Update for 0.7.13

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Merge branch 'release/0.8' into release/0.7
2012-06-09 21:17:02 +02:00 · 2012-06-09 21:13:58 +02:00 · 2012-06-09 21:09:06 +02:00 · 2012-06-09 21:08:21 +02:00 · 2012-06-09 21:08:13 +02:00 · 2012-06-09 21:07:53 +02:00
107 changed files with 843 additions and 1146 deletions
--- a/769
+++ b/769
@@ -1,769 +0,0 @@
-Entries are sorted chronologically from oldest to youngest within each release,
-releases are sorted from youngest to oldest.
-
-version 0.7.4:
-
- vorbis: An additional defense in the Vorbis codec. (CVE-2011-3895)
- vorbisdec: Fix decoding bug with channel handling.
- matroskadec: Fix a bug where a pointer was cached to an array that might
-  later move due to a realloc(). (CVE-2011-3893)
- vorbis: Avoid some out-of-bounds reads. (CVE-2011-3893)
- vp3: fix oob read for negative tokens and memleaks on error, (CVE-2011-3892)
- avserver: Fix a bug where the socket is IPv4, but IPv6 is autoselected
-  for the loopback address.
- vp3: fix streams with non-zero last coefficient.
- swscale: fix crash in fast_bilinear code when compiled with -mred-zone.
-
-
-version 0.7.3:
-
- check buffer and input values in various parts of the code:
-  vmd (CVE-2011-4364), qdm2 (CVE-2011-4351), imgutils (several codecs),
-  vp6 (CVE-2011-4353), svq1 (CVE-2011-4579), vp3 (CVE-2011-4352), wma, 4xm
- backport avcodec_open2() as a replacement for avcodec_open()
- backport avformat_find_stream_info()
-
-
-version 0.7.2:
-
- check buffer and input values in various parts of the code:
-  H.264, VC-1, APE, FLV, Indeo 2, XAN, Ogg, MXF, wavpack, ffv1, MOV,
-  cavs (OCERT-2011-002, CVE-2011-3362), Smacker, cpu detection, lavf,
-  Matroska (CVE-2011-3504), RV10, RV30/RV40
- memory leaks: vf_scale, eval
-
- ARM: workaround for bug in GNU assembler
- AVOptions: fix av_set_string3() doxy to match reality. (Bug #28)
- Reintroduce AVInputStream.nb_streams to avoid crashes
- aac: Only output configure if audio was found
- aac: Remove some suspicious illegal memcpy()s from LTP
- aacps: skip some memcpy() if src and dst would be equal
- adts: fix PCE copying
- alsa: fallback to buffer_size/4 for period_size
- alsa: limit buffer_size to 32768 frames
- cljr, indeo2: init_get_bits size in bits instead of bytes
- configure: add missing CFLAGS to fix building on the HURD
- dca: set AVCodecContext frame_size for DTS audio
- fate: allow testing with libavfilter disabled
- gxf: fix 25 fps DV material in GXF being misdetected as 50 fps
- h264: correct implicit weight table computation for long ref pics
- h264: correct the check for invalid long term frame index in MMCO decode
- h264: fix PCM intra-coded blocks in monochrome case
- jpegdec: actually search for and parse RSTn
- lavc: fix type for thread_type option
- lavf: fix context pointer in av_open_input_stream when avformat_open_input fails
- lavf: do not set codec_tag for rawvideo
- libx264: do not set pic quality if no frame is output
- movenc: create an alternate group for each media type
- mpegts: fix Continuity Counter error detection
- mxfenc: fix ignored drop flag in binary timecode representation
- fix crashes in 32-bit PIC builds (cf e.g. http://bugs.debian.org/639948)
- ppc64: fix cast related random failures
- riff: Add mpgv MPEG-2 fourcc
- swscale: don't use planar output functions to write to NV12/21
- vc1: properly zero coded_block[] edges on new slice entry
- vp3/theora: flush after seek
-
- various bug other fixes
-
-
-version 0.7.1:
-
- added various additional FOURCC codec identifiers
- H.264 4:4:4 fixes
- build system and compilation fixes
- Doxygen and general documentation corrections and improvements
- fixed segfault in ffprobe
- behavioral fix in av_open_input_stream()
- Licensing clarification for LGPL'ed vf_gradfun
- bugfixes while seeking in multithreaded decoding
- support newer versions of OpenCV
- ffmpeg: fix operation with --disable-avfilter
- fixed integer underflow in matroska decoder
-
-
-version 0.7:
-
- E-AC-3 audio encoder
- ac3enc: add channel coupling support
- floating-point sample format support for (E-)AC-3, DCA, AAC, Vorbis decoders
- H.264/MPEG frame-level multithreading
- av_metadata_* functions renamed to av_dict_* and moved to libavutil
- 4:4:4 H.264 decoding support
- 10-bit H.264 optimizations for x86
- bump libswscale for recently reported ABI break
-
-
-version 0.7_beta2:
-
- VP8 frame-level multithreading
- NEON optimizations for VP8
- removed a lot of deprecated API cruft
- FFT and IMDCT optimizations for AVX (Sandy Bridge) processors
- DPX image encoder
- SMPTE 302M AES3 audio decoder
- ffmpeg no longer quits after the 'q' key is pressed; use 'ctrl+c' instead
- 9bit and 10bit per sample support in the H.264 decoder
-
-
-version 0.7_beta1:
-
- WebM support in Matroska de/muxer
- low overhead Ogg muxing
- MMS-TCP support
- VP8 de/encoding via libvpx
- Demuxer for On2's IVF format
- Pictor/PC Paint decoder
- HE-AAC v2 decoder
- libfaad2 wrapper removed
- DTS-ES extension (XCh) decoding support
- native VP8 decoder
- RTSP tunneling over HTTP
- RTP depacketization of SVQ3
- -strict inofficial replaced by -strict unofficial
- ffplay -exitonkeydown and -exitonmousedown options added
- native GSM / GSM MS decoder
- RTP depacketization of QDM2
- ANSI/ASCII art playback system
- Lego Mindstorms RSO de/muxer
- SubRip subtitle file muxer and demuxer
- Chinese AVS encoding via libxavs
- ffprobe -show_packets option added
- RTP packetization of Theora and Vorbis
- RTP depacketization of MP4A-LATM
- RTP packetization and depacketization of VP8
- hflip filter
- Apple HTTP Live Streaming demuxer
- a64 codec
- MMS-HTTP support
- G.722 ADPCM audio encoder/decoder
- R10k video decoder
- ocv_smooth filter
- frei0r wrapper filter
- change crop filter syntax to width:height:x:y
- make the crop filter accept parametric expressions
- make ffprobe accept AVFormatContext options
- yadif filter
- blackframe filter
- Demuxer for Leitch/Harris' VR native stream format (LXF)
- RTP depacketization of the X-QT QuickTime format
- SAP (Session Announcement Protocol, RFC 2974) muxer and demuxer
- cropdetect filter
- ffmpeg -crop* options removed
- transpose filter added
- ffmpeg -force_key_frames option added
- demuxer for receiving raw rtp:// URLs without an SDP description
- single stream LATM/LOAS decoder
- setpts filter added
- Win64 support for optimized x86 assembly functions
- MJPEG/AVI1 to JPEG/JFIF bitstream filter
- ASS subtitle encoder and decoder
- IEC 61937 encapsulation for E-AC-3, TrueHD, DTS-HD (for HDMI passthrough)
- overlay filter added
- rename aspect filter to setdar, and pixelaspect to setsar
- IEC 61937 demuxer
- Mobotix .mxg demuxer
- frei0r source added
- hqdn3d filter added
- RTP depacketization of QCELP
- FLAC parser added
- gradfun filter added
- AMR-WB decoder
- replace the ocv_smooth filter with a more generic ocv filter
- Windows Televison (WTV) demuxer
- FFmpeg metadata format muxer and demuxer
- SubRip (srt) subtitle decoder
- floating-point AC-3 encoder added
- Lagarith decoder
- ffmpeg -copytb option added
- IVF muxer added
- Wing Commander IV movies decoder added
- movie source added
- Bink version 'b' audio and video decoder
- Bitmap Brothers JV playback system
- Apple HTTP Live Streaming protocol handler
- sndio support for playback and record
- Linux framebuffer input device added
- Chronomaster DFA decoder
- Mobotix MxPEG decoder
- AAC encoding via libvo-aacenc
- AMR-WB encoding via libvo-amrwbenc
- xWMA demuxer
- fieldorder video filter added
-
-
-version 0.6:
-
- PB-frame decoding for H.263
- deprecated vhook subsystem removed
- deprecated old scaler removed
- VQF demuxer
- Alpha channel scaler
- PCX encoder
- RTP packetization of H.263
- RTP packetization of AMR
- RTP depacketization of Vorbis
- CorePNG decoding support
- Cook multichannel decoding support
- introduced avlanguage helpers in libavformat
- 8088flex TMV demuxer and decoder
- per-stream language-tags extraction in asfdec
- V210 decoder and encoder
- remaining GPL parts in AC-3 decoder converted to LGPL
- QCP demuxer
- SoX native format muxer and demuxer
- AMR-NB decoding/encoding, AMR-WB decoding via OpenCORE libraries
- DPX image decoder
- Electronic Arts Madcow decoder
- DivX (XSUB) subtitle encoder
- nonfree libamr support for AMR-NB/WB decoding/encoding removed
- experimental AAC encoder
- RTP depacketization of ASF and RTSP from WMS servers
- RTMP support in libavformat
- noX handling for OPT_BOOL X options
- Wave64 demuxer
- IEC-61937 compatible Muxer
- TwinVQ decoder
- Bluray (PGS) subtitle decoder
- LPCM support in MPEG-TS (HDMV RID as found on Blu-ray disks)
- WMA Pro decoder
- Core Audio Format demuxer
- Atrac1 decoder
- MD STUDIO audio demuxer
- RF64 support in WAV demuxer
- MPEG-4 Audio Lossless Coding (ALS) decoder
- -formats option split into -formats, -codecs, -bsfs, and -protocols
- IV8 demuxer
- CDG demuxer and decoder
- R210 decoder
- Auravision Aura 1 and 2 decoders
- Deluxe Paint Animation playback system
- SIPR decoder
- Adobe Filmstrip muxer and demuxer
- RTP depacketization of H.263
- Bink demuxer and audio/video decoders
- enable symbol versioning by default for linkers that support it
- IFF PBM/ILBM bitmap decoder
- concat protocol
- Indeo 5 decoder
- RTP depacketization of AMR
- WMA Voice decoder
- ffprobe tool
- AMR-NB decoder
- RTSP muxer
- HE-AAC v1 decoder
- Kega Game Video (KGV1) decoder
- VorbisComment writing for FLAC, Ogg FLAC and Ogg Speex files
- RTP depacketization of Theora
- HTTP Digest authentication
- RTMP/RTMPT/RTMPS/RTMPE/RTMPTE protocol support via librtmp
- Psygnosis YOP demuxer and video decoder
- spectral extension support in the E-AC-3 decoder
- unsharp video filter
- RTP hinting in the mov/3gp/mp4 muxer
- Dirac in Ogg demuxing
- seek to keyframes in Ogg
- 4:2:2 and 4:4:4 Theora decoding
- 35% faster VP3/Theora decoding
- faster AAC decoding
- faster H.264 decoding
- RealAudio 1.0 (14.4K) encoder
-
-
-version 0.5:
-
- DV50 AKA DVCPRO50 encoder, decoder, muxer and demuxer
- TechSmith Camtasia (TSCC) video decoder
- IBM Ultimotion (ULTI) video decoder
- Sierra Online audio file demuxer and decoder
- Apple QuickDraw (qdrw) video decoder
- Creative ADPCM audio decoder (16 bits as well as 8 bits schemes)
- Electronic Arts Multimedia (WVE/UV2/etc.) file demuxer
- Miro VideoXL (VIXL) video decoder
- H.261 video encoder
- QPEG video decoder
- Nullsoft Video (NSV) file demuxer
- Shorten audio decoder
- LOCO video decoder
- Apple Lossless Audio Codec (ALAC) decoder
- Winnov WNV1 video decoder
- Autodesk Animator Studio Codec (AASC) decoder
- Indeo 2 video decoder
- Fraps FPS1 video decoder
- Snow video encoder/decoder
- Sonic audio encoder/decoder
- Vorbis audio decoder
- Macromedia ADPCM decoder
- Duck TrueMotion 2 video decoder
- support for decoding FLX and DTA extensions in FLIC files
- H.264 custom quantization matrices support
- ffserver fixed, it should now be usable again
- QDM2 audio decoder
- Real Cooker audio decoder
- TrueSpeech audio decoder
- WMA2 audio decoder fixed, now all files should play correctly
- RealAudio 14.4 and 28.8 decoders fixed
- JPEG-LS decoder
- build system improvements
- tabs and trailing whitespace removed from the codebase
- CamStudio video decoder
- AIFF/AIFF-C audio format, encoding and decoding
- ADTS AAC file reading and writing
- Creative VOC file reading and writing
- American Laser Games multimedia (*.mm) playback system
- Zip Motion Blocks Video decoder
- improved Theora/VP3 decoder
- True Audio (TTA) decoder
- AVS demuxer and video decoder
- JPEG-LS encoder
- Smacker demuxer and decoder
- NuppelVideo/MythTV demuxer and RTjpeg decoder
- KMVC decoder
- MPEG-2 intra VLC support
- MPEG-2 4:2:2 encoder
- Flash Screen Video decoder
- GXF demuxer
- Chinese AVS decoder
- GXF muxer
- MXF demuxer
- VC-1/WMV3/WMV9 video decoder
- MacIntel support
- AVISynth support
- VMware video decoder
- VP5 video decoder
- VP6 video decoder
- WavPack lossless audio decoder
- Targa (.TGA) picture decoder
- Vorbis audio encoder
- Delphine Software .cin demuxer/audio and video decoder
- Tiertex .seq demuxer/video decoder
- MTV demuxer
- TIFF picture encoder and decoder
- GIF picture decoder
- Intel Music Coder decoder
- Zip Motion Blocks Video encoder
- Musepack decoder
- Flash Screen Video encoder
- Theora encoding via libtheora
- BMP encoder
- WMA encoder
- GSM-MS encoder and decoder
- DCA decoder
- DXA demuxer and decoder
- DNxHD decoder
- Gamecube movie (.THP) playback system
- Blackfin optimizations
- Interplay C93 demuxer and video decoder
- Bethsoft VID demuxer and video decoder
- CRYO APC demuxer
- Atrac3 decoder
- V.Flash PTX decoder
- RoQ muxer, RoQ audio encoder
- Renderware TXD demuxer and decoder
- extern C declarations for C++ removed from headers
- sws_flags command line option
- codebook generator
- RoQ video encoder
- QTRLE encoder
- OS/2 support removed and restored again
- AC-3 decoder
- NUT muxer
- additional SPARC (VIS) optimizations
- Matroska muxer
- slice-based parallel H.264 decoding
- Monkey's Audio demuxer and decoder
- AMV audio and video decoder
- DNxHD encoder
- H.264 PAFF decoding
- Nellymoser ASAO decoder
- Beam Software SIFF demuxer and decoder
- libvorbis Vorbis decoding removed in favor of native decoder
- IntraX8 (J-Frame) subdecoder for WMV2 and VC-1
- Ogg (Theora, Vorbis and FLAC) muxer
- The "device" muxers and demuxers are now in a new libavdevice library
- PC Paintbrush PCX decoder
- Sun Rasterfile decoder
- TechnoTrend PVA demuxer
- Linux Media Labs MPEG-4 (LMLM4) demuxer
- AVM2 (Flash 9) SWF muxer
- QT variant of IMA ADPCM encoder
- VFW grabber
- iPod/iPhone compatible mp4 muxer
- Mimic decoder
- MSN TCP Webcam stream demuxer
- RL2 demuxer / decoder
- IFF demuxer
- 8SVX audio decoder
- non-recursive Makefiles
- BFI demuxer
- MAXIS EA XA (.xa) demuxer / decoder
- BFI video decoder
- OMA demuxer
- MLP/TrueHD decoder
- Electronic Arts CMV decoder
- Motion Pixels Video decoder
- Motion Pixels MVI demuxer
- removed animated GIF decoder/demuxer
- D-Cinema audio muxer
- Electronic Arts TGV decoder
- Apple Lossless Audio Codec (ALAC) encoder
- AAC decoder
- floating point PCM encoder/decoder
- MXF muxer
- DV100 AKA DVCPRO HD decoder and demuxer
- E-AC-3 support added to AC-3 decoder
- Nellymoser ASAO encoder
- ASS and SSA demuxer and muxer
- liba52 wrapper removed
- SVQ3 watermark decoding support
- Speex decoding via libspeex
- Electronic Arts TGQ decoder
- RV40 decoder
- QCELP / PureVoice decoder
- RV30 decoder
- hybrid WavPack support
- R3D REDCODE demuxer
- ALSA support for playback and record
- Electronic Arts TQI decoder
- OpenJPEG based JPEG 2000 decoder
- NC (NC4600) camera file demuxer
- Gopher client support
- MXF D-10 muxer
- generic metadata API
-
-
-version 0.4.9-pre1:
-
- DV encoder, DV muxer
- Microsoft RLE video decoder
- Microsoft Video-1 decoder
- Apple Animation (RLE) decoder
- Apple Graphics (SMC) decoder
- Apple Video (RPZA) decoder
- Cinepak decoder
- Sega FILM (CPK) file demuxer
- Westwood multimedia support (VQA & AUD files)
- Id Quake II CIN playback support
- 8BPS video decoder
- FLIC playback support
- RealVideo 2.0 (RV20) decoder
- Duck TrueMotion v1 (DUCK) video decoder
- Sierra VMD demuxer and video decoder
- MSZH and ZLIB decoder support
- SVQ1 video encoder
- AMR-WB support
- PPC optimizations
- rate distortion optimal cbp support
- rate distorted optimal ac prediction for MPEG-4
- rate distorted optimal lambda->qp support
- AAC encoding with libfaac
- Sunplus JPEG codec (SP5X) support
- use Lagrange multipler instead of QP for ratecontrol
- Theora/VP3 decoding support
- XA and ADX ADPCM codecs
- export MPEG-2 active display area / pan scan
- Add support for configuring with IBM XLC
- floating point AAN DCT
- initial support for zygo video (not complete)
- RGB ffv1 support
- new audio/video parser API
- av_log() system
- av_read_frame() and av_seek_frame() support
- missing last frame fixes
- seek by mouse in ffplay
- noise reduction of DCT coefficients
- H.263 OBMC & 4MV support
- H.263 alternative inter vlc support
- H.263 loop filter
- H.263 slice structured mode
- interlaced DCT support for MPEG-2 encoding
- stuffing to stay above min_bitrate
- MB type & QP visualization
- frame stepping for ffplay
- interlaced motion estimation
- alternate scantable support
- SVCD scan offset support
- closed GOP support
- SSE2 FDCT
- quantizer noise shaping
- G.726 ADPCM audio codec
- MS ADPCM encoding
- multithreaded/SMP motion estimation
- multithreaded/SMP encoding for MPEG-1/MPEG-2/MPEG-4/H.263
- multithreaded/SMP decoding for MPEG-2
- FLAC decoder
- Metrowerks CodeWarrior suppport
- H.263+ custom pcf support
- nicer output for 'ffmpeg -formats'
- Matroska demuxer
- SGI image format, encoding and decoding
- H.264 loop filter support
- H.264 CABAC support
- nicer looking arrows for the motion vector visualization
- improved VCD support
- audio timestamp drift compensation
- MPEG-2 YUV 422/444 support
- polyphase kaiser windowed sinc and blackman nuttall windowed sinc audio resample
- better image scaling
- H.261 support
- correctly interleave packets during encoding
- VIS optimized motion compensation
- intra_dc_precision>0 encoding support
- support reuse of motion vectors/MB types/field select values of the source video
- more accurate deblock filter
- padding support
- many optimizations and bugfixes
- FunCom ISS audio file demuxer and according ADPCM decoding
-
-
-version 0.4.8:
-
- MPEG-2 video encoding (Michael)
- Id RoQ playback subsystem (Mike Melanson and Tim Ferguson)
- Wing Commander III Movie (.mve) file playback subsystem (Mike Melanson
-  and Mario Brito)
- Xan DPCM audio decoder (Mario Brito)
- Interplay MVE playback subsystem (Mike Melanson)
- Duck DK3 and DK4 ADPCM audio decoders (Mike Melanson)
-
-
-version 0.4.7:
-
- RealAudio 1.0 (14_4) and 2.0 (28_8) native decoders. Author unknown, code from mplayerhq
-  (originally from public domain player for Amiga at http://www.honeypot.net/audio)
- current version now also compiles with older GCC (Fabrice)
- 4X multimedia playback system including 4xm file demuxer (Mike
-  Melanson), and 4X video and audio codecs (Michael)
- Creative YUV (CYUV) decoder (Mike Melanson)
- FFV1 codec (our very simple lossless intra only codec, compresses much better
-  than HuffYUV) (Michael)
- ASV1 (Asus), H.264, Intel indeo3 codecs have been added (various)
- tiny PNG encoder and decoder, tiny GIF decoder, PAM decoder (PPM with
-  alpha support), JPEG YUV colorspace support. (Fabrice Bellard)
- ffplay has been replaced with a newer version which uses SDL (optionally)
-  for multiplatform support (Fabrice)
- Sorenson Version 3 codec (SVQ3) support has been added (decoding only) - donated
-  by anonymous
- AMR format has been added (Johannes Carlsson)
- 3GP support has been added (Johannes Carlsson)
- VP3 codec has been added (Mike Melanson)
- more MPEG-1/2 fixes
- better multiplatform support, MS Visual Studio fixes (various)
- AltiVec optimizations (Magnus Damn and others)
- SH4 processor support has been added (BERO)
- new public interfaces (avcodec_get_pix_fmt) (Roman Shaposhnick)
- VOB streaming support (Brian Foley)
- better MP3 autodetection (Andriy Rysin)
- qpel encoding (Michael)
- 4mv+b frames encoding finally fixed (Michael)
- chroma ME (Michael)
- 5 comparison functions for ME (Michael)
- B-frame encoding speedup (Michael)
- WMV2 codec (unfinished - Michael)
- user specified diamond size for EPZS (Michael)
- Playstation STR playback subsystem, still experimental (Mike and Michael)
- ASV2 codec (Michael)
- CLJR decoder (Alex)
-
-.. And lots more new enhancements and fixes.
-
-
-version 0.4.6:
-
- completely new integer only MPEG audio layer 1/2/3 decoder rewritten
-  from scratch
- Recoded DCT and motion vector search with gcc (no longer depends on nasm)
- fix quantization bug in AC3 encoder
- added PCM codecs and format. Corrected WAV/AVI/ASF PCM issues
- added prototype ffplay program
- added GOB header parsing on H.263/H.263+ decoder (Juanjo)
- bug fix on MCBPC tables of H.263 (Juanjo)
- bug fix on DC coefficients of H.263 (Juanjo)
- added Advanced Prediction Mode on H.263/H.263+ decoder (Juanjo)
- now we can decode H.263 streams found in QuickTime files (Juanjo)
- now we can decode H.263 streams found in VIVO v1 files(Juanjo)
- preliminary RTP "friendly" mode for H.263/H.263+ coding. (Juanjo)
- added GOB header for H.263/H.263+ coding on RTP mode (Juanjo)
- now H.263 picture size is returned on the first decoded frame (Juanjo)
- added first regression tests
- added MPEG-2 TS demuxer
- new demux API for libav
- more accurate and faster IDCT (Michael)
- faster and entropy-controlled motion search (Michael)
- two pass video encoding (Michael)
- new video rate control (Michael)
- added MSMPEG4V1, MSMPEGV2 and WMV1 support (Michael)
- great performance improvement of video encoders and decoders (Michael)
- new and faster bit readers and vlc parsers (Michael)
- high quality encoding mode: tries all macroblock/VLC types (Michael)
- added DV video decoder
- preliminary RTP/RTSP support in ffserver and libavformat
- H.263+ AIC decoding/encoding support (Juanjo)
- VCD MPEG-PS mode (Juanjo)
- PSNR stuff (Juanjo)
- simple stats output (Juanjo)
- 16-bit and 15-bit RGB/BGR/GBR support (Bisqwit)
-
-
-version 0.4.5:
-
- some header fixes (Zdenek Kabelac <kabi at informatics.muni.cz>)
- many MMX optimizations (Nick Kurshev <nickols_k at mail.ru>)
- added configure system (actually a small shell script)
- added MPEG audio layer 1/2/3 decoding using LGPL'ed mpglib by
-  Michael Hipp (temporary solution - waiting for integer only
-  decoder)
- fixed VIDIOCSYNC interrupt
- added Intel H.263 decoding support ('I263' AVI fourCC)
- added Real Video 1.0 decoding (needs further testing)
- simplified image formats again. Added PGM format (=grey
-  pgm). Renamed old PGM to PGMYUV.
- fixed msmpeg4 slice issues (tell me if you still find problems)
- fixed OpenDivX bugs with newer versions (added VOL header decoding)
- added support for MPlayer interface
- added macroblock skip optimization
- added MJPEG decoder
- added mmx/mmxext IDCT from libmpeg2
- added pgmyuvpipe, ppm, and ppm_pipe formats (original patch by Celer
-  <celer at shell.scrypt.net>)
- added pixel format conversion layer (e.g. for MJPEG or PPM)
- added deinterlacing option
- MPEG-1/2 fixes
- MPEG-4 vol header fixes (Jonathan Marsden <snmjbm at pacbell.net>)
- ARM optimizations (Lionel Ulmer <lionel.ulmer at free.fr>).
- Windows porting of file converter
- added MJPEG raw format (input/ouput)
- added JPEG image format support (input/output)
-
-
-version 0.4.4:
-
- fixed some std header definitions (Bjorn Lindgren
-  <bjorn.e.lindgren at telia.com>).
- added MPEG demuxer (MPEG-1 and 2 compatible).
- added ASF demuxer
- added prototype RM demuxer
- added AC3 decoding (done with libac3 by Aaron Holtzman)
- added decoding codec parameter guessing (.e.g. for MPEG, because the
-  header does not include them)
- fixed header generation in MPEG-1, AVI and ASF muxer: wmplayer can now
-  play them (only tested video)
- fixed H.263 white bug
- fixed phase rounding in img resample filter
- add MMX code for polyphase img resample filter
- added CPU autodetection
- added generic title/author/copyright/comment string handling (ASF and RM
-  use them)
- added SWF demux to extract MP3 track (not usable yet because no MP3
-  decoder)
- added fractional frame rate support
- codecs are no longer searched by read_header() (should fix ffserver
-  segfault)
-
-
-version 0.4.3:
-
- BGR24 patch (initial patch by Jeroen Vreeken <pe1rxq at amsat.org>)
- fixed raw yuv output
- added motion rounding support in MPEG-4
- fixed motion bug rounding in MSMPEG4
- added B-frame handling in video core
- added full MPEG-1 decoding support
- added partial (frame only) MPEG-2 support
- changed the FOURCC code for H.263 to "U263" to be able to see the
-  +AVI/H.263 file with the UB Video H.263+ decoder. MPlayer works with
-  this +codec ;) (JuanJo).
- Halfpel motion estimation after MB type selection (JuanJo)
- added pgm and .Y.U.V output format
- suppressed 'img:' protocol. Simply use: /tmp/test%d.[pgm|Y] as input or
-  output.
- added pgmpipe I/O format (original patch from Martin Aumueller
-  <lists at reserv.at>, but changed completely since we use a format
-  instead of a protocol)
-
-
-version 0.4.2:
-
- added H.263/MPEG-4/MSMPEG4 decoding support. MPEG-4 decoding support
-  (for OpenDivX) is almost complete: 8x8 MVs and rounding are
-  missing. MSMPEG4 support is complete.
- added prototype MPEG-1 decoder. Only I- and P-frames handled yet (it
-  can decode ffmpeg MPEGs :-)).
- added libavcodec API documentation (see apiexample.c).
- fixed image polyphase bug (the bottom of some images could be
-  greenish)
- added support for non clipped motion vectors (decoding only)
-  and image sizes non-multiple of 16
- added support for AC prediction (decoding only)
- added file overwrite confirmation (can be disabled with -y)
- added custom size picture to H.263 using H.263+ (Juanjo)
-
-
-version 0.4.1:
-
- added MSMPEG4 (aka DivX) compatible encoder. Changed default codec
-  of AVI and ASF to DIV3.
- added -me option to set motion estimation method
-  (default=log). suppressed redundant -hq option.
- added options -acodec and -vcodec to force a given codec (useful for
-  AVI for example)
- fixed -an option
- improved dct_quantize speed
- factorized some motion estimation code
-
-
-version 0.4.0:
-
- removing grab code from ffserver and moved it to ffmpeg. Added
-  multistream support to ffmpeg.
- added timeshifting support for live feeds (option ?date=xxx in the
-  URL)
- added high quality image resize code with polyphase filter (need
-  mmx/see optimization). Enable multiple image size support in ffserver.
- added multi live feed support in ffserver
- suppressed master feature from ffserver (it should be done with an
-  external program which opens the .ffm url and writes it to another
-  ffserver)
- added preliminary support for video stream parsing (WAV and AVI half
-  done). Added proper support for audio/video file conversion in
-  ffmpeg.
- added preliminary support for video file sending from ffserver
- redesigning I/O subsystem: now using URL based input and output
-  (see avio.h)
- added WAV format support
- added "tty user interface" to ffmpeg to stop grabbing gracefully
- added MMX/SSE optimizations to SAD (Sums of Absolutes Differences)
-  (Juan J. Sierralta P. a.k.a. "Juanjo" <juanjo at atmlab.utfsm.cl>)
- added MMX DCT from mpeg2_movie 1.5 (Juanjo)
- added new motion estimation algorithms, log and phods (Juanjo)
- changed directories: libav for format handling, libavcodec for
-  codecs
-
-
-version 0.3.4:
-
- added stereo in MPEG audio encoder
-
-
-version 0.3.3:
-
- added 'high quality' mode which use motion vectors. It can be used in
-  real time at low resolution.
- fixed rounding problems which caused quality problems at high
-  bitrates and large GOP size
-
-
-version 0.3.2: small fixes
-
- ASF fixes
- put_seek bug fix
-
-
-version 0.3.1: added avi/divx support
-
- added AVI support
- added MPEG-4 codec compatible with OpenDivX. It is based on the H.263 codec
- added sound for flash format (not tested)
-
-
-version 0.3: initial public release
--- a/2
+++ b/2
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 0.7.11
+PROJECT_NUMBER         = 0.7.13

