Update for 1.1.15

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
avcodec/indeo3: ensure offsets are non negative
2014-12-21 04:51:41 +01:00 · 2014-12-21 04:40:35 +01:00 · 2014-12-21 04:40:35 +01:00 · 2014-12-21 04:40:35 +01:00 · 2014-12-21 04:40:35 +01:00 · 2014-12-21 04:40:35 +01:00
190 changed files with 1851 additions and 1036 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-1.1.7
+1.1.15
--- a/1
+++ b/1
@@ -1 +0,0 @@
-1.1.7
--- a/cmdutils.c
+++ b/cmdutils.c
@@ -65,7 +65,7 @@ struct SwsContext *sws_opts;
 SwrContext *swr_opts;
 AVDictionary *format_opts, *codec_opts;

-const int this_year = 2013;
+const int this_year = 2014;

 static FILE *report_file;

--- a/46
+++ b/46
@@ -797,6 +797,13 @@ check_ld(){
    check_cmd $ld $LDFLAGS $flags $(ld_o $TMPE) $TMPO $libs $extralibs
 }

+print_include(){
+    hdr=$1
+    test "${hdr%.h}" = "${hdr}" &&
+        echo "#include $hdr"    ||
+        echo "#include <$hdr>"
+}
+
 check_code(){
    log check_code "$@"
    check=$1
@@ -805,7 +812,7 @@ check_code(){
    shift 3
    {
        for hdr in $headers; do
-            echo "#include <$hdr>"
+            print_include $hdr
        done
        echo "int main(void) { $code; return 0; }"
    } | check_$check "$@"
@@ -889,7 +896,7 @@ check_func_headers(){
    shift 2
    {
        for hdr in $headers; do
-            echo "#include <$hdr>"
+            print_include $hdr
        done
        for func in $funcs; do
            echo "long check_$func(void) { return (long) $func; }"
@@ -1053,6 +1060,26 @@ require_pkg_config(){
    add_extralibs $(get_safe ${pkg}_libs)
 }

+require_libfreetype(){
+    log require_libfreetype "$@"
+    pkg="freetype2"
+    check_cmd $pkg_config --exists --print-errors $pkg \
+      || die "ERROR: $pkg not found"
+    pkg_cflags=$($pkg_config --cflags $pkg)
+    pkg_libs=$($pkg_config --libs $pkg)
+    {
+        echo "#include <ft2build.h>"
+        echo "#include FT_FREETYPE_H"
+        echo "long check_func(void) { return (long) FT_Init_FreeType; }"
+        echo "int main(void) { return 0; }"
+    } | check_ld "cc" $pkg_cflags $pkg_libs \
+      && set_safe ${pkg}_cflags $pkg_cflags \
+      && set_safe ${pkg}_libs   $pkg_libs \
+      || die "ERROR: $pkg not found"
+    add_cflags    $(get_safe ${pkg}_cflags)
+    add_extralibs $(get_safe ${pkg}_libs)
+}
+
 hostcc_o(){
    eval printf '%s\\n' $HOSTCC_O
 }
@@ -1735,7 +1762,7 @@ rv30_decoder_select="error_resilience golomb h264chroma h264pred h264qpel mpegvi
 rv40_decoder_select="error_resilience golomb h264chroma h264pred h264qpel mpegvideo"
 shorten_decoder_select="golomb"
 sipr_decoder_select="lsp"
-snow_decoder_select="dwt rangecoder"
+snow_decoder_select="dwt rangecoder videodsp"
 snow_encoder_select="aandcttables dwt error_resilience mpegvideoenc rangecoder"
 sonic_decoder_select="golomb"
 sonic_encoder_select="golomb"
@@ -2560,7 +2587,9 @@ probe_cc(){
    unset _depflags _DEPCMD _DEPFLAGS
    _flags_filter=echo

-    if $_cc -v 2>&1 | grep -q '^gcc.*LLVM'; then
+    if $_cc --version 2>&1 | grep -q '^GNU assembler'; then
+        true # no-op to avoid reading stdin in following checks
+    elif $_cc -v 2>&1 | grep -q '^gcc.*LLVM'; then
        _type=llvm_gcc
        gcc_extra_ver=$(expr "$($_cc --version | head -n1)" : '.*\((.*)\)')
        _ident="llvm-gcc $($_cc -dumpversion) $gcc_extra_ver"
@@ -3106,6 +3135,10 @@ case "$arch" in
        check_64bit ppc ppc64 'sizeof(void *) > 4'
        spic=$shared
    ;;
+    s390)
+        check_64bit s390 s390x 'sizeof(void *) > 4'
+        spic=$shared
+    ;;
    sparc)
        check_64bit sparc sparc64 'sizeof(void *) > 4'
        spic=$shared
@@ -3658,6 +3691,7 @@ EOF
 fi

 check_ldflags -Wl,--as-needed
+check_ldflags -Wl,-z,noexecstack

 if check_func dlopen; then
    ldl=
@@ -3831,7 +3865,7 @@ enabled gnutls     && require_pkg_config gnutls gnutls/gnutls.h gnutls_global_in
 enabled libiec61883 && require libiec61883 libiec61883/iec61883.h iec61883_cmp_connect -lraw1394 -lavc1394 -lrom1394 -liec61883
 enabled libaacplus && require  "libaacplus >= 2.0.0" aacplus.h aacplusEncOpen -laacplus
 enabled libass     && require_pkg_config libass ass/ass.h ass_library_init
-enabled libbluray  && require libbluray libbluray/bluray.h bd_open -lbluray
+enabled libbluray  && require_pkg_config libbluray libbluray/bluray.h bd_open
 enabled libcelt    && require libcelt celt/celt.h celt_decode -lcelt0 &&
                      { check_lib celt/celt.h celt_decoder_create_custom -lcelt0 ||
                        die "ERROR: libcelt must be installed and version must be >= 0.11.0."; }
@@ -3840,7 +3874,7 @@ enabled libfaac    && require2 libfaac "stdint.h faac.h" faacEncGetVersion -lfaa
 enabled libfdk_aac && require  libfdk_aac fdk-aac/aacenc_lib.h aacEncOpen -lfdk-aac
 flite_libs="-lflite_cmu_time_awb -lflite_cmu_us_awb -lflite_cmu_us_kal -lflite_cmu_us_kal16 -lflite_cmu_us_rms -lflite_cmu_us_slt -lflite_usenglish -lflite_cmulex -lflite"
 enabled libflite   && require2 libflite "flite/flite.h" flite_init $flite_libs
-enabled libfreetype && require_pkg_config freetype2 "ft2build.h freetype/freetype.h" FT_Init_FreeType
+enabled libfreetype && require_libfreetype
 enabled libgsm     && require  libgsm gsm/gsm.h gsm_create -lgsm
 enabled libilbc    && require  libilbc ilbc.h WebRtcIlbcfix_InitDecode -lilbc
 enabled libmodplug && require  libmodplug libmodplug/modplug.h ModPlug_Load -lmodplug
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.

-PROJECT_NUMBER         = 1.1.7
+PROJECT_NUMBER         = 1.1.15

 # With the PROJECT_LOGO tag one can specify an logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
--- a/doc/encoders.texi
+++ b/doc/encoders.texi
@@ -749,7 +749,7 @@ Set maximum frame size, or duration of a frame in milliseconds. The
 argument must be exactly the following: 2.5, 5, 10, 20, 40, 60. Smaller
 frame sizes achieve lower latency but less quality at a given bitrate.
 Sizes greater than 20ms are only interesting at fairly low bitrates.
-The default of FFmpeg is 10ms, but is 20ms in @command{opusenc}.
+The default is 20ms.

@item packet_loss (@emph{expect-loss})
 Set expected packet loss percentage. The default is 0.
--- a/doc/ffmpeg.texi
+++ b/doc/ffmpeg.texi
@@ -1254,11 +1254,11 @@ ffmpeg -f image2 -pattern_type glob -i 'foo-*.jpeg' -r 12 -s WxH foo.avi
 You can put many streams of the same type in the output:

@example
-ffmpeg -i test1.avi -i test2.avi -map 0:3 -map 0:2 -map 0:1 -map 0:0 -c copy test12.nut
+ffmpeg -i test1.avi -i test2.avi -map 1:1 -map 1:0 -map 0:1 -map 0:0 -c copy -y test12.nut
@end example

-The resulting output file @file{test12.avi} will contain first four streams from
-the input file in reverse order.
+The resulting output file @file{test12.nut} will contain the first four streams
+from the input files in reverse order.

@item
 To force CBR video output:
--- a/doc/platform.texi
+++ b/doc/platform.texi
@@ -51,8 +51,9 @@ The toolchain provided with Xcode is sufficient to build the basic
 unacelerated code.

 Mac OS X on PowerPC or ARM (iPhone) requires a preprocessor from
+@url{https://github.com/FFmpeg/gas-preprocessor} or
@url{http://github.com/yuvi/gas-preprocessor} to build the optimized
-assembler functions. Just download the Perl script and put it somewhere
+assembler functions. Put the Perl script somewhere
 in your PATH, FFmpeg's configure will pick it up automatically.

 Mac OS X on amd64 and x86 requires @command{yasm} to build most of the
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -578,6 +578,25 @@ static void write_frame(AVFormatContext *s, AVPacket *pkt, OutputStream *ost)
        bsfc = bsfc->next;
    }

+    if (!(s->oformat->flags & AVFMT_NOTIMESTAMPS) &&
+        ost->last_mux_dts != AV_NOPTS_VALUE &&
+        pkt->dts < ost->last_mux_dts + !(s->oformat->flags & AVFMT_TS_NONSTRICT)) {
+        av_log(NULL, AV_LOG_WARNING, "Non-monotonous DTS in output stream "
+               "%d:%d; previous: %"PRId64", current: %"PRId64"; ",
+               ost->file_index, ost->st->index, ost->last_mux_dts, pkt->dts);
+        if (exit_on_error) {
+            av_log(NULL, AV_LOG_FATAL, "aborting.\n");
+            exit(1);
+        }
+        av_log(NULL, AV_LOG_WARNING, "changing to %"PRId64". This may result "
+               "in incorrect timestamps in the output file.\n",
+               ost->last_mux_dts + 1);
+        pkt->dts = ost->last_mux_dts + 1;
+        if (pkt->pts != AV_NOPTS_VALUE)
+            pkt->pts = FFMAX(pkt->pts, pkt->dts);
+    }
+    ost->last_mux_dts = pkt->dts;
+
    pkt->stream_index = ost->index;

    if (debug_ts) {
@@ -996,6 +1015,19 @@ static void do_video_stats(OutputStream *ost, int frame_size)
    }
 }

+static void finish_output_stream(OutputStream *ost)
+{
+    OutputFile *of = output_files[ost->file_index];
+    int i;
+
+    ost->finished = 1;
+
+    if (of->shortest) {
+        for (i = 0; i < of->ctx->nb_streams; i++)
+            output_streams[of->ost_index + i]->finished = 1;
+    }
+}
+
 /**
 * Get and encode new output from any of the filtergraphs, without causing
 * activity.
@@ -2764,7 +2796,7 @@ static int process_input(int file_index)

                if (ost->source_index == ifile->ist_index + i &&
                    (ost->stream_copy || ost->enc->type == AVMEDIA_TYPE_SUBTITLE))
-                    close_output_stream(ost);
+                    finish_output_stream(ost);
            }
        }

--- a/ffmpeg.h
+++ b/ffmpeg.h
@@ -300,6 +300,8 @@ typedef struct OutputStream {
    /* pts of the first frame encoded for this stream, used for limiting
     * recording time */
    int64_t first_pts;
+    /* dts of the last packet sent to the muxer */
+    int64_t last_mux_dts;
    AVBitStreamFilterContext *bitstream_filters;
    AVCodec *enc;
    int64_t max_frames;
--- a/ffmpeg_filter.c
+++ b/ffmpeg_filter.c
@@ -41,12 +41,15 @@ enum AVPixelFormat choose_pixel_fmt(AVStream *st, AVCodec *codec, enum AVPixelFo
        const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(target);
        int has_alpha = desc ? desc->nb_components % 2 == 0 : 0;
        enum AVPixelFormat best= AV_PIX_FMT_NONE;
+        const enum AVPixelFormat mjpeg_formats[] = { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE };
+        const enum AVPixelFormat ljpeg_formats[] = { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P,
+                                                     AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE };
+
        if (st->codec->strict_std_compliance <= FF_COMPLIANCE_UNOFFICIAL) {
            if (st->codec->codec_id == AV_CODEC_ID_MJPEG) {
-                p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE };
+                p = mjpeg_formats;
            } else if (st->codec->codec_id == AV_CODEC_ID_LJPEG) {
-                p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P,
-                                                 AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE };
+                p =ljpeg_formats;
            }
        }
        for (; *p != AV_PIX_FMT_NONE; p++) {
--- a/ffmpeg_opt.c
+++ b/ffmpeg_opt.c
@@ -1021,6 +1021,7 @@ static OutputStream *new_output_stream(OptionsContext *o, AVFormatContext *oc, e
        input_streams[source_index]->discard = 0;
        input_streams[source_index]->st->discard = AVDISCARD_NONE;
    }
+    ost->last_mux_dts = AV_NOPTS_VALUE;

    return ost;
 }
@@ -1824,7 +1825,8 @@ static int opt_target(void *optctx, const char *opt, const char *arg)
            for (j = 0; j < nb_input_files; j++) {
                for (i = 0; i < input_files[j]->nb_streams; i++) {
                    AVCodecContext *c = input_files[j]->ctx->streams[i]->codec;
-                    if (c->codec_type != AVMEDIA_TYPE_VIDEO)
+                    if (c->codec_type != AVMEDIA_TYPE_VIDEO ||
+                        !c->time_base.num)
                        continue;
                    fr = c->time_base.den * 1000 / c->time_base.num;
                    if (fr == 25000) {
@@ -1938,6 +1940,10 @@ static int opt_target(void *optctx, const char *opt, const char *arg)
        av_log(NULL, AV_LOG_ERROR, "Unknown target: %s\n", arg);
        return AVERROR(EINVAL);
    }
+
+    av_dict_copy(&o->g->codec_opts,  codec_opts, 0);
+    av_dict_copy(&o->g->format_opts, format_opts, 0);
+
    return 0;
 }

--- a/libavcodec/aac_parser.c
+++ b/libavcodec/aac_parser.c
@@ -34,7 +34,7 @@ static int aac_sync(uint64_t state, AACAC3ParseContext *hdr_info,
    int size;
    union {
        uint64_t u64;
-        uint8_t  u8[8];
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
    } tmp;

    tmp.u64 = av_be2ne64(state);
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -190,6 +190,9 @@ static int frame_configure_elements(AVCodecContext *avctx)
        }
    }

+    if (!avctx->channels)
+        return 1;
+
    /* get output buffer */
    ac->frame.nb_samples = 2048;
    if ((ret = ff_get_buffer(avctx, &ac->frame)) < 0) {
--- a/libavcodec/ac3_parser.c
+++ b/libavcodec/ac3_parser.c
@@ -147,7 +147,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info,
    int err;
    union {
        uint64_t u64;
-        uint8_t  u8[8];
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
    } tmp = { av_be2ne64(state) };
    AC3HeaderInfo hdr;
    GetBitContext gbc;
--- a/libavcodec/ac3enc_template.c
+++ b/libavcodec/ac3enc_template.c
@@ -259,7 +259,7 @@ static void apply_channel_coupling(AC3EncodeContext *s)
                energy_cpl = energy[blk][CPL_CH][bnd];
                energy_ch = energy[blk][ch][bnd];
                blk1 = blk+1;
-                while (!s->blocks[blk1].new_cpl_coords[ch] && blk1 < s->num_blocks) {
+                while (blk1 < s->num_blocks && !s->blocks[blk1].new_cpl_coords[ch]) {
                    if (s->blocks[blk1].cpl_in_use) {
                        energy_cpl += energy[blk1][CPL_CH][bnd];
                        energy_ch += energy[blk1][ch][bnd];
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1387,7 +1387,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,

 static const enum AVSampleFormat sample_fmts_s16[]  = { AV_SAMPLE_FMT_S16,
                                                        AV_SAMPLE_FMT_NONE };
-static const enum AVSampleFormat sample_fmts_s16p[] = { AV_SAMPLE_FMT_S16,
+static const enum AVSampleFormat sample_fmts_s16p[] = { AV_SAMPLE_FMT_S16P,
                                                        AV_SAMPLE_FMT_NONE };
 static const enum AVSampleFormat sample_fmts_both[] = { AV_SAMPLE_FMT_S16,
                                                        AV_SAMPLE_FMT_S16P,
--- a/libavcodec/adpcmenc.c
+++ b/libavcodec/adpcmenc.c
@@ -558,10 +558,11 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
            put_bits(&pb, 7,  status->step_index);
            if (avctx->trellis > 0) {
                uint8_t buf[64];
-                adpcm_compress_trellis(avctx, &samples_p[ch][1], buf, status,
+                adpcm_compress_trellis(avctx, &samples_p[ch][0], buf, status,
                                       64, 1);
                for (i = 0; i < 64; i++)
                    put_bits(&pb, 4, buf[i ^ 1]);
+                status->prev_sample = status->predictor;
            } else {
                for (i = 0; i < 64; i += 2) {
                    int t1, t2;
--- a/libavcodec/adx.c
+++ b/libavcodec/adx.c
@@ -47,13 +47,8 @@ int avpriv_adx_decode_header(AVCodecContext *avctx, const uint8_t *buf,
        return AVERROR_INVALIDDATA;
    offset = AV_RB16(buf + 2) + 4;

-    if (offset < 6) {
-        av_log(avctx, AV_LOG_ERROR, "offset is prior data\n");
-        return AVERROR_INVALIDDATA;
-    }
-
    /* if copyright string is within the provided data, validate it */
-    if (bufsize >= offset && memcmp(buf + offset - 6, "(c)CRI", 6))
+    if (bufsize >= offset && offset >= 6 && memcmp(buf + offset - 6, "(c)CRI", 6))
        return AVERROR_INVALIDDATA;

    /* check for encoding=3 block_size=18, sample_size=4 */
--- a/libavcodec/alacenc.c
+++ b/libavcodec/alacenc.c
@@ -67,7 +67,7 @@ typedef struct AlacEncodeContext {
    int write_sample_size;
    int extra_bits;
    int32_t sample_buf[2][DEFAULT_FRAME_SIZE];
-    int32_t predictor_buf[DEFAULT_FRAME_SIZE];
+    int32_t predictor_buf[2][DEFAULT_FRAME_SIZE];
    int interlacing_shift;
    int interlacing_leftweight;
    PutBitContext pbctx;
@@ -254,13 +254,14 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch)
 {
    int i;
    AlacLPCContext lpc = s->lpc[ch];
+    int32_t *residual = s->predictor_buf[ch];

    if (lpc.lpc_order == 31) {
-        s->predictor_buf[0] = s->sample_buf[ch][0];
+        residual[0] = s->sample_buf[ch][0];

        for (i = 1; i < s->frame_size; i++) {
-            s->predictor_buf[i] = s->sample_buf[ch][i    ] -
-                                  s->sample_buf[ch][i - 1];
+            residual[i] = s->sample_buf[ch][i    ] -
+                          s->sample_buf[ch][i - 1];
        }

        return;
@@ -270,7 +271,6 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch)

    if (lpc.lpc_order > 0) {
        int32_t *samples  = s->sample_buf[ch];
-        int32_t *residual = s->predictor_buf;

        // generate warm-up samples
        residual[0] = samples[0];
@@ -314,11 +314,11 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch)
    }
 }

-static void alac_entropy_coder(AlacEncodeContext *s)
+static void alac_entropy_coder(AlacEncodeContext *s, int ch)
 {
    unsigned int history = s->rc.initial_history;
    int sign_modifier = 0, i, k;
-    int32_t *samples = s->predictor_buf;
+    int32_t *samples = s->predictor_buf[ch];

    for (i = 0; i < s->frame_size;) {
        int x;
@@ -395,6 +395,19 @@ static void write_element(AlacEncodeContext *s,
        init_sample_buffers(s, channels, samples);
        write_element_header(s, element, instance);

