MAINTAINERS: Remove myself as leader

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f2c58931e6)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Changelog

@@ -3,6 +3,299 @@ releases are sorted from youngest to oldest.
 
 version next:
 
+
+version 0.10.11
+
+- pthread: Avoid spurious wakeups
+- pthread: Fix deadlock during thread initialization
+- mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
+- vc1dec: Don't decode slices when the latest slice header failed to decode
+- vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
+- r3d: Add more input value validation
+- fraps: Make the input buffer size checks more strict
+- svq3: Avoid a division by zero
+- rmdec: Validate the fps value
+- twinvqdec: Check the ibps parameter separately
+- asfdec: Check the return value of asf_read_stream_properties
+- mxfdec: set audio timebase to 1/samplerate
+- pcx: Check the packet size before assuming it fits a palette
+- rpza: Fix a buffer size check
+- xxan: Disallow odd width
+- xan: Only read within the data that actually was initialized
+- xan: Use bytestream2 to limit reading to within the buffer
+- pcx: Consume the whole packet if giving up due to missing palette
+- pngdec: Stop trying to decode once inflate returns Z_STREAM_END
+- mov: Make sure the read sample count is nonnegative
+- bfi: Add some very basic sanity checks for input packet sizes
+- bfi: Avoid divisions by zero
+- electronicarts: Add more sanity checking for the number of channels
+- riffdec: Add sanity checks for the sample rate
+- mvi: Add sanity checking for the audio frame size
+- xwma: Avoid division by zero
+- avidec: Make sure a packet is large enough before reading its data
+- vqf: Make sure the bitrate is in the valid range
+- vqf: Make sure sample_rate is set to a valid value
+- vc1dec: Undo mpegvideo initialization if unable to allocate tables
+- vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
+- wnv1: Make sure the input packet is large enough
+- dca: Validate the lfe parameter
+- rl2: Avoid a division by zero
+- wtv: Add more sanity checks for a length read from the file
+- segafilm: Validate the number of audio channels
+- qpeg: Add checks for running out of rows in qpeg_decode_inter
+- mpegaudiodec: Validate that the number of channels fits at the given offset
+- asv1: Verify the amount of extradata
+- idroqdec: Make sure a video stream has been allocated before returning packets
+- rv10: Validate the dimensions set from the container
+- xmv: Add more sanity checks for parameters read from the bitstream
+- ffv1: Make sure at least one slice context is initialized
+- truemotion2: Use av_freep properly in an error path
+- eacmv: Make sure a reference frame exists before referencing it
+- mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
+- ivi_common: Make sure color planes have been initialized
+- oggparseogm: Convert to use bytestream2
+- rv34: Check the return value from ff_rv34_decode_init
+- matroskadec: Verify realaudio codec parameters
+- mace: Make sure that the channel count is set to a valid value
+- svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
+- vp3: Check the framerate for validity
+- cavsdec: Make sure a sequence header has been decoded before decoding pictures
+- sierravmd: Do sanity checking of frame sizes
+- omadec: Properly check lengths before incrementing the position
+- mpc8: Make sure the first stream exists before parsing the seek table
+- mpc8: Check the seek table size parsed from the bitstream
+- zmbvdec: Check the buffer size for uncompressed data
+- ape: Don't allow the seektable to be omitted
+- shorten: Break out of loop looking for fmt chunk if none is found
+- shorten: Use a checked bytestream reader for the wave header
+- smacker: Make sure we don't fill in huffman codes out of range
+- smacker: Avoid integer overflow when allocating packets
+- smacker: Don't return packets in unallocated streams
+- dsicin: Add some basic sanity checks for fields read from the file
+- roqvideodec: check dimensions validity
+- qdm2: check array index before use, fix out of array accesses
+- alsdec: check block length
+
+
+version 0.10.10
+
+- x86: fft: Remove 3DNow! optimizations, they break FATE
+- x86: ac3dsp: Drop mmx variant of ac3_max_msb_abs_int16
+- aac: Check init_get_bits return value
+- aac: return meaningful errors
+- dsicinav: K&R formatting cosmetics
+- mov: Seek back if overreading an individual atom
+- vcr1: add sanity checks
+- pictordec: pass correct context to avpriv_request_sample
+- dsicinav: Clip the source size to the expected maximum
+- alsdec: Clean up error paths
+- ogg: Fix potential infinite discard loop
+- nuv: check rtjpeg_decode_frame_yuv420 return value
+- nuv: Reset the frame on resize
+- nuv: Use av_fast_realloc
+- nuv: return meaningful error codes.
+- nuv: Pad the lzo outbuf
+- nuv: Do not ignore lzo decompression failures
+- oma: correctly mark and decrypt partial packets
+- oma: check geob tag boundary
+- oma: refactor seek function
+- 8bps: Bound-check the input buffer
+- rtmp: Do not misuse memcmp
+- rtmp: rename data_size to size
+- lavc: set the default rc_initial_buffer_occupancy
+- 4xm: Reject not a multiple of 16 dimension
+- 4xm: do not overread the prestream buffer
+- 4xm: validate the buffer size before parsing it
+- indeo: Do not reference mismatched tiles
+- indeo: Sanitize ff_ivi_init_planes fail paths
+- indeo: Bound-check before applying motion compensation
+- indeo: Bound-check before applying transform
+- indeo: reject negative array indexes
+- indeo: Cosmetic formatting
+- indeo: Refactor ff_ivi_init_tiles and ivi_decode_blocks
+- indeo: Refactor ff_ivi_dec_huff_desc
+- lavf: fix the comparison in an overflow check
+- dv: Add a guard to not overread the ppcm array
+- mpegvideo: Avoid 32-bit wrapping of linesize multiplications
+- mjpegb: Detect changing number of planes in interlaced video
+- matroskadec: Check that .lang was allocated and set before reading it
+- ape demuxer: check for EOF in potentially long loops
+- lavf: avoid integer overflow when estimating bitrate
+- pictordec: break out of both decoding loops when y drops below 0
+- ac3: Return proper error codes
+- ac3: Clean up the error paths
+- ac3: Do not clash with normal AVERROR
+- dxa: Make sure the reference frame exists
+- h261: check the mtype index
+- segafilm: Error out on impossible packet size
+- ogg: Always alloc the private context in vorbis_header
+- vc1: check mb_height validity.
+- vc1: check the source buffer in vc1_mc functions
+- bink: Bound check the quantization matrix.
+- xl: Make sure the width is valid
+- alsdec: Fix the clipping range
+- dsicinav: Bound-check the source buffer when needed
+- mov: Do not allow updating the time scale after it has been set
+- ac3dec: Don't consume more data than the actual input packet size
+- indeo: Reject impossible FRAMETYPE_NULL
+- indeo5: return proper error codes
+- indeo4: Validate scantable dimension
+- indeo4: Check the quantization matrix index
+- indeo4: Do not access missing reference MV
+- adpcm: Unbreak ima-dk4
+- ac3dec: validate channel output mode against channel count
+- dca: Respect the current limits in the downmixing capabilities
+- dca: Error out on missing DSYNC
+- pcm: always use codec->id instead of codec_id
+- mlpdec: Do not set invalid context in read_restart_header
+- pcx: Do not overread source buffer in pcx_rle_decode
+- wmavoice: conceal clearly corrupted blocks
+- iff: Do not read over the source buffer
+- qdm2: Conceal broken samples
+- qdm2: refactor joined stereo support
+- adpcm: Write the correct number of samples for ima-dk4
+- imc: Catch a division by zero
+- atrac3: Error on impossible encoding/channel combinations
+- atrac3: set the getbits context the right buffer_end
+- atrac3: fix error handling
+- qdm2: check and reset dithering index per channel
+- westwood_vqa: do not free extradata on error in read_header
+- vqavideo: check the version
+- rmdec: Use the AVIOContext given as parameter in rm_read_metadata()
+- avio: Handle AVERROR_EOF in the same way as the return value 0
+- wtv: Mark attachment with a negative stream id
+- avidec: Let the inner dv demuxer take care of discarding
+- swfdec: do better validation of tag length
+
+
+version 0.10.8
+- kmvc: Clip pixel position to valid range
+- kmvc: use fixed sized arrays in the context
+- indeo: use a typedef for the mc function pointer
+- lavc: check for overflow in init_get_bits
+- mjpegdec: properly report unsupported disabled features
+- jpegls: return meaningful errors
+- jpegls: factorize return paths
+- jpegls: check the scan offset
+- wavpack: validate samples size parsed in wavpack_decode_block
+- ljpeg: use the correct number of components in yuv
+- mjpeg: Validate sampling factors
+- mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac
+- wavpack: check packet size early
+- wavpack: return meaningful errors
+- apetag: use int64_t for filesize
+- tiff: do not overread the source buffer
+- Prepare for 0.8.8 Release
+- smacker: fix an off by one in huff.length computation
+- smacker: check the return value of smacker_decode_tree
+- smacker: pad the extradata allocation
+- smacker: check frame size validity
+- vmdav: convert to bytestream2
+- 4xm: don't rely on get_buffer() initializing the frame.
+- 4xm: check the return value of read_huffman_tables().
+- 4xm: use the correct logging context
+- 4xm: reject frames not compatible with the declared version
+- 4xm: check bitstream_size boundary before using it
+- 4xm: do not overread the source buffer in decode_p_block
+- avfiltergraph: check for sws opts being non-NULL before using them
+- bmv: check for len being valid in bmv_decode_frame()
+- dfa: check for invalid access in decode_wdlt()
+- indeo3: check motion vectors
+- indeo3: fix data size check
+- indeo3: switch parsing the header to bytestream2
+- lavf: make sure stream probe data gets freed.
+- oggdec: fix faulty cleanup prototype
+- oma: Validate sample rates
+- qdm2: check that the FFT size is a power of 2
+- rv10: check that extradata is large enough
+- xmv: check audio track parameters validity
+- xmv: do not leak memory in the error paths in xmv_read_header()
+- aac: check the maximum number of channels
+- indeo3: fix off by one in MV validity check, Bug #503
+- id3v2: check for end of file while unescaping tags
+- wav: Always seek to an even offset, Bug #500, LP: #1174737
+- proresdec: support mixed interlaced/non-interlaced content
+
+
+version 0.10.6:
+
+- many bug fixes that where found with Coverity
+
+- The following CVE fixes where backported:
+  CVE-2012-2796, CVE-2012-2775, CVE-2012-2772, CVE-2012-2776,
+  CVE-2012-2779, CVE-2012-2787, CVE-2012-2794, CVE-2012-2800,
+  CVE-2012-2802, CVE-2012-2801, CVE-2012-2786, CVE-2012-2798,
+  CVE-2012-2793, CVE-2012-2789, CVE-2012-2788, CVE-2012-2790,
+  CVE-2012-2777, CVE-2012-2784
+
+- hundreads of other bug fixes, some possibly security relevant,
+  see the git log for details.
+
+
+version 0.10.5:
+
+- Several bugs and crashes have been fixed as well as build problems
+  with recent mingw64
+
+
+version 0.10.4:
+
+- Several bugs and crashes have been fixed
+  Note, CVE-2012-0851 and CVE-2011-3937 have been fixed in previous releases
+
+version 0.10.3:
+
+- Security fixes in the 4xm demuxer, avi demuxer, cook decoder,
+  mm demuxer, mpegvideo decoder, vqavideo decoder (CVE-2012-0947) and
+  xmv demuxer.
+
+- Several bugs and crashes have been fixed in the following codecs: AAC,
+  APE, H.263, H.264, Indeo 4, Mimic, MJPEG, Motion Pixels Video, RAW,
+  TTA, VC1, VQA, WMA Voice, vqavideo.
+
+- Several bugs and crashes have been fixed in the following formats:
+  ASF, ID3v2, MOV, xWMA
+
+- This release additionally updates the following codecs to the
+  bytestream2 API, and therefore benefit from additional overflow
+  checks: truemotion2, utvideo, vqavideo
+
+
+version 0.10.1
+- Several security fixes, many bugfixes affecting many formats and
+  codecs, the list below is not complete.
+
+- swapuv filter
+
+- Several bugs and crashes have been fixed in the following codecs: AAC,
+  AC-3, ADPCM, AMR (both NB and WB), ATRAC3, CAVC, Cook, camstudio, DCA,
+  DPCM, DSI CIN, DV, EA TGQ, FLAC, fraps, G.722 (both encoder and
+  decoder), H.264, huvffyuv, BB JV decoder, Indeo 3, KGV1, LCL, the
+  libx264 wrapper, MJPEG, mp3on4, Musepack, MPEG1/2, PNG, QDM2, Qt RLE,
+  ROQ, RV10, RV30/RV34/RV40, shorten, smacker, subrip, SVQ3, TIFF,
+  Truemotion2, TTA, VC1, VMware Screen codec, Vorbis, VP5, VP6, WMA,
+  Westwood SNDx, XXAN.
+
+- This release additionally updates the following codecs to the
+  bytestream2 API, and therefore benefit from additional overflow
+  checks: XXAN, ALG MM, TQG, SMC, Qt SMC, ROQ, PNG
+
+- Several bugs and crashes have been fixed in the following formats:
+  AIFF, ASF, DV, Matroska, NSV, MOV, MPEG-TS, Smacker, Sony OpenMG, RM,
+  SWF.
+
+- Libswscale has an potential overflow for large image size fixed.
+
+- The following APIs have been added:
+
+  avcodec_is_open()
+  avformat_get_riff_video_tags()
+  avformat_get_riff_audio_tags()
+
+  Please see the file doc/APIchanges and the Doxygen documentation for
+  further information.
+
+
 version 0.10:
 - Fixes: CVE-2011-3929, CVE-2011-3934, CVE-2011-3935, CVE-2011-3936,
          CVE-2011-3937, CVE-2011-3940, CVE-2011-3941, CVE-2011-3944,

Doxyfile

@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
-PROJECT_NUMBER         =
+PROJECT_NUMBER         = 0.10.16
 
 # With the PROJECT_LOGO tag one can specify an logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55

MAINTAINERS

@@ -14,7 +14,6 @@ and related discussions.
 Project Leader
 ==============
 
-Michael Niedermayer
   final design decisions
 
 

Makefile

@@ -137,7 +137,6 @@ uninstall-data:
 clean::
 	$(RM) $(ALLPROGS) $(ALLPROGS_G)
 	$(RM) $(CLEANSUFFIXES)
-	$(RM) $(TOOLS)
 	$(RM) $(CLEANSUFFIXES:%=tools/%)
 	$(RM) coverage.info
 	$(RM) -r coverage-html
@@ -158,6 +157,8 @@ coverage-html: coverage.info
 	$(Q)genhtml -o $@ $<
 	$(Q)touch $@
 
+check: all alltools checkheaders examples testprogs fate
+
 include $(SRC_PATH)/doc/Makefile
 include $(SRC_PATH)/tests/Makefile
 
@@ -172,5 +173,5 @@ $(sort $(OBJDIRS)):
 # so this saves some time on slow systems.
 .SUFFIXES:
 
-.PHONY: all all-yes alltools *clean config examples install*
+.PHONY: all all-yes alltools check *clean config examples install*
 .PHONY: testprogs uninstall*

RELEASE

@@ -1 +1 @@
-0.9.1.git
+0.10.16

VERSION

@@ -0,0 +1 @@
+0.10.16

cmdutils.c

@@ -56,7 +56,7 @@
 struct SwsContext *sws_opts;
 AVDictionary *format_opts, *codec_opts;
 
-const int this_year = 2012;
+const int this_year = 2015;
 
 static FILE *report_file;
 
@@ -423,7 +423,10 @@ int opt_default(const char *opt, const char *arg)
     const AVOption *oc, *of, *os;
     char opt_stripped[128];
     const char *p;
-    const AVClass *cc = avcodec_get_class(), *fc = avformat_get_class(), *sc;
+    const AVClass *cc = avcodec_get_class(), *fc = avformat_get_class();
+#if CONFIG_SWSCALE
+    const AVClass *sc = sws_get_class();
+#endif
 
     if (!(p = strchr(opt, ':')))
         p = opt + strlen(opt);
@@ -438,7 +441,6 @@ int opt_default(const char *opt, const char *arg)
                           AV_OPT_SEARCH_CHILDREN | AV_OPT_SEARCH_FAKE_OBJ)))
         av_dict_set(&format_opts, opt, arg, FLAGS(of));
 #if CONFIG_SWSCALE
-    sc = sws_get_class();
     if ((os = av_opt_find(&sc, opt, NULL, 0,
                           AV_OPT_SEARCH_CHILDREN | AV_OPT_SEARCH_FAKE_OBJ))) {
         // XXX we only support sws_flags, not arbitrary sws options
@@ -806,7 +808,7 @@ int opt_codecs(const char *opt, const char *arg)
             if (p2 && strcmp(p->name, p2->name) == 0) {
                 if (p->decode)
                     decode = 1;
-                if (p->encode)
+                if (p->encode || p->encode2)
                     encode = 1;
                 cap |= p->capabilities;
             }

common.mak

@@ -117,4 +117,13 @@ CLEANSUFFIXES     = *.d *.o *~ *.ho *.map *.ver *.gcno *.gcda
 DISTCLEANSUFFIXES = *.pc
 LIBSUFFIXES       = *.a *.lib *.so *.so.* *.dylib *.dll *.def *.dll.a *.exp
 
+define RULES
+clean::
+	$(RM) $(OBJS) $(OBJS:.o=.d)
+	$(RM) $(HOSTPROGS)
+	$(RM) $(TOOLS)
+endef
+
+$(eval $(RULES))
+
 -include $(wildcard $(OBJS:.o=.d) $(TESTOBJS:.o=.d))

configure

@@ -54,6 +54,8 @@ if test "$E1" != 0 || test "$E2" = 0; then
     exit 1
 fi
 
+test -d /usr/xpg4/bin && PATH=/usr/xpg4/bin:$PATH
+
 show_help(){
 cat <<EOF
 Usage: configure [options]
@@ -688,6 +690,13 @@ check_ld(){
     check_cmd $ld $LDFLAGS $flags -o $TMPE $TMPO $libs $extralibs
 }
 
+print_include(){
+    hdr=$1
+    test "${hdr%.h}" = "${hdr}" &&
+        echo "#include $hdr"    ||
+        echo "#include <$hdr>"
+}
+
 check_cppflags(){
     log check_cppflags "$@"
     set -- $($filter_cppflags "$@")
@@ -765,7 +774,7 @@ check_func_headers(){
     shift 2
     {
         for hdr in $headers; do
-            echo "#include <$hdr>"
+            print_include $hdr
         done
         for func in $funcs; do
             echo "long check_$func(void) { return (long) $func; }"
@@ -1168,6 +1177,7 @@ HAVE_LIST="
     dlfcn_h
     dlopen
     dos_paths
+    dxva_h
     ebp_available
     ebx_available
     exp2
@@ -2559,7 +2569,7 @@ check_host_cflags -std=c99
 check_host_cflags -Wall
 
 case "$arch" in
-    alpha|ia64|mips|parisc|sparc)
+    alpha|ia64|mips|parisc|ppc|sparc)
         spic=$shared
     ;;
     x86)
@@ -2899,17 +2909,14 @@ elif enabled ppc; then
         check_cc <<EOF || disable altivec
 $inc_altivec_h
 int main(void) {
-    vector signed int v1, v2, v3;
-    v1 = vec_add(v2,v3);
+    vector signed int v1 = (vector signed int) { 0 };
+    vector signed int v2 = (vector signed int) { 1 };
+    v1 = vec_add(v1, v2);
     return 0;
 }
 EOF
 
-        # check if our compiler supports braces for vector declarations
-        check_cc <<EOF || die "You need a compiler that supports {} in AltiVec vector declarations."
-$inc_altivec_h
-int main (void) { (vector int) {1}; return 0; }
-EOF
+        enabled altivec || warn "Altivec disabled, possibly missing --cpu flag"
     fi
 
 elif enabled sparc; then
@@ -2981,6 +2988,7 @@ if enabled asm; then
 fi
 
 check_ldflags -Wl,--as-needed
+check_ldflags -Wl,-z,noexecstack
 
 if check_func dlopen; then
     ldl=
@@ -3047,6 +3055,7 @@ check_func_headers windows.h MapViewOfFile
 check_func_headers windows.h VirtualAlloc
 
 check_header dlfcn.h
+check_header dxva.h
 check_header dxva2api.h -D_WIN32_WINNT=0x0600
 check_header libcrystalhd/libcrystalhd_if.h
 check_header malloc.h
@@ -3135,7 +3144,7 @@ enabled libdirac   && require_pkg_config dirac                          \
     "libdirac_decoder/dirac_parser.h libdirac_encoder/dirac_encoder.h"  \
     "dirac_decoder_init dirac_encoder_init"
 enabled libfaac    && require2 libfaac "stdint.h faac.h" faacEncGetVersion -lfaac
-enabled libfreetype && require_pkg_config freetype2 "ft2build.h freetype/freetype.h" FT_Init_FreeType
+enabled libfreetype && require_pkg_config freetype2 "ft2build.h FT_FREETYPE_H" FT_Init_FreeType
 enabled libgsm     && require  libgsm gsm/gsm.h gsm_create -lgsm
 enabled libmodplug && require  libmodplug libmodplug/modplug.h ModPlug_Load -lmodplug
 enabled libmp3lame && require  "libmp3lame >= 3.98.3" lame/lame.h lame_set_VBR_quality -lmp3lame
@@ -3201,7 +3210,14 @@ makeinfo --version > /dev/null 2>&1 && enable makeinfo  || disable makeinfo
 check_header linux/fb.h
 check_header linux/videodev.h
 check_header linux/videodev2.h
-check_struct linux/videodev2.h "struct v4l2_frmivalenum" discrete
+check_cc <<EOF && enable_safe struct_v4l2_frmivalenum_discrete
+#include <linux/videodev2.h>
+int main(void) {
+struct v4l2_frmsizeenum vfse;
+vfse.discrete.width = 0;
+return 0;
+}
+EOF
 
 check_header sys/videoio.h
 
@@ -3354,11 +3370,15 @@ elif enabled gcc; then
     check_cflags -fno-tree-vectorize
     check_cflags -Werror=implicit-function-declaration
     check_cflags -Werror=missing-prototypes
+    check_cflags -Werror=return-type
 elif enabled llvm_gcc; then
     check_cflags -mllvm -stack-alignment=16
 elif enabled clang; then
     check_cflags -mllvm -stack-alignment=16
     check_cflags -Qunused-arguments
+    check_cflags -Werror=return-type
+    check_cflags -Werror=implicit-function-declaration
+    check_cflags -Werror=missing-prototypes
 elif enabled armcc; then
     # 2523: use of inline assembler is deprecated
     add_cflags -W${armcc_opt},--diag_suppress=2523

doc/APIchanges

@@ -13,24 +13,40 @@ libavutil:   2011-04-18
 
 API changes, most recent first:
 
+2014-09-16 - 8637f4e - lavu 51.22.3 - cpu.h
+  Add AV_CPU_FLAG_CMOV.
+
 2012-01-24 - xxxxxxx - lavfi 2.60.100
   Add avfilter_graph_dump.
 
-2012-01-25 - lavf 53.22.0
-  f1caf01 Allow doing av_write_frame(ctx, NULL) for flushing possible
+2012-01-25 - lavf 53.31.100 / 53.22.0
+  3c5fe5b / f1caf01 Allow doing av_write_frame(ctx, NULL) for flushing possible
           buffered data within a muxer. Added AVFMT_ALLOW_FLUSH for
           muxers supporting it (av_write_frame makes sure it is called
           only for muxers with this flag).
 
-2012-01-15 - lavc 53.34.0
+2012-03-04 - 7f3f855 - lavu 51.22.1 - error.h
+  Add AVERROR_UNKNOWN
+
+2012-02-29 - 2ad77c6 - lavf 53.21.1
+  Add avformat_get_riff_video_tags() and avformat_get_riff_audio_tags().
+
+2012-02-29 - a1556d3 - lavu 51.22.0 - intfloat.h
+  Add a new installed header libavutil/intfloat.h with int/float punning
+  functions.
+
+2012-02-17 - 350d06d - lavc 53.35.0
+  Add avcodec_is_open() function.
+
+2012-01-15 - lavc 53.56.105 / 53.34.0
   New audio encoding API:
-  b2c75b6 Add CODEC_CAP_VARIABLE_FRAME_SIZE capability for use by audio
+  67f5650 / b2c75b6 Add CODEC_CAP_VARIABLE_FRAME_SIZE capability for use by audio
           encoders.
-  5ee5fa0 Add avcodec_fill_audio_frame() as a convenience function.
-  b2c75b6 Add avcodec_encode_audio2() and deprecate avcodec_encode_audio().
+  67f5650 / 5ee5fa0 Add avcodec_fill_audio_frame() as a convenience function.
+  67f5650 / b2c75b6 Add avcodec_encode_audio2() and deprecate avcodec_encode_audio().
           Add AVCodec.encode2().
 
-2012-01-12 - 3167dc9 - lavfi 2.15.0
+2012-01-12 - b18e17e / 3167dc9 - lavfi 2.59.100 / 2.15.0
   Add a new installed header -- libavfilter/version.h -- with version macros.
 
 2011-12-08 - a502939 - lavfi 2.52.0
@@ -51,37 +67,37 @@ API changes, most recent first:
 2011-10-20 - b35e9e1 - lavu 51.22.0
   Add av_strtok() to avstring.h.
 
-2011-01-03 - b73ec05 - lavu 51.21.0
+2012-01-03 - ad1c8dd / b73ec05 - lavu 51.34.100 / 51.21.0
   Add av_popcount64
 
-2011-12-18 - 8400b12 - lavc 53.28.1
+2011-12-18 - 7c29313 / 8400b12 - lavc 53.46.1 / 53.28.1
   Deprecate AVFrame.age. The field is unused.
 
-2011-12-12 - 5266045 - lavf 53.17.0
+2011-12-12 - 8bc7fe4 / 5266045 - lavf 53.25.0 / 53.17.0
   Add avformat_close_input().
   Deprecate av_close_input_file() and av_close_input_stream().
 
-2011-12-02 - 0eea212 - lavc 53.25.0
+2011-12-02 - e4de716 / 0eea212 - lavc 53.40.0 / 53.25.0
   Add nb_samples and extended_data fields to AVFrame.
   Deprecate AVCODEC_MAX_AUDIO_FRAME_SIZE.
   Deprecate avcodec_decode_audio3() in favor of avcodec_decode_audio4().
   avcodec_decode_audio4() writes output samples to an AVFrame, which allows
   audio decoders to use get_buffer().
 
-2011-12-04 - 560f773 - lavc 53.24.0
+2011-12-04 - e4de716 / 560f773 - lavc 53.40.0 / 53.24.0
   Change AVFrame.data[4]/base[4]/linesize[4]/error[4] to [8] at next major bump.
   Change AVPicture.data[4]/linesize[4] to [8] at next major bump.
   Change AVCodecContext.error[4] to [8] at next major bump.
   Add AV_NUM_DATA_POINTERS to simplify the bump transition.
 
-2011-11-23 - bbb46f3 - lavu 51.18.0
+2011-11-23 - 8e576d5 / bbb46f3 - lavu 51.27.0 / 51.18.0
   Add av_samples_get_buffer_size(), av_samples_fill_arrays(), and
   av_samples_alloc(), to samplefmt.h.
 
-2011-11-23 - 8889cc4 - lavu 51.17.0
+2011-11-23 - 8e576d5 / 8889cc4 - lavu 51.27.0 / 51.17.0
   Add planar sample formats and av_sample_fmt_is_planar() to samplefmt.h.
 
-2011-11-19 - f3a29b7 - lavc 53.21.0
+2011-11-19 - dbb38bc / f3a29b7 - lavc 53.36.0 / 53.21.0
   Move some AVCodecContext fields to a new private struct, AVCodecInternal,
   which is accessed from a new field, AVCodecContext.internal.
   - fields moved:
@@ -89,55 +105,55 @@ API changes, most recent first:
       AVCodecContext.internal_buffer_count --> AVCodecInternal.buffer_count
       AVCodecContext.is_copy               --> AVCodecInternal.is_copy
 
-2011-11-16 - 6270671 - lavu 51.16.0
+2011-11-16 - 8709ba9 / 6270671 - lavu 51.26.0 / 51.16.0
   Add av_timegm()
 
-2011-11-13 - lavf 53.15.0
+2011-11-13 - lavf 53.21.0 / 53.15.0
   New interrupt callback API, allowing per-AVFormatContext/AVIOContext
   interrupt callbacks.
-  6aa0b98 Add AVIOInterruptCB struct and the interrupt_callback field to
+  5f268ca / 6aa0b98 Add AVIOInterruptCB struct and the interrupt_callback field to
           AVFormatContext.
-  1dee0ac Add avio_open2() with additional parameters. Those are
+  5f268ca / 1dee0ac Add avio_open2() with additional parameters. Those are
           an interrupt callback and an options AVDictionary.
           This will allow passing AVOptions to protocols after lavf
           54.0.
 
-2011-11-06 - ba04ecf - lavu 51.14.0
+2011-11-06 - 13b7781 / ba04ecf - lavu 51.24.0 / 51.14.0
   Add av_strcasecmp() and av_strncasecmp() to avstring.h.
 
-2011-11-06 - 07b172f - lavu 51.13.0
+2011-11-06 - 13b7781 / 07b172f - lavu 51.24.0 / 51.13.0
   Add av_toupper()/av_tolower()
 
-2011-11-05 - b6d08f4 - lavf 53.13.0
+2011-11-05 - d8cab5c / b6d08f4 - lavf 53.19.0 / 53.13.0
   Add avformat_network_init()/avformat_network_uninit()
 
-2011-10-27 - 512557b - lavc 53.15.0
+2011-10-27 - 6faf0a2 / 512557b - lavc 53.24.0 / 53.15.0
   Remove avcodec_parse_frame.
   Deprecate AVCodecContext.parse_only and CODEC_CAP_PARSE_ONLY.
 
-2011-10-19 - 569129a - lavf 53.10.0
+2011-10-19 - d049257 / 569129a - lavf 53.17.0 / 53.10.0
   Add avformat_new_stream(). Deprecate av_new_stream().
 
-2011-10-13 - b631fba - lavf 53.9.0
+2011-10-13 - 91eb1b1 / b631fba - lavf 53.16.0 / 53.9.0
   Add AVFMT_NO_BYTE_SEEK AVInputFormat flag.
 
-2011-10-12 - lavu 51.12.0
+2011-10-12 - lavu 51.21.0 / 51.12.0
   AVOptions API rewrite.
 
-  - 145f741 FF_OPT_TYPE* renamed to AV_OPT_TYPE_*
+  - f884ef0 / 145f741 FF_OPT_TYPE* renamed to AV_OPT_TYPE_*
   - new setting/getting functions with slightly different semantics:
-        dac66da av_set_string3 -> av_opt_set
+        f884ef0 / dac66da av_set_string3 -> av_opt_set
                 av_set_double  -> av_opt_set_double
                 av_set_q       -> av_opt_set_q
                 av_set_int     -> av_opt_set_int
 
-        41d9d51 av_get_string  -> av_opt_get
+        f884ef0 / 41d9d51 av_get_string  -> av_opt_get
                 av_get_double  -> av_opt_get_double
                 av_get_q       -> av_opt_get_q
                 av_get_int     -> av_opt_get_int
 
-  - 8c5dcaa trivial rename av_next_option -> av_opt_next
-  - 641c7af new functions - av_opt_child_next, av_opt_child_class_next
+  - f884ef0 / 8c5dcaa trivial rename av_next_option -> av_opt_next
+  - f884ef0 / 641c7af new functions - av_opt_child_next, av_opt_child_class_next
     and av_opt_find2()
 
 2011-09-22 - a70e787 - lavu 51.17.0
@@ -183,31 +199,31 @@ API changes, most recent first:
 2011-08-20 - 69e2c1a - lavu 51.13.0
   Add av_get_media_type_string().
 
-2011-09-03 - fb4ca26 - lavc 53.13.0
+2011-09-03 - 1889c67 / fb4ca26 - lavc 53.13.0
                        lavf 53.11.0
                        lsws  2.1.0
   Add {avcodec,avformat,sws}_get_class().
 
-2011-08-03 - c11fb82 - lavu 51.15.0
+2011-08-03 - 1889c67 / c11fb82 - lavu 51.15.0
   Add AV_OPT_SEARCH_FAKE_OBJ flag for av_opt_find() function.
 
 2011-08-14 - 323b930 - lavu 51.12.0
   Add av_fifo_peek2(), deprecate av_fifo_peek().
 
-2011-08-26 - lavu 51.9.0
-  - add41de..abc78a5 Do not include intfloat_readwrite.h,
+2011-08-26 - lavu 51.14.0 / 51.9.0
+  - 976a8b2 / add41de..976a8b2 / abc78a5 Do not include intfloat_readwrite.h,
     mathematics.h, rational.h, pixfmt.h, or log.h from avutil.h.
 
-2011-08-16 - 48f9e45 - lavf 53.8.0
+2011-08-16 - 27fbe31 / 48f9e45 - lavf 53.11.0 / 53.8.0
   Add avformat_query_codec().
 
-2011-08-16 - bca06e7 - lavc 53.11.0
+2011-08-16 - 27fbe31 / bca06e7 - lavc 53.11.0
   Add avcodec_get_type().
 
-2011-08-06 - 2f63440 - lavf 53.7.0
+2011-08-06 - 0cb233c / 2f63440 - lavf 53.7.0
   Add error_recognition to AVFormatContext.
 
-2011-08-02 - 9d39cbf - lavc 53.9.1
+2011-08-02 - 1d186e9 / 9d39cbf - lavc 53.9.1
   Add AV_PKT_FLAG_CORRUPT AVPacket flag.
 
 2011-07-16 - b57df29 - lavfi 2.27.0
@@ -218,10 +234,10 @@ API changes, most recent first:
   avfilter_set_common_packing_formats()
   avfilter_all_packing_formats()
 
-2011-07-10 - a67c061 - lavf 53.6.0
+2011-07-10 - 3602ad7 / a67c061 - lavf 53.6.0
   Add avformat_find_stream_info(), deprecate av_find_stream_info().
 
-2011-07-10 - 0b950fe - lavc 53.8.0
+2011-07-10 - 3602ad7 / 0b950fe - lavc 53.8.0
   Add avcodec_open2(), deprecate avcodec_open().
 
 2011-07-01 - b442ca6 - lavf 53.5.0 - avformat.h
@@ -260,35 +276,35 @@ API changes, most recent first:
 2011-06-12 - 6119b23 - lavfi 2.16.0 - avfilter_graph_parse()
   Change avfilter_graph_parse() signature.
 
-2011-06-23 - 67e9ae1 - lavu 51.8.0 - attributes.h
+2011-06-23 - 686959e / 67e9ae1 - lavu 51.10.0 / 51.8.0 - attributes.h
   Add av_printf_format().
 