 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.
--- a/2
+++ b/2
@@ -1 +1 @@
-0.7.11
+0.7.13
--- a/2
+++ b/2
@@ -1 +1 @@
-0.7.11
+0.7.13
--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -1760,9 +1760,9 @@ interlaced video, accepts one of the following values:

@table @option
@item 0
-assume bottom field first
-@item 1
 assume top field first
+@item 1
+assume bottom field first
@item -1
 enable automatic detection
@end table
--- a/libavcodec/8svx.c
+++ b/libavcodec/8svx.c
@@ -44,7 +44,7 @@ typedef struct EightSvxContext {
    /* buffer used to store the whole audio decoded/interleaved chunk,
     * which is sent with the first packet */
    uint8_t *samples;
-    size_t samples_size;
+    int64_t samples_size;
    int samples_idx;
 } EightSvxContext;

--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -754,19 +754,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
                av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
                return -1;
            }
-            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
+            do {
+                sect_len_incr = get_bits(gb, bits);
                sect_end += sect_len_incr;
-            sect_end += sect_len_incr;
-            if (get_bits_left(gb) < 0) {
-                av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-                return -1;
-            }
-            if (sect_end > ics->max_sfb) {
-                av_log(ac->avctx, AV_LOG_ERROR,
-                       "Number of bands (%d) exceeds limit (%d).\n",
-                       sect_end, ics->max_sfb);
-                return -1;
-            }
+                if (get_bits_left(gb) < 0) {
+                    av_log(ac->avctx, AV_LOG_ERROR, overread_err);
+                    return -1;
+                }
+                if (sect_end > ics->max_sfb) {
+                    av_log(ac->avctx, AV_LOG_ERROR,
+                           "Number of bands (%d) exceeds limit (%d).\n",
+                           sect_end, ics->max_sfb);
+                    return -1;
+                }
+            } while (sect_len_incr == (1 << bits) - 1);
            for (; k < sect_end; k++) {
                band_type        [idx]   = sect_band_type;
                band_type_run_end[idx++] = sect_end;
--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -1183,14 +1183,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct,
 {
    int i, n;
    const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us;
+    const int step = 128 >> div;
    float *v;
    for (i = 0; i < 32; i++) {
-        if (*v_off < 128 >> div) {
+        if (*v_off < step) {
            int saved_samples = (1280 - 128) >> div;
            memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float));
-            *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div);
+            *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step;
        } else {
-            *v_off -= 128 >> div;
+            *v_off -= step;
        }
        v = v0 + *v_off;
        if (div) {
--- a/libavcodec/ac3dsp.c
+++ b/libavcodec/ac3dsp.c
@@ -108,7 +108,7 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd,
                                     int snr_offset, int floor,
                                     const uint8_t *bap_tab, uint8_t *bap)
 {
-    int bin, band;
+    int bin, band, band_end;

    /* special case, if snr offset is -960, set all bap's to zero */
    if (snr_offset == -960) {
@@ -120,12 +120,14 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd,
    band = ff_ac3_bin_to_band_tab[start];
    do {
        int m = (FFMAX(mask[band] - snr_offset - floor, 0) & 0x1FE0) + floor;
-        int band_end = FFMIN(ff_ac3_band_start_tab[band+1], end);
+        band_end = ff_ac3_band_start_tab[++band];
+        band_end = FFMIN(band_end, end);
+
        for (; bin < band_end; bin++) {
            int address = av_clip((psd[bin] - m) >> 5, 0, 63);
            bap[bin] = bap_tab[address];
        }
-    } while (end > ff_ac3_band_start_tab[band++]);
+    } while (end > band_end);
 }

 static void ac3_update_bap_counts_c(uint16_t mant_cnt[16], uint8_t *bap,
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -778,9 +778,13 @@ static int adpcm_encode_frame(AVCodecContext *avctx,
 static av_cold int adpcm_decode_init(AVCodecContext * avctx)
 {
    ADPCMContext *c = avctx->priv_data;
+    unsigned int min_channels = 1;
    unsigned int max_channels = 2;

    switch(avctx->codec->id) {
+    case CODEC_ID_ADPCM_EA:
+        min_channels = 2;
+        break;
    case CODEC_ID_ADPCM_EA_R1:
    case CODEC_ID_ADPCM_EA_R2:
    case CODEC_ID_ADPCM_EA_R3:
@@ -788,8 +792,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
        max_channels = 6;
        break;
    }
-    if(avctx->channels > max_channels){
-        return -1;
+
+    if (avctx->channels < min_channels || avctx->channels > max_channels) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+        return AVERROR(EINVAL);
    }

    switch(avctx->codec->id) {
@@ -1360,11 +1366,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
        }
        break;
    case CODEC_ID_ADPCM_EA:
-        if (buf_size < 12 || AV_RL32(src) > (buf_size - 12)/30*28) {
-            src += buf_size;
-            break;
+        /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces,
+           each coding 28 stereo samples. */
+        if (buf_size < 12) {
+            av_log(avctx, AV_LOG_ERROR, "frame too small\n");
+            return AVERROR(EINVAL);
        }
        samples_in_chunk = AV_RL32(src);
+        if (samples_in_chunk / 28 > (buf_size - 12) / 30) {
+            av_log(avctx, AV_LOG_ERROR, "invalid frame\n");
+            return AVERROR(EINVAL);
+        }
        src += 4;
        current_left_sample   = (int16_t)bytestream_get_le16(&src);
        previous_left_sample  = (int16_t)bytestream_get_le16(&src);
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1010,7 +1010,7 @@ static void zero_remaining(unsigned int b, unsigned int b_max,
 {
    unsigned int count = 0;