+        // extract extra bits if needed
+        if (s->extra_bits) {
+            uint32_t mask = (1 << s->extra_bits) - 1;
+            for (j = 0; j < channels; j++) {
+                int32_t *extra = s->predictor_buf[j];
+                int32_t *smp   = s->sample_buf[j];
+                for (i = 0; i < s->frame_size; i++) {
+                    extra[i] = smp[i] & mask;
+                    smp[i] >>= s->extra_bits;
+                }
+            }
+        }
+
        if (channels == 2)
            alac_stereo_decorrelation(s);
        else
@@ -420,8 +433,7 @@ static void write_element(AlacEncodeContext *s,
            uint32_t mask = (1 << s->extra_bits) - 1;
            for (i = 0; i < s->frame_size; i++) {
                for (j = 0; j < channels; j++) {
-                    put_bits(pb, s->extra_bits, s->sample_buf[j][i] & mask);
-                    s->sample_buf[j][i] >>= s->extra_bits;
+                    put_bits(pb, s->extra_bits, s->predictor_buf[j][i] & mask);
                }
            }
        }
@@ -433,10 +445,11 @@ static void write_element(AlacEncodeContext *s,
            // TODO: determine when this will actually help. for now it's not used.
            if (prediction_type == 15) {
                // 2nd pass 1st order filter
+                int32_t *residual = s->predictor_buf[channels];
                for (j = s->frame_size - 1; j > 0; j--)
-                    s->predictor_buf[j] -= s->predictor_buf[j - 1];
+                    residual[j] -= residual[j - 1];
            }
-            alac_entropy_coder(s);
+            alac_entropy_coder(s, i);
        }
    }
 }
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -285,7 +285,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
    GetBitContext gb;
    uint64_t ht_size;
    int i, config_offset;
-    MPEG4AudioConfig m4ac;
+    MPEG4AudioConfig m4ac = {0};
    ALSSpecificConfig *sconf = &ctx->sconf;
    AVCodecContext *avctx    = ctx->avctx;
    uint32_t als_id, header_size, trailer_size;
@@ -1394,6 +1394,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)

        for (b = 0; b < ctx->num_blocks; b++) {
            bd.block_length = div_blocks[b];
+            if (bd.block_length <= 0) {
+                av_log(ctx->avctx, AV_LOG_WARNING,
+                       "Invalid block length %d in channel data!\n", bd.block_length);
+                continue;
+            }

            for (c = 0; c < avctx->channels; c++) {
                bd.const_block = ctx->const_block + c;
--- a/libavcodec/ansi.c
+++ b/libavcodec/ansi.c
@@ -415,7 +415,7 @@ static int decode_frame(AVCodecContext *avctx,
            switch(buf[0]) {
            case '0': case '1': case '2': case '3': case '4':
            case '5': case '6': case '7': case '8': case '9':
-                if (s->nb_args < MAX_NB_ARGS)
+                if (s->nb_args < MAX_NB_ARGS && s->args[s->nb_args] < 6553)
                    s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0';
                break;
            case ';':
--- a/libavcodec/arm/dsputil_armv6.S
+++ b/libavcodec/arm/dsputil_armv6.S
@@ -144,10 +144,11 @@ function ff_put_pixels8_y2_armv6, export=1
        eor             r7,  r5,  r7
        uadd8           r10, r10, r6
        and             r7,  r7,  r12
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
        uadd8           r11, r11, r7
        strd_post       r8,  r9,  r0,  r2
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
        strd_post       r10, r11, r0,  r2
        bne             1b

@@ -196,9 +197,10 @@ function ff_put_pixels8_y2_no_rnd_armv6, export=1
        uhadd8          r9,  r5,  r7
        ldr             r5,  [r1, #4]
        uhadd8          r12, r4,  r6
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
        uhadd8          r14, r5,  r7
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
        stm             r0,  {r8,r9}
        add             r0,  r0,  r2
        stm             r0,  {r12,r14}
--- a/libavcodec/arm/h264dsp_init_arm.c
+++ b/libavcodec/arm/h264dsp_init_arm.c
@@ -91,7 +91,7 @@ static void ff_h264dsp_init_neon(H264DSPContext *c, const int bit_depth, const i
    c->h264_idct_dc_add     = ff_h264_idct_dc_add_neon;
    c->h264_idct_add16      = ff_h264_idct_add16_neon;
    c->h264_idct_add16intra = ff_h264_idct_add16intra_neon;
-    if (chroma_format_idc == 1)
+    if (chroma_format_idc <= 1)
        c->h264_idct_add8   = ff_h264_idct_add8_neon;
    c->h264_idct8_add       = ff_h264_idct8_add_neon;
    c->h264_idct8_dc_add    = ff_h264_idct8_dc_add_neon;
--- a/libavcodec/arm/int_neon.S
+++ b/libavcodec/arm/int_neon.S
@@ -41,10 +41,10 @@ function ff_scalarproduct_int16_neon, export=1

        vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
@@ -81,10 +81,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1

        vpadd.s32       d16, d0,   d1
        vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
        vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
        vpadd.s32       d2,  d0,   d1
        vpaddl.s32      d3,  d2
        vmov.32         r0,  d3[0]
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -283,7 +283,7 @@ int av_packet_split_side_data(AVPacket *pkt){
        for (i=0; ; i++){
            size= AV_RB32(p);
            av_assert0(size<=INT_MAX && p - pkt->data >= size);
-            pkt->side_data[i].data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
+            pkt->side_data[i].data = av_mallocz(size + FF_INPUT_BUFFER_PADDING_SIZE);
            pkt->side_data[i].size = size;
            pkt->side_data[i].type = p[4]&127;
            if (!pkt->side_data[i].data)
--- a/libavcodec/bytestream.h
+++ b/libavcodec/bytestream.h
@@ -325,6 +325,32 @@ static av_always_inline unsigned int bytestream2_get_eof(PutByteContext *p)
    return p->eof;
 }

+static av_always_inline unsigned int bytestream2_copy_bufferu(PutByteContext *p,
+                                                              GetByteContext *g,
+                                                              unsigned int size)
+{
+    memcpy(p->buffer, g->buffer, size);
+    p->buffer += size;
+    g->buffer += size;
+    return size;
+}
+
+static av_always_inline unsigned int bytestream2_copy_buffer(PutByteContext *p,
+                                                             GetByteContext *g,
+                                                             unsigned int size)
+{
+    int size2;
+
+    if (p->eof)
+        return 0;
+    size  = FFMIN(g->buffer_end - g->buffer, size);
+    size2 = FFMIN(p->buffer_end - p->buffer, size);
+    if (size2 != size)
+        p->eof = 1;
+
+    return bytestream2_copy_bufferu(p, g, size2);
+}
+
 static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b,
                                                           uint8_t *dst,
                                                           unsigned int size)
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -305,7 +305,7 @@ STOP_TIMER("get_cabac_bypass")

    for(i=0; i<SIZE; i++){
 START_TIMER
-        if( (r[i]&1) != get_cabac(&c, state) )
+        if( (r[i]&1) != get_cabac_noinline(&c, state) )
            av_log(NULL, AV_LOG_ERROR, "CABAC failure at %d\n", i);
 STOP_TIMER("get_cabac")
    }
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -604,8 +604,9 @@ static inline int decode_residual_inter(AVSContext *h)

    /* get coded block pattern */
    int cbp = get_ue_golomb(&h->gb);
-    if (cbp > 63U) {
-        av_log(h->avctx, AV_LOG_ERROR, "illegal inter cbp\n");
+
+    if (cbp > 63 || cbp < 0) {
+        av_log(h->avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp);
        return -1;
    }
    h->cbp = cbp_tab[cbp][1];
@@ -675,7 +676,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
    /* get coded block pattern */
    if (h->cur.f->pict_type == AV_PICTURE_TYPE_I)
        cbp_code = get_ue_golomb(gb);
-    if (cbp_code > 63U) {
+    if (cbp_code > 63 || cbp_code < 0) {
        av_log(h->avctx, AV_LOG_ERROR, "illegal intra cbp\n");
        return -1;
    }
@@ -978,7 +979,8 @@ static int decode_pic(AVSContext *h)
    if (h->cur.f->data[0])
        h->avctx->release_buffer(h->avctx, h->cur.f);

-    if ((ret = ff_get_buffer(h->avctx, h->cur.f)) < 0)
+    ret = ff_get_buffer(h->avctx, h->cur.f);
+    if (ret < 0)
        return ret;

    if (!h->edge_emu_buffer) {
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -269,7 +269,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
 static int cdg_decode_frame(AVCodecContext *avctx,
                            void *data, int *got_frame, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
+    GetByteContext gb;
    int buf_size       = avpkt->size;
    int ret;
    uint8_t command, inst;
@@ -286,19 +286,19 @@ static int cdg_decode_frame(AVCodecContext *avctx,
        return AVERROR(EINVAL);
    }

+    bytestream2_init(&gb, avpkt->data, avpkt->size);
+
    ret = avctx->reget_buffer(avctx, &cc->frame);
    if (ret) {
        av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
        return ret;
    }

-    command = bytestream_get_byte(&buf);
-    inst    = bytestream_get_byte(&buf);
+    command = bytestream2_get_byte(&gb);
+    inst    = bytestream2_get_byte(&gb);
    inst    &= CDG_MASK;
-    buf += 2;  /// skipping 2 unneeded bytes
-
-    if (buf_size > CDG_HEADER_SIZE)
-        bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
+    bytestream2_skip(&gb, 2);
+    bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data));

    if ((command & CDG_MASK) == CDG_COMMAND) {
        switch (inst) {
@@ -357,11 +357,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
        *got_frame = 1;
    } else {
        *got_frame = 0;
-        buf_size   = 0;
    }

    *(AVFrame *) data = cc->frame;
-    return buf_size;
+    return avpkt->size;
 }

 static av_cold int cdg_decode_end(AVCodecContext *avctx)
--- a/libavcodec/dirac_arith.h
+++ b/libavcodec/dirac_arith.h
@@ -28,6 +28,7 @@
 #ifndef AVCODEC_DIRAC_ARITH_H
 #define AVCODEC_DIRAC_ARITH_H

+#include "libavutil/x86/asm.h"
 #include "bytestream.h"
 #include "get_bits.h"

@@ -134,7 +135,7 @@ static inline int dirac_get_arith_bit(DiracArith *c, int ctx)

    range_times_prob = (c->range * prob_zero) >> 16;

-#if HAVE_FAST_CMOV && HAVE_INLINE_ASM
+#if HAVE_FAST_CMOV && HAVE_INLINE_ASM && HAVE_6REGS
    low   -= range_times_prob << 16;
    range -= range_times_prob;
    bit = 0;
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -200,6 +200,7 @@ typedef struct DiracContext {

    uint16_t *mctmp;            /* buffer holding the MC data multipled by OBMC weights */
    uint8_t *mcscratch;
+    int buffer_stride;

    DECLARE_ALIGNED(16, uint8_t, obmc_weight)[3][MAX_BLOCKSIZE*MAX_BLOCKSIZE];

@@ -342,22 +343,44 @@ static int alloc_sequence_buffers(DiracContext *s)
            return AVERROR(ENOMEM);
    }

-    w = s->source.width;
-    h = s->source.height;
-
    /* fixme: allocate using real stride here */
-    s->sbsplit  = av_malloc(sbwidth * sbheight);
-    s->blmotion = av_malloc(sbwidth * sbheight * 16 * sizeof(*s->blmotion));
-    s->edge_emu_buffer_base = av_malloc((w+64)*MAX_BLOCKSIZE);
+    s->sbsplit  = av_malloc_array(sbwidth, sbheight);
+    s->blmotion = av_malloc_array(sbwidth, sbheight * 16 * sizeof(*s->blmotion));

-    s->mctmp     = av_malloc((w+64+MAX_BLOCKSIZE) * (h+MAX_BLOCKSIZE) * sizeof(*s->mctmp));
-    s->mcscratch = av_malloc((w+64)*MAX_BLOCKSIZE);
-
-    if (!s->sbsplit || !s->blmotion || !s->mctmp || !s->mcscratch)
+    if (!s->sbsplit || !s->blmotion)
        return AVERROR(ENOMEM);
    return 0;
 }

+static int alloc_buffers(DiracContext *s, int stride)
+{
+    int w = s->source.width;
+    int h = s->source.height;
+
+    av_assert0(stride >= w);
+    stride += 64;
+
+    if (s->buffer_stride >= stride)
+        return 0;
+    s->buffer_stride = 0;
+
+    av_freep(&s->edge_emu_buffer_base);
+    memset(s->edge_emu_buffer, 0, sizeof(s->edge_emu_buffer));
+    av_freep(&s->mctmp);
+    av_freep(&s->mcscratch);
+
+    s->edge_emu_buffer_base = av_malloc_array(stride, MAX_BLOCKSIZE);
+
+    s->mctmp     = av_malloc_array((stride+MAX_BLOCKSIZE), (h+MAX_BLOCKSIZE) * sizeof(*s->mctmp));
+    s->mcscratch = av_malloc_array(stride, MAX_BLOCKSIZE);
+
+    if (!s->edge_emu_buffer_base || !s->mctmp || !s->mcscratch)
+        return AVERROR(ENOMEM);
+
+    s->buffer_stride = stride;
+    return 0;
+}
+
 static void free_sequence_buffers(DiracContext *s)
 {
    int i, j, k;
@@ -381,6 +404,7 @@ static void free_sequence_buffers(DiracContext *s)
        av_freep(&s->plane[i].idwt_tmp);
    }

+    s->buffer_stride = 0;
    av_freep(&s->sbsplit);
    av_freep(&s->blmotion);
    av_freep(&s->edge_emu_buffer_base);
@@ -1342,8 +1366,8 @@ static int mc_subpel(DiracContext *s, DiracBlock *block, const uint8_t *src[5],
        motion_y >>= s->chroma_y_shift;
    }

-    mx         = motion_x & ~(-1 << s->mv_precision);
-    my         = motion_y & ~(-1 << s->mv_precision);
+    mx         = motion_x & ~(-1U << s->mv_precision);
+    my         = motion_y & ~(-1U << s->mv_precision);
    motion_x >>= s->mv_precision;
    motion_y >>= s->mv_precision;
    /* normalize subpel coordinates to epel */
@@ -1817,6 +1841,9 @@ static int dirac_decode_data_unit(AVCodecContext *avctx, const uint8_t *buf, int
        s->plane[1].stride = pic->avframe.linesize[1];
        s->plane[2].stride = pic->avframe.linesize[2];

+        if (alloc_buffers(s, FFMAX3(FFABS(s->plane[0].stride), FFABS(s->plane[1].stride), FFABS(s->plane[2].stride))) < 0)
+            return AVERROR(ENOMEM);
+
        /* [DIRAC_STD] 11.1 Picture parse. picture_parse() */
        if (dirac_decode_picture_header(s))
            return -1;
--- a/libavcodec/dnxhddec.c
+++ b/libavcodec/dnxhddec.c
@@ -39,6 +39,7 @@ typedef struct DNXHDContext {
    GetBitContext gb;
    int64_t cid;                        ///< compression id
    unsigned int width, height;
+    enum AVPixelFormat pix_fmt;
    unsigned int mb_width, mb_height;
    uint32_t mb_scan_index[68];         /* max for 1080p */
    int cur_field;                      ///< current interlaced field
@@ -135,7 +136,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si
    av_dlog(ctx->avctx, "width %d, height %d\n", ctx->width, ctx->height);

    if (buf[0x21] & 0x40) {
-        ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P10;
+        ctx->pix_fmt = AV_PIX_FMT_YUV422P10;
        ctx->avctx->bits_per_raw_sample = 10;
        if (ctx->bit_depth != 10) {
            ff_dsputil_init(&ctx->dsp, ctx->avctx);
@@ -143,7 +144,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si
            ctx->decode_dct_block = dnxhd_decode_dct_block_10;
        }
    } else {
-        ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P;
+        ctx->pix_fmt = AV_PIX_FMT_YUV422P;
        ctx->avctx->bits_per_raw_sample = 8;
        if (ctx->bit_depth != 8) {
            ff_dsputil_init(&ctx->dsp, ctx->avctx);
@@ -381,9 +382,15 @@ static int dnxhd_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
               avctx->width, avctx->height, ctx->width, ctx->height);
        first_field = 1;
    }
+    if (avctx->pix_fmt != AV_PIX_FMT_NONE && avctx->pix_fmt != ctx->pix_fmt) {
+        av_log(avctx, AV_LOG_WARNING, "pix_fmt changed: %s -> %s\n",
+               av_get_pix_fmt_name(avctx->pix_fmt), av_get_pix_fmt_name(ctx->pix_fmt));
+        first_field = 1;
+    }

    if (av_image_check_size(ctx->width, ctx->height, 0, avctx))
        return -1;
+    avctx->pix_fmt = ctx->pix_fmt;
    avcodec_set_dimensions(avctx, ctx->width, ctx->height);

    if (first_field) {
--- a/libavcodec/dnxhdenc.c
+++ b/libavcodec/dnxhdenc.c
@@ -235,7 +235,7 @@ static int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias)

 static int dnxhd_init_rc(DNXHDEncContext *ctx)
 {
-    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail);
+    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail);
    if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD)
        FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail);

--- a/libavcodec/dsputil.c
+++ b/libavcodec/dsputil.c
@@ -1922,7 +1922,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){

 static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
    long i;
-    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
        long a = *(long*)(src+i);
        long b = *(long*)(dst+i);
        *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1947,7 +1947,7 @@ static void diff_bytes_c(uint8_t *dst, const uint8_t *src1, const uint8_t *src2,
        }
    }else
 #endif
-    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
        long a = *(long*)(src1+i);
        long b = *(long*)(src2+i);
        *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
--- a/libavcodec/dvdsub_parser.c
+++ b/libavcodec/dvdsub_parser.c
@@ -45,8 +45,11 @@ static int dvdsub_parse(AVCodecParserContext *s,
    DVDSubParseContext *pc = s->priv_data;

    if (pc->packet_index == 0) {
-        if (buf_size < 2)
-            return 0;
+        if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) {
+            if (buf_size)
+                av_log(avctx, AV_LOG_DEBUG, "Parser input %d too small\n", buf_size);
+            return buf_size;
+        }
        pc->packet_len = AV_RB16(buf);
        if (pc->packet_len == 0) /* HD-DVD subpicture packet */
            pc->packet_len = AV_RB32(buf+2);
--- a/libavcodec/dxa.c
+++ b/libavcodec/dxa.c
@@ -304,6 +304,11 @@ static av_cold int decode_init(AVCodecContext *avctx)

    avctx->pix_fmt = AV_PIX_FMT_PAL8;

+    if (avctx->width%4 || avctx->height%4) {
+        av_log(avctx, AV_LOG_ERROR, "dimensions are not a multiple of 4");
+        return AVERROR_INVALIDDATA;
+    }
+
    avcodec_get_frame_defaults(&c->pic);
    avcodec_get_frame_defaults(&c->prev);

--- a/libavcodec/eacmv.c
+++ b/libavcodec/eacmv.c
@@ -123,7 +123,7 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t *

 static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t *buf_end)
 {
-    int pal_start, pal_count, i;
+    int pal_start, pal_count, i, fps;

    if(buf_end - buf < 16) {
        av_log(s->avctx, AV_LOG_WARNING, "truncated header\n");
@@ -135,8 +135,9 @@ static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t
    if (s->avctx->width!=s->width || s->avctx->height!=s->height)
        avcodec_set_dimensions(s->avctx, s->width, s->height);

-    s->avctx->time_base.num = 1;
-    s->avctx->time_base.den = AV_RL16(&buf[10]);
+    fps = AV_RL16(&buf[10]);
+    if (fps > 0)
+        s->avctx->time_base = (AVRational){ 1, fps };

    pal_start = AV_RL16(&buf[12]);
    pal_count = AV_RL16(&buf[14]);
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -29,6 +29,7 @@
 */

 #include "avcodec.h"
+#include "bytestream.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "aandcttab.h"
@@ -232,32 +233,34 @@ static int decode_frame(AVCodecContext *avctx,
 {
    const uint8_t *buf = avpkt->data;
    int buf_size       = avpkt->size;
-    const uint8_t *buf_end = buf+buf_size;
    MadContext *s     = avctx->priv_data;
+    GetByteContext gb;
    int width, height, ret;
    int chunk_type;
    int inter;

