MAINTAINERS: Remove myself as leader

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit f2c58931e6) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Update for 0.7.17
2015-07-31 18:35:41 +02:00 · 2015-03-12 00:54:14 +01:00 · 2015-03-12 00:47:06 +01:00 · 2015-03-12 00:47:06 +01:00 · 2015-03-12 00:47:06 +01:00 · 2015-03-12 00:47:06 +01:00
339 changed files with 4903 additions and 2564 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,10 @@
 *-example
 *-test
 *_g
+*.def
+*.dll
+*.lib
+*.exp
 config.*
 doc/*.1
 doc/*.html
--- a/720
+++ b/720
@@ -1,720 +0,0 @@
-Entries are sorted chronologically from oldest to youngest within each release,
-releases are sorted from youngest to oldest.
-
-
-version 0.7.1:
-
- added various additional FOURCC codec identifiers
- H.264 4:4:4 fixes
- build system and compilation fixes
- Doxygen and general documentation corrections and improvements
- fixed segfault in ffprobe
- behavioral fix in av_open_input_stream()
- Licensing clarification for LGPL'ed vf_gradfun
- bugfixes while seeking in multithreaded decoding
- support newer versions of OpenCV
- ffmpeg: fix operation with --disable-avfilter
- fixed integer underflow in matroska decoder
-
-version 0.7:
-
- many many things we forgot because we rather write code than changelogs
- libmpcodecs video filter support (3 times as many filters than before)
- mpeg2 aspect ratio dection fixed
- libxvid aspect pickiness fixed
- Frame multithreaded decoding
- E-AC-3 audio encoder
- ac3enc: add channel coupling support
- floating-point sample format support for (E-)AC-3, DCA, AAC, Vorbis decoders
- H.264/MPEG frame-level multithreading
- av_metadata_* functions renamed to av_dict_* and moved to libavutil
- 4:4:4 H.264 decoding support
- 10-bit H.264 optimizations for x86
- lut, lutrgb, and lutyuv filters added
- buffersink libavfilter sink added
- bump libswscale for recently reported ABI break
-
-
-version 0.7_beta2:
-
- VP8 frame-level multithreading
- NEON optimizations for VP8
- removed a lot of deprecated API cruft
- FFT and IMDCT optimizations for AVX (Sandy Bridge) processors
- showinfo filter added
- DPX image encoder
- SMPTE 302M AES3 audio decoder
- Apple Core Audio Format muxer
- 9bit and 10bit per sample support in the H.264 decoder
- 9bit and 10bit FFV1 encoding / decoding
- split filter added
- select filter added
- sdl output device added
-
-
-version 0.7_beta1:
-
- WebM support in Matroska de/muxer
- low overhead Ogg muxing
- MMS-TCP support
- VP8 de/encoding via libvpx
- Demuxer for On2's IVF format
- Pictor/PC Paint decoder
- HE-AAC v2 decoder
- libfaad2 wrapper removed
- DTS-ES extension (XCh) decoding support
- native VP8 decoder
- RTSP tunneling over HTTP
- RTP depacketization of SVQ3
- -strict inofficial replaced by -strict unofficial
- ffplay -exitonkeydown and -exitonmousedown options added
- native GSM / GSM MS decoder
- RTP depacketization of QDM2
- ANSI/ASCII art playback system
- Lego Mindstorms RSO de/muxer
- libavcore added
- SubRip subtitle file muxer and demuxer
- Chinese AVS encoding via libxavs
- ffprobe -show_packets option added
- RTP packetization of Theora and Vorbis
- RTP depacketization of MP4A-LATM
- RTP packetization and depacketization of VP8
- hflip filter
- Apple HTTP Live Streaming demuxer
- a64 codec
- MMS-HTTP support
- G.722 ADPCM audio encoder/decoder
- R10k video decoder
- ocv_smooth filter
- frei0r wrapper filter
- change crop filter syntax to width:height:x:y
- make the crop filter accept parametric expressions
- make ffprobe accept AVFormatContext options
- yadif filter
- blackframe filter
- Demuxer for Leitch/Harris' VR native stream format (LXF)
- RTP depacketization of the X-QT QuickTime format
- SAP (Session Announcement Protocol, RFC 2974) muxer and demuxer
- cropdetect filter
- ffmpeg -crop* options removed
- transpose filter added
- ffmpeg -force_key_frames option added
- demuxer for receiving raw rtp:// URLs without an SDP description
- single stream LATM/LOAS decoder
- setpts filter added
- Win64 support for optimized x86 assembly functions
- MJPEG/AVI1 to JPEG/JFIF bitstream filter
- ASS subtitle encoder and decoder
- IEC 61937 encapsulation for E-AC-3, TrueHD, DTS-HD (for HDMI passthrough)
- overlay filter added
- rename aspect filter to setdar, and pixelaspect to setsar
- IEC 61937 demuxer
- Mobotix .mxg demuxer
- frei0r source added
- hqdn3d filter added
- RTP depacketization of QCELP
- FLAC parser added
- gradfun filter added
- AMR-WB decoder
- replace the ocv_smooth filter with a more generic ocv filter
- Windows Televison (WTV) demuxer
- FFmpeg metadata format muxer and demuxer
- SubRip (srt) subtitle encoder and decoder
- floating-point AC-3 encoder added
- Lagarith decoder
- ffmpeg -copytb option added
- IVF muxer added
- Wing Commander IV movies decoder added
- movie source added
- Bink version 'b' audio and video decoder
- Bitmap Brothers JV playback system
- Apple HTTP Live Streaming protocol handler
- sndio support for playback and record
- Linux framebuffer input device added
- Chronomaster DFA decoder
- DPX image encoder
- MicroDVD subtitle file muxer and demuxer
- Playstation Portable PMP format demuxer
- fieldorder video filter added
- AAC encoding via libvo-aacenc
- AMR-WB encoding via libvo-amrwbenc
- xWMA demuxer
- Mobotix MxPEG decoder
-
-
-version 0.6:
-
- PB-frame decoding for H.263
- deprecated vhook subsystem removed
- deprecated old scaler removed
- VQF demuxer
- Alpha channel scaler
- PCX encoder
- RTP packetization of H.263
- RTP packetization of AMR
- RTP depacketization of Vorbis
- CorePNG decoding support
- Cook multichannel decoding support
- introduced avlanguage helpers in libavformat
- 8088flex TMV demuxer and decoder
- per-stream language-tags extraction in asfdec
- V210 decoder and encoder
- remaining GPL parts in AC-3 decoder converted to LGPL
- QCP demuxer
- SoX native format muxer and demuxer
- AMR-NB decoding/encoding, AMR-WB decoding via OpenCORE libraries
- DPX image decoder
- Electronic Arts Madcow decoder
- DivX (XSUB) subtitle encoder
- nonfree libamr support for AMR-NB/WB decoding/encoding removed
- experimental AAC encoder
- RTP depacketization of ASF and RTSP from WMS servers
- RTMP support in libavformat
- noX handling for OPT_BOOL X options
- Wave64 demuxer
- IEC-61937 compatible Muxer
- TwinVQ decoder
- Bluray (PGS) subtitle decoder
- LPCM support in MPEG-TS (HDMV RID as found on Blu-ray disks)
- WMA Pro decoder
- Core Audio Format demuxer
- Atrac1 decoder
- MD STUDIO audio demuxer
- RF64 support in WAV demuxer
- MPEG-4 Audio Lossless Coding (ALS) decoder
- -formats option split into -formats, -codecs, -bsfs, and -protocols
- IV8 demuxer
- CDG demuxer and decoder
- R210 decoder
- Auravision Aura 1 and 2 decoders
- Deluxe Paint Animation playback system
- SIPR decoder
- Adobe Filmstrip muxer and demuxer
- RTP depacketization of H.263
- Bink demuxer and audio/video decoders
- enable symbol versioning by default for linkers that support it
- IFF PBM/ILBM bitmap decoder
- concat protocol
- Indeo 5 decoder
- RTP depacketization of AMR
- WMA Voice decoder
- ffprobe tool
- AMR-NB decoder
- RTSP muxer
- HE-AAC v1 decoder
- Kega Game Video (KGV1) decoder
- VorbisComment writing for FLAC, Ogg FLAC and Ogg Speex files
- RTP depacketization of Theora
- HTTP Digest authentication
- RTMP/RTMPT/RTMPS/RTMPE/RTMPTE protocol support via librtmp
- Psygnosis YOP demuxer and video decoder
- spectral extension support in the E-AC-3 decoder
- unsharp video filter
- RTP hinting in the mov/3gp/mp4 muxer
- Dirac in Ogg demuxing
- seek to keyframes in Ogg
- 4:2:2 and 4:4:4 Theora decoding
- 35% faster VP3/Theora decoding
- faster AAC decoding
- faster H.264 decoding
- RealAudio 1.0 (14.4K) encoder
-
-
-version 0.5:
-
- DV50 AKA DVCPRO50 encoder, decoder, muxer and demuxer
- TechSmith Camtasia (TSCC) video decoder
- IBM Ultimotion (ULTI) video decoder
- Sierra Online audio file demuxer and decoder
- Apple QuickDraw (qdrw) video decoder
- Creative ADPCM audio decoder (16 bits as well as 8 bits schemes)
- Electronic Arts Multimedia (WVE/UV2/etc.) file demuxer
- Miro VideoXL (VIXL) video decoder
- H.261 video encoder
- QPEG video decoder
- Nullsoft Video (NSV) file demuxer
- Shorten audio decoder
- LOCO video decoder
- Apple Lossless Audio Codec (ALAC) decoder
- Winnov WNV1 video decoder
- Autodesk Animator Studio Codec (AASC) decoder
- Indeo 2 video decoder
- Fraps FPS1 video decoder
- Snow video encoder/decoder
- Sonic audio encoder/decoder
- Vorbis audio decoder
- Macromedia ADPCM decoder
- Duck TrueMotion 2 video decoder
- support for decoding FLX and DTA extensions in FLIC files
- H.264 custom quantization matrices support
- ffserver fixed, it should now be usable again
- QDM2 audio decoder
- Real Cooker audio decoder
- TrueSpeech audio decoder
- WMA2 audio decoder fixed, now all files should play correctly
- RealAudio 14.4 and 28.8 decoders fixed
- JPEG-LS decoder
- build system improvements
- tabs and trailing whitespace removed from the codebase
- CamStudio video decoder
- AIFF/AIFF-C audio format, encoding and decoding
- ADTS AAC file reading and writing
- Creative VOC file reading and writing
- American Laser Games multimedia (*.mm) playback system
- Zip Motion Blocks Video decoder
- improved Theora/VP3 decoder
- True Audio (TTA) decoder
- AVS demuxer and video decoder
- JPEG-LS encoder
- Smacker demuxer and decoder
- NuppelVideo/MythTV demuxer and RTjpeg decoder
- KMVC decoder
- MPEG-2 intra VLC support
- MPEG-2 4:2:2 encoder
- Flash Screen Video decoder
- GXF demuxer
- Chinese AVS decoder
- GXF muxer
- MXF demuxer
- VC-1/WMV3/WMV9 video decoder
- MacIntel support
- AVISynth support
- VMware video decoder
- VP5 video decoder
- VP6 video decoder
- WavPack lossless audio decoder
- Targa (.TGA) picture decoder
- Vorbis audio encoder
- Delphine Software .cin demuxer/audio and video decoder
- Tiertex .seq demuxer/video decoder
- MTV demuxer
- TIFF picture encoder and decoder
- GIF picture decoder
- Intel Music Coder decoder
- Zip Motion Blocks Video encoder
- Musepack decoder
- Flash Screen Video encoder
- Theora encoding via libtheora
- BMP encoder
- WMA encoder
- GSM-MS encoder and decoder
- DCA decoder
- DXA demuxer and decoder
- DNxHD decoder
- Gamecube movie (.THP) playback system
- Blackfin optimizations
- Interplay C93 demuxer and video decoder
- Bethsoft VID demuxer and video decoder
- CRYO APC demuxer
- Atrac3 decoder
- V.Flash PTX decoder
- RoQ muxer, RoQ audio encoder
- Renderware TXD demuxer and decoder
- extern C declarations for C++ removed from headers
- sws_flags command line option
- codebook generator
- RoQ video encoder
- QTRLE encoder
- OS/2 support removed and restored again
- AC-3 decoder
- NUT muxer
- additional SPARC (VIS) optimizations
- Matroska muxer
- slice-based parallel H.264 decoding
- Monkey's Audio demuxer and decoder
- AMV audio and video decoder
- DNxHD encoder
- H.264 PAFF decoding
- Nellymoser ASAO decoder
- Beam Software SIFF demuxer and decoder
- libvorbis Vorbis decoding removed in favor of native decoder
- IntraX8 (J-Frame) subdecoder for WMV2 and VC-1
- Ogg (Theora, Vorbis and FLAC) muxer
- The "device" muxers and demuxers are now in a new libavdevice library
- PC Paintbrush PCX decoder
- Sun Rasterfile decoder
- TechnoTrend PVA demuxer
- Linux Media Labs MPEG-4 (LMLM4) demuxer
- AVM2 (Flash 9) SWF muxer
- QT variant of IMA ADPCM encoder
- VFW grabber
- iPod/iPhone compatible mp4 muxer
- Mimic decoder
- MSN TCP Webcam stream demuxer
- RL2 demuxer / decoder
- IFF demuxer
- 8SVX audio decoder
- non-recursive Makefiles
- BFI demuxer
- MAXIS EA XA (.xa) demuxer / decoder
- BFI video decoder
- OMA demuxer
- MLP/TrueHD decoder
- Electronic Arts CMV decoder
- Motion Pixels Video decoder
- Motion Pixels MVI demuxer
- removed animated GIF decoder/demuxer
- D-Cinema audio muxer
- Electronic Arts TGV decoder
- Apple Lossless Audio Codec (ALAC) encoder
- AAC decoder
- floating point PCM encoder/decoder
- MXF muxer
- DV100 AKA DVCPRO HD decoder and demuxer
- E-AC-3 support added to AC-3 decoder
- Nellymoser ASAO encoder
- ASS and SSA demuxer and muxer
- liba52 wrapper removed
- SVQ3 watermark decoding support
- Speex decoding via libspeex
- Electronic Arts TGQ decoder
- RV40 decoder
- QCELP / PureVoice decoder
- RV30 decoder
- hybrid WavPack support
- R3D REDCODE demuxer
- ALSA support for playback and record
- Electronic Arts TQI decoder
- OpenJPEG based JPEG 2000 decoder
- NC (NC4600) camera file demuxer
- Gopher client support
- MXF D-10 muxer
- generic metadata API
- flash ScreenVideo2 encoder
-
-
-version 0.4.9-pre1:
-
- DV encoder, DV muxer
- Microsoft RLE video decoder
- Microsoft Video-1 decoder
- Apple Animation (RLE) decoder
- Apple Graphics (SMC) decoder
- Apple Video (RPZA) decoder
- Cinepak decoder
- Sega FILM (CPK) file demuxer
- Westwood multimedia support (VQA & AUD files)
- Id Quake II CIN playback support
- 8BPS video decoder
- FLIC playback support
- RealVideo 2.0 (RV20) decoder
- Duck TrueMotion v1 (DUCK) video decoder
- Sierra VMD demuxer and video decoder
- MSZH and ZLIB decoder support
- SVQ1 video encoder
- AMR-WB support
- PPC optimizations
- rate distortion optimal cbp support
- rate distorted optimal ac prediction for MPEG-4
- rate distorted optimal lambda->qp support
- AAC encoding with libfaac
- Sunplus JPEG codec (SP5X) support
- use Lagrange multipler instead of QP for ratecontrol
- Theora/VP3 decoding support
- XA and ADX ADPCM codecs
- export MPEG-2 active display area / pan scan
- Add support for configuring with IBM XLC
- floating point AAN DCT
- initial support for zygo video (not complete)
- RGB ffv1 support
- new audio/video parser API
- av_log() system
- av_read_frame() and av_seek_frame() support
- missing last frame fixes
- seek by mouse in ffplay
- noise reduction of DCT coefficients
- H.263 OBMC & 4MV support
- H.263 alternative inter vlc support
- H.263 loop filter
- H.263 slice structured mode
- interlaced DCT support for MPEG-2 encoding
- stuffing to stay above min_bitrate
- MB type & QP visualization
- frame stepping for ffplay
- interlaced motion estimation
- alternate scantable support
- SVCD scan offset support
- closed GOP support
- SSE2 FDCT
- quantizer noise shaping
- G.726 ADPCM audio codec
- MS ADPCM encoding
- multithreaded/SMP motion estimation
- multithreaded/SMP encoding for MPEG-1/MPEG-2/MPEG-4/H.263
- multithreaded/SMP decoding for MPEG-2
- FLAC decoder
- Metrowerks CodeWarrior suppport
- H.263+ custom pcf support
- nicer output for 'ffmpeg -formats'
- Matroska demuxer
- SGI image format, encoding and decoding
- H.264 loop filter support
- H.264 CABAC support
- nicer looking arrows for the motion vector visualization
- improved VCD support
- audio timestamp drift compensation
- MPEG-2 YUV 422/444 support
- polyphase kaiser windowed sinc and blackman nuttall windowed sinc audio resample
- better image scaling
- H.261 support
- correctly interleave packets during encoding
- VIS optimized motion compensation
- intra_dc_precision>0 encoding support
- support reuse of motion vectors/MB types/field select values of the source video
- more accurate deblock filter
- padding support
- many optimizations and bugfixes
- FunCom ISS audio file demuxer and according ADPCM decoding
-
-
-version 0.4.8:
-
- MPEG-2 video encoding (Michael)
- Id RoQ playback subsystem (Mike Melanson and Tim Ferguson)
- Wing Commander III Movie (.mve) file playback subsystem (Mike Melanson
-  and Mario Brito)
- Xan DPCM audio decoder (Mario Brito)
- Interplay MVE playback subsystem (Mike Melanson)
- Duck DK3 and DK4 ADPCM audio decoders (Mike Melanson)
-
-
-version 0.4.7:
-
- RealAudio 1.0 (14_4) and 2.0 (28_8) native decoders. Author unknown, code from mplayerhq
-  (originally from public domain player for Amiga at http://www.honeypot.net/audio)
- current version now also compiles with older GCC (Fabrice)
- 4X multimedia playback system including 4xm file demuxer (Mike
-  Melanson), and 4X video and audio codecs (Michael)
- Creative YUV (CYUV) decoder (Mike Melanson)
- FFV1 codec (our very simple lossless intra only codec, compresses much better
-  than HuffYUV) (Michael)
- ASV1 (Asus), H.264, Intel indeo3 codecs have been added (various)
- tiny PNG encoder and decoder, tiny GIF decoder, PAM decoder (PPM with
-  alpha support), JPEG YUV colorspace support. (Fabrice Bellard)
- ffplay has been replaced with a newer version which uses SDL (optionally)
-  for multiplatform support (Fabrice)
- Sorenson Version 3 codec (SVQ3) support has been added (decoding only) - donated
-  by anonymous
- AMR format has been added (Johannes Carlsson)
- 3GP support has been added (Johannes Carlsson)
- VP3 codec has been added (Mike Melanson)
- more MPEG-1/2 fixes
- better multiplatform support, MS Visual Studio fixes (various)
- AltiVec optimizations (Magnus Damn and others)
- SH4 processor support has been added (BERO)
- new public interfaces (avcodec_get_pix_fmt) (Roman Shaposhnick)
- VOB streaming support (Brian Foley)
- better MP3 autodetection (Andriy Rysin)
- qpel encoding (Michael)
- 4mv+b frames encoding finally fixed (Michael)
- chroma ME (Michael)
- 5 comparison functions for ME (Michael)
- B-frame encoding speedup (Michael)
- WMV2 codec (unfinished - Michael)
- user specified diamond size for EPZS (Michael)
- Playstation STR playback subsystem, still experimental (Mike and Michael)
- ASV2 codec (Michael)
- CLJR decoder (Alex)
-
-.. And lots more new enhancements and fixes.
-
-
-version 0.4.6:
-
- completely new integer only MPEG audio layer 1/2/3 decoder rewritten
-  from scratch
- Recoded DCT and motion vector search with gcc (no longer depends on nasm)
- fix quantization bug in AC3 encoder
- added PCM codecs and format. Corrected WAV/AVI/ASF PCM issues
- added prototype ffplay program
- added GOB header parsing on H.263/H.263+ decoder (Juanjo)
- bug fix on MCBPC tables of H.263 (Juanjo)
- bug fix on DC coefficients of H.263 (Juanjo)
- added Advanced Prediction Mode on H.263/H.263+ decoder (Juanjo)
- now we can decode H.263 streams found in QuickTime files (Juanjo)
- now we can decode H.263 streams found in VIVO v1 files(Juanjo)
- preliminary RTP "friendly" mode for H.263/H.263+ coding. (Juanjo)
- added GOB header for H.263/H.263+ coding on RTP mode (Juanjo)
- now H.263 picture size is returned on the first decoded frame (Juanjo)
- added first regression tests
- added MPEG-2 TS demuxer
- new demux API for libav
- more accurate and faster IDCT (Michael)
- faster and entropy-controlled motion search (Michael)
- two pass video encoding (Michael)
- new video rate control (Michael)
- added MSMPEG4V1, MSMPEGV2 and WMV1 support (Michael)
- great performance improvement of video encoders and decoders (Michael)
- new and faster bit readers and vlc parsers (Michael)
- high quality encoding mode: tries all macroblock/VLC types (Michael)
- added DV video decoder
- preliminary RTP/RTSP support in ffserver and libavformat
- H.263+ AIC decoding/encoding support (Juanjo)
- VCD MPEG-PS mode (Juanjo)
- PSNR stuff (Juanjo)
- simple stats output (Juanjo)
- 16-bit and 15-bit RGB/BGR/GBR support (Bisqwit)
-
-
-version 0.4.5:
-
- some header fixes (Zdenek Kabelac <kabi at informatics.muni.cz>)
- many MMX optimizations (Nick Kurshev <nickols_k at mail.ru>)
- added configure system (actually a small shell script)
- added MPEG audio layer 1/2/3 decoding using LGPL'ed mpglib by
-  Michael Hipp (temporary solution - waiting for integer only
-  decoder)
- fixed VIDIOCSYNC interrupt
- added Intel H.263 decoding support ('I263' AVI fourCC)
- added Real Video 1.0 decoding (needs further testing)
- simplified image formats again. Added PGM format (=grey
-  pgm). Renamed old PGM to PGMYUV.
- fixed msmpeg4 slice issues (tell me if you still find problems)
- fixed OpenDivX bugs with newer versions (added VOL header decoding)
- added support for MPlayer interface
- added macroblock skip optimization
- added MJPEG decoder
- added mmx/mmxext IDCT from libmpeg2
- added pgmyuvpipe, ppm, and ppm_pipe formats (original patch by Celer
-  <celer at shell.scrypt.net>)
- added pixel format conversion layer (e.g. for MJPEG or PPM)
- added deinterlacing option
- MPEG-1/2 fixes
- MPEG-4 vol header fixes (Jonathan Marsden <snmjbm at pacbell.net>)
- ARM optimizations (Lionel Ulmer <lionel.ulmer at free.fr>).
- Windows porting of file converter
- added MJPEG raw format (input/ouput)
- added JPEG image format support (input/output)
-
-
-version 0.4.4:
-
- fixed some std header definitions (Bjorn Lindgren
-  <bjorn.e.lindgren at telia.com>).
- added MPEG demuxer (MPEG-1 and 2 compatible).
- added ASF demuxer
- added prototype RM demuxer
- added AC3 decoding (done with libac3 by Aaron Holtzman)
- added decoding codec parameter guessing (.e.g. for MPEG, because the
-  header does not include them)
- fixed header generation in MPEG-1, AVI and ASF muxer: wmplayer can now
-  play them (only tested video)
- fixed H.263 white bug
- fixed phase rounding in img resample filter
- add MMX code for polyphase img resample filter
- added CPU autodetection
- added generic title/author/copyright/comment string handling (ASF and RM
-  use them)
- added SWF demux to extract MP3 track (not usable yet because no MP3
-  decoder)
- added fractional frame rate support
- codecs are no longer searched by read_header() (should fix ffserver
-  segfault)
-
-
-version 0.4.3:
-
- BGR24 patch (initial patch by Jeroen Vreeken <pe1rxq at amsat.org>)
- fixed raw yuv output
- added motion rounding support in MPEG-4
- fixed motion bug rounding in MSMPEG4
- added B-frame handling in video core
- added full MPEG-1 decoding support
- added partial (frame only) MPEG-2 support
- changed the FOURCC code for H.263 to "U263" to be able to see the
-  +AVI/H.263 file with the UB Video H.263+ decoder. MPlayer works with
-  this +codec ;) (JuanJo).
- Halfpel motion estimation after MB type selection (JuanJo)
- added pgm and .Y.U.V output format
- suppressed 'img:' protocol. Simply use: /tmp/test%d.[pgm|Y] as input or
-  output.
- added pgmpipe I/O format (original patch from Martin Aumueller
-  <lists at reserv.at>, but changed completely since we use a format
-  instead of a protocol)
-
-
-version 0.4.2:
-
- added H.263/MPEG-4/MSMPEG4 decoding support. MPEG-4 decoding support
-  (for OpenDivX) is almost complete: 8x8 MVs and rounding are
-  missing. MSMPEG4 support is complete.
- added prototype MPEG-1 decoder. Only I- and P-frames handled yet (it
-  can decode ffmpeg MPEGs :-)).
- added libavcodec API documentation (see apiexample.c).
- fixed image polyphase bug (the bottom of some images could be
-  greenish)
- added support for non clipped motion vectors (decoding only)
-  and image sizes non-multiple of 16
- added support for AC prediction (decoding only)
- added file overwrite confirmation (can be disabled with -y)
- added custom size picture to H.263 using H.263+ (Juanjo)
-
-
-version 0.4.1:
-
- added MSMPEG4 (aka DivX) compatible encoder. Changed default codec
-  of AVI and ASF to DIV3.
- added -me option to set motion estimation method
-  (default=log). suppressed redundant -hq option.
- added options -acodec and -vcodec to force a given codec (useful for
-  AVI for example)
- fixed -an option
- improved dct_quantize speed
- factorized some motion estimation code
-
-
-version 0.4.0:
-
- removing grab code from ffserver and moved it to ffmpeg. Added
-  multistream support to ffmpeg.
- added timeshifting support for live feeds (option ?date=xxx in the
-  URL)
- added high quality image resize code with polyphase filter (need
-  mmx/see optimization). Enable multiple image size support in ffserver.
- added multi live feed support in ffserver
- suppressed master feature from ffserver (it should be done with an
-  external program which opens the .ffm url and writes it to another
-  ffserver)
- added preliminary support for video stream parsing (WAV and AVI half
-  done). Added proper support for audio/video file conversion in
-  ffmpeg.
- added preliminary support for video file sending from ffserver
- redesigning I/O subsystem: now using URL based input and output
-  (see avio.h)
- added WAV format support
- added "tty user interface" to ffmpeg to stop grabbing gracefully
- added MMX/SSE optimizations to SAD (Sums of Absolutes Differences)
-  (Juan J. Sierralta P. a.k.a. "Juanjo" <juanjo at atmlab.utfsm.cl>)
- added MMX DCT from mpeg2_movie 1.5 (Juanjo)
- added new motion estimation algorithms, log and phods (Juanjo)
- changed directories: libav for format handling, libavcodec for
-  codecs
-
-
-version 0.3.4:
-
- added stereo in MPEG audio encoder
-
-
-version 0.3.3:
-
- added 'high quality' mode which use motion vectors. It can be used in
-  real time at low resolution.
- fixed rounding problems which caused quality problems at high
-  bitrates and large GOP size
-
-
-version 0.3.2: small fixes
-
- ASF fixes
- put_seek bug fix
-
-
-version 0.3.1: added avi/divx support
-
- added AVI support
- added MPEG-4 codec compatible with OpenDivX. It is based on the H.263 codec
- added sound for flash format (not tested)
-
-
-version 0.3: initial public release
--- a/2
+++ b/2
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 0.7.4
+PROJECT_NUMBER         = 0.7.17

 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.
--- a/6
+++ b/6
@@ -41,6 +41,6 @@ is incompatible with the LGPL v2.1 and the GPL v2, but not with version 3 of
 those licenses. So to combine the OpenCORE libraries with FFmpeg, the license
 version needs to be upgraded by passing --enable-version3 to configure.

