update for 0.7.15

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Merge branch 'release/0.8' into release/0.7
2013-02-21 03:28:32 +01:00 · 2013-02-21 03:28:00 +01:00 · 2013-02-21 02:00:40 +01:00 · 2013-02-20 04:33:01 +01:00 · 2013-02-20 01:26:33 +01:00 · 2013-02-20 01:23:54 +01:00
171 changed files with 1728 additions and 755 deletions
--- a/2
+++ b/2
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 0.7.10
+PROJECT_NUMBER         = 0.7.15

 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.
--- a/2
+++ b/2
@@ -1 +1 @@
-0.7.10
+0.7.15
--- a/2
+++ b/2
@@ -1 +1 @@
-0.7.10
+0.7.15
--- a/cmdutils.c
+++ b/cmdutils.c
@@ -57,7 +57,7 @@ AVFormatContext *avformat_opts;
 struct SwsContext *sws_opts;
 AVDictionary *format_opts, *video_opts, *audio_opts, *sub_opts;

-static const int this_year = 2011;
+static const int this_year = 2013;

 void init_opts(void)
 {
--- a/4
+++ b/4
@@ -1057,6 +1057,7 @@ HAVE_LIST="
    dlfcn_h
    dlopen
    dos_paths
+    dxva_h
    ebp_available
    ebx_available
    exp2
@@ -2378,7 +2379,7 @@ check_host_cflags -std=c99
 check_host_cflags -Wall

 case "$arch" in
-    alpha|ia64|mips|parisc|sparc)
+    alpha|ia64|mips|parisc|ppc|sparc)
        spic=$shared
    ;;
    x86)
@@ -2859,6 +2860,7 @@ check_func_headers windows.h MapViewOfFile
 check_func_headers windows.h VirtualAlloc

 check_header dlfcn.h
+check_header dxva.h
 check_header dxva2api.h
 check_header libcrystalhd/libcrystalhd_if.h
 check_header malloc.h
--- a/doc/ffmpeg.texi
+++ b/doc/ffmpeg.texi
@@ -299,6 +299,10 @@ prefix is ``ffmpeg2pass''. The complete file name will be
@file{PREFIX-N.log}, where N is a number specific to the output
 stream.

+Note that this option is overwritten by a local option of the same name
+when using @code{-vcodec libx264}. That option maps to the x264 option stats
+which has a different syntax.
+
@item -newvideo
 Add a new video stream to the current output stream.

--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -1760,9 +1760,9 @@ interlaced video, accepts one of the following values:

@table @option
@item 0
-assume bottom field first
-@item 1
 assume top field first
+@item 1
+assume bottom field first
@item -1
 enable automatic detection
@end table
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -315,6 +315,7 @@ typedef struct AVOutputStream {
 #endif

   int sws_flags;
+   char *forced_key_frames;
 } AVOutputStream;

 static AVOutputStream **output_streams_for_file[MAX_FILES] = { NULL };
@@ -2337,6 +2338,9 @@ static int transcode(AVFormatContext **output_files,
                                               "Please consider specifiying a lower framerate, a different muxer or -vsync 2\n");
                }

+                if (ost->forced_key_frames)
+                    parse_forced_key_frames(ost->forced_key_frames, ost, codec);
+
 #if CONFIG_AVFILTER
                if (configure_video_filters(ist, ost)) {
                    fprintf(stderr, "Error opening filters!\n");
@@ -2858,6 +2862,7 @@ static int transcode(AVFormatContext **output_files,
                av_freep(&ost->st->codec->subtitle_header);
                av_free(ost->resample_frame.data[0]);
                av_free(ost->forced_kf_pts);
+                av_free(ost->forced_key_frames);
                if (ost->video_resample)
                    sws_freeContext(ost->img_resample_ctx);
                if (ost->resample)
@@ -3656,8 +3661,10 @@ static void new_video_stream(AVFormatContext *oc, int file_idx)
            }
        }

-        if (forced_key_frames)
-            parse_forced_key_frames(forced_key_frames, ost, video_enc);
+        if (forced_key_frames) {
+            ost->forced_key_frames = forced_key_frames;
+            forced_key_frames = NULL;
+        }
    }
    if (video_language) {
        av_dict_set(&st->metadata, "language", video_language, 0);
@@ -3667,7 +3674,6 @@ static void new_video_stream(AVFormatContext *oc, int file_idx)
    /* reset some key parameters */
    video_disable = 0;
    av_freep(&video_codec_name);
-    av_freep(&forced_key_frames);
    video_stream_copy = 0;
    frame_pix_fmt = PIX_FMT_NONE;
 }
--- a/ffserver.c
+++ b/ffserver.c
@@ -518,6 +518,7 @@ static int socket_open_listen(struct sockaddr_in *my_addr)
    tmp = 1;
    setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &tmp, sizeof(tmp));

+    my_addr->sin_family = AF_INET;
    if (bind (server_fd, (struct sockaddr *) my_addr, sizeof (*my_addr)) < 0) {
        char bindmsg[32];
        snprintf(bindmsg, sizeof(bindmsg), "bind(port %d)", ntohs(my_addr->sin_port));
--- a/libavcodec/8svx.c
+++ b/libavcodec/8svx.c
@@ -44,7 +44,7 @@ typedef struct EightSvxContext {
    /* buffer used to store the whole audio decoded/interleaved chunk,
     * which is sent with the first packet */
    uint8_t *samples;
-    size_t samples_size;
+    int64_t samples_size;
    int samples_idx;
 } EightSvxContext;

--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -568,6 +568,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
        output_scale_factor = 1.0;
    }

+    if (avctx->channels > MAX_CHANNELS) {
+        av_log(avctx, AV_LOG_ERROR, "Too many channels\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    AAC_INIT_VLC_STATIC( 0, 304);
    AAC_INIT_VLC_STATIC( 1, 270);
    AAC_INIT_VLC_STATIC( 2, 550);
@@ -754,19 +759,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
                av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
                return -1;
            }
-            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
+            do {
+                sect_len_incr = get_bits(gb, bits);
                sect_end += sect_len_incr;
-            sect_end += sect_len_incr;
-            if (get_bits_left(gb) < 0) {
-                av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-                return -1;
-            }
-            if (sect_end > ics->max_sfb) {
-                av_log(ac->avctx, AV_LOG_ERROR,
-                       "Number of bands (%d) exceeds limit (%d).\n",
-                       sect_end, ics->max_sfb);
-                return -1;
-            }
+                if (get_bits_left(gb) < 0) {
+                    av_log(ac->avctx, AV_LOG_ERROR, overread_err);
+                    return -1;
+                }
+                if (sect_end > ics->max_sfb) {
+                    av_log(ac->avctx, AV_LOG_ERROR,
+                           "Number of bands (%d) exceeds limit (%d).\n",
+                           sect_end, ics->max_sfb);
+                    return -1;
+                }
+            } while (sect_len_incr == (1 << bits) - 1);
            for (; k < sect_end; k++) {
                band_type        [idx]   = sect_band_type;
                band_type_run_end[idx++] = sect_end;
@@ -1693,7 +1699,7 @@ static void apply_tns(float coef[1024], TemporalNoiseShaping *tns,
    int w, filt, m, i;
    int bottom, top, order, start, end, size, inc;
    float lpc[TNS_MAX_ORDER];
-    float tmp[TNS_MAX_ORDER];
+    float tmp[TNS_MAX_ORDER + 1];

    for (w = 0; w < ics->num_windows; w++) {
        bottom = ics->num_swb;
--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -1183,14 +1183,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct,
 {
    int i, n;
    const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us;
+    const int step = 128 >> div;
    float *v;
    for (i = 0; i < 32; i++) {
-        if (*v_off == 0) {
+        if (*v_off < step) {
            int saved_samples = (1280 - 128) >> div;
            memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float));
-            *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div);
+            *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step;
        } else {
-            *v_off -= 128 >> div;
+            *v_off -= step;
        }
        v = v0 + *v_off;
        if (div) {
--- a/libavcodec/ac3dsp.c
+++ b/libavcodec/ac3dsp.c
@@ -108,7 +108,7 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd,
                                     int snr_offset, int floor,
                                     const uint8_t *bap_tab, uint8_t *bap)
 {
-    int bin, band;
+    int bin, band, band_end;

    /* special case, if snr offset is -960, set all bap's to zero */
    if (snr_offset == -960) {
@@ -120,12 +120,14 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd,
    band = ff_ac3_bin_to_band_tab[start];
    do {
        int m = (FFMAX(mask[band] - snr_offset - floor, 0) & 0x1FE0) + floor;
-        int band_end = FFMIN(ff_ac3_band_start_tab[band+1], end);
+        band_end = ff_ac3_band_start_tab[++band];
+        band_end = FFMIN(band_end, end);
+
        for (; bin < band_end; bin++) {
            int address = av_clip((psd[bin] - m) >> 5, 0, 63);
            bap[bin] = bap_tab[address];
        }
-    } while (end > ff_ac3_band_start_tab[band++]);
+    } while (end > band_end);
 }

 static void ac3_update_bap_counts_c(uint16_t mant_cnt[16], uint8_t *bap,
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -778,9 +778,13 @@ static int adpcm_encode_frame(AVCodecContext *avctx,
 static av_cold int adpcm_decode_init(AVCodecContext * avctx)
 {
    ADPCMContext *c = avctx->priv_data;
+    unsigned int min_channels = 1;
    unsigned int max_channels = 2;

    switch(avctx->codec->id) {
+    case CODEC_ID_ADPCM_EA:
+        min_channels = 2;
+        break;
    case CODEC_ID_ADPCM_EA_R1:
    case CODEC_ID_ADPCM_EA_R2:
    case CODEC_ID_ADPCM_EA_R3:
@@ -788,8 +792,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
        max_channels = 6;
        break;
    }
-    if(avctx->channels > max_channels){
-        return -1;
+
+    if (avctx->channels < min_channels || avctx->channels > max_channels) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+        return AVERROR(EINVAL);
    }

    switch(avctx->codec->id) {
@@ -1360,11 +1366,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
        }
        break;
    case CODEC_ID_ADPCM_EA:
-        if (buf_size < 12 || AV_RL32(src) > (buf_size - 12)/30*28) {
-            src += buf_size;
-            break;
+        /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces,
+           each coding 28 stereo samples. */
+        if (buf_size < 12) {
+            av_log(avctx, AV_LOG_ERROR, "frame too small\n");
+            return AVERROR(EINVAL);
        }
        samples_in_chunk = AV_RL32(src);
+        if (samples_in_chunk / 28 > (buf_size - 12) / 30) {
+            av_log(avctx, AV_LOG_ERROR, "invalid frame\n");
+            return AVERROR(EINVAL);
+        }
        src += 4;
        current_left_sample   = (int16_t)bytestream_get_le16(&src);
        previous_left_sample  = (int16_t)bytestream_get_le16(&src);
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -664,10 +664,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
    alac->numchannels = alac->avctx->channels;

    /* initialize from the extradata */
-    if (alac->avctx->extradata_size != ALAC_EXTRADATA_SIZE) {
-        av_log(avctx, AV_LOG_ERROR, "alac: expected %d extradata bytes\n",
-            ALAC_EXTRADATA_SIZE);
-        return -1;
+    if (alac->avctx->extradata_size < ALAC_EXTRADATA_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "alac: extradata is too small\n");
+        return AVERROR_INVALIDDATA;
    }
    if (alac_set_info(alac)) {
        av_log(avctx, AV_LOG_ERROR, "alac: set_info failed\n");
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -551,12 +551,15 @@ static void get_block_sizes(ALSDecContext *ctx, unsigned int *div_blocks,

 /** Read the block data for a constant block
 */
-static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
+static int read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 {
    ALSSpecificConfig *sconf = &ctx->sconf;
    AVCodecContext *avctx    = ctx->avctx;
    GetBitContext *gb        = &ctx->gb;

+    if (bd->block_length <= 0)
+        return -1;
+
    *bd->raw_samples = 0;
    *bd->const_block = get_bits1(gb);    // 1 = constant value, 0 = zero block (silence)
    bd->js_blocks    = get_bits1(gb);
@@ -571,6 +574,8 @@ static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)

    // ensure constant block decoding by reusing this field
    *bd->const_block = 1;
+
+    return 0;
 }


@@ -650,6 +655,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
        for (k = 1; k < sub_blocks; k++)
            s[k] = s[k - 1] + decode_rice(gb, 0);
    }
+    for (k = 1; k < sub_blocks; k++)
+        if (s[k] > 32) {
+            av_log(avctx, AV_LOG_ERROR, "k invalid for rice code.\n");
+            return AVERROR_INVALIDDATA;
+        }

    if (get_bits1(gb))
        *bd->shift_lsbs = get_bits(gb, 4) + 1;
@@ -662,6 +672,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1,
                                                2, sconf->max_order + 1));
            *bd->opt_order       = get_bits(gb, opt_order_length);
+            if (*bd->opt_order > sconf->max_order) {
+                *bd->opt_order = sconf->max_order;
+                av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n");
+                return AVERROR_INVALIDDATA;
+            }
        } else {
            *bd->opt_order = sconf->max_order;
        }
@@ -694,6 +709,10 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
                    int rice_param = parcor_rice_table[sconf->coef_table][k][1];
                    int offset     = parcor_rice_table[sconf->coef_table][k][0];
                    quant_cof[k] = decode_rice(gb, rice_param) + offset;
+                    if (quant_cof[k] < -64 || quant_cof[k] > 63) {
+                        av_log(avctx, AV_LOG_ERROR, "quant_cof %d is out of range\n", quant_cof[k]);
+                        return AVERROR_INVALIDDATA;
+                    }
                }

                // read coefficients 20 to 126
@@ -726,7 +745,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            bd->ltp_gain[0]   = decode_rice(gb, 1) << 3;
            bd->ltp_gain[1]   = decode_rice(gb, 2) << 3;

-            r                 = get_unary(gb, 0, 4);
+            r                 = get_unary(gb, 0, 3);
            c                 = get_bits(gb, 2);
            bd->ltp_gain[2]   = ltp_gain_values[r][c];

@@ -755,7 +774,6 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
        int          delta[8];
        unsigned int k    [8];
        unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5);
-        unsigned int i = start;

        // read most significant bits
        unsigned int high;
@@ -766,29 +784,30 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)

        current_res = bd->raw_samples + start;

-        for (sb = 0; sb < sub_blocks; sb++, i = 0) {
+        for (sb = 0; sb < sub_blocks; sb++) {
+            unsigned int sb_len  = sb_length - (sb ? 0 : start);
+
            k    [sb] = s[sb] > b ? s[sb] - b : 0;
            delta[sb] = 5 - s[sb] + k[sb];

-            ff_bgmc_decode(gb, sb_length, current_res,
+            ff_bgmc_decode(gb, sb_len, current_res,
                        delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status);

-            current_res += sb_length;
+            current_res += sb_len;
        }

        ff_bgmc_decode_end(gb);


        // read least significant bits and tails
-        i = start;
        current_res = bd->raw_samples + start;

-        for (sb = 0; sb < sub_blocks; sb++, i = 0) {
+        for (sb = 0; sb < sub_blocks; sb++, start = 0) {
            unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]];
            unsigned int cur_k         = k[sb];
            unsigned int cur_s         = s[sb];

-            for (; i < sb_length; i++) {
+            for (; start < sb_length; start++) {
                int32_t res = *current_res;

                if (res == cur_tail_code) {
@@ -956,7 +975,8 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
        if (read_var_block_data(ctx, bd))
            return -1;
    } else {
-        read_const_block_data(ctx, bd);
+        if (read_const_block_data(ctx, bd) < 0)
+            return -1;
    }

    return 0;
@@ -1010,7 +1030,7 @@ static void zero_remaining(unsigned int b, unsigned int b_max,
 {
    unsigned int count = 0;

-    while (b < b_max)
+    for (; b < b_max; b++)
        count += div_blocks[b];

    if (count)
--- a/libavcodec/ass_split.c
+++ b/libavcodec/ass_split.c
@@ -366,7 +366,7 @@ int ff_ass_split_override_codes(const ASSCodesCallbacks *callbacks, void *priv,
    char new_line[2];
    int text_len = 0;

-    while (*buf) {
+    while (buf && *buf) {
        if (text && callbacks->text &&
            (sscanf(buf, "\\%1[nN]", new_line) == 1 ||
             !strncmp(buf, "{\\", 2))) {
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -395,6 +395,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent

            for (k=0; k<coded_components; k++) {
                sfIndx = get_bits(gb,6);
+                if (component_count >= 64)
+                    return AVERROR_INVALIDDATA;
                pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
                max_coded_values = 1024 - pComponent[component_count].pos;
                coded_values = coded_values_per_component + 1;
--- a/libavcodec/avcodec.h
+++ b/libavcodec/avcodec.h
@@ -544,7 +544,7 @@ enum AVChromaLocation{
 /**
 * LPC analysis type
 */
-attribute_deprecated enum AVLPCType {
+enum AVLPCType {
    AV_LPC_TYPE_DEFAULT     = -1, ///< use the codec default LPC type
    AV_LPC_TYPE_NONE        =  0, ///< do not use LPC prediction or use all zero coefficients
    AV_LPC_TYPE_FIXED       =  1, ///< fixed LPC coefficients
--- a/libavcodec/avs.c
+++ b/libavcodec/avs.c
@@ -160,6 +160,7 @@ static av_cold int avs_decode_init(AVCodecContext * avctx)
    AvsContext *const avs = avctx->priv_data;
    avctx->pix_fmt = PIX_FMT_PAL8;
    avcodec_get_frame_defaults(&avs->picture);
+    avcodec_set_dimensions(avctx, 318, 198);
    return 0;
 }

--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -457,8 +457,8 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
                    int start_bits, int has_sign)
 {
    int i, j, len, len2, bsize, sign, v, v2;
-    int16_t *dst = (int16_t*)b->cur_dec;
-    int16_t *dst_end =( int16_t*)b->data_end;
+    int16_t *dst     = (int16_t*)b->cur_dec;
+    int16_t *dst_end = (int16_t*)b->data_end;

    CHECK_READ_VAL(gb, b, len);
    v = get_bits(gb, start_bits - has_sign);
--- a/libavcodec/binkaudio.c
+++ b/libavcodec/binkaudio.c
@@ -85,9 +85,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
        frame_len_bits = 11;
    }

-    if (avctx->channels > MAX_CHANNELS) {
-        av_log(avctx, AV_LOG_ERROR, "too many channels: %d\n", avctx->channels);
-        return -1;
+    if (avctx->channels < 1 || avctx->channels > MAX_CHANNELS) {
+        av_log(avctx, AV_LOG_ERROR, "invalid number of channels: %d\n", avctx->channels);
+        return AVERROR_INVALIDDATA;
    }

    if (avctx->extradata && avctx->extradata_size > 0)
--- a/libavcodec/bmp.c
+++ b/libavcodec/bmp.c
@@ -219,9 +219,6 @@ static int bmp_decode_frame(AVCodecContext *avctx,
    if(comp == BMP_RLE4 || comp == BMP_RLE8)
        memset(p->data[0], 0, avctx->height * p->linesize[0]);

-    if(depth == 4 || depth == 8)
-        memset(p->data[1], 0, 1024);
-
    if(height > 0){
        ptr = p->data[0] + (avctx->height - 1) * p->linesize[0];
        linesize = -p->linesize[0];
@@ -232,6 +229,9 @@ static int bmp_decode_frame(AVCodecContext *avctx,

    if(avctx->pix_fmt == PIX_FMT_PAL8){
        int colors = 1 << depth;
+
+        memset(p->data[1], 0, 1024);
+
        if(ihsize >= 36){
            int t;
            buf = buf0 + 46;
--- a/libavcodec/bytestream.h
+++ b/libavcodec/bytestream.h
@@ -26,6 +26,10 @@
 #include "libavutil/common.h"
 #include "libavutil/intreadwrite.h"