-    if (buf_size < 26) {
-        av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
-        *got_frame = 0;
+    bytestream2_init(&gb, buf, buf_size);
+
+    chunk_type = bytestream2_get_le32(&gb);
+    inter = (chunk_type == MADm_TAG || chunk_type == MADe_TAG);
+    bytestream2_skip(&gb, 10);
+
+    av_reduce(&avctx->time_base.num, &avctx->time_base.den,
+              bytestream2_get_le16(&gb), 1000, 1<<30);
+
+    width  = bytestream2_get_le16(&gb);
+    height = bytestream2_get_le16(&gb);
+    bytestream2_skip(&gb, 1);
+    calc_quant_matrix(s, bytestream2_get_byte(&gb));
+    bytestream2_skip(&gb, 2);
+
+    if (bytestream2_get_bytes_left(&gb) < 2) {
+        av_log(avctx, AV_LOG_ERROR, "Input data too small\n");
        return AVERROR_INVALIDDATA;
    }

-    chunk_type = AV_RL32(&buf[0]);
-    inter = (chunk_type == MADm_TAG || chunk_type == MADe_TAG);
-    buf += 8;
-
-    av_reduce(&avctx->time_base.num, &avctx->time_base.den,
-              AV_RL16(&buf[6]), 1000, 1<<30);
-
-    width  = AV_RL16(&buf[8]);
-    height = AV_RL16(&buf[10]);
-    calc_quant_matrix(s, buf[13]);
-    buf += 16;
-
    if (avctx->width != width || avctx->height != height) {
-        if((width * height)/2048*7 > buf_end-buf)
+        if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb))
            return AVERROR_INVALIDDATA;
        if ((ret = av_image_check_size(width, height, 0, avctx)) < 0)
            return ret;
@@ -292,13 +295,13 @@ static int decode_frame(AVCodecContext *avctx,
    }

    av_fast_padded_malloc(&s->bitstream_buf, &s->bitstream_buf_size,
-                          buf_end - buf);
+                          bytestream2_get_bytes_left(&gb));
    if (!s->bitstream_buf)
        return AVERROR(ENOMEM);
-    s->dsp.bswap16_buf(s->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2);
-    memset((uint8_t*)s->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE);
-    init_get_bits(&s->gb, s->bitstream_buf, 8*(buf_end-buf));
-
+    s->dsp.bswap16_buf(s->bitstream_buf, (const uint16_t *)(buf + bytestream2_tell(&gb)),
+                         bytestream2_get_bytes_left(&gb) / 2);
+    memset((uint8_t*)s->bitstream_buf + bytestream2_get_bytes_left(&gb), 0, FF_INPUT_BUFFER_PADDING_SIZE);
+    init_get_bits(&s->gb, s->bitstream_buf, 8*(bytestream2_get_bytes_left(&gb)));
    for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
        for (s->mb_x=0; s->mb_x < (avctx->width +15)/16; s->mb_x++)
            if(decode_mb(s, inter) < 0)
--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@@ -924,8 +924,8 @@ void ff_er_frame_end(MpegEncContext *s)
        return;
    };

-    if (   s->picture_structure == PICT_FRAME
-        && s->current_picture.f.linesize[0] != s->current_picture_ptr->f.linesize[0]) {
+    if (s->picture_structure == PICT_FRAME &&
+        s->current_picture.f.linesize[0] != s->current_picture_ptr->f.linesize[0]) {
        av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n");
        return;
    }
--- a/libavcodec/fft-test.c
+++ b/libavcodec/fft-test.c
@@ -112,6 +112,7 @@ static void fft_ref(FFTComplex *tabr, FFTComplex *tab, int nbits)
    }
 }

+#if CONFIG_MDCT
 static void imdct_ref(FFTSample *out, FFTSample *in, int nbits)
 {
    int n = 1<<nbits;
@@ -146,8 +147,10 @@ static void mdct_ref(FFTSample *output, FFTSample *input, int nbits)
        output[k] = REF_SCALE(s, nbits - 1);
    }
 }
+#endif /* CONFIG_MDCT */

 #if CONFIG_FFT_FLOAT
+#if CONFIG_DCT
 static void idct_ref(FFTSample *output, FFTSample *input, int nbits)
 {
    int n = 1<<nbits;
@@ -180,6 +183,7 @@ static void dct_ref(FFTSample *output, FFTSample *input, int nbits)
        output[k] = s;
    }
 }
+#endif /* CONFIG_DCT */
 #endif


@@ -305,6 +309,7 @@ int main(int argc, char **argv)
    tab2 = av_malloc(fft_size * sizeof(FFTSample));

    switch (transform) {
+#if CONFIG_MDCT
    case TRANSFORM_MDCT:
        av_log(NULL, AV_LOG_INFO,"Scale factor is set to %f\n", scale);
        if (do_inverse)
@@ -313,6 +318,7 @@ int main(int argc, char **argv)
            av_log(NULL, AV_LOG_INFO,"MDCT");
        ff_mdct_init(m, fft_nbits, do_inverse, scale);
        break;
+#endif /* CONFIG_MDCT */
    case TRANSFORM_FFT:
        if (do_inverse)
            av_log(NULL, AV_LOG_INFO,"IFFT");
@@ -322,6 +328,7 @@ int main(int argc, char **argv)
        fft_ref_init(fft_nbits, do_inverse);
        break;
 #if CONFIG_FFT_FLOAT
+#if CONFIG_RDFT
    case TRANSFORM_RDFT:
        if (do_inverse)
            av_log(NULL, AV_LOG_INFO,"IDFT_C2R");
@@ -330,6 +337,8 @@ int main(int argc, char **argv)
        ff_rdft_init(r, fft_nbits, do_inverse ? IDFT_C2R : DFT_R2C);
        fft_ref_init(fft_nbits, do_inverse);
        break;
+#endif /* CONFIG_RDFT */
+#if CONFIG_DCT
    case TRANSFORM_DCT:
        if (do_inverse)
            av_log(NULL, AV_LOG_INFO,"DCT_III");
@@ -337,6 +346,7 @@ int main(int argc, char **argv)
            av_log(NULL, AV_LOG_INFO,"DCT_II");
        ff_dct_init(d, fft_nbits, do_inverse ? DCT_III : DCT_II);
        break;
+#endif /* CONFIG_DCT */
 #endif
    default:
        av_log(NULL, AV_LOG_ERROR, "Requested transform not supported\n");
@@ -355,6 +365,7 @@ int main(int argc, char **argv)
    av_log(NULL, AV_LOG_INFO,"Checking...\n");

    switch (transform) {
+#if CONFIG_MDCT
    case TRANSFORM_MDCT:
        if (do_inverse) {
            imdct_ref((FFTSample *)tab_ref, (FFTSample *)tab1, fft_nbits);
@@ -368,6 +379,7 @@ int main(int argc, char **argv)
            err = check_diff((FFTSample *)tab_ref, tab2, fft_size / 2, scale);
        }
        break;
+#endif /* CONFIG_MDCT */
    case TRANSFORM_FFT:
        memcpy(tab, tab1, fft_size * sizeof(FFTComplex));
        s->fft_permute(s, tab);
@@ -377,6 +389,7 @@ int main(int argc, char **argv)
        err = check_diff((FFTSample *)tab_ref, (FFTSample *)tab, fft_size * 2, 1.0);
        break;
 #if CONFIG_FFT_FLOAT
+#if CONFIG_RDFT
    case TRANSFORM_RDFT:
        fft_size_2 = fft_size >> 1;
        if (do_inverse) {
@@ -408,6 +421,8 @@ int main(int argc, char **argv)
            err = check_diff((float *)tab_ref, (float *)tab2, fft_size, 1.0);
        }
        break;
+#endif /* CONFIG_RDFT */
+#if CONFIG_DCT
    case TRANSFORM_DCT:
        memcpy(tab, tab1, fft_size * sizeof(FFTComplex));
        d->dct_calc(d, (FFTSample *)tab);
@@ -418,6 +433,7 @@ int main(int argc, char **argv)
        }
        err = check_diff((float *)tab_ref, (float *)tab, fft_size, 1.0);
        break;
+#endif /* CONFIG_DCT */
 #endif
    }

@@ -469,19 +485,25 @@ int main(int argc, char **argv)
    }

    switch (transform) {
+#if CONFIG_MDCT
    case TRANSFORM_MDCT:
        ff_mdct_end(m);
        break;
+#endif /* CONFIG_MDCT */
    case TRANSFORM_FFT:
        ff_fft_end(s);
        break;
 #if CONFIG_FFT_FLOAT
+#if CONFIG_RDFT
    case TRANSFORM_RDFT:
        ff_rdft_end(r);
        break;
+#endif /* CONFIG_RDFT */
+#if CONFIG_DCT
    case TRANSFORM_DCT:
        ff_dct_end(d);
        break;
+#endif /* CONFIG_DCT */
 #endif
    }

--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -541,31 +541,31 @@ static int read_header(FFV1Context *f)
                f->state_transition[i] = get_symbol(c, state, 1) + c->one_state[i];
        }

-        colorspace     = get_symbol(c, state, 0); //YUV cs type
+        colorspace          = get_symbol(c, state, 0); //YUV cs type
        bits_per_raw_sample = f->version > 0 ? get_symbol(c, state, 0) : f->avctx->bits_per_raw_sample;
-        chroma_planes  = get_rac(c, state);
-        chroma_h_shift = get_symbol(c, state, 0);
-        chroma_v_shift = get_symbol(c, state, 0);
-        transparency   = get_rac(c, state);
+        chroma_planes       = get_rac(c, state);
+        chroma_h_shift      = get_symbol(c, state, 0);
+        chroma_v_shift      = get_symbol(c, state, 0);
+        transparency        = get_rac(c, state);

        if (f->plane_count) {
-            if (   colorspace    != f->colorspace
-                || bits_per_raw_sample != f->avctx->bits_per_raw_sample
-                || chroma_planes != f->chroma_planes
-                || chroma_h_shift!= f->chroma_h_shift
-                || chroma_v_shift!= f->chroma_v_shift
-                || transparency  != f->transparency) {
+            if (colorspace          != f->colorspace                 ||
+                bits_per_raw_sample != f->avctx->bits_per_raw_sample ||
+                chroma_planes       != f->chroma_planes              ||
+                chroma_h_shift      != f->chroma_h_shift             ||
+                chroma_v_shift      != f->chroma_v_shift             ||
+                transparency        != f->transparency) {
                av_log(f->avctx, AV_LOG_ERROR, "Invalid change of global parameters\n");
                return AVERROR_INVALIDDATA;
            }
        }

-        f->colorspace     = colorspace;
+        f->colorspace                 = colorspace;
        f->avctx->bits_per_raw_sample = bits_per_raw_sample;
-        f->chroma_planes  = chroma_planes;
-        f->chroma_h_shift = chroma_h_shift;
-        f->chroma_v_shift = chroma_v_shift;
-        f->transparency   = transparency;
+        f->chroma_planes              = chroma_planes;
+        f->chroma_h_shift             = chroma_h_shift;
+        f->chroma_v_shift             = chroma_v_shift;
+        f->transparency               = transparency;

        f->plane_count    = 2 + f->transparency;
    }
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -467,10 +467,10 @@ static int decode_frame(FLACContext *s)
        ret = allocate_buffers(s);
        if (ret < 0)
            return ret;
-        ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps);
        s->got_streaminfo = 1;
        dump_headers(s->avctx, (FLACStreaminfo *)s);
    }
+    ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps);

 //    dump_headers(s->avctx, (FLACStreaminfo *)s);

--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -390,7 +390,9 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
                    s->diff_start  = get_bits(&gb, 8);
                    s->diff_height = get_bits(&gb, 8);
                    if (s->diff_start + s->diff_height > cur_blk_height) {
-                        av_log(avctx, AV_LOG_ERROR, "Block parameters invalid\n");
+                        av_log(avctx, AV_LOG_ERROR,
+                               "Block parameters invalid: %d + %d > %d\n",
+                               s->diff_start, s->diff_height, cur_blk_height);
                        return AVERROR_INVALIDDATA;
                    }
                    av_log(avctx, AV_LOG_DEBUG,
--- a/libavcodec/g723_1.c
+++ b/libavcodec/g723_1.c
@@ -2292,7 +2292,8 @@ static int pack_bitstream(G723_1_Context *p, unsigned char *frame, int size)
    if (p->cur_rate == RATE_6300) {
        info_bits = 0;
        put_bits(&pb, 2, info_bits);
-    }
+    }else
+        av_assert0(0);

    put_bits(&pb, 8, p->lsp_index[2]);
    put_bits(&pb, 8, p->lsp_index[1]);
--- a/libavcodec/gifdec.c
+++ b/libavcodec/gifdec.c
@@ -65,8 +65,8 @@ typedef struct GifState {
    int stored_img_size;
    int stored_bg_color;

-    GetByteContext gb;
    /* LZW compatible decoder */
+    GetByteContext gb;
    LZWState *lzw;

    /* aux buffers */
@@ -144,11 +144,11 @@ static int gif_read_image(GifState *s)
    if (bytestream2_get_bytes_left(&s->gb) < 9)
        return AVERROR_INVALIDDATA;

-    left = bytestream2_get_le16u(&s->gb);
-    top = bytestream2_get_le16u(&s->gb);
-    width = bytestream2_get_le16u(&s->gb);
+    left   = bytestream2_get_le16u(&s->gb);
+    top    = bytestream2_get_le16u(&s->gb);
+    width  = bytestream2_get_le16u(&s->gb);
    height = bytestream2_get_le16u(&s->gb);
-    flags = bytestream2_get_byteu(&s->gb);
+    flags  = bytestream2_get_byteu(&s->gb);
    is_interleaved = flags & 0x40;
    has_local_palette = flags & 0x80;
    bits_per_pixel = (flags & 0x07) + 1;
@@ -185,8 +185,11 @@ static int gif_read_image(GifState *s)

    /* verify that all the image is inside the screen dimensions */
    if (left + width > s->screen_width ||
-        top + height > s->screen_height)
+        top + height > s->screen_height ||
+        !width || !height) {
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid image dimensions.\n");
        return AVERROR_INVALIDDATA;
+    }

    /* process disposal method */
    if (s->gce_prev_disposal == GCE_DISPOSAL_BACKGROUND) {
@@ -253,26 +256,21 @@ static int gif_read_image(GifState *s)
            case 1:
                y1 += 8;
                ptr += linesize * 8;
-                if (y1 >= height) {
-                    y1 = pass ? 2 : 4;
-                    ptr = ptr1 + linesize * y1;
-                    pass++;
-                }
                break;
            case 2:
                y1 += 4;
                ptr += linesize * 4;
-                if (y1 >= height) {
-                    y1 = 1;
-                    ptr = ptr1 + linesize;
-                    pass++;
-                }
                break;
            case 3:
                y1 += 2;
                ptr += linesize * 2;
                break;
            }
+            while (y1 >= height) {
+                y1  = 4 >> pass;
+                ptr = ptr1 + linesize * y1;
+                pass++;
+            }
        } else {
            ptr += linesize;
        }
@@ -314,7 +312,7 @@ static int gif_read_extension(GifState *s)
        if (bytestream2_get_bytes_left(&s->gb) < 5)
            return AVERROR_INVALIDDATA;

-        gce_flags = bytestream2_get_byteu(&s->gb);
+        gce_flags    = bytestream2_get_byteu(&s->gb);
        bytestream2_skipu(&s->gb, 2);    // delay during which the frame is shown
        gce_transparent_index = bytestream2_get_byteu(&s->gb);
        if (gce_flags & 0x01)
@@ -368,7 +366,7 @@ static int gif_read_header1(GifState *s)

    /* read screen header */
    s->transparent_color_index = -1;
-    s->screen_width = bytestream2_get_le16u(&s->gb);
+    s->screen_width  = bytestream2_get_le16u(&s->gb);
    s->screen_height = bytestream2_get_le16u(&s->gb);
    if(   (unsigned)s->screen_width  > 32767
       || (unsigned)s->screen_height > 32767){
@@ -411,10 +409,10 @@ static int gif_read_header1(GifState *s)

 static int gif_parse_next_image(GifState *s, int *got_picture)
 {
-    int ret;
    *got_picture = 1;
-    while (bytestream2_get_bytes_left(&s->gb)) {
+    while (bytestream2_get_bytes_left(&s->gb) > 0) {
        int code = bytestream2_get_byte(&s->gb);
+        int ret;

        av_dlog(s->avctx, "code=%02x '%c'\n", code, code);

@@ -459,9 +457,9 @@ static int gif_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, A

    bytestream2_init(&s->gb, avpkt->data, avpkt->size);

-    s->picture.pts          = avpkt->pts;
-    s->picture.pkt_pts      = avpkt->pts;
-    s->picture.pkt_dts      = avpkt->dts;
+    s->picture.pts     = avpkt->pts;
+    s->picture.pkt_pts = avpkt->pts;
+    s->picture.pkt_dts = avpkt->dts;
    s->picture.pkt_duration = avpkt->duration;

    if (avpkt->size >= 6) {
@@ -513,7 +511,7 @@ static int gif_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, A
    else if (*got_frame)
        *picture = s->picture;

-    return avpkt->size;
+    return bytestream2_tell(&s->gb);
 }

 static av_cold int gif_decode_close(AVCodecContext *avctx)
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -392,7 +392,6 @@ uint64_t time= rdtsc();
            return buf_size;
    }

-
 retry:
    if(s->divx_packed && s->bitstream_buffer_size){
        int i;
@@ -407,16 +406,20 @@ retry:
        }
    }

-    if(s->bitstream_buffer_size && (s->divx_packed || buf_size<20)){ //divx 5.01+/xvid frame reorder
-        init_get_bits(&s->gb, s->bitstream_buffer, s->bitstream_buffer_size*8);
-    }else
-        init_get_bits(&s->gb, buf, buf_size*8);
-    s->bitstream_buffer_size=0;
+    if (s->bitstream_buffer_size && (s->divx_packed || buf_size < 20)) // divx 5.01+/xvid frame reorder
+        ret = init_get_bits8(&s->gb, s->bitstream_buffer,
+                             s->bitstream_buffer_size);
+    else
+        ret = init_get_bits8(&s->gb, buf, buf_size);

-    if (!s->context_initialized) {
-        if ((ret = ff_MPV_common_init(s)) < 0) //we need the idct permutaton for reading a custom matrix
+    s->bitstream_buffer_size=0;
+    if (ret < 0)
+        return ret;
+
+    if (!s->context_initialized)
+        // we need the idct permutaton for reading a custom matrix
+        if ((ret = ff_MPV_common_init(s)) < 0)
            return ret;
-    }

    /* We need to set current_picture_ptr before reading the header,
     * otherwise we cannot store anyting in there */
@@ -436,8 +439,11 @@ retry:
        if(s->avctx->extradata_size && s->picture_number==0){
            GetBitContext gb;

-            init_get_bits(&gb, s->avctx->extradata, s->avctx->extradata_size*8);
-            ret = ff_mpeg4_decode_picture_header(s, &gb);
+            ret = init_get_bits8(&gb, s->avctx->extradata,
+                                 s->avctx->extradata_size);
+            if (ret < 0)
+                return ret;
+            ff_mpeg4_decode_picture_header(s, &gb);
        }
        ret = ff_mpeg4_decode_picture_header(s, &s->gb);
    } else if (CONFIG_H263I_DECODER && s->codec_id == AV_CODEC_ID_H263I) {
@@ -714,10 +720,10 @@ frame_end:
        }

        if(startcode_found){
-            av_fast_malloc(
+            av_fast_padded_mallocz(
                &s->bitstream_buffer,
                &s->allocated_bitstream_buffer_size,
-                buf_size - current_pos + FF_INPUT_BUFFER_PADDING_SIZE);
+                buf_size - current_pos);
            if (!s->bitstream_buffer)
                return AVERROR(ENOMEM);
            memcpy(s->bitstream_buffer, buf + current_pos, buf_size - current_pos);
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -67,9 +67,15 @@ static const uint8_t div6[QP_MAX_NUM + 1] = {
 };

 static const enum AVPixelFormat hwaccel_pixfmt_list_h264_jpeg_420[] = {
+#if CONFIG_H264_DXVA2_HWACCEL
    AV_PIX_FMT_DXVA2_VLD,
+#endif
+#if CONFIG_H264_VAAPI_HWACCEL
    AV_PIX_FMT_VAAPI_VLD,
+#endif
+#if CONFIG_H264_VDA_HWACCEL
    AV_PIX_FMT_VDA_VLD,
+#endif
    AV_PIX_FMT_YUVJ420P,
    AV_PIX_FMT_NONE
 };
@@ -135,10 +141,10 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h)
 int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma)
 {
    MpegEncContext *const s     = &h->s;
-    static const int8_t top[7]  = { LEFT_DC_PRED8x8, 1, -1, -1 };
-    static const int8_t left[7] = { TOP_DC_PRED8x8, -1, 2, -1, DC_128_PRED8x8 };
+    static const int8_t top[4]  = { LEFT_DC_PRED8x8, 1, -1, -1 };
+    static const int8_t left[5] = { TOP_DC_PRED8x8, -1, 2, -1, DC_128_PRED8x8 };