-The nonfree external library libfaac can be hooked up in FFmpeg. You need to
-pass --enable-nonfree to configure to enable it. Employ this option with care
-as FFmpeg then becomes nonfree and unredistributable.
+The nonfree external libraries libfaac and libaacplus can be hooked up in FFmpeg.
+You need to pass --enable-nonfree to configure to enable it. Employ this option
+with care as FFmpeg then becomes nonfree and unredistributable.
--- a/4
+++ b/4
@@ -8,7 +8,6 @@ FFmpeg code.
 Project Leader
 ==============

-Michael Niedermayer
  final design decisions


@@ -19,7 +18,7 @@ ffmpeg:
  ffmpeg.c                              Michael Niedermayer

 ffplay:
-  ffplay.c                              Michael Niedermayer
+  ffplay.c                              Marton Balint

 ffprobe:
  ffprobe.c                             Stefano Sabatini
@@ -373,6 +372,7 @@ Ben Littler                   3EE3 3723 E560 3214 A8CD 4DEB 2CDB FCE7 768C 8D2C
 Benoit Fouet                  B22A 4F4F 43EF 636B BB66 FCDC 0023 AE1E 2985 49C8
 Daniel Verkamp                78A6 07ED 782C 653E C628 B8B9 F0EB 8DD8 2F0E 21C7
 Diego Biurrun                 8227 1E31 B6D9 4994 7427 E220 9CAE D6CC 4757 FCC5
+Gwenole Beauchesne            2E63 B3A6 3E44 37E2 017D 2704 53C7 6266 B153 99C4
 Jaikrishnan Menon             61A1 F09F 01C9 2D45 78E1 C862 25DC 8831 AF70 D368
 Justin Ruggles                3136 ECC0 C10D 6C04 5F43 CA29 FCBE CD2A 3787 1EBF
 Loren Merritt                 ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE
--- a/7
+++ b/7
@@ -258,9 +258,12 @@ FATE_SEEK    = $(SEEK_TESTS:seek_%=fate-seek-%)
 FATE = $(FATE_ACODEC)                                                   \
       $(FATE_VCODEC)                                                   \
       $(FATE_LAVF)                                                     \
-       $(FATE_LAVFI)                                                    \
       $(FATE_SEEK)                                                     \

+FATE-$(CONFIG_AVFILTER) += $(FATE_LAVFI)
+
+FATE += $(FATE-yes)
+
 $(filter-out %-aref,$(FATE_ACODEC)): $(AREF)
 $(filter-out %-vref,$(FATE_VCODEC)): $(VREF)
 $(FATE_LAVF):   $(REFS)
@@ -282,7 +285,7 @@ fate-lavfi:  $(FATE_LAVFI)
 fate-seek:   $(FATE_SEEK)

 ifdef SAMPLES
-FATE += $(FATE_TESTS)
+FATE += $(FATE_TESTS) $(FATE_TESTS-yes)
 fate-rsync:
 	rsync -vaLW rsync://fate-suite.libav.org/fate-suite/ $(SAMPLES)
 else
--- a/2
+++ b/2
@@ -1 +1 @@
-0.7.4
+0.7.17
--- a/2
+++ b/2
@@ -1 +1 @@
-0.7.4
+0.7.17
--- a/cmdutils.c
+++ b/cmdutils.c
@@ -57,7 +57,7 @@ AVFormatContext *avformat_opts;
 struct SwsContext *sws_opts;
 AVDictionary *format_opts, *video_opts, *audio_opts, *sub_opts;

-static const int this_year = 2011;
+static const int this_year = 2015;

 void init_opts(void)
 {
--- a/31
+++ b/31
@@ -162,6 +162,7 @@ External library support:
  --enable-bzlib           enable bzlib [autodetect]
  --enable-libcelt         enable CELT/Opus decoding via libcelt [no]
  --enable-frei0r          enable frei0r video filtering
+  --enable-libaacplus      enable AAC+ encoding via libaacplus [no]
  --enable-libopencore-amrnb enable AMR-NB de/encoding via libopencore-amrnb [no]
  --enable-libopencore-amrwb enable AMR-WB decoding via libopencore-amrwb [no]
  --enable-libopencv       enable video filtering via libopencv [no]
@@ -177,7 +178,7 @@ External library support:
  --enable-libopenjpeg     enable JPEG 2000 decoding via OpenJPEG [no]
  --enable-librtmp         enable RTMP[E] support via librtmp [no]
  --enable-libschroedinger enable Dirac support via libschroedinger [no]
-  --enable-libspeex        enable Speex decoding via libspeex [no]
+  --enable-libspeex        enable Speex encoding and decoding via libspeex [no]
  --enable-libtheora       enable Theora encoding via libtheora [no]
  --enable-libvo-aacenc    enable AAC encoding via libvo-aacenc [no]
  --enable-libvo-amrwbenc  enable AMR-WB encoding via libvo-amrwbenc [no]
@@ -927,6 +928,8 @@ CONFIG_LIST="
    h264pred
    hardcoded_tables
    huffman
+    libaacplus
+    libcdio
    libcelt
    libdc1394
    libdirac
@@ -1054,6 +1057,7 @@ HAVE_LIST="
    dlfcn_h
    dlopen
    dos_paths
+    dxva_h
    ebp_available
    ebx_available
    exp2
@@ -1401,6 +1405,7 @@ vdpau_deps="vdpau_vdpau_h vdpau_vdpau_x11_h"
 h264_parser_select="golomb h264dsp h264pred"

 # external libraries
+libaacplus_encoder_deps="libaacplus"
 libcelt_decoder_deps="libcelt"
 libdirac_decoder_deps="libdirac !libschroedinger"
 libdirac_encoder_deps="libdirac"
@@ -1417,6 +1422,7 @@ libopenjpeg_decoder_deps="libopenjpeg"
 libschroedinger_decoder_deps="libschroedinger"
 libschroedinger_encoder_deps="libschroedinger"
 libspeex_decoder_deps="libspeex"
+libspeex_encoder_deps="libspeex"
 libtheora_encoder_deps="libtheora"
 libvo_aacenc_encoder_deps="libvo_aacenc"
 libvo_amrwbenc_encoder_deps="libvo_amrwbenc"
@@ -1531,7 +1537,7 @@ test_deps(){
        dep=${v%=*}
        tests=${v#*=}
        for name in ${tests}; do
-            eval ${name}_test_deps="'${dep}$suf1 ${dep}$suf2'"
+            append ${name}_test_deps ${dep}$suf1 ${dep}$suf2
        done
    done
 }
@@ -1541,6 +1547,9 @@ set_ne_test_deps(){
    eval ${1}_le_test_deps="!bigendian"
 }

+mxf_d10_test_deps="avfilter"
+seek_lavf_mxf_d10_test_deps="mxf_d10_test"
+
 test_deps _encoder _decoder                                             \
    adpcm_g726=g726                                                     \
    adpcm_ima_qt                                                        \
@@ -1603,7 +1612,7 @@ test_deps _muxer _demuxer                                               \
    mmf                                                                 \
    mov                                                                 \
    pcm_mulaw=mulaw                                                     \
-    mxf                                                                 \
+    mxf="mxf mxf_d10"                                                   \
    nut                                                                 \
    ogg                                                                 \
    rawvideo=pixfmt                                                     \
@@ -2195,7 +2204,7 @@ case "$arch" in
        arch="sparc"
        subarch="sparc64"
    ;;
-    i[3-6]86|i86pc|BePC|x86pc|x86_64|amd64)
+    i[3-6]86|i86pc|BePC|x86pc|x86_64|x86_32|amd64)
        arch="x86"
    ;;
 esac
@@ -2370,7 +2379,7 @@ check_host_cflags -std=c99
 check_host_cflags -Wall

 case "$arch" in
-    alpha|ia64|mips|parisc|sparc)
+    alpha|ia64|mips|parisc|ppc|sparc)
        spic=$shared
    ;;
    x86)
@@ -2583,6 +2592,7 @@ die_license_disabled gpl libxavs
 die_license_disabled gpl libxvid
 die_license_disabled gpl x11grab

+die_license_disabled nonfree libaacplus
 die_license_disabled nonfree libfaac

 die_license_disabled version3 libopencore_amrnb
@@ -2789,6 +2799,7 @@ if enabled asm; then
 fi

 check_ldflags -Wl,--as-needed
+check_ldflags -Wl,-z,noexecstack

 if check_func dlopen; then
    ldl=
@@ -2850,6 +2861,7 @@ check_func_headers windows.h MapViewOfFile
 check_func_headers windows.h VirtualAlloc

 check_header dlfcn.h
+check_header dxva.h
 check_header dxva2api.h
 check_header libcrystalhd/libcrystalhd_if.h
 check_header malloc.h
@@ -2915,6 +2927,7 @@ check_mathfunc truncf
 enabled avisynth   && require2 vfw32 "windows.h vfw.h" AVIFileInit -lavifil32
 enabled libcelt    && require libcelt celt/celt.h celt_decode -lcelt0
 enabled frei0r     && { check_header frei0r.h || die "ERROR: frei0r.h header not found"; }
+enabled libaacplus && require  "libaacplus >= 2.0.0" aacplus.h aacplusEncOpen -laacplus
 enabled libdc1394  && require_pkg_config libdc1394-2 dc1394/dc1394.h dc1394_new
 enabled libdirac   && require_pkg_config dirac                          \
    "libdirac_decoder/dirac_parser.h libdirac_encoder/dirac_encoder.h"  \
@@ -3072,6 +3085,10 @@ else
 fi
 check_cflags -fno-math-errno
 check_cflags -fno-signed-zeros
+check_cc -mno-red-zone <<EOF && noredzone_flags="-mno-red-zone"
+int x;
+EOF
+

 if enabled icc; then
    # Just warnings, no remarks
@@ -3150,7 +3167,7 @@ check_deps $CONFIG_LIST       \

 enabled asm || { arch=c; disable $ARCH_LIST $ARCH_EXT_LIST; }

-if test $target_os == "haiku"; then
+if test $target_os = "haiku"; then
    disable memalign
    disable posix_memalign
 fi
@@ -3222,6 +3239,7 @@ echo "frei0r enabled            ${frei0r-no}"
 echo "libdc1394 support         ${libdc1394-no}"
 echo "libdirac enabled          ${libdirac-no}"
 echo "libfaac enabled           ${libfaac-no}"
+echo "libaacplus enabled        ${libaacplus-no}"
 echo "libgsm enabled            ${libgsm-no}"
 echo "libmp3lame enabled        ${libmp3lame-no}"
 echo "libnut enabled            ${libnut-no}"
@@ -3382,6 +3400,7 @@ SLIB_EXTRA_CMD=${SLIB_EXTRA_CMD}
 SLIB_INSTALL_EXTRA_CMD=${SLIB_INSTALL_EXTRA_CMD}
 SLIB_UNINSTALL_EXTRA_CMD=${SLIB_UNINSTALL_EXTRA_CMD}
 SAMPLES:=${samples:-\$(FATE_SAMPLES)}
+NOREDZONE_FLAGS=$noredzone_flags
 EOF

 get_version(){
--- a/doc/APIchanges
+++ b/doc/APIchanges
@@ -13,6 +13,7 @@ libavutil:   2011-04-18

 API changes, most recent first:

+
 2011-06-19 - xxxxxxx - lavfi 2.23.0 - avfilter.h
  Add layout negotiation fields and helper functions.

@@ -43,6 +44,12 @@ API changes, most recent first:
 2011-06-12 - xxxxxxx - lavfi 2.16.0 - avfilter_graph_parse()
  Change avfilter_graph_parse() signature.

+2011-07-10 - xxxxxxx - lavf 53.3.0
+  Add avformat_find_stream_info(), deprecate av_find_stream_info().
+
+2011-07-10 - xxxxxxx - lavc 53.6.0
+  Add avcodec_open2(), deprecate avcodec_open().
+
 2011-06-xx - xxxxxxx - lavf 53.2.0 - avformat.h
  Add avformat_open_input and avformat_write_header().
  Deprecate av_open_input_stream, av_open_input_file,
@@ -59,16 +66,16 @@ API changes, most recent first:
 2011-06-10 - c381960 - lavfi 2.15.0 - avfilter_get_audio_buffer_ref_from_arrays
  Add avfilter_get_audio_buffer_ref_from_arrays() to avfilter.h.

-2011-06-09 - d9f80ea - lavu 51.8.0 - AVMetadata
+2011-06-09 - f9ecb84 / d9f80ea - lavu 51.8.0 - AVMetadata
  Move AVMetadata from lavf to lavu and rename it to
  AVDictionary -- new installed header dict.h.
  All av_metadata_* functions renamed to av_dict_*.

-2011-06-07 - a6703fa - lavu 51.8.0 - av_get_bytes_per_sample()
+2011-06-07 - d552f61 / a6703fa - lavu 51.8.0 - av_get_bytes_per_sample()
  Add av_get_bytes_per_sample() in libavutil/samplefmt.h.
  Deprecate av_get_bits_per_sample_fmt().

-2011-06-xx - b39b062 - lavu 51.8.0 - opt.h
+2011-06-xx - f956924 / b39b062 - lavu 51.8.0 - opt.h
  Add av_opt_free convenience function.

 2011-06-06 - 95a0242 - lavfi 2.14.0 - AVFilterBufferRefAudioProps
@@ -98,7 +105,7 @@ API changes, most recent first:
  Add av_get_pix_fmt_name() in libavutil/pixdesc.h, and deprecate
  avcodec_get_pix_fmt_name() in libavcodec/avcodec.h in its favor.

-2011-05-25 - 30315a8 - lavf 53.3.0 - avformat.h
+2011-05-25 - 39e4206 / 30315a8 - lavf 53.3.0 - avformat.h
  Add fps_probe_size to AVFormatContext.

 2011-05-22 - 5ecdfd0 - lavf 53.2.0 - avformat.h
@@ -114,10 +121,10 @@ API changes, most recent first:
 2011-05-14 - 9fdf772 - lavfi 2.6.0 - avcodec.h
  Add avfilter_get_video_buffer_ref_from_frame() to libavfilter/avcodec.h.

-2011-05-18 - 64150ff - lavc 53.7.0 - AVCodecContext.request_sample_fmt
+2011-05-18 - 75a37b5 / 64150ff - lavc 53.7.0 - AVCodecContext.request_sample_fmt
  Add request_sample_fmt field to AVCodecContext.

-2011-05-10 - 188dea1 - lavc 53.6.0 - avcodec.h
+2011-05-10 - 59eb12f / 188dea1 - lavc 53.6.0 - avcodec.h
  Deprecate AVLPCType and the following fields in
  AVCodecContext: lpc_coeff_precision, prediction_order_method,
  min_partition_order, max_partition_order, lpc_type, lpc_passes.
@@ -147,81 +154,81 @@ API changes, most recent first:
  Add av_dynarray_add function for adding
  an element to a dynamic array.

-2011-04-26 - bebe72f - lavu 51.1.0 - avutil.h
+2011-04-26 - d7e5aeb / bebe72f - lavu 51.1.0 - avutil.h
  Add AVPictureType enum and av_get_picture_type_char(), deprecate
  FF_*_TYPE defines and av_get_pict_type_char() defined in
  libavcodec/avcodec.h.

-2011-04-26 - 10d3940 - lavfi 2.3.0 - avfilter.h
+2011-04-26 - d7e5aeb / 10d3940 - lavfi 2.3.0 - avfilter.h
  Add pict_type and key_frame fields to AVFilterBufferRefVideo.

-2011-04-26 - 7a11c82 - lavfi 2.2.0 - vsrc_buffer
+2011-04-26 - d7e5aeb / 7a11c82 - lavfi 2.2.0 - vsrc_buffer
  Add sample_aspect_ratio fields to vsrc_buffer arguments

-2011-04-21 - 94f7451 - lavc 53.1.0 - avcodec.h
+2011-04-21 - 8772156 / 94f7451 - lavc 53.1.0 - avcodec.h
  Add CODEC_CAP_SLICE_THREADS for codecs supporting sliced threading.

 2011-04-15 - lavc 52.120.0 - avcodec.h
  AVPacket structure got additional members for passing side information:
-    4de339e introduce side information for AVPacket
-    2d8591c make containers pass palette change in AVPacket
+    c407984 / 4de339e introduce side information for AVPacket
+    c407984 / 2d8591c make containers pass palette change in AVPacket

 2011-04-12 - lavf 52.107.0 - avio.h
  Avio cleanup, part II - deprecate the entire URLContext API:
-    175389c add avio_check as a replacement for url_exist
-    ff1ec0c add avio_pause and avio_seek_time as replacements
+    c55780d / 175389c add avio_check as a replacement for url_exist
+    9891004 / ff1ec0c add avio_pause and avio_seek_time as replacements
            for _av_url_read_fseek/fpause
-    cdc6a87 deprecate av_protocol_next(), avio_enum_protocols
+    d4d0932 / cdc6a87 deprecate av_protocol_next(), avio_enum_protocols
            should be used instead.
-    80c6e23 rename url_set_interrupt_cb->avio_set_interrupt_cb.
-    f87b1b3 rename open flags: URL_* -> AVIO_*
-    f8270bb add avio_enum_protocols.
-    5593f03 deprecate URLProtocol.
-    c486dad deprecate URLContext.
-    026e175 deprecate the typedef for URLInterruptCB
-    8e76a19 deprecate av_register_protocol2.
-    b840484 deprecate URL_PROTOCOL_FLAG_NESTED_SCHEME
-    1305d93 deprecate av_url_read_seek
-    fa104e1 deprecate av_url_read_pause
-    727c7aa deprecate url_get_filename().
-    5958df3 deprecate url_max_packet_size().
-    1869ea0 deprecate url_get_file_handle().
-    32a97d4 deprecate url_filesize().
-    e52a914 deprecate url_close().
-    58a48c6 deprecate url_seek().
-    925e908 deprecate url_write().
-    dce3756 deprecate url_read_complete().
-    bc371ac deprecate url_read().
-    0589da0 deprecate url_open().
-    62eaaea deprecate url_connect.
-    5652bb9 deprecate url_alloc.
-    333e894 deprecate url_open_protocol
-    e230705 deprecate url_poll and URLPollEntry
+    c88caa5 / 80c6e23 rename url_set_interrupt_cb->avio_set_interrupt_cb.
+    c88caa5 / f87b1b3 rename open flags: URL_* -> AVIO_*
+    d4d0932 / f8270bb add avio_enum_protocols.
+    d4d0932 / 5593f03 deprecate URLProtocol.
+    d4d0932 / c486dad deprecate URLContext.
+    d4d0932 / 026e175 deprecate the typedef for URLInterruptCB
+    c88caa5 / 8e76a19 deprecate av_register_protocol2.
+    11d7841 / b840484 deprecate URL_PROTOCOL_FLAG_NESTED_SCHEME
+    11d7841 / 1305d93 deprecate av_url_read_seek
+    11d7841 / fa104e1 deprecate av_url_read_pause
+    434f248 / 727c7aa deprecate url_get_filename().
+    434f248 / 5958df3 deprecate url_max_packet_size().
+    434f248 / 1869ea0 deprecate url_get_file_handle().
+    434f248 / 32a97d4 deprecate url_filesize().
+    434f248 / e52a914 deprecate url_close().
+    434f248 / 58a48c6 deprecate url_seek().
+    434f248 / 925e908 deprecate url_write().
+    434f248 / dce3756 deprecate url_read_complete().
+    434f248 / bc371ac deprecate url_read().
+    434f248 / 0589da0 deprecate url_open().
+    434f248 / 62eaaea deprecate url_connect.
+    434f248 / 5652bb9 deprecate url_alloc.
+    434f248 / 333e894 deprecate url_open_protocol
+    434f248 / e230705 deprecate url_poll and URLPollEntry

 2011-04-08 - lavf 52.106.0 - avformat.h
  Minor avformat.h cleanup:
-    a9bf9d8 deprecate av_guess_image2_codec
-    c3675df rename avf_sdp_create->av_sdp_create
+    d4d0932 / a9bf9d8 deprecate av_guess_image2_codec
+    d4d0932 / c3675df rename avf_sdp_create->av_sdp_create

 2011-04-03 - lavf 52.105.0 - avio.h
  Large-scale renaming/deprecating of AVIOContext-related functions:
-    724f6a0 deprecate url_fdopen
-    403ee83 deprecate url_open_dyn_packet_buf
-    6dc7d80 rename url_close_dyn_buf       -> avio_close_dyn_buf
-    b92c545 rename url_open_dyn_buf        -> avio_open_dyn_buf
-    8978fed introduce an AVIOContext.seekable field as a replacement for
+    2cae980 / 724f6a0 deprecate url_fdopen
+    2cae980 / 403ee83 deprecate url_open_dyn_packet_buf
+    2cae980 / 6dc7d80 rename url_close_dyn_buf       -> avio_close_dyn_buf
+    2cae980 / b92c545 rename url_open_dyn_buf        -> avio_open_dyn_buf
+    2cae980 / 8978fed introduce an AVIOContext.seekable field as a replacement for
            AVIOContext.is_streamed and url_is_streamed()
-    b64030f deprecate get_checksum()
-    4c4427a deprecate init_checksum()
-    4ec153b deprecate udp_set_remote_url/get_local_port
-    933e90a deprecate av_url_read_fseek/fpause
-    8d9769a deprecate url_fileno
-    b7f2fdd rename put_flush_packet -> avio_flush
-    35f1023 deprecate url_close_buf
-    83fddae deprecate url_open_buf
-    d9d86e0 rename url_fprintf -> avio_printf
-    59f65d9 deprecate url_setbufsize
-    3e68b3b deprecate url_ferror
+    1caa412 / b64030f deprecate get_checksum()
+    1caa412 / 4c4427a deprecate init_checksum()
+    2fd41c9 / 4ec153b deprecate udp_set_remote_url/get_local_port
+    4fa0e24 / 933e90a deprecate av_url_read_fseek/fpause
+    4fa0e24 / 8d9769a deprecate url_fileno
+    0fecf26 / b7f2fdd rename put_flush_packet -> avio_flush
+    0fecf26 / 35f1023 deprecate url_close_buf
+    0fecf26 / 83fddae deprecate url_open_buf
+    0fecf26 / d9d86e0 rename url_fprintf -> avio_printf
+    0fecf26 / 59f65d9 deprecate url_setbufsize
+    6947b0c / 3e68b3b deprecate url_ferror
    66e5b1d deprecate url_feof
    e8bb2e2 deprecate url_fget_max_packet_size
    76aa876 rename url_fsize -> avio_size
@@ -243,7 +250,7 @@ API changes, most recent first:
    b3db9ce deprecate get_partial_buffer
    8d9ac96 rename av_alloc_put_byte -> avio_alloc_context

-2011-03-25 - 34b47d7 - lavc 52.115.0 - AVCodecContext.audio_service_type
+2011-03-25 - 27ef7b1 / 34b47d7 - lavc 52.115.0 - AVCodecContext.audio_service_type
  Add audio_service_type field to AVCodecContext.

 2011-03-17 - e309fdc - lavu 50.40.0 - pixfmt.h
@@ -281,11 +288,11 @@ API changes, most recent first:
 2011-02-10 - 12c14cd - lavf 52.99.0 - AVStream.disposition
  Add AV_DISPOSITION_HEARING_IMPAIRED and AV_DISPOSITION_VISUAL_IMPAIRED.

-2011-02-09 - 5592734 - lavc 52.112.0 - avcodec_thread_init()
+2011-02-09 - c0b102c - lavc 52.112.0 - avcodec_thread_init()
  Deprecate avcodec_thread_init()/avcodec_thread_free() use; instead
  set thread_count before calling avcodec_open.

-2011-02-09 - 778b08a - lavc 52.111.0 - threading API
+2011-02-09 - 37b00b4 - lavc 52.111.0 - threading API
  Add CODEC_CAP_FRAME_THREADS with new restrictions on get_buffer()/
  release_buffer()/draw_horiz_band() callbacks for appropriate codecs.
  Add thread_type and active_thread_type fields to AVCodecContext.
--- a/doc/faq.texi
+++ b/doc/faq.texi
@@ -447,6 +447,11 @@ encompassing your FFmpeg includes using @code{extern "C"}.

 See @url{http://www.parashift.com/c++-faq-lite/mixing-c-and-cpp.html#faq-32.3}

+@section I'm using libavutil from within my C++ application but the compiler complains about 'UINT64_C' was not declared in this scope
+
+Libav is a pure C project using C99 math features, in order to enable C++
+to use them you have to append -D__STDC_CONSTANT_MACROS to your CXXFLAGS
+
@section I have a file in memory / a API different from *open/*read/ libc how do I use it with libavformat?

 You have to implement a URLProtocol, see @file{libavformat/file.c} in
--- a/doc/ffmpeg.texi
+++ b/doc/ffmpeg.texi
@@ -299,6 +299,10 @@ prefix is ``ffmpeg2pass''. The complete file name will be
@file{PREFIX-N.log}, where N is a number specific to the output
 stream.

+Note that this option is overwritten by a local option of the same name
+when using @code{-vcodec libx264}. That option maps to the x264 option stats
+which has a different syntax.
+
@item -newvideo
 Add a new video stream to the current output stream.

@@ -713,8 +717,39 @@ ffmpeg -i in.ogg -map_metadata 0:0,s0 out.mp3
 Copy chapters from @var{infile} to @var{outfile}. If no chapter mapping is specified,
 then chapters are copied from the first input file with at least one chapter to all
 output files. Use a negative file index to disable any chapter copying.
-@item -debug
+@item -debug @var{category}
 Print specific debug info.
+@var{category} is a number or a string containing one of the following values:
+@table @samp
+@item bitstream
+@item buffers
+picture buffer allocations
+@item bugs
+@item dct_coeff
+@item er
+error recognition
+@item mb_type
+macroblock (MB) type
+@item mmco
+memory management control operations (H.264)
+@item mv
+motion vector
+@item pict
+picture info
+@item pts
+@item qp
+per-block quantization parameter (QP)
+@item rc
+rate control
+@item skip
+@item startcode
+@item thread_ops
+threading operations
+@item vis_mb_type
+visualize block types
+@item vis_qp
+visualize quantization parameter (QP), lower QP are tinted greener
+@end table
@item -benchmark
 Show benchmarking information at the end of an encode.
 Shows CPU time used and maximum memory consumption.
--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -82,7 +82,7 @@ Follows a BNF description for the filtergraph syntax:
@var{LINKLABEL}        ::= "[" @var{NAME} "]"
@var{LINKLABELS}       ::= @var{LINKLABEL} [@var{LINKLABELS}]
@var{FILTER_ARGUMENTS} ::= sequence of chars (eventually quoted)
-@var{FILTER}           ::= [@var{LINKNAMES}] @var{NAME} ["=" @var{ARGUMENTS}] [@var{LINKNAMES}]
+@var{FILTER}           ::= [@var{LINKLABELS}] @var{NAME} ["=" @var{FILTER_ARGUMENTS}] [@var{LINKLABELS}]
@var{FILTERCHAIN}      ::= @var{FILTER} [,@var{FILTERCHAIN}]
@var{FILTERGRAPH}      ::= @var{FILTERCHAIN} [;@var{FILTERGRAPH}]
@end example
@@ -1683,7 +1683,7 @@ It accepts the following parameters:

 Negative values for the amount will blur the input video, while positive
 values will sharpen. All parameters are optional and default to the
-equivalent of the string '5:5:1.0:0:0:0.0'.
+equivalent of the string '5:5:1.0:5:5:0.0'.