-    while (b < b_max)
+    for (; b < b_max; b++)
        count += div_blocks[b];

    if (count)
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -395,7 +395,7 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent

            for (k=0; k<coded_components; k++) {
                sfIndx = get_bits(gb,6);
-                if(component_count>=64)
+                if (component_count >= 64)
                    return AVERROR_INVALIDDATA;
                pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
                max_coded_values = 1024 - pComponent[component_count].pos;
--- a/libavcodec/avcodec.h
+++ b/libavcodec/avcodec.h
@@ -544,7 +544,7 @@ enum AVChromaLocation{
 /**
 * LPC analysis type
 */
-attribute_deprecated enum AVLPCType {
+enum AVLPCType {
    AV_LPC_TYPE_DEFAULT     = -1, ///< use the codec default LPC type
    AV_LPC_TYPE_NONE        =  0, ///< do not use LPC prediction or use all zero coefficients
    AV_LPC_TYPE_FIXED       =  1, ///< fixed LPC coefficients
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -457,8 +457,8 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
                    int start_bits, int has_sign)
 {
    int i, j, len, len2, bsize, sign, v, v2;
-    int16_t *dst = (int16_t*)b->cur_dec;
-    int16_t *dst_end =( int16_t*)b->data_end;
+    int16_t *dst     = (int16_t*)b->cur_dec;
+    int16_t *dst_end = (int16_t*)b->data_end;

    CHECK_READ_VAL(gb, b, len);
    v = get_bits(gb, start_bits - has_sign);
--- a/libavcodec/binkaudio.c
+++ b/libavcodec/binkaudio.c
@@ -85,9 +85,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
        frame_len_bits = 11;
    }

-    if (avctx->channels > MAX_CHANNELS) {
-        av_log(avctx, AV_LOG_ERROR, "too many channels: %d\n", avctx->channels);
-        return -1;
+    if (avctx->channels < 1 || avctx->channels > MAX_CHANNELS) {
+        av_log(avctx, AV_LOG_ERROR, "invalid number of channels: %d\n", avctx->channels);
+        return AVERROR_INVALIDDATA;
    }

    if (avctx->extradata && avctx->extradata_size > 0)
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -280,6 +280,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
        av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
        return AVERROR(EINVAL);
    }
+    if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n");
+        return AVERROR(EINVAL);
+    }

    ret = avctx->reget_buffer(avctx, &cc->frame);
    if (ret) {
--- a/libavcodec/celp_filters.c
+++ b/libavcodec/celp_filters.c
@@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,
        out2 -= val * old_out2;
        out3 -= val * old_out3;

-        old_out3 = out[-5];
-
        for (i = 5; i <= filter_length; i += 2) {
+            old_out3 = out[-i];
            val = filter_coeffs[i-1];

            out0 -= val * old_out3;
@@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,

            FFSWAP(float, old_out0, old_out2);
            old_out1 = old_out3;
-            old_out3 = out[-i-2];
        }

        tmp0 = out0;
--- a/libavcodec/cook.c
+++ b/libavcodec/cook.c
@@ -1066,6 +1066,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
    q->sample_rate = avctx->sample_rate;
    q->nb_channels = avctx->channels;
    q->bit_rate = avctx->bit_rate;
+    if (!q->nb_channels) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+        return AVERROR_INVALIDDATA;
+    }

    /* Initialize RNG. */
    av_lfg_init(&q->random_state, 0);
--- a/libavcodec/cscd.c
+++ b/libavcodec/cscd.c
@@ -228,7 +228,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
            av_log(avctx, AV_LOG_ERROR,
                   "CamStudio codec error: invalid depth %i bpp\n",
                   avctx->bits_per_coded_sample);
-            return 1;
+            return AVERROR_INVALIDDATA;
    }
    c->bpp = avctx->bits_per_coded_sample;
    avcodec_get_frame_defaults(&c->pic);
@@ -242,7 +242,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
    c->decomp_buf = av_malloc(c->decomp_size + AV_LZO_OUTPUT_PADDING);
    if (!c->decomp_buf) {
        av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
-        return 1;
+        return AVERROR(ENOMEM);
    }
    return 0;
 }
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -29,6 +29,7 @@
 #include "libavutil/common.h"
 #include "libavutil/intmath.h"
 #include "libavutil/intreadwrite.h"
+#include "libavutil/mathematics.h"
 #include "libavutil/audioconvert.h"
 #include "avcodec.h"
 #include "dsputil.h"
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -169,6 +169,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    int in, out = 0;
    int predictor[2];
    int channel_number = 0;
+    int stereo = s->channels - 1;
    short *output_samples = data;
    int shift[2];
    unsigned char byte;
@@ -177,6 +178,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    if (!buf_size)
        return 0;

+    if (stereo && (buf_size & 1))
+        buf_size--;
+
    // almost every DPCM variant expands one byte of data into two
    if(*data_size/2 < buf_size)
        return -1;
@@ -295,7 +299,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    }

    *data_size = out * sizeof(short);
-    return buf_size;
+    return avpkt->size;
 }

 #define DPCM_DECODER(id, name, long_name_)      \
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -146,11 +146,11 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
    return dst_cur - dst;
 }

-static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
 {
    uint16_t cmd;
    int i, sz, offset, code;
-    unsigned char *dst_end = dst + dst_size;
+    unsigned char *dst_end = dst + dst_size, *dst_start = dst;
    const unsigned char *src_end = src + src_size;

    while (src < src_end && dst < dst_end) {
@@ -161,6 +161,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
            } else {
                cmd = AV_RL16(src); src += 2;
                offset = cmd >> 4;
+                if ((int) (dst - dst_start) < offset + 1)
+                    return AVERROR_INVALIDDATA;
                sz = (cmd & 0xF) + 2;
                /* don't use memcpy/memmove here as the decoding routine (ab)uses */
                /* buffer overlappings to repeat bytes in the destination */
@@ -172,6 +174,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
            }
        }
    }
+
+    return 0;
 }

 static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
@@ -201,13 +205,7 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
    const uint8_t *buf = avpkt->data;
    int buf_size = avpkt->size;
    CinVideoContext *cin = avctx->priv_data;
-    int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size;
-
-    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
-    if (avctx->reget_buffer(avctx, &cin->frame)) {
-        av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
-        return -1;
-    }
+    int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0;

    palette_type = buf[0];
    palette_colors_count = AV_RL16(buf+1);
@@ -233,8 +231,6 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
            bitmap_frame_size -= 4;
        }
    }
-    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
-    cin->frame.palette_has_changed = 1;

    /* note: the decoding routines below assumes that surface.width = surface.pitch */
    switch (bitmap_frame_type) {
@@ -267,17 +263,31 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 38:
-        cin_decode_lzss(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        res = cin_decode_lzss(buf, bitmap_frame_size,
+                              cin->bitmap_table[CIN_CUR_BMP],
+                              cin->bitmap_size);
+        if (res < 0)
+            return res;
        break;
    case 39:
-        cin_decode_lzss(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        res = cin_decode_lzss(buf, bitmap_frame_size,
+                              cin->bitmap_table[CIN_CUR_BMP],
+                              cin->bitmap_size);
+        if (res < 0)
+            return res;
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    }

+    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+    if (avctx->reget_buffer(avctx, &cin->frame)) {
+        av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
+        return -1;
+    }
+
+    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
+    cin->frame.palette_has_changed = 1;
    for (y = 0; y < cin->avctx->height; ++y)
        memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0],
          cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
--- a/libavcodec/eatqi.c
+++ b/libavcodec/eatqi.c
@@ -59,12 +59,15 @@ static av_cold int tqi_decode_init(AVCodecContext *avctx)
    return 0;
 }

-static void tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
+static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
 {
    int n;
    s->dsp.clear_blocks(block[0]);
    for (n=0; n<6; n++)
-        ff_mpeg1_decode_block_intra(s, block[n], n);
+        if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0)
+            return -1;
+
+    return 0;
 }

 static inline void tqi_idct_put(TqiContext *t, DCTELEM (*block)[64])
@@ -136,7 +139,8 @@ static int tqi_decode_frame(AVCodecContext *avctx,
    for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++)
    for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++)
    {
-        tqi_decode_mb(s, t->block);
+        if (tqi_decode_mb(s, t->block) < 0)
+            break;
        tqi_idct_put(t, t->block);
    }

--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -420,7 +420,16 @@ static inline int decode_subframe(FLACContext *s, int channel)
    type = get_bits(&s->gb, 6);

    if (get_bits1(&s->gb)) {
+        int left = get_bits_left(&s->gb);
        wasted = 1;
+        if ( left < 0 ||
+            (left < s->curr_bps && !show_bits_long(&s->gb, left)) ||
+                                   !show_bits_long(&s->gb, s->curr_bps)) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "Invalid number of wasted bits > available bits (%d) - left=%d\n",
+                   s->curr_bps, left);
+            return AVERROR_INVALIDDATA;
+        }
        while (!get_bits1(&s->gb))
            wasted++;
        s->curr_bps -= wasted;
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -135,7 +135,7 @@ static int decode_frame(AVCodecContext *avctx,
    uint32_t *luma1,*luma2,*cb,*cr;
    uint32_t offs[4];
    int i, j, is_chroma, planes;
-
+    enum PixelFormat pix_fmt;

    header = AV_RL32(buf);
    version = header & 0xff;
@@ -152,12 +152,16 @@ static int decode_frame(AVCodecContext *avctx,
    if (header_size == 8)
        buf+=4;

+    pix_fmt = version & 1 ? PIX_FMT_BGR24 : PIX_FMT_YUVJ420P;
+    if (avctx->pix_fmt != pix_fmt && f->data[0]) {
+        avctx->release_buffer(avctx, f);
+    }
+    avctx->pix_fmt = pix_fmt;
+
    switch(version) {
    case 0:
    default:
        /* Fraps v0 is a reordered YUV420 */
-        avctx->pix_fmt = PIX_FMT_YUVJ420P;
-
        if ( (buf_size != avctx->width*avctx->height*3/2+header_size) &&
             (buf_size != header_size) ) {
            av_log(avctx, AV_LOG_ERROR,
@@ -205,8 +209,6 @@ static int decode_frame(AVCodecContext *avctx,

    case 1:
        /* Fraps v1 is an upside-down BGR24 */
-        avctx->pix_fmt = PIX_FMT_BGR24;
-
        if ( (buf_size != avctx->width*avctx->height*3+header_size) &&
             (buf_size != header_size) ) {
            av_log(avctx, AV_LOG_ERROR,
@@ -241,7 +243,6 @@ static int decode_frame(AVCodecContext *avctx,
         * Fraps v2 is Huffman-coded YUV420 planes
         * Fraps v4 is virtually the same
         */
-        avctx->pix_fmt = PIX_FMT_YUVJ420P;
        planes = 3;
        f->reference = 1;
        f->buffer_hints = FF_BUFFER_HINTS_VALID |
@@ -286,7 +287,6 @@ static int decode_frame(AVCodecContext *avctx,
    case 3:
    case 5:
        /* Virtually the same as version 4, but is for RGB24 */
-        avctx->pix_fmt = PIX_FMT_BGR24;
        planes = 3;
        f->reference = 1;
        f->buffer_hints = FF_BUFFER_HINTS_VALID |
--- a/libavcodec/golomb.h
+++ b/libavcodec/golomb.h
@@ -123,7 +123,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){
    }else{
        int ret = 1;

-        while (1) {
+        do {
            buf >>= 32 - 8;
            LAST_SKIP_BITS(re, gb, FFMIN(ff_interleaved_golomb_vlc_len[buf], 8));

@@ -135,7 +135,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){
            ret = (ret << 4) | ff_interleaved_dirac_golomb_vlc_code[buf];
            UPDATE_CACHE(re, gb);
            buf = GET_CACHE(re, gb);
-        }
+        } while (ret);

        CLOSE_READER(re, gb);
        return ret - 1;
@@ -301,7 +301,7 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int
        return buf;
    }else{
        int i;
-        for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
+        for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) {
            LAST_SKIP_BITS(re, gb, 1);
            UPDATE_CACHE(re, gb);
        }
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -438,6 +438,13 @@ retry:
    if (ret < 0){
        av_log(s->avctx, AV_LOG_ERROR, "header damaged\n");
        return -1;
+    } else if ((s->width  != avctx->coded_width  ||
+                s->height != avctx->coded_height ||
+                (s->width  + 15) >> 4 != s->mb_width ||
+                (s->height + 15) >> 4 != s->mb_height) &&
+               (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))) {
+        av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+        return AVERROR_PATCHWELCOME;   // width / height changed during parallelized decoding
    }

    avctx->has_b_frames= !s->low_delay;
@@ -564,8 +571,7 @@ retry:
 #if HAVE_MMX
    if (s->codec_id == CODEC_ID_MPEG4 && s->xvid_build>=0 && avctx->idct_algo == FF_IDCT_AUTO && (av_get_cpu_flags() & AV_CPU_FLAG_MMX)) {
        avctx->idct_algo= FF_IDCT_XVIDMMX;
-        avctx->coded_width= 0; // force reinit
-//        dsputil_init(&s->dsp, avctx);
+        ff_dct_common_init(s);
        s->picture_number=0;
    }
 #endif
@@ -579,6 +585,12 @@ retry:
        || s->height != avctx->coded_height) {
        /* H.263 could change picture size any time */
        ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
+
+        if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
+            av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+            return -1;   // width / height changed during parallelized decoding
+        }
+
        s->parse_context.buffer=0;
        MPV_common_end(s);
        s->parse_context= pc;
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -108,7 +108,10 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){
    return 0;
 } //FIXME cleanup like check_intra_pred_mode

-static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
+/**
+ * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
+ */
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
    MpegEncContext * const s = &h->s;
    static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
    static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
@@ -140,23 +143,6 @@ static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
    return mode;
 }

-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode)
-{
-    return check_intra_pred_mode(h, mode, 0);
-}
-
-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode)
-{
-    return check_intra_pred_mode(h, mode, 1);
-}
-
-
 const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_length, int *consumed, int length){
    int i, si, di;
    uint8_t *dst;
@@ -2231,7 +2217,11 @@ static void implicit_weight_table(H264Context *h, int field){
    }

    if(field < 0){
-        cur_poc = s->current_picture_ptr->poc;
+        if (s->picture_structure == PICT_FRAME) {
+            cur_poc = s->current_picture_ptr->poc;
+        } else {
+            cur_poc = s->current_picture_ptr->field_poc[s->picture_structure - 1];
+        }
    if(   h->ref_count[0] == 1 && h->ref_count[1] == 1 && !FRAME_MBAFF
       && h->ref_list[0][0].poc + h->ref_list[1][0].poc == 2*cur_poc){
        h->use_weight= 0;
@@ -2630,9 +2620,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    if (s->context_initialized
        && (   s->width != s->avctx->width || s->height != s->avctx->height
            || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) {
-        if(h != h0) {
+        if(h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) {
            av_log_missing_feature(s->avctx, "Width/height changing with threads is", 0);
-            return -1;   // width / height changed during parallelized decoding
+            return AVERROR_PATCHWELCOME;   // width / height changed during parallelized decoding
        }
        free_tables(h, 0);
        flush_dpb(s->avctx);
@@ -2896,7 +2886,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    h->ref_count[1]= h->pps.ref_count[1];

    if(h->slice_type_nos != AV_PICTURE_TYPE_I){
-        unsigned max= (16<<(s->picture_structure != PICT_FRAME))-1;
+        unsigned max= s->picture_structure == PICT_FRAME ? 15 : 31;
+
        if(h->slice_type_nos == AV_PICTURE_TYPE_B){
            h->direct_spatial_mv_pred= get_bits1(&s->gb);
        }
@@ -2906,13 +2897,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
            h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
            if(h->slice_type_nos==AV_PICTURE_TYPE_B)
                h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
+        }

-        }
-        if(h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
+        if (h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
            av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
-            h->ref_count[0]= h->ref_count[1]= 1;
-            return -1;
+            h->ref_count[0] = h->ref_count[1] = 1;
+            return AVERROR_INVALIDDATA;
        }
+
        if(h->slice_type_nos == AV_PICTURE_TYPE_B)
            h->list_count= 2;
        else
@@ -3761,7 +3753,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
                case NAL_IDR_SLICE:
                case NAL_SLICE:
                    init_get_bits(&hx->s.gb, ptr, bit_length);
-                    if(!get_ue_golomb(&hx->s.gb))
+                    if (!get_ue_golomb(&hx->s.gb))
                        nals_needed = nal_index;
            }
            continue;
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -658,12 +658,7 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h);
 /**
 * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
 */
-int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode);
-
-/**
- * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode);
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma);

 void ff_h264_write_back_intra_pred_mode(H264Context *h);
 void ff_h264_hl_decode_mb(H264Context *h);
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1959,6 +1959,8 @@ decode_intra_mb:
        }

        // The pixels are stored in the same order as levels in h->mb array.
+        if ((int) (h->cabac.bytestream_end - ptr) < mb_size)
+            return -1;
        memcpy(h->mb, ptr, mb_size); ptr+=mb_size;

        ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr);
@@ -2003,14 +2005,14 @@ decode_intra_mb:
            ff_h264_write_back_intra_pred_mode(h);
            if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1;
        } else {
-            h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode( h, h->intra16x16_pred_mode );
+            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode, 0 );
            if( h->intra16x16_pred_mode < 0 ) return -1;
        }
        if(decode_chroma){
            h->chroma_pred_mode_table[mb_xy] =
            pred_mode                        = decode_cabac_mb_chroma_pre_mode( h );

-            pred_mode= ff_h264_check_intra_chroma_pred_mode( h, pred_mode );
+            pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode, 1 );
            if( pred_mode < 0 ) return -1;
            h->chroma_pred_mode= pred_mode;
        } else {
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -238,17 +238,18 @@ static inline int pred_non_zero_count(H264Context *h, int n){
 }

 static av_cold void init_cavlc_level_tab(void){
-    int suffix_length, mask;
+    int suffix_length;
    unsigned int i;

    for(suffix_length=0; suffix_length<7; suffix_length++){
        for(i=0; i<(1<<LEVEL_TAB_BITS); i++){
            int prefix= LEVEL_TAB_BITS - av_log2(2*i);
-            int level_code= (prefix<<suffix_length) + (i>>(LEVEL_TAB_BITS-prefix-1-suffix_length)) - (1<<suffix_length);

