update for 0.10.12

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
avcodec/snow: split block clipping checks
2014-03-10 19:00:59 +01:00 · 2014-03-10 18:51:50 +01:00 · 2014-03-10 18:51:50 +01:00 · 2014-03-10 18:51:50 +01:00 · 2014-03-10 18:51:50 +01:00 · 2014-03-10 18:51:50 +01:00
113 changed files with 1459 additions and 914 deletions
--- a/164
+++ b/164
@@ -4,6 +4,170 @@ releases are sorted from youngest to oldest.
 version next:


+version 0.10.11
+
+- pthread: Avoid spurious wakeups
+- pthread: Fix deadlock during thread initialization
+- mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
+- vc1dec: Don't decode slices when the latest slice header failed to decode
+- vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
+- r3d: Add more input value validation
+- fraps: Make the input buffer size checks more strict
+- svq3: Avoid a division by zero
+- rmdec: Validate the fps value
+- twinvqdec: Check the ibps parameter separately
+- asfdec: Check the return value of asf_read_stream_properties
+- mxfdec: set audio timebase to 1/samplerate
+- pcx: Check the packet size before assuming it fits a palette
+- rpza: Fix a buffer size check
+- xxan: Disallow odd width
+- xan: Only read within the data that actually was initialized
+- xan: Use bytestream2 to limit reading to within the buffer
+- pcx: Consume the whole packet if giving up due to missing palette
+- pngdec: Stop trying to decode once inflate returns Z_STREAM_END
+- mov: Make sure the read sample count is nonnegative
+- bfi: Add some very basic sanity checks for input packet sizes
+- bfi: Avoid divisions by zero
+- electronicarts: Add more sanity checking for the number of channels
+- riffdec: Add sanity checks for the sample rate
+- mvi: Add sanity checking for the audio frame size
+- xwma: Avoid division by zero
+- avidec: Make sure a packet is large enough before reading its data
+- vqf: Make sure the bitrate is in the valid range
+- vqf: Make sure sample_rate is set to a valid value
+- vc1dec: Undo mpegvideo initialization if unable to allocate tables
+- vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
+- wnv1: Make sure the input packet is large enough
+- dca: Validate the lfe parameter
+- rl2: Avoid a division by zero
+- wtv: Add more sanity checks for a length read from the file
+- segafilm: Validate the number of audio channels
+- qpeg: Add checks for running out of rows in qpeg_decode_inter
+- mpegaudiodec: Validate that the number of channels fits at the given offset
+- asv1: Verify the amount of extradata
+- idroqdec: Make sure a video stream has been allocated before returning packets
+- rv10: Validate the dimensions set from the container
+- xmv: Add more sanity checks for parameters read from the bitstream
+- ffv1: Make sure at least one slice context is initialized
+- truemotion2: Use av_freep properly in an error path
+- eacmv: Make sure a reference frame exists before referencing it
+- mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
+- ivi_common: Make sure color planes have been initialized
+- oggparseogm: Convert to use bytestream2
+- rv34: Check the return value from ff_rv34_decode_init
+- matroskadec: Verify realaudio codec parameters
+- mace: Make sure that the channel count is set to a valid value
+- svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
+- vp3: Check the framerate for validity
+- cavsdec: Make sure a sequence header has been decoded before decoding pictures
+- sierravmd: Do sanity checking of frame sizes
+- omadec: Properly check lengths before incrementing the position
+- mpc8: Make sure the first stream exists before parsing the seek table
+- mpc8: Check the seek table size parsed from the bitstream
+- zmbvdec: Check the buffer size for uncompressed data
+- ape: Don't allow the seektable to be omitted
+- shorten: Break out of loop looking for fmt chunk if none is found
+- shorten: Use a checked bytestream reader for the wave header
+- smacker: Make sure we don't fill in huffman codes out of range
+- smacker: Avoid integer overflow when allocating packets
+- smacker: Don't return packets in unallocated streams
+- dsicin: Add some basic sanity checks for fields read from the file
+- roqvideodec: check dimensions validity
+- qdm2: check array index before use, fix out of array accesses
+- alsdec: check block length
+
+
+version 0.10.10
+
+- x86: fft: Remove 3DNow! optimizations, they break FATE
+- x86: ac3dsp: Drop mmx variant of ac3_max_msb_abs_int16
+- aac: Check init_get_bits return value
+- aac: return meaningful errors
+- dsicinav: K&R formatting cosmetics
+- mov: Seek back if overreading an individual atom
+- vcr1: add sanity checks
+- pictordec: pass correct context to avpriv_request_sample
+- dsicinav: Clip the source size to the expected maximum
+- alsdec: Clean up error paths
+- ogg: Fix potential infinite discard loop
+- nuv: check rtjpeg_decode_frame_yuv420 return value
+- nuv: Reset the frame on resize
+- nuv: Use av_fast_realloc
+- nuv: return meaningful error codes.
+- nuv: Pad the lzo outbuf
+- nuv: Do not ignore lzo decompression failures
+- oma: correctly mark and decrypt partial packets
+- oma: check geob tag boundary
+- oma: refactor seek function
+- 8bps: Bound-check the input buffer
+- rtmp: Do not misuse memcmp
+- rtmp: rename data_size to size
+- lavc: set the default rc_initial_buffer_occupancy
+- 4xm: Reject not a multiple of 16 dimension
+- 4xm: do not overread the prestream buffer
+- 4xm: validate the buffer size before parsing it
+- indeo: Do not reference mismatched tiles
+- indeo: Sanitize ff_ivi_init_planes fail paths
+- indeo: Bound-check before applying motion compensation
+- indeo: Bound-check before applying transform
+- indeo: reject negative array indexes
+- indeo: Cosmetic formatting
+- indeo: Refactor ff_ivi_init_tiles and ivi_decode_blocks
+- indeo: Refactor ff_ivi_dec_huff_desc
+- lavf: fix the comparison in an overflow check
+- dv: Add a guard to not overread the ppcm array
+- mpegvideo: Avoid 32-bit wrapping of linesize multiplications
+- mjpegb: Detect changing number of planes in interlaced video
+- matroskadec: Check that .lang was allocated and set before reading it
+- ape demuxer: check for EOF in potentially long loops
+- lavf: avoid integer overflow when estimating bitrate
+- pictordec: break out of both decoding loops when y drops below 0
+- ac3: Return proper error codes
+- ac3: Clean up the error paths
+- ac3: Do not clash with normal AVERROR
+- dxa: Make sure the reference frame exists
+- h261: check the mtype index
+- segafilm: Error out on impossible packet size
+- ogg: Always alloc the private context in vorbis_header
+- vc1: check mb_height validity.
+- vc1: check the source buffer in vc1_mc functions
+- bink: Bound check the quantization matrix.
+- xl: Make sure the width is valid
+- alsdec: Fix the clipping range
+- dsicinav: Bound-check the source buffer when needed
+- mov: Do not allow updating the time scale after it has been set
+- ac3dec: Don't consume more data than the actual input packet size
+- indeo: Reject impossible FRAMETYPE_NULL
+- indeo5: return proper error codes
+- indeo4: Validate scantable dimension
+- indeo4: Check the quantization matrix index
+- indeo4: Do not access missing reference MV
+- adpcm: Unbreak ima-dk4
+- ac3dec: validate channel output mode against channel count
+- dca: Respect the current limits in the downmixing capabilities
+- dca: Error out on missing DSYNC
+- pcm: always use codec->id instead of codec_id
+- mlpdec: Do not set invalid context in read_restart_header
+- pcx: Do not overread source buffer in pcx_rle_decode
+- wmavoice: conceal clearly corrupted blocks
+- iff: Do not read over the source buffer
+- qdm2: Conceal broken samples
+- qdm2: refactor joined stereo support
+- adpcm: Write the correct number of samples for ima-dk4
+- imc: Catch a division by zero
+- atrac3: Error on impossible encoding/channel combinations
+- atrac3: set the getbits context the right buffer_end
+- atrac3: fix error handling
+- qdm2: check and reset dithering index per channel
+- westwood_vqa: do not free extradata on error in read_header
+- vqavideo: check the version
+- rmdec: Use the AVIOContext given as parameter in rm_read_metadata()
+- avio: Handle AVERROR_EOF in the same way as the return value 0
+- wtv: Mark attachment with a negative stream id
+- avidec: Let the inner dv demuxer take care of discarding
+- swfdec: do better validation of tag length
+
+
 version 0.10.8
 - kmvc: Clip pixel position to valid range
 - kmvc: use fixed sized arrays in the context
--- a/2
+++ b/2
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 0.10.9
+PROJECT_NUMBER         = 0.10.12

 # With the PROJECT_LOGO tag one can specify an logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
--- a/2
+++ b/2
@@ -1 +1 @@
-0.10.9
+0.10.12
--- a/2
+++ b/2
@@ -1 +1 @@
-0.10.9
+0.10.12
--- a/cmdutils.c
+++ b/cmdutils.c
@@ -56,7 +56,7 @@
 struct SwsContext *sws_opts;
 AVDictionary *format_opts, *codec_opts;

-const int this_year = 2013;
+const int this_year = 2014;

 static FILE *report_file;

--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -4057,8 +4057,6 @@ static OutputStream *new_video_stream(OptionsContext *o, AVFormatContext *oc)
            if (p) p++;
        }
        video_enc->rc_override_count = i;
-        if (!video_enc->rc_initial_buffer_occupancy)
-            video_enc->rc_initial_buffer_occupancy = video_enc->rc_buffer_size * 3 / 4;
        video_enc->intra_dc_precision = intra_dc_precision - 8;

        if (do_psnr)
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -403,6 +403,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
    unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset;

    if(f->version>1){
+        if (length < 20)
+            return AVERROR_INVALIDDATA;
        extra=20;
        if (length < extra)
            return -1;
@@ -560,7 +562,10 @@ static int decode_i_mb(FourXContext *f){
    return 0;
 }

-static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf, int buf_size){
+static const uint8_t *read_huffman_tables(FourXContext *f,
+                                          const uint8_t * const buf,
+                                          int buf_size)
+{
    int frequency[512];
    uint8_t flag[512];
    int up[512];
@@ -581,6 +586,9 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const

        if (start <= end && ptr_end - ptr < end - start + 1 + 1)
            return NULL;
+        if (end < start || buf_size < 0)
+            return NULL;
+
        for(i=start; i<=end; i++){
            frequency[i]= *ptr++;
        }
@@ -767,25 +775,35 @@ static int decode_frame(AVCodecContext *avctx,
    AVFrame *p, temp;
    int i, frame_4cc, frame_size;

-    if (buf_size < 12)
+    if (buf_size < 20)
+        return AVERROR_INVALIDDATA;
+
+    if (avctx->width % 16 || avctx->height % 16) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Dimensions non-multiple of 16 are invalid.\n");
        return AVERROR_INVALIDDATA;
-    frame_4cc= AV_RL32(buf);
-    if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){
-        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
    }

+    if (buf_size < AV_RL32(buf + 4) + 8) {
+        av_log(f->avctx, AV_LOG_ERROR,
+               "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4));
+    }
+
+    frame_4cc = AV_RL32(buf);
+
    if(frame_4cc == AV_RL32("cfrm")){
        int free_index=-1;
-        const int data_size= buf_size - 20;
-        const int id= AV_RL32(buf+12);
-        const int whole_size= AV_RL32(buf+16);
+        int id, whole_size;
+        const int data_size = buf_size - 20;
        CFrameBuffer *cfrm;

+        id         = AV_RL32(buf + 12);
+        whole_size = AV_RL32(buf + 16);
+
        if (data_size < 0 || whole_size < 0){
            av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
            return AVERROR_INVALIDDATA;
        }
-
        for(i=0; i<CFRAME_BUFFER_COUNT; i++){
            if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
                av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);
--- a/libavcodec/8bps.c
+++ b/libavcodec/8bps.c
@@ -69,7 +69,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
        unsigned char *pixptr, *pixptr_end;
        unsigned int height = avctx->height; // Real image height
        unsigned int dlen, p, row;
-        const unsigned char *lp, *dp;
+        const unsigned char *lp, *dp, *ep;
        unsigned char count;
        unsigned int planes = c->planes;
        unsigned char *planemap = c->planemap;
@@ -84,6 +84,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                return -1;
        }

+        ep = encoded + buf_size;
+
        /* Set data pointer after line lengths */
        dp = encoded + planes * (height << 1);

@@ -95,16 +97,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                for(row = 0; row < height; row++) {
                        pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
                        pixptr_end = pixptr + c->pic.linesize[0];
+                        if (ep - lp < row * 2 + 2)
+                            return AVERROR_INVALIDDATA;
                        dlen = av_be2ne16(*(const unsigned short *)(lp+row*2));
                        /* Decode a row of this plane */
                        while(dlen > 0) {
-                                if(dp + 1 >= buf+buf_size) return -1;
+                                if(ep - dp <= 1) return -1;
                                if ((count = *dp++) <= 127) {
                                        count++;
                                        dlen -= count + 1;
                                        if (pixptr + count * planes > pixptr_end)
                                            break;
-                                        if(dp + count > buf+buf_size) return -1;
+                                        if(ep - dp < count) return -1;
                                        while(count--) {
                                                *pixptr = *dp++;
                                                pixptr += planes;
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -362,7 +362,7 @@ static int decode_pce(AVCodecContext *avctx, MPEG4AudioConfig *m4ac,
    comment_len = get_bits(gb, 8) * 8;
    if (get_bits_left(gb) < comment_len) {
        av_log(avctx, AV_LOG_ERROR, overread_err);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }
    skip_bits_long(gb, comment_len);
    return 0;
@@ -383,7 +383,7 @@ static av_cold int set_default_channel_config(AVCodecContext *avctx,
    if (channel_config < 1 || channel_config > 7) {
        av_log(avctx, AV_LOG_ERROR, "invalid default channel configuration (%d)\n",
               channel_config);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    /* default channel configurations:
@@ -501,20 +501,21 @@ static int decode_audio_specific_config(AACContext *ac,
                                        int sync_extension)
 {
    GetBitContext gb;
-    int i;
+    int i, ret;

    av_dlog(avctx, "extradata size %d\n", avctx->extradata_size);
    for (i = 0; i < avctx->extradata_size; i++)
         av_dlog(avctx, "%02x ", avctx->extradata[i]);
    av_dlog(avctx, "\n");

-    init_get_bits(&gb, data, bit_size);
+    if ((ret = init_get_bits(&gb, data, bit_size)) < 0)
+        return ret;

    if ((i = avpriv_mpeg4audio_get_config(m4ac, data, bit_size, sync_extension)) < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;
    if (m4ac->sampling_index > 12) {
        av_log(avctx, AV_LOG_ERROR, "invalid sampling rate index %d\n", m4ac->sampling_index);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    skip_bits_long(&gb, i);
@@ -523,13 +524,14 @@ static int decode_audio_specific_config(AACContext *ac,
    case AOT_AAC_MAIN:
    case AOT_AAC_LC:
    case AOT_AAC_LTP:
-        if (decode_ga_specific_config(ac, avctx, &gb, m4ac, m4ac->chan_config))
-            return -1;
+        if ((ret = decode_ga_specific_config(ac, avctx, &gb,
+                                             m4ac, m4ac->chan_config)) < 0)
+            return ret;
        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Audio object type %s%d is not supported.\n",
               m4ac->sbr == 1? "SBR+" : "", m4ac->object_type);
-        return -1;
+        return AVERROR(ENOSYS);
    }

    av_dlog(avctx, "AOT %d chan config %d sampling index %d (%d) SBR %d PS %d\n",
@@ -600,16 +602,17 @@ static void reset_predictor_group(PredictorState *ps, int group_num)
 static av_cold int aac_decode_init(AVCodecContext *avctx)
 {
    AACContext *ac = avctx->priv_data;
+    int ret;
    float output_scale_factor;

    ac->avctx = avctx;
    ac->m4ac.sample_rate = avctx->sample_rate;

    if (avctx->extradata_size > 0) {
-        if (decode_audio_specific_config(ac, ac->avctx, &ac->m4ac,
+        if ((ret = decode_audio_specific_config(ac, ac->avctx, &ac->m4ac,
                                         avctx->extradata,
-                                         avctx->extradata_size*8, 1) < 0)
-            return -1;
+                                         avctx->extradata_size*8, 1)) < 0)
+            return ret;
    } else {
        int sr, i;
        enum ChannelPosition new_che_pos[4][MAX_ELEM_ID];
@@ -702,7 +705,7 @@ static int skip_data_stream_element(AACContext *ac, GetBitContext *gb)

    if (get_bits_left(gb) < 8 * count) {
        av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-        return -1;
+        return AVERROR_INVALIDDATA;
    }
    skip_bits_long(gb, 8 * count);
    return 0;
@@ -716,7 +719,7 @@ static int decode_prediction(AACContext *ac, IndividualChannelStream *ics,
        ics->predictor_reset_group = get_bits(gb, 5);
        if (ics->predictor_reset_group == 0 || ics->predictor_reset_group > 30) {
            av_log(ac->avctx, AV_LOG_ERROR, "Invalid Predictor Reset Group.\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }
    }
    for (sfb = 0; sfb < FFMIN(ics->max_sfb, ff_aac_pred_sfb_max[ac->m4ac.sampling_index]); sfb++) {
@@ -826,20 +829,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
            int sect_band_type = get_bits(gb, 4);
            if (sect_band_type == 12) {
                av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
            do {
                sect_len_incr = get_bits(gb, bits);
                sect_end += sect_len_incr;
                if (get_bits_left(gb) < 0) {
                    av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                }
                if (sect_end > ics->max_sfb) {
                    av_log(ac->avctx, AV_LOG_ERROR,
                           "Number of bands (%d) exceeds limit (%d).\n",
                           sect_end, ics->max_sfb);
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                }
            } while (sect_len_incr == (1 << bits) - 1);
            for (; k < sect_end; k++) {
@@ -911,7 +914,7 @@ static int decode_scalefactors(AACContext *ac, float sf[120], GetBitContext *gb,
                    if (offset[0] > 255U) {
                        av_log(ac->avctx, AV_LOG_ERROR,
                               "%s (%d) out of range.\n", sf_str[0], offset[0]);
-                        return -1;
+                        return AVERROR_INVALIDDATA;
                    }
                    sf[idx] = -ff_aac_pow2sf_tab[offset[0] - 100 + POW_SF2_ZERO];
                }
@@ -969,7 +972,7 @@ static int decode_tns(AACContext *ac, TemporalNoiseShaping *tns,
                    av_log(ac->avctx, AV_LOG_ERROR, "TNS filter order %d is greater than maximum %d.\n",
                           tns->order[w][filt], tns_max_order);
                    tns->order[w][filt] = 0;
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                }
                if (tns->order[w][filt]) {
                    tns->direction[w][filt] = get_bits1(gb);
@@ -1252,7 +1255,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024],

                                    if (b > 8) {
                                        av_log(ac->avctx, AV_LOG_ERROR, "error in spectral data, ESC overflow\n");
-                                        return -1;
+                                        return AVERROR_INVALIDDATA;
                                    }

                                    SKIP_BITS(re, gb, b + 1);
@@ -1395,6 +1398,7 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
    IndividualChannelStream *ics = &sce->ics;
    float *out = sce->coeffs;
    int global_gain, pulse_present = 0;
+    int ret;

    /* This assignment is to silence a GCC warning about the variable being used
     * uninitialized when in fact it always is.
@@ -1408,25 +1412,27 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
            return AVERROR_INVALIDDATA;
    }

-    if (decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics) < 0)
-        return -1;
-    if (decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end) < 0)
-        return -1;
+    if ((ret = decode_band_types(ac, sce->band_type,
+                                 sce->band_type_run_end, gb, ics)) < 0)
+        return ret;
+    if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics,
+                                   sce->band_type, sce->band_type_run_end)) < 0)
+        return ret;

    pulse_present = 0;
    if (!scale_flag) {
        if ((pulse_present = get_bits1(gb))) {
            if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) {
                av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
            if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) {
                av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }
        }
        if ((tns->present = get_bits1(gb)) && decode_tns(ac, tns, gb, ics))
-            return -1;
+            return AVERROR_INVALIDDATA;
        if (get_bits1(gb)) {
            av_log_missing_feature(ac->avctx, "SSR", 1);
            return -1;
@@ -1434,7 +1440,7 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
    }

    if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, &pulse, ics, sce->band_type) < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;

    if (ac->m4ac.object_type == AOT_AAC_MAIN && !common_window)
        apply_prediction(ac, sce);
@@ -1532,7 +1538,7 @@ static int decode_cpe(AACContext *ac, GetBitContext *gb, ChannelElement *cpe)
        ms_present = get_bits(gb, 2);
        if (ms_present == 3) {
            av_log(ac->avctx, AV_LOG_ERROR, "ms_present = 3 is reserved.\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        } else if (ms_present)
            decode_mid_side_stereo(cpe, gb, ms_present);
    }
@@ -2323,7 +2329,8 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data,
            return AVERROR_INVALIDDATA;
    }

-    init_get_bits(&gb, buf, buf_size * 8);
+    if ((err = init_get_bits(&gb, buf, buf_size * 8)) < 0)
+        return err;

    if ((err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb)) < 0)
        return err;
@@ -2568,7 +2575,8 @@ static int latm_decode_frame(AVCodecContext *avctx, void *out,
    int                 muxlength, err;
    GetBitContext       gb;

-    init_get_bits(&gb, avpkt->data, avpkt->size * 8);
+    if ((err = init_get_bits(&gb, avpkt->data, avpkt->size * 8)) < 0)
+        return err;

    // check for LOAS sync word
    if (get_bits(&gb, 11) != LOAS_SYNC_WORD)
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -294,12 +294,12 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
                                                 avctx->extradata_size * 8, 1);

    if (config_offset < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;

    skip_bits_long(&gb, config_offset);

    if (get_bits_left(&gb) < (30 << 3))
-        return -1;
+        return AVERROR_INVALIDDATA;

    // read the fixed items
    als_id                      = get_bits_long(&gb, 32);
@@ -334,7 +334,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)

    // check for ALSSpecificConfig struct
    if (als_id != MKBETAG('A','L','S','\0'))
-        return -1;
+        return AVERROR_INVALIDDATA;

    ctx->cur_frame_length = sconf->frame_length;

