Update for 0.7.12

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Merge branch 'release/0.8' into release/0.7
2012-04-09 18:49:11 +02:00 · 2012-04-09 18:00:44 +02:00 · 2012-04-09 17:53:17 +02:00 · 2012-04-09 15:39:02 +02:00 · 2012-04-09 15:37:55 +02:00 · 2012-04-08 21:08:46 +02:00
93 changed files with 783 additions and 369 deletions
--- a/2
+++ b/2
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 0.7.9
+PROJECT_NUMBER         = 0.7.12

 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.
--- a/2
+++ b/2
@@ -1 +1 @@
-0.7.9
+0.7.12
--- a/2
+++ b/2
@@ -1 +1 @@
-0.7.9
+0.7.12
--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -1760,9 +1760,9 @@ interlaced video, accepts one of the following values:

@table @option
@item 0
-assume bottom field first
-@item 1
 assume top field first
+@item 1
+assume bottom field first
@item -1
 enable automatic detection
@end table
--- a/ffserver.c
+++ b/ffserver.c
@@ -518,6 +518,7 @@ static int socket_open_listen(struct sockaddr_in *my_addr)
    tmp = 1;
    setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &tmp, sizeof(tmp));

+    my_addr->sin_family = AF_INET;
    if (bind (server_fd, (struct sockaddr *) my_addr, sizeof (*my_addr)) < 0) {
        char bindmsg[32];
        snprintf(bindmsg, sizeof(bindmsg), "bind(port %d)", ntohs(my_addr->sin_port));
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -754,19 +754,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
                av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
                return -1;
            }
-            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
+            do {
+                sect_len_incr = get_bits(gb, bits);
                sect_end += sect_len_incr;
-            sect_end += sect_len_incr;
-            if (get_bits_left(gb) < 0) {
-                av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-                return -1;
-            }
-            if (sect_end > ics->max_sfb) {
-                av_log(ac->avctx, AV_LOG_ERROR,
-                       "Number of bands (%d) exceeds limit (%d).\n",
-                       sect_end, ics->max_sfb);
-                return -1;
-            }
+                if (get_bits_left(gb) < 0) {
+                    av_log(ac->avctx, AV_LOG_ERROR, overread_err);
+                    return -1;
+                }
+                if (sect_end > ics->max_sfb) {
+                    av_log(ac->avctx, AV_LOG_ERROR,
+                           "Number of bands (%d) exceeds limit (%d).\n",
+                           sect_end, ics->max_sfb);
+                    return -1;
+                }
+            } while (sect_len_incr == (1 << bits) - 1);
            for (; k < sect_end; k++) {
                band_type        [idx]   = sect_band_type;
                band_type_run_end[idx++] = sect_end;
--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -1185,7 +1185,7 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct,
    const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us;
    float *v;
    for (i = 0; i < 32; i++) {
-        if (*v_off == 0) {
+        if (*v_off < 128 >> div) {
            int saved_samples = (1280 - 128) >> div;
            memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float));
            *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div);
--- a/libavcodec/ac3dsp.c
+++ b/libavcodec/ac3dsp.c
@@ -108,7 +108,7 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd,
                                     int snr_offset, int floor,
                                     const uint8_t *bap_tab, uint8_t *bap)
 {
-    int bin, band;
+    int bin, band, band_end;

    /* special case, if snr offset is -960, set all bap's to zero */
    if (snr_offset == -960) {
@@ -120,12 +120,14 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd,
    band = ff_ac3_bin_to_band_tab[start];
    do {
        int m = (FFMAX(mask[band] - snr_offset - floor, 0) & 0x1FE0) + floor;
-        int band_end = FFMIN(ff_ac3_band_start_tab[band+1], end);
+        band_end = ff_ac3_band_start_tab[++band];
+        band_end = FFMIN(band_end, end);
+
        for (; bin < band_end; bin++) {
            int address = av_clip((psd[bin] - m) >> 5, 0, 63);
            bap[bin] = bap_tab[address];
        }
-    } while (end > ff_ac3_band_start_tab[band++]);
+    } while (end > band_end);
 }

 static void ac3_update_bap_counts_c(uint16_t mant_cnt[16], uint8_t *bap,
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1360,11 +1360,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
        }
        break;
    case CODEC_ID_ADPCM_EA:
-        if (buf_size < 12 || AV_RL32(src) > (buf_size - 12)/30*28) {
-            src += buf_size;
-            break;
+        /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces,
+           each coding 28 stereo samples. */
+        if (buf_size < 12) {
+            av_log(avctx, AV_LOG_ERROR, "frame too small\n");
+            return AVERROR(EINVAL);
        }
        samples_in_chunk = AV_RL32(src);
+        if (samples_in_chunk / 28 > (buf_size - 12) / 30) {
+            av_log(avctx, AV_LOG_ERROR, "invalid frame\n");
+            return AVERROR(EINVAL);
+        }
        src += 4;
        current_left_sample   = (int16_t)bytestream_get_le16(&src);
        previous_left_sample  = (int16_t)bytestream_get_le16(&src);
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1010,7 +1010,7 @@ static void zero_remaining(unsigned int b, unsigned int b_max,
 {
    unsigned int count = 0;

-    while (b < b_max)
+    for (; b < b_max; b++)
        count += div_blocks[b];

    if (count)
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -395,6 +395,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent

            for (k=0; k<coded_components; k++) {
                sfIndx = get_bits(gb,6);
+                if (component_count >= 64)
+                    return AVERROR_INVALIDDATA;
                pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
                max_coded_values = 1024 - pComponent[component_count].pos;
                coded_values = coded_values_per_component + 1;
--- a/libavcodec/avcodec.h
+++ b/libavcodec/avcodec.h
@@ -544,7 +544,7 @@ enum AVChromaLocation{
 /**
 * LPC analysis type
 */
-attribute_deprecated enum AVLPCType {
+enum AVLPCType {
    AV_LPC_TYPE_DEFAULT     = -1, ///< use the codec default LPC type
    AV_LPC_TYPE_NONE        =  0, ///< do not use LPC prediction or use all zero coefficients
    AV_LPC_TYPE_FIXED       =  1, ///< fixed LPC coefficients
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -457,8 +457,8 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
                    int start_bits, int has_sign)
 {
    int i, j, len, len2, bsize, sign, v, v2;
-    int16_t *dst = (int16_t*)b->cur_dec;
-    int16_t *dst_end =( int16_t*)b->data_end;
+    int16_t *dst     = (int16_t*)b->cur_dec;
+    int16_t *dst_end = (int16_t*)b->data_end;

    CHECK_READ_VAL(gb, b, len);
    v = get_bits(gb, start_bits - has_sign);
--- a/libavcodec/cook.c
+++ b/libavcodec/cook.c
@@ -1066,6 +1066,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
    q->sample_rate = avctx->sample_rate;
    q->nb_channels = avctx->channels;
    q->bit_rate = avctx->bit_rate;
+    if (!q->nb_channels) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+        return AVERROR_INVALIDDATA;
+    }

    /* Initialize RNG. */
    av_lfg_init(&q->random_state, 0);
--- a/libavcodec/cscd.c
+++ b/libavcodec/cscd.c
@@ -228,7 +228,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
            av_log(avctx, AV_LOG_ERROR,
                   "CamStudio codec error: invalid depth %i bpp\n",
                   avctx->bits_per_coded_sample);
-            return 1;
+            return AVERROR_INVALIDDATA;
    }
    c->bpp = avctx->bits_per_coded_sample;
    avcodec_get_frame_defaults(&c->pic);
@@ -242,7 +242,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
    c->decomp_buf = av_malloc(c->decomp_size + AV_LZO_OUTPUT_PADDING);
    if (!c->decomp_buf) {
        av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
-        return 1;
+        return AVERROR(ENOMEM);
    }
    return 0;
 }
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -29,6 +29,7 @@
 #include "libavutil/common.h"
 #include "libavutil/intmath.h"
 #include "libavutil/intreadwrite.h"
+#include "libavutil/mathematics.h"
 #include "libavutil/audioconvert.h"
 #include "avcodec.h"
 #include "dsputil.h"
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -146,11 +146,11 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
    return dst_cur - dst;
 }

-static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
 {
    uint16_t cmd;
    int i, sz, offset, code;
-    unsigned char *dst_end = dst + dst_size;
+    unsigned char *dst_end = dst + dst_size, *dst_start = dst;
    const unsigned char *src_end = src + src_size;

    while (src < src_end && dst < dst_end) {
@@ -161,6 +161,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
            } else {
                cmd = AV_RL16(src); src += 2;
                offset = cmd >> 4;
+                if ((int) (dst - dst_start) < offset + 1)
+                    return AVERROR_INVALIDDATA;
                sz = (cmd & 0xF) + 2;
                /* don't use memcpy/memmove here as the decoding routine (ab)uses */
                /* buffer overlappings to repeat bytes in the destination */
@@ -172,6 +174,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
            }
        }
    }
+
+    return 0;
 }

 static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
@@ -201,13 +205,7 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
    const uint8_t *buf = avpkt->data;
    int buf_size = avpkt->size;
    CinVideoContext *cin = avctx->priv_data;
-    int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size;
-
-    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
-    if (avctx->reget_buffer(avctx, &cin->frame)) {
-        av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
-        return -1;
-    }
+    int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0;

    palette_type = buf[0];
    palette_colors_count = AV_RL16(buf+1);
@@ -233,8 +231,6 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
            bitmap_frame_size -= 4;
        }
    }
-    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
-    cin->frame.palette_has_changed = 1;

    /* note: the decoding routines below assumes that surface.width = surface.pitch */
    switch (bitmap_frame_type) {
@@ -267,17 +263,31 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 38:
-        cin_decode_lzss(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        res = cin_decode_lzss(buf, bitmap_frame_size,
+                              cin->bitmap_table[CIN_CUR_BMP],
+                              cin->bitmap_size);
+        if (res < 0)
+            return res;
        break;
    case 39:
-        cin_decode_lzss(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        res = cin_decode_lzss(buf, bitmap_frame_size,
+                              cin->bitmap_table[CIN_CUR_BMP],
+                              cin->bitmap_size);
+        if (res < 0)
+            return res;
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    }

+    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+    if (avctx->reget_buffer(avctx, &cin->frame)) {
+        av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
+        return -1;
+    }
+
+    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
+    cin->frame.palette_has_changed = 1;
    for (y = 0; y < cin->avctx->height; ++y)
        memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0],
          cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -420,7 +420,16 @@ static inline int decode_subframe(FLACContext *s, int channel)
    type = get_bits(&s->gb, 6);

    if (get_bits1(&s->gb)) {
+        int left = get_bits_left(&s->gb);
        wasted = 1;
+        if ( left < 0 ||
+            (left < s->curr_bps && !show_bits_long(&s->gb, left)) ||
+                                   !show_bits_long(&s->gb, s->curr_bps)) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "Invalid number of wasted bits > available bits (%d) - left=%d\n",
+                   s->curr_bps, left);
+            return AVERROR_INVALIDDATA;
+        }
        while (!get_bits1(&s->gb))
            wasted++;
        s->curr_bps -= wasted;
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -135,7 +135,7 @@ static int decode_frame(AVCodecContext *avctx,
    uint32_t *luma1,*luma2,*cb,*cr;
    uint32_t offs[4];
    int i, j, is_chroma, planes;
-
+    enum PixelFormat pix_fmt;

    header = AV_RL32(buf);
    version = header & 0xff;
@@ -152,12 +152,16 @@ static int decode_frame(AVCodecContext *avctx,
    if (header_size == 8)
        buf+=4;

+    pix_fmt = version & 1 ? PIX_FMT_BGR24 : PIX_FMT_YUVJ420P;
+    if (avctx->pix_fmt != pix_fmt && f->data[0]) {
+        avctx->release_buffer(avctx, f);
+    }
+    avctx->pix_fmt = pix_fmt;
+
    switch(version) {
    case 0:
    default:
        /* Fraps v0 is a reordered YUV420 */
-        avctx->pix_fmt = PIX_FMT_YUVJ420P;
-
        if ( (buf_size != avctx->width*avctx->height*3/2+header_size) &&
             (buf_size != header_size) ) {
            av_log(avctx, AV_LOG_ERROR,
@@ -205,8 +209,6 @@ static int decode_frame(AVCodecContext *avctx,

    case 1:
        /* Fraps v1 is an upside-down BGR24 */
-        avctx->pix_fmt = PIX_FMT_BGR24;
-
        if ( (buf_size != avctx->width*avctx->height*3+header_size) &&
             (buf_size != header_size) ) {
            av_log(avctx, AV_LOG_ERROR,
@@ -241,7 +243,6 @@ static int decode_frame(AVCodecContext *avctx,
         * Fraps v2 is Huffman-coded YUV420 planes
         * Fraps v4 is virtually the same
         */
-        avctx->pix_fmt = PIX_FMT_YUVJ420P;
        planes = 3;
        f->reference = 1;
        f->buffer_hints = FF_BUFFER_HINTS_VALID |
@@ -286,7 +287,6 @@ static int decode_frame(AVCodecContext *avctx,
    case 3:
    case 5:
        /* Virtually the same as version 4, but is for RGB24 */
-        avctx->pix_fmt = PIX_FMT_BGR24;
        planes = 3;
        f->reference = 1;
        f->buffer_hints = FF_BUFFER_HINTS_VALID |
--- a/libavcodec/golomb.h
+++ b/libavcodec/golomb.h
@@ -123,7 +123,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){
    }else{
        int ret = 1;

-        while (1) {
+        do {
            buf >>= 32 - 8;
            LAST_SKIP_BITS(re, gb, FFMIN(ff_interleaved_golomb_vlc_len[buf], 8));

@@ -135,7 +135,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){
            ret = (ret << 4) | ff_interleaved_dirac_golomb_vlc_code[buf];
            UPDATE_CACHE(re, gb);
            buf = GET_CACHE(re, gb);
-        }
+        } while (ret);

        CLOSE_READER(re, gb);
        return ret - 1;
@@ -301,7 +301,7 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int
        return buf;
    }else{
        int i;
-        for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
+        for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) {
            LAST_SKIP_BITS(re, gb, 1);
            UPDATE_CACHE(re, gb);
        }
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -564,8 +564,7 @@ retry:
 #if HAVE_MMX
    if (s->codec_id == CODEC_ID_MPEG4 && s->xvid_build>=0 && avctx->idct_algo == FF_IDCT_AUTO && (av_get_cpu_flags() & AV_CPU_FLAG_MMX)) {
        avctx->idct_algo= FF_IDCT_XVIDMMX;
-        avctx->coded_width= 0; // force reinit
-//        dsputil_init(&s->dsp, avctx);
+        ff_dct_common_init(s);
        s->picture_number=0;
    }
 #endif
@@ -579,6 +578,12 @@ retry:
        || s->height != avctx->coded_height) {
        /* H.263 could change picture size any time */
        ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
+
+        if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
+            av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+            return -1;   // width / height changed during parallelized decoding
+        }
+
        s->parse_context.buffer=0;
        MPV_common_end(s);
        s->parse_context= pc;
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -108,7 +108,10 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){
    return 0;
 } //FIXME cleanup like check_intra_pred_mode