-2011-06-16 - 05e84c9, 25de595 - lavf 53.2.0 - avformat.h
+2011-06-16 - 2905e3f / 05e84c9, 2905e3f / 25de595 - lavf 53.4.0 / 53.2.0 - avformat.h
   Add avformat_open_input and avformat_write_header().
   Deprecate av_open_input_stream, av_open_input_file,
   AVFormatParameters and av_write_header.
 
-2011-06-16 - 7e83e1c, dc59ec5 - lavu 51.7.0 - opt.h
+2011-06-16 - 2905e3f / 7e83e1c, 2905e3f / dc59ec5 - lavu 51.9.0 / 51.7.0 - opt.h
   Add av_opt_set_dict() and av_opt_find().
   Deprecate av_find_opt().
   Add AV_DICT_APPEND flag.
 
-2011-06-10 - cb7c11c - lavu 51.6.0 - opt.h
+2011-06-10 - 45fb647 / cb7c11c - lavu 51.6.0 - opt.h
   Add av_opt_flag_is_set().
 
 2011-06-10 - c381960 - lavfi 2.15.0 - avfilter_get_audio_buffer_ref_from_arrays
   Add avfilter_get_audio_buffer_ref_from_arrays() to avfilter.h.
 
-2011-06-09 - d9f80ea - lavu 51.8.0 - AVMetadata
+2011-06-09 - f9ecb84 / d9f80ea - lavu 51.8.0 - AVMetadata
   Move AVMetadata from lavf to lavu and rename it to
   AVDictionary -- new installed header dict.h.
   All av_metadata_* functions renamed to av_dict_*.
 
-2011-06-07 - a6703fa - lavu 51.8.0 - av_get_bytes_per_sample()
+2011-06-07 - d552f61 / a6703fa - lavu 51.8.0 - av_get_bytes_per_sample()
   Add av_get_bytes_per_sample() in libavutil/samplefmt.h.
   Deprecate av_get_bits_per_sample_fmt().
 
-2011-06-05 - b39b062 - lavu 51.8.0 - opt.h
+2011-06-05 - f956924 / b39b062 - lavu 51.8.0 - opt.h
   Add av_opt_free convenience function.
 
 2011-06-06 - 95a0242 - lavfi 2.14.0 - AVFilterBufferRefAudioProps
@@ -318,7 +334,7 @@ API changes, most recent first:
   Add av_get_pix_fmt_name() in libavutil/pixdesc.h, and deprecate
   avcodec_get_pix_fmt_name() in libavcodec/avcodec.h in its favor.
 
-2011-05-25 - 30315a8 - lavf 53.3.0 - avformat.h
+2011-05-25 - 39e4206 / 30315a8 - lavf 53.3.0 - avformat.h
   Add fps_probe_size to AVFormatContext.
 
 2011-05-22 - 5ecdfd0 - lavf 53.2.0 - avformat.h
@@ -334,10 +350,10 @@ API changes, most recent first:
 2011-05-14 - 9fdf772 - lavfi 2.6.0 - avcodec.h
   Add avfilter_get_video_buffer_ref_from_frame() to libavfilter/avcodec.h.
 
-2011-05-18 - 64150ff - lavc 53.7.0 - AVCodecContext.request_sample_fmt
+2011-05-18 - 75a37b5 / 64150ff - lavc 53.7.0 - AVCodecContext.request_sample_fmt
   Add request_sample_fmt field to AVCodecContext.
 
-2011-05-10 - 188dea1 - lavc 53.6.0 - avcodec.h
+2011-05-10 - 59eb12f / 188dea1 - lavc 53.6.0 - avcodec.h
   Deprecate AVLPCType and the following fields in
   AVCodecContext: lpc_coeff_precision, prediction_order_method,
   min_partition_order, max_partition_order, lpc_type, lpc_passes.
@@ -367,81 +383,81 @@ API changes, most recent first:
   Add av_dynarray_add function for adding
   an element to a dynamic array.
 
-2011-04-26 - bebe72f - lavu 51.1.0 - avutil.h
+2011-04-26 - d7e5aeb / bebe72f - lavu 51.1.0 - avutil.h
   Add AVPictureType enum and av_get_picture_type_char(), deprecate
   FF_*_TYPE defines and av_get_pict_type_char() defined in
   libavcodec/avcodec.h.
 
-2011-04-26 - 10d3940 - lavfi 2.3.0 - avfilter.h
+2011-04-26 - d7e5aeb / 10d3940 - lavfi 2.3.0 - avfilter.h
   Add pict_type and key_frame fields to AVFilterBufferRefVideo.
 
-2011-04-26 - 7a11c82 - lavfi 2.2.0 - vsrc_buffer
+2011-04-26 - d7e5aeb / 7a11c82 - lavfi 2.2.0 - vsrc_buffer
   Add sample_aspect_ratio fields to vsrc_buffer arguments
 
-2011-04-21 - 94f7451 - lavc 53.1.0 - avcodec.h
+2011-04-21 - 8772156 / 94f7451 - lavc 53.1.0 - avcodec.h
   Add CODEC_CAP_SLICE_THREADS for codecs supporting sliced threading.
 
 2011-04-15 - lavc 52.120.0 - avcodec.h
   AVPacket structure got additional members for passing side information:
-    4de339e introduce side information for AVPacket
-    2d8591c make containers pass palette change in AVPacket
+    c407984 / 4de339e introduce side information for AVPacket
+    c407984 / 2d8591c make containers pass palette change in AVPacket
 
 2011-04-12 - lavf 52.107.0 - avio.h
   Avio cleanup, part II - deprecate the entire URLContext API:
-    175389c add avio_check as a replacement for url_exist
-    ff1ec0c add avio_pause and avio_seek_time as replacements
+    c55780d / 175389c add avio_check as a replacement for url_exist
+    9891004 / ff1ec0c add avio_pause and avio_seek_time as replacements
             for _av_url_read_fseek/fpause
-    cdc6a87 deprecate av_protocol_next(), avio_enum_protocols
+    d4d0932 / cdc6a87 deprecate av_protocol_next(), avio_enum_protocols
             should be used instead.
-    80c6e23 rename url_set_interrupt_cb->avio_set_interrupt_cb.
-    f87b1b3 rename open flags: URL_* -> AVIO_*
-    f8270bb add avio_enum_protocols.
-    5593f03 deprecate URLProtocol.
-    c486dad deprecate URLContext.
-    026e175 deprecate the typedef for URLInterruptCB
-    8e76a19 deprecate av_register_protocol2.
-    b840484 deprecate URL_PROTOCOL_FLAG_NESTED_SCHEME
-    1305d93 deprecate av_url_read_seek
-    fa104e1 deprecate av_url_read_pause
-    727c7aa deprecate url_get_filename().
-    5958df3 deprecate url_max_packet_size().
-    1869ea0 deprecate url_get_file_handle().
-    32a97d4 deprecate url_filesize().
-    e52a914 deprecate url_close().
-    58a48c6 deprecate url_seek().
-    925e908 deprecate url_write().
-    dce3756 deprecate url_read_complete().
-    bc371ac deprecate url_read().
-    0589da0 deprecate url_open().
-    62eaaea deprecate url_connect.
-    5652bb9 deprecate url_alloc.
-    333e894 deprecate url_open_protocol
-    e230705 deprecate url_poll and URLPollEntry
+    c88caa5 / 80c6e23 rename url_set_interrupt_cb->avio_set_interrupt_cb.
+    c88caa5 / f87b1b3 rename open flags: URL_* -> AVIO_*
+    d4d0932 / f8270bb add avio_enum_protocols.
+    d4d0932 / 5593f03 deprecate URLProtocol.
+    d4d0932 / c486dad deprecate URLContext.
+    d4d0932 / 026e175 deprecate the typedef for URLInterruptCB
+    c88caa5 / 8e76a19 deprecate av_register_protocol2.
+    11d7841 / b840484 deprecate URL_PROTOCOL_FLAG_NESTED_SCHEME
+    11d7841 / 1305d93 deprecate av_url_read_seek
+    11d7841 / fa104e1 deprecate av_url_read_pause
+    434f248 / 727c7aa deprecate url_get_filename().
+    434f248 / 5958df3 deprecate url_max_packet_size().
+    434f248 / 1869ea0 deprecate url_get_file_handle().
+    434f248 / 32a97d4 deprecate url_filesize().
+    434f248 / e52a914 deprecate url_close().
+    434f248 / 58a48c6 deprecate url_seek().
+    434f248 / 925e908 deprecate url_write().
+    434f248 / dce3756 deprecate url_read_complete().
+    434f248 / bc371ac deprecate url_read().
+    434f248 / 0589da0 deprecate url_open().
+    434f248 / 62eaaea deprecate url_connect.
+    434f248 / 5652bb9 deprecate url_alloc.
+    434f248 / 333e894 deprecate url_open_protocol
+    434f248 / e230705 deprecate url_poll and URLPollEntry
 
 2011-04-08 - lavf 52.106.0 - avformat.h
   Minor avformat.h cleanup:
-    a9bf9d8 deprecate av_guess_image2_codec
-    c3675df rename avf_sdp_create->av_sdp_create
+    d4d0932 / a9bf9d8 deprecate av_guess_image2_codec
+    d4d0932 / c3675df rename avf_sdp_create->av_sdp_create
 
 2011-04-03 - lavf 52.105.0 - avio.h
   Large-scale renaming/deprecating of AVIOContext-related functions:
-    724f6a0 deprecate url_fdopen
-    403ee83 deprecate url_open_dyn_packet_buf
-    6dc7d80 rename url_close_dyn_buf       -> avio_close_dyn_buf
-    b92c545 rename url_open_dyn_buf        -> avio_open_dyn_buf
-    8978fed introduce an AVIOContext.seekable field as a replacement for
+    2cae980 / 724f6a0 deprecate url_fdopen
+    2cae980 / 403ee83 deprecate url_open_dyn_packet_buf
+    2cae980 / 6dc7d80 rename url_close_dyn_buf       -> avio_close_dyn_buf
+    2cae980 / b92c545 rename url_open_dyn_buf        -> avio_open_dyn_buf
+    2cae980 / 8978fed introduce an AVIOContext.seekable field as a replacement for
             AVIOContext.is_streamed and url_is_streamed()
-    b64030f deprecate get_checksum()
-    4c4427a deprecate init_checksum()
-    4ec153b deprecate udp_set_remote_url/get_local_port
-    933e90a deprecate av_url_read_fseek/fpause
-    8d9769a deprecate url_fileno
-    b7f2fdd rename put_flush_packet -> avio_flush
-    35f1023 deprecate url_close_buf
-    83fddae deprecate url_open_buf
-    d9d86e0 rename url_fprintf -> avio_printf
-    59f65d9 deprecate url_setbufsize
-    3e68b3b deprecate url_ferror
+    1caa412 / b64030f deprecate get_checksum()
+    1caa412 / 4c4427a deprecate init_checksum()
+    2fd41c9 / 4ec153b deprecate udp_set_remote_url/get_local_port
+    4fa0e24 / 933e90a deprecate av_url_read_fseek/fpause
+    4fa0e24 / 8d9769a deprecate url_fileno
+    0fecf26 / b7f2fdd rename put_flush_packet -> avio_flush
+    0fecf26 / 35f1023 deprecate url_close_buf
+    0fecf26 / 83fddae deprecate url_open_buf
+    0fecf26 / d9d86e0 rename url_fprintf -> avio_printf
+    0fecf26 / 59f65d9 deprecate url_setbufsize
+    6947b0c / 3e68b3b deprecate url_ferror
     e8bb2e2 deprecate url_fget_max_packet_size
     76aa876 rename url_fsize -> avio_size
     e519753 deprecate url_fgetc
@@ -462,7 +478,7 @@ API changes, most recent first:
     b3db9ce deprecate get_partial_buffer
     8d9ac96 rename av_alloc_put_byte -> avio_alloc_context
 
-2011-03-25 - 34b47d7 - lavc 52.115.0 - AVCodecContext.audio_service_type
+2011-03-25 - 27ef7b1 / 34b47d7 - lavc 52.115.0 - AVCodecContext.audio_service_type
   Add audio_service_type field to AVCodecContext.
 
 2011-03-17 - e309fdc - lavu 50.40.0 - pixfmt.h
@@ -500,11 +516,11 @@ API changes, most recent first:
 2011-02-10 - 12c14cd - lavf 52.99.0 - AVStream.disposition
   Add AV_DISPOSITION_HEARING_IMPAIRED and AV_DISPOSITION_VISUAL_IMPAIRED.
 
-2011-02-09 - 5592734 - lavc 52.112.0 - avcodec_thread_init()
+2011-02-09 - c0b102c - lavc 52.112.0 - avcodec_thread_init()
   Deprecate avcodec_thread_init()/avcodec_thread_free() use; instead
   set thread_count before calling avcodec_open.
 
-2011-02-09 - 778b08a - lavc 52.111.0 - threading API
+2011-02-09 - 37b00b4 - lavc 52.111.0 - threading API
   Add CODEC_CAP_FRAME_THREADS with new restrictions on get_buffer()/
   release_buffer()/draw_horiz_band() callbacks for appropriate codecs.
   Add thread_type and active_thread_type fields to AVCodecContext.

doc/developer.texi

@@ -187,8 +187,8 @@ the following snippet into your @file{.vimrc}:
 set expandtab
 set shiftwidth=4
 set softtabstop=4
-" allow tabs in Makefiles
-autocmd FileType make set noexpandtab shiftwidth=8 softtabstop=8
+" Allow tabs in Makefiles.
+autocmd FileType make,automake set noexpandtab shiftwidth=8 softtabstop=8
 " Trailing whitespace and tabs are forbidden, so highlight them.
 highlight ForbiddenWhitespace ctermbg=red guibg=red
 match ForbiddenWhitespace /\s\+$\|\t/

doc/ffmpeg.texi

@@ -407,6 +407,10 @@ prefix is ``ffmpeg2pass''. The complete file name will be
 @file{PREFIX-N.log}, where N is a number specific to the output
 stream
 
+Note that this option is overwritten by a local option of the same name
+when using @code{-vcodec libx264}. That option maps to the x264 option stats
+which has a different syntax.
+
 @item -vlang @var{code}
 Set the ISO 639 language code (3 letters) of the current video stream.
 

doc/filters.texi

@@ -82,7 +82,7 @@ Follows a BNF description for the filtergraph syntax:
 @var{LINKLABEL}        ::= "[" @var{NAME} "]"
 @var{LINKLABELS}       ::= @var{LINKLABEL} [@var{LINKLABELS}]
 @var{FILTER_ARGUMENTS} ::= sequence of chars (eventually quoted)
-@var{FILTER}           ::= [@var{LINKNAMES}] @var{NAME} ["=" @var{ARGUMENTS}] [@var{LINKNAMES}]
+@var{FILTER}           ::= [@var{LINKLABELS}] @var{NAME} ["=" @var{FILTER_ARGUMENTS}] [@var{LINKLABELS}]
 @var{FILTERCHAIN}      ::= @var{FILTER} [,@var{FILTERCHAIN}]
 @var{FILTERGRAPH}      ::= @var{FILTERCHAIN} [;@var{FILTERGRAPH}]
 @end example
@@ -2549,6 +2549,9 @@ For example:
 will create two separate outputs from the same input, one cropped and
 one padded.
 
+@section swapuv
+Swap U & V plane.
+
 @section thumbnail
 Select the most representative frame in a given sequence of consecutive frames.
 

doc/issue_tracker.txt

@@ -24,7 +24,7 @@ a mail for every change to every issue.
 The subscription URL for the ffmpeg-trac list is:
 http(s)://ffmpeg.org/mailman/listinfo/ffmpeg-trac
 The URL of the webinterface of the tracker is:
-http(s)://ffmpeg.org/trac/ffmpeg
+http(s)://trac.ffmpeg.org
 
 Type:
 -----

doc/platform.texi

@@ -51,14 +51,15 @@ The toolchain provided with Xcode is sufficient to build the basic
 unacelerated code.
 
 Mac OS X on PowerPC or ARM (iPhone) requires a preprocessor from
-@url{http://github.com/yuvi/gas-preprocessor} to build the optimized
-assembler functions. Just download the Perl script and put it somewhere
+@url{https://github.com/FFmpeg/gas-preprocessor} or
+@url{https://github.com/yuvi/gas-preprocessor} to build the optimized
+assembler functions. Put the Perl script somewhere
 in your PATH, FFmpeg's configure will pick it up automatically.
 
 Mac OS X on amd64 and x86 requires @command{yasm} to build most of the
 optimized assembler functions. @uref{http://www.finkproject.org/, Fink},
 @uref{http://www.gentoo.org/proj/en/gentoo-alt/prefix/bootstrap-macos.xml, Gentoo Prefix},
-@uref{http://mxcl.github.com/homebrew/, Homebrew}
+@uref{https://mxcl.github.com/homebrew/, Homebrew}
 or @uref{http://www.macports.org, MacPorts} can easily provide it.
 
 

doc/protocols.texi

@@ -242,7 +242,7 @@ data transferred over RDT).
 
 The muxer can be used to send a stream using RTSP ANNOUNCE to a server
 supporting it (currently Darwin Streaming Server and Mischa Spiegelmock's
-@uref{http://github.com/revmischa/rtsp-server, RTSP server}).
+@uref{https://github.com/revmischa/rtsp-server, RTSP server}).
 
 The required syntax for a RTSP url is:
 @example

ffmpeg.c

@@ -505,7 +505,7 @@ static int alloc_buffer(AVCodecContext *s, InputStream *ist, FrameBuffer **pbuf)
         const int v_shift = i==0 ? 0 : v_chroma_shift;
         if (s->flags & CODEC_FLAG_EMU_EDGE)
             buf->data[i] = buf->base[i];
-        else
+        else if (buf->base[i])
             buf->data[i] = buf->base[i] +
                            FFALIGN((buf->linesize[i]*edge >> v_shift) +
                                    (pixel_size*edge >> h_shift), 32);
@@ -2626,32 +2626,35 @@ static int transcode_init(OutputFile *output_files, int nb_output_files,
                 break;
             }
             /* two pass mode */
-            if (codec->codec_id != CODEC_ID_H264 &&
-                (codec->flags & (CODEC_FLAG_PASS1 | CODEC_FLAG_PASS2))) {
+            if (codec->flags & (CODEC_FLAG_PASS1 | CODEC_FLAG_PASS2)) {
                 char logfilename[1024];
                 FILE *f;
 
                 snprintf(logfilename, sizeof(logfilename), "%s-%d.log",
                          pass_logfilename_prefix ? pass_logfilename_prefix : DEFAULT_PASS_LOGFILENAME_PREFIX,
                          i);
-                if (codec->flags & CODEC_FLAG_PASS2) {
-                    char  *logbuffer;
-                    size_t logbuffer_size;
-                    if (cmdutils_read_file(logfilename, &logbuffer, &logbuffer_size) < 0) {
-                        av_log(NULL, AV_LOG_FATAL, "Error reading log file '%s' for pass-2 encoding\n",
-                               logfilename);
-                        exit_program(1);
+                if (!strcmp(ost->enc->name, "libx264")) {
+                    av_dict_set(&ost->opts, "stats", logfilename, AV_DICT_DONT_OVERWRITE);
+                } else {
+                    if (codec->flags & CODEC_FLAG_PASS2) {
+                        char  *logbuffer;
+                        size_t logbuffer_size;
+                        if (cmdutils_read_file(logfilename, &logbuffer, &logbuffer_size) < 0) {
+                            av_log(NULL, AV_LOG_FATAL, "Error reading log file '%s' for pass-2 encoding\n",
+                                logfilename);
+                            exit_program(1);
+                        }
+                        codec->stats_in = logbuffer;
                     }
-                    codec->stats_in = logbuffer;
-                }
-                if (codec->flags & CODEC_FLAG_PASS1) {
-                    f = fopen(logfilename, "wb");
-                    if (!f) {
-                        av_log(NULL, AV_LOG_FATAL, "Cannot write log file '%s' for pass-1 encoding: %s\n",
-                               logfilename, strerror(errno));
-                        exit_program(1);
+                    if (codec->flags & CODEC_FLAG_PASS1) {
+                        f = fopen(logfilename, "wb");
+                        if (!f) {
+                            av_log(NULL, AV_LOG_FATAL, "Cannot write log file '%s' for pass-1 encoding: %s\n",
+                                logfilename, strerror(errno));
+                            exit_program(1);
+                        }
+                        ost->logfile = f;
                     }
-                    ost->logfile = f;
                 }
             }
         }
@@ -4054,8 +4057,6 @@ static OutputStream *new_video_stream(OptionsContext *o, AVFormatContext *oc)
             if (p) p++;
         }
         video_enc->rc_override_count = i;
-        if (!video_enc->rc_initial_buffer_occupancy)
-            video_enc->rc_initial_buffer_occupancy = video_enc->rc_buffer_size * 3 / 4;
         video_enc->intra_dc_precision = intra_dc_precision - 8;
 
         if (do_psnr)
@@ -4065,9 +4066,11 @@ static OutputStream *new_video_stream(OptionsContext *o, AVFormatContext *oc)
         if (do_pass) {
             if (do_pass & 1) {
                 video_enc->flags |= CODEC_FLAG_PASS1;
+                av_dict_set(&ost->opts, "flags", "+pass1", AV_DICT_APPEND);
             }
             if (do_pass & 2) {
                 video_enc->flags |= CODEC_FLAG_PASS2;
+                av_dict_set(&ost->opts, "flags", "+pass2", AV_DICT_APPEND);
             }
         }
 
@@ -4693,7 +4696,8 @@ static int opt_target(OptionsContext *o, const char *opt, const char *arg)
             for (j = 0; j < nb_input_files; j++) {
                 for (i = 0; i < input_files[j].nb_streams; i++) {
                     AVCodecContext *c = input_files[j].ctx->streams[i]->codec;
-                    if (c->codec_type != AVMEDIA_TYPE_VIDEO)
+                    if (c->codec_type != AVMEDIA_TYPE_VIDEO ||
+                        !c->time_base.num)
                         continue;
                     fr = c->time_base.den * 1000 / c->time_base.num;
                     if (fr == 25000) {

ffplay.c

@@ -1611,7 +1611,7 @@ static int input_reget_buffer(AVCodecContext *codec, AVFrame *pic)
 
     if (pic->data[0] == NULL) {
         pic->buffer_hints |= FF_BUFFER_HINTS_READABLE;
-        return codec->get_buffer(codec, pic);
+        return input_get_buffer(codec, pic);
     }
 
     if ((codec->width != ref->video->w) || (codec->height != ref->video->h) ||

ffprobe.c

@@ -1790,6 +1790,10 @@ int main(int argc, char **argv)
 
     if (!print_format)
         print_format = av_strdup("default");
+    if (!print_format) {
+        ret = AVERROR(ENOMEM);
+        goto end;
+    }
     w_name = av_strtok(print_format, "=", &buf);
     w_args = buf;
 

ffserver.c

@@ -562,9 +562,11 @@ static void start_multicast(void)
     default_port = 6000;
     for(stream = first_stream; stream != NULL; stream = stream->next) {
         if (stream->is_multicast) {
+            unsigned random0 = av_lfg_get(&random_state);
+            unsigned random1 = av_lfg_get(&random_state);
             /* open the RTP connection */
             snprintf(session_id, sizeof(session_id), "%08x%08x",
-                     av_lfg_get(&random_state), av_lfg_get(&random_state));
+                     random0, random1);
 
             /* choose a port if none given */
             if (stream->multicast_port == 0) {
@@ -3086,9 +3088,12 @@ static void rtsp_cmd_setup(HTTPContext *c, const char *url,
  found:
 
     /* generate session id if needed */
-    if (h->session_id[0] == '\0')
+    if (h->session_id[0] == '\0') {
+        unsigned random0 = av_lfg_get(&random_state);
+        unsigned random1 = av_lfg_get(&random_state);
         snprintf(h->session_id, sizeof(h->session_id), "%08x%08x",
-                 av_lfg_get(&random_state), av_lfg_get(&random_state));
+                 random0, random1);
+    }
 
     /* find rtp session, and create it if none found */
     rtp_c = find_rtp_session(h->session_id);
@@ -3457,6 +3462,9 @@ static AVStream *add_av_stream1(FFStream *stream, AVCodecContext *codec, int cop
 {
     AVStream *fst;
 
+    if(stream->nb_streams >= FF_ARRAY_ELEMS(stream->streams))
+        return NULL;
+
     fst = av_mallocz(sizeof(AVStream));
     if (!fst)
         return NULL;
@@ -3802,6 +3810,9 @@ static void add_codec(FFStream *stream, AVCodecContext *av)
 {
     AVStream *st;
 
+    if(stream->nb_streams >= FF_ARRAY_ELEMS(stream->streams))
+        return;
+
     /* compute default parameters */
     switch(av->codec_type) {
     case AVMEDIA_TYPE_AUDIO:

libavcodec/4xm.c

@@ -25,6 +25,7 @@
  */
 
 #include "libavutil/intreadwrite.h"
+#include "libavutil/avassert.h"
 #include "avcodec.h"
 #include "dsputil.h"
 #include "get_bits.h"
@@ -347,6 +348,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
         decode_p_block(f, dst             , src             , log2w, log2h, stride);
         decode_p_block(f, dst + (1<<log2w), src + (1<<log2w), log2w, log2h, stride);
     }else if(code == 3 && f->version<2){
+        if (start > src || src > end) {
+            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+            return;
+        }
         mcdc(dst, src, log2w, h, stride, 1, 0);
     }else if(code == 4){
         if (f->g.buffer_end - f->g.buffer < 1){
@@ -368,6 +373,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
             av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
             return;
         }
+        if (start > src || src > end) {
+            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+            return;
+        }
         mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2));
     }else if(code == 6){
         if (f->g2.buffer_end - f->g2.buffer < 2){
@@ -394,6 +403,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
     unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset;
 
     if(f->version>1){
+        if (length < 20)
+            return AVERROR_INVALIDDATA;
         extra=20;
         if (length < extra)
             return -1;
@@ -551,7 +562,10 @@ static int decode_i_mb(FourXContext *f){
     return 0;
 }
 
-static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf, int buf_size){
+static const uint8_t *read_huffman_tables(FourXContext *f,
+                                          const uint8_t * const buf,
+                                          int buf_size)
+{
     int frequency[512];
     uint8_t flag[512];
     int up[512];
@@ -572,6 +586,9 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const
 
         if (start <= end && ptr_end - ptr < end - start + 1 + 1)
             return NULL;
+        if (end < start || buf_size < 0)
+            return NULL;
+
         for(i=start; i<=end; i++){
             frequency[i]= *ptr++;
         }
@@ -665,8 +682,8 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){
             color[0]= bytestream2_get_le16u(&g3);
             color[1]= bytestream2_get_le16u(&g3);
 
-            if(color[0]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 1\n");
-            if(color[1]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 2\n");
+            if(color[0]&0x8000) av_log(f->avctx, AV_LOG_ERROR, "unk bit 1\n");
+            if(color[1]&0x8000) av_log(f->avctx, AV_LOG_ERROR, "unk bit 2\n");
 
             color[2]= mix(color[0], color[1]);
             color[3]= mix(color[1], color[0]);
@@ -694,7 +711,10 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
     unsigned int prestream_size;
     const uint8_t *prestream;
 
-    if (bitstream_size > (1<<26) || length < bitstream_size + 12) {
+    if (bitstream_size > (1 << 26))
+        return AVERROR_INVALIDDATA;
+
+    if (length < bitstream_size + 12) {
         av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
         return AVERROR_INVALIDDATA;
     }
@@ -702,15 +722,19 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
     prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
     prestream      = buf + bitstream_size + 12;
 
-    if (prestream_size > (1<<26) ||
-        prestream_size != length - (bitstream_size + 12)){
+    if(prestream_size + bitstream_size + 12 != length
+       || prestream_size > (1<<26)){
         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length);
         return -1;
     }
 
-    prestream= read_huffman_tables(f, prestream, buf + length - prestream);
-    if (!prestream)
-        return -1;
+    prestream = read_huffman_tables(f, prestream, prestream_size);
+    if (!prestream) {
+        av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    av_assert0(prestream <= buf + length);
 
     init_get_bits(&f->gb, buf + 4, 8*bitstream_size);
 
@@ -751,25 +775,35 @@ static int decode_frame(AVCodecContext *avctx,
     AVFrame *p, temp;
     int i, frame_4cc, frame_size;
 
-    if (buf_size < 12)
+    if (buf_size < 20)
+        return AVERROR_INVALIDDATA;
+
+    if (avctx->width % 16 || avctx->height % 16) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Dimensions non-multiple of 16 are invalid.\n");
         return AVERROR_INVALIDDATA;
-    frame_4cc= AV_RL32(buf);
-    if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){
-        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
     }
 
+    if (buf_size < AV_RL32(buf + 4) + 8) {
+        av_log(f->avctx, AV_LOG_ERROR,
+               "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4));
+    }
+
+    frame_4cc = AV_RL32(buf);
+
     if(frame_4cc == AV_RL32("cfrm")){
         int free_index=-1;
-        const int data_size= buf_size - 20;
-        const int id= AV_RL32(buf+12);
-        const int whole_size= AV_RL32(buf+16);
+        int id, whole_size;
+        const int data_size = buf_size - 20;
         CFrameBuffer *cfrm;
 
+        id         = AV_RL32(buf + 12);
+        whole_size = AV_RL32(buf + 16);
+
         if (data_size < 0 || whole_size < 0){
             av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
             return AVERROR_INVALIDDATA;
         }
-
         for(i=0; i<CFRAME_BUFFER_COUNT; i++){
             if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
                 av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);
@@ -805,6 +839,9 @@ static int decode_frame(AVCodecContext *avctx,
                 av_log(f->avctx, AV_LOG_ERROR, "cframe id mismatch %d %d\n", id, avctx->frame_number);
             }
 
+            if (f->version <= 1)
+                return AVERROR_INVALIDDATA;
+
             cfrm->size= cfrm->id= 0;
             frame_4cc= AV_RL32("pfrm");
         }else
@@ -848,6 +885,7 @@ static int decode_frame(AVCodecContext *avctx,
                 av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
                 return -1;
             }
+            memset(f->last_picture.data[0], 0, avctx->height * FFABS(f->last_picture.linesize[0]));
         }
 
         p->pict_type= AV_PICTURE_TYPE_P;
@@ -915,7 +953,7 @@ static av_cold int decode_end(AVCodecContext *avctx){
         av_freep(&f->cfrm[i].data);
         f->cfrm[i].allocated_size= 0;
     }
-    free_vlc(&f->pre_vlc);
+    ff_free_vlc(&f->pre_vlc);
     if(f->current_picture.data[0])
         avctx->release_buffer(avctx, &f->current_picture);
     if(f->last_picture.data[0])

libavcodec/8bps.c

@@ -69,7 +69,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
         unsigned char *pixptr, *pixptr_end;
         unsigned int height = avctx->height; // Real image height
         unsigned int dlen, p, row;
-        const unsigned char *lp, *dp;
+        const unsigned char *lp, *dp, *ep;
         unsigned char count;
         unsigned int planes = c->planes;
         unsigned char *planemap = c->planemap;
@@ -84,6 +84,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                 return -1;
         }
 
+        ep = encoded + buf_size;
+
         /* Set data pointer after line lengths */
         dp = encoded + planes * (height << 1);
 
@@ -95,16 +97,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                 for(row = 0; row < height; row++) {
                         pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
                         pixptr_end = pixptr + c->pic.linesize[0];
+                        if (ep - lp < row * 2 + 2)
+                            return AVERROR_INVALIDDATA;
                         dlen = av_be2ne16(*(const unsigned short *)(lp+row*2));
                         /* Decode a row of this plane */
                         while(dlen > 0) {
-                                if(dp + 1 >= buf+buf_size) return -1;
+                                if(ep - dp <= 1) return -1;
                                 if ((count = *dp++) <= 127) {
                                         count++;
                                         dlen -= count + 1;
                                         if (pixptr + count * planes > pixptr_end)
                                             break;
-                                        if(dp + count > buf+buf_size) return -1;
+                                        if(ep - dp < count) return -1;
                                         while(count--) {
                                                 *pixptr = *dp++;
                                                 pixptr += planes;

libavcodec/8svx.c

@@ -38,6 +38,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 
 /** decoder context */
 typedef struct EightSvxContext {
@@ -47,7 +48,7 @@ typedef struct EightSvxContext {
     /* buffer used to store the whole audio decoded/interleaved chunk,
      * which is sent with the first packet */
     uint8_t *samples;
-    size_t samples_size;
+    int64_t samples_size;
     int samples_idx;
 } EightSvxContext;
 
@@ -151,7 +152,7 @@ static int eightsvx_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     esc->frame.nb_samples = (FFMIN(MAX_FRAME_SIZE, esc->samples_size - esc->samples_idx) +avctx->channels-1)  / avctx->channels;
-    if ((ret = avctx->get_buffer(avctx, &esc->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &esc->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/Makefile