@table @option

@@ -1701,11 +1701,11 @@ and 5.0, default value is 1.0.

@item chroma_msize_x
 Set the chroma matrix horizontal size. It can be an integer between 3
-and 13, default value is 0.
+and 13, default value is 5.

@item chroma_msize_y
 Set the chroma matrix vertical size. It can be an integer between 3
-and 13, default value is 0.
+and 13, default value is 5.

@item luma_amount
 Set the chroma effect strength. It can be a float number between -2.0
@@ -1760,9 +1760,9 @@ interlaced video, accepts one of the following values:

@table @option
@item 0
-assume bottom field first
-@item 1
 assume top field first
+@item 1
+assume bottom field first
@item -1
 enable automatic detection
@end table
--- a/doc/general.texi
+++ b/doc/general.texi
@@ -542,6 +542,8 @@ following image formats are supported:
@multitable @columnfractions .4 .1 .1 .4
@item Name @tab Encoding @tab Decoding @tab Comments
@item 8SVX audio             @tab     @tab  X
+@item AAC+                   @tab  E  @tab  X
+    @tab encoding supported through external library libaacplus
@item AAC                    @tab  E  @tab  X
    @tab encoding supported through external library libfaac and libvo-aacenc
@item AC-3                   @tab IX  @tab  X
@@ -1060,7 +1062,7 @@ These library packages are only available from Cygwin Ports
 (@url{http://sourceware.org/cygwinports/}) :

@example
-yasm, libSDL-devel, libdirac-devel, libfaac-devel, libgsm-devel,
+yasm, libSDL-devel, libdirac-devel, libfaac-devel, libaacplus-devel, libgsm-devel,
 libmp3lame-devel, libschroedinger1.0-devel, speex-devel, libtheora-devel,
 libxvidcore-devel
@end example
--- a/doc/issue_tracker.txt
+++ b/doc/issue_tracker.txt
@@ -15,7 +15,7 @@ be properly added to the respective issue.
 The subscription URL for the ffmpeg-trac list is:
 http(s)://ffmpeg.org/mailman/listinfo/ffmpeg-trac
 The URL of the webinterface of the tracker is:
-http(s)://ffmpeg.org/trac/ffmpeg
+http(s)://trac.ffmpeg.org

 NOTE: issue = (bug report || patch || feature request)

--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -315,6 +315,7 @@ typedef struct AVOutputStream {
 #endif

   int sws_flags;
+   char *forced_key_frames;
 } AVOutputStream;

 static AVOutputStream **output_streams_for_file[MAX_FILES] = { NULL };
@@ -345,7 +346,7 @@ typedef struct AVInputFile {
    int eof_reached;      /* true if eof reached */
    int ist_index;        /* index of first stream in ist_table */
    int buffer_size;      /* current total buffer size */
-    int nb_streams;
+    int nb_streams;       /* nb streams we are aware of */
 } AVInputFile;

 #if HAVE_TERMIOS_H
@@ -2055,7 +2056,7 @@ static int transcode(AVFormatContext **output_files,
        fi = stream_maps[i].sync_file_index;
        si = stream_maps[i].sync_stream_index;
        if (fi < 0 || fi > nb_input_files - 1 ||
-            si < 0 || si > input_files[fi].ctx->nb_streams - 1) {
+            si < 0 || si > input_files[fi].nb_streams - 1) {
            fprintf(stderr,"Could not find sync stream #%d.%d\n", fi, si);
            ret = AVERROR(EINVAL);
            goto fail;
@@ -2337,6 +2338,9 @@ static int transcode(AVFormatContext **output_files,
                                               "Please consider specifiying a lower framerate, a different muxer or -vsync 2\n");
                }

+                if (ost->forced_key_frames)
+                    parse_forced_key_frames(ost->forced_key_frames, ost, codec);
+
 #if CONFIG_AVFILTER
                if (configure_video_filters(ist, ost)) {
                    fprintf(stderr, "Error opening filters!\n");
@@ -2380,9 +2384,9 @@ static int transcode(AVFormatContext **output_files,
            }
        }
        if(codec->codec_type == AVMEDIA_TYPE_VIDEO){
-            /* maximum video buffer size is 6-bytes per pixel, plus DPX header size */
+            /* maximum video buffer size is 6-bytes per pixel, plus DPX header size (1664)*/
            int size= codec->width * codec->height;
-            bit_buffer_size= FFMAX(bit_buffer_size, 6*size + 1664);
+            bit_buffer_size= FFMAX(bit_buffer_size, 7*size + 10000);
        }
    }

@@ -2858,6 +2862,7 @@ static int transcode(AVFormatContext **output_files,
                av_freep(&ost->st->codec->subtitle_header);
                av_free(ost->resample_frame.data[0]);
                av_free(ost->forced_kf_pts);
+                av_free(ost->forced_key_frames);
                if (ost->video_resample)
                    sws_freeContext(ost->img_resample_ctx);
                if (ost->resample)
@@ -3656,8 +3661,10 @@ static void new_video_stream(AVFormatContext *oc, int file_idx)
            }
        }

-        if (forced_key_frames)
-            parse_forced_key_frames(forced_key_frames, ost, video_enc);
+        if (forced_key_frames) {
+            ost->forced_key_frames = forced_key_frames;
+            forced_key_frames = NULL;
+        }
    }
    if (video_language) {
        av_dict_set(&st->metadata, "language", video_language, 0);
@@ -3667,7 +3674,6 @@ static void new_video_stream(AVFormatContext *oc, int file_idx)
    /* reset some key parameters */
    video_disable = 0;
    av_freep(&video_codec_name);
-    av_freep(&forced_key_frames);
    video_stream_copy = 0;
    frame_pix_fmt = PIX_FMT_NONE;
 }
--- a/ffplay.c
+++ b/ffplay.c
@@ -2135,7 +2135,12 @@ static int stream_component_open(VideoState *is, int stream_index)

    avctx->workaround_bugs = workaround_bugs;
    avctx->lowres = lowres;
-    if(lowres) avctx->flags |= CODEC_FLAG_EMU_EDGE;
+    if(avctx->lowres > codec->max_lowres){
+        av_log(avctx, AV_LOG_WARNING, "The maximum value for lowres supported by the decoder is %d\n",
+                codec->max_lowres);
+        avctx->lowres= codec->max_lowres;
+    }
+    if(avctx->lowres) avctx->flags |= CODEC_FLAG_EMU_EDGE;
    avctx->idct_algo= idct;
    if(fast) avctx->flags2 |= CODEC_FLAG2_FAST;
    avctx->skip_frame= skip_frame;
--- a/ffserver.c
+++ b/ffserver.c
@@ -518,6 +518,7 @@ static int socket_open_listen(struct sockaddr_in *my_addr)
    tmp = 1;
    setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &tmp, sizeof(tmp));

+    my_addr->sin_family = AF_INET;
    if (bind (server_fd, (struct sockaddr *) my_addr, sizeof (*my_addr)) < 0) {
        char bindmsg[32];
        snprintf(bindmsg, sizeof(bindmsg), "bind(port %d)", ntohs(my_addr->sin_port));
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -133,7 +133,9 @@ typedef struct FourXContext{
    GetBitContext pre_gb;          ///< ac/dc prefix
    GetBitContext gb;
    const uint8_t *bytestream;
+    const uint8_t *bytestream_end;
    const uint16_t *wordstream;
+    const uint16_t *wordstream_end;
    int mv[256];
    VLC pre_vlc;
    int last_dc;
@@ -277,7 +279,7 @@ static void init_mv(FourXContext *f){
    }
 #endif

-static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, int dc){
+static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, unsigned dc){
   int i;
   dc*= 0x10001;

@@ -328,6 +330,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
    assert(code>=0 && code<=6);

    if(code == 0){
+        if (f->bytestream_end - f->bytestream < 1){
+            av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n");
+            return;
+        }
        src += f->mv[ *f->bytestream++ ];
        if(start > src || src > end){
            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
@@ -345,15 +351,31 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
    }else if(code == 3 && f->version<2){
        mcdc(dst, src, log2w, h, stride, 1, 0);
    }else if(code == 4){
+        if (f->bytestream_end - f->bytestream < 1){
+            av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n");
+            return;
+        }
        src += f->mv[ *f->bytestream++ ];
        if(start > src || src > end){
            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
            return;
        }
+        if (f->wordstream_end - f->wordstream < 1){
+            av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
+            return;
+        }
        mcdc(dst, src, log2w, h, stride, 1, av_le2ne16(*f->wordstream++));
    }else if(code == 5){
+        if (f->wordstream_end - f->wordstream < 1){
+            av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
+            return;
+        }
        mcdc(dst, src, log2w, h, stride, 0, av_le2ne16(*f->wordstream++));
    }else if(code == 6){
+        if (f->wordstream_end - f->wordstream < 2){
+            av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
+            return;
+        }
        if(log2w){
            dst[0] = av_le2ne16(*f->wordstream++);
            dst[1] = av_le2ne16(*f->wordstream++);
@@ -375,6 +397,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){

    if(f->version>1){
        extra=20;
+        if (length < extra)
+            return -1;
        bitstream_size= AV_RL32(buf+8);
        wordstream_size= AV_RL32(buf+12);
        bytestream_size= AV_RL32(buf+16);
@@ -385,11 +409,10 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
        bytestream_size= FFMAX(length - bitstream_size - wordstream_size, 0);
    }

-    if(bitstream_size+ bytestream_size+ wordstream_size + extra != length
-       || bitstream_size  > (1<<26)
-       || bytestream_size > (1<<26)
-       || wordstream_size > (1<<26)
-       ){
+    if (bitstream_size > length ||
+        bytestream_size > length - bitstream_size ||
+        wordstream_size > length - bytestream_size - bitstream_size ||
+        extra > length - bytestream_size - bitstream_size - wordstream_size){
        av_log(f->avctx, AV_LOG_ERROR, "lengths %d %d %d %d\n", bitstream_size, bytestream_size, wordstream_size,
        bitstream_size+ bytestream_size+ wordstream_size - length);
        return -1;
@@ -399,10 +422,13 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
    if (!f->bitstream_buffer)
        return AVERROR(ENOMEM);
    f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)(buf + extra), bitstream_size/4);
+    memset((uint8_t*)f->bitstream_buffer + bitstream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
    init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size);

    f->wordstream= (const uint16_t*)(buf + extra + bitstream_size);
+    f->wordstream_end= f->wordstream + wordstream_size/2;
    f->bytestream= buf + extra + bitstream_size + wordstream_size;
+    f->bytestream_end = f->bytestream + bytestream_size;

    init_mv(f);

@@ -531,7 +557,7 @@ static int decode_i_mb(FourXContext *f){
    return 0;
 }

-static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf){
+static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf, int buf_size){
    int frequency[512];
    uint8_t flag[512];
    int up[512];
@@ -539,6 +565,7 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const
    int bits_tab[257];
    int start, end;
    const uint8_t *ptr= buf;
+    const uint8_t *ptr_end = buf + buf_size;
    int j;

    memset(frequency, 0, sizeof(frequency));
@@ -549,6 +576,8 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const
    for(;;){
        int i;

+        if (start <= end && ptr_end - ptr < end - start + 1 + 1)
+            return NULL;
        for(i=start; i<=end; i++){
            frequency[i]= *ptr++;
        }
@@ -601,9 +630,10 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const
        len_tab[j]= len;
    }

-    init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257,
-             len_tab , 1, 1,
-             bits_tab, 4, 4, 0);
+    if (init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257,
+                 len_tab , 1, 1,
+                 bits_tab, 4, 4, 0))
+        return NULL;

    return ptr;
 }
@@ -621,10 +651,13 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){
    const int height= f->avctx->height;
    uint16_t *dst= (uint16_t*)f->current_picture.data[0];
    const int stride= f->current_picture.linesize[0]>>1;
+    const uint8_t *buf_end = buf + length;

    for(y=0; y<height; y+=16){
        for(x=0; x<width; x+=16){
            unsigned int color[4], bits;
+            if (buf_end - buf < 8)
+                return -1;
            memset(color, 0, sizeof(color));
 //warning following is purely guessed ...
            color[0]= bytestream_get_le16(&buf);
@@ -658,18 +691,26 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
    uint16_t *dst= (uint16_t*)f->current_picture.data[0];
    const int stride= f->current_picture.linesize[0]>>1;
    const unsigned int bitstream_size= AV_RL32(buf);
-    const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
-    unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
-    const uint8_t *prestream= buf + bitstream_size + 12;
+    unsigned int prestream_size;
+    const uint8_t *prestream;

-    if(prestream_size + bitstream_size + 12 != length
-       || bitstream_size > (1<<26)
-       || prestream_size > (1<<26)){
+    if (length < bitstream_size + 12) {
+        av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
+    prestream      = buf + bitstream_size + 12;
+
+    if (prestream_size > (1<<26) ||
+        prestream_size != length - (bitstream_size + 12)){
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length);
        return -1;
    }

-    prestream= read_huffman_tables(f, prestream);
+    prestream= read_huffman_tables(f, prestream, buf + length - prestream);
+    if (!prestream)
+        return -1;

    init_get_bits(&f->gb, buf + 4, 8*bitstream_size);

@@ -679,6 +720,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
    if (!f->bitstream_buffer)
        return AVERROR(ENOMEM);
    f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)prestream, prestream_size/4);
+    memset((uint8_t*)f->bitstream_buffer + prestream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
    init_get_bits(&f->pre_gb, f->bitstream_buffer, 8*prestream_size);

    f->last_dc= 0*128*8*8;
@@ -710,6 +752,8 @@ static int decode_frame(AVCodecContext *avctx,
    AVFrame *p, temp;
    int i, frame_4cc, frame_size;

+    if (buf_size < 12)
+        return AVERROR_INVALIDDATA;
    frame_4cc= AV_RL32(buf);
    if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
@@ -722,6 +766,11 @@ static int decode_frame(AVCodecContext *avctx,
        const int whole_size= AV_RL32(buf+16);
        CFrameBuffer *cfrm;

+        if (data_size < 0 || whole_size < 0){
+            av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
+            return AVERROR_INVALIDDATA;
+        }
+
        for(i=0; i<CFRAME_BUFFER_COUNT; i++){
            if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
                av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);
@@ -738,6 +787,8 @@ static int decode_frame(AVCodecContext *avctx,
        }
        cfrm= &f->cfrm[i];

+        if (data_size > UINT_MAX -  cfrm->size - FF_INPUT_BUFFER_PADDING_SIZE)
+            return AVERROR_INVALIDDATA;
        cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
        if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
            av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
@@ -781,12 +832,16 @@ static int decode_frame(AVCodecContext *avctx,

    if(frame_4cc == AV_RL32("ifr2")){
        p->pict_type= AV_PICTURE_TYPE_I;
-        if(decode_i2_frame(f, buf-4, frame_size) < 0)
+        if(decode_i2_frame(f, buf-4, frame_size+4) < 0){
+            av_log(f->avctx, AV_LOG_ERROR, "decode i2 frame failed\n");
            return -1;
+        }
    }else if(frame_4cc == AV_RL32("ifrm")){
        p->pict_type= AV_PICTURE_TYPE_I;
-        if(decode_i_frame(f, buf, frame_size) < 0)
+        if(decode_i_frame(f, buf, frame_size) < 0){
+            av_log(f->avctx, AV_LOG_ERROR, "decode i frame failed\n");
            return -1;
+        }
    }else if(frame_4cc == AV_RL32("pfrm") || frame_4cc == AV_RL32("pfr2")){
        if(!f->last_picture.data[0]){
            f->last_picture.reference= 1;
@@ -797,8 +852,10 @@ static int decode_frame(AVCodecContext *avctx,
        }

        p->pict_type= AV_PICTURE_TYPE_P;
-        if(decode_p_frame(f, buf, frame_size) < 0)
+        if(decode_p_frame(f, buf, frame_size) < 0){
+            av_log(f->avctx, AV_LOG_ERROR, "decode p frame failed\n");
            return -1;
+        }
    }else if(frame_4cc == AV_RL32("snd_")){
        av_log(avctx, AV_LOG_ERROR, "ignoring snd_ chunk length:%d\n", buf_size);
    }else{
@@ -831,6 +888,10 @@ static av_cold int decode_init(AVCodecContext *avctx){
        av_log(avctx, AV_LOG_ERROR, "extradata wrong or missing\n");
        return 1;
    }
+    if((avctx->width % 16) || (avctx->height % 16)) {
+        av_log(avctx, AV_LOG_ERROR, "unsupported width/height\n");
+        return AVERROR_INVALIDDATA;
+    }

    avcodec_get_frame_defaults(&f->current_picture);
    avcodec_get_frame_defaults(&f->last_picture);
--- a/libavcodec/8svx.c
+++ b/libavcodec/8svx.c
@@ -44,7 +44,7 @@ typedef struct EightSvxContext {
    /* buffer used to store the whole audio decoded/interleaved chunk,
     * which is sent with the first packet */
    uint8_t *samples;
-    size_t samples_size;
+    int64_t samples_size;
    int samples_idx;
 } EightSvxContext;

--- a/libavcodec/Makefile
+++ b/libavcodec/Makefile
@@ -568,6 +568,7 @@ OBJS-$(CONFIG_WEBM_MUXER)              += xiph.o mpeg4audio.o \
 OBJS-$(CONFIG_WTV_DEMUXER)             += mpeg4audio.o mpegaudiodata.o

 # external codec libraries
+OBJS-$(CONFIG_LIBAACPLUS_ENCODER)         += libaacplus.o
 OBJS-$(CONFIG_LIBCELT_DECODER)            += libcelt_dec.o
 OBJS-$(CONFIG_LIBDIRAC_DECODER)           += libdiracdec.o
 OBJS-$(CONFIG_LIBDIRAC_ENCODER)           += libdiracenc.o libdirac_libschro.o
@@ -588,6 +589,7 @@ OBJS-$(CONFIG_LIBSCHROEDINGER_ENCODER)    += libschroedingerenc.o \
                                             libschroedinger.o    \
                                             libdirac_libschro.o
 OBJS-$(CONFIG_LIBSPEEX_DECODER)           += libspeexdec.o
+OBJS-$(CONFIG_LIBSPEEX_ENCODER)           += libspeexenc.o
 OBJS-$(CONFIG_LIBTHEORA_ENCODER)          += libtheoraenc.o
 OBJS-$(CONFIG_LIBVO_AACENC_ENCODER)       += libvo-aacenc.o mpeg4audio.o
 OBJS-$(CONFIG_LIBVO_AMRWBENC_ENCODER)     += libvo-amrwbenc.o
--- a/libavcodec/a64multienc.c
+++ b/libavcodec/a64multienc.c
@@ -55,9 +55,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest)
            for (y = blocky; y < blocky + 8 && y < C64YRES; y++) {
                for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) {
                    if(x < width && y < height) {
-                        /* build average over 2 pixels */
-                        luma = (src[(x + 0 + y * p->linesize[0])] +
-                                src[(x + 1 + y * p->linesize[0])]) / 2;
+                        if (x + 1 < width) {
+                            /* build average over 2 pixels */
+                            luma = (src[(x + 0 + y * p->linesize[0])] +
+                                    src[(x + 1 + y * p->linesize[0])]) / 2;
+                        } else {
+                            luma = src[(x + y * p->linesize[0])];
+                        }
                        /* write blocks as linear data now so they are suitable for elbg */
                        dest[0] = luma;
                    }
--- a/libavcodec/aac_adtstoasc_bsf.c
+++ b/libavcodec/aac_adtstoasc_bsf.c
@@ -72,7 +72,7 @@ static int aac_adtstoasc_filter(AVBitStreamFilterContext *bsfc,
        int            pce_size = 0;
        uint8_t        pce_data[MAX_PCE_SIZE];
        if (!hdr.chan_config) {
-            init_get_bits(&gb, buf, buf_size);
+            init_get_bits(&gb, buf, buf_size * 8);
            if (get_bits(&gb, 3) != 5) {
                av_log_missing_feature(avctx, "PCE based channel configuration, where the PCE is not the first syntax element is", 0);
                return -1;
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -183,6 +183,8 @@ static av_cold int che_configure(AACContext *ac,
                                 enum ChannelPosition che_pos[4][MAX_ELEM_ID],
                                 int type, int id, int *channels)
 {
+    if (*channels >= MAX_CHANNELS)
+        return AVERROR_INVALIDDATA;
    if (che_pos[type][id]) {
        if (!ac->che[type][id] && !(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))
            return AVERROR(ENOMEM);
@@ -568,6 +570,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
        output_scale_factor = 1.0;
    }

+    if (avctx->channels > MAX_CHANNELS) {
+        av_log(avctx, AV_LOG_ERROR, "Too many channels\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    AAC_INIT_VLC_STATIC( 0, 304);
    AAC_INIT_VLC_STATIC( 1, 270);
    AAC_INIT_VLC_STATIC( 2, 550);
@@ -754,19 +761,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
                av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
                return -1;
            }
-            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
+            do {
+                sect_len_incr = get_bits(gb, bits);
                sect_end += sect_len_incr;
-            sect_end += sect_len_incr;
-            if (get_bits_left(gb) < 0) {
-                av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-                return -1;
-            }
-            if (sect_end > ics->max_sfb) {
-                av_log(ac->avctx, AV_LOG_ERROR,
-                       "Number of bands (%d) exceeds limit (%d).\n",
-                       sect_end, ics->max_sfb);
-                return -1;
-            }
+                if (get_bits_left(gb) < 0) {
+                    av_log(ac->avctx, AV_LOG_ERROR, overread_err);
+                    return -1;
+                }
+                if (sect_end > ics->max_sfb) {
+                    av_log(ac->avctx, AV_LOG_ERROR,
+                           "Number of bands (%d) exceeds limit (%d).\n",
+                           sect_end, ics->max_sfb);
+                    return -1;
+                }
+            } while (sect_len_incr == (1 << bits) - 1);
            for (; k < sect_end; k++) {
                band_type        [idx]   = sect_band_type;
                band_type_run_end[idx++] = sect_end;
@@ -1090,7 +1098,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024],
                            GET_VLC(code, re, gb, vlc_tab, 8, 2);
                            cb_idx = cb_vector_idx[code];
                            nnz = cb_idx >> 8 & 15;
-                            bits = SHOW_UBITS(re, gb, nnz) << (32-nnz);
+                            bits = nnz ? GET_CACHE(re, gb) : 0;
                            LAST_SKIP_BITS(re, gb, nnz);
                            cf = VMUL4S(cf, vq, cb_idx, bits, sf + idx);
                        } while (len -= 4);
@@ -1130,7 +1138,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024],
                            GET_VLC(code, re, gb, vlc_tab, 8, 2);
                            cb_idx = cb_vector_idx[code];
                            nnz = cb_idx >> 8 & 15;
-                            sign = SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12);
+                            sign = nnz ? SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12) : 0;
                            LAST_SKIP_BITS(re, gb, nnz);
                            cf = VMUL2S(cf, vq, cb_idx, sign, sf + idx);
                        } while (len -= 2);
@@ -1693,7 +1701,7 @@ static void apply_tns(float coef[1024], TemporalNoiseShaping *tns,
    int w, filt, m, i;
    int bottom, top, order, start, end, size, inc;
    float lpc[TNS_MAX_ORDER];
-    float tmp[TNS_MAX_ORDER];
+    float tmp[TNS_MAX_ORDER + 1];

    for (w = 0; w < ics->num_windows; w++) {
        bottom = ics->num_swb;
@@ -1755,12 +1763,10 @@ static void windowing_and_mdct_ltp(AACContext *ac, float *out,
    } else {
        memset(in, 0, 448 * sizeof(float));
        ac->dsp.vector_fmul(in + 448, in + 448, swindow_prev, 128);
-        memcpy(in + 576, in + 576, 448 * sizeof(float));
    }
    if (ics->window_sequence[0] != LONG_START_SEQUENCE) {
        ac->dsp.vector_fmul_reverse(in + 1024, in + 1024, lwindow, 1024);
    } else {
-        memcpy(in + 1024, in + 1024, 448 * sizeof(float));
        ac->dsp.vector_fmul_reverse(in + 1024 + 448, in + 1024 + 448, swindow, 128);
        memset(in + 1024 + 576, 0, 448 * sizeof(float));
    }
@@ -2078,7 +2084,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
    ChannelElement *che = NULL, *che_prev = NULL;
    enum RawDataBlockType elem_type, elem_type_prev = TYPE_END;
    int err, elem_id, data_size_tmp;
-    int samples = 0, multiplier;
+    int samples = 0, multiplier, audio_found = 0;

    if (show_bits(gb, 12) == 0xfff) {
        if (parse_adts_frame_header(ac, gb) < 0) {
@@ -2109,10 +2115,12 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,

        case TYPE_SCE:
            err = decode_ics(ac, &che->ch[0], gb, 0, 0);
+            audio_found = 1;
            break;

        case TYPE_CPE:
            err = decode_cpe(ac, gb, che);
+            audio_found = 1;
            break;

        case TYPE_CCE:
@@ -2121,6 +2129,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,

        case TYPE_LFE:
            err = decode_ics(ac, &che->ch[0], gb, 0, 0);
+            audio_found = 1;
            break;

        case TYPE_DSE:
@@ -2197,7 +2206,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
                                                   samples, avctx->channels);
    }

-    if (ac->output_configured)
+    if (ac->output_configured && audio_found)
        ac->output_configured = OC_LOCKED;

    return 0;
--- a/libavcodec/aacenc.c
+++ b/libavcodec/aacenc.c
@@ -153,7 +153,7 @@ static void put_audio_specific_config(AVCodecContext *avctx)
    PutBitContext pb;
    AACEncContext *s = avctx->priv_data;

-    init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8);
+    init_put_bits(&pb, avctx->extradata, avctx->extradata_size);
    put_bits(&pb, 5, 2); //object type - AAC-LC
    put_bits(&pb, 4, s->samplerate_index); //sample rate index
    put_bits(&pb, 4, avctx->channels);
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -813,14 +813,17 @@ static void stereo_processing(PSContext *ps, float (*l)[32][2], float (*r)[32][2
    const float (*H_LUT)[8][4] = (PS_BASELINE || ps->icc_mode < 3) ? HA : HB;

    //Remapping
-    memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0]));
-    memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0]));
-    memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0]));
-    memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0]));
-    memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0]));
-    memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0]));
-    memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0]));
-    memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0]));
+    if (ps->num_env_old) {
+        memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0]));
+        memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0]));
+        memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0]));
+        memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0]));
+        memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0]));
+        memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0]));
+        memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0]));
+        memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0]));
+    }
+
    if (is34) {
        remap34(&iid_mapped, ps->iid_par, ps->nr_iid_par, ps->num_env, 1);
        remap34(&icc_mapped, ps->icc_par, ps->nr_icc_par, ps->num_env, 1);
--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -33,6 +33,7 @@
 #include "fft.h"
 #include "aacps.h"
 #include "libavutil/libm.h"
+#include "libavutil/avassert.h"