+typedef struct {
+    const uint8_t *buffer, *buffer_end;
+} GetByteContext;
+
 #define DEF_T(type, name, bytes, read, write)                             \
 static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\
    (*b) += bytes;\
@@ -34,6 +38,18 @@ static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\
 static av_always_inline void bytestream_put_ ##name(uint8_t **b, const type value){\
    write(*b, value);\
    (*b) += bytes;\
+}\
+static av_always_inline type bytestream2_get_ ## name(GetByteContext *g)\
+{\
+    if (g->buffer_end - g->buffer < bytes)\
+        return 0;\
+    return bytestream_get_ ## name(&g->buffer);\
+}\
+static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g)\
+{\
+    if (g->buffer_end - g->buffer < bytes)\
+        return 0;\
+    return read(g->buffer);\
 }

 #define DEF(name, bytes, read, write) \
@@ -55,6 +71,34 @@ DEF  (byte, 1, AV_RB8 , AV_WB8 )
 #undef DEF64
 #undef DEF_T

+static av_always_inline void bytestream2_init(GetByteContext *g,
+                                              const uint8_t *buf, int buf_size)
+{
+    g->buffer =  buf;
+    g->buffer_end = buf + buf_size;
+}
+
+static av_always_inline unsigned int bytestream2_get_bytes_left(GetByteContext *g)
+{
+    return g->buffer_end - g->buffer;
+}
+
+static av_always_inline void bytestream2_skip(GetByteContext *g,
+                                              unsigned int size)
+{
+    g->buffer += FFMIN(g->buffer_end - g->buffer, size);
+}
+
+static av_always_inline unsigned int bytestream2_get_buffer(GetByteContext *g,
+                                                            uint8_t *dst,
+                                                            unsigned int size)
+{
+    int size2 = FFMIN(g->buffer_end - g->buffer, size);
+    memcpy(dst, g->buffer, size2);
+    g->buffer += size2;
+    return size2;
+}
+
 static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, uint8_t *dst, unsigned int size)
 {
    memcpy(dst, *b, size);
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -609,12 +609,21 @@ static int decode_pic(AVSContext *h) {
 static int decode_seq_header(AVSContext *h) {
    MpegEncContext *s = &h->s;
    int frame_rate_code;
+    int width, height;

    h->profile =         get_bits(&s->gb,8);
    h->level =           get_bits(&s->gb,8);
    skip_bits1(&s->gb); //progressive sequence
-    s->width =           get_bits(&s->gb,14);
-    s->height =          get_bits(&s->gb,14);
+
+    width  = get_bits(&s->gb, 14);
+    height = get_bits(&s->gb, 14);
+    if ((s->width || s->height) && (s->width != width || s->height != height)) {
+        av_log_missing_feature(s, "Width/height changing in CAVS is", 0);
+        return AVERROR_PATCHWELCOME;
+    }
+    s->width  = width;
+    s->height = height;
+
    skip_bits(&s->gb,2); //chroma format
    skip_bits(&s->gb,3); //sample_precision
    h->aspect_ratio =    get_bits(&s->gb,4);
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -280,6 +280,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
        av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
        return AVERROR(EINVAL);
    }
+    if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n");
+        return AVERROR(EINVAL);
+    }

    ret = avctx->reget_buffer(avctx, &cc->frame);
    if (ret) {
--- a/libavcodec/celp_filters.c
+++ b/libavcodec/celp_filters.c
@@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,
        out2 -= val * old_out2;
        out3 -= val * old_out3;

-        old_out3 = out[-5];
-
        for (i = 5; i <= filter_length; i += 2) {
+            old_out3 = out[-i];
            val = filter_coeffs[i-1];

            out0 -= val * old_out3;
@@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,

            FFSWAP(float, old_out0, old_out2);
            old_out1 = old_out3;
-            old_out3 = out[-i-2];
        }

        tmp0 = out0;
--- a/libavcodec/cook.c
+++ b/libavcodec/cook.c
@@ -1066,6 +1066,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
    q->sample_rate = avctx->sample_rate;
    q->nb_channels = avctx->channels;
    q->bit_rate = avctx->bit_rate;
+    if (!q->nb_channels) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+        return AVERROR_INVALIDDATA;
+    }

    /* Initialize RNG. */
    av_lfg_init(&q->random_state, 0);
@@ -1082,6 +1086,11 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
        if (extradata_size >= 8){
            bytestream_get_be32(&edata_ptr);    //Unknown unused
            q->subpacket[s].js_subband_start = bytestream_get_be16(&edata_ptr);
+            if (q->subpacket[s].js_subband_start >= 51) {
+                av_log(avctx, AV_LOG_ERROR, "js_subband_start %d is too large\n", q->subpacket[s].js_subband_start);
+                return AVERROR_INVALIDDATA;
+            }
+
            q->subpacket[s].js_vlc_bits = bytestream_get_be16(&edata_ptr);
            extradata_size -= 8;
        }
--- a/libavcodec/cscd.c
+++ b/libavcodec/cscd.c
@@ -228,7 +228,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
            av_log(avctx, AV_LOG_ERROR,
                   "CamStudio codec error: invalid depth %i bpp\n",
                   avctx->bits_per_coded_sample);
-            return 1;
+            return AVERROR_INVALIDDATA;
    }
    c->bpp = avctx->bits_per_coded_sample;
    avcodec_get_frame_defaults(&c->pic);
@@ -242,7 +242,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
    c->decomp_buf = av_malloc(c->decomp_size + AV_LZO_OUTPUT_PADDING);
    if (!c->decomp_buf) {
        av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
-        return 1;
+        return AVERROR(ENOMEM);
    }
    return 0;
 }
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -29,6 +29,7 @@
 #include "libavutil/common.h"
 #include "libavutil/intmath.h"
 #include "libavutil/intreadwrite.h"
+#include "libavutil/mathematics.h"
 #include "libavutil/audioconvert.h"
 #include "avcodec.h"
 #include "dsputil.h"
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -23,6 +23,8 @@
 #include "avcodec.h"
 #include "libavutil/intreadwrite.h"
 #include "bytestream.h"
+
+#include "libavutil/imgutils.h"
 #include "libavutil/lzo.h" // for av_memcpy_backptr

 typedef struct DfaContext {
@@ -35,9 +37,13 @@ typedef struct DfaContext {
 static av_cold int dfa_decode_init(AVCodecContext *avctx)
 {
    DfaContext *s = avctx->priv_data;
+    int ret;

    avctx->pix_fmt = PIX_FMT_PAL8;

+    if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
+        return ret;
+
    s->frame_buf = av_mallocz(avctx->width * avctx->height + AV_LZO_OUTPUT_PADDING);
    if (!s->frame_buf)
        return AVERROR(ENOMEM);
@@ -153,8 +159,7 @@ static int decode_dds1(uint8_t *frame, int width, int height,
            bitbuf = bytestream_get_le16(&src);
            mask = 1;
        }
-        if (src_end - src < 2 || frame_end - frame < 2)
-            return -1;
+
        if (bitbuf & mask) {
            v = bytestream_get_le16(&src);
            offset = (v & 0x1FFF) << 2;
@@ -168,8 +173,13 @@ static int decode_dds1(uint8_t *frame, int width, int height,
                frame += 2;
            }
        } else if (bitbuf & (mask << 1)) {
-            frame += bytestream_get_le16(&src) * 2;
+            v = bytestream_get_le16(&src)*2;
+            if (frame - frame_end < v)
+                return AVERROR_INVALIDDATA;
+            frame += v;
        } else {
+            if (frame_end - frame < width + 3)
+                return AVERROR_INVALIDDATA;
            frame[0] = frame[1] =
            frame[width] = frame[width + 1] =  *src++;
            frame += 2;
@@ -231,6 +241,7 @@ static int decode_wdlt(uint8_t *frame, int width, int height,
    const uint8_t *frame_end   = frame + width * height;
    uint8_t *line_ptr;
    int count, i, v, lines, segments;
+    int y = 0;

    lines = bytestream_get_le16(&src);
    if (lines > height || src >= src_end)
@@ -239,10 +250,12 @@ static int decode_wdlt(uint8_t *frame, int width, int height,
    while (lines--) {
        segments = bytestream_get_le16(&src);
        while ((segments & 0xC000) == 0xC000) {
+            unsigned skip_lines = -(int16_t)segments;
            unsigned delta = -((int16_t)segments * width);
-            if (frame_end - frame <= delta)
+            if (frame_end - frame <= delta || y + lines + skip_lines > height)
                return -1;
            frame    += delta;
+            y        += skip_lines;
            segments = bytestream_get_le16(&src);
        }
        if (segments & 0x8000) {
@@ -251,6 +264,7 @@ static int decode_wdlt(uint8_t *frame, int width, int height,
        }
        line_ptr = frame;
        frame += width;
+        y++;
        while (segments--) {
            if (src_end - src < 2)
                return -1;
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -169,6 +169,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    int in, out = 0;
    int predictor[2];
    int channel_number = 0;
+    int stereo = s->channels - 1;
    short *output_samples = data;
    int shift[2];
    unsigned char byte;
@@ -177,6 +178,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    if (!buf_size)
        return 0;

+    if (stereo && (buf_size & 1))
+        buf_size--;
+
    // almost every DPCM variant expands one byte of data into two
    if(*data_size/2 < buf_size)
        return -1;
@@ -295,7 +299,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    }

    *data_size = out * sizeof(short);
-    return buf_size;
+    return avpkt->size;
 }

 #define DPCM_DECODER(id, name, long_name_)      \
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -146,11 +146,11 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
    return dst_cur - dst;
 }

-static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
 {
    uint16_t cmd;
    int i, sz, offset, code;
-    unsigned char *dst_end = dst + dst_size;
+    unsigned char *dst_end = dst + dst_size, *dst_start = dst;
    const unsigned char *src_end = src + src_size;

    while (src < src_end && dst < dst_end) {
@@ -161,6 +161,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
            } else {
                cmd = AV_RL16(src); src += 2;
                offset = cmd >> 4;
+                if ((int) (dst - dst_start) < offset + 1)
+                    return AVERROR_INVALIDDATA;
                sz = (cmd & 0xF) + 2;
                /* don't use memcpy/memmove here as the decoding routine (ab)uses */
                /* buffer overlappings to repeat bytes in the destination */
@@ -172,6 +174,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
            }
        }
    }
+
+    return 0;
 }

 static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
@@ -201,13 +205,7 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
    const uint8_t *buf = avpkt->data;
    int buf_size = avpkt->size;
    CinVideoContext *cin = avctx->priv_data;
-    int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size;
-
-    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
-    if (avctx->reget_buffer(avctx, &cin->frame)) {
-        av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
-        return -1;
-    }
+    int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0;

    palette_type = buf[0];
    palette_colors_count = AV_RL16(buf+1);
@@ -233,8 +231,6 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
            bitmap_frame_size -= 4;
        }
    }
-    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
-    cin->frame.palette_has_changed = 1;

    /* note: the decoding routines below assumes that surface.width = surface.pitch */
    switch (bitmap_frame_type) {
@@ -267,17 +263,31 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 38:
-        cin_decode_lzss(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        res = cin_decode_lzss(buf, bitmap_frame_size,
+                              cin->bitmap_table[CIN_CUR_BMP],
+                              cin->bitmap_size);
+        if (res < 0)
+            return res;
        break;
    case 39:
-        cin_decode_lzss(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        res = cin_decode_lzss(buf, bitmap_frame_size,
+                              cin->bitmap_table[CIN_CUR_BMP],
+                              cin->bitmap_size);
+        if (res < 0)
+            return res;
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    }

+    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+    if (avctx->reget_buffer(avctx, &cin->frame)) {
+        av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
+        return -1;
+    }
+
+    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
+    cin->frame.palette_has_changed = 1;
    for (y = 0; y < cin->avctx->height; ++y)
        memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0],
          cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
--- a/libavcodec/dxva2_internal.h
+++ b/libavcodec/dxva2_internal.h
@@ -25,7 +25,14 @@

 #define _WIN32_WINNT 0x0600
 #define COBJMACROS
+
+#include "config.h"
+
 #include "dxva2.h"
+#if HAVE_DXVA_H
+#include <dxva.h>
+#endif
+
 #include "avcodec.h"
 #include "mpegvideo.h"

--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -249,7 +249,7 @@ static int decode_frame(AVCodecContext *avctx,
    int chunk_type;
    int inter;

-    if (buf_size < 17) {
+    if (buf_size < 26) {
        av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
        *data_size = 0;
        return -1;
--- a/libavcodec/eatqi.c
+++ b/libavcodec/eatqi.c
@@ -59,12 +59,15 @@ static av_cold int tqi_decode_init(AVCodecContext *avctx)
    return 0;
 }

-static void tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
+static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
 {
    int n;
    s->dsp.clear_blocks(block[0]);
    for (n=0; n<6; n++)
-        ff_mpeg1_decode_block_intra(s, block[n], n);
+        if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0)
+            return -1;
+
+    return 0;
 }

 static inline void tqi_idct_put(TqiContext *t, DCTELEM (*block)[64])
@@ -136,7 +139,8 @@ static int tqi_decode_frame(AVCodecContext *avctx,
    for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++)
    for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++)
    {
-        tqi_decode_mb(s, t->block);
+        if (tqi_decode_mb(s, t->block) < 0)
+            break;
        tqi_idct_put(t, t->block);
    }

--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -420,7 +420,16 @@ static inline int decode_subframe(FLACContext *s, int channel)
    type = get_bits(&s->gb, 6);

    if (get_bits1(&s->gb)) {
+        int left = get_bits_left(&s->gb);
        wasted = 1;
+        if ( left < 0 ||
+            (left < s->curr_bps && !show_bits_long(&s->gb, left)) ||
+                                   !show_bits_long(&s->gb, s->curr_bps)) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "Invalid number of wasted bits > available bits (%d) - left=%d\n",
+                   s->curr_bps, left);
+            return AVERROR_INVALIDDATA;
+        }
        while (!get_bits1(&s->gb))
            wasted++;
        s->curr_bps -= wasted;
--- a/libavcodec/flacenc.c
+++ b/libavcodec/flacenc.c
@@ -948,14 +948,16 @@ static int encode_residual_ch(FlacEncodeContext *s, int ch)
        omethod == ORDER_METHOD_8LEVEL) {
        int levels = 1 << omethod;
        uint32_t bits[1 << ORDER_METHOD_8LEVEL];
-        int order;
+        int order       = -1;
        int opt_index   = levels-1;
        opt_order       = max_order-1;
        bits[opt_index] = UINT32_MAX;
        for (i = levels-1; i >= 0; i--) {
+            int last_order = order;
            order = min_order + (((max_order-min_order+1) * (i+1)) / levels)-1;
-            if (order < 0)
-                order = 0;
+            order = av_clip(order, min_order - 1, max_order - 1);
+            if (order == last_order)
+                continue;
            encode_residual_lpc(res, smp, n, order+1, coefs[order], shift[order]);
            bits[i] = find_subframe_rice_params(s, sub, order+1);
            if (bits[i] < bits[opt_index]) {
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -135,7 +135,7 @@ static int decode_frame(AVCodecContext *avctx,
    uint32_t *luma1,*luma2,*cb,*cr;
    uint32_t offs[4];
    int i, j, is_chroma, planes;
-
+    enum PixelFormat pix_fmt;

    header = AV_RL32(buf);
    version = header & 0xff;
@@ -152,12 +152,16 @@ static int decode_frame(AVCodecContext *avctx,
    if (header_size == 8)
        buf+=4;

+    pix_fmt = version & 1 ? PIX_FMT_BGR24 : PIX_FMT_YUVJ420P;
+    if (avctx->pix_fmt != pix_fmt && f->data[0]) {
+        avctx->release_buffer(avctx, f);
+    }
+    avctx->pix_fmt = pix_fmt;
+
    switch(version) {
    case 0:
    default:
        /* Fraps v0 is a reordered YUV420 */
-        avctx->pix_fmt = PIX_FMT_YUVJ420P;
-
        if ( (buf_size != avctx->width*avctx->height*3/2+header_size) &&
             (buf_size != header_size) ) {
            av_log(avctx, AV_LOG_ERROR,
@@ -205,8 +209,6 @@ static int decode_frame(AVCodecContext *avctx,

    case 1:
        /* Fraps v1 is an upside-down BGR24 */
-        avctx->pix_fmt = PIX_FMT_BGR24;
-
        if ( (buf_size != avctx->width*avctx->height*3+header_size) &&
             (buf_size != header_size) ) {
            av_log(avctx, AV_LOG_ERROR,
@@ -241,7 +243,6 @@ static int decode_frame(AVCodecContext *avctx,
         * Fraps v2 is Huffman-coded YUV420 planes
         * Fraps v4 is virtually the same
         */
-        avctx->pix_fmt = PIX_FMT_YUVJ420P;
        planes = 3;
        f->reference = 1;
        f->buffer_hints = FF_BUFFER_HINTS_VALID |
@@ -286,7 +287,6 @@ static int decode_frame(AVCodecContext *avctx,
    case 3:
    case 5:
        /* Virtually the same as version 4, but is for RGB24 */
-        avctx->pix_fmt = PIX_FMT_BGR24;
        planes = 3;
        f->reference = 1;
        f->buffer_hints = FF_BUFFER_HINTS_VALID |
--- a/libavcodec/golomb.h
+++ b/libavcodec/golomb.h
@@ -123,7 +123,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){
    }else{
        int ret = 1;

-        while (1) {
+        do {
            buf >>= 32 - 8;
            LAST_SKIP_BITS(re, gb, FFMIN(ff_interleaved_golomb_vlc_len[buf], 8));

@@ -135,7 +135,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){
            ret = (ret << 4) | ff_interleaved_dirac_golomb_vlc_code[buf];
            UPDATE_CACHE(re, gb);
            buf = GET_CACHE(re, gb);
-        }
+        } while (ret);

        CLOSE_READER(re, gb);
        return ret - 1;
@@ -301,7 +301,7 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int
        return buf;
    }else{
        int i;
-        for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
+        for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) {
            LAST_SKIP_BITS(re, gb, 1);
            UPDATE_CACHE(re, gb);
        }
--- a/libavcodec/h263.c
+++ b/libavcodec/h263.c
@@ -98,7 +98,7 @@ void ff_h263_update_motion_val(MpegEncContext * s){
    }
 }

-int h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr)
+int ff_h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr)
 {
    int x, y, wrap, a, c, pred_dc;
    int16_t *dc_val;
@@ -226,7 +226,7 @@ void ff_h263_loop_filter(MpegEncContext * s){
    }
 }

-void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n)
+void ff_h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n)
 {
    int x, y, wrap, a, c, pred_dc, scale, i;
    int16_t *dc_val, *ac_val, *ac_val1;
@@ -313,8 +313,8 @@ void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n)
        ac_val1[8 + i] = block[s->dsp.idct_permutation[i   ]];
 }

-int16_t *h263_pred_motion(MpegEncContext * s, int block, int dir,
-                        int *px, int *py)
+int16_t *ff_h263_pred_motion(MpegEncContext * s, int block, int dir,
+                             int *px, int *py)
 {
    int wrap;
    int16_t *A, *B, *C, (*mot_val)[2];
--- a/libavcodec/h263.h
+++ b/libavcodec/h263.h
@@ -38,16 +38,16 @@
 extern const AVRational ff_h263_pixel_aspect[16];
 extern const uint8_t ff_h263_cbpy_tab[16][2];

-extern const uint8_t cbpc_b_tab[4][2];
+extern const uint8_t ff_cbpc_b_tab[4][2];

-extern const uint8_t mvtab[33][2];
+extern const uint8_t ff_mvtab[33][2];

 extern const uint8_t ff_h263_intra_MCBPC_code[9];
 extern const uint8_t ff_h263_intra_MCBPC_bits[9];

 extern const uint8_t ff_h263_inter_MCBPC_code[28];
 extern const uint8_t ff_h263_inter_MCBPC_bits[28];
-extern const uint8_t h263_mbtype_b_tab[15][2];
+extern const uint8_t ff_h263_mbtype_b_tab[15][2];

 extern VLC ff_h263_intra_MCBPC_vlc;
 extern VLC ff_h263_inter_MCBPC_vlc;
@@ -55,41 +55,41 @@ extern VLC ff_h263_cbpy_vlc;

 extern RLTable ff_h263_rl_inter;