@@ -578,7 +578,8 @@ OBJS-$(CONFIG_ADPCM_YAMAHA_ENCODER)       += adpcmenc.o adpcm_data.o
 # libavformat dependencies
 OBJS-$(CONFIG_ADTS_MUXER)              += mpeg4audio.o
 OBJS-$(CONFIG_ADX_DEMUXER)             += adx.o
-OBJS-$(CONFIG_CAF_DEMUXER)             += mpeg4audio.o mpegaudiodata.o
+OBJS-$(CONFIG_CAF_DEMUXER)             += mpeg4audio.o mpegaudiodata.o  \
+                                          ac3tab.o
 OBJS-$(CONFIG_DV_DEMUXER)              += dvdata.o
 OBJS-$(CONFIG_DV_MUXER)                += dvdata.o timecode.o
 OBJS-$(CONFIG_FLAC_DEMUXER)            += flacdec.o flacdata.o flac.o vorbis_data.o
@@ -594,7 +595,7 @@ OBJS-$(CONFIG_MATROSKA_MUXER)          += xiph.o mpeg4audio.o \
                                           flacdec.o flacdata.o flac.o \
                                           mpegaudiodata.o vorbis_data.o
 OBJS-$(CONFIG_MP3_MUXER)               += mpegaudiodata.o mpegaudiodecheader.o
-OBJS-$(CONFIG_MOV_DEMUXER)             += mpeg4audio.o mpegaudiodata.o timecode.o
+OBJS-$(CONFIG_MOV_DEMUXER)             += mpeg4audio.o mpegaudiodata.o ac3tab.o timecode.o
 OBJS-$(CONFIG_MOV_MUXER)               += mpeg4audio.o mpegaudiodata.o
 OBJS-$(CONFIG_MPEGTS_MUXER)            += mpegvideo.o mpeg4audio.o
 OBJS-$(CONFIG_MPEGTS_DEMUXER)          += mpeg4audio.o mpegaudiodata.o

libavcodec/a64multienc.c

@@ -55,9 +55,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest)
             for (y = blocky; y < blocky + 8 && y < C64YRES; y++) {
                 for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) {
                     if(x < width && y < height) {
-                        /* build average over 2 pixels */
-                        luma = (src[(x + 0 + y * p->linesize[0])] +
-                                src[(x + 1 + y * p->linesize[0])]) / 2;
+                        if (x + 1 < width) {
+                            /* build average over 2 pixels */
+                            luma = (src[(x + 0 + y * p->linesize[0])] +
+                                    src[(x + 1 + y * p->linesize[0])]) / 2;
+                        } else {
+                            luma = src[(x + y * p->linesize[0])];
+                        }
                         /* write blocks as linear data now so they are suitable for elbg */
                         dest[0] = luma;
                     }

libavcodec/aac_ac3_parser.h

@@ -28,13 +28,13 @@
 #include "parser.h"
 
 typedef enum {
-    AAC_AC3_PARSE_ERROR_SYNC        = -1,
-    AAC_AC3_PARSE_ERROR_BSID        = -2,
-    AAC_AC3_PARSE_ERROR_SAMPLE_RATE = -3,
-    AAC_AC3_PARSE_ERROR_FRAME_SIZE  = -4,
-    AAC_AC3_PARSE_ERROR_FRAME_TYPE  = -5,
-    AAC_AC3_PARSE_ERROR_CRC         = -6,
-    AAC_AC3_PARSE_ERROR_CHANNEL_CFG = -7,
+    AAC_AC3_PARSE_ERROR_SYNC        = -0x1030c0a,
+    AAC_AC3_PARSE_ERROR_BSID        = -0x2030c0a,
+    AAC_AC3_PARSE_ERROR_SAMPLE_RATE = -0x3030c0a,
+    AAC_AC3_PARSE_ERROR_FRAME_SIZE  = -0x4030c0a,
+    AAC_AC3_PARSE_ERROR_FRAME_TYPE  = -0x5030c0a,
+    AAC_AC3_PARSE_ERROR_CRC         = -0x6030c0a,
+    AAC_AC3_PARSE_ERROR_CHANNEL_CFG = -0x7030c0a,
 } AACAC3ParseError;
 
 typedef struct AACAC3ParseContext {

libavcodec/aac_parser.c

@@ -34,7 +34,7 @@ static int aac_sync(uint64_t state, AACAC3ParseContext *hdr_info,
     int size;
     union {
         uint64_t u64;
-        uint8_t  u8[8];
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
     } tmp;
 
     tmp.u64 = av_be2ne64(state);

libavcodec/aaccoder.c

@@ -713,7 +713,7 @@ static void search_for_quantizers_twoloop(AVCodecContext *avctx,
                                           const float lambda)
 {
     int start = 0, i, w, w2, g;
-    int destbits = avctx->bit_rate * 1024.0 / avctx->sample_rate / avctx->channels;
+    int destbits = avctx->bit_rate * 1024.0 / avctx->sample_rate / avctx->channels * (lambda / 120.f);
     float dists[128], uplims[128];
     float maxvals[128];
     int fflag, minscaler;

libavcodec/aacdec.c

@@ -192,6 +192,8 @@ static av_cold int che_configure(AACContext *ac,
                                  enum ChannelPosition che_pos[4][MAX_ELEM_ID],
                                  int type, int id, int *channels)
 {
+    if (*channels >= MAX_CHANNELS)
+        return AVERROR_INVALIDDATA;
     if (che_pos[type][id]) {
         if (!ac->che[type][id]) {
             if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))
@@ -360,7 +362,7 @@ static int decode_pce(AVCodecContext *avctx, MPEG4AudioConfig *m4ac,
     comment_len = get_bits(gb, 8) * 8;
     if (get_bits_left(gb) < comment_len) {
         av_log(avctx, AV_LOG_ERROR, overread_err);
-        return -1;
+        return AVERROR_INVALIDDATA;
     }
     skip_bits_long(gb, comment_len);
     return 0;
@@ -381,7 +383,7 @@ static av_cold int set_default_channel_config(AVCodecContext *avctx,
     if (channel_config < 1 || channel_config > 7) {
         av_log(avctx, AV_LOG_ERROR, "invalid default channel configuration (%d)\n",
                channel_config);
-        return -1;
+        return AVERROR_INVALIDDATA;
     }
 
     /* default channel configurations:
@@ -499,20 +501,21 @@ static int decode_audio_specific_config(AACContext *ac,
                                         int sync_extension)
 {
     GetBitContext gb;
-    int i;
+    int i, ret;
 
     av_dlog(avctx, "extradata size %d\n", avctx->extradata_size);
     for (i = 0; i < avctx->extradata_size; i++)
          av_dlog(avctx, "%02x ", avctx->extradata[i]);
     av_dlog(avctx, "\n");
 
-    init_get_bits(&gb, data, bit_size);
+    if ((ret = init_get_bits(&gb, data, bit_size)) < 0)
+        return ret;
 
     if ((i = avpriv_mpeg4audio_get_config(m4ac, data, bit_size, sync_extension)) < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;
     if (m4ac->sampling_index > 12) {
         av_log(avctx, AV_LOG_ERROR, "invalid sampling rate index %d\n", m4ac->sampling_index);
-        return -1;
+        return AVERROR_INVALIDDATA;
     }
 
     skip_bits_long(&gb, i);
@@ -521,13 +524,14 @@ static int decode_audio_specific_config(AACContext *ac,
     case AOT_AAC_MAIN:
     case AOT_AAC_LC:
     case AOT_AAC_LTP:
-        if (decode_ga_specific_config(ac, avctx, &gb, m4ac, m4ac->chan_config))
-            return -1;
+        if ((ret = decode_ga_specific_config(ac, avctx, &gb,
+                                             m4ac, m4ac->chan_config)) < 0)
+            return ret;
         break;
     default:
         av_log(avctx, AV_LOG_ERROR, "Audio object type %s%d is not supported.\n",
                m4ac->sbr == 1? "SBR+" : "", m4ac->object_type);
-        return -1;
+        return AVERROR(ENOSYS);
     }
 
     av_dlog(avctx, "AOT %d chan config %d sampling index %d (%d) SBR %d PS %d\n",
@@ -598,16 +602,17 @@ static void reset_predictor_group(PredictorState *ps, int group_num)
 static av_cold int aac_decode_init(AVCodecContext *avctx)
 {
     AACContext *ac = avctx->priv_data;
+    int ret;
     float output_scale_factor;
 
     ac->avctx = avctx;
     ac->m4ac.sample_rate = avctx->sample_rate;
 
     if (avctx->extradata_size > 0) {
-        if (decode_audio_specific_config(ac, ac->avctx, &ac->m4ac,
+        if ((ret = decode_audio_specific_config(ac, ac->avctx, &ac->m4ac,
                                          avctx->extradata,
-                                         avctx->extradata_size*8, 1) < 0)
-            return -1;
+                                         avctx->extradata_size*8, 1)) < 0)
+            return ret;
     } else {
         int sr, i;
         enum ChannelPosition new_che_pos[4][MAX_ELEM_ID];
@@ -700,7 +705,7 @@ static int skip_data_stream_element(AACContext *ac, GetBitContext *gb)
 
     if (get_bits_left(gb) < 8 * count) {
         av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-        return -1;
+        return AVERROR_INVALIDDATA;
     }
     skip_bits_long(gb, 8 * count);
     return 0;
@@ -714,7 +719,7 @@ static int decode_prediction(AACContext *ac, IndividualChannelStream *ics,
         ics->predictor_reset_group = get_bits(gb, 5);
         if (ics->predictor_reset_group == 0 || ics->predictor_reset_group > 30) {
             av_log(ac->avctx, AV_LOG_ERROR, "Invalid Predictor Reset Group.\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
         }
     }
     for (sfb = 0; sfb < FFMIN(ics->max_sfb, ff_aac_pred_sfb_max[ac->m4ac.sampling_index]); sfb++) {
@@ -824,21 +829,22 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
             int sect_band_type = get_bits(gb, 4);
             if (sect_band_type == 12) {
                 av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
-            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1 && get_bits_left(gb) >= bits)
+            do {
+                sect_len_incr = get_bits(gb, bits);
                 sect_end += sect_len_incr;
-            sect_end += sect_len_incr;
-            if (get_bits_left(gb) < 0 || sect_len_incr == (1 << bits) - 1) {
-                av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-                return -1;
-            }
-            if (sect_end > ics->max_sfb) {
-                av_log(ac->avctx, AV_LOG_ERROR,
-                       "Number of bands (%d) exceeds limit (%d).\n",
-                       sect_end, ics->max_sfb);
-                return -1;
-            }
+                if (get_bits_left(gb) < 0) {
+                    av_log(ac->avctx, AV_LOG_ERROR, overread_err);
+                    return AVERROR_INVALIDDATA;
+                }
+                if (sect_end > ics->max_sfb) {
+                    av_log(ac->avctx, AV_LOG_ERROR,
+                           "Number of bands (%d) exceeds limit (%d).\n",
+                           sect_end, ics->max_sfb);
+                    return AVERROR_INVALIDDATA;
+                }
+            } while (sect_len_incr == (1 << bits) - 1);
             for (; k < sect_end; k++) {
                 band_type        [idx]   = sect_band_type;
                 band_type_run_end[idx++] = sect_end;
@@ -908,7 +914,7 @@ static int decode_scalefactors(AACContext *ac, float sf[120], GetBitContext *gb,
                     if (offset[0] > 255U) {
                         av_log(ac->avctx, AV_LOG_ERROR,
                                "%s (%d) out of range.\n", sf_str[0], offset[0]);
-                        return -1;
+                        return AVERROR_INVALIDDATA;
                     }
                     sf[idx] = -ff_aac_pow2sf_tab[offset[0] - 100 + POW_SF2_ZERO];
                 }
@@ -966,7 +972,7 @@ static int decode_tns(AACContext *ac, TemporalNoiseShaping *tns,
                     av_log(ac->avctx, AV_LOG_ERROR, "TNS filter order %d is greater than maximum %d.\n",
                            tns->order[w][filt], tns_max_order);
                     tns->order[w][filt] = 0;
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                 }
                 if (tns->order[w][filt]) {
                     tns->direction[w][filt] = get_bits1(gb);
@@ -1249,7 +1255,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024],
 
                                     if (b > 8) {
                                         av_log(ac->avctx, AV_LOG_ERROR, "error in spectral data, ESC overflow\n");
-                                        return -1;
+                                        return AVERROR_INVALIDDATA;
                                     }
 
                                     SKIP_BITS(re, gb, b + 1);
@@ -1392,6 +1398,7 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
     IndividualChannelStream *ics = &sce->ics;
     float *out = sce->coeffs;
     int global_gain, pulse_present = 0;
+    int ret;
 
     /* This assignment is to silence a GCC warning about the variable being used
      * uninitialized when in fact it always is.
@@ -1405,25 +1412,27 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
             return AVERROR_INVALIDDATA;
     }
 
-    if (decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics) < 0)
-        return -1;
-    if (decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end) < 0)
-        return -1;
+    if ((ret = decode_band_types(ac, sce->band_type,
+                                 sce->band_type_run_end, gb, ics)) < 0)
+        return ret;
+    if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics,
+                                   sce->band_type, sce->band_type_run_end)) < 0)
+        return ret;
 
     pulse_present = 0;
     if (!scale_flag) {
         if ((pulse_present = get_bits1(gb))) {
             if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) {
                 av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
             if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) {
                 av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
         }
         if ((tns->present = get_bits1(gb)) && decode_tns(ac, tns, gb, ics))
-            return -1;
+            return AVERROR_INVALIDDATA;
         if (get_bits1(gb)) {
             av_log_missing_feature(ac->avctx, "SSR", 1);
             return -1;
@@ -1431,7 +1440,7 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
     }
 
     if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, &pulse, ics, sce->band_type) < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;
 
     if (ac->m4ac.object_type == AOT_AAC_MAIN && !common_window)
         apply_prediction(ac, sce);
@@ -1529,7 +1538,7 @@ static int decode_cpe(AACContext *ac, GetBitContext *gb, ChannelElement *cpe)
         ms_present = get_bits(gb, 2);
         if (ms_present == 3) {
             av_log(ac->avctx, AV_LOG_ERROR, "ms_present = 3 is reserved.\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
         } else if (ms_present)
             decode_mid_side_stereo(cpe, gb, ms_present);
     }
@@ -1765,7 +1774,7 @@ static void apply_tns(float coef[1024], TemporalNoiseShaping *tns,
     int w, filt, m, i;
     int bottom, top, order, start, end, size, inc;
     float lpc[TNS_MAX_ORDER];
-    float tmp[TNS_MAX_ORDER];
+    float tmp[TNS_MAX_ORDER + 1];
 
     for (w = 0; w < ics->num_windows; w++) {
         bottom = ics->num_swb;
@@ -2267,7 +2276,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
     if (samples) {
         /* get output buffer */
         ac->frame.nb_samples = samples;
-        if ((err = avctx->get_buffer(avctx, &ac->frame)) < 0) {
+        if ((err = ff_get_buffer(avctx, &ac->frame)) < 0) {
             av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
             return err;
         }
@@ -2320,7 +2329,8 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data,
             return AVERROR_INVALIDDATA;
     }
 
-    init_get_bits(&gb, buf, buf_size * 8);
+    if ((err = init_get_bits(&gb, buf, buf_size * 8)) < 0)
+        return err;
 
     if ((err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb)) < 0)
         return err;
@@ -2565,7 +2575,8 @@ static int latm_decode_frame(AVCodecContext *avctx, void *out,
     int                 muxlength, err;
     GetBitContext       gb;
 
-    init_get_bits(&gb, avpkt->data, avpkt->size * 8);
+    if ((err = init_get_bits(&gb, avpkt->data, avpkt->size * 8)) < 0)
+        return err;
 
     // check for LOAS sync word
     if (get_bits(&gb, 11) != LOAS_SYNC_WORD)

libavcodec/aacenc.c

@@ -164,7 +164,7 @@ static void put_audio_specific_config(AVCodecContext *avctx)
     PutBitContext pb;
     AACEncContext *s = avctx->priv_data;
 
-    init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8);
+    init_put_bits(&pb, avctx->extradata, avctx->extradata_size);
     put_bits(&pb, 5, 2); //object type - AAC-LC
     put_bits(&pb, 4, s->samplerate_index); //sample rate index
     put_bits(&pb, 4, s->channels);
@@ -200,8 +200,8 @@ WINDOW_FUNC(long_start)
     float *out = sce->ret;
 
     dsp->vector_fmul(out, audio, lwindow, 1024);
-    memcpy(out + 1024, audio, sizeof(out[0]) * 448);
-    dsp->vector_fmul_reverse(out + 1024 + 448, audio, swindow, 128);
+    memcpy(out + 1024, audio + 1024, sizeof(out[0]) * 448);
+    dsp->vector_fmul_reverse(out + 1024 + 448, audio + 1024 + 448, swindow, 128);
     memset(out + 1024 + 576, 0, sizeof(out[0]) * 448);
 }
 
@@ -487,10 +487,10 @@ static void deinterleave_input_samples(AACEncContext *s,
         const float *sptr = samples + channel_map[ch];
 
         /* copy last 1024 samples of previous frame to the start of the current frame */
-        memcpy(&s->planar_samples[ch][0], &s->planar_samples[ch][1024], 1024 * sizeof(s->planar_samples[0][0]));
+        memcpy(&s->planar_samples[ch][1024], &s->planar_samples[ch][2048], 1024 * sizeof(s->planar_samples[0][0]));
 
         /* deinterleave */
-        for (i = 1024; i < 1024 * 2; i++) {
+        for (i = 2048; i < 3072; i++) {
             s->planar_samples[ch][i] = *sptr;
             sptr += sinc;
         }

libavcodec/aacps.c

@@ -275,6 +275,10 @@ int ff_ps_read_data(AVCodecContext *avctx, GetBitContext *gb_host, PSContext *ps
 err:
     ps->start = 0;
     skip_bits_long(gb_host, bits_left);
+    memset(ps->iid_par, 0, sizeof(ps->iid_par));
+    memset(ps->icc_par, 0, sizeof(ps->icc_par));
+    memset(ps->ipd_par, 0, sizeof(ps->ipd_par));
+    memset(ps->opd_par, 0, sizeof(ps->opd_par));
     return bits_left;
 }
 

libavcodec/aacsbr.c

@@ -542,7 +542,7 @@ static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr)
             k = sbr->n_master;
     } while (sb != sbr->kx[1] + sbr->m[1]);
 
-    if (sbr->patch_num_subbands[sbr->num_patches-1] < 3 && sbr->num_patches > 1)
+    if (sbr->num_patches > 1 && sbr->patch_num_subbands[sbr->num_patches-1] < 3)
         sbr->num_patches--;
 
     return 0;

libavcodec/aasc.c

@@ -34,17 +34,10 @@
 
 typedef struct AascContext {
     AVCodecContext *avctx;
+    GetByteContext gb;
     AVFrame frame;
 } AascContext;
 
-#define FETCH_NEXT_STREAM_BYTE() \
-    if (stream_ptr >= buf_size) \
-    { \
-      av_log(s->avctx, AV_LOG_ERROR, " AASC: stream ptr just went out of bounds (fetch)\n"); \
-      break; \
-    } \
-    stream_byte = buf[stream_ptr++];
-
 static av_cold int aasc_decode_init(AVCodecContext *avctx)
 {
     AascContext *s = avctx->priv_data;
@@ -89,7 +82,8 @@ static int aasc_decode_frame(AVCodecContext *avctx,
         }
         break;
     case 1:
-        ff_msrle_decode(avctx, (AVPicture*)&s->frame, 8, buf - 4, buf_size + 4);
+        bytestream2_init(&s->gb, buf - 4, buf_size + 4);
+        ff_msrle_decode(avctx, (AVPicture*)&s->frame, 8, &s->gb);
         break;
     default:
         av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr);

libavcodec/ac3_parser.c

@@ -134,7 +134,7 @@ int avpriv_ac3_parse_header(GetBitContext *gbc, AC3HeaderInfo *hdr)
                         (hdr->num_blocks * 256.0));
         hdr->channels = ff_ac3_channels_tab[hdr->channel_mode] + hdr->lfe_on;
     }
-    hdr->channel_layout = ff_ac3_channel_layout_tab[hdr->channel_mode];
+    hdr->channel_layout = avpriv_ac3_channel_layout_tab[hdr->channel_mode];
     if (hdr->lfe_on)
         hdr->channel_layout |= AV_CH_LOW_FREQUENCY;
 
@@ -147,7 +147,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info,
     int err;
     union {
         uint64_t u64;
-        uint8_t  u8[8];
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
     } tmp = { av_be2ne64(state) };
     AC3HeaderInfo hdr;
     GetBitContext gbc;

libavcodec/ac3dec.c

@@ -297,7 +297,7 @@ static int parse_frame_header(AC3DecodeContext *s)
         return ff_eac3_parse_header(s);
     } else {
         av_log(s->avctx, AV_LOG_ERROR, "E-AC-3 support not compiled in\n");
-        return -1;
+        return AVERROR(ENOSYS);
     }
 }
 
@@ -822,12 +822,12 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
             if (start_subband >= end_subband) {
                 av_log(s->avctx, AV_LOG_ERROR, "invalid spectral extension "
                        "range (%d >= %d)\n", start_subband, end_subband);
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
             if (dst_start_freq >= src_start_freq) {
                 av_log(s->avctx, AV_LOG_ERROR, "invalid spectral extension "
                        "copy start bin (%d >= %d)\n", dst_start_freq, src_start_freq);
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
 
             s->spx_dst_start_freq = dst_start_freq;
@@ -904,7 +904,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
 
             if (channel_mode < AC3_CHMODE_STEREO) {
                 av_log(s->avctx, AV_LOG_ERROR, "coupling not allowed in mono or dual-mono\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
 
             /* check for enhanced coupling */
@@ -934,7 +934,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
             if (cpl_start_subband >= cpl_end_subband) {
                 av_log(s->avctx, AV_LOG_ERROR, "invalid coupling range (%d >= %d)\n",
                        cpl_start_subband, cpl_end_subband);
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
             s->start_freq[CPL_CH] = cpl_start_subband * 12 + 37;
             s->end_freq[CPL_CH]   = cpl_end_subband   * 12 + 37;
@@ -956,7 +956,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
         if (!blk) {
             av_log(s->avctx, AV_LOG_ERROR, "new coupling strategy must "
                    "be present in block 0\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
         } else {
             s->cpl_in_use[blk] = s->cpl_in_use[blk-1];
         }
@@ -986,7 +986,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
                 } else if (!blk) {
                     av_log(s->avctx, AV_LOG_ERROR, "new coupling coordinates must "
                            "be present in block 0\n");
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                 }
             } else {
                 /* channel not in coupling */
@@ -1041,7 +1041,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
                 int bandwidth_code = get_bits(gbc, 6);
                 if (bandwidth_code > 60) {
                     av_log(s->avctx, AV_LOG_ERROR, "bandwidth code = %d > 60\n", bandwidth_code);
-                    return -1;
+                    return AVERROR_INVALIDDATA;
                 }
                 s->end_freq[ch] = bandwidth_code * 3 + 73;
             }
@@ -1064,7 +1064,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
                                  s->num_exp_groups[ch], s->dexps[ch][0],
                                  &s->dexps[ch][s->start_freq[ch]+!!ch])) {
                 av_log(s->avctx, AV_LOG_ERROR, "exponent out-of-range\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
             if (ch != CPL_CH && ch != s->lfe_ch)
                 skip_bits(gbc, 2); /* skip gainrng */
@@ -1084,7 +1084,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
         } else if (!blk) {
             av_log(s->avctx, AV_LOG_ERROR, "new bit allocation info must "
                    "be present in block 0\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
         }
     }
 
@@ -1115,7 +1115,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
             }
         } else if (!s->eac3 && !blk) {
             av_log(s->avctx, AV_LOG_ERROR, "new snr offsets must be present in block 0\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
         }
     }
 
@@ -1154,7 +1154,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
         } else if (!s->eac3 && !blk) {
             av_log(s->avctx, AV_LOG_ERROR, "new coupling leak info must "
                    "be present in block 0\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
         }
         s->first_cpl_leak = 0;
     }
@@ -1166,7 +1166,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
             s->dba_mode[ch] = get_bits(gbc, 2);
             if (s->dba_mode[ch] == DBA_RESERVED) {
                 av_log(s->avctx, AV_LOG_ERROR, "delta bit allocation strategy reserved\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
             bit_alloc_stages[ch] = FFMAX(bit_alloc_stages[ch], 2);
         }
@@ -1207,7 +1207,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
                                            s->dba_offsets[ch], s->dba_lengths[ch],
                                            s->dba_values[ch],  s->mask[ch])) {
                 av_log(s->avctx, AV_LOG_ERROR, "error in bit allocation\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
         }
         if (bit_alloc_stages[ch] > 0) {
@@ -1328,7 +1328,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
         switch (err) {
         case AAC_AC3_PARSE_ERROR_SYNC:
             av_log(avctx, AV_LOG_ERROR, "frame sync error\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
         case AAC_AC3_PARSE_ERROR_BSID:
             av_log(avctx, AV_LOG_ERROR, "invalid bitstream id\n");
             break;
@@ -1342,17 +1342,20 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
             /* skip frame if CRC is ok. otherwise use error concealment. */
             /* TODO: add support for substreams and dependent frames */
             if (s->frame_type == EAC3_FRAME_TYPE_DEPENDENT || s->substreamid) {
-                av_log(avctx, AV_LOG_ERROR, "unsupported frame type : "
+                av_log(avctx, AV_LOG_WARNING, "unsupported frame type : "
                        "skipping frame\n");
                 *got_frame_ptr = 0;
-                return s->frame_size;
+                return buf_size;
             } else {
                 av_log(avctx, AV_LOG_ERROR, "invalid frame type\n");
             }
             break;
-        default:
-            av_log(avctx, AV_LOG_ERROR, "invalid header\n");
+        case AAC_AC3_PARSE_ERROR_CRC:
+        case AAC_AC3_PARSE_ERROR_CHANNEL_CFG:
             break;
+        default: // Normal AVERROR do not try to recover.
+            *got_frame_ptr = 0;
+            return err;
         }
     } else {
         /* check that reported frame size fits in input buffer */
@@ -1373,8 +1376,10 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
     if (!err) {
         avctx->sample_rate = s->sample_rate;
         avctx->bit_rate    = s->bit_rate;
+    }
 
-        /* channel config */
+    /* channel config */
+    if (!err || (s->channels && s->out_channels != s->channels)) {
         s->out_channels = s->channels;
         s->output_mode  = s->channel_mode;
         if (s->lfe_on)
@@ -1383,7 +1388,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
                 avctx->request_channels < s->channels) {
             s->out_channels = avctx->request_channels;
             s->output_mode  = avctx->request_channels == 1 ? AC3_CHMODE_MONO : AC3_CHMODE_STEREO;
-            s->channel_layout = ff_ac3_channel_layout_tab[s->output_mode];
+            s->channel_layout = avpriv_ac3_channel_layout_tab[s->output_mode];
         }
         avctx->channels       = s->out_channels;
         avctx->channel_layout = s->channel_layout;
@@ -1397,11 +1402,12 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
                 s->fbw_channels == s->out_channels)) {
             set_downmix_coeffs(s);
         }
-    } else if (!s->out_channels) {
-        s->out_channels = avctx->channels;
-        if (s->out_channels < s->channels)
-            s->output_mode  = s->out_channels == 1 ? AC3_CHMODE_MONO : AC3_CHMODE_STEREO;
+    } else if (!s->channels) {
+        av_log(avctx, AV_LOG_ERROR, "unable to determine channel mode\n");
+        return AVERROR_INVALIDDATA;
     }
+    avctx->channels = s->out_channels;
+
     /* set audio service type based on bitstream mode for AC-3 */
     avctx->audio_service_type = s->bitstream_mode;
     if (s->bitstream_mode == 0x7 && s->channels > 1)
@@ -1409,7 +1415,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = s->num_blocks * 256;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/ac3dsp.c

@@ -109,7 +109,7 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd,
                                      int snr_offset, int floor,
                                      const uint8_t *bap_tab, uint8_t *bap)
 {
-    int bin, band;
+    int bin, band, band_end;
 
     /* special case, if snr offset is -960, set all bap's to zero */
     if (snr_offset == -960) {
@@ -121,12 +121,14 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd,
     band = ff_ac3_bin_to_band_tab[start];
     do {
         int m = (FFMAX(mask[band] - snr_offset - floor, 0) & 0x1FE0) + floor;
-        int band_end = FFMIN(ff_ac3_band_start_tab[band+1], end);
+        band_end = ff_ac3_band_start_tab[++band];
+        band_end = FFMIN(band_end, end);
+
         for (; bin < band_end; bin++) {
             int address = av_clip((psd[bin] - m) >> 5, 0, 63);
             bap[bin] = bap_tab[address];
         }
-    } while (end > ff_ac3_band_start_tab[band++]);
+    } while (end > band_end);
 }
 
 static void ac3_update_bap_counts_c(uint16_t mant_cnt[16], uint8_t *bap,

libavcodec/ac3enc_template.c

@@ -261,7 +261,7 @@ static void apply_channel_coupling(AC3EncodeContext *s)
                 energy_cpl = energy[blk][CPL_CH][bnd];
                 energy_ch = energy[blk][ch][bnd];
                 blk1 = blk+1;
-                while (!s->blocks[blk1].new_cpl_coords[ch] && blk1 < s->num_blocks) {
+                while (blk1 < s->num_blocks && !s->blocks[blk1].new_cpl_coords[ch]) {
                     if (s->blocks[blk1].cpl_in_use) {
                         energy_cpl += energy[blk1][CPL_CH][bnd];
                         energy_ch += energy[blk1][ch][bnd];

libavcodec/ac3tab.c

@@ -84,7 +84,7 @@ const uint8_t ff_ac3_channels_tab[8] = {
 /**
  * Map audio coding mode (acmod) to channel layout mask.
  */
-const uint16_t ff_ac3_channel_layout_tab[8] = {
+const uint16_t avpriv_ac3_channel_layout_tab[8] = {
     AV_CH_LAYOUT_STEREO,
     AV_CH_LAYOUT_MONO,
     AV_CH_LAYOUT_STEREO,

libavcodec/ac3tab.h

@@ -33,7 +33,7 @@
 
 extern const uint16_t ff_ac3_frame_size_tab[38][3];
 extern const uint8_t  ff_ac3_channels_tab[8];
-extern const uint16_t ff_ac3_channel_layout_tab[8];
+extern const uint16_t avpriv_ac3_channel_layout_tab[8];
 extern const uint8_t  ff_ac3_enc_channel_map[8][2][6];
 extern const uint8_t  ff_ac3_dec_channel_map[8][2][6];
 extern const uint16_t ff_ac3_sample_rate_tab[3];

libavcodec/adpcm.c

@@ -18,6 +18,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "put_bits.h"
 #include "bytestream.h"
@@ -265,8 +266,9 @@ static inline short adpcm_yamaha_expand_nibble(ADPCMChannelStatus *c, unsigned c
     return c->predictor;
 }
 
-static void xa_decode(short *out, const unsigned char *in,
-    ADPCMChannelStatus *left, ADPCMChannelStatus *right, int inc)
+static int xa_decode(AVCodecContext *avctx,
+                     short *out, const unsigned char *in,
+                     ADPCMChannelStatus *left, ADPCMChannelStatus *right, int inc)
 {
     int i, j;
     int shift,filter,f0,f1;
@@ -277,6 +279,12 @@ static void xa_decode(short *out, const unsigned char *in,
 
         shift  = 12 - (in[4+i*2] & 15);
         filter = in[4+i*2] >> 4;
+        if (filter > 4) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "Invalid XA-ADPCM filter %d (max. allowed is 4)\n",
+                   filter);
+            return AVERROR_INVALIDDATA;
+        }
         f0 = xa_adpcm_table[filter][0];
         f1 = xa_adpcm_table[filter][1];
 
@@ -304,7 +312,12 @@ static void xa_decode(short *out, const unsigned char *in,
 
         shift  = 12 - (in[5+i*2] & 15);
         filter = in[5+i*2] >> 4;
-
+        if (filter > 4) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "Invalid XA-ADPCM filter %d (max. allowed is 4)\n",
+                   filter);
+            return AVERROR_INVALIDDATA;
+        }
         f0 = xa_adpcm_table[filter][0];
         f1 = xa_adpcm_table[filter][1];
 
@@ -328,6 +341,8 @@ static void xa_decode(short *out, const unsigned char *in,
             left->sample2 = s_2;
         }
     }
+
+    return 0;
 }
 
 /**
@@ -542,7 +557,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     c->frame.nb_samples = nb_samples;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
@@ -699,11 +714,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
         for (channel = 0; channel < avctx->channels; channel++) {
             cs = &c->status[channel];
             cs->predictor  = (int16_t)bytestream_get_le16(&src);
-            cs->step_index = *src++;
+            cs->step_index = av_clip(*src++, 0, 88);
             src++;
             *samples++ = cs->predictor;
         }
-        for (n = nb_samples >> (1 - st); n > 0; n--, src++) {
+        for (n = (nb_samples >> (1 - st)) - 1; n > 0; n--, src++) {
             uint8_t v = *src;
             *samples++ = adpcm_ima_expand_nibble(&c->status[0 ], v >> 4  , 3);
             *samples++ = adpcm_ima_expand_nibble(&c->status[st], v & 0x0F, 3);
@@ -722,8 +737,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
 
         c->status[0].predictor  = (int16_t)AV_RL16(src + 10);
         c->status[1].predictor  = (int16_t)AV_RL16(src + 12);
-        c->status[0].step_index = src[14];
-        c->status[1].step_index = src[15];
+        c->status[0].step_index = av_clip(src[14], 0, 88);
+        c->status[1].step_index = av_clip(src[15], 0, 88);
         /* sign extend the predictors */
         src += 16;
         diff_channel = c->status[1].predictor;
@@ -763,7 +778,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
         for (channel = 0; channel < avctx->channels; channel++) {
             cs = &c->status[channel];
             cs->predictor  = (int16_t)bytestream_get_le16(&src);
-            cs->step_index = *src++;
+            cs->step_index = av_clip(*src++, 0, 88);
             src++;
         }
 
@@ -815,8 +830,9 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
         break;
     case CODEC_ID_ADPCM_XA:
         while (buf_size >= 128) {
-            xa_decode(samples, src, &c->status[0], &c->status[1],
-                avctx->channels);
+            if ((ret = xa_decode(avctx, samples, src, &c->status[0],
+                                 &c->status[1], avctx->channels)) < 0)
+                return ret;
             src += 128;
             samples += 28 * 8;
             buf_size -= 128;
@@ -826,7 +842,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
         src += 4; // skip sample count (already read)
 
         for (i=0; i<=st; i++)
-            c->status[i].step_index = bytestream_get_le32(&src);
+            c->status[i].step_index = av_clip(bytestream_get_le32(&src), 0, 88);
         for (i=0; i<=st; i++)
             c->status[i].predictor  = bytestream_get_le32(&src);
 
@@ -1043,11 +1059,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
     case CODEC_ID_ADPCM_IMA_SMJPEG:
         if (avctx->codec->id == CODEC_ID_ADPCM_IMA_AMV) {
             c->status[0].predictor = sign_extend(bytestream_get_le16(&src), 16);
-            c->status[0].step_index = bytestream_get_le16(&src);
+            c->status[0].step_index = av_clip(bytestream_get_le16(&src), 0, 88);
             src += 4;
         } else {
             c->status[0].predictor = sign_extend(bytestream_get_be16(&src), 16);
-            c->status[0].step_index = bytestream_get_byte(&src);
+            c->status[0].step_index = av_clip(bytestream_get_byte(&src), 0, 88);
             src += 1;
         }
 

libavcodec/adpcmenc.c

@@ -551,10 +551,10 @@ static int adpcm_encode_frame(AVCodecContext *avctx,
     {
         int ch, i;
         PutBitContext pb;
-        init_put_bits(&pb, dst, buf_size * 8);
+        init_put_bits(&pb, dst, buf_size);
 
         for (ch = 0; ch < avctx->channels; ch++) {
-            put_bits(&pb, 9, (c->status[ch].prev_sample + 0x10000) >> 7);
+            put_bits(&pb, 9, (c->status[ch].prev_sample & 0xFFFF) >> 7);
             put_bits(&pb, 7,  c->status[ch].step_index);
             if (avctx->trellis > 0) {
                 uint8_t buf[64];
@@ -582,7 +582,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx,
     {
         int i;
         PutBitContext pb;
-        init_put_bits(&pb, dst, buf_size * 8);
+        init_put_bits(&pb, dst, buf_size);
 
         n = avctx->frame_size - 1;
 

libavcodec/adx.c

@@ -47,7 +47,7 @@ int avpriv_adx_decode_header(AVCodecContext *avctx, const uint8_t *buf,
     offset = AV_RB16(buf + 2) + 4;
 