@@ -349,7 +349,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
        int chan_pos_bits = av_ceil_log2(avctx->channels);
        int bits_needed  = avctx->channels * chan_pos_bits + 7;
        if (get_bits_left(&gb) < bits_needed)
-            return -1;
+            return AVERROR_INVALIDDATA;

        if (!(sconf->chan_pos = av_malloc(avctx->channels * sizeof(*sconf->chan_pos))))
            return AVERROR(ENOMEM);
@@ -367,7 +367,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
    // read fixed header and trailer sizes,
    // if size = 0xFFFFFFFF then there is no data field!
    if (get_bits_left(&gb) < 64)
-        return -1;
+        return AVERROR_INVALIDDATA;

    header_size  = get_bits_long(&gb, 32);
    trailer_size = get_bits_long(&gb, 32);
@@ -381,10 +381,10 @@ static av_cold int read_specific_config(ALSDecContext *ctx)

    // skip the header and trailer data
    if (get_bits_left(&gb) < ht_size)
-        return -1;
+        return AVERROR_INVALIDDATA;

    if (ht_size > INT32_MAX)
-        return -1;
+        return AVERROR_PATCHWELCOME;

    skip_bits_long(&gb, ht_size);

@@ -392,7 +392,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
    // initialize CRC calculation
    if (sconf->crc_enabled) {
        if (get_bits_left(&gb) < 32)
-            return -1;
+            return AVERROR_INVALIDDATA;

        if (avctx->err_recognition & (AV_EF_CRCCHECK|AV_EF_CAREFUL)) {
            ctx->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE);
@@ -632,7 +632,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
    if (bd->block_length & (sub_blocks - 1)) {
        av_log(avctx, AV_LOG_WARNING,
               "Block length is not evenly divisible by the number of subblocks.\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    sb_length = bd->block_length >> log2_sub_blocks;
@@ -963,18 +963,18 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 */
 static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
 {
+    int ret = 0;
    GetBitContext *gb        = &ctx->gb;

    *bd->shift_lsbs = 0;
    // read block type flag and read the samples accordingly
    if (get_bits1(gb)) {
-        if (read_var_block_data(ctx, bd))
-            return -1;
+        ret = read_var_block_data(ctx, bd);
    } else {
        read_const_block_data(ctx, bd);
    }

-    return 0;
+    return ret;
 }


@@ -983,12 +983,16 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
 static int decode_block(ALSDecContext *ctx, ALSBlockData *bd)
 {
    unsigned int smp;
+    int ret = 0;

    // read block type flag and read the samples accordingly
    if (*bd->const_block)
        decode_const_block_data(ctx, bd);
-    else if (decode_var_block_data(ctx, bd))
-        return -1;
+    else
+        ret = decode_var_block_data(ctx, bd); // always return 0
+
+    if (ret < 0)
+        return ret;

    // TODO: read RLSLMS extension data

@@ -1006,14 +1010,10 @@ static int read_decode_block(ALSDecContext *ctx, ALSBlockData *bd)
 {
    int ret;

-    ret = read_block(ctx, bd);
-
-    if (ret)
+    if ((ret = read_block(ctx, bd)) < 0)
        return ret;

-    ret = decode_block(ctx, bd);
-
-    return ret;
+    return decode_block(ctx, bd);
 }


@@ -1039,6 +1039,7 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame,
                             unsigned int c, const unsigned int *div_blocks,
                             unsigned int *js_blocks)
 {
+    int ret;
    unsigned int b;
    ALSBlockData bd;

@@ -1061,10 +1062,10 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame,
    for (b = 0; b < ctx->num_blocks; b++) {
        bd.block_length     = div_blocks[b];

-        if (read_decode_block(ctx, &bd)) {
+        if ((ret = read_decode_block(ctx, &bd)) < 0) {
            // damaged block, write zero for the rest of the frame
            zero_remaining(b, ctx->num_blocks, div_blocks, bd.raw_samples);
-            return -1;
+            return ret;
        }
        bd.raw_samples += div_blocks[b];
        bd.ra_block     = 0;
@@ -1083,6 +1084,7 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
    ALSSpecificConfig *sconf = &ctx->sconf;
    unsigned int offset = 0;
    unsigned int b;
+    int ret;
    ALSBlockData bd[2];

    memset(bd, 0, 2 * sizeof(ALSBlockData));
@@ -1126,12 +1128,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
        bd[0].raw_other    = bd[1].raw_samples;
        bd[1].raw_other    = bd[0].raw_samples;

-        if(read_decode_block(ctx, &bd[0]) || read_decode_block(ctx, &bd[1])) {
-            // damaged block, write zero for the rest of the frame
-            zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples);
-            zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples);
-            return -1;
-        }
+        if ((ret = read_decode_block(ctx, &bd[0])) < 0 ||
+            (ret = read_decode_block(ctx, &bd[1])) < 0)
+            goto fail;
+

        // reconstruct joint-stereo blocks
        if (bd[0].js_blocks) {
@@ -1157,6 +1157,11 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
            sizeof(*ctx->raw_samples[c]) * sconf->max_order);

    return 0;
+fail:
+    // damaged block, write zero for the rest of the frame
+    zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples);
+    zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples);
+    return ret;
 }

 static inline int als_weighting(GetBitContext *gb, int k, int off)
@@ -1180,7 +1185,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)

        if (current->master_channel >= channels) {
            av_log(ctx->avctx, AV_LOG_ERROR, "Invalid master channel!\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }

        if (current->master_channel != c) {
@@ -1205,7 +1210,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)

    if (entries == channels) {
        av_log(ctx->avctx, AV_LOG_ERROR, "Damaged channel data!\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    align_get_bits(gb);
@@ -1237,7 +1242,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,

    if (dep == channels) {
        av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel correlation!\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    bd->const_block = ctx->const_block + c;
@@ -1310,6 +1315,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
    unsigned int js_blocks[2];

    uint32_t bs_info = 0;
+    int ret;

    // skip the size of the ra unit if present in the frame
    if (sconf->ra_flag == RA_FLAG_FRAMES && ra_frame)
@@ -1340,13 +1346,15 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
                independent_bs = 1;

            if (independent_bs) {
-                if (decode_blocks_ind(ctx, ra_frame, c, div_blocks, js_blocks))
-                    return -1;
-
+                ret = decode_blocks_ind(ctx, ra_frame, c,
+                                        div_blocks, js_blocks);
+                if (ret < 0)
+                    return ret;
                independent_bs--;
            } else {
-                if (decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks))
-                    return -1;
+                ret = decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks);
+                if (ret < 0)
+                    return ret;

                c++;
            }
@@ -1365,7 +1373,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
        for (c = 0; c < avctx->channels; c++)
            if (ctx->chan_data[c] < ctx->chan_data_buffer) {
                av_log(ctx->avctx, AV_LOG_ERROR, "Invalid channel data!\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
            }

        memset(&bd,               0, sizeof(ALSBlockData));
@@ -1378,6 +1386,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)

        for (b = 0; b < ctx->num_blocks; b++) {
            bd.block_length = div_blocks[b];
+            if (bd.block_length <= 0) {
+                av_log(ctx->avctx, AV_LOG_WARNING,
+                       "Invalid block length %d in channel data!\n", bd.block_length);
+                continue;
+            }

            for (c = 0; c < avctx->channels; c++) {
                bd.const_block = ctx->const_block + c;
@@ -1397,11 +1410,12 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
                    return -1;
            }

-            for (c = 0; c < avctx->channels; c++)
-                if (revert_channel_correlation(ctx, &bd, ctx->chan_data,
-                                               reverted_channels, offset, c))
-                    return -1;
-
+            for (c = 0; c < avctx->channels; c++) {
+                ret = revert_channel_correlation(ctx, &bd, ctx->chan_data,
+                                                 reverted_channels, offset, c);
+                if (ret < 0)
+                    return ret;
+            }
            for (c = 0; c < avctx->channels; c++) {
                bd.const_block = ctx->const_block + c;
                bd.shift_lsbs  = ctx->shift_lsbs + c;
@@ -1598,29 +1612,30 @@ static av_cold int decode_init(AVCodecContext *avctx)
 {
    unsigned int c;
    unsigned int channel_size;
-    int num_buffers;
+    int num_buffers, ret;
    ALSDecContext *ctx = avctx->priv_data;
    ALSSpecificConfig *sconf = &ctx->sconf;
    ctx->avctx = avctx;

    if (!avctx->extradata) {
        av_log(avctx, AV_LOG_ERROR, "Missing required ALS extradata.\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

-    if (read_specific_config(ctx)) {
+    if ((ret = read_specific_config(ctx)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "Reading ALSSpecificConfig failed.\n");
-        decode_end(avctx);
-        return -1;
+        goto fail;
    }

-    if (check_specific_config(ctx)) {
-        decode_end(avctx);
-        return -1;
+    if ((ret = check_specific_config(ctx)) < 0) {
+        goto fail;
    }

-    if (sconf->bgmc)
-        ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status);
+    if (sconf->bgmc) {
+        ret = ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status);
+        if (ret < 0)
+            goto fail;
+    }

    if (sconf->floating) {
        avctx->sample_fmt          = AV_SAMPLE_FMT_FLT;
@@ -1656,7 +1671,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
        !ctx->quant_cof_buffer       || !ctx->lpc_cof_buffer ||
        !ctx->lpc_cof_reversed_buffer) {
        av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-        return AVERROR(ENOMEM);
+        ret = AVERROR(ENOMEM);
+        goto fail;
    }

    // assign quantized parcor coefficient buffers
@@ -1681,8 +1697,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
        !ctx->use_ltp  || !ctx->ltp_lag ||
        !ctx->ltp_gain || !ctx->ltp_gain_buffer) {
        av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-        decode_end(avctx);
-        return AVERROR(ENOMEM);
+        ret = AVERROR(ENOMEM);
+        goto fail;
    }

    for (c = 0; c < num_buffers; c++)
@@ -1699,8 +1715,8 @@ static av_cold int decode_init(AVCodecContext *avctx)

        if (!ctx->chan_data_buffer || !ctx->chan_data || !ctx->reverted_channels) {
            av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-            decode_end(avctx);
-            return AVERROR(ENOMEM);
+            ret = AVERROR(ENOMEM);
+            goto fail;
        }

        for (c = 0; c < num_buffers; c++)
@@ -1721,8 +1737,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
    // allocate previous raw sample buffer
    if (!ctx->prev_raw_samples || !ctx->raw_buffer|| !ctx->raw_samples) {
        av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-        decode_end(avctx);
-        return AVERROR(ENOMEM);
+        ret = AVERROR(ENOMEM);
+        goto fail;
    }

    // assign raw samples buffers
@@ -1739,8 +1755,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
                                    av_get_bytes_per_sample(avctx->sample_fmt));
        if (!ctx->crc_buffer) {
            av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-            decode_end(avctx);
-            return AVERROR(ENOMEM);
+            ret = AVERROR(ENOMEM);
+            goto fail;
        }
    }

@@ -1750,6 +1766,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
    avctx->coded_frame = &ctx->frame;

    return 0;
+
+fail:
+    decode_end(avctx);
+    return ret;
 }


--- a/libavcodec/arm/asm.S
+++ b/libavcodec/arm/asm.S
@@ -132,6 +132,13 @@ T       ldr             \rt, [\rn]
 T       add             \rn, \rn, \rm
 .endm

+.macro  ldrc_pre        cc,  rt,  rn,  rm:vararg
+A       ldr\cc          \rt, [\rn, \rm]!
+T       itt             \cc
+T       add\cc          \rn, \rn, \rm
+T       ldr\cc          \rt, [\rn]
+.endm
+
 .macro  ldrd_reg        rt,  rt2, rn,  rm
 A       ldrd            \rt, \rt2, [\rn, \rm]
 T       add             \rt, \rn, \rm
--- a/libavcodec/arm/dsputil_armv6.S
+++ b/libavcodec/arm/dsputil_armv6.S
@@ -146,10 +146,11 @@ function ff_put_pixels8_y2_armv6, export=1
        eor             r7,  r5,  r7
        uadd8           r10, r10, r6
        and             r7,  r7,  r12
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
        uadd8           r11, r11, r7
        strd_post       r8,  r9,  r0,  r2
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
        strd_post       r10, r11, r0,  r2
        bne             1b

@@ -198,9 +199,10 @@ function ff_put_pixels8_y2_no_rnd_armv6, export=1
        uhadd8          r9,  r5,  r7
        ldr             r5,  [r1, #4]
        uhadd8          r12, r4,  r6
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
        uhadd8          r14, r5,  r7
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
        stm             r0,  {r8,r9}
        add             r0,  r0,  r2
        stm             r0,  {r12,r14}
--- a/libavcodec/arm/int_neon.S
+++ b/libavcodec/arm/int_neon.S
@@ -66,10 +66,10 @@ function ff_scalarproduct_int16_neon, export=1

 3:      vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
@@ -106,10 +106,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1

        vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
--- a/libavcodec/asv1.c
+++ b/libavcodec/asv1.c
@@ -535,6 +535,11 @@ static av_cold int decode_init(AVCodecContext *avctx){
    int i;
    const int scale= avctx->codec_id == CODEC_ID_ASV1 ? 1 : 2;

+    if (avctx->extradata_size < 1) {
+        av_log(avctx, AV_LOG_ERROR, "No extradata provided\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    common_init(avctx);
    init_vlcs(a);
    ff_init_scantable(a->dsp.idct_permutation, &a->scantable, scantab);
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -166,8 +166,8 @@ static inline int decode_residual_inter(AVSContext *h) {

    /* get coded block pattern */
    int cbp= get_ue_golomb(&h->s.gb);
-    if(cbp > 63U){
-        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
+    if(cbp > 63 || cbp < 0){
+        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp);
        return -1;
    }
    h->cbp = cbp_tab[cbp][1];
@@ -226,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) {
    /* get coded block pattern */
    if(h->pic_type == AV_PICTURE_TYPE_I)
        cbp_code = get_ue_golomb(gb);
-    if(cbp_code > 63U){
+    if(cbp_code > 63 || cbp_code < 0 ){
        av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
        return -1;
    }
@@ -468,6 +468,11 @@ static int decode_pic(AVSContext *h) {
    int skip_count = -1;
    enum cavs_mb mb_type;

+    if (!h->top_qp) {
+        av_log(h, AV_LOG_ERROR, "No sequence header decoded yet\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    if (!s->context_initialized) {
        s->avctx->idct_algo = FF_IDCT_CAVS;
        if (MPV_common_init(s) < 0)
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -577,6 +577,11 @@ static int dca_parse_frame_header(DCAContext *s)
    s->lfe               = get_bits(&s->gb, 2);
    s->predictor_history = get_bits(&s->gb, 1);

+    if (s->lfe > 2) {
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);
+        return AVERROR_INVALIDDATA;
+    }
+
    /* TODO: check CRC */
    if (s->crc_present)
        s->header_crc    = get_bits(&s->gb, 16);
--- a/libavcodec/dnxhdenc.c
+++ b/libavcodec/dnxhdenc.c
@@ -220,7 +220,7 @@ static int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias)

 static int dnxhd_init_rc(DNXHDEncContext *ctx)
 {
-    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail);
+    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail);
    if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD)
        FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail);

--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -108,27 +108,31 @@ static av_cold int cinvideo_decode_init(AVCodecContext *avctx)
    return 0;
 }

-static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, int size)
+static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst,
+                                 int size)
 {
    while (size--)
        *dst++ += *src++;
 }

-static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static int cin_decode_huffman(const unsigned char *src, int src_size,
+                              unsigned char *dst, int dst_size)
 {
    int b, huff_code = 0;
    unsigned char huff_code_table[15];
-    unsigned char *dst_cur = dst;
-    unsigned char *dst_end = dst + dst_size;
+    unsigned char *dst_cur       = dst;
+    unsigned char *dst_end       = dst + dst_size;
    const unsigned char *src_end = src + src_size;

-    memcpy(huff_code_table, src, 15); src += 15; src_size -= 15;
+    memcpy(huff_code_table, src, 15);
+    src += 15;
+    src_size -= 15;

    while (src < src_end) {
        huff_code = *src++;
        if ((huff_code >> 4) == 15) {
-            b = huff_code << 4;
-            huff_code = *src++;
+            b          = huff_code << 4;
+            huff_code  = *src++;
            *dst_cur++ = b | (huff_code >> 4);
        } else
            *dst_cur++ = huff_code_table[huff_code >> 4];
@@ -147,11 +151,12 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
    return dst_cur - dst;
 }

-static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static int cin_decode_lzss(const unsigned char *src, int src_size,
+                           unsigned char *dst, int dst_size)
 {
    uint16_t cmd;
    int i, sz, offset, code;
-    unsigned char *dst_end = dst + dst_size, *dst_start = dst;
+    unsigned char *dst_end       = dst + dst_size, *dst_start = dst;
    const unsigned char *src_end = src + src_size;

    while (src < src_end && dst < dst_end) {
@@ -160,13 +165,15 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char
            if (code & (1 << i)) {
                *dst++ = *src++;
            } else {
-                cmd = AV_RL16(src); src += 2;
+                cmd  = AV_RL16(src);
+                src += 2;
                offset = cmd >> 4;
-                if ((int) (dst - dst_start) < offset + 1)
+                if ((int)(dst - dst_start) < offset + 1)
                    return AVERROR_INVALIDDATA;
                sz = (cmd & 0xF) + 2;
-                /* don't use memcpy/memmove here as the decoding routine (ab)uses */
-                /* buffer overlappings to repeat bytes in the destination */
+                /* don't use memcpy/memmove here as the decoding routine
+                 * (ab)uses buffer overlappings to repeat bytes in the
+                 * destination */
                sz = FFMIN(sz, dst_end - dst);
                while (sz--) {
                    *dst = *(dst - offset - 1);
@@ -179,10 +186,11 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char
    return 0;
 }

-static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static void cin_decode_rle(const unsigned char *src, int src_size,
+                           unsigned char *dst, int dst_size)
 {
    int len, code;
-    unsigned char *dst_end = dst + dst_size;
+    unsigned char *dst_end       = dst + dst_size;
    const unsigned char *src_end = src + src_size;

    while (src < src_end && dst < dst_end) {
@@ -205,15 +213,16 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
                                 void *data, int *data_size,
                                 AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
-    int buf_size = avpkt->size;
+    const uint8_t *buf   = avpkt->data;
+    int buf_size         = avpkt->size;
    CinVideoContext *cin = avctx->priv_data;
-    int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0;
+    int i, y, palette_type, palette_colors_count,
+        bitmap_frame_type, bitmap_frame_size, res = 0;

-    palette_type = buf[0];
+    palette_type         = buf[0];
    palette_colors_count = AV_RL16(buf+1);
-    bitmap_frame_type = buf[3];
-    buf += 4;
+    bitmap_frame_type    = buf[3];
+    buf                 += 4;

    bitmap_frame_size = buf_size - 4;

@@ -224,46 +233,50 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
        if (palette_colors_count > 256)
            return AVERROR_INVALIDDATA;
        for (i = 0; i < palette_colors_count; ++i) {
-            cin->palette[i] = 0xFF << 24 | bytestream_get_le24(&buf);
+            cin->palette[i]    = 0xFF << 24 | bytestream_get_le24(&buf);
            bitmap_frame_size -= 3;
        }
    } else {
        for (i = 0; i < palette_colors_count; ++i) {
-            cin->palette[buf[0]] = 0xFF << 24 | AV_RL24(buf+1);
-            buf += 4;
-            bitmap_frame_size -= 4;
+            cin->palette[buf[0]] = 0xFF << 24 | AV_RL24(buf + 1);
+            buf                 += 4;
+            bitmap_frame_size   -= 4;
        }
    }

-    /* note: the decoding routines below assumes that surface.width = surface.pitch */
+    bitmap_frame_size = FFMIN(cin->bitmap_size, bitmap_frame_size);
+
+    /* note: the decoding routines below assumes that
+     * surface.width = surface.pitch */
    switch (bitmap_frame_type) {
    case 9:
        cin_decode_rle(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 34:
        cin_decode_rle(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 35:
        cin_decode_huffman(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
+                           cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
        cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 36:
        bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
+                                               cin->bitmap_table[CIN_INT_BMP],
+                                               cin->bitmap_size);
        cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 37:
        cin_decode_huffman(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                           cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 38:
        res = cin_decode_lzss(buf, bitmap_frame_size,
@@ -279,24 +292,26 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
        if (res < 0)
            return res;
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    }

    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
-    if (avctx->reget_buffer(avctx, &cin->frame)) {
-        av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
-        return -1;
+    if ((res = avctx->reget_buffer(avctx, &cin->frame)) < 0) {
+        av_log(cin->avctx, AV_LOG_ERROR,
+               "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
+        return res;
    }

    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
    cin->frame.palette_has_changed = 1;
    for (y = 0; y < cin->avctx->height; ++y)
        memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0],
-          cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
-          cin->avctx->width);
+               cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
+               cin->avctx->width);

-    FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_table[CIN_PRE_BMP]);
+    FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP],
+                      cin->bitmap_table[CIN_PRE_BMP]);