-    if (mode > 6U) {
+    if (mode > 3U) {
        av_log(h->s.avctx, AV_LOG_ERROR,
               "out of range intra chroma pred mode at %d %d\n",
               s->mb_x, s->mb_y);
@@ -157,18 +163,18 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma)

    if ((h->left_samples_available & 0x8080) != 0x8080) {
        mode = left[mode];
-        if (is_chroma && (h->left_samples_available & 0x8080)) {
-            // mad cow disease mode, aka MBAFF + constrained_intra_pred
-            mode = ALZHEIMER_DC_L0T_PRED8x8 +
-                   (!(h->left_samples_available & 0x8000)) +
-                   2 * (mode == DC_128_PRED8x8);
-        }
        if (mode < 0) {
            av_log(h->s.avctx, AV_LOG_ERROR,
                   "left block unavailable for requested intra mode at %d %d\n",
                   s->mb_x, s->mb_y);
            return -1;
        }
+        if (is_chroma && (h->left_samples_available & 0x8080)) {
+            // mad cow disease mode, aka MBAFF + constrained_intra_pred
+            mode = ALZHEIMER_DC_L0T_PRED8x8 +
+                   (!(h->left_samples_available & 0x8000)) +
+                   2 * (mode == DC_128_PRED8x8);
+        }
    }

    return mode;
@@ -1243,6 +1249,18 @@ static int decode_update_thread_context(AVCodecContext *dst,
        memset(h->sps_buffers, 0, sizeof(h->sps_buffers));
        memset(h->pps_buffers, 0, sizeof(h->pps_buffers));

+        h->intra4x4_pred_mode= NULL;
+        h->non_zero_count    = NULL;
+        h->slice_table_base  = NULL;
+        h->slice_table       = NULL;
+        h->cbp_table         = NULL;
+        h->chroma_pred_mode_table = NULL;
+        memset(h->mvd_table, 0, sizeof(h->mvd_table));
+        h->direct_table      = NULL;
+        h->list_counts       = NULL;
+        h->mb2b_xy           = NULL;
+        h->mb2br_xy          = NULL;
+
        if (s1->context_initialized) {
        if (ff_h264_alloc_tables(h) < 0) {
            av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n");
@@ -1331,6 +1349,8 @@ int ff_h264_frame_start(H264Context *h)
    int i;
    const int pixel_shift = h->pixel_shift;

+    h->next_output_pic = NULL;
+
    if (ff_MPV_frame_start(s, s->avctx) < 0)
        return -1;
    ff_er_frame_start(s);
@@ -1383,8 +1403,6 @@ int ff_h264_frame_start(H264Context *h)
    s->current_picture_ptr->field_poc[0]     =
        s->current_picture_ptr->field_poc[1] = INT_MAX;

-    h->next_output_pic = NULL;
-
    assert(s->current_picture_ptr->long_ref == 0);

    return 0;
@@ -2170,6 +2188,7 @@ static void flush_change(H264Context *h)
    h->sync= 0;
    h->list_count = 0;
    h->current_slice = 0;
+    h->mmco_reset = 1;
 }

 /* forget old pics after a seek */
@@ -2443,12 +2462,6 @@ static int h264_set_parameter_from_sps(H264Context *h)
    if (s->avctx->has_b_frames < 2)
        s->avctx->has_b_frames = !s->low_delay;

-    if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) {
-        av_log_missing_feature(s->avctx,
-            "Different bit depth between chroma and luma", 1);
-        return AVERROR_PATCHWELCOME;
-    }
-
    if (s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma ||
        h->cur_chroma_format_idc      != h->sps.chroma_format_idc) {
        if (s->avctx->codec &&
@@ -2719,6 +2732,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
    h->slice_type     = slice_type;
    h->slice_type_nos = slice_type & 3;

+    if (h->nal_unit_type  == NAL_IDR_SLICE &&
+        h->slice_type_nos != AV_PICTURE_TYPE_I) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "A non-intra slice in an IDR NAL unit.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    // to make a few old functions happy, it's wrong though
    s->pict_type = h->slice_type;

@@ -2920,7 +2939,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
            assert(s0->current_picture_ptr->f.reference != DELAYED_PIC_REF);

            /* Mark old field/frame as completed */
-            if (!last_pic_droppable && s0->current_picture_ptr->owner2 == s0) {
+            if (s0->current_picture_ptr->owner2 == s0) {
                ff_thread_report_progress(&s0->current_picture_ptr->f, INT_MAX,
                                          last_pic_structure == PICT_BOTTOM_FIELD);
            }
@@ -2929,7 +2948,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
            if (!FIELD_PICTURE || s->picture_structure == last_pic_structure) {
                /* Previous field is unmatched. Don't display it, but let it
                 * remain for reference if marked as such. */
-                if (!last_pic_droppable && last_pic_structure != PICT_FRAME) {
+                if (last_pic_structure != PICT_FRAME) {
                    ff_thread_report_progress(&s0->current_picture_ptr->f, INT_MAX,
                                              last_pic_structure == PICT_TOP_FIELD);
                }
@@ -2939,7 +2958,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
                     * different frame_nums. Consider this field first in
                     * pair. Throw away previous field except for reference
                     * purposes. */
-                    if (!last_pic_droppable && last_pic_structure != PICT_FRAME) {
+                    if (last_pic_structure != PICT_FRAME) {
                        ff_thread_report_progress(&s0->current_picture_ptr->f, INT_MAX,
                                                  last_pic_structure == PICT_TOP_FIELD);
                    }
@@ -2983,8 +3002,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
            if (!h->sps.gaps_in_frame_num_allowed_flag)
                for(i=0; i<FF_ARRAY_ELEMS(h->last_pocs); i++)
                    h->last_pocs[i] = INT_MIN;
-            if (ff_h264_frame_start(h) < 0)
+            if (ff_h264_frame_start(h) < 0) {
+                s0->first_field = 0;
                return -1;
+            }
            h->prev_frame_num++;
            h->prev_frame_num %= 1 << h->sps.log2_max_frame_num;
            s->current_picture_ptr->frame_num = h->prev_frame_num;
@@ -3224,8 +3245,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
        get_se_golomb(&s->gb); /* slice_qs_delta */

    h->deblocking_filter     = 1;
-    h->slice_alpha_c0_offset = 52;
-    h->slice_beta_offset     = 52;
+    h->slice_alpha_c0_offset = 0;
+    h->slice_beta_offset     = 0;
    if (h->pps.deblocking_filter_parameters_present) {
        tmp = get_ue_golomb_31(&s->gb);
        if (tmp > 2) {
@@ -3238,10 +3259,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
            h->deblocking_filter ^= 1;  // 1<->0

        if (h->deblocking_filter) {
-            h->slice_alpha_c0_offset += get_se_golomb(&s->gb) << 1;
-            h->slice_beta_offset     += get_se_golomb(&s->gb) << 1;
-            if (h->slice_alpha_c0_offset > 104U ||
-                h->slice_beta_offset     > 104U) {
+            h->slice_alpha_c0_offset = get_se_golomb(&s->gb) * 2;
+            h->slice_beta_offset     = get_se_golomb(&s->gb) * 2;
+            if (h->slice_alpha_c0_offset >  12 ||
+                h->slice_alpha_c0_offset < -12 ||
+                h->slice_beta_offset >  12     ||
+                h->slice_beta_offset < -12) {
                av_log(s->avctx, AV_LOG_ERROR,
                       "deblocking filter parameters %d %d out of range\n",
                       h->slice_alpha_c0_offset, h->slice_beta_offset);
@@ -3278,7 +3301,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
            }
        }
    }
-    h->qp_thresh = 15 + 52 -
+    h->qp_thresh = 15 -
                   FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) -
                   FFMAX3(0,
                          h->pps.chroma_qp_index_offset[0],
@@ -3352,7 +3375,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
               h->ref_count[0], h->ref_count[1],
               s->qscale,
               h->deblocking_filter,
-               h->slice_alpha_c0_offset / 2 - 26, h->slice_beta_offset / 2 - 26,
+               h->slice_alpha_c0_offset, h->slice_beta_offset,
               h->use_weight,
               h->use_weight == 1 && h->use_weight_chroma ? "c" : "",
               h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? "SPAT" : "TEMP") : "");
@@ -3905,6 +3928,8 @@ static int execute_decode_slices(H264Context *h, int context_count)
    H264Context *hx;
    int i;

+    av_assert0(s->mb_y < s->mb_height);
+
    if (s->avctx->hwaccel ||
        s->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU)
        return 0;
@@ -4027,7 +4052,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size,
                s->workaround_bugs |= FF_BUG_TRUNCATED;

            if (!(s->workaround_bugs & FF_BUG_TRUNCATED))
-                while(dst_length > 0 && ptr[dst_length - 1] == 0)
+                while (dst_length > 0 && ptr[dst_length - 1] == 0)
                    dst_length--;
            bit_length = !dst_length ? 0
                                     : (8 * dst_length -
@@ -4180,12 +4205,24 @@ again:
                }
                break;
            case NAL_DPA:
+                if (s->flags2 & CODEC_FLAG2_CHUNKS) {
+                    av_log(h->s.avctx, AV_LOG_ERROR,
+                           "Decoding in chunks is not supported for "
+                           "partitioned slices.\n");
+                    return AVERROR(ENOSYS);
+                }
+
                init_get_bits(&hx->s.gb, ptr, bit_length);
                hx->intra_gb_ptr =
                hx->inter_gb_ptr = NULL;

-                if ((err = decode_slice_header(hx, h)) < 0)
+                if ((err = decode_slice_header(hx, h)) < 0) {
+                    /* make sure data_partitioning is cleared if it was set
+                     * before, so we don't try decoding a slice without a valid
+                     * slice header later */
+                    h->s.data_partitioning = 0;
                    break;
+                }

                hx->s.data_partitioning = 1;
                break;
@@ -4255,9 +4292,10 @@ again:
                context_count = 0;
            }

-            if (err < 0)
+            if (err < 0) {
                av_log(h->s.avctx, AV_LOG_ERROR, "decode_slice_header error\n");
-            else if (err == 1) {
+                h->ref_count[0] = h->ref_count[1] = h->list_count = 0;
+            } else if (err == 1) {
                /* Slice could not be decoded in parallel mode, copy down
                 * NAL unit stuff to context 0 and restart. Note that
                 * rbsp_buffer is not transferred, but since we no longer
@@ -4310,6 +4348,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,

    s->flags  = avctx->flags;
    s->flags2 = avctx->flags2;
+    /* reset data partitioning here, to ensure GetBitContexts from previous
+     * packets do not get used. */
+    s->data_partitioning = 0;

    /* end of stream, output what is still in the buffers */
    if (buf_size == 0) {
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -771,6 +771,10 @@ decode_intra_mb:

        // We assume these blocks are very rare so we do not optimize it.
        align_get_bits(&s->gb);
+        if (get_bits_left(&s->gb) < mb_size) {
+            av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n");
+            return AVERROR_INVALIDDATA;
+        }

        // The pixels are stored in the same order as levels in h->mb array.
        for(x=0; x < mb_size; x++){
--- a/libavcodec/h264_loopfilter.c
+++ b/libavcodec/h264_loopfilter.c
@@ -251,8 +251,8 @@ static av_always_inline void h264_filter_mb_fast_internal(H264Context *h,
    int top_type= h->top_type;

    int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;

    int mb_type = s->current_picture.f.mb_type[mb_xy];
    int qp      = s->current_picture.f.qscale_table[mb_xy];
@@ -712,8 +712,8 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint
    av_unused int dir;
    int chroma = CHROMA && !(CONFIG_GRAY && (s->flags&CODEC_FLAG_GRAY));
    int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;

    if (FRAME_MBAFF
            // and current and left pair do not have the same interlaced type
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -154,7 +154,7 @@ pps:
            goto fail;

        /* prepend only to the first type 5 NAL unit of an IDR picture */
-        if (ctx->first_idr && unit_type == 5) {
+        if (ctx->first_idr && (unit_type == 5 || unit_type == 7 || unit_type == 8)) {
            if ((ret=alloc_and_copy(poutbuf, poutbuf_size,
                               avctx->extradata, avctx->extradata_size,
                               buf, nal_size)) < 0)
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -267,7 +267,9 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){
        }

        if(sps->num_reorder_frames > 16U /*max_dec_frame_buffering || max_dec_frame_buffering > 16*/){
-            av_log(h->s.avctx, AV_LOG_ERROR, "illegal num_reorder_frames %d\n", sps->num_reorder_frames);
+            av_log(h->s.avctx, AV_LOG_ERROR, "Clipping illegal num_reorder_frames %d\n",
+                   sps->num_reorder_frames);
+            sps->num_reorder_frames = 16;
            return -1;
        }
    }
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -63,7 +63,9 @@ static int split_field_copy(Picture *dest, Picture *src,
    return match;
 }

-static int build_def_list(Picture *def, Picture **in, int len, int is_long, int sel){
+static int build_def_list(Picture *def, int def_len,
+                          Picture **in, int len, int is_long, int sel)
+{
    int i[2]={0};
    int index=0;

@@ -73,10 +75,12 @@ static int build_def_list(Picture *def, Picture **in, int len, int is_long, int
        while (i[1] < len && !(in[ i[1] ] && (in[ i[1] ]->f.reference & (sel^3))))
            i[1]++;
        if(i[0] < len){
+            av_assert0(index < def_len);
            in[ i[0] ]->pic_id= is_long ? i[0] : in[ i[0] ]->frame_num;
            split_field_copy(&def[index++], in[ i[0]++ ], sel  , 1);
        }
        if(i[1] < len){
+            av_assert0(index < def_len);
            in[ i[1] ]->pic_id= is_long ? i[1] : in[ i[1] ]->frame_num;
            split_field_copy(&def[index++], in[ i[1]++ ], sel^3, 0);
        }
@@ -124,8 +128,12 @@ int ff_h264_fill_default_ref_list(H264Context *h){
            len= add_sorted(sorted    , h->short_ref, h->short_ref_count, cur_poc, 1^list);
            len+=add_sorted(sorted+len, h->short_ref, h->short_ref_count, cur_poc, 0^list);
            av_assert0(len<=32);
-            len= build_def_list(h->default_ref_list[list]    , sorted     , len, 0, s->picture_structure);
-            len+=build_def_list(h->default_ref_list[list]+len, h->long_ref, 16 , 1, s->picture_structure);
+            len  = build_def_list(h->default_ref_list[list], FF_ARRAY_ELEMS(h->default_ref_list[0]),
+                                  sorted, len, 0, s->picture_structure);
+            len += build_def_list(h->default_ref_list[list] + len,
+                                  FF_ARRAY_ELEMS(h->default_ref_list[0]) - len,
+                                  h->long_ref, 16, 1, s->picture_structure);
+
            av_assert0(len<=32);

            if(len < h->ref_count[list])
@@ -139,8 +147,12 @@ int ff_h264_fill_default_ref_list(H264Context *h){
                FFSWAP(Picture, h->default_ref_list[1][0], h->default_ref_list[1][1]);
        }
    }else{
-        len = build_def_list(h->default_ref_list[0]    , h->short_ref, h->short_ref_count, 0, s->picture_structure);
-        len+= build_def_list(h->default_ref_list[0]+len, h-> long_ref, 16                , 1, s->picture_structure);
+        len  = build_def_list(h->default_ref_list[0], FF_ARRAY_ELEMS(h->default_ref_list[0]),
+                              h->short_ref, h->short_ref_count, 0, s->picture_structure);
+        len += build_def_list(h->default_ref_list[0] + len,
+                              FF_ARRAY_ELEMS(h->default_ref_list[0]) - len,
+                              h-> long_ref, 16, 1, s->picture_structure);
+
        av_assert0(len<=32);
        if(len < h->ref_count[0])
            memset(&h->default_ref_list[0][len], 0, sizeof(Picture)*(h->ref_count[0] - len));
@@ -550,7 +562,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){
            if(!pic){
                if(mmco[i].opcode != MMCO_SHORT2LONG || !h->long_ref[mmco[i].long_arg]
                   || h->long_ref[mmco[i].long_arg]->frame_num != frame_num) {
-                    av_log(h->s.avctx, AV_LOG_ERROR, "mmco: unref short failure\n");
+                    av_log(h->s.avctx, h->short_ref_count ? AV_LOG_ERROR : AV_LOG_DEBUG, "mmco: unref short failure\n");
                    err = AVERROR_INVALIDDATA;
                }
                continue;
@@ -687,7 +699,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){
    print_short_term(h);
    print_long_term(h);

-    if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=1 + (s->picture_structure != PICT_FRAME) && s->current_picture_ptr->f.pict_type == AV_PICTURE_TYPE_I){
+    if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=2 + (s->picture_structure != PICT_FRAME) && s->current_picture_ptr->f.pict_type == AV_PICTURE_TYPE_I){
        s->current_picture_ptr->sync |= 1;
        if(!h->s.avctx->has_b_frames)
            h->sync = 2;
--- a/libavcodec/h264_sei.c
+++ b/libavcodec/h264_sei.c
@@ -223,6 +223,12 @@ int ff_h264_decode_sei(H264Context *h){
        if(s->avctx->debug&FF_DEBUG_STARTCODE)
            av_log(h->s.avctx, AV_LOG_DEBUG, "SEI %d len:%d\n", type, size);