-static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
+/**
+ * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
+ */
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
    MpegEncContext * const s = &h->s;
    static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
    static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
@@ -140,23 +143,6 @@ static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
    return mode;
 }

-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode)
-{
-    return check_intra_pred_mode(h, mode, 0);
-}
-
-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode)
-{
-    return check_intra_pred_mode(h, mode, 1);
-}
-
-
 const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_length, int *consumed, int length){
    int i, si, di;
    uint8_t *dst;
@@ -2231,7 +2217,11 @@ static void implicit_weight_table(H264Context *h, int field){
    }

    if(field < 0){
-        cur_poc = s->current_picture_ptr->poc;
+        if (s->picture_structure == PICT_FRAME) {
+            cur_poc = s->current_picture_ptr->poc;
+        } else {
+            cur_poc = s->current_picture_ptr->field_poc[s->picture_structure - 1];
+        }
    if(   h->ref_count[0] == 1 && h->ref_count[1] == 1 && !FRAME_MBAFF
       && h->ref_list[0][0].poc + h->ref_list[1][0].poc == 2*cur_poc){
        h->use_weight= 0;
@@ -2896,7 +2886,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
    h->ref_count[1]= h->pps.ref_count[1];

    if(h->slice_type_nos != AV_PICTURE_TYPE_I){
-        unsigned max= (16<<(s->picture_structure != PICT_FRAME))-1;
+        unsigned max= s->picture_structure == PICT_FRAME ? 15 : 31;
+
        if(h->slice_type_nos == AV_PICTURE_TYPE_B){
            h->direct_spatial_mv_pred= get_bits1(&s->gb);
        }
@@ -2906,13 +2897,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
            h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
            if(h->slice_type_nos==AV_PICTURE_TYPE_B)
                h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
+        }

-        }
-        if(h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
+        if (h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
            av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
-            h->ref_count[0]= h->ref_count[1]= 1;
-            return -1;
+            h->ref_count[0] = h->ref_count[1] = 1;
+            return AVERROR_INVALIDDATA;
        }
+
        if(h->slice_type_nos == AV_PICTURE_TYPE_B)
            h->list_count= 2;
        else
@@ -3761,7 +3753,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
                case NAL_IDR_SLICE:
                case NAL_SLICE:
                    init_get_bits(&hx->s.gb, ptr, bit_length);
-                    if(!get_ue_golomb(&hx->s.gb))
+                    if (!get_ue_golomb(&hx->s.gb))
                        nals_needed = nal_index;
            }
            continue;
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -658,12 +658,7 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h);
 /**
 * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
 */
-int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode);
-
-/**
- * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode);
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma);

 void ff_h264_write_back_intra_pred_mode(H264Context *h);
 void ff_h264_hl_decode_mb(H264Context *h);
@@ -1075,7 +1070,7 @@ static void fill_decode_caches(H264Context *h, int mb_type){
                AV_ZERO32(h->mv_cache [list][scan8[0] + 4 - 1*8]);
                h->ref_cache[list][scan8[0] + 4 - 1*8]= topright_type ? LIST_NOT_USED : PART_NOT_AVAILABLE;
            }
-            if(h->ref_cache[list][scan8[0] + 4 - 1*8] < 0){
+            if(h->ref_cache[list][scan8[0] + 2 - 1*8] < 0 || h->ref_cache[list][scan8[0] + 4 - 1*8] < 0){
                if(USES_LIST(topleft_type, list)){
                    const int b_xy = h->mb2b_xy [topleft_xy] + 3 + h->b_stride + (h->topleft_partition & 2*h->b_stride);
                    const int b8_xy= 4*topleft_xy + 1 + (h->topleft_partition & 2);
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1959,6 +1959,8 @@ decode_intra_mb:
        }

        // The pixels are stored in the same order as levels in h->mb array.
+        if ((int) (h->cabac.bytestream_end - ptr) < mb_size)
+            return -1;
        memcpy(h->mb, ptr, mb_size); ptr+=mb_size;

        ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr);
@@ -2003,14 +2005,14 @@ decode_intra_mb:
            ff_h264_write_back_intra_pred_mode(h);
            if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1;
        } else {
-            h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode( h, h->intra16x16_pred_mode );
+            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode, 0 );
            if( h->intra16x16_pred_mode < 0 ) return -1;
        }
        if(decode_chroma){
            h->chroma_pred_mode_table[mb_xy] =
            pred_mode                        = decode_cabac_mb_chroma_pre_mode( h );

-            pred_mode= ff_h264_check_intra_chroma_pred_mode( h, pred_mode );
+            pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode, 1 );
            if( pred_mode < 0 ) return -1;
            h->chroma_pred_mode= pred_mode;
        } else {
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -238,17 +238,18 @@ static inline int pred_non_zero_count(H264Context *h, int n){
 }

 static av_cold void init_cavlc_level_tab(void){
-    int suffix_length, mask;
+    int suffix_length;
    unsigned int i;

    for(suffix_length=0; suffix_length<7; suffix_length++){
        for(i=0; i<(1<<LEVEL_TAB_BITS); i++){
            int prefix= LEVEL_TAB_BITS - av_log2(2*i);
-            int level_code= (prefix<<suffix_length) + (i>>(LEVEL_TAB_BITS-prefix-1-suffix_length)) - (1<<suffix_length);

-            mask= -(level_code&1);
-            level_code= (((2+level_code)>>1) ^ mask) - mask;
            if(prefix + 1 + suffix_length <= LEVEL_TAB_BITS){
+                int level_code = (prefix << suffix_length) +
+                    (i >> (av_log2(i) - suffix_length)) - (1 << suffix_length);
+                int mask = -(level_code&1);
+                level_code = (((2 + level_code) >> 1) ^ mask) - mask;
                cavlc_level_tab[suffix_length][i][0]= level_code;
                cavlc_level_tab[suffix_length][i][1]= prefix + 1 + suffix_length;
            }else if(prefix + 1 <= LEVEL_TAB_BITS){
@@ -735,12 +736,12 @@ decode_intra_mb:
            if( ff_h264_check_intra4x4_pred_mode(h) < 0)
                return -1;
        }else{
-            h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode(h, h->intra16x16_pred_mode);
+            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode, 0);
            if(h->intra16x16_pred_mode < 0)
                return -1;
        }
        if(decode_chroma){
-            pred_mode= ff_h264_check_intra_chroma_pred_mode(h, get_ue_golomb_31(&s->gb));
+            pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb), 1);
            if(pred_mode < 0)
                return -1;
            h->chroma_pred_mode= pred_mode;
--- a/libavcodec/h264_parser.c
+++ b/libavcodec/h264_parser.c
@@ -251,6 +251,12 @@ static int h264_parse(AVCodecParserContext *s,
        h->got_first = 1;
        if (avctx->extradata_size) {
            h->s.avctx = avctx;
+            // must be done like in decoder, otherwise opening the parser,
+            // letting it create extradata and then closing and opening again
+            // will cause has_b_frames to be always set.
+            // Note that estimate_timings_from_pts does exactly this.
+            if (!avctx->has_b_frames)
+                h->s.low_delay = 1;
            ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size);
        }
    }
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -342,6 +342,10 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){

    if(sps->profile_idc >= 100){ //high profile
        sps->chroma_format_idc= get_ue_golomb_31(&s->gb);
+        if (sps->chroma_format_idc > 3U) {
+            av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc %d is illegal\n", sps->chroma_format_idc);
+            goto fail;
+        }
        if(sps->chroma_format_idc == 3)
            sps->residual_color_transform_flag = get_bits1(&s->gb);
        sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
@@ -481,6 +485,7 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
    unsigned int pps_id= get_ue_golomb(&s->gb);
    PPS *pps;
    const int qp_bd_offset = 6*(h->sps.bit_depth_luma-8);
+    int bits_left;

    if(pps_id >= MAX_PPS_COUNT) {
        av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id);
@@ -557,7 +562,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
    memcpy(pps->scaling_matrix4, h->sps_buffers[pps->sps_id]->scaling_matrix4, sizeof(pps->scaling_matrix4));
    memcpy(pps->scaling_matrix8, h->sps_buffers[pps->sps_id]->scaling_matrix8, sizeof(pps->scaling_matrix8));

-    if(get_bits_count(&s->gb) < bit_length){
+    bits_left = bit_length - get_bits_count(&s->gb);
+    if (bits_left && (bits_left > 8 ||
+                      show_bits(&s->gb, bits_left) != 1 << (bits_left - 1))) {
        pps->transform_8x8_mode= get_bits1(&s->gb);
        decode_scaling_matrices(h, h->sps_buffers[pps->sps_id], pps, 0, pps->scaling_matrix4, pps->scaling_matrix8);
        pps->chroma_qp_index_offset[1]= get_se_golomb(&s->gb); //second_chroma_qp_index_offset
--- a/libavcodec/huffyuv.c
+++ b/libavcodec/huffyuv.c
@@ -82,13 +82,15 @@ typedef struct HYuvContext{
    DSPContext dsp;
 }HYuvContext;

-static const unsigned char classic_shift_luma[] = {
+#define classic_shift_luma_table_size 42
+static const unsigned char classic_shift_luma[classic_shift_luma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
  34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8,
  16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70,
  69,68, 0
 };

-static const unsigned char classic_shift_chroma[] = {
+#define classic_shift_chroma_table_size 59
+static const unsigned char classic_shift_chroma[classic_shift_chroma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
  66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183,
  56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119,
  214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0
@@ -184,7 +186,7 @@ static int read_len_table(uint8_t *dst, GetBitContext *gb){
        if(repeat==0)
            repeat= get_bits(gb, 8);
 //printf("%d %d\n", val, repeat);
-        if(i+repeat > 256) {
+        if(i+repeat > 256 || get_bits_left(gb) < 0) {
            av_log(NULL, AV_LOG_ERROR, "Error reading huffman table\n");
            return -1;
        }
@@ -366,10 +368,10 @@ static int read_old_huffman_tables(HYuvContext *s){
    GetBitContext gb;
    int i;

-    init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
+    init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8);
    if(read_len_table(s->len[0], &gb)<0)
        return -1;
-    init_get_bits(&gb, classic_shift_chroma, sizeof(classic_shift_chroma)*8);
+    init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8);
    if(read_len_table(s->len[1], &gb)<0)
        return -1;

@@ -515,7 +517,7 @@ s->bgr32=1;
        }
        break;
    default:
-        assert(0);
+        return AVERROR_INVALIDDATA;
    }

    alloc_temp(s);
--- a/libavcodec/j2k_dwt.c
+++ b/libavcodec/j2k_dwt.c
@@ -321,7 +321,7 @@ int ff_j2k_dwt_init(DWTContext *s, uint16_t border[2][2], int decomp_levels, int
    int i, j, lev = decomp_levels, maxlen,
        b[2][2];

-    if (decomp_levels >= FF_DWT_MAX_DECLVLS)
+    if ((unsigned)decomp_levels >= FF_DWT_MAX_DECLVLS)
        return AVERROR_INVALIDDATA;
    s->ndeclevels = decomp_levels;
    s->type = type;
--- a/libavcodec/j2kdec.c
+++ b/libavcodec/j2kdec.c
@@ -359,7 +359,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q)

    if (q->quantsty == J2K_QSTY_NONE){
        n -= 3;
-        if (s->buf_end - s->buf < n)
+        if (s->buf_end - s->buf < n || 32*3 < n)
            return AVERROR(EINVAL);
        for (i = 0; i < n; i++)
            q->expn[i] = bytestream_get_byte(&s->buf) >> 3;
@@ -376,7 +376,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q)
        }
    } else{
        n = (n - 3) >> 1;
-        if (s->buf_end - s->buf < n)
+        if (s->buf_end - s->buf < n || 32*3 < n)
            return AVERROR(EINVAL);
        for (i = 0; i < n; i++){
            x = bytestream_get_be16(&s->buf);
@@ -421,6 +421,10 @@ static uint8_t get_sot(J2kDecoderContext *s)
        return AVERROR(EINVAL);

    s->curtileno = bytestream_get_be16(&s->buf); ///< Isot
+    if((unsigned)s->curtileno >= s->numXtiles * s->numYtiles){
+        s->curtileno=0;
+        return AVERROR(EINVAL);
+    }

    s->buf += 4; ///< Psot (ignored)

--- a/libavcodec/jvdec.c
+++ b/libavcodec/jvdec.c
@@ -150,7 +150,7 @@ static int decode_frame(AVCodecContext *avctx,

        if (video_type == 0 || video_type == 1) {
            GetBitContext gb;
-            init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8));
+            init_get_bits(&gb, buf, 8 * FFMIN(video_size, buf_end - buf));

            for (j = 0; j < avctx->height; j += 8)
                for (i = 0; i < avctx->width; i += 8)
--- a/libavcodec/kgv1dec.c
+++ b/libavcodec/kgv1dec.c
@@ -30,19 +30,26 @@

 typedef struct {
    AVCodecContext *avctx;
-    AVFrame pic;
-    uint16_t *prev, *cur;
+    AVFrame prev, cur;
 } KgvContext;

+static void decode_flush(AVCodecContext *avctx)
+{
+    KgvContext * const c = avctx->priv_data;
+
+    if (c->prev.data[0])
+        avctx->release_buffer(avctx, &c->prev);
+}
+
 static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt)
 {
    const uint8_t *buf = avpkt->data;
    const uint8_t *buf_end = buf + avpkt->size;
    KgvContext * const c = avctx->priv_data;
-    int offsets[7];
+    int offsets[8];
    uint16_t *out, *prev;
    int outcnt = 0, maxcnt;
-    int w, h, i;
+    int w, h, i, res;

    if (avpkt->size < 2)
        return -1;
@@ -54,22 +61,25 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
    if (av_image_check_size(w, h, 0, avctx))
        return -1;

-    if (w != avctx->width || h != avctx->height)
+    if (w != avctx->width || h != avctx->height) {
+        if (c->prev.data[0])
+            avctx->release_buffer(avctx, &c->prev);
        avcodec_set_dimensions(avctx, w, h);
+    }

    maxcnt = w * h;

-    out = av_realloc(c->cur, w * h * 2);
-    if (!out)
-        return -1;
-    c->cur = out;
+    c->cur.reference = 3;
+    if ((res = avctx->get_buffer(avctx, &c->cur)) < 0)
+        return res;
+    out  = (uint16_t *) c->cur.data[0];
+    if (c->prev.data[0]) {
+        prev = (uint16_t *) c->prev.data[0];
+    } else {
+        prev = NULL;
+    }

-    prev = av_realloc(c->prev, w * h * 2);
-    if (!prev)
-        return -1;
-    c->prev = prev;
-
-    for (i = 0; i < 7; i++)
+    for (i = 0; i < 8; i++)
        offsets[i] = -1;

    while (outcnt < maxcnt && buf_end - 2 > buf) {
@@ -80,6 +90,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
            out[outcnt++] = code; // rgb555 pixel coded directly
        } else {
            int count;
+            int inp_off;
            uint16_t *inp;

            if ((code & 0x6000) == 0x6000) {
@@ -101,7 +112,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                if (maxcnt - start < count)
                    break;