    *data_size = sizeof(AVFrame);
    *(AVFrame *)data = cin->frame;
@@ -340,8 +355,8 @@ static av_cold int cinaudio_decode_init(AVCodecContext *avctx)
 static int cinaudio_decode_frame(AVCodecContext *avctx, void *data,
                                 int *got_frame_ptr, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
-    CinAudioContext *cin = avctx->priv_data;
+    const uint8_t *buf     = avpkt->data;
+    CinAudioContext *cin   = avctx->priv_data;
    const uint8_t *buf_end = buf + avpkt->size;
    int16_t *samples;
    int delta, ret;
@@ -357,13 +372,13 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data,
    delta = cin->delta;
    if (cin->initial_decode_frame) {
        cin->initial_decode_frame = 0;
-        delta = sign_extend(AV_RL16(buf), 16);
-        buf += 2;
-        *samples++ = delta;
+        delta                     = sign_extend(AV_RL16(buf), 16);
+        buf                      += 2;
+        *samples++                = delta;
    }
    while (buf < buf_end) {
-        delta += cinaudio_delta16_table[*buf++];
-        delta = av_clip_int16(delta);
+        delta     += cinaudio_delta16_table[*buf++];
+        delta      = av_clip_int16(delta);
        *samples++ = delta;
    }
    cin->delta = delta;
--- a/libavcodec/dsputil.c
+++ b/libavcodec/dsputil.c
@@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){

 static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
    long i;
-    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
        long a = *(long*)(src+i);
        long b = *(long*)(dst+i);
        *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
        }
    }else
 #endif
-    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
        long a = *(long*)(src1+i);
        long b = *(long*)(src2+i);
        *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
--- a/libavcodec/eacmv.c
+++ b/libavcodec/eacmv.c
@@ -112,8 +112,8 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t *
            int yoffset = ((buf[i] >> 4)) - 7;
            if (s->last_frame.data[0])
                cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
-                          s->last_frame.data[0], s->last_frame.linesize[0],
-                          x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
+                            s->last_frame.data[0], s->last_frame.linesize[0],
+                            x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
        }
        i++;
    }
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -722,6 +722,10 @@ static av_cold int init_slice_contexts(FFV1Context *f){
    int i;

    f->slice_count= f->num_h_slices * f->num_v_slices;
+    if (f->slice_count <= 0) {
+        av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n");
+        return AVERROR(EINVAL);
+    }

    for(i=0; i<f->slice_count; i++){
        FFV1Context *fs= av_mallocz(sizeof(*fs));
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -389,7 +389,9 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
                    s->diff_start  = get_bits(&gb, 8);
                    s->diff_height = get_bits(&gb, 8);
                    if (s->diff_start + s->diff_height > cur_blk_height) {
-                        av_log(avctx, AV_LOG_ERROR, "Block parameters invalid\n");
+                        av_log(avctx, AV_LOG_ERROR,
+                               "Block parameters invalid: %d + %d > %d\n",
+                               s->diff_start, s->diff_height, cur_blk_height);
                        return AVERROR_INVALIDDATA;
                    }
                    av_log(avctx, AV_LOG_DEBUG,
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -142,6 +142,11 @@ static int decode_frame(AVCodecContext *avctx,
    const int planes = 3;
    enum PixelFormat pix_fmt;

+    if (buf_size < 4) {
+        av_log(avctx, AV_LOG_ERROR, "Packet is too short\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    header = AV_RL32(buf);
    version = header & 0xff;
    header_size = (header & (1<<30))? 8 : 4; /* bit 30 means pad to 8 bytes */
@@ -180,7 +185,7 @@ static int decode_frame(AVCodecContext *avctx,
    }
    avctx->pix_fmt = pix_fmt;

-    switch(version) {
+    switch (version) {
    case 0:
    default:
        /* Fraps v0 is a reordered YUV420 */
@@ -219,6 +224,7 @@ static int decode_frame(AVCodecContext *avctx,

    case 1:
        /* Fraps v1 is an upside-down BGR24 */
+
        if (avctx->reget_buffer(avctx, f)) {
            av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
            return -1;
--- a/libavcodec/get_bits.h
+++ b/libavcodec/get_bits.h
@@ -355,7 +355,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
    int buffer_size;
    int ret = 0;

-    if (bit_size > INT_MAX - 7 || bit_size < 0) {
+    if (bit_size > INT_MAX - 7 || bit_size < 0 || !buffer) {
        buffer_size = bit_size = 0;
        buffer = NULL;
        ret = AVERROR_INVALIDDATA;
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2672,7 +2672,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    h->slice_type= slice_type;
    h->slice_type_nos= slice_type & 3;

-    s->pict_type= h->slice_type; // to make a few old functions happy, it's wrong though
+    if (h->nal_unit_type  == NAL_IDR_SLICE &&
+        h->slice_type_nos != AV_PICTURE_TYPE_I) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "A non-intra slice in an IDR NAL unit.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    // to make a few old functions happy, it's wrong though
+    s->pict_type = h->slice_type;

    pps_id= get_ue_golomb(&s->gb);
    if(pps_id>=MAX_PPS_COUNT){
@@ -3224,8 +3231,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    }

    h->deblocking_filter = 1;
-    h->slice_alpha_c0_offset = 52;
-    h->slice_beta_offset = 52;
+    h->slice_alpha_c0_offset = 0;
+    h->slice_beta_offset = 0;
    if( h->pps.deblocking_filter_parameters_present ) {
        tmp= get_ue_golomb_31(&s->gb);
        if(tmp > 2){
@@ -3236,12 +3243,16 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
        if(h->deblocking_filter < 2)
            h->deblocking_filter^= 1; // 1<->0

-        if( h->deblocking_filter ) {
-            h->slice_alpha_c0_offset += get_se_golomb(&s->gb) << 1;
-            h->slice_beta_offset     += get_se_golomb(&s->gb) << 1;
-            if(   h->slice_alpha_c0_offset > 104U
-               || h->slice_beta_offset     > 104U){
-                av_log(s->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", h->slice_alpha_c0_offset, h->slice_beta_offset);
+        if (h->deblocking_filter) {
+            h->slice_alpha_c0_offset = get_se_golomb(&s->gb) * 2;
+            h->slice_beta_offset     = get_se_golomb(&s->gb) * 2;
+            if (h->slice_alpha_c0_offset >  12 ||
+                h->slice_alpha_c0_offset < -12 ||
+                h->slice_beta_offset >  12     ||
+                h->slice_beta_offset < -12) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "deblocking filter parameters %d %d out of range\n",
+                       h->slice_alpha_c0_offset, h->slice_beta_offset);
                return -1;
            }
        }
@@ -3270,14 +3281,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
            }
        }
    }
-    h->qp_thresh = 15 + 52 - FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset)
-                 - FFMAX3(0, h->pps.chroma_qp_index_offset[0], h->pps.chroma_qp_index_offset[1])
-                 + 6 * (h->sps.bit_depth_luma - 8);
-
-#if 0 //FMO
-    if( h->pps.num_slice_groups > 1  && h->pps.mb_slice_group_map_type >= 3 && h->pps.mb_slice_group_map_type <= 5)
-        slice_group_change_cycle= get_bits(&s->gb, ?);
-#endif
+    h->qp_thresh = 15 -
+                   FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) -
+                   FFMAX3(0,
+                          h->pps.chroma_qp_index_offset[0],
+                          h->pps.chroma_qp_index_offset[1]) +
+                   6 * (h->sps.bit_depth_luma - 8);

    h0->last_slice_type = slice_type;
    h->slice_num = ++h0->current_slice;
@@ -3338,7 +3347,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
               s->current_picture_ptr->field_poc[0], s->current_picture_ptr->field_poc[1],
               h->ref_count[0], h->ref_count[1],
               s->qscale,
-               h->deblocking_filter, h->slice_alpha_c0_offset/2-26, h->slice_beta_offset/2-26,
+               h->deblocking_filter,
+               h->slice_alpha_c0_offset, h->slice_beta_offset,
               h->use_weight,
               h->use_weight==1 && h->use_weight_chroma ? "c" : "",
               h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? "SPAT" : "TEMP") : ""
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -770,6 +770,10 @@ decode_intra_mb:

        // We assume these blocks are very rare so we do not optimize it.
        align_get_bits(&s->gb);
+        if (get_bits_left(&s->gb) < mb_size) {
+            av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n");
+            return AVERROR_INVALIDDATA;
+        }

        // The pixels are stored in the same order as levels in h->mb array.
        for(x=0; x < mb_size; x++){
--- a/libavcodec/h264_loopfilter.c
+++ b/libavcodec/h264_loopfilter.c
@@ -254,8 +254,8 @@ static av_always_inline void h264_filter_mb_fast_internal(H264Context *h,
    int top_type= h->top_type;

    int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;

    int mb_type = s->current_picture.f.mb_type[mb_xy];
    int qp      = s->current_picture.f.qscale_table[mb_xy];
@@ -715,8 +715,8 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint
    av_unused int dir;
    int chroma = !(CONFIG_GRAY && (s->flags&CODEC_FLAG_GRAY));
    int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;

    if (FRAME_MBAFF
            // and current and left pair do not have the same interlaced type
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -250,7 +250,9 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){
        }

        if(sps->num_reorder_frames > 16U /*max_dec_frame_buffering || max_dec_frame_buffering > 16*/){
-            av_log(h->s.avctx, AV_LOG_ERROR, "illegal num_reorder_frames %d\n", sps->num_reorder_frames);
+            av_log(h->s.avctx, AV_LOG_ERROR, "Clipping illegal num_reorder_frames %d\n",
+                   sps->num_reorder_frames);
+            sps->num_reorder_frames = 16;
            return -1;
        }
    }
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -516,7 +516,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){
            if(!pic){
                if(mmco[i].opcode != MMCO_SHORT2LONG || !h->long_ref[mmco[i].long_arg]
                   || h->long_ref[mmco[i].long_arg]->frame_num != frame_num) {
-                    av_log(h->s.avctx, AV_LOG_ERROR, "mmco: unref short failure\n");
+                    av_log(h->s.avctx, h->short_ref_count ? AV_LOG_ERROR : AV_LOG_DEBUG, "mmco: unref short failure\n");
                    err = AVERROR_INVALIDDATA;
                }
                continue;
@@ -653,7 +653,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){
    print_short_term(h);
    print_long_term(h);

-    if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=1 + (s->picture_structure != PICT_FRAME) && s->current_picture_ptr->f.pict_type == AV_PICTURE_TYPE_I){
+    if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=2 + (s->picture_structure != PICT_FRAME) && s->current_picture_ptr->f.pict_type == AV_PICTURE_TYPE_I){
        s->current_picture_ptr->sync |= 1;
        if(!h->s.avctx->has_b_frames)
            h->sync = 2;
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -211,6 +211,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
    if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) {
        if (ff_ivi_init_planes(ctx->planes, &pic_conf)) {
            av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n");
+            ctx->pic_conf.luma_bands = 0;
            return AVERROR(ENOMEM);
        }

@@ -348,6 +349,13 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
            band->inv_transform = transforms[transform_id].inv_trans;
            band->dc_transform  = transforms[transform_id].dc_trans;
            band->is_2d_trans   = transforms[transform_id].is_2d_trans;
+            if (transform_id < 10)
+                band->transform_size = 8;
+            else
+                band->transform_size = 4;
+
+            if (band->blk_size != band->transform_size)
+                return AVERROR_INVALIDDATA;

            scan_indx = get_bits(&ctx->gb, 4);
            if (scan_indx == 15) {
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -113,7 +113,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx)
    }

    /* check if picture layout was changed and reallocate buffers */
-    if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) {
+    if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf) || ctx->gop_invalid) {
        result = ff_ivi_init_planes(ctx->planes, &pic_conf);
        if (result < 0) {
            av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n");
@@ -148,39 +148,47 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx)
            /* select transform function and scan pattern according to plane and band number */
            switch ((p << 2) + i) {
            case 0:
-                band->inv_transform = ff_ivi_inverse_slant_8x8;
-                band->dc_transform  = ff_ivi_dc_slant_2d;
-                band->scan          = ff_zigzag_direct;
+                band->inv_transform  = ff_ivi_inverse_slant_8x8;
+                band->dc_transform   = ff_ivi_dc_slant_2d;
+                band->scan           = ff_zigzag_direct;
+                band->transform_size = 8;
                break;

            case 1:
-                band->inv_transform = ff_ivi_row_slant8;
-                band->dc_transform  = ff_ivi_dc_row_slant;
-                band->scan          = ff_ivi_vertical_scan_8x8;
+                band->inv_transform  = ff_ivi_row_slant8;
+                band->dc_transform   = ff_ivi_dc_row_slant;
+                band->scan           = ff_ivi_vertical_scan_8x8;
+                band->transform_size = 8;
                break;

            case 2:
-                band->inv_transform = ff_ivi_col_slant8;
-                band->dc_transform  = ff_ivi_dc_col_slant;
-                band->scan          = ff_ivi_horizontal_scan_8x8;
+                band->inv_transform  = ff_ivi_col_slant8;
+                band->dc_transform   = ff_ivi_dc_col_slant;
+                band->scan           = ff_ivi_horizontal_scan_8x8;
+                band->transform_size = 8;
                break;

            case 3:
-                band->inv_transform = ff_ivi_put_pixels_8x8;
-                band->dc_transform  = ff_ivi_put_dc_pixel_8x8;
-                band->scan          = ff_ivi_horizontal_scan_8x8;
+                band->inv_transform  = ff_ivi_put_pixels_8x8;
+                band->dc_transform   = ff_ivi_put_dc_pixel_8x8;
+                band->scan           = ff_ivi_horizontal_scan_8x8;
+                band->transform_size = 8;
                break;

            case 4:
-                band->inv_transform = ff_ivi_inverse_slant_4x4;
-                band->dc_transform  = ff_ivi_dc_slant_2d;
-                band->scan          = ff_ivi_direct_scan_4x4;
+                band->inv_transform  = ff_ivi_inverse_slant_4x4;
+                band->dc_transform   = ff_ivi_dc_slant_2d;
+                band->scan           = ff_ivi_direct_scan_4x4;
+                band->transform_size = 4;
                break;
            }

            band->is_2d_trans = band->inv_transform == ff_ivi_inverse_slant_8x8 ||
                                band->inv_transform == ff_ivi_inverse_slant_4x4;

+            if (band->transform_size != band->blk_size)
+                return AVERROR_INVALIDDATA;
+
            /* select dequant matrix according to plane and band number */
            if (!p) {
                quant_mat = (pic_conf.luma_bands > 1) ? i+1 : 0;
@@ -311,9 +319,9 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
    ctx->frame_num = get_bits(&ctx->gb, 8);

    if (ctx->frame_type == FRAMETYPE_INTRA) {
-        ctx->gop_invalid = 1;
        if ((ret = decode_gop_header(ctx, avctx)) < 0) {
            av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n");
+            ctx->gop_invalid = 1;
            return ret;
        }
        ctx->gop_invalid = 0;
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -42,6 +42,26 @@ VLC ff_ivi_blk_vlc_tabs[8];
 typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf,
                             uint32_t pitch, int mc_type);

+static int ivi_mc(IVIBandDesc *band, ivi_mc_func mc,
+                  int offs, int mv_x, int mv_y, int mc_type)
+{
+    int ref_offs = offs + mv_y * band->pitch + mv_x;
+    int buf_size = band->pitch * band->aheight;
+    int min_size = band->pitch * (band->blk_size - 1) + band->blk_size;
+    int ref_size = (mc_type > 1) * band->pitch + (mc_type & 1);
+
+    if (offs < 0 || ref_offs < 0 || !band->ref_buf)
+        return AVERROR_INVALIDDATA;
+    if (buf_size - min_size < offs)
+        return AVERROR_INVALIDDATA;
+    if (buf_size - min_size - ref_size < ref_offs)
+        return AVERROR_INVALIDDATA;
+
+    mc(band->buf + offs, band->ref_buf + ref_offs, band->pitch, mc_type);
+
+    return 0;
+}
+
 /**
 *  Reverse "nbits" bits of the value "val" and return the result
 *  in the least significant bits.
@@ -51,9 +71,10 @@ static uint16_t inv_bits(uint16_t val, int nbits)
    uint16_t res;

    if (nbits <= 8) {
-        res = av_reverse[val] >> (8-nbits);
+        res = av_reverse[val] >> (8 - nbits);
    } else
-        res = ((av_reverse[val & 0xFF] << 8) + (av_reverse[val >> 8])) >> (16-nbits);
+        res = ((av_reverse[val & 0xFF] << 8) +
+               (av_reverse[val >> 8])) >> (16 - nbits);

    return res;
 }
@@ -103,10 +124,12 @@ void ff_ivi_init_static_vlc(void)
    for (i = 0; i < 8; i++) {
        ff_ivi_mb_vlc_tabs[i].table = table_data + i * 2 * 8192;
        ff_ivi_mb_vlc_tabs[i].table_allocated = 8192;
-        ff_ivi_create_huff_from_desc(&ff_ivi_mb_huff_desc[i],  &ff_ivi_mb_vlc_tabs[i],  1);
+        ff_ivi_create_huff_from_desc(&ff_ivi_mb_huff_desc[i],
+                                     &ff_ivi_mb_vlc_tabs[i],  1);
        ff_ivi_blk_vlc_tabs[i].table = table_data + (i * 2 + 1) * 8192;
        ff_ivi_blk_vlc_tabs[i].table_allocated = 8192;
-        ff_ivi_create_huff_from_desc(&ff_ivi_blk_huff_desc[i], &ff_ivi_blk_vlc_tabs[i], 1);
+        ff_ivi_create_huff_from_desc(&ff_ivi_blk_huff_desc[i],
+                                     &ff_ivi_blk_vlc_tabs[i], 1);
    }
    initialized_vlcs = 1;
 }
@@ -114,47 +137,48 @@ void ff_ivi_init_static_vlc(void)
 int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab,
                         IVIHuffTab *huff_tab, AVCodecContext *avctx)
 {
-    int         i, result;
+    int i, result;
    IVIHuffDesc new_huff;

    if (!desc_coded) {
        /* select default table */
        huff_tab->tab = (which_tab) ? &ff_ivi_blk_vlc_tabs[7]
-            : &ff_ivi_mb_vlc_tabs [7];
-    } else {
-        huff_tab->tab_sel = get_bits(gb, 3);
-        if (huff_tab->tab_sel == 7) {
-            /* custom huffman table (explicitly encoded) */
-            new_huff.num_rows = get_bits(gb, 4);
-            if (!new_huff.num_rows) {
-                av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n");
-                return AVERROR_INVALIDDATA;
-            }
+                                    : &ff_ivi_mb_vlc_tabs [7];
+        return 0;
+    }

-            for (i = 0; i < new_huff.num_rows; i++)
-                new_huff.xbits[i] = get_bits(gb, 4);
-
-            /* Have we got the same custom table? Rebuild if not. */
-            if (ff_ivi_huff_desc_cmp(&new_huff, &huff_tab->cust_desc)) {
-                ff_ivi_huff_desc_copy(&huff_tab->cust_desc, &new_huff);
-
-                if (huff_tab->cust_tab.table)
-                    ff_free_vlc(&huff_tab->cust_tab);
-                result = ff_ivi_create_huff_from_desc(&huff_tab->cust_desc,
-                        &huff_tab->cust_tab, 0);
-                if (result) {
-                    huff_tab->cust_desc.num_rows = 0; // reset faulty description
-                    av_log(avctx, AV_LOG_ERROR,
-                           "Error while initializing custom vlc table!\n");
-                    return result;
-                }
-            }
-            huff_tab->tab = &huff_tab->cust_tab;
-        } else {
-            /* select one of predefined tables */
-            huff_tab->tab = (which_tab) ? &ff_ivi_blk_vlc_tabs[huff_tab->tab_sel]
-                : &ff_ivi_mb_vlc_tabs [huff_tab->tab_sel];
+    huff_tab->tab_sel = get_bits(gb, 3);
+    if (huff_tab->tab_sel == 7) {
+        /* custom huffman table (explicitly encoded) */
+        new_huff.num_rows = get_bits(gb, 4);
+        if (!new_huff.num_rows) {
+            av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n");
+            return AVERROR_INVALIDDATA;
        }
+
+        for (i = 0; i < new_huff.num_rows; i++)
+            new_huff.xbits[i] = get_bits(gb, 4);
+
+        /* Have we got the same custom table? Rebuild if not. */
+        if (ff_ivi_huff_desc_cmp(&new_huff, &huff_tab->cust_desc)) {
+            ff_ivi_huff_desc_copy(&huff_tab->cust_desc, &new_huff);
+
+            if (huff_tab->cust_tab.table)
+                ff_free_vlc(&huff_tab->cust_tab);
+            result = ff_ivi_create_huff_from_desc(&huff_tab->cust_desc,
+                    &huff_tab->cust_tab, 0);
+            if (result) {
+                huff_tab->cust_desc.num_rows = 0; // reset faulty description
+                av_log(avctx, AV_LOG_ERROR,
+                       "Error while initializing custom vlc table!\n");
+                return result;
+            }
+        }
+        huff_tab->tab = &huff_tab->cust_tab;
+    } else {
+        /* select one of predefined tables */
+        huff_tab->tab = (which_tab) ? &ff_ivi_blk_vlc_tabs[huff_tab->tab_sel]
+                                    : &ff_ivi_mb_vlc_tabs [huff_tab->tab_sel];
    }

    return 0;
@@ -174,12 +198,17 @@ void ff_ivi_huff_desc_copy(IVIHuffDesc *dst, const IVIHuffDesc *src)

 int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
 {
-    int         p, b;
-    uint32_t    b_width, b_height, align_fac, width_aligned, height_aligned, buf_size;
+    int p, b;
+    uint32_t b_width, b_height, align_fac, width_aligned,
+             height_aligned, buf_size;
    IVIBandDesc *band;

    ff_ivi_free_buffers(planes);

+    if (cfg->pic_width < 1 || cfg->pic_height < 1 ||
+        cfg->luma_bands < 1 || cfg->chroma_bands < 1)
+        return AVERROR_INVALIDDATA;
+
    /* fill in the descriptor of the luminance plane */
    planes[0].width     = cfg->pic_width;
    planes[0].height    = cfg->pic_height;
@@ -198,8 +227,10 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
        /* select band dimensions: if there is only one band then it
         *  has the full size, if there are several bands each of them
         *  has only half size */
-        b_width  = planes[p].num_bands == 1 ? planes[p].width  : (planes[p].width  + 1) >> 1;
-        b_height = planes[p].num_bands == 1 ? planes[p].height : (planes[p].height + 1) >> 1;
+        b_width  = planes[p].num_bands == 1 ? planes[p].width
+                                            : (planes[p].width  + 1) >> 1;
+        b_height = planes[p].num_bands == 1 ? planes[p].height
+                                            : (planes[p].height + 1) >> 1;

        /* luma   band buffers will be aligned on 16x16 (max macroblock size) */
        /* chroma band buffers will be aligned on   8x8 (max macroblock size) */
@@ -227,8 +258,8 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
                if (!band->bufs[2])
                    return AVERROR(ENOMEM);
            }
-
-            planes[p].bands[0].blk_vlc.cust_desc.num_rows = 0; /* reset custom vlc */
+            /* reset custom vlc */
+            planes[p].bands[0].blk_vlc.cust_desc.num_rows = 0;
        }
    }

@@ -252,14 +283,51 @@ void av_cold ff_ivi_free_buffers(IVIPlaneDesc *planes)
            av_freep(&planes[p].bands[b].tiles);
        }
        av_freep(&planes[p].bands);
+        planes[p].num_bands = 0;
    }
 }