+        if (size > get_bits_left(&s->gb) / 8) {
+            av_log(s->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n",
+                   type, get_bits_left(&s->gb));
+            return AVERROR_INVALIDDATA;
+        }
+
        switch(type){
        case SEI_TYPE_PIC_TIMING: // Picture timing SEI
            if(decode_picture_timing(h) < 0)
--- a/libavcodec/h264dsp.c
+++ b/libavcodec/h264dsp.c
@@ -63,13 +63,13 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo
    c->h264_idct8_dc_add= FUNC(ff_h264_idct8_dc_add, depth);\
    c->h264_idct_add16     = FUNC(ff_h264_idct_add16, depth);\
    c->h264_idct8_add4     = FUNC(ff_h264_idct8_add4, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_idct_add8  = FUNC(ff_h264_idct_add8, depth);\
    else\
        c->h264_idct_add8  = FUNC(ff_h264_idct_add8_422, depth);\
    c->h264_idct_add16intra= FUNC(ff_h264_idct_add16intra, depth);\
    c->h264_luma_dc_dequant_idct= FUNC(ff_h264_luma_dc_dequant_idct, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma_dc_dequant_idct, depth);\
    else\
        c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma422_dc_dequant_idct, depth);\
@@ -90,20 +90,20 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo
    c->h264_h_loop_filter_luma_intra= FUNC(h264_h_loop_filter_luma_intra, depth);\
    c->h264_h_loop_filter_luma_mbaff_intra= FUNC(h264_h_loop_filter_luma_mbaff_intra, depth);\
    c->h264_v_loop_filter_chroma= FUNC(h264_v_loop_filter_chroma, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma, depth);\
    else\
        c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma422, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma_mbaff, depth);\
    else\
        c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma422_mbaff, depth);\
    c->h264_v_loop_filter_chroma_intra= FUNC(h264_v_loop_filter_chroma_intra, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma_intra, depth);\
    else\
        c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma422_intra, depth);\
-    if (chroma_format_idc == 1)\
+    if (chroma_format_idc <= 1)\
        c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma_mbaff_intra, depth);\
    else\
        c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma422_mbaff_intra, depth);\
--- a/libavcodec/h264pred.c
+++ b/libavcodec/h264pred.c
@@ -480,7 +480,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth,
    h->pred8x8l[TOP_DC_PRED         ]= FUNCC(pred8x8l_top_dc              , depth);\
    h->pred8x8l[DC_128_PRED         ]= FUNCC(pred8x8l_128_dc              , depth);\
 \
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
        h->pred8x8[VERT_PRED8x8   ]= FUNCC(pred8x8_vertical               , depth);\
        h->pred8x8[HOR_PRED8x8    ]= FUNCC(pred8x8_horizontal             , depth);\
    } else {\
@@ -488,7 +488,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth,
        h->pred8x8[HOR_PRED8x8    ]= FUNCC(pred8x16_horizontal            , depth);\
    }\
    if (codec_id != AV_CODEC_ID_VP8) {\
-        if (chroma_format_idc == 1) {\
+        if (chroma_format_idc <= 1) {\
            h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x8_plane                , depth);\
        } else {\
            h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x16_plane               , depth);\
@@ -496,7 +496,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth,
    } else\
        h->pred8x8[PLANE_PRED8x8]= FUNCD(pred8x8_tm_vp8);\
    if(codec_id != AV_CODEC_ID_RV40 && codec_id != AV_CODEC_ID_VP8){\
-        if (chroma_format_idc == 1) {\
+        if (chroma_format_idc <= 1) {\
            h->pred8x8[DC_PRED8x8     ]= FUNCC(pred8x8_dc                     , depth);\
            h->pred8x8[LEFT_DC_PRED8x8]= FUNCC(pred8x8_left_dc                , depth);\
            h->pred8x8[TOP_DC_PRED8x8 ]= FUNCC(pred8x8_top_dc                 , depth);\
@@ -522,7 +522,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth,
            h->pred8x8[DC_129_PRED8x8]= FUNCC(pred8x8_129_dc              , depth);\
        }\
    }\
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
        h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x8_128_dc                 , depth);\
    } else {\
        h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x16_128_dc                , depth);\
@@ -556,7 +556,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth,
    h->pred4x4_add  [ HOR_PRED   ]= FUNCC(pred4x4_horizontal_add          , depth);\
    h->pred8x8l_add [VERT_PRED   ]= FUNCC(pred8x8l_vertical_add           , depth);\
    h->pred8x8l_add [ HOR_PRED   ]= FUNCC(pred8x8l_horizontal_add         , depth);\
-    if (chroma_format_idc == 1) {\
+    if (chroma_format_idc <= 1) {\
    h->pred8x8_add  [VERT_PRED8x8]= FUNCC(pred8x8_vertical_add            , depth);\
    h->pred8x8_add  [ HOR_PRED8x8]= FUNCC(pred8x8_horizontal_add          , depth);\
    } else {\
--- a/libavcodec/huffyuvdec.c
+++ b/libavcodec/huffyuvdec.c
@@ -107,11 +107,13 @@ static int read_len_table(uint8_t *dst, GetBitContext *gb)
    return 0;
 }

-static void generate_joint_tables(HYuvContext *s)
+static int generate_joint_tables(HYuvContext *s)
 {
    uint16_t symbols[1 << VLC_BITS];
    uint16_t bits[1 << VLC_BITS];
    uint8_t len[1 << VLC_BITS];
+    int ret;
+
    if (s->bitstream_bpp < 24) {
        int p, i, y, u;
        for (p = 0; p < 3; p++) {
@@ -133,8 +135,9 @@ static void generate_joint_tables(HYuvContext *s)
                }
            }
            ff_free_vlc(&s->vlc[3 + p]);
-            ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1, 1,
-                               bits, 2, 2, symbols, 2, 2, 0);
+            if ((ret = ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1, 1,
+                                          bits, 2, 2, symbols, 2, 2, 0)) < 0)
+                return ret;
        }
    } else {
        uint8_t (*map)[4] = (uint8_t(*)[4])s->pix_bgr_map;
@@ -176,31 +179,34 @@ static void generate_joint_tables(HYuvContext *s)
            }
        }
        ff_free_vlc(&s->vlc[3]);
-        init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, bits, 2, 2, 0);
+        if ((ret = init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1,
+                            bits, 2, 2, 0)) < 0)
+            return ret;
    }
+    return 0;
 }

 static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length)
 {
    GetBitContext gb;
-    int i;
-    int ret;
+    int i, ret;

-    init_get_bits(&gb, src, length * 8);
+    if ((ret = init_get_bits(&gb, src, length * 8)) < 0)
+        return ret;

    for (i = 0; i < 3; i++) {
-        if (read_len_table(s->len[i], &gb) < 0)
-            return -1;
-        if (ff_huffyuv_generate_bits_table(s->bits[i], s->len[i]) < 0) {
-            return -1;
-        }
+        if ((ret = read_len_table(s->len[i], &gb)) < 0)
+            return ret;
+        if ((ret = ff_huffyuv_generate_bits_table(s->bits[i], s->len[i])) < 0)
+            return ret;
        ff_free_vlc(&s->vlc[i]);
        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
-                           s->bits[i], 4, 4, 0)) < 0)
+                            s->bits[i], 4, 4, 0)) < 0)
            return ret;
    }

-    generate_joint_tables(s);
+    if ((ret = generate_joint_tables(s)) < 0)
+        return ret;

    return (get_bits_count(&gb) + 7) / 8;
 }
@@ -208,18 +214,19 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length)
 static int read_old_huffman_tables(HYuvContext *s)
 {
    GetBitContext gb;
-    int i;
-    int ret;
+    int i, ret;

-    init_get_bits(&gb, classic_shift_luma,
-                  classic_shift_luma_table_size * 8);
-    if (read_len_table(s->len[0], &gb) < 0)
-        return -1;
+    if ((ret = init_get_bits(&gb, classic_shift_luma,
+                             classic_shift_luma_table_size * 8)) < 0)
+        return ret;
+    if ((ret = read_len_table(s->len[0], &gb)) < 0)
+        return ret;

-    init_get_bits(&gb, classic_shift_chroma,
-                  classic_shift_chroma_table_size * 8);
-    if (read_len_table(s->len[1], &gb) < 0)
-        return -1;
+    if ((ret = init_get_bits(&gb, classic_shift_chroma,
+                             classic_shift_chroma_table_size * 8)) < 0)
+        return ret;
+    if ((ret = read_len_table(s->len[1], &gb)) < 0)
+        return ret;

    for(i=0; i<256; i++) s->bits[0][i] = classic_add_luma  [i];
    for(i=0; i<256; i++) s->bits[1][i] = classic_add_chroma[i];
@@ -238,7 +245,8 @@ static int read_old_huffman_tables(HYuvContext *s)
            return ret;
    }

-    generate_joint_tables(s);
+    if ((ret = generate_joint_tables(s)) < 0)
+        return ret;

    return 0;
 }
@@ -246,6 +254,7 @@ static int read_old_huffman_tables(HYuvContext *s)
 static av_cold int decode_init(AVCodecContext *avctx)
 {
    HYuvContext *s = avctx->priv_data;
+    int ret;

    ff_huffyuv_common_init(avctx);
    memset(s->vlc, 0, 3 * sizeof(VLC));
@@ -281,9 +290,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
        s->interlaced = (interlace == 1) ? 1 : (interlace == 2) ? 0 : s->interlaced;
        s->context = ((uint8_t*)avctx->extradata)[2] & 0x40 ? 1 : 0;

-        if ( read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4,
-                                 avctx->extradata_size - 4) < 0)
-            return AVERROR_INVALIDDATA;
+        if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4,
+                                       avctx->extradata_size - 4)) < 0)
+            return ret;
    }else{
        switch (avctx->bits_per_coded_sample & 7) {
        case 1:
@@ -310,8 +319,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
        s->bitstream_bpp = avctx->bits_per_coded_sample & ~7;
        s->context = 0;

-        if (read_old_huffman_tables(s) < 0)
-            return AVERROR_INVALIDDATA;
+        if ((ret = read_old_huffman_tables(s)) < 0)
+            return ret;
    }

    switch (s->bitstream_bpp) {
@@ -341,13 +350,16 @@ static av_cold int decode_init(AVCodecContext *avctx)
        av_log(avctx, AV_LOG_ERROR, "width must be even for this colorspace\n");
        return AVERROR_INVALIDDATA;
    }
-    if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P && avctx->width%4) {
-        av_log(avctx, AV_LOG_ERROR, "width must be a multiple of 4 this colorspace and predictor\n");
+    if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P &&
+        avctx->width % 4) {
+        av_log(avctx, AV_LOG_ERROR, "width must be a multiple of 4 "
+               "for this combination of colorspace and predictor type.\n");
        return AVERROR_INVALIDDATA;
    }
-    if (ff_huffyuv_alloc_temp(s)) {
+
+    if ((ret = ff_huffyuv_alloc_temp(s)) < 0) {
        ff_huffyuv_common_end(s);
-        return AVERROR(ENOMEM);
+        return ret;
    }

    return 0;
@@ -356,24 +368,24 @@ static av_cold int decode_init(AVCodecContext *avctx)
 static av_cold int decode_init_thread_copy(AVCodecContext *avctx)
 {
    HYuvContext *s = avctx->priv_data;
-    int i;
+    int i, ret;

    avctx->coded_frame= &s->picture;
-    if (ff_huffyuv_alloc_temp(s)) {
+    if ((ret = ff_huffyuv_alloc_temp(s)) < 0) {
        ff_huffyuv_common_end(s);
-        return AVERROR(ENOMEM);
+        return ret;
    }

    for (i = 0; i < 6; i++)
        s->vlc[i].table = NULL;

    if (s->version == 2) {
-        if (read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4,
-                                avctx->extradata_size) < 0)
-            return AVERROR_INVALIDDATA;
+        if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4,
+                                       avctx->extradata_size)) < 0)
+            return ret;
    } else {
-        if (read_old_huffman_tables(s) < 0)
-            return AVERROR_INVALIDDATA;
+        if ((ret = read_old_huffman_tables(s)) < 0)
+            return ret;
    }

    return 0;
@@ -532,14 +544,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    if (s->context) {
        table_size = read_huffman_tables(s, s->bitstream_buffer, buf_size);
        if (table_size < 0)
-            return AVERROR_INVALIDDATA;
+            return table_size;
    }

    if ((unsigned)(buf_size-table_size) >= INT_MAX / 8)
        return AVERROR_INVALIDDATA;

-    init_get_bits(&s->gb, s->bitstream_buffer+table_size,
-                  (buf_size-table_size) * 8);
+    if ((ret = init_get_bits(&s->gb, s->bitstream_buffer + table_size,
+                             (buf_size - table_size) * 8)) < 0)
+        return ret;

    fake_ystride = s->interlaced ? p->linesize[0] * 2  : p->linesize[0];
    fake_ustride = s->interlaced ? p->linesize[1] * 2  : p->linesize[1];
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -832,9 +832,9 @@ static int decode_frame(AVCodecContext *avctx,
        break;
    case 4:
        bytestream2_init(&gb, buf, buf_size);
-        if (avctx->codec_tag == MKTAG('R','G','B','8'))
+        if (avctx->codec_tag == MKTAG('R','G','B','8') && avctx->pix_fmt == AV_PIX_FMT_RGB32)
            decode_rgb8(&gb, s->frame.data[0], avctx->width, avctx->height, s->frame.linesize[0]);
-        else if (avctx->codec_tag == MKTAG('R','G','B','N'))
+        else if (avctx->codec_tag == MKTAG('R','G','B','N') && avctx->pix_fmt == AV_PIX_FMT_RGB444)
            decode_rgbn(&gb, s->frame.data[0], avctx->width, avctx->height, s->frame.linesize[0]);
        else
            return unsupported(avctx);
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -94,7 +94,7 @@ typedef struct Indeo3DecodeContext {

    int16_t         width, height;
    uint32_t        frame_num;      ///< current frame number (zero-based)
-    uint32_t        data_size;      ///< size of the frame data in bytes
+    int             data_size;      ///< size of the frame data in bytes
    uint16_t        frame_flags;    ///< frame properties
    uint8_t         cb_offset;      ///< needed for selecting VQ tables
    uint8_t         buf_sel;        ///< active frame buffer: 0 - primary, 1 -secondary
@@ -906,7 +906,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
    GetByteContext gb;
    const uint8_t   *bs_hdr;
    uint32_t        frame_num, word2, check_sum, data_size;
-    uint32_t        y_offset, u_offset, v_offset, starts[3], ends[3];
+    int             y_offset, u_offset, v_offset;
+    uint32_t        starts[3], ends[3];
    uint16_t        height, width;
    int             i, j;

@@ -987,7 +988,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
    ctx->y_data_size = ends[0] - starts[0];
    ctx->v_data_size = ends[1] - starts[1];
    ctx->u_data_size = ends[2] - starts[2];
-    if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 ||
+    if (FFMIN3(y_offset, v_offset, u_offset) < 0 ||
+        FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 ||
        FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 ||
        FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) {
        av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n");
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -296,6 +296,7 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,

    band->is_empty = get_bits1(&ctx->gb);
    if (!band->is_empty) {
+        int old_blk_size = band->blk_size;
        /* skip header size
         * If header size is not given, header size is 4 bytes. */
        if (get_bits1(&ctx->gb))
@@ -391,6 +392,17 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
                return AVERROR_INVALIDDATA;
            }
            band->quant_mat = quant_mat;
+        } else {
+            if (old_blk_size != band->blk_size) {
+                av_log(avctx, AV_LOG_ERROR,
+                       "The band block size does not match the configuration "
+                       "inherited\n");
+                return AVERROR_INVALIDDATA;
+            }
+            if (band->quant_mat < 0) {
+                av_log(avctx, AV_LOG_ERROR, "Invalid quant_mat inherited\n");
+                return AVERROR_INVALIDDATA;
+            }
        }
        if (quant_index_to_tab[band->quant_mat] > 4 && band->blk_size == 4) {
            av_log(avctx, AV_LOG_ERROR, "Invalid quant matrix for 4x4 block encountered!\n");
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -757,6 +757,8 @@ int ff_h263_decode_mb(MpegEncContext *s,
        }

        if(IS_DIRECT(mb_type)){
+            if (!s->pp_time)
+                return AVERROR_INVALIDDATA;
            s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT;
            mb_type |= ff_mpeg4_set_direct_mv(s, 0, 0);
        }else{
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -142,6 +142,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, int RI
        ret = ret >> 1;
    }

+    if(FFABS(ret) > 0xFFFF)
+        return -0x10000;
    /* update state */
    state->A[Q] += FFABS(ret) - RItype;
    ret *= state->twonear;
@@ -205,6 +207,11 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, void *
                x += stride;
            }

+            if (x >= w) {
+                av_log(NULL, AV_LOG_ERROR, "run overflow\n");
+                return;
+            }
+
            /* decode run termination value */
            Rb = R(last, x);
            RItype = (FFABS(Ra - Rb) <= state->near) ? 1 : 0;
--- a/libavcodec/jvdec.c
+++ b/libavcodec/jvdec.c
@@ -40,6 +40,14 @@ typedef struct JvContext {
 static av_cold int decode_init(AVCodecContext *avctx)
 {
    JvContext *s = avctx->priv_data;
+
+    if (!avctx->width || !avctx->height ||
+        (avctx->width & 7) || (avctx->height & 7)) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n",
+               avctx->width, avctx->height);
+        return AVERROR(EINVAL);
+    }
+
    avctx->pix_fmt = AV_PIX_FMT_PAL8;
    ff_dsputil_init(&s->dsp, avctx);
    return 0;
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -53,6 +53,7 @@ typedef struct LagarithContext {
    int zeros;                  /**< number of consecutive zero bytes encountered */
    int zeros_rem;              /**< number of zero bytes remaining to output */
    uint8_t *rgb_planes;
+    int      rgb_planes_allocated;
    int rgb_stride;
 } LagarithContext;

@@ -567,13 +568,12 @@ static int lag_decode_frame(AVCodecContext *avctx,
        offs[1] = offset_gu;
        offs[2] = offset_ry;

+        l->rgb_stride = FFALIGN(avctx->width, 16);
+        av_fast_malloc(&l->rgb_planes, &l->rgb_planes_allocated,
+                       l->rgb_stride * avctx->height * planes + 1);
        if (!l->rgb_planes) {
-            l->rgb_stride = FFALIGN(avctx->width, 16);
-            l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * 4 + 16);
-            if (!l->rgb_planes) {
-                av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
-                return AVERROR(ENOMEM);
-            }
+            av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
+            return AVERROR(ENOMEM);
        }
        for (i = 0; i < planes; i++)
            srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride;
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -199,7 +199,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
    case AV_CODEC_ID_MSZH:
        switch (c->compression) {
        case COMP_MSZH:
-            if (c->imgtype == IMGTYPE_RGB24 && len == width * height * 3) {
+            if (c->imgtype == IMGTYPE_RGB24 && len == width * height * 3 ||
+                c->imgtype == IMGTYPE_YUV111 && len == width * height * 3) {
                ;
            } else if (c->flags & FLAG_MULTITHREAD) {
                mthread_inlen = AV_RL32(encoded);
--- a/libavcodec/libmp3lame.c
+++ b/libavcodec/libmp3lame.c
@@ -191,6 +191,7 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
    MPADecodeHeader hdr;
    int len, ret, ch;
    int lame_result;
+    uint32_t h;

    if (frame) {
        switch (avctx->sample_fmt) {
@@ -246,7 +247,12 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
       determine the frame size. */
    if (s->buffer_index < 4)
        return 0;
-    if (avpriv_mpegaudio_decode_header(&hdr, AV_RB32(s->buffer))) {
+    h = AV_RB32(s->buffer);
+    if (ff_mpa_check_header(h) < 0) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid mp3 header at start of buffer\n");
+        return AVERROR_BUG;
+    }
+    if (avpriv_mpegaudio_decode_header(&hdr, h)) {
        av_log(avctx, AV_LOG_ERROR, "free format output not supported\n");
        return -1;
    }
--- a/libavcodec/libopusenc.c
+++ b/libavcodec/libopusenc.c
@@ -375,7 +375,7 @@ static const AVOption libopus_options[] = {
        { "voip",           "Favor improved speech intelligibility",   0, AV_OPT_TYPE_CONST, { .i64 = OPUS_APPLICATION_VOIP },                0, 0, FLAGS, "application" },
        { "audio",          "Favor faithfulness to the input",         0, AV_OPT_TYPE_CONST, { .i64 = OPUS_APPLICATION_AUDIO },               0, 0, FLAGS, "application" },
        { "lowdelay",       "Restrict to only the lowest delay modes", 0, AV_OPT_TYPE_CONST, { .i64 = OPUS_APPLICATION_RESTRICTED_LOWDELAY }, 0, 0, FLAGS, "application" },
-    { "frame_duration", "Duration of a frame in milliseconds", OFFSET(frame_duration), AV_OPT_TYPE_FLOAT, { .dbl = 10.0 }, 2.5, 60.0, FLAGS },
+    { "frame_duration", "Duration of a frame in milliseconds", OFFSET(frame_duration), AV_OPT_TYPE_FLOAT, { .dbl = 20.0 }, 2.5, 60.0, FLAGS },
    { "packet_loss",    "Expected packet loss percentage",     OFFSET(packet_loss),    AV_OPT_TYPE_INT,   { .i64 = 0 },    0,   100,  FLAGS },
    { "vbr",            "Variable bit rate mode",              OFFSET(vbr),            AV_OPT_TYPE_INT,   { .i64 = 1 },    0,   2,    FLAGS, "vbr" },
        { "off",            "Use constant bit rate", 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, 0, 0, FLAGS, "vbr" },
--- a/libavcodec/libvorbisenc.c
+++ b/libavcodec/libvorbisenc.c
@@ -362,7 +362,8 @@ static int oggvorbis_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
            avctx->delay              = duration;
            av_assert0(!s->afq.remaining_delay);
            s->afq.frames->duration  += duration;
-            s->afq.frames->pts       -= duration;
+            if (s->afq.frames->pts != AV_NOPTS_VALUE)
+                s->afq.frames->pts       -= duration;
            s->afq.remaining_samples += duration;
        }
        ff_af_queue_remove(&s->afq, duration, &avpkt->pts, &avpkt->duration);
--- a/libavcodec/lzw.c
+++ b/libavcodec/lzw.c
@@ -28,6 +28,7 @@
 */