-extern RLTable rl_intra_aic;
+extern RLTable ff_rl_intra_aic;

-extern const uint16_t h263_format[8][2];
-extern const uint8_t modified_quant_tab[2][32];
+extern const uint16_t ff_h263_format[8][2];
+extern const uint8_t ff_modified_quant_tab[2][32];
 extern uint16_t ff_mba_max[6];
 extern uint8_t ff_mba_length[7];

 extern uint8_t ff_h263_static_rl_table_store[2][2][2*MAX_RUN + MAX_LEVEL + 3];


-int h263_decode_motion(MpegEncContext * s, int pred, int f_code);
+int ff_h263_decode_motion(MpegEncContext * s, int pred, int f_code);
 av_const int ff_h263_aspect_to_info(AVRational aspect);
 int ff_h263_decode_init(AVCodecContext *avctx);
 int ff_h263_decode_frame(AVCodecContext *avctx,
                             void *data, int *data_size,
                             AVPacket *avpkt);
 int ff_h263_decode_end(AVCodecContext *avctx);
-void h263_encode_mb(MpegEncContext *s,
-                    DCTELEM block[6][64],
-                    int motion_x, int motion_y);
-void h263_encode_picture_header(MpegEncContext *s, int picture_number);
-void h263_encode_gob_header(MpegEncContext * s, int mb_line);
-int16_t *h263_pred_motion(MpegEncContext * s, int block, int dir,
-                        int *px, int *py);
-void h263_encode_init(MpegEncContext *s);
-void h263_decode_init_vlc(MpegEncContext *s);
-int h263_decode_picture_header(MpegEncContext *s);
+void ff_h263_encode_mb(MpegEncContext *s,
+                       DCTELEM block[6][64],
+                       int motion_x, int motion_y);
+void ff_h263_encode_picture_header(MpegEncContext *s, int picture_number);
+void ff_h263_encode_gob_header(MpegEncContext * s, int mb_line);
+int16_t *ff_h263_pred_motion(MpegEncContext * s, int block, int dir,
+                             int *px, int *py);
+void ff_h263_encode_init(MpegEncContext *s);
+void ff_h263_decode_init_vlc(MpegEncContext *s);
+int ff_h263_decode_picture_header(MpegEncContext *s);
 int ff_h263_decode_gob_header(MpegEncContext *s);
 void ff_h263_update_motion_val(MpegEncContext * s);
 void ff_h263_loop_filter(MpegEncContext * s);
 int ff_h263_decode_mba(MpegEncContext *s);
 void ff_h263_encode_mba(MpegEncContext *s);
 void ff_init_qscale_tab(MpegEncContext *s);
-int h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr);
-void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n);
+int ff_h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr);
+void ff_h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n);


 /**
@@ -119,7 +119,7 @@ static inline int h263_get_motion_length(MpegEncContext * s, int val, int f_code
    int l, bit_size, code;

    if (val == 0) {
-        return mvtab[0][1];
+        return ff_mvtab[0][1];
    } else {
        bit_size = f_code - 1;
        /* modulo encoding */
@@ -128,7 +128,7 @@ static inline int h263_get_motion_length(MpegEncContext * s, int val, int f_code
        val--;
        code = (val >> bit_size) + 1;

-        return mvtab[code][1] + 1 + bit_size;
+        return ff_mvtab[code][1] + 1 + bit_size;
    }
 }

--- a/libavcodec/h263data.h
+++ b/libavcodec/h263data.h
@@ -57,7 +57,7 @@ const uint8_t ff_h263_inter_MCBPC_bits[28] = {
    11, 13, 13, 13,/* inter4Q*/
 };

-const uint8_t h263_mbtype_b_tab[15][2] = {
+const uint8_t ff_h263_mbtype_b_tab[15][2] = {
 {1, 1},
 {3, 3},
 {1, 5},
@@ -75,7 +75,7 @@ const uint8_t h263_mbtype_b_tab[15][2] = {
 {1, 8},
 };

-const uint8_t cbpc_b_tab[4][2] = {
+const uint8_t ff_cbpc_b_tab[4][2] = {
 {0, 1},
 {2, 2},
 {7, 3},
@@ -88,7 +88,7 @@ const uint8_t ff_h263_cbpy_tab[16][2] =
  {2,5}, {3,6}, {5,4}, {10,4}, {4,4}, {8,4}, {6,4}, {3,2}
 };

-const uint8_t mvtab[33][2] =
+const uint8_t ff_mvtab[33][2] =
 {
  {1,1}, {1,2}, {1,3}, {1,4}, {3,6}, {5,7}, {4,7}, {3,7},
  {11,9}, {10,9}, {9,9}, {17,10}, {16,10}, {15,10}, {14,10}, {13,10},
@@ -98,7 +98,7 @@ const uint8_t mvtab[33][2] =
 };

 /* third non intra table */
-const uint16_t inter_vlc[103][2] = {
+const uint16_t ff_inter_vlc[103][2] = {
 { 0x2, 2 },{ 0xf, 4 },{ 0x15, 6 },{ 0x17, 7 },
 { 0x1f, 8 },{ 0x25, 9 },{ 0x24, 9 },{ 0x21, 10 },
 { 0x20, 10 },{ 0x7, 11 },{ 0x6, 11 },{ 0x20, 11 },
@@ -127,7 +127,7 @@ const uint16_t inter_vlc[103][2] = {
 { 0x5e, 12 },{ 0x5f, 12 },{ 0x3, 7 },
 };

-const int8_t inter_level[102] = {
+const int8_t ff_inter_level[102] = {
  1,  2,  3,  4,  5,  6,  7,  8,
  9, 10, 11, 12,  1,  2,  3,  4,
  5,  6,  1,  2,  3,  4,  1,  2,
@@ -143,7 +143,7 @@ const int8_t inter_level[102] = {
  1,  1,  1,  1,  1,  1,
 };

-const int8_t inter_run[102] = {
+const int8_t ff_inter_run[102] = {
  0,  0,  0,  0,  0,  0,  0,  0,
  0,  0,  0,  0,  1,  1,  1,  1,
  1,  1,  2,  2,  2,  2,  3,  3,
@@ -162,9 +162,9 @@ const int8_t inter_run[102] = {
 RLTable ff_h263_rl_inter = {
    102,
    58,
-    inter_vlc,
-    inter_run,
-    inter_level,
+    ff_inter_vlc,
+    ff_inter_run,
+    ff_inter_level,
 };

 static const uint16_t intra_vlc_aic[103][2] = {
@@ -228,7 +228,7 @@ static const int8_t intra_level_aic[102] = {
 1,  1,  1,  1,  1,  1,
 };

-RLTable rl_intra_aic = {
+RLTable ff_rl_intra_aic = {
    102,
    58,
    intra_vlc_aic,
@@ -236,7 +236,7 @@ RLTable rl_intra_aic = {
    intra_level_aic,
 };

-const uint16_t h263_format[8][2] = {
+const uint16_t ff_h263_format[8][2] = {
    { 0, 0 },
    { 128, 96 },
    { 176, 144 },
@@ -250,7 +250,7 @@ const uint8_t ff_aic_dc_scale_table[32]={
    0, 2, 4, 6, 8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62
 };

-const uint8_t modified_quant_tab[2][32]={
+const uint8_t ff_modified_quant_tab[2][32]={
 //  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
 {
    0, 3, 1, 2, 3, 4, 5, 6, 7, 8, 9, 9,10,11,12,13,14,15,16,17,18,18,19,20,21,22,23,24,25,26,27,28
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -111,7 +111,7 @@ av_cold int ff_h263_decode_init(AVCodecContext *avctx)
        if (MPV_common_init(s) < 0)
            return -1;

-        h263_decode_init_vlc(s);
+        ff_h263_decode_init_vlc(s);

    return 0;
 }
@@ -429,7 +429,7 @@ retry:
    } else if (CONFIG_FLV_DECODER && s->h263_flv) {
        ret = ff_flv_decode_picture_header(s);
    } else {
-        ret = h263_decode_picture_header(s);
+        ret = ff_h263_decode_picture_header(s);
    }

    if(ret==FRAME_SKIPPED) return get_consumed_bytes(s, buf_size);
@@ -438,6 +438,13 @@ retry:
    if (ret < 0){
        av_log(s->avctx, AV_LOG_ERROR, "header damaged\n");
        return -1;
+    } else if ((s->width  != avctx->coded_width  ||
+                s->height != avctx->coded_height ||
+                (s->width  + 15) >> 4 != s->mb_width ||
+                (s->height + 15) >> 4 != s->mb_height) &&
+               (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))) {
+        av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+        return AVERROR_PATCHWELCOME;   // width / height changed during parallelized decoding
    }

    avctx->has_b_frames= !s->low_delay;
@@ -564,8 +571,7 @@ retry:
 #if HAVE_MMX
    if (s->codec_id == CODEC_ID_MPEG4 && s->xvid_build>=0 && avctx->idct_algo == FF_IDCT_AUTO && (av_get_cpu_flags() & AV_CPU_FLAG_MMX)) {
        avctx->idct_algo= FF_IDCT_XVIDMMX;
-        avctx->coded_width= 0; // force reinit
-//        dsputil_init(&s->dsp, avctx);
+        ff_dct_common_init(s);
        s->picture_number=0;
    }
 #endif
@@ -579,6 +585,12 @@ retry:
        || s->height != avctx->coded_height) {
        /* H.263 could change picture size any time */
        ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
+
+        if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
+            av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+            return -1;   // width / height changed during parallelized decoding
+        }
+
        s->parse_context.buffer=0;
        MPV_common_end(s);
        s->parse_context= pc;
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -108,7 +108,10 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){
    return 0;
 } //FIXME cleanup like check_intra_pred_mode

-static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
+/**
+ * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
+ */
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
    MpegEncContext * const s = &h->s;
    static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
    static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
@@ -140,23 +143,6 @@ static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
    return mode;
 }

-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode)
-{
-    return check_intra_pred_mode(h, mode, 0);
-}
-
-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode)
-{
-    return check_intra_pred_mode(h, mode, 1);
-}
-
-
 const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_length, int *consumed, int length){
    int i, si, di;
    uint8_t *dst;
@@ -2231,7 +2217,11 @@ static void implicit_weight_table(H264Context *h, int field){
    }

    if(field < 0){
-        cur_poc = s->current_picture_ptr->poc;
+        if (s->picture_structure == PICT_FRAME) {
+            cur_poc = s->current_picture_ptr->poc;
+        } else {
+            cur_poc = s->current_picture_ptr->field_poc[s->picture_structure - 1];
+        }
    if(   h->ref_count[0] == 1 && h->ref_count[1] == 1 && !FRAME_MBAFF
       && h->ref_list[0][0].poc + h->ref_list[1][0].poc == 2*cur_poc){
        h->use_weight= 0;
@@ -2627,12 +2617,18 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    else
        s->height= 16*s->mb_height - (4>>CHROMA444)*FFMIN(h->sps.crop_bottom, (8<<CHROMA444)-1);

+    if (FFALIGN(s->avctx->width,  16) == s->width &&
+        FFALIGN(s->avctx->height, 16) == s->height) {
+        s->width  = s->avctx->width;
+        s->height = s->avctx->height;
+    }
+
    if (s->context_initialized
        && (   s->width != s->avctx->width || s->height != s->avctx->height
            || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) {
-        if(h != h0) {
+        if(h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) {
            av_log_missing_feature(s->avctx, "Width/height changing with threads is", 0);
-            return -1;   // width / height changed during parallelized decoding
+            return AVERROR_PATCHWELCOME;   // width / height changed during parallelized decoding
        }
        free_tables(h, 0);
        flush_dpb(s->avctx);
@@ -2896,7 +2892,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    h->ref_count[1]= h->pps.ref_count[1];

    if(h->slice_type_nos != AV_PICTURE_TYPE_I){
-        unsigned max= (16<<(s->picture_structure != PICT_FRAME))-1;
+        unsigned max= s->picture_structure == PICT_FRAME ? 15 : 31;
+
        if(h->slice_type_nos == AV_PICTURE_TYPE_B){
            h->direct_spatial_mv_pred= get_bits1(&s->gb);
        }
@@ -2904,15 +2901,21 @@ static int decode_slice_header(H264Context *h, H264Context *h0){

        if(num_ref_idx_active_override_flag){
            h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
-            if(h->slice_type_nos==AV_PICTURE_TYPE_B)
+            if (h->ref_count[0] < 1)
+                return AVERROR_INVALIDDATA;
+            if (h->slice_type_nos == AV_PICTURE_TYPE_B) {
                h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
+                if (h->ref_count[1] < 1)
+                    return AVERROR_INVALIDDATA;
+            }
+        }

-        }
-        if(h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
+        if (h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
            av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
-            h->ref_count[0]= h->ref_count[1]= 1;
-            return -1;
+            h->ref_count[0] = h->ref_count[1] = 1;
+            return AVERROR_INVALIDDATA;
        }
+
        if(h->slice_type_nos == AV_PICTURE_TYPE_B)
            h->list_count= 2;
        else
@@ -3553,7 +3556,9 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg){

                        return 0;
                    }else{
-                        ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, (AC_END|DC_END|MV_END)&part_mask);
+                        ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y,
+                                        s->mb_x - 1, s->mb_y,
+                                        (AC_END|DC_END|MV_END)&part_mask);

                        return -1;
                    }
@@ -3715,7 +3720,11 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
                    break;
            }

-            if(buf_index+3 >= buf_size) break;
+
+            if (buf_index + 3 >= buf_size) {
+                buf_index = buf_size;
+                break;
+            }

            buf_index+=3;
            if(buf_index >= next_avc) continue;
@@ -3761,7 +3770,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
                case NAL_IDR_SLICE:
                case NAL_SLICE:
                    init_get_bits(&hx->s.gb, ptr, bit_length);
-                    if(!get_ue_golomb(&hx->s.gb))
+                    if (!get_ue_golomb(&hx->s.gb))
                        nals_needed = nal_index;
            }
            continue;
@@ -3848,6 +3857,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
            hx->inter_gb_ptr= &hx->inter_gb;

            if(hx->redundant_pic_count==0 && hx->intra_gb_ptr && hx->s.data_partitioning
+               && s->current_picture_ptr
               && s->context_initialized
 #if FF_API_HURRY_UP
               && s->hurry_up < 5
@@ -3866,9 +3876,16 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
            init_get_bits(&s->gb, ptr, bit_length);
            ff_h264_decode_seq_parameter_set(h);

-            if (s->flags& CODEC_FLAG_LOW_DELAY ||
-                (h->sps.bitstream_restriction_flag && !h->sps.num_reorder_frames))
-                s->low_delay=1;
+            if (s->flags & CODEC_FLAG_LOW_DELAY ||
+                (h->sps.bitstream_restriction_flag &&
+                 !h->sps.num_reorder_frames)) {
+                if (s->avctx->has_b_frames > 1 || h->delayed_pic[0])
+                    av_log(avctx, AV_LOG_WARNING, "Delayed frames seen "
+                           "reenabling low delay requires a codec "
+                           "flush.\n");
+                else
+                    s->low_delay = 1;
+            }

            if(avctx->has_b_frames < 2)
                avctx->has_b_frames= !s->low_delay;
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -658,12 +658,7 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h);
 /**
 * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
 */
-int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode);
-
-/**
- * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode);
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma);

 void ff_h264_write_back_intra_pred_mode(H264Context *h);
 void ff_h264_hl_decode_mb(H264Context *h);
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1959,6 +1959,8 @@ decode_intra_mb:
        }

        // The pixels are stored in the same order as levels in h->mb array.
+        if ((int) (h->cabac.bytestream_end - ptr) < mb_size)
+            return -1;
        memcpy(h->mb, ptr, mb_size); ptr+=mb_size;

        ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr);
@@ -2003,14 +2005,14 @@ decode_intra_mb:
            ff_h264_write_back_intra_pred_mode(h);
            if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1;
        } else {
-            h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode( h, h->intra16x16_pred_mode );
+            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode, 0 );
            if( h->intra16x16_pred_mode < 0 ) return -1;
        }
        if(decode_chroma){
            h->chroma_pred_mode_table[mb_xy] =
            pred_mode                        = decode_cabac_mb_chroma_pre_mode( h );

-            pred_mode= ff_h264_check_intra_chroma_pred_mode( h, pred_mode );
+            pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode, 1 );
            if( pred_mode < 0 ) return -1;
            h->chroma_pred_mode= pred_mode;
        } else {
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -238,17 +238,18 @@ static inline int pred_non_zero_count(H264Context *h, int n){
 }

 static av_cold void init_cavlc_level_tab(void){
-    int suffix_length, mask;
+    int suffix_length;
    unsigned int i;

    for(suffix_length=0; suffix_length<7; suffix_length++){
        for(i=0; i<(1<<LEVEL_TAB_BITS); i++){
            int prefix= LEVEL_TAB_BITS - av_log2(2*i);
-            int level_code= (prefix<<suffix_length) + (i>>(LEVEL_TAB_BITS-prefix-1-suffix_length)) - (1<<suffix_length);

-            mask= -(level_code&1);
-            level_code= (((2+level_code)>>1) ^ mask) - mask;
            if(prefix + 1 + suffix_length <= LEVEL_TAB_BITS){
+                int level_code = (prefix << suffix_length) +
+                    (i >> (av_log2(i) - suffix_length)) - (1 << suffix_length);
+                int mask = -(level_code&1);
+                level_code = (((2 + level_code) >> 1) ^ mask) - mask;
                cavlc_level_tab[suffix_length][i][0]= level_code;
                cavlc_level_tab[suffix_length][i][1]= prefix + 1 + suffix_length;
            }else if(prefix + 1 <= LEVEL_TAB_BITS){
@@ -735,12 +736,12 @@ decode_intra_mb:
            if( ff_h264_check_intra4x4_pred_mode(h) < 0)
                return -1;
        }else{
-            h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode(h, h->intra16x16_pred_mode);
+            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode, 0);
            if(h->intra16x16_pred_mode < 0)
                return -1;
        }
        if(decode_chroma){
-            pred_mode= ff_h264_check_intra_chroma_pred_mode(h, get_ue_golomb_31(&s->gb));
+            pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb), 1);
            if(pred_mode < 0)
                return -1;
            h->chroma_pred_mode= pred_mode;
--- a/libavcodec/h264_parser.c
+++ b/libavcodec/h264_parser.c
@@ -251,6 +251,12 @@ static int h264_parse(AVCodecParserContext *s,
        h->got_first = 1;
        if (avctx->extradata_size) {
            h->s.avctx = avctx;
+            // must be done like in decoder, otherwise opening the parser,
+            // letting it create extradata and then closing and opening again
+            // will cause has_b_frames to be always set.
+            // Note that estimate_timings_from_pts does exactly this.
+            if (!avctx->has_b_frames)
+                h->s.low_delay = 1;
            ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size);
        }
    }
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -37,6 +37,9 @@
 //#undef NDEBUG
 #include <assert.h>

+#define MAX_LOG2_MAX_FRAME_NUM    (12 + 4)
+#define MIN_LOG2_MAX_FRAME_NUM    4
+
 static const AVRational pixel_aspect[17]={
 {0, 1},
 {1, 1},
@@ -311,7 +314,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
    MpegEncContext * const s = &h->s;
    int profile_idc, level_idc, constraint_set_flags = 0;
    unsigned int sps_id;
-    int i;
+    int i, log2_max_frame_num_minus4;
    SPS *sps;

    profile_idc= get_bits(&s->gb, 8);
@@ -340,10 +343,18 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
    memset(sps->scaling_matrix8, 16, sizeof(sps->scaling_matrix8));
    sps->scaling_matrix_present = 0;