+static int ivi_init_tiles(IVIBandDesc *band, IVITile *ref_tile,
+                          int p, int b, int t_height, int t_width)
+{
+    int x, y;
+    IVITile *tile = band->tiles;
+
+    for (y = 0; y < band->height; y += t_height) {
+        for (x = 0; x < band->width; x += t_width) {
+            tile->xpos     = x;
+            tile->ypos     = y;
+            tile->mb_size  = band->mb_size;
+            tile->width    = FFMIN(band->width - x,  t_width);
+            tile->height   = FFMIN(band->height - y, t_height);
+            tile->is_empty = tile->data_size = 0;
+            /* calculate number of macroblocks */
+            tile->num_MBs  = IVI_MBs_PER_TILE(tile->width, tile->height,
+                                              band->mb_size);
+
+            av_freep(&tile->mbs);
+            tile->mbs = av_malloc(tile->num_MBs * sizeof(IVIMbInfo));
+            if (!tile->mbs)
+                return AVERROR(ENOMEM);
+
+            tile->ref_mbs = 0;
+            if (p || b) {
+                if (tile->num_MBs != ref_tile->num_MBs)
+                    return AVERROR_INVALIDDATA;
+                tile->ref_mbs = ref_tile->mbs;
+                ref_tile++;
+            }
+            tile++;
+        }
+    }
+
+    return 0;
+}
+
 int av_cold ff_ivi_init_tiles(IVIPlaneDesc *planes, int tile_width, int tile_height)
 {
-    int         p, b, x, y, x_tiles, y_tiles, t_width, t_height;
+    int         p, b, x_tiles, y_tiles, t_width, t_height, ret;
    IVIBandDesc *band;
-    IVITile     *tile, *ref_tile;

    for (p = 0; p < 3; p++) {
        t_width  = !p ? tile_width  : (tile_width  + 3) >> 2;
@@ -283,41 +351,14 @@ int av_cold ff_ivi_init_tiles(IVIPlaneDesc *planes, int tile_width, int tile_hei
            if (!band->tiles)
                return AVERROR(ENOMEM);

-            tile = band->tiles;
-
            /* use the first luma band as reference for motion vectors
             * and quant */
-            ref_tile = planes[0].bands[0].tiles;
-
-            for (y = 0; y < band->height; y += t_height) {
-                for (x = 0; x < band->width; x += t_width) {
-                    tile->xpos     = x;
-                    tile->ypos     = y;
-                    tile->mb_size  = band->mb_size;
-                    tile->width    = FFMIN(band->width - x,  t_width);
-                    tile->height   = FFMIN(band->height - y, t_height);
-                    tile->is_empty = tile->data_size = 0;
-                    /* calculate number of macroblocks */
-                    tile->num_MBs  = IVI_MBs_PER_TILE(tile->width, tile->height,
-                                                      band->mb_size);
-
-                    av_freep(&tile->mbs);
-                    tile->mbs = av_malloc(tile->num_MBs * sizeof(IVIMbInfo));
-                    if (!tile->mbs)
-                        return AVERROR(ENOMEM);
-
-                    tile->ref_mbs = 0;
-                    if (p || b) {
-                        tile->ref_mbs = ref_tile->mbs;
-                        ref_tile++;
-                    }
-
-                    tile++;
-                }
-            }
-
-        }// for b
-    }// for p
+            ret = ivi_init_tiles(band, planes[0].bands[0].tiles,
+                                 p, b, t_height, t_width);
+            if (ret < 0)
+                return ret;
+        }
+    }

    return 0;
 }
@@ -339,25 +380,125 @@ int ff_ivi_dec_tile_data_size(GetBitContext *gb)
    return len;
 }

+static int ivi_dc_transform(IVIBandDesc *band, int *prev_dc, int buf_offs,
+                            int blk_size)
+{
+    int buf_size = band->pitch * band->aheight - buf_offs;
+    int min_size = (blk_size - 1) * band->pitch + blk_size;
+
+    if (!band->dc_transform)
+        return 0;
+
+
+    if (min_size > buf_size)
+        return AVERROR_INVALIDDATA;
+
+    band->dc_transform(prev_dc, band->buf + buf_offs,
+                       band->pitch, blk_size);
+
+    return 0;
+}
+
+static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band,
+                                   ivi_mc_func mc, int mv_x, int mv_y,
+                                   int *prev_dc, int is_intra, int mc_type,
+                                   uint32_t quant, int offs)
+{
+    const uint16_t *base_tab  = is_intra ? band->intra_base : band->inter_base;
+    RVMapDesc *rvmap = band->rv_map;
+    uint8_t col_flags[8];
+    int32_t trvec[64];
+    uint32_t sym = 0, lo, hi, q;
+    int pos, run, val;
+    int blk_size   = band->blk_size;
+    int num_coeffs = blk_size * blk_size;
+    int col_mask   = blk_size - 1;
+    int scan_pos   = -1;
+    int min_size   = band->pitch * (band->transform_size - 1) +
+                     band->transform_size;
+    int buf_size   = band->pitch * band->aheight - offs;
+
+    if (min_size > buf_size)
+        return AVERROR_INVALIDDATA;
+
+    if (!band->scan)
+        return AVERROR_INVALIDDATA;
+
+    /* zero transform vector */
+    memset(trvec, 0, num_coeffs * sizeof(trvec[0]));
+    /* zero column flags */
+    memset(col_flags, 0, sizeof(col_flags));
+    while (scan_pos <= num_coeffs) {
+        sym = get_vlc2(gb, band->blk_vlc.tab->table,
+                       IVI_VLC_BITS, 1);
+        if (sym == rvmap->eob_sym)
+            break; /* End of block */
+
+        /* Escape - run/val explicitly coded using 3 vlc codes */
+        if (sym == rvmap->esc_sym) {
+            run = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1) + 1;
+            lo  = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1);
+            hi  = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1);
+            /* merge them and convert into signed val */
+            val = IVI_TOSIGNED((hi << 6) | lo);
+        } else {
+            if (sym >= 256U)
+                return AVERROR_INVALIDDATA;
+
+            run = rvmap->runtab[sym];
+            val = rvmap->valtab[sym];
+        }
+
+        /* de-zigzag and dequantize */
+        scan_pos += run;
+        if (scan_pos >= num_coeffs || scan_pos < 0)
+            break;
+        pos = band->scan[scan_pos];
+
+        q = (base_tab[pos] * quant) >> 9;
+        if (q > 1)
+            val = val * q + FFSIGN(val) * (((q ^ 1) - 1) >> 1);
+        trvec[pos] = val;
+        /* track columns containing non-zero coeffs */
+        col_flags[pos & col_mask] |= !!val;
+    }
+
+    if (scan_pos < 0 || scan_pos >= num_coeffs && sym != rvmap->eob_sym)
+        return AVERROR_INVALIDDATA; /* corrupt block data */
+
+    /* undoing DC coeff prediction for intra-blocks */
+    if (is_intra && band->is_2d_trans) {
+        *prev_dc     += trvec[0];
+        trvec[0]      = *prev_dc;
+        col_flags[0] |= !!*prev_dc;
+    }
+
+    /* apply inverse transform */
+    band->inv_transform(trvec, band->buf + offs,
+                        band->pitch, col_flags);
+
+    /* apply motion compensation */
+    if (!is_intra)
+        return ivi_mc(band, mc, offs, mv_x, mv_y, mc_type);
+
+    return 0;
+}
+
 int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
 {
-    int         mbn, blk, num_blocks, num_coeffs, blk_size, scan_pos, run, val,
-                pos, is_intra, mc_type, mv_x, mv_y, col_mask;
-    uint8_t     col_flags[8];
-    int32_t     prev_dc, trvec[64];
-    uint32_t    cbp, sym, lo, hi, quant, buf_offs, q;
-    IVIMbInfo   *mb;
-    RVMapDesc   *rvmap = band->rv_map;
+    int mbn, blk, num_blocks, blk_size, ret, is_intra, mc_type = 0;
+    int mv_x = 0, mv_y = 0;
+    int32_t prev_dc;
+    uint32_t cbp, quant, buf_offs;
+    IVIMbInfo *mb;
    ivi_mc_func mc_with_delta_func, mc_no_delta_func;
-    const uint16_t  *base_tab;
-    const uint8_t   *scale_tab;
-
-    prev_dc = 0; /* init intra prediction for the DC coefficient */
+    const uint8_t *scale_tab;

+    /* init intra prediction for the DC coefficient */
+    prev_dc = 0;
    blk_size   = band->blk_size;
-    col_mask   = blk_size - 1; /* column mask for tracking non-zero coeffs */
-    num_blocks = (band->mb_size != blk_size) ? 4 : 1; /* number of blocks per mb */
-    num_coeffs = blk_size * blk_size;
+    /* number of blocks per mb */
+    num_blocks = (band->mb_size != blk_size) ? 4 : 1;
    if (blk_size == 8) {
        mc_with_delta_func = ff_ivi_mc_8x8_delta;
        mc_no_delta_func   = ff_ivi_mc_8x8_no_delta;
@@ -373,7 +514,6 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)

        quant = av_clip(band->glob_quant + mb->q_delta, 0, 23);

-        base_tab  = is_intra ? band->intra_base  : band->inter_base;
        scale_tab = is_intra ? band->intra_scale : band->inter_scale;
        if (scale_tab)
            quant = scale_tab[quant];
@@ -396,10 +536,10 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
                cx    = mb->mv_x &  band->is_halfpel;
                cy    = mb->mv_y &  band->is_halfpel;

-                if (   mb->xpos + dmv_x < 0
-                    || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
-                    || mb->ypos + dmv_y < 0
-                    || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+                if (mb->xpos + dmv_x < 0 ||
+                    mb->xpos + dmv_x + band->mb_size + cx > band->pitch ||
+                    mb->ypos + dmv_y < 0 ||
+                    mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
                    return AVERROR_INVALIDDATA;
                }
            }
@@ -415,81 +555,25 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
            }

            if (cbp & 1) { /* block coded ? */
-                if (!band->scan) {
-                    av_log(NULL, AV_LOG_ERROR, "Scan pattern is not set.\n");
-                    return AVERROR_INVALIDDATA;
-                }
-
-                scan_pos = -1;
-                memset(trvec, 0, num_coeffs*sizeof(trvec[0])); /* zero transform vector */
-                memset(col_flags, 0, sizeof(col_flags));      /* zero column flags */
-
-                while (scan_pos <= num_coeffs) {
-                    sym = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1);
-                    if (sym == rvmap->eob_sym)
-                        break; /* End of block */
-
-                    if (sym == rvmap->esc_sym) { /* Escape - run/val explicitly coded using 3 vlc codes */
-                        run = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1) + 1;
-                        lo  = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1);
-                        hi  = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1);
-                        val = IVI_TOSIGNED((hi << 6) | lo); /* merge them and convert into signed val */
-                    } else {
-                        if (sym >= 256U) {
-                            av_log(NULL, AV_LOG_ERROR, "Invalid sym encountered: %d.\n", sym);
-                            return AVERROR_INVALIDDATA;
-                        }
-                        run = rvmap->runtab[sym];
-                        val = rvmap->valtab[sym];
-                    }
-
-                    /* de-zigzag and dequantize */
-                    scan_pos += run;
-                    if (scan_pos >= num_coeffs)
-                        break;
-                    pos = band->scan[scan_pos];
-
-                    if (!val)
-                        av_dlog(NULL, "Val = 0 encountered!\n");
-
-                    q = (base_tab[pos] * quant) >> 9;
-                    if (q > 1)
-                        val = val * q + FFSIGN(val) * (((q ^ 1) - 1) >> 1);
-                    trvec[pos] = val;
-                    col_flags[pos & col_mask] |= !!val; /* track columns containing non-zero coeffs */
-                }// while
-
-                if (scan_pos >= num_coeffs && sym != rvmap->eob_sym)
-                    return AVERROR_INVALIDDATA; /* corrupt block data */
-
-                /* undoing DC coeff prediction for intra-blocks */
-                if (is_intra && band->is_2d_trans) {
-                    prev_dc      += trvec[0];
-                    trvec[0]      = prev_dc;
-                    col_flags[0] |= !!prev_dc;
-                }
-
-                /* apply inverse transform */
-                band->inv_transform(trvec, band->buf + buf_offs,
-                                    band->pitch, col_flags);
-
-                /* apply motion compensation */
-                if (!is_intra)
-                    mc_with_delta_func(band->buf + buf_offs,
-                                       band->ref_buf + buf_offs + mv_y * band->pitch + mv_x,
-                                       band->pitch, mc_type);
+                ret = ivi_decode_coded_blocks(gb, band, mc_with_delta_func,
+                                              mv_x, mv_y, &prev_dc, is_intra,
+                                              mc_type, quant, buf_offs);
+                if (ret < 0)
+                    return ret;
            } else {
                /* block not coded */
                /* for intra blocks apply the dc slant transform */
                /* for inter - perform the motion compensation without delta */
                if (is_intra) {
-                    if (band->dc_transform)
-                        band->dc_transform(&prev_dc, band->buf + buf_offs,
-                                           band->pitch, blk_size);
-                } else
-                    mc_no_delta_func(band->buf + buf_offs,
-                                     band->ref_buf + buf_offs + mv_y * band->pitch + mv_x,
-                                     band->pitch, mc_type);
+                    ret = ivi_dc_transform(band, &prev_dc, buf_offs, blk_size);
+                    if (ret < 0)
+                        return ret;
+                } else {
+                    ret = ivi_mc(band, mc_no_delta_func, buf_offs,
+                                 mv_x, mv_y, mc_type);
+                    if (ret < 0)
+                        return ret;
+                }
            }

            cbp >>= 1;
@@ -514,7 +598,7 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
                                  IVITile *tile, int32_t mv_scale)
 {
    int             x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type;
-    int             offs, mb_offset, row_offset;
+    int             offs, mb_offset, row_offset, ret;
    IVIMbInfo       *mb, *ref_mb;
    const int16_t   *src;
    int16_t         *dst;
@@ -592,9 +676,10 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
            for (blk = 0; blk < num_blocks; blk++) {
                /* adjust block position in the buffer according with its number */
                offs = mb->buf_offs + band->blk_size * ((blk & 1) + !!(blk & 2) * band->pitch);
-                mc_no_delta_func(band->buf + offs,
-                                 band->ref_buf + offs + mv_y * band->pitch + mv_x,
-                                 band->pitch, mc_type);
+                ret = ivi_mc(band, mc_no_delta_func, offs,
+                             mv_x, mv_y, mc_type);
+                if (ret < 0)
+                    return ret;
            }
        }
    } else {
@@ -757,7 +842,8 @@ static int decode_band(IVI45DecContext *ctx, int plane_num,
        }
    }

-    /* restore the selected rvmap table by applying its corrections in reverse order */
+    /* restore the selected rvmap table by applying its corrections in
+     * reverse order */
    for (i = band->num_corr-1; i >= 0; i--) {
        idx1 = band->corr[i*2];
        idx2 = band->corr[i*2+1];
@@ -770,7 +856,8 @@ static int decode_band(IVI45DecContext *ctx, int plane_num,
        uint16_t chksum = ivi_calc_band_checksum(band);
        if (chksum != band->checksum) {
            av_log(avctx, AV_LOG_ERROR,
-                   "Band checksum mismatch! Plane %d, band %d, received: %x, calculated: %x\n",
+                   "Band checksum mismatch! Plane %d, band %d, "
+                   "received: %x, calculated: %x\n",
                   band->plane, band->band_num, band->checksum, chksum);
        }
    }
@@ -807,6 +894,11 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
        return AVERROR_PATCHWELCOME;
    }

+    if (!ctx->planes[0].bands) {
+        av_log(avctx, AV_LOG_ERROR, "Color planes not initialized yet\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    ctx->switch_buffers(ctx);

    //{ START_TIMER;
@@ -837,7 +929,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    /* If the bidirectional mode is enabled, next I and the following P frame will */
    /* be sent together. Unfortunately the approach below seems to be the only way */
    /* to handle the B-frames mode. That's exactly the same Intel decoders do.     */
-    if (avctx->codec_id == CODEC_ID_INDEO4 && ctx->frame_type == 0/*FRAMETYPE_INTRA*/) {
+    if (avctx->codec_id == CODEC_ID_INDEO4 &&
+        ctx->frame_type == 0/*FRAMETYPE_INTRA*/) {
        while (get_bits(&ctx->gb, 8)); // skip version string
        skip_bits_long(&ctx->gb, 64);  // skip padding, TODO: implement correct 8-bytes alignment
        if (get_bits_left(&ctx->gb) > 18 && show_bits(&ctx->gb, 18) == 0x3FFF8)
--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -162,6 +162,7 @@ typedef struct {
    int             num_tiles;      ///< number of tiles in this band
    IVITile         *tiles;         ///< array of tile descriptors
    InvTransformPtr *inv_transform;
+    int             transform_size;
    DCTransformPtr  *dc_transform;
    int             is_2d_trans;    ///< 1 indicates that the two-dimensional inverse transform is used
    int32_t         checksum;       ///< for debug purposes
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -143,6 +143,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, int RI
        ret = ret >> 1;
    }

+    if(FFABS(ret) > 0xFFFF)
+        return -0x10000;
    /* update state */
    state->A[Q] += FFABS(ret) - RItype;
    ret *= state->twonear;
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -52,6 +52,7 @@ typedef struct LagarithContext {
    int zeros;                  /**< number of consecutive zero bytes encountered */
    int zeros_rem;              /**< number of zero bytes remaining to output */
    uint8_t *rgb_planes;
+    int      rgb_planes_allocated;
    int rgb_stride;
 } LagarithContext;

@@ -507,13 +508,12 @@ static int lag_decode_frame(AVCodecContext *avctx,
        offs[2] = 13;
        offs[3] = AV_RL32(buf + 9);

+        l->rgb_stride = FFALIGN(avctx->width, 16);
+        av_fast_malloc(&l->rgb_planes, &l->rgb_planes_allocated,
+                       l->rgb_stride * avctx->height * 4 + 1);
        if (!l->rgb_planes) {
-            l->rgb_stride = FFALIGN(avctx->width, 16);
-            l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * 4);
-            if (!l->rgb_planes) {
-                av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
-                return AVERROR(ENOMEM);
-            }
+            av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
+            return AVERROR(ENOMEM);
        }
        for (i = 0; i < 4; i++)
            srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride;
--- a/libavcodec/lagarithrac.h
+++ b/libavcodec/lagarithrac.h
@@ -107,6 +107,9 @@ static inline uint8_t lag_get_rac(lag_rac *l)
        l->range -= range_scaled * l->prob[255];
    }

+    if (!l->range)
+        l->range = 0x80;
+
    l->low -= range_scaled * l->prob[val];

    return val;
--- a/libavcodec/mace.c
+++ b/libavcodec/mace.c
@@ -231,8 +231,8 @@ static av_cold int mace_decode_init(AVCodecContext * avctx)
 {
    MACEContext *ctx = avctx->priv_data;

-    if (avctx->channels > 2)
-        return -1;
+    if (avctx->channels > 2 || avctx->channels < 1)
+        return AVERROR(EINVAL);
    avctx->sample_fmt = AV_SAMPLE_FMT_S16;

    avcodec_get_frame_defaults(&ctx->frame);
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -160,7 +160,7 @@ static inline int mpeg4_is_resync(MpegEncContext *s){
    return 0;
 }

-static int mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb)
+static int mpeg4_decode_sprite_trajectory(MpegEncContext *s, GetBitContext *gb)
 {
    int i;
    int a= 2<<s->sprite_warping_accuracy;
@@ -176,8 +176,8 @@ static int mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb)
    int h= s->height;
    int min_ab;

-    if(w<=0 || h<=0)
-        return -1;
+    if (w <= 0 || h <= 0)
+        return AVERROR_INVALIDDATA;

    for(i=0; i<s->num_sprite_warping_points; i++){
        int length;
@@ -415,8 +415,8 @@ int mpeg4_decode_video_packet_header(MpegEncContext *s)
            skip_bits(&s->gb, 3); /* intra dc vlc threshold */
 //FIXME don't just ignore everything
            if(s->pict_type == AV_PICTURE_TYPE_S && s->vol_sprite_usage==GMC_SPRITE){
-                if(mpeg4_decode_sprite_trajectory(s, &s->gb) < 0)
-                    return -1;
+                if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0)
+                    return AVERROR_INVALIDDATA;
                av_log(s->avctx, AV_LOG_ERROR, "untested\n");
            }

@@ -2056,8 +2056,8 @@ static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){
     }

     if(s->pict_type == AV_PICTURE_TYPE_S && (s->vol_sprite_usage==STATIC_SPRITE || s->vol_sprite_usage==GMC_SPRITE)){
-         if(mpeg4_decode_sprite_trajectory(s, gb) < 0)
-             return -1;
+         if (mpeg4_decode_sprite_trajectory(s, gb) < 0)
+             return AVERROR_INVALIDDATA;
         if(s->sprite_brightness_change) av_log(s->avctx, AV_LOG_ERROR, "sprite_brightness_change not supported\n");
         if(s->vol_sprite_usage==STATIC_SPRITE) av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n");
     }
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1941,7 +1941,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,

        avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header);

-        if (ch + m->nb_channels > avctx->channels) {
+        if (ch + m->nb_channels > avctx->channels ||
+            s->coff[fr] + m->nb_channels > avctx->channels) {
            av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec "
                                        "channel count\n");
            return AVERROR_INVALIDDATA;
--- a/libavcodec/msrle.c
+++ b/libavcodec/msrle.c
@@ -35,6 +35,7 @@
 #include "avcodec.h"
 #include "dsputil.h"
 #include "msrledec.h"
+#include "libavutil/imgutils.h"

 typedef struct MsrleContext {
    AVCodecContext *avctx;
@@ -108,7 +109,7 @@ static int msrle_decode_frame(AVCodecContext *avctx,