 #include <stdint.h>
 #include <float.h>
@@ -1182,14 +1183,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct,
 {
    int i, n;
    const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us;
+    const int step = 128 >> div;
    float *v;
    for (i = 0; i < 32; i++) {
-        if (*v_off == 0) {
+        if (*v_off < step) {
            int saved_samples = (1280 - 128) >> div;
            memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float));
-            *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div);
+            *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step;
        } else {
-            *v_off -= 128 >> div;
+            *v_off -= step;
        }
        v = v0 + *v_off;
        if (div) {
@@ -1457,6 +1459,7 @@ static void sbr_mapping(AACContext *ac, SpectralBandReplication *sbr,
        uint16_t *table = ch_data->bs_freq_res[e + 1] ? sbr->f_tablehigh : sbr->f_tablelow;
        int k;

+        av_assert0(sbr->kx[1] <= table[0]);
        for (i = 0; i < ilim; i++)
            for (m = table[i]; m < table[i + 1]; m++)
                sbr->e_origmapped[e][m - sbr->kx[1]] = ch_data->env_facs[e+1][i];
--- a/libavcodec/ac3dsp.c
+++ b/libavcodec/ac3dsp.c
@@ -108,7 +108,7 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd,
                                     int snr_offset, int floor,
                                     const uint8_t *bap_tab, uint8_t *bap)
 {
-    int bin, band;
+    int bin, band, band_end;

    /* special case, if snr offset is -960, set all bap's to zero */
    if (snr_offset == -960) {
@@ -120,12 +120,14 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd,
    band = ff_ac3_bin_to_band_tab[start];
    do {
        int m = (FFMAX(mask[band] - snr_offset - floor, 0) & 0x1FE0) + floor;
-        int band_end = FFMIN(ff_ac3_band_start_tab[band+1], end);
+        band_end = ff_ac3_band_start_tab[++band];
+        band_end = FFMIN(band_end, end);
+
        for (; bin < band_end; bin++) {
            int address = av_clip((psd[bin] - m) >> 5, 0, 63);
            bap[bin] = bap_tab[address];
        }
-    } while (end > ff_ac3_band_start_tab[band++]);
+    } while (end > band_end);
 }

 static void ac3_update_bap_counts_c(uint16_t mant_cnt[16], uint8_t *bap,
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -778,9 +778,13 @@ static int adpcm_encode_frame(AVCodecContext *avctx,
 static av_cold int adpcm_decode_init(AVCodecContext * avctx)
 {
    ADPCMContext *c = avctx->priv_data;
+    unsigned int min_channels = 1;
    unsigned int max_channels = 2;

    switch(avctx->codec->id) {
+    case CODEC_ID_ADPCM_EA:
+        min_channels = 2;
+        break;
    case CODEC_ID_ADPCM_EA_R1:
    case CODEC_ID_ADPCM_EA_R2:
    case CODEC_ID_ADPCM_EA_R3:
@@ -788,8 +792,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
        max_channels = 6;
        break;
    }
-    if(avctx->channels > max_channels){
-        return -1;
+
+    if (avctx->channels < min_channels || avctx->channels > max_channels) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+        return AVERROR(EINVAL);
    }

    switch(avctx->codec->id) {
@@ -1333,10 +1339,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
            buf_size -= 128;
        }
        break;
-    case CODEC_ID_ADPCM_IMA_EA_EACS:
+    case CODEC_ID_ADPCM_IMA_EA_EACS: {
+        unsigned header_size = 4 + (8<<st);
        samples_in_chunk = bytestream_get_le32(&src) >> (1-st);

-        if (samples_in_chunk > buf_size-4-(8<<st)) {
+        if (buf_size < header_size || samples_in_chunk > buf_size - header_size) {
            src += buf_size - 4;
            break;
        }
@@ -1351,6 +1358,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
            *samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3);
        }
        break;
+    }
    case CODEC_ID_ADPCM_IMA_EA_SEAD:
        for (; src < buf+buf_size; src++) {
            *samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6);
@@ -1358,11 +1366,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
        }
        break;
    case CODEC_ID_ADPCM_EA:
-        if (buf_size < 12 || AV_RL32(src) > (buf_size - 12)/30*28) {
-            src += buf_size;
-            break;
+        /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces,
+           each coding 28 stereo samples. */
+        if (buf_size < 12) {
+            av_log(avctx, AV_LOG_ERROR, "frame too small\n");
+            return AVERROR(EINVAL);
        }
        samples_in_chunk = AV_RL32(src);
+        if (samples_in_chunk / 28 > (buf_size - 12) / 30) {
+            av_log(avctx, AV_LOG_ERROR, "invalid frame\n");
+            return AVERROR(EINVAL);
+        }
        src += 4;
        current_left_sample   = (int16_t)bytestream_get_le16(&src);
        previous_left_sample  = (int16_t)bytestream_get_le16(&src);
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -664,10 +664,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
    alac->numchannels = alac->avctx->channels;

    /* initialize from the extradata */
-    if (alac->avctx->extradata_size != ALAC_EXTRADATA_SIZE) {
-        av_log(avctx, AV_LOG_ERROR, "alac: expected %d extradata bytes\n",
-            ALAC_EXTRADATA_SIZE);
-        return -1;
+    if (alac->avctx->extradata_size < ALAC_EXTRADATA_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "alac: extradata is too small\n");
+        return AVERROR_INVALIDDATA;
    }
    if (alac_set_info(alac)) {
        av_log(avctx, AV_LOG_ERROR, "alac: set_info failed\n");
--- a/libavcodec/alacenc.c
+++ b/libavcodec/alacenc.c
@@ -257,7 +257,7 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch)
        // generate warm-up samples
        residual[0] = samples[0];
        for(i=1;i<=lpc.lpc_order;i++)
-            residual[i] = samples[i] - samples[i-1];
+            residual[i] = sign_extend(samples[i] - samples[i-1], s->write_sample_size);

        // perform lpc on remaining samples
        for(i = lpc.lpc_order + 1; i < s->avctx->frame_size; i++) {
--- a/libavcodec/allcodecs.c
+++ b/libavcodec/allcodecs.c
@@ -370,6 +370,7 @@ void avcodec_register_all(void)
    REGISTER_ENCDEC  (XSUB, xsub);

    /* external libraries */
+    REGISTER_ENCODER (LIBAACPLUS, libaacplus);
    REGISTER_DECODER (LIBCELT, libcelt);
    REGISTER_ENCDEC  (LIBDIRAC, libdirac);
    REGISTER_ENCODER (LIBFAAC, libfaac);
@@ -380,7 +381,7 @@ void avcodec_register_all(void)
    REGISTER_DECODER (LIBOPENCORE_AMRWB, libopencore_amrwb);
    REGISTER_DECODER (LIBOPENJPEG, libopenjpeg);
    REGISTER_ENCDEC  (LIBSCHROEDINGER, libschroedinger);
-    REGISTER_DECODER (LIBSPEEX, libspeex);
+    REGISTER_ENCDEC  (LIBSPEEX, libspeex);
    REGISTER_ENCODER (LIBTHEORA, libtheora);
    REGISTER_ENCODER (LIBVO_AACENC, libvo_aacenc);
    REGISTER_ENCODER (LIBVO_AMRWBENC, libvo_amrwbenc);
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -551,12 +551,15 @@ static void get_block_sizes(ALSDecContext *ctx, unsigned int *div_blocks,

 /** Read the block data for a constant block
 */
-static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
+static int read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 {
    ALSSpecificConfig *sconf = &ctx->sconf;
    AVCodecContext *avctx    = ctx->avctx;
    GetBitContext *gb        = &ctx->gb;

+    if (bd->block_length <= 0)
+        return -1;
+
    *bd->raw_samples = 0;
    *bd->const_block = get_bits1(gb);    // 1 = constant value, 0 = zero block (silence)
    bd->js_blocks    = get_bits1(gb);
@@ -571,6 +574,8 @@ static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)

    // ensure constant block decoding by reusing this field
    *bd->const_block = 1;
+
+    return 0;
 }


@@ -650,6 +655,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
        for (k = 1; k < sub_blocks; k++)
            s[k] = s[k - 1] + decode_rice(gb, 0);
    }
+    for (k = 1; k < sub_blocks; k++)
+        if (s[k] > 32) {
+            av_log(avctx, AV_LOG_ERROR, "k invalid for rice code.\n");
+            return AVERROR_INVALIDDATA;
+        }

    if (get_bits1(gb))
        *bd->shift_lsbs = get_bits(gb, 4) + 1;
@@ -662,6 +672,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1,
                                                2, sconf->max_order + 1));
            *bd->opt_order       = get_bits(gb, opt_order_length);
+            if (*bd->opt_order > sconf->max_order) {
+                *bd->opt_order = sconf->max_order;
+                av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n");
+                return AVERROR_INVALIDDATA;
+            }
        } else {
            *bd->opt_order = sconf->max_order;
        }
@@ -694,6 +709,10 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
                    int rice_param = parcor_rice_table[sconf->coef_table][k][1];
                    int offset     = parcor_rice_table[sconf->coef_table][k][0];
                    quant_cof[k] = decode_rice(gb, rice_param) + offset;
+                    if (quant_cof[k] < -64 || quant_cof[k] > 63) {
+                        av_log(avctx, AV_LOG_ERROR, "quant_cof %d is out of range\n", quant_cof[k]);
+                        return AVERROR_INVALIDDATA;
+                    }
                }

                // read coefficients 20 to 126
@@ -726,7 +745,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            bd->ltp_gain[0]   = decode_rice(gb, 1) << 3;
            bd->ltp_gain[1]   = decode_rice(gb, 2) << 3;

-            r                 = get_unary(gb, 0, 4);
+            r                 = get_unary(gb, 0, 3);
            c                 = get_bits(gb, 2);
            bd->ltp_gain[2]   = ltp_gain_values[r][c];

@@ -755,7 +774,6 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
        int          delta[8];
        unsigned int k    [8];
        unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5);
-        unsigned int i = start;

        // read most significant bits
        unsigned int high;
@@ -766,29 +784,30 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)

        current_res = bd->raw_samples + start;

-        for (sb = 0; sb < sub_blocks; sb++, i = 0) {
+        for (sb = 0; sb < sub_blocks; sb++) {
+            unsigned int sb_len  = sb_length - (sb ? 0 : start);
+
            k    [sb] = s[sb] > b ? s[sb] - b : 0;
            delta[sb] = 5 - s[sb] + k[sb];

-            ff_bgmc_decode(gb, sb_length, current_res,
+            ff_bgmc_decode(gb, sb_len, current_res,
                        delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status);

-            current_res += sb_length;
+            current_res += sb_len;
        }

        ff_bgmc_decode_end(gb);


        // read least significant bits and tails
-        i = start;
        current_res = bd->raw_samples + start;

-        for (sb = 0; sb < sub_blocks; sb++, i = 0) {
+        for (sb = 0; sb < sub_blocks; sb++, start = 0) {
            unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]];
            unsigned int cur_k         = k[sb];
            unsigned int cur_s         = s[sb];

-            for (; i < sb_length; i++) {
+            for (; start < sb_length; start++) {
                int32_t res = *current_res;

                if (res == cur_tail_code) {
@@ -956,7 +975,8 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
        if (read_var_block_data(ctx, bd))
            return -1;
    } else {
-        read_const_block_data(ctx, bd);
+        if (read_const_block_data(ctx, bd) < 0)
+            return -1;
    }

    return 0;
@@ -1010,7 +1030,7 @@ static void zero_remaining(unsigned int b, unsigned int b_max,
 {
    unsigned int count = 0;

-    while (b < b_max)
+    for (; b < b_max; b++)
        count += div_blocks[b];

    if (count)
--- a/libavcodec/anm.c
+++ b/libavcodec/anm.c
@@ -79,6 +79,8 @@ static inline int op(uint8_t **dst, const uint8_t *dst_end,
        int striplen = FFMIN(count, remaining);
        if (buf) {
            striplen = FFMIN(striplen, buf_end - *buf);
+            if (*buf >= buf_end)
+                goto exhausted;
            memcpy(*dst, *buf, striplen);
            *buf += striplen;
        } else if (pixel >= 0)
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -163,6 +163,18 @@ typedef struct APEContext {

 // TODO: dsputilize

+static av_cold int ape_decode_close(AVCodecContext * avctx)
+{
+    APEContext *s = avctx->priv_data;
+    int i;
+
+    for (i = 0; i < APE_FILTER_LEVELS; i++)
+        av_freep(&s->filterbuf[i]);
+
+    av_freep(&s->data);
+    return 0;
+}
+
 static av_cold int ape_decode_init(AVCodecContext * avctx)
 {
    APEContext *s = avctx->priv_data;
@@ -195,25 +207,18 @@ static av_cold int ape_decode_init(AVCodecContext * avctx)
    for (i = 0; i < APE_FILTER_LEVELS; i++) {
        if (!ape_filter_orders[s->fset][i])
            break;
-        s->filterbuf[i] = av_malloc((ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4);
+        FF_ALLOC_OR_GOTO(avctx, s->filterbuf[i],
+                         (ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4,
+                         filter_alloc_fail);
    }

    dsputil_init(&s->dsp, avctx);
    avctx->sample_fmt = AV_SAMPLE_FMT_S16;
    avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO;
    return 0;
-}
-
-static av_cold int ape_decode_close(AVCodecContext * avctx)
-{
-    APEContext *s = avctx->priv_data;
-    int i;
-
-    for (i = 0; i < APE_FILTER_LEVELS; i++)
-        av_freep(&s->filterbuf[i]);
-
-    av_freep(&s->data);
-    return 0;
+filter_alloc_fail:
+    ape_decode_close(avctx);
+    return AVERROR(ENOMEM);
 }

 /**
@@ -797,7 +802,7 @@ static int ape_decode_frame(AVCodecContext * avctx,
    int buf_size = avpkt->size;
    APEContext *s = avctx->priv_data;
    int16_t *samples = data;
-    int nblocks;
+    uint32_t nblocks;
    int i, n;
    int blockstodecode;
    int bytes_used;
@@ -814,12 +819,15 @@ static int ape_decode_frame(AVCodecContext * avctx,
    }

    if(!s->samples){
-        s->data = av_realloc(s->data, (buf_size + 3) & ~3);
+        void *tmp_data = av_realloc(s->data, (buf_size + 3) & ~3);
+        if (!tmp_data)
+            return AVERROR(ENOMEM);
+        s->data = tmp_data;
        s->dsp.bswap_buf((uint32_t*)s->data, (const uint32_t*)buf, buf_size >> 2);
        s->ptr = s->last_ptr = s->data;
        s->data_end = s->data + buf_size;

-        nblocks = s->samples = bytestream_get_be32(&s->ptr);
+        nblocks = bytestream_get_be32(&s->ptr);
        n =  bytestream_get_be32(&s->ptr);
        if(n < 0 || n > 3){
            av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n");
@@ -828,12 +836,13 @@ static int ape_decode_frame(AVCodecContext * avctx,
        }
        s->ptr += n;

-        s->currentframeblocks = nblocks;
        buf += 4;
-        if (s->samples <= 0) {
+        if (!nblocks || nblocks > INT_MAX) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks);
            *data_size = 0;
-            return buf_size;
+            return AVERROR_INVALIDDATA;
        }
+        s->currentframeblocks = s->samples = nblocks;

        memset(s->decoded0,  0, sizeof(s->decoded0));
        memset(s->decoded1,  0, sizeof(s->decoded1));
--- a/libavcodec/arm/fft_fixed_neon.S
+++ b/libavcodec/arm/fft_fixed_neon.S
@@ -56,7 +56,7 @@
        vhsub.s16       \r0, \d0, \d1           @ t3, t4, t8, t7
        vhsub.s16       \r1, \d1, \d0
        vhadd.s16       \d0, \d0, \d1           @ t1, t2, t6, t5
-        vmov.i64        \d1, #0xffff<<32
+        vmov.i64        \d1, #0xffff00000000
        vbit            \r0, \r1, \d1
        vrev64.16       \r1, \r0                @ t7, t8, t4, t3
        vtrn.32         \r0, \r1                @ t3, t4, t7, t8
--- a/libavcodec/arm/int_neon.S
+++ b/libavcodec/arm/int_neon.S
@@ -67,10 +67,10 @@ function ff_scalarproduct_int16_neon, export=1

 3:      vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
@@ -107,10 +107,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1

        vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
--- a/libavcodec/ass_split.c
+++ b/libavcodec/ass_split.c
@@ -366,7 +366,7 @@ int ff_ass_split_override_codes(const ASSCodesCallbacks *callbacks, void *priv,
    char new_line[2];
    int text_len = 0;

-    while (*buf) {
+    while (buf && *buf) {
        if (text && callbacks->text &&
            (sscanf(buf, "\\%1[nN]", new_line) == 1 ||
             !strncmp(buf, "{\\", 2))) {
--- a/libavcodec/atrac1.c
+++ b/libavcodec/atrac1.c
@@ -276,7 +276,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,
    const uint8_t *buf = avpkt->data;
    int buf_size       = avpkt->size;
    AT1Ctx *q          = avctx->priv_data;
-    int ch, ret, i;
+    int ch, ret, i, out_size;
    GetBitContext gb;
    float* samples = data;

@@ -286,6 +286,13 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,
        return -1;
    }

+    out_size = q->channels * AT1_SU_SAMPLES *
+               av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
    for (ch = 0; ch < q->channels; ch++) {
        AT1SUCtx* su = &q->SUs[ch];

@@ -318,7 +325,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,
        }
    }

-    *data_size = q->channels * AT1_SU_SAMPLES * sizeof(*samples);
+    *data_size = out_size;
    return avctx->block_align;
 }

@@ -329,6 +336,11 @@ static av_cold int atrac1_decode_init(AVCodecContext *avctx)

    avctx->sample_fmt = AV_SAMPLE_FMT_FLT;

+    if (avctx->channels < 1 || avctx->channels > AT1_MAX_CHANNELS) {
+        av_log(avctx, AV_LOG_ERROR, "Unsupported number of channels: %d\n",
+               avctx->channels);
+        return AVERROR(EINVAL);
+    }
    q->channels = avctx->channels;

    /* Init the mdct transforms */
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -179,8 +179,11 @@ static int decode_bytes(const uint8_t* inbuffer, uint8_t* out, int bytes){
    uint32_t* obuf = (uint32_t*) out;

    off = (intptr_t)inbuffer & 3;
-    buf = (const uint32_t*) (inbuffer - off);
-    c = av_be2ne32((0x537F6103 >> (off*8)) | (0x537F6103 << (32-(off*8))));
+    buf = (const uint32_t *)(inbuffer - off);
+    if (off)
+        c = av_be2ne32((0x537F6103U >> (off * 8)) | (0x537F6103U << (32 - (off * 8))));
+    else
+        c = av_be2ne32(0x537F6103U);
    bytes += 3 + off;
    for (i = 0; i < bytes/4; i++)
        obuf[i] = c ^ buf[i];
@@ -395,6 +398,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent

            for (k=0; k<coded_components; k++) {
                sfIndx = get_bits(gb,6);
+                if (component_count >= 64)
+                    return AVERROR_INVALIDDATA;
                pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
                max_coded_values = 1024 - pComponent[component_count].pos;
                coded_values = coded_values_per_component + 1;
--- a/libavcodec/avcodec.h
+++ b/libavcodec/avcodec.h
@@ -30,6 +30,7 @@
 #include "libavutil/samplefmt.h"
 #include "libavutil/avutil.h"
 #include "libavutil/cpu.h"
+#include "libavutil/dict.h"

 #include "libavcodec/version.h"

@@ -543,7 +544,7 @@ enum AVChromaLocation{
 /**
 * LPC analysis type
 */
-attribute_deprecated enum AVLPCType {
+enum AVLPCType {
    AV_LPC_TYPE_DEFAULT     = -1, ///< use the codec default LPC type
    AV_LPC_TYPE_NONE        =  0, ///< do not use LPC prediction or use all zero coefficients
    AV_LPC_TYPE_FIXED       =  1, ///< fixed LPC coefficients
@@ -2686,7 +2687,6 @@ typedef struct AVCodecContext {

    /**
     * Bits per sample/pixel of internal libavcodec pixel/sample format.
-     * This field is applicable only when sample_fmt is AV_SAMPLE_FMT_S32.
     * - encoding: set by user.
     * - decoding: set by libavcodec.
     */
@@ -3785,6 +3785,7 @@ int avcodec_default_execute(AVCodecContext *c, int (*func)(AVCodecContext *c2, v
 int avcodec_default_execute2(AVCodecContext *c, int (*func)(AVCodecContext *c2, void *arg2, int, int),void *arg, int *ret, int count);
 //FIXME func typedef

+#if FF_API_AVCODEC_OPEN
 /**
 * Initialize the AVCodecContext to use the given AVCodec. Prior to using this
 * function the context has to be allocated.
@@ -3811,8 +3812,44 @@ int avcodec_default_execute2(AVCodecContext *c, int (*func)(AVCodecContext *c2,
 * @param codec The codec to use within the context.
 * @return zero on success, a negative value on error
 * @see avcodec_alloc_context, avcodec_find_decoder, avcodec_find_encoder, avcodec_close
+ *
+ * @deprecated use avcodec_open2
 */
 int avcodec_open(AVCodecContext *avctx, AVCodec *codec);
+#endif
+
+/**
+ * Initialize the AVCodecContext to use the given AVCodec. Prior to using this
+ * function the context has to be allocated with avcodec_alloc_context().
+ *
+ * The functions avcodec_find_decoder_by_name(), avcodec_find_encoder_by_name(),
+ * avcodec_find_decoder() and avcodec_find_encoder() provide an easy way for
+ * retrieving a codec.
+ *
+ * @warning This function is not thread safe!
+ *
+ * @code
+ * avcodec_register_all();
+ * av_dict_set(&opts, "b", "2.5M", 0);
+ * codec = avcodec_find_decoder(CODEC_ID_H264);
+ * if (!codec)
+ *     exit(1);
+ *
+ * context = avcodec_alloc_context();
+ *
+ * if (avcodec_open(context, codec, opts) < 0)
+ *     exit(1);
+ * @endcode
+ *
+ * @param avctx The context to initialize.
+ * @param options A dictionary filled with AVCodecContext and codec-private options.
+ *                On return this object will be filled with options that were not found.
+ *
+ * @return zero on success, a negative value on error
+ * @see avcodec_alloc_context3(), avcodec_find_decoder(), avcodec_find_encoder(),
+ *      av_dict_set(), av_opt_find().
+ */
+int avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVDictionary **options);

 #if FF_API_AUDIO_OLD
 /**
--- a/libavcodec/avs.c
+++ b/libavcodec/avs.c
@@ -47,6 +47,7 @@ avs_decode_frame(AVCodecContext * avctx,
                 void *data, int *data_size, AVPacket *avpkt)
 {
    const uint8_t *buf = avpkt->data;
+    const uint8_t *buf_end = avpkt->data + avpkt->size;
    int buf_size = avpkt->size;
    AvsContext *const avs = avctx->priv_data;
    AVFrame *picture = data;
@@ -69,6 +70,8 @@ avs_decode_frame(AVCodecContext * avctx,
    out = avs->picture.data[0];
    stride = avs->picture.linesize[0];

+    if (buf_end - buf < 4)
+        return AVERROR_INVALIDDATA;
    sub_type = buf[0];
    type = buf[1];
    buf += 4;
@@ -79,6 +82,8 @@ avs_decode_frame(AVCodecContext * avctx,

        first = AV_RL16(buf);
        last = first + AV_RL16(buf + 2);
+        if (first >= 256 || last > 256 || buf_end - buf < 4 + 4 + 3 * (last - first))
+            return AVERROR_INVALIDDATA;
        buf += 4;
        for (i=first; i<last; i++, buf+=3)
            pal[i] = (buf[0] << 18) | (buf[1] << 10) | (buf[2] << 2);
@@ -114,16 +119,22 @@ avs_decode_frame(AVCodecContext * avctx,
      return -1;
    }

+    if (buf_end - buf < 256 * vect_w * vect_h)
+        return AVERROR_INVALIDDATA;
    table = buf + (256 * vect_w * vect_h);
    if (sub_type != AVS_I_FRAME) {
        int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h);
-        init_get_bits(&change_map, table, map_size);
+        if (buf_end - table < map_size)
+            return AVERROR_INVALIDDATA;
+        init_get_bits(&change_map, table, map_size * 8);
        table += map_size;
    }

    for (y=0; y<198; y+=vect_h) {
        for (x=0; x<318; x+=vect_w) {
            if (sub_type == AVS_I_FRAME || get_bits1(&change_map)) {
+                if (buf_end - table < 1)
+                    return AVERROR_INVALIDDATA;
                vect = &buf[*table++ * (vect_w * vect_h)];
                for (j=0; j<vect_w; j++) {
                    out[(y + 0) * stride + x + j] = vect[(0 * vect_w) + j];
@@ -149,6 +160,7 @@ static av_cold int avs_decode_init(AVCodecContext * avctx)
    AvsContext *const avs = avctx->priv_data;
    avctx->pix_fmt = PIX_FMT_PAL8;
    avcodec_get_frame_defaults(&avs->picture);
+    avcodec_set_dimensions(avctx, 318, 198);
    return 0;
 }

--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -246,7 +246,7 @@ static void read_tree(GetBitContext *gb, Tree *tree)
            tree->syms[i] = get_bits(gb, 4);
            tmp1[tree->syms[i]] = 1;
        }
-        for (i = 0; i < 16; i++)
+        for (i = 0; i < 16 && len < 16 - 1; i++)
            if (!tmp1[i])
                tree->syms[++len] = i;
    } else {
@@ -343,14 +343,14 @@ static int read_motion_values(AVCodecContext *avctx, GetBitContext *gb, Bundle *
        memset(b->cur_dec, v, t);
        b->cur_dec += t;
    } else {
-        do {
+        while (b->cur_dec < dec_end) {
            v = GET_HUFF(gb, b->tree);
            if (v) {
                sign = -get_bits1(gb);
                v = (v ^ sign) - sign;
            }
            *b->cur_dec++ = v;
-        } while (b->cur_dec < dec_end);
+        }
    }
    return 0;
 }
@@ -374,7 +374,7 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
        memset(b->cur_dec, v, t);
        b->cur_dec += t;
    } else {
-        do {
+        while (b->cur_dec < dec_end) {
            v = GET_HUFF(gb, b->tree);
            if (v < 12) {
                last = v;
@@ -382,10 +382,12 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
            } else {
                int run = bink_rlelens[v - 12];

+                if (dec_end - b->cur_dec < run)
+                    return -1;
                memset(b->cur_dec, last, run);
                b->cur_dec += run;
            }
-        } while (b->cur_dec < dec_end);
+        }
    }
    return 0;
 }
@@ -455,7 +457,8 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
                    int start_bits, int has_sign)
 {
    int i, j, len, len2, bsize, sign, v, v2;
-    int16_t *dst = (int16_t*)b->cur_dec;
+    int16_t *dst     = (int16_t*)b->cur_dec;
+    int16_t *dst_end = (int16_t*)b->data_end;