-            mask= -(level_code&1);
-            level_code= (((2+level_code)>>1) ^ mask) - mask;
            if(prefix + 1 + suffix_length <= LEVEL_TAB_BITS){
+                int level_code = (prefix << suffix_length) +
+                    (i >> (av_log2(i) - suffix_length)) - (1 << suffix_length);
+                int mask = -(level_code&1);
+                level_code = (((2 + level_code) >> 1) ^ mask) - mask;
                cavlc_level_tab[suffix_length][i][0]= level_code;
                cavlc_level_tab[suffix_length][i][1]= prefix + 1 + suffix_length;
            }else if(prefix + 1 <= LEVEL_TAB_BITS){
@@ -735,12 +736,12 @@ decode_intra_mb:
            if( ff_h264_check_intra4x4_pred_mode(h) < 0)
                return -1;
        }else{
-            h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode(h, h->intra16x16_pred_mode);
+            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode, 0);
            if(h->intra16x16_pred_mode < 0)
                return -1;
        }
        if(decode_chroma){
-            pred_mode= ff_h264_check_intra_chroma_pred_mode(h, get_ue_golomb_31(&s->gb));
+            pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb), 1);
            if(pred_mode < 0)
                return -1;
            h->chroma_pred_mode= pred_mode;
--- a/libavcodec/h264_parser.c
+++ b/libavcodec/h264_parser.c
@@ -251,6 +251,12 @@ static int h264_parse(AVCodecParserContext *s,
        h->got_first = 1;
        if (avctx->extradata_size) {
            h->s.avctx = avctx;
+            // must be done like in decoder, otherwise opening the parser,
+            // letting it create extradata and then closing and opening again
+            // will cause has_b_frames to be always set.
+            // Note that estimate_timings_from_pts does exactly this.
+            if (!avctx->has_b_frames)
+                h->s.low_delay = 1;
            ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size);
        }
    }
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -345,9 +345,9 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
        if (sps->chroma_format_idc > 3U) {
            av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc %d is illegal\n", sps->chroma_format_idc);
            goto fail;
-        }
-        if(sps->chroma_format_idc == 3)
+        } else if(sps->chroma_format_idc == 3) {
            sps->residual_color_transform_flag = get_bits1(&s->gb);
+        }
        sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
        sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
        if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) {
@@ -485,10 +485,14 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
    unsigned int pps_id= get_ue_golomb(&s->gb);
    PPS *pps;
    const int qp_bd_offset = 6*(h->sps.bit_depth_luma-8);
+    int bits_left;

    if(pps_id >= MAX_PPS_COUNT) {
        av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id);
        return -1;
+    } else if (h->sps.bit_depth_luma > 10) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma);
+        return AVERROR_PATCHWELCOME;
    }

    pps= av_mallocz(sizeof(PPS));
@@ -561,7 +565,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
    memcpy(pps->scaling_matrix4, h->sps_buffers[pps->sps_id]->scaling_matrix4, sizeof(pps->scaling_matrix4));
    memcpy(pps->scaling_matrix8, h->sps_buffers[pps->sps_id]->scaling_matrix8, sizeof(pps->scaling_matrix8));

-    if(get_bits_count(&s->gb) < bit_length){
+    bits_left = bit_length - get_bits_count(&s->gb);
+    if (bits_left && (bits_left > 8 ||
+                      show_bits(&s->gb, bits_left) != 1 << (bits_left - 1))) {
        pps->transform_8x8_mode= get_bits1(&s->gb);
        decode_scaling_matrices(h, h->sps_buffers[pps->sps_id], pps, 0, pps->scaling_matrix4, pps->scaling_matrix8);
        pps->chroma_qp_index_offset[1]= get_se_golomb(&s->gb); //second_chroma_qp_index_offset
--- a/libavcodec/huffyuv.c
+++ b/libavcodec/huffyuv.c
@@ -82,13 +82,15 @@ typedef struct HYuvContext{
    DSPContext dsp;
 }HYuvContext;

-static const unsigned char classic_shift_luma[] = {
+#define classic_shift_luma_table_size 42
+static const unsigned char classic_shift_luma[classic_shift_luma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
  34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8,
  16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70,
  69,68, 0
 };

-static const unsigned char classic_shift_chroma[] = {
+#define classic_shift_chroma_table_size 59
+static const unsigned char classic_shift_chroma[classic_shift_chroma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
  66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183,
  56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119,
  214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0
@@ -184,7 +186,7 @@ static int read_len_table(uint8_t *dst, GetBitContext *gb){
        if(repeat==0)
            repeat= get_bits(gb, 8);
 //printf("%d %d\n", val, repeat);
-        if(i+repeat > 256) {
+        if(i+repeat > 256 || get_bits_left(gb) < 0) {
            av_log(NULL, AV_LOG_ERROR, "Error reading huffman table\n");
            return -1;
        }
@@ -366,10 +368,10 @@ static int read_old_huffman_tables(HYuvContext *s){
    GetBitContext gb;
    int i;

-    init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
+    init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8);
    if(read_len_table(s->len[0], &gb)<0)
        return -1;
-    init_get_bits(&gb, classic_shift_chroma, sizeof(classic_shift_chroma)*8);
+    init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8);
    if(read_len_table(s->len[1], &gb)<0)
        return -1;

@@ -515,7 +517,7 @@ s->bgr32=1;
        }
        break;
    default:
-        assert(0);
+        return AVERROR_INVALIDDATA;
    }

    alloc_temp(s);
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -176,7 +176,13 @@ static int extract_header(AVCodecContext *const avctx,
    const uint8_t *buf;
    unsigned buf_size;
    IffContext *s = avctx->priv_data;
-    int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+    int palette_size;
+
+    if (avctx->extradata_size < 2) {
+        av_log(avctx, AV_LOG_ERROR, "not enough extradata\n");
+        return AVERROR_INVALIDDATA;
+    }
+    palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);

    if (avpkt) {
        int image_size;
@@ -192,8 +198,6 @@ static int extract_header(AVCodecContext *const avctx,
            return AVERROR_INVALIDDATA;
        }
    } else {
-        if (avctx->extradata_size < 2)
-            return AVERROR_INVALIDDATA;
        buf = avctx->extradata;
        buf_size = bytestream_get_be16(&buf);
        if (buf_size <= 1 || palette_size < 0) {
@@ -281,7 +285,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
    int err;

    if (avctx->bits_per_coded_sample <= 8) {
-        int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+        int palette_size;
+
+        if (avctx->extradata_size >= 2)
+            palette_size = avctx->extradata_size - AV_RB16(avctx->extradata);
+        else
+            palette_size = 0;
        avctx->pix_fmt = (avctx->bits_per_coded_sample < 8) ||
                         (avctx->extradata_size >= 2 && palette_size) ? PIX_FMT_PAL8 : PIX_FMT_GRAY8;
    } else if (avctx->bits_per_coded_sample <= 32) {
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -219,6 +219,10 @@ static int decode_gop_header(IVI5DecContext *ctx, AVCodecContext *avctx)
            }

            if (band->blk_size == 8) {
+                if(quant_mat >= 5){
+                    av_log(avctx, AV_LOG_ERROR, "quant_mat %d too large!\n", quant_mat);
+                    return -1;
+                }
                band->intra_base  = &ivi5_base_quant_8x8_intra[quant_mat][0];
                band->inter_base  = &ivi5_base_quant_8x8_inter[quant_mat][0];
                band->intra_scale = &ivi5_scale_quant_8x8_intra[quant_mat][0];
--- a/libavcodec/intelh263dec.c
+++ b/libavcodec/intelh263dec.c
@@ -77,7 +77,7 @@ int ff_intel_h263_decode_picture_header(MpegEncContext *s)
        }
        if(get_bits(&s->gb, 2))
            av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
-        s->loop_filter = get_bits1(&s->gb);
+        s->loop_filter = get_bits1(&s->gb) * !s->avctx->lowres;
        if(get_bits1(&s->gb))
            av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n");
        if(get_bits1(&s->gb))
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -961,6 +961,8 @@ int h263_decode_picture_header(MpegEncContext *s)
            s->h263_aic = get_bits1(&s->gb); /* Advanced Intra Coding (AIC) */
            s->loop_filter= get_bits1(&s->gb);
            s->unrestricted_mv = s->umvplus || s->obmc || s->loop_filter;
+            if(s->avctx->lowres)
+                s->loop_filter = 0;

            s->h263_slice_structured= get_bits1(&s->gb);
            if (get_bits1(&s->gb) != 0) {
--- a/libavcodec/jvdec.c
+++ b/libavcodec/jvdec.c
@@ -143,6 +143,10 @@ static int decode_frame(AVCodecContext *avctx,
    buf += 5;

    if (video_size) {
+        if(video_size < 0) {
+            av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size);
+            return AVERROR_INVALIDDATA;
+        }
        if (avctx->reget_buffer(avctx, &s->frame) < 0) {
            av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
            return -1;
@@ -150,7 +154,7 @@ static int decode_frame(AVCodecContext *avctx,

        if (video_type == 0 || video_type == 1) {
            GetBitContext gb;
-            init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8));
+            init_get_bits(&gb, buf, 8 * FFMIN(video_size, buf_end - buf));

            for (j = 0; j < avctx->height; j += 8)
                for (i = 0; i < avctx->width; i += 8)
--- a/libavcodec/kgv1dec.c
+++ b/libavcodec/kgv1dec.c
@@ -30,19 +30,26 @@

 typedef struct {
    AVCodecContext *avctx;
-    AVFrame pic;
-    uint16_t *prev, *cur;
+    AVFrame prev, cur;
 } KgvContext;

+static void decode_flush(AVCodecContext *avctx)
+{
+    KgvContext * const c = avctx->priv_data;
+
+    if (c->prev.data[0])
+        avctx->release_buffer(avctx, &c->prev);
+}
+
 static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt)
 {
    const uint8_t *buf = avpkt->data;
    const uint8_t *buf_end = buf + avpkt->size;
    KgvContext * const c = avctx->priv_data;
-    int offsets[7];
+    int offsets[8];
    uint16_t *out, *prev;
    int outcnt = 0, maxcnt;
-    int w, h, i;
+    int w, h, i, res;

    if (avpkt->size < 2)
        return -1;
@@ -54,22 +61,25 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
    if (av_image_check_size(w, h, 0, avctx))
        return -1;

-    if (w != avctx->width || h != avctx->height)
+    if (w != avctx->width || h != avctx->height) {
+        if (c->prev.data[0])
+            avctx->release_buffer(avctx, &c->prev);
        avcodec_set_dimensions(avctx, w, h);
+    }

    maxcnt = w * h;

-    out = av_realloc(c->cur, w * h * 2);
-    if (!out)
-        return -1;
-    c->cur = out;
+    c->cur.reference = 3;
+    if ((res = avctx->get_buffer(avctx, &c->cur)) < 0)
+        return res;
+    out  = (uint16_t *) c->cur.data[0];
+    if (c->prev.data[0]) {
+        prev = (uint16_t *) c->prev.data[0];
+    } else {
+        prev = NULL;
+    }

-    prev = av_realloc(c->prev, w * h * 2);
-    if (!prev)
-        return -1;
-    c->prev = prev;
-
-    for (i = 0; i < 7; i++)
+    for (i = 0; i < 8; i++)
        offsets[i] = -1;

    while (outcnt < maxcnt && buf_end - 2 > buf) {
@@ -80,6 +90,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
            out[outcnt++] = code; // rgb555 pixel coded directly
        } else {
            int count;
+            int inp_off;
            uint16_t *inp;

            if ((code & 0x6000) == 0x6000) {
@@ -101,7 +112,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                if (maxcnt - start < count)
                    break;

-                inp = prev + start;
+                if (!prev) {
+                    av_log(avctx, AV_LOG_ERROR,
+                           "Frame reference does not exist\n");
+                    break;
+                }
+
+                inp = prev;
+                inp_off = start;
            } else {
                // copy from earlier in this frame
                int offset = (code & 0x1FFF) + 1;
@@ -119,27 +137,28 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                if (outcnt < offset)
                    break;

-                inp = out + outcnt - offset;
+                inp = out;
+                inp_off = outcnt - offset;
            }

            if (maxcnt - outcnt < count)
                break;

-            for (i = 0; i < count; i++)
+            for (i = inp_off; i < count + inp_off; i++) {
                out[outcnt++] = inp[i];
+            }
        }
    }

    if (outcnt - maxcnt)
        av_log(avctx, AV_LOG_DEBUG, "frame finished with %d diff\n", outcnt - maxcnt);

-    c->pic.data[0]     = (uint8_t *)c->cur;
-    c->pic.linesize[0] = w * 2;
-
    *data_size = sizeof(AVFrame);
-    *(AVFrame*)data = c->pic;
+    *(AVFrame*)data = c->cur;

-    FFSWAP(uint16_t *, c->cur, c->prev);
+    if (c->prev.data[0])
+        avctx->release_buffer(avctx, &c->prev);
+    FFSWAP(AVFrame, c->cur, c->prev);

    return avpkt->size;
 }
@@ -150,29 +169,25 @@ static av_cold int decode_init(AVCodecContext *avctx)

    c->avctx = avctx;
    avctx->pix_fmt = PIX_FMT_RGB555;
-    avcodec_get_frame_defaults(&c->pic);
+    avctx->flags  |= CODEC_FLAG_EMU_EDGE;

    return 0;
 }

 static av_cold int decode_end(AVCodecContext *avctx)
 {
-    KgvContext * const c = avctx->priv_data;
-
-    av_freep(&c->cur);
-    av_freep(&c->prev);
-
+    decode_flush(avctx);
    return 0;
 }

 AVCodec ff_kgv1_decoder = {
-    "kgv1",
-    AVMEDIA_TYPE_VIDEO,
-    CODEC_ID_KGV1,
-    sizeof(KgvContext),
-    decode_init,
-    NULL,
-    decode_end,
-    decode_frame,
+    .name           = "kgv1",
+    .type           = AVMEDIA_TYPE_VIDEO,
+    .id             = CODEC_ID_KGV1,
+    .priv_data_size = sizeof(KgvContext),
+    .init           = decode_init,
+    .close          = decode_end,
+    .decode         = decode_frame,
+    .flush          = decode_flush,
    .long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"),
 };
--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -33,6 +33,7 @@
 #define KMVC_KEYFRAME 0x80
 #define KMVC_PALETTE  0x40
 #define KMVC_METHOD   0x0F
+#define MAX_PALSIZE   256

 /*
 * Decoder context
@@ -43,7 +44,7 @@ typedef struct KmvcContext {

    int setpal;
    int palsize;
-    uint32_t pal[256];
+    uint32_t pal[MAX_PALSIZE];
    uint8_t *cur, *prev;
    uint8_t *frm0, *frm1;
 } KmvcContext;
@@ -57,17 +58,21 @@ typedef struct BitBuf {

 #define kmvc_init_getbits(bb, src)  bb.bits = 7; bb.bitbuf = *src++;

-#define kmvc_getbit(bb, src, res) {\
+#define kmvc_getbit(bb, src, src_end, res) {\
    res = 0; \
    if (bb.bitbuf & (1 << bb.bits)) res = 1; \
    bb.bits--; \
    if(bb.bits == -1) { \
+        if (src >= src_end) { \
+            av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); \
+            return AVERROR_INVALIDDATA; \
+        } \
        bb.bitbuf = *src++; \
        bb.bits = 7; \
    } \
 }

-static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h)
+static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
 {
    BitBuf bb;
    int res, val;
@@ -75,13 +80,18 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
    int bx, by;
    int l0x, l1x, l0y, l1y;
    int mx, my;
+    const uint8_t *src_end = src + src_size;

    kmvc_init_getbits(bb, src);

    for (by = 0; by < h; by += 8)
        for (bx = 0; bx < w; bx += 8) {
-            kmvc_getbit(bb, src, res);
+            kmvc_getbit(bb, src, src_end, res);
            if (!res) {         // fill whole 8x8 block
+                if (src >= src_end) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                    return AVERROR_INVALIDDATA;
+                }
                val = *src++;
                for (i = 0; i < 64; i++)
                    BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
@@ -89,14 +99,22 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                for (i = 0; i < 4; i++) {
                    l0x = bx + (i & 1) * 4;
                    l0y = by + (i & 2) * 2;
-                    kmvc_getbit(bb, src, res);
+                    kmvc_getbit(bb, src, src_end, res);
                    if (!res) {
-                        kmvc_getbit(bb, src, res);
+                        kmvc_getbit(bb, src, src_end, res);
                        if (!res) {     // fill whole 4x4 block
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            for (j = 0; j < 16; j++)
                                BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
                        } else {        // copy block from already decoded place
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            mx = val & 0xF;
                            my = val >> 4;
@@ -108,16 +126,24 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                        for (j = 0; j < 4; j++) {
                            l1x = l0x + (j & 1) * 2;
                            l1y = l0y + (j & 2);
-                            kmvc_getbit(bb, src, res);
+                            kmvc_getbit(bb, src, src_end, res);
                            if (!res) {
-                                kmvc_getbit(bb, src, res);
+                                kmvc_getbit(bb, src, src_end, res);
                                if (!res) {     // fill whole 2x2 block
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    BLK(ctx->cur, l1x, l1y) = val;
                                    BLK(ctx->cur, l1x + 1, l1y) = val;
                                    BLK(ctx->cur, l1x, l1y + 1) = val;
                                    BLK(ctx->cur, l1x + 1, l1y + 1) = val;
                                } else {        // copy block from already decoded place
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    mx = val & 0xF;
                                    my = val >> 4;
@@ -140,9 +166,11 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                }
            }
        }
+
+    return 0;
 }