    /* FIXME how to correctly detect RLE ??? */
    if (avctx->height * istride == avpkt->size) { /* assume uncompressed */
-        int linesize = (avctx->width * avctx->bits_per_coded_sample + 7) / 8;
+        int linesize = av_image_get_linesize(avctx->pix_fmt, avctx->width, 0);
        uint8_t *ptr = s->frame.data[0];
        uint8_t *buf = avpkt->data + (avctx->height-1)*istride;
        int i, j;
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -85,7 +85,7 @@ static int get_quant(AVCodecContext *avctx, NuvContext *c,
    int i;
    if (size < 2 * 64 * 4) {
        av_log(avctx, AV_LOG_ERROR, "insufficient rtjpeg quant data\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }
    for (i = 0; i < 64; i++, buf += 4)
        c->lq[i] = AV_RL32(buf);
@@ -108,6 +108,8 @@ static void get_quant_quality(NuvContext *c, int quality) {

 static int codec_reinit(AVCodecContext *avctx, int width, int height, int quality) {
    NuvContext *c = avctx->priv_data;
+    int ret;
+
    width  = FFALIGN(width,  2);
    height = FFALIGN(height, 2);
    if (quality >= 0)
@@ -115,12 +117,14 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, int qualit
    if (width != c->width || height != c->height) {
        // also reserve space for a possible additional header
        int buf_size = 24 + height * width * 3 / 2 + AV_LZO_OUTPUT_PADDING;
-        if (av_image_check_size(height, width, 0, avctx) < 0 ||
-            buf_size > INT_MAX/8)
+        if (buf_size > INT_MAX/8)
            return -1;
+        if ((ret = av_image_check_size(height, width, 0, avctx)) < 0)
+            return ret;
        avctx->width = c->width = width;
        avctx->height = c->height = height;
-        av_fast_malloc(&c->decomp_buf, &c->decomp_size, buf_size);
+        av_fast_malloc(&c->decomp_buf, &c->decomp_size,
+                       buf_size);
        if (!c->decomp_buf) {
            av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
            return AVERROR(ENOMEM);
@@ -142,13 +146,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    int keyframe;
    int size_change = 0;
    int result;
+    int ret;
    enum {NUV_UNCOMPRESSED = '0', NUV_RTJPEG = '1',
          NUV_RTJPEG_IN_LZO = '2', NUV_LZO = '3',
          NUV_BLACK = 'N', NUV_COPY_LAST = 'L'} comptype;

    if (buf_size < 12) {
        av_log(avctx, AV_LOG_ERROR, "coded frame too small\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }

    // codec data (rtjpeg quant tables)
@@ -166,7 +171,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,

    if (buf[0] != 'V' || buf_size < 12) {
        av_log(avctx, AV_LOG_ERROR, "not a nuv video frame\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }
    comptype = buf[1];
    switch (comptype) {
@@ -183,14 +188,17 @@ retry:
    buf = &buf[12];
    buf_size -= 12;
    if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) {
-        int outlen = c->decomp_size - AV_LZO_OUTPUT_PADDING, inlen = buf_size;
-        if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen))
+        int outlen = c->decomp_size - FFMAX(FF_INPUT_BUFFER_PADDING_SIZE, AV_LZO_OUTPUT_PADDING);
+        int inlen  = buf_size;
+        if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) {
            av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
+            return AVERROR_INVALIDDATA;
+        }
        buf = c->decomp_buf;
-        buf_size = c->decomp_size - AV_LZO_OUTPUT_PADDING - outlen;
+        buf_size = c->decomp_size - FFMAX(FF_INPUT_BUFFER_PADDING_SIZE, AV_LZO_OUTPUT_PADDING) - outlen;
    }
    if (c->codec_frameheader) {
-        int w, h, q, res;
+        int w, h, q;
        if (buf_size < RTJPEG_HEADER_SIZE || buf[4] != RTJPEG_HEADER_SIZE ||
            buf[5] != RTJPEG_FILE_VERSION) {
            av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n");
@@ -199,11 +207,10 @@ retry:
        w = AV_RL16(&buf[6]);
        h = AV_RL16(&buf[8]);
        q = buf[10];
+        if ((result = codec_reinit(avctx, w, h, q)) < 0)
+            return result;

-        res = codec_reinit(avctx, w, h, q);
-        if (res < 0)
-            return res;
-        if (res) {
+        if (result) {
            buf = avpkt->data;
            buf_size = avpkt->size;
            size_change = 1;
@@ -221,7 +228,7 @@ retry:
    result = avctx->reget_buffer(avctx, &c->pic);
    if (result < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
-        return -1;
+        return result;
    }

    c->pic.pict_type = keyframe ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P;
@@ -240,7 +247,9 @@ retry:
        }
        case NUV_RTJPEG_IN_LZO:
        case NUV_RTJPEG: {
-            rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size);
+            ret = rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size);
+            if (ret < 0)
+                return ret;
            break;
        }
        case NUV_BLACK: {
@@ -255,7 +264,7 @@ retry:
        }
        default:
            av_log(avctx, AV_LOG_ERROR, "unknown compression\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
    }

    *picture = c->pic;
@@ -265,6 +274,8 @@ retry:

 static av_cold int decode_init(AVCodecContext *avctx) {
    NuvContext *c = avctx->priv_data;
+    int ret;
+
    avctx->pix_fmt = PIX_FMT_YUV420P;
    c->pic.data[0] = NULL;
    c->decomp_buf = NULL;
@@ -275,8 +286,9 @@ static av_cold int decode_init(AVCodecContext *avctx) {
    if (avctx->extradata_size)
        get_quant(avctx, c, avctx->extradata, avctx->extradata_size);
    dsputil_init(&c->dsp, avctx);
-    if (codec_reinit(avctx, avctx->width, avctx->height, -1) < 0)
-        return 1;
+    if ((ret = codec_reinit(avctx, avctx->width, avctx->height, -1)) < 0)
+        return ret;
+
    return 0;
 }

--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
@@ -183,7 +183,13 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    } else if (nplanes == 1 && bits_per_pixel == 8) {
        const uint8_t *palstart = bufstart + buf_size - 769;

-        for (y=0; y<h; y++, ptr+=stride) {
+        if (buf_size < 769) {
+            av_log(avctx, AV_LOG_ERROR, "File is too short\n");
+            ret = buf_size;
+            goto end;
+        }
+
+        for (y = 0; y < h; y++, ptr += stride) {
            buf = pcx_rle_decode(buf, buf_end,
                                 scanline, bytes_per_scanline, compressed);
            memcpy(ptr, scanline, w);
@@ -195,6 +201,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
        }
        if (*buf++ != 12) {
            av_log(avctx, AV_LOG_ERROR, "expected palette after image data\n");
+            ret = buf_size;
            goto end;
        }

--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -378,6 +378,10 @@ static int png_decode_idat(PNGDecContext *s, int length)
            s->zstream.avail_out = s->crow_size;
            s->zstream.next_out = s->crow_buf;
        }
+        if (ret == Z_STREAM_END && s->zstream.avail_in > 0) {
+            av_log(NULL, AV_LOG_WARNING, "%d undecompressed bytes left in buffer\n", s->zstream.avail_in);
+            return 0;
+        }
    }
    return 0;
 }
--- a/libavcodec/pthread.c
+++ b/libavcodec/pthread.c
@@ -78,8 +78,8 @@ typedef struct ThreadContext {
    pthread_cond_t last_job_cond;
    pthread_cond_t current_job_cond;
    pthread_mutex_t current_job_lock;
+    unsigned current_execute;
    int current_job;
-    unsigned int current_execute;
    int done;
 } ThreadContext;

@@ -203,8 +203,8 @@ static void* attribute_align_arg worker(void *v)
 {
    AVCodecContext *avctx = v;
    ThreadContext *c = avctx->thread_opaque;
+    unsigned last_execute = 0;
    int our_job = c->job_count;
-    int last_execute = 0;
    int thread_count = avctx->thread_count;
    int self_id;

--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1250,6 +1250,11 @@ static void qdm2_decode_super_block (QDM2Context *q)
    for (i = 0; packet_bytes > 0; i++) {
        int j;

+        if (i >= FF_ARRAY_ELEMS(q->sub_packet_list_A)) {
+            SAMPLES_NEEDED_2("too many packet bytes");
+            return;
+        }
+
        q->sub_packet_list_A[i].next = NULL;

        if (i > 0) {
--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@@ -203,7 +203,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
                    filled = 0;
                    dst -= stride;
                    height--;
-                    if(height < 0)
+                    if (height < 0)
                        break;
                }
            }
@@ -216,7 +216,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
                    filled = 0;
                    dst -= stride;
                    height--;
-                    if(height < 0)
+                    if (height < 0)
                        break;
                }
            }
--- a/libavcodec/roqvideodec.c
+++ b/libavcodec/roqvideodec.c
@@ -173,6 +173,13 @@ static av_cold int roq_decode_init(AVCodecContext *avctx)
    RoqContext *s = avctx->priv_data;

    s->avctx = avctx;
+
+    if (avctx->width % 16 || avctx->height % 16) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Dimensions must be a multiple of 16\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
    s->width = avctx->width;
    s->height = avctx->height;
    avcodec_get_frame_defaults(&s->frames[0]);
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -38,6 +38,7 @@
 #include <stdlib.h>
 #include <string.h>

+#include "libavutil/common.h"
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"

@@ -125,6 +126,8 @@ static void rpza_decode_stream(RpzaContext *s)
            }
        }

+        n_blocks = FFMIN(n_blocks, total_blocks);
+
        switch (opcode & 0xe0) {

        /* Skip blocks */
@@ -202,7 +205,7 @@ static void rpza_decode_stream(RpzaContext *s)

        /* Fill block with 16 colors */
        case 0x00:
-            if (s->size - stream_ptr < 16)
+            if (s->size - stream_ptr < 30)
                return;
            ADVANCE_BLOCK();
            block_ptr = row_ptr + pixel_ptr;
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -442,12 +442,15 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx)
 {
    MpegEncContext *s = avctx->priv_data;
    static int done=0;
-    int major_ver, minor_ver, micro_ver;
+    int major_ver, minor_ver, micro_ver, ret;

    if (avctx->extradata_size < 8) {
        av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n");
        return -1;
    }
+    if ((ret = av_image_check_size(avctx->coded_width,
+                                   avctx->coded_height, 0, avctx)) < 0)
+        return ret;

    MPV_decode_defaults(s);

--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -249,9 +249,11 @@ static void rv30_loop_filter(RV34DecContext *r, int row)
 static av_cold int rv30_decode_init(AVCodecContext *avctx)
 {
    RV34DecContext *r = avctx->priv_data;
+    int ret;

    r->rv30 = 1;
-    ff_rv34_decode_init(avctx);
+    if ((ret = ff_rv34_decode_init(avctx)) < 0)
+        return ret;
    if(avctx->extradata_size < 2){
        av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n");
        return -1;
--- a/libavcodec/rv40.c
+++ b/libavcodec/rv40.c
@@ -544,9 +544,11 @@ static void rv40_loop_filter(RV34DecContext *r, int row)
 static av_cold int rv40_decode_init(AVCodecContext *avctx)
 {
    RV34DecContext *r = avctx->priv_data;
+    int ret;

    r->rv30 = 0;
-    ff_rv34_decode_init(avctx);
+    if ((ret = ff_rv34_decode_init(avctx)) < 0)
+        return ret;
    if(!aic_top_vlc.bits)
        rv40_init_tables();
    r->parse_slice_header = rv40_parse_slice_header;
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -205,34 +205,38 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
 {
    int len;
    short wave_format;
-    const uint8_t *end= header + header_size;
+    GetByteContext gb;

-    if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) {
+    bytestream2_init(&gb, header, header_size);
+
+    if (bytestream2_get_le32(&gb) != MKTAG('R', 'I', 'F', 'F')) {
        av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n");
        return AVERROR_INVALIDDATA;
    }

-    header += 4; /* chunk size */
+    bytestream2_skip(&gb, 4); /* chunk size */

-    if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) {
+    if (bytestream2_get_le32(&gb) != MKTAG('W', 'A', 'V', 'E')) {
        av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n");
        return AVERROR_INVALIDDATA;
    }

-    while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) {
-        len     = bytestream_get_le32(&header);
-        if (len < 0 || end - header - 8 < len)
+    while (bytestream2_get_le32(&gb) != MKTAG('f', 'm', 't', ' ')) {
+        len = bytestream2_get_le32(&gb);
+        bytestream2_skip(&gb, len);
+        if (bytestream2_get_bytes_left(&gb) < 16) {
+            av_log(avctx, AV_LOG_ERROR, "no fmt chunk found\n");
            return AVERROR_INVALIDDATA;
-        header += len;
+        }
    }
-    len = bytestream_get_le32(&header);
+    len = bytestream2_get_le32(&gb);

    if (len < 16) {
        av_log(avctx, AV_LOG_ERROR, "fmt chunk was too short\n");
        return AVERROR_INVALIDDATA;
    }

-    wave_format = bytestream_get_le16(&header);
+    wave_format = bytestream2_get_le16(&gb);

    switch (wave_format) {
    case WAVE_FORMAT_PCM:
@@ -242,11 +246,11 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
        return AVERROR(ENOSYS);
    }

-    header += 2;        // skip channels    (already got from shorten header)
-    avctx->sample_rate = bytestream_get_le32(&header);
-    header += 4;        // skip bit rate    (represents original uncompressed bit rate)
-    header += 2;        // skip block align (not needed)
-    avctx->bits_per_coded_sample = bytestream_get_le16(&header);
+    bytestream2_skip(&gb, 2); // skip channels    (already got from shorten header)
+    avctx->sample_rate = bytestream2_get_le32(&gb);
+    bytestream2_skip(&gb, 4); // skip bit rate    (represents original uncompressed bit rate)
+    bytestream2_skip(&gb, 2); // skip block align (not needed)
+    avctx->bits_per_coded_sample = bytestream2_get_le16(&gb);

    if (avctx->bits_per_coded_sample != 16) {
        av_log(avctx, AV_LOG_ERROR, "unsupported number of bits per sample\n");
@@ -427,7 +431,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
        void *tmp_ptr;
        s->max_framesize = 1024; // should hopefully be enough for the first header
        tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
-                                  s->max_framesize);
+                                  s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE);
        if (!tmp_ptr) {
            av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
            return AVERROR(ENOMEM);
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -263,10 +263,11 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
    if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
    if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
    if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
-    if(huff.current > huff.length){
-        ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;
-        av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n");
-        return -1;
+    if (ctx.last[0] >= huff.length ||
+        ctx.last[1] >= huff.length ||
+        ctx.last[2] >= huff.length) {
+        av_log(smk->avctx, AV_LOG_ERROR, "Huffman codes out of range\n");
+        err = AVERROR_INVALIDDATA;
    }

    *recodes = huff.values;
--- a/libavcodec/snow.h
+++ b/libavcodec/snow.h
@@ -311,7 +311,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer
        if(!sliced && !offset_dst)
            dst -= src_x;
        src_x=0;
-    }else if(src_x + b_w > w){
+    }
+    if(src_x + b_w > w){
        b_w = w - src_x;
    }
    if(src_y<0){
@@ -320,7 +321,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer
        if(!sliced && !offset_dst)
            dst -= src_y*dst_stride;
        src_y=0;
-    }else if(src_y + b_h> h){
+    }
+    if(src_y + b_h> h){
        b_h = h - src_y;
    }

--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -613,9 +613,9 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
        dir = i_mb_type_info[mb_type - 8].pred_mode;
        dir = (dir >> 1) ^ 3*(dir & 1) ^ 1;

-        if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1){
-            av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n");
-            return -1;
+        if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) < 0) {
+            av_log(h->s.avctx, AV_LOG_ERROR, "ff_h264_check_intra_pred_mode < 0\n");
+            return h->intra16x16_pred_mode;
        }

        cbp = i_mb_type_info[mb_type - 8].cbp;
@@ -905,7 +905,8 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx)
                int offset = (get_bits_count(&gb)+7)>>3;
                uint8_t *buf;

-                if ((uint64_t)watermark_width*4 > UINT_MAX/watermark_height)
+                if (watermark_height > 0 &&
+                    (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height)
                    return -1;

                buf = av_malloc(buf_len);
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -320,6 +320,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
        return -1;
    }

+    if (header.header_size + 1 > s->size) {
+        av_log(s->avctx, AV_LOG_ERROR, "Input packet too small.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    /* unscramble the header bytes with a XOR operation */
    memset(header_buffer, 0, 128);
    for (i = 1; i < header.header_size; i++)
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -996,7 +996,7 @@ static void linear_perm(int16_t *out, int16_t *in, int n_blocks, int size)
        out[i] = block_size * (in[i] % n_blocks) + in[i] / n_blocks;
 }

-static av_cold void construct_perm_table(TwinContext *tctx,enum FrameType ftype)
+static av_cold void construct_perm_table(TwinContext *tctx, int ftype)
 {
    int block_size;
    const ModeTab *mtab = tctx->mtab;
@@ -1137,6 +1137,10 @@ static av_cold int twin_decode_init(AVCodecContext *avctx)
        return -1;
    }
    ibps = avctx->bit_rate / (1000 * avctx->channels);
+    if (ibps < 8 || ibps > 48) {
+        av_log(avctx, AV_LOG_ERROR, "Bad bitrate per channel value %d\n", ibps);
+        return AVERROR_INVALIDDATA;
+    }

    switch ((isampf << 8) +  ibps) {
    case (8 <<8) +  8: tctx->mtab = &mode_08_08; break;
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -895,6 +895,9 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVD
        } else if (avctx->channel_layout) {
            avctx->channels = av_get_channel_layout_nb_channels(avctx->channel_layout);
        }
+
+        if (!avctx->rc_initial_buffer_occupancy)
+            avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4;
    }

    avctx->pts_correction_num_faulty_pts =
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -578,6 +578,8 @@ int vc1_parse_frame_header(VC1Context *v, GetBitContext* gb)
 {
    int pqindex, lowquant, status;

+    v->field_mode = 0;
+    v->fcm = 0;
    if (v->finterpflag)
        v->interpfrm = get_bits1(gb);
    skip_bits(gb, 2); //framecnt unused
@@ -824,7 +826,7 @@ int vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb)
    int mbmodetab, imvtab, icbptab, twomvbptab, fourmvbptab; /* useful only for debugging */
    int scale, shift, i; /* for initializing LUT for intensity compensation */

-    v->numref=0;
+    v->numref          = 0;
    v->p_frame_skipped = 0;
    if (v->second_field) {
        if(v->fcm!=2 || v->field_mode!=1)
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -4741,6 +4741,9 @@ static void vc1_decode_skip_blocks(VC1Context *v)
 {
    MpegEncContext *s = &v->s;

+    if (!v->s.last_picture.f.data[0])
+        return;
+
    ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, ER_MB_END);
    s->first_slice_line = 1;
    for (s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) {
@@ -5126,8 +5129,19 @@ static av_cold int vc1_decode_init_alloc_tables(VC1Context *v)

    if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane ||
        !v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base ||
-        !v->mb_type_base)
-            return -1;
+        !v->mb_type_base) {
+        av_freep(&v->mv_type_mb_plane);
+        av_freep(&v->direct_mb_plane);
+        av_freep(&v->acpred_plane);
+        av_freep(&v->over_flags_plane);
+        av_freep(&v->block);
+        av_freep(&v->cbp_base);
+        av_freep(&v->ttblk_base);
+        av_freep(&v->is_intra_base);
+        av_freep(&v->luma_mv_base);
+        av_freep(&v->mb_type_base);
+        return AVERROR(ENOMEM);
+    }

    return 0;
 }
@@ -5475,8 +5489,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
    }

    if (!s->context_initialized) {
-        if (ff_msmpeg4_decode_init(avctx) < 0 || vc1_decode_init_alloc_tables(v) < 0)
+        if (ff_msmpeg4_decode_init(avctx) < 0)
            return -1;
+        if (vc1_decode_init_alloc_tables(v) < 0) {
+            MPV_common_end(s);
+            return -1;
+        }

        s->low_delay = !avctx->has_b_frames || v->res_sprite;

@@ -5564,6 +5582,8 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
        if (avctx->hwaccel->end_frame(avctx) < 0)
            goto err;
    } else {
+        int header_ret = 0;
+
        ff_er_frame_start(s);

        v->bits = buf_size * 8;
@@ -5608,13 +5628,21 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
            }
            if (i) {
                v->pic_header_flag = 0;
-                if (v->field_mode && i == n_slices1 + 2)
-                    vc1_parse_frame_header_adv(v, &s->gb);
-                else if (get_bits1(&s->gb)) {
+                if (v->field_mode && i == n_slices1 + 2) {
+                    if ((header_ret = vc1_parse_frame_header_adv(v, &s->gb)) < 0) {
+                        av_log(v->s.avctx, AV_LOG_ERROR, "Field header damaged\n");
+                        continue;
+                    }
+                } else if (get_bits1(&s->gb)) {
                    v->pic_header_flag = 1;
-                    vc1_parse_frame_header_adv(v, &s->gb);
+                    if ((header_ret = vc1_parse_frame_header_adv(v, &s->gb)) < 0) {
+                        av_log(v->s.avctx, AV_LOG_ERROR, "Slice header damaged\n");
+                        continue;
+                    }
                }
            }
+            if (header_ret < 0)
+                continue;
            s->start_mb_y = (i == 0) ? 0 : FFMAX(0, slices[i-1].mby_start % mb_height);
            if (!v->field_mode || v->second_field)
                s->end_mb_y = (i == n_slices     ) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height);
--- a/libavcodec/vcr1.c
+++ b/libavcodec/vcr1.c
@@ -69,9 +69,13 @@ static int decode_frame(AVCodecContext *avctx,
    p->pict_type= AV_PICTURE_TYPE_I;
    p->key_frame= 1;

+    if (buf_size < 32)
+        goto packet_small;
+
    for(i=0; i<16; i++){
        a->delta[i]= *(bytestream++);
        bytestream++;
+        buf_size--;
    }

    for(y=0; y<avctx->height; y++){
@@ -82,8 +86,12 @@ static int decode_frame(AVCodecContext *avctx,
            uint8_t *cb= &a->picture.data[1][ (y>>2)*a->picture.linesize[1] ];
            uint8_t *cr= &a->picture.data[2][ (y>>2)*a->picture.linesize[2] ];