 #include "avcodec.h"
+#include "bytestream.h"
 #include "lzw.h"
 #include "libavutil/mem.h"

@@ -43,7 +44,7 @@ static const uint16_t mask[17] =
 };

 struct LZWState {
-    const uint8_t *pbuf, *ebuf;
+    GetByteContext gb;
    int bbits;
    unsigned int bbuf;

@@ -73,9 +74,9 @@ static int lzw_get_code(struct LZWState * s)
    if(s->mode == FF_LZW_GIF) {
        while (s->bbits < s->cursize) {
            if (!s->bs) {
-                s->bs = *s->pbuf++;
+                s->bs = bytestream2_get_byte(&s->gb);
            }
-            s->bbuf |= (*s->pbuf++) << s->bbits;
+            s->bbuf |= bytestream2_get_byte(&s->gb) << s->bbits;
            s->bbits += 8;
            s->bs--;
        }
@@ -83,7 +84,7 @@ static int lzw_get_code(struct LZWState * s)
        s->bbuf >>= s->cursize;
    } else { // TIFF
        while (s->bbits < s->cursize) {
-            s->bbuf = (s->bbuf << 8) | (*s->pbuf++);
+            s->bbuf = (s->bbuf << 8) | bytestream2_get_byte(&s->gb);
            s->bbits += 8;
        }
        c = s->bbuf >> (s->bbits - s->cursize);
@@ -97,17 +98,12 @@ void ff_lzw_decode_tail(LZWState *p)
    struct LZWState *s = (struct LZWState *)p;

    if(s->mode == FF_LZW_GIF) {
-        while (s->bs > 0) {
-            if (s->bs >= s->ebuf - s->pbuf) {
-                s->pbuf = s->ebuf;
-                break;
-            } else {
-                s->pbuf += s->bs;
-                s->bs = *s->pbuf++;
-            }
+        while (s->bs > 0 && bytestream2_get_bytes_left(&s->gb)) {
+            bytestream2_skip(&s->gb, s->bs);
+            s->bs = bytestream2_get_byte(&s->gb);
        }
    }else
-        s->pbuf= s->ebuf;
+        bytestream2_skip(&s->gb, bytestream2_get_bytes_left(&s->gb));
 }

 av_cold void ff_lzw_decode_open(LZWState **p)
@@ -135,8 +131,7 @@ int ff_lzw_decode_init(LZWState *p, int csize, const uint8_t *buf, int buf_size,
    if(csize < 1 || csize >= LZW_MAXBITS)
        return -1;
    /* read buffer */
-    s->pbuf = buf;
-    s->ebuf = s->pbuf + buf_size;
+    bytestream2_init(&s->gb, buf, buf_size);
    s->bbuf = 0;
    s->bbits = 0;
    s->bs = 0;
@@ -186,10 +181,6 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){
            if ((--l) == 0)
                goto the_end;
        }
-        if (s->ebuf < s->pbuf) {
-            av_log(NULL, AV_LOG_ERROR, "lzw overread\n");
-            goto the_end;
-        }
        c = lzw_get_code(s);
        if (c == s->end_code) {
            break;
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -211,7 +211,7 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s)

 int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
 {
-    int len, nb_components, i, width, height, pix_fmt_id;
+    int len, nb_components, i, width, height, bits, pix_fmt_id;
    int h_count[MAX_COMPONENTS];
    int v_count[MAX_COMPONENTS];

@@ -220,14 +220,14 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)

    /* XXX: verify len field validity */
    len     = get_bits(&s->gb, 16);
-    s->bits = get_bits(&s->gb, 8);
+    bits = get_bits(&s->gb, 8);

    if (s->pegasus_rct)
-        s->bits = 9;
-    if (s->bits == 9 && !s->pegasus_rct)
+        bits = 9;
+    if (bits == 9 && !s->pegasus_rct)
        s->rct  = 1;    // FIXME ugly

-    if (s->bits != 8 && !s->lossless) {
+    if (bits != 8 && !s->lossless) {
        av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n");
        return -1;
    }
@@ -259,7 +259,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
            return AVERROR_INVALIDDATA;
        }
    }
-    if (s->ls && !(s->bits <= 8 || nb_components == 1)) {
+    if (s->ls && !(bits <= 8 || nb_components == 1)) {
        av_log_missing_feature(s->avctx,
                               "For JPEG-LS anything except <= 8 bits/component"
                               " or 16-bit gray", 0);
@@ -307,12 +307,14 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)

    /* if different size, realloc/alloc picture */
    if (   width != s->width || height != s->height
+        || bits != s->bits
        || memcmp(s->h_count, h_count, sizeof(h_count[0])*nb_components)
        || memcmp(s->v_count, v_count, sizeof(v_count[0])*nb_components)) {
        av_freep(&s->qscale_table);

        s->width      = width;
        s->height     = height;
+        s->bits       = bits;
        memcpy(s->h_count, h_count, sizeof(h_count));
        memcpy(s->v_count, v_count, sizeof(v_count));
        s->interlaced = 0;
@@ -1140,7 +1142,7 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
    }

    if (!Al) {
-        s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss);
+        s->coefs_finished[c] |= (2LL << se) - (1LL << ss);
        last_scan = !~s->coefs_finished[c];
    }

@@ -1434,6 +1436,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
    }

    if (id == AV_RL32("LJIF")) {
+        int rgb = s->rgb;
+        int pegasus_rct = s->pegasus_rct;
        if (s->avctx->debug & FF_DEBUG_PICT_INFO)
            av_log(s->avctx, AV_LOG_INFO,
                   "Pegasus lossless jpeg header found\n");
@@ -1443,17 +1447,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
        skip_bits(&s->gb, 16); /* unknown always 0? */
        switch (get_bits(&s->gb, 8)) {
        case 1:
-            s->rgb         = 1;
-            s->pegasus_rct = 0;
+            rgb         = 1;
+            pegasus_rct = 0;
            break;
        case 2:
-            s->rgb         = 1;
-            s->pegasus_rct = 1;
+            rgb         = 1;
+            pegasus_rct = 1;
            break;
        default:
            av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace\n");
        }
+
        len -= 9;
+        if (s->got_picture)
+            if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) {
+                av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n");
+                goto out;
+            }
+
+        s->rgb = rgb;
+        s->pegasus_rct = pegasus_rct;
+
        goto out;
    }

@@ -1596,8 +1610,6 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s,
        int t = 0, b = 0;
        PutBitContext pb;

-        s->cur_scan++;
-
        /* find marker */
        while (src + t < buf_end) {
            uint8_t x = src[t++];
@@ -1661,7 +1673,7 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                                          &unescaped_buf_size);
        /* EOF */
        if (start_code < 0) {
-            goto the_end;
+            break;
        } else if (unescaped_buf_size > INT_MAX / 8) {
            av_log(avctx, AV_LOG_ERROR,
                   "MJPEG packet 0x%x too big (%d/%d), corrupt data?\n",
@@ -1783,6 +1795,7 @@ eoi_parser:

                goto the_end;
            case SOS:
+                s->cur_scan++;
                if ((ret = ff_mjpeg_decode_sos(s, NULL, NULL)) < 0 &&
                    (avctx->err_recognition & AV_EF_EXPLODE))
                    goto fail;
@@ -1812,7 +1825,7 @@ eoi_parser:
                   (get_bits_count(&s->gb) + 7) / 8, get_bits_count(&s->gb));
        }
    }
-    if (s->got_picture) {
+    if (s->got_picture && s->cur_scan) {
        av_log(avctx, AV_LOG_WARNING, "EOI missing, emulating\n");
        goto eoi_parser;
    }
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@@ -60,6 +60,13 @@ static av_cold int mm_decode_init(AVCodecContext *avctx)

    avctx->pix_fmt = AV_PIX_FMT_PAL8;

+    if (!avctx->width || !avctx->height ||
+        (avctx->width & 1) || (avctx->height & 1)) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n",
+               avctx->width, avctx->height);
+        return AVERROR(EINVAL);
+    }
+
    avcodec_get_frame_defaults(&s->frame);
    s->frame.reference = 3;

@@ -109,7 +116,7 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert)

        if (color) {
            memset(s->frame.data[0] + y*s->frame.linesize[0] + x, color, run_length);
-            if (half_vert)
+            if (half_vert && y + half_vert < s->avctx->height)
                memset(s->frame.data[0] + (y+1)*s->frame.linesize[0] + x, color, run_length);
        }
        x+= run_length;
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -165,6 +165,7 @@ static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb)
    int i;

    i = (mp->codes_count == 1) ? 0 : get_vlc2(gb, mp->vlc.table, mp->max_codes_bits, 1);
+    i = FFMIN(i, FF_ARRAY_ELEMS(mp->codes) - 1);
    return mp->codes[i].delta;
 }

--- a/libavcodec/mpeg12.c
+++ b/libavcodec/mpeg12.c
@@ -81,6 +81,15 @@ static int mpeg_decode_motion(MpegEncContext *s, int fcode, int pred)
    return sign_extend(val, 5 + shift);
 }

+#define check_scantable_index(ctx, x)                                     \
+    do {                                                                  \
+        if ((x) > 63) {                                                   \
+            av_log(ctx->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", \
+                   ctx->mb_x, ctx->mb_y);                                 \
+            return AVERROR_INVALIDDATA;                                   \
+        }                                                                 \
+    } while (0)                                                           \
+
 static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, int n)
 {
    int level, dc, diff, i, j, run;
@@ -112,6 +121,7 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                break;
            } else if (level != 0) {
                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                level = (level * qscale * quant_matrix[j]) >> 4;
                level = (level - 1) | 1;
@@ -128,6 +138,7 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                    level = SHOW_UBITS(re, &s->gb, 8)      ; LAST_SKIP_BITS(re, &s->gb, 8);
                }
                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                if (level < 0) {
                    level = -level;
@@ -139,10 +150,6 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                    level = (level - 1) | 1;
                }
            }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }

            block[j] = level;
        }
@@ -267,6 +274,7 @@ static inline int mpeg1_fast_decode_block_inter(MpegEncContext *s, DCTELEM *bloc

            if (level != 0) {
                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                level = ((level * 2 + 1) * qscale) >> 1;
                level = (level - 1) | 1;
@@ -283,6 +291,7 @@ static inline int mpeg1_fast_decode_block_inter(MpegEncContext *s, DCTELEM *bloc
                    level = SHOW_UBITS(re, &s->gb, 8)      ; SKIP_BITS(re, &s->gb, 8);
                }
                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                if (level < 0) {
                    level = -level;
@@ -348,6 +357,7 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block

            if (level != 0) {
                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                level = ((level * 2 + 1) * qscale * quant_matrix[j]) >> 5;
                level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
@@ -359,6 +369,7 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block
                level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);

                i += run;
+                check_scantable_index(s, i);
                j = scantable[i];
                if (level < 0) {
                    level = ((-level * 2 + 1) * qscale * quant_matrix[j]) >> 5;
@@ -367,10 +378,6 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block
                    level = ((level * 2 + 1) * qscale * quant_matrix[j]) >> 5;
                }
            }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }

            mismatch ^= level;
            block[j]  = level;
@@ -422,6 +429,7 @@ static inline int mpeg2_fast_decode_block_non_intra(MpegEncContext *s,

        if (level != 0) {
            i += run;
+            check_scantable_index(s, i);
            j  = scantable[i];
            level = ((level * 2 + 1) * qscale) >> 1;
            level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
@@ -433,6 +441,7 @@ static inline int mpeg2_fast_decode_block_non_intra(MpegEncContext *s,
            level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);

            i += run;
+            check_scantable_index(s, i);
            j  = scantable[i];
            if (level < 0) {
                level = ((-level * 2 + 1) * qscale) >> 1;
@@ -499,6 +508,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                break;
            } else if (level != 0) {
                i += run;
+                check_scantable_index(s, i);
                j  = scantable[i];
                level = (level * qscale * quant_matrix[j]) >> 4;
                level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
@@ -509,6 +519,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                UPDATE_CACHE(re, &s->gb);
                level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);
                i += run;
+                check_scantable_index(s, i);
                j  = scantable[i];
                if (level < 0) {
                    level = (-level * qscale * quant_matrix[j]) >> 4;
@@ -517,10 +528,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
                    level = (level * qscale * quant_matrix[j]) >> 4;
                }
            }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }

            mismatch ^= level;
            block[j]  = level;
@@ -540,10 +547,10 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in
 */
 static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *block, int n)
 {
-    int level, dc, diff, j, run;
+    int level, dc, diff, i, j, run;
    int component;
    RLTable *rl;
-    uint8_t * scantable = s->intra_scantable.permutated;
+    uint8_t * const scantable = s->intra_scantable.permutated;
    const uint16_t *quant_matrix;
    const int qscale = s->qscale;

@@ -562,6 +569,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
    dc += diff;
    s->last_dc[component] = dc;
    block[0] = dc << (3 - s->intra_dc_precision);
+    i = 0;
    if (s->intra_vlc_format)
        rl = &ff_rl_mpeg2;
    else
@@ -577,8 +585,9 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
            if (level == 127) {
                break;
            } else if (level != 0) {
-                scantable += run;
-                j = *scantable;
+                i += run;
+                check_scantable_index(s, i);
+                j  = scantable[i];
                level = (level * qscale * quant_matrix[j]) >> 4;
                level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1);
                LAST_SKIP_BITS(re, &s->gb, 1);
@@ -587,8 +596,9 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
                run = SHOW_UBITS(re, &s->gb, 6) + 1; LAST_SKIP_BITS(re, &s->gb, 6);
                UPDATE_CACHE(re, &s->gb);
                level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12);
-                scantable += run;
-                j = *scantable;
+                i += run;
+                check_scantable_index(s, i);
+                j  = scantable[i];
                if (level < 0) {
                    level = (-level * qscale * quant_matrix[j]) >> 4;
                    level = -level;
@@ -602,7 +612,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc
        CLOSE_READER(re, &s->gb);
    }

-    s->block_last_index[n] = scantable - s->intra_scantable.permutated;
+    s->block_last_index[n] = i;
    return 0;
 }

--- a/libavcodec/mpeg4video.h
+++ b/libavcodec/mpeg4video.h
@@ -111,6 +111,7 @@ int ff_mpeg4_set_direct_mv(MpegEncContext *s, int mx, int my);

 extern uint8_t ff_mpeg4_static_rl_table_store[3][2][2*MAX_RUN + MAX_LEVEL + 3];

+void ff_mpeg4_init_tables(void);

 #if 0 //3IV1 is quite rare and it slows things down a tiny bit
 #define IS_3IV1 s->codec_tag == AV_RL32("3IV1")
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -48,6 +48,33 @@ static const int mb_type_b_map[4]= {
    MB_TYPE_L0 | MB_TYPE_16x16,
 };

+av_cold void ff_mpeg4videodec_static_init(void)
+{
+    static int done = 0;
+
+    if (!done) {
+        ff_init_rl(&ff_mpeg4_rl_intra, ff_mpeg4_static_rl_table_store[0]);
+        ff_init_rl(&ff_rvlc_rl_inter, ff_mpeg4_static_rl_table_store[1]);
+        ff_init_rl(&ff_rvlc_rl_intra, ff_mpeg4_static_rl_table_store[2]);
+        INIT_VLC_RL(ff_mpeg4_rl_intra, 554);
+        INIT_VLC_RL(ff_rvlc_rl_inter, 1072);
+        INIT_VLC_RL(ff_rvlc_rl_intra, 1072);
+        INIT_VLC_STATIC(&dc_lum, DC_VLC_BITS, 10 /* 13 */,
+                 &ff_mpeg4_DCtab_lum[0][1], 2, 1,
+                 &ff_mpeg4_DCtab_lum[0][0], 2, 1, 512);
+        INIT_VLC_STATIC(&dc_chrom, DC_VLC_BITS, 10 /* 13 */,
+                 &ff_mpeg4_DCtab_chrom[0][1], 2, 1,
+                 &ff_mpeg4_DCtab_chrom[0][0], 2, 1, 512);
+        INIT_VLC_STATIC(&sprite_trajectory, SPRITE_TRAJ_VLC_BITS, 15,
+                 &ff_sprite_trajectory_tab[0][1], 4, 2,
+                 &ff_sprite_trajectory_tab[0][0], 4, 2, 128);
+        INIT_VLC_STATIC(&mb_type_b_vlc, MB_TYPE_B_VLC_BITS, 4,
+                 &ff_mb_type_b_tab[0][1], 2, 1,
+                 &ff_mb_type_b_tab[0][0], 2, 1, 16);
+        done = 1;
+    }
+}
+
 /**
 * Predict the ac.
 * @param n block index (0-3 are luma, 4-5 are chroma)
@@ -2255,32 +2282,6 @@ end:
    return decode_vop_header(s, gb);
 }

-av_cold void ff_mpeg4videodec_static_init(void) {
-    static int done = 0;
-
-    if (!done) {
-        ff_init_rl(&ff_mpeg4_rl_intra, ff_mpeg4_static_rl_table_store[0]);
-        ff_init_rl(&ff_rvlc_rl_inter, ff_mpeg4_static_rl_table_store[1]);
-        ff_init_rl(&ff_rvlc_rl_intra, ff_mpeg4_static_rl_table_store[2]);
-        INIT_VLC_RL(ff_mpeg4_rl_intra, 554);
-        INIT_VLC_RL(ff_rvlc_rl_inter, 1072);
-        INIT_VLC_RL(ff_rvlc_rl_intra, 1072);
-        INIT_VLC_STATIC(&dc_lum, DC_VLC_BITS, 10 /* 13 */,
-                 &ff_mpeg4_DCtab_lum[0][1], 2, 1,
-                 &ff_mpeg4_DCtab_lum[0][0], 2, 1, 512);
-        INIT_VLC_STATIC(&dc_chrom, DC_VLC_BITS, 10 /* 13 */,
-                 &ff_mpeg4_DCtab_chrom[0][1], 2, 1,
-                 &ff_mpeg4_DCtab_chrom[0][0], 2, 1, 512);
-        INIT_VLC_STATIC(&sprite_trajectory, SPRITE_TRAJ_VLC_BITS, 15,
-                 &ff_sprite_trajectory_tab[0][1], 4, 2,
-                 &ff_sprite_trajectory_tab[0][0], 4, 2, 128);
-        INIT_VLC_STATIC(&mb_type_b_vlc, MB_TYPE_B_VLC_BITS, 4,
-                 &ff_mb_type_b_tab[0][1], 2, 1,
-                 &ff_mb_type_b_tab[0][0], 2, 1, 16);
-        done = 1;
-    }
-}
-
 static av_cold int decode_init(AVCodecContext *avctx)
 {
    MpegEncContext *s = avctx->priv_data;
--- a/libavcodec/mpegaudiodecheader.c
+++ b/libavcodec/mpegaudiodecheader.c
@@ -25,6 +25,8 @@
 */

 //#define DEBUG
+#include "libavutil/common.h"
+
 #include "avcodec.h"
 #include "mpegaudio.h"
 #include "mpegaudiodata.h"
@@ -46,6 +48,8 @@ int avpriv_mpegaudio_decode_header(MPADecodeHeader *s, uint32_t header)
    s->layer = 4 - ((header >> 17) & 3);
    /* extract frequency */
    sample_rate_index = (header >> 10) & 3;
+    if (sample_rate_index >= FF_ARRAY_ELEMS(avpriv_mpa_freq_tab))
+        sample_rate_index = 0;
    sample_rate = avpriv_mpa_freq_tab[sample_rate_index] >> (s->lsf + mpeg25);
    sample_rate_index += 3 * (s->lsf + mpeg25);
    s->sample_rate_index = sample_rate_index;
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -128,9 +128,15 @@ const enum AVPixelFormat ff_pixfmt_list_420[] = {
 };

 const enum AVPixelFormat ff_hwaccel_pixfmt_list_420[] = {
+#if CONFIG_H264_DXVA2_HWACCEL
    AV_PIX_FMT_DXVA2_VLD,
+#endif
+#if CONFIG_H264_VAAPI_HWACCEL
    AV_PIX_FMT_VAAPI_VLD,
+#endif
+#if CONFIG_H264_VDA_HWACCEL
    AV_PIX_FMT_VDA_VLD,
+#endif
    AV_PIX_FMT_YUV420P,
    AV_PIX_FMT_NONE
 };
@@ -1028,6 +1034,9 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s)
 {
    int i, err = 0;