     /* if copyright string is within the provided data, validate it */
-    if (bufsize >= offset && memcmp(buf + offset - 6, "(c)CRI", 6))
+    if (bufsize >= offset && offset >= 6 && memcmp(buf + offset - 6, "(c)CRI", 6))
         return AVERROR_INVALIDDATA;
 
     /* check for encoding=3 block_size=18, sample_size=4 */

libavcodec/adxdec.c

@@ -21,6 +21,7 @@
 
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "adx.h"
 #include "get_bits.h"
 
@@ -140,7 +141,7 @@ static int adx_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     c->frame.nb_samples = num_blocks * BLOCK_SAMPLES;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/alac.c

@@ -47,6 +47,7 @@
 
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "bytestream.h"
 #include "unary.h"
@@ -417,7 +418,7 @@ static int alac_decode_frame(AVCodecContext *avctx, void *data,
         return AVERROR_INVALIDDATA;
     }
     alac->frame.nb_samples = outputsamples;
-    if ((ret = avctx->get_buffer(avctx, &alac->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &alac->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
@@ -615,6 +616,12 @@ static int alac_set_info(ALACContext *alac)
 
     /* buffer size / 2 ? */
     alac->setinfo_max_samples_per_frame = bytestream_get_be32(&ptr);
+    if (!alac->setinfo_max_samples_per_frame ||
+        alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)) {
+        av_log(alac->avctx, AV_LOG_ERROR, "max samples per frame invalid: %u\n",
+               alac->setinfo_max_samples_per_frame);
+        return AVERROR_INVALIDDATA;
+    }
     ptr++;                          /* compatible version */
     alac->setinfo_sample_size           = *ptr++;
     alac->setinfo_rice_historymult      = *ptr++;
@@ -636,10 +643,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
     alac->avctx = avctx;
 
     /* initialize from the extradata */
-    if (alac->avctx->extradata_size != ALAC_EXTRADATA_SIZE) {
-        av_log(avctx, AV_LOG_ERROR, "alac: expected %d extradata bytes\n",
-            ALAC_EXTRADATA_SIZE);
-        return -1;
+    if (alac->avctx->extradata_size < ALAC_EXTRADATA_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "alac: extradata is too small\n");
+        return AVERROR_INVALIDDATA;
     }
     if (alac_set_info(alac)) {
         av_log(avctx, AV_LOG_ERROR, "alac: set_info failed\n");

libavcodec/alacenc.c

@@ -259,7 +259,7 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch)
         // generate warm-up samples
         residual[0] = samples[0];
         for (i = 1; i <= lpc.lpc_order; i++)
-            residual[i] = samples[i] - samples[i-1];
+            residual[i] = sign_extend(samples[i] - samples[i-1], s->write_sample_size);
 
         // perform lpc on remaining samples
         for (i = lpc.lpc_order + 1; i < s->avctx->frame_size; i++) {

libavcodec/alsdec.c

@@ -30,6 +30,7 @@
 
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "unary.h"
 #include "mpeg4audio.h"
@@ -283,7 +284,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
     GetBitContext gb;
     uint64_t ht_size;
     int i, config_offset;
-    MPEG4AudioConfig m4ac;
+    MPEG4AudioConfig m4ac = {0};
     ALSSpecificConfig *sconf = &ctx->sconf;
     AVCodecContext *avctx    = ctx->avctx;
     uint32_t als_id, header_size, trailer_size;
@@ -294,12 +295,12 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
                                                  avctx->extradata_size * 8, 1);
 
     if (config_offset < 0)
-        return -1;
+        return AVERROR_INVALIDDATA;
 
     skip_bits_long(&gb, config_offset);
 
     if (get_bits_left(&gb) < (30 << 3))
-        return -1;
+        return AVERROR_INVALIDDATA;
 
     // read the fixed items
     als_id                      = get_bits_long(&gb, 32);
@@ -334,7 +335,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
 
     // check for ALSSpecificConfig struct
     if (als_id != MKBETAG('A','L','S','\0'))
-        return -1;
+        return AVERROR_INVALIDDATA;
 
     ctx->cur_frame_length = sconf->frame_length;
 
@@ -349,7 +350,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
         int chan_pos_bits = av_ceil_log2(avctx->channels);
         int bits_needed  = avctx->channels * chan_pos_bits + 7;
         if (get_bits_left(&gb) < bits_needed)
-            return -1;
+            return AVERROR_INVALIDDATA;
 
         if (!(sconf->chan_pos = av_malloc(avctx->channels * sizeof(*sconf->chan_pos))))
             return AVERROR(ENOMEM);
@@ -367,7 +368,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
     // read fixed header and trailer sizes,
     // if size = 0xFFFFFFFF then there is no data field!
     if (get_bits_left(&gb) < 64)
-        return -1;
+        return AVERROR_INVALIDDATA;
 
     header_size  = get_bits_long(&gb, 32);
     trailer_size = get_bits_long(&gb, 32);
@@ -381,10 +382,10 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
 
     // skip the header and trailer data
     if (get_bits_left(&gb) < ht_size)
-        return -1;
+        return AVERROR_INVALIDDATA;
 
     if (ht_size > INT32_MAX)
-        return -1;
+        return AVERROR_PATCHWELCOME;
 
     skip_bits_long(&gb, ht_size);
 
@@ -392,7 +393,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
     // initialize CRC calculation
     if (sconf->crc_enabled) {
         if (get_bits_left(&gb) < 32)
-            return -1;
+            return AVERROR_INVALIDDATA;
 
         if (avctx->err_recognition & (AV_EF_CRCCHECK|AV_EF_CAREFUL)) {
             ctx->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE);
@@ -632,7 +633,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
     if (bd->block_length & (sub_blocks - 1)) {
         av_log(avctx, AV_LOG_WARNING,
                "Block length is not evenly divisible by the number of subblocks.\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
     }
 
     sb_length = bd->block_length >> log2_sub_blocks;
@@ -651,6 +652,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
         for (k = 1; k < sub_blocks; k++)
             s[k] = s[k - 1] + decode_rice(gb, 0);
     }
+    for (k = 1; k < sub_blocks; k++)
+        if (s[k] > 32) {
+            av_log(avctx, AV_LOG_ERROR, "k invalid for rice code.\n");
+            return AVERROR_INVALIDDATA;
+        }
 
     if (get_bits1(gb))
         *bd->shift_lsbs = get_bits(gb, 4) + 1;
@@ -663,6 +669,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
             int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1,
                                                 2, sconf->max_order + 1));
             *bd->opt_order       = get_bits(gb, opt_order_length);
+            if (*bd->opt_order > sconf->max_order) {
+                *bd->opt_order = sconf->max_order;
+                av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n");
+                return AVERROR_INVALIDDATA;
+            }
         } else {
             *bd->opt_order = sconf->max_order;
         }
@@ -695,6 +706,10 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
                     int rice_param = parcor_rice_table[sconf->coef_table][k][1];
                     int offset     = parcor_rice_table[sconf->coef_table][k][0];
                     quant_cof[k] = decode_rice(gb, rice_param) + offset;
+                    if (quant_cof[k] < -64 || quant_cof[k] > 63) {
+                        av_log(avctx, AV_LOG_ERROR, "quant_cof %d is out of range\n", quant_cof[k]);
+                        return AVERROR_INVALIDDATA;
+                    }
                 }
 
                 // read coefficients 20 to 126
@@ -727,7 +742,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
             bd->ltp_gain[0]   = decode_rice(gb, 1) << 3;
             bd->ltp_gain[1]   = decode_rice(gb, 2) << 3;
 
-            r                 = get_unary(gb, 0, 4);
+            r                 = get_unary(gb, 0, 3);
             c                 = get_bits(gb, 2);
             bd->ltp_gain[2]   = ltp_gain_values[r][c];
 
@@ -756,7 +771,6 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
         int          delta[8];
         unsigned int k    [8];
         unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5);
-        unsigned int i = start;
 
         // read most significant bits
         unsigned int high;
@@ -767,29 +781,30 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 
         current_res = bd->raw_samples + start;
 
-        for (sb = 0; sb < sub_blocks; sb++, i = 0) {
+        for (sb = 0; sb < sub_blocks; sb++) {
+            unsigned int sb_len  = sb_length - (sb ? 0 : start);
+
             k    [sb] = s[sb] > b ? s[sb] - b : 0;
             delta[sb] = 5 - s[sb] + k[sb];
 
-            ff_bgmc_decode(gb, sb_length, current_res,
+            ff_bgmc_decode(gb, sb_len, current_res,
                         delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status);
 
-            current_res += sb_length;
+            current_res += sb_len;
         }
 
         ff_bgmc_decode_end(gb);
 
 
         // read least significant bits and tails
-        i = start;
         current_res = bd->raw_samples + start;
 
-        for (sb = 0; sb < sub_blocks; sb++, i = 0) {
+        for (sb = 0; sb < sub_blocks; sb++, start = 0) {
             unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]];
             unsigned int cur_k         = k[sb];
             unsigned int cur_s         = s[sb];
 
-            for (; i < sb_length; i++) {
+            for (; start < sb_length; start++) {
                 int32_t res = *current_res;
 
                 if (res == cur_tail_code) {
@@ -949,18 +964,18 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
  */
 static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
 {
+    int ret = 0;
     GetBitContext *gb        = &ctx->gb;
 
     *bd->shift_lsbs = 0;
     // read block type flag and read the samples accordingly
     if (get_bits1(gb)) {
-        if (read_var_block_data(ctx, bd))
-            return -1;
+        ret = read_var_block_data(ctx, bd);
     } else {
         read_const_block_data(ctx, bd);
     }
 
-    return 0;
+    return ret;
 }
 
 
@@ -969,12 +984,16 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
 static int decode_block(ALSDecContext *ctx, ALSBlockData *bd)
 {
     unsigned int smp;
+    int ret = 0;
 
     // read block type flag and read the samples accordingly
     if (*bd->const_block)
         decode_const_block_data(ctx, bd);
-    else if (decode_var_block_data(ctx, bd))
-        return -1;
+    else
+        ret = decode_var_block_data(ctx, bd); // always return 0
+
+    if (ret < 0)
+        return ret;
 
     // TODO: read RLSLMS extension data
 
@@ -992,14 +1011,10 @@ static int read_decode_block(ALSDecContext *ctx, ALSBlockData *bd)
 {
     int ret;
 
-    ret = read_block(ctx, bd);
-
-    if (ret)
+    if ((ret = read_block(ctx, bd)) < 0)
         return ret;
 
-    ret = decode_block(ctx, bd);
-
-    return ret;
+    return decode_block(ctx, bd);
 }
 
 
@@ -1025,6 +1040,7 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame,
                              unsigned int c, const unsigned int *div_blocks,
                              unsigned int *js_blocks)
 {
+    int ret;
     unsigned int b;
     ALSBlockData bd;
 
@@ -1047,10 +1063,10 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame,
     for (b = 0; b < ctx->num_blocks; b++) {
         bd.block_length     = div_blocks[b];
 
-        if (read_decode_block(ctx, &bd)) {
+        if ((ret = read_decode_block(ctx, &bd)) < 0) {
             // damaged block, write zero for the rest of the frame
             zero_remaining(b, ctx->num_blocks, div_blocks, bd.raw_samples);
-            return -1;
+            return ret;
         }
         bd.raw_samples += div_blocks[b];
         bd.ra_block     = 0;
@@ -1069,6 +1085,7 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
     ALSSpecificConfig *sconf = &ctx->sconf;
     unsigned int offset = 0;
     unsigned int b;
+    int ret;
     ALSBlockData bd[2];
 
     memset(bd, 0, 2 * sizeof(ALSBlockData));
@@ -1112,12 +1129,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
         bd[0].raw_other    = bd[1].raw_samples;
         bd[1].raw_other    = bd[0].raw_samples;
 
-        if(read_decode_block(ctx, &bd[0]) || read_decode_block(ctx, &bd[1])) {
-            // damaged block, write zero for the rest of the frame
-            zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples);
-            zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples);
-            return -1;
-        }
+        if ((ret = read_decode_block(ctx, &bd[0])) < 0 ||
+            (ret = read_decode_block(ctx, &bd[1])) < 0)
+            goto fail;
+
 
         // reconstruct joint-stereo blocks
         if (bd[0].js_blocks) {
@@ -1143,8 +1158,19 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame,
             sizeof(*ctx->raw_samples[c]) * sconf->max_order);
 
     return 0;
+fail:
+    // damaged block, write zero for the rest of the frame
+    zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples);
+    zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples);
+    return ret;
 }
 
+static inline int als_weighting(GetBitContext *gb, int k, int off)
+{
+    int idx = av_clip(decode_rice(gb, k) + off,
+                      0, FF_ARRAY_ELEMS(mcc_weightings) - 1);
+    return mcc_weightings[idx];
+}
 
 /** Read the channel data.
   */
@@ -1160,19 +1186,19 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)
 
         if (current->master_channel >= channels) {
             av_log(ctx->avctx, AV_LOG_ERROR, "Invalid master channel!\n");
-            return -1;
+            return AVERROR_INVALIDDATA;
         }
 
         if (current->master_channel != c) {
             current->time_diff_flag = get_bits1(gb);
-            current->weighting[0]   = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)];
-            current->weighting[1]   = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 32)];
-            current->weighting[2]   = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)];
+            current->weighting[0]   = als_weighting(gb, 1, 16);
+            current->weighting[1]   = als_weighting(gb, 2, 14);
+            current->weighting[2]   = als_weighting(gb, 1, 16);
 
             if (current->time_diff_flag) {
-                current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)];
-                current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)];
-                current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)];
+                current->weighting[3] = als_weighting(gb, 1, 16);
+                current->weighting[4] = als_weighting(gb, 1, 16);
+                current->weighting[5] = als_weighting(gb, 1, 16);
 
                 current->time_diff_sign  = get_bits1(gb);
                 current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3;
@@ -1185,7 +1211,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c)
 
     if (entries == channels) {
         av_log(ctx->avctx, AV_LOG_ERROR, "Damaged channel data!\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
     }
 
     align_get_bits(gb);
@@ -1217,7 +1243,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
 
     if (dep == channels) {
         av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel correlation!\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
     }
 
     bd->const_block = ctx->const_block + c;
@@ -1290,6 +1316,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
     unsigned int js_blocks[2];
 
     uint32_t bs_info = 0;
+    int ret;
 
     // skip the size of the ra unit if present in the frame
     if (sconf->ra_flag == RA_FLAG_FRAMES && ra_frame)
@@ -1320,13 +1347,15 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
                 independent_bs = 1;
 
             if (independent_bs) {
-                if (decode_blocks_ind(ctx, ra_frame, c, div_blocks, js_blocks))
-                    return -1;
-
+                ret = decode_blocks_ind(ctx, ra_frame, c,
+                                        div_blocks, js_blocks);
+                if (ret < 0)
+                    return ret;
                 independent_bs--;
             } else {
-                if (decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks))
-                    return -1;
+                ret = decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks);
+                if (ret < 0)
+                    return ret;
 
                 c++;
             }
@@ -1345,7 +1374,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
         for (c = 0; c < avctx->channels; c++)
             if (ctx->chan_data[c] < ctx->chan_data_buffer) {
                 av_log(ctx->avctx, AV_LOG_ERROR, "Invalid channel data!\n");
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
 
         memset(&bd,               0, sizeof(ALSBlockData));
@@ -1358,6 +1387,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
 
         for (b = 0; b < ctx->num_blocks; b++) {
             bd.block_length = div_blocks[b];
+            if (bd.block_length <= 0) {
+                av_log(ctx->avctx, AV_LOG_WARNING,
+                       "Invalid block length %d in channel data!\n", bd.block_length);
+                continue;
+            }
 
             for (c = 0; c < avctx->channels; c++) {
                 bd.const_block = ctx->const_block + c;
@@ -1377,11 +1411,12 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
                     return -1;
             }
 
-            for (c = 0; c < avctx->channels; c++)
-                if (revert_channel_correlation(ctx, &bd, ctx->chan_data,
-                                               reverted_channels, offset, c))
-                    return -1;
-
+            for (c = 0; c < avctx->channels; c++) {
+                ret = revert_channel_correlation(ctx, &bd, ctx->chan_data,
+                                                 reverted_channels, offset, c);
+                if (ret < 0)
+                    return ret;
+            }
             for (c = 0; c < avctx->channels; c++) {
                 bd.const_block = ctx->const_block + c;
                 bd.shift_lsbs  = ctx->shift_lsbs + c;
@@ -1450,7 +1485,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
 
     /* get output buffer */
     ctx->frame.nb_samples = ctx->cur_frame_length;
-    if ((ret = avctx->get_buffer(avctx, &ctx->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &ctx->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
@@ -1578,29 +1613,30 @@ static av_cold int decode_init(AVCodecContext *avctx)
 {
     unsigned int c;
     unsigned int channel_size;
-    int num_buffers;
+    int num_buffers, ret;
     ALSDecContext *ctx = avctx->priv_data;
     ALSSpecificConfig *sconf = &ctx->sconf;
     ctx->avctx = avctx;
 
     if (!avctx->extradata) {
         av_log(avctx, AV_LOG_ERROR, "Missing required ALS extradata.\n");
-        return -1;
+        return AVERROR_INVALIDDATA;
     }
 
-    if (read_specific_config(ctx)) {
+    if ((ret = read_specific_config(ctx)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "Reading ALSSpecificConfig failed.\n");
-        decode_end(avctx);
-        return -1;
+        goto fail;
     }
 
-    if (check_specific_config(ctx)) {
-        decode_end(avctx);
-        return -1;
+    if ((ret = check_specific_config(ctx)) < 0) {
+        goto fail;
     }
 
-    if (sconf->bgmc)
-        ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status);
+    if (sconf->bgmc) {
+        ret = ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status);
+        if (ret < 0)
+            goto fail;
+    }
 
     if (sconf->floating) {
         avctx->sample_fmt          = AV_SAMPLE_FMT_FLT;
@@ -1636,7 +1672,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
         !ctx->quant_cof_buffer       || !ctx->lpc_cof_buffer ||
         !ctx->lpc_cof_reversed_buffer) {
         av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-        return AVERROR(ENOMEM);
+        ret = AVERROR(ENOMEM);
+        goto fail;
     }
 
     // assign quantized parcor coefficient buffers
@@ -1661,8 +1698,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
         !ctx->use_ltp  || !ctx->ltp_lag ||
         !ctx->ltp_gain || !ctx->ltp_gain_buffer) {
         av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-        decode_end(avctx);
-        return AVERROR(ENOMEM);
+        ret = AVERROR(ENOMEM);
+        goto fail;
     }
 
     for (c = 0; c < num_buffers; c++)
@@ -1679,8 +1716,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
 
         if (!ctx->chan_data_buffer || !ctx->chan_data || !ctx->reverted_channels) {
             av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-            decode_end(avctx);
-            return AVERROR(ENOMEM);
+            ret = AVERROR(ENOMEM);
+            goto fail;
         }
 
         for (c = 0; c < num_buffers; c++)
@@ -1701,8 +1738,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
     // allocate previous raw sample buffer
     if (!ctx->prev_raw_samples || !ctx->raw_buffer|| !ctx->raw_samples) {
         av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-        decode_end(avctx);
-        return AVERROR(ENOMEM);
+        ret = AVERROR(ENOMEM);
+        goto fail;
     }
 
     // assign raw samples buffers
@@ -1719,8 +1756,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
                                     av_get_bytes_per_sample(avctx->sample_fmt));
         if (!ctx->crc_buffer) {
             av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
-            decode_end(avctx);
-            return AVERROR(ENOMEM);
+            ret = AVERROR(ENOMEM);
+            goto fail;
         }
     }
 
@@ -1730,6 +1767,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
     avctx->coded_frame = &ctx->frame;
 
     return 0;
+
+fail:
+    decode_end(avctx);
+    return ret;
 }
 
 

libavcodec/amrnbdec.c

@@ -44,6 +44,7 @@
 #include <math.h>
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "libavutil/common.h"
 #include "celp_math.h"
@@ -200,6 +201,10 @@ static enum Mode unpack_bitstream(AMRContext *p, const uint8_t *buf,
     p->bad_frame_indicator = !get_bits1(&gb); // quality bit
     skip_bits(&gb, 2);                        // two padding bits
 
+    if (mode >= N_MODES || buf_size < frame_sizes_nb[mode] + 1) {
+        return NO_DATA;
+    }
+
     if (mode < MODE_DTX)
         ff_amr_bit_reorder((uint16_t *) &p->frame, sizeof(AMRNBFrame), buf + 1,
                            amr_unpacking_bitmaps_per_mode[mode]);
@@ -940,13 +945,17 @@ static int amrnb_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     p->avframe.nb_samples = AMR_BLOCK_SIZE;
-    if ((ret = avctx->get_buffer(avctx, &p->avframe)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &p->avframe)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
     buf_out = (float *)p->avframe.data[0];
 
     p->cur_frame_mode = unpack_bitstream(p, buf, buf_size);
+    if (p->cur_frame_mode == NO_DATA) {
+        av_log(avctx, AV_LOG_ERROR, "Corrupt bitstream\n");
+        return AVERROR_INVALIDDATA;
+    }
     if (p->cur_frame_mode == MODE_DTX) {
         av_log_missing_feature(avctx, "dtx mode", 0);
         av_log(avctx, AV_LOG_INFO, "Note: libopencore_amrnb supports dtx\n");

libavcodec/amrwbdec.c

@@ -27,6 +27,7 @@
 #include "libavutil/lfg.h"
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "lsp.h"
 #include "celp_math.h"
@@ -898,10 +899,10 @@ static float auto_correlation(float *diff_isf, float mean, int lag)
  * Extrapolate a ISF vector to the 16kHz range (20th order LP)
  * used at mode 6k60 LP filter for the high frequency band.
  *
- * @param[out] out                 Buffer for extrapolated isf
- * @param[in]  isf                 Input isf vector
+ * @param[out] isf Buffer for extrapolated isf; contains LP_ORDER
+ *                 values on input
  */
-static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER])
+static void extrapolate_isf(float isf[LP_ORDER_16k])
 {
     float diff_isf[LP_ORDER - 2], diff_mean;
     float *diff_hi = diff_isf - LP_ORDER + 1; // diff array for extrapolated indexes
@@ -909,8 +910,7 @@ static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER])
     float est, scale;
     int i, i_max_corr;
 
-    memcpy(out, isf, (LP_ORDER - 1) * sizeof(float));
-    out[LP_ORDER_16k - 1] = isf[LP_ORDER - 1];
+    isf[LP_ORDER_16k - 1] = isf[LP_ORDER - 1];
 
     /* Calculate the difference vector */
     for (i = 0; i < LP_ORDER - 2; i++)
@@ -931,16 +931,16 @@ static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER])
     i_max_corr++;
 
     for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++)
-        out[i] = isf[i - 1] + isf[i - 1 - i_max_corr]
+        isf[i] = isf[i - 1] + isf[i - 1 - i_max_corr]
                             - isf[i - 2 - i_max_corr];
 
     /* Calculate an estimate for ISF(18) and scale ISF based on the error */
-    est   = 7965 + (out[2] - out[3] - out[4]) / 6.0;
-    scale = 0.5 * (FFMIN(est, 7600) - out[LP_ORDER - 2]) /
-            (out[LP_ORDER_16k - 2] - out[LP_ORDER - 2]);
+    est   = 7965 + (isf[2] - isf[3] - isf[4]) / 6.0;
+    scale = 0.5 * (FFMIN(est, 7600) - isf[LP_ORDER - 2]) /
+            (isf[LP_ORDER_16k - 2] - isf[LP_ORDER - 2]);
 
     for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++)
-        diff_hi[i] = scale * (out[i] - out[i - 1]);
+        diff_hi[i] = scale * (isf[i] - isf[i - 1]);
 
     /* Stability insurance */
     for (i = LP_ORDER; i < LP_ORDER_16k - 1; i++)
@@ -952,11 +952,11 @@ static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER])
         }
 
     for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++)
-        out[i] = out[i - 1] + diff_hi[i] * (1.0f / (1 << 15));
+        isf[i] = isf[i - 1] + diff_hi[i] * (1.0f / (1 << 15));
 
     /* Scale the ISF vector for 16000 Hz */
     for (i = 0; i < LP_ORDER_16k - 1; i++)
-        out[i] *= 0.8;
+        isf[i] *= 0.8;
 }
 
 /**
@@ -1003,7 +1003,7 @@ static void hb_synthesis(AMRWBContext *ctx, int subframe, float *samples,
         ff_weighted_vector_sumf(e_isf, isf_past, isf, isfp_inter[subframe],
                                 1.0 - isfp_inter[subframe], LP_ORDER);
 
-        extrapolate_isf(e_isf, e_isf);
+        extrapolate_isf(e_isf);
 
         e_isf[LP_ORDER_16k - 1] *= 2.0;
         ff_acelp_lsf2lspd(e_isp, e_isf, LP_ORDER_16k);
@@ -1088,30 +1088,34 @@ static int amrwb_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     ctx->avframe.nb_samples = 4 * AMRWB_SFR_SIZE_16k;
-    if ((ret = avctx->get_buffer(avctx, &ctx->avframe)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &ctx->avframe)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
     buf_out = (float *)ctx->avframe.data[0];
 
     header_size      = decode_mime_header(ctx, buf);
+    if (ctx->fr_cur_mode > MODE_SID) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Invalid mode %d\n", ctx->fr_cur_mode);
+        return AVERROR_INVALIDDATA;
+    }
     expected_fr_size = ((cf_sizes_wb[ctx->fr_cur_mode] + 7) >> 3) + 1;
 
     if (buf_size < expected_fr_size) {
         av_log(avctx, AV_LOG_ERROR,
             "Frame too small (%d bytes). Truncated file?\n", buf_size);
         *got_frame_ptr = 0;
-        return buf_size;
+        return AVERROR_INVALIDDATA;
     }
 
     if (!ctx->fr_quality || ctx->fr_cur_mode > MODE_SID)
         av_log(avctx, AV_LOG_ERROR, "Encountered a bad or corrupted frame\n");
 
-    if (ctx->fr_cur_mode == MODE_SID) /* Comfort noise frame */
+    if (ctx->fr_cur_mode == MODE_SID) { /* Comfort noise frame */
         av_log_missing_feature(avctx, "SID mode", 1);
-
-    if (ctx->fr_cur_mode >= MODE_SID)
         return -1;
+    }
 
     ff_amr_bit_reorder((uint16_t *) &ctx->frame, sizeof(AMRWBFrame),
         buf + header_size, amr_bit_orderings_by_mode[ctx->fr_cur_mode]);

libavcodec/ansi.c

@@ -26,6 +26,7 @@
 
 #include "libavutil/lfg.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "cga_data.h"
 
 #define ATTR_BOLD         0x01  /**< Bold/Bright-foreground (mode 1) */
@@ -222,7 +223,7 @@ static int execute_code(AVCodecContext * avctx, int c)
             if (s->frame.data[0])
                 avctx->release_buffer(avctx, &s->frame);
             avcodec_set_dimensions(avctx, width, height);
-            ret = avctx->get_buffer(avctx, &s->frame);
+            ret = ff_get_buffer(avctx, &s->frame);
             if (ret < 0) {
                 av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
                 return ret;

libavcodec/apedec.c

@@ -22,6 +22,7 @@
 
 #define BITSTREAM_READER_LE
 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "get_bits.h"
 #include "bytestream.h"
@@ -404,9 +405,12 @@ static inline int ape_decode_value(APEContext *ctx, APERice *rice)
 
         if (tmpk <= 16)
             x = range_decode_bits(ctx, tmpk);
-        else {
+        else if (tmpk <= 32) {
             x = range_decode_bits(ctx, 16);
             x |= (range_decode_bits(ctx, tmpk - 16) << 16);
+        } else {
+            av_log(ctx->avctx, AV_LOG_ERROR, "Too many bits: %d\n", tmpk);
+            return AVERROR_INVALIDDATA;
         }
         x += overflow << tmpk;
     } else {
@@ -819,7 +823,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
     int16_t *samples;
     int i, ret;
     int blockstodecode;
-    int bytes_used = 0;
 
     /* this should never be negative, but bad things will happen if it is, so
        check it just to make sure. */
@@ -874,7 +877,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
             return AVERROR_INVALIDDATA;
         }
 
-        bytes_used = buf_size;
     }
 
     if (!s->data) {
@@ -886,7 +888,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = blockstodecode;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
@@ -917,7 +919,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
     *got_frame_ptr   = 1;
     *(AVFrame *)data = s->frame;
 
-    return bytes_used;
+    return (s->samples == 0) ? buf_size : 0;
 }
 
 static void ape_flush(AVCodecContext *avctx)

libavcodec/arm/asm.S

@@ -132,6 +132,13 @@ T       ldr             \rt, [\rn]
 T       add             \rn, \rn, \rm
 .endm
 
+.macro  ldrc_pre        cc,  rt,  rn,  rm:vararg
+A       ldr\cc          \rt, [\rn, \rm]!
+T       itt             \cc
+T       add\cc          \rn, \rn, \rm
+T       ldr\cc          \rt, [\rn]
+.endm
+
 .macro  ldrd_reg        rt,  rt2, rn,  rm
 A       ldrd            \rt, \rt2, [\rn, \rm]
 T       add             \rt, \rn, \rm

libavcodec/arm/dsputil_armv6.S

@@ -146,10 +146,11 @@ function ff_put_pixels8_y2_armv6, export=1
         eor             r7,  r5,  r7
         uadd8           r10, r10, r6
         and             r7,  r7,  r12
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
         uadd8           r11, r11, r7
         strd_post       r8,  r9,  r0,  r2
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
         strd_post       r10, r11, r0,  r2
         bne             1b
 
@@ -198,9 +199,10 @@ function ff_put_pixels8_y2_no_rnd_armv6, export=1
         uhadd8          r9,  r5,  r7
         ldr             r5,  [r1, #4]
         uhadd8          r12, r4,  r6
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
         uhadd8          r14, r5,  r7
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
         stm             r0,  {r8,r9}
         add             r0,  r0,  r2
         stm             r0,  {r12,r14}

libavcodec/arm/dsputil_neon.S

@@ -44,22 +44,22 @@ endfunc
   .if \avg
         mov             r12, r0
   .endif
-1:      vld1.64         {q0},     [r1], r2
-        vld1.64         {q1},     [r1], r2
-        vld1.64         {q2},     [r1], r2
+1:      vld1.8          {q0},     [r1], r2
+        vld1.8          {q1},     [r1], r2
+        vld1.8          {q2},     [r1], r2
         pld             [r1, r2, lsl #2]
-        vld1.64         {q3},     [r1], r2
+        vld1.8          {q3},     [r1], r2
         pld             [r1]
         pld             [r1, r2]
         pld             [r1, r2, lsl #1]
   .if \avg
-        vld1.64         {q8},     [r12,:128], r2
+        vld1.8          {q8},     [r12,:128], r2
         vrhadd.u8       q0,  q0,  q8
-        vld1.64         {q9},     [r12,:128], r2
+        vld1.8          {q9},     [r12,:128], r2
         vrhadd.u8       q1,  q1,  q9
-        vld1.64         {q10},    [r12,:128], r2
+        vld1.8          {q10},    [r12,:128], r2
         vrhadd.u8       q2,  q2,  q10
-        vld1.64         {q11},    [r12,:128], r2
+        vld1.8          {q11},    [r12,:128], r2
         vrhadd.u8       q3,  q3,  q11
   .endif
         subs            r3,  r3,  #4
@@ -72,8 +72,8 @@ endfunc
 .endm
 
 .macro  pixels16_x2     rnd=1, avg=0
-1:      vld1.64         {d0-d2},  [r1], r2
-        vld1.64         {d4-d6},  [r1], r2
+1:      vld1.8          {d0-d2},  [r1], r2
+        vld1.8          {d4-d6},  [r1], r2
         pld             [r1]
         pld             [r1, r2]
         subs            r3,  r3,  #2
@@ -88,20 +88,21 @@ endfunc
         vrhadd.u8       q2,  q2,  q3
         sub             r0,  r0,  r2
   .endif
-        vst1.64         {q0},     [r0,:128], r2
-        vst1.64         {q2},     [r0,:128], r2
+        vst1.8          {q0},     [r0,:128], r2
+        vst1.8          {q2},     [r0,:128], r2
         bne             1b
         bx              lr
 .endm
 
 .macro  pixels16_y2     rnd=1, avg=0
-        vld1.64         {q0},     [r1], r2
-        vld1.64         {q1},     [r1], r2
+        sub             r3,  r3,  #2
+        vld1.8          {q0},     [r1], r2
+        vld1.8          {q1},     [r1], r2
 1:      subs            r3,  r3,  #2
         avg             q2,  q0,  q1
-        vld1.64         {q0},     [r1], r2
+        vld1.8          {q0},     [r1], r2
         avg             q3,  q0,  q1
-        vld1.64         {q1},     [r1], r2
+        vld1.8          {q1},     [r1], r2
         pld             [r1]
         pld             [r1, r2]
   .if \avg
@@ -111,18 +112,31 @@ endfunc
         vrhadd.u8       q3,  q3,  q9
         sub             r0,  r0,  r2
   .endif
-        vst1.64         {q2},     [r0,:128], r2
-        vst1.64         {q3},     [r0,:128], r2
+        vst1.8          {q2},     [r0,:128], r2
+        vst1.8          {q3},     [r0,:128], r2
         bne             1b
+
+        avg             q2,  q0,  q1
+        vld1.8          {q0},     [r1], r2
+        avg             q3,  q0,  q1
+  .if \avg
+        vld1.8          {q8},     [r0,:128], r2
+        vld1.8          {q9},     [r0,:128]
+        vrhadd.u8       q2,  q2,  q8
+        vrhadd.u8       q3,  q3,  q9
+        sub             r0,  r0,  r2
+  .endif
+        vst1.8          {q2},     [r0,:128], r2
+        vst1.8          {q3},     [r0,:128], r2
+
         bx              lr
 .endm
 