-static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h)
+static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
 {
    BitBuf bb;
    int res, val;
@@ -150,15 +178,20 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
    int bx, by;
    int l0x, l1x, l0y, l1y;
    int mx, my;
+    const uint8_t *src_end = src + src_size;

    kmvc_init_getbits(bb, src);

    for (by = 0; by < h; by += 8)
        for (bx = 0; bx < w; bx += 8) {
-            kmvc_getbit(bb, src, res);
+            kmvc_getbit(bb, src, src_end, res);
            if (!res) {
-                kmvc_getbit(bb, src, res);
+                kmvc_getbit(bb, src, src_end, res);
                if (!res) {     // fill whole 8x8 block
+                    if (src >= src_end) {
+                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                    val = *src++;
                    for (i = 0; i < 64; i++)
                        BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
@@ -171,14 +204,22 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                for (i = 0; i < 4; i++) {
                    l0x = bx + (i & 1) * 4;
                    l0y = by + (i & 2) * 2;
-                    kmvc_getbit(bb, src, res);
+                    kmvc_getbit(bb, src, src_end, res);
                    if (!res) {
-                        kmvc_getbit(bb, src, res);
+                        kmvc_getbit(bb, src, src_end, res);
                        if (!res) {     // fill whole 4x4 block
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            for (j = 0; j < 16; j++)
                                BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
                        } else {        // copy block
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            mx = (val & 0xF) - 8;
                            my = (val >> 4) - 8;
@@ -190,16 +231,24 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                        for (j = 0; j < 4; j++) {
                            l1x = l0x + (j & 1) * 2;
                            l1y = l0y + (j & 2);
-                            kmvc_getbit(bb, src, res);
+                            kmvc_getbit(bb, src, src_end, res);
                            if (!res) {
-                                kmvc_getbit(bb, src, res);
+                                kmvc_getbit(bb, src, src_end, res);
                                if (!res) {     // fill whole 2x2 block
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    BLK(ctx->cur, l1x, l1y) = val;
                                    BLK(ctx->cur, l1x + 1, l1y) = val;
                                    BLK(ctx->cur, l1x, l1y + 1) = val;
                                    BLK(ctx->cur, l1x + 1, l1y + 1) = val;
                                } else {        // copy block
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    mx = (val & 0xF) - 8;
                                    my = (val >> 4) - 8;
@@ -222,6 +271,8 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                }
            }
        }
+
+    return 0;
 }

 static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt)
@@ -300,10 +351,10 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa
        memcpy(ctx->cur, ctx->prev, 320 * 200);
        break;
    case 3:
-        kmvc_decode_intra_8x8(ctx, buf, avctx->width, avctx->height);
+        kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
        break;
    case 4:
-        kmvc_decode_inter_8x8(ctx, buf, avctx->width, avctx->height);
+        kmvc_decode_inter_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD);
@@ -365,6 +416,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
        c->palsize = 127;
    } else {
        c->palsize = AV_RL16(avctx->extradata + 10);
+        if (c->palsize >= MAX_PALSIZE) {
+            av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");
+            return AVERROR_INVALIDDATA;
+        }
    }

    if (avctx->extradata_size == 1036) {        // palette in extradata
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -223,8 +223,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                len = mszh_dlen;
            }
            break;
-        case COMP_MSZH_NOCOMP:
+        case COMP_MSZH_NOCOMP: {
+            int bppx2;
+            switch (c->imgtype) {
+            case IMGTYPE_YUV111:
+            case IMGTYPE_RGB24:
+                bppx2 = 6;
+                break;
+            case IMGTYPE_YUV422:
+            case IMGTYPE_YUV211:
+                bppx2 = 4;
+                break;
+            case IMGTYPE_YUV411:
+            case IMGTYPE_YUV420:
+                bppx2 = 3;
+                break;
+            default:
+                bppx2 = 0; // will error out below
+                break;
+            }
+            if (len < ((width * height * bppx2) >> 1))
+                return AVERROR_INVALIDDATA;
            break;
+        }
        default:
            av_log(avctx, AV_LOG_ERROR, "BUG! Unknown MSZH compression in frame decoder.\n");
            return -1;
@@ -456,7 +477,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    avcodec_get_frame_defaults(&c->pic);
    if (avctx->extradata_size < 8) {
        av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n");
-        return 1;
+        return AVERROR_INVALIDDATA;
    }

    /* Check codec type */
@@ -505,7 +526,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Unsupported image format %d.\n", c->imgtype);
-        return 1;
+        return AVERROR_INVALIDDATA;
    }

    /* Detect compression method */
@@ -522,7 +543,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
            break;
        default:
            av_log(avctx, AV_LOG_ERROR, "Unsupported compression format for MSZH (%d).\n", c->compression);
-            return 1;
+            return AVERROR_INVALIDDATA;
        }
        break;
 #if CONFIG_ZLIB_DECODER
@@ -540,7 +561,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
        default:
            if (c->compression < Z_NO_COMPRESSION || c->compression > Z_BEST_COMPRESSION) {
                av_log(avctx, AV_LOG_ERROR, "Unsupported compression level for ZLIB: (%d).\n", c->compression);
-                return 1;
+                return AVERROR_INVALIDDATA;
            }
            av_log(avctx, AV_LOG_DEBUG, "Compression level for ZLIB: (%d).\n", c->compression);
        }
@@ -548,14 +569,14 @@ static av_cold int decode_init(AVCodecContext *avctx)
 #endif
    default:
        av_log(avctx, AV_LOG_ERROR, "BUG! Unknown codec in compression switch.\n");
-        return 1;
+        return AVERROR_INVALIDDATA;
    }

    /* Allocate decompression buffer */
    if (c->decomp_size) {
        if ((c->decomp_buf = av_malloc(max_decomp_size)) == NULL) {
            av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
-            return 1;
+            return AVERROR(ENOMEM);
        }
    }

@@ -581,7 +602,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
        if (zret != Z_OK) {
            av_log(avctx, AV_LOG_ERROR, "Inflate init error: %d\n", zret);
            av_freep(&c->decomp_buf);
-            return 1;
+            return AVERROR_INVALIDDATA;
        }
    }
 #endif
--- a/libavcodec/mjpegbdec.c
+++ b/libavcodec/mjpegbdec.c
@@ -59,6 +59,9 @@ read_header:
    s->restart_count = 0;
    s->mjpb_skiptosod = 0;

+    if (buf_end - buf_ptr >= 1 << 28)
+        return AVERROR_INVALIDDATA;
+
    init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8);

    skip_bits(&hgb, 32); /* reserved zeros */
@@ -66,7 +69,7 @@ read_header:
    if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g'))
    {
        av_log(avctx, AV_LOG_WARNING, "not mjpeg-b (bad fourcc)\n");
-        return 0;
+        return AVERROR_INVALIDDATA;
    }

    field_size = get_bits_long(&hgb, 32); /* field size */
@@ -109,8 +112,8 @@ read_header:
    av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs);
    if (sos_offs)
    {
-//        init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8);
-        init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8);
+        init_get_bits(&s->gb, buf_ptr + sos_offs,
+                      8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs));
        s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16));
        s->start_code = SOS;
        ff_mjpeg_decode_sos(s, NULL, NULL);
@@ -142,7 +145,7 @@ read_header:
        picture->quality*= FF_QP2LAMBDA;
    }

-    return buf_ptr - buf;
+    return buf_size;
 }

 AVCodec ff_mjpegb_decoder = {
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -52,7 +52,7 @@ static inline int sad_hpel_motion_search(MpegEncContext * s,
                                  int src_index, int ref_index,
                                  int size, int h);

-static inline int update_map_generation(MotionEstContext *c)
+static inline unsigned update_map_generation(MotionEstContext *c)
 {
    c->map_generation+= 1<<(ME_MAP_MV_BITS*2);
    if(c->map_generation==0){
--- a/libavcodec/motion_est_template.c
+++ b/libavcodec/motion_est_template.c
@@ -158,9 +158,8 @@ static int hpel_motion_search(MpegEncContext * s,
        const int b= score_map[(index+(1<<ME_MAP_SHIFT))&(ME_MAP_SIZE-1)]
                     + (mv_penalty[bx   - pred_x] + mv_penalty[by+2 - pred_y])*c->penalty_factor;

-#if 1
-        int key;
-        int map_generation= c->map_generation;
+        unsigned key;
+        unsigned map_generation= c->map_generation;
 #ifndef NDEBUG
        uint32_t *map= c->map;
 #endif
@@ -172,7 +171,6 @@ static int hpel_motion_search(MpegEncContext * s,
        assert(map[(index+1)&(ME_MAP_SIZE-1)] == key);
        key= ((my)<<ME_MAP_MV_BITS) + (mx-1) + map_generation;
        assert(map[(index-1)&(ME_MAP_SIZE-1)] == key);
-#endif
        if(t<=b){
            CHECK_HALF_MV(0, 1, mx  ,my-1)
            if(l<=r){
@@ -280,7 +278,7 @@ static int qpel_motion_search(MpegEncContext * s,
    const int mx = *mx_ptr;
    const int my = *my_ptr;
    const int penalty_factor= c->sub_penalty_factor;
-    const int map_generation= c->map_generation;
+    const unsigned map_generation = c->map_generation;
    const int subpel_quality= c->avctx->me_subpel_quality;
    uint32_t *map= c->map;
    me_cmp_func cmpf, chroma_cmpf;
@@ -497,7 +495,7 @@ static int qpel_motion_search(MpegEncContext * s,

 #define CHECK_MV(x,y)\
 {\
-    const int key= ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
+    const unsigned key = ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
    const int index= (((y)<<ME_MAP_SHIFT) + (x))&(ME_MAP_SIZE-1);\
    assert((x) >= xmin);\
    assert((x) <= xmax);\
@@ -525,7 +523,7 @@ static int qpel_motion_search(MpegEncContext * s,

 #define CHECK_MV_DIR(x,y,new_dir)\
 {\
-    const int key= ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
+    const unsigned key = ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
    const int index= (((y)<<ME_MAP_SHIFT) + (x))&(ME_MAP_SIZE-1);\
 /*printf("check_mv_dir %d %d %d\n", x, y, new_dir);*/\
    if(map[index]!=key){\
@@ -563,13 +561,13 @@ static av_always_inline int small_diamond_search(MpegEncContext * s, int *best,
    int next_dir=-1;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];

    { /* ensure that the best point is in the MAP as h/qpel refinement needs it */
-        const int key= (best[1]<<ME_MAP_MV_BITS) + best[0] + map_generation;
+        const unsigned key = (best[1]<<ME_MAP_MV_BITS) + best[0] + map_generation;
        const int index= ((best[1]<<ME_MAP_SHIFT) + best[0])&(ME_MAP_SIZE-1);
        if(map[index]!=key){ //this will be executed only very rarey
            score_map[index]= cmp(s, best[0], best[1], 0, 0, size, h, ref_index, src_index, cmpf, chroma_cmpf, flags);
@@ -605,7 +603,7 @@ static int funny_diamond_search(MpegEncContext * s, int *best, int dmin,
    int dia_size;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -646,7 +644,7 @@ static int hex_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y,d;
    const int dec= dia_size & (dia_size-1);

@@ -680,7 +678,7 @@ static int l2s_dia_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y,i,d;
    int dia_size= c->dia_size&0xFF;
    const int dec= dia_size & (dia_size-1);
@@ -718,7 +716,7 @@ static int umh_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y,x2,y2, i, j, d;
    const int dia_size= c->dia_size&0xFE;
    static const int hex[16][2]={{-4,-2}, {-4,-1}, {-4, 0}, {-4, 1}, {-4, 2},
@@ -765,7 +763,7 @@ static int full_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y, d;
    const int dia_size= c->dia_size&0xFF;

@@ -794,7 +792,7 @@ static int full_search(MpegEncContext * s, int *best, int dmin,

 #define SAB_CHECK_MV(ax,ay)\
 {\
-    const int key= ((ay)<<ME_MAP_MV_BITS) + (ax) + map_generation;\
+    const unsigned key = ((ay)<<ME_MAP_MV_BITS) + (ax) + map_generation;\
    const int index= (((ay)<<ME_MAP_SHIFT) + (ax))&(ME_MAP_SIZE-1);\
 /*printf("sab check %d %d\n", ax, ay);*/\
    if(map[index]!=key){\
@@ -833,7 +831,7 @@ static int sab_diamond_search(MpegEncContext * s, int *best, int dmin,
    int i, j;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -918,7 +916,7 @@ static int var_diamond_search(MpegEncContext * s, int *best, int dmin,
    int dia_size;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -1010,7 +1008,7 @@ static av_always_inline int epzs_motion_search_internal(MpegEncContext * s, int
    int d;                   ///< the score (cmp + penalty) of any given mv
    int dmin;                /*!< the best value of d, i.e. the score
                               corresponding to the mv stored in best[]. */
-    int map_generation;
+    unsigned map_generation;
    int penalty_factor;
    const int ref_mv_stride= s->mb_stride; //pass as arg  FIXME
    const int ref_mv_xy= s->mb_x + s->mb_y*ref_mv_stride; //add to last_mv beforepassing FIXME
@@ -1138,7 +1136,7 @@ static int epzs_motion_search4(MpegEncContext * s,
    MotionEstContext * const c= &s->me;
    int best[2]={0, 0};
    int d, dmin;
-    int map_generation;
+    unsigned map_generation;
    const int penalty_factor= c->penalty_factor;
    const int size=1;
    const int h=8;
@@ -1198,7 +1196,7 @@ static int epzs_motion_search2(MpegEncContext * s,
    MotionEstContext * const c= &s->me;
    int best[2]={0, 0};
    int d, dmin;
-    int map_generation;
+    unsigned map_generation;
    const int penalty_factor= c->penalty_factor;
    const int size=0; //FIXME pass as arg
    const int h=8;
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -55,6 +55,11 @@ static av_cold int mp_decode_init(AVCodecContext *avctx)
    int w4 = (avctx->width  + 3) & ~3;
    int h4 = (avctx->height + 3) & ~3;

+    if(avctx->extradata_size < 2){
+        av_log(avctx, AV_LOG_ERROR, "extradata too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    motionpixels_tableinit();
    mp->avctx = avctx;
    dsputil_init(&mp->dsp, avctx);
@@ -191,10 +196,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y)
            p = mp_get_yuv_from_rgb(mp, x - 1, y);
        } else {
            p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+            p.y = av_clip(p.y, 0, 31);
            if ((x & 3) == 0) {
                if ((y & 3) == 0) {
                    p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+                    p.v = av_clip(p.v, -32, 31);
                    p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+                    p.u = av_clip(p.u, -32, 31);
                    mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p;
                } else {
                    p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v;
@@ -218,9 +226,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb)
            p = mp_get_yuv_from_rgb(mp, 0, y);
        } else {
            p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+            p.y = av_clip(p.y, 0, 31);
            if ((y & 3) == 0) {
                p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+                p.v = av_clip(p.v, -32, 31);
                p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+                p.u = av_clip(p.u, -32, 31);
            }
            mp->vpt[y] = p;
            mp_set_rgb_from_yuv(mp, 0, y, &p);
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -138,7 +138,8 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx)
    c->frames = 1 << (get_bits(&gb, 3) * 2);

    avctx->sample_fmt = AV_SAMPLE_FMT_S16;
-    avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
+    avctx->channel_layout = (channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
+    avctx->channels = channels;

    if(vlc_initialized) return 0;
    av_log(avctx, AV_LOG_DEBUG, "Initing VLC\n");
--- a/libavcodec/mpeg12enc.c
+++ b/libavcodec/mpeg12enc.c
@@ -27,6 +27,7 @@

 #include "avcodec.h"
 #include "dsputil.h"
+#include "mathops.h"
 #include "mpegvideo.h"

 #include "mpeg12.h"
@@ -681,8 +682,7 @@ static void mpeg1_encode_motion(MpegEncContext *s, int val, int f_or_b_code)
        int bit_size = f_or_b_code - 1;
        int range = 1 << bit_size;
        /* modulo encoding */
-        int l= INT_BIT - 5 - bit_size;
-        val= (val<<l)>>l;
+        val = sign_extend(val, 5 + bit_size);

        if (val >= 0) {
            val--;
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -366,8 +366,8 @@ static int init_duplicate_context(MpegEncContext *s, MpegEncContext *base){
    int i;

    // edge emu needs blocksize + filter length - 1 (=17x17 for halfpel / 21x21 for h264)
-    FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
-    s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21*2;
+    FF_ALLOCZ_OR_GOTO(s->avctx, s->edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
+

     //FIXME should be linesize instead of s->width*2 but that is not known before get_buffer()
    FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad,  (s->width+64)*4*16*2*sizeof(uint8_t), fail)
@@ -405,7 +405,7 @@ fail:
 static void free_duplicate_context(MpegEncContext *s){
    if(s==NULL) return;

-    av_freep(&s->allocated_edge_emu_buffer); s->edge_emu_buffer= NULL;
+    av_freep(&s->edge_emu_buffer);
    av_freep(&s->me.scratchpad);
    s->me.temp=
    s->rd_scratchpad=
@@ -422,7 +422,6 @@ static void free_duplicate_context(MpegEncContext *s){

 static void backup_duplicate_context(MpegEncContext *bak, MpegEncContext *src){
 #define COPY(a) bak->a= src->a
-    COPY(allocated_edge_emu_buffer);
    COPY(edge_emu_buffer);
    COPY(me.scratchpad);
    COPY(me.temp);
--- a/libavcodec/mpegvideo.h
+++ b/libavcodec/mpegvideo.h
@@ -153,7 +153,7 @@ typedef struct MotionEstContext{
    int best_bits;
    uint32_t *map;                     ///< map to avoid duplicate evaluations
    uint32_t *score_map;               ///< map to store the scores
-    int map_generation;
+    unsigned map_generation;
    int pre_penalty_factor;
    int penalty_factor;                /*!< an estimate of the bits required to
                                        code a given mv value, e.g. (1,0) takes
@@ -317,8 +317,7 @@ typedef struct MpegEncContext {
    uint8_t *mbintra_table;       ///< used to avoid setting {ac, dc, cbp}-pred stuff to zero on inter MB decoding
    uint8_t *cbp_table;           ///< used to store cbp, ac_pred for partitioned decoding
    uint8_t *pred_dir_table;      ///< used to store pred_dir for partitioned decoding
-    uint8_t *allocated_edge_emu_buffer;
-    uint8_t *edge_emu_buffer;     ///< points into the middle of allocated_edge_emu_buffer
+    uint8_t *edge_emu_buffer;     ///< temporary buffer for if MVs point to out-of-frame data
    uint8_t *rd_scratchpad;       ///< scratchpad for rate distortion mb decision
    uint8_t *obmc_scratchpad;
    uint8_t *b_scratchpad;        ///< scratchpad used for writing into write only buffers
--- a/libavcodec/nellymoserdec.c
+++ b/libavcodec/nellymoserdec.c
@@ -157,19 +157,26 @@ static int decode_tag(AVCodecContext * avctx,
    int buf_size = avpkt->size;
    NellyMoserDecodeContext *s = avctx->priv_data;
    int data_max = *data_size;
-    int blocks, i;
+    int blocks, i, block_size;
    int16_t* samples;
-    *data_size = 0;
    samples = (int16_t*)data;