+    if (!s->context_initialized)
+        return AVERROR(EINVAL);
+
    if (s->slice_context_count > 1) {
        for (i = 0; i < s->slice_context_count; i++) {
            free_duplicate_context(s->thread_context[i]);
@@ -1056,8 +1065,8 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s)
        s->mb_height = (s->height + 15) / 16;

    if ((s->width || s->height) &&
-        av_image_check_size(s->width, s->height, 0, s->avctx))
-        return AVERROR_INVALIDDATA;
+        (err = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0)
+        goto fail;

    if ((err = init_context_frame(s)))
        goto fail;
@@ -1073,7 +1082,7 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s)
            }

            for (i = 0; i < nb_slices; i++) {
-                if (init_duplicate_context(s->thread_context[i], s) < 0)
+                if ((err = init_duplicate_context(s->thread_context[i], s)) < 0)
                    goto fail;
                    s->thread_context[i]->start_mb_y =
                        (s->mb_height * (i) + nb_slices / 2) / nb_slices;
@@ -1462,7 +1471,11 @@ int ff_MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx)
                return i;
            }
            s->last_picture_ptr = &s->picture[i];
+
            s->last_picture_ptr->f.key_frame = 0;
+            s->last_picture_ptr->f.reference   = 3;
+            s->last_picture_ptr->f.pict_type = AV_PICTURE_TYPE_P;
+
            if (ff_alloc_picture(s, s->last_picture_ptr, 0) < 0) {
                s->last_picture_ptr = NULL;
                return -1;
@@ -1488,6 +1501,9 @@ int ff_MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx)
            }
            s->next_picture_ptr = &s->picture[i];
            s->next_picture_ptr->f.key_frame = 0;
+            s->next_picture_ptr->f.reference   = 3;
+            s->next_picture_ptr->f.pict_type = AV_PICTURE_TYPE_P;
+
            if (ff_alloc_picture(s, s->next_picture_ptr, 0) < 0) {
                s->next_picture_ptr = NULL;
                return -1;
--- a/libavcodec/msrle.c
+++ b/libavcodec/msrle.c
@@ -35,6 +35,7 @@
 #include "avcodec.h"
 #include "dsputil.h"
 #include "msrledec.h"
+#include "libavutil/imgutils.h"

 typedef struct MsrleContext {
    AVCodecContext *avctx;
@@ -112,7 +113,7 @@ static int msrle_decode_frame(AVCodecContext *avctx,

    /* FIXME how to correctly detect RLE ??? */
    if (avctx->height * istride == avpkt->size) { /* assume uncompressed */
-        int linesize = (avctx->width * avctx->bits_per_coded_sample + 7) / 8;
+        int linesize = av_image_get_linesize(avctx->pix_fmt, avctx->width, 0);
        uint8_t *ptr = s->frame.data[0];
        uint8_t *buf = avpkt->data + (avctx->height-1)*istride;
        int i, j;
--- a/libavcodec/msvideo1enc.c
+++ b/libavcodec/msvideo1enc.c
@@ -58,7 +58,7 @@ enum MSV1Mode{
 };

 #define SKIP_PREFIX 0x8400
-#define SKIPS_MAX 0x0FFF
+#define SKIPS_MAX 0x03FF
 #define MKRGB555(in, off) ((in[off] << 10) | (in[off + 1] << 5) | (in[off + 2]))

 static const int remap[16] = { 0, 1, 4, 5, 2, 3, 6, 7, 8, 9, 12, 13, 10, 11, 14, 15 };
--- a/libavcodec/options_table.h
+++ b/libavcodec/options_table.h
@@ -101,8 +101,8 @@ static const AVOption options[]={
 {"extradata_size", NULL, OFFSET(extradata_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX},
 {"time_base", NULL, OFFSET(time_base), AV_OPT_TYPE_RATIONAL, {.dbl = 0}, INT_MIN, INT_MAX},
 {"g", "set the group of picture (GOP) size", OFFSET(gop_size), AV_OPT_TYPE_INT, {.i64 = 12 }, INT_MIN, INT_MAX, V|E},
-{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E},
-{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E},
+{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E},
+{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E},
 {"cutoff", "set cutoff bandwidth", OFFSET(cutoff), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E},
 {"frame_size", NULL, OFFSET(frame_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E},
 {"frame_number", NULL, OFFSET(frame_number), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX},
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -212,6 +212,13 @@ static int parse_picture_segment(AVCodecContext *avctx,
    /* Decode rle bitmap length, stored size includes width/height data */
    rle_bitmap_len = bytestream_get_be24(&buf) - 2*2;

+    if (buf_size > rle_bitmap_len) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Buffer dimension %d larger than the expected RLE data %d\n",
+               buf_size, rle_bitmap_len);
+        return AVERROR_INVALIDDATA;
+    }
+
    /* Get bitmap dimensions from data */
    width  = bytestream_get_be16(&buf);
    height = bytestream_get_be16(&buf);
@@ -222,11 +229,6 @@ static int parse_picture_segment(AVCodecContext *avctx,
        return -1;
    }

-    if (buf_size > rle_bitmap_len) {
-        av_log(avctx, AV_LOG_ERROR, "too much RLE data\n");
-        return AVERROR_INVALIDDATA;
-    }
-
    ctx->pictures[picture_id].w = width;
    ctx->pictures[picture_id].h = height;

--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -567,6 +567,12 @@ static int decode_frame(AVCodecContext *avctx,
        case MKTAG('I', 'H', 'D', 'R'):
            if (length != 13)
                goto fail;
+
+            if (s->state & PNG_IDAT) {
+                av_log(avctx, AV_LOG_ERROR, "IHDR after IDAT\n");
+                goto fail;
+            }
+
            s->width  = bytestream2_get_be32(&s->gb);
            s->height = bytestream2_get_be32(&s->gb);
            if(av_image_check_size(s->width, s->height, 0, avctx)){
@@ -634,7 +640,7 @@ static int decode_frame(AVCodecContext *avctx,
                } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || s->bits_per_pixel == 4 || s->bits_per_pixel == 8) &&
                           s->color_type == PNG_COLOR_TYPE_PALETTE) {
                    avctx->pix_fmt = AV_PIX_FMT_PAL8;
-                } else if (s->bit_depth == 1) {
+                } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) {
                    avctx->pix_fmt = AV_PIX_FMT_MONOBLACK;
                } else if (s->bit_depth == 8 &&
                           s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
@@ -841,9 +847,10 @@ static int decode_frame(AVCodecContext *avctx,
            int i, j;
            uint8_t *pd = s->current_picture->data[0];
            uint8_t *pd_last = s->last_picture->data[0];
+            int ls = FFMIN(av_image_get_linesize(s->current_picture->format, s->width, 0), s->width * s->bpp);

            for(j=0; j < s->height; j++) {
-                for(i=0; i < s->width * s->bpp; i++) {
+                for(i=0; i < ls; i++) {
                    pd[i] += pd_last[i];
                }
                pd += s->image_linesize;
--- a/libavcodec/ppc/h264_altivec.c
+++ b/libavcodec/ppc/h264_altivec.c
@@ -1005,7 +1005,7 @@ void ff_h264dsp_init_ppc(H264DSPContext *c, const int bit_depth, const int chrom
    if (av_get_cpu_flags() & AV_CPU_FLAG_ALTIVEC) {
    if (bit_depth == 8) {
        c->h264_idct_add = ff_h264_idct_add_altivec;
-        if (chroma_format_idc == 1)
+        if (chroma_format_idc <= 1)
            c->h264_idct_add8 = ff_h264_idct_add8_altivec;
        c->h264_idct_add16 = ff_h264_idct_add16_altivec;
        c->h264_idct_add16intra = ff_h264_idct_add16intra_altivec;
--- a/libavcodec/proresdec_lgpl.c
+++ b/libavcodec/proresdec_lgpl.c
@@ -368,7 +368,7 @@ static inline void decode_dc_coeffs(GetBitContext *gb, DCTELEM *out,
 /**
 * Decode AC coefficients for all blocks in a slice.
 */
-static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out,
+static inline int decode_ac_coeffs(GetBitContext *gb, DCTELEM *out,
                                    int blocks_per_slice,
                                    int plane_size_factor,
                                    const uint8_t *scan)
@@ -389,15 +389,19 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out,

        bits_left = get_bits_left(gb);
        if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left)))
-            return;
+            return 0;

        run = decode_vlc_codeword(gb, ff_prores_ac_codebook[run_cb_index]);
+        if (run < 0)
+            return AVERROR_INVALIDDATA;

        bits_left = get_bits_left(gb);
        if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left)))
-            return;
+            return AVERROR_INVALIDDATA;

        level = decode_vlc_codeword(gb, ff_prores_ac_codebook[lev_cb_index]) + 1;
+        if (level < 0)
+            return AVERROR_INVALIDDATA;

        pos += run + 1;
        if (pos >= max_coeffs)
@@ -407,22 +411,24 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out,
        out[((pos & block_mask) << 6) + scan[pos >> plane_size_factor]] =
            (level ^ sign) - sign;
    }
+
+    return 0;
 }


 /**
 * Decode a slice plane (luma or chroma).
 */
-static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td,
-                               const uint8_t *buf,
-                               int data_size, uint16_t *out_ptr,
-                               int linesize, int mbs_per_slice,
-                               int blocks_per_mb, int plane_size_factor,
-                               const int16_t *qmat, int is_chroma)
+static int decode_slice_plane(ProresContext *ctx, ProresThreadData *td,
+                              const uint8_t *buf,
+                              int data_size, uint16_t *out_ptr,
+                              int linesize, int mbs_per_slice,
+                              int blocks_per_mb, int plane_size_factor,
+                              const int16_t *qmat, int is_chroma)
 {
    GetBitContext gb;
    DCTELEM *block_ptr;
-    int mb_num, blocks_per_slice;
+    int mb_num, blocks_per_slice, ret;

    blocks_per_slice = mbs_per_slice * blocks_per_mb;

@@ -432,8 +438,10 @@ static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td,

    decode_dc_coeffs(&gb, td->blocks, blocks_per_slice);

-    decode_ac_coeffs(&gb, td->blocks, blocks_per_slice,
-                     plane_size_factor, ctx->scantable.permutated);
+    ret = decode_ac_coeffs(&gb, td->blocks, blocks_per_slice,
+                           plane_size_factor, ctx->scantable.permutated);
+    if (ret < 0)
+        return ret;

    /* inverse quantization, inverse transform and output */
    block_ptr = td->blocks;
@@ -467,6 +475,7 @@ static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td,
            }
        }
    }
+    return 0;
 }


@@ -485,6 +494,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata)
    int i, sf, slice_width_factor;
    int slice_data_size, hdr_size, y_data_size, u_data_size, v_data_size;
    int y_linesize, u_linesize, v_linesize;
+    int ret;

    buf             = ctx->slice_data[slice_num].index;
    slice_data_size = ctx->slice_data[slice_num + 1].index - buf;
@@ -541,28 +551,34 @@ static int decode_slice(AVCodecContext *avctx, void *tdata)
    }

    /* decode luma plane */
-    decode_slice_plane(ctx, td, buf + hdr_size, y_data_size,
-                       (uint16_t*) (y_data + (mb_y_pos << 4) * y_linesize +
-                                    (mb_x_pos << 5)), y_linesize,
-                       mbs_per_slice, 4, slice_width_factor + 2,
-                       td->qmat_luma_scaled, 0);
+    ret = decode_slice_plane(ctx, td, buf + hdr_size, y_data_size,
+                             (uint16_t*) (y_data + (mb_y_pos << 4) * y_linesize +
+                                          (mb_x_pos << 5)), y_linesize,
+                             mbs_per_slice, 4, slice_width_factor + 2,
+                             td->qmat_luma_scaled, 0);
+    if (ret < 0)
+        return ret;

    /* decode U chroma plane */
-    decode_slice_plane(ctx, td, buf + hdr_size + y_data_size, u_data_size,
-                       (uint16_t*) (u_data + (mb_y_pos << 4) * u_linesize +
-                                    (mb_x_pos << ctx->mb_chroma_factor)),
-                       u_linesize, mbs_per_slice, ctx->num_chroma_blocks,
-                       slice_width_factor + ctx->chroma_factor - 1,
-                       td->qmat_chroma_scaled, 1);
+    ret = decode_slice_plane(ctx, td, buf + hdr_size + y_data_size, u_data_size,
+                             (uint16_t*) (u_data + (mb_y_pos << 4) * u_linesize +
+                                          (mb_x_pos << ctx->mb_chroma_factor)),
+                             u_linesize, mbs_per_slice, ctx->num_chroma_blocks,
+                             slice_width_factor + ctx->chroma_factor - 1,
+                             td->qmat_chroma_scaled, 1);
+    if (ret < 0)
+        return ret;

    /* decode V chroma plane */
-    decode_slice_plane(ctx, td, buf + hdr_size + y_data_size + u_data_size,
-                       v_data_size,
-                       (uint16_t*) (v_data + (mb_y_pos << 4) * v_linesize +
-                                    (mb_x_pos << ctx->mb_chroma_factor)),
-                       v_linesize, mbs_per_slice, ctx->num_chroma_blocks,
-                       slice_width_factor + ctx->chroma_factor - 1,
-                       td->qmat_chroma_scaled, 1);
+    ret = decode_slice_plane(ctx, td, buf + hdr_size + y_data_size + u_data_size,
+                             v_data_size,
+                             (uint16_t*) (v_data + (mb_y_pos << 4) * v_linesize +
+                                          (mb_x_pos << ctx->mb_chroma_factor)),
+                             v_linesize, mbs_per_slice, ctx->num_chroma_blocks,
+                             slice_width_factor + ctx->chroma_factor - 1,
+                             td->qmat_chroma_scaled, 1);
+    if (ret < 0)
+        return ret;

    return 0;
 }
--- a/libavcodec/proresenc_kostya.c
+++ b/libavcodec/proresenc_kostya.c
@@ -455,6 +455,11 @@ static int encode_slice(AVCodecContext *avctx, const AVFrame *pic,
                                      num_cblocks, plane_factor,
                                      qmat);
        total_size += sizes[i];
+        if (put_bits_left(pb) < 0) {
+            av_log(avctx, AV_LOG_ERROR, "Serious underevaluation of"
+                   "required buffer size");
+            return AVERROR_BUFFER_TOO_SMALL;
+        }
    }
    return total_size;
 }
@@ -753,9 +758,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
    avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I;
    avctx->coded_frame->key_frame = 1;

-    pkt_size = ctx->frame_size_upper_bound + FF_MIN_BUFFER_SIZE;
+    pkt_size = ctx->frame_size_upper_bound;

-    if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size)) < 0)
+    if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size + FF_MIN_BUFFER_SIZE)) < 0)
        return ret;

    orig_buf = pkt->data;
@@ -832,7 +837,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
                slice_hdr = buf;
                buf += slice_hdr_size - 1;
                init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)) * 8);
-                encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice);
+                ret = encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice);
+                if (ret < 0)
+                    return ret;

                bytestream_put_byte(&slice_hdr, q);
                slice_size = slice_hdr_size + sizes[ctx->num_planes - 1];
--- a/libavcodec/pthread.c
+++ b/libavcodec/pthread.c
@@ -81,8 +81,8 @@ typedef struct ThreadContext {
    pthread_cond_t last_job_cond;
    pthread_cond_t current_job_cond;
    pthread_mutex_t current_job_lock;
+    unsigned current_execute;
    int current_job;
-    unsigned int current_execute;
    int done;
 } ThreadContext;

@@ -206,8 +206,8 @@ static void* attribute_align_arg worker(void *v)
 {
    AVCodecContext *avctx = v;
    ThreadContext *c = avctx->thread_opaque;
+    unsigned last_execute = 0;
    int our_job = c->job_count;
-    int last_execute = 0;
    int thread_count = avctx->thread_count;
    int self_id;

--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@@ -163,7 +163,7 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,

                    /* check motion vector */
                    if ((me_x + filled < 0) || (me_x + me_w + filled > width) ||
-                       (height - me_y - me_h < 0) || (height - me_y > orig_height) ||
+                       (height - me_y - me_h < 0) || (height - me_y >= orig_height) ||
                       (filled + me_w > width) || (height - me_h < 0))
                        av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n",
                               me_x, me_y, me_w, me_h, filled, height);
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -38,8 +38,10 @@
 #include <stdlib.h>
 #include <string.h>

+#include "libavutil/common.h"
 #include "libavutil/internal.h"
 #include "libavutil/intreadwrite.h"
+#include "libavutil/common.h"
 #include "avcodec.h"

 typedef struct RpzaContext {
@@ -126,6 +128,8 @@ static void rpza_decode_stream(RpzaContext *s)
            }
        }

+        n_blocks = FFMIN(n_blocks, total_blocks);
+
        switch (opcode & 0xe0) {

        /* Skip blocks */
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -35,6 +35,7 @@

 static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceInfo *si)
 {
+    AVCodecContext *avctx = r->s.avctx;
    int mb_bits;
    int w = r->s.width, h = r->s.height;
    int mb_size;
@@ -57,6 +58,13 @@ static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceIn
        rpr = 0;
    }
    if(rpr){
+        if (avctx->extradata_size < rpr * 2 + 8) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "Insufficient extradata - need at least %d bytes, got %d\n",
+                   8 + rpr * 2, avctx->extradata_size);
+            return AVERROR(EINVAL);
+        }
+
        w = r->s.avctx->extradata[6 + rpr*2] << 2;
        h = r->s.avctx->extradata[7 + rpr*2] << 2;
    }
@@ -260,10 +268,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx)
    }
    r->rpr = (avctx->extradata[1] & 7) >> 1;
    r->rpr = FFMIN(r->rpr + 1, 3);
-    if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){
-        av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n",
-               6 + r->rpr * 2, avctx->extradata_size);
-    }
+
    r->parse_slice_header = rv30_parse_slice_header;
    r->decode_intra_types = rv30_decode_intra_types;
    r->decode_mb_info     = rv30_decode_mb_info;
--- a/libavcodec/sgidec.c
+++ b/libavcodec/sgidec.c
@@ -28,6 +28,7 @@

 typedef struct SgiState {
    AVFrame picture;
+    AVCodecContext *avctx;
    unsigned int width;
    unsigned int height;
    unsigned int depth;
@@ -40,15 +41,16 @@ typedef struct SgiState {
 * Expand an RLE row into a channel.
 * @param s the current image state
 * @param out_buf Points to one line after the output buffer.
- * @param out_end end of line in output buffer
+ * @param len length of out_buf in bytes
 * @param pixelstride pixel stride of input buffer
 * @return size of output in bytes, -1 if buffer overflows
 */
 static int expand_rle_row(SgiState *s, uint8_t *out_buf,
-                          uint8_t *out_end, int pixelstride)
+                          int len, int pixelstride)
 {
    unsigned char pixel, count;
    unsigned char *orig = out_buf;
+    uint8_t *out_end = out_buf + len;

    while (out_buf < out_end) {
        if (bytestream2_get_bytes_left(&s->g) < 1)
@@ -59,7 +61,10 @@ static int expand_rle_row(SgiState *s, uint8_t *out_buf,
        }

        /* Check for buffer overflow. */
-        if(out_buf + pixelstride * (count-1) >= out_end) return -1;
+        if (out_end - out_buf <= pixelstride * (count - 1)) {
+            av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n");
+            return AVERROR_INVALIDDATA;
+        }

        if (pixel & 0x80) {
            while (count--) {
@@ -103,7 +108,7 @@ static int read_rle_sgi(uint8_t *out_buf, SgiState *s)
            dest_row -= s->linesize;
            start_offset = bytestream2_get_be32(&g_table);
            bytestream2_seek(&s->g, start_offset, SEEK_SET);
-            if (expand_rle_row(s, dest_row + z, dest_row + s->width*s->depth,
+            if (expand_rle_row(s, dest_row + z, s->width*s->depth,
                               s->depth) != s->width) {
                return AVERROR_INVALIDDATA;
            }
@@ -244,6 +249,8 @@ static int decode_frame(AVCodecContext *avctx,
 static av_cold int sgi_init(AVCodecContext *avctx){
    SgiState *s = avctx->priv_data;

+    s->avctx = avctx;
+
    avcodec_get_frame_defaults(&s->picture);
    avctx->coded_frame = &s->picture;