+            if (buf_size < 4 + avctx->width)
+                goto packet_small;
+
            for(i=0; i<4; i++)
                a->offset[i]= *(bytestream++);
+            buf_size -= 4;

            offset= a->offset[0] - a->delta[ bytestream[2]&0xF ];
            for(x=0; x<avctx->width; x+=4){
@@ -97,8 +105,12 @@ static int decode_frame(AVCodecContext *avctx,
                *(cr++) = bytestream[1];

                bytestream+= 4;
+                buf_size  -= 4;
            }
        }else{
+            if (buf_size < avctx->width / 2)
+                goto packet_small;
+
            offset= a->offset[y&3] - a->delta[ bytestream[2]&0xF ];

            for(x=0; x<avctx->width; x+=8){
@@ -112,6 +124,7 @@ static int decode_frame(AVCodecContext *avctx,
                luma[7]=( offset += a->delta[ bytestream[1]>>4  ]);
                luma += 8;
                bytestream+= 4;
+                buf_size  -= 4;
            }
        }
    }
@@ -120,6 +133,9 @@ static int decode_frame(AVCodecContext *avctx,
    *data_size = sizeof(AVPicture);

    return buf_size;
+packet_small:
+    av_log(avctx, AV_LOG_ERROR, "Input packet too small.\n");
+    return AVERROR_INVALIDDATA;
 }

 #if CONFIG_VCR1_ENCODER
@@ -157,6 +173,11 @@ static av_cold int decode_init(AVCodecContext *avctx){

    avctx->pix_fmt= PIX_FMT_YUV410P;

+    if (avctx->width & 7) {
+        av_log(avctx, AV_LOG_ERROR, "Width %d is not divisble by 8.\n", avctx->width);
+        return AVERROR_INVALIDDATA;
+    }
+
    return 0;
 }

--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -275,6 +275,11 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, const uint8_t* src, int
                    }
                    xy = *src++;
                    wh = *src++;
+                    if (   (xy >> 4) + (wh >> 4) + 1 > w - i
+                        || (xy & 0xF) + (wh & 0xF)+1 > h - j) {
+                        av_log(c->avctx, AV_LOG_ERROR, "Rectangle outside picture\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                    paint_rect(dst2, xy >> 4, xy & 0xF, (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride);
                }
            }
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -2150,6 +2150,10 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
    fps.num = get_bits_long(gb, 32);
    fps.den = get_bits_long(gb, 32);
    if (fps.num && fps.den) {
+        if (fps.num < 0 || fps.den < 0) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid framerate\n");
+            return AVERROR_INVALIDDATA;
+        }
        av_reduce(&avctx->time_base.num, &avctx->time_base.den,
                  fps.den, fps.num, 1<<30);
    }
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -534,6 +534,12 @@ static int vqa_decode_chunk(VqaContext *s)
        bytestream2_seek(&s->gb, cbp0_chunk, SEEK_SET);
        chunk_size = bytestream2_get_be32(&s->gb);

+        if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+            av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (%u bytes)\n",
+                   chunk_size);
+            return AVERROR_INVALIDDATA;
+        }
+
        /* accumulate partial codebook */
        bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
                               chunk_size);
@@ -557,6 +563,12 @@ static int vqa_decode_chunk(VqaContext *s)
        bytestream2_seek(&s->gb, cbpz_chunk, SEEK_SET);
        chunk_size = bytestream2_get_be32(&s->gb);

+        if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+            av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (%u bytes)\n",
+                   chunk_size);
+            return AVERROR_INVALIDDATA;
+        }
+
        /* accumulate partial codebook */
        bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
                               chunk_size);
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -238,11 +238,11 @@ typedef struct WmallDecodeCtx {

    int8_t mclms_order;
    int8_t mclms_scaling;
-    int16_t mclms_coeffs[128];
-    int16_t mclms_coeffs_cur[4];
-    int16_t mclms_prevvalues[64];   // FIXME: should be 32-bit / 16-bit depending on bit-depth
-    int16_t mclms_updates[64];
-    int mclms_recent;
+    int16_t mclms_coeffs[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS * 32];
+    int16_t mclms_coeffs_cur[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS];
+    int16_t mclms_prevvalues[WMALL_MAX_CHANNELS * 2 * 32];
+    int16_t mclms_updates[WMALL_MAX_CHANNELS * 2 * 32];
+    int     mclms_recent;

    int movave_scaling;
    int quant_stepsize;
--- a/libavcodec/wnv1.c
+++ b/libavcodec/wnv1.c
@@ -70,7 +70,7 @@ static int decode_frame(AVCodecContext *avctx,
    int prev_y = 0, prev_u = 0, prev_v = 0;
    uint8_t *rbuf;

-    if(buf_size<=8) {
+    if (buf_size<=8) {
        av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size);
        return AVERROR_INVALIDDATA;
    }
--- a/libavcodec/x86/Makefile
+++ b/libavcodec/x86/Makefile
@@ -3,8 +3,6 @@ OBJS-$(CONFIG_TRUEHD_DECODER)          += x86/mlpdsp.o

 YASM-OBJS-$(CONFIG_DCT)                += x86/dct32_sse.o

-YASM-OBJS-FFT-$(HAVE_AMD3DNOW)         += x86/fft_3dn.o
-YASM-OBJS-FFT-$(HAVE_AMD3DNOWEXT)      += x86/fft_3dn2.o
 YASM-OBJS-FFT-$(HAVE_SSE)              += x86/fft_sse.o
 YASM-OBJS-$(CONFIG_FFT)                += x86/fft_mmx.o                 \
                                          $(YASM-OBJS-FFT-yes)
--- a/libavcodec/x86/ac3dsp.asm
+++ b/libavcodec/x86/ac3dsp.asm
@@ -86,7 +86,6 @@ AC3_EXPONENT_MIN sse2
 ; This function uses 2 different methods to calculate a valid result.
 ; 1) logical 'or' of abs of each element
 ;        This is used for ssse3 because of the pabsw instruction.
-;        It is also used for mmx because of the lack of min/max instructions.
 ; 2) calculate min/max for the array, then or(abs(min),abs(max))
 ;        This is used for mmxext and sse2 because they have pminsw/pmaxsw.
 ;-----------------------------------------------------------------------------
@@ -104,15 +103,9 @@ cglobal ac3_max_msb_abs_int16_%1, 2,2,5, src, len
    pmaxsw      m3, m0
    pmaxsw      m3, m1
 %else ; or_abs
-%ifidn %1, mmx
-    mova        m0, [srcq]
-    mova        m1, [srcq+mmsize]
-    ABS2        m0, m1, m3, m4
-%else ; ssse3
    ; using memory args is faster for ssse3
    pabsw       m0, [srcq]
    pabsw       m1, [srcq+mmsize]
-%endif
    por         m2, m0
    por         m2, m1
 %endif
@@ -137,9 +130,7 @@ cglobal ac3_max_msb_abs_int16_%1, 2,2,5, src, len
 %endmacro

 INIT_MMX
-%define ABS2 ABS2_MMX
 %define PSHUFLW pshufw
-AC3_MAX_MSB_ABS_INT16 mmx, or_abs
 %define ABS2 ABS2_MMX2
 AC3_MAX_MSB_ABS_INT16 mmxext, min_max
 INIT_XMM
--- a/libavcodec/x86/ac3dsp_mmx.c
+++ b/libavcodec/x86/ac3dsp_mmx.c
@@ -27,7 +27,6 @@ extern void ff_ac3_exponent_min_mmx   (uint8_t *exp, int num_reuse_blocks, int n
 extern void ff_ac3_exponent_min_mmxext(uint8_t *exp, int num_reuse_blocks, int nb_coefs);
 extern void ff_ac3_exponent_min_sse2  (uint8_t *exp, int num_reuse_blocks, int nb_coefs);

-extern int ff_ac3_max_msb_abs_int16_mmx   (const int16_t *src, int len);
 extern int ff_ac3_max_msb_abs_int16_mmxext(const int16_t *src, int len);
 extern int ff_ac3_max_msb_abs_int16_sse2  (const int16_t *src, int len);
 extern int ff_ac3_max_msb_abs_int16_ssse3 (const int16_t *src, int len);
@@ -55,7 +54,6 @@ av_cold void ff_ac3dsp_init_x86(AC3DSPContext *c, int bit_exact)

    if (mm_flags & AV_CPU_FLAG_MMX) {
        c->ac3_exponent_min = ff_ac3_exponent_min_mmx;
-        c->ac3_max_msb_abs_int16 = ff_ac3_max_msb_abs_int16_mmx;
        c->ac3_lshift_int16 = ff_ac3_lshift_int16_mmx;
        c->ac3_rshift_int32 = ff_ac3_rshift_int32_mmx;
    }
--- a/libavcodec/x86/fft.c
+++ b/libavcodec/x86/fft.c
@@ -39,16 +39,6 @@ av_cold void ff_fft_init_mmx(FFTContext *s)
        s->fft_permute = ff_fft_permute_sse;
        s->fft_calc    = ff_fft_calc_sse;
        s->fft_permutation = FF_FFT_PERM_SWAP_LSBS;
-    } else if (has_vectors & AV_CPU_FLAG_3DNOWEXT && HAVE_AMD3DNOWEXT) {
-        /* 3DNowEx for K7 */
-        s->imdct_calc = ff_imdct_calc_3dn2;
-        s->imdct_half = ff_imdct_half_3dn2;
-        s->fft_calc   = ff_fft_calc_3dn2;
-    } else if (has_vectors & AV_CPU_FLAG_3DNOW && HAVE_AMD3DNOW) {
-        /* 3DNow! for K6-2/3 */
-        s->imdct_calc = ff_imdct_calc_3dn;
-        s->imdct_half = ff_imdct_half_3dn;
-        s->fft_calc   = ff_fft_calc_3dn;
    }
 #endif
 }
--- a/libavcodec/x86/fft_3dn.c
+++ b/libavcodec/x86/fft_3dn.c
@@ -1,23 +0,0 @@
-/*
- * FFT/MDCT transform with 3DNow! optimizations
- * Copyright (c) 2008 Loren Merritt
- *
- * This file is part of FFmpeg.
- *
- * FFmpeg is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * FFmpeg is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with FFmpeg; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- */
-
-#define EMULATE_3DNOWEXT
-#include "fft_3dn2.c"
--- a/libavcodec/x86/fft_3dn2.c
+++ b/libavcodec/x86/fft_3dn2.c
@@ -1,174 +0,0 @@
-/*
- * FFT/MDCT transform with Extended 3DNow! optimizations
- * Copyright (c) 2006-2008 Zuxy MENG Jie, Loren Merritt
- *
- * This file is part of FFmpeg.
- *
- * FFmpeg is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * FFmpeg is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with FFmpeg; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- */
-
-#include "libavutil/x86_cpu.h"
-#include "libavcodec/dsputil.h"
-#include "fft.h"
-
-DECLARE_ALIGNED(8, static const unsigned int, m1m1)[2] = { 1U<<31, 1U<<31 };
-
-#ifdef EMULATE_3DNOWEXT
-#define PSWAPD(s,d)\
-    "movq "#s","#d"\n"\
-    "psrlq $32,"#d"\n"\
-    "punpckldq "#s","#d"\n"
-#define ff_fft_calc_3dn2 ff_fft_calc_3dn
-#define ff_fft_dispatch_3dn2 ff_fft_dispatch_3dn
-#define ff_fft_dispatch_interleave_3dn2 ff_fft_dispatch_interleave_3dn
-#define ff_imdct_calc_3dn2 ff_imdct_calc_3dn
-#define ff_imdct_half_3dn2 ff_imdct_half_3dn
-#else
-#define PSWAPD(s,d) "pswapd "#s","#d"\n"
-#endif
-
-void ff_fft_dispatch_3dn2(FFTComplex *z, int nbits);
-void ff_fft_dispatch_interleave_3dn2(FFTComplex *z, int nbits);
-
-void ff_fft_calc_3dn2(FFTContext *s, FFTComplex *z)
-{
-    int n = 1<<s->nbits;
-    int i;
-    ff_fft_dispatch_interleave_3dn2(z, s->nbits);
-    __asm__ volatile("femms");
-    if(n <= 8)
-        for(i=0; i<n; i+=2)
-            FFSWAP(FFTSample, z[i].im, z[i+1].re);
-}
-
-void ff_imdct_half_3dn2(FFTContext *s, FFTSample *output, const FFTSample *input)
-{
-    x86_reg j, k;
-    long n = s->mdct_size;
-    long n2 = n >> 1;
-    long n4 = n >> 2;
-    long n8 = n >> 3;
-    const uint16_t *revtab = s->revtab;
-    const FFTSample *tcos = s->tcos;
-    const FFTSample *tsin = s->tsin;
-    const FFTSample *in1, *in2;
-    FFTComplex *z = (FFTComplex *)output;
-
-    /* pre rotation */
-    in1 = input;
-    in2 = input + n2 - 1;
-#ifdef EMULATE_3DNOWEXT
-    __asm__ volatile("movd %0, %%mm7" ::"r"(1U<<31));
-#endif
-    for(k = 0; k < n4; k++) {
-        // FIXME a single block is faster, but gcc 2.95 and 3.4.x on 32bit can't compile it
-        __asm__ volatile(
-            "movd         %0, %%mm0 \n"
-            "movd         %2, %%mm1 \n"
-            "punpckldq    %1, %%mm0 \n"
-            "punpckldq    %3, %%mm1 \n"
-            "movq      %%mm0, %%mm2 \n"
-            PSWAPD(    %%mm1, %%mm3 )
-            "pfmul     %%mm1, %%mm0 \n"
-            "pfmul     %%mm3, %%mm2 \n"
-#ifdef EMULATE_3DNOWEXT
-            "movq      %%mm0, %%mm1 \n"
-            "punpckhdq %%mm2, %%mm0 \n"
-            "punpckldq %%mm2, %%mm1 \n"
-            "pxor      %%mm7, %%mm0 \n"
-            "pfadd     %%mm1, %%mm0 \n"
-#else
-            "pfpnacc   %%mm2, %%mm0 \n"
-#endif
-            ::"m"(in2[-2*k]), "m"(in1[2*k]),
-              "m"(tcos[k]), "m"(tsin[k])
-        );
-        __asm__ volatile(
-            "movq    %%mm0, %0    \n\t"
-            :"=m"(z[revtab[k]])
-        );
-    }
-
-    ff_fft_dispatch_3dn2(z, s->nbits);
-
-#define CMUL(j,mm0,mm1)\
-        "movq  (%2,"#j",2), %%mm6 \n"\
-        "movq 8(%2,"#j",2), "#mm0"\n"\
-        "movq        %%mm6, "#mm1"\n"\
-        "movq        "#mm0",%%mm7 \n"\
-        "pfmul   (%3,"#j"), %%mm6 \n"\
-        "pfmul   (%4,"#j"), "#mm0"\n"\
-        "pfmul   (%4,"#j"), "#mm1"\n"\
-        "pfmul   (%3,"#j"), %%mm7 \n"\
-        "pfsub       %%mm6, "#mm0"\n"\
-        "pfadd       %%mm7, "#mm1"\n"
-
-    /* post rotation */
-    j = -n2;
-    k = n2-8;
-    __asm__ volatile(
-        "1: \n"
-        CMUL(%0, %%mm0, %%mm1)
-        CMUL(%1, %%mm2, %%mm3)
-        "movd   %%mm0,  (%2,%0,2) \n"
-        "movd   %%mm1,12(%2,%1,2) \n"
-        "movd   %%mm2,  (%2,%1,2) \n"
-        "movd   %%mm3,12(%2,%0,2) \n"
-        "psrlq  $32,   %%mm0 \n"
-        "psrlq  $32,   %%mm1 \n"
-        "psrlq  $32,   %%mm2 \n"
-        "psrlq  $32,   %%mm3 \n"
-        "movd   %%mm0, 8(%2,%0,2) \n"
-        "movd   %%mm1, 4(%2,%1,2) \n"
-        "movd   %%mm2, 8(%2,%1,2) \n"
-        "movd   %%mm3, 4(%2,%0,2) \n"
-        "sub $8, %1 \n"
-        "add $8, %0 \n"
-        "jl 1b \n"
-        :"+r"(j), "+r"(k)
-        :"r"(z+n8), "r"(tcos+n8), "r"(tsin+n8)
-        :"memory"
-    );
-    __asm__ volatile("femms");
-}
-
-void ff_imdct_calc_3dn2(FFTContext *s, FFTSample *output, const FFTSample *input)
-{
-    x86_reg j, k;
-    long n = s->mdct_size;
-    long n4 = n >> 2;
-
-    ff_imdct_half_3dn2(s, output+n4, input);
-
-    j = -n;
-    k = n-8;
-    __asm__ volatile(
-        "movq %4, %%mm7 \n"
-        "1: \n"
-        PSWAPD((%2,%1), %%mm0)
-        PSWAPD((%3,%0), %%mm1)
-        "pxor    %%mm7, %%mm0 \n"
-        "movq    %%mm1, (%3,%1) \n"
-        "movq    %%mm0, (%2,%0) \n"
-        "sub $8, %1 \n"
-        "add $8, %0 \n"
-        "jl 1b \n"
-        :"+r"(j), "+r"(k)
-        :"r"(output+n4), "r"(output+n4*3),
-         "m"(*m1m1)
-    );
-    __asm__ volatile("femms");
-}
-
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -106,6 +106,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
    int ptr_len = src_len - 1 - byte*2;
    unsigned char val = ival;
    unsigned char *dest_end = dest + dest_len;
+    unsigned char *dest_start = dest;
    GetBitContext gb;

    if (ptr_len < 0)
@@ -121,13 +122,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,

        if (val < 0x16) {
            if (dest >= dest_end)
-                return 0;
+                return dest_len;
            *dest++ = val;
            val = ival;
        }
    }

-    return 0;
+    return dest - dest_start;
 }

 /**
@@ -276,7 +277,7 @@ static int xan_wc3_decode_frame(XanContext *s) {
    unsigned char flag = 0;
    int size = 0;
    int motion_x, motion_y;
-    int x, y;
+    int x, y, ret;

    unsigned char *opcode_buffer = s->buffer1;
    unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size;
@@ -285,8 +286,8 @@ static int xan_wc3_decode_frame(XanContext *s) {

    /* pointers to segments inside the compressed chunk */
    const unsigned char *huffman_segment;
-    const unsigned char *size_segment;
-    const unsigned char *vector_segment;
+    GetByteContext       size_segment;
+    GetByteContext       vector_segment;
    const unsigned char *imagedata_segment;
    int huffman_offset, size_offset, vector_offset, imagedata_offset,
        imagedata_size;
@@ -306,13 +307,14 @@ static int xan_wc3_decode_frame(XanContext *s) {
        return AVERROR_INVALIDDATA;

    huffman_segment   = s->buf + huffman_offset;
-    size_segment      = s->buf + size_offset;
-    vector_segment    = s->buf + vector_offset;
+    bytestream2_init(&size_segment,   s->buf + size_offset,   s->size - size_offset);
+    bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset);
    imagedata_segment = s->buf + imagedata_offset;

-    if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
-                           huffman_segment, s->size - huffman_offset) < 0)
+    if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size,
+                                  huffman_segment, s->size - huffman_offset)) < 0)
        return AVERROR_INVALIDDATA;
+    opcode_buffer_end = opcode_buffer + ret;

    if (imagedata_segment[0] == 2) {
        xan_unpack(s->buffer2, s->buffer2_size,
@@ -359,19 +361,17 @@ static int xan_wc3_decode_frame(XanContext *s) {

        case 9:
        case 19:
-            size = *size_segment++;
+            size = bytestream2_get_byte(&size_segment);
            break;

        case 10:
        case 20:
-            size = AV_RB16(&size_segment[0]);
-            size_segment += 2;
+            size = bytestream2_get_be16(&size_segment);
            break;

        case 11:
        case 21:
-            size = AV_RB24(size_segment);
-            size_segment += 3;
+            size = bytestream2_get_be24(&size_segment);
            break;
        }

@@ -393,9 +393,9 @@ static int xan_wc3_decode_frame(XanContext *s) {
            }
        } else {
            /* run-based motion compensation from last frame */
-            motion_x = sign_extend(*vector_segment >> 4,  4);
-            motion_y = sign_extend(*vector_segment & 0xF, 4);
-            vector_segment++;
+            uint8_t vector = bytestream2_get_byte(&vector_segment);
+            motion_x = sign_extend(vector >> 4,  4);
+            motion_y = sign_extend(vector & 0xF, 4);

            /* copy a run of pixels from the previous frame */
            xan_wc3_copy_pixel_run(s, x, y, size, motion_x, motion_y);
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -46,6 +46,11 @@ static av_cold int xan_decode_init(AVCodecContext *avctx)

    avctx->pix_fmt = PIX_FMT_YUV420P;

+    if (avctx->width & 1) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid frame width: %d.\n", avctx->width);
+        return AVERROR(EINVAL);
+    }
+
    s->buffer_size = avctx->width * avctx->height;
    s->y_buffer = av_malloc(s->buffer_size);
    if (!s->y_buffer)
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -500,10 +500,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
        return -1;
    }

-    if (c->comp == 0) { //Uncompressed data
-        memcpy(c->decomp_buf, buf, len);
-        c->decomp_size = 1;
-    } else { // ZLIB-compressed data
+     if (c->comp == 0) { //Uncompressed data
+         if (c->decomp_size < len) {
+             av_log(avctx, AV_LOG_ERROR, "Buffer too small\n");
+             return AVERROR_INVALIDDATA;
+         }
+         memcpy(c->decomp_buf, buf, len);
+     } else { // ZLIB-compressed data
        c->zstream.total_in = c->zstream.total_out = 0;
        c->zstream.next_in = buf;
        c->zstream.avail_in = len;
--- a/libavfilter/avfilter.c
+++ b/libavfilter/avfilter.c
@@ -176,9 +176,9 @@ void avfilter_insert_pad(unsigned idx, unsigned *count, size_t padidx_off,
    (*links)[idx] = NULL;

    (*count)++;
-    for (i = idx+1; i < *count; i++)
-        if (*links[i])
-            (*(unsigned *)((uint8_t *) *links[i] + padidx_off))++;
+    for (i = idx + 1; i < *count; i++)
+        if ((*links)[i])
+            (*(unsigned *)((uint8_t *) (*links)[i] + padidx_off))++;
 }

 int avfilter_link(AVFilterContext *src, unsigned srcpad,
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -255,7 +255,7 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap)
               ape->totalframes);
        return -1;
    }
-    if (ape->seektablelength && (ape->seektablelength / sizeof(*ape->seektable)) < ape->totalframes) {
+    if (ape->seektablelength / sizeof(*ape->seektable) < ape->totalframes) {
        av_log(s, AV_LOG_ERROR,
               "Number of seek entries is less than number of frames: %zu vs. %"PRIu32"\n",
               ape->seektablelength / sizeof(*ape->seektable), ape->totalframes);
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -618,7 +618,9 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap)
            if (ret < 0)
                return ret;
        } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
-            asf_read_stream_properties(s, gsize);
+            int ret = asf_read_stream_properties(s, gsize);
+            if (ret < 0)
+                return ret;
        } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
            asf_read_content_desc(s, gsize);
        } else if (!ff_guidcmp(&g, &ff_asf_language_guid)) {
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -807,8 +807,10 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
    return 0;
 }