-    if(sps->profile_idc >= 100){ //high profile
+    if (sps->profile_idc == 100 || sps->profile_idc == 110 ||
+        sps->profile_idc == 122 || sps->profile_idc == 244 ||
+        sps->profile_idc ==  44 || sps->profile_idc ==  83 ||
+        sps->profile_idc ==  86 || sps->profile_idc == 118 ||
+        sps->profile_idc == 128 || sps->profile_idc == 144) {
        sps->chroma_format_idc= get_ue_golomb_31(&s->gb);
-        if(sps->chroma_format_idc == 3)
+        if (sps->chroma_format_idc > 3U) {
+            av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc %d is illegal\n", sps->chroma_format_idc);
+            goto fail;
+        } else if(sps->chroma_format_idc == 3) {
            sps->residual_color_transform_flag = get_bits1(&s->gb);
+        }
        sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
        sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
        if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) {
@@ -359,7 +370,16 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
        sps->bit_depth_chroma = 8;
    }

-    sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4;
+    log2_max_frame_num_minus4 = get_ue_golomb(&s->gb);
+    if (log2_max_frame_num_minus4 < MIN_LOG2_MAX_FRAME_NUM - 4 ||
+        log2_max_frame_num_minus4 > MAX_LOG2_MAX_FRAME_NUM - 4) {
+        av_log(h->s.avctx, AV_LOG_ERROR,
+               "log2_max_frame_num_minus4 out of range (0-12): %d\n",
+               log2_max_frame_num_minus4);
+        return AVERROR_INVALIDDATA;
+    }
+    sps->log2_max_frame_num = log2_max_frame_num_minus4 + 4;
+
    sps->poc_type= get_ue_golomb_31(&s->gb);

    if(sps->poc_type == 0){ //FIXME #define
@@ -481,10 +501,14 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
    unsigned int pps_id= get_ue_golomb(&s->gb);
    PPS *pps;
    const int qp_bd_offset = 6*(h->sps.bit_depth_luma-8);
+    int bits_left;

    if(pps_id >= MAX_PPS_COUNT) {
        av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id);
        return -1;
+    } else if (h->sps.bit_depth_luma > 10) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma);
+        return AVERROR_PATCHWELCOME;
    }

    pps= av_mallocz(sizeof(PPS));
@@ -557,7 +581,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
    memcpy(pps->scaling_matrix4, h->sps_buffers[pps->sps_id]->scaling_matrix4, sizeof(pps->scaling_matrix4));
    memcpy(pps->scaling_matrix8, h->sps_buffers[pps->sps_id]->scaling_matrix8, sizeof(pps->scaling_matrix8));

-    if(get_bits_count(&s->gb) < bit_length){
+    bits_left = bit_length - get_bits_count(&s->gb);
+    if (bits_left && (bits_left > 8 ||
+                      show_bits(&s->gb, bits_left) != 1 << (bits_left - 1))) {
        pps->transform_8x8_mode= get_bits1(&s->gb);
        decode_scaling_matrices(h, h->sps_buffers[pps->sps_id], pps, 0, pps->scaling_matrix4, pps->scaling_matrix8);
        pps->chroma_qp_index_offset[1]= get_se_golomb(&s->gb); //second_chroma_qp_index_offset
--- a/libavcodec/huffyuv.c
+++ b/libavcodec/huffyuv.c
@@ -28,6 +28,7 @@
 * huffyuv codec for libavcodec.
 */

+#include "libavutil/avassert.h"
 #include "avcodec.h"
 #include "get_bits.h"
 #include "put_bits.h"
@@ -82,13 +83,15 @@ typedef struct HYuvContext{
    DSPContext dsp;
 }HYuvContext;

-static const unsigned char classic_shift_luma[] = {
+#define classic_shift_luma_table_size 42
+static const unsigned char classic_shift_luma[classic_shift_luma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
  34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8,
  16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70,
  69,68, 0
 };

-static const unsigned char classic_shift_chroma[] = {
+#define classic_shift_chroma_table_size 59
+static const unsigned char classic_shift_chroma[classic_shift_chroma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
  66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183,
  56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119,
  214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0
@@ -184,7 +187,7 @@ static int read_len_table(uint8_t *dst, GetBitContext *gb){
        if(repeat==0)
            repeat= get_bits(gb, 8);
 //printf("%d %d\n", val, repeat);
-        if(i+repeat > 256) {
+        if(i+repeat > 256 || get_bits_left(gb) < 0) {
            av_log(NULL, AV_LOG_ERROR, "Error reading huffman table\n");
            return -1;
        }
@@ -281,12 +284,13 @@ static void generate_joint_tables(HYuvContext *s){
            for(i=y=0; y<256; y++){
                int len0 = s->len[0][y];
                int limit = VLC_BITS - len0;
-                if(limit <= 0)
+                if(limit <= 0 || !len0)
                    continue;
                for(u=0; u<256; u++){
                    int len1 = s->len[p][u];
-                    if(len1 > limit)
+                    if (len1 > limit || !len1)
                        continue;
+                    av_assert0(i < (1 << VLC_BITS));
                    len[i] = len0 + len1;
                    bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
                    symbols[i] = (y<<8) + u;
@@ -308,18 +312,19 @@ static void generate_joint_tables(HYuvContext *s){
        for(i=0, g=-16; g<16; g++){
            int len0 = s->len[p0][g&255];
            int limit0 = VLC_BITS - len0;
-            if(limit0 < 2)
+            if (limit0 < 2 || !len0)
                continue;
            for(b=-16; b<16; b++){
                int len1 = s->len[p1][b&255];
                int limit1 = limit0 - len1;
-                if(limit1 < 1)
+                if (limit1 < 1 || !len1)
                    continue;
                code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255];
                for(r=-16; r<16; r++){
                    int len2 = s->len[2][r&255];
-                    if(len2 > limit1)
+                    if (len2 > limit1 || !len2)
                        continue;
+                    av_assert0(i < (1 << VLC_BITS));
                    len[i] = len0 + len1 + len2;
                    bits[i] = (code << len2) + s->bits[2][r&255];
                    if(s->decorrelate){
@@ -343,6 +348,7 @@ static void generate_joint_tables(HYuvContext *s){
 static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
    GetBitContext gb;
    int i;
+    int ret;

    init_get_bits(&gb, src, length*8);

@@ -353,7 +359,8 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
            return -1;
        }
        free_vlc(&s->vlc[i]);
-        init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
+        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0)
+            return ret;
    }

    generate_joint_tables(s);
@@ -365,11 +372,12 @@ static int read_old_huffman_tables(HYuvContext *s){
 #if 1
    GetBitContext gb;
    int i;
+    int ret;

-    init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
+    init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8);
    if(read_len_table(s->len[0], &gb)<0)
        return -1;
-    init_get_bits(&gb, classic_shift_chroma, sizeof(classic_shift_chroma)*8);
+    init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8);
    if(read_len_table(s->len[1], &gb)<0)
        return -1;

@@ -385,7 +393,8 @@ static int read_old_huffman_tables(HYuvContext *s){

    for(i=0; i<3; i++){
        free_vlc(&s->vlc[i]);
-        init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
+        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0)
+            return ret;
    }

    generate_joint_tables(s);
@@ -515,7 +524,7 @@ s->bgr32=1;
        }
        break;
    default:
-        assert(0);
+        return AVERROR_INVALIDDATA;
    }

    alloc_temp(s);
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -176,7 +176,13 @@ static int extract_header(AVCodecContext *const avctx,
    const uint8_t *buf;
    unsigned buf_size;
    IffContext *s = avctx->priv_data;
-    int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+    int palette_size;
+
+    if (avctx->extradata_size < 2) {
+        av_log(avctx, AV_LOG_ERROR, "not enough extradata\n");
+        return AVERROR_INVALIDDATA;
+    }
+    palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);

    if (avpkt) {
        int image_size;
@@ -192,8 +198,6 @@ static int extract_header(AVCodecContext *const avctx,
            return AVERROR_INVALIDDATA;
        }
    } else {
-        if (avctx->extradata_size < 2)
-            return AVERROR_INVALIDDATA;
        buf = avctx->extradata;
        buf_size = bytestream_get_be16(&buf);
        if (buf_size <= 1 || palette_size < 0) {
@@ -281,7 +285,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
    int err;

    if (avctx->bits_per_coded_sample <= 8) {
-        int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+        int palette_size;
+
+        if (avctx->extradata_size >= 2)
+            palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+        else
+            palette_size = 0;
        avctx->pix_fmt = (avctx->bits_per_coded_sample < 8) ||
                         (avctx->extradata_size >= 2 && palette_size) ? PIX_FMT_PAL8 : PIX_FMT_GRAY8;
    } else if (avctx->bits_per_coded_sample <= 32) {
--- a/libavcodec/imgconvert.c
+++ b/libavcodec/imgconvert.c
@@ -654,7 +654,8 @@ static enum PixelFormat avcodec_find_best_pix_fmt1(int64_t pix_fmt_mask,
    /* find exact color match with smallest size */
    dst_pix_fmt = PIX_FMT_NONE;
    min_dist = 0x7fffffff;
-    for(i = 0;i < PIX_FMT_NB; i++) {
+    /* test only the first 64 pixel formats to avoid undefined behaviour */
+    for (i = 0; i < 64; i++) {
        if (pix_fmt_mask & (1ULL << i)) {
            loss = avcodec_get_pix_fmt_loss(i, src_pix_fmt, has_alpha) & loss_mask;
            if (loss == 0) {
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -76,6 +76,8 @@ typedef struct {
    int             is_scalable;
    uint32_t        lock_word;
    IVIPicConfig    pic_conf;
+
+    int gop_invalid;
 } IVI5DecContext;


@@ -219,6 +221,10 @@ static int decode_gop_header(IVI5DecContext *ctx, AVCodecContext *avctx)
            }

            if (band->blk_size == 8) {
+                if(quant_mat >= 5){
+                    av_log(avctx, AV_LOG_ERROR, "quant_mat %d too large!\n", quant_mat);
+                    return -1;
+                }
                band->intra_base  = &ivi5_base_quant_8x8_intra[quant_mat][0];
                band->inter_base  = &ivi5_base_quant_8x8_inter[quant_mat][0];
                band->intra_scale = &ivi5_scale_quant_8x8_intra[quant_mat][0];
@@ -335,8 +341,12 @@ static int decode_pic_hdr(IVI5DecContext *ctx, AVCodecContext *avctx)
    ctx->frame_num = get_bits(&ctx->gb, 8);

    if (ctx->frame_type == FRAMETYPE_INTRA) {
-        if (decode_gop_header(ctx, avctx))
-            return -1;
+        ctx->gop_invalid = 1;
+        if (decode_gop_header(ctx, avctx)) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n");
+            return AVERROR_INVALIDDATA;
+        }
+        ctx->gop_invalid = 0;
    }

    if (ctx->frame_type != FRAMETYPE_NULL) {
@@ -453,6 +463,16 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band,
    ref_mb = tile->ref_mbs;
    offs   = tile->ypos * band->pitch + tile->xpos;

+    if (!ref_mb &&
+        ((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv))
+        return AVERROR_INVALIDDATA;
+
+    if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) {
+        av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches parameters %d\n",
+               tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size));
+        return AVERROR_INVALIDDATA;
+    }
+
    /* scale factor for motion vectors */
    mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3);
    mv_x = mv_y = 0;
@@ -603,8 +623,10 @@ static int decode_band(IVI5DecContext *ctx, int plane_num,

        tile->is_empty = get_bits1(&ctx->gb);
        if (tile->is_empty) {
-            ff_ivi_process_empty_tile(avctx, band, tile,
+            result = ff_ivi_process_empty_tile(avctx, band, tile,
                                      (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3));
+            if (result < 0)
+                break;
        } else {
            tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb);

@@ -751,6 +773,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
               "Error while decoding picture header: %d\n", result);
        return -1;
    }
+    if (ctx->gop_invalid)
+        return AVERROR_INVALIDDATA;

    if (ctx->gop_flags & IVI5_IS_PROTECTED) {
        av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n");
--- a/libavcodec/intelh263dec.c
+++ b/libavcodec/intelh263dec.c
@@ -65,8 +65,8 @@ int ff_intel_h263_decode_picture_header(MpegEncContext *s)
    s->pb_frame = get_bits1(&s->gb);

    if (format < 6) {
-        s->width = h263_format[format][0];
-        s->height = h263_format[format][1];
+        s->width = ff_h263_format[format][0];
+        s->height = ff_h263_format[format][1];
        s->avctx->sample_aspect_ratio.num = 12;
        s->avctx->sample_aspect_ratio.den = 11;
    } else {
@@ -77,7 +77,7 @@ int ff_intel_h263_decode_picture_header(MpegEncContext *s)
        }
        if(get_bits(&s->gb, 2))
            av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
-        s->loop_filter = get_bits1(&s->gb);
+        s->loop_filter = get_bits1(&s->gb) * !s->avctx->lowres;
        if(get_bits1(&s->gb))
            av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
        if(get_bits1(&s->gb))
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -100,7 +100,7 @@ static VLC cbpc_b_vlc;
 /* init vlcs */

 /* XXX: find a better solution to handle static init */
-void h263_decode_init_vlc(MpegEncContext *s)
+void ff_h263_decode_init_vlc(MpegEncContext *s)
 {
    static int done = 0;

@@ -117,18 +117,18 @@ void h263_decode_init_vlc(MpegEncContext *s)
                 &ff_h263_cbpy_tab[0][1], 2, 1,
                 &ff_h263_cbpy_tab[0][0], 2, 1, 64);
        INIT_VLC_STATIC(&mv_vlc, MV_VLC_BITS, 33,
-                 &mvtab[0][1], 2, 1,
-                 &mvtab[0][0], 2, 1, 538);
+                 &ff_mvtab[0][1], 2, 1,
+                 &ff_mvtab[0][0], 2, 1, 538);
        init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]);
-        init_rl(&rl_intra_aic, ff_h263_static_rl_table_store[1]);
+        init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]);
        INIT_VLC_RL(ff_h263_rl_inter, 554);
-        INIT_VLC_RL(rl_intra_aic, 554);
+        INIT_VLC_RL(ff_rl_intra_aic, 554);
        INIT_VLC_STATIC(&h263_mbtype_b_vlc, H263_MBTYPE_B_VLC_BITS, 15,
-                 &h263_mbtype_b_tab[0][1], 2, 1,
-                 &h263_mbtype_b_tab[0][0], 2, 1, 80);
+                 &ff_h263_mbtype_b_tab[0][1], 2, 1,
+                 &ff_h263_mbtype_b_tab[0][0], 2, 1, 80);
        INIT_VLC_STATIC(&cbpc_b_vlc, CBPC_B_VLC_BITS, 4,
-                 &cbpc_b_tab[0][1], 2, 1,
-                 &cbpc_b_tab[0][0], 2, 1, 8);
+                 &ff_cbpc_b_tab[0][1], 2, 1,
+                 &ff_cbpc_b_tab[0][0], 2, 1, 8);
    }
 }

@@ -268,7 +268,7 @@ int ff_h263_resync(MpegEncContext *s){
    return -1;
 }

-int h263_decode_motion(MpegEncContext * s, int pred, int f_code)
+int ff_h263_decode_motion(MpegEncContext * s, int pred, int f_code)
 {
    int code, val, sign, shift, l;
    code = get_vlc2(&s->gb, mv_vlc.table, MV_VLC_BITS, 2);
@@ -379,16 +379,16 @@ static void preview_obmc(MpegEncContext *s){
        if ((cbpc & 16) == 0) {
                s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0;
                /* 16x16 motion prediction */
-                mot_val= h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
+                mot_val= ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
                if (s->umvplus)
                   mx = h263p_decode_umotion(s, pred_x);
                else
-                   mx = h263_decode_motion(s, pred_x, 1);
+                   mx = ff_h263_decode_motion(s, pred_x, 1);

                if (s->umvplus)
                   my = h263p_decode_umotion(s, pred_y);
                else
-                   my = h263_decode_motion(s, pred_y, 1);
+                   my = ff_h263_decode_motion(s, pred_y, 1);

                mot_val[0       ]= mot_val[2       ]=
                mot_val[0+stride]= mot_val[2+stride]= mx;
@@ -397,16 +397,16 @@ static void preview_obmc(MpegEncContext *s){
        } else {
            s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0;
            for(i=0;i<4;i++) {
-                mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y);
+                mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y);
                if (s->umvplus)
                  mx = h263p_decode_umotion(s, pred_x);
                else
-                  mx = h263_decode_motion(s, pred_x, 1);
+                  mx = ff_h263_decode_motion(s, pred_x, 1);

                if (s->umvplus)
                  my = h263p_decode_umotion(s, pred_y);
                else
-                  my = h263_decode_motion(s, pred_y, 1);
+                  my = ff_h263_decode_motion(s, pred_y, 1);
                if (s->umvplus && (mx - pred_x) == 1 && (my - pred_y) == 1)
                  skip_bits1(&s->gb); /* Bit stuffing to prevent PSC */
                mot_val[0] = mx;
@@ -430,7 +430,7 @@ static void h263_decode_dquant(MpegEncContext *s){

    if(s->modified_quant){
        if(get_bits1(&s->gb))
-            s->qscale= modified_quant_tab[get_bits1(&s->gb)][ s->qscale ];
+            s->qscale= ff_modified_quant_tab[get_bits1(&s->gb)][ s->qscale ];
        else
            s->qscale= get_bits(&s->gb, 5);
    }else
@@ -448,7 +448,7 @@ static int h263_decode_block(MpegEncContext * s, DCTELEM * block,

    scan_table = s->intra_scantable.permutated;
    if (s->h263_aic && s->mb_intra) {
-        rl = &rl_intra_aic;
+        rl = &ff_rl_intra_aic;
        i = 0;
        if (s->ac_pred) {
            if (s->h263_aic_dir)
@@ -537,7 +537,7 @@ retry:
        if (i >= 64){
            if(s->alt_inter_vlc && rl == &ff_h263_rl_inter && !s->mb_intra){
                //Looks like a hack but no, it's the way it is supposed to work ...
-                rl = &rl_intra_aic;
+                rl = &ff_rl_intra_aic;
                i = 0;
                s->gb= gb;
                s->dsp.clear_block(block);
@@ -554,7 +554,7 @@ retry:
    }
 not_coded:
    if (s->mb_intra && s->h263_aic) {
-        h263_pred_acdc(s, block, n);
+        ff_h263_pred_acdc(s, block, n);
        i = 63;
    }
    s->block_last_index[n] = i;
@@ -653,11 +653,11 @@ int ff_h263_decode_mb(MpegEncContext *s,
            s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0;
            /* 16x16 motion prediction */
            s->mv_type = MV_TYPE_16X16;
-            h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
+            ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
            if (s->umvplus)
               mx = h263p_decode_umotion(s, pred_x);
            else
-               mx = h263_decode_motion(s, pred_x, 1);
+               mx = ff_h263_decode_motion(s, pred_x, 1);

            if (mx >= 0xffff)
                return -1;
@@ -665,7 +665,7 @@ int ff_h263_decode_mb(MpegEncContext *s,
            if (s->umvplus)
               my = h263p_decode_umotion(s, pred_y);
            else
-               my = h263_decode_motion(s, pred_y, 1);
+               my = ff_h263_decode_motion(s, pred_y, 1);

            if (my >= 0xffff)
                return -1;
@@ -678,18 +678,18 @@ int ff_h263_decode_mb(MpegEncContext *s,
            s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0;
            s->mv_type = MV_TYPE_8X8;
            for(i=0;i<4;i++) {
-                mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y);
+                mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y);
                if (s->umvplus)
                  mx = h263p_decode_umotion(s, pred_x);
                else
-                  mx = h263_decode_motion(s, pred_x, 1);
+                  mx = ff_h263_decode_motion(s, pred_x, 1);
                if (mx >= 0xffff)
                    return -1;

                if (s->umvplus)
                  my = h263p_decode_umotion(s, pred_y);
                else
-                  my = h263_decode_motion(s, pred_y, 1);
+                  my = ff_h263_decode_motion(s, pred_y, 1);
                if (my >= 0xffff)
                    return -1;
                s->mv[0][i][0] = mx;
@@ -761,11 +761,11 @@ int ff_h263_decode_mb(MpegEncContext *s,
 //FIXME UMV

            if(USES_LIST(mb_type, 0)){
-                int16_t *mot_val= h263_pred_motion(s, 0, 0, &mx, &my);
+                int16_t *mot_val= ff_h263_pred_motion(s, 0, 0, &mx, &my);
                s->mv_dir = MV_DIR_FORWARD;