-                inp = prev + start;
+                if (!prev) {
+                    av_log(avctx, AV_LOG_ERROR,
+                           "Frame reference does not exist\n");
+                    break;
+                }
+
+                inp = prev;
+                inp_off = start;
            } else {
                // copy from earlier in this frame
                int offset = (code & 0x1FFF) + 1;
@@ -119,27 +137,28 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                if (outcnt < offset)
                    break;

-                inp = out + outcnt - offset;
+                inp = out;
+                inp_off = outcnt - offset;
            }

            if (maxcnt - outcnt < count)
                break;

-            for (i = 0; i < count; i++)
+            for (i = inp_off; i < count + inp_off; i++) {
                out[outcnt++] = inp[i];
+            }
        }
    }

    if (outcnt - maxcnt)
        av_log(avctx, AV_LOG_DEBUG, "frame finished with %d diff\n", outcnt - maxcnt);

-    c->pic.data[0]     = (uint8_t *)c->cur;
-    c->pic.linesize[0] = w * 2;
-
    *data_size = sizeof(AVFrame);
-    *(AVFrame*)data = c->pic;
+    *(AVFrame*)data = c->cur;

-    FFSWAP(uint16_t *, c->cur, c->prev);
+    if (c->prev.data[0])
+        avctx->release_buffer(avctx, &c->prev);
+    FFSWAP(AVFrame, c->cur, c->prev);

    return avpkt->size;
 }
@@ -150,29 +169,25 @@ static av_cold int decode_init(AVCodecContext *avctx)

    c->avctx = avctx;
    avctx->pix_fmt = PIX_FMT_RGB555;
-    avcodec_get_frame_defaults(&c->pic);
+    avctx->flags  |= CODEC_FLAG_EMU_EDGE;

    return 0;
 }

 static av_cold int decode_end(AVCodecContext *avctx)
 {
-    KgvContext * const c = avctx->priv_data;
-
-    av_freep(&c->cur);
-    av_freep(&c->prev);
-
+    decode_flush(avctx);
    return 0;
 }

 AVCodec ff_kgv1_decoder = {
-    "kgv1",
-    AVMEDIA_TYPE_VIDEO,
-    CODEC_ID_KGV1,
-    sizeof(KgvContext),
-    decode_init,
-    NULL,
-    decode_end,
-    decode_frame,
+    .name           = "kgv1",
+    .type           = AVMEDIA_TYPE_VIDEO,
+    .id             = CODEC_ID_KGV1,
+    .priv_data_size = sizeof(KgvContext),
+    .init           = decode_init,
+    .close          = decode_end,
+    .decode         = decode_frame,
+    .flush          = decode_flush,
    .long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"),
 };
--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -57,17 +57,21 @@ typedef struct BitBuf {

 #define kmvc_init_getbits(bb, src)  bb.bits = 7; bb.bitbuf = *src++;

-#define kmvc_getbit(bb, src, res) {\
+#define kmvc_getbit(bb, src, src_end, res) {\
    res = 0; \
    if (bb.bitbuf & (1 << bb.bits)) res = 1; \
    bb.bits--; \
    if(bb.bits == -1) { \
+        if (src >= src_end) { \
+            av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); \
+            return AVERROR_INVALIDDATA; \
+        } \
        bb.bitbuf = *src++; \
        bb.bits = 7; \
    } \
 }

-static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h)
+static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
 {
    BitBuf bb;
    int res, val;
@@ -75,13 +79,18 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
    int bx, by;
    int l0x, l1x, l0y, l1y;
    int mx, my;
+    const uint8_t *src_end = src + src_size;

    kmvc_init_getbits(bb, src);

    for (by = 0; by < h; by += 8)
        for (bx = 0; bx < w; bx += 8) {
-            kmvc_getbit(bb, src, res);
+            kmvc_getbit(bb, src, src_end, res);
            if (!res) {         // fill whole 8x8 block
+                if (src >= src_end) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                    return AVERROR_INVALIDDATA;
+                }
                val = *src++;
                for (i = 0; i < 64; i++)
                    BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
@@ -89,14 +98,22 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                for (i = 0; i < 4; i++) {
                    l0x = bx + (i & 1) * 4;
                    l0y = by + (i & 2) * 2;
-                    kmvc_getbit(bb, src, res);
+                    kmvc_getbit(bb, src, src_end, res);
                    if (!res) {
-                        kmvc_getbit(bb, src, res);
+                        kmvc_getbit(bb, src, src_end, res);
                        if (!res) {     // fill whole 4x4 block
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            for (j = 0; j < 16; j++)
                                BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
                        } else {        // copy block from already decoded place
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            mx = val & 0xF;
                            my = val >> 4;
@@ -108,16 +125,24 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                        for (j = 0; j < 4; j++) {
                            l1x = l0x + (j & 1) * 2;
                            l1y = l0y + (j & 2);
-                            kmvc_getbit(bb, src, res);
+                            kmvc_getbit(bb, src, src_end, res);
                            if (!res) {
-                                kmvc_getbit(bb, src, res);
+                                kmvc_getbit(bb, src, src_end, res);
                                if (!res) {     // fill whole 2x2 block
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    BLK(ctx->cur, l1x, l1y) = val;
                                    BLK(ctx->cur, l1x + 1, l1y) = val;
                                    BLK(ctx->cur, l1x, l1y + 1) = val;
                                    BLK(ctx->cur, l1x + 1, l1y + 1) = val;
                                } else {        // copy block from already decoded place
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    mx = val & 0xF;
                                    my = val >> 4;
@@ -140,9 +165,11 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                }
            }
        }
+
+    return 0;
 }

-static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h)
+static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h)
 {
    BitBuf bb;
    int res, val;
@@ -150,15 +177,20 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
    int bx, by;
    int l0x, l1x, l0y, l1y;
    int mx, my;
+    const uint8_t *src_end = src + src_size;

    kmvc_init_getbits(bb, src);

    for (by = 0; by < h; by += 8)
        for (bx = 0; bx < w; bx += 8) {
-            kmvc_getbit(bb, src, res);
+            kmvc_getbit(bb, src, src_end, res);
            if (!res) {
-                kmvc_getbit(bb, src, res);
+                kmvc_getbit(bb, src, src_end, res);
                if (!res) {     // fill whole 8x8 block
+                    if (src >= src_end) {
+                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                    val = *src++;
                    for (i = 0; i < 64; i++)
                        BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
@@ -171,14 +203,22 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                for (i = 0; i < 4; i++) {
                    l0x = bx + (i & 1) * 4;
                    l0y = by + (i & 2) * 2;
-                    kmvc_getbit(bb, src, res);
+                    kmvc_getbit(bb, src, src_end, res);
                    if (!res) {
-                        kmvc_getbit(bb, src, res);
+                        kmvc_getbit(bb, src, src_end, res);
                        if (!res) {     // fill whole 4x4 block
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            for (j = 0; j < 16; j++)
                                BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val;
                        } else {        // copy block
+                            if (src >= src_end) {
+                                av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                return AVERROR_INVALIDDATA;
+                            }
                            val = *src++;
                            mx = (val & 0xF) - 8;
                            my = (val >> 4) - 8;
@@ -190,16 +230,24 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                        for (j = 0; j < 4; j++) {
                            l1x = l0x + (j & 1) * 2;
                            l1y = l0y + (j & 2);
-                            kmvc_getbit(bb, src, res);
+                            kmvc_getbit(bb, src, src_end, res);
                            if (!res) {
-                                kmvc_getbit(bb, src, res);
+                                kmvc_getbit(bb, src, src_end, res);
                                if (!res) {     // fill whole 2x2 block
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    BLK(ctx->cur, l1x, l1y) = val;
                                    BLK(ctx->cur, l1x + 1, l1y) = val;
                                    BLK(ctx->cur, l1x, l1y + 1) = val;
                                    BLK(ctx->cur, l1x + 1, l1y + 1) = val;
                                } else {        // copy block
+                                    if (src >= src_end) {
+                                        av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
+                                        return AVERROR_INVALIDDATA;
+                                    }
                                    val = *src++;
                                    mx = (val & 0xF) - 8;
                                    my = (val >> 4) - 8;
@@ -222,6 +270,8 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w,
                }
            }
        }
+
+    return 0;
 }

 static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt)
@@ -300,10 +350,10 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa
        memcpy(ctx->cur, ctx->prev, 320 * 200);
        break;
    case 3:
-        kmvc_decode_intra_8x8(ctx, buf, avctx->width, avctx->height);
+        kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
        break;
    case 4:
-        kmvc_decode_inter_8x8(ctx, buf, avctx->width, avctx->height);
+        kmvc_decode_inter_8x8(ctx, buf, buf_size, avctx->width, avctx->height);
        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD);
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -223,8 +223,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                len = mszh_dlen;
            }
            break;
-        case COMP_MSZH_NOCOMP:
+        case COMP_MSZH_NOCOMP: {
+            int bppx2;
+            switch (c->imgtype) {
+            case IMGTYPE_YUV111:
+            case IMGTYPE_RGB24:
+                bppx2 = 6;
+                break;
+            case IMGTYPE_YUV422:
+            case IMGTYPE_YUV211:
+                bppx2 = 4;
+                break;
+            case IMGTYPE_YUV411:
+            case IMGTYPE_YUV420:
+                bppx2 = 3;
+                break;
+            default:
+                bppx2 = 0; // will error out below
+                break;
+            }
+            if (len < ((width * height * bppx2) >> 1))
+                return AVERROR_INVALIDDATA;
            break;
+        }
        default:
            av_log(avctx, AV_LOG_ERROR, "BUG! Unknown MSZH compression in frame decoder.\n");
            return -1;
@@ -456,7 +477,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
    avcodec_get_frame_defaults(&c->pic);
    if (avctx->extradata_size < 8) {
        av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n");
-        return 1;
+        return AVERROR_INVALIDDATA;
    }

    /* Check codec type */
@@ -505,7 +526,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Unsupported image format %d.\n", c->imgtype);
-        return 1;
+        return AVERROR_INVALIDDATA;
    }

    /* Detect compression method */
@@ -522,7 +543,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
            break;
        default:
            av_log(avctx, AV_LOG_ERROR, "Unsupported compression format for MSZH (%d).\n", c->compression);
-            return 1;
+            return AVERROR_INVALIDDATA;
        }
        break;
 #if CONFIG_ZLIB_DECODER
@@ -540,7 +561,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
        default:
            if (c->compression < Z_NO_COMPRESSION || c->compression > Z_BEST_COMPRESSION) {
                av_log(avctx, AV_LOG_ERROR, "Unsupported compression level for ZLIB: (%d).\n", c->compression);
-                return 1;
+                return AVERROR_INVALIDDATA;
            }
            av_log(avctx, AV_LOG_DEBUG, "Compression level for ZLIB: (%d).\n", c->compression);
        }
@@ -548,14 +569,14 @@ static av_cold int decode_init(AVCodecContext *avctx)
 #endif
    default:
        av_log(avctx, AV_LOG_ERROR, "BUG! Unknown codec in compression switch.\n");
-        return 1;
+        return AVERROR_INVALIDDATA;
    }

    /* Allocate decompression buffer */
    if (c->decomp_size) {
        if ((c->decomp_buf = av_malloc(max_decomp_size)) == NULL) {
            av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
-            return 1;
+            return AVERROR(ENOMEM);
        }
    }

@@ -581,7 +602,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
        if (zret != Z_OK) {
            av_log(avctx, AV_LOG_ERROR, "Inflate init error: %d\n", zret);
            av_freep(&c->decomp_buf);
-            return 1;
+            return AVERROR_INVALIDDATA;
        }
    }
 #endif
--- a/libavcodec/mjpegbdec.c
+++ b/libavcodec/mjpegbdec.c
@@ -59,6 +59,9 @@ read_header:
    s->restart_count = 0;
    s->mjpb_skiptosod = 0;

+    if (buf_end - buf_ptr >= 1 << 28)
+        return AVERROR_INVALIDDATA;
+
    init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8);

    skip_bits(&hgb, 32); /* reserved zeros */
@@ -66,7 +69,7 @@ read_header:
    if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g'))
    {
        av_log(avctx, AV_LOG_WARNING, "not mjpeg-b (bad fourcc)\n");
-        return 0;
+        return AVERROR_INVALIDDATA;
    }

    field_size = get_bits_long(&hgb, 32); /* field size */
@@ -109,8 +112,8 @@ read_header:
    av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs);
    if (sos_offs)
    {
-//        init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8);
-        init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8);
+        init_get_bits(&s->gb, buf_ptr + sos_offs,
+                      8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs));
        s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16));
        s->start_code = SOS;
        ff_mjpeg_decode_sos(s, NULL, NULL);
@@ -142,7 +145,7 @@ read_header:
        picture->quality*= FF_QP2LAMBDA;
    }

-    return buf_ptr - buf;
+    return buf_size;
 }

 AVCodec ff_mjpegb_decoder = {
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -52,7 +52,7 @@ static inline int sad_hpel_motion_search(MpegEncContext * s,
                                  int src_index, int ref_index,
                                  int size, int h);

-static inline int update_map_generation(MotionEstContext *c)
+static inline unsigned update_map_generation(MotionEstContext *c)
 {
    c->map_generation+= 1<<(ME_MAP_MV_BITS*2);
    if(c->map_generation==0){
--- a/libavcodec/motion_est_template.c
+++ b/libavcodec/motion_est_template.c
@@ -158,9 +158,8 @@ static int hpel_motion_search(MpegEncContext * s,
        const int b= score_map[(index+(1<<ME_MAP_SHIFT))&(ME_MAP_SIZE-1)]
                     + (mv_penalty[bx   - pred_x] + mv_penalty[by+2 - pred_y])*c->penalty_factor;

-#if 1
-        int key;
-        int map_generation= c->map_generation;
+        unsigned key;
+        unsigned map_generation= c->map_generation;
 #ifndef NDEBUG
        uint32_t *map= c->map;
 #endif
@@ -172,7 +171,6 @@ static int hpel_motion_search(MpegEncContext * s,
        assert(map[(index+1)&(ME_MAP_SIZE-1)] == key);
        key= ((my)<<ME_MAP_MV_BITS) + (mx-1) + map_generation;
        assert(map[(index-1)&(ME_MAP_SIZE-1)] == key);
-#endif
        if(t<=b){
            CHECK_HALF_MV(0, 1, mx  ,my-1)
            if(l<=r){
@@ -280,7 +278,7 @@ static int qpel_motion_search(MpegEncContext * s,
    const int mx = *mx_ptr;
    const int my = *my_ptr;
    const int penalty_factor= c->sub_penalty_factor;
-    const int map_generation= c->map_generation;
+    const unsigned map_generation = c->map_generation;
    const int subpel_quality= c->avctx->me_subpel_quality;
    uint32_t *map= c->map;
    me_cmp_func cmpf, chroma_cmpf;
@@ -497,7 +495,7 @@ static int qpel_motion_search(MpegEncContext * s,