-static int read_gab2_sub(AVStream *st, AVPacket *pkt) {
-    if (!strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data+5) == 2) {
+static int read_gab2_sub(AVStream *st, AVPacket *pkt)
+{
+    if (pkt->size >= 7 &&
+        !strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data + 5) == 2) {
        uint8_t desc[256];
        int score = AVPROBE_SCORE_MAX / 2, ret;
        AVIStream *ast = st->priv_data;
@@ -938,7 +940,7 @@ start_sync:
            goto start_sync;
        }

-        n= get_stream_idx(d);
+        n = avi->dv_demux ? 0 : get_stream_idx(d);

        if(!((i-avi->last_pkt_pos)&1) && get_stream_idx(d+1) < s->nb_streams)
            continue;
@@ -1049,6 +1051,8 @@ static int avi_read_packet(AVFormatContext *s, AVPacket *pkt)
        int size = avpriv_dv_get_packet(avi->dv_demux, pkt);
        if (size >= 0)
            return size;
+        else
+            goto resync;
    }

    if(avi->non_interleaved){
@@ -1390,12 +1394,17 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp
    int64_t pos, pos_min;
    AVIStream *ast;

+    /* Does not matter which stream is requested dv in avi has the
+     * stream information in the first video stream.
+     */
+    if (avi->dv_demux)
+        stream_index = 0;
+
    if (!avi->index_loaded) {
        /* we only load the index on demand */
        avi_load_index(s);
        avi->index_loaded |= 1;
    }
-    assert(stream_index>= 0);

    st = s->streams[stream_index];
    ast= st->priv_data;
@@ -1413,7 +1422,6 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp
        /* One and only one real stream for DV in AVI, and it has video  */
        /* offsets. Calling with other stream indexes should have failed */
        /* the av_index_search_timestamp call above.                     */
-        assert(stream_index == 0);

        if(avio_seek(s->pb, pos, SEEK_SET) < 0)
            return -1;
--- a/libavformat/bfi.c
+++ b/libavformat/bfi.c
@@ -130,6 +130,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)
        video_offset    = avio_rl32(pb);
        audio_size      = video_offset - audio_offset;
        bfi->video_size = chunk_size - video_offset;
+        if (audio_size < 0 || bfi->video_size < 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n");
+            return AVERROR_INVALIDDATA;
+        }

        //Tossing an audio packet at the audio decoder.
        ret = av_get_packet(pb, pkt, audio_size);
@@ -138,9 +142,7 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)

        pkt->pts          = bfi->audio_frame;
        bfi->audio_frame += ret;
-    }
-
-    else {
+    } else if (bfi->video_size > 0) {

        //Tossing a video packet at the video decoder.
        ret = av_get_packet(pb, pkt, bfi->video_size);
@@ -152,6 +154,9 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)

        /* One less frame to read. A cursory decrement. */
        bfi->nframes--;
+    } else {
+        /* Empty video packet */
+        ret = AVERROR(EAGAIN);
    }

    bfi->avflag       = !bfi->avflag;
--- a/libavformat/dsicin.c
+++ b/libavformat/dsicin.c
@@ -153,6 +153,8 @@ static int cin_read_frame_header(CinDemuxContext *cin, AVIOContext *pb) {

    if (avio_rl32(pb) != 0xAA55AA55)
        return AVERROR_INVALIDDATA;
+    if (hdr->video_frame_size < 0 || hdr->audio_frame_size < 0)
+        return AVERROR_INVALIDDATA;

    return 0;
 }
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -426,8 +426,9 @@ static int ea_read_header(AVFormatContext *s,
    }

    if (ea->audio_codec) {
-        if (ea->num_channels <= 0) {
-            av_log(s, AV_LOG_WARNING, "Unsupported number of channels: %d\n", ea->num_channels);
+        if (ea->num_channels <= 0 || ea->num_channels > 2) {
+            av_log(s, AV_LOG_WARNING,
+                   "Unsupported number of channels: %d\n", ea->num_channels);
            ea->audio_codec = 0;
            return 1;
        }
--- a/libavformat/idroqdec.c
+++ b/libavformat/idroqdec.c
@@ -145,6 +145,8 @@ static int roq_read_packet(AVFormatContext *s,
            break;

        case RoQ_QUAD_CODEBOOK:
+            if (roq->video_stream_index < 0)
+                return AVERROR_INVALIDDATA;
            /* packet needs to contain both this codebook and next VQ chunk */
            codebook_offset = avio_tell(pb) - RoQ_CHUNK_PREAMBLE_SIZE;
            codebook_size = chunk_size;
@@ -187,6 +189,11 @@ static int roq_read_packet(AVFormatContext *s,
                st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample;
            }
        case RoQ_QUAD_VQ:
+            if (chunk_type == RoQ_QUAD_VQ) {
+                if (roq->video_stream_index < 0)
+                    return AVERROR_INVALIDDATA;
+            }
+
            /* load up the packet */
            if (av_new_packet(pkt, chunk_size + RoQ_CHUNK_PREAMBLE_SIZE))
                return AVERROR(EIO);
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1536,6 +1536,10 @@ static int matroska_read_header(AVFormatContext *s, AVFormatParameters *ap)
            track->audio.sub_packet_h    = avio_rb16(&b);
            track->audio.frame_size      = avio_rb16(&b);
            track->audio.sub_packet_size = avio_rb16(&b);
+            if (flavor <= 0 || track->audio.coded_framesize <= 0 ||
+                track->audio.sub_packet_h <= 0 || track->audio.frame_size <= 0 ||
+                track->audio.sub_packet_size <= 0)
+                return AVERROR_INVALIDDATA;
            track->audio.buf = av_malloc(track->audio.frame_size * track->audio.sub_packet_h);
            if (codec_id == CODEC_ID_RA_288) {
                st->codec->block_align = track->audio.coded_framesize;
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -360,6 +360,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
            left = a.size - avio_tell(pb) + start_pos;
            if (left > 0) /* skip garbage at atom end */
                avio_skip(pb, left);
+            else if (left < 0) {
+                av_log(c->fc, AV_LOG_WARNING,
+                       "overread end of atom '%.4s' by %"PRId64" bytes\n",
+                       (char*)&a.type, -left);
+                avio_seek(pb, left, SEEK_CUR);
+            }
        }

        total_size += a.size;
@@ -1688,6 +1694,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
    if (entries >= UINT_MAX / sizeof(*sc->stts_data))
        return -1;

+    av_free(sc->stts_data);
    sc->stts_data = av_malloc(entries * sizeof(*sc->stts_data));
    if (!sc->stts_data)
        return AVERROR(ENOMEM);
@@ -1705,6 +1712,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
            av_log(c->fc, AV_LOG_ERROR, "Invalid SampleDelta in STTS %d\n", sample_duration);
            sample_duration = 1;
        }
+        if (sample_count < 0) {
+            av_log(c->fc, AV_LOG_ERROR, "Invalid sample_count=%d\n", sample_count);
+            return AVERROR_INVALIDDATA;
+        }
        sc->stts_data[i].count= sample_count;
        sc->stts_data[i].duration= sample_duration;

--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -137,12 +137,21 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
    int i, t, seekd;
    GetBitContext gb;

+    if (s->nb_streams == 0) {
+        av_log(s, AV_LOG_ERROR, "No stream added before parsing seek table\n");
+        return;
+    }
+
    avio_seek(s->pb, off, SEEK_SET);
    mpc8_get_chunk_header(s->pb, &tag, &size);
    if(tag != TAG_SEEKTABLE){
        av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
        return;
    }
+    if (size < 0 || size >= INT_MAX / 2) {
+        av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
+        return;
+    }
    if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
        return;
    avio_read(s->pb, buf, size);
--- a/libavformat/mpegtsenc.c
+++ b/libavformat/mpegtsenc.c
@@ -235,7 +235,7 @@ static void mpegts_write_pat(AVFormatContext *s)
                          data, q - data);
 }

-static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
 {
    //    MpegTSWrite *ts = s->priv_data;
    uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr;
@@ -288,6 +288,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
            stream_type = STREAM_TYPE_PRIVATE_DATA;
            break;
        }
+
+        if (q - data > sizeof(data) - 32)
+            return AVERROR(EINVAL);
+
        *q++ = stream_type;
        put16(&q, 0xe000 | ts_st->pid);
        desc_length_ptr = q;
@@ -311,7 +315,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
                len_ptr = q++;
                *len_ptr = 0;

-                for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
+                for (p = lang->value; next && *len_ptr < 255 / 4 * 4 && q - data < sizeof(data) - 4; p = next + 1) {
                    next = strchr(p, ',');
                    if (strlen(p) != 3 && (!next || next != p + 3))
                        continue; /* not a 3-letter code */
@@ -373,6 +377,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
    }
    mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
                          data, q - data);
+    return 0;
 }

 /* NOTE: str == NULL is accepted for an empty string */
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -91,6 +91,12 @@ static int read_header(AVFormatContext *s, AVFormatParameters *ap)
    mvi->get_int = (vst->codec->width * vst->codec->height < (1 << 16)) ? avio_rl16 : avio_rl24;

    mvi->audio_frame_size   = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count;
+    if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) {
+        av_log(s, AV_LOG_ERROR, "Invalid audio_data_size (%d) or frames_count (%d)\n",
+               mvi->audio_data_size, frames_count);
+        return AVERROR_INVALIDDATA;
+    }
+
    mvi->audio_size_counter = (ast->codec->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size;
    mvi->audio_size_left    = mvi->audio_data_size;

--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1397,8 +1397,17 @@ static int mxf_parse_structural_metadata(MXFContext *mxf)
                st->codec->codec_id = container_ul->id;
            st->codec->channels = descriptor->channels;
            st->codec->bits_per_coded_sample = descriptor->bits_per_sample;
-            if (descriptor->sample_rate.den > 0)
-            st->codec->sample_rate = descriptor->sample_rate.num / descriptor->sample_rate.den;
+            if (descriptor->sample_rate.den > 0) {
+                st->codec->sample_rate = descriptor->sample_rate.num / descriptor->sample_rate.den;
+                avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num);
+            } else {
+                av_log(mxf->fc, AV_LOG_WARNING, "invalid sample rate (%d/%d) "
+                       "found for stream #%d, time base forced to 1/48000\n",
+                       descriptor->sample_rate.num, descriptor->sample_rate.den,
+                       st->index);
+                avpriv_set_pts_info(st, 64, 1, 48000);
+            }
+
            /* TODO: implement CODEC_ID_RAWAUDIO */
            if (st->codec->codec_id == CODEC_ID_PCM_S16LE) {
                if (descriptor->bits_per_sample > 16 && descriptor->bits_per_sample <= 24)
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -375,7 +375,11 @@ static int ogg_packet(AVFormatContext *s, int *str, int *dstart, int *dsize,

        if (!complete && os->segp == os->nsegs){
            ogg->curidx = -1;
-            os->incomplete = 1;
+            // Do not set incomplete for empty packets.
+            // Together with the code in ogg_read_page
+            // that discards all continuation of empty packets
+            // we would get an infinite loop.
+            os->incomplete = !!os->psize;
        }
    }while (!complete);

--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -37,62 +37,69 @@ ogm_header(AVFormatContext *s, int idx)
    struct ogg *ogg = s->priv_data;
    struct ogg_stream *os = ogg->streams + idx;
    AVStream *st = s->streams[idx];
-    const uint8_t *p = os->buf + os->pstart;
+    GetByteContext p;
    uint64_t time_unit;
    uint64_t spu;

-    if(!(*p & 1))
+    bytestream2_init(&p, os->buf + os->pstart, os->psize);
+    if (!(bytestream2_peek_byte(&p) & 1))
        return 0;

-    if(*p == 1) {
-        p++;
+    if (bytestream2_peek_byte(&p) == 1) {
+        bytestream2_skip(&p, 1);

-        if(*p == 'v'){
+        if (bytestream2_peek_byte(&p) == 'v'){
            int tag;
            st->codec->codec_type = AVMEDIA_TYPE_VIDEO;
-            p += 8;
-            tag = bytestream_get_le32(&p);
+            bytestream2_skip(&p, 8);
+            tag = bytestream2_get_le32(&p);
            st->codec->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag);
            st->codec->codec_tag = tag;
-        } else if (*p == 't') {
+        } else if (bytestream2_peek_byte(&p) == 't') {
            st->codec->codec_type = AVMEDIA_TYPE_SUBTITLE;
            st->codec->codec_id = CODEC_ID_TEXT;
-            p += 12;
+            bytestream2_skip(&p, 12);
        } else {
-            uint8_t acid[5];
+            uint8_t acid[5] = { 0 };
            int cid;
            st->codec->codec_type = AVMEDIA_TYPE_AUDIO;
-            p += 8;
-            bytestream_get_buffer(&p, acid, 4);
+            bytestream2_skip(&p, 8);
+            bytestream2_get_buffer(&p, acid, 4);
            acid[4] = 0;
            cid = strtol(acid, NULL, 16);
            st->codec->codec_id = ff_codec_get_id(ff_codec_wav_tags, cid);
            st->need_parsing = AVSTREAM_PARSE_FULL;
        }

-        p += 4;                     /* useless size field */
+        bytestream2_skip(&p, 4);    /* useless size field */

-        time_unit   = bytestream_get_le64(&p);
-        spu         = bytestream_get_le64(&p);
-        p += 4;                     /* default_len */
-        p += 8;                     /* buffersize + bits_per_sample */
+        time_unit   = bytestream2_get_le64(&p);
+        spu         = bytestream2_get_le64(&p);
+        if (!time_unit || !spu) {
+            av_log(s, AV_LOG_ERROR, "Invalid timing values.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
+        bytestream2_skip(&p, 4);    /* default_len */
+        bytestream2_skip(&p, 8);    /* buffersize + bits_per_sample */

        if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO){
-            st->codec->width = bytestream_get_le32(&p);
-            st->codec->height = bytestream_get_le32(&p);
+            st->codec->width = bytestream2_get_le32(&p);
+            st->codec->height = bytestream2_get_le32(&p);
            st->codec->time_base.den = spu * 10000000;
            st->codec->time_base.num = time_unit;
            avpriv_set_pts_info(st, 64, st->codec->time_base.num, st->codec->time_base.den);
        } else {
-            st->codec->channels = bytestream_get_le16(&p);
-            p += 2;                 /* block_align */
-            st->codec->bit_rate = bytestream_get_le32(&p) * 8;
+            st->codec->channels = bytestream2_get_le16(&p);
+            bytestream2_skip(&p, 2); /* block_align */
+            st->codec->bit_rate = bytestream2_get_le32(&p) * 8;
            st->codec->sample_rate = spu * 10000000 / time_unit;
            avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate);
        }
-    } else if (*p == 3) {
-        if (os->psize > 8)
-            ff_vorbis_comment(s, &st->metadata, p+7, os->psize-8);
+    } else if (bytestream2_peek_byte(&p) == 3) {
+        bytestream2_skip(&p, 7);
+        if (bytestream2_get_bytes_left(&p) > 1)
+            ff_vorbis_comment(s, &st->metadata, p.buffer, bytestream2_get_bytes_left(&p) - 1);
    }

    return 1;
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -113,13 +113,18 @@ static int kset(AVFormatContext *s, const uint8_t *r_val, const uint8_t *n_val,
    return 0;
 }

-static int rprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *r_val)
+#define OMA_RPROBE_M_VAL 48 + 1
+
+static int rprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size,
+                  const uint8_t *r_val)
 {
    OMAContext *oc = s->priv_data;
    unsigned int pos;
    struct AVDES av_des;

-    if (!enc_header || !r_val)
+    if (!enc_header || !r_val ||
+        size < OMA_ENC_HEADER_SIZE + oc->k_size + oc->e_size + oc->i_size ||
+        size < OMA_RPROBE_M_VAL)
        return -1;

    /* m_val */
@@ -140,19 +145,25 @@ static int rprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *r_val)
    return memcmp(&enc_header[pos], oc->sm_val, 8) ? -1 : 0;
 }

-static int nprobe(AVFormatContext *s, uint8_t *enc_header, int size, const uint8_t *n_val)
+static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size,
+                  const uint8_t *n_val)
 {
    OMAContext *oc = s->priv_data;
-    uint32_t pos, taglen, datalen;
+    uint64_t pos;
+    uint32_t taglen, datalen;
    struct AVDES av_des;

-    if (!enc_header || !n_val)
+    if (!enc_header || !n_val ||
+        size < OMA_ENC_HEADER_SIZE + oc->k_size + 4)
        return -1;

    pos = OMA_ENC_HEADER_SIZE + oc->k_size;
    if (!memcmp(&enc_header[pos], "EKB ", 4))
        pos += 32;

+    if (size < pos + 44)
+        return -1;
+
    if (AV_RB32(&enc_header[pos]) != oc->rid)
        av_log(s, AV_LOG_DEBUG, "Mismatching RID\n");

@@ -162,13 +173,20 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, int size, const uint8
    if(taglen + (((uint64_t)datalen)<<4) + 44 > size)
        return -1;

-    pos += 44 + taglen;
+    pos += 44;
+    if (size - pos < taglen)
+        return -1;
+
+    pos += taglen;
+
+    if (datalen << 4 > size - pos)
+        return -1;

    av_des_init(&av_des, n_val, 192, 1);
    while (datalen-- > 0) {
        av_des_crypt(&av_des, oc->r_val, &enc_header[pos], 2, NULL, 1);
        kset(s, oc->r_val, NULL, 16);
-        if (!rprobe(s, enc_header, oc->r_val))
+        if (!rprobe(s, enc_header, size, oc->r_val))
            return 0;
        pos += 16;
    }
@@ -231,7 +249,7 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
        kset(s, s->key, s->key, s->keylen);
    }
    if (!memcmp(oc->r_val, (const uint8_t[8]){0}, 8) ||
-        rprobe(s, gdata, oc->r_val) < 0 &&
+        rprobe(s, gdata, geob->datasize, oc->r_val) < 0 &&
        nprobe(s, gdata, geob->datasize, oc->n_val) < 0) {
        int i;
        for (i = 0; i < FF_ARRAY_ELEMS(leaf_table); i += 2) {
@@ -239,7 +257,8 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
            AV_WL64(buf, leaf_table[i]);
            AV_WL64(&buf[8], leaf_table[i+1]);
            kset(s, buf, buf, 16);
-            if (!rprobe(s, gdata, oc->r_val) || !nprobe(s, gdata, geob->datasize, oc->n_val))
+            if (!rprobe(s, gdata, geob->datasize, oc->r_val) ||
+                !nprobe(s, gdata, geob->datasize, oc->n_val))
                break;
        }
        if (i >= sizeof(leaf_table)) {
@@ -380,14 +399,22 @@ static int oma_read_packet(AVFormatContext *s, AVPacket *pkt)
    int packet_size = s->streams[0]->codec->block_align;
    int ret = av_get_packet(s->pb, pkt, packet_size);

+    if (ret < packet_size)
+        pkt->flags |= AV_PKT_FLAG_CORRUPT;
+
    if (ret <= 0)
        return AVERROR(EIO);

    pkt->stream_index = 0;

    if (oc->encrypted) {
-        /* previous unencrypted block saved in IV for the next packet (CBC mode) */
-        av_des_crypt(&oc->av_des, pkt->data, pkt->data, (packet_size >> 3), oc->iv, 1);
+        /* previous unencrypted block saved in IV for
+         * the next packet (CBC mode) */
+        if (ret == packet_size)
+            av_des_crypt(&oc->av_des, pkt->data, pkt->data,
+                         (packet_size >> 3), oc->iv, 1);
+        else
+            memset(oc->iv, 0, 8);
    }

    return ret;
@@ -425,22 +452,26 @@ static int oma_read_seek(struct AVFormatContext *s, int stream_index, int64_t ti
 {
    OMAContext *oc = s->priv_data;

-    pcm_read_seek(s, stream_index, timestamp, flags);
+    int err = pcm_read_seek(s, stream_index, timestamp, flags);

-    if (oc->encrypted) {
-        /* readjust IV for CBC */
-        int64_t pos = avio_tell(s->pb);
-        if (pos < oc->content_start)
-            memset(oc->iv, 0, 8);
-        else {
-            if (avio_seek(s->pb, -8, SEEK_CUR) < 0 || avio_read(s->pb, oc->iv, 8) < 8) {
-                memset(oc->iv, 0, 8);
-                return -1;
-            }
-        }
+    if (!oc->encrypted)
+        return err;
+
+    /* readjust IV for CBC */
+    if (err || avio_tell(s->pb) < oc->content_start)
+        goto wipe;
+    if ((err = avio_seek(s->pb, -8, SEEK_CUR)) < 0)
+        goto wipe;
+    if ((err = avio_read(s->pb, oc->iv, 8)) < 8) {
+        if (err >= 0)
+            err = AVERROR_EOF;
+        goto wipe;
    }

    return 0;
+wipe:
+    memset(oc->iv, 0, 8);
+    return err;
 }

 AVInputFormat ff_oma_demuxer = {
--- a/libavformat/r3d.c
+++ b/libavformat/r3d.c
@@ -277,6 +277,10 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom)
    dts = avio_rb32(s->pb);

    st->codec->sample_rate = avio_rb32(s->pb);
+    if (st->codec->sample_rate <= 0) {
+        av_log(s, AV_LOG_ERROR, "Bad sample rate\n");
+        return AVERROR_INVALIDDATA;
+    }

    samples = avio_rb32(s->pb);

--- a/libavformat/riff.c
+++ b/libavformat/riff.c
@@ -600,6 +600,11 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size)
        if (size > 0)
            avio_skip(pb, size);
    }
+    if (codec->sample_rate <= 0) {
+        av_log(NULL, AV_LOG_ERROR,
+               "Invalid sample rate: %d\n", codec->sample_rate);
+        return AVERROR_INVALIDDATA;
+    }
    if (codec->codec_id == CODEC_ID_AAC_LATM) {
        /* channels and sample_rate values are those prior to applying SBR and/or PS */
        codec->channels    = 0;
--- a/libavformat/rl2.c
+++ b/libavformat/rl2.c
@@ -109,6 +109,10 @@ static av_cold int rl2_read_header(AVFormatContext *s,
    rate = avio_rl16(pb);
    channels = avio_rl16(pb);
    def_sound_size = avio_rl16(pb);
+    if (!channels || channels > 42) {
+        av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", channels);
+        return AVERROR_INVALIDDATA;
+    }