 .macro  pixels16_xy2    rnd=1, avg=0
-        vld1.64         {d0-d2},  [r1], r2
-        vld1.64         {d4-d6},  [r1], r2
-  .ifeq \rnd
-        vmov.i16        q13, #1
-  .endif
+        sub             r3,  r3,  #2
+        vld1.8          {d0-d2},  [r1], r2
+        vld1.8          {d4-d6},  [r1], r2
+NRND    vmov.i16        q13, #1
         pld             [r1]
         pld             [r1, r2]
         vext.8          q1,  q0,  q1,  #1
@@ -132,38 +146,30 @@ endfunc
         vaddl.u8        q9,  d4,  d6
         vaddl.u8        q11, d5,  d7
 1:      subs            r3,  r3,  #2
-        vld1.64         {d0-d2},  [r1], r2
+        vld1.8          {d0-d2},  [r1], r2
         vadd.u16        q12, q8,  q9
         pld             [r1]
-  .ifeq \rnd
-        vadd.u16        q12, q12, q13
-  .endif
+NRND    vadd.u16        q12, q12, q13
         vext.8          q15, q0,  q1,  #1
         vadd.u16        q1 , q10, q11
         shrn            d28, q12, #2
-  .ifeq \rnd
-        vadd.u16        q1,  q1,  q13
-  .endif
+NRND    vadd.u16        q1,  q1,  q13
         shrn            d29, q1,  #2
   .if \avg
         vld1.8          {q8},     [r0,:128]
         vrhadd.u8       q14, q14, q8
   .endif
         vaddl.u8        q8,  d0,  d30
-        vld1.64         {d2-d4},  [r1], r2
+        vld1.8          {d2-d4},  [r1], r2
         vaddl.u8        q10, d1,  d31
-        vst1.64         {q14},    [r0,:128], r2
+        vst1.8          {q14},    [r0,:128], r2
         vadd.u16        q12, q8,  q9
         pld             [r1, r2]
-  .ifeq \rnd
-        vadd.u16        q12, q12, q13
-  .endif
+NRND    vadd.u16        q12, q12, q13
         vext.8          q2,  q1,  q2,  #1
         vadd.u16        q0,  q10, q11
         shrn            d30, q12, #2
-  .ifeq \rnd
-        vadd.u16        q0,  q0,  q13
-  .endif
+NRND    vadd.u16        q0,  q0,  q13
         shrn            d31, q0,  #2
   .if \avg
         vld1.8          {q9},     [r0,:128]
@@ -171,44 +177,72 @@ endfunc
   .endif
         vaddl.u8        q9,  d2,  d4
         vaddl.u8        q11, d3,  d5
-        vst1.64         {q15},    [r0,:128], r2
+        vst1.8          {q15},    [r0,:128], r2
         bgt             1b
+
+        vld1.8          {d0-d2},  [r1], r2
+        vadd.u16        q12, q8,  q9
+NRND    vadd.u16        q12, q12, q13
+        vext.8          q15, q0,  q1,  #1
+        vadd.u16        q1 , q10, q11
+        shrn            d28, q12, #2
+NRND    vadd.u16        q1,  q1,  q13
+        shrn            d29, q1,  #2
+  .if \avg
+        vld1.8          {q8},     [r0,:128]
+        vrhadd.u8       q14, q14, q8
+  .endif
+        vaddl.u8        q8,  d0,  d30
+        vaddl.u8        q10, d1,  d31
+        vst1.8          {q14},    [r0,:128], r2
+        vadd.u16        q12, q8,  q9
+NRND    vadd.u16        q12, q12, q13
+        vadd.u16        q0,  q10, q11
+        shrn            d30, q12, #2
+NRND    vadd.u16        q0,  q0,  q13
+        shrn            d31, q0,  #2
+  .if \avg
+        vld1.8          {q9},     [r0,:128]
+        vrhadd.u8       q15, q15, q9
+  .endif
+        vst1.8          {q15},    [r0,:128], r2
+
         bx              lr
 .endm
 
 .macro  pixels8         rnd=1, avg=0
-1:      vld1.64         {d0},     [r1], r2
-        vld1.64         {d1},     [r1], r2
-        vld1.64         {d2},     [r1], r2
+1:      vld1.8          {d0},     [r1], r2
+        vld1.8          {d1},     [r1], r2
+        vld1.8          {d2},     [r1], r2
         pld             [r1, r2, lsl #2]
-        vld1.64         {d3},     [r1], r2
+        vld1.8          {d3},     [r1], r2
         pld             [r1]
         pld             [r1, r2]
         pld             [r1, r2, lsl #1]
   .if \avg
-        vld1.64         {d4},     [r0,:64], r2
+        vld1.8          {d4},     [r0,:64], r2
         vrhadd.u8       d0,  d0,  d4
-        vld1.64         {d5},     [r0,:64], r2
+        vld1.8          {d5},     [r0,:64], r2
         vrhadd.u8       d1,  d1,  d5
-        vld1.64         {d6},     [r0,:64], r2
+        vld1.8          {d6},     [r0,:64], r2
         vrhadd.u8       d2,  d2,  d6
-        vld1.64         {d7},     [r0,:64], r2
+        vld1.8          {d7},     [r0,:64], r2
         vrhadd.u8       d3,  d3,  d7
         sub             r0,  r0,  r2,  lsl #2
   .endif
         subs            r3,  r3,  #4
-        vst1.64         {d0},     [r0,:64], r2
-        vst1.64         {d1},     [r0,:64], r2
-        vst1.64         {d2},     [r0,:64], r2
-        vst1.64         {d3},     [r0,:64], r2
+        vst1.8          {d0},     [r0,:64], r2
+        vst1.8          {d1},     [r0,:64], r2
+        vst1.8          {d2},     [r0,:64], r2
+        vst1.8          {d3},     [r0,:64], r2
         bne             1b
         bx              lr
 .endm
 
 .macro  pixels8_x2      rnd=1, avg=0
-1:      vld1.64         {q0},     [r1], r2
+1:      vld1.8          {q0},     [r1], r2
         vext.8          d1,  d0,  d1,  #1
-        vld1.64         {q1},     [r1], r2
+        vld1.8          {q1},     [r1], r2
         vext.8          d3,  d2,  d3,  #1
         pld             [r1]
         pld             [r1, r2]
@@ -221,20 +255,21 @@ endfunc
         vrhadd.u8       q0,  q0,  q2
         sub             r0,  r0,  r2
   .endif
-        vst1.64         {d0},     [r0,:64], r2
-        vst1.64         {d1},     [r0,:64], r2
+        vst1.8          {d0},     [r0,:64], r2
+        vst1.8          {d1},     [r0,:64], r2
         bne             1b
         bx              lr
 .endm
 
 .macro  pixels8_y2      rnd=1, avg=0
-        vld1.64         {d0},     [r1], r2
-        vld1.64         {d1},     [r1], r2
+        sub             r3,  r3,  #2
+        vld1.8          {d0},     [r1], r2
+        vld1.8          {d1},     [r1], r2
 1:      subs            r3,  r3,  #2
         avg             d4,  d0,  d1
-        vld1.64         {d0},     [r1], r2
+        vld1.8          {d0},     [r1], r2
         avg             d5,  d0,  d1
-        vld1.64         {d1},     [r1], r2
+        vld1.8          {d1},     [r1], r2
         pld             [r1]
         pld             [r1, r2]
   .if \avg
@@ -243,18 +278,30 @@ endfunc
         vrhadd.u8       q2,  q2,  q1
         sub             r0,  r0,  r2
   .endif
-        vst1.64         {d4},     [r0,:64], r2
-        vst1.64         {d5},     [r0,:64], r2
+        vst1.8          {d4},     [r0,:64], r2
+        vst1.8          {d5},     [r0,:64], r2
         bne             1b
+
+        avg             d4,  d0,  d1
+        vld1.8          {d0},     [r1], r2
+        avg             d5,  d0,  d1
+  .if \avg
+        vld1.8          {d2},     [r0,:64], r2
+        vld1.8          {d3},     [r0,:64]
+        vrhadd.u8       q2,  q2,  q1
+        sub             r0,  r0,  r2
+  .endif
+        vst1.8          {d4},     [r0,:64], r2
+        vst1.8          {d5},     [r0,:64], r2
+
         bx              lr
 .endm
 
 .macro  pixels8_xy2     rnd=1, avg=0
-        vld1.64         {q0},     [r1], r2
-        vld1.64         {q1},     [r1], r2
-  .ifeq \rnd
-        vmov.i16        q11, #1
-  .endif
+        sub             r3,  r3,  #2
+        vld1.8          {q0},     [r1], r2
+        vld1.8          {q1},     [r1], r2
+NRND    vmov.i16        q11, #1
         pld             [r1]
         pld             [r1, r2]
         vext.8          d4,  d0,  d1,  #1
@@ -262,26 +309,22 @@ endfunc
         vaddl.u8        q8,  d0,  d4
         vaddl.u8        q9,  d2,  d6
 1:      subs            r3,  r3,  #2
-        vld1.64         {q0},     [r1], r2
+        vld1.8          {q0},     [r1], r2
         pld             [r1]
         vadd.u16        q10, q8,  q9
         vext.8          d4,  d0,  d1,  #1
-  .ifeq \rnd
-        vadd.u16        q10, q10, q11
-  .endif
+NRND    vadd.u16        q10, q10, q11
         vaddl.u8        q8,  d0,  d4
         shrn            d5,  q10, #2
-        vld1.64         {q1},     [r1], r2
+        vld1.8          {q1},     [r1], r2
         vadd.u16        q10, q8,  q9
         pld             [r1, r2]
   .if \avg
         vld1.8          {d7},     [r0,:64]
         vrhadd.u8       d5,  d5,  d7
   .endif
-  .ifeq \rnd
-        vadd.u16        q10, q10, q11
-  .endif
-        vst1.64         {d5},     [r0,:64], r2
+NRND    vadd.u16        q10, q10, q11
+        vst1.8          {d5},     [r0,:64], r2
         shrn            d7,  q10, #2
   .if \avg
         vld1.8          {d5},     [r0,:64]
@@ -289,8 +332,29 @@ endfunc
   .endif
         vext.8          d6,  d2,  d3,  #1
         vaddl.u8        q9,  d2,  d6
-        vst1.64         {d7},     [r0,:64], r2
+        vst1.8          {d7},     [r0,:64], r2
         bgt             1b
+
+        vld1.8          {q0},     [r1], r2
+        vadd.u16        q10, q8,  q9
+        vext.8          d4,  d0,  d1,  #1
+NRND    vadd.u16        q10, q10, q11
+        vaddl.u8        q8,  d0,  d4
+        shrn            d5,  q10, #2
+        vadd.u16        q10, q8,  q9
+  .if \avg
+        vld1.8          {d7},     [r0,:64]
+        vrhadd.u8       d5,  d5,  d7
+  .endif
+NRND    vadd.u16        q10, q10, q11
+        vst1.8          {d5},     [r0,:64], r2
+        shrn            d7,  q10, #2
+  .if \avg
+        vld1.8          {d5},     [r0,:64]
+        vrhadd.u8       d7,  d7,  d5
+  .endif
+        vst1.8          {d7},     [r0,:64], r2
+
         bx              lr
 .endm
 
@@ -302,6 +366,8 @@ endfunc
     .macro shrn rd, rn, rm
         vrshrn.u16      \rd, \rn, \rm
     .endm
+    .macro NRND insn:vararg
+    .endm
   .else
     .macro avg  rd, rn, rm
         vhadd.u8        \rd, \rn, \rm
@@ -309,12 +375,16 @@ endfunc
     .macro shrn rd, rn, rm
         vshrn.u16       \rd, \rn, \rm
     .endm
+    .macro NRND insn:vararg
+        \insn
+    .endm
   .endif
 function ff_\pfx\name\suf\()_neon, export=1
         \name           \rnd, \avg
 endfunc
         .purgem         avg
         .purgem         shrn
+        .purgem         NRND
 .endm
 
 .macro  pixfunc2        pfx, name, avg=0
@@ -359,147 +429,147 @@ endfunc
         pixfunc2        avg_, pixels8_xy2, avg=1
 
 function ff_put_pixels_clamped_neon, export=1
-        vld1.64         {d16-d19}, [r0,:128]!
+        vld1.16         {d16-d19}, [r0,:128]!
         vqmovun.s16     d0, q8
-        vld1.64         {d20-d23}, [r0,:128]!
+        vld1.16         {d20-d23}, [r0,:128]!
         vqmovun.s16     d1, q9
-        vld1.64         {d24-d27}, [r0,:128]!
+        vld1.16         {d24-d27}, [r0,:128]!
         vqmovun.s16     d2, q10
-        vld1.64         {d28-d31}, [r0,:128]!
+        vld1.16         {d28-d31}, [r0,:128]!
         vqmovun.s16     d3, q11
-        vst1.64         {d0},      [r1,:64], r2
+        vst1.8          {d0},      [r1,:64], r2
         vqmovun.s16     d4, q12
-        vst1.64         {d1},      [r1,:64], r2
+        vst1.8          {d1},      [r1,:64], r2
         vqmovun.s16     d5, q13
-        vst1.64         {d2},      [r1,:64], r2
+        vst1.8          {d2},      [r1,:64], r2
         vqmovun.s16     d6, q14
-        vst1.64         {d3},      [r1,:64], r2
+        vst1.8          {d3},      [r1,:64], r2
         vqmovun.s16     d7, q15
-        vst1.64         {d4},      [r1,:64], r2
-        vst1.64         {d5},      [r1,:64], r2
-        vst1.64         {d6},      [r1,:64], r2
-        vst1.64         {d7},      [r1,:64], r2
+        vst1.8          {d4},      [r1,:64], r2
+        vst1.8          {d5},      [r1,:64], r2
+        vst1.8          {d6},      [r1,:64], r2
+        vst1.8          {d7},      [r1,:64], r2
         bx              lr
 endfunc
 
 function ff_put_signed_pixels_clamped_neon, export=1
         vmov.u8         d31, #128
-        vld1.64         {d16-d17}, [r0,:128]!
+        vld1.16         {d16-d17}, [r0,:128]!
         vqmovn.s16      d0, q8
-        vld1.64         {d18-d19}, [r0,:128]!
+        vld1.16         {d18-d19}, [r0,:128]!
         vqmovn.s16      d1, q9
-        vld1.64         {d16-d17}, [r0,:128]!
+        vld1.16         {d16-d17}, [r0,:128]!
         vqmovn.s16      d2, q8
-        vld1.64         {d18-d19}, [r0,:128]!
+        vld1.16         {d18-d19}, [r0,:128]!
         vadd.u8         d0, d0, d31
-        vld1.64         {d20-d21}, [r0,:128]!
+        vld1.16         {d20-d21}, [r0,:128]!
         vadd.u8         d1, d1, d31
-        vld1.64         {d22-d23}, [r0,:128]!
+        vld1.16         {d22-d23}, [r0,:128]!
         vadd.u8         d2, d2, d31
-        vst1.64         {d0},      [r1,:64], r2
+        vst1.8          {d0},      [r1,:64], r2
         vqmovn.s16      d3, q9
-        vst1.64         {d1},      [r1,:64], r2
+        vst1.8          {d1},      [r1,:64], r2
         vqmovn.s16      d4, q10
-        vst1.64         {d2},      [r1,:64], r2
+        vst1.8          {d2},      [r1,:64], r2
         vqmovn.s16      d5, q11
-        vld1.64         {d24-d25}, [r0,:128]!
+        vld1.16         {d24-d25}, [r0,:128]!
         vadd.u8         d3, d3, d31
-        vld1.64         {d26-d27}, [r0,:128]!
+        vld1.16         {d26-d27}, [r0,:128]!
         vadd.u8         d4, d4, d31
         vadd.u8         d5, d5, d31
-        vst1.64         {d3},      [r1,:64], r2
+        vst1.8          {d3},      [r1,:64], r2
         vqmovn.s16      d6, q12
-        vst1.64         {d4},      [r1,:64], r2
+        vst1.8          {d4},      [r1,:64], r2
         vqmovn.s16      d7, q13
-        vst1.64         {d5},      [r1,:64], r2
+        vst1.8          {d5},      [r1,:64], r2
         vadd.u8         d6, d6, d31
         vadd.u8         d7, d7, d31
-        vst1.64         {d6},      [r1,:64], r2
-        vst1.64         {d7},      [r1,:64], r2
+        vst1.8          {d6},      [r1,:64], r2
+        vst1.8          {d7},      [r1,:64], r2
         bx              lr
 endfunc
 
 function ff_add_pixels_clamped_neon, export=1
         mov             r3, r1
-        vld1.64         {d16},   [r1,:64], r2
-        vld1.64         {d0-d1}, [r0,:128]!
+        vld1.8          {d16},   [r1,:64], r2
+        vld1.16         {d0-d1}, [r0,:128]!
         vaddw.u8        q0, q0, d16
-        vld1.64         {d17},   [r1,:64], r2
-        vld1.64         {d2-d3}, [r0,:128]!
+        vld1.8          {d17},   [r1,:64], r2
+        vld1.16         {d2-d3}, [r0,:128]!
         vqmovun.s16     d0, q0
-        vld1.64         {d18},   [r1,:64], r2
+        vld1.8          {d18},   [r1,:64], r2
         vaddw.u8        q1, q1, d17
-        vld1.64         {d4-d5}, [r0,:128]!
+        vld1.16         {d4-d5}, [r0,:128]!
         vaddw.u8        q2, q2, d18
-        vst1.64         {d0},    [r3,:64], r2
+        vst1.8          {d0},    [r3,:64], r2
         vqmovun.s16     d2, q1
-        vld1.64         {d19},   [r1,:64], r2
-        vld1.64         {d6-d7}, [r0,:128]!
+        vld1.8          {d19},   [r1,:64], r2
+        vld1.16         {d6-d7}, [r0,:128]!
         vaddw.u8        q3, q3, d19
         vqmovun.s16     d4, q2
-        vst1.64         {d2},    [r3,:64], r2
-        vld1.64         {d16},   [r1,:64], r2
+        vst1.8          {d2},    [r3,:64], r2
+        vld1.8          {d16},   [r1,:64], r2
         vqmovun.s16     d6, q3
-        vld1.64         {d0-d1}, [r0,:128]!
+        vld1.16         {d0-d1}, [r0,:128]!
         vaddw.u8        q0, q0, d16
-        vst1.64         {d4},    [r3,:64], r2
-        vld1.64         {d17},   [r1,:64], r2
-        vld1.64         {d2-d3}, [r0,:128]!
+        vst1.8          {d4},    [r3,:64], r2
+        vld1.8          {d17},   [r1,:64], r2
+        vld1.16         {d2-d3}, [r0,:128]!
         vaddw.u8        q1, q1, d17
-        vst1.64         {d6},    [r3,:64], r2
+        vst1.8          {d6},    [r3,:64], r2
         vqmovun.s16     d0, q0
-        vld1.64         {d18},   [r1,:64], r2
-        vld1.64         {d4-d5}, [r0,:128]!
+        vld1.8          {d18},   [r1,:64], r2
+        vld1.16         {d4-d5}, [r0,:128]!
         vaddw.u8        q2, q2, d18
-        vst1.64         {d0},    [r3,:64], r2
+        vst1.8          {d0},    [r3,:64], r2
         vqmovun.s16     d2, q1
-        vld1.64         {d19},   [r1,:64], r2
+        vld1.8          {d19},   [r1,:64], r2
         vqmovun.s16     d4, q2
-        vld1.64         {d6-d7}, [r0,:128]!
+        vld1.16         {d6-d7}, [r0,:128]!
         vaddw.u8        q3, q3, d19
-        vst1.64         {d2},    [r3,:64], r2
+        vst1.8          {d2},    [r3,:64], r2
         vqmovun.s16     d6, q3
-        vst1.64         {d4},    [r3,:64], r2
-        vst1.64         {d6},    [r3,:64], r2
+        vst1.8          {d4},    [r3,:64], r2
+        vst1.8          {d6},    [r3,:64], r2
         bx              lr
 endfunc
 
 function ff_vector_fmul_neon, export=1
         subs            r3,  r3,  #8
-        vld1.64         {d0-d3},  [r1,:128]!
-        vld1.64         {d4-d7},  [r2,:128]!
+        vld1.32         {d0-d3},  [r1,:128]!
+        vld1.32         {d4-d7},  [r2,:128]!
         vmul.f32        q8,  q0,  q2
         vmul.f32        q9,  q1,  q3
         beq             3f
         bics            ip,  r3,  #15
         beq             2f
 1:      subs            ip,  ip,  #16
-        vld1.64         {d0-d1},  [r1,:128]!
-        vld1.64         {d4-d5},  [r2,:128]!
+        vld1.32         {d0-d1},  [r1,:128]!
+        vld1.32         {d4-d5},  [r2,:128]!
         vmul.f32        q10, q0,  q2
-        vld1.64         {d2-d3},  [r1,:128]!
-        vld1.64         {d6-d7},  [r2,:128]!
+        vld1.32         {d2-d3},  [r1,:128]!
+        vld1.32         {d6-d7},  [r2,:128]!
         vmul.f32        q11, q1,  q3
-        vst1.64         {d16-d19},[r0,:128]!
-        vld1.64         {d0-d1},  [r1,:128]!
-        vld1.64         {d4-d5},  [r2,:128]!
+        vst1.32         {d16-d19},[r0,:128]!
+        vld1.32         {d0-d1},  [r1,:128]!
+        vld1.32         {d4-d5},  [r2,:128]!
         vmul.f32        q8,  q0,  q2
-        vld1.64         {d2-d3},  [r1,:128]!
-        vld1.64         {d6-d7},  [r2,:128]!
+        vld1.32         {d2-d3},  [r1,:128]!
+        vld1.32         {d6-d7},  [r2,:128]!
         vmul.f32        q9,  q1,  q3
-        vst1.64         {d20-d23},[r0,:128]!
+        vst1.32         {d20-d23},[r0,:128]!
         bne             1b
         ands            r3,  r3,  #15
         beq             3f
-2:      vld1.64         {d0-d1},  [r1,:128]!
-        vld1.64         {d4-d5},  [r2,:128]!
-        vst1.64         {d16-d17},[r0,:128]!
+2:      vld1.32         {d0-d1},  [r1,:128]!
+        vld1.32         {d4-d5},  [r2,:128]!
+        vst1.32         {d16-d17},[r0,:128]!
         vmul.f32        q8,  q0,  q2
-        vld1.64         {d2-d3},  [r1,:128]!
-        vld1.64         {d6-d7},  [r2,:128]!
-        vst1.64         {d18-d19},[r0,:128]!
+        vld1.32         {d2-d3},  [r1,:128]!
+        vld1.32         {d6-d7},  [r2,:128]!
+        vst1.32         {d18-d19},[r0,:128]!
         vmul.f32        q9,  q1,  q3
-3:      vst1.64         {d16-d19},[r0,:128]!
+3:      vst1.32         {d16-d19},[r0,:128]!
         bx              lr
 endfunc
 
@@ -512,10 +582,10 @@ function ff_vector_fmul_window_neon, export=1
         add             r4,  r3,  r5, lsl #3
         add             ip,  r0,  r5, lsl #3
         mov             r5,  #-16
-        vld1.64         {d0,d1},  [r1,:128]!
-        vld1.64         {d2,d3},  [r2,:128], r5
-        vld1.64         {d4,d5},  [r3,:128]!
-        vld1.64         {d6,d7},  [r4,:128], r5
+        vld1.32         {d0,d1},  [r1,:128]!
+        vld1.32         {d2,d3},  [r2,:128], r5
+        vld1.32         {d4,d5},  [r3,:128]!
+        vld1.32         {d6,d7},  [r4,:128], r5
 1:      subs            lr,  lr,  #4
         vmul.f32        d22, d0,  d4
         vrev64.32       q3,  q3
@@ -525,19 +595,19 @@ function ff_vector_fmul_window_neon, export=1
         vmul.f32        d21, d1,  d6
         beq             2f
         vmla.f32        d22, d3,  d7
-        vld1.64         {d0,d1},  [r1,:128]!
+        vld1.32         {d0,d1},  [r1,:128]!
         vmla.f32        d23, d2,  d6
-        vld1.64         {d18,d19},[r2,:128], r5
+        vld1.32         {d18,d19},[r2,:128], r5
         vmls.f32        d20, d3,  d4
-        vld1.64         {d24,d25},[r3,:128]!
+        vld1.32         {d24,d25},[r3,:128]!
         vmls.f32        d21, d2,  d5
-        vld1.64         {d6,d7},  [r4,:128], r5
+        vld1.32         {d6,d7},  [r4,:128], r5
         vmov            q1,  q9
         vrev64.32       q11, q11
         vmov            q2,  q12
         vswp            d22, d23
-        vst1.64         {d20,d21},[r0,:128]!
-        vst1.64         {d22,d23},[ip,:128], r5
+        vst1.32         {d20,d21},[r0,:128]!
+        vst1.32         {d22,d23},[ip,:128], r5
         b               1b
 2:      vmla.f32        d22, d3,  d7
         vmla.f32        d23, d2,  d6
@@ -545,8 +615,8 @@ function ff_vector_fmul_window_neon, export=1
         vmls.f32        d21, d2,  d5
         vrev64.32       q11, q11
         vswp            d22, d23
-        vst1.64         {d20,d21},[r0,:128]!
-        vst1.64         {d22,d23},[ip,:128], r5
+        vst1.32         {d20,d21},[r0,:128]!
+        vst1.32         {d22,d23},[ip,:128], r5
         pop             {r4,r5,pc}
 endfunc
 

libavcodec/arm/h264dsp_init_arm.c

@@ -89,7 +89,7 @@ static void ff_h264dsp_init_neon(H264DSPContext *c, const int bit_depth, const i
     c->h264_idct_dc_add     = ff_h264_idct_dc_add_neon;
     c->h264_idct_add16      = ff_h264_idct_add16_neon;
     c->h264_idct_add16intra = ff_h264_idct_add16intra_neon;
-    if (chroma_format_idc == 1)
+    if (chroma_format_idc <= 1)
         c->h264_idct_add8   = ff_h264_idct_add8_neon;
     c->h264_idct8_add       = ff_h264_idct8_add_neon;
     c->h264_idct8_dc_add    = ff_h264_idct8_dc_add_neon;

libavcodec/arm/int_neon.S

@@ -66,10 +66,10 @@ function ff_scalarproduct_int16_neon, export=1
 
 3:      vpadd.s32       d16, d0,   d1
         vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
         vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
         vpadd.s32       d2,  d0,   d1
         vpaddl.s32      d3,  d2
         vmov.32         r0,  d3[0]
@@ -106,10 +106,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1
 
         vpadd.s32       d16, d0,   d1
         vpadd.s32       d17, d2,   d3
-        vpadd.s32       d10, d4,   d5
-        vpadd.s32       d11, d6,   d7
+        vpadd.s32       d18, d4,   d5
+        vpadd.s32       d19, d6,   d7
         vpadd.s32       d0,  d16,  d17
-        vpadd.s32       d1,  d10,  d11
+        vpadd.s32       d1,  d18,  d19
         vpadd.s32       d2,  d0,   d1
         vpaddl.s32      d3,  d2
         vmov.32         r0,  d3[0]

libavcodec/ass_split.c

@@ -366,7 +366,7 @@ int ff_ass_split_override_codes(const ASSCodesCallbacks *callbacks, void *priv,
     char new_line[2];
     int text_len = 0;
 
-    while (*buf) {
+    while (buf && *buf) {
         if (text && callbacks->text &&
             (sscanf(buf, "\\%1[nN]", new_line) == 1 ||
              !strncmp(buf, "{\\", 2))) {

libavcodec/asv1.c

@@ -535,6 +535,11 @@ static av_cold int decode_init(AVCodecContext *avctx){
     int i;
     const int scale= avctx->codec_id == CODEC_ID_ASV1 ? 1 : 2;
 
+    if (avctx->extradata_size < 1) {
+        av_log(avctx, AV_LOG_ERROR, "No extradata provided\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     common_init(avctx);
     init_vlcs(a);
     ff_init_scantable(a->dsp.idct_permutation, &a->scantable, scantab);

libavcodec/atrac1.c

@@ -33,6 +33,7 @@
 #include <stdio.h>
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "fft.h"
@@ -291,7 +292,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     q->frame.nb_samples = AT1_SU_SAMPLES;
-    if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/atrac3.c

@@ -37,6 +37,7 @@
 #include <stdio.h>
 
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "bytestream.h"
@@ -184,8 +185,11 @@ static int decode_bytes(const uint8_t* inbuffer, uint8_t* out, int bytes){
     uint32_t* obuf = (uint32_t*) out;
 
     off = (intptr_t)inbuffer & 3;
-    buf = (const uint32_t*) (inbuffer - off);
-    c = av_be2ne32((0x537F6103 >> (off*8)) | (0x537F6103 << (32-(off*8))));
+    buf = (const uint32_t *)(inbuffer - off);
+    if (off)
+        c = av_be2ne32((0x537F6103U >> (off * 8)) | (0x537F6103U << (32 - (off * 8))));
+    else
+        c = av_be2ne32(0x537F6103U);
     bytes += 3 + off;
     for (i = 0; i < bytes/4; i++)
         obuf[i] = c ^ buf[i];
@@ -402,7 +406,7 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent
 
             for (k=0; k<coded_components; k++) {
                 sfIndx = get_bits(gb,6);
-                if(component_count>=64)
+                if (component_count >= 64)
                     return AVERROR_INVALIDDATA;
                 pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
                 max_coded_values = SAMPLES_PER_FRAME - pComponent[component_count].pos;
@@ -687,7 +691,8 @@ static int decodeChannelSoundUnit (ATRAC3Context *q, GetBitContext *gb, channel_
     if (result) return result;
 
     pSnd->numComponents = decodeTonalComponents (gb, pSnd->components, pSnd->bandsCoded);
-    if (pSnd->numComponents == -1) return -1;
+    if (pSnd->numComponents < 0)
+        return pSnd->numComponents;
 
     numSubbands = decodeSpectrum (gb, pSnd->spectrum);
 
@@ -769,7 +774,7 @@ static int decodeFrame(ATRAC3Context *q, const uint8_t* databuf,
 
 
         /* set the bitstream reader at the start of the second Sound Unit*/
-        init_get_bits(&q->gb,ptr1,q->bits_per_frame);
+        init_get_bits(&q->gb, ptr1, (q->bytes_per_frame - i) * 8);
 
         /* Fill the Weighting coeffs delay buffer */
         memmove(q->weighting_delay,&(q->weighting_delay[2]),4*sizeof(int));
@@ -848,7 +853,7 @@ static int atrac3_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     q->frame.nb_samples = SAMPLES_PER_FRAME;
-    if ((result = avctx->get_buffer(avctx, &q->frame)) < 0) {
+    if ((result = ff_get_buffer(avctx, &q->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return result;
     }
@@ -972,6 +977,8 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx)
     if (q->codingMode == STEREO) {
         av_log(avctx,AV_LOG_DEBUG,"Normal stereo detected.\n");
     } else if (q->codingMode == JOINT_STEREO) {
+        if (avctx->channels != 2)
+            return AVERROR_INVALIDDATA;
         av_log(avctx,AV_LOG_DEBUG,"Joint stereo detected.\n");
     } else {
         av_log(avctx,AV_LOG_ERROR,"Unknown channel coding mode %x!\n",q->codingMode);

libavcodec/avcodec.h

@@ -4032,7 +4032,8 @@ AVCodecContext *avcodec_alloc_context2(enum AVMediaType);
 
 /**
  * Allocate an AVCodecContext and set its fields to default values.  The
- * resulting struct can be deallocated by simply calling av_free().
+ * resulting struct can be deallocated by calling avcodec_close() on it followed
+ * by av_free().
  *
  * @param codec if non-NULL, allocate private data and initialize defaults
  *              for the given codec. It is illegal to then call avcodec_open2()
@@ -4178,6 +4179,11 @@ int avcodec_open(AVCodecContext *avctx, AVCodec *codec);
  * @endcode
  *
  * @param avctx The context to initialize.
+ * @param codec The codec to open this context for. If a non-NULL codec has been
+ *              previously passed to avcodec_alloc_context3() or
+ *              avcodec_get_context_defaults3() for this context, then this
+ *              parameter MUST be either NULL or equal to the previously passed
+ *              codec.
  * @param options A dictionary filled with AVCodecContext and codec-private options.
  *                On return this object will be filled with options that were not found.
  *
@@ -4463,6 +4469,15 @@ int avcodec_encode_video(AVCodecContext *avctx, uint8_t *buf, int buf_size,
 int avcodec_encode_subtitle(AVCodecContext *avctx, uint8_t *buf, int buf_size,
                             const AVSubtitle *sub);
 
+/**
+ * Close a given AVCodecContext and free all the data associated with it
+ * (but not the AVCodecContext itself).
+ *
+ * Calling this function on an AVCodecContext that hasn't been opened will free
+ * the codec-specific data allocated in avcodec_alloc_context3() /
+ * avcodec_get_context_defaults3() with a non-NULL codec. Subsequent calls will
+ * do nothing.
+ */
 int avcodec_close(AVCodecContext *avctx);
 
 /**
@@ -4874,4 +4889,10 @@ const AVClass *avcodec_get_class(void);
  */
 const AVClass *avcodec_get_frame_class(void);
 
+/**
+ * @return a positive value if s is open (i.e. avcodec_open2() was called on it
+ * with no corresponding avcodec_close()), 0 otherwise.
+ */
+int avcodec_is_open(AVCodecContext *s);
+
 #endif /* AVCODEC_AVCODEC_H */

libavcodec/avs.c

@@ -162,6 +162,7 @@ static av_cold int avs_decode_init(AVCodecContext * avctx)
     AvsContext *const avs = avctx->priv_data;
     avctx->pix_fmt = PIX_FMT_PAL8;
     avcodec_get_frame_defaults(&avs->picture);
+    avcodec_set_dimensions(avctx, 318, 198);
     return 0;
 }
 

libavcodec/bink.c

@@ -167,7 +167,7 @@ static void init_lengths(BinkContext *c, int width, int bw)
  *
  * @param c decoder context
  */
-static av_cold void init_bundles(BinkContext *c)
+static av_cold int init_bundles(BinkContext *c)
 {
     int bw, bh, blocks;
     int i;
@@ -178,8 +178,12 @@ static av_cold void init_bundles(BinkContext *c)
 
     for (i = 0; i < BINKB_NB_SRC; i++) {
         c->bundle[i].data = av_malloc(blocks * 64);
+        if (!c->bundle[i].data)
+            return AVERROR(ENOMEM);
         c->bundle[i].data_end = c->bundle[i].data + blocks * 64;
     }
+
+    return 0;
 }
 
 /**
@@ -675,6 +679,9 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t *
         quant_idx = q;
     }
 
+    if (quant_idx >= 16)
+        return AVERROR_INVALIDDATA;
+
     quant = quant_matrices[quant_idx];
 
     block[0] = (block[0] * quant[0]) >> 11;
@@ -1266,7 +1273,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     BinkContext * const c = avctx->priv_data;
     static VLC_TYPE table[16 * 128][2];
     static int binkb_initialised = 0;
-    int i;
+    int i, ret;
     int flags;
 
     c->version = avctx->codec_tag >> 24;
@@ -1301,7 +1308,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
     dsputil_init(&c->dsp, avctx);
     ff_binkdsp_init(&c->bdsp);
 
-    init_bundles(c);
+    if ((ret = init_bundles(c)) < 0) {
+        free_bundles(c);
+        return ret;
+    }
 
     if (c->version == 'b') {
         if (!binkb_initialised) {

libavcodec/binkaudio.c

@@ -29,6 +29,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #define BITSTREAM_READER_LE
 #include "get_bits.h"
 #include "dsputil.h"
@@ -91,9 +92,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
         frame_len_bits = 11;
     }
 
-    if (avctx->channels > MAX_CHANNELS) {
-        av_log(avctx, AV_LOG_ERROR, "too many channels: %d\n", avctx->channels);
-        return -1;
+    if (avctx->channels < 1 || avctx->channels > MAX_CHANNELS) {
+        av_log(avctx, AV_LOG_ERROR, "invalid number of channels: %d\n", avctx->channels);
+        return AVERROR_INVALIDDATA;
     }
 
     s->version_b = avctx->extradata && avctx->extradata[3] == 'b';
@@ -340,7 +341,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = s->block_size / avctx->channels;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/bitstream.c

@@ -253,9 +253,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
    (byte/word/long) to store the 'bits', 'codes', and 'symbols' tables.
 