 #define CHECK_MV(x,y)\
 {\
-    const int key= ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
+    const unsigned key = ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
    const int index= (((y)<<ME_MAP_SHIFT) + (x))&(ME_MAP_SIZE-1);\
    assert((x) >= xmin);\
    assert((x) <= xmax);\
@@ -525,7 +523,7 @@ static int qpel_motion_search(MpegEncContext * s,

 #define CHECK_MV_DIR(x,y,new_dir)\
 {\
-    const int key= ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
+    const unsigned key = ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
    const int index= (((y)<<ME_MAP_SHIFT) + (x))&(ME_MAP_SIZE-1);\
 /*printf("check_mv_dir %d %d %d\n", x, y, new_dir);*/\
    if(map[index]!=key){\
@@ -563,13 +561,13 @@ static av_always_inline int small_diamond_search(MpegEncContext * s, int *best,
    int next_dir=-1;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];

    { /* ensure that the best point is in the MAP as h/qpel refinement needs it */
-        const int key= (best[1]<<ME_MAP_MV_BITS) + best[0] + map_generation;
+        const unsigned key = (best[1]<<ME_MAP_MV_BITS) + best[0] + map_generation;
        const int index= ((best[1]<<ME_MAP_SHIFT) + best[0])&(ME_MAP_SIZE-1);
        if(map[index]!=key){ //this will be executed only very rarey
            score_map[index]= cmp(s, best[0], best[1], 0, 0, size, h, ref_index, src_index, cmpf, chroma_cmpf, flags);
@@ -605,7 +603,7 @@ static int funny_diamond_search(MpegEncContext * s, int *best, int dmin,
    int dia_size;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -646,7 +644,7 @@ static int hex_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y,d;
    const int dec= dia_size & (dia_size-1);

@@ -680,7 +678,7 @@ static int l2s_dia_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y,i,d;
    int dia_size= c->dia_size&0xFF;
    const int dec= dia_size & (dia_size-1);
@@ -718,7 +716,7 @@ static int umh_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y,x2,y2, i, j, d;
    const int dia_size= c->dia_size&0xFE;
    static const int hex[16][2]={{-4,-2}, {-4,-1}, {-4, 0}, {-4, 1}, {-4, 2},
@@ -765,7 +763,7 @@ static int full_search(MpegEncContext * s, int *best, int dmin,
    me_cmp_func cmpf, chroma_cmpf;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
    int x,y, d;
    const int dia_size= c->dia_size&0xFF;

@@ -794,7 +792,7 @@ static int full_search(MpegEncContext * s, int *best, int dmin,

 #define SAB_CHECK_MV(ax,ay)\
 {\
-    const int key= ((ay)<<ME_MAP_MV_BITS) + (ax) + map_generation;\
+    const unsigned key = ((ay)<<ME_MAP_MV_BITS) + (ax) + map_generation;\
    const int index= (((ay)<<ME_MAP_SHIFT) + (ax))&(ME_MAP_SIZE-1);\
 /*printf("sab check %d %d\n", ax, ay);*/\
    if(map[index]!=key){\
@@ -833,7 +831,7 @@ static int sab_diamond_search(MpegEncContext * s, int *best, int dmin,
    int i, j;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -918,7 +916,7 @@ static int var_diamond_search(MpegEncContext * s, int *best, int dmin,
    int dia_size;
    LOAD_COMMON
    LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;

    cmpf= s->dsp.me_cmp[size];
    chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -1010,7 +1008,7 @@ static av_always_inline int epzs_motion_search_internal(MpegEncContext * s, int
    int d;                   ///< the score (cmp + penalty) of any given mv
    int dmin;                /*!< the best value of d, i.e. the score
                               corresponding to the mv stored in best[]. */
-    int map_generation;
+    unsigned map_generation;
    int penalty_factor;
    const int ref_mv_stride= s->mb_stride; //pass as arg  FIXME
    const int ref_mv_xy= s->mb_x + s->mb_y*ref_mv_stride; //add to last_mv beforepassing FIXME
@@ -1138,7 +1136,7 @@ static int epzs_motion_search4(MpegEncContext * s,
    MotionEstContext * const c= &s->me;
    int best[2]={0, 0};
    int d, dmin;
-    int map_generation;
+    unsigned map_generation;
    const int penalty_factor= c->penalty_factor;
    const int size=1;
    const int h=8;
@@ -1198,7 +1196,7 @@ static int epzs_motion_search2(MpegEncContext * s,
    MotionEstContext * const c= &s->me;
    int best[2]={0, 0};
    int d, dmin;
-    int map_generation;
+    unsigned map_generation;
    const int penalty_factor= c->penalty_factor;
    const int size=0; //FIXME pass as arg
    const int h=8;
--- a/libavcodec/mpeg12enc.c
+++ b/libavcodec/mpeg12enc.c
@@ -27,6 +27,7 @@

 #include "avcodec.h"
 #include "dsputil.h"
+#include "mathops.h"
 #include "mpegvideo.h"

 #include "mpeg12.h"
@@ -681,8 +682,7 @@ static void mpeg1_encode_motion(MpegEncContext *s, int val, int f_or_b_code)
        int bit_size = f_or_b_code - 1;
        int range = 1 << bit_size;
        /* modulo encoding */
-        int l= INT_BIT - 5 - bit_size;
-        val= (val<<l)>>l;
+        val = sign_extend(val, 5 + bit_size);

        if (val >= 0) {
            val--;
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -366,8 +366,8 @@ static int init_duplicate_context(MpegEncContext *s, MpegEncContext *base){
    int i;

    // edge emu needs blocksize + filter length - 1 (=17x17 for halfpel / 21x21 for h264)
-    FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
-    s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21*2;
+    FF_ALLOCZ_OR_GOTO(s->avctx, s->edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
+

     //FIXME should be linesize instead of s->width*2 but that is not known before get_buffer()
    FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad,  (s->width+64)*4*16*2*sizeof(uint8_t), fail)
@@ -405,7 +405,7 @@ fail:
 static void free_duplicate_context(MpegEncContext *s){
    if(s==NULL) return;

-    av_freep(&s->allocated_edge_emu_buffer); s->edge_emu_buffer= NULL;
+    av_freep(&s->edge_emu_buffer);
    av_freep(&s->me.scratchpad);
    s->me.temp=
    s->rd_scratchpad=
@@ -422,7 +422,6 @@ static void free_duplicate_context(MpegEncContext *s){

 static void backup_duplicate_context(MpegEncContext *bak, MpegEncContext *src){
 #define COPY(a) bak->a= src->a
-    COPY(allocated_edge_emu_buffer);
    COPY(edge_emu_buffer);
    COPY(me.scratchpad);
    COPY(me.temp);
--- a/libavcodec/mpegvideo.h
+++ b/libavcodec/mpegvideo.h
@@ -153,7 +153,7 @@ typedef struct MotionEstContext{
    int best_bits;
    uint32_t *map;                     ///< map to avoid duplicate evaluations
    uint32_t *score_map;               ///< map to store the scores
-    int map_generation;
+    unsigned map_generation;
    int pre_penalty_factor;
    int penalty_factor;                /*!< an estimate of the bits required to
                                        code a given mv value, e.g. (1,0) takes
@@ -317,8 +317,7 @@ typedef struct MpegEncContext {
    uint8_t *mbintra_table;       ///< used to avoid setting {ac, dc, cbp}-pred stuff to zero on inter MB decoding
    uint8_t *cbp_table;           ///< used to store cbp, ac_pred for partitioned decoding
    uint8_t *pred_dir_table;      ///< used to store pred_dir for partitioned decoding
-    uint8_t *allocated_edge_emu_buffer;
-    uint8_t *edge_emu_buffer;     ///< points into the middle of allocated_edge_emu_buffer
+    uint8_t *edge_emu_buffer;     ///< temporary buffer for if MVs point to out-of-frame data
    uint8_t *rd_scratchpad;       ///< scratchpad for rate distortion mb decision
    uint8_t *obmc_scratchpad;
    uint8_t *b_scratchpad;        ///< scratchpad used for writing into write only buffers
--- a/libavcodec/nellymoserdec.c
+++ b/libavcodec/nellymoserdec.c
@@ -157,19 +157,26 @@ static int decode_tag(AVCodecContext * avctx,
    int buf_size = avpkt->size;
    NellyMoserDecodeContext *s = avctx->priv_data;
    int data_max = *data_size;
-    int blocks, i;
+    int blocks, i, block_size;
    int16_t* samples;
-    *data_size = 0;
    samples = (int16_t*)data;

-    if (buf_size < avctx->block_align)
+    if (buf_size < avctx->block_align) {
+        *data_size = 0;
        return buf_size;
+    }

    if (buf_size % 64) {
        av_log(avctx, AV_LOG_ERROR, "Tag size %d.\n", buf_size);
+        *data_size = 0;
        return buf_size;
    }
-    blocks = buf_size / 64;
+    block_size = NELLY_SAMPLES * av_get_bytes_per_sample(avctx->sample_fmt);
+    blocks     = FFMIN(buf_size / 64, *data_size / block_size);
+    if (blocks <= 0) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
    /* Normal numbers of blocks for sample rates:
     *  8000 Hz - 1
     * 11025 Hz - 2
@@ -183,8 +190,8 @@ static int decode_tag(AVCodecContext * avctx,
            return i > 0 ? i * NELLY_BLOCK_LEN : -1;
        nelly_decode_block(s, &buf[i*NELLY_BLOCK_LEN], s->float_buf);
        s->fmt_conv.float_to_int16(&samples[i*NELLY_SAMPLES], s->float_buf, NELLY_SAMPLES);
-        *data_size += NELLY_SAMPLES*sizeof(int16_t);
    }
+    *data_size = blocks * block_size;

    return buf_size;
 }
--- a/libavcodec/pngenc.c
+++ b/libavcodec/pngenc.c
@@ -55,7 +55,7 @@ static void png_get_interlaced_row(uint8_t *dst, int row_size,
    uint8_t *d;
    const uint8_t *s;

-    mask = ff_png_pass_mask[pass];
+    mask =  (int[]){0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff}[pass];
    switch(bits_per_pixel) {
    case 1:
        memset(dst, 0, row_size);
--- a/libavcodec/ptx.c
+++ b/libavcodec/ptx.c
@@ -60,7 +60,6 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,

    avctx->pix_fmt = PIX_FMT_RGB555;

-
    if (buf_end - buf < offset)
        return AVERROR_INVALIDDATA;
    if (offset != 0x2c)
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1816,6 +1816,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
    extradata += 4;

    s->checksum_size = AV_RB32(extradata);
+    if (s->checksum_size >= 1U << 28) {
+        av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size);
+        return AVERROR_INVALIDDATA;
+    }

    s->fft_order = av_log2(s->fft_size) + 1;
    s->fft_frame_size = 2 * s->fft_size; // complex has two floats
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -418,7 +418,7 @@ static av_cold int qtrle_decode_init(AVCodecContext *avctx)
    default:
        av_log (avctx, AV_LOG_ERROR, "Unsupported colorspace: %d bits/sample?\n",
            avctx->bits_per_coded_sample);
-        break;
+        return AVERROR_INVALIDDATA;
    }

    avcodec_get_frame_defaults(&s->frame);
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -151,6 +151,9 @@ static int raw_decode(AVCodecContext *avctx,
        frame->top_field_first  = context->tff;
    }

+    if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
+        return -1;
+
    //2bpp and 4bpp raw in avi and mov (yes this is ugly ...)
    if (context->buffer) {
        int i;
@@ -175,9 +178,6 @@ static int raw_decode(AVCodecContext *avctx,
       avctx->codec_tag == MKTAG('A', 'V', 'u', 'p'))
        buf += buf_size - context->length;

-    if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
-        return -1;
-
    avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height);
    if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) ||
       (avctx->pix_fmt!=PIX_FMT_PAL8 &&
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -183,6 +183,8 @@ static void rpza_decode_stream(RpzaContext *s)
            color4[1] |= ((11 * ta + 21 * tb) >> 5);
            color4[2] |= ((21 * ta + 11 * tb) >> 5);

+            if (s->size - stream_ptr < n_blocks * 4)
+                return;
            while (n_blocks--) {
                block_ptr = row_ptr + pixel_ptr;
                for (pixel_y = 0; pixel_y < 4; pixel_y++) {
@@ -200,6 +202,8 @@ static void rpza_decode_stream(RpzaContext *s)

        /* Fill block with 16 colors */
        case 0x00:
+            if (s->size - stream_ptr < 16)
+                return;
            block_ptr = row_ptr + pixel_ptr;
            for (pixel_y = 0; pixel_y < 4; pixel_y++) {
                for (pixel_x = 0; pixel_x < 4; pixel_x++){
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -672,8 +672,12 @@ static int rv10_decode_frame(AVCodecContext *avctx,

    if(!avctx->slice_count){
        slice_count = (*buf++) + 1;
+        buf_size--;
        slices_hdr = buf + 4;
        buf += 8 * slice_count;
+        buf_size -= 8 * slice_count;
+        if (buf_size <= 0)
+            return AVERROR_INVALIDDATA;
    }else
        slice_count = avctx->slice_count;

@@ -712,7 +716,7 @@ static int rv10_decode_frame(AVCodecContext *avctx,
        s->current_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...)
    }

-    return buf_size;
+    return avpkt->size;
 }

 AVCodec ff_rv10_decoder = {
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -81,6 +81,7 @@ typedef struct ShortenContext {
    int channels;

    int32_t *decoded[MAX_CHANNELS];
+    int32_t *decoded_base[MAX_CHANNELS];
    int32_t *offset[MAX_CHANNELS];
    int *coeffs;
    uint8_t *bitstream;
@@ -130,13 +131,14 @@ static int allocate_buffers(ShortenContext *s)
            return AVERROR(ENOMEM);
        s->offset[chan] = tmp_ptr;

-        tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+        tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) *
+                             sizeof(s->decoded_base[0][0]));
        if (!tmp_ptr)
            return AVERROR(ENOMEM);
-        s->decoded[chan] = tmp_ptr;
+        s->decoded_base[chan] = tmp_ptr;
        for (i=0; i<s->nwrap; i++)
-            s->decoded[chan][i] = 0;
-        s->decoded[chan] += s->nwrap;
+            s->decoded_base[chan][i] = 0;
+        s->decoded[chan] = s->decoded_base[chan] + s->nwrap;
    }

    coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs));
@@ -548,8 +550,8 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx)
    int i;

    for (i = 0; i < s->channels; i++) {
-        s->decoded[i] -= s->nwrap;
-        av_freep(&s->decoded[i]);
+        s->decoded[i] = NULL;
+        av_freep(&s->decoded_base[i]);
        av_freep(&s->offset[i]);
    }
    av_freep(&s->bitstream);
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -127,12 +127,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref
 */
 static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx)
 {
+    if (hc->current + 1 >= hc->length) {
+        av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
+        return -1;
+    }
    if(!get_bits1(gb)){ //Leaf
        int val, i1, i2, b1, b2;
-        if(hc->current >= hc->length){
-            av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
-            return -1;
-        }
        b1 = get_bits_count(gb);
        i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0;
        b1 = get_bits_count(gb) - b1;
@@ -156,7 +156,7 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
        hc->values[hc->current++] = val;
        return 1;
    } else { //Node
-        int r = 0, t;
+        int r = 0, r_new, t;

        t = hc->current++;
        r = smacker_decode_bigtree(gb, hc, ctx);
@@ -164,8 +164,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
            return r;
        hc->values[t] = SMK_NODE | r;
        r++;
-        r += smacker_decode_bigtree(gb, hc, ctx);
-        return r;
+        r_new = smacker_decode_bigtree(gb, hc, ctx);
+        if (r_new < 0)
+            return r_new;
+        return r + r_new;
    }
 }