-                mx = h263_decode_motion(s, mx, 1);
-                my = h263_decode_motion(s, my, 1);
+                mx = ff_h263_decode_motion(s, mx, 1);
+                my = ff_h263_decode_motion(s, my, 1);

                s->mv[0][0][0] = mx;
                s->mv[0][0][1] = my;
@@ -774,11 +774,11 @@ int ff_h263_decode_mb(MpegEncContext *s,
            }

            if(USES_LIST(mb_type, 1)){
-                int16_t *mot_val= h263_pred_motion(s, 0, 1, &mx, &my);
+                int16_t *mot_val= ff_h263_pred_motion(s, 0, 1, &mx, &my);
                s->mv_dir |= MV_DIR_BACKWARD;

-                mx = h263_decode_motion(s, mx, 1);
-                my = h263_decode_motion(s, my, 1);
+                mx = ff_h263_decode_motion(s, mx, 1);
+                my = ff_h263_decode_motion(s, my, 1);

                s->mv[1][0][0] = mx;
                s->mv[1][0][1] = my;
@@ -829,8 +829,8 @@ intra:
    }

    while(pb_mv_count--){
-        h263_decode_motion(s, 0, 1);
-        h263_decode_motion(s, 0, 1);
+        ff_h263_decode_motion(s, 0, 1);
+        ff_h263_decode_motion(s, 0, 1);
    }

    /* decode each block */
@@ -864,7 +864,7 @@ end:
 }

 /* most is hardcoded. should extend to handle all h263 streams */
-int h263_decode_picture_header(MpegEncContext *s)
+int ff_h263_decode_picture_header(MpegEncContext *s)
 {
    int format, width, height, i;
    uint32_t startcode;
@@ -916,8 +916,8 @@ int h263_decode_picture_header(MpegEncContext *s)
    if (format != 7 && format != 6) {
        s->h263_plus = 0;
        /* H.263v1 */
-        width = h263_format[format][0];
-        height = h263_format[format][1];
+        width = ff_h263_format[format][0];
+        height = ff_h263_format[format][1];
        if (!width)
            return -1;

@@ -961,6 +961,8 @@ int h263_decode_picture_header(MpegEncContext *s)
            s->h263_aic = get_bits1(&s->gb); /* Advanced Intra Coding (AIC) */
            s->loop_filter= get_bits1(&s->gb);
            s->unrestricted_mv = s->umvplus || s->obmc || s->loop_filter;
+            if(s->avctx->lowres)
+                s->loop_filter = 0;

            s->h263_slice_structured= get_bits1(&s->gb);
            if (get_bits1(&s->gb) != 0) {
@@ -1024,8 +1026,8 @@ int h263_decode_picture_header(MpegEncContext *s)
                    s->avctx->sample_aspect_ratio= ff_h263_pixel_aspect[s->aspect_ratio_info];
                }
            } else {
-                width = h263_format[format][0];
-                height = h263_format[format][1];
+                width = ff_h263_format[format][0];
+                height = ff_h263_format[format][1];
                s->avctx->sample_aspect_ratio= (AVRational){12,11};
            }
            if ((width == 0) || (height == 0))
--- a/libavcodec/ituh263enc.c
+++ b/libavcodec/ituh263enc.c
@@ -102,7 +102,7 @@ av_const int ff_h263_aspect_to_info(AVRational aspect){
    return FF_ASPECT_EXTENDED;
 }

-void h263_encode_picture_header(MpegEncContext * s, int picture_number)
+void ff_h263_encode_picture_header(MpegEncContext * s, int picture_number)
 {
    int format, coded_frame_rate, coded_frame_rate_base, i, temp_ref;
    int best_clock_code=1;
@@ -141,7 +141,7 @@ void h263_encode_picture_header(MpegEncContext * s, int picture_number)
    put_bits(&s->pb, 1, 0);     /* camera  off */
    put_bits(&s->pb, 1, 0);     /* freeze picture release off */

-    format = ff_match_2uint16(h263_format, FF_ARRAY_ELEMS(h263_format), s->width, s->height);
+    format = ff_match_2uint16(ff_h263_format, FF_ARRAY_ELEMS(ff_h263_format), s->width, s->height);
    if (!s->h263_plus) {
        /* H.263v1 */
        put_bits(&s->pb, 3, format);
@@ -247,7 +247,7 @@ void h263_encode_picture_header(MpegEncContext * s, int picture_number)
 /**
 * Encode a group of blocks header.
 */
-void h263_encode_gob_header(MpegEncContext * s, int mb_line)
+void ff_h263_encode_gob_header(MpegEncContext * s, int mb_line)
 {
    put_bits(&s->pb, 17, 1); /* GBSC */

@@ -333,7 +333,7 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n)
    } else {
        i = 0;
        if (s->h263_aic && s->mb_intra)
-            rl = &rl_intra_aic;
+            rl = &ff_rl_intra_aic;

        if(s->alt_inter_vlc && !s->mb_intra){
            int aic_vlc_bits=0;
@@ -353,14 +353,14 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n)
                    if(level<0) level= -level;

                    code = get_rl_index(rl, last, run, level);
-                    aic_code = get_rl_index(&rl_intra_aic, last, run, level);
+                    aic_code = get_rl_index(&ff_rl_intra_aic, last, run, level);
                    inter_vlc_bits += rl->table_vlc[code][1]+1;
-                    aic_vlc_bits   += rl_intra_aic.table_vlc[aic_code][1]+1;
+                    aic_vlc_bits   += ff_rl_intra_aic.table_vlc[aic_code][1]+1;

                    if (code == rl->n) {
                        inter_vlc_bits += 1+6+8-1;
                    }
-                    if (aic_code == rl_intra_aic.n) {
+                    if (aic_code == ff_rl_intra_aic.n) {
                        aic_vlc_bits += 1+6+8-1;
                        wrong_pos += run + 1;
                    }else
@@ -370,7 +370,7 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n)
            }
            i = 0;
            if(aic_vlc_bits < inter_vlc_bits && wrong_pos > 63)
-                rl = &rl_intra_aic;
+                rl = &ff_rl_intra_aic;
        }
    }

@@ -454,9 +454,9 @@ static void h263p_encode_umotion(MpegEncContext * s, int val)
    }
 }

-void h263_encode_mb(MpegEncContext * s,
-                    DCTELEM block[6][64],
-                    int motion_x, int motion_y)
+void ff_h263_encode_mb(MpegEncContext * s,
+                       DCTELEM block[6][64],
+                       int motion_x, int motion_y)
 {
    int cbpc, cbpy, i, cbp, pred_x, pred_y;
    int16_t pred_dc;
@@ -500,7 +500,7 @@ void h263_encode_mb(MpegEncContext * s,
            }

            /* motion vectors: 16x16 mode */
-            h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
+            ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y);

            if (!s->umvplus) {
                ff_h263_encode_motion_vector(s, motion_x - pred_x,
@@ -527,7 +527,7 @@ void h263_encode_mb(MpegEncContext * s,

            for(i=0; i<4; i++){
                /* motion vectors: 8x8 mode*/
-                h263_pred_motion(s, i, 0, &pred_x, &pred_y);
+                ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y);

                motion_x= s->current_picture.motion_val[0][ s->block_index[i] ][0];
                motion_y= s->current_picture.motion_val[0][ s->block_index[i] ][1];
@@ -561,7 +561,7 @@ void h263_encode_mb(MpegEncContext * s,
                if(i<4) scale= s->y_dc_scale;
                else    scale= s->c_dc_scale;

-                pred_dc = h263_pred_dc(s, i, &dc_ptr[i]);
+                pred_dc = ff_h263_pred_dc(s, i, &dc_ptr[i]);
                level -= pred_dc;
                /* Quant */
                if (level >= 0)
@@ -662,7 +662,7 @@ void ff_h263_encode_motion(MpegEncContext * s, int val, int f_code)
    if (val == 0) {
        /* zero vector */
        code = 0;
-        put_bits(&s->pb, mvtab[code][1], mvtab[code][0]);
+        put_bits(&s->pb, ff_mvtab[code][1], ff_mvtab[code][0]);
    } else {
        bit_size = f_code - 1;
        range = 1 << bit_size;
@@ -677,7 +677,7 @@ void ff_h263_encode_motion(MpegEncContext * s, int val, int f_code)
        code = (val >> bit_size) + 1;
        bits = val & (range - 1);

-        put_bits(&s->pb, mvtab[code][1] + 1, (mvtab[code][0] << 1) | sign);
+        put_bits(&s->pb, ff_mvtab[code][1] + 1, (ff_mvtab[code][0] << 1) | sign);
        if (bit_size > 0) {
            put_bits(&s->pb, bit_size, bits);
        }
@@ -693,7 +693,7 @@ static void init_mv_penalty_and_fcode(MpegEncContext *s)
        for(mv=-MAX_MV; mv<=MAX_MV; mv++){
            int len;

-            if(mv==0) len= mvtab[0][1];
+            if(mv==0) len= ff_mvtab[0][1];
            else{
                int val, bit_size, code;

@@ -705,9 +705,9 @@ static void init_mv_penalty_and_fcode(MpegEncContext *s)
                val--;
                code = (val >> bit_size) + 1;
                if(code<33){
-                    len= mvtab[code][1] + 1 + bit_size;
+                    len= ff_mvtab[code][1] + 1 + bit_size;
                }else{
-                    len= mvtab[32][1] + av_log2(code>>5) + 2 + bit_size;
+                    len= ff_mvtab[32][1] + av_log2(code>>5) + 2 + bit_size;
                }
            }

@@ -769,7 +769,7 @@ static void init_uni_h263_rl_tab(RLTable *rl, uint32_t *bits_tab, uint8_t *len_t
    }
 }

-void h263_encode_init(MpegEncContext *s)
+void ff_h263_encode_init(MpegEncContext *s)
 {
    static int done = 0;

@@ -777,9 +777,9 @@ void h263_encode_init(MpegEncContext *s)
        done = 1;

        init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]);
-        init_rl(&rl_intra_aic, ff_h263_static_rl_table_store[1]);
+        init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]);

-        init_uni_h263_rl_tab(&rl_intra_aic, NULL, uni_h263_intra_aic_rl_len);
+        init_uni_h263_rl_tab(&ff_rl_intra_aic, NULL, uni_h263_intra_aic_rl_len);
        init_uni_h263_rl_tab(&ff_h263_rl_inter    , NULL, uni_h263_inter_rl_len);

        init_mv_penalty_and_fcode(s);
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -123,6 +123,10 @@ int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab,
        if (huff_tab->tab_sel == 7) {
            /* custom huffman table (explicitly encoded) */
            new_huff.num_rows = get_bits(gb, 4);
+            if (!new_huff.num_rows) {
+                av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n");
+                return AVERROR_INVALIDDATA;
+            }

            for (i = 0; i < new_huff.num_rows; i++)
                new_huff.xbits[i] = get_bits(gb, 4);
@@ -136,9 +140,10 @@ int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab,
                result = ff_ivi_create_huff_from_desc(&huff_tab->cust_desc,
                        &huff_tab->cust_tab, 0);
                if (result) {
+                    huff_tab->cust_desc.num_rows = 0; // reset faulty description
                    av_log(avctx, AV_LOG_ERROR,
                           "Error while initializing custom vlc table!\n");
-                    return -1;
+                    return result;
                }
            }
            huff_tab->tab = &huff_tab->cust_tab;
@@ -207,14 +212,15 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
            band->width    = b_width;
            band->height   = b_height;
            band->pitch    = width_aligned;
-            band->bufs[0]  = av_malloc(buf_size);
-            band->bufs[1]  = av_malloc(buf_size);
+            band->aheight  = height_aligned;
+            band->bufs[0]  = av_mallocz(buf_size);
+            band->bufs[1]  = av_mallocz(buf_size);
            if (!band->bufs[0] || !band->bufs[1])
                return AVERROR(ENOMEM);

            /* allocate the 3rd band buffer for scalability mode */
            if (cfg->luma_bands > 1) {
-                band->bufs[2] = av_malloc(buf_size);
+                band->bufs[2] = av_mallocz(buf_size);
                if (!band->bufs[2])
                    return AVERROR(ENOMEM);
            }
@@ -377,6 +383,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
                mv_x >>= 1;
                mv_y >>= 1; /* convert halfpel vectors into fullpel ones */
            }
+            if (mb->type) {
+                int dmv_x, dmv_y, cx, cy;
+
+                dmv_x = mb->mv_x >> band->is_halfpel;
+                dmv_y = mb->mv_y >> band->is_halfpel;
+                cx    = mb->mv_x &  band->is_halfpel;
+                cy    = mb->mv_y &  band->is_halfpel;
+
+                if (   mb->xpos + dmv_x < 0
+                    || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
+                    || mb->ypos + dmv_y < 0
+                    || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+                    return AVERROR_INVALIDDATA;
+                }
+            }
        }

        for (blk = 0; blk < num_blocks; blk++) {
@@ -389,6 +410,11 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
            }

            if (cbp & 1) { /* block coded ? */
+                if (!band->scan) {
+                    av_log(NULL, AV_LOG_ERROR, "Scan pattern is not set.\n");
+                    return AVERROR_INVALIDDATA;
+                }
+
                scan_pos = -1;
                memset(trvec, 0, num_coeffs*sizeof(trvec[0])); /* zero transform vector */
                memset(col_flags, 0, sizeof(col_flags));      /* zero column flags */
@@ -469,7 +495,7 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
    return 0;
 }

-void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
+int ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
                               IVITile *tile, int32_t mv_scale)
 {
    int             x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type;
@@ -480,6 +506,13 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
    void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch,
                             int mc_type);

+    if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) {
+        av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches "
+               "parameters %d in ivi_process_empty_tile()\n",
+               tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size));
+        return AVERROR_INVALIDDATA;
+    }
+
    offs       = tile->ypos * band->pitch + tile->xpos;
    mb         = tile->mbs;
    ref_mb     = tile->ref_mbs;
@@ -560,6 +593,8 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
            dst += band->pitch;
        }
    }
+
+    return 0;
 }


--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -132,6 +132,7 @@ typedef struct {
    int             band_num;       ///< band number
    int             width;
    int             height;
+    int             aheight;        ///< aligned band height
    const uint8_t   *data_ptr;      ///< ptr to the first byte of the band data
    int             data_size;      ///< size of the band data
    int16_t         *buf;           ///< pointer to the output buffer for this band
@@ -324,7 +325,7 @@ int  ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile);
 *  @param[in]  tile      pointer to the tile descriptor
 *  @param[in]  mv_scale  scaling factor for motion vectors
 */
-void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
+int ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
                               IVITile *tile, int32_t mv_scale);

 /**
--- a/libavcodec/j2k_dwt.c
+++ b/libavcodec/j2k_dwt.c
@@ -321,7 +321,7 @@ int ff_j2k_dwt_init(DWTContext *s, uint16_t border[2][2], int decomp_levels, int
    int i, j, lev = decomp_levels, maxlen,
        b[2][2];

-    if (decomp_levels >= FF_DWT_MAX_DECLVLS)
+    if ((unsigned)decomp_levels >= FF_DWT_MAX_DECLVLS)
        return AVERROR_INVALIDDATA;
    s->ndeclevels = decomp_levels;
    s->type = type;
--- a/libavcodec/j2kdec.c
+++ b/libavcodec/j2kdec.c
@@ -359,7 +359,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q)

    if (q->quantsty == J2K_QSTY_NONE){
        n -= 3;
-        if (s->buf_end - s->buf < n)
+        if (s->buf_end - s->buf < n || 32*3 < n)
            return AVERROR(EINVAL);
        for (i = 0; i < n; i++)
            q->expn[i] = bytestream_get_byte(&s->buf) >> 3;
@@ -376,7 +376,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q)
        }
    } else{
        n = (n - 3) >> 1;
-        if (s->buf_end - s->buf < n)
+        if (s->buf_end - s->buf < n || 32*3 < n)
            return AVERROR(EINVAL);
        for (i = 0; i < n; i++){
            x = bytestream_get_be16(&s->buf);
@@ -421,6 +421,10 @@ static uint8_t get_sot(J2kDecoderContext *s)
        return AVERROR(EINVAL);

    s->curtileno = bytestream_get_be16(&s->buf); ///< Isot
+    if((unsigned)s->curtileno >= s->numXtiles * s->numYtiles){
+        s->curtileno=0;
+        return AVERROR(EINVAL);
+    }

    s->buf += 4; ///< Psot (ignored)

--- a/libavcodec/jvdec.c
+++ b/libavcodec/jvdec.c
@@ -143,6 +143,10 @@ static int decode_frame(AVCodecContext *avctx,
    buf += 5;

    if (video_size) {
+        if(video_size < 0) {
+            av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size);
+            return AVERROR_INVALIDDATA;
+        }
        if (avctx->reget_buffer(avctx, &s->frame) < 0) {
            av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
            return -1;
@@ -150,7 +154,7 @@ static int decode_frame(AVCodecContext *avctx,

        if (video_type == 0 || video_type == 1) {
            GetBitContext gb;
-            init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8));
+            init_get_bits(&gb, buf, 8 * FFMIN(video_size, buf_end - buf));

            for (j = 0; j < avctx->height; j += 8)
                for (i = 0; i < avctx->width; i += 8)
--- a/libavcodec/kgv1dec.c
+++ b/libavcodec/kgv1dec.c
@@ -30,19 +30,26 @@

 typedef struct {
    AVCodecContext *avctx;
-    AVFrame pic;
-    uint16_t *prev, *cur;
+    AVFrame prev, cur;
 } KgvContext;

+static void decode_flush(AVCodecContext *avctx)
+{
+    KgvContext * const c = avctx->priv_data;
+
+    if (c->prev.data[0])
+        avctx->release_buffer(avctx, &c->prev);
+}
+
 static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt)
 {
    const uint8_t *buf = avpkt->data;
    const uint8_t *buf_end = buf + avpkt->size;
    KgvContext * const c = avctx->priv_data;
-    int offsets[7];
+    int offsets[8];
    uint16_t *out, *prev;
    int outcnt = 0, maxcnt;
-    int w, h, i;
+    int w, h, i, res;

    if (avpkt->size < 2)
        return -1;
@@ -54,22 +61,25 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
    if (av_image_check_size(w, h, 0, avctx))
        return -1;

-    if (w != avctx->width || h != avctx->height)
+    if (w != avctx->width || h != avctx->height) {
+        if (c->prev.data[0])
+            avctx->release_buffer(avctx, &c->prev);
        avcodec_set_dimensions(avctx, w, h);
+    }

    maxcnt = w * h;

-    out = av_realloc(c->cur, w * h * 2);
-    if (!out)
-        return -1;
-    c->cur = out;
+    c->cur.reference = 3;
+    if ((res = avctx->get_buffer(avctx, &c->cur)) < 0)
+        return res;
+    out  = (uint16_t *) c->cur.data[0];
+    if (c->prev.data[0]) {
+        prev = (uint16_t *) c->prev.data[0];
+    } else {
+        prev = NULL;
+    }

-    prev = av_realloc(c->prev, w * h * 2);
-    if (!prev)
-        return -1;
-    c->prev = prev;
-
-    for (i = 0; i < 7; i++)
+    for (i = 0; i < 8; i++)
        offsets[i] = -1;

    while (outcnt < maxcnt && buf_end - 2 > buf) {
@@ -80,6 +90,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
            out[outcnt++] = code; // rgb555 pixel coded directly
        } else {
            int count;
+            int inp_off;
            uint16_t *inp;

            if ((code & 0x6000) == 0x6000) {
@@ -101,7 +112,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                if (maxcnt - start < count)
                    break;

-                inp = prev + start;
+                if (!prev) {
+                    av_log(avctx, AV_LOG_ERROR,
+                           "Frame reference does not exist\n");
+                    break;
+                }
+
+                inp = prev;
+                inp_off = start;
            } else {
                // copy from earlier in this frame
                int offset = (code & 0x1FFF) + 1;
@@ -119,27 +137,28 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                if (outcnt < offset)
                    break;