    CHECK_READ_VAL(gb, b, len);
    v = get_bits(gb, start_bits - has_sign);
@@ -463,10 +466,14 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
        sign = -get_bits1(gb);
        v = (v ^ sign) - sign;
    }
+    if (dst_end - dst < 1)
+        return -1;
    *dst++ = v;
    len--;
    for (i = 0; i < len; i += 8) {
        len2 = FFMIN(len - i, 8);
+        if (dst_end - dst < len2)
+            return -1;
        bsize = get_bits(gb, 4);
        if (bsize) {
            for (j = 0; j < len2; j++) {
@@ -534,6 +541,8 @@ static int binkb_read_bundle(BinkContext *c, GetBitContext *gb, int bundle_num)
    int i, len;

    CHECK_READ_VAL(gb, b, len);
+    if (b->data_end - b->cur_dec < len * (1 + (bits > 8)))
+        return -1;
    if (bits <= 8) {
        if (!issigned) {
            for (i = 0; i < len; i++)
@@ -964,8 +973,9 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx,
    for (i = 0; i < BINK_NB_SRC; i++)
        read_bundle(gb, c, i);

-    ref_start = c->last.data[plane_idx];
-    ref_end   = c->last.data[plane_idx]
+    ref_start = c->last.data[plane_idx] ? c->last.data[plane_idx]
+                                        : c->pic.data[plane_idx];
+    ref_end   = ref_start
                + (bw - 1 + c->last.linesize[plane_idx] * (bh - 1)) * 8;

    for (i = 0; i < 64; i++)
@@ -994,7 +1004,8 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx,
        if (by == bh)
            break;
        dst  = c->pic.data[plane_idx]  + 8*by*stride;
-        prev = c->last.data[plane_idx] + 8*by*stride;
+        prev = (c->last.data[plane_idx] ? c->last.data[plane_idx]
+                                        : c->pic.data[plane_idx]) + 8*by*stride;
        for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) {
            blk = get_value(c, BINK_SRC_BLOCK_TYPES);
            // 16x16 block type on odd line means part of the already decoded block, so skip it
--- a/libavcodec/binkaudio.c
+++ b/libavcodec/binkaudio.c
@@ -85,9 +85,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
        frame_len_bits = 11;
    }

-    if (avctx->channels > MAX_CHANNELS) {
-        av_log(avctx, AV_LOG_ERROR, "too many channels: %d\n", avctx->channels);
-        return -1;
+    if (avctx->channels < 1 || avctx->channels > MAX_CHANNELS) {
+        av_log(avctx, AV_LOG_ERROR, "invalid number of channels: %d\n", avctx->channels);
+        return AVERROR_INVALIDDATA;
    }

    if (avctx->extradata && avctx->extradata_size > 0)
@@ -153,11 +153,18 @@ static const uint8_t rle_length_tab[16] = {
    2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 32, 64
 };

+#define GET_BITS_SAFE(out, nbits) do {  \
+    if (get_bits_left(gb) < nbits)      \
+        return AVERROR_INVALIDDATA;     \
+    out = get_bits(gb, nbits);          \
+} while (0)
+
 /**
 * Decode Bink Audio block
 * @param[out] out Output buffer (must contain s->block_size elements)
+ * @return 0 on success, negative error code on failure
 */
-static void decode_block(BinkAudioContext *s, short *out, int use_dct)
+static int decode_block(BinkAudioContext *s, short *out, int use_dct)
 {
    int ch, i, j, k;
    float q, quant[25];
@@ -170,13 +177,19 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct)
    for (ch = 0; ch < s->channels; ch++) {
        FFTSample *coeffs = s->coeffs_ptr[ch];
        if (s->version_b) {
+            if (get_bits_left(gb) < 64)
+                return AVERROR_INVALIDDATA;
            coeffs[0] = av_int2flt(get_bits(gb, 32)) * s->root;
            coeffs[1] = av_int2flt(get_bits(gb, 32)) * s->root;
        } else {
+            if (get_bits_left(gb) < 58)
+                return AVERROR_INVALIDDATA;
            coeffs[0] = get_float(gb) * s->root;
            coeffs[1] = get_float(gb) * s->root;
        }

+        if (get_bits_left(gb) < s->num_bands * 8)
+            return AVERROR_INVALIDDATA;
        for (i = 0; i < s->num_bands; i++) {
            /* constant is result of 0.066399999/log10(M_E) */
            int value = get_bits(gb, 8);
@@ -191,15 +204,20 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct)
        while (i < s->frame_len) {
            if (s->version_b) {
                j = i + 16;
-            } else if (get_bits1(gb)) {
-                j = i + rle_length_tab[get_bits(gb, 4)] * 8;
            } else {
-                j = i + 8;
+                int v;
+                GET_BITS_SAFE(v, 1);
+                if (v) {
+                    GET_BITS_SAFE(v, 4);
+                    j = i + rle_length_tab[v] * 8;
+                } else {
+                    j = i + 8;
+                }
            }

            j = FFMIN(j, s->frame_len);

-            width = get_bits(gb, 4);
+            GET_BITS_SAFE(width, 4);
            if (width == 0) {
                memset(coeffs + i, 0, (j - i) * sizeof(*coeffs));
                i = j;
@@ -209,9 +227,11 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct)
                while (i < j) {
                    if (s->bands[k] == i)
                        q = quant[k++];
-                    coeff = get_bits(gb, width);
+                    GET_BITS_SAFE(coeff, width);
                    if (coeff) {
-                        if (get_bits1(gb))
+                        int v;
+                        GET_BITS_SAFE(v, 1);
+                        if (v)
                            coeffs[i] = -q * coeff;
                        else
                            coeffs[i] =  q * coeff;
@@ -247,6 +267,8 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct)
           s->overlap_len * s->channels * sizeof(*out));

    s->first = 0;
+
+    return 0;
 }

 static av_cold int decode_end(AVCodecContext *avctx)
@@ -278,12 +300,17 @@ static int decode_frame(AVCodecContext *avctx,
    int reported_size;
    GetBitContext *gb = &s->gb;

+    if (buf_size < 4) {
+        av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    init_get_bits(gb, buf, buf_size * 8);

    reported_size = get_bits_long(gb, 32);
-    while (get_bits_count(gb) / 8 < buf_size &&
-           samples + s->block_size <= samples_end) {
-        decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT);
+    while (samples + s->block_size <= samples_end) {
+        if (decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT))
+            break;
        samples += s->block_size;
        get_bits_align32(gb);
    }
--- a/libavcodec/bitstream.c
+++ b/libavcodec/bitstream.c
@@ -109,8 +109,8 @@ static int alloc_table(VLC *vlc, int size, int use_static)
        if(use_static)
            abort(); //cant do anything, init_vlc() is used with too little memory
        vlc->table_allocated += (1 << vlc->bits);
-        vlc->table = av_realloc(vlc->table,
-                                sizeof(VLC_TYPE) * 2 * vlc->table_allocated);
+        vlc->table = av_realloc_f(vlc->table,
+                                  vlc->table_allocated, sizeof(VLC_TYPE) * 2);
        if (!vlc->table)
            return -1;
    }
--- a/libavcodec/bmp.c
+++ b/libavcodec/bmp.c
@@ -219,9 +219,6 @@ static int bmp_decode_frame(AVCodecContext *avctx,
    if(comp == BMP_RLE4 || comp == BMP_RLE8)
        memset(p->data[0], 0, avctx->height * p->linesize[0]);

-    if(depth == 4 || depth == 8)
-        memset(p->data[1], 0, 1024);
-
    if(height > 0){
        ptr = p->data[0] + (avctx->height - 1) * p->linesize[0];
        linesize = -p->linesize[0];
@@ -232,6 +229,9 @@ static int bmp_decode_frame(AVCodecContext *avctx,

    if(avctx->pix_fmt == PIX_FMT_PAL8){
        int colors = 1 << depth;
+
+        memset(p->data[1], 0, 1024);
+
        if(ihsize >= 36){
            int t;
            buf = buf0 + 46;
--- a/libavcodec/bytestream.h
+++ b/libavcodec/bytestream.h
@@ -26,6 +26,10 @@
 #include "libavutil/common.h"
 #include "libavutil/intreadwrite.h"

+typedef struct {
+    const uint8_t *buffer, *buffer_end;
+} GetByteContext;
+
 #define DEF_T(type, name, bytes, read, write)                             \
 static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\
    (*b) += bytes;\
@@ -34,6 +38,18 @@ static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\
 static av_always_inline void bytestream_put_ ##name(uint8_t **b, const type value){\
    write(*b, value);\
    (*b) += bytes;\
+}\
+static av_always_inline type bytestream2_get_ ## name(GetByteContext *g)\
+{\
+    if (g->buffer_end - g->buffer < bytes)\
+        return 0;\
+    return bytestream_get_ ## name(&g->buffer);\
+}\
+static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g)\
+{\
+    if (g->buffer_end - g->buffer < bytes)\
+        return 0;\
+    return read(g->buffer);\
 }

 #define DEF(name, bytes, read, write) \
@@ -55,6 +71,34 @@ DEF  (byte, 1, AV_RB8 , AV_WB8 )
 #undef DEF64
 #undef DEF_T

+static av_always_inline void bytestream2_init(GetByteContext *g,
+                                              const uint8_t *buf, int buf_size)
+{
+    g->buffer =  buf;
+    g->buffer_end = buf + buf_size;
+}
+
+static av_always_inline unsigned int bytestream2_get_bytes_left(GetByteContext *g)
+{
+    return g->buffer_end - g->buffer;
+}
+
+static av_always_inline void bytestream2_skip(GetByteContext *g,
+                                              unsigned int size)
+{
+    g->buffer += FFMIN(g->buffer_end - g->buffer, size);
+}
+
+static av_always_inline unsigned int bytestream2_get_buffer(GetByteContext *g,
+                                                            uint8_t *dst,
+                                                            unsigned int size)
+{
+    int size2 = FFMIN(g->buffer_end - g->buffer, size);
+    memcpy(dst, g->buffer, size2);
+    g->buffer += size2;
+    return size2;
+}
+
 static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, uint8_t *dst, unsigned int size)
 {
    memcpy(dst, *b, size);
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -161,10 +161,14 @@ void ff_init_cabac_states(CABACContext *c){
        ff_h264_mps_state[2*i+1]= 2*mps_state[i]+1;

        if( i ){
+            ff_h264_lps_state[2*i+0]=
            ff_h264_mlps_state[128-2*i-1]= 2*lps_state[i]+0;
+            ff_h264_lps_state[2*i+1]=
            ff_h264_mlps_state[128-2*i-2]= 2*lps_state[i]+1;
        }else{
+            ff_h264_lps_state[2*i+0]=
            ff_h264_mlps_state[128-2*i-1]= 1;
+            ff_h264_lps_state[2*i+1]=
            ff_h264_mlps_state[128-2*i-2]= 0;
        }
    }
@@ -190,7 +194,8 @@ int main(void){
    ff_init_cabac_states(&c);

    for(i=0; i<SIZE; i++){
-        r[i] = av_lfg_get(&prng) % 7;
+        if(2*i<SIZE) r[i] = av_lfg_get(&prng) % 7;
+        else         r[i] = (i>>8)&1;
    }

    for(i=0; i<SIZE; i++){
@@ -205,6 +210,7 @@ START_TIMER
 STOP_TIMER("put_cabac")
    }

+#if 0
    for(i=0; i<SIZE; i++){
 START_TIMER
        put_cabac_u(&c, state, r[i], 6, 3, i&1);
@@ -216,7 +222,7 @@ START_TIMER
        put_cabac_ueg(&c, state, r[i], 3, 0, 1, 2);
 STOP_TIMER("put_cabac_ueg")
    }
-
+#endif
    put_cabac_terminate(&c, 1);

    ff_init_cabac_decoder(&c, b, SIZE);
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -609,12 +609,21 @@ static int decode_pic(AVSContext *h) {
 static int decode_seq_header(AVSContext *h) {
    MpegEncContext *s = &h->s;
    int frame_rate_code;
+    int width, height;

    h->profile =         get_bits(&s->gb,8);
    h->level =           get_bits(&s->gb,8);
    skip_bits1(&s->gb); //progressive sequence
-    s->width =           get_bits(&s->gb,14);
-    s->height =          get_bits(&s->gb,14);
+
+    width  = get_bits(&s->gb, 14);
+    height = get_bits(&s->gb, 14);
+    if ((s->width || s->height) && (s->width != width || s->height != height)) {
+        av_log_missing_feature(s, "Width/height changing in CAVS is", 0);
+        return AVERROR_PATCHWELCOME;
+    }
+    s->width  = width;
+    s->height = height;
+
    skip_bits(&s->gb,2); //chroma format
    skip_bits(&s->gb,3); //sample_precision
    h->aspect_ratio =    get_bits(&s->gb,4);
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -280,6 +280,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
        av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
        return AVERROR(EINVAL);
    }
+    if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n");
+        return AVERROR(EINVAL);
+    }

    ret = avctx->reget_buffer(avctx, &cc->frame);
    if (ret) {
--- a/libavcodec/celp_filters.c
+++ b/libavcodec/celp_filters.c
@@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,
        out2 -= val * old_out2;
        out3 -= val * old_out3;

-        old_out3 = out[-5];
-
        for (i = 5; i <= filter_length; i += 2) {
+            old_out3 = out[-i];
            val = filter_coeffs[i-1];

            out0 -= val * old_out3;
@@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,

            FFSWAP(float, old_out0, old_out2);
            old_out1 = old_out3;
-            old_out3 = out[-i-2];
        }

        tmp0 = out0;
--- a/libavcodec/cinepak.c
+++ b/libavcodec/cinepak.c
@@ -335,7 +335,8 @@ static int cinepak_decode (CinepakContext *s)
             * If the frame header is followed by the bytes FE 00 00 06 00 00 then
             * this is probably one of the two known files that have 6 extra bytes
             * after the frame header. Else, assume 2 extra bytes. */
-            if ((s->data[10] == 0xFE) &&
+            if (s->size >= 16 &&
+                (s->data[10] == 0xFE) &&
                (s->data[11] == 0x00) &&
                (s->data[12] == 0x00) &&
                (s->data[13] == 0x06) &&
@@ -364,6 +365,8 @@ static int cinepak_decode (CinepakContext *s)
        s->strips[i].x2 = s->avctx->width;

        strip_size = AV_RB24 (&s->data[1]) - 12;
+        if(strip_size < 0)
+            return -1;
        s->data   += 12;
        strip_size = ((s->data + strip_size) > eod) ? (eod - s->data) : strip_size;

--- a/libavcodec/cljr.c
+++ b/libavcodec/cljr.c
@@ -67,7 +67,7 @@ static int decode_frame(AVCodecContext *avctx,
    p->pict_type= AV_PICTURE_TYPE_I;
    p->key_frame= 1;

-    init_get_bits(&a->gb, buf, buf_size);
+    init_get_bits(&a->gb, buf, buf_size * 8);

    for(y=0; y<avctx->height; y++){
        uint8_t *luma= &a->picture.data[0][ y*a->picture.linesize[0] ];
--- a/libavcodec/cook.c
+++ b/libavcodec/cook.c
@@ -1066,6 +1066,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
    q->sample_rate = avctx->sample_rate;
    q->nb_channels = avctx->channels;
    q->bit_rate = avctx->bit_rate;
+    if (!q->nb_channels) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+        return AVERROR_INVALIDDATA;
+    }

    /* Initialize RNG. */
    av_lfg_init(&q->random_state, 0);
@@ -1079,9 +1083,14 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
            q->subpacket[s].subbands = bytestream_get_be16(&edata_ptr);
            extradata_size -= 8;
        }
-        if (avctx->extradata_size >= 8){
+        if (extradata_size >= 8){
            bytestream_get_be32(&edata_ptr);    //Unknown unused
            q->subpacket[s].js_subband_start = bytestream_get_be16(&edata_ptr);
+            if (q->subpacket[s].js_subband_start >= 51) {
+                av_log(avctx, AV_LOG_ERROR, "js_subband_start %d is too large\n", q->subpacket[s].js_subband_start);
+                return AVERROR_INVALIDDATA;
+            }
+
            q->subpacket[s].js_vlc_bits = bytestream_get_be16(&edata_ptr);
            extradata_size -= 8;
        }
@@ -1175,8 +1184,9 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
            return -1;
        }

-        if ((q->subpacket[s].js_vlc_bits > 6) || (q->subpacket[s].js_vlc_bits < 0)) {
-            av_log(avctx,AV_LOG_ERROR,"js_vlc_bits = %d, only >= 0 and <= 6 allowed!\n",q->subpacket[s].js_vlc_bits);
+        if ((q->subpacket[s].js_vlc_bits > 6) || (q->subpacket[s].js_vlc_bits < 2*q->subpacket[s].joint_stereo)) {
+            av_log(avctx,AV_LOG_ERROR,"js_vlc_bits = %d, only >= %d and <= 6 allowed!\n",
+                   q->subpacket[s].js_vlc_bits, 2*q->subpacket[s].joint_stereo);
            return -1;
        }

--- a/libavcodec/cscd.c
+++ b/libavcodec/cscd.c
@@ -228,7 +228,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
            av_log(avctx, AV_LOG_ERROR,
                   "CamStudio codec error: invalid depth %i bpp\n",
                   avctx->bits_per_coded_sample);
-            return 1;
+            return AVERROR_INVALIDDATA;
    }
    c->bpp = avctx->bits_per_coded_sample;
    avcodec_get_frame_defaults(&c->pic);
@@ -242,7 +242,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
    c->decomp_buf = av_malloc(c->decomp_size + AV_LZO_OUTPUT_PADDING);
    if (!c->decomp_buf) {
        av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
-        return 1;
+        return AVERROR(ENOMEM);
    }
    return 0;
 }
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -29,6 +29,7 @@
 #include "libavutil/common.h"
 #include "libavutil/intmath.h"
 #include "libavutil/intreadwrite.h"
+#include "libavutil/mathematics.h"
 #include "libavutil/audioconvert.h"
 #include "avcodec.h"
 #include "dsputil.h"
@@ -898,15 +899,17 @@ static void qmf_32_subbands(DCAContext * s, int chans,
    else                        /* Perfect reconstruction */
        prCoeff = fir_32bands_perfect;

+    for (i = sb_act; i < 32; i++)
+        s->raXin[i] = 0.0;
+
    /* Reconstructed channel sample index */
    for (subindex = 0; subindex < 8; subindex++) {
        /* Load in one sample from each subband and clear inactive subbands */
        for (i = 0; i < sb_act; i++){
-            uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30;
+            unsigned sign = (i - 1) & 2;
+            uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ sign << 30;
            AV_WN32A(&s->raXin[i], v);
        }
-        for (; i < 32; i++)
-            s->raXin[i] = 0.0;

        s->synth.synth_filter_float(&s->imdct,
                              s->subband_fir_hist[chans], &s->hist_index[chans],
@@ -1650,6 +1653,7 @@ static int dca_decode_frame(AVCodecContext * avctx,
    //set AVCodec values with parsed data
    avctx->sample_rate = s->sample_rate;
    avctx->bit_rate = s->bit_rate;
+    avctx->frame_size = s->sample_blocks * 32;

    s->profile = FF_PROFILE_DTS;

--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -23,6 +23,8 @@
 #include "avcodec.h"
 #include "libavutil/intreadwrite.h"
 #include "bytestream.h"
+
+#include "libavutil/imgutils.h"
 #include "libavutil/lzo.h" // for av_memcpy_backptr

 typedef struct DfaContext {
@@ -35,9 +37,13 @@ typedef struct DfaContext {
 static av_cold int dfa_decode_init(AVCodecContext *avctx)
 {
    DfaContext *s = avctx->priv_data;
+    int ret;

    avctx->pix_fmt = PIX_FMT_PAL8;

+    if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
+        return ret;
+
    s->frame_buf = av_mallocz(avctx->width * avctx->height + AV_LZO_OUTPUT_PADDING);
    if (!s->frame_buf)
        return AVERROR(ENOMEM);
@@ -153,8 +159,7 @@ static int decode_dds1(uint8_t *frame, int width, int height,
            bitbuf = bytestream_get_le16(&src);
            mask = 1;
        }
-        if (src_end - src < 2 || frame_end - frame < 2)
-            return -1;
+
        if (bitbuf & mask) {
            v = bytestream_get_le16(&src);
            offset = (v & 0x1FFF) << 2;
@@ -168,8 +173,13 @@ static int decode_dds1(uint8_t *frame, int width, int height,
                frame += 2;
            }
        } else if (bitbuf & (mask << 1)) {
-            frame += bytestream_get_le16(&src) * 2;
+            v = bytestream_get_le16(&src)*2;
+            if (frame - frame_end < v)
+                return AVERROR_INVALIDDATA;
+            frame += v;
        } else {
+            if (frame_end - frame < width + 3)
+                return AVERROR_INVALIDDATA;
            frame[0] = frame[1] =
            frame[width] = frame[width + 1] =  *src++;
            frame += 2;
@@ -231,6 +241,7 @@ static int decode_wdlt(uint8_t *frame, int width, int height,
    const uint8_t *frame_end   = frame + width * height;
    uint8_t *line_ptr;
    int count, i, v, lines, segments;
+    int y = 0;

    lines = bytestream_get_le16(&src);
    if (lines > height || src >= src_end)
@@ -239,10 +250,12 @@ static int decode_wdlt(uint8_t *frame, int width, int height,
    while (lines--) {
        segments = bytestream_get_le16(&src);
        while ((segments & 0xC000) == 0xC000) {
+            unsigned skip_lines = -(int16_t)segments;
            unsigned delta = -((int16_t)segments * width);
-            if (frame_end - frame <= delta)
+            if (frame_end - frame <= delta || y + lines + skip_lines > height)
                return -1;
            frame    += delta;
+            y        += skip_lines;
            segments = bytestream_get_le16(&src);
        }
        if (segments & 0x8000) {
@@ -250,7 +263,10 @@ static int decode_wdlt(uint8_t *frame, int width, int height,
            segments = bytestream_get_le16(&src);
        }
        line_ptr = frame;
+        if (frame_end - frame < width)
+            return AVERROR_INVALIDDATA;
        frame += width;
+        y++;
        while (segments--) {
            if (src_end - src < 2)
                return -1;
--- a/libavcodec/dirac.c
+++ b/libavcodec/dirac.c
@@ -120,7 +120,7 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb,
    // chroma subsampling
    if (get_bits1(gb))
        source->chroma_format = svq3_get_ue_golomb(gb);
-    if (source->chroma_format > 2) {
+    if (source->chroma_format > 2U) {
        av_log(avctx, AV_LOG_ERROR, "Unknown chroma format %d\n",
               source->chroma_format);
        return -1;
@@ -128,14 +128,14 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb,

    if (get_bits1(gb))
        source->interlaced = svq3_get_ue_golomb(gb);
-    if (source->interlaced > 1)
+    if (source->interlaced > 1U)
        return -1;

    // frame rate
    if (get_bits1(gb)) {
        source->frame_rate_index = svq3_get_ue_golomb(gb);

-        if (source->frame_rate_index > 10)
+        if (source->frame_rate_index > 10U)
            return -1;

        if (!source->frame_rate_index) {
@@ -156,7 +156,7 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb,
    if (get_bits1(gb)) {
        source->aspect_ratio_index = svq3_get_ue_golomb(gb);

-        if (source->aspect_ratio_index > 6)
+        if (source->aspect_ratio_index > 6U)
            return -1;

        if (!source->aspect_ratio_index) {
@@ -179,7 +179,7 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb,
    if (get_bits1(gb)) {
        source->pixel_range_index = svq3_get_ue_golomb(gb);

-        if (source->pixel_range_index > 4)
+        if (source->pixel_range_index > 4U)
            return -1;

        // This assumes either fullrange or MPEG levels only
@@ -207,7 +207,7 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb,
    if (get_bits1(gb)) {
        idx = source->color_spec_index = svq3_get_ue_golomb(gb);

-        if (source->color_spec_index > 4)
+        if (source->color_spec_index > 4U)
            return -1;

        avctx->color_primaries = dirac_color_presets[idx].color_primaries;
@@ -217,7 +217,7 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb,
        if (!source->color_spec_index) {
            if (get_bits1(gb)) {
                idx = svq3_get_ue_golomb(gb);
-                if (idx < 3)
+                if (idx < 3U)
                    avctx->color_primaries = dirac_primaries[idx];
            }

@@ -259,7 +259,7 @@ int ff_dirac_parse_sequence_header(AVCodecContext *avctx, GetBitContext *gb,
    else if (version_major > 2)
        av_log(avctx, AV_LOG_WARNING, "Stream may have unhandled features\n");

-    if (video_format > 20)
+    if (video_format > 20U)
        return -1;

    // Fill in defaults for the source parameters.
--- a/libavcodec/dnxhdenc.c
+++ b/libavcodec/dnxhdenc.c
@@ -151,7 +151,7 @@ static int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias)

 static int dnxhd_init_rc(DNXHDEncContext *ctx)
 {
-    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail);
+    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail);
    if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD)
        FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail);

--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -169,6 +169,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    int in, out = 0;
    int predictor[2];
    int channel_number = 0;
+    int stereo = s->channels - 1;
    short *output_samples = data;
    int shift[2];
    unsigned char byte;
@@ -177,6 +178,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    if (!buf_size)
        return 0;

+    if (stereo && (buf_size & 1))
+        buf_size--;
+
    // almost every DPCM variant expands one byte of data into two
    if(*data_size/2 < buf_size)
        return -1;
@@ -295,7 +299,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
    }

    *data_size = out * sizeof(short);
-    return buf_size;
+    return avpkt->size;
 }

 #define DPCM_DECODER(id, name, long_name_)      \
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -146,11 +146,11 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
    return dst_cur - dst;
 }

-static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
 {
    uint16_t cmd;
    int i, sz, offset, code;
-    unsigned char *dst_end = dst + dst_size;
+    unsigned char *dst_end = dst + dst_size, *dst_start = dst;
    const unsigned char *src_end = src + src_size;

    while (src < src_end && dst < dst_end) {
@@ -161,6 +161,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
            } else {
                cmd = AV_RL16(src); src += 2;
                offset = cmd >> 4;
+                if ((int) (dst - dst_start) < offset + 1)
+                    return AVERROR_INVALIDDATA;
                sz = (cmd & 0xF) + 2;
                /* don't use memcpy/memmove here as the decoding routine (ab)uses */
                /* buffer overlappings to repeat bytes in the destination */
@@ -172,6 +174,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
            }
        }
    }
+
+    return 0;
 }

 static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
@@ -201,13 +205,7 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
    const uint8_t *buf = avpkt->data;
    int buf_size = avpkt->size;
    CinVideoContext *cin = avctx->priv_data;
-    int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size;
-
-    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
-    if (avctx->reget_buffer(avctx, &cin->frame)) {
-        av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
-        return -1;
-    }
+    int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0;

    palette_type = buf[0];
    palette_colors_count = AV_RL16(buf+1);
@@ -217,7 +215,11 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
    bitmap_frame_size = buf_size - 4;

    /* handle palette */
+    if (bitmap_frame_size < palette_colors_count * (3 + (palette_type != 0)))
+        return AVERROR_INVALIDDATA;
    if (palette_type == 0) {
+        if (palette_colors_count > 256)
+            return AVERROR_INVALIDDATA;
        for (i = 0; i < palette_colors_count; ++i) {
            cin->palette[i] = bytestream_get_le24(&buf);
            bitmap_frame_size -= 3;
@@ -229,8 +231,6 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
            bitmap_frame_size -= 4;
        }
    }
-    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
-    cin->frame.palette_has_changed = 1;