@@ -180,6 +182,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
    VLC vlc[2];
    int escapes[3];
    DBCtx ctx;
+    int err = 0;

    if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow
        av_log(smk->avctx, AV_LOG_ERROR, "size too large\n");
@@ -253,7 +256,8 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
    huff.current = 0;
    huff.values = av_mallocz(huff.length * sizeof(int));

-    smacker_decode_bigtree(gb, &huff, &ctx);
+    if (smacker_decode_bigtree(gb, &huff, &ctx) < 0)
+        err = -1;
    skip_bits1(gb);
    if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
    if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
@@ -272,7 +276,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
    av_free(tmp2.lengths);
    av_free(tmp2.values);

-    return 0;
+    return err;
 }

 static int decode_header_trees(SmackVContext *smk) {
--- a/libavcodec/srtdec.c
+++ b/libavcodec/srtdec.c
@@ -110,7 +110,7 @@ static const char *srt_to_ass(AVCodecContext *avctx, char *out, char *out_end,
                                    for (j=sptr-2; j>=0; j--)
                                        if (stack[j].param[i][0]) {
                                            out += snprintf(out, out_end-out,
-                                                            stack[j].param[i]);
+                                                            "%s", stack[j].param[i]);
                                            break;
                                        }
                        } else {
@@ -146,7 +146,7 @@ static const char *srt_to_ass(AVCodecContext *avctx, char *out, char *out_end,
                            for (i=0; i<PARAM_NUMBER; i++)
                                if (stack[sptr].param[i][0])
                                    out += snprintf(out, out_end-out,
-                                                    stack[sptr].param[i]);
+                                                    "%s", stack[sptr].param[i]);
                        }
                    } else if (!buffer[1] && strspn(buffer, "bisu") == 1) {
                        out += snprintf(out, out_end-out,
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -612,7 +612,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
        dir = i_mb_type_info[mb_type - 8].pred_mode;
        dir = (dir >> 1) ^ 3*(dir & 1) ^ 1;

-        if ((h->intra16x16_pred_mode = ff_h264_check_intra16x16_pred_mode(h, dir)) == -1){
+        if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1){
            av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n");
            return -1;
        }
@@ -711,7 +711,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
    s->current_picture.mb_type[mb_xy] = mb_type;

    if (IS_INTRA(mb_type)) {
-        h->chroma_pred_mode = ff_h264_check_intra_chroma_pred_mode(h, DC_PRED8x8);
+        h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8, 1);
    }

    return 0;
@@ -811,7 +811,9 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx)
    MpegEncContext *s = &h->s;
    int m;
    unsigned char *extradata;
+    unsigned char *extradata_end;
    unsigned int size;
+    int marker_found = 0;

    if (ff_h264_decode_init(avctx) < 0)
        return -1;
@@ -832,19 +834,26 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx)

        /* prowl for the "SEQH" marker in the extradata */
        extradata = (unsigned char *)avctx->extradata;
-        for (m = 0; m < avctx->extradata_size; m++) {
-            if (!memcmp(extradata, "SEQH", 4))
-                break;
-            extradata++;
+        extradata_end = avctx->extradata + avctx->extradata_size;
+        if (extradata) {
+            for (m = 0; m + 8 < avctx->extradata_size; m++) {
+                if (!memcmp(extradata, "SEQH", 4)) {
+                    marker_found = 1;
+                    break;
+                }
+                extradata++;
+            }
        }

        /* if a match was found, parse the extra data */
-        if (extradata && !memcmp(extradata, "SEQH", 4)) {
+        if (marker_found) {

            GetBitContext gb;
            int frame_size_code;

            size = AV_RB32(&extradata[4]);
+            if (size > extradata_end - extradata - 8)
+                return AVERROR_INVALIDDATA;
            init_get_bits(&gb, extradata + 8, size*8);

            /* 'frame size code' and optional 'width, height' */
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -56,24 +56,24 @@ typedef struct TiffContext {
    LZWState *lzw;
 } TiffContext;

-static int tget_short(const uint8_t **p, int le){
-    int v = le ? AV_RL16(*p) : AV_RB16(*p);
+static unsigned tget_short(const uint8_t **p, int le) {
+    unsigned v = le ? AV_RL16(*p) : AV_RB16(*p);
    *p += 2;
    return v;
 }

-static int tget_long(const uint8_t **p, int le){
-    int v = le ? AV_RL32(*p) : AV_RB32(*p);
+static unsigned tget_long(const uint8_t **p, int le) {
+    unsigned v = le ? AV_RL32(*p) : AV_RB32(*p);
    *p += 4;
    return v;
 }

-static int tget(const uint8_t **p, int type, int le){
+static unsigned tget(const uint8_t **p, int type, int le) {
    switch(type){
    case TIFF_BYTE : return *(*p)++;
    case TIFF_SHORT: return tget_short(p, le);
    case TIFF_LONG : return tget_long (p, le);
-    default        : return -1;
+    default        : return UINT_MAX;
    }
 }

@@ -274,7 +274,7 @@ static int init_image(TiffContext *s)

 static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *buf, const uint8_t *end_buf)
 {
-    int tag, type, count, off, value = 0;
+    unsigned tag, type, count, off, value = 0;
    int i, j;
    uint32_t *pal;
    const uint8_t *rp, *gp, *bp;
@@ -286,6 +286,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
    count = tget_long(&buf, s->le);
    off = tget_long(&buf, s->le);

+    if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
+        av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
+        return 0;
+    }
+
    if(count == 1){
        switch(type){
        case TIFF_BYTE:
@@ -304,13 +309,15 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
                break;
            }
        default:
-            value = -1;
+            value = UINT_MAX;
+            buf = start + off;
+        }
+    } else {
+        if (count <= 4 && type_sizes[type] * count <= 4) {
+            buf -= 4;
+        } else {
            buf = start + off;
        }
-    }else if(type_sizes[type] * count <= 4){
-        buf -= 4;
-    }else{
-        buf = start + off;
    }

    if(buf && (buf < start || buf > end_buf)){
@@ -388,7 +395,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
        }
        break;
    case TIFF_ROWSPERSTRIP:
-        if(type == TIFF_LONG && value == -1)
+        if (type == TIFF_LONG && value == UINT_MAX)
            value = s->avctx->height;
        if(value < 1){
            av_log(s->avctx, AV_LOG_ERROR, "Incorrect value of rows per strip\n");
@@ -526,6 +533,8 @@ static int decode_frame(AVCodecContext *avctx,
        av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n");
        return -1;
    }
+    // Reset these pointers so we can tell if they were set this frame
+    s->stripsizes = s->stripdata = NULL;
    /* parse image file directory */
    off = tget_long(&buf, le);
    if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) {
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -132,7 +132,7 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code)
               huff.val_bits, huff.max_bits);
        return -1;
    }
-    if((huff.nodes < 0) || (huff.nodes > 0x10000)) {
+    if((huff.nodes <= 0) || (huff.nodes > 0x10000)) {
        av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of Huffman tree nodes: %i\n", huff.nodes);
        return -1;
    }
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -484,6 +484,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Unsupported bitdepth %i\n", c->bpp);
+        return AVERROR_INVALIDDATA;
    }

    return 0;
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -150,7 +150,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values)
    }
 }

-static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
+static inline void render_line_unrolled(intptr_t x, int y, int x1,
                                        intptr_t sy, int ady, int adx,
                                        float *buf)
 {
@@ -162,14 +162,14 @@ static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
        if (err >= 0) {
            err += ady - adx;
            y   += sy;
-            buf[x++] = ff_vorbis_floor1_inverse_db_table[y];
+            buf[x++] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
        }
-        buf[x] = ff_vorbis_floor1_inverse_db_table[y];
+        buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
    }
    if (x <= 0) {
        if (err + ady >= 0)
            y += sy;
-        buf[x] = ff_vorbis_floor1_inverse_db_table[y];
+        buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
    }
 }

@@ -179,14 +179,14 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf)
    int adx = x1 - x0;
    int ady = FFABS(dy);
    int sy  = dy < 0 ? -1 : 1;
-    buf[x0] = ff_vorbis_floor1_inverse_db_table[y0];
+    buf[x0] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y0)];
    if (ady*2 <= adx) { // optimized common case
        render_line_unrolled(x0, y0, x1, sy, ady, adx, buf);
    } else {
-        int base = dy / adx;
-        int x    = x0;
-        int y    = y0;
-        int err  = -adx;
+        int base  = dy / adx;
+        int x     = x0;
+        int y     = y0;
+        int err   = -adx;
        ady -= FFABS(base) * adx;
        while (++x < x1) {
            y += base;
@@ -195,7 +195,7 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf)
                err -= adx;
                y   += sy;
            }
-            buf[x] = ff_vorbis_floor1_inverse_db_table[y];
+            buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
        }
    }
 }
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -660,7 +660,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc)
        res_setup->partition_size = get_bits(gb, 24) + 1;
        /* Validations to prevent a buffer overflow later. */
        if (res_setup->begin>res_setup->end ||
-            res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 ||
+            res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 ||
            (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {
            av_log(vc->avccontext, AV_LOG_ERROR,
                   "partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n",
@@ -1232,20 +1232,20 @@ static int vorbis_floor1_decode(vorbis_context *vc,
            floor1_flag[i]               = 1;
            if (val >= room) {
                if (highroom > lowroom) {
-                    floor1_Y_final[i] = val - lowroom + predicted;
+                    floor1_Y_final[i] = av_clip_uint16(val - lowroom + predicted);
                } else {
-                    floor1_Y_final[i] = predicted - val + highroom - 1;
+                    floor1_Y_final[i] = av_clip_uint16(predicted - val + highroom - 1);
                }
            } else {
                if (val & 1) {
-                    floor1_Y_final[i] = predicted - (val + 1) / 2;
+                    floor1_Y_final[i] = av_clip_uint16(predicted - (val + 1) / 2);
                } else {
-                    floor1_Y_final[i] = predicted + val / 2;
+                    floor1_Y_final[i] = av_clip_uint16(predicted + val / 2);
                }
            }
        } else {
            floor1_flag[i]    = 0;
-            floor1_Y_final[i] = predicted;
+            floor1_Y_final[i] = av_clip_uint16(predicted);
        }

        av_dlog(NULL, " Decoded floor(%d) = %u / val %u\n",
@@ -1269,6 +1269,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
                                                           uint8_t *do_not_decode,
                                                           float *vec,
                                                           unsigned vlen,
+                                                           unsigned ch_left,
                                                           int vr_type)
 {
    GetBitContext *gb = &vc->gb;
@@ -1276,6 +1277,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
    unsigned ptns_to_read = vr->ptns_to_read;
    uint8_t *classifs = vr->classifs;
    unsigned pass, ch_used, i, j, k, l;
+    unsigned max_output = (ch - 1) * vlen;

    if (vr_type == 2) {
        for (j = 1; j < ch; ++j)
@@ -1283,8 +1285,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
        if (do_not_decode[0])
            return 0;
        ch_used = 1;
+        max_output += vr->end / ch;
    } else {
        ch_used = ch;
+        max_output += vr->end;
+    }
+
+    if (max_output > ch_left * vlen) {
+        av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n");
+        return -1;
    }

    av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d  cpc %d  \n", ch, c_p_c);
@@ -1411,14 +1420,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
 static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr,
                                        unsigned ch,
                                        uint8_t *do_not_decode,
-                                        float *vec, unsigned vlen)
+                                        float *vec, unsigned vlen,
+                                        unsigned ch_left)
 {
    if (vr->type == 2)
-        return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 2);
+        return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 2);
    else if (vr->type == 1)
-        return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 1);
+        return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 1);
    else if (vr->type == 0)
-        return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 0);
+        return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 0);
    else {
        av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n");
        return -1;
@@ -1466,6 +1476,8 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
    uint8_t res_chan[255];
    unsigned res_num = 0;
    int retlen  = 0;
+    unsigned ch_left = vc->audio_channels;
+    unsigned vlen;

    if (get_bits1(gb)) {
        av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n");
@@ -1485,11 +1497,12 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)

    blockflag = vc->modes[mode_number].blockflag;
    blocksize = vc->blocksize[blockflag];
+    vlen = blocksize / 2;
    if (blockflag)
        skip_bits(gb, 2); // previous_window, next_window

-    memset(ch_res_ptr,   0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ?
-    memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ?
+    memset(ch_res_ptr,   0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?
+    memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?

 // Decode floor

@@ -1509,7 +1522,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
            return -1;
        }
        no_residue[i] = ret;
-        ch_floor_ptr += blocksize / 2;
+        ch_floor_ptr += vlen;
    }

 // Nonzero vector propagate
@@ -1526,6 +1539,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
    for (i = 0; i < mapping->submaps; ++i) {
        vorbis_residue *residue;
        unsigned ch = 0;
+        int ret;

        for (j = 0; j < vc->audio_channels; ++j) {
            if ((mapping->submaps == 1) || (i == mapping->mux[j])) {
@@ -1540,9 +1554,18 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
            }
        }
        residue = &vc->residues[mapping->submap_residue[i]];
-        vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2);
+        if (ch_left < ch) {
+            av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n");
+            return -1;
+        }
+        if (ch) {
+            ret = vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, vlen, ch_left);
+            if (ret < 0)
+                return ret;
+        }

-        ch_res_ptr += ch * blocksize / 2;
+        ch_res_ptr += ch * vlen;
+        ch_left -= ch;
    }