-    if (buf_size < avctx->block_align)
+    if (buf_size < avctx->block_align) {
+        *data_size = 0;
        return buf_size;
+    }

    if (buf_size % 64) {
        av_log(avctx, AV_LOG_ERROR, "Tag size %d.\n", buf_size);
+        *data_size = 0;
        return buf_size;
    }
-    blocks = buf_size / 64;
+    block_size = NELLY_SAMPLES * av_get_bytes_per_sample(avctx->sample_fmt);
+    blocks     = FFMIN(buf_size / 64, *data_size / block_size);
+    if (blocks <= 0) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
    /* Normal numbers of blocks for sample rates:
     *  8000 Hz - 1
     * 11025 Hz - 2
@@ -183,8 +190,8 @@ static int decode_tag(AVCodecContext * avctx,
            return i > 0 ? i * NELLY_BLOCK_LEN : -1;
        nelly_decode_block(s, &buf[i*NELLY_BLOCK_LEN], s->float_buf);
        s->fmt_conv.float_to_int16(&samples[i*NELLY_SAMPLES], s->float_buf, NELLY_SAMPLES);
-        *data_size += NELLY_SAMPLES*sizeof(int16_t);
    }
+    *data_size = blocks * block_size;

    return buf_size;
 }
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -469,11 +469,12 @@ static int decode_frame(AVCodecContext *avctx,
                    avctx->pix_fmt = PIX_FMT_RGB48BE;
                } else if (s->bit_depth == 1) {
                    avctx->pix_fmt = PIX_FMT_MONOBLACK;
-                } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) {
+                } else if (s->bit_depth == 8 &&
+                           s->color_type == PNG_COLOR_TYPE_PALETTE) {
                    avctx->pix_fmt = PIX_FMT_PAL8;
                } else if (s->bit_depth == 8 &&
                           s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
-                    avctx->pix_fmt = PIX_FMT_GRAY8A;
+                    avctx->pix_fmt = PIX_FMT_Y400A;
                } else {
                    goto fail;
                }
--- a/libavcodec/pngenc.c
+++ b/libavcodec/pngenc.c
@@ -55,7 +55,7 @@ static void png_get_interlaced_row(uint8_t *dst, int row_size,
    uint8_t *d;
    const uint8_t *s;

-    mask = ff_png_pass_mask[pass];
+    mask =  (int[]){0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff}[pass];
    switch(bits_per_pixel) {
    case 1:
        memset(dst, 0, row_size);
--- a/libavcodec/ptx.c
+++ b/libavcodec/ptx.c
@@ -60,7 +60,6 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,

    avctx->pix_fmt = PIX_FMT_RGB555;

-
    if (buf_end - buf < offset)
        return AVERROR_INVALIDDATA;
    if (offset != 0x2c)
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -881,9 +881,13 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
                        break;

                    case 30:
-                        if (BITS_LEFT(length,gb) >= 4)
-                            samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)];
-                        else
+                        if (BITS_LEFT(length,gb) >= 4) {
+                            unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1);
+                            if (index < FF_ARRAY_ELEMS(type30_dequant)) {
+                                samples[0] = type30_dequant[index];
+                            } else
+                                samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
+                        } else
                            samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);

                        run = 1;
@@ -897,8 +901,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
                                type34_predictor = samples[0];
                                type34_first = 0;
                            } else {
-                                samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor;
-                                type34_predictor = samples[0];
+                                unsigned index = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1);
+                                if (index < FF_ARRAY_ELEMS(type34_delta)) {
+                                    samples[0] = type34_delta[index] / type34_div + type34_predictor;
+                                    type34_predictor = samples[0];
+                                } else
+                                    samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
                            }
                        } else {
                            samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
@@ -1816,6 +1824,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
    extradata += 4;

    s->checksum_size = AV_RB32(extradata);
+    if (s->checksum_size >= 1U << 28) {
+        av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size);
+        return AVERROR_INVALIDDATA;
+    }

    s->fft_order = av_log2(s->fft_size) + 1;
    s->fft_frame_size = 2 * s->fft_size; // complex has two floats
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -418,7 +418,7 @@ static av_cold int qtrle_decode_init(AVCodecContext *avctx)
    default:
        av_log (avctx, AV_LOG_ERROR, "Unsupported colorspace: %d bits/sample?\n",
            avctx->bits_per_coded_sample);
-        break;
+        return AVERROR_INVALIDDATA;
    }

    avcodec_get_frame_defaults(&s->frame);
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -151,6 +151,9 @@ static int raw_decode(AVCodecContext *avctx,
        frame->top_field_first  = context->tff;
    }

+    if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
+        return -1;
+
    //2bpp and 4bpp raw in avi and mov (yes this is ugly ...)
    if (context->buffer) {
        int i;
@@ -175,9 +178,6 @@ static int raw_decode(AVCodecContext *avctx,
       avctx->codec_tag == MKTAG('A', 'V', 'u', 'p'))
        buf += buf_size - context->length;

-    if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
-        return -1;
-
    avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height);
    if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) ||
       (avctx->pix_fmt!=PIX_FMT_PAL8 &&
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -183,6 +183,8 @@ static void rpza_decode_stream(RpzaContext *s)
            color4[1] |= ((11 * ta + 21 * tb) >> 5);
            color4[2] |= ((21 * ta + 11 * tb) >> 5);

+            if (s->size - stream_ptr < n_blocks * 4)
+                return;
            while (n_blocks--) {
                block_ptr = row_ptr + pixel_ptr;
                for (pixel_y = 0; pixel_y < 4; pixel_y++) {
@@ -200,6 +202,8 @@ static void rpza_decode_stream(RpzaContext *s)

        /* Fill block with 16 colors */
        case 0x00:
+            if (s->size - stream_ptr < 16)
+                return;
            block_ptr = row_ptr + pixel_ptr;
            for (pixel_y = 0; pixel_y < 4; pixel_y++) {
                for (pixel_x = 0; pixel_x < 4; pixel_x++){
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -672,8 +672,12 @@ static int rv10_decode_frame(AVCodecContext *avctx,

    if(!avctx->slice_count){
        slice_count = (*buf++) + 1;
+        buf_size--;
        slices_hdr = buf + 4;
        buf += 8 * slice_count;
+        buf_size -= 8 * slice_count;
+        if (buf_size <= 0)
+            return AVERROR_INVALIDDATA;
    }else
        slice_count = avctx->slice_count;

@@ -712,7 +716,7 @@ static int rv10_decode_frame(AVCodecContext *avctx,
        s->current_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...)
    }

-    return buf_size;
+    return avpkt->size;
 }

 AVCodec ff_rv10_decoder = {
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -131,7 +131,8 @@ static int allocate_buffers(ShortenContext *s)
            return AVERROR(ENOMEM);
        s->offset[chan] = tmp_ptr;

-        tmp_ptr = av_realloc(s->decoded_base[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+        tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) *
+                             sizeof(s->decoded_base[0][0]));
        if (!tmp_ptr)
            return AVERROR(ENOMEM);
        s->decoded_base[chan] = tmp_ptr;
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -127,12 +127,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref
 */
 static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx)
 {
+    if (hc->current + 1 >= hc->length) {
+        av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
+        return -1;
+    }
    if(!get_bits1(gb)){ //Leaf
        int val, i1, i2, b1, b2;
-        if(hc->current >= hc->length){
-            av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
-            return -1;
-        }
        b1 = get_bits_count(gb);
        i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0;
        b1 = get_bits_count(gb) - b1;
@@ -156,7 +156,7 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
        hc->values[hc->current++] = val;
        return 1;
    } else { //Node
-        int r = 0, t;
+        int r = 0, r_new, t;

        t = hc->current++;
        r = smacker_decode_bigtree(gb, hc, ctx);
@@ -164,8 +164,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
            return r;
        hc->values[t] = SMK_NODE | r;
        r++;
-        r += smacker_decode_bigtree(gb, hc, ctx);
-        return r;
+        r_new = smacker_decode_bigtree(gb, hc, ctx);
+        if (r_new < 0)
+            return r_new;
+        return r + r_new;
    }
 }

@@ -180,6 +182,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
    VLC vlc[2];
    int escapes[3];
    DBCtx ctx;
+    int err = 0;

    if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow
        av_log(smk->avctx, AV_LOG_ERROR, "size too large\n");
@@ -253,7 +256,8 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
    huff.current = 0;
    huff.values = av_mallocz(huff.length * sizeof(int));

-    smacker_decode_bigtree(gb, &huff, &ctx);
+    if (smacker_decode_bigtree(gb, &huff, &ctx) < 0)
+        err = -1;
    skip_bits1(gb);
    if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
    if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
@@ -272,7 +276,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
    av_free(tmp2.lengths);
    av_free(tmp2.values);

-    return 0;
+    return err;
 }

 static int decode_header_trees(SmackVContext *smk) {
--- a/libavcodec/srtdec.c
+++ b/libavcodec/srtdec.c
@@ -110,7 +110,7 @@ static const char *srt_to_ass(AVCodecContext *avctx, char *out, char *out_end,
                                    for (j=sptr-2; j>=0; j--)
                                        if (stack[j].param[i][0]) {
                                            out += snprintf(out, out_end-out,
-                                                            stack[j].param[i]);
+                                                            "%s", stack[j].param[i]);
                                            break;
                                        }
                        } else {
@@ -146,7 +146,7 @@ static const char *srt_to_ass(AVCodecContext *avctx, char *out, char *out_end,
                            for (i=0; i<PARAM_NUMBER; i++)
                                if (stack[sptr].param[i][0])
                                    out += snprintf(out, out_end-out,
-                                                    stack[sptr].param[i]);
+                                                    "%s", stack[sptr].param[i]);
                        }
                    } else if (!buffer[1] && strspn(buffer, "bisu") == 1) {
                        out += snprintf(out, out_end-out,
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -612,7 +612,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
        dir = i_mb_type_info[mb_type - 8].pred_mode;
        dir = (dir >> 1) ^ 3*(dir & 1) ^ 1;

-        if ((h->intra16x16_pred_mode = ff_h264_check_intra16x16_pred_mode(h, dir)) == -1){
+        if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1){
            av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n");
            return -1;
        }
@@ -711,7 +711,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
    s->current_picture.mb_type[mb_xy] = mb_type;

    if (IS_INTRA(mb_type)) {
-        h->chroma_pred_mode = ff_h264_check_intra_chroma_pred_mode(h, DC_PRED8x8);
+        h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8, 1);
    }

    return 0;
@@ -811,7 +811,9 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx)
    MpegEncContext *s = &h->s;
    int m;
    unsigned char *extradata;
+    unsigned char *extradata_end;
    unsigned int size;
+    int marker_found = 0;

    if (ff_h264_decode_init(avctx) < 0)
        return -1;
@@ -832,19 +834,26 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx)

        /* prowl for the "SEQH" marker in the extradata */
        extradata = (unsigned char *)avctx->extradata;
-        for (m = 0; m < avctx->extradata_size; m++) {
-            if (!memcmp(extradata, "SEQH", 4))
-                break;
-            extradata++;
+        extradata_end = avctx->extradata + avctx->extradata_size;
+        if (extradata) {
+            for (m = 0; m + 8 < avctx->extradata_size; m++) {
+                if (!memcmp(extradata, "SEQH", 4)) {
+                    marker_found = 1;
+                    break;
+                }
+                extradata++;
+            }
        }

        /* if a match was found, parse the extra data */
-        if (extradata && !memcmp(extradata, "SEQH", 4)) {
+        if (marker_found) {

            GetBitContext gb;
            int frame_size_code;

            size = AV_RB32(&extradata[4]);
+            if (size > extradata_end - extradata - 8)
+                return AVERROR_INVALIDDATA;
            init_get_bits(&gb, extradata + 8, size*8);

            /* 'frame size code' and optional 'width, height' */
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -56,24 +56,24 @@ typedef struct TiffContext {
    LZWState *lzw;
 } TiffContext;

-static int tget_short(const uint8_t **p, int le){
-    int v = le ? AV_RL16(*p) : AV_RB16(*p);
+static unsigned tget_short(const uint8_t **p, int le) {
+    unsigned v = le ? AV_RL16(*p) : AV_RB16(*p);
    *p += 2;
    return v;
 }

-static int tget_long(const uint8_t **p, int le){
-    int v = le ? AV_RL32(*p) : AV_RB32(*p);
+static unsigned tget_long(const uint8_t **p, int le) {
+    unsigned v = le ? AV_RL32(*p) : AV_RB32(*p);
    *p += 4;
    return v;
 }

-static int tget(const uint8_t **p, int type, int le){
+static unsigned tget(const uint8_t **p, int type, int le) {
    switch(type){
    case TIFF_BYTE : return *(*p)++;
    case TIFF_SHORT: return tget_short(p, le);
    case TIFF_LONG : return tget_long (p, le);
-    default        : return -1;
+    default        : return UINT_MAX;
    }
 }

@@ -274,7 +274,7 @@ static int init_image(TiffContext *s)

 static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *buf, const uint8_t *end_buf)
 {
-    int tag, type, count, off, value = 0;
+    unsigned tag, type, count, off, value = 0;
    int i, j;
    uint32_t *pal;
    const uint8_t *rp, *gp, *bp;
@@ -286,6 +286,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
    count = tget_long(&buf, s->le);
    off = tget_long(&buf, s->le);

+    if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
+        av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
+        return 0;
+    }
+
    if(count == 1){
        switch(type){
        case TIFF_BYTE:
@@ -304,13 +309,15 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
                break;
            }
        default:
-            value = -1;
+            value = UINT_MAX;
+            buf = start + off;
+        }
+    } else {
+        if (count <= 4 && type_sizes[type] * count <= 4) {
+            buf -= 4;
+        } else {
            buf = start + off;
        }
-    }else if(type_sizes[type] * count <= 4){
-        buf -= 4;
-    }else{
-        buf = start + off;
    }

    if(buf && (buf < start || buf > end_buf)){
@@ -388,7 +395,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
        }
        break;
    case TIFF_ROWSPERSTRIP:
-        if(type == TIFF_LONG && value == -1)
+        if (type == TIFF_LONG && value == UINT_MAX)
            value = s->avctx->height;
        if(value < 1){
            av_log(s->avctx, AV_LOG_ERROR, "Incorrect value of rows per strip\n");
@@ -526,6 +533,8 @@ static int decode_frame(AVCodecContext *avctx,
        av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n");
        return -1;
    }
+    // Reset these pointers so we can tell if they were set this frame
+    s->stripsizes = s->stripdata = NULL;
    /* parse image file directory */
    off = tget_long(&buf, le);
    if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) {
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -520,6 +520,10 @@ hres,vres,i,i%vres (0 < i < 4)
 }

 #define APPLY_C_PREDICTOR() \
+    if(index > 1023){\
+        av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+        return; \
+    }\
    predictor_pair = s->c_predictor_table[index]; \
    horiz_pred += (predictor_pair >> 1); \
    if (predictor_pair & 1) { \
@@ -537,6 +541,10 @@ hres,vres,i,i%vres (0 < i < 4)
        index++;

 #define APPLY_C_PREDICTOR_24() \
+    if(index > 1023){\
+        av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+        return; \
+    }\
    predictor_pair = s->c_predictor_table[index]; \
    horiz_pred += (predictor_pair >> 1); \
    if (predictor_pair & 1) { \
@@ -555,6 +563,10 @@ hres,vres,i,i%vres (0 < i < 4)


 #define APPLY_Y_PREDICTOR() \
+    if(index > 1023){\
+        av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+        return; \
+    }\
    predictor_pair = s->y_predictor_table[index]; \
    horiz_pred += (predictor_pair >> 1); \
    if (predictor_pair & 1) { \
@@ -572,6 +584,10 @@ hres,vres,i,i%vres (0 < i < 4)
        index++;

 #define APPLY_Y_PREDICTOR_24() \
+    if(index > 1023){\
+        av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+        return; \
+    }\
    predictor_pair = s->y_predictor_table[index]; \
    horiz_pred += (predictor_pair >> 1); \
    if (predictor_pair & 1) { \
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -132,7 +132,7 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code)
               huff.val_bits, huff.max_bits);
        return -1;
    }
-    if((huff.nodes < 0) || (huff.nodes > 0x10000)) {
+    if((huff.nodes <= 0) || (huff.nodes > 0x10000)) {
        av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of Huffman tree nodes: %i\n", huff.nodes);
        return -1;
    }
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -484,6 +484,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Unsupported bitdepth %i\n", c->bpp);
+        return AVERROR_INVALIDDATA;
    }

    return 0;
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -150,7 +150,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values)
    }
 }

-static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1,
+static inline void render_line_unrolled(intptr_t x, int y, int x1,
                                        intptr_t sy, int ady, int adx,
                                        float *buf)
 {
@@ -162,30 +162,30 @@ static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1,
        if (err >= 0) {
            err += ady - adx;
            y   += sy;
-            buf[x++] = ff_vorbis_floor1_inverse_db_table[y];
+            buf[x++] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
        }
-        buf[x] = ff_vorbis_floor1_inverse_db_table[y];
+        buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
    }
    if (x <= 0) {
        if (err + ady >= 0)
            y += sy;
-        buf[x] = ff_vorbis_floor1_inverse_db_table[y];
+        buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
    }
 }