    /* note: the decoding routines below assumes that surface.width = surface.pitch */
    switch (bitmap_frame_type) {
@@ -263,17 +263,31 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 38:
-        cin_decode_lzss(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        res = cin_decode_lzss(buf, bitmap_frame_size,
+                              cin->bitmap_table[CIN_CUR_BMP],
+                              cin->bitmap_size);
+        if (res < 0)
+            return res;
        break;
    case 39:
-        cin_decode_lzss(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        res = cin_decode_lzss(buf, bitmap_frame_size,
+                              cin->bitmap_table[CIN_CUR_BMP],
+                              cin->bitmap_size);
+        if (res < 0)
+            return res;
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    }

+    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+    if (avctx->reget_buffer(avctx, &cin->frame)) {
+        av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
+        return -1;
+    }
+
+    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
+    cin->frame.palette_has_changed = 1;
    for (y = 0; y < cin->avctx->height; ++y)
        memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0],
          cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
@@ -306,6 +320,11 @@ static av_cold int cinaudio_decode_init(AVCodecContext *avctx)
    CinAudioContext *cin = avctx->priv_data;

    cin->avctx = avctx;
+    if (avctx->channels != 1) {
+        av_log_ask_for_sample(avctx, "Number of channels is not supported\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
    cin->initial_decode_frame = 1;
    cin->delta = 0;
    avctx->sample_fmt = AV_SAMPLE_FMT_S16;
--- a/libavcodec/dsputil.c
+++ b/libavcodec/dsputil.c
@@ -1914,7 +1914,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){

 static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
    long i;
-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
        long a = *(long*)(src+i);
        long b = *(long*)(dst+i);
        *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1939,7 +1939,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
        }
    }else
 #endif
-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
        long a = *(long*)(src1+i);
        long b = *(long*)(src2+i);
        *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
@@ -2836,7 +2836,7 @@ int ff_check_alignment(void){

 av_cold void dsputil_init(DSPContext* c, AVCodecContext *avctx)
 {
-    int i;
+    int i, j;

    ff_check_alignment();

@@ -3222,11 +3222,15 @@ av_cold void dsputil_init(DSPContext* c, AVCodecContext *avctx)
    if (ARCH_SH4)        dsputil_init_sh4   (c, avctx);
    if (ARCH_BFIN)       dsputil_init_bfin  (c, avctx);

-    for(i=0; i<64; i++){
-        if(!c->put_2tap_qpel_pixels_tab[0][i])
-            c->put_2tap_qpel_pixels_tab[0][i]= c->put_h264_qpel_pixels_tab[0][i];
-        if(!c->avg_2tap_qpel_pixels_tab[0][i])
-            c->avg_2tap_qpel_pixels_tab[0][i]= c->avg_h264_qpel_pixels_tab[0][i];
+    for (i = 0; i < 4; i++) {
+        for (j = 0; j < 16; j++) {
+            if(!c->put_2tap_qpel_pixels_tab[i][j])
+                c->put_2tap_qpel_pixels_tab[i][j] =
+                    c->put_h264_qpel_pixels_tab[i][j];
+            if(!c->avg_2tap_qpel_pixels_tab[i][j])
+                c->avg_2tap_qpel_pixels_tab[i][j] =
+                    c->avg_h264_qpel_pixels_tab[i][j];
+        }
    }

    c->put_rv30_tpel_pixels_tab[0][0] = c->put_h264_qpel_pixels_tab[0][0];
--- a/libavcodec/dvbsubdec.c
+++ b/libavcodec/dvbsubdec.c
@@ -1360,7 +1360,7 @@ static int dvbsub_display_end_segment(AVCodecContext *avctx, const uint8_t *buf,
        rect->y = display->y_pos + offset_y;
        rect->w = region->width;
        rect->h = region->height;
-        rect->nb_colors = 16;
+        rect->nb_colors = (1 << region->depth);
        rect->type      = SUBTITLE_BITMAP;
        rect->pict.linesize[0] = region->width;

--- a/libavcodec/dvdata.c
+++ b/libavcodec/dvdata.c
@@ -248,11 +248,13 @@ static const DVprofile dv_profiles[] = {
 const DVprofile* ff_dv_frame_profile(const DVprofile *sys,
                                  const uint8_t* frame, unsigned buf_size)
 {
-   int i;
+   int i, dsf, stype;

-   int dsf = (frame[3] & 0x80) >> 7;
+   if(buf_size < DV_PROFILE_BYTES)
+       return NULL;

-   int stype = frame[80*5 + 48 + 3] & 0x1f;
+   dsf = (frame[3] & 0x80) >> 7;
+   stype = frame[80*5 + 48 + 3] & 0x1f;

   /* 576i50 25Mbps 4:1:1 is a special case */
   if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) {
--- a/libavcodec/dxa.c
+++ b/libavcodec/dxa.c
@@ -295,6 +295,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
    c->avctx = avctx;
    avctx->pix_fmt = PIX_FMT_PAL8;

+    if (avctx->width%4 || avctx->height%4) {
+        av_log(avctx, AV_LOG_ERROR, "dimensions are not a multiple of 4");
+        return AVERROR_INVALIDDATA;
+    }
+
    avcodec_get_frame_defaults(&c->pic);
    avcodec_get_frame_defaults(&c->prev);

--- a/libavcodec/dxva2_h264.c
+++ b/libavcodec/dxva2_h264.c
@@ -158,9 +158,10 @@ static void fill_scaling_lists(const H264Context *h, DXVA_Qmatrix_H264 *qm)
        for (j = 0; j < 16; j++)
            qm->bScalingLists4x4[i][j] = h->pps.scaling_matrix4[i][zigzag_scan[j]];

-    for (i = 0; i < 2; i++)
-        for (j = 0; j < 64; j++)
-            qm->bScalingLists8x8[i][j] = h->pps.scaling_matrix8[i][ff_zigzag_direct[j]];
+    for (j = 0; j < 64; j++) {
+        qm->bScalingLists8x8[0][j] = h->pps.scaling_matrix8[0][ff_zigzag_direct[j]];
+        qm->bScalingLists8x8[1][j] = h->pps.scaling_matrix8[3][ff_zigzag_direct[j]];
+    }
 }

 static int is_slice_short(struct dxva_context *ctx)
--- a/libavcodec/dxva2_internal.h
+++ b/libavcodec/dxva2_internal.h
@@ -25,7 +25,14 @@

 #define _WIN32_WINNT 0x0600
 #define COBJMACROS
+
+#include "config.h"
+
 #include "dxva2.h"
+#if HAVE_DXVA_H
+#include <dxva.h>
+#endif
+
 #include "avcodec.h"
 #include "mpegvideo.h"

--- a/libavcodec/eacmv.c
+++ b/libavcodec/eacmv.c
@@ -56,7 +56,7 @@ static void cmv_decode_intra(CmvContext * s, const uint8_t *buf, const uint8_t *
    unsigned char *dst = s->frame.data[0];
    int i;

-    for (i=0; i < s->avctx->height && buf+s->avctx->width<=buf_end; i++) {
+    for (i=0; i < s->avctx->height && buf_end - buf >= s->avctx->width; i++) {
        memcpy(dst, buf, s->avctx->width);
        dst += s->frame.linesize[0];
        buf += s->avctx->width;
@@ -88,7 +88,7 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t *

    i = 0;
    for(y=0; y<s->avctx->height/4; y++)
-    for(x=0; x<s->avctx->width/4 && buf+i<buf_end; x++) {
+    for(x=0; x<s->avctx->width/4 && buf_end - buf > i; x++) {
        if (buf[i]==0xFF) {
            unsigned char *dst = s->frame.data[0] + (y*4)*s->frame.linesize[0] + x*4;
            if (raw+16<buf_end && *raw==0xFF) { /* intra */
@@ -110,9 +110,10 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t *
        }else{  /* inter using last frame as reference */
            int xoffset = (buf[i] & 0xF) - 7;
            int yoffset = ((buf[i] >> 4)) - 7;
-            cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
-                      s->last_frame.data[0], s->last_frame.linesize[0],
-                      x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
+            if (s->last_frame.data[0])
+                cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
+                          s->last_frame.data[0], s->last_frame.linesize[0],
+                          x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
        }
        i++;
    }
@@ -122,7 +123,7 @@ static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t
 {
    int pal_start, pal_count, i;

-    if(buf+16>=buf_end) {
+    if(buf_end - buf < 16) {
        av_log(s->avctx, AV_LOG_WARNING, "truncated header\n");
        return;
    }
@@ -139,7 +140,7 @@ static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t
    pal_count = AV_RL16(&buf[14]);

    buf += 16;
-    for (i=pal_start; i<pal_start+pal_count && i<AVPALETTE_COUNT && buf+2<buf_end; i++) {
+    for (i=pal_start; i<pal_start+pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) {
        s->palette[i] = AV_RB24(buf);
        buf += 3;
    }
@@ -157,6 +158,9 @@ static int cmv_decode_frame(AVCodecContext *avctx,
    CmvContext *s = avctx->priv_data;
    const uint8_t *buf_end = buf + buf_size;

+    if (buf_end - buf < EA_PREAMBLE_SIZE)
+        return AVERROR_INVALIDDATA;
+
    if (AV_RL32(buf)==MVIh_TAG||AV_RB32(buf)==MVIh_TAG) {
        cmv_process_header(s, buf+EA_PREAMBLE_SIZE, buf_end);
        return buf_size;
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -85,15 +85,21 @@ static inline void comp_block(MadContext *t, int mb_x, int mb_y,
 {
    MpegEncContext *s = &t->s;
    if (j < 4) {
+        unsigned offset = (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x;
+        if (offset >= (s->height - 7) * t->last_frame.linesize[0] - 7)
+            return;
        comp(t->frame.data[0] + (mb_y*16 + ((j&2)<<2))*t->frame.linesize[0] + mb_x*16 + ((j&1)<<3),
             t->frame.linesize[0],
-             t->last_frame.data[0] + (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x,
+             t->last_frame.data[0] + offset,
             t->last_frame.linesize[0], add);
    } else if (!(s->avctx->flags & CODEC_FLAG_GRAY)) {
        int index = j - 3;
+        unsigned offset = (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2);
+        if (offset >= (s->height/2 - 7) * t->last_frame.linesize[index] - 7)
+            return;
        comp(t->frame.data[index] + (mb_y*8)*t->frame.linesize[index] + mb_x * 8,
             t->frame.linesize[index],
-             t->last_frame.data[index] + (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2),
+             t->last_frame.data[index] + offset,
             t->last_frame.linesize[index], add);
    }
 }
@@ -205,7 +211,8 @@ static void decode_mb(MadContext *t, int inter)
    for (j=0; j<6; j++) {
        if (mv_map & (1<<j)) {  // mv_x and mv_y are guarded by mv_map
            int add = 2*decode_motion(&s->gb);
-            comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add);
+            if (t->last_frame.data[0])
+                comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add);
        } else {
            s->dsp.clear_block(t->block);
            decode_block_intra(t, t->block);
@@ -242,7 +249,7 @@ static int decode_frame(AVCodecContext *avctx,
    int chunk_type;
    int inter;

-    if (buf_size < 17) {
+    if (buf_size < 26) {
        av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
        *data_size = 0;
        return -1;
@@ -266,6 +273,8 @@ static int decode_frame(AVCodecContext *avctx,
        avcodec_set_dimensions(avctx, s->width, s->height);
        if (t->frame.data[0])
            avctx->release_buffer(avctx, &t->frame);
+        if (t->last_frame.data[0])
+            avctx->release_buffer(avctx, &t->last_frame);
    }

    t->frame.reference = 1;
@@ -280,6 +289,7 @@ static int decode_frame(AVCodecContext *avctx,
    if (!t->bitstream_buf)
        return AVERROR(ENOMEM);
    bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2);
+    memset((uint8_t*)t->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE);
    init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf));

    for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
--- a/libavcodec/eatgv.c
+++ b/libavcodec/eatgv.c
@@ -74,7 +74,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst
    else
        src += 2;

-    if (src+3>src_end)
+    if (src_end - src < 3)
        return -1;
    size = AV_RB24(src);
    src += 3;
@@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst
 * @return 0 on success, -1 on critical buffer underflow
 */
 static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){
-    unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0];
+    unsigned last_frame_size = s->avctx->height*s->last_frame.linesize[0];
    int num_mvs;
    int num_blocks_raw;
    int num_blocks_packed;
@@ -148,7 +148,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
    int mvbits;
    const unsigned char *blocks_raw;

-    if(buf+12>buf_end)
+    if(buf_end - buf < 12)
        return -1;

    num_mvs           = AV_RL16(&buf[0]);
@@ -171,7 +171,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
    /* read motion vectors */
    mvbits = (num_mvs*2*10+31) & ~31;

-    if (buf+(mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed>buf_end)
+    if (buf_end - buf < (mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed)
        return -1;

    init_get_bits(&gb, buf, mvbits);
@@ -207,12 +207,14 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
        int src_stride;

        if (vector < num_mvs) {
-            src = s->last_frame.data[0] +
-                  (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
-                   x*4 + s->mv_codebook[vector][0];
+            unsigned offset =
+                (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
+                 x*4 + s->mv_codebook[vector][0];
+
            src_stride = s->last_frame.linesize[0];
-            if (src+3*src_stride+3>=frame0_end)
+            if (offset >= last_frame_size - (3*src_stride+3))
                continue;
+            src = s->last_frame.data[0] + offset;
        }else{
            int offset = vector - num_mvs;
            if (offset<num_blocks_raw)
@@ -252,12 +254,15 @@ static int tgv_decode_frame(AVCodecContext *avctx,
    const uint8_t *buf_end = buf + buf_size;
    int chunk_type;

+    if (buf_end - buf < EA_PREAMBLE_SIZE)
+        return AVERROR_INVALIDDATA;
+
    chunk_type = AV_RL32(&buf[0]);
    buf += EA_PREAMBLE_SIZE;

    if (chunk_type==kVGT_TAG) {
        int pal_count, i;
-        if(buf+12>buf_end) {
+        if(buf_end - buf < 12) {
            av_log(avctx, AV_LOG_WARNING, "truncated header\n");
            return -1;
        }
@@ -272,7 +277,7 @@ static int tgv_decode_frame(AVCodecContext *avctx,

        pal_count = AV_RL16(&buf[6]);
        buf += 12;
-        for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf+2<buf_end; i++) {
+        for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) {
            s->palette[i] = AV_RB24(buf);
            buf += 3;
        }
--- a/libavcodec/eatqi.c
+++ b/libavcodec/eatqi.c
@@ -59,12 +59,15 @@ static av_cold int tqi_decode_init(AVCodecContext *avctx)
    return 0;
 }

-static void tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
+static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
 {
    int n;
    s->dsp.clear_blocks(block[0]);
    for (n=0; n<6; n++)
-        ff_mpeg1_decode_block_intra(s, block[n], n);
+        if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0)
+            return -1;
+
+    return 0;
 }

 static inline void tqi_idct_put(TqiContext *t, DCTELEM (*block)[64])
@@ -136,7 +139,8 @@ static int tqi_decode_frame(AVCodecContext *avctx,
    for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++)
    for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++)
    {
-        tqi_decode_mb(s, t->block);
+        if (tqi_decode_mb(s, t->block) < 0)
+            break;
        tqi_idct_put(t, t->block);
    }

--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@@ -660,7 +660,7 @@ static int is_intra_more_likely(MpegEncContext *s){

    if(s->codec_id == CODEC_ID_H264){
        H264Context *h= (void*)s;
-        if(h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0])
+        if (h->list_count <= 0 || h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0])
            return 1;
    }

--- a/libavcodec/faxcompr.c
+++ b/libavcodec/faxcompr.c
@@ -243,7 +243,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs)
    PutBitContext pb;
    int run, mode = ~0, pix_left = width, run_idx = 0;

-    init_put_bits(&pb, dst, size*8);
+    init_put_bits(&pb, dst, size);
    while(pix_left > 0){
        run = runs[run_idx++];
        mode = ~mode;
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -522,7 +522,7 @@ static av_always_inline int encode_line(FFV1Context *s, int w,
    int run_mode=0;

    if(s->ac){
-        if(c->bytestream_end - c->bytestream < w*20){
+        if(c->bytestream_end - c->bytestream < w*35){
            av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n");
            return -1;
        }
@@ -1805,7 +1805,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
        bytes_read = c->bytestream - c->bytestream_start - 1;
        if(bytes_read ==0) av_log(avctx, AV_LOG_ERROR, "error at end of AC stream\n"); //FIXME
 //printf("pos=%d\n", bytes_read);
-        init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, buf_size - bytes_read);
+        init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, (buf_size - bytes_read) * 8);
    } else {
        bytes_read = 0; /* avoid warning */
    }
@@ -1822,7 +1822,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
        if(fs->ac){
            ff_init_range_decoder(&fs->c, buf_p, v);
        }else{
-            init_get_bits(&fs->gb, buf_p, v);
+            init_get_bits(&fs->gb, buf_p, v * 8);
        }
    }

--- a/libavcodec/flac_parser.c
+++ b/libavcodec/flac_parser.c
@@ -646,7 +646,7 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx,
 handle_error:
    *poutbuf      = NULL;
    *poutbuf_size = 0;
-    return read_end - buf;
+    return buf_size ? read_end - buf : 0;
 }

 static int flac_parse_init(AVCodecParserContext *c)
--- a/libavcodec/flacdata.c
+++ b/libavcodec/flacdata.c
@@ -27,7 +27,7 @@ const int ff_flac_sample_rate_table[16] =
  8000, 16000, 22050, 24000, 32000, 44100, 48000, 96000,
  0, 0, 0, 0 };

-const int16_t ff_flac_blocksize_table[16] = {
+const int32_t ff_flac_blocksize_table[16] = {
     0,    192, 576<<0, 576<<1, 576<<2, 576<<3,      0,      0,
 256<<0, 256<<1, 256<<2, 256<<3, 256<<4, 256<<5, 256<<6, 256<<7
 };
--- a/libavcodec/flacdata.h
+++ b/libavcodec/flacdata.h
@@ -26,6 +26,6 @@

 extern const int ff_flac_sample_rate_table[16];

-extern const int16_t ff_flac_blocksize_table[16];
+extern const int32_t ff_flac_blocksize_table[16];

 #endif /* AVCODEC_FLACDATA_H */
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -228,9 +228,11 @@ static int get_metadata_size(const uint8_t *buf, int buf_size)

    buf += 4;
    do {
+        if (buf_end - buf < 4)
+            return 0;
        ff_flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size);
        buf += 4;
-        if (buf + metadata_size > buf_end) {
+        if (buf_end - buf < metadata_size) {
            /* need more data in order to read the complete header */
            return 0;
        }
@@ -418,7 +420,16 @@ static inline int decode_subframe(FLACContext *s, int channel)
    type = get_bits(&s->gb, 6);

    if (get_bits1(&s->gb)) {
+        int left = get_bits_left(&s->gb);
        wasted = 1;
+        if ( left < 0 ||
+            (left < s->curr_bps && !show_bits_long(&s->gb, left)) ||
+                                   !show_bits_long(&s->gb, s->curr_bps)) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "Invalid number of wasted bits > available bits (%d) - left=%d\n",
+                   s->curr_bps, left);
+            return AVERROR_INVALIDDATA;
+        }
        while (!get_bits1(&s->gb))
            wasted++;
        s->curr_bps -= wasted;
--- a/libavcodec/flacenc.c
+++ b/libavcodec/flacenc.c
@@ -948,14 +948,16 @@ static int encode_residual_ch(FlacEncodeContext *s, int ch)
        omethod == ORDER_METHOD_8LEVEL) {
        int levels = 1 << omethod;
        uint32_t bits[1 << ORDER_METHOD_8LEVEL];
-        int order;
+        int order       = -1;
        int opt_index   = levels-1;
        opt_order       = max_order-1;
        bits[opt_index] = UINT32_MAX;
        for (i = levels-1; i >= 0; i--) {
+            int last_order = order;
            order = min_order + (((max_order-min_order+1) * (i+1)) / levels)-1;
-            if (order < 0)
-                order = 0;
+            order = av_clip(order, min_order - 1, max_order - 1);
+            if (order == last_order)
+                continue;
            encode_residual_lpc(res, smp, n, order+1, coefs[order], shift[order]);
            bits[i] = find_subframe_rice_params(s, sub, order+1);
            if (bits[i] < bits[opt_index]) {
--- a/libavcodec/flashsv2enc.c
+++ b/libavcodec/flashsv2enc.c
@@ -270,7 +270,7 @@ static int write_header(FlashSV2Context * s, uint8_t * buf, int buf_size)
    if (buf_size < 5)
        return -1;

-    init_put_bits(&pb, buf, buf_size * 8);
+    init_put_bits(&pb, buf, buf_size);

    put_bits(&pb, 4, (s->block_width  >> 4) - 1);
    put_bits(&pb, 12, s->image_width);
--- a/libavcodec/flashsvenc.c
+++ b/libavcodec/flashsvenc.c
@@ -139,7 +139,7 @@ static int encode_bitstream(FlashSVContext *s, AVFrame *p, uint8_t *buf,
    int buf_pos, res;
    int pred_blocks = 0;

-    init_put_bits(&pb, buf, buf_size * 8);
+    init_put_bits(&pb, buf, buf_size);

    put_bits(&pb,  4, (block_width / 16) - 1);
    put_bits(&pb, 12, s->image_width);
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -132,7 +132,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
    FlicDecodeContext *s = avctx->priv_data;

    int stream_ptr = 0;
-    int stream_ptr_after_color_chunk;
    int pixel_ptr;
    int palette_ptr;
    unsigned char palette_idx1;
@@ -172,7 +171,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
    pixels = s->frame.data[0];
    pixel_limit = s->avctx->height * s->frame.linesize[0];

+    if (buf_size < 16 || buf_size > INT_MAX - (3 * 256 + FF_INPUT_BUFFER_PADDING_SIZE))
+        return AVERROR_INVALIDDATA;
    frame_size = AV_RL32(&buf[stream_ptr]);
+    if (frame_size > buf_size)
+        frame_size = buf_size;
    stream_ptr += 6;  /* skip the magic number */
    num_chunks = AV_RL16(&buf[stream_ptr]);
    stream_ptr += 10;  /* skip padding */
@@ -180,13 +183,16 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
    frame_size -= 16;

    /* iterate through the chunks */
-    while ((frame_size > 0) && (num_chunks > 0)) {
+    while ((frame_size >= 6) && (num_chunks > 0)) {
+        int stream_ptr_after_chunk;
        chunk_size = AV_RL32(&buf[stream_ptr]);
        if (chunk_size > frame_size) {
            av_log(avctx, AV_LOG_WARNING,
                   "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size);
            chunk_size = frame_size;
        }
+        stream_ptr_after_chunk = stream_ptr + chunk_size;
+
        stream_ptr += 4;
        chunk_type = AV_RL16(&buf[stream_ptr]);
        stream_ptr += 2;
@@ -194,8 +200,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
        switch (chunk_type) {
        case FLI_256_COLOR:
        case FLI_COLOR:
-            stream_ptr_after_color_chunk = stream_ptr + chunk_size - 6;
-
            /* check special case: If this file is from the Magic Carpet
             * game and uses 6-bit colors even though it reports 256-color
             * chunks in a 0xAF12-type file (fli_type is set to 0xAF13 during
@@ -219,6 +223,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                if (color_changes == 0)
                    color_changes = 256;

+                if (stream_ptr + color_changes * 3 > stream_ptr_after_chunk)
+                    break;
+
                for (j = 0; j < color_changes; j++) {
                    unsigned int entry;

@@ -235,13 +242,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                    s->palette[palette_ptr++] = entry;
                }
            }
-
-            /* color chunks sometimes have weird 16-bit alignment issues;
-             * therefore, take the hardline approach and set the stream_ptr
-             * to the value calculated w.r.t. the size specified by the color
-             * chunk header */
-            stream_ptr = stream_ptr_after_color_chunk;
-
            break;

        case FLI_DELTA:
@@ -249,6 +249,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
            compressed_lines = AV_RL16(&buf[stream_ptr]);
            stream_ptr += 2;
            while (compressed_lines > 0) {
+                if (stream_ptr + 2 > stream_ptr_after_chunk)
+                    break;
                line_packets = AV_RL16(&buf[stream_ptr]);
                stream_ptr += 2;
                if ((line_packets & 0xC000) == 0xC000) {
@@ -268,6 +270,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                    CHECK_PIXEL_PTR(0);
                    pixel_countdown = s->avctx->width;
                    for (i = 0; i < line_packets; i++) {
+                        if (stream_ptr + 2 > stream_ptr_after_chunk)
+                            break;
                        /* account for the skip bytes */
                        pixel_skip = buf[stream_ptr++];
                        pixel_ptr += pixel_skip;
@@ -284,6 +288,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                            }
                        } else {
                            CHECK_PIXEL_PTR(byte_run * 2);
+                            if (stream_ptr + byte_run * 2 > stream_ptr_after_chunk)
+                                break;
                            for (j = 0; j < byte_run * 2; j++, pixel_countdown--) {
                                palette_idx1 = buf[stream_ptr++];
                                pixels[pixel_ptr++] = palette_idx1;
@@ -310,6 +316,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                CHECK_PIXEL_PTR(0);
                pixel_countdown = s->avctx->width;
                line_packets = buf[stream_ptr++];
+                if (stream_ptr + 2 * line_packets > stream_ptr_after_chunk)
+                    break;
                if (line_packets > 0) {
                    for (i = 0; i < line_packets; i++) {
                        /* account for the skip bytes */
@@ -319,6 +327,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                        byte_run = (signed char)(buf[stream_ptr++]);
                        if (byte_run > 0) {
                            CHECK_PIXEL_PTR(byte_run);
+                            if (stream_ptr + byte_run > stream_ptr_after_chunk)
+                                break;
                            for (j = 0; j < byte_run; j++, pixel_countdown--) {
                                palette_idx1 = buf[stream_ptr++];
                                pixels[pixel_ptr++] = palette_idx1;
@@ -356,6 +366,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                stream_ptr++;
                pixel_countdown = s->avctx->width;
                while (pixel_countdown > 0) {
+                    if (stream_ptr + 1 > stream_ptr_after_chunk)
+                        break;
                    byte_run = (signed char)(buf[stream_ptr++]);
                    if (byte_run > 0) {
                        palette_idx1 = buf[stream_ptr++];
@@ -370,6 +382,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
                    } else {  /* copy bytes if byte_run < 0 */
                        byte_run = -byte_run;
                        CHECK_PIXEL_PTR(byte_run);
+                        if (stream_ptr + byte_run > stream_ptr_after_chunk)
+                            break;
                        for (j = 0; j < byte_run; j++) {
                            palette_idx1 = buf[stream_ptr++];
                            pixels[pixel_ptr++] = palette_idx1;
@@ -387,10 +401,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,

        case FLI_COPY:
            /* copy the chunk (uncompressed frame) */
-            if (chunk_size - 6 > s->avctx->width * s->avctx->height) {
+            if (chunk_size - 6 != s->avctx->width * s->avctx->height) {
                av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \
-                       "bigger than image, skipping chunk\n", chunk_size - 6);
-                stream_ptr += chunk_size - 6;
+                       "has incorrect size, skipping chunk\n", chunk_size - 6);
            } else {
                for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height;
                     y_ptr += s->frame.linesize[0]) {
@@ -403,7 +416,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,

        case FLI_MINI:
            /* some sort of a thumbnail? disregard this chunk... */
-            stream_ptr += chunk_size - 6;
            break;

        default:
@@ -411,6 +423,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
            break;
        }