 // Inverse coupling
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -1323,6 +1323,8 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag,
            return i;
        }
    } while (i < 64);
+    // return value is expected to be a valid level
+    i--;
 end:
    // the actual DC+prediction is in the fragment structure
    block[0] = frag->dc * s->qmat[0][inter][plane][0];
@@ -1514,10 +1516,7 @@ static void render_slice(Vp3DecodeContext *s, int slice)
                    /* invert DCT and place (or add) in final output */

                    if (s->all_fragments[i].coding_method == MODE_INTRA) {
-                        int index;
-                        index = vp3_dequant(s, s->all_fragments + i, plane, 0, block);
-                        if (index > 63)
-                            continue;
+                        vp3_dequant(s, s->all_fragments + i, plane, 0, block);
                        if(s->avctx->idct_algo!=FF_IDCT_VP3)
                            block[0] += 128<<3;
                        s->dsp.idct_put(
@@ -1525,10 +1524,7 @@ static void render_slice(Vp3DecodeContext *s, int slice)
                            stride,
                            block);
                    } else {
-                        int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block);
-                        if (index > 63)
-                            continue;
-                        if (index > 0) {
+                        if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) {
                        s->dsp.idct_add(
                            output_plane + first_pixel,
                            stride,
--- a/libavcodec/vp5.c
+++ b/libavcodec/vp5.c
@@ -55,6 +55,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
        }
        rows = vp56_rac_gets(c, 8);  /* number of stored macroblock rows */
        cols = vp56_rac_gets(c, 8);  /* number of stored macroblock cols */
+        if (!rows || !cols) {
+            av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n",
+                   cols << 4, rows << 4);
+            return 0;
+        }
        vp56_rac_gets(c, 8);  /* number of displayed macroblock rows */
        vp56_rac_gets(c, 8);  /* number of displayed macroblock cols */
        vp56_rac_gets(c, 2);
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -75,6 +75,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
        cols = buf[3];  /* number of stored macroblock cols */
        /* buf[4] is number of displayed macroblock rows */
        /* buf[5] is number of displayed macroblock cols */
+        if (!rows || !cols) {
+            av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4);
+            return 0;
+        }

        if (!s->macroblocks || /* first frame */
            16*cols != s->avctx->coded_width ||
@@ -95,7 +99,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
            vrt_shift = 5;
        s->sub_version = sub_version;
    } else {
-        if (!s->sub_version)
+        if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height)
            return 0;

        if (separated_coeff || !s->filter_header) {
--- a/libavcodec/wma.c
+++ b/libavcodec/wma.c
@@ -85,7 +85,7 @@ int av_cold ff_wma_get_frame_len_bits(int sample_rate, int version,
    } else if (sample_rate <= 22050 ||
             (sample_rate <= 32000 && version == 1)) {
        frame_len_bits = 10;
-    } else if (sample_rate <= 48000) {
+    } else if (sample_rate <= 48000 || version < 3) {
        frame_len_bits = 11;
    } else if (sample_rate <= 96000) {
        frame_len_bits = 12;
--- a/libavcodec/wmadec.c
+++ b/libavcodec/wmadec.c
@@ -364,7 +364,7 @@ static int decode_exp_vlc(WMACodecContext *s, int ch)
        }
        /* NOTE: this offset is the same as MPEG4 AAC ! */
        last_exp += code - 60;
-        if ((unsigned)last_exp + 60 > FF_ARRAY_ELEMS(pow_tab)) {
+        if ((unsigned)last_exp + 60 >= FF_ARRAY_ELEMS(pow_tab)) {
            av_log(s->avctx, AV_LOG_ERROR, "Exponent out of range: %d\n",
                   last_exp);
            return -1;
@@ -882,6 +882,8 @@ static int wma_decode_superframe(AVCodecContext *avctx,

        /* read each frame starting from bit_offset */
        pos = bit_offset + 4 + 4 + s->byte_offset_bits + 3;
+        if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8)
+            return AVERROR_INVALIDDATA;
        init_get_bits(&s->gb, buf + (pos >> 3), (MAX_CODED_SUPERFRAME_SIZE - (pos >> 3))*8);
        len = pos & 7;
        if (len > 0)
--- a/libavcodec/wmaenc.c
+++ b/libavcodec/wmaenc.c
@@ -39,6 +39,12 @@ static int encode_init(AVCodecContext * avctx){
        return AVERROR(EINVAL);
    }

+    if (avctx->sample_rate > 48000) {
+        av_log(avctx, AV_LOG_ERROR, "sample rate is too high: %d > 48kHz",
+               avctx->sample_rate);
+        return AVERROR(EINVAL);
+    }
+
    if(avctx->bit_rate < 24*1000) {
        av_log(avctx, AV_LOG_ERROR, "bitrate too low: got %i, need 24000 or higher\n",
               avctx->bit_rate);
@@ -64,6 +70,8 @@ static int encode_init(AVCodecContext * avctx){
    s->use_exp_vlc = flags2 & 0x0001;
    s->use_bit_reservoir = flags2 & 0x0002;
    s->use_variable_block_len = flags2 & 0x0004;
+    if (avctx->channels == 2)
+        s->ms_stereo = 1;

    ff_wma_init(avctx, flags2);

@@ -71,8 +79,12 @@ static int encode_init(AVCodecContext * avctx){
    for(i = 0; i < s->nb_block_sizes; i++)
        ff_mdct_init(&s->mdct_ctx[i], s->frame_len_bits - i + 1, 0, 1.0);

-    avctx->block_align=
-    s->block_align= avctx->bit_rate*(int64_t)s->frame_len / (avctx->sample_rate*8);
+    s->block_align     = avctx->bit_rate * (int64_t)s->frame_len /
+                         (avctx->sample_rate * 8);
+    s->block_align     = FFMIN(s->block_align, MAX_CODED_SUPERFRAME_SIZE);
+    avctx->block_align = s->block_align;
+    avctx->bit_rate    = avctx->block_align * 8LL * avctx->sample_rate /
+                         s->frame_len;
 //av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", s->block_align, avctx->bit_rate, s->frame_len, avctx->sample_rate);
    avctx->frame_size= s->frame_len;

@@ -181,7 +193,7 @@ static int encode_block(WMACodecContext *s, float (*src_coefs)[BLOCK_MAX_SIZE],
    }

    if (s->nb_channels == 2) {
-        put_bits(&s->pb, 1, s->ms_stereo= 1);
+        put_bits(&s->pb, 1, !!s->ms_stereo);
    }

    for(ch = 0; ch < s->nb_channels; ch++) {
@@ -355,6 +367,11 @@ static int encode_superframe(AVCodecContext *avctx,
        }
    }

+    if (buf_size < 2 * MAX_CODED_SUPERFRAME_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "output buffer size is too small\n");
+        return AVERROR(EINVAL);
+    }
+
 #if 1
    total_gain= 128;
    for(i=64; i; i>>=1){
--- a/libavcodec/ws-snd1.c
+++ b/libavcodec/ws-snd1.c
@@ -100,8 +100,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,

        /* make sure we don't write more than out_size samples */
        switch (code) {
-        case 0:  smp = 4;                              break;
-        case 1:  smp = 2;                              break;
+        case 0:  smp = 4*(count+1);                    break;
+        case 1:  smp = 2*(count+1);                    break;
        case 2:  smp = (count & 0x20) ? 1 : count + 1; break;
        default: smp = count + 1;                      break;
        }
--- a/libavcodec/x86/dsputil_yasm.asm
+++ b/libavcodec/x86/dsputil_yasm.asm
@@ -474,7 +474,7 @@ cglobal scalarproduct_float_sse, 3,3,2, v1, v2, offset
    shufps  xmm0, xmm0, 1
    addss   xmm0, xmm1
 %ifndef ARCH_X86_64
-    movd    r0m,  xmm0
+    movss   r0m,  xmm0
    fld     dword r0m
 %endif
    RET
--- a/libavcodec/x86/dsputilenc_mmx.c
+++ b/libavcodec/x86/dsputilenc_mmx.c
@@ -823,6 +823,7 @@ static int vsad16_mmx2(void *v, uint8_t * pix1, uint8_t * pix2, int line_size, i

 static void diff_bytes_mmx(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
    x86_reg i=0;
+    if(w>=16)
    __asm__ volatile(
        "1:                             \n\t"
        "movq  (%2, %0), %%mm0          \n\t"
--- a/libavcodec/x86/h264_deblock_10bit.asm
+++ b/libavcodec/x86/h264_deblock_10bit.asm
@@ -876,7 +876,7 @@ cglobal deblock_v_chroma_10_%1, 5,7-(mmsize/16),8*(mmsize/16)
 %if mmsize < 16
    add         r0, mmsize
    add         r5, mmsize
-    add         r4, mmsize/8
+    add         r4, mmsize/4
    dec         r6
    jg .loop
    REP_RET
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -555,8 +555,10 @@ static int xan_decode_frame(AVCodecContext *avctx,
        }
        buf_size = buf_end - buf;
    }
-    if (s->palettes_count <= 0)
+    if (s->palettes_count <= 0) {
+        av_log(s->avctx, AV_LOG_ERROR, "No palette found\n");
        return AVERROR_INVALIDDATA;
+    }

    if ((ret = avctx->get_buffer(avctx, &s->current_frame))) {
        av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n");
--- a/libavfilter/avfilter.c
+++ b/libavfilter/avfilter.c
@@ -614,7 +614,7 @@ void avfilter_filter_samples(AVFilterLink *link, AVFilterBufferRef *samplesref)
        link->cur_buf->audio->sample_rate = samplesref->audio->sample_rate;

        /* Copy actual data into new samples buffer */
-        for (i = 0; samplesref->data[i]; i++)
+        for (i = 0; samplesref->data[i] && i < 8; i++)
            memcpy(link->cur_buf->data[i], samplesref->data[i], samplesref->linesize[0]);

        avfilter_unref_buffer(samplesref);
--- a/libavfilter/vf_pad.c
+++ b/libavfilter/vf_pad.c
@@ -157,7 +157,7 @@ static int config_input(AVFilterLink *inlink)
    var_values[VAR_OUT_H] = var_values[VAR_OH] = NAN;
    var_values[VAR_A]     = (float) inlink->w / inlink->h;
    var_values[VAR_HSUB]  = 1<<pad->hsub;
-    var_values[VAR_VSUB]  = 2<<pad->vsub;
+    var_values[VAR_VSUB]  = 1<<pad->vsub;

    /* evaluate width and height */
    av_expr_parse_and_eval(&res, (expr = pad->w_expr),
--- a/libavfilter/vf_scale.c
+++ b/libavfilter/vf_scale.c
@@ -232,9 +232,11 @@ static int config_props(AVFilterLink *outlink)
    if (!scale->sws || !scale->isws[0] || !scale->isws[1])
        return AVERROR(EINVAL);

-    if (inlink->sample_aspect_ratio.num){
-        outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h * inlink->w, outlink->w * inlink->h}, inlink->sample_aspect_ratio);
-    } else
+    if (inlink->sample_aspect_ratio.num)
+        outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h*inlink->w,
+                                                             outlink->w*inlink->h},
+                                                inlink->sample_aspect_ratio);
+    else
        outlink->sample_aspect_ratio = inlink->sample_aspect_ratio;

    return 0;
--- a/libavfilter/vf_yadif.c
+++ b/libavfilter/vf_yadif.c
@@ -36,8 +36,8 @@ typedef struct {
    int mode;

    /**
-     *  0: bottom field first
-     *  1: top field first
+     *  0: top field first
+     *  1: bottom field first
     * -1: auto-detection
     */
    int parity;
@@ -195,9 +195,12 @@ static void return_frame(AVFilterContext *ctx, int is_second)
        tff = yadif->parity^1;
    }

-    if (is_second)
+    if (is_second) {
        yadif->out = avfilter_get_video_buffer(link, AV_PERM_WRITE | AV_PERM_PRESERVE |
                                               AV_PERM_REUSE, link->w, link->h);
+        avfilter_copy_buffer_ref_props(yadif->out, yadif->cur);
+        yadif->out->video->interlaced = 0;
+    }

    if (!yadif->csp)
        yadif->csp = &av_pix_fmt_descriptors[link->format];
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -176,7 +176,7 @@ static int fourxm_read_header(AVFormatContext *s,
                                              sizeof(AudioTrack),
                                              current_track + 1);
                if (!fourxm->tracks) {
-                    ret=  AVERROR(ENOMEM);
+                    ret = AVERROR(ENOMEM);
                    goto fail;
                }
                memset(&fourxm->tracks[fourxm->track_count], 0,
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -196,6 +196,8 @@ static int asf_read_file_properties(AVFormatContext *s, int64_t size)
    asf->hdr.flags              = avio_rl32(pb);
    asf->hdr.min_pktsize        = avio_rl32(pb);
    asf->hdr.max_pktsize        = avio_rl32(pb);
+    if (asf->hdr.min_pktsize >= (1U<<29))
+        return AVERROR_INVALIDDATA;
    asf->hdr.max_bitrate        = avio_rl32(pb);
    s->packet_size = asf->hdr.max_pktsize;

@@ -610,7 +612,9 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap)
        if (gsize < 24)
            return -1;
        if (!ff_guidcmp(&g, &ff_asf_file_header)) {
-            asf_read_file_properties(s, gsize);
+            int ret = asf_read_file_properties(s, gsize);
+            if (ret < 0)
+                return ret;
        } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
            asf_read_stream_properties(s, gsize);
        } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
@@ -751,7 +755,7 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb)
        c= avio_r8(pb);
        d= avio_r8(pb);
        rsize+=3;
-    }else{
+    } else if (!pb->eof_reached) {
        avio_seek(pb, -1, SEEK_CUR); //FIXME
    }

@@ -783,6 +787,13 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb)
        asf->packet_segments = 1;
        asf->packet_segsizetype = 0x80;
    }
+    if (rsize > packet_length - padsize) {
+        asf->packet_size_left = 0;
+        av_log(s, AV_LOG_ERROR,
+               "invalid packet header length %d for pktlen %d-%d at %"PRId64"\n",
+               rsize, packet_length, padsize, avio_tell(pb));
+        return -1;
+    }
    asf->packet_size_left = packet_length - padsize - rsize;
    if (packet_length < asf->hdr.min_pktsize)
        padsize += asf->hdr.min_pktsize - packet_length;
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@@ -119,16 +119,23 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
    if (quant > 1)
        return -1; /* unsupported quantization */

+    if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency))
+        return AVERROR_INVALIDDATA;
+
    size = (sys->audio_min_samples[freq] + smpls) * 4; /* 2ch, 2bytes */
    half_ch = sys->difseg_size / 2;

    /* We work with 720p frames split in half, thus even frames have
     * channels 0,1 and odd 2,3. */
    ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0;
-    pcm  = ppcm[ipcm++];

    /* for each DIF channel */
    for (chan = 0; chan < sys->n_difchan; chan++) {
+        /* next stereo channel (50Mbps and 100Mbps only) */
+        pcm = ppcm[ipcm++];
+        if (!pcm)
+            break;
+
        /* for each DIF segment */
        for (i = 0; i < sys->difseg_size; i++) {
            frame += 6 * 80; /* skip DIF segment header */
@@ -176,11 +183,6 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
                frame += 16 * 80; /* 15 Video DIFs + 1 Audio DIF */
            }
        }
-
-        /* next stereo channel (50Mbps and 100Mbps only) */
-        pcm = ppcm[ipcm++];
-        if (!pcm)
-            break;
    }

    return size;
@@ -202,6 +204,18 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame)
    stype = (as_pack[3] & 0x1f);      /* 0 - 2CH, 2 - 4CH, 3 - 8CH */
    quant =  as_pack[4] & 0x07;       /* 0 - 16bit linear, 1 - 12bit nonlinear */

+    if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency)) {
+        av_log(c->fctx, AV_LOG_ERROR,
+               "Unrecognized audio sample rate index (%d)\n", freq);
+        return 0;
+    }
+
+    if (stype > 3) {
+        av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype);
+        c->ach = 0;
+        return 0;
+    }
+
    /* note: ach counts PAIRS of channels (i.e. stereo channels) */
    ach = ((int[4]){  1,  0,  2,  4})[stype];
    if (ach == 1 && quant && freq == 2)
@@ -336,7 +350,8 @@ int dv_produce_packet(DVDemuxContext *c, AVPacket *pkt,
       c->audio_pkt[i].pts  = c->abytes * 30000*8 / c->ast[i]->codec->bit_rate;
       ppcm[i] = c->audio_buf[i];
    }
-    dv_extract_audio(buf, ppcm, c->sys);
+    if (c->ach)
+        dv_extract_audio(buf, ppcm, c->sys);

