sb_samples_from_noise (QDM2Context *q, int sb)
 * @param channels         number of channels
 * @param coding_method    q->coding_method[0][0][0]
 */
-static void fix_coding_method_array (int sb, int channels, sb_int8_array coding_method)
+static int fix_coding_method_array(int sb, int channels,
+                                   sb_int8_array coding_method)
 {
    int j,k;
    int ch;
@@ -507,8 +508,10 @@ static void fix_coding_method_array (int sb, int channels, sb_int8_array coding_

    for (ch = 0; ch < channels; ch++) {
        for (j = 0; j < 64; ) {
-            if((coding_method[ch][sb][j] - 8) > 22) {
-                run = 1;
+            if (coding_method[ch][sb][j] < 8)
+                return -1;
+            if ((coding_method[ch][sb][j] - 8) > 22) {
+                run      = 1;
                case_val = 8;
            } else {
                switch (switchtable[coding_method[ch][sb][j]-8]) {
@@ -533,6 +536,7 @@ static void fix_coding_method_array (int sb, int channels, sb_int8_array coding_
            j += run;
        }
    }
+    return 0;
 }


@@ -769,7 +773,7 @@ static void fill_coding_method_array (sb_int8_array tone_level_idx, sb_int8_arra
 static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max)
 {
    int sb, j, k, n, ch, run, channels;
-    int joined_stereo, zero_encoding, chs;
+    int joined_stereo, zero_encoding;
    int type34_first;
    float type34_div = 0;
    float type34_predictor;
@@ -784,8 +788,6 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
    }

    for (sb = sb_min; sb < sb_max; sb++) {
-        FIX_NOISE_IDX(q->noise_idx);
-
        channels = q->nb_channels;

        if (q->nb_channels <= 1 || sb < 12)
@@ -804,11 +806,16 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
                if (q->coding_method[1][sb][j] > q->coding_method[0][sb][j])
                    q->coding_method[0][sb][j] = q->coding_method[1][sb][j];

-            fix_coding_method_array(sb, q->nb_channels, q->coding_method);
+            if (fix_coding_method_array(sb, q->nb_channels,
+                                            q->coding_method)) {
+                build_sb_samples_from_noise(q, sb);
+                continue;
+            }
            channels = 1;
        }

        for (ch = 0; ch < channels; ch++) {
+            FIX_NOISE_IDX(q->noise_idx);
            zero_encoding = (BITS_LEFT(length,gb) >= 1) ? get_bits1(gb) : 0;
            type34_predictor = 0.0;
            type34_first = 1;
@@ -924,16 +931,18 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
                }

                if (joined_stereo) {
-                    float tmp[10][MPA_MAX_CHANNELS];
-
-                    for (k = 0; k < run; k++) {
-                        tmp[k][0] = samples[k];
-                        tmp[k][1] = (sign_bits[(j + k) / 8]) ? -samples[k] : samples[k];
+                    for (k = 0; k < run && j + k < 128; k++) {
+                        q->sb_samples[0][j + k][sb] =
+                            q->tone_level[0][sb][(j + k) / 2] * samples[k];
+                        if (q->nb_channels == 2) {
+                            if (sign_bits[(j + k) / 8])
+                                q->sb_samples[1][j + k][sb] =
+                                    q->tone_level[1][sb][(j + k) / 2] * -samples[k];
+                            else
+                                q->sb_samples[1][j + k][sb] =
+                                    q->tone_level[1][sb][(j + k) / 2] * samples[k];
+                        }
                    }
-                    for (chs = 0; chs < q->nb_channels; chs++)
-                        for (k = 0; k < run; k++)
-                            if ((j + k) < 128)
-                                q->sb_samples[chs][j + k][sb] = q->tone_level[chs][sb][((j + k)/2)] * tmp[k][chs];
                } else {
                    for (k = 0; k < run; k++)
                        if ((j + k) < 128)
@@ -1241,6 +1250,11 @@ static void qdm2_decode_super_block (QDM2Context *q)
    for (i = 0; packet_bytes > 0; i++) {
        int j;

+        if (i >= FF_ARRAY_ELEMS(q->sub_packet_list_A)) {
+            SAMPLES_NEEDED_2("too many packet bytes");
+            return;
+        }
+
        q->sub_packet_list_A[i].next = NULL;

        if (i > 0) {
@@ -1882,6 +1896,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
        av_log(avctx, AV_LOG_ERROR, "Unknown FFT order (%d), contact the developers!\n", s->fft_order);
        return -1;
    }
+    if (s->fft_size != (1 << (s->fft_order - 1))) {
+        av_log(avctx, AV_LOG_ERROR, "FFT size %d not power of 2.\n", s->fft_size);
+        return AVERROR_INVALIDDATA;
+    }

    ff_rdft_init(&s->rdft_ctx, s->fft_order, IDFT_C2R);
    ff_mpadsp_init(&s->mpadsp);
--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@@ -203,7 +203,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
                    filled = 0;
                    dst -= stride;
                    height--;
-                    if(height < 0)
+                    if (height < 0)
                        break;
                }
            }
@@ -216,7 +216,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
                    filled = 0;
                    dst -= stride;
                    height--;
-                    if(height < 0)
+                    if (height < 0)
                        break;
                }
            }
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -77,7 +77,7 @@ static void qtrle_decode_1bpp(QtrleContext *s, int stream_ptr, int row_ptr, int
     * line' at the beginning. Since we always interpret it as 'go to next line'
     * in the decoding loop (which makes code simpler/faster), the first line
     * would not be counted, so we count one more.
-     * See: https://ffmpeg.org/trac/ffmpeg/ticket/226
+     * See: https://trac.ffmpeg.org/ticket/226
     * In the following decoding loop, row_ptr will be the position of the
     * _next_ row. */
    lines_to_change++;
--- a/libavcodec/roqvideodec.c
+++ b/libavcodec/roqvideodec.c
@@ -173,6 +173,13 @@ static av_cold int roq_decode_init(AVCodecContext *avctx)
    RoqContext *s = avctx->priv_data;

    s->avctx = avctx;
+
+    if (avctx->width % 16 || avctx->height % 16) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Dimensions must be a multiple of 16\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
    s->width = avctx->width;
    s->height = avctx->height;
    avcodec_get_frame_defaults(&s->frames[0]);
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -38,6 +38,7 @@
 #include <stdlib.h>
 #include <string.h>