+        stream_ptr = stream_ptr_after_chunk;
+
        frame_size -= chunk_size;
        num_chunks--;
    }
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -135,7 +135,7 @@ static int decode_frame(AVCodecContext *avctx,
    uint32_t *luma1,*luma2,*cb,*cr;
    uint32_t offs[4];
    int i, j, is_chroma, planes;
-
+    enum PixelFormat pix_fmt;

    header = AV_RL32(buf);
    version = header & 0xff;
@@ -152,12 +152,16 @@ static int decode_frame(AVCodecContext *avctx,
    if (header_size == 8)
        buf+=4;

+    pix_fmt = version & 1 ? PIX_FMT_BGR24 : PIX_FMT_YUVJ420P;
+    if (avctx->pix_fmt != pix_fmt && f->data[0]) {
+        avctx->release_buffer(avctx, f);
+    }
+    avctx->pix_fmt = pix_fmt;
+
    switch(version) {
    case 0:
    default:
        /* Fraps v0 is a reordered YUV420 */
-        avctx->pix_fmt = PIX_FMT_YUVJ420P;
-
        if ( (buf_size != avctx->width*avctx->height*3/2+header_size) &&
             (buf_size != header_size) ) {
            av_log(avctx, AV_LOG_ERROR,
@@ -205,8 +209,6 @@ static int decode_frame(AVCodecContext *avctx,

    case 1:
        /* Fraps v1 is an upside-down BGR24 */
-        avctx->pix_fmt = PIX_FMT_BGR24;
-
        if ( (buf_size != avctx->width*avctx->height*3+header_size) &&
             (buf_size != header_size) ) {
            av_log(avctx, AV_LOG_ERROR,
@@ -241,7 +243,6 @@ static int decode_frame(AVCodecContext *avctx,
         * Fraps v2 is Huffman-coded YUV420 planes
         * Fraps v4 is virtually the same
         */
-        avctx->pix_fmt = PIX_FMT_YUVJ420P;
        planes = 3;
        f->reference = 1;
        f->buffer_hints = FF_BUFFER_HINTS_VALID |
@@ -286,7 +287,6 @@ static int decode_frame(AVCodecContext *avctx,
    case 3:
    case 5:
        /* Virtually the same as version 4, but is for RGB24 */
-        avctx->pix_fmt = PIX_FMT_BGR24;
        planes = 3;
        f->reference = 1;
        f->buffer_hints = FF_BUFFER_HINTS_VALID |
--- a/libavcodec/gifdec.c
+++ b/libavcodec/gifdec.c
@@ -125,26 +125,21 @@ static int gif_read_image(GifState *s)
            case 1:
                y1 += 8;
                ptr += linesize * 8;
-                if (y1 >= height) {
-                    y1 = pass ? 2 : 4;
-                    ptr = ptr1 + linesize * y1;
-                    pass++;
-                }
                break;
            case 2:
                y1 += 4;
                ptr += linesize * 4;
-                if (y1 >= height) {
-                    y1 = 1;
-                    ptr = ptr1 + linesize;
-                    pass++;
-                }
                break;
            case 3:
                y1 += 2;
                ptr += linesize * 2;
                break;
            }
+            while (y1 >= height) {
+                y1 = 4 >> pass;
+                ptr = ptr1 + linesize * y1;
+                pass++;
+            }
        } else {
            ptr += linesize;
        }
--- a/libavcodec/golomb.h
+++ b/libavcodec/golomb.h
@@ -75,6 +75,20 @@ static inline int get_ue_golomb(GetBitContext *gb){
    }
 }

+/**
+ * Read an unsigned Exp-Golomb code in the range 0 to UINT32_MAX-1.
+ */
+static inline unsigned get_ue_golomb_long(GetBitContext *gb)
+{
+    unsigned buf, log;
+
+    buf = show_bits_long(gb, 32);
+    log = 31 - av_log2(buf);
+    skip_bits_long(gb, log);
+
+    return get_bits_long(gb, log + 1) - 1;
+}
+
 /**
 * read unsigned exp golomb code, constraint to a max of 31.
 * the return value is undefined if the stored value exceeds 31.
@@ -109,7 +123,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){
    }else{
        int ret = 1;

-        while (1) {
+        do {
            buf >>= 32 - 8;
            LAST_SKIP_BITS(re, gb, FFMIN(ff_interleaved_golomb_vlc_len[buf], 8));

@@ -121,7 +135,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){
            ret = (ret << 4) | ff_interleaved_dirac_golomb_vlc_code[buf];
            UPDATE_CACHE(re, gb);
            buf = GET_CACHE(re, gb);
-        }
+        } while (ret);

        CLOSE_READER(re, gb);
        return ret - 1;
@@ -287,7 +301,7 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int
        return buf;
    }else{
        int i;
-        for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
+        for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) {
            LAST_SKIP_BITS(re, gb, 1);
            UPDATE_CACHE(re, gb);
        }
--- a/libavcodec/h263.c
+++ b/libavcodec/h263.c
@@ -98,7 +98,7 @@ void ff_h263_update_motion_val(MpegEncContext * s){
    }
 }

-int h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr)
+int ff_h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr)
 {
    int x, y, wrap, a, c, pred_dc;
    int16_t *dc_val;
@@ -226,7 +226,7 @@ void ff_h263_loop_filter(MpegEncContext * s){
    }
 }

-void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n)
+void ff_h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n)
 {
    int x, y, wrap, a, c, pred_dc, scale, i;
    int16_t *dc_val, *ac_val, *ac_val1;
@@ -313,8 +313,8 @@ void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n)
        ac_val1[8 + i] = block[s->dsp.idct_permutation[i   ]];
 }

-int16_t *h263_pred_motion(MpegEncContext * s, int block, int dir,
-                        int *px, int *py)
+int16_t *ff_h263_pred_motion(MpegEncContext * s, int block, int dir,
+                             int *px, int *py)
 {
    int wrap;
    int16_t *A, *B, *C, (*mot_val)[2];
--- a/libavcodec/h263.h
+++ b/libavcodec/h263.h
@@ -38,16 +38,16 @@
 extern const AVRational ff_h263_pixel_aspect[16];
 extern const uint8_t ff_h263_cbpy_tab[16][2];

-extern const uint8_t cbpc_b_tab[4][2];
+extern const uint8_t ff_cbpc_b_tab[4][2];

-extern const uint8_t mvtab[33][2];
+extern const uint8_t ff_mvtab[33][2];

 extern const uint8_t ff_h263_intra_MCBPC_code[9];
 extern const uint8_t ff_h263_intra_MCBPC_bits[9];

 extern const uint8_t ff_h263_inter_MCBPC_code[28];
 extern const uint8_t ff_h263_inter_MCBPC_bits[28];
-extern const uint8_t h263_mbtype_b_tab[15][2];
+extern const uint8_t ff_h263_mbtype_b_tab[15][2];

 extern VLC ff_h263_intra_MCBPC_vlc;
 extern VLC ff_h263_inter_MCBPC_vlc;
@@ -55,41 +55,41 @@ extern VLC ff_h263_cbpy_vlc;

 extern RLTable ff_h263_rl_inter;

-extern RLTable rl_intra_aic;
+extern RLTable ff_rl_intra_aic;

-extern const uint16_t h263_format[8][2];
-extern const uint8_t modified_quant_tab[2][32];
+extern const uint16_t ff_h263_format[8][2];
+extern const uint8_t ff_modified_quant_tab[2][32];
 extern uint16_t ff_mba_max[6];
 extern uint8_t ff_mba_length[7];

 extern uint8_t ff_h263_static_rl_table_store[2][2][2*MAX_RUN + MAX_LEVEL + 3];


-int h263_decode_motion(MpegEncContext * s, int pred, int f_code);
+int ff_h263_decode_motion(MpegEncContext * s, int pred, int f_code);
 av_const int ff_h263_aspect_to_info(AVRational aspect);
 int ff_h263_decode_init(AVCodecContext *avctx);
 int ff_h263_decode_frame(AVCodecContext *avctx,
                             void *data, int *data_size,
                             AVPacket *avpkt);
 int ff_h263_decode_end(AVCodecContext *avctx);
-void h263_encode_mb(MpegEncContext *s,
-                    DCTELEM block[6][64],
-                    int motion_x, int motion_y);
-void h263_encode_picture_header(MpegEncContext *s, int picture_number);
-void h263_encode_gob_header(MpegEncContext * s, int mb_line);
-int16_t *h263_pred_motion(MpegEncContext * s, int block, int dir,
-                        int *px, int *py);
-void h263_encode_init(MpegEncContext *s);
-void h263_decode_init_vlc(MpegEncContext *s);
-int h263_decode_picture_header(MpegEncContext *s);
+void ff_h263_encode_mb(MpegEncContext *s,
+                       DCTELEM block[6][64],
+                       int motion_x, int motion_y);
+void ff_h263_encode_picture_header(MpegEncContext *s, int picture_number);
+void ff_h263_encode_gob_header(MpegEncContext * s, int mb_line);
+int16_t *ff_h263_pred_motion(MpegEncContext * s, int block, int dir,
+                             int *px, int *py);
+void ff_h263_encode_init(MpegEncContext *s);
+void ff_h263_decode_init_vlc(MpegEncContext *s);
+int ff_h263_decode_picture_header(MpegEncContext *s);
 int ff_h263_decode_gob_header(MpegEncContext *s);
 void ff_h263_update_motion_val(MpegEncContext * s);
 void ff_h263_loop_filter(MpegEncContext * s);
 int ff_h263_decode_mba(MpegEncContext *s);
 void ff_h263_encode_mba(MpegEncContext *s);
 void ff_init_qscale_tab(MpegEncContext *s);
-int h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr);
-void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n);
+int ff_h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr);
+void ff_h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n);


 /**
@@ -119,7 +119,7 @@ static inline int h263_get_motion_length(MpegEncContext * s, int val, int f_code
    int l, bit_size, code;

    if (val == 0) {
-        return mvtab[0][1];
+        return ff_mvtab[0][1];
    } else {
        bit_size = f_code - 1;
        /* modulo encoding */
@@ -128,7 +128,7 @@ static inline int h263_get_motion_length(MpegEncContext * s, int val, int f_code
        val--;
        code = (val >> bit_size) + 1;

-        return mvtab[code][1] + 1 + bit_size;
+        return ff_mvtab[code][1] + 1 + bit_size;
    }
 }

--- a/libavcodec/h263data.h
+++ b/libavcodec/h263data.h
@@ -57,7 +57,7 @@ const uint8_t ff_h263_inter_MCBPC_bits[28] = {
    11, 13, 13, 13,/* inter4Q*/
 };

-const uint8_t h263_mbtype_b_tab[15][2] = {
+const uint8_t ff_h263_mbtype_b_tab[15][2] = {
 {1, 1},
 {3, 3},
 {1, 5},
@@ -75,7 +75,7 @@ const uint8_t h263_mbtype_b_tab[15][2] = {
 {1, 8},
 };

-const uint8_t cbpc_b_tab[4][2] = {
+const uint8_t ff_cbpc_b_tab[4][2] = {
 {0, 1},
 {2, 2},
 {7, 3},
@@ -88,7 +88,7 @@ const uint8_t ff_h263_cbpy_tab[16][2] =
  {2,5}, {3,6}, {5,4}, {10,4}, {4,4}, {8,4}, {6,4}, {3,2}
 };

-const uint8_t mvtab[33][2] =
+const uint8_t ff_mvtab[33][2] =
 {
  {1,1}, {1,2}, {1,3}, {1,4}, {3,6}, {5,7}, {4,7}, {3,7},
  {11,9}, {10,9}, {9,9}, {17,10}, {16,10}, {15,10}, {14,10}, {13,10},
@@ -98,7 +98,7 @@ const uint8_t mvtab[33][2] =
 };

 /* third non intra table */
-const uint16_t inter_vlc[103][2] = {
+const uint16_t ff_inter_vlc[103][2] = {
 { 0x2, 2 },{ 0xf, 4 },{ 0x15, 6 },{ 0x17, 7 },
 { 0x1f, 8 },{ 0x25, 9 },{ 0x24, 9 },{ 0x21, 10 },
 { 0x20, 10 },{ 0x7, 11 },{ 0x6, 11 },{ 0x20, 11 },
@@ -127,7 +127,7 @@ const uint16_t inter_vlc[103][2] = {
 { 0x5e, 12 },{ 0x5f, 12 },{ 0x3, 7 },
 };

-const int8_t inter_level[102] = {
+const int8_t ff_inter_level[102] = {
  1,  2,  3,  4,  5,  6,  7,  8,
  9, 10, 11, 12,  1,  2,  3,  4,
  5,  6,  1,  2,  3,  4,  1,  2,
@@ -143,7 +143,7 @@ const int8_t inter_level[102] = {
  1,  1,  1,  1,  1,  1,
 };

-const int8_t inter_run[102] = {
+const int8_t ff_inter_run[102] = {
  0,  0,  0,  0,  0,  0,  0,  0,
  0,  0,  0,  0,  1,  1,  1,  1,
  1,  1,  2,  2,  2,  2,  3,  3,
@@ -162,9 +162,9 @@ const int8_t inter_run[102] = {
 RLTable ff_h263_rl_inter = {
    102,
    58,
-    inter_vlc,
-    inter_run,
-    inter_level,
+    ff_inter_vlc,
+    ff_inter_run,
+    ff_inter_level,
 };

 static const uint16_t intra_vlc_aic[103][2] = {
@@ -228,7 +228,7 @@ static const int8_t intra_level_aic[102] = {
 1,  1,  1,  1,  1,  1,
 };

-RLTable rl_intra_aic = {
+RLTable ff_rl_intra_aic = {
    102,
    58,
    intra_vlc_aic,
@@ -236,7 +236,7 @@ RLTable rl_intra_aic = {
    intra_level_aic,
 };

-const uint16_t h263_format[8][2] = {
+const uint16_t ff_h263_format[8][2] = {
    { 0, 0 },
    { 128, 96 },
    { 176, 144 },
@@ -250,7 +250,7 @@ const uint8_t ff_aic_dc_scale_table[32]={
    0, 2, 4, 6, 8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62
 };

-const uint8_t modified_quant_tab[2][32]={
+const uint8_t ff_modified_quant_tab[2][32]={
 //  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
 {
    0, 3, 1, 2, 3, 4, 5, 6, 7, 8, 9, 9,10,11,12,13,14,15,16,17,18,18,19,20,21,22,23,24,25,26,27,28
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -111,7 +111,7 @@ av_cold int ff_h263_decode_init(AVCodecContext *avctx)
        if (MPV_common_init(s) < 0)
            return -1;

-        h263_decode_init_vlc(s);
+        ff_h263_decode_init_vlc(s);

    return 0;
 }
@@ -429,7 +429,7 @@ retry:
    } else if (CONFIG_FLV_DECODER && s->h263_flv) {
        ret = ff_flv_decode_picture_header(s);
    } else {
-        ret = h263_decode_picture_header(s);
+        ret = ff_h263_decode_picture_header(s);
    }

    if(ret==FRAME_SKIPPED) return get_consumed_bytes(s, buf_size);
@@ -438,6 +438,13 @@ retry:
    if (ret < 0){
        av_log(s->avctx, AV_LOG_ERROR, "header damaged\n");
        return -1;
+    } else if ((s->width  != avctx->coded_width  ||
+                s->height != avctx->coded_height ||
+                (s->width  + 15) >> 4 != s->mb_width ||
+                (s->height + 15) >> 4 != s->mb_height) &&
+               (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))) {
+        av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+        return AVERROR_PATCHWELCOME;   // width / height changed during parallelized decoding
    }

    avctx->has_b_frames= !s->low_delay;
@@ -564,8 +571,7 @@ retry:
 #if HAVE_MMX
    if (s->codec_id == CODEC_ID_MPEG4 && s->xvid_build>=0 && avctx->idct_algo == FF_IDCT_AUTO && (av_get_cpu_flags() & AV_CPU_FLAG_MMX)) {
        avctx->idct_algo= FF_IDCT_XVIDMMX;
-        avctx->coded_width= 0; // force reinit
-//        dsputil_init(&s->dsp, avctx);
+        ff_dct_common_init(s);
        s->picture_number=0;
    }
 #endif
@@ -579,6 +585,12 @@ retry:
        || s->height != avctx->coded_height) {
        /* H.263 could change picture size any time */
        ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
+
+        if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
+            av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+            return -1;   // width / height changed during parallelized decoding
+        }
+
        s->parse_context.buffer=0;
        MPV_common_end(s);
        s->parse_context= pc;
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -106,12 +106,12 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){
    }

    return 0;
-} //FIXME cleanup like ff_h264_check_intra_pred_mode
+} //FIXME cleanup like check_intra_pred_mode

 /**
 * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
 */
-int ff_h264_check_intra_pred_mode(H264Context *h, int mode){
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
    MpegEncContext * const s = &h->s;
    static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
    static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
@@ -131,7 +131,7 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode){

    if((h->left_samples_available&0x8080) != 0x8080){
        mode= left[ mode ];
-        if(h->left_samples_available&0x8080){ //mad cow disease mode, aka MBAFF + constrained_intra_pred
+        if(is_chroma && (h->left_samples_available&0x8080)){ //mad cow disease mode, aka MBAFF + constrained_intra_pred
            mode= ALZHEIMER_DC_L0T_PRED8x8 + (!(h->left_samples_available&0x8000)) + 2*(mode == DC_128_PRED8x8);
        }
        if(mode<0){
@@ -183,20 +183,28 @@ const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_l
        i-= RS;
    }

-    if(i>=length-1){ //no escaped 0
-        *dst_length= length;
-        *consumed= length+1; //+1 for the header
-        return src;
-    }
-
    bufidx = h->nal_unit_type == NAL_DPC ? 1 : 0; // use second escape buffer for inter data
-    av_fast_malloc(&h->rbsp_buffer[bufidx], &h->rbsp_buffer_size[bufidx], length+FF_INPUT_BUFFER_PADDING_SIZE);
+    si=h->rbsp_buffer_size[bufidx];
+    av_fast_malloc(&h->rbsp_buffer[bufidx], &h->rbsp_buffer_size[bufidx], length+FF_INPUT_BUFFER_PADDING_SIZE+MAX_MBPAIR_SIZE);
    dst= h->rbsp_buffer[bufidx];
+    if(si != h->rbsp_buffer_size[bufidx])
+        memset(dst + length, 0, FF_INPUT_BUFFER_PADDING_SIZE+MAX_MBPAIR_SIZE);

    if (dst == NULL){
        return NULL;
    }

+    if(i>=length-1){ //no escaped 0
+        *dst_length= length;
+        *consumed= length+1; //+1 for the header
+        if(h->s.avctx->flags2 & CODEC_FLAG2_FAST){
+            return src;
+        }else{
+            memcpy(dst, src, length);
+            return dst;
+        }
+    }
+
 //printf("decoding esc\n");
    memcpy(dst, src, i);
    si=di=i;
@@ -997,8 +1005,12 @@ static av_cold void common_init(H264Context *h){
    s->height = s->avctx->height;
    s->codec_id= s->avctx->codec->id;

-    ff_h264dsp_init(&h->h264dsp, 8);
-    ff_h264_pred_init(&h->hpc, s->codec_id, 8);
+    s->avctx->bits_per_raw_sample = 8;
+
+    ff_h264dsp_init(&h->h264dsp,
+                    s->avctx->bits_per_raw_sample);
+    ff_h264_pred_init(&h->hpc, s->codec_id,
+                      s->avctx->bits_per_raw_sample);

    h->dequant_coeff_pps= -1;
    s->unrestricted_mv=1;
@@ -1010,17 +1022,20 @@ static av_cold void common_init(H264Context *h){
    memset(h->pps.scaling_matrix8, 16, 2*64*sizeof(uint8_t));
 }

-int ff_h264_decode_extradata(H264Context *h)
+int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size)
 {
    AVCodecContext *avctx = h->s.avctx;

-    if(avctx->extradata[0] == 1){
+    if(!buf || size <= 0)
+        return -1;
+
+    if(buf[0] == 1){
        int i, cnt, nalsize;
-        unsigned char *p = avctx->extradata;
+        const unsigned char *p = buf;

        h->is_avc = 1;

-        if(avctx->extradata_size < 7) {
+        if(size < 7) {
            av_log(avctx, AV_LOG_ERROR, "avcC too short\n");
            return -1;
        }
@@ -1032,6 +1047,8 @@ int ff_h264_decode_extradata(H264Context *h)
        p += 6;
        for (i = 0; i < cnt; i++) {
            nalsize = AV_RB16(p) + 2;
+            if(nalsize > size - (p-buf))
+                return -1;
            if(decode_nal_units(h, p, nalsize) < 0) {
                av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i);
                return -1;
@@ -1042,6 +1059,8 @@ int ff_h264_decode_extradata(H264Context *h)
        cnt = *(p++); // Number of pps
        for (i = 0; i < cnt; i++) {
            nalsize = AV_RB16(p) + 2;
+            if(nalsize > size - (p-buf))
+                return -1;
            if (decode_nal_units(h, p, nalsize) < 0) {
                av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i);
                return -1;
@@ -1049,10 +1068,10 @@ int ff_h264_decode_extradata(H264Context *h)
            p += nalsize;
        }
        // Now store right nal length size, that will be use to parse all other nals
-        h->nal_length_size = (avctx->extradata[4] & 0x03) + 1;
+        h->nal_length_size = (buf[4] & 0x03) + 1;
    } else {
        h->is_avc = 0;
-        if(decode_nal_units(h, avctx->extradata, avctx->extradata_size) < 0)
+        if(decode_nal_units(h, buf, size) < 0)
            return -1;
    }
    return 0;
@@ -1096,7 +1115,7 @@ av_cold int ff_h264_decode_init(AVCodecContext *avctx){
    }

    if(avctx->extradata_size > 0 && avctx->extradata &&
-        ff_h264_decode_extradata(h))
+        ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size))
        return -1;

    if(h->sps.bitstream_restriction_flag && s->avctx->has_b_frames < h->sps.num_reorder_frames){
@@ -1165,7 +1184,10 @@ static int decode_update_thread_context(AVCodecContext *dst, const AVCodecContex
        memcpy(&h->s + 1, &h1->s + 1, sizeof(H264Context) - sizeof(MpegEncContext)); //copy all fields after MpegEnc
        memset(h->sps_buffers, 0, sizeof(h->sps_buffers));
        memset(h->pps_buffers, 0, sizeof(h->pps_buffers));
-        ff_h264_alloc_tables(h);
+        if (ff_h264_alloc_tables(h) < 0) {
+            av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n");
+            return AVERROR(ENOMEM);
+        }
        context_init(h);

        for(i=0; i<2; i++){
@@ -1403,7 +1425,7 @@ static void decode_postinit(H264Context *h, int setup_finished){
    pics = 0;
    while(h->delayed_pic[pics]) pics++;

-    assert(pics <= MAX_DELAYED_PIC_COUNT);
+    av_assert0(pics <= MAX_DELAYED_PIC_COUNT);

    h->delayed_pic[pics++] = cur;
    if(cur->reference == 0)
@@ -1848,15 +1870,30 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i
                    tmp_y[j] = get_bits(&gb, bit_depth);
            }
            if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){
-                for (i = 0; i < 8; i++) {
-                    uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize);
-                    for (j = 0; j < 8; j++)
-                        tmp_cb[j] = get_bits(&gb, bit_depth);
-                }
-                for (i = 0; i < 8; i++) {
-                    uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize);
-                    for (j = 0; j < 8; j++)
-                        tmp_cr[j] = get_bits(&gb, bit_depth);
+                if (!h->sps.chroma_format_idc) {
+                    for (i = 0; i < 8; i++) {
+                        uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize);
+                        for (j = 0; j < 8; j++) {
+                            tmp_cb[j] = 1 << (bit_depth - 1);
+                        }
+                    }
+                    for (i = 0; i < 8; i++) {
+                        uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize);
+                        for (j = 0; j < 8; j++) {
+                            tmp_cr[j] = 1 << (bit_depth - 1);
+                        }
+                    }
+                } else {
+                    for (i = 0; i < 8; i++) {
+                        uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize);
+                        for (j = 0; j < 8; j++)
+                            tmp_cb[j] = get_bits(&gb, bit_depth);
+                    }
+                    for (i = 0; i < 8; i++) {
+                        uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize);
+                        for (j = 0; j < 8; j++)
+                            tmp_cr[j] = get_bits(&gb, bit_depth);
+                    }
                }
            }
        } else {
@@ -1864,9 +1901,16 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i
                memcpy(dest_y + i*  linesize, h->mb       + i*8, 16);
            }
            if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){
-                for (i=0; i<8; i++) {
-                    memcpy(dest_cb+ i*uvlinesize, h->mb + 128 + i*4,  8);
-                    memcpy(dest_cr+ i*uvlinesize, h->mb + 160 + i*4,  8);
+                if (!h->sps.chroma_format_idc) {
+                    for (i = 0; i < 8; i++) {
+                        memset(dest_cb + i*uvlinesize, 128, 8);
+                        memset(dest_cr + i*uvlinesize, 128, 8);
+                    }
+                } else {
+                    for (i = 0; i < 8; i++) {
+                        memcpy(dest_cb + i*uvlinesize, h->mb + 128 + i*4,  8);
+                        memcpy(dest_cr + i*uvlinesize, h->mb + 160 + i*4,  8);
+                    }
                }
            }
        }
@@ -2173,7 +2217,11 @@ static void implicit_weight_table(H264Context *h, int field){
    }

    if(field < 0){
-        cur_poc = s->current_picture_ptr->poc;
+        if (s->picture_structure == PICT_FRAME) {
+            cur_poc = s->current_picture_ptr->poc;
+        } else {
+            cur_poc = s->current_picture_ptr->field_poc[s->picture_structure - 1];
+        }
    if(   h->ref_count[0] == 1 && h->ref_count[1] == 1 && !FRAME_MBAFF
       && h->ref_list[0][0].poc + h->ref_list[1][0].poc == 2*cur_poc){
        h->use_weight= 0;
@@ -2198,15 +2246,17 @@ static void implicit_weight_table(H264Context *h, int field){
    for(ref0=ref_start; ref0 < ref_count0; ref0++){
        int poc0 = h->ref_list[0][ref0].poc;
        for(ref1=ref_start; ref1 < ref_count1; ref1++){
-            int poc1 = h->ref_list[1][ref1].poc;
-            int td = av_clip(poc1 - poc0, -128, 127);
-            int w= 32;
-            if(td){
-                int tb = av_clip(cur_poc - poc0, -128, 127);
-                int tx = (16384 + (FFABS(td) >> 1)) / td;
-                int dist_scale_factor = (tb*tx + 32) >> 8;
-                if(dist_scale_factor >= -64 && dist_scale_factor <= 128)
-                    w = 64 - dist_scale_factor;
+            int w = 32;
+            if (!h->ref_list[0][ref0].long_ref && !h->ref_list[1][ref1].long_ref) {
+                int poc1 = h->ref_list[1][ref1].poc;
+                int td = av_clip(poc1 - poc0, -128, 127);
+                if(td){
+                    int tb = av_clip(cur_poc - poc0, -128, 127);
+                    int tx = (16384 + (FFABS(td) >> 1)) / td;
+                    int dist_scale_factor = (tb*tx + 32) >> 8;
+                    if(dist_scale_factor >= -64 && dist_scale_factor <= 128)
+                        w = 64 - dist_scale_factor;
+                }
            }
            if(field<0){
                h->implicit_weight[ref0][ref1][0]=
@@ -2233,7 +2283,7 @@ static void idr(H264Context *h){
 static void flush_dpb(AVCodecContext *avctx){
    H264Context *h= avctx->priv_data;
    int i;
-    for(i=0; i<MAX_DELAYED_PIC_COUNT; i++) {
+    for(i=0; i<=MAX_DELAYED_PIC_COUNT; i++) {
        if(h->delayed_pic[i])
            h->delayed_pic[i]->reference= 0;
        h->delayed_pic[i]= NULL;
@@ -2567,16 +2617,23 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    else
        s->height= 16*s->mb_height - (4>>CHROMA444)*FFMIN(h->sps.crop_bottom, (8<<CHROMA444)-1);