    'use_static' should be set to 1 for tables, which should be freed
-   with av_free_static(), 0 if free_vlc() will be used.
+   with av_free_static(), 0 if ff_free_vlc() will be used.
 */
-int init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes,
+int ff_init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes,
              const void *bits, int bits_wrap, int bits_size,
              const void *codes, int codes_wrap, int codes_size,
              const void *symbols, int symbols_wrap, int symbols_size,
@@ -318,7 +318,7 @@ int init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes,
 }
 
 
-void free_vlc(VLC *vlc)
+void ff_free_vlc(VLC *vlc)
 {
     av_freep(&vlc->table);
 }

libavcodec/bmp.c

@@ -53,6 +53,7 @@ static int bmp_decode_frame(AVCodecContext *avctx,
     uint8_t *ptr;
     int dsize;
     const uint8_t *buf0 = buf;
+    GetByteContext gb;
 
     if(buf_size < 14){
         av_log(avctx, AV_LOG_ERROR, "buf size too small (%d)\n", buf_size);
@@ -117,7 +118,7 @@ static int bmp_decode_frame(AVCodecContext *avctx,
 
     depth = bytestream_get_le16(&buf);
 
-    if(ihsize == 40 || ihsize == 64 || ihsize == 56)
+    if (ihsize >= 40)
         comp = bytestream_get_le32(&buf);
     else
         comp = BMP_RGB;
@@ -132,8 +133,7 @@ static int bmp_decode_frame(AVCodecContext *avctx,
         rgb[0] = bytestream_get_le32(&buf);
         rgb[1] = bytestream_get_le32(&buf);
         rgb[2] = bytestream_get_le32(&buf);
-        if (ihsize >= 108)
-            alpha = bytestream_get_le32(&buf);
+        alpha = bytestream_get_le32(&buf);
     }
 
     avctx->width = width;
@@ -231,9 +231,6 @@ static int bmp_decode_frame(AVCodecContext *avctx,
     if(comp == BMP_RLE4 || comp == BMP_RLE8)
         memset(p->data[0], 0, avctx->height * p->linesize[0]);
 
-    if(depth == 4 || depth == 8)
-        memset(p->data[1], 0, 1024);
-
     if(height > 0){
         ptr = p->data[0] + (avctx->height - 1) * p->linesize[0];
         linesize = -p->linesize[0];
@@ -244,6 +241,9 @@ static int bmp_decode_frame(AVCodecContext *avctx,
 
     if(avctx->pix_fmt == PIX_FMT_PAL8){
         int colors = 1 << depth;
+
+        memset(p->data[1], 0, 1024);
+
         if(ihsize >= 36){
             int t;
             buf = buf0 + 46;
@@ -269,7 +269,8 @@ static int bmp_decode_frame(AVCodecContext *avctx,
             p->data[0] += p->linesize[0] * (avctx->height - 1);
             p->linesize[0] = -p->linesize[0];
         }
-        ff_msrle_decode(avctx, (AVPicture*)p, depth, buf, dsize);
+        bytestream2_init(&gb, buf, dsize);
+        ff_msrle_decode(avctx, (AVPicture*)p, depth, &gb);
         if(height < 0){
             p->data[0] += p->linesize[0] * (avctx->height - 1);
             p->linesize[0] = -p->linesize[0];

libavcodec/bmv.c

@@ -20,7 +20,9 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"
+#include "libavutil/avassert.h"
 
 enum BMVFlags{
     BMV_NOP = 0,
@@ -52,7 +54,7 @@ typedef struct BMVDecContext {
 
 static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, int frame_off)
 {
-    int val, saved_val = 0;
+    unsigned val, saved_val = 0;
     int tmplen = src_len;
     const uint8_t *src, *source_end = source + src_len;
     uint8_t *frame_end = frame + SCREEN_WIDE * SCREEN_HIGH;
@@ -98,6 +100,8 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
         }
         if (!(val & 0xC)) {
             for (;;) {
+                if(shift>22)
+                    return -1;
                 if (!read_two_nibbles) {
                     if (src < source || src >= source_end)
                         return -1;
@@ -131,15 +135,16 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
         }
         advance_mode = val & 1;
         len = (val >> 1) - 1;
+        av_assert0(len>0);
         mode += 1 + advance_mode;
         if (mode >= 4)
             mode -= 3;
-        if (FFABS(dst_end - dst) < len)
+        if (len <= 0 || FFABS(dst_end - dst) < len)
             return -1;
         switch (mode) {
         case 1:
             if (forward) {
-                if (dst - frame + SCREEN_WIDE < frame_off ||
+                if (dst - frame + SCREEN_WIDE < -frame_off ||
                         frame_end - dst < frame_off + len)
                     return -1;
                 for (i = 0; i < len; i++)
@@ -147,7 +152,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
                 dst += len;
             } else {
                 dst -= len;
-                if (dst - frame + SCREEN_WIDE < frame_off ||
+                if (dst - frame + SCREEN_WIDE < -frame_off ||
                         frame_end - dst < frame_off + len)
                     return -1;
                 for (i = len - 1; i >= 0; i--)
@@ -264,8 +269,13 @@ static av_cold int decode_init(AVCodecContext *avctx)
     c->avctx = avctx;
     avctx->pix_fmt = PIX_FMT_PAL8;
 
+    if (avctx->width != SCREEN_WIDE || avctx->height != SCREEN_HIGH) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid dimension %dx%d\n", avctx->width, avctx->height);
+        return AVERROR_INVALIDDATA;
+    }
+
     c->pic.reference = 1;
-    if (avctx->get_buffer(avctx, &c->pic) < 0) {
+    if (ff_get_buffer(avctx, &c->pic) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return -1;
     }
@@ -330,7 +340,7 @@ static int bmv_aud_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     c->frame.nb_samples = total_blocks * 32;
-    if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/bytestream.h

@@ -1,6 +1,7 @@
 /*
  * Bytestream functions
  * copyright (c) 2006 Baptiste Coudurier <baptiste.coudurier@free.fr>
+ * Copyright (c) 2012 Aneesh Dogra (lionaneesh) <lionaneesh@gmail.com>
  *
  * This file is part of FFmpeg.
  *
@@ -23,6 +24,7 @@
 #define AVCODEC_BYTESTREAM_H
 
 #include <string.h>
+
 #include "libavutil/common.h"
 #include "libavutil/intreadwrite.h"
 
@@ -30,35 +32,57 @@ typedef struct {
     const uint8_t *buffer, *buffer_end, *buffer_start;
 } GetByteContext;
 
-#define DEF_T(type, name, bytes, read, write)                             \
-static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\
-    (*b) += bytes;\
-    return read(*b - bytes);\
-}\
-static av_always_inline void bytestream_put_ ##name(uint8_t **b, const type value){\
-    write(*b, value);\
-    (*b) += bytes;\
-}\
-static av_always_inline type bytestream2_get_ ## name ## u(GetByteContext *g)\
-{\
-    return bytestream_get_ ## name(&g->buffer);\
-}\
-static av_always_inline type bytestream2_get_ ## name(GetByteContext *g)\
-{\
-    if (g->buffer_end - g->buffer < bytes)\
-        return 0;\
-    return bytestream2_get_ ## name ## u(g);\
-}\
-static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g)\
-{\
-    if (g->buffer_end - g->buffer < bytes)\
-        return 0;\
-    return read(g->buffer);\
+typedef struct {
+    uint8_t *buffer, *buffer_end, *buffer_start;
+    int eof;
+} PutByteContext;
+
+#define DEF_T(type, name, bytes, read, write)                                  \
+static av_always_inline type bytestream_get_ ## name(const uint8_t **b)        \
+{                                                                              \
+    (*b) += bytes;                                                             \
+    return read(*b - bytes);                                                   \
+}                                                                              \
+static av_always_inline void bytestream_put_ ## name(uint8_t **b,              \
+                                                     const type value)         \
+{                                                                              \
+    write(*b, value);                                                          \
+    (*b) += bytes;                                                             \
+}                                                                              \
+static av_always_inline void bytestream2_put_ ## name ## u(PutByteContext *p,  \
+                                                           const type value)   \
+{                                                                              \
+    bytestream_put_ ## name(&p->buffer, value);                                \
+}                                                                              \
+static av_always_inline void bytestream2_put_ ## name(PutByteContext *p,       \
+                                                      const type value)        \
+{                                                                              \
+    if (!p->eof && (p->buffer_end - p->buffer >= bytes)) {                     \
+        write(p->buffer, value);                                               \
+        p->buffer += bytes;                                                    \
+    } else                                                                     \
+        p->eof = 1;                                                            \
+}                                                                              \
+static av_always_inline type bytestream2_get_ ## name ## u(GetByteContext *g)  \
+{                                                                              \
+    return bytestream_get_ ## name(&g->buffer);                                \
+}                                                                              \
+static av_always_inline type bytestream2_get_ ## name(GetByteContext *g)       \
+{                                                                              \
+    if (g->buffer_end - g->buffer < bytes)                                     \
+        return 0;                                                              \
+    return bytestream2_get_ ## name ## u(g);                                   \
+}                                                                              \
+static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g)      \
+{                                                                              \
+    if (g->buffer_end - g->buffer < bytes)                                     \
+        return 0;                                                              \
+    return read(g->buffer);                                                    \
 }
 
-#define DEF(name, bytes, read, write) \
+#define DEF(name, bytes, read, write)                                          \
     DEF_T(unsigned int, name, bytes, read, write)
-#define DEF64(name, bytes, read, write) \
+#define DEF64(name, bytes, read, write)                                        \
     DEF_T(uint64_t, name, bytes, read, write)
 
 DEF64(le64, 8, AV_RL64, AV_WL64)
@@ -112,11 +136,22 @@ DEF  (byte, 1, AV_RB8 , AV_WB8 )
 #endif
 
 static av_always_inline void bytestream2_init(GetByteContext *g,
-                                              const uint8_t *buf, int buf_size)
+                                              const uint8_t *buf,
+                                              int buf_size)
 {
-    g->buffer =  buf;
+    g->buffer       = buf;
     g->buffer_start = buf;
-    g->buffer_end = buf + buf_size;
+    g->buffer_end   = buf + buf_size;
+}
+
+static av_always_inline void bytestream2_init_writer(PutByteContext *p,
+                                                     uint8_t *buf,
+                                                     int buf_size)
+{
+    p->buffer       = buf;
+    p->buffer_start = buf;
+    p->buffer_end   = buf + buf_size;
+    p->eof          = 0;
 }
 
 static av_always_inline unsigned int bytestream2_get_bytes_left(GetByteContext *g)
@@ -124,32 +159,71 @@ static av_always_inline unsigned int bytestream2_get_bytes_left(GetByteContext *
     return g->buffer_end - g->buffer;
 }
 
+static av_always_inline unsigned int bytestream2_get_bytes_left_p(PutByteContext *p)
+{
+    return p->buffer_end - p->buffer;
+}
+
 static av_always_inline void bytestream2_skip(GetByteContext *g,
                                               unsigned int size)
 {
     g->buffer += FFMIN(g->buffer_end - g->buffer, size);
 }
 
+static av_always_inline void bytestream2_skipu(GetByteContext *g,
+                                               unsigned int size)
+{
+    g->buffer += size;
+}
+
+static av_always_inline void bytestream2_skip_p(PutByteContext *p,
+                                                unsigned int size)
+{
+    int size2;
+    if (p->eof)
+        return;
+    size2 = FFMIN(p->buffer_end - p->buffer, size);
+    if (size2 != size)
+        p->eof = 1;
+    p->buffer += size2;
+}
+
 static av_always_inline int bytestream2_tell(GetByteContext *g)
 {
     return (int)(g->buffer - g->buffer_start);
 }
 
-static av_always_inline int bytestream2_seek(GetByteContext *g, int offset,
+static av_always_inline int bytestream2_tell_p(PutByteContext *p)
+{
+    return (int)(p->buffer - p->buffer_start);
+}
+
+static av_always_inline int bytestream2_size(GetByteContext *g)
+{
+    return (int)(g->buffer_end - g->buffer_start);
+}
+
+static av_always_inline int bytestream2_size_p(PutByteContext *p)
+{
+    return (int)(p->buffer_end - p->buffer_start);
+}
+
+static av_always_inline int bytestream2_seek(GetByteContext *g,
+                                             int offset,
                                              int whence)
 {
     switch (whence) {
     case SEEK_CUR:
-        offset = av_clip(offset, -(g->buffer - g->buffer_start),
-                         g->buffer_end - g->buffer);
+        offset     = av_clip(offset, -(g->buffer - g->buffer_start),
+                             g->buffer_end - g->buffer);
         g->buffer += offset;
         break;
     case SEEK_END:
-        offset = av_clip(offset, -(g->buffer_end - g->buffer_start), 0);
+        offset    = av_clip(offset, -(g->buffer_end - g->buffer_start), 0);
         g->buffer = g->buffer_end + offset;
         break;
     case SEEK_SET:
-        offset = av_clip(offset, 0, g->buffer_end - g->buffer_start);
+        offset    = av_clip(offset, 0, g->buffer_end - g->buffer_start);
         g->buffer = g->buffer_start + offset;
         break;
     default:
@@ -158,6 +232,37 @@ static av_always_inline int bytestream2_seek(GetByteContext *g, int offset,
     return bytestream2_tell(g);
 }
 
+static av_always_inline int bytestream2_seek_p(PutByteContext *p,
+                                               int offset,
+                                               int whence)
+{
+    p->eof = 0;
+    switch (whence) {
+    case SEEK_CUR:
+        if (p->buffer_end - p->buffer < offset)
+            p->eof = 1;
+        offset     = av_clip(offset, -(p->buffer - p->buffer_start),
+                             p->buffer_end - p->buffer);
+        p->buffer += offset;
+        break;
+    case SEEK_END:
+        if (offset > 0)
+            p->eof = 1;
+        offset    = av_clip(offset, -(p->buffer_end - p->buffer_start), 0);
+        p->buffer = p->buffer_end + offset;
+        break;
+    case SEEK_SET:
+        if (p->buffer_end - p->buffer_start < offset)
+            p->eof = 1;
+        offset    = av_clip(offset, 0, p->buffer_end - p->buffer_start);
+        p->buffer = p->buffer_start + offset;
+        break;
+    default:
+        return AVERROR(EINVAL);
+    }
+    return bytestream2_tell_p(p);
+}
+
 static av_always_inline unsigned int bytestream2_get_buffer(GetByteContext *g,
                                                             uint8_t *dst,
                                                             unsigned int size)
@@ -168,14 +273,104 @@ static av_always_inline unsigned int bytestream2_get_buffer(GetByteContext *g,
     return size2;
 }
 
-static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, uint8_t *dst, unsigned int size)
+static av_always_inline unsigned int bytestream2_get_bufferu(GetByteContext *g,
+                                                             uint8_t *dst,
+                                                             unsigned int size)
+{
+    memcpy(dst, g->buffer, size);
+    g->buffer += size;
+    return size;
+}
+
+static av_always_inline unsigned int bytestream2_put_buffer(PutByteContext *p,
+                                                            const uint8_t *src,
+                                                            unsigned int size)
+{
+    int size2;
+    if (p->eof)
+        return 0;
+    size2 = FFMIN(p->buffer_end - p->buffer, size);
+    if (size2 != size)
+        p->eof = 1;
+    memcpy(p->buffer, src, size2);
+    p->buffer += size2;
+    return size2;
+}
+
+static av_always_inline unsigned int bytestream2_put_bufferu(PutByteContext *p,
+                                                             const uint8_t *src,
+                                                             unsigned int size)
+{
+    memcpy(p->buffer, src, size);
+    p->buffer += size;
+    return size;
+}
+
+static av_always_inline void bytestream2_set_buffer(PutByteContext *p,
+                                                    const uint8_t c,
+                                                    unsigned int size)
+{
+    int size2;
+    if (p->eof)
+        return;
+    size2 = FFMIN(p->buffer_end - p->buffer, size);
+    if (size2 != size)
+        p->eof = 1;
+    memset(p->buffer, c, size2);
+    p->buffer += size2;
+}
+
+static av_always_inline void bytestream2_set_bufferu(PutByteContext *p,
+                                                     const uint8_t c,
+                                                     unsigned int size)
+{
+    memset(p->buffer, c, size);
+    p->buffer += size;
+}
+
+static av_always_inline unsigned int bytestream2_get_eof(PutByteContext *p)
+{
+    return p->eof;
+}
+
+static av_always_inline unsigned int bytestream2_copy_bufferu(PutByteContext *p,
+                                                              GetByteContext *g,
+                                                              unsigned int size)
+{
+    memcpy(p->buffer, g->buffer, size);
+    p->buffer += size;
+    g->buffer += size;
+    return size;
+}
+
+static av_always_inline unsigned int bytestream2_copy_buffer(PutByteContext *p,
+                                                             GetByteContext *g,
+                                                             unsigned int size)
+{
+    int size2;
+
+    if (p->eof)
+        return 0;
+    size  = FFMIN(g->buffer_end - g->buffer, size);
+    size2 = FFMIN(p->buffer_end - p->buffer, size);
+    if (size2 != size)
+        p->eof = 1;
+
+    return bytestream2_copy_bufferu(p, g, size2);
+}
+
+static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b,
+                                                           uint8_t *dst,
+                                                           unsigned int size)
 {
     memcpy(dst, *b, size);
     (*b) += size;
     return size;
 }
 
-static av_always_inline void bytestream_put_buffer(uint8_t **b, const uint8_t *src, unsigned int size)
+static av_always_inline void bytestream_put_buffer(uint8_t **b,
+                                                   const uint8_t *src,
+                                                   unsigned int size)
 {
     memcpy(*b, src, size);
     (*b) += size;

libavcodec/cavsdec.c

@@ -166,8 +166,8 @@ static inline int decode_residual_inter(AVSContext *h) {
 
     /* get coded block pattern */
     int cbp= get_ue_golomb(&h->s.gb);
-    if(cbp > 63U){
-        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
+    if(cbp > 63 || cbp < 0){
+        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp);
         return -1;
     }
     h->cbp = cbp_tab[cbp][1];
@@ -226,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) {
     /* get coded block pattern */
     if(h->pic_type == AV_PICTURE_TYPE_I)
         cbp_code = get_ue_golomb(gb);
-    if(cbp_code > 63U){
+    if(cbp_code > 63 || cbp_code < 0 ){
         av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
         return -1;
     }
@@ -468,6 +468,11 @@ static int decode_pic(AVSContext *h) {
     int skip_count = -1;
     enum cavs_mb mb_type;
 
+    if (!h->top_qp) {
+        av_log(h, AV_LOG_ERROR, "No sequence header decoded yet\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     if (!s->context_initialized) {
         s->avctx->idct_algo = FF_IDCT_CAVS;
         if (MPV_common_init(s) < 0)
@@ -609,12 +614,21 @@ static int decode_pic(AVSContext *h) {
 static int decode_seq_header(AVSContext *h) {
     MpegEncContext *s = &h->s;
     int frame_rate_code;
+    int width, height;
 
     h->profile =         get_bits(&s->gb,8);
     h->level =           get_bits(&s->gb,8);
     skip_bits1(&s->gb); //progressive sequence
-    s->width =           get_bits(&s->gb,14);
-    s->height =          get_bits(&s->gb,14);
+
+    width  = get_bits(&s->gb, 14);
+    height = get_bits(&s->gb, 14);
+    if ((s->width || s->height) && (s->width != width || s->height != height)) {
+        av_log_missing_feature(s, "Width/height changing in CAVS is", 0);
+        return AVERROR_PATCHWELCOME;
+    }
+    s->width  = width;
+    s->height = height;
+
     skip_bits(&s->gb,2); //chroma format
     skip_bits(&s->gb,3); //sample_precision
     h->aspect_ratio =    get_bits(&s->gb,4);
@@ -656,7 +670,8 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
     if (buf_size == 0) {
         if (!s->low_delay && h->DPB[0].f.data[0]) {
             *data_size = sizeof(AVPicture);
-            *picture = *(AVFrame *) &h->DPB[0];
+            *picture = h->DPB[0].f;
+            memset(&h->DPB[0], 0, sizeof(h->DPB[0]));
         }
         return 0;
     }

libavcodec/cdgraphics.c

@@ -20,6 +20,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"
 
 /**
@@ -268,7 +269,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
 static int cdg_decode_frame(AVCodecContext *avctx,
                             void *data, int *data_size, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
+    GetByteContext gb;
     int buf_size       = avpkt->size;
     int ret;
     uint8_t command, inst;
@@ -280,6 +281,12 @@ static int cdg_decode_frame(AVCodecContext *avctx,
         av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
         return AVERROR(EINVAL);
     }
+    if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n");
+        return AVERROR(EINVAL);
+    }
+
+    bytestream2_init(&gb, avpkt->data, avpkt->size);
 
     ret = avctx->reget_buffer(avctx, &cc->frame);
     if (ret) {
@@ -287,11 +294,11 @@ static int cdg_decode_frame(AVCodecContext *avctx,
         return ret;
     }
 
-    command = bytestream_get_byte(&buf);
-    inst    = bytestream_get_byte(&buf);
+    command = bytestream2_get_byte(&gb);
+    inst    = bytestream2_get_byte(&gb);
     inst    &= CDG_MASK;
-    buf += 2;  /// skipping 2 unneeded bytes
-    bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
+    bytestream2_skip(&gb, 2);
+    bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data));
 
     if ((command & CDG_MASK) == CDG_COMMAND) {
         switch (inst) {
@@ -333,7 +340,7 @@ static int cdg_decode_frame(AVCodecContext *avctx,
             }
 
             cdg_init_frame(&new_frame);
-            ret = avctx->get_buffer(avctx, &new_frame);
+            ret = ff_get_buffer(avctx, &new_frame);
             if (ret) {
                 av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
                 return ret;
@@ -350,11 +357,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
         *data_size = sizeof(AVFrame);
     } else {
         *data_size = 0;
-        buf_size   = 0;
     }
 
     *(AVFrame *) data = cc->frame;
-    return buf_size;
+    return avpkt->size;
 }
 
 static av_cold int cdg_decode_end(AVCodecContext *avctx)

libavcodec/celp_filters.c

@@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,
         out2 -= val * old_out2;
         out3 -= val * old_out3;
 
-        old_out3 = out[-5];
-
         for (i = 5; i <= filter_length; i += 2) {
+            old_out3 = out[-i];
             val = filter_coeffs[i-1];
 
             out0 -= val * old_out3;
@@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,
 
             FFSWAP(float, old_out0, old_out2);
             old_out1 = old_out3;
-            old_out3 = out[-i-2];
         }
 
         tmp0 = out0;

libavcodec/cook.c

@@ -44,6 +44,7 @@
 
 #include "libavutil/lfg.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "bytestream.h"
@@ -321,11 +322,11 @@ static av_cold int cook_decode_close(AVCodecContext *avctx)
 
     /* Free the VLC tables. */
     for (i = 0; i < 13; i++)
-        free_vlc(&q->envelope_quant_index[i]);
+        ff_free_vlc(&q->envelope_quant_index[i]);
     for (i = 0; i < 7; i++)
-        free_vlc(&q->sqvh[i]);
+        ff_free_vlc(&q->sqvh[i]);
     for (i = 0; i < q->num_subpackets; i++)
-        free_vlc(&q->subpacket[i].ccpl);
+        ff_free_vlc(&q->subpacket[i].ccpl);
 
     av_log(avctx, AV_LOG_DEBUG, "Memory deallocated.\n");
 
@@ -366,8 +367,8 @@ static void decode_gain_info(GetBitContext *gb, int *gaininfo)
  * @param q                 pointer to the COOKContext
  * @param quant_index_table pointer to the array
  */
-static void decode_envelope(COOKContext *q, COOKSubpacket *p,
-                            int *quant_index_table)
+static int decode_envelope(COOKContext *q, COOKSubpacket *p,
+                           int *quant_index_table)
 {
     int i, j, vlc_index;
 
@@ -388,7 +389,15 @@ static void decode_envelope(COOKContext *q, COOKSubpacket *p,
         j = get_vlc2(&q->gb, q->envelope_quant_index[vlc_index - 1].table,
                      q->envelope_quant_index[vlc_index - 1].bits, 2);
         quant_index_table[i] = quant_index_table[i - 1] + j - 12; // differential encoding
+        if (quant_index_table[i] > 63 || quant_index_table[i] < -63) {
+            av_log(q->avctx, AV_LOG_ERROR,
+                   "Invalid quantizer %d at position %d, outside [-63, 63] range\n",
+                   quant_index_table[i], i);
+            return AVERROR_INVALIDDATA;
+        }
     }
+
+    return 0;
 }
 
 /**
@@ -507,7 +516,11 @@ static inline void expand_category(COOKContext *q, int *category,
 {
     int i;
     for (i = 0; i < q->num_vectors; i++)
-        ++category[category_index[i]];
+    {
+        int idx = category_index[i];
+        if (++category[idx] >= FF_ARRAY_ELEMS(dither_tab))
+            --category[idx];
+    }
 }
 
 /**
@@ -635,20 +648,24 @@ static void decode_vectors(COOKContext *q, COOKSubpacket *p, int *category,
  * @param q                 pointer to the COOKContext
  * @param mlt_buffer        pointer to mlt coefficients
  */
-static void mono_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer)
+static int mono_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer)
 {
     int category_index[128];
     int quant_index_table[102];
     int category[128];
+    int res;
 
     memset(&category,       0, sizeof(category));
     memset(&category_index, 0, sizeof(category_index));
 
-    decode_envelope(q, p, quant_index_table);
+    if ((res = decode_envelope(q, p, quant_index_table)) < 0)
+        return res;
     q->num_vectors = get_bits(&q->gb, p->log2_numvector_size);
     categorize(q, p, quant_index_table, category, category_index);
     expand_category(q, category, category_index);
     decode_vectors(q, p, category, quant_index_table, mlt_buffer);
+
+    return 0;
 }
 
 
@@ -798,10 +815,10 @@ static void decouple_float(COOKContext *q,
  * @param mlt_buffer1       pointer to left channel mlt coefficients
  * @param mlt_buffer2       pointer to right channel mlt coefficients
  */
-static void joint_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer1,
-                         float *mlt_buffer2)
+static int joint_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer1,
+                        float *mlt_buffer2)
 {
-    int i, j;
+    int i, j, res;
     int decouple_tab[SUBBAND_SIZE];
     float *decode_buffer = q->decode_buffer_0;
     int idx, cpl_tmp;
@@ -815,7 +832,8 @@ static void joint_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer1,
     memset(mlt_buffer1, 0, 1024 * sizeof(*mlt_buffer1));
     memset(mlt_buffer2, 0, 1024 * sizeof(*mlt_buffer2));
     decouple_info(q, p, decouple_tab);
-    mono_decode(q, p, decode_buffer);
+    if ((res = mono_decode(q, p, decode_buffer)) < 0)
+        return res;
 
     /* The two channels are stored interleaved in decode_buffer. */
     for (i = 0; i < p->js_subband_start; i++) {
@@ -832,11 +850,13 @@ static void joint_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer1,
         cpl_tmp = cplband[i];
         idx -= decouple_tab[cpl_tmp];
         cplscale = q->cplscales[p->js_vlc_bits - 2];  // choose decoupler table
-        f1 = cplscale[decouple_tab[cpl_tmp]];
-        f2 = cplscale[idx - 1];
+        f1 = cplscale[decouple_tab[cpl_tmp] + 1];
+        f2 = cplscale[idx];
         q->decouple(q, p, i, f1, f2, decode_buffer, mlt_buffer1, mlt_buffer2);
         idx = (1 << p->js_vlc_bits) - 1;
     }
+
+    return 0;
 }
 
 /**
@@ -909,10 +929,11 @@ static inline void mlt_compensate_output(COOKContext *q, float *decode_buffer,
  * @param inbuffer          pointer to the inbuffer
  * @param outbuffer         pointer to the outbuffer
  */
-static void decode_subpacket(COOKContext *q, COOKSubpacket *p,
-                             const uint8_t *inbuffer, float *outbuffer)
+static int decode_subpacket(COOKContext *q, COOKSubpacket *p,
+                            const uint8_t *inbuffer, float *outbuffer)
 {
     int sub_packet_size = p->size;
+    int res;
     /* packet dump */
     // for (i = 0; i < sub_packet_size ; i++)
     //     av_log(q->avctx, AV_LOG_ERROR, "%02x", inbuffer[i]);
@@ -921,13 +942,16 @@ static void decode_subpacket(COOKContext *q, COOKSubpacket *p,
     decode_bytes_and_gain(q, p, inbuffer, &p->gains1);
 
     if (p->joint_stereo) {
-        joint_decode(q, p, q->decode_buffer_1, q->decode_buffer_2);
+        if ((res = joint_decode(q, p, q->decode_buffer_1, q->decode_buffer_2)) < 0)
+            return res;
     } else {
-        mono_decode(q, p, q->decode_buffer_1);
+        if ((res = mono_decode(q, p, q->decode_buffer_1)) < 0)
+            return res;
 
         if (p->num_channels == 2) {
             decode_bytes_and_gain(q, p, inbuffer + sub_packet_size / 2, &p->gains2);
-            mono_decode(q, p, q->decode_buffer_2);
+            if ((res = mono_decode(q, p, q->decode_buffer_2)) < 0)
+                return res;
         }
     }
 
@@ -941,6 +965,8 @@ static void decode_subpacket(COOKContext *q, COOKSubpacket *p,
         else
             mlt_compensate_output(q, q->decode_buffer_2, &p->gains2,
                                   p->mono_previous_buffer2, outbuffer, p->ch_idx + 1);
+
+    return 0;
 }
 
 
@@ -966,7 +992,7 @@ static int cook_decode_frame(AVCodecContext *avctx, void *data,
     /* get output buffer */
     if (q->discarded_packets >= 2) {
         q->frame.nb_samples = q->samples_per_channel;
-        if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) {
+        if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) {
             av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
             return ret;
         }
@@ -996,7 +1022,8 @@ static int cook_decode_frame(AVCodecContext *avctx, void *data,
                i, q->subpacket[i].size, q->subpacket[i].joint_stereo, offset,
                avctx->block_align);
 
-        decode_subpacket(q, &q->subpacket[i], buf + offset, samples);
+        if ((ret = decode_subpacket(q, &q->subpacket[i], buf + offset, samples)) < 0)
+            return ret;
         offset += q->subpacket[i].size;
         chidx += q->subpacket[i].num_channels;
         av_log(avctx, AV_LOG_DEBUG, "subpacket[%i] %i %i\n",
@@ -1078,6 +1105,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
     q->sample_rate = avctx->sample_rate;
     q->nb_channels = avctx->channels;
     q->bit_rate = avctx->bit_rate;
+    if (!q->nb_channels) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+        return AVERROR_INVALIDDATA;
+    }
 
     /* Initialize RNG. */
     av_lfg_init(&q->random_state, 0);
@@ -1205,6 +1236,11 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
         q->subpacket[s].gains2.now      = q->subpacket[s].gain_3;
         q->subpacket[s].gains2.previous = q->subpacket[s].gain_4;
 
+        if (q->num_subpackets + q->subpacket[s].num_channels > q->nb_channels) {
+            av_log(avctx, AV_LOG_ERROR, "Too many subpackets %d for channels %d\n", q->num_subpackets, q->nb_channels);
+            return AVERROR_INVALIDDATA;
+        }
+
         q->num_subpackets++;
         s++;
         if (s > MAX_SUBPACKETS) {

libavcodec/cookdata.h

@@ -36,8 +36,8 @@ static const int expbits_tab[8] = {
     52,47,43,37,29,22,16,0,
 };
 
-static const float dither_tab[8] = {
-  0.0, 0.0, 0.0, 0.0, 0.0, 0.176777, 0.25, 0.707107,
+static const float dither_tab[9] = {
+  0.0, 0.0, 0.0, 0.0, 0.0, 0.176777, 0.25, 0.707107, 1.0
 };
 
 static const float quant_centroid_tab[7][14] = {
@@ -510,23 +510,37 @@ static const int cplband[51] = {
     19,
 };
 
-static const float cplscale2[3] = {
+// The 1 and 0 at the beginning/end are to prevent overflows with
+// bitstream-read indexes. E.g. if n_bits=5, we can access any
+// index from [1, (1<<n_bits)] for the first decoupling coeff,
+// and (1<<n_bits)-coeff1 as index for coeff2, i.e.:
+// coeff1_idx = [1, 32], and coeff2_idx = [0, 31].
+// These values aren't part of the tables in the original binary.
+
+static const float cplscale2[5] = {
+1,
 0.953020632266998,0.70710676908493,0.302905440330505,
+0,
 };
 
-static const float cplscale3[7] = {
+static const float cplscale3[9] = {
+1,
 0.981279790401459,0.936997592449188,0.875934481620789,0.70710676908493,
 0.482430040836334,0.349335819482803,0.192587479948997,
+0,
 };
 
-static const float cplscale4[15] = {
+static const float cplscale4[17] = {
+1,
 0.991486728191376,0.973249018192291,0.953020632266998,0.930133521556854,
 0.903453230857849,0.870746195316315,0.826180458068848,0.70710676908493,
 0.563405573368073,0.491732746362686,0.428686618804932,0.367221474647522,
 0.302905440330505,0.229752898216248,0.130207896232605,
+0,
 };
 
-static const float cplscale5[31] = {
+static const float cplscale5[33] = {
+1,
 0.995926380157471,0.987517595291138,0.978726446628571,0.969505727291107,
 0.95979779958725,0.949531257152557,0.938616216182709,0.926936149597168,
 0.914336204528809,0.900602877140045,0.885426938533783,0.868331849575043,
@@ -535,9 +549,11 @@ static const float cplscale5[31] = {
 0.464778542518616,0.434642940759659,0.404955863952637,0.375219136476517,
 0.344963222742081,0.313672333955765,0.280692428350449,0.245068684220314,
 0.205169528722763,0.157508864998817,0.0901700109243393,
+0,
 };
 