--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -273,7 +273,8 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
    return 0;
 }

-static const int fixed_coeffs[3][3] = {
+static const int fixed_coeffs[][3] = {
+    { 0,  0,  0 },
    { 1,  0,  0 },
    { 2, -1,  0 },
    { 3, -3,  1 }
@@ -302,7 +303,12 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
    } else {
        /* fixed LPC coeffs */
        pred_order = command;
-        coeffs     = fixed_coeffs[pred_order - 1];
+        if (pred_order >= FF_ARRAY_ELEMS(fixed_coeffs)) {
+            av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n",
+                   pred_order);
+            return AVERROR_INVALIDDATA;
+        }
+        coeffs     = fixed_coeffs[pred_order];
        qshift     = 0;
    }

@@ -431,7 +437,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
        void *tmp_ptr;
        s->max_framesize = 8192; // should hopefully be enough for the first header
        tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
-                                  s->max_framesize);
+                                  s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE);
        if (!tmp_ptr) {
            av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
            return AVERROR(ENOMEM);
--- a/libavcodec/smc.c
+++ b/libavcodec/smc.c
@@ -69,7 +69,7 @@ typedef struct SmcContext {
        row_ptr += stride * 4; \
    } \
    total_blocks--; \
-    if (total_blocks < 0) \
+    if (total_blocks < !!n_blocks) \
    { \
        av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \
        return; \
--- a/libavcodec/snow.h
+++ b/libavcodec/snow.h
@@ -313,7 +313,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer
        if(!sliced && !offset_dst)
            dst -= src_x;
        src_x=0;
-    }else if(src_x + b_w > w){
+    }
+    if(src_x + b_w > w){
        b_w = w - src_x;
    }
    if(src_y<0){
@@ -322,7 +323,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer
        if(!sliced && !offset_dst)
            dst -= src_y*dst_stride;
        src_y=0;
-    }else if(src_y + b_h> h){
+    }
+    if(src_y + b_h> h){
        b_h = h - src_y;
    }

@@ -648,7 +650,10 @@ static inline void unpack_coeffs(SnowContext *s, SubBand *b, SubBand * parent, i
                if(v){
                    v= 2*(get_symbol2(&s->c, b->state[context + 2], context-4) + 1);
                    v+=get_rac(&s->c, &b->state[0][16 + 1 + 3 + ff_quant3bA[l&0xFF] + 3*ff_quant3bA[t&0xFF]]);
-
+                    if ((uint16_t)v != v) {
+                        av_log(s->avctx, AV_LOG_ERROR, "Coefficient damaged\n");
+                        v = 1;
+                    }
                    xc->x=x;
                    (xc++)->coeff= v;
                }
@@ -658,6 +663,10 @@ static inline void unpack_coeffs(SnowContext *s, SubBand *b, SubBand * parent, i
                    else           run= INT_MAX;
                    v= 2*(get_symbol2(&s->c, b->state[0 + 2], 0-4) + 1);
                    v+=get_rac(&s->c, &b->state[0][16 + 1 + 3]);
+                    if ((uint16_t)v != v) {
+                        av_log(s->avctx, AV_LOG_ERROR, "Coefficient damaged\n");
+                        v = 1;
+                    }

                    xc->x=x;
                    (xc++)->coeff= v;
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -61,6 +61,10 @@ typedef struct SVQ1Context {
    DSPContext dsp;
    GetBitContext gb;
    AVFrame *cur, *prev;
+
+    uint8_t *pkt_swapped;
+    int pkt_swapped_allocated;
+
    int width;
    int height;
    int frame_code;
@@ -496,7 +500,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, DSPContext *dsp,
    return result;
 }

-static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out)
+static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257])
 {
    uint8_t seed;
    int i;
@@ -508,6 +512,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out)
        out[i] = get_bits(bitbuf, 8) ^ seed;
        seed   = string_table[out[i] ^ seed];
    }
+    out[i] = 0;
 }

 static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
@@ -550,12 +555,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
        }

        if ((s->frame_code ^ 0x10) >= 0x50) {
-            uint8_t msg[256];
+            uint8_t msg[257];

            svq1_parse_string(bitbuf, msg);

            av_log(avctx, AV_LOG_INFO,
-                   "embedded message: \"%s\"\n", (char *)msg);
+                   "embedded message: \"%s\"\n", ((char *)msg) + 1);
        }

        skip_bits(bitbuf, 2);
@@ -628,7 +633,24 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data,

    /* swap some header bytes (why?) */
    if (s->frame_code != 0x20) {
-        uint32_t *src = (uint32_t *)(buf + 4);
+        uint32_t *src;
+
+        if (buf_size < 9 * 4) {
+            av_log(avctx, AV_LOG_ERROR, "Input packet too small\n");
+            return AVERROR_INVALIDDATA;
+        }
+
+        av_fast_padded_malloc(&s->pkt_swapped, &s->pkt_swapped_allocated,
+                       buf_size);
+        if (!s->pkt_swapped)
+            return AVERROR(ENOMEM);
+
+        memcpy(s->pkt_swapped, buf, buf_size);
+        buf = s->pkt_swapped;
+        init_get_bits(&s->gb, buf, buf_size * 8);
+        skip_bits(&s->gb, 22);
+
+        src = (uint32_t *)(s->pkt_swapped + 4);

        if (buf_size < 36)
            return AVERROR_INVALIDDATA;
@@ -804,6 +826,8 @@ static av_cold int svq1_decode_end(AVCodecContext *avctx)
        avctx->release_buffer(avctx, s->prev);
    avcodec_free_frame(&s->cur);
    avcodec_free_frame(&s->prev);
+    av_freep(&s->pkt_swapped);
+    s->pkt_swapped_allocated = 0;

    return 0;
 }
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -732,11 +732,9 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data,
        return AVERROR_INVALIDDATA;
    }

-    if (s->ti.bps != avctx->bits_per_raw_sample) {
-        avctx->bits_per_raw_sample = s->ti.bps;
-        if ((ret = set_bps_params(avctx)) < 0)
-            return ret;
-    }
+    avctx->bits_per_raw_sample = s->ti.bps;
+    if ((ret = set_bps_params(avctx)) < 0)
+        return ret;
    if (s->ti.sample_rate != avctx->sample_rate) {
        avctx->sample_rate = s->ti.sample_rate;
        set_sample_rate_params(avctx);
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -409,6 +409,7 @@ static void av_always_inline horizontal_fill(unsigned int bpp, uint8_t* dst,
 static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
                             const uint8_t *src, int size, int lines)
 {
+    PutByteContext pb;
    int c, line, pixels, code;
    const uint8_t *ssrc = src;
    int width = ((s->width * s->bpp) + 7) >> 3;
@@ -479,6 +480,18 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
            av_log(s->avctx, AV_LOG_ERROR, "Error initializing LZW decoder\n");
            return -1;
        }
+        for (line = 0; line < lines; line++) {
+            pixels = ff_lzw_decode(s->lzw, dst, width);
+            if (pixels < width) {
+                av_log(s->avctx, AV_LOG_ERROR, "Decoded only %i bytes of %i\n",
+                       pixels, width);
+                return AVERROR_INVALIDDATA;
+            }
+            if (s->bpp < 8 && s->avctx->pix_fmt == AV_PIX_FMT_PAL8)
+                horizontal_fill(s->bpp, dst, 1, dst, 0, width, 0);
+            dst += stride;
+        }
+        return 0;
    }
    if (s->compr == TIFF_CCITT_RLE || s->compr == TIFF_G3
        || s->compr == TIFF_G4) {
@@ -520,15 +533,24 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
        av_free(src2);
        return ret;
    }
+
+    bytestream2_init(&s->gb, src, size);
+    bytestream2_init_writer(&pb, dst, stride * lines);
+
    for (line = 0; line < lines; line++) {
        if (src - ssrc > size) {
            av_log(s->avctx, AV_LOG_ERROR, "Source data overread\n");
            return -1;
        }
+
+        if (bytestream2_get_bytes_left(&s->gb) == 0 || bytestream2_get_eof(&pb))
+            break;
+        bytestream2_seek_p(&pb, stride * line, SEEK_SET);
        switch (s->compr) {
        case TIFF_RAW:
            if (ssrc + size - src < width)
                return AVERROR_INVALIDDATA;
+
            if (!s->fill_order) {
                horizontal_fill(s->bpp * (s->avctx->pix_fmt == AV_PIX_FMT_PAL8),
                                dst, 1, src, 0, width, 0);
@@ -572,16 +594,6 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride,
                }
            }
            break;
-        case TIFF_LZW:
-            pixels = ff_lzw_decode(s->lzw, dst, width);
-            if (pixels < width) {
-                av_log(s->avctx, AV_LOG_ERROR, "Decoded only %i bytes of %i\n",
-                       pixels, width);
-                return -1;
-            }
-            if (s->bpp < 8 && s->avctx->pix_fmt == AV_PIX_FMT_PAL8)
-                horizontal_fill(s->bpp, dst, 1, dst, 0, width, 0);
-            break;
        }
        dst += stride;
    }
@@ -655,7 +667,8 @@ static int init_image(TiffContext *s)
 static int tiff_decode_tag(TiffContext *s)
 {
    unsigned tag, type, count, off, value = 0;
-    int i, j, k, pos, start;
+    int i, start;
+    int j, k, pos;
    int ret;
    uint32_t *pal;
    double *dp;
@@ -707,13 +720,13 @@ static int tiff_decode_tag(TiffContext *s)
        s->height = value;
        break;
    case TIFF_BPP:
-        s->bppcount = count;
-        if (count > 4) {
+        if (count > 4U) {
            av_log(s->avctx, AV_LOG_ERROR,
                   "This format is not supported (bpp=%d, %d components)\n",
-                   s->bpp, count);
+                   value, count);
            return -1;
        }
+        s->bppcount = count;
        if (count == 1)
            s->bpp = value;
        else {
@@ -734,6 +747,13 @@ static int tiff_decode_tag(TiffContext *s)
                s->bpp = -1;
            }
        }
+        if (s->bpp > 64U) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "This format is not supported (bpp=%d, %d components)\n",
+                   s->bpp, count);
+            s->bpp = 0;
+            return AVERROR_INVALIDDATA;
+        }
        break;
    case TIFF_SAMPLES_PER_PIXEL:
        if (count != 1) {
@@ -797,27 +817,17 @@ static int tiff_decode_tag(TiffContext *s)
        if (s->strips == 1)
            s->rps = s->height;
        s->sot = type;
-        if (s->strippos > bytestream2_size(&s->gb)) {
-            av_log(s->avctx, AV_LOG_ERROR,
-                   "Tag referencing position outside the image\n");
-            return -1;
-        }
        break;
    case TIFF_STRIP_SIZE:
        if (count == 1) {
            s->stripsizesoff = 0;
-            s->stripsize = value;
-            s->strips = 1;
+            s->stripsize     = value;
+            s->strips        = 1;
        } else {
            s->stripsizesoff = off;
        }
        s->strips = count;
        s->sstype = type;
-        if (s->stripsizesoff > bytestream2_size(&s->gb)) {
-            av_log(s->avctx, AV_LOG_ERROR,
-                   "Tag referencing position outside the image\n");
-            return -1;
-        }
        break;
    case TIFF_TILE_BYTE_COUNTS:
    case TIFF_TILE_LENGTH:
@@ -854,11 +864,13 @@ static int tiff_decode_tag(TiffContext *s)
        }
        s->fill_order = value - 1;
        break;
-    case TIFF_PAL:
+    case TIFF_PAL: {
        pal = (uint32_t *) s->palette;
        off = type_sizes[type];
-        if (count / 3 > 256 || bytestream2_get_bytes_left(&s->gb) < count / 3 * off * 3)
+        if (count / 3 > 256 ||
+            bytestream2_get_bytes_left(&s->gb) < count / 3 * off * 3)
            return -1;
+
        off = (type_sizes[type] - 1) << 3;
        for (k = 2; k >= 0; k--) {
            for (i = 0; i < count / 3; i++) {
@@ -870,6 +882,7 @@ static int tiff_decode_tag(TiffContext *s)
        }
        s->palette_is_set = 1;
        break;
+    }
    case TIFF_PLANAR:
        if (value == 2) {
            av_log(s->avctx, AV_LOG_ERROR, "Planar format is not supported\n");
@@ -1119,12 +1132,14 @@ static int decode_frame(AVCodecContext *avctx,
    if (s->stripsizesoff) {
        if (s->stripsizesoff >= (unsigned)avpkt->size)
            return AVERROR_INVALIDDATA;
-        bytestream2_init(&stripsizes, avpkt->data + s->stripsizesoff, avpkt->size - s->stripsizesoff);
+        bytestream2_init(&stripsizes, avpkt->data + s->stripsizesoff,
+                         avpkt->size - s->stripsizesoff);
    }
    if (s->strippos) {
        if (s->strippos >= (unsigned)avpkt->size)
            return AVERROR_INVALIDDATA;
-        bytestream2_init(&stripdata, avpkt->data + s->strippos, avpkt->size - s->strippos);
+        bytestream2_init(&stripdata, avpkt->data + s->strippos,
+                         avpkt->size - s->strippos);
    }

    if (s->rps <= 0) {
@@ -1134,12 +1149,12 @@ static int decode_frame(AVCodecContext *avctx,

    for (i = 0; i < s->height; i += s->rps) {
        if (s->stripsizesoff)
-            ssize = tget(&stripsizes, s->sstype, s->le);
+            ssize = tget(&stripsizes, s->sstype, le);
        else
            ssize = s->stripsize;

        if (s->strippos)
-            soff = tget(&stripdata, s->sot, s->le);
+            soff = tget(&stripdata, s->sot, le);
        else
            soff = s->stripoff;

--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -322,6 +322,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
        return -1;
    }

+    if (header.header_size + 1 > s->size) {
+        av_log(s->avctx, AV_LOG_ERROR, "Input packet too small.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    /* unscramble the header bytes with a XOR operation */
    for (i = 1; i < header.header_size; i++)
        header_buffer[i - 1] = s->buf[i] ^ s->buf[i + 1];
@@ -513,6 +518,15 @@ hres,vres,i,i%vres (0 < i < 4)
    index = s->index_stream[index_stream_index++] * 4; \
 }

+#define INC_INDEX                                                   \
+do {                                                                \
+    if (index >= 1023) {                                            \
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid index value.\n");   \
+        return;                                                     \
+    }                                                               \
+    index++;                                                        \
+} while (0)
+
 #define APPLY_C_PREDICTOR() \
    if(index > 1023){\
        av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
@@ -529,10 +543,10 @@ hres,vres,i,i%vres (0 < i < 4)
            if (predictor_pair & 1) \
                GET_NEXT_INDEX() \
            else \
-                index++; \
+                INC_INDEX; \
        } \
    } else \
-        index++;
+        INC_INDEX;

 #define APPLY_C_PREDICTOR_24() \
    if(index > 1023){\
@@ -550,10 +564,10 @@ hres,vres,i,i%vres (0 < i < 4)
            if (predictor_pair & 1) \
                GET_NEXT_INDEX() \
            else \
-                index++; \
+                INC_INDEX; \
        } \
    } else \
-        index++;
+        INC_INDEX;


 #define APPLY_Y_PREDICTOR() \
@@ -572,10 +586,10 @@ hres,vres,i,i%vres (0 < i < 4)
            if (predictor_pair & 1) \
                GET_NEXT_INDEX() \
            else \
-                index++; \
+                INC_INDEX; \
        } \
    } else \
-        index++;
+        INC_INDEX;

 #define APPLY_Y_PREDICTOR_24() \
    if(index > 1023){\
@@ -593,10 +607,10 @@ hres,vres,i,i%vres (0 < i < 4)
            if (predictor_pair & 1) \
                GET_NEXT_INDEX() \
            else \
-                index++; \
+                INC_INDEX; \
        } \
    } else \
-        index++;
+        INC_INDEX;

 #define OUTPUT_PIXEL_PAIR() \
    *current_pixel_pair = *vert_pred + horiz_pred; \
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -183,6 +183,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
    int i;
    int w_align = 1;
    int h_align = 1;
+    AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(s->pix_fmt);
+
+    if (desc) {
+        w_align = 1 << desc->log2_chroma_w;
+        h_align = 1 << desc->log2_chroma_h;
+    }

    switch (s->pix_fmt) {
    case AV_PIX_FMT_YUV420P:
@@ -234,6 +240,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
    case AV_PIX_FMT_GBRP12BE:
    case AV_PIX_FMT_GBRP14LE:
    case AV_PIX_FMT_GBRP14BE:
+    case AV_PIX_FMT_GBRP16LE:
+    case AV_PIX_FMT_GBRP16BE:
        w_align = 16; //FIXME assume 16 pixel per macroblock
        h_align = 16 * 2; // interlaced needs 2 macroblocks height
        break;
@@ -261,6 +269,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
            w_align = 4;
            h_align = 4;
        }
+        if (s->codec_id == AV_CODEC_ID_JV) {
+            w_align = 8;
+            h_align = 8;
+        }
        break;
    case AV_PIX_FMT_BGR24:
        if ((s->codec_id == AV_CODEC_ID_MSZH) ||
@@ -270,8 +282,6 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
        }
        break;
    default:
-        w_align = 1;
-        h_align = 1;
        break;
    }

@@ -540,6 +550,11 @@ void ff_init_buffer_info(AVCodecContext *s, AVFrame *frame)

 int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame)
 {
+    if (avctx->codec->type == AVMEDIA_TYPE_VIDEO) {
+        if (av_image_check_size(avctx->width, avctx->height, 0, avctx))
+            return AVERROR_INVALIDDATA;
+    }
+
    ff_init_buffer_info(avctx, frame);

    return avctx->get_buffer(avctx, frame);
@@ -2698,6 +2713,11 @@ int avpriv_bprint_to_extradata(AVCodecContext *avctx, struct AVBPrint *buf)
    ret = av_bprint_finalize(buf, &str);
    if (ret < 0)
        return ret;
+    if (!av_bprint_is_complete(buf)) {
+        av_free(str);
+        return AVERROR(ENOMEM);
+    }
+
    avctx->extradata = str;
    /* Note: the string is NUL terminated (so extradata can be read as a
     * string), but the ending character is not accounted in the size (in
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -212,6 +212,8 @@ static void restore_median(uint8_t *src, int step, int stride,
        slice_height = ((((slice + 1) * height) / slices) & cmask) -
                       slice_start;

+        if (!slice_height)
+            continue;
        bsrc = src + slice_start * stride;

        // first line - left neighbour prediction
@@ -222,7 +224,7 @@ static void restore_median(uint8_t *src, int step, int stride,
            A        = bsrc[i];
        }
        bsrc += stride;
-        if (slice_height == 1)
+        if (slice_height <= 1)
            continue;
        // second line - first element has top prediction, the rest uses median
        C        = bsrc[-stride];
@@ -267,6 +269,8 @@ static void restore_median_il(uint8_t *src, int step, int stride,
        slice_height   = ((((slice + 1) * height) / slices) & cmask) -
                         slice_start;
        slice_height >>= 1;
+        if (!slice_height)
+            continue;

        bsrc = src + slice_start * stride;

@@ -282,7 +286,7 @@ static void restore_median_il(uint8_t *src, int step, int stride,
            A                 = bsrc[stride + i];
        }
        bsrc += stride2;
-        if (slice_height == 1)
+        if (slice_height <= 1)
            continue;
        // second line - first element has top prediction, the rest uses median
        C        = bsrc[-stride2];
--- a/libavcodec/utvideoenc.c
+++ b/libavcodec/utvideoenc.c
@@ -468,7 +468,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src,
         * get the offset in bits and convert to bytes.
         */
        offset += write_huff_codes(dst + sstart * width, c->slice_bits,
-                                   width * (send - sstart), width,
+                                   width * height + 4, width,
                                   send - sstart, he) >> 3;

        slice_len = offset - slice_len;
@@ -525,8 +525,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt,

    bytestream2_init_writer(&pb, dst, pkt->size);

-    av_fast_malloc(&c->slice_bits, &c->slice_bits_size,
-                   width * height + FF_INPUT_BUFFER_PADDING_SIZE);
+    av_fast_padded_malloc(&c->slice_bits, &c->slice_bits_size, width * height + 4);

    if (!c->slice_bits) {
        av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer 2.\n");
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .1.7
 .1.15