+    if (FFALIGN(s->avctx->width,  16) == s->width &&
+        FFALIGN(s->avctx->height, 16) == s->height) {
+        s->width  = s->avctx->width;
+        s->height = s->avctx->height;
+    }
+
    if (s->context_initialized
        && (   s->width != s->avctx->width || s->height != s->avctx->height
            || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) {
-        if(h != h0) {
+        if(h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) {
            av_log_missing_feature(s->avctx, "Width/height changing with threads is", 0);
-            return -1;   // width / height changed during parallelized decoding
+            return AVERROR_PATCHWELCOME;   // width / height changed during parallelized decoding
        }
        free_tables(h, 0);
        flush_dpb(s->avctx);
        MPV_common_end(s);
+        h->list_count = 0;
    }
    if (!s->context_initialized) {
        if (h != h0) {
@@ -2638,7 +2695,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
        h->prev_interlaced_frame = 1;

        init_scan_tables(h);
-        ff_h264_alloc_tables(h);
+        if (ff_h264_alloc_tables(h) < 0) {
+            av_log(h->s.avctx, AV_LOG_ERROR, "Could not allocate memory for h264\n");
+            return AVERROR(ENOMEM);
+        }

        if (!HAVE_THREADS || !(s->avctx->active_thread_type&FF_THREAD_SLICE)) {
            if (context_init(h) < 0) {
@@ -2746,11 +2806,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
                s0->first_field = FIELD_PICTURE;

            } else {
-                if (h->nal_ref_idc &&
-                        s0->current_picture_ptr->reference &&
-                        s0->current_picture_ptr->frame_num != h->frame_num) {
+                if (s0->current_picture_ptr->frame_num != h->frame_num) {
                    /*
-                     * This and previous field were reference, but had
+                     * This and previous field had
                     * different frame_nums. Consider this field first in
                     * pair. Throw away previous field except for reference
                     * purposes.
@@ -2834,6 +2892,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    h->ref_count[1]= h->pps.ref_count[1];

    if(h->slice_type_nos != AV_PICTURE_TYPE_I){
+        unsigned max= s->picture_structure == PICT_FRAME ? 15 : 31;
+
        if(h->slice_type_nos == AV_PICTURE_TYPE_B){
            h->direct_spatial_mv_pred= get_bits1(&s->gb);
        }
@@ -2841,28 +2901,36 @@ static int decode_slice_header(H264Context *h, H264Context *h0){

        if(num_ref_idx_active_override_flag){
            h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
-            if(h->slice_type_nos==AV_PICTURE_TYPE_B)
+            if (h->ref_count[0] < 1)
+                return AVERROR_INVALIDDATA;
+            if (h->slice_type_nos == AV_PICTURE_TYPE_B) {
                h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
-
-            if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){
-                av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
-                h->ref_count[0]= h->ref_count[1]= 1;
-                return -1;
+                if (h->ref_count[1] < 1)
+                    return AVERROR_INVALIDDATA;
            }
        }
+
+        if (h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
+            av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
+            h->ref_count[0] = h->ref_count[1] = 1;
+            return AVERROR_INVALIDDATA;
+        }
+
        if(h->slice_type_nos == AV_PICTURE_TYPE_B)
            h->list_count= 2;
        else
            h->list_count= 1;
    }else
-        h->list_count= 0;
+        h->ref_count[1]= h->ref_count[0]= h->list_count= 0;

    if(!default_ref_list_done){
        ff_h264_fill_default_ref_list(h);
    }

-    if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0)
+    if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0) {
+        h->ref_count[1]= h->ref_count[0]= 0;
        return -1;
+    }

    if(h->slice_type_nos!=AV_PICTURE_TYPE_I){
        s->last_picture_ptr= &h->ref_list[0][0];
@@ -3488,7 +3556,9 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg){

                        return 0;
                    }else{
-                        ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, (AC_END|DC_END|MV_END)&part_mask);
+                        ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y,
+                                        s->mb_x - 1, s->mb_y,
+                                        (AC_END|DC_END|MV_END)&part_mask);

                        return -1;
                    }
@@ -3650,7 +3720,11 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
                    break;
            }

-            if(buf_index+3 >= buf_size) break;
+
+            if (buf_index + 3 >= buf_size) {
+                buf_index = buf_size;
+                break;
+            }

            buf_index+=3;
            if(buf_index >= next_avc) continue;
@@ -3668,7 +3742,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
            s->workaround_bugs |= FF_BUG_TRUNCATED;

        if(!(s->workaround_bugs & FF_BUG_TRUNCATED)){
-        while(ptr[dst_length - 1] == 0 && dst_length > 0)
+        while(dst_length > 0 && ptr[dst_length - 1] == 0)
            dst_length--;
        }
        bit_length= !dst_length ? 0 : (8*dst_length - ff_h264_decode_rbsp_trailing(h, ptr + dst_length - 1));
@@ -3691,9 +3765,13 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
            switch (hx->nal_unit_type) {
                case NAL_SPS:
                case NAL_PPS:
+                    nals_needed = nal_index;
+                    break;
                case NAL_IDR_SLICE:
                case NAL_SLICE:
-                    nals_needed = nal_index;
+                    init_get_bits(&hx->s.gb, ptr, bit_length);
+                    if (!get_ue_golomb(&hx->s.gb))
+                        nals_needed = nal_index;
            }
            continue;
        }
@@ -3779,6 +3857,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
            hx->inter_gb_ptr= &hx->inter_gb;

            if(hx->redundant_pic_count==0 && hx->intra_gb_ptr && hx->s.data_partitioning
+               && s->current_picture_ptr
               && s->context_initialized
 #if FF_API_HURRY_UP
               && s->hurry_up < 5
@@ -3797,13 +3876,26 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
            init_get_bits(&s->gb, ptr, bit_length);
            ff_h264_decode_seq_parameter_set(h);

-            if (s->flags& CODEC_FLAG_LOW_DELAY ||
-                (h->sps.bitstream_restriction_flag && !h->sps.num_reorder_frames))
-                s->low_delay=1;
+            if (s->flags & CODEC_FLAG_LOW_DELAY ||
+                (h->sps.bitstream_restriction_flag &&
+                 !h->sps.num_reorder_frames)) {
+                if (s->avctx->has_b_frames > 1 || h->delayed_pic[0])
+                    av_log(avctx, AV_LOG_WARNING, "Delayed frames seen "
+                           "reenabling low delay requires a codec "
+                           "flush.\n");
+                else
+                    s->low_delay = 1;
+            }

            if(avctx->has_b_frames < 2)
                avctx->has_b_frames= !s->low_delay;

+            if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) {
+                av_log_missing_feature(s->avctx,
+                    "Different bit depth between chroma and luma", 1);
+                return AVERROR_PATCHWELCOME;
+            }
+
            if (avctx->bits_per_raw_sample != h->sps.bit_depth_luma) {
                if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) {
                    avctx->bits_per_raw_sample = h->sps.bit_depth_luma;
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -53,6 +53,8 @@

 #define MAX_DELAYED_PIC_COUNT 16

+#define MAX_MBPAIR_SIZE (256*1024) // a tighter bound could be calculated if someone cares about a few bytes
+
 /* Compiling in interlaced support reduces the speed
 * of progressive decoding by about 2%. */
 #define ALLOW_INTERLACE
@@ -99,7 +101,7 @@
 */
 #define DELAYED_PIC_REF 4

-#define QP_MAX_NUM (51 + 2*6)           // The maximum supported qp
+#define QP_MAX_NUM (51 + 4*6)           // The maximum supported qp

 /* NAL unit types */
 enum {
@@ -225,7 +227,7 @@ typedef struct PPS{
    int transform_8x8_mode;     ///< transform_8x8_mode_flag
    uint8_t scaling_matrix4[6][16];
    uint8_t scaling_matrix8[6][64];
-    uint8_t chroma_qp_table[2][64];  ///< pre-scaled (with chroma_qp_index_offset) version of qp_table
+    uint8_t chroma_qp_table[2][QP_MAX_NUM+1];  ///< pre-scaled (with chroma_qp_index_offset) version of qp_table
    int chroma_qp_diff;
 }PPS;

@@ -582,7 +584,7 @@ typedef struct H264Context{
 }H264Context;


-extern const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1]; ///< One chroma qp table for each supported bit depth (8, 9, 10).
+extern const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1]; ///< One chroma qp table for each possible bit depth (8-12).

 /**
 * Decode SEI
@@ -656,12 +658,12 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h);
 /**
 * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
 */
-int ff_h264_check_intra_pred_mode(H264Context *h, int mode);
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma);

 void ff_h264_write_back_intra_pred_mode(H264Context *h);
 void ff_h264_hl_decode_mb(H264Context *h);
 int ff_h264_frame_start(H264Context *h);
-int ff_h264_decode_extradata(H264Context *h);
+int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size);
 av_cold int ff_h264_decode_init(AVCodecContext *avctx);
 av_cold int ff_h264_decode_end(AVCodecContext *avctx);
 av_cold void ff_h264_decode_init_vlc(void);
@@ -1068,7 +1070,7 @@ static void fill_decode_caches(H264Context *h, int mb_type){
                AV_ZERO32(h->mv_cache [list][scan8[0] + 4 - 1*8]);
                h->ref_cache[list][scan8[0] + 4 - 1*8]= topright_type ? LIST_NOT_USED : PART_NOT_AVAILABLE;
            }
-            if(h->ref_cache[list][scan8[0] + 4 - 1*8] < 0){
+            if(h->ref_cache[list][scan8[0] + 2 - 1*8] < 0 || h->ref_cache[list][scan8[0] + 4 - 1*8] < 0){
                if(USES_LIST(topleft_type, list)){
                    const int b_xy = h->mb2b_xy [topleft_xy] + 3 + h->b_stride + (h->topleft_partition & 2*h->b_stride);
                    const int b8_xy= 4*topleft_xy + 1 + (h->topleft_partition & 2);
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1701,7 +1701,7 @@ static av_always_inline void decode_cabac_residual_internal( H264Context *h, DCT
 \
            if( coeff_abs >= 15 ) { \
                int j = 0; \
-                while( get_cabac_bypass( CC ) ) { \
+                while(get_cabac_bypass( CC ) && j<30) { \
                    j++; \
                } \
 \
@@ -1959,6 +1959,8 @@ decode_intra_mb:
        }

        // The pixels are stored in the same order as levels in h->mb array.
+        if ((int) (h->cabac.bytestream_end - ptr) < mb_size)
+            return -1;
        memcpy(h->mb, ptr, mb_size); ptr+=mb_size;

        ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr);
@@ -2003,14 +2005,14 @@ decode_intra_mb:
            ff_h264_write_back_intra_pred_mode(h);
            if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1;
        } else {
-            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode );
+            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode, 0 );
            if( h->intra16x16_pred_mode < 0 ) return -1;
        }
        if(decode_chroma){
            h->chroma_pred_mode_table[mb_xy] =
            pred_mode                        = decode_cabac_mb_chroma_pre_mode( h );

-            pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode );
+            pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode, 1 );
            if( pred_mode < 0 ) return -1;
            h->chroma_pred_mode= pred_mode;
        } else {
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -238,17 +238,18 @@ static inline int pred_non_zero_count(H264Context *h, int n){
 }

 static av_cold void init_cavlc_level_tab(void){
-    int suffix_length, mask;
+    int suffix_length;
    unsigned int i;

    for(suffix_length=0; suffix_length<7; suffix_length++){
        for(i=0; i<(1<<LEVEL_TAB_BITS); i++){
            int prefix= LEVEL_TAB_BITS - av_log2(2*i);
-            int level_code= (prefix<<suffix_length) + (i>>(LEVEL_TAB_BITS-prefix-1-suffix_length)) - (1<<suffix_length);

-            mask= -(level_code&1);
-            level_code= (((2+level_code)>>1) ^ mask) - mask;
            if(prefix + 1 + suffix_length <= LEVEL_TAB_BITS){
+                int level_code = (prefix << suffix_length) +
+                    (i >> (av_log2(i) - suffix_length)) - (1 << suffix_length);
+                int mask = -(level_code&1);
+                level_code = (((2 + level_code) >> 1) ^ mask) - mask;
                cavlc_level_tab[suffix_length][i][0]= level_code;
                cavlc_level_tab[suffix_length][i][1]= prefix + 1 + suffix_length;
            }else if(prefix + 1 <= LEVEL_TAB_BITS){
@@ -620,7 +621,7 @@ int ff_h264_decode_mb_cavlc(H264Context *h){
                down the code */
    if(h->slice_type_nos != AV_PICTURE_TYPE_I){
        if(s->mb_skip_run==-1)
-            s->mb_skip_run= get_ue_golomb(&s->gb);
+            s->mb_skip_run= get_ue_golomb_long(&s->gb);

        if (s->mb_skip_run--) {
            if(FRAME_MBAFF && (s->mb_y&1) == 0){
@@ -735,12 +736,12 @@ decode_intra_mb:
            if( ff_h264_check_intra4x4_pred_mode(h) < 0)
                return -1;
        }else{
-            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode);
+            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode, 0);
            if(h->intra16x16_pred_mode < 0)
                return -1;
        }
        if(decode_chroma){
-            pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb));
+            pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb), 1);
            if(pred_mode < 0)
                return -1;
            h->chroma_pred_mode= pred_mode;
--- a/libavcodec/h264_direct.c
+++ b/libavcodec/h264_direct.c
@@ -89,7 +89,8 @@ static void fill_colmap(H264Context *h, int map[2][16+32], int list, int field,
            for(j=start; j<end; j++){
                if(4*h->ref_list[0][j].frame_num + (h->ref_list[0][j].reference&3) == poc){
                    int cur_ref= mbafi ? (j-16)^field : j;
-                    map[list][2*old_ref + (rfield^field) + 16] = cur_ref;
+                    if(ref1->mbaff)
+                        map[list][2*old_ref + (rfield^field) + 16] = cur_ref;
                    if(rfield == field || !interl)
                        map[list][old_ref] = cur_ref;
                    break;
@@ -252,6 +253,10 @@ static void pred_spatial_direct_motion(H264Context * const h, int *mb_type){
            mb_type_col[1] = h->ref_list[1][0].mb_type[mb_xy + s->mb_stride];
            b8_stride = 2+4*s->mb_stride;
            b4_stride *= 6;
+            if(IS_INTERLACED(mb_type_col[0]) != IS_INTERLACED(mb_type_col[1])){
+                mb_type_col[0] &= ~MB_TYPE_INTERLACED;
+                mb_type_col[1] &= ~MB_TYPE_INTERLACED;
+            }

            sub_mb_type |= MB_TYPE_16x16|MB_TYPE_DIRECT2; /* B_SUB_8x8 */
            if(    (mb_type_col[0] & MB_TYPE_16x16_OR_INTRA)
--- a/libavcodec/h264_parser.c
+++ b/libavcodec/h264_parser.c
@@ -251,7 +251,13 @@ static int h264_parse(AVCodecParserContext *s,
        h->got_first = 1;
        if (avctx->extradata_size) {
            h->s.avctx = avctx;
-            ff_h264_decode_extradata(h);
+            // must be done like in decoder, otherwise opening the parser,
+            // letting it create extradata and then closing and opening again
+            // will cause has_b_frames to be always set.
+            // Note that estimate_timings_from_pts does exactly this.
+            if (!avctx->has_b_frames)
+                h->s.low_delay = 1;
+            ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size);
        }
    }

--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -37,6 +37,9 @@
 //#undef NDEBUG
 #include <assert.h>

+#define MAX_LOG2_MAX_FRAME_NUM    (12 + 4)
+#define MIN_LOG2_MAX_FRAME_NUM    4
+
 static const AVRational pixel_aspect[17]={
 {0, 1},
 {1, 1},
@@ -70,7 +73,7 @@ static const AVRational pixel_aspect[17]={
    QP(37,d), QP(37,d), QP(37,d), QP(38,d), QP(38,d), QP(38,d),\
    QP(39,d), QP(39,d), QP(39,d), QP(39,d)

-const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1] = {
+const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1] = {
    {
        CHROMA_QP_TABLE_END(8)
    },
@@ -83,6 +86,19 @@ const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1] = {
        6, 7, 8, 9, 10, 11,
        CHROMA_QP_TABLE_END(10)
    },
+    {
+        0,  1, 2, 3,  4,  5,
+        6,  7, 8, 9, 10, 11,
+        12,13,14,15, 16, 17,
+        CHROMA_QP_TABLE_END(11)
+    },
+    {
+        0,  1, 2, 3,  4,  5,
+        6,  7, 8, 9, 10, 11,
+        12,13,14,15, 16, 17,
+        18,19,20,21, 22, 23,
+        CHROMA_QP_TABLE_END(12)
+    },
 };

 static const uint8_t default_scaling4[2][16]={
@@ -130,8 +146,8 @@ static inline int decode_hrd_parameters(H264Context *h, SPS *sps){
    get_bits(&s->gb, 4); /* bit_rate_scale */
    get_bits(&s->gb, 4); /* cpb_size_scale */
    for(i=0; i<cpb_count; i++){
-        get_ue_golomb(&s->gb); /* bit_rate_value_minus1 */
-        get_ue_golomb(&s->gb); /* cpb_size_value_minus1 */
+        get_ue_golomb_long(&s->gb); /* bit_rate_value_minus1 */
+        get_ue_golomb_long(&s->gb); /* cpb_size_value_minus1 */
        get_bits1(&s->gb);     /* cbr_flag */
    }
    sps->initial_cpb_removal_delay_length = get_bits(&s->gb, 5) + 1;
@@ -298,7 +314,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
    MpegEncContext * const s = &h->s;
    int profile_idc, level_idc, constraint_set_flags = 0;
    unsigned int sps_id;
-    int i;
+    int i, log2_max_frame_num_minus4;
    SPS *sps;

    profile_idc= get_bits(&s->gb, 8);
@@ -327,12 +343,27 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
    memset(sps->scaling_matrix8, 16, sizeof(sps->scaling_matrix8));
    sps->scaling_matrix_present = 0;

-    if(sps->profile_idc >= 100){ //high profile
+    if (sps->profile_idc == 100 || sps->profile_idc == 110 ||
+        sps->profile_idc == 122 || sps->profile_idc == 244 ||
+        sps->profile_idc ==  44 || sps->profile_idc ==  83 ||
+        sps->profile_idc ==  86 || sps->profile_idc == 118 ||
+        sps->profile_idc == 128 || sps->profile_idc == 144) {
        sps->chroma_format_idc= get_ue_golomb_31(&s->gb);
-        if(sps->chroma_format_idc == 3)
+        if (sps->chroma_format_idc > 3U) {
+            av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc %d is illegal\n", sps->chroma_format_idc);
+            goto fail;
+        } else if(sps->chroma_format_idc == 3) {
            sps->residual_color_transform_flag = get_bits1(&s->gb);
+        }
        sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
        sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
+        if (sps->bit_depth_luma   < 8 || sps->bit_depth_luma   > 12 ||
+            sps->bit_depth_chroma < 8 || sps->bit_depth_chroma > 12 ||
+            sps->bit_depth_luma != sps->bit_depth_chroma) {
+            av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n",
+                   sps->bit_depth_luma, sps->bit_depth_chroma);
+            goto fail;
+        }
        sps->transform_bypass = get_bits1(&s->gb);
        decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8);
    }else{
@@ -341,7 +372,16 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
        sps->bit_depth_chroma = 8;
    }

-    sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4;
+    log2_max_frame_num_minus4 = get_ue_golomb(&s->gb);
+    if (log2_max_frame_num_minus4 < MIN_LOG2_MAX_FRAME_NUM - 4 ||
+        log2_max_frame_num_minus4 > MAX_LOG2_MAX_FRAME_NUM - 4) {
+        av_log(h->s.avctx, AV_LOG_ERROR,
+               "log2_max_frame_num_minus4 out of range (0-12): %d\n",
+               log2_max_frame_num_minus4);
+        return AVERROR_INVALIDDATA;
+    }
+    sps->log2_max_frame_num = log2_max_frame_num_minus4 + 4;
+
    sps->poc_type= get_ue_golomb_31(&s->gb);

    if(sps->poc_type == 0){ //FIXME #define
@@ -365,7 +405,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
    }

    sps->ref_frame_count= get_ue_golomb_31(&s->gb);
-    if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count >= 32U){
+    if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count > 16U){
        av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n");
        goto fail;
    }
@@ -463,10 +503,14 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
    unsigned int pps_id= get_ue_golomb(&s->gb);
    PPS *pps;
    const int qp_bd_offset = 6*(h->sps.bit_depth_luma-8);
+    int bits_left;

    if(pps_id >= MAX_PPS_COUNT) {
        av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id);
        return -1;
+    } else if (h->sps.bit_depth_luma > 10) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma);
+        return AVERROR_PATCHWELCOME;
    }

    pps= av_mallocz(sizeof(PPS));
@@ -539,7 +583,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
    memcpy(pps->scaling_matrix4, h->sps_buffers[pps->sps_id]->scaling_matrix4, sizeof(pps->scaling_matrix4));
    memcpy(pps->scaling_matrix8, h->sps_buffers[pps->sps_id]->scaling_matrix8, sizeof(pps->scaling_matrix8));

-    if(get_bits_count(&s->gb) < bit_length){
+    bits_left = bit_length - get_bits_count(&s->gb);
+    if (bits_left && (bits_left > 8 ||
+                      show_bits(&s->gb, bits_left) != 1 << (bits_left - 1))) {
        pps->transform_8x8_mode= get_bits1(&s->gb);
        decode_scaling_matrices(h, h->sps_buffers[pps->sps_id], pps, 0, pps->scaling_matrix4, pps->scaling_matrix8);
        pps->chroma_qp_index_offset[1]= get_se_golomb(&s->gb); //second_chroma_qp_index_offset
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -301,7 +301,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h){

 void ff_h264_fill_mbaff_ref_list(H264Context *h){
    int list, i, j;
-    for(list=0; list<2; list++){ //FIXME try list_count
+    for(list=0; list<h->list_count; list++){
        for(i=0; i<h->ref_count[list]; i++){
            Picture *frame = &h->ref_list[list][i];
            Picture *field = &h->ref_list[list][16+2*i];
@@ -678,7 +678,7 @@ int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb){
                }
                if(opcode==MMCO_SHORT2LONG || opcode==MMCO_LONG2UNUSED || opcode==MMCO_LONG || opcode==MMCO_SET_MAX_LONG){
                    unsigned int long_arg= get_ue_golomb_31(gb);
-                    if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){
+                    if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_SET_MAX_LONG && long_arg == 16) && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){
                        av_log(h->s.avctx, AV_LOG_ERROR, "illegal long ref in memory management control operation %d\n", opcode);
                        return -1;
                    }
--- a/libavcodec/h264pred.c
+++ b/libavcodec/h264pred.c
@@ -40,7 +40,7 @@
 #undef BIT_DEPTH

 static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int stride){
-    const int lt= src[-1-1*stride];
+    const unsigned lt = src[-1-1*stride];
    LOAD_TOP_EDGE
    LOAD_TOP_RIGHT_EDGE
    uint32_t v = PACK_4U8((lt + 2*t0 + t1 + 2) >> 2,
@@ -55,7 +55,7 @@ static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int st
 }

 static void pred4x4_horizontal_vp8_c(uint8_t *src, const uint8_t *topright, int stride){
-    const int lt= src[-1-1*stride];
+    const unsigned lt = src[-1-1*stride];
    LOAD_LEFT_EDGE

    AV_WN32A(src+0*stride, ((lt + 2*l0 + l1 + 2) >> 2)*0x01010101);
@@ -292,7 +292,7 @@ static void pred16x16_tm_vp8_c(uint8_t *src, int stride){

 static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){
    int i;
-    int dc0;
+    unsigned dc0;

    dc0=0;
    for(i=0;i<8; i++)
@@ -307,7 +307,7 @@ static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){

 static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){
    int i;
-    int dc0;
+    unsigned dc0;

    dc0=0;
    for(i=0;i<8; i++)
@@ -322,7 +322,7 @@ static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){

 static void pred8x8_dc_rv40_c(uint8_t *src, int stride){
    int i;
-    int dc0=0;
+    unsigned dc0 = 0;

    for(i=0;i<4; i++){
        dc0+= src[-1+i*stride] + src[i-stride];
--- a/libavcodec/h264pred_template.c
+++ b/libavcodec/h264pred_template.c
@@ -120,28 +120,28 @@ static void FUNCC(pred4x4_129_dc)(uint8_t *_src, const uint8_t *topright, int _s


 #define LOAD_TOP_RIGHT_EDGE\
-    const int av_unused t4= topright[0];\
-    const int av_unused t5= topright[1];\
-    const int av_unused t6= topright[2];\
-    const int av_unused t7= topright[3];\
+    const unsigned av_unused t4 = topright[0];\
+    const unsigned av_unused t5 = topright[1];\
+    const unsigned av_unused t6 = topright[2];\
+    const unsigned av_unused t7 = topright[3];\

 #define LOAD_DOWN_LEFT_EDGE\
-    const int av_unused l4= src[-1+4*stride];\
-    const int av_unused l5= src[-1+5*stride];\
-    const int av_unused l6= src[-1+6*stride];\
-    const int av_unused l7= src[-1+7*stride];\
+    const unsigned av_unused l4 = src[-1+4*stride];\
+    const unsigned av_unused l5 = src[-1+5*stride];\
+    const unsigned av_unused l6 = src[-1+6*stride];\
+    const unsigned av_unused l7 = src[-1+7*stride];\

 #define LOAD_LEFT_EDGE\
-    const int av_unused l0= src[-1+0*stride];\
-    const int av_unused l1= src[-1+1*stride];\
-    const int av_unused l2= src[-1+2*stride];\
-    const int av_unused l3= src[-1+3*stride];\
+    const unsigned av_unused l0 = src[-1+0*stride];\
+    const unsigned av_unused l1 = src[-1+1*stride];\
+    const unsigned av_unused l2 = src[-1+2*stride];\
+    const unsigned av_unused l3 = src[-1+3*stride];\

 #define LOAD_TOP_EDGE\
-    const int av_unused t0= src[ 0-1*stride];\
-    const int av_unused t1= src[ 1-1*stride];\
-    const int av_unused t2= src[ 2-1*stride];\
-    const int av_unused t3= src[ 3-1*stride];\
+    const unsigned av_unused t0 = src[ 0-1*stride];\
+    const unsigned av_unused t1 = src[ 1-1*stride];\
+    const unsigned av_unused t2 = src[ 2-1*stride];\
+    const unsigned av_unused t3 = src[ 3-1*stride];\

 static void FUNCC(pred4x4_down_right)(uint8_t *_src, const uint8_t *topright, int _stride){
    pixel *src = (pixel*)_src;
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .7.4
 .7.17