-static const float cplscale6[63] = {
+static const float cplscale6[65] = {
+1,
 0.998005926609039,0.993956744670868,0.989822506904602,0.985598564147949,
 0.981279790401459,0.976860702037811,0.972335040569305,0.967696130275726,
 0.962936460971832,0.958047747612000,0.953020632266998,0.947844684123993,
@@ -554,6 +570,7 @@ static const float cplscale6[63] = {
 0.302905440330505,0.286608695983887,0.269728302955627,0.252119421958923,
 0.233590632677078,0.213876649737358,0.192587479948997,0.169101938605309,
 0.142307326197624,0.109772264957428,0.0631198287010193,
+0,
 };
 
 static const float* const cplscales[5] = {

libavcodec/cscd.c

@@ -228,7 +228,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
             av_log(avctx, AV_LOG_ERROR,
                    "CamStudio codec error: invalid depth %i bpp\n",
                    avctx->bits_per_coded_sample);
-            return 1;
+            return AVERROR_INVALIDDATA;
     }
     c->bpp = avctx->bits_per_coded_sample;
     avcodec_get_frame_defaults(&c->pic);
@@ -242,7 +242,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
     c->decomp_buf = av_malloc(c->decomp_size + AV_LZO_OUTPUT_PADDING);
     if (!c->decomp_buf) {
         av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
-        return 1;
+        return AVERROR(ENOMEM);
     }
     return 0;
 }

libavcodec/dca.c

@@ -29,8 +29,10 @@
 #include "libavutil/common.h"
 #include "libavutil/intmath.h"
 #include "libavutil/intreadwrite.h"
+#include "libavutil/mathematics.h"
 #include "libavutil/audioconvert.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "dsputil.h"
 #include "fft.h"
 #include "get_bits.h"
@@ -576,6 +578,11 @@ static int dca_parse_frame_header(DCAContext *s)
     s->lfe               = get_bits(&s->gb, 2);
     s->predictor_history = get_bits(&s->gb, 1);
 
+    if (s->lfe > 2) {
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);
+        return AVERROR_INVALIDDATA;
+    }
+
     /* TODO: check CRC */
     if (s->crc_present)
         s->header_crc    = get_bits(&s->gb, 16);
@@ -638,13 +645,20 @@ static int dca_parse_frame_header(DCAContext *s)
 }
 
 
-static inline int get_scale(GetBitContext *gb, int level, int value)
+static inline int get_scale(GetBitContext *gb, int level, int value, int log2range)
 {
     if (level < 5) {
         /* huffman encoded */
         value += get_bitalloc(gb, &dca_scalefactor, level);
-    } else if (level < 8)
-        value = get_bits(gb, level + 1);
+        value = av_clip(value, 0, (1 << log2range) - 1);
+    } else if (level < 8) {
+        if (level + 1 > log2range) {
+            skip_bits(gb, level + 1 - log2range);
+            value = get_bits(gb, log2range);
+        } else {
+            value = get_bits(gb, level + 1);
+        }
+    }
     return value;
 }
 
@@ -717,28 +731,31 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index)
 
     for (j = base_channel; j < s->prim_channels; j++) {
         const uint32_t *scale_table;
-        int scale_sum;
+        int scale_sum, log_size;
 
         memset(s->scale_factor[j], 0,
                s->subband_activity[j] * sizeof(s->scale_factor[0][0][0]) * 2);
 
-        if (s->scalefactor_huffman[j] == 6)
+        if (s->scalefactor_huffman[j] == 6) {
             scale_table = scale_factor_quant7;
-        else
+            log_size = 7;
+        } else {
             scale_table = scale_factor_quant6;
+            log_size = 6;
+        }
 
         /* When huffman coded, only the difference is encoded */
         scale_sum = 0;
 
         for (k = 0; k < s->subband_activity[j]; k++) {
             if (k >= s->vq_start_subband[j] || s->bitalloc[j][k] > 0) {
-                scale_sum = get_scale(&s->gb, s->scalefactor_huffman[j], scale_sum);
+                scale_sum = get_scale(&s->gb, s->scalefactor_huffman[j], scale_sum, log_size);
                 s->scale_factor[j][k][0] = scale_table[scale_sum];
             }
 
             if (k < s->vq_start_subband[j] && s->transition_mode[j][k]) {
                 /* Get second scale factor */
-                scale_sum = get_scale(&s->gb, s->scalefactor_huffman[j], scale_sum);
+                scale_sum = get_scale(&s->gb, s->scalefactor_huffman[j], scale_sum, log_size);
                 s->scale_factor[j][k][1] = scale_table[scale_sum];
             }
         }
@@ -767,8 +784,7 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index)
              * (is this valid as well for joint scales ???) */
 
             for (k = s->subband_activity[j]; k < s->subband_activity[source_channel]; k++) {
-                scale = get_scale(&s->gb, s->joint_huff[j], 0);
-                scale += 64;    /* bias */
+                scale = get_scale(&s->gb, s->joint_huff[j], 64 /* bias */, 7);
                 s->joint_scale_factor[j][k] = scale;    /*joint_scale_table[scale]; */
             }
 
@@ -789,6 +805,18 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index)
             }
         } else {
             int am = s->amode & DCA_CHANNEL_MASK;
+            if (am >= FF_ARRAY_ELEMS(dca_default_coeffs)) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "Invalid channel mode %d\n", am);
+                return AVERROR_INVALIDDATA;
+            }
+
+            if (s->prim_channels > FF_ARRAY_ELEMS(dca_default_coeffs[0])) {
+                av_log_ask_for_sample(s->avctx, "Downmixing %d channels",
+                                      s->prim_channels);
+                return AVERROR_PATCHWELCOME;
+            }
+
             for (j = base_channel; j < s->prim_channels; j++) {
                 s->downmix_coef[j][0] = dca_default_coeffs[am][j][0];
                 s->downmix_coef[j][1] = dca_default_coeffs[am][j][1];
@@ -828,7 +856,8 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index)
         }
 
         /* Scale factor index */
-        s->lfe_scale_factor = scale_factor_quant7[get_bits(&s->gb, 8)];
+        skip_bits(&s->gb, 1);
+        s->lfe_scale_factor = scale_factor_quant7[get_bits(&s->gb, 7)];
 
         /* Quantization step size * scale factor */
         lfe_scale = 0.035 * s->lfe_scale_factor;
@@ -1237,6 +1266,7 @@ static int dca_subsubframe(DCAContext *s, int base_channel, int block_index)
 #endif
         } else {
             av_log(s->avctx, AV_LOG_ERROR, "Didn't get subframe DSYNC\n");
+            return AVERROR_INVALIDDATA;
         }
     }
 
@@ -1866,7 +1896,7 @@ static int dca_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = 256 * (s->sample_blocks / 8);
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }

libavcodec/dcadata.h

@@ -7528,7 +7528,7 @@ static const float dca_downmix_coeffs[65] = {
   0.001412537544623, 0.001000000000000, 0.000501187233627, 0.000251188643151, 0.000000000000000,
 };
 
-static const uint8_t dca_default_coeffs[16][5][2] = {
+static const uint8_t dca_default_coeffs[10][5][2] = {
     { { 13, 13 },                                                 },
     { {  0, 64 }, { 64,  0 },                                     },
     { {  0, 64 }, { 64,  0 },                                     },

libavcodec/dct-test.c

@@ -234,8 +234,10 @@ static void init_block(DCTELEM block[64], int test, int is_idct, AVLFG *prng, in
         break;
     case 1:
         j = av_lfg_get(prng) % 10 + 1;
-        for (i = 0; i < j; i++)
-            block[av_lfg_get(prng) % 64] = av_lfg_get(prng) % (2*vals) -vals;
+        for (i = 0; i < j; i++) {
+            int idx = av_lfg_get(prng) % 64;
+            block[idx] = av_lfg_get(prng) % (2*vals) -vals;
+        }
         break;
     case 2:
         block[ 0] = av_lfg_get(prng) % (16*vals) - (8*vals);

libavcodec/dfa.c

@@ -21,8 +21,10 @@
  */
 
 #include "avcodec.h"
-#include "libavutil/intreadwrite.h"
+#include "internal.h"
 #include "bytestream.h"
+
+#include "libavutil/imgutils.h"
 #include "libavutil/lzo.h" // for av_memcpy_backptr
 
 typedef struct DfaContext {
@@ -35,9 +37,13 @@ typedef struct DfaContext {
 static av_cold int dfa_decode_init(AVCodecContext *avctx)
 {
     DfaContext *s = avctx->priv_data;
+    int ret;
 
     avctx->pix_fmt = PIX_FMT_PAL8;
 
+    if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
+        return ret;
+
     s->frame_buf = av_mallocz(avctx->width * avctx->height + AV_LZO_OUTPUT_PADDING);
     if (!s->frame_buf)
         return AVERROR(ENOMEM);
@@ -45,19 +51,16 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx)
     return 0;
 }
 
-static int decode_copy(uint8_t *frame, int width, int height,
-                       const uint8_t *src, const uint8_t *src_end)
+static int decode_copy(GetByteContext *gb, uint8_t *frame, int width, int height)
 {
     const int size = width * height;
 
-    if (src_end - src < size)
-        return -1;
-    bytestream_get_buffer(&src, frame, size);
+    if (bytestream2_get_buffer(gb, frame, size) != size)
+        return AVERROR_INVALIDDATA;
     return 0;
 }
 
-static int decode_tsw1(uint8_t *frame, int width, int height,
-                       const uint8_t *src, const uint8_t *src_end)
+static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height)
 {
     const uint8_t *frame_start = frame;
     const uint8_t *frame_end   = frame + width * height;
@@ -65,31 +68,31 @@ static int decode_tsw1(uint8_t *frame, int width, int height,
     int v, count, segments;
     unsigned offset;
 
-    segments = bytestream_get_le32(&src);
-    offset   = bytestream_get_le32(&src);
+    segments = bytestream2_get_le32(gb);
+    offset   = bytestream2_get_le32(gb);
     if (frame_end - frame <= offset)
-        return -1;
+        return AVERROR_INVALIDDATA;
     frame += offset;
     while (segments--) {
+        if (bytestream2_get_bytes_left(gb) < 2)
+            return AVERROR_INVALIDDATA;
         if (mask == 0x10000) {
-            if (src >= src_end)
-                return -1;
-            bitbuf = bytestream_get_le16(&src);
+            bitbuf = bytestream2_get_le16u(gb);
             mask = 1;
         }
-        if (src_end - src < 2 || frame_end - frame < 2)
-            return -1;
+        if (frame_end - frame < 2)
+            return AVERROR_INVALIDDATA;
         if (bitbuf & mask) {
-            v = bytestream_get_le16(&src);
+            v = bytestream2_get_le16(gb);
             offset = (v & 0x1FFF) << 1;
             count = ((v >> 13) + 2) << 1;
             if (frame - frame_start < offset || frame_end - frame < count)
-                return -1;
+                return AVERROR_INVALIDDATA;
             av_memcpy_backptr(frame, offset, count);
             frame += count;
         } else {
-            *frame++ = *src++;
-            *frame++ = *src++;
+            *frame++ = bytestream2_get_byte(gb);
+            *frame++ = bytestream2_get_byte(gb);
         }
         mask <<= 1;
     }
@@ -97,39 +100,38 @@ static int decode_tsw1(uint8_t *frame, int width, int height,
     return 0;
 }
 
-static int decode_dsw1(uint8_t *frame, int width, int height,
-                       const uint8_t *src, const uint8_t *src_end)
+static int decode_dsw1(GetByteContext *gb, uint8_t *frame, int width, int height)
 {
     const uint8_t *frame_start = frame;
     const uint8_t *frame_end   = frame + width * height;
     int mask = 0x10000, bitbuf = 0;
     int v, offset, count, segments;
 
-    segments = bytestream_get_le16(&src);
+    segments = bytestream2_get_le16(gb);
     while (segments--) {
+        if (bytestream2_get_bytes_left(gb) < 2)
+            return AVERROR_INVALIDDATA;
         if (mask == 0x10000) {
-            if (src >= src_end)
-                return -1;
-            bitbuf = bytestream_get_le16(&src);
+            bitbuf = bytestream2_get_le16u(gb);
             mask = 1;
         }
-        if (src_end - src < 2 || frame_end - frame < 2)
-            return -1;
+        if (frame_end - frame < 2)
+            return AVERROR_INVALIDDATA;
         if (bitbuf & mask) {
-            v = bytestream_get_le16(&src);
+            v = bytestream2_get_le16(gb);
             offset = (v & 0x1FFF) << 1;
             count = ((v >> 13) + 2) << 1;
             if (frame - frame_start < offset || frame_end - frame < count)
-                return -1;
+                return AVERROR_INVALIDDATA;
             // can't use av_memcpy_backptr() since it can overwrite following pixels
             for (v = 0; v < count; v++)
                 frame[v] = frame[v - offset];
             frame += count;
         } else if (bitbuf & (mask << 1)) {
-            frame += bytestream_get_le16(&src);
+            frame += bytestream2_get_le16(gb);
         } else {
-            *frame++ = *src++;
-            *frame++ = *src++;
+            *frame++ = bytestream2_get_byte(gb);
+            *frame++ = bytestream2_get_byte(gb);
         }
         mask <<= 2;
     }
@@ -137,30 +139,28 @@ static int decode_dsw1(uint8_t *frame, int width, int height,
     return 0;
 }
 
-static int decode_dds1(uint8_t *frame, int width, int height,
-                       const uint8_t *src, const uint8_t *src_end)
+static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height)
 {
     const uint8_t *frame_start = frame;
     const uint8_t *frame_end   = frame + width * height;
     int mask = 0x10000, bitbuf = 0;
     int i, v, offset, count, segments;
 
-    segments = bytestream_get_le16(&src);
+    segments = bytestream2_get_le16(gb);
     while (segments--) {
+        if (bytestream2_get_bytes_left(gb) < 2)
+            return AVERROR_INVALIDDATA;
         if (mask == 0x10000) {
-            if (src >= src_end)
-                return -1;
-            bitbuf = bytestream_get_le16(&src);
+            bitbuf = bytestream2_get_le16u(gb);
             mask = 1;
         }
-        if (src_end - src < 2 || frame_end - frame < 2)
-            return -1;
+
         if (bitbuf & mask) {
-            v = bytestream_get_le16(&src);
+            v = bytestream2_get_le16(gb);
             offset = (v & 0x1FFF) << 2;
             count = ((v >> 13) + 2) << 1;
             if (frame - frame_start < offset || frame_end - frame < count*2 + width)
-                return -1;
+                return AVERROR_INVALIDDATA;
             for (i = 0; i < count; i++) {
                 frame[0] = frame[1] =
                 frame[width] = frame[width + 1] = frame[-offset];
@@ -168,13 +168,18 @@ static int decode_dds1(uint8_t *frame, int width, int height,
                 frame += 2;
             }
         } else if (bitbuf & (mask << 1)) {
-            frame += bytestream_get_le16(&src) * 2;
+            v = bytestream2_get_le16(gb)*2;
+            if (frame - frame_end < v)
+                return AVERROR_INVALIDDATA;
+            frame += v;
         } else {
+            if (frame_end - frame < width + 3)
+                return AVERROR_INVALIDDATA;
             frame[0] = frame[1] =
-            frame[width] = frame[width + 1] =  *src++;
+            frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
             frame += 2;
             frame[0] = frame[1] =
-            frame[width] = frame[width + 1] =  *src++;
+            frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
             frame += 2;
         }
         mask <<= 2;
@@ -183,40 +188,40 @@ static int decode_dds1(uint8_t *frame, int width, int height,
     return 0;
 }
 
-static int decode_bdlt(uint8_t *frame, int width, int height,
-                       const uint8_t *src, const uint8_t *src_end)
+static int decode_bdlt(GetByteContext *gb, uint8_t *frame, int width, int height)
 {
     uint8_t *line_ptr;
     int count, lines, segments;
 
-    count = bytestream_get_le16(&src);
+    count = bytestream2_get_le16(gb);
     if (count >= height)
-        return -1;
+        return AVERROR_INVALIDDATA;
     frame += width * count;
-    lines = bytestream_get_le16(&src);
-    if (count + lines > height || src >= src_end)
-        return -1;
+    lines = bytestream2_get_le16(gb);
+    if (count + lines > height)
+        return AVERROR_INVALIDDATA;
 
     while (lines--) {
+        if (bytestream2_get_bytes_left(gb) < 1)
+            return AVERROR_INVALIDDATA;
         line_ptr = frame;
         frame += width;
-        segments = *src++;
+        segments = bytestream2_get_byteu(gb);
         while (segments--) {
-            if (src_end - src < 3)
-                return -1;
-            if (frame - line_ptr <= *src)
-                return -1;
-            line_ptr += *src++;
-            count = (int8_t)*src++;
+            if (frame - line_ptr <= bytestream2_peek_byte(gb))
+                return AVERROR_INVALIDDATA;
+            line_ptr += bytestream2_get_byte(gb);
+            count = (int8_t)bytestream2_get_byte(gb);
             if (count >= 0) {
-                if (frame - line_ptr < count || src_end - src < count)
-                    return -1;
-                bytestream_get_buffer(&src, line_ptr, count);
+                if (frame - line_ptr < count)
+                    return AVERROR_INVALIDDATA;
+                if (bytestream2_get_buffer(gb, line_ptr, count) != count)
+                    return AVERROR_INVALIDDATA;
             } else {
                 count = -count;
-                if (frame - line_ptr < count || src >= src_end)
-                    return -1;
-                memset(line_ptr, *src++, count);
+                if (frame - line_ptr < count)
+                    return AVERROR_INVALIDDATA;
+                memset(line_ptr, bytestream2_get_byte(gb), count);
             }
             line_ptr += count;
         }
@@ -225,49 +230,55 @@ static int decode_bdlt(uint8_t *frame, int width, int height,
     return 0;
 }
 
-static int decode_wdlt(uint8_t *frame, int width, int height,
-                       const uint8_t *src, const uint8_t *src_end)
+static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height)
 {
     const uint8_t *frame_end   = frame + width * height;
     uint8_t *line_ptr;
     int count, i, v, lines, segments;
+    int y = 0;
 
-    lines = bytestream_get_le16(&src);
-    if (lines > height || src >= src_end)
-        return -1;
+    lines = bytestream2_get_le16(gb);
+    if (lines > height)
+        return AVERROR_INVALIDDATA;
 
     while (lines--) {
-        segments = bytestream_get_le16(&src);
+        if (bytestream2_get_bytes_left(gb) < 2)
+            return AVERROR_INVALIDDATA;
+        segments = bytestream2_get_le16u(gb);
         while ((segments & 0xC000) == 0xC000) {
+            unsigned skip_lines = -(int16_t)segments;
             unsigned delta = -((int16_t)segments * width);
-            if (frame_end - frame <= delta)
-                return -1;
+            if (frame_end - frame <= delta || y + lines + skip_lines > height)
+                return AVERROR_INVALIDDATA;
             frame    += delta;
-            segments = bytestream_get_le16(&src);
+            y        += skip_lines;
+            segments = bytestream2_get_le16(gb);
         }
         if (segments & 0x8000) {
             frame[width - 1] = segments & 0xFF;
-            segments = bytestream_get_le16(&src);
+            segments = bytestream2_get_le16(gb);
         }
         line_ptr = frame;
+        if (frame_end - frame < width)
+            return AVERROR_INVALIDDATA;
         frame += width;
+        y++;
         while (segments--) {
-            if (src_end - src < 2)
-                return -1;
-            if (frame - line_ptr <= *src)
-                return -1;
-            line_ptr += *src++;
-            count = (int8_t)*src++;
+            if (frame - line_ptr <= bytestream2_peek_byte(gb))
+                return AVERROR_INVALIDDATA;
+            line_ptr += bytestream2_get_byte(gb);
+            count = (int8_t)bytestream2_get_byte(gb);
             if (count >= 0) {
-                if (frame - line_ptr < count*2 || src_end - src < count*2)
-                    return -1;
-                bytestream_get_buffer(&src, line_ptr, count*2);
+                if (frame - line_ptr < count * 2)
+                    return AVERROR_INVALIDDATA;
+                if (bytestream2_get_buffer(gb, line_ptr, count * 2) != count * 2)
+                    return AVERROR_INVALIDDATA;
                 line_ptr += count * 2;
             } else {
                 count = -count;
-                if (frame - line_ptr < count*2 || src_end - src < 2)
-                    return -1;
-                v = bytestream_get_le16(&src);
+                if (frame - line_ptr < count * 2)
+                    return AVERROR_INVALIDDATA;
+                v = bytestream2_get_le16(gb);
                 for (i = 0; i < count; i++)
                     bytestream_put_le16(&line_ptr, v);
             }
@@ -277,22 +288,19 @@ static int decode_wdlt(uint8_t *frame, int width, int height,
     return 0;
 }
 
-static int decode_unk6(uint8_t *frame, int width, int height,
-                       const uint8_t *src, const uint8_t *src_end)
+static int decode_unk6(GetByteContext *gb, uint8_t *frame, int width, int height)
 {
-    return -1;
+    return AVERROR_PATCHWELCOME;
 }
 
-static int decode_blck(uint8_t *frame, int width, int height,
-                       const uint8_t *src, const uint8_t *src_end)
+static int decode_blck(GetByteContext *gb, uint8_t *frame, int width, int height)
 {
     memset(frame, 0, width * height);
     return 0;
 }
 
 
-typedef int (*chunk_decoder)(uint8_t *frame, int width, int height,
-                             const uint8_t *src, const uint8_t *src_end);
+typedef int (*chunk_decoder)(GetByteContext *gb, uint8_t *frame, int width, int height);
 
 static const chunk_decoder decoder[8] = {
     decode_copy, decode_tsw1, decode_bdlt, decode_wdlt,
@@ -308,9 +316,8 @@ static int dfa_decode_frame(AVCodecContext *avctx,
                             AVPacket *avpkt)
 {
     DfaContext *s = avctx->priv_data;
+    GetByteContext gb;
     const uint8_t *buf = avpkt->data;
-    const uint8_t *buf_end = avpkt->data + avpkt->size;
-    const uint8_t *tmp_buf;
     uint32_t chunk_type, chunk_size;
     uint8_t *dst;
     int ret;
@@ -319,35 +326,30 @@ static int dfa_decode_frame(AVCodecContext *avctx,
     if (s->pic.data[0])
         avctx->release_buffer(avctx, &s->pic);
 
-    if ((ret = avctx->get_buffer(avctx, &s->pic))) {
+    if ((ret = ff_get_buffer(avctx, &s->pic))) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
 
-    while (buf < buf_end) {
-        chunk_size = AV_RL32(buf + 4);
-        chunk_type = AV_RL32(buf + 8);
-        buf += 12;
-        if (buf_end - buf < chunk_size) {
-            av_log(avctx, AV_LOG_ERROR, "Chunk size is too big (%d bytes)\n", chunk_size);
-            return -1;
-        }
+    bytestream2_init(&gb, avpkt->data, avpkt->size);
+    while (bytestream2_get_bytes_left(&gb) > 0) {
+        bytestream2_skip(&gb, 4);
+        chunk_size = bytestream2_get_le32(&gb);
+        chunk_type = bytestream2_get_le32(&gb);
         if (!chunk_type)
             break;
         if (chunk_type == 1) {
             pal_elems = FFMIN(chunk_size / 3, 256);
-            tmp_buf = buf;
             for (i = 0; i < pal_elems; i++) {
-                s->pal[i] = bytestream_get_be24(&tmp_buf) << 2;
+                s->pal[i] = bytestream2_get_be24(&gb) << 2;
                 s->pal[i] |= 0xFF << 24 | (s->pal[i] >> 6) & 0x30303;
             }
             s->pic.palette_has_changed = 1;
         } else if (chunk_type <= 9) {
-            if (decoder[chunk_type - 2](s->frame_buf, avctx->width, avctx->height,
-                                        buf, buf + chunk_size)) {
+            if (decoder[chunk_type - 2](&gb, s->frame_buf, avctx->width, avctx->height)) {
                 av_log(avctx, AV_LOG_ERROR, "Error decoding %s chunk\n",
                        chunk_name[chunk_type - 2]);
-                return -1;
+                return AVERROR_INVALIDDATA;
             }
         } else {
             av_log(avctx, AV_LOG_WARNING, "Ignoring unknown chunk type %d\n",

libavcodec/diracdec.c

@@ -491,10 +491,16 @@ static inline void codeblock(DiracContext *s, SubBand *b,
     }
 
     if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) {
+        int quant = b->quant;
         if (is_arith)
-            b->quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
+            quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
         else
-            b->quant += dirac_get_se_golomb(gb);
+            quant += dirac_get_se_golomb(gb);
+        if (quant < 0) {
+            av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n");
+            return;
+        }
+        b->quant = quant;
     }
 
     b->quant = FFMIN(b->quant, MAX_QUANT);
@@ -619,7 +625,7 @@ static void decode_component(DiracContext *s, int comp)
                 b->quant = svq3_get_ue_golomb(&s->gb);
                 align_get_bits(&s->gb);
                 b->coeff_data = s->gb.buffer + get_bits_count(&s->gb)/8;
-                b->length = FFMIN(b->length, get_bits_left(&s->gb)/8);
+                b->length = FFMIN(b->length, FFMAX(get_bits_left(&s->gb)/8, 0));
                 skip_bits_long(&s->gb, b->length*8);
             }
         }
@@ -1172,7 +1178,7 @@ static void propagate_block_data(DiracBlock *block, int stride, int size)
  * Dirac Specification ->
  * 12. Block motion data syntax
  */
-static void dirac_unpack_block_motion_data(DiracContext *s)
+static int dirac_unpack_block_motion_data(DiracContext *s)
 {
     GetBitContext *gb = &s->gb;
     uint8_t *sbsplit = s->sbsplit;
@@ -1192,7 +1198,9 @@ static void dirac_unpack_block_motion_data(DiracContext *s)
     ff_dirac_init_arith_decoder(arith, gb, svq3_get_ue_golomb(gb));     /* svq3_get_ue_golomb(gb) is the length */
     for (y = 0; y < s->sbheight; y++) {
         for (x = 0; x < s->sbwidth; x++) {
-            int split  = dirac_get_arith_uint(arith, CTX_SB_F1, CTX_SB_DATA);
+            unsigned int split  = dirac_get_arith_uint(arith, CTX_SB_F1, CTX_SB_DATA);
+            if (split > 2)
+                return -1;
             sbsplit[x] = (split + pred_sbsplit(sbsplit+x, s->sbwidth, x, y)) % 3;
         }
         sbsplit += s->sbwidth;
@@ -1221,6 +1229,8 @@ static void dirac_unpack_block_motion_data(DiracContext *s)
                     propagate_block_data(block, s->blwidth, step);
                 }
         }
+
+    return 0;
 }
 
 static int weight(int i, int blen, int offset)
@@ -1322,8 +1332,8 @@ static int mc_subpel(DiracContext *s, DiracBlock *block, const uint8_t *src[5],
         motion_y >>= s->chroma_y_shift;
     }
 
-    mx         = motion_x & ~(-1 << s->mv_precision);
-    my         = motion_y & ~(-1 << s->mv_precision);
+    mx         = motion_x & ~(-1U << s->mv_precision);
+    my         = motion_y & ~(-1U << s->mv_precision);
     motion_x >>= s->mv_precision;
     motion_y >>= s->mv_precision;
     /* normalize subpel coordinates to epel */
@@ -1675,7 +1685,8 @@ static int dirac_decode_picture_header(DiracContext *s)
     if (s->num_refs) {
         if (dirac_unpack_prediction_parameters(s))  /* [DIRAC_STD] 11.2 Picture Prediction Data. picture_prediction() */
             return -1;
-        dirac_unpack_block_motion_data(s);          /* [DIRAC_STD] 12. Block motion data syntax                       */
+        if (dirac_unpack_block_motion_data(s))      /* [DIRAC_STD] 12. Block motion data syntax                       */
+            return -1;
     }
     if (dirac_unpack_idwt_params(s))                /* [DIRAC_STD] 11.3 Wavelet transform data                        */
         return -1;

libavcodec/dnxhddata.c

@@ -1038,7 +1038,7 @@ int ff_dnxhd_find_cid(AVCodecContext *avctx, int bit_depth)
         if (cid->width == avctx->width && cid->height == avctx->height &&
             cid->interlaced == !!(avctx->flags & CODEC_FLAG_INTERLACED_DCT) &&
             cid->bit_depth == bit_depth) {
-            for (j = 0; j < sizeof(cid->bit_rates); j++) {
+            for (j = 0; j < FF_ARRAY_ELEMS(cid->bit_rates); j++) {
                 if (cid->bit_rates[j] == mbs)
                     return cid->cid;
             }

libavcodec/dnxhddec.c

@@ -38,6 +38,7 @@ typedef struct DNXHDContext {
     GetBitContext gb;
     int cid;                            ///< compression id
     unsigned int width, height;
+    enum PixelFormat pix_fmt;
     unsigned int mb_width, mb_height;
     uint32_t mb_scan_index[68];         /* max for 1080p */
     int cur_field;                      ///< current interlaced field
@@ -84,9 +85,9 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, int cid)
         }
         ctx->cid_table = &ff_dnxhd_cid_table[index];
 
-        free_vlc(&ctx->ac_vlc);
-        free_vlc(&ctx->dc_vlc);
-        free_vlc(&ctx->run_vlc);
+        ff_free_vlc(&ctx->ac_vlc);
+        ff_free_vlc(&ctx->dc_vlc);
+        ff_free_vlc(&ctx->run_vlc);
 
         init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
                  ctx->cid_table->ac_bits, 1, 1,
@@ -129,7 +130,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si
     av_dlog(ctx->avctx, "width %d, height %d\n", ctx->width, ctx->height);
 
     if (buf[0x21] & 0x40) {
-        ctx->avctx->pix_fmt = PIX_FMT_YUV422P10;
+        ctx->pix_fmt = PIX_FMT_YUV422P10;
         ctx->avctx->bits_per_raw_sample = 10;
         if (ctx->bit_depth != 10) {
             dsputil_init(&ctx->dsp, ctx->avctx);
@@ -137,7 +138,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si
             ctx->decode_dct_block = dnxhd_decode_dct_block_10;
         }
     } else {
-        ctx->avctx->pix_fmt = PIX_FMT_YUV422P;
+        ctx->pix_fmt = PIX_FMT_YUV422P;
         ctx->avctx->bits_per_raw_sample = 8;
         if (ctx->bit_depth != 8) {
             dsputil_init(&ctx->dsp, ctx->avctx);
@@ -380,9 +381,15 @@ static int dnxhd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
                avctx->width, avctx->height, ctx->width, ctx->height);
         first_field = 1;
     }
+    if (avctx->pix_fmt != PIX_FMT_NONE && avctx->pix_fmt != ctx->pix_fmt) {
+        av_log(avctx, AV_LOG_WARNING, "pix_fmt changed: %s -> %s\n",
+               av_get_pix_fmt_name(avctx->pix_fmt), av_get_pix_fmt_name(ctx->pix_fmt));
+        first_field = 1;
+    }
 
     if (av_image_check_size(ctx->width, ctx->height, 0, avctx))
         return -1;
+    avctx->pix_fmt = ctx->pix_fmt;
     avcodec_set_dimensions(avctx, ctx->width, ctx->height);
 
     if (first_field) {
@@ -416,9 +423,9 @@ static av_cold int dnxhd_decode_close(AVCodecContext *avctx)
 
     if (ctx->picture.data[0])
         ff_thread_release_buffer(avctx, &ctx->picture);
-    free_vlc(&ctx->ac_vlc);
-    free_vlc(&ctx->dc_vlc);
-    free_vlc(&ctx->run_vlc);
+    ff_free_vlc(&ctx->ac_vlc);
+    ff_free_vlc(&ctx->dc_vlc);
+    ff_free_vlc(&ctx->run_vlc);
     return 0;
 }
 

libavcodec/dnxhdenc.c

@@ -220,7 +220,7 @@ static int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias)
 
 static int dnxhd_init_rc(DNXHDEncContext *ctx)
 {
-    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail);
+    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail);
     if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD)
         FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail);
 

libavcodec/dpcm.c

@@ -39,6 +39,7 @@
 
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"
 
 typedef struct DPCMContext {
@@ -183,6 +184,11 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
     int stereo = s->channels - 1;
     int16_t *output_samples;
 
+    if (stereo && (buf_size & 1)) {
+        buf_size--;
+        buf_end--;
+    }
+
     /* calculate output size */
     switch(avctx->codec->id) {
     case CODEC_ID_ROQ_DPCM:
@@ -211,7 +217,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     s->frame.nb_samples = (out + s->channels - 1) / s->channels;
-    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
@@ -320,7 +326,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
     *got_frame_ptr   = 1;
     *(AVFrame *)data = s->frame;
 
-    return buf_size;
+    return avpkt->size;
 }
 
 #define DPCM_DECODER(id_, name_, long_name_)                \

libavcodec/dsicinav.c

@@ -25,6 +25,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "bytestream.h"
 #include "mathops.h"
 
@@ -108,27 +109,31 @@ static av_cold int cinvideo_decode_init(AVCodecContext *avctx)
     return 0;
 }
 
-static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, int size)
+static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst,
+                                 int size)
 {
     while (size--)
         *dst++ += *src++;
 }
 
-static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static int cin_decode_huffman(const unsigned char *src, int src_size,
+                              unsigned char *dst, int dst_size)
 {
     int b, huff_code = 0;
     unsigned char huff_code_table[15];
-    unsigned char *dst_cur = dst;
-    unsigned char *dst_end = dst + dst_size;
+    unsigned char *dst_cur       = dst;
+    unsigned char *dst_end       = dst + dst_size;
     const unsigned char *src_end = src + src_size;
 
-    memcpy(huff_code_table, src, 15); src += 15; src_size -= 15;
+    memcpy(huff_code_table, src, 15);
+    src += 15;
+    src_size -= 15;
 
     while (src < src_end) {
         huff_code = *src++;
         if ((huff_code >> 4) == 15) {
-            b = huff_code << 4;
-            huff_code = *src++;
+            b          = huff_code << 4;
+            huff_code  = *src++;
             *dst_cur++ = b | (huff_code >> 4);
         } else
             *dst_cur++ = huff_code_table[huff_code >> 4];
@@ -147,11 +152,12 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
     return dst_cur - dst;
 }
 
-static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static int cin_decode_lzss(const unsigned char *src, int src_size,
+                           unsigned char *dst, int dst_size)
 {
     uint16_t cmd;
     int i, sz, offset, code;
-    unsigned char *dst_end = dst + dst_size;
+    unsigned char *dst_end       = dst + dst_size, *dst_start = dst;
     const unsigned char *src_end = src + src_size;
 
     while (src < src_end && dst < dst_end) {
@@ -160,11 +166,15 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
             if (code & (1 << i)) {
                 *dst++ = *src++;
             } else {
-                cmd = AV_RL16(src); src += 2;
+                cmd  = AV_RL16(src);
+                src += 2;
                 offset = cmd >> 4;
+                if ((int)(dst - dst_start) < offset + 1)
+                    return AVERROR_INVALIDDATA;
                 sz = (cmd & 0xF) + 2;
-                /* don't use memcpy/memmove here as the decoding routine (ab)uses */
-                /* buffer overlappings to repeat bytes in the destination */
+                /* don't use memcpy/memmove here as the decoding routine
+                 * (ab)uses buffer overlappings to repeat bytes in the
+                 * destination */
                 sz = FFMIN(sz, dst_end - dst);
                 while (sz--) {
                     *dst = *(dst - offset - 1);
@@ -173,22 +183,27 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
             }
         }
     }
+
+    return 0;
 }
 