    /** setup video stream */
    st = avformat_new_stream(s, NULL);
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -336,8 +336,13 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb,
        if ((ret = rm_read_extradata(pb, st->codec, codec_data_size - (avio_tell(pb) - codec_pos))) < 0)
            return ret;

-        av_reduce(&st->r_frame_rate.den, &st->r_frame_rate.num,
-                  0x10000, fps, (1 << 30) - 1);
+        if (fps > 0) {
+            av_reduce(&st->r_frame_rate.den, &st->r_frame_rate.num,
+                      0x10000, fps, (1 << 30) - 1);
+        } else if (s->error_recognition & AV_EF_EXPLODE) {
+            av_log(s, AV_LOG_ERROR, "Invalid framerate\n");
+            return AVERROR_INVALIDDATA;
+        }
        st->avg_frame_rate = st->r_frame_rate;
    }

--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -75,26 +75,26 @@ int ff_rtmp_packet_read(URLContext *h, RTMPPacket *p,
                        int chunk_size, RTMPPacket *prev_pkt)
 {
    uint8_t hdr, t, buf[16];
-    int channel_id, timestamp, data_size, offset = 0;
+    int channel_id, timestamp, size, offset = 0;
    uint32_t extra = 0;
    enum RTMPPacketType type;
-    int size = 0;
+    int written = 0;

    if (ffurl_read(h, &hdr, 1) != 1)
        return AVERROR(EIO);
-    size++;
+    written++;
    channel_id = hdr & 0x3F;

    if (channel_id < 2) { //special case for channel number >= 64
        buf[1] = 0;
        if (ffurl_read_complete(h, buf, channel_id + 1) != channel_id + 1)
            return AVERROR(EIO);
-        size += channel_id + 1;
+        written += channel_id + 1;
        channel_id = AV_RL16(buf) + 64;
    }
-    data_size = prev_pkt[channel_id].data_size;
-    type      = prev_pkt[channel_id].type;
-    extra     = prev_pkt[channel_id].extra;
+    size  = prev_pkt[channel_id].size;
+    type  = prev_pkt[channel_id].type;
+    extra = prev_pkt[channel_id].extra;

    hdr >>= 6;
    if (hdr == RTMP_PS_ONEBYTE) {
@@ -102,21 +102,21 @@ int ff_rtmp_packet_read(URLContext *h, RTMPPacket *p,
    } else {
        if (ffurl_read_complete(h, buf, 3) != 3)
            return AVERROR(EIO);
-        size += 3;
+        written += 3;
        timestamp = AV_RB24(buf);
        if (hdr != RTMP_PS_FOURBYTES) {
            if (ffurl_read_complete(h, buf, 3) != 3)
                return AVERROR(EIO);
-            size += 3;
-            data_size = AV_RB24(buf);
+            written += 3;
+            size = AV_RB24(buf);
            if (ffurl_read_complete(h, buf, 1) != 1)
                return AVERROR(EIO);
-            size++;
+            written++;
            type = buf[0];
            if (hdr == RTMP_PS_TWELVEBYTES) {
                if (ffurl_read_complete(h, buf, 4) != 4)
                    return AVERROR(EIO);
-                size += 4;
+                written += 4;
                extra = AV_RL32(buf);
            }
        }
@@ -129,33 +129,33 @@ int ff_rtmp_packet_read(URLContext *h, RTMPPacket *p,
    if (hdr != RTMP_PS_TWELVEBYTES)
        timestamp += prev_pkt[channel_id].timestamp;

-    if (ff_rtmp_packet_create(p, channel_id, type, timestamp, data_size))
+    if (ff_rtmp_packet_create(p, channel_id, type, timestamp, size))
        return -1;
    p->extra = extra;
    // save history
    prev_pkt[channel_id].channel_id = channel_id;
    prev_pkt[channel_id].type       = type;
-    prev_pkt[channel_id].data_size  = data_size;
+    prev_pkt[channel_id].size       = size;
    prev_pkt[channel_id].ts_delta   = timestamp - prev_pkt[channel_id].timestamp;
    prev_pkt[channel_id].timestamp  = timestamp;
    prev_pkt[channel_id].extra      = extra;
-    while (data_size > 0) {
-        int toread = FFMIN(data_size, chunk_size);
+    while (size > 0) {
+        int toread = FFMIN(size, chunk_size);
        if (ffurl_read_complete(h, p->data + offset, toread) != toread) {
            ff_rtmp_packet_destroy(p);
            return AVERROR(EIO);
        }
-        data_size -= chunk_size;
-        offset    += chunk_size;
-        size      += chunk_size;
-        if (data_size > 0) {
+        size    -= chunk_size;
+        offset  += chunk_size;
+        written += chunk_size;
+        if (size > 0) {
            ffurl_read_complete(h, &t, 1); //marker
-            size++;
+            written++;
            if (t != (0xC0 + channel_id))
                return -1;
        }
    }
-    return size;
+    return written;
 }

 int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt,
@@ -164,7 +164,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt,
    uint8_t pkt_hdr[16], *p = pkt_hdr;
    int mode = RTMP_PS_TWELVEBYTES;
    int off = 0;
-    int size = 0;
+    int written = 0;

    pkt->ts_delta = pkt->timestamp - prev_pkt[pkt->channel_id].timestamp;

@@ -172,7 +172,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt,
    if (prev_pkt[pkt->channel_id].channel_id &&
        pkt->extra == prev_pkt[pkt->channel_id].extra) {
        if (pkt->type == prev_pkt[pkt->channel_id].type &&
-            pkt->data_size == prev_pkt[pkt->channel_id].data_size) {
+            pkt->size == prev_pkt[pkt->channel_id].size) {
            mode = RTMP_PS_FOURBYTES;
            if (pkt->ts_delta == prev_pkt[pkt->channel_id].ts_delta)
                mode = RTMP_PS_ONEBYTE;
@@ -196,7 +196,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt,
            timestamp = pkt->ts_delta;
        bytestream_put_be24(&p, timestamp >= 0xFFFFFF ? 0xFFFFFF : timestamp);
        if (mode != RTMP_PS_FOURBYTES) {
-            bytestream_put_be24(&p, pkt->data_size);
+            bytestream_put_be24(&p, pkt->size);
            bytestream_put_byte(&p, pkt->type);
            if (mode == RTMP_PS_TWELVEBYTES)
                bytestream_put_le32(&p, pkt->extra);
@@ -207,7 +207,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt,
    // save history
    prev_pkt[pkt->channel_id].channel_id = pkt->channel_id;
    prev_pkt[pkt->channel_id].type       = pkt->type;
-    prev_pkt[pkt->channel_id].data_size  = pkt->data_size;
+    prev_pkt[pkt->channel_id].size  = pkt->size;
    prev_pkt[pkt->channel_id].timestamp  = pkt->timestamp;
    if (mode != RTMP_PS_TWELVEBYTES) {
        prev_pkt[pkt->channel_id].ts_delta   = pkt->ts_delta;
@@ -217,18 +217,18 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt,
    prev_pkt[pkt->channel_id].extra      = pkt->extra;

    ffurl_write(h, pkt_hdr, p-pkt_hdr);
-    size = p - pkt_hdr + pkt->data_size;
-    while (off < pkt->data_size) {
-        int towrite = FFMIN(chunk_size, pkt->data_size - off);
+    written = p - pkt_hdr + pkt->size;
+    while (off < pkt->size) {
+        int towrite = FFMIN(chunk_size, pkt->size - off);
        ffurl_write(h, pkt->data + off, towrite);
        off += towrite;
-        if (off < pkt->data_size) {
+        if (off < pkt->size) {
            uint8_t marker = 0xC0 | pkt->channel_id;
            ffurl_write(h, &marker, 1);
-            size++;
+            written++;
        }
    }
-    return size;
+    return written;
 }

 int ff_rtmp_packet_create(RTMPPacket *pkt, int channel_id, RTMPPacketType type,
@@ -239,7 +239,7 @@ int ff_rtmp_packet_create(RTMPPacket *pkt, int channel_id, RTMPPacketType type,
        if (!pkt->data)
            return AVERROR(ENOMEM);
    }
-    pkt->data_size  = size;
+    pkt->size  = size;
    pkt->channel_id = channel_id;
    pkt->type       = type;
    pkt->timestamp  = timestamp;
@@ -254,7 +254,7 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt)
    if (!pkt)
        return;
    av_freep(&pkt->data);
-    pkt->data_size = 0;
+    pkt->size = 0;
 }

 int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
@@ -425,9 +425,9 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d
 void ff_rtmp_packet_dump(void *ctx, RTMPPacket *p)
 {
    av_log(ctx, AV_LOG_DEBUG, "RTMP packet type '%s'(%d) for channel %d, timestamp %d, extra field %d size %d\n",
-           rtmp_packet_type(p->type), p->type, p->channel_id, p->timestamp, p->extra, p->data_size);
+           rtmp_packet_type(p->type), p->type, p->channel_id, p->timestamp, p->extra, p->size);
    if (p->type == RTMP_PT_INVOKE || p->type == RTMP_PT_NOTIFY) {
-        uint8_t *src = p->data, *src_end = p->data + p->data_size;
+        uint8_t *src = p->data, *src_end = p->data + p->size;
        while (src < src_end) {
            int sz;
            ff_amf_tag_contents(ctx, src, src_end);
@@ -442,8 +442,41 @@ void ff_rtmp_packet_dump(void *ctx, RTMPPacket *p)
        av_log(ctx, AV_LOG_DEBUG, "Client BW = %d\n", AV_RB32(p->data));
    } else if (p->type != RTMP_PT_AUDIO && p->type != RTMP_PT_VIDEO && p->type != RTMP_PT_METADATA) {
        int i;
-        for (i = 0; i < p->data_size; i++)
+        for (i = 0; i < p->size; i++)
            av_log(ctx, AV_LOG_DEBUG, " %02X", p->data[i]);
        av_log(ctx, AV_LOG_DEBUG, "\n");
    }
 }
+
+int ff_amf_match_string(const uint8_t *data, int size, const char *str)
+{
+    int len = strlen(str);
+    int amf_len, type;
+
+    if (size < 1)
+        return 0;
+
+    type = *data++;
+
+    if (type != AMF_DATA_TYPE_LONG_STRING &&
+        type != AMF_DATA_TYPE_STRING)
+        return 0;
+
+    if (type == AMF_DATA_TYPE_LONG_STRING) {
+        if ((size -= 4 + 1) < 0)
+            return 0;
+        amf_len = bytestream_get_be32(&data);
+    } else {
+        if ((size -= 2 + 1) < 0)
+            return 0;
+        amf_len = bytestream_get_be16(&data);
+    }
+
+    if (amf_len > size)
+        return 0;
+
+    if (amf_len != len)
+        return 0;
+
+    return !memcmp(data, str, len);
+}
--- a/libavformat/rtmppkt.h
+++ b/libavformat/rtmppkt.h
@@ -80,7 +80,7 @@ typedef struct RTMPPacket {
    uint32_t       ts_delta;   ///< timestamp increment to the previous one in milliseconds (latter only for media packets)
    uint32_t       extra;      ///< probably an additional channel ID used during streaming data
    uint8_t        *data;      ///< packet payload
-    int            data_size;  ///< packet payload size
+    int            size;       ///< packet payload size
 } RTMPPacket;

 /**
@@ -218,6 +218,13 @@ void ff_amf_write_field_name(uint8_t **dst, const char *str);
 */
 void ff_amf_write_object_end(uint8_t **dst);

+/**
+ * Match AMF string with a NULL-terminated string.
+ *
+ * @return 0 if the strings do not match.
+ */
+int ff_amf_match_string(const uint8_t *data, int size, const char *str);
+
 /** @} */ // AMF funcs

 #endif /* AVFORMAT_RTMPPKT_H */
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -147,7 +147,7 @@ static void gen_connect(URLContext *s, RTMPContext *rt, const char *proto,
    }
    ff_amf_write_object_end(&p);

-    pkt.data_size = p - pkt.data;
+    pkt.size = p - pkt.data;

    ff_rtmp_packet_write(rt->stream, &pkt, rt->chunk_size, rt->prev_pkt[1]);
    ff_rtmp_packet_destroy(&pkt);
@@ -549,7 +549,7 @@ static int rtmp_handshake(URLContext *s, RTMPContext *rt)
 static int rtmp_parse_result(URLContext *s, RTMPContext *rt, RTMPPacket *pkt)
 {
    int i, t;
-    const uint8_t *data_end = pkt->data + pkt->data_size;
+    const uint8_t *data_end = pkt->data + pkt->size;

 #ifdef DEBUG
    ff_rtmp_packet_dump(s, pkt);
@@ -557,9 +557,9 @@ static int rtmp_parse_result(URLContext *s, RTMPContext *rt, RTMPPacket *pkt)

    switch (pkt->type) {
    case RTMP_PT_CHUNK_SIZE:
-        if (pkt->data_size != 4) {
+        if (pkt->size != 4) {
            av_log(s, AV_LOG_ERROR,
-                   "Chunk size change packet is not 4 bytes long (%d)\n", pkt->data_size);
+                   "Chunk size change packet is not 4 bytes long (%d)\n", pkt->size);
            return -1;
        }
        if (!rt->is_input)
@@ -577,10 +577,10 @@ static int rtmp_parse_result(URLContext *s, RTMPContext *rt, RTMPPacket *pkt)
            gen_pong(s, rt, pkt);
        break;
    case RTMP_PT_CLIENT_BW:
-        if (pkt->data_size < 4) {
+        if (pkt->size < 4) {
            av_log(s, AV_LOG_ERROR,
                   "Client bandwidth report packet is less than 4 bytes long (%d)\n",
-                   pkt->data_size);
+                   pkt->size);
            return -1;
        }
        av_log(s, AV_LOG_DEBUG, "Client bandwidth = %d\n", AV_RB32(pkt->data));
@@ -588,14 +588,14 @@ static int rtmp_parse_result(URLContext *s, RTMPContext *rt, RTMPPacket *pkt)
        break;
    case RTMP_PT_INVOKE:
        //TODO: check for the messages sent for wrong state?
-        if (!memcmp(pkt->data, "\002\000\006_error", 9)) {
+        if (ff_amf_match_string(pkt->data, pkt->size, "_error")) {
            uint8_t tmpstr[256];

            if (!ff_amf_get_field_value(pkt->data + 9, data_end,
                                        "description", tmpstr, sizeof(tmpstr)))
                av_log(s, AV_LOG_ERROR, "Server error: %s\n",tmpstr);
            return -1;
-        } else if (!memcmp(pkt->data, "\002\000\007_result", 10)) {
+        } else if (ff_amf_match_string(pkt->data, pkt->size, "_result")) {
            switch (rt->state) {
            case STATE_HANDSHAKED:
                if (!rt->is_input) {
@@ -636,7 +636,7 @@ static int rtmp_parse_result(URLContext *s, RTMPContext *rt, RTMPPacket *pkt)
                rt->state = STATE_READY;
                break;
            }
-        } else if (!memcmp(pkt->data, "\002\000\010onStatus", 11)) {
+        } else if (ff_amf_match_string(pkt->data, pkt->size, "onStatus")) {
            const uint8_t* ptr = pkt->data + 11;
            uint8_t tmpstr[256];

@@ -683,7 +683,7 @@ static int get_packet(URLContext *s, int for_header)
    int ret;
    uint8_t *p;
    const uint8_t *next;
-    uint32_t data_size;
+    uint32_t size;
    uint32_t ts, cts, pts=0;

    if (rt->state == STATE_STOPPED)
@@ -719,38 +719,39 @@ static int get_packet(URLContext *s, int for_header)
            ff_rtmp_packet_destroy(&rpkt);
            return 0;
        }
-        if (!rpkt.data_size || !rt->is_input) {
+        if (!rpkt.size || !rt->is_input) {
            ff_rtmp_packet_destroy(&rpkt);
            continue;
        }
        if (rpkt.type == RTMP_PT_VIDEO || rpkt.type == RTMP_PT_AUDIO ||
-           (rpkt.type == RTMP_PT_NOTIFY && !memcmp("\002\000\012onMetaData", rpkt.data, 13))) {
+           (rpkt.type == RTMP_PT_NOTIFY &&
+            ff_amf_match_string(rpkt.data, rpkt.size, "onMetaData"))) {
            ts = rpkt.timestamp;

            // generate packet header and put data into buffer for FLV demuxer
            rt->flv_off  = 0;
-            rt->flv_size = rpkt.data_size + 15;
+            rt->flv_size = rpkt.size + 15;
            rt->flv_data = p = av_realloc(rt->flv_data, rt->flv_size);
            bytestream_put_byte(&p, rpkt.type);
-            bytestream_put_be24(&p, rpkt.data_size);
+            bytestream_put_be24(&p, rpkt.size);
            bytestream_put_be24(&p, ts);
            bytestream_put_byte(&p, ts >> 24);
            bytestream_put_be24(&p, 0);
-            bytestream_put_buffer(&p, rpkt.data, rpkt.data_size);
+            bytestream_put_buffer(&p, rpkt.data, rpkt.size);
            bytestream_put_be32(&p, 0);
            ff_rtmp_packet_destroy(&rpkt);
            return 0;
        } else if (rpkt.type == RTMP_PT_METADATA) {
            // we got raw FLV data, make it available for FLV demuxer
            rt->flv_off  = 0;
-            rt->flv_size = rpkt.data_size;
+            rt->flv_size = rpkt.size;
            rt->flv_data = av_realloc(rt->flv_data, rt->flv_size);
            /* rewrite timestamps */
            next = rpkt.data;
            ts = rpkt.timestamp;
-            while (next - rpkt.data < rpkt.data_size - 11) {
+            while (next - rpkt.data < rpkt.size - 11) {
                next++;
-                data_size = bytestream_get_be24(&next);
+                size = bytestream_get_be24(&next);
                p=next;
                cts = bytestream_get_be24(&next);
                cts |= bytestream_get_byte(&next) << 24;
@@ -760,9 +761,9 @@ static int get_packet(URLContext *s, int for_header)
                pts = cts;
                bytestream_put_be24(&p, ts);
                bytestream_put_byte(&p, ts >> 24);
-                next += data_size + 3 + 4;
+                next += size + 3 + 4;
            }
-            memcpy(rt->flv_data, rpkt.data, rpkt.data_size);
+            memcpy(rt->flv_data, rpkt.data, rpkt.size);
            ff_rtmp_packet_destroy(&rpkt);
            return 0;
        }
@@ -776,7 +777,7 @@ static int rtmp_close(URLContext *h)

    if (!rt->is_input) {
        rt->flv_data = NULL;
-        if (rt->out_pkt.data_size)
+        if (rt->out_pkt.size)
            ff_rtmp_packet_destroy(&rt->out_pkt);
        if (rt->state > STATE_FCPUBLISH)
            gen_fcunpublish_stream(h, rt);
--- a/libavformat/segafilm.c
+++ b/libavformat/segafilm.c
@@ -76,6 +76,16 @@ static int film_probe(AVProbeData *p)
    return AVPROBE_SCORE_MAX;
 }

+static int film_read_close(AVFormatContext *s)
+{
+    FilmDemuxContext *film = s->priv_data;
+
+    av_freep(&film->sample_table);
+    av_freep(&film->stereo_buffer);
+
+    return 0;
+}
+
 static int film_read_header(AVFormatContext *s,
                            AVFormatParameters *ap)
 {
@@ -83,7 +93,7 @@ static int film_read_header(AVFormatContext *s,
    AVIOContext *pb = s->pb;
    AVStream *st;
    unsigned char scratch[256];
-    int i;
+    int i, ret;
    unsigned int data_offset;
    unsigned int audio_frame_counter;

@@ -113,6 +123,11 @@ static int film_read_header(AVFormatContext *s,
            return AVERROR(EIO);
        film->audio_samplerate = AV_RB16(&scratch[24]);
        film->audio_channels = scratch[21];
+        if (!film->audio_channels || film->audio_channels > 2) {
+            av_log(s, AV_LOG_ERROR,
+                   "Invalid number of channels: %d\n", film->audio_channels);
+            return AVERROR_INVALIDDATA;
+        }
        film->audio_bits = scratch[22];
        if (scratch[23] == 2)
            film->audio_type = CODEC_ID_ADPCM_ADX;
@@ -205,14 +220,16 @@ static int film_read_header(AVFormatContext *s,
    for (i = 0; i < film->sample_count; i++) {
        /* load the next sample record and transfer it to an internal struct */
        if (avio_read(pb, scratch, 16) != 16) {
-            av_free(film->sample_table);
-            return AVERROR(EIO);
+            ret = AVERROR(EIO);
+            goto fail;
        }
        film->sample_table[i].sample_offset =
            data_offset + AV_RB32(&scratch[0]);
        film->sample_table[i].sample_size = AV_RB32(&scratch[4]);
-        if (film->sample_table[i].sample_size > INT_MAX / 4)
-            return AVERROR_INVALIDDATA;
+        if (film->sample_table[i].sample_size > INT_MAX / 4) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
        if (AV_RB32(&scratch[8]) == 0xFFFFFFFF) {
            film->sample_table[i].stream = film->audio_stream_index;
            film->sample_table[i].pts = audio_frame_counter;
@@ -235,6 +252,9 @@ static int film_read_header(AVFormatContext *s,
    film->current_sample = 0;

    return 0;
+fail:
+    film_read_close(s);
+    return ret;
 }

 static int film_read_packet(AVFormatContext *s,
@@ -315,16 +335,6 @@ static int film_read_packet(AVFormatContext *s,
    return ret;
 }

-static int film_read_close(AVFormatContext *s)
-{
-    FilmDemuxContext *film = s->priv_data;
-
-    av_free(film->sample_table);
-    av_free(film->stereo_buffer);
-
-    return 0;
-}
-
 AVInputFormat ff_segafilm_demuxer = {
    .name           = "film_cpk",
    .long_name      = NULL_IF_CONFIG_SMALL("Sega FILM/CPK format"),
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .10.9
 .10.12