    /* We work with 720p frames split in half, thus even frames have
     * channels 0,1 and odd 2,3. */
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -173,8 +173,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream
        }
    }

-    if (timeslen == fileposlen) {
-         for(i = 0; i < timeslen; i++)
+    if (!ret && timeslen == fileposlen) {
+         for (i = 0; i < fileposlen; i++)
             av_add_index_entry(vstream, filepositions[i], times[i]*1000, 0, 0, AVINDEX_KEYFRAME);
    } else
        av_log(s, AV_LOG_WARNING, "Invalid keyframes object, skipping.\n");
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -224,8 +224,17 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t

    unsync = flags & 0x80;

-    if (isv34 && flags & 0x40) /* Extended header present, just skip over it */
-        avio_skip(s->pb, get_size(s->pb, 4));
+    if (isv34 && flags & 0x40) { /* Extended header present, just skip over it */
+        int extlen = get_size(s->pb, 4);
+        if (version == 4)
+            extlen -= 4;     // in v2.4 the length includes the length field we just read
+
+        if (extlen < 0) {
+            reason = "invalid extended header length";
+            goto error;
+        }
+        avio_skip(s->pb, extlen);
+    }

    while (len >= taghdrlen) {
        unsigned int tflags = 0;
--- a/libavformat/isom.c
+++ b/libavformat/isom.c
@@ -149,10 +149,13 @@ const AVCodecTag codec_movvideo_tags[] = {
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '1') }, /* MPEG2 HDV 720p30 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '2') }, /* MPEG2 HDV 1080i60 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '3') }, /* MPEG2 HDV 1080i50 */
+    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '4') }, /* MPEG2 HDV 720p24 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '5') }, /* MPEG2 HDV 720p25 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '6') }, /* MPEG2 HDV 1080p24 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '7') }, /* MPEG2 HDV 1080p25 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '8') }, /* MPEG2 HDV 1080p30 */
+    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '9') }, /* MPEG2 HDV 720p60 JVC */
+    { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', 'a') }, /* MPEG2 HDV 720p50 */
    { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '5', 'n') }, /* MPEG2 IMX NTSC 525/60 50mb/s produced by FCP */
    { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '5', 'p') }, /* MPEG2 IMX PAL 625/50 50mb/s produced by FCP */
    { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '4', 'n') }, /* MPEG2 IMX NTSC 525/60 40mb/s produced by FCP */
@@ -183,6 +186,8 @@ const AVCodecTag codec_movvideo_tags[] = {
    { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'd') }, /* XDCAM EX 1080p24 VBR */
    { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'e') }, /* XDCAM EX 1080p25 VBR */
    { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'f') }, /* XDCAM EX 1080p30 VBR */
+    { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'h', 'd') }, /* XDCAM HD 540p */
+    { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'h', '2') }, /* XDCAM HD422 540p */
    { CODEC_ID_MPEG2VIDEO, MKTAG('A', 'V', 'm', 'p') }, /* AVID IMX PAL */

    { CODEC_ID_JPEG2000, MKTAG('m', 'j', 'p', '2') }, /* JPEG 2000 produced by FCP */
@@ -397,7 +402,7 @@ int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext
    len = ff_mp4_read_descr(fc, pb, &tag);
    if (tag == MP4DecSpecificDescrTag) {
        av_dlog(fc, "Specific MPEG4 header len=%d\n", len);
-        if((uint64_t)len > (1<<30))
+        if (!len || (uint64_t)len > (1<<30))
            return -1;
        av_free(st->codec->extradata);
        st->codec->extradata = av_mallocz(len + FF_INPUT_BUFFER_PADDING_SIZE);
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -664,16 +664,19 @@ static int ebml_read_float(AVIOContext *pb, int size, double *num)
 */
 static int ebml_read_ascii(AVIOContext *pb, int size, char **str)
 {
-    av_free(*str);
+    char *res;
+
    /* EBML strings are usually not 0-terminated, so we allocate one
     * byte more, read the string and NULL-terminate it ourselves. */
-    if (!(*str = av_malloc(size + 1)))
+    if (!(res = av_malloc(size + 1)))
        return AVERROR(ENOMEM);
-    if (avio_read(pb, (uint8_t *) *str, size) != size) {
-        av_freep(str);
+    if (avio_read(pb, (uint8_t *) res, size) != size) {
+        av_free(res);
        return AVERROR(EIO);
    }
-    (*str)[size] = '\0';
+    (res)[size] = '\0';
+    av_free(*str);
+    *str = res;

    return 0;
 }
@@ -1169,7 +1172,6 @@ static void matroska_convert_tags(AVFormatContext *s)
 static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
 {
    EbmlList *seekhead_list = &matroska->seekhead;
-    MatroskaSeekhead *seekhead = seekhead_list->elem;
    uint32_t level_up = matroska->level_up;
    int64_t before_pos = avio_tell(matroska->ctx->pb);
    uint32_t saved_id = matroska->current_id;
@@ -1182,6 +1184,7 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
        return;

    for (i=0; i<seekhead_list->nb_elem; i++) {
+        MatroskaSeekhead *seekhead = seekhead_list->elem;
        int64_t offset = seekhead[i].pos + matroska->segment_start;

        if (seekhead[i].pos <= before_pos
@@ -1427,7 +1430,7 @@ static int matroska_read_header(AVFormatContext *s, AVFormatParameters *ap)
        } else if (codec_id == CODEC_ID_AAC && !track->codec_priv.size) {
            int profile = matroska_aac_profile(track->codec_id);
            int sri = matroska_aac_sri(track->audio.samplerate);
-            extradata = av_malloc(5);
+            extradata = av_mallocz(5 + FF_INPUT_BUFFER_PADDING_SIZE);
            if (extradata == NULL)
                return AVERROR(ENOMEM);
            extradata[0] = (profile << 3) | ((sri&0x0E) >> 1);
@@ -1836,15 +1839,31 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                if (!track->audio.pkt_cnt) {
                    if (track->audio.sub_packet_cnt == 0)
                        track->audio.buf_timecode = timecode;
-                    if (st->codec->codec_id == CODEC_ID_RA_288)
+                    if (st->codec->codec_id == CODEC_ID_RA_288) {
+                        if (size < cfs * h / 2) {
+                            av_log(matroska->ctx, AV_LOG_ERROR,
+                                   "Corrupt int4 RM-style audio packet size\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                        for (x=0; x<h/2; x++)
                            memcpy(track->audio.buf+x*2*w+y*cfs,
                                   data+x*cfs, cfs);
-                    else if (st->codec->codec_id == CODEC_ID_SIPR)
+                    } else if (st->codec->codec_id == CODEC_ID_SIPR) {
+                        if (size < w) {
+                            av_log(matroska->ctx, AV_LOG_ERROR,
+                                   "Corrupt sipr RM-style audio packet size\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                        memcpy(track->audio.buf + y*w, data, w);
-                    else
+                    } else {
+                        if (size < sps * w / sps) {
+                            av_log(matroska->ctx, AV_LOG_ERROR,
+                                   "Corrupt generic RM-style audio packet size\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                        for (x=0; x<w/sps; x++)
                            memcpy(track->audio.buf+sps*(h*x+((h+1)/2)*(y&1)+(y>>1)), data+x*sps, sps);
+                    }

                    if (++track->audio.sub_packet_cnt >= h) {
                        if (st->codec->codec_id == CODEC_ID_SIPR)
--- a/libavformat/mpeg.c
+++ b/libavformat/mpeg.c
@@ -423,7 +423,7 @@ static int mpegps_read_packet(AVFormatContext *s,
 {
    MpegDemuxContext *m = s->priv_data;
    AVStream *st;
-    int len, startcode, i, es_type;
+    int len, startcode, i, es_type, ret;
    int request_probe= 0;
    enum CodecID codec_id = CODEC_ID_NONE;
    enum AVMediaType type;
@@ -568,8 +568,7 @@ static int mpegps_read_packet(AVFormatContext *s,
        else if (st->codec->bits_per_coded_sample == 28)
            return AVERROR(EINVAL);
    }
-    av_new_packet(pkt, len);
-    avio_read(s->pb, pkt->data, pkt->size);
+    ret = av_get_packet(s->pb, pkt, len);
    pkt->pts = pts;
    pkt->dts = dts;
    pkt->pos = dummy_pos;
@@ -578,7 +577,7 @@ static int mpegps_read_packet(AVFormatContext *s,
            pkt->stream_index, pkt->pts / 90000.0, pkt->dts / 90000.0,
            pkt->size);

-    return 0;
+    return (ret < 0) ? ret : 0;
 }

 static int64_t mpegps_read_dts(AVFormatContext *s, int stream_index,
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -308,7 +308,9 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
        char *token, *value;
        char quote;

-        p = strings = av_mallocz(strings_size + 1);
+        p = strings = av_mallocz((size_t)strings_size + 1);
+        if (!p)
+            return AVERROR(ENOMEM);
        endp = strings + strings_size;
        avio_read(pb, strings, strings_size);
        while (p < endp) {
@@ -343,6 +345,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
        if((unsigned)table_entries_used >= UINT_MAX / sizeof(uint32_t))
            return -1;
        nsv->nsvs_file_offset = av_malloc((unsigned)table_entries_used * sizeof(uint32_t));
+        if (!nsv->nsvs_file_offset)
+            return AVERROR(ENOMEM);

        for(i=0;i<table_entries_used;i++)
            nsv->nsvs_file_offset[i] = avio_rl32(pb) + size;
@@ -350,6 +354,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
        if(table_entries > table_entries_used &&
           avio_rl32(pb) == MKTAG('T','O','C','2')) {
            nsv->nsvs_timestamps = av_malloc((unsigned)table_entries_used*sizeof(uint32_t));
+            if (!nsv->nsvs_timestamps)
+                return AVERROR(ENOMEM);
            for(i=0;i<table_entries_used;i++) {
                nsv->nsvs_timestamps[i] = avio_rl32(pb);
            }
@@ -518,11 +524,16 @@ static int nsv_read_header(AVFormatContext *s, AVFormatParameters *ap)
    for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) {
        if (nsv_resync(s) < 0)
            return -1;
-        if (nsv->state == NSV_FOUND_NSVF)
+        if (nsv->state == NSV_FOUND_NSVF) {
            err = nsv_parse_NSVf_header(s, ap);
+            if (err < 0)
+                return err;
+        }
            /* we need the first NSVs also... */
        if (nsv->state == NSV_FOUND_NSVS) {
            err = nsv_parse_NSVs_header(s, ap);
+            if (err < 0)
+                return err;
            break; /* we just want the first one */
        }
    }
@@ -597,12 +608,12 @@ null_chunk_retry:
    }

    /* map back streams to v,a */
-    if (s->streams[0])
+    if (s->nb_streams > 0)
        st[s->streams[0]->id] = s->streams[0];
-    if (s->streams[1])
+    if (s->nb_streams > 1)
        st[s->streams[1]->id] = s->streams[1];

-    if (vsize/* && st[NSV_ST_VIDEO]*/) {
+    if (vsize && st[NSV_ST_VIDEO]) {
        nst = st[NSV_ST_VIDEO]->priv_data;
        pkt = &nsv->ahead[NSV_ST_VIDEO];
        av_get_packet(pb, pkt, vsize);
@@ -615,7 +626,7 @@ null_chunk_retry:
    if(st[NSV_ST_VIDEO])
        ((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++;

-    if (asize/*st[NSV_ST_AUDIO]*/) {
+    if (asize && st[NSV_ST_AUDIO]) {
        nst = st[NSV_ST_AUDIO]->priv_data;
        pkt = &nsv->ahead[NSV_ST_AUDIO];
        /* read raw audio specific header on the first audio chunk... */
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -378,8 +378,19 @@ static int rm_read_index(AVFormatContext *s)
                st = s->streams[n];
                break;
            }
-        if (n == s->nb_streams)
+        if (n == s->nb_streams) {
+            av_log(s, AV_LOG_ERROR,
+                   "Invalid stream index %d for index at pos %"PRId64"\n",
+                   str_id, avio_tell(pb));
            goto skip;
+        } else if ((avio_size(pb) - avio_tell(pb)) / 14 < n_pkts) {
+            av_log(s, AV_LOG_ERROR,
+                   "Nr. of packets in packet index for stream index %d "
+                   "exceeds filesize (%"PRId64" at %"PRId64" = %d)\n",
+                   str_id, avio_size(pb), avio_tell(pb),
+                   (avio_size(pb) - avio_tell(pb)) / 14);
+            goto skip;
+        }

        for (n = 0; n < n_pkts; n++) {
            avio_skip(pb, 2);
@@ -391,9 +402,12 @@ static int rm_read_index(AVFormatContext *s)
        }

 skip:
-        if (next_off && avio_tell(pb) != next_off &&
-            avio_seek(pb, next_off, SEEK_SET) < 0)
+        if (next_off && avio_tell(pb) < next_off &&
+            avio_seek(pb, next_off, SEEK_SET) < 0) {
+            av_log(s, AV_LOG_ERROR,
+                   "Non-linear index detected, not supported\n");
            return -1;
+        }
    } while (next_off);

    return 0;
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -261,8 +261,15 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
                    sz += (t & 0x7F) + 1;
                    pal += ((t & 0x7F) + 1) * 3;
                } else if(t & 0x40){ /* copy with offset */
-                    off = avio_r8(s->pb) * 3;
+                    off = avio_r8(s->pb);
                    j = (t & 0x3F) + 1;
+                    if (off + j > 0xff) {
+                        av_log(s, AV_LOG_ERROR,
+                               "Invalid palette update, offset=%d length=%d extends beyond palette size\n",
+                               off, j);
+                        return AVERROR_INVALIDDATA;
+                    }
+                    off *= 3;
                    while(j-- && sz < 256) {
                        *pal++ = oldpal[off + 0];
                        *pal++ = oldpal[off + 1];
--- a/libavformat/sol.c
+++ b/libavformat/sol.c
@@ -132,6 +132,8 @@ static int sol_read_packet(AVFormatContext *s,
    if (url_feof(s->pb))
        return AVERROR(EIO);
    ret= av_get_packet(s->pb, pkt, MAX_SIZE);
+    if (ret < 0)
+        return ret;
    pkt->stream_index = 0;