+#include "libavutil/common.h"
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"

@@ -83,7 +84,7 @@ static void rpza_decode_stream(RpzaContext *s)
    unsigned short *pixels = (unsigned short *)s->frame.data[0];

    int row_ptr = 0;
-    int pixel_ptr = 0;
+    int pixel_ptr = -4;
    int block_ptr;
    int pixel_x, pixel_y;
    int total_blocks;
@@ -125,6 +126,8 @@ static void rpza_decode_stream(RpzaContext *s)
            }
        }

+        n_blocks = FFMIN(n_blocks, total_blocks);
+
        switch (opcode & 0xe0) {

        /* Skip blocks */
@@ -139,6 +142,7 @@ static void rpza_decode_stream(RpzaContext *s)
            colorA = AV_RB16 (&s->buf[stream_ptr]);
            stream_ptr += 2;
            while (n_blocks--) {
+                ADVANCE_BLOCK()
                block_ptr = row_ptr + pixel_ptr;
                for (pixel_y = 0; pixel_y < 4; pixel_y++) {
                    for (pixel_x = 0; pixel_x < 4; pixel_x++){
@@ -147,7 +151,6 @@ static void rpza_decode_stream(RpzaContext *s)
                    }
                    block_ptr += row_inc;
                }
-                ADVANCE_BLOCK();
            }
            break;

@@ -186,6 +189,7 @@ static void rpza_decode_stream(RpzaContext *s)
            if (s->size - stream_ptr < n_blocks * 4)
                return;
            while (n_blocks--) {
+                ADVANCE_BLOCK();
                block_ptr = row_ptr + pixel_ptr;
                for (pixel_y = 0; pixel_y < 4; pixel_y++) {
                    index = s->buf[stream_ptr++];
@@ -196,14 +200,14 @@ static void rpza_decode_stream(RpzaContext *s)
                    }
                    block_ptr += row_inc;
                }
-                ADVANCE_BLOCK();
            }
            break;

        /* Fill block with 16 colors */
        case 0x00:
-            if (s->size - stream_ptr < 16)
+            if (s->size - stream_ptr < 30)
                return;
+            ADVANCE_BLOCK();
            block_ptr = row_ptr + pixel_ptr;
            for (pixel_y = 0; pixel_y < 4; pixel_y++) {
                for (pixel_x = 0; pixel_x < 4; pixel_x++){
@@ -217,7 +221,6 @@ static void rpza_decode_stream(RpzaContext *s)
                }
                block_ptr += row_inc;
            }
-            ADVANCE_BLOCK();
            break;

        /* Unknown opcode */
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -358,6 +358,11 @@ static int rv20_decode_picture_header(MpegEncContext *s)
        f = get_bits(&s->gb, rpr_bits);

        if(f){
+            if (s->avctx->extradata_size < 8 + 2 * f) {
+                av_log(s->avctx, AV_LOG_ERROR, "Extradata too small.\n");
+                return AVERROR_INVALIDDATA;
+            }
+
            new_w= 4*((uint8_t*)s->avctx->extradata)[6+2*f];
            new_h= 4*((uint8_t*)s->avctx->extradata)[7+2*f];
        }else{
@@ -437,12 +442,15 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx)
 {
    MpegEncContext *s = avctx->priv_data;
    static int done=0;
-    int major_ver, minor_ver, micro_ver;
+    int major_ver, minor_ver, micro_ver, ret;

    if (avctx->extradata_size < 8) {
        av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n");
        return -1;
    }
+    if ((ret = av_image_check_size(avctx->coded_width,
+                                   avctx->coded_height, 0, avctx)) < 0)
+        return ret;

    MPV_decode_defaults(s);

--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -249,9 +249,11 @@ static void rv30_loop_filter(RV34DecContext *r, int row)
 static av_cold int rv30_decode_init(AVCodecContext *avctx)
 {
    RV34DecContext *r = avctx->priv_data;
+    int ret;

    r->rv30 = 1;
-    ff_rv34_decode_init(avctx);
+    if ((ret = ff_rv34_decode_init(avctx)) < 0)
+        return ret;
    if(avctx->extradata_size < 2){
        av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n");
        return -1;
--- a/libavcodec/rv40.c
+++ b/libavcodec/rv40.c
@@ -544,9 +544,11 @@ static void rv40_loop_filter(RV34DecContext *r, int row)
 static av_cold int rv40_decode_init(AVCodecContext *avctx)
 {
    RV34DecContext *r = avctx->priv_data;
+    int ret;

    r->rv30 = 0;
-    ff_rv34_decode_init(avctx);
+    if ((ret = ff_rv34_decode_init(avctx)) < 0)
+        return ret;
    if(!aic_top_vlc.bits)
        rv40_init_tables();
    r->parse_slice_header = rv40_parse_slice_header;
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .10.7
 .10.13