-                inp = out + outcnt - offset;
+                inp = out;
+                inp_off = outcnt - offset;
            }

            if (maxcnt - outcnt < count)
                break;

-            for (i = 0; i < count; i++)
+            for (i = inp_off; i < count + inp_off; i++) {
                out[outcnt++] = inp[i];
+            }
        }
    }

    if (outcnt - maxcnt)
        av_log(avctx, AV_LOG_DEBUG, "frame finished with %d diff\n", outcnt - maxcnt);

-    c->pic.data[0]     = (uint8_t *)c->cur;
-    c->pic.linesize[0] = w * 2;
-
    *data_size = sizeof(AVFrame);
-    *(AVFrame*)data = c->pic;
+    *(AVFrame*)data = c->cur;

-    FFSWAP(uint16_t *, c->cur, c->prev);
+    if (c->prev.data[0])
+        avctx->release_buffer(avctx, &c->prev);
+    FFSWAP(AVFrame, c->cur, c->prev);

    return avpkt->size;
 }
@@ -150,29 +169,25 @@ static av_cold int decode_init(AVCodecContext *avctx)

    c->avctx = avctx;
    avctx->pix_fmt = PIX_FMT_RGB555;
-    avcodec_get_frame_defaults(&c->pic);
+    avctx->flags  |= CODEC_FLAG_EMU_EDGE;

    return 0;
 }

 static av_cold int decode_end(AVCodecContext *avctx)
 {
-    KgvContext * const c = avctx->priv_data;
-
-    av_freep(&c->cur);
-    av_freep(&c->prev);
-
+    decode_flush(avctx);
    return 0;
 }

 AVCodec ff_kgv1_decoder = {
-    "kgv1",
-    AVMEDIA_TYPE_VIDEO,
-    CODEC_ID_KGV1,
-    sizeof(KgvContext),
-    decode_init,
-    NULL,
-    decode_end,
-    decode_frame,
+    .name           = "kgv1",
+    .type           = AVMEDIA_TYPE_VIDEO,
+    .id             = CODEC_ID_KGV1,
+    .priv_data_size = sizeof(KgvContext),
+    .init           = decode_init,
+    .close          = decode_end,
+    .decode         = decode_frame,
+    .flush          = decode_flush,
    .long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"),
 };
--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -33,6 +33,7 @@
 #define KMVC_KEYFRAME 0x80
 #define KMVC_PALETTE  0x40
 #define KMVC_METHOD   0x0F
+#define MAX_PALSIZE   256

 /*
 * Decoder context
@@ -43,7 +44,7 @@ typedef struct KmvcContext {

    int setpal;
    int palsize;
-    uint32_t pal[256];
+    uint32_t pal[MAX_PALSIZE];
    uint8_t *cur, *prev;
    uint8_t *frm0, *frm1;
 } KmvcContext;
@@ -57,17 +58,21 @@ typedef struct BitBuf {

 #define kmvc_init_getbits(bb, src)  bb.bits = 7; bb.bitbuf = *src++;

-#define kmvc_getbit(bb, src, res) {\
+#define kmvc_getbit(bb, src, src_end, res) {\
    res = 0; \
    if (bb.bitbuf & (1 << bb.bits)) res = 1; \
    bb.bits--; \
    if(bb.bits == -1) { \
+        if (src >= src_end) { \
+            av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); \
+            return AVERROR_INVALIDDATA; \
+        } \
        bb.bitbuf = *src++; \
        bb.bits = 7; \
    } \
 }

-static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h)
+static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
 {
    BitBuf bb;
    int res, val;
@@ -75,13 +80,18 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
    int bx, by;
    int l0x, l1x, l0y, l1y;
    int mx, my;
+    const uint8_t *src_end = src + src_size;

    kmvc_init_getbits(bb, src);

    for (by = 0; by < h; by += 8)
        for (bx = 0; bx < w; bx += 8) {
-            kmvc_getbit(bb, src, res);
+            kmvc_getbit(bb, src, src_end, res);
            if (!res) {         // fill whole 8x8 block
+                if (src >= src_end) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                    return AVERROR_INVALIDDATA;
+                }
                val = *src++;
                for (i = 0; i < 64; i++)
                    BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
@@ -89,14 +99,22 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                for (i = 0; i < 4; i++) {
                    l0x = bx + (i & 1) * 4;
                    l0y = by + (i & 2) * 2;
-                    kmvc_getbit(bb, src, res);
+                    kmvc_getbit(bb, src, src_end, res);
                    if (!res) {
-                        kmvc_getbit(bb, src, res);
+                        kmvc_getbit(bb, src, src_end, res);
                        if (!res) {     // fill whole 4x4 block
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            for (j = 0; j < 16; j++)
                                BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
                        } else {        // copy block from already decoded place
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            mx = val & 0xF;
                            my = val >> 4;
@@ -108,16 +126,24 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                        for (j = 0; j < 4; j++) {
                            l1x = l0x + (j & 1) * 2;
                            l1y = l0y + (j & 2);
-                            kmvc_getbit(bb, src, res);
+                            kmvc_getbit(bb, src, src_end, res);
                            if (!res) {
-                                kmvc_getbit(bb, src, res);
+                                kmvc_getbit(bb, src, src_end, res);
                                if (!res) {     // fill whole 2x2 block
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    BLK(ctx->cur, l1x, l1y) = val;
                                    BLK(ctx->cur, l1x + 1, l1y) = val;
                                    BLK(ctx->cur, l1x, l1y + 1) = val;
                                    BLK(ctx->cur, l1x + 1, l1y + 1) = val;
                                } else {        // copy block from already decoded place
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    mx = val & 0xF;
                                    my = val >> 4;
@@ -140,9 +166,11 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                }
            }
        }
+
+    return 0;
 }

-static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h)
+static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
 {
    BitBuf bb;
    int res, val;
@@ -150,15 +178,20 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
    int bx, by;
    int l0x, l1x, l0y, l1y;
    int mx, my;
+    const uint8_t *src_end = src + src_size;

    kmvc_init_getbits(bb, src);

    for (by = 0; by < h; by += 8)
        for (bx = 0; bx < w; bx += 8) {
-            kmvc_getbit(bb, src, res);
+            kmvc_getbit(bb, src, src_end, res);
            if (!res) {
-                kmvc_getbit(bb, src, res);
+                kmvc_getbit(bb, src, src_end, res);
                if (!res) {     // fill whole 8x8 block
+                    if (src >= src_end) {
+                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                    val = *src++;
                    for (i = 0; i < 64; i++)
                        BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
@@ -171,14 +204,22 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                for (i = 0; i < 4; i++) {
                    l0x = bx + (i & 1) * 4;
                    l0y = by + (i & 2) * 2;
-                    kmvc_getbit(bb, src, res);
+                    kmvc_getbit(bb, src, src_end, res);
                    if (!res) {
-                        kmvc_getbit(bb, src, res);
+                        kmvc_getbit(bb, src, src_end, res);
                        if (!res) {     // fill whole 4x4 block
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            for (j = 0; j < 16; j++)
                                BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
                        } else {        // copy block
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            mx = (val & 0xF) - 8;
                            my = (val >> 4) - 8;
@@ -190,16 +231,24 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                        for (j = 0; j < 4; j++) {
                            l1x = l0x + (j & 1) * 2;
                            l1y = l0y + (j & 2);
-                            kmvc_getbit(bb, src, res);
+                            kmvc_getbit(bb, src, src_end, res);
                            if (!res) {
-                                kmvc_getbit(bb, src, res);
+                                kmvc_getbit(bb, src, src_end, res);
                                if (!res) {     // fill whole 2x2 block
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    BLK(ctx->cur, l1x, l1y) = val;
                                    BLK(ctx->cur, l1x + 1, l1y) = val;
                                    BLK(ctx->cur, l1x, l1y + 1) = val;
                                    BLK(ctx->cur, l1x + 1, l1y + 1) = val;
                                } else {        // copy block
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    mx = (val & 0xF) - 8;
                                    my = (val >> 4) - 8;
@@ -222,6 +271,8 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                }
            }
        }
+
+    return 0;
 }

 static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt)
@@ -300,10 +351,10 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa
        memcpy(ctx->cur, ctx->prev, 320 * 200);
        break;
    case 3:
-        kmvc_decode_intra_8x8(ctx, buf, avctx->width, avctx->height);
+        kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
        break;
    case 4:
-        kmvc_decode_inter_8x8(ctx, buf, avctx->width, avctx->height);
+        kmvc_decode_inter_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD);
@@ -365,6 +416,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
        c->palsize = 127;
    } else {
        c->palsize = AV_RL16(avctx->extradata + 10);
+        if (c->palsize >= MAX_PALSIZE) {
+            av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");
+            return AVERROR_INVALIDDATA;
+        }
    }

    if (avctx->extradata_size == 1036) {        // palette in extradata
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -322,6 +322,11 @@ static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst,
 output_zeros:
    if (l->zeros_rem) {
        count = FFMIN(l->zeros_rem, width - i);
+        if (end - dst < count) {
+            av_log(l->avctx, AV_LOG_ERROR, "Too many zeros remaining.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
        memset(dst, 0, count);
        l->zeros_rem -= count;
        dst += count;
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -223,8 +223,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                len = mszh_dlen;
            }
            break;
-        case COMP_MSZH_NOCOMP:
+        case COMP_MSZH_NOCOMP: {
+            int bppx2;
+            switch (c->imgtype) {
+            case IMGTYPE_YUV111:
+            case IMGTYPE_RGB24:
+                bppx2 = 6;
+                break;
+            case IMGTYPE_YUV422:
+            case IMGTYPE_YUV211:
+                bppx2 = 4;
+                break;
+            case IMGTYPE_YUV411:
+            case IMGTYPE_YUV420:
+                bppx2 = 3;
+                break;
+            default:
+                bppx2 = 0; // will error out below
+                break;
+            }
+            if (len < ((width * height * bppx2) >> 1))
+                return AVERROR_INVALIDDATA;
            break;
+        }
        default:
            av_log(avctx, AV_LOG_ERROR, "BUG! Unknown MSZH compression in frame decoder.\n");
            return -1;
@@ -456,7 +477,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    avcodec_get_frame_defaults(&c->pic);
    if (avctx->extradata_size < 8) {
        av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n");
-        return 1;
+        return AVERROR_INVALIDDATA;
    }

    /* Check codec type */
@@ -505,7 +526,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Unsupported image format %d.\n", c->imgtype);
-        return 1;
+        return AVERROR_INVALIDDATA;
    }

    /* Detect compression method */
@@ -522,7 +543,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
            break;
        default:
            av_log(avctx, AV_LOG_ERROR, "Unsupported compression format for MSZH (%d).\n", c->compression);
-            return 1;
+            return AVERROR_INVALIDDATA;
        }
        break;
 #if CONFIG_ZLIB_DECODER
@@ -540,7 +561,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
        default:
            if (c->compression < Z_NO_COMPRESSION || c->compression > Z_BEST_COMPRESSION) {
                av_log(avctx, AV_LOG_ERROR, "Unsupported compression level for ZLIB: (%d).\n", c->compression);
-                return 1;
+                return AVERROR_INVALIDDATA;
            }
            av_log(avctx, AV_LOG_DEBUG, "Compression level for ZLIB: (%d).\n", c->compression);
        }
@@ -548,14 +569,14 @@ static av_cold int decode_init(AVCodecContext *avctx)
 #endif
    default:
        av_log(avctx, AV_LOG_ERROR, "BUG! Unknown codec in compression switch.\n");
-        return 1;
+        return AVERROR_INVALIDDATA;
    }

    /* Allocate decompression buffer */
    if (c->decomp_size) {
        if ((c->decomp_buf = av_malloc(max_decomp_size)) == NULL) {
            av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
-            return 1;
+            return AVERROR(ENOMEM);
        }
    }

@@ -581,7 +602,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
        if (zret != Z_OK) {
            av_log(avctx, AV_LOG_ERROR, "Inflate init error: %d\n", zret);
            av_freep(&c->decomp_buf);
-            return 1;
+            return AVERROR_INVALIDDATA;
        }
    }
 #endif
--- a/libavcodec/mjpegbdec.c
+++ b/libavcodec/mjpegbdec.c
@@ -59,6 +59,9 @@ read_header:
    s->restart_count = 0;
    s->mjpb_skiptosod = 0;

+    if (buf_end - buf_ptr >= 1 << 28)
+        return AVERROR_INVALIDDATA;
+
    init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8);

    skip_bits(&hgb, 32); /* reserved zeros */
@@ -66,7 +69,7 @@ read_header:
    if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g'))
    {
        av_log(avctx, AV_LOG_WARNING, "not mjpeg-b (bad fourcc)\n");
-        return 0;
+        return AVERROR_INVALIDDATA;
    }

    field_size = get_bits_long(&hgb, 32); /* field size */
@@ -109,8 +112,8 @@ read_header:
    av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs);
    if (sos_offs)
    {
-//        init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8);
-        init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8);
+        init_get_bits(&s->gb, buf_ptr + sos_offs,
+                      8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs));
        s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16));
        s->start_code = SOS;
        ff_mjpeg_decode_sos(s, NULL, NULL);
@@ -142,7 +145,7 @@ read_header:
        picture->quality*= FF_QP2LAMBDA;
    }

-    return buf_ptr - buf;
+    return buf_size;
 }

 AVCodec ff_mjpegb_decoder = {
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -52,7 +52,7 @@ static inline int sad_hpel_motion_search(MpegEncContext * s,
                                  int src_index, int ref_index,
                                  int size, int h);

-static inline int update_map_generation(MotionEstContext *c)
+static inline unsigned update_map_generation(MotionEstContext *c)
 {
    c->map_generation+= 1<<(ME_MAP_MV_BITS*2);
    if(c->map_generation==0){
--- a/libavcodec/motion_est_template.c
+++ b/libavcodec/motion_est_template.c
@@ -158,9 +158,8 @@ static int hpel_motion_search(MpegEncContext * s,
        const int b= score_map[(index+(1<<ME_MAP_SHIFT))&(ME_MAP_SIZE-1)]
                     + (mv_penalty[bx   - pred_x] + mv_penalty[by+2 - pred_y])*c->penalty_factor;

-#if 1
-        int key;
-        int map_generation= c->map_generation;
+        unsigned key;
+        unsigned map_generation= c->map_generation;
 #ifndef NDEBUG
        uint32_t *map= c->map;
 #endif
@@ -172,7 +171,6 @@ static int hpel_motion_search(MpegEncContext * s,
        assert(map[(index+1)&(ME_MAP_SIZE-1)] == key);
        key= ((my)<<ME_MAP_MV_BITS) + (mx-1) + map_generation;
        assert(map[(index-1)&(ME_MAP_SIZE-1)] == key);
-#endif
        if(t<=b){
            CHECK_HALF_MV(0, 1, mx  ,my-1)
            if(l<=r){
@@ -280,7 +278,7 @@ static int qpel_motion_search(MpegEncContext * s,
    const int mx = *mx_ptr;
    const int my = *my_ptr;
    const int penalty_factor= c->sub_penalty_factor;
-    const int map_generation= c->map_generation;
+    const unsigned map_generation = c->map_generation;
    const int subpel_quality= c->avctx->me_subpel_quality;
    uint32_t *map= c->map;
    me_cmp_func cmpf, chroma_cmpf;
@@ -497,7 +495,7 @@ static int qpel_motion_search(MpegEncContext * s,

 #define CHECK_MV(x,y)\
 {\
-    const int key= ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
+    const unsigned key = ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
    const int index= (((y)<<ME_MAP_SHIFT) + (x))&(ME_MAP_SIZE-1);\
    assert((x) >= xmin);\
    assert((x) <= xmax);\
@@ -525,7 +523,7 @@ static int qpel_motion_search(MpegEncContext * s,

 #define CHECK_MV_DIR(x,y,new_dir)\
 {\
-    const int key= ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
+    const unsigned key = ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
    const int index= (((y)<<ME_MAP_SHIFT) + (x))&(ME_MAP_SIZE-1);\
 /*printf("check_mv_dir %d %d %d\n", x, y, new_dir);*/\
    if(map[index]!=key){\
@@ -563,13 +561,13 @@ static av_always_inline int small_diamond_search(MpegEncContext * s, int *best,
    int next_dir=-1;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];

    { /* ensure that the best point is in the MAP as h/qpel refinement needs it */
-        const int key= (best[1]<<ME_MAP_MV_BITS) + best[0] + map_generation;
+        const unsigned key = (best[1]<<ME_MAP_MV_BITS) + best[0] + map_generation;
        const int index= ((best[1]<<ME_MAP_SHIFT) + best[0])&(ME_MAP_SIZE-1);
        if(map[index]!=key){ //this will be executed only very rarey
            score_map[index]= cmp(s, best[0], best[1], 0, 0, size, h, ref_index, src_index, cmpf, chroma_cmpf, flags);
@@ -605,7 +603,7 @@ static int funny_diamond_search(MpegEncContext * s, int *best, int dmin,
    int dia_size;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -646,7 +644,7 @@ static int hex_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y,d;
    const int dec= dia_size & (dia_size-1);

@@ -680,7 +678,7 @@ static int l2s_dia_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y,i,d;
    int dia_size= c->dia_size&0xFF;
    const int dec= dia_size & (dia_size-1);
@@ -718,7 +716,7 @@ static int umh_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y,x2,y2, i, j, d;
    const int dia_size= c->dia_size&0xFE;
    static const int hex[16][2]={{-4,-2}, {-4,-1}, {-4, 0}, {-4, 1}, {-4, 2},
@@ -765,7 +763,7 @@ static int full_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y, d;
    const int dia_size= c->dia_size&0xFF;

@@ -794,7 +792,7 @@ static int full_search(MpegEncContext * s, int *best, int dmin,

 #define SAB_CHECK_MV(ax,ay)\
 {\
-    const int key= ((ay)<<ME_MAP_MV_BITS) + (ax) + map_generation;\
+    const unsigned key = ((ay)<<ME_MAP_MV_BITS) + (ax) + map_generation;\
    const int index= (((ay)<<ME_MAP_SHIFT) + (ax))&(ME_MAP_SIZE-1);\
 /*printf("sab check %d %d\n", ax, ay);*/\
    if(map[index]!=key){\
@@ -833,7 +831,7 @@ static int sab_diamond_search(MpegEncContext * s, int *best, int dmin,
    int i, j;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -918,7 +916,7 @@ static int var_diamond_search(MpegEncContext * s, int *best, int dmin,
    int dia_size;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -1010,7 +1008,7 @@ static av_always_inline int epzs_motion_search_internal(MpegEncContext * s, int
    int d;                   ///< the score (cmp + penalty) of any given mv
    int dmin;                /*!< the best value of d, i.e. the score
                               corresponding to the mv stored in best[]. */
-    int map_generation;
+    unsigned map_generation;
    int penalty_factor;
    const int ref_mv_stride= s->mb_stride; //pass as arg  FIXME
    const int ref_mv_xy= s->mb_x + s->mb_y*ref_mv_stride; //add to last_mv beforepassing FIXME
@@ -1138,7 +1136,7 @@ static int epzs_motion_search4(MpegEncContext * s,
    MotionEstContext * const c= &s->me;
    int best[2]={0, 0};
    int d, dmin;
-    int map_generation;
+    unsigned map_generation;
    const int penalty_factor= c->penalty_factor;
    const int size=1;
    const int h=8;
@@ -1198,7 +1196,7 @@ static int epzs_motion_search2(MpegEncContext * s,
    MotionEstContext * const c= &s->me;
    int best[2]={0, 0};
    int d, dmin;
-    int map_generation;
+    unsigned map_generation;
    const int penalty_factor= c->penalty_factor;
    const int size=0; //FIXME pass as arg
    const int h=8;
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -55,6 +55,11 @@ static av_cold int mp_decode_init(AVCodecContext *avctx)
    int w4 = (avctx->width  + 3) & ~3;
    int h4 = (avctx->height + 3) & ~3;