    /* note: we need to modify the packet size here to handle the last
--- a/libavformat/swfdec.c
+++ b/libavformat/swfdec.c
@@ -84,7 +84,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
    SWFContext *swf = s->priv_data;
    AVIOContext *pb = s->pb;
    AVStream *vst = NULL, *ast = NULL, *st = 0;
-    int tag, len, i, frame, v;
+    int tag, len, i, frame, v, res;

    for(;;) {
        uint64_t pos = avio_tell(pb);
@@ -147,7 +147,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
                st = s->streams[i];
                if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO && st->id == ch_id) {
                    frame = avio_rl16(pb);
-                    av_get_packet(pb, pkt, len-2);
+                    if ((res = av_get_packet(pb, pkt, len-2)) < 0)
+                        return res;
                    pkt->pos = pos;
                    pkt->pts = frame;
                    pkt->stream_index = st->index;
@@ -160,9 +161,11 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
                if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO && st->id == -1) {
            if (st->codec->codec_id == CODEC_ID_MP3) {
                avio_skip(pb, 4);
-                av_get_packet(pb, pkt, len-4);
+                if ((res = av_get_packet(pb, pkt, len-4)) < 0)
+                    return res;
            } else { // ADPCM, PCM
-                av_get_packet(pb, pkt, len);
+                if ((res = av_get_packet(pb, pkt, len)) < 0)
+                    return res;
            }
            pkt->pos = pos;
            pkt->stream_index = st->index;
@@ -186,7 +189,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
                st = vst;
            }
            avio_rl16(pb); /* BITMAP_ID */
-            av_new_packet(pkt, len-2);
+            if ((res = av_new_packet(pkt, len-2)) < 0)
+                return res;
            avio_read(pb, pkt->data, 4);
            if (AV_RB32(pkt->data) == 0xffd8ffd9 ||
                AV_RB32(pkt->data) == 0xffd9ffd8) {
--- a/libavutil/intfloat_readwrite.c
+++ b/libavutil/intfloat_readwrite.c
@@ -30,13 +30,13 @@
 #include "intfloat_readwrite.h"

 double av_int2dbl(int64_t v){
-    if(v+v > 0xFFEULL<<52)
+    if((uint64_t)v+v > 0xFFEULL<<52)
        return NAN;
    return ldexp(((v&((1LL<<52)-1)) + (1LL<<52)) * (v>>63|1), (v>>52&0x7FF)-1075);
 }

 float av_int2flt(int32_t v){
-    if(v+v > 0xFF000000U)
+    if((uint32_t)v+v > 0xFF000000U)
        return NAN;
    return ldexp(((v&0x7FFFFF) + (1<<23)) * (v>>31|1), (v>>23&0xFF)-150);
 }
--- a/libswscale/utils.c
+++ b/libswscale/utils.c
@@ -272,7 +272,7 @@ static int initFilter(int16_t **outFilter, int16_t **filterPos, int *outFilterSi
            xDstInSrc+= xInc;
        }
    } else {
-        int xDstInSrc;
+        int64_t xDstInSrc;
        int sizeFactor;

        if      (flags&SWS_BICUBIC)      sizeFactor=  4;
@@ -291,7 +291,7 @@ static int initFilter(int16_t **outFilter, int16_t **filterPos, int *outFilterSi
        if (xInc <= 1<<16)      filterSize= 1 + sizeFactor; // upscale
        else                    filterSize= 1 + (sizeFactor*srcW + dstW - 1)/ dstW;

-        if (filterSize > srcW-2) filterSize=srcW-2;
+        filterSize = av_clip(filterSize, 1, srcW - 2);

        FF_ALLOC_OR_GOTO(NULL, filter, dstW*sizeof(*filter)*filterSize, fail);

@@ -824,8 +824,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter)
    if (!dstFilter) dstFilter= &dummyFilter;
    if (!srcFilter) srcFilter= &dummyFilter;

-    c->lumXInc= ((srcW<<16) + (dstW>>1))/dstW;
-    c->lumYInc= ((srcH<<16) + (dstH>>1))/dstH;
+    c->lumXInc= (((int64_t)srcW<<16) + (dstW>>1))/dstW;
+    c->lumYInc= (((int64_t)srcH<<16) + (dstH>>1))/dstH;
    c->dstFormatBpp = av_get_bits_per_pixel(&av_pix_fmt_descriptors[dstFormat]);
    c->srcFormatBpp = av_get_bits_per_pixel(&av_pix_fmt_descriptors[srcFormat]);
    c->vRounder= 4* 0x0001000100010001ULL;
@@ -887,8 +887,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter)
    else
        c->canMMX2BeUsed=0;

-    c->chrXInc= ((c->chrSrcW<<16) + (c->chrDstW>>1))/c->chrDstW;
-    c->chrYInc= ((c->chrSrcH<<16) + (c->chrDstH>>1))/c->chrDstH;
+    c->chrXInc= (((int64_t)c->chrSrcW<<16) + (c->chrDstW>>1))/c->chrDstW;
+    c->chrYInc= (((int64_t)c->chrSrcH<<16) + (c->chrDstH>>1))/c->chrDstH;

    // match pixel 0 of the src to pixel 0 of dst and match pixel n-2 of src to pixel n-2 of dst
    // but only for the FAST_BILINEAR mode otherwise do correct scaling
@@ -903,8 +903,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter)
        }
        //we don't use the x86 asm scaler if MMX is available
        else if (HAVE_MMX && cpu_flags & AV_CPU_FLAG_MMX) {
-            c->lumXInc = ((srcW-2)<<16)/(dstW-2) - 20;
-            c->chrXInc = ((c->chrSrcW-2)<<16)/(c->chrDstW-2) - 20;
+            c->lumXInc = ((int64_t)(srcW-2)<<16)/(dstW-2) - 20;
+            c->chrXInc = ((int64_t)(c->chrSrcW-2)<<16)/(c->chrDstW-2) - 20;
        }
    }

@@ -1008,7 +1008,7 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter)
    c->vLumBufSize= c->vLumFilterSize;
    c->vChrBufSize= c->vChrFilterSize;
    for (i=0; i<dstH; i++) {
-        int chrI= (int64_t)i*c->chrDstH / dstH;
+        int chrI = (int64_t) i * c->chrDstH / dstH;
        int nextSlice= FFMAX(c->vLumFilterPos[i   ] + c->vLumFilterSize - 1,
                           ((c->vChrFilterPos[chrI] + c->vChrFilterSize - 1)<<c->chrSrcVSubSample));

--- a/libswscale/x86/swscale_mmx.c
+++ b/libswscale/x86/swscale_mmx.c
@@ -132,6 +132,44 @@ void updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrBufI
        const int16_t **chrUSrcPtr= (const int16_t **) chrUPixBuf + chrBufIndex + firstChrSrcY - lastInChrBuf + vChrBufSize;
        const int16_t **alpSrcPtr= (CONFIG_SWSCALE_ALPHA && alpPixBuf) ? (const int16_t **) alpPixBuf + lumBufIndex + firstLumSrcY - lastInLumBuf + vLumBufSize : NULL;
        int i;
+
+        if (firstLumSrcY < 0 || firstLumSrcY + vLumFilterSize > c->srcH) {
+            const int16_t **tmpY = (const int16_t **) lumPixBuf + 2 * vLumBufSize;
+            int neg = -firstLumSrcY, i, end = FFMIN(c->srcH - firstLumSrcY, vLumFilterSize);
+            for (i = 0; i < neg;            i++)
+                tmpY[i] = lumSrcPtr[neg];
+            for (     ; i < end;            i++)
+                tmpY[i] = lumSrcPtr[i];
+            for (     ; i < vLumFilterSize; i++)
+                tmpY[i] = tmpY[i-1];
+            lumSrcPtr = tmpY;
+
+            if (alpSrcPtr) {
+                const int16_t **tmpA = (const int16_t **) alpPixBuf + 2 * vLumBufSize;
+                for (i = 0; i < neg;            i++)
+                    tmpA[i] = alpSrcPtr[neg];
+                for (     ; i < end;            i++)
+                    tmpA[i] = alpSrcPtr[i];
+                for (     ; i < vLumFilterSize; i++)
+                    tmpA[i] = tmpA[i - 1];
+                alpSrcPtr = tmpA;
+            }
+        }
+        if (firstChrSrcY < 0 || firstChrSrcY + vChrFilterSize > c->chrSrcH) {
+            const int16_t **tmpU = (const int16_t **) chrUPixBuf + 2 * vChrBufSize;
+            int neg = -firstChrSrcY, i, end = FFMIN(c->chrSrcH - firstChrSrcY, vChrFilterSize);
+            for (i = 0; i < neg;            i++) {
+                tmpU[i] = chrUSrcPtr[neg];
+            }
+            for (     ; i < end;            i++) {
+                tmpU[i] = chrUSrcPtr[i];
+            }
+            for (     ; i < vChrFilterSize; i++) {
+                tmpU[i] = tmpU[i - 1];
+            }
+            chrUSrcPtr = tmpU;
+        }
+
        if (flags & SWS_ACCURATE_RND) {
            int s= APCK_SIZE / 8;
            for (i=0; i<vLumFilterSize; i+=2) {
--- a/libswscale/x86/swscale_template.c
+++ b/libswscale/x86/swscale_template.c
@@ -2238,12 +2238,24 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst,
    void    *mmx2FilterCode= c->lumMmx2FilterCode;
    int i;
 #if defined(PIC)
-    DECLARE_ALIGNED(8, uint64_t, ebxsave);
+    uint64_t ebxsave;
+#endif
+#if ARCH_X86_64
+    uint64_t retsave;
 #endif

    __asm__ volatile(
 #if defined(PIC)
        "mov               %%"REG_b", %5        \n\t"
+#if ARCH_X86_64
+        "mov               -8(%%rsp), %%"REG_a" \n\t"
+        "mov               %%"REG_a", %6        \n\t"
+#endif
+#else
+#if ARCH_X86_64
+        "mov               -8(%%rsp), %%"REG_a" \n\t"
+        "mov               %%"REG_a", %5        \n\t"
+#endif
 #endif
        "pxor                  %%mm7, %%mm7     \n\t"
        "mov                      %0, %%"REG_c" \n\t"
@@ -2285,11 +2297,23 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst,

 #if defined(PIC)
        "mov                      %5, %%"REG_b" \n\t"
+#if ARCH_X86_64
+        "mov                      %6, %%"REG_a" \n\t"
+        "mov               %%"REG_a", -8(%%rsp) \n\t"
+#endif
+#else
+#if ARCH_X86_64
+        "mov                      %5, %%"REG_a" \n\t"
+        "mov               %%"REG_a", -8(%%rsp) \n\t"
+#endif
 #endif
        :: "m" (src), "m" (dst), "m" (filter), "m" (filterPos),
           "m" (mmx2FilterCode)
 #if defined(PIC)
          ,"m" (ebxsave)
+#endif
+#if ARCH_X86_64
+          ,"m"(retsave)
 #endif
        : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D
 #if !defined(PIC)
@@ -2312,10 +2336,22 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2,
 #if defined(PIC)
    DECLARE_ALIGNED(8, uint64_t, ebxsave);
 #endif
+#if ARCH_X86_64
+    DECLARE_ALIGNED(8, uint64_t, retsave);
+#endif

    __asm__ volatile(
 #if defined(PIC)
        "mov          %%"REG_b", %7         \n\t"
+#if ARCH_X86_64
+        "mov          -8(%%rsp), %%"REG_a"  \n\t"
+        "mov          %%"REG_a", %8         \n\t"
+#endif
+#else
+#if ARCH_X86_64
+        "mov          -8(%%rsp), %%"REG_a"  \n\t"
+        "mov          %%"REG_a", %7         \n\t"
+#endif
 #endif
        "pxor             %%mm7, %%mm7      \n\t"
        "mov                 %0, %%"REG_c"  \n\t"
@@ -2345,11 +2381,23 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2,

 #if defined(PIC)
        "mov %7, %%"REG_b"    \n\t"
+#if ARCH_X86_64
+        "mov                 %8, %%"REG_a"  \n\t"
+        "mov          %%"REG_a", -8(%%rsp)  \n\t"
+#endif
+#else
+#if ARCH_X86_64
+        "mov                 %7, %%"REG_a"  \n\t"
+        "mov          %%"REG_a", -8(%%rsp)  \n\t"
+#endif
 #endif
        :: "m" (src1), "m" (dst1), "m" (filter), "m" (filterPos),
           "m" (mmx2FilterCode), "m" (src2), "m"(dst2)
 #if defined(PIC)
          ,"m" (ebxsave)
+#endif
+#if ARCH_X86_64
+          ,"m"(retsave)
 #endif
        : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D
 #if !defined(PIC)
--- a/tests/fate.mak
+++ b/tests/fate.mak
@@ -175,7 +175,7 @@ fate-maxis-xa: CMD = md5  -i $(SAMPLES)/maxis-xa/SC2KBUG.XA -f s16le
 FATE_TESTS += fate-mimic
 fate-mimic: CMD = framecrc  -idct simple -i $(SAMPLES)/mimic/mimic2-womanloveffmpeg.cam -vsync 0
 FATE_TESTS += fate-motionpixels
-fate-motionpixels: CMD = framecrc  -i $(SAMPLES)/motion-pixels/INTRO-partial.MVI -an -pix_fmt rgb24
+fate-motionpixels: CMD = framecrc  -i $(SAMPLES)/motion-pixels/INTRO-partial.MVI -an -pix_fmt rgb24 -vframes 111
 FATE_TESTS += fate-mpc7-demux
 fate-mpc7-demux: CMD = crc  -i $(SAMPLES)/musepack/inside-mp7.mpc -acodec copy
 FATE_TESTS += fate-mpc8-demux
--- a/tests/ref/acodec/wmav1
+++ b/tests/ref/acodec/wmav1
@@ -1,4 +1,4 @@
-26a7f6b0f0b7181df8df3fa589f6bf81 *./tests/data/acodec/wmav1.asf
+0260385b8a54df11ad349f9ba8240fd8 *./tests/data/acodec/wmav1.asf
 106004 ./tests/data/acodec/wmav1.asf
-stddev:12245.52 PSNR: 14.57 MAXDIFF:65521 bytes:  1064960/  1058400
-stddev: 2095.89 PSNR: 29.90 MAXDIFF:27658 bytes:  1056768/  1058400
+stddev:12241.90 PSNR: 14.57 MAXDIFF:65521 bytes:  1064960/  1058400
+stddev: 2074.79 PSNR: 29.99 MAXDIFF:27658 bytes:  1056768/  1058400
--- a/tests/ref/acodec/wmav2
+++ b/tests/ref/acodec/wmav2
@@ -1,4 +1,4 @@
-7c6c0cb692af01b312ae345723674b5f *./tests/data/acodec/wmav2.asf
+bdb4c312fb109f990be83a70f8ec9bdc *./tests/data/acodec/wmav2.asf
 106044 ./tests/data/acodec/wmav2.asf
-stddev:12249.93 PSNR: 14.57 MAXDIFF:65521 bytes:  1064960/  1058400
-stddev: 2089.21 PSNR: 29.93 MAXDIFF:27650 bytes:  1056768/  1058400
+stddev:12246.35 PSNR: 14.57 MAXDIFF:65521 bytes:  1064960/  1058400
+stddev: 2068.08 PSNR: 30.02 MAXDIFF:27650 bytes:  1056768/  1058400
--- a/tests/ref/fate/motionpixels
+++ b/tests/ref/fate/motionpixels
@@ -109,4 +109,3 @@
 0, 648003, 230400, 0xb343f372
 0, 654003, 230400, 0xf7f1e588
 0, 660003, 230400, 0x9682bdb2
-0, 666003, 230400, 0x009f4640
@@ -1 +1 @@
 .7.9
 .7.12