-static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf)
+static void render_line(int x0, int y0, int x1, int y1, float *buf)
 {
    int dy  = y1 - y0;
    int adx = x1 - x0;
    int ady = FFABS(dy);
    int sy  = dy < 0 ? -1 : 1;
-    buf[x0] = ff_vorbis_floor1_inverse_db_table[y0];
+    buf[x0] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y0)];
    if (ady*2 <= adx) { // optimized common case
        render_line_unrolled(x0, y0, x1, sy, ady, adx, buf);
    } else {
        int base  = dy / adx;
        int x     = x0;
-        uint8_t y = y0;
+        int y     = y0;
        int err   = -adx;
        ady -= FFABS(base) * adx;
        while (++x < x1) {
@@ -195,7 +195,7 @@ static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf)
                err -= adx;
                y   += sy;
            }
-            buf[x] = ff_vorbis_floor1_inverse_db_table[y];
+            buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
        }
    }
 }
@@ -204,8 +204,7 @@ void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values,
                                  uint16_t *y_list, int *flag,
                                  int multiplier, float *out, int samples)
 {
-    int lx, i;
-    uint8_t ly;
+    int lx, ly, i;
    lx = 0;
    ly = y_list[0] * multiplier;
    for (i = 1; i < values; i++) {
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -1232,20 +1232,20 @@ static int vorbis_floor1_decode(vorbis_context *vc,
            floor1_flag[i]               = 1;
            if (val >= room) {
                if (highroom > lowroom) {
-                    floor1_Y_final[i] = val - lowroom + predicted;
+                    floor1_Y_final[i] = av_clip_uint16(val - lowroom + predicted);
                } else {
-                    floor1_Y_final[i] = predicted - val + highroom - 1;
+                    floor1_Y_final[i] = av_clip_uint16(predicted - val + highroom - 1);
                }
            } else {
                if (val & 1) {
-                    floor1_Y_final[i] = predicted - (val + 1) / 2;
+                    floor1_Y_final[i] = av_clip_uint16(predicted - (val + 1) / 2);
                } else {
-                    floor1_Y_final[i] = predicted + val / 2;
+                    floor1_Y_final[i] = av_clip_uint16(predicted + val / 2);
                }
            }
        } else {
            floor1_flag[i]    = 0;
-            floor1_Y_final[i] = predicted;
+            floor1_Y_final[i] = av_clip_uint16(predicted);
        }

        av_dlog(NULL, " Decoded floor(%d) = %u / val %u\n",
--- a/libavcodec/vp5.c
+++ b/libavcodec/vp5.c
@@ -55,6 +55,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
        }
        rows = vp56_rac_gets(c, 8);  /* number of stored macroblock rows */
        cols = vp56_rac_gets(c, 8);  /* number of stored macroblock cols */
+        if (!rows || !cols) {
+            av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n",
+                   cols << 4, rows << 4);
+            return 0;
+        }
        vp56_rac_gets(c, 8);  /* number of displayed macroblock rows */
        vp56_rac_gets(c, 8);  /* number of displayed macroblock cols */
        vp56_rac_gets(c, 2);
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -75,6 +75,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
        cols = buf[3];  /* number of stored macroblock cols */
        /* buf[4] is number of displayed macroblock rows */
        /* buf[5] is number of displayed macroblock cols */
+        if (!rows || !cols) {
+            av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4);
+            return 0;
+        }

        if (!s->macroblocks || /* first frame */
            16*cols != s->avctx->coded_width ||
@@ -95,7 +99,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
            vrt_shift = 5;
        s->sub_version = sub_version;
    } else {
-        if (!s->sub_version)
+        if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height)
            return 0;

        if (separated_coeff || !s->filter_header) {
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -159,6 +159,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
        return -1;
    }

+    if (s->width  & (s->vector_width  - 1) ||
+        s->height & (s->vector_height - 1)) {
+        av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    /* allocate codebooks */
    s->codebook_size = MAX_CODEBOOK_SIZE;
    s->codebook = av_malloc(s->codebook_size);
--- a/libavcodec/wma.c
+++ b/libavcodec/wma.c
@@ -85,7 +85,7 @@ int av_cold ff_wma_get_frame_len_bits(int sample_rate, int version,
    } else if (sample_rate <= 22050 ||
             (sample_rate <= 32000 && version == 1)) {
        frame_len_bits = 10;
-    } else if (sample_rate <= 48000) {
+    } else if (sample_rate <= 48000 || version < 3) {
        frame_len_bits = 11;
    } else if (sample_rate <= 96000) {
        frame_len_bits = 12;
--- a/libavcodec/wmadec.c
+++ b/libavcodec/wmadec.c
@@ -364,7 +364,7 @@ static int decode_exp_vlc(WMACodecContext *s, int ch)
        }
        /* NOTE: this offset is the same as MPEG4 AAC ! */
        last_exp += code - 60;
-        if ((unsigned)last_exp + 60 > FF_ARRAY_ELEMS(pow_tab)) {
+        if ((unsigned)last_exp + 60 >= FF_ARRAY_ELEMS(pow_tab)) {
            av_log(s->avctx, AV_LOG_ERROR, "Exponent out of range: %d\n",
                   last_exp);
            return -1;
@@ -882,6 +882,8 @@ static int wma_decode_superframe(AVCodecContext *avctx,

        /* read each frame starting from bit_offset */
        pos = bit_offset + 4 + 4 + s->byte_offset_bits + 3;
+        if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8)
+            return AVERROR_INVALIDDATA;
        init_get_bits(&s->gb, buf + (pos >> 3), (MAX_CODED_SUPERFRAME_SIZE - (pos >> 3))*8);
        len = pos & 7;
        if (len > 0)
--- a/libavcodec/wmaenc.c
+++ b/libavcodec/wmaenc.c
@@ -39,6 +39,12 @@ static int encode_init(AVCodecContext * avctx){
        return AVERROR(EINVAL);
    }

+    if (avctx->sample_rate > 48000) {
+        av_log(avctx, AV_LOG_ERROR, "sample rate is too high: %d > 48kHz",
+               avctx->sample_rate);
+        return AVERROR(EINVAL);
+    }
+
    if(avctx->bit_rate < 24*1000) {
        av_log(avctx, AV_LOG_ERROR, "bitrate too low: got %i, need 24000 or higher\n",
               avctx->bit_rate);
@@ -64,6 +70,8 @@ static int encode_init(AVCodecContext * avctx){
    s->use_exp_vlc = flags2 & 0x0001;
    s->use_bit_reservoir = flags2 & 0x0002;
    s->use_variable_block_len = flags2 & 0x0004;
+    if (avctx->channels == 2)
+        s->ms_stereo = 1;

    ff_wma_init(avctx, flags2);

@@ -71,8 +79,12 @@ static int encode_init(AVCodecContext * avctx){
    for(i = 0; i < s->nb_block_sizes; i++)
        ff_mdct_init(&s->mdct_ctx[i], s->frame_len_bits - i + 1, 0, 1.0);

-    avctx->block_align=
-    s->block_align= avctx->bit_rate*(int64_t)s->frame_len / (avctx->sample_rate*8);
+    s->block_align     = avctx->bit_rate * (int64_t)s->frame_len /
+                         (avctx->sample_rate * 8);
+    s->block_align     = FFMIN(s->block_align, MAX_CODED_SUPERFRAME_SIZE);
+    avctx->block_align = s->block_align;
+    avctx->bit_rate    = avctx->block_align * 8LL * avctx->sample_rate /
+                         s->frame_len;
 //av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", s->block_align, avctx->bit_rate, s->frame_len, avctx->sample_rate);
    avctx->frame_size= s->frame_len;

@@ -181,7 +193,7 @@ static int encode_block(WMACodecContext *s, float (*src_coefs)[BLOCK_MAX_SIZE],
    }

    if (s->nb_channels == 2) {
-        put_bits(&s->pb, 1, s->ms_stereo= 1);
+        put_bits(&s->pb, 1, !!s->ms_stereo);
    }

    for(ch = 0; ch < s->nb_channels; ch++) {
@@ -355,6 +367,11 @@ static int encode_superframe(AVCodecContext *avctx,
        }
    }

+    if (buf_size < 2 * MAX_CODED_SUPERFRAME_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "output buffer size is too small\n");
+        return AVERROR(EINVAL);
+    }
+
 #if 1
    total_gain= 128;
    for(i=64; i; i>>=1){
--- a/libavcodec/wnv1.c
+++ b/libavcodec/wnv1.c
@@ -70,6 +70,11 @@ static int decode_frame(AVCodecContext *avctx,
    int prev_y = 0, prev_u = 0, prev_v = 0;
    uint8_t *rbuf;

+    if(buf_size<=8) {
+        av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size);
+        return AVERROR_INVALIDDATA;
+    }
+
    rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE);
    if(!rbuf){
        av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");
--- a/libavcodec/x86/dsputil_yasm.asm
+++ b/libavcodec/x86/dsputil_yasm.asm
@@ -474,7 +474,7 @@ cglobal scalarproduct_float_sse, 3,3,2, v1, v2, offset
    shufps  xmm0, xmm0, 1
    addss   xmm0, xmm1
 %ifndef ARCH_X86_64
-    movd    r0m,  xmm0
+    movss   r0m,  xmm0
    fld     dword r0m
 %endif
    RET
--- a/libavcodec/x86/dsputilenc_mmx.c
+++ b/libavcodec/x86/dsputilenc_mmx.c
@@ -823,6 +823,7 @@ static int vsad16_mmx2(void *v, uint8_t * pix1, uint8_t * pix2, int line_size, i

 static void diff_bytes_mmx(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
    x86_reg i=0;
+    if(w>=16)
    __asm__ volatile(
        "1:                             \n\t"
        "movq  (%2, %0), %%mm0          \n\t"
--- a/libavcodec/x86/h264_deblock_10bit.asm
+++ b/libavcodec/x86/h264_deblock_10bit.asm
@@ -876,7 +876,7 @@ cglobal deblock_v_chroma_10_%1, 5,7-(mmsize/16),8*(mmsize/16)
 %if mmsize < 16
    add         r0, mmsize
    add         r5, mmsize
-    add         r4, mmsize/8
+    add         r4, mmsize/4
    dec         r6
    jg .loop
    REP_RET
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -511,6 +511,10 @@ static int xan_decode_frame(AVCodecContext *avctx,
            int i;
            tag  = bytestream_get_le32(&buf);
            size = bytestream_get_be32(&buf);
+            if(size < 0) {
+                av_log(avctx, AV_LOG_ERROR, "Invalid tag size %d\n", size);
+                return AVERROR_INVALIDDATA;
+            }
            size = FFMIN(size, buf_end - buf);
            switch (tag) {
            case PALT_TAG:
@@ -555,8 +559,10 @@ static int xan_decode_frame(AVCodecContext *avctx,
        }
        buf_size = buf_end - buf;
    }
-    if (s->palettes_count <= 0)
+    if (s->palettes_count <= 0) {
+        av_log(s->avctx, AV_LOG_ERROR, "No palette found\n");
        return AVERROR_INVALIDDATA;
+    }

    if ((ret = avctx->get_buffer(avctx, &s->current_frame))) {
        av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n");
--- a/libavcodec/yop.c
+++ b/libavcodec/yop.c
@@ -90,6 +90,11 @@ static av_cold int yop_decode_init(AVCodecContext *avctx)
        return -1;
    }

+    if (!avctx->extradata) {
+        av_log(avctx, AV_LOG_ERROR, "extradata missing\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    avctx->pix_fmt = PIX_FMT_PAL8;

    avcodec_get_frame_defaults(&s->frame);
@@ -200,6 +205,11 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    if (s->frame.data[0])
        avctx->release_buffer(avctx, &s->frame);

+    if (avpkt->size < 4 + 3*s->num_pal_colors) {
+        av_log(avctx, AV_LOG_ERROR, "packet of size %d too small\n", avpkt->size);
+        return AVERROR_INVALIDDATA;
+    }
+
    ret = avctx->get_buffer(avctx, &s->frame);
    if (ret < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
@@ -215,6 +225,10 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
    s->low_nibble = NULL;

    is_odd_frame = avpkt->data[0];
+    if(is_odd_frame>1){
+        av_log(avctx, AV_LOG_ERROR, "frame is too odd %d\n", is_odd_frame);
+        return AVERROR_INVALIDDATA;
+    }
    firstcolor   = s->first_color[is_odd_frame];
    palette      = (uint32_t *)s->frame.data[1];

--- a/libavfilter/vf_pad.c
+++ b/libavfilter/vf_pad.c
@@ -157,7 +157,7 @@ static int config_input(AVFilterLink *inlink)
    var_values[VAR_OUT_H] = var_values[VAR_OH] = NAN;
    var_values[VAR_A]     = (float) inlink->w / inlink->h;
    var_values[VAR_HSUB]  = 1<<pad->hsub;
-    var_values[VAR_VSUB]  = 2<<pad->vsub;
+    var_values[VAR_VSUB]  = 1<<pad->vsub;

    /* evaluate width and height */
    av_expr_parse_and_eval(&res, (expr = pad->w_expr),
--- a/libavfilter/vf_scale.c
+++ b/libavfilter/vf_scale.c
@@ -232,9 +232,11 @@ static int config_props(AVFilterLink *outlink)
    if (!scale->sws || !scale->isws[0] || !scale->isws[1])
        return AVERROR(EINVAL);

-    if (inlink->sample_aspect_ratio.num){
-        outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h * inlink->w, outlink->w * inlink->h}, inlink->sample_aspect_ratio);
-    } else
+    if (inlink->sample_aspect_ratio.num)
+        outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h*inlink->w,
+                                                             outlink->w*inlink->h},
+                                                inlink->sample_aspect_ratio);
+    else
        outlink->sample_aspect_ratio = inlink->sample_aspect_ratio;

    return 0;
--- a/libavfilter/vf_yadif.c
+++ b/libavfilter/vf_yadif.c
@@ -36,8 +36,8 @@ typedef struct {
    int mode;

    /**
-     *  0: bottom field first
-     *  1: top field first
+     *  0: top field first
+     *  1: bottom field first
     * -1: auto-detection
     */
    int parity;
@@ -195,9 +195,12 @@ static void return_frame(AVFilterContext *ctx, int is_second)
        tff = yadif->parity^1;
    }

-    if (is_second)
+    if (is_second) {
        yadif->out = avfilter_get_video_buffer(link, AV_PERM_WRITE | AV_PERM_PRESERVE |
                                               AV_PERM_REUSE, link->w, link->h);
+        avfilter_copy_buffer_ref_props(yadif->out, yadif->cur);
+        yadif->out->video->interlaced = 0;
+    }

    if (!yadif->csp)
        yadif->csp = &av_pix_fmt_descriptors[link->format];
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -176,7 +176,7 @@ static int fourxm_read_header(AVFormatContext *s,
                                              sizeof(AudioTrack),
                                              current_track + 1);
                if (!fourxm->tracks) {
-                    ret=  AVERROR(ENOMEM);
+                    ret = AVERROR(ENOMEM);
                    goto fail;
                }
                memset(&fourxm->tracks[fourxm->track_count], 0,
@@ -195,6 +195,11 @@ static int fourxm_read_header(AVFormatContext *s,
                ret= -1;
                goto fail;
            }
+            if(!fourxm->tracks[current_track].adpcm && fourxm->tracks[current_track].bits<8){
+                av_log(s, AV_LOG_ERROR, "bits unspecified for non ADPCM\n");
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
            i += 8 + size;

            /* allocate a new AVStream */
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -274,6 +274,9 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap)
            return AVERROR(ENOMEM);
        for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++)
            ape->seektable[i] = avio_rl32(pb);
+    }else{
+        av_log(s, AV_LOG_ERROR, "Missing seektable\n");
+        return -1;
    }

    ape->frames[0].pos     = ape->firstframe;
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -196,6 +196,8 @@ static int asf_read_file_properties(AVFormatContext *s, int64_t size)
    asf->hdr.flags              = avio_rl32(pb);
    asf->hdr.min_pktsize        = avio_rl32(pb);
    asf->hdr.max_pktsize        = avio_rl32(pb);
+    if (asf->hdr.min_pktsize >= (1U<<29))
+        return AVERROR_INVALIDDATA;
    asf->hdr.max_bitrate        = avio_rl32(pb);
    s->packet_size = asf->hdr.max_pktsize;

@@ -610,7 +612,9 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap)
        if (gsize < 24)
            return -1;
        if (!ff_guidcmp(&g, &ff_asf_file_header)) {
-            asf_read_file_properties(s, gsize);
+            int ret = asf_read_file_properties(s, gsize);
+            if (ret < 0)
+                return ret;
        } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
            asf_read_stream_properties(s, gsize);
        } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
@@ -751,7 +755,7 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb)
        c= avio_r8(pb);
        d= avio_r8(pb);
        rsize+=3;
-    }else{
+    } else if (!pb->eof_reached) {
        avio_seek(pb, -1, SEEK_CUR); //FIXME
    }

@@ -783,6 +787,13 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb)
        asf->packet_segments = 1;
        asf->packet_segsizetype = 0x80;
    }
+    if (rsize > packet_length - padsize) {
+        asf->packet_size_left = 0;
+        av_log(s, AV_LOG_ERROR,
+               "invalid packet header length %d for pktlen %d-%d at %"PRId64"\n",
+               rsize, packet_length, padsize, avio_tell(pb));
+        return -1;
+    }
    asf->packet_size_left = packet_length - padsize - rsize;
    if (packet_length < asf->hdr.min_pktsize)
        padsize += asf->hdr.min_pktsize - packet_length;
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@@ -119,16 +119,23 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
    if (quant > 1)
        return -1; /* unsupported quantization */

+    if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency))
+        return AVERROR_INVALIDDATA;
+
    size = (sys->audio_min_samples[freq] + smpls) * 4; /* 2ch, 2bytes */
    half_ch = sys->difseg_size / 2;

    /* We work with 720p frames split in half, thus even frames have
     * channels 0,1 and odd 2,3. */
    ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0;
-    pcm  = ppcm[ipcm++];