+    if(avctx->extradata_size < 2){
+        av_log(avctx, AV_LOG_ERROR, "extradata too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    motionpixels_tableinit();
    mp->avctx = avctx;
    dsputil_init(&mp->dsp, avctx);
@@ -191,10 +196,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y)
            p = mp_get_yuv_from_rgb(mp, x - 1, y);
        } else {
            p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+            p.y = av_clip(p.y, 0, 31);
            if ((x & 3) == 0) {
                if ((y & 3) == 0) {
                    p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+                    p.v = av_clip(p.v, -32, 31);
                    p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+                    p.u = av_clip(p.u, -32, 31);
                    mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p;
                } else {
                    p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v;
@@ -218,9 +226,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb)
            p = mp_get_yuv_from_rgb(mp, 0, y);
        } else {
            p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+            p.y = av_clip(p.y, 0, 31);
            if ((y & 3) == 0) {
                p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+                p.v = av_clip(p.v, -32, 31);
                p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+                p.u = av_clip(p.u, -32, 31);
            }
            mp->vpt[y] = p;
            mp_set_rgb_from_yuv(mp, 0, y, &p);
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -138,7 +138,8 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx)
    c->frames = 1 << (get_bits(&gb, 3) * 2);

    avctx->sample_fmt = AV_SAMPLE_FMT_S16;
-    avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
+    avctx->channel_layout = (channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
+    avctx->channels = channels;

    if(vlc_initialized) return 0;
    av_log(avctx, AV_LOG_DEBUG, "Initing VLC\n");
--- a/libavcodec/mpeg12.c
+++ b/libavcodec/mpeg12.c
@@ -1151,6 +1151,7 @@ typedef struct Mpeg1Context {
    int save_width, save_height, save_progressive_seq;
    AVRational frame_rate_ext;       ///< MPEG-2 specific framerate modificator
    int sync;                        ///< Did we reach a sync point like a GOP/SEQ/KEYFrame?
+    int extradata_decoded;
 } Mpeg1Context;

 static av_cold int mpeg_decode_init(AVCodecContext *avctx)
@@ -2315,8 +2316,10 @@ static int mpeg_decode_frame(AVCodecContext *avctx,

    s->slice_count= 0;

-    if(avctx->extradata && !avctx->frame_number)
+    if (avctx->extradata && !s->extradata_decoded) {
        decode_chunks(avctx, picture, data_size, avctx->extradata, avctx->extradata_size);
+        s->extradata_decoded = 1;
+    }

    return decode_chunks(avctx, picture, data_size, buf, buf_size);
 }
--- a/libavcodec/mpeg12enc.c
+++ b/libavcodec/mpeg12enc.c
@@ -27,6 +27,7 @@

 #include "avcodec.h"
 #include "dsputil.h"
+#include "mathops.h"
 #include "mpegvideo.h"

 #include "mpeg12.h"
@@ -681,8 +682,7 @@ static void mpeg1_encode_motion(MpegEncContext *s, int val, int f_or_b_code)
        int bit_size = f_or_b_code - 1;
        int range = 1 << bit_size;
        /* modulo encoding */
-        int l= INT_BIT - 5 - bit_size;
-        val= (val<<l)>>l;
+        val = sign_extend(val, 5 + bit_size);

        if (val >= 0) {
            val--;
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -651,13 +651,13 @@ try_again:
                    if ((cbpc & 16) == 0) {
                        /* 16x16 motion prediction */

-                        h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
+                        ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
                        if(!s->mcsel){
-                            mx = h263_decode_motion(s, pred_x, s->f_code);
+                            mx = ff_h263_decode_motion(s, pred_x, s->f_code);
                            if (mx >= 0xffff)
                                return -1;

-                            my = h263_decode_motion(s, pred_y, s->f_code);
+                            my = ff_h263_decode_motion(s, pred_y, s->f_code);
                            if (my >= 0xffff)
                                return -1;
                            s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0;
@@ -675,12 +675,12 @@ try_again:
                        int i;
                        s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0;
                        for(i=0;i<4;i++) {
-                            int16_t *mot_val= h263_pred_motion(s, i, 0, &pred_x, &pred_y);
-                            mx = h263_decode_motion(s, pred_x, s->f_code);
+                            int16_t *mot_val= ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y);
+                            mx = ff_h263_decode_motion(s, pred_x, s->f_code);
                            if (mx >= 0xffff)
                                return -1;

-                            my = h263_decode_motion(s, pred_y, s->f_code);
+                            my = ff_h263_decode_motion(s, pred_y, s->f_code);
                            if (my >= 0xffff)
                                return -1;
                            mot_val[0] = mx;
@@ -1245,14 +1245,14 @@ static int mpeg4_decode_mb(MpegEncContext *s,
                s->field_select[0][0]= get_bits1(&s->gb);
                s->field_select[0][1]= get_bits1(&s->gb);

-                h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
+                ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y);

                for(i=0; i<2; i++){
-                    mx = h263_decode_motion(s, pred_x, s->f_code);
+                    mx = ff_h263_decode_motion(s, pred_x, s->f_code);
                    if (mx >= 0xffff)
                        return -1;

-                    my = h263_decode_motion(s, pred_y/2, s->f_code);
+                    my = ff_h263_decode_motion(s, pred_y/2, s->f_code);
                    if (my >= 0xffff)
                        return -1;

@@ -1263,13 +1263,13 @@ static int mpeg4_decode_mb(MpegEncContext *s,
                s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0;
                /* 16x16 motion prediction */
                s->mv_type = MV_TYPE_16X16;
-                h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
-                mx = h263_decode_motion(s, pred_x, s->f_code);
+                ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
+                mx = ff_h263_decode_motion(s, pred_x, s->f_code);

                if (mx >= 0xffff)
                    return -1;

-                my = h263_decode_motion(s, pred_y, s->f_code);
+                my = ff_h263_decode_motion(s, pred_y, s->f_code);

                if (my >= 0xffff)
                    return -1;
@@ -1280,12 +1280,12 @@ static int mpeg4_decode_mb(MpegEncContext *s,
            s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0;
            s->mv_type = MV_TYPE_8X8;
            for(i=0;i<4;i++) {
-                mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y);
-                mx = h263_decode_motion(s, pred_x, s->f_code);
+                mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y);
+                mx = ff_h263_decode_motion(s, pred_x, s->f_code);
                if (mx >= 0xffff)
                    return -1;

-                my = h263_decode_motion(s, pred_y, s->f_code);
+                my = ff_h263_decode_motion(s, pred_y, s->f_code);
                if (my >= 0xffff)
                    return -1;
                s->mv[0][i][0] = mx;
@@ -1381,8 +1381,8 @@ static int mpeg4_decode_mb(MpegEncContext *s,
                if(USES_LIST(mb_type, 0)){
                    s->mv_dir = MV_DIR_FORWARD;

-                    mx = h263_decode_motion(s, s->last_mv[0][0][0], s->f_code);
-                    my = h263_decode_motion(s, s->last_mv[0][0][1], s->f_code);
+                    mx = ff_h263_decode_motion(s, s->last_mv[0][0][0], s->f_code);
+                    my = ff_h263_decode_motion(s, s->last_mv[0][0][1], s->f_code);
                    s->last_mv[0][1][0]= s->last_mv[0][0][0]= s->mv[0][0][0] = mx;
                    s->last_mv[0][1][1]= s->last_mv[0][0][1]= s->mv[0][0][1] = my;
                }
@@ -1390,8 +1390,8 @@ static int mpeg4_decode_mb(MpegEncContext *s,
                if(USES_LIST(mb_type, 1)){
                    s->mv_dir |= MV_DIR_BACKWARD;

-                    mx = h263_decode_motion(s, s->last_mv[1][0][0], s->b_code);
-                    my = h263_decode_motion(s, s->last_mv[1][0][1], s->b_code);
+                    mx = ff_h263_decode_motion(s, s->last_mv[1][0][0], s->b_code);
+                    my = ff_h263_decode_motion(s, s->last_mv[1][0][1], s->b_code);
                    s->last_mv[1][1][0]= s->last_mv[1][0][0]= s->mv[1][0][0] = mx;
                    s->last_mv[1][1][1]= s->last_mv[1][0][1]= s->mv[1][0][1] = my;
                }
@@ -1402,8 +1402,8 @@ static int mpeg4_decode_mb(MpegEncContext *s,
                    s->mv_dir = MV_DIR_FORWARD;

                    for(i=0; i<2; i++){
-                        mx = h263_decode_motion(s, s->last_mv[0][i][0]  , s->f_code);
-                        my = h263_decode_motion(s, s->last_mv[0][i][1]/2, s->f_code);
+                        mx = ff_h263_decode_motion(s, s->last_mv[0][i][0]  , s->f_code);
+                        my = ff_h263_decode_motion(s, s->last_mv[0][i][1]/2, s->f_code);
                        s->last_mv[0][i][0]=  s->mv[0][i][0] = mx;
                        s->last_mv[0][i][1]= (s->mv[0][i][1] = my)*2;
                    }
@@ -1413,8 +1413,8 @@ static int mpeg4_decode_mb(MpegEncContext *s,
                    s->mv_dir |= MV_DIR_BACKWARD;

                    for(i=0; i<2; i++){
-                        mx = h263_decode_motion(s, s->last_mv[1][i][0]  , s->b_code);
-                        my = h263_decode_motion(s, s->last_mv[1][i][1]/2, s->b_code);
+                        mx = ff_h263_decode_motion(s, s->last_mv[1][i][0]  , s->b_code);
+                        my = ff_h263_decode_motion(s, s->last_mv[1][i][1]/2, s->b_code);
                        s->last_mv[1][i][0]=  s->mv[1][i][0] = mx;
                        s->last_mv[1][i][1]= (s->mv[1][i][1] = my)*2;
                    }
@@ -1426,8 +1426,8 @@ static int mpeg4_decode_mb(MpegEncContext *s,
            if(IS_SKIP(mb_type))
                mx=my=0;
            else{
-                mx = h263_decode_motion(s, 0, 1);
-                my = h263_decode_motion(s, 0, 1);
+                mx = ff_h263_decode_motion(s, 0, 1);
+                my = ff_h263_decode_motion(s, 0, 1);
            }

            s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT;
--- a/libavcodec/mpeg4videoenc.c
+++ b/libavcodec/mpeg4videoenc.c
@@ -727,7 +727,7 @@ void mpeg4_encode_mb(MpegEncContext * s,
                }

                /* motion vectors: 16x16 mode */
-                h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
+                ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y);

                ff_h263_encode_motion_vector(s, motion_x - pred_x,
                                                motion_y - pred_y, s->f_code);
@@ -751,7 +751,7 @@ void mpeg4_encode_mb(MpegEncContext * s,
                }

                /* motion vectors: 16x8 interlaced mode */
-                h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
+                ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
                pred_y /=2;

                put_bits(&s->pb, 1, s->field_select[0][0]);
@@ -779,7 +779,7 @@ void mpeg4_encode_mb(MpegEncContext * s,

                for(i=0; i<4; i++){
                    /* motion vectors: 8x8 mode*/
-                    h263_pred_motion(s, i, 0, &pred_x, &pred_y);
+                    ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y);

                    ff_h263_encode_motion_vector(s, s->current_picture.motion_val[0][ s->block_index[i] ][0] - pred_x,
                                                    s->current_picture.motion_val[0][ s->block_index[i] ][1] - pred_y, s->f_code);
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -210,7 +210,7 @@ static void ff_compute_band_indexes(MPADecodeContext *s, GranuleDef *g){
            else
                g->long_end = 4; /* 8000 Hz */

-            g->short_start = 2 + (s->sample_rate_index != 8);
+            g->short_start = 3;
        } else {
            g->long_end = 0;
            g->short_start = 0;
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -366,8 +366,8 @@ static int init_duplicate_context(MpegEncContext *s, MpegEncContext *base){
    int i;

    // edge emu needs blocksize + filter length - 1 (=17x17 for halfpel / 21x21 for h264)
-    FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
-    s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21*2;
+    FF_ALLOCZ_OR_GOTO(s->avctx, s->edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
+

     //FIXME should be linesize instead of s->width*2 but that is not known before get_buffer()
    FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad,  (s->width+64)*4*16*2*sizeof(uint8_t), fail)
@@ -405,7 +405,7 @@ fail:
 static void free_duplicate_context(MpegEncContext *s){
    if(s==NULL) return;

-    av_freep(&s->allocated_edge_emu_buffer); s->edge_emu_buffer= NULL;
+    av_freep(&s->edge_emu_buffer);
    av_freep(&s->me.scratchpad);
    s->me.temp=
    s->rd_scratchpad=
@@ -422,7 +422,6 @@ static void free_duplicate_context(MpegEncContext *s){

 static void backup_duplicate_context(MpegEncContext *bak, MpegEncContext *src){
 #define COPY(a) bak->a= src->a
-    COPY(allocated_edge_emu_buffer);
    COPY(edge_emu_buffer);
    COPY(me.scratchpad);
    COPY(me.temp);
--- a/libavcodec/mpegvideo.h
+++ b/libavcodec/mpegvideo.h
@@ -153,7 +153,7 @@ typedef struct MotionEstContext{
    int best_bits;
    uint32_t *map;                     ///< map to avoid duplicate evaluations
    uint32_t *score_map;               ///< map to store the scores
-    int map_generation;
+    unsigned map_generation;
    int pre_penalty_factor;
    int penalty_factor;                /*!< an estimate of the bits required to
                                        code a given mv value, e.g. (1,0) takes
@@ -317,8 +317,7 @@ typedef struct MpegEncContext {
    uint8_t *mbintra_table;       ///< used to avoid setting {ac, dc, cbp}-pred stuff to zero on inter MB decoding
    uint8_t *cbp_table;           ///< used to store cbp, ac_pred for partitioned decoding
    uint8_t *pred_dir_table;      ///< used to store pred_dir for partitioned decoding
-    uint8_t *allocated_edge_emu_buffer;
-    uint8_t *edge_emu_buffer;     ///< points into the middle of allocated_edge_emu_buffer
+    uint8_t *edge_emu_buffer;     ///< temporary buffer for if MVs point to out-of-frame data
    uint8_t *rd_scratchpad;       ///< scratchpad for rate distortion mb decision
    uint8_t *obmc_scratchpad;
    uint8_t *b_scratchpad;        ///< scratchpad used for writing into write only buffers
--- a/libavcodec/mpegvideo_common.h
+++ b/libavcodec/mpegvideo_common.h
@@ -725,7 +725,8 @@ static av_always_inline void MPV_motion_internal(MpegEncContext *s,
                        0, 0, 0,
                        ref_picture, pix_op, qpix_op,
                        s->mv[dir][0][0], s->mv[dir][0][1], 16);
-        }else if(!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && s->mspel && s->codec_id == CODEC_ID_WMV2){
+        } else if (!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) &&
+                   s->mspel && s->codec_id == CODEC_ID_WMV2) {
            ff_mspel_motion(s, dest_y, dest_cb, dest_cr,
                        ref_picture, pix_op,
                        s->mv[dir][0][0], s->mv[dir][0][1], 16);
--- a/libavcodec/mpegvideo_enc.c
+++ b/libavcodec/mpegvideo_enc.c
@@ -582,7 +582,7 @@ av_cold int MPV_encode_init(AVCodecContext *avctx)
        break;
    case CODEC_ID_H263:
        if (!CONFIG_H263_ENCODER)  return -1;
-        if (ff_match_2uint16(h263_format, FF_ARRAY_ELEMS(h263_format), s->width, s->height) == 8) {
+        if (ff_match_2uint16(ff_h263_format, FF_ARRAY_ELEMS(ff_h263_format), s->width, s->height) == 8) {
            av_log(avctx, AV_LOG_ERROR, "The specified picture size of %dx%d is not valid for the H.263 codec.\nValid sizes are 128x96, 176x144, 352x288, 704x576, and 1408x1152. Try H.263+.\n", s->width, s->height);
            return -1;
        }
@@ -708,7 +708,7 @@ av_cold int MPV_encode_init(AVCodecContext *avctx)
    if (CONFIG_H261_ENCODER && s->out_format == FMT_H261)
        ff_h261_encode_init(s);
    if (CONFIG_H263_ENCODER && s->out_format == FMT_H263)
-        h263_encode_init(s);
+        ff_h263_encode_init(s);
    if (CONFIG_MSMPEG4_ENCODER && s->msmpeg4_version)
        ff_msmpeg4_encode_init(s);
    if ((CONFIG_MPEG1VIDEO_ENCODER || CONFIG_MPEG2VIDEO_ENCODER)
@@ -1768,7 +1768,7 @@ static av_always_inline void encode_mb_internal(MpegEncContext *s, int motion_x,
    case CODEC_ID_RV10:
    case CODEC_ID_RV20:
        if (CONFIG_H263_ENCODER)
-            h263_encode_mb(s, s->block, motion_x, motion_y);
+            ff_h263_encode_mb(s, s->block, motion_x, motion_y);
        break;
    case CODEC_ID_MJPEG:
        if (CONFIG_MJPEG_ENCODER)
@@ -2200,7 +2200,7 @@ static int encode_thread(AVCodecContext *c, void *arg){
                    case CODEC_ID_H263:
                    case CODEC_ID_H263P:
                        if (CONFIG_H263_ENCODER)
-                            h263_encode_gob_header(s, mb_y);
+                            ff_h263_encode_gob_header(s, mb_y);
                    break;
                    }

@@ -2950,7 +2950,7 @@ static int encode_picture(MpegEncContext *s, int picture_number)
        else if (CONFIG_FLV_ENCODER && s->codec_id == CODEC_ID_FLV1)
            ff_flv_encode_picture_header(s, picture_number);
        else if (CONFIG_H263_ENCODER)
-            h263_encode_picture_header(s, picture_number);
+            ff_h263_encode_picture_header(s, picture_number);
        break;
    case FMT_MPEG1:
        if (CONFIG_MPEG1VIDEO_ENCODER || CONFIG_MPEG2VIDEO_ENCODER)
--- a/libavcodec/msmpeg4.c
+++ b/libavcodec/msmpeg4.c
@@ -511,7 +511,7 @@ static void msmpeg4v2_encode_motion(MpegEncContext * s, int val)
    if (val == 0) {
        /* zero vector */
        code = 0;
-        put_bits(&s->pb, mvtab[code][1], mvtab[code][0]);
+        put_bits(&s->pb, ff_mvtab[code][1], ff_mvtab[code][0]);
    } else {
        bit_size = s->f_code - 1;
        range = 1 << bit_size;
@@ -530,7 +530,7 @@ static void msmpeg4v2_encode_motion(MpegEncContext * s, int val)
        code = (val >> bit_size) + 1;
        bits = val & (range - 1);

-        put_bits(&s->pb, mvtab[code][1] + 1, (mvtab[code][0] << 1) | sign);
+        put_bits(&s->pb, ff_mvtab[code][1] + 1, (ff_mvtab[code][0] << 1) | sign);
        if (bit_size > 0) {
            put_bits(&s->pb, bit_size, bits);
        }
@@ -579,7 +579,7 @@ void msmpeg4_encode_mb(MpegEncContext * s,

            s->misc_bits += get_bits_diff(s);

-            h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
+            ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
            msmpeg4v2_encode_motion(s, motion_x - pred_x);
            msmpeg4v2_encode_motion(s, motion_y - pred_y);
        }else{
@@ -590,7 +590,7 @@ void msmpeg4_encode_mb(MpegEncContext * s,
            s->misc_bits += get_bits_diff(s);

            /* motion vector */
-            h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
+            ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y);
            ff_msmpeg4_encode_motion(s, motion_x - pred_x,
                                  motion_y - pred_y);
        }
@@ -1138,7 +1138,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, DCTELEM block[6][64])
        cbp|= cbpy<<2;
        if(s->msmpeg4_version==1 || (cbp&3) != 3) cbp^= 0x3C;

-        h263_pred_motion(s, 0, 0, &mx, &my);
+        ff_h263_pred_motion(s, 0, 0, &mx, &my);
        mx= msmpeg4v2_decode_motion(s, mx, 1);
        my= msmpeg4v2_decode_motion(s, my, 1);