    /* for each DIF channel */
    for (chan = 0; chan < sys->n_difchan; chan++) {
+        /* next stereo channel (50Mbps and 100Mbps only) */
+        pcm = ppcm[ipcm++];
+        if (!pcm)
+            break;
+
        /* for each DIF segment */
        for (i = 0; i < sys->difseg_size; i++) {
            frame += 6 * 80; /* skip DIF segment header */
@@ -176,11 +183,6 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
                frame += 16 * 80; /* 15 Video DIFs + 1 Audio DIF */
            }
        }
-
-        /* next stereo channel (50Mbps and 100Mbps only) */
-        pcm = ppcm[ipcm++];
-        if (!pcm)
-            break;
    }

    return size;
@@ -202,6 +204,18 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame)
    stype = (as_pack[3] & 0x1f);      /* 0 - 2CH, 2 - 4CH, 3 - 8CH */
    quant =  as_pack[4] & 0x07;       /* 0 - 16bit linear, 1 - 12bit nonlinear */

+    if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency)) {
+        av_log(c->fctx, AV_LOG_ERROR,
+               "Unrecognized audio sample rate index (%d)\n", freq);
+        return 0;
+    }
+
+    if (stype > 3) {
+        av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype);
+        c->ach = 0;
+        return 0;
+    }
+
    /* note: ach counts PAIRS of channels (i.e. stereo channels) */
    ach = ((int[4]){  1,  0,  2,  4})[stype];
    if (ach == 1 && quant && freq == 2)
@@ -336,7 +350,8 @@ int dv_produce_packet(DVDemuxContext *c, AVPacket *pkt,
       c->audio_pkt[i].pts  = c->abytes * 30000*8 / c->ast[i]->codec->bit_rate;
       ppcm[i] = c->audio_buf[i];
    }
-    dv_extract_audio(buf, ppcm, c->sys);
+    if (c->ach)
+        dv_extract_audio(buf, ppcm, c->sys);

    /* We work with 720p frames split in half, thus even frames have
     * channels 0,1 and odd 2,3. */
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -470,12 +470,17 @@ static int ea_read_packet(AVFormatContext *s,

    while (!packet_read) {
        chunk_type = avio_rl32(pb);
-        chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8;
+        chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb);
+        if (chunk_size <= 8)
+            return AVERROR_INVALIDDATA;
+        chunk_size -= 8;

        switch (chunk_type) {
        /* audio data */
        case ISNh_TAG:
            /* header chunk also contains data; skip over the header portion*/
+            if (chunk_size < 32)
+                return AVERROR_INVALIDDATA;
            avio_skip(pb, 32);
            chunk_size -= 32;
        case ISNd_TAG:
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -173,8 +173,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream
        }
    }

-    if (timeslen == fileposlen) {
-         for(i = 0; i < timeslen; i++)
+    if (!ret && timeslen == fileposlen) {
+         for (i = 0; i < fileposlen; i++)
             av_add_index_entry(vstream, filepositions[i], times[i]*1000, 0, 0, AVINDEX_KEYFRAME);
    } else
        av_log(s, AV_LOG_WARNING, "Invalid keyframes object, skipping.\n");
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -224,8 +224,17 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t

    unsync = flags & 0x80;

-    if (isv34 && flags & 0x40) /* Extended header present, just skip over it */
-        avio_skip(s->pb, get_size(s->pb, 4));
+    if (isv34 && flags & 0x40) { /* Extended header present, just skip over it */
+        int extlen = get_size(s->pb, 4);
+        if (version == 4)
+            extlen -= 4;     // in v2.4 the length includes the length field we just read
+
+        if (extlen < 0) {
+            reason = "invalid extended header length";
+            goto error;
+        }
+        avio_skip(s->pb, extlen);
+    }

    while (len >= taghdrlen) {
        unsigned int tflags = 0;
--- a/libavformat/isom.c
+++ b/libavformat/isom.c
@@ -149,10 +149,13 @@ const AVCodecTag codec_movvideo_tags[] = {
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '1') }, /* MPEG2 HDV 720p30 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '2') }, /* MPEG2 HDV 1080i60 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '3') }, /* MPEG2 HDV 1080i50 */
+    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '4') }, /* MPEG2 HDV 720p24 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '5') }, /* MPEG2 HDV 720p25 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '6') }, /* MPEG2 HDV 1080p24 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '7') }, /* MPEG2 HDV 1080p25 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '8') }, /* MPEG2 HDV 1080p30 */
+    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '9') }, /* MPEG2 HDV 720p60 JVC */
+    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', 'a') }, /* MPEG2 HDV 720p50 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '5', 'n') }, /* MPEG2 IMX NTSC 525/60 50mb/s produced by FCP */
    { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '5', 'p') }, /* MPEG2 IMX PAL 625/50 50mb/s produced by FCP */
    { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '4', 'n') }, /* MPEG2 IMX NTSC 525/60 40mb/s produced by FCP */
@@ -183,6 +186,8 @@ const AVCodecTag codec_movvideo_tags[] = {
    { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'd') }, /* XDCAM EX 1080p24 VBR */
    { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'e') }, /* XDCAM EX 1080p25 VBR */
    { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'f') }, /* XDCAM EX 1080p30 VBR */
+    { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'h', 'd') }, /* XDCAM HD 540p */
+    { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'h', '2') }, /* XDCAM HD422 540p */
    { CODEC_ID_MPEG2VIDEO, MKTAG('A', 'V', 'm', 'p') }, /* AVID IMX PAL */

    { CODEC_ID_JPEG2000, MKTAG('m', 'j', 'p', '2') }, /* JPEG 2000 produced by FCP */
@@ -397,7 +402,7 @@ int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext
    len = ff_mp4_read_descr(fc, pb, &tag);
    if (tag == MP4DecSpecificDescrTag) {
        av_dlog(fc, "Specific MPEG4 header len=%d\n", len);
-        if((uint64_t)len > (1<<30))
+        if (!len || (uint64_t)len > (1<<30))
            return -1;
        av_free(st->codec->extradata);
        st->codec->extradata = av_mallocz(len + FF_INPUT_BUFFER_PADDING_SIZE);
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -664,16 +664,19 @@ static int ebml_read_float(AVIOContext *pb, int size, double *num)
 */
 static int ebml_read_ascii(AVIOContext *pb, int size, char **str)
 {
-    av_free(*str);
+    char *res;
+
    /* EBML strings are usually not 0-terminated, so we allocate one
     * byte more, read the string and NULL-terminate it ourselves. */
-    if (!(*str = av_malloc(size + 1)))
+    if (!(res = av_malloc(size + 1)))
        return AVERROR(ENOMEM);
-    if (avio_read(pb, (uint8_t *) *str, size) != size) {
-        av_freep(str);
+    if (avio_read(pb, (uint8_t *) res, size) != size) {
+        av_free(res);
        return AVERROR(EIO);
    }
-    (*str)[size] = '\0';
+    (res)[size] = '\0';
+    av_free(*str);
+    *str = res;

    return 0;
 }
@@ -1427,7 +1430,7 @@ static int matroska_read_header(AVFormatContext *s, AVFormatParameters *ap)
        } else if (codec_id == CODEC_ID_AAC && !track->codec_priv.size) {
            int profile = matroska_aac_profile(track->codec_id);
            int sri = matroska_aac_sri(track->audio.samplerate);
-            extradata = av_malloc(5);
+            extradata = av_mallocz(5 + FF_INPUT_BUFFER_PADDING_SIZE);
            if (extradata == NULL)
                return AVERROR(ENOMEM);
            extradata[0] = (profile << 3) | ((sri&0x0E) >> 1);
@@ -1836,15 +1839,31 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                if (!track->audio.pkt_cnt) {
                    if (track->audio.sub_packet_cnt == 0)
                        track->audio.buf_timecode = timecode;
-                    if (st->codec->codec_id == CODEC_ID_RA_288)
+                    if (st->codec->codec_id == CODEC_ID_RA_288) {
+                        if (size < cfs * h / 2) {
+                            av_log(matroska->ctx, AV_LOG_ERROR,
+                                   "Corrupt int4 RM-style audio packet size\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                        for (x=0; x<h/2; x++)
                            memcpy(track->audio.buf+x*2*w+y*cfs,
                                   data+x*cfs, cfs);
-                    else if (st->codec->codec_id == CODEC_ID_SIPR)
+                    } else if (st->codec->codec_id == CODEC_ID_SIPR) {
+                        if (size < w) {
+                            av_log(matroska->ctx, AV_LOG_ERROR,
+                                   "Corrupt sipr RM-style audio packet size\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                        memcpy(track->audio.buf + y*w, data, w);
-                    else
+                    } else {
+                        if (size < sps * w / sps) {
+                            av_log(matroska->ctx, AV_LOG_ERROR,
+                                   "Corrupt generic RM-style audio packet size\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                        for (x=0; x<w/sps; x++)
                            memcpy(track->audio.buf+sps*(h*x+((h+1)/2)*(y&1)+(y>>1)), data+x*sps, sps);
+                    }

                    if (++track->audio.sub_packet_cnt >= h) {
                        if (st->codec->codec_id == CODEC_ID_SIPR)
--- a/libavformat/mpeg.c
+++ b/libavformat/mpeg.c
@@ -423,7 +423,7 @@ static int mpegps_read_packet(AVFormatContext *s,
 {
    MpegDemuxContext *m = s->priv_data;
    AVStream *st;
-    int len, startcode, i, es_type;
+    int len, startcode, i, es_type, ret;
    int request_probe= 0;
    enum CodecID codec_id = CODEC_ID_NONE;
    enum AVMediaType type;
@@ -568,8 +568,7 @@ static int mpegps_read_packet(AVFormatContext *s,
        else if (st->codec->bits_per_coded_sample == 28)
            return AVERROR(EINVAL);
    }
-    av_new_packet(pkt, len);
-    avio_read(s->pb, pkt->data, pkt->size);
+    ret = av_get_packet(s->pb, pkt, len);
    pkt->pts = pts;
    pkt->dts = dts;
    pkt->pos = dummy_pos;
@@ -578,7 +577,7 @@ static int mpegps_read_packet(AVFormatContext *s,
            pkt->stream_index, pkt->pts / 90000.0, pkt->dts / 90000.0,
            pkt->size);

-    return 0;
+    return (ret < 0) ? ret : 0;
 }

 static int64_t mpegps_read_dts(AVFormatContext *s, int stream_index,
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -308,7 +308,9 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
        char *token, *value;
        char quote;

-        p = strings = av_mallocz(strings_size + 1);
+        p = strings = av_mallocz((size_t)strings_size + 1);
+        if (!p)
+            return AVERROR(ENOMEM);
        endp = strings + strings_size;
        avio_read(pb, strings, strings_size);
        while (p < endp) {
@@ -343,6 +345,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
        if((unsigned)table_entries_used >= UINT_MAX / sizeof(uint32_t))
            return -1;
        nsv->nsvs_file_offset = av_malloc((unsigned)table_entries_used * sizeof(uint32_t));
+        if (!nsv->nsvs_file_offset)
+            return AVERROR(ENOMEM);

        for(i=0;i<table_entries_used;i++)
            nsv->nsvs_file_offset[i] = avio_rl32(pb) + size;
@@ -350,6 +354,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
        if(table_entries > table_entries_used &&
           avio_rl32(pb) == MKTAG('T','O','C','2')) {
            nsv->nsvs_timestamps = av_malloc((unsigned)table_entries_used*sizeof(uint32_t));
+            if (!nsv->nsvs_timestamps)
+                return AVERROR(ENOMEM);
            for(i=0;i<table_entries_used;i++) {
                nsv->nsvs_timestamps[i] = avio_rl32(pb);
            }
@@ -518,11 +524,16 @@ static int nsv_read_header(AVFormatContext *s, AVFormatParameters *ap)
    for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) {
        if (nsv_resync(s) < 0)
            return -1;
-        if (nsv->state == NSV_FOUND_NSVF)
+        if (nsv->state == NSV_FOUND_NSVF) {
            err = nsv_parse_NSVf_header(s, ap);
+            if (err < 0)
+                return err;
+        }
            /* we need the first NSVs also... */
        if (nsv->state == NSV_FOUND_NSVS) {
            err = nsv_parse_NSVs_header(s, ap);
+            if (err < 0)
+                return err;
            break; /* we just want the first one */
        }
    }
@@ -597,12 +608,12 @@ null_chunk_retry:
    }

    /* map back streams to v,a */
-    if (s->streams[0])
+    if (s->nb_streams > 0)
        st[s->streams[0]->id] = s->streams[0];
-    if (s->streams[1])
+    if (s->nb_streams > 1)
        st[s->streams[1]->id] = s->streams[1];

-    if (vsize/* && st[NSV_ST_VIDEO]*/) {
+    if (vsize && st[NSV_ST_VIDEO]) {
        nst = st[NSV_ST_VIDEO]->priv_data;
        pkt = &nsv->ahead[NSV_ST_VIDEO];
        av_get_packet(pb, pkt, vsize);
@@ -615,7 +626,7 @@ null_chunk_retry:
    if(st[NSV_ST_VIDEO])
        ((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;

-    if (asize/*st[NSV_ST_AUDIO]*/) {
+    if (asize && st[NSV_ST_AUDIO]) {
        nst = st[NSV_ST_AUDIO]->priv_data;
        pkt = &nsv->ahead[NSV_ST_AUDIO];
        /* read raw audio specific header on the first audio chunk... */
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -378,8 +378,19 @@ static int rm_read_index(AVFormatContext *s)
                st = s->streams[n];
                break;
            }
-        if (n == s->nb_streams)
+        if (n == s->nb_streams) {
+            av_log(s, AV_LOG_ERROR,
+                   "Invalid stream index %d for index at pos %"PRId64"\n",
+                   str_id, avio_tell(pb));
            goto skip;
+        } else if ((avio_size(pb) - avio_tell(pb)) / 14 < n_pkts) {
+            av_log(s, AV_LOG_ERROR,
+                   "Nr. of packets in packet index for stream index %d "
+                   "exceeds filesize (%"PRId64" at %"PRId64" = %d)\n",
+                   str_id, avio_size(pb), avio_tell(pb),
+                   (avio_size(pb) - avio_tell(pb)) / 14);
+            goto skip;
+        }

        for (n = 0; n < n_pkts; n++) {
            avio_skip(pb, 2);
@@ -391,9 +402,12 @@ static int rm_read_index(AVFormatContext *s)
        }

 skip:
-        if (next_off && avio_tell(pb) != next_off &&
-            avio_seek(pb, next_off, SEEK_SET) < 0)
+        if (next_off && avio_tell(pb) < next_off &&
+            avio_seek(pb, next_off, SEEK_SET) < 0) {
+            av_log(s, AV_LOG_ERROR,
+                   "Non-linear index detected, not supported\n");
            return -1;
+        }
    } while (next_off);

    return 0;
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -233,14 +233,16 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,

                int cur_len = start_off + len_off - off;
                int prev_len = out_len;
-                void *newbuf;
+                void *newmem;
+
                out_len += cur_len;
-                if(FFMIN(cur_len, len - off)<0)
+
+                if (FFMIN(cur_len, len - off) < 0)
                    return -1;
-                newbuf = av_realloc(asf->buf, out_len);
-                if(!newbuf)
+                newmem = av_realloc(asf->buf, out_len);
+                if (!newmem)
                    return -1;
-                asf->buf= newbuf;
+                asf->buf = newmem;
                memcpy(asf->buf + prev_len, buf + off,
                       FFMIN(cur_len, len - off));
                avio_skip(pb, cur_len);
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -261,8 +261,15 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
                    sz += (t & 0x7F) + 1;
                    pal += ((t & 0x7F) + 1) * 3;
                } else if(t & 0x40){ /* copy with offset */
-                    off = avio_r8(s->pb) * 3;
+                    off = avio_r8(s->pb);
                    j = (t & 0x3F) + 1;
+                    if (off + j > 0xff) {
+                        av_log(s, AV_LOG_ERROR,
+                               "Invalid palette update, offset=%d length=%d extends beyond palette size\n",
+                               off, j);
+                        return AVERROR_INVALIDDATA;
+                    }
+                    off *= 3;
                    while(j-- && sz < 256) {
                        *pal++ = oldpal[off + 0];
                        *pal++ = oldpal[off + 1];
--- a/libavformat/sol.c
+++ b/libavformat/sol.c
@@ -132,6 +132,8 @@ static int sol_read_packet(AVFormatContext *s,
    if (url_feof(s->pb))
        return AVERROR(EIO);
    ret= av_get_packet(s->pb, pkt, MAX_SIZE);
+    if (ret < 0)
+        return ret;
    pkt->stream_index = 0;

    /* note: we need to modify the packet size here to handle the last
--- a/libavformat/swfdec.c
+++ b/libavformat/swfdec.c
@@ -84,7 +84,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
    SWFContext *swf = s->priv_data;
    AVIOContext *pb = s->pb;
    AVStream *vst = NULL, *ast = NULL, *st = 0;
-    int tag, len, i, frame, v;
+    int tag, len, i, frame, v, res;

    for(;;) {
        uint64_t pos = avio_tell(pb);
@@ -147,7 +147,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
                st = s->streams[i];
                if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO && st->id == ch_id) {
                    frame = avio_rl16(pb);
-                    av_get_packet(pb, pkt, len-2);
+                    if ((res = av_get_packet(pb, pkt, len-2)) < 0)
+                        return res;
                    pkt->pos = pos;
                    pkt->pts = frame;
                    pkt->stream_index = st->index;
@@ -160,9 +161,11 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
                if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO && st->id == -1) {
            if (st->codec->codec_id == CODEC_ID_MP3) {
                avio_skip(pb, 4);
-                av_get_packet(pb, pkt, len-4);
+                if ((res = av_get_packet(pb, pkt, len-4)) < 0)
+                    return res;
            } else { // ADPCM, PCM
-                av_get_packet(pb, pkt, len);
+                if ((res = av_get_packet(pb, pkt, len)) < 0)
+                    return res;
            }
            pkt->pos = pos;
            pkt->stream_index = st->index;
@@ -186,7 +189,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
                st = vst;
            }
            avio_rl16(pb); /* BITMAP_ID */
-            av_new_packet(pkt, len-2);
+            if ((res = av_new_packet(pkt, len-2)) < 0)
+                return res;
            avio_read(pb, pkt->data, 4);
            if (AV_RB32(pkt->data) == 0xffd8ffd9 ||
                AV_RB32(pkt->data) == 0xffd9ffd8) {
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .7.11
 .7.13