@@ -1224,7 +1224,7 @@ static int msmpeg4v34_decode_mb(MpegEncContext *s, DCTELEM block[6][64])
            s->rl_table_index = decode012(&s->gb);
            s->rl_chroma_table_index = s->rl_table_index;
        }
-        h263_pred_motion(s, 0, 0, &mx, &my);
+        ff_h263_pred_motion(s, 0, 0, &mx, &my);
        if (ff_msmpeg4_decode_motion(s, &mx, &my) < 0)
            return -1;
        s->mv_dir = MV_DIR_FORWARD;
@@ -1320,8 +1320,8 @@ av_cold int ff_msmpeg4_decode_init(AVCodecContext *avctx)
                 &v2_mb_type[0][1], 2, 1,
                 &v2_mb_type[0][0], 2, 1, 128);
        INIT_VLC_STATIC(&v2_mv_vlc, V2_MV_VLC_BITS, 33,
-                 &mvtab[0][1], 2, 1,
-                 &mvtab[0][0], 2, 1, 538);
+                 &ff_mvtab[0][1], 2, 1,
+                 &ff_mvtab[0][0], 2, 1, 538);

        INIT_VLC_STATIC(&ff_mb_non_intra_vlc[0], MB_NON_INTRA_VLC_BITS, 128,
                     &wmv2_inter_table[0][0][1], 8, 4,
--- a/libavcodec/msmpeg4data.c
+++ b/libavcodec/msmpeg4data.c
@@ -592,9 +592,9 @@ static const int8_t table4_run[168] = {
 29, 30, 31, 32, 33, 34, 35, 36,
 };

-extern const uint16_t inter_vlc[103][2];
-extern const int8_t inter_level[102];
-extern const int8_t inter_run[102];
+extern const uint16_t ff_inter_vlc[103][2];
+extern const int8_t ff_inter_level[102];
+extern const int8_t ff_inter_run[102];

 extern const uint16_t ff_mpeg4_intra_vlc[103][2];
 extern const int8_t ff_mpeg4_intra_level[102];
@@ -647,9 +647,9 @@ RLTable rl_table[NB_RL_TABLES] = {
    {
        102,
        58,
-        inter_vlc,
-        inter_run,
-        inter_level,
+        ff_inter_vlc,
+        ff_inter_run,
+        ff_inter_level,
    },
 };

--- a/libavcodec/nellymoserdec.c
+++ b/libavcodec/nellymoserdec.c
@@ -157,19 +157,26 @@ static int decode_tag(AVCodecContext * avctx,
    int buf_size = avpkt->size;
    NellyMoserDecodeContext *s = avctx->priv_data;
    int data_max = *data_size;
-    int blocks, i;
+    int blocks, i, block_size;
    int16_t* samples;
-    *data_size = 0;
    samples = (int16_t*)data;

-    if (buf_size < avctx->block_align)
+    if (buf_size < avctx->block_align) {
+        *data_size = 0;
        return buf_size;
+    }

    if (buf_size % 64) {
        av_log(avctx, AV_LOG_ERROR, "Tag size %d.\n", buf_size);
+        *data_size = 0;
        return buf_size;
    }
-    blocks = buf_size / 64;
+    block_size = NELLY_SAMPLES * av_get_bytes_per_sample(avctx->sample_fmt);
+    blocks     = FFMIN(buf_size / 64, *data_size / block_size);
+    if (blocks <= 0) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
    /* Normal numbers of blocks for sample rates:
     *  8000 Hz - 1
     * 11025 Hz - 2
@@ -183,8 +190,8 @@ static int decode_tag(AVCodecContext * avctx,
            return i > 0 ? i * NELLY_BLOCK_LEN : -1;
        nelly_decode_block(s, &buf[i*NELLY_BLOCK_LEN], s->float_buf);
        s->fmt_conv.float_to_int16(&samples[i*NELLY_SAMPLES], s->float_buf, NELLY_SAMPLES);
-        *data_size += NELLY_SAMPLES*sizeof(int16_t);
    }
+    *data_size = blocks * block_size;

    return buf_size;
 }
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -191,9 +191,10 @@ retry:
    }
    if (c->codec_frameheader) {
        int w, h, q, res;
-        if (buf_size < 12) {
+        if (buf_size < RTJPEG_HEADER_SIZE || buf[4] != RTJPEG_HEADER_SIZE ||
+            buf[5] != RTJPEG_FILE_VERSION) {
            av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
        }
        w = AV_RL16(&buf[6]);
        h = AV_RL16(&buf[8]);
@@ -207,8 +208,8 @@ retry:
            size_change = 1;
            goto retry;
        }
-        buf = &buf[12];
-        buf_size -= 12;
+        buf = &buf[RTJPEG_HEADER_SIZE];
+        buf_size -= RTJPEG_HEADER_SIZE;
    }

    if ((size_change || keyframe) && c->pic.data[0])
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -148,7 +148,7 @@ static void add_paeth_prediction_c(uint8_t *dst, uint8_t *src, uint8_t *top, int
    if(bpp >= 2) g = dst[1];\
    if(bpp >= 3) b = dst[2];\
    if(bpp >= 4) a = dst[3];\
-    for(; i < size; i+=bpp) {\
+    for(; i <= size - bpp; i+=bpp) {\
        dst[i+0] = r = op(r, src[i+0], last[i+0]);\
        if(bpp == 1) continue;\
        dst[i+1] = g = op(g, src[i+1], last[i+1]);\
@@ -164,13 +164,9 @@ static void add_paeth_prediction_c(uint8_t *dst, uint8_t *src, uint8_t *top, int
    else if(bpp == 2) UNROLL1(2, op)\
    else if(bpp == 3) UNROLL1(3, op)\
    else if(bpp == 4) UNROLL1(4, op)\
-    else {\
-        for (; i < size; i += bpp) {\
-            int j;\
-            for (j = 0; j < bpp; j++)\
-                dst[i+j] = op(dst[i+j-bpp], src[i+j], last[i+j]);\
-        }\
-    }
+    for (; i < size; i++) {\
+        dst[i] = op(dst[i-bpp], src[i], last[i]);\
+    }\

 /* NOTE: 'dst' can be equal to 'last' */
 static void png_filter_row(PNGDecContext *s, uint8_t *dst, int filter_type,
@@ -469,11 +465,12 @@ static int decode_frame(AVCodecContext *avctx,
                    avctx->pix_fmt = PIX_FMT_RGB48BE;
                } else if (s->bit_depth == 1) {
                    avctx->pix_fmt = PIX_FMT_MONOBLACK;
-                } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) {
+                } else if (s->bit_depth == 8 &&
+                           s->color_type == PNG_COLOR_TYPE_PALETTE) {
                    avctx->pix_fmt = PIX_FMT_PAL8;
                } else if (s->bit_depth == 8 &&
                           s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
-                    avctx->pix_fmt = PIX_FMT_GRAY8A;
+                    avctx->pix_fmt = PIX_FMT_Y400A;
                } else {
                    goto fail;
                }
--- a/libavcodec/pngenc.c
+++ b/libavcodec/pngenc.c
@@ -55,7 +55,7 @@ static void png_get_interlaced_row(uint8_t *dst, int row_size,
    uint8_t *d;
    const uint8_t *s;

-    mask = ff_png_pass_mask[pass];
+    mask =  (int[]){0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff}[pass];
    switch(bits_per_pixel) {
    case 1:
        memset(dst, 0, row_size);
--- a/libavcodec/ptx.c
+++ b/libavcodec/ptx.c
@@ -60,7 +60,6 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,

    avctx->pix_fmt = PIX_FMT_RGB555;

-
    if (buf_end - buf < offset)
        return AVERROR_INVALIDDATA;
    if (offset != 0x2c)
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -881,9 +881,13 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
                        break;

                    case 30:
-                        if (BITS_LEFT(length,gb) >= 4)
-                            samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)];
-                        else
+                        if (BITS_LEFT(length,gb) >= 4) {
+                            unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1);
+                            if (index < FF_ARRAY_ELEMS(type30_dequant)) {
+                                samples[0] = type30_dequant[index];
+                            } else
+                                samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
+                        } else
                            samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);

                        run = 1;
@@ -897,8 +901,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
                                type34_predictor = samples[0];
                                type34_first = 0;
                            } else {
-                                samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor;
-                                type34_predictor = samples[0];
+                                unsigned index = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1);
+                                if (index < FF_ARRAY_ELEMS(type34_delta)) {
+                                    samples[0] = type34_delta[index] / type34_div + type34_predictor;
+                                    type34_predictor = samples[0];
+                                } else
+                                    samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
                            }
                        } else {
                            samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
@@ -1230,6 +1238,11 @@ static void qdm2_decode_super_block (QDM2Context *q)
    for (i = 0; packet_bytes > 0; i++) {
        int j;

+        if (i>=FF_ARRAY_ELEMS(q->sub_packet_list_A)) {
+            SAMPLES_NEEDED_2("too many packet bytes");
+            return;
+        }
+
        q->sub_packet_list_A[i].next = NULL;

        if (i > 0) {
@@ -1816,6 +1829,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
    extradata += 4;

    s->checksum_size = AV_RB32(extradata);
+    if (s->checksum_size >= 1U << 28) {
+        av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size);
+        return AVERROR_INVALIDDATA;
+    }

    s->fft_order = av_log2(s->fft_size) + 1;
    s->fft_frame_size = 2 * s->fft_size; // complex has two floats
--- a/libavcodec/qdm2_tablegen.h
+++ b/libavcodec/qdm2_tablegen.h
@@ -37,7 +37,7 @@
 #include "libavcodec/qdm2_tables.h"
 #else
 static uint16_t softclip_table[HARDCLIP_THRESHOLD - SOFTCLIP_THRESHOLD + 1];
-static float noise_table[4096];
+static float noise_table[4096 + 20];
 static uint8_t random_dequant_index[256][5];
 static uint8_t random_dequant_type24[128][3];
 static float noise_samples[128];
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -418,7 +418,7 @@ static av_cold int qtrle_decode_init(AVCodecContext *avctx)
    default:
        av_log (avctx, AV_LOG_ERROR, "Unsupported colorspace: %d bits/sample?\n",
            avctx->bits_per_coded_sample);
-        break;
+        return AVERROR_INVALIDDATA;
    }

    avcodec_get_frame_defaults(&s->frame);
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -151,6 +151,9 @@ static int raw_decode(AVCodecContext *avctx,
        frame->top_field_first  = context->tff;
    }

+    if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
+        return -1;
+
    //2bpp and 4bpp raw in avi and mov (yes this is ugly ...)
    if (context->buffer) {
        int i;
@@ -175,9 +178,6 @@ static int raw_decode(AVCodecContext *avctx,
       avctx->codec_tag == MKTAG('A', 'V', 'u', 'p'))
        buf += buf_size - context->length;

-    if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
-        return -1;
-
    avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height);
    if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) ||
       (avctx->pix_fmt!=PIX_FMT_PAL8 &&
--- a/libavcodec/roqvideodec.c
+++ b/libavcodec/roqvideodec.c
@@ -157,6 +157,12 @@ static av_cold int roq_decode_init(AVCodecContext *avctx)
    RoqContext *s = avctx->priv_data;

    s->avctx = avctx;
+
+    if (avctx->width%16 || avctx->height%16) {
+         av_log_ask_for_sample(avctx, "dimensions not being a multiple of 16 are unsupported\n");
+         return AVERROR_PATCHWELCOME;
+    }
+
    s->width = avctx->width;
    s->height = avctx->height;
    avcodec_get_frame_defaults(&s->frames[0]);
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -183,6 +183,8 @@ static void rpza_decode_stream(RpzaContext *s)
            color4[1] |= ((11 * ta + 21 * tb) >> 5);
            color4[2] |= ((21 * ta + 11 * tb) >> 5);

+            if (s->size - stream_ptr < n_blocks * 4)
+                return;
            while (n_blocks--) {
                block_ptr = row_ptr + pixel_ptr;
                for (pixel_y = 0; pixel_y < 4; pixel_y++) {
@@ -200,6 +202,8 @@ static void rpza_decode_stream(RpzaContext *s)

        /* Fill block with 16 colors */
        case 0x00:
+            if (s->size - stream_ptr < 16)
+                return;
            block_ptr = row_ptr + pixel_ptr;
            for (pixel_y = 0; pixel_y < 4; pixel_y++) {
                for (pixel_x = 0; pixel_x < 4; pixel_x++){
--- a/libavcodec/rtjpeg.h
+++ b/libavcodec/rtjpeg.h
@@ -25,6 +25,9 @@
 #include <stdint.h>
 #include "dsputil.h"

+#define RTJPEG_FILE_VERSION 0
+#define RTJPEG_HEADER_SIZE 12
+
 typedef struct {
    int w, h;
    DSPContext *dsp;
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -498,7 +498,7 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx)
    if (MPV_common_init(s) < 0)
        return -1;

-    h263_decode_init_vlc(s);
+    ff_h263_decode_init_vlc(s);

    /* init rv vlc */
    if (!done) {
@@ -672,8 +672,12 @@ static int rv10_decode_frame(AVCodecContext *avctx,

    if(!avctx->slice_count){
        slice_count = (*buf++) + 1;
+        buf_size--;
        slices_hdr = buf + 4;
        buf += 8 * slice_count;
+        buf_size -= 8 * slice_count;
+        if (buf_size <= 0)
+            return AVERROR_INVALIDDATA;
    }else
        slice_count = avctx->slice_count;

@@ -712,7 +716,7 @@ static int rv10_decode_frame(AVCodecContext *avctx,
        s->current_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...)
    }

-    return buf_size;
+    return avpkt->size;
 }

 AVCodec ff_rv10_decoder = {
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1280,6 +1280,14 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int

    if ((s->mb_x == 0 && s->mb_y == 0) || s->current_picture_ptr==NULL) {
        if(s->width != r->si.width || s->height != r->si.height){
+
+            if (HAVE_THREADS &&
+                (s->avctx->active_thread_type & FF_THREAD_FRAME)) {
+                av_log_missing_feature(s->avctx, "Width/height changing with "
+                                       "frame threading is", 0);
+                return AVERROR_PATCHWELCOME;
+            }
+
            av_log(s->avctx, AV_LOG_DEBUG, "Changing dimensions to %dx%d\n", r->si.width,r->si.height);
            MPV_common_end(s);
            s->width  = r->si.width;
@@ -1455,19 +1463,25 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
    if(get_slice_offset(avctx, slices_hdr, 0) < 0 ||
       get_slice_offset(avctx, slices_hdr, 0) > buf_size){
        av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }
    init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8);
    if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){
        av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
    }
-    if((!s->last_picture_ptr || !s->last_picture_ptr->data[0]) && si.type == AV_PICTURE_TYPE_B)
-        return -1;
+    if ((!s->last_picture_ptr || !s->last_picture_ptr->data[0]) &&
+        si.type == AV_PICTURE_TYPE_B) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid decoder state: B-frame without "
+               "reference data.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
 #if FF_API_HURRY_UP
    /* skip b frames if we are in a hurry */
    if(avctx->hurry_up && si.type==FF_B_TYPE) return buf_size;
 #endif
+
    if(   (avctx->skip_frame >= AVDISCARD_NONREF && si.type==AV_PICTURE_TYPE_B)
       || (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=AV_PICTURE_TYPE_I)
       ||  avctx->skip_frame >= AVDISCARD_ALL)        return avpkt->size;
--- a/libavcodec/rv34data.h
+++ b/libavcodec/rv34data.h
@@ -123,7 +123,7 @@ static const uint8_t rv34_quant_to_vlc_set[2][31] = {

 /**
 * table for obtaining the quantizer difference
- * @todo Use with modified_quant_tab from h263data.h.
+ * @todo Use with ff_modified_quant_tab from h263data.h.
 */
 static const uint8_t rv34_dquant_tab[2][32]={
 //  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -81,6 +81,7 @@ typedef struct ShortenContext {
    int channels;

    int32_t *decoded[MAX_CHANNELS];
+    int32_t *decoded_base[MAX_CHANNELS];
    int32_t *offset[MAX_CHANNELS];
    int *coeffs;
    uint8_t *bitstream;
@@ -130,13 +131,14 @@ static int allocate_buffers(ShortenContext *s)
            return AVERROR(ENOMEM);
        s->offset[chan] = tmp_ptr;

-        tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+        tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) *
+                             sizeof(s->decoded_base[0][0]));
        if (!tmp_ptr)
            return AVERROR(ENOMEM);
-        s->decoded[chan] = tmp_ptr;
+        s->decoded_base[chan] = tmp_ptr;
        for (i=0; i<s->nwrap; i++)
-            s->decoded[chan][i] = 0;
-        s->decoded[chan] += s->nwrap;
+            s->decoded_base[chan][i] = 0;
+        s->decoded[chan] = s->decoded_base[chan] + s->nwrap;
    }

    coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs));
@@ -548,8 +550,8 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx)
    int i;

    for (i = 0; i < s->channels; i++) {
-        s->decoded[i] -= s->nwrap;
-        av_freep(&s->decoded[i]);
+        s->decoded[i] = NULL;
+        av_freep(&s->decoded_base[i]);
        av_freep(&s->offset[i]);
    }
    av_freep(&s->bitstream);
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -127,12 +127,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref
 */
 static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx)
 {
+    if (hc->current + 1 >= hc->length) {
+        av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
+        return -1;
+    }
    if(!get_bits1(gb)){ //Leaf
        int val, i1, i2, b1, b2;
-        if(hc->current >= hc->length){
-            av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
-            return -1;
-        }
        b1 = get_bits_count(gb);
        i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0;
        b1 = get_bits_count(gb) - b1;
@@ -156,7 +156,7 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
        hc->values[hc->current++] = val;
        return 1;
    } else { //Node
-        int r = 0, t;
+        int r = 0, r_new, t;

        t = hc->current++;
        r = smacker_decode_bigtree(gb, hc, ctx);
@@ -164,8 +164,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
            return r;
        hc->values[t] = SMK_NODE | r;
        r++;
-        r += smacker_decode_bigtree(gb, hc, ctx);
-        return r;
+        r_new = smacker_decode_bigtree(gb, hc, ctx);
+        if (r_new < 0)
+            return r_new;
+        return r + r_new;
    }
 }

@@ -180,6 +182,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
    VLC vlc[2];
    int escapes[3];
    DBCtx ctx;
+    int err = 0;

    if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow
        av_log(smk->avctx, AV_LOG_ERROR, "size too large\n");
@@ -253,7 +256,8 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
    huff.current = 0;
    huff.values = av_mallocz(huff.length * sizeof(int));

-    smacker_decode_bigtree(gb, &huff, &ctx);
+    if (smacker_decode_bigtree(gb, &huff, &ctx) < 0)
+        err = -1;
    skip_bits1(gb);
    if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
    if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
@@ -272,7 +276,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
    av_free(tmp2.lengths);
    av_free(tmp2.values);

-    return 0;
+    return err;
 }

 static int decode_header_trees(SmackVContext *smk) {
@@ -641,7 +645,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    }
    if(bits) { //decode 16-bit data
        for(i = stereo; i >= 0; i--)
-            pred[i] = av_bswap16(get_bits(&gb, 16));
+            pred[i] = sign_extend(av_bswap16(get_bits(&gb, 16)), 16);
        for(i = 0; i <= stereo; i++)
            *samples++ = pred[i];
        for(; i < unp_size / 2; i++) {
--- a/libavcodec/snow.c
+++ b/libavcodec/snow.c
@@ -2299,7 +2299,7 @@ static av_cold int encode_init(AVCodecContext *avctx)
    s->m.me.map       = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t));
    s->m.me.score_map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t));
    s->m.obmc_scratchpad= av_mallocz(MB_SIZE*MB_SIZE*12*sizeof(uint32_t));
-    h263_encode_init(&s->m); //mv_penalty
+    ff_h263_encode_init(&s->m); //mv_penalty

    s->max_ref_frames = FFMAX(FFMIN(avctx->refs, MAX_REF_FRAMES), 1);

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .7.10
 .7.15