-static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
+static void cin_decode_rle(const unsigned char *src, int src_size,
+                           unsigned char *dst, int dst_size)
 {
     int len, code;
-    unsigned char *dst_end = dst + dst_size;
+    unsigned char *dst_end       = dst + dst_size;
     const unsigned char *src_end = src + src_size;
 
     while (src < src_end && dst < dst_end) {
         code = *src++;
         if (code & 0x80) {
+            if (src >= src_end)
+                break;
             len = code - 0x7F;
             memset(dst, *src++, FFMIN(len, dst_end - dst));
         } else {
             len = code + 1;
-            memcpy(dst, src, FFMIN(len, dst_end - dst));
+            memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src));
             src += len;
         }
         dst += len;
@@ -199,21 +214,16 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
                                  void *data, int *data_size,
                                  AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
-    int buf_size = avpkt->size;
+    const uint8_t *buf   = avpkt->data;
+    int buf_size         = avpkt->size;
     CinVideoContext *cin = avctx->priv_data;
-    int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size;
+    int i, y, palette_type, palette_colors_count,
+        bitmap_frame_type, bitmap_frame_size, res = 0;
 
-    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
-    if (avctx->reget_buffer(avctx, &cin->frame)) {
-        av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
-        return -1;
-    }
-
-    palette_type = buf[0];
+    palette_type         = buf[0];
     palette_colors_count = AV_RL16(buf+1);
-    bitmap_frame_type = buf[3];
-    buf += 4;
+    bitmap_frame_type    = buf[3];
+    buf                 += 4;
 
     bitmap_frame_size = buf_size - 4;
 
@@ -224,67 +234,85 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
         if (palette_colors_count > 256)
             return AVERROR_INVALIDDATA;
         for (i = 0; i < palette_colors_count; ++i) {
-            cin->palette[i] = 0xFF << 24 | bytestream_get_le24(&buf);
+            cin->palette[i]    = 0xFF << 24 | bytestream_get_le24(&buf);
             bitmap_frame_size -= 3;
         }
     } else {
         for (i = 0; i < palette_colors_count; ++i) {
-            cin->palette[buf[0]] = 0xFF << 24 | AV_RL24(buf+1);
-            buf += 4;
-            bitmap_frame_size -= 4;
+            cin->palette[buf[0]] = 0xFF << 24 | AV_RL24(buf + 1);
+            buf                 += 4;
+            bitmap_frame_size   -= 4;
         }
     }
-    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
-    cin->frame.palette_has_changed = 1;
 
-    /* note: the decoding routines below assumes that surface.width = surface.pitch */
+    bitmap_frame_size = FFMIN(cin->bitmap_size, bitmap_frame_size);
+
+    /* note: the decoding routines below assumes that
+     * surface.width = surface.pitch */
     switch (bitmap_frame_type) {
     case 9:
         cin_decode_rle(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
         break;
     case 34:
         cin_decode_rle(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
         cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
         break;
     case 35:
         cin_decode_huffman(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
+                           cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
         cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
         break;
     case 36:
         bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
+                                               cin->bitmap_table[CIN_INT_BMP],
+                                               cin->bitmap_size);
         cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
         cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
         break;
     case 37:
         cin_decode_huffman(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                           cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
         break;
     case 38:
-        cin_decode_lzss(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        res = cin_decode_lzss(buf, bitmap_frame_size,
+                              cin->bitmap_table[CIN_CUR_BMP],
+                              cin->bitmap_size);
+        if (res < 0)
+            return res;
         break;
     case 39:
-        cin_decode_lzss(buf, bitmap_frame_size,
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        res = cin_decode_lzss(buf, bitmap_frame_size,
+                              cin->bitmap_table[CIN_CUR_BMP],
+                              cin->bitmap_size);
+        if (res < 0)
+            return res;
         cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
-          cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
         break;
     }
 
+    cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
+    if ((res = avctx->reget_buffer(avctx, &cin->frame)) < 0) {
+        av_log(cin->avctx, AV_LOG_ERROR,
+               "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
+        return res;
+    }
+
+    memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
+    cin->frame.palette_has_changed = 1;
     for (y = 0; y < cin->avctx->height; ++y)
         memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0],
-          cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
-          cin->avctx->width);
+               cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,
+               cin->avctx->width);
 
-    FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_table[CIN_PRE_BMP]);
+    FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP],
+                      cin->bitmap_table[CIN_PRE_BMP]);
 
     *data_size = sizeof(AVFrame);
     *(AVFrame *)data = cin->frame;
@@ -328,15 +356,15 @@ static av_cold int cinaudio_decode_init(AVCodecContext *avctx)
 static int cinaudio_decode_frame(AVCodecContext *avctx, void *data,
                                  int *got_frame_ptr, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
-    CinAudioContext *cin = avctx->priv_data;
+    const uint8_t *buf     = avpkt->data;
+    CinAudioContext *cin   = avctx->priv_data;
     const uint8_t *buf_end = buf + avpkt->size;
     int16_t *samples;
     int delta, ret;
 
     /* get output buffer */
     cin->frame.nb_samples = avpkt->size - cin->initial_decode_frame;
-    if ((ret = avctx->get_buffer(avctx, &cin->frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, &cin->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
@@ -345,13 +373,13 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data,
     delta = cin->delta;
     if (cin->initial_decode_frame) {
         cin->initial_decode_frame = 0;
-        delta = sign_extend(AV_RL16(buf), 16);
-        buf += 2;
-        *samples++ = delta;
+        delta                     = sign_extend(AV_RL16(buf), 16);
+        buf                      += 2;
+        *samples++                = delta;
     }
     while (buf < buf_end) {
-        delta += cinaudio_delta16_table[*buf++];
-        delta = av_clip_int16(delta);
+        delta     += cinaudio_delta16_table[*buf++];
+        delta      = av_clip_int16(delta);
         *samples++ = delta;
     }
     cin->delta = delta;

libavcodec/dsputil.c

@@ -367,18 +367,17 @@ void ff_put_pixels_clamped_c(const DCTELEM *block, uint8_t *restrict pixels,
                              int line_size)
 {
     int i;
-    uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
 
     /* read the pixels */
     for(i=0;i<8;i++) {
-        pixels[0] = cm[block[0]];
-        pixels[1] = cm[block[1]];
-        pixels[2] = cm[block[2]];
-        pixels[3] = cm[block[3]];
-        pixels[4] = cm[block[4]];
-        pixels[5] = cm[block[5]];
-        pixels[6] = cm[block[6]];
-        pixels[7] = cm[block[7]];
+        pixels[0] = av_clip_uint8(block[0]);
+        pixels[1] = av_clip_uint8(block[1]);
+        pixels[2] = av_clip_uint8(block[2]);
+        pixels[3] = av_clip_uint8(block[3]);
+        pixels[4] = av_clip_uint8(block[4]);
+        pixels[5] = av_clip_uint8(block[5]);
+        pixels[6] = av_clip_uint8(block[6]);
+        pixels[7] = av_clip_uint8(block[7]);
 
         pixels += line_size;
         block += 8;
@@ -389,14 +388,13 @@ static void put_pixels_clamped4_c(const DCTELEM *block, uint8_t *restrict pixels
                                  int line_size)
 {
     int i;
-    uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
 
     /* read the pixels */
     for(i=0;i<4;i++) {
-        pixels[0] = cm[block[0]];
-        pixels[1] = cm[block[1]];
-        pixels[2] = cm[block[2]];
-        pixels[3] = cm[block[3]];
+        pixels[0] = av_clip_uint8(block[0]);
+        pixels[1] = av_clip_uint8(block[1]);
+        pixels[2] = av_clip_uint8(block[2]);
+        pixels[3] = av_clip_uint8(block[3]);
 
         pixels += line_size;
         block += 8;
@@ -407,12 +405,11 @@ static void put_pixels_clamped2_c(const DCTELEM *block, uint8_t *restrict pixels
                                  int line_size)
 {
     int i;
-    uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
 
     /* read the pixels */
     for(i=0;i<2;i++) {
-        pixels[0] = cm[block[0]];
-        pixels[1] = cm[block[1]];
+        pixels[0] = av_clip_uint8(block[0]);
+        pixels[1] = av_clip_uint8(block[1]);
 
         pixels += line_size;
         block += 8;
@@ -444,18 +441,17 @@ void ff_add_pixels_clamped_c(const DCTELEM *block, uint8_t *restrict pixels,
                              int line_size)
 {
     int i;
-    uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
 
     /* read the pixels */
     for(i=0;i<8;i++) {
-        pixels[0] = cm[pixels[0] + block[0]];
-        pixels[1] = cm[pixels[1] + block[1]];
-        pixels[2] = cm[pixels[2] + block[2]];
-        pixels[3] = cm[pixels[3] + block[3]];
-        pixels[4] = cm[pixels[4] + block[4]];
-        pixels[5] = cm[pixels[5] + block[5]];
-        pixels[6] = cm[pixels[6] + block[6]];
-        pixels[7] = cm[pixels[7] + block[7]];
+        pixels[0] = av_clip_uint8(pixels[0] + block[0]);
+        pixels[1] = av_clip_uint8(pixels[1] + block[1]);
+        pixels[2] = av_clip_uint8(pixels[2] + block[2]);
+        pixels[3] = av_clip_uint8(pixels[3] + block[3]);
+        pixels[4] = av_clip_uint8(pixels[4] + block[4]);
+        pixels[5] = av_clip_uint8(pixels[5] + block[5]);
+        pixels[6] = av_clip_uint8(pixels[6] + block[6]);
+        pixels[7] = av_clip_uint8(pixels[7] + block[7]);
         pixels += line_size;
         block += 8;
     }
@@ -465,14 +461,13 @@ static void add_pixels_clamped4_c(const DCTELEM *block, uint8_t *restrict pixels
                           int line_size)
 {
     int i;
-    uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
 
     /* read the pixels */
     for(i=0;i<4;i++) {
-        pixels[0] = cm[pixels[0] + block[0]];
-        pixels[1] = cm[pixels[1] + block[1]];
-        pixels[2] = cm[pixels[2] + block[2]];
-        pixels[3] = cm[pixels[3] + block[3]];
+        pixels[0] = av_clip_uint8(pixels[0] + block[0]);
+        pixels[1] = av_clip_uint8(pixels[1] + block[1]);
+        pixels[2] = av_clip_uint8(pixels[2] + block[2]);
+        pixels[3] = av_clip_uint8(pixels[3] + block[3]);
         pixels += line_size;
         block += 8;
     }
@@ -482,12 +477,11 @@ static void add_pixels_clamped2_c(const DCTELEM *block, uint8_t *restrict pixels
                           int line_size)
 {
     int i;
-    uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
 
     /* read the pixels */
     for(i=0;i<2;i++) {
-        pixels[0] = cm[pixels[0] + block[0]];
-        pixels[1] = cm[pixels[1] + block[1]];
+        pixels[0] = av_clip_uint8(pixels[0] + block[0]);
+        pixels[1] = av_clip_uint8(pixels[1] + block[1]);
         pixels += line_size;
         block += 8;
     }
@@ -1918,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
 
 static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
     long i;
-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
         long a = *(long*)(src+i);
         long b = *(long*)(dst+i);
         *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1943,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
         }
     }else
 #endif
-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
         long a = *(long*)(src1+i);
         long b = *(long*)(src2+i);
         *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
@@ -2779,15 +2773,11 @@ static void ff_jref_idct2_add(uint8_t *dest, int line_size, DCTELEM *block)
 
 static void ff_jref_idct1_put(uint8_t *dest, int line_size, DCTELEM *block)
 {
-    uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
-
-    dest[0] = cm[(block[0] + 4)>>3];
+    dest[0] = av_clip_uint8((block[0] + 4)>>3);
 }
 static void ff_jref_idct1_add(uint8_t *dest, int line_size, DCTELEM *block)
 {
-    uint8_t *cm = ff_cropTbl + MAX_NEG_CROP;
-
-    dest[0] = cm[dest[0] + ((block[0] + 4)>>3)];
+    dest[0] = av_clip_uint8(dest[0] + ((block[0] + 4)>>3));
 }
 
 static void just_return(void *mem av_unused, int stride av_unused, int h av_unused) { return; }
@@ -2832,7 +2822,7 @@ int ff_check_alignment(void){
 
 av_cold void dsputil_init(DSPContext* c, AVCodecContext *avctx)
 {
-    int i;
+    int i, j;
 
     ff_check_alignment();
 
@@ -3194,11 +3184,15 @@ av_cold void dsputil_init(DSPContext* c, AVCodecContext *avctx)
     if (ARCH_SH4)        dsputil_init_sh4   (c, avctx);
     if (ARCH_BFIN)       dsputil_init_bfin  (c, avctx);
 
-    for(i=0; i<64; i++){
-        if(!c->put_2tap_qpel_pixels_tab[0][i])
-            c->put_2tap_qpel_pixels_tab[0][i]= c->put_h264_qpel_pixels_tab[0][i];
-        if(!c->avg_2tap_qpel_pixels_tab[0][i])
-            c->avg_2tap_qpel_pixels_tab[0][i]= c->avg_h264_qpel_pixels_tab[0][i];
+    for (i = 0; i < 4; i++) {
+        for (j = 0; j < 16; j++) {
+            if(!c->put_2tap_qpel_pixels_tab[i][j])
+                c->put_2tap_qpel_pixels_tab[i][j] =
+                    c->put_h264_qpel_pixels_tab[i][j];
+            if(!c->avg_2tap_qpel_pixels_tab[i][j])
+                c->avg_2tap_qpel_pixels_tab[i][j] =
+                    c->avg_h264_qpel_pixels_tab[i][j];
+        }
     }
 
     ff_init_scantable_permutation(c->idct_permutation,

libavcodec/dsputil.h

@@ -33,6 +33,7 @@
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
 
+typedef int emuedge_linesize_type;
 
 //#define DEBUG
 /* dct code */

libavcodec/dv.c

@@ -312,7 +312,7 @@ static av_cold int dvvideo_init(AVCodecContext *avctx)
             dv_rl_vlc[i].level = level;
             dv_rl_vlc[i].run   = run;
         }
-        free_vlc(&dv_vlc);
+        ff_free_vlc(&dv_vlc);
 
         dv_vlc_map_tableinit();
     }
@@ -372,11 +372,6 @@ typedef struct BlockInfo {
 static const int vs_total_ac_bits = (100 * 4 + 68*2) * 5;
 static const int mb_area_start[5] = { 1, 6, 21, 43, 64 };
 
-static inline int put_bits_left(PutBitContext* s)
-{
-    return (s->buf_end - s->buf) * 8 - put_bits_count(s);
-}
-
 /* decode AC coefficients */
 static void dv_decode_ac(GetBitContext *gb, BlockInfo *mb, DCTELEM *block)
 {

libavcodec/dvdsubdec.c

@@ -94,6 +94,12 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
     int x, y, len, color;
     uint8_t *d;
 
+    if (start >= buf_size)
+        return -1;
+
+    if (w <= 0 || h <= 0)
+        return -1;
+
     bit_len = (buf_size - start) * 8;
     init_get_bits(&gb, buf + start, bit_len);
 
@@ -336,10 +342,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
                 sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
                 sub_header->num_rects = 1;
                 sub_header->rects[0]->pict.data[0] = bitmap;
-                decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-                           buf, offset1, buf_size, is_8bit);
-                decode_rle(bitmap + w, w * 2, w, h / 2,
-                           buf, offset2, buf_size, is_8bit);
+                if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+                               buf, offset1, buf_size, is_8bit) < 0)
+                    goto fail;
+                if (decode_rle(bitmap + w, w * 2, w, h / 2,
+                               buf, offset2, buf_size, is_8bit) < 0)
+                    goto fail;
                 sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE);
                 if (is_8bit) {
                     if (yuv_palette == 0)

libavcodec/dxa.c

@@ -255,6 +255,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
     case 5:
         c->pic.key_frame = !(compr & 1);
         c->pic.pict_type = (compr & 1) ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
+
+        if (!tmpptr && !c->pic.key_frame) {
+            av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
         for(j = 0; j < avctx->height; j++){
             if(compr & 1){
                 for(i = 0; i < avctx->width; i++)
@@ -295,6 +301,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
     c->avctx = avctx;
     avctx->pix_fmt = PIX_FMT_PAL8;
 
+    if (avctx->width%4 || avctx->height%4) {
+        av_log(avctx, AV_LOG_ERROR, "dimensions are not a multiple of 4");
+        return AVERROR_INVALIDDATA;
+    }
+
     avcodec_get_frame_defaults(&c->pic);
     avcodec_get_frame_defaults(&c->prev);
 

libavcodec/dxtory.c

@@ -21,6 +21,7 @@
  */
 
 #include "avcodec.h"
+#include "internal.h"
 #include "libavutil/intreadwrite.h"
 
 static av_cold int decode_init(AVCodecContext *avctx)
@@ -51,7 +52,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     }
 
     pic->reference = 0;
-    if ((ret = avctx->get_buffer(avctx, pic)) < 0)
+    if ((ret = ff_get_buffer(avctx, pic)) < 0)
         return ret;
 
     pic->pict_type = AV_PICTURE_TYPE_I;

libavcodec/dxva2_internal.h

@@ -25,7 +25,14 @@
 
 #define _WIN32_WINNT 0x0600
 #define COBJMACROS
+
+#include "config.h"
+
 #include "dxva2.h"
+#if HAVE_DXVA_H
+#include <dxva.h>
+#endif
+
 #include "avcodec.h"
 #include "mpegvideo.h"
 

libavcodec/eacmv.c

@@ -112,8 +112,8 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t *
             int yoffset = ((buf[i] >> 4)) - 7;
             if (s->last_frame.data[0])
                 cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
-                          s->last_frame.data[0], s->last_frame.linesize[0],
-                          x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
+                            s->last_frame.data[0], s->last_frame.linesize[0],
+                            x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
         }
         i++;
     }

libavcodec/eamad.c

@@ -29,6 +29,7 @@
  */
 
 #include "avcodec.h"
+#include "bytestream.h"
 #include "get_bits.h"
 #include "dsputil.h"
 #include "aandcttab.h"
@@ -143,6 +144,11 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                 break;
             } else if (level != 0) {
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return -1;
+                }
                 j = scantable[i];
                 level = (level*quant_matrix[j]) >> 4;
                 level = (level-1)|1;
@@ -157,6 +163,11 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                 run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6);
 
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return -1;
+                }
                 j = scantable[i];
                 if (level < 0) {
                     level = -level;
@@ -168,10 +179,6 @@ static inline int decode_block_intra(MadContext * t, DCTELEM * block)
                     level = (level-1)|1;
                 }
             }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return -1;
-            }
 
             block[j] = level;
         }
@@ -246,32 +253,34 @@ static int decode_frame(AVCodecContext *avctx,
 {
     const uint8_t *buf = avpkt->data;
     int buf_size       = avpkt->size;
-    const uint8_t *buf_end = buf+buf_size;
     MadContext *t     = avctx->priv_data;
+    GetByteContext gb;
     MpegEncContext *s = &t->s;
     int chunk_type;
     int inter;
 
-    if (buf_size < 17) {
-        av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
-        *data_size = 0;
-        return -1;
-    }
+    bytestream2_init(&gb, buf, buf_size);
 
-    chunk_type = AV_RL32(&buf[0]);
+    chunk_type = bytestream2_get_le32(&gb);
     inter = (chunk_type == MADm_TAG || chunk_type == MADe_TAG);
-    buf += 8;
+    bytestream2_skip(&gb, 10);
 
     av_reduce(&avctx->time_base.num, &avctx->time_base.den,
-              AV_RL16(&buf[6]), 1000, 1<<30);
+              bytestream2_get_le16(&gb), 1000, 1<<30);
 
-    s->width  = AV_RL16(&buf[8]);
-    s->height = AV_RL16(&buf[10]);
-    calc_intra_matrix(t, buf[13]);
-    buf += 16;
+    s->width  = bytestream2_get_le16(&gb);
+    s->height = bytestream2_get_le16(&gb);
+    bytestream2_skip(&gb, 1);
+    calc_intra_matrix(t, bytestream2_get_byte(&gb));
+    bytestream2_skip(&gb, 2);
+
+    if (bytestream2_get_bytes_left(&gb) < 2) {
+        av_log(avctx, AV_LOG_ERROR, "Input data too small\n");
+        return AVERROR_INVALIDDATA;
+    }
 
     if (avctx->width != s->width || avctx->height != s->height) {
-        if((s->width * s->height)/2048*7 > buf_end-buf)
+        if((s->width * s->height)/2048*7 > bytestream2_get_bytes_left(&gb))
             return -1;
         if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
             return -1;
@@ -290,13 +299,14 @@ static int decode_frame(AVCodecContext *avctx,
         }
     }
 
-    av_fast_malloc(&t->bitstream_buf, &t->bitstream_buf_size, (buf_end-buf) + FF_INPUT_BUFFER_PADDING_SIZE);
+    av_fast_malloc(&t->bitstream_buf, &t->bitstream_buf_size,
+                   bytestream2_get_bytes_left(&gb) + FF_INPUT_BUFFER_PADDING_SIZE);
     if (!t->bitstream_buf)
         return AVERROR(ENOMEM);
-    bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2);
-    memset((uint8_t*)t->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE);
-    init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf));
-
+    bswap16_buf(t->bitstream_buf, (const uint16_t *)(buf + bytestream2_tell(&gb)),
+                bytestream2_get_bytes_left(&gb) / 2);
+    memset((uint8_t*)t->bitstream_buf + bytestream2_get_bytes_left(&gb), 0, FF_INPUT_BUFFER_PADDING_SIZE);
+    init_get_bits(&s->gb, t->bitstream_buf, 8*(bytestream2_get_bytes_left(&gb)));
     for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++)
         for (s->mb_x=0; s->mb_x < (avctx->width +15)/16; s->mb_x++)
             if(decode_mb(t, inter) < 0)

libavcodec/eatgq.c

@@ -43,6 +43,7 @@ typedef struct TgqContext {
     ScanTable scantable;
     int qtable[64];
     DECLARE_ALIGNED(16, DCTELEM, block)[6][64];
+    GetByteContext gb;
 } TgqContext;
 
 static av_cold int tgq_decode_init(AVCodecContext *avctx){
@@ -141,39 +142,36 @@ static void tgq_idct_put_mb_dconly(TgqContext *s, int mb_x, int mb_y, const int8
     }
 }
 
-static void tgq_decode_mb(TgqContext *s, int mb_y, int mb_x, const uint8_t **bs, const uint8_t *buf_end){
+static void tgq_decode_mb(TgqContext *s, int mb_y, int mb_x){
     int mode;
     int i;
     int8_t dc[6];
 
-    mode = bytestream_get_byte(bs);
-    if (mode>buf_end-*bs) {
-        av_log(s->avctx, AV_LOG_ERROR, "truncated macroblock\n");
-        return;
-    }
-
+    mode = bytestream2_get_byte(&s->gb);
     if (mode>12) {
         GetBitContext gb;
-        init_get_bits(&gb, *bs, mode*8);
+        init_get_bits(&gb, s->gb.buffer, FFMIN(s->gb.buffer_end - s->gb.buffer, mode) * 8);
         for(i=0; i<6; i++)
             tgq_decode_block(s, s->block[i], &gb);
         tgq_idct_put_mb(s, s->block, mb_x, mb_y);
+        bytestream2_skip(&s->gb, mode);
     }else{
         if (mode==3) {
-            memset(dc, (*bs)[0], 4);
-            dc[4] = (*bs)[1];
-            dc[5] = (*bs)[2];
+            memset(dc, bytestream2_get_byte(&s->gb), 4);
+            dc[4] = bytestream2_get_byte(&s->gb);
+            dc[5] = bytestream2_get_byte(&s->gb);
         }else if (mode==6) {
-            memcpy(dc, *bs, 6);
+            bytestream2_get_buffer(&s->gb, dc, 6);
         }else if (mode==12) {
-            for(i=0; i<6; i++)
-                dc[i] = (*bs)[i*2];
+            for (i = 0; i < 6; i++) {
+                dc[i] = bytestream2_get_byte(&s->gb);
+                bytestream2_skip(&s->gb, 1);
+            }
         }else{
             av_log(s->avctx, AV_LOG_ERROR, "unsupported mb mode %i\n", mode);
         }
         tgq_idct_put_mb_dconly(s, mb_x, mb_y, dc);
     }
-    *bs += mode;
 }
 
 static void tgq_calculate_qtable(TgqContext *s, int quant){
@@ -193,28 +191,30 @@ static int tgq_decode_frame(AVCodecContext *avctx,
                             AVPacket *avpkt){
     const uint8_t *buf = avpkt->data;
     int buf_size = avpkt->size;
-    const uint8_t *buf_start = buf;
-    const uint8_t *buf_end = buf + buf_size;
     TgqContext *s = avctx->priv_data;
     int x,y;
-
     int big_endian = AV_RL32(&buf[4]) > 0x000FFFFF;
-    buf += 8;
 
-    if(8>buf_end-buf) {
+    if (buf_size < 16) {
         av_log(avctx, AV_LOG_WARNING, "truncated header\n");
         return -1;
     }
-    s->width  = big_endian ? AV_RB16(&buf[0]) : AV_RL16(&buf[0]);
-    s->height = big_endian ? AV_RB16(&buf[2]) : AV_RL16(&buf[2]);
+    bytestream2_init(&s->gb, buf + 8, buf_size - 8);
+    if (big_endian) {
+        s->width  = bytestream2_get_be16u(&s->gb);
+        s->height = bytestream2_get_be16u(&s->gb);
+    } else {
+        s->width  = bytestream2_get_le16u(&s->gb);
+        s->height = bytestream2_get_le16u(&s->gb);
+    }
 
     if (s->avctx->width!=s->width || s->avctx->height!=s->height) {
         avcodec_set_dimensions(s->avctx, s->width, s->height);
         if (s->frame.data[0])
             avctx->release_buffer(avctx, &s->frame);
     }
-    tgq_calculate_qtable(s, buf[4]);
-    buf += 8;
+    tgq_calculate_qtable(s, bytestream2_get_byteu(&s->gb));
+    bytestream2_skip(&s->gb, 3);
 
     if (!s->frame.data[0]) {
         s->frame.key_frame = 1;
@@ -226,14 +226,14 @@ static int tgq_decode_frame(AVCodecContext *avctx,
         }
     }
 
-    for (y=0; y<(avctx->height+15)/16; y++)
-    for (x=0; x<(avctx->width+15)/16; x++)
-        tgq_decode_mb(s, y, x, &buf, buf_end);
+    for (y = 0; y < FFALIGN(avctx->height, 16) >> 4; y++)
+        for (x = 0; x < FFALIGN(avctx->width, 16) >> 4; x++)
+            tgq_decode_mb(s, y, x);
 
     *data_size = sizeof(AVFrame);
     *(AVFrame*)data = s->frame;
 
-    return buf-buf_start;
+    return avpkt->size;
 }
 
 static av_cold int tgq_decode_end(AVCodecContext *avctx){

libavcodec/eatqi.c

@@ -62,7 +62,7 @@ static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64])
     int n;
     s->dsp.clear_blocks(block[0]);
     for (n=0; n<6; n++)
-        if(ff_mpeg1_decode_block_intra(s, block[n], n)<0)
+        if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0)
             return -1;
 
     return 0;
@@ -137,7 +137,7 @@ static int tqi_decode_frame(AVCodecContext *avctx,
     for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++)
     for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++)
     {
-        if(tqi_decode_mb(s, t->block) < 0)
+        if (tqi_decode_mb(s, t->block) < 0)
             break;
         tqi_idct_put(t, t->block);
     }

libavcodec/elbg.c

@@ -110,7 +110,7 @@ static int get_high_utility_cell(elbg_data *elbg)
     while (elbg->utility_inc[i] < r)
         i++;
 
-    assert(!elbg->cells[i]);
+    assert(elbg->cells[i]);
 
     return i;
 }

libavcodec/error_resilience.c

@@ -440,9 +440,14 @@ static void guess_mv(MpegEncContext *s)
     if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) ||
         num_avail <= mb_width / 2) {
         for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
+            s->mb_x = 0;
+            s->mb_y = mb_y;
+            ff_init_block_index(s);
             for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
                 const int mb_xy = mb_x + mb_y * s->mb_stride;
 
+                ff_update_block_index(s);
+
                 if (IS_INTRA(s->current_picture.f.mb_type[mb_xy]))
                     continue;
                 if (!(s->error_status_table[mb_xy] & ER_MV_ERROR))
@@ -477,6 +482,9 @@ static void guess_mv(MpegEncContext *s)
 
             changed = 0;
             for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
+                s->mb_x = 0;
+                s->mb_y = mb_y;
+                ff_init_block_index(s);
                 for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
                     const int mb_xy        = mb_x + mb_y * s->mb_stride;
                     int mv_predictor[8][2] = { { 0 } };
@@ -488,6 +496,8 @@ static void guess_mv(MpegEncContext *s)
                     const int mot_index    = (mb_x + mb_y * mot_stride) * mot_step;
                     int prev_x, prev_y, prev_ref;
 
+                    ff_update_block_index(s);
+
                     if ((mb_x ^ mb_y ^ pass) & 1)
                         continue;
 
@@ -911,6 +921,12 @@ void ff_er_frame_end(MpegEncContext *s)
         return;
     };
 
+    if (s->picture_structure == PICT_FRAME &&
+        s->current_picture.f.linesize[0] != s->current_picture_ptr->f.linesize[0]) {
+        av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n");
+        return;
+    }
+
     if (s->current_picture.f.motion_val[0] == NULL) {
         av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n");
 
@@ -1098,11 +1114,16 @@ void ff_er_frame_end(MpegEncContext *s)
 
     /* handle inter blocks with damaged AC */
     for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
+        s->mb_x = 0;
+        s->mb_y = mb_y;
+        ff_init_block_index(s);
         for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
             const int mb_xy   = mb_x + mb_y * s->mb_stride;
             const int mb_type = s->current_picture.f.mb_type[mb_xy];
             int dir           = !s->last_picture.f.data[0];
 
+            ff_update_block_index(s);
+
             error = s->error_status_table[mb_xy];
 
             if (IS_INTRA(mb_type))
@@ -1140,11 +1161,16 @@ void ff_er_frame_end(MpegEncContext *s)
     /* guess MVs */
     if (s->pict_type == AV_PICTURE_TYPE_B) {
         for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
+            s->mb_x = 0;
+            s->mb_y = mb_y;
+            ff_init_block_index(s);
             for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
                 int       xy      = mb_x * 2 + mb_y * 2 * s->b8_stride;
                 const int mb_xy   = mb_x + mb_y * s->mb_stride;
                 const int mb_type = s->current_picture.f.mb_type[mb_xy];
 
+                ff_update_block_index(s);
+
                 error = s->error_status_table[mb_xy];
 
                 if (IS_INTRA(mb_type))

libavcodec/escape124.c

@@ -48,8 +48,8 @@ typedef struct Escape124Context {
     CodeBook codebooks[3];
 } Escape124Context;
 
-static int can_safely_read(GetBitContext* gb, int bits) {
-    return get_bits_count(gb) + bits <= gb->size_in_bits;
+static int can_safely_read(GetBitContext* gb, uint64_t bits) {
+    return get_bits_left(gb) >= bits;
 }
 
 /**
@@ -90,7 +90,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth,
     unsigned i, j;
     CodeBook cb = { 0 };
 
-    if (!can_safely_read(gb, size * 34))
+    if (!can_safely_read(gb, size * 34L))
         return cb;
 
     if (size >= INT_MAX / sizeof(MacroBlock))

libavcodec/faxcompr.c

@@ -110,11 +110,11 @@ av_cold void ff_ccitt_unpack_init(void)
     ccitt_vlc[1].table = code_table2;
     ccitt_vlc[1].table_allocated = 648;
     for(i = 0; i < 2; i++){
-        init_vlc_sparse(&ccitt_vlc[i], 9, CCITT_SYMS,
-                        ccitt_codes_lens[i], 1, 1,
-                        ccitt_codes_bits[i], 1, 1,
-                        ccitt_syms, 2, 2,
-                        INIT_VLC_USE_NEW_STATIC);
+        ff_init_vlc_sparse(&ccitt_vlc[i], 9, CCITT_SYMS,
+                           ccitt_codes_lens[i], 1, 1,
+                           ccitt_codes_bits[i], 1, 1,
+                           ccitt_syms, 2, 2,
+                           INIT_VLC_USE_NEW_STATIC);
     }
     INIT_VLC_STATIC(&ccitt_group3_2d_vlc, 9, 11,
                     ccitt_group3_2d_lens, 1, 1,
@@ -228,7 +228,7 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb,
             mode = !mode;
         }
         //sync line pointers
-        while(run_off <= offs){
+        while(offs < width && run_off <= offs){
             run_off += *ref++;
             run_off += *ref++;
         }
@@ -243,7 +243,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs)
     PutBitContext pb;
     int run, mode = ~0, pix_left = width, run_idx = 0;
 
-    init_put_bits(&pb, dst, size*8);
+    init_put_bits(&pb, dst, size);
     while(pix_left > 0){
         run = runs[run_idx++];
         mode = ~mode;

libavcodec/ffv1.c

@@ -255,7 +255,7 @@ static void find_best_state(uint8_t best_state[256][256], const uint8_t one_stat
             occ[j]=1.0;
             for(k=0; k<256; k++){
                 double newocc[256]={0};
-                for(m=0; m<256; m++){
+                for(m=1; m<256; m++){
                     if(occ[m]){
                         len -=occ[m]*(     p *l2tab[    m]
                                       + (1-p)*l2tab[256-m]);
@@ -451,7 +451,7 @@ static av_always_inline int encode_line(FFV1Context *s, int w,
     int run_mode=0;
 
     if(s->ac){
-        if(c->bytestream_end - c->bytestream < w*20){
+        if(c->bytestream_end - c->bytestream < w*35){
             av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n");
             return -1;
         }
@@ -722,6 +722,10 @@ static av_cold int init_slice_contexts(FFV1Context *f){
     int i;
 
     f->slice_count= f->num_h_slices * f->num_v_slices;
+    if (f->slice_count <= 0) {
+        av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n");
+        return AVERROR(EINVAL);
+    }
 
     for(i=0; i<f->slice_count; i++){
         FFV1Context *fs= av_mallocz(sizeof(*fs));
@@ -993,7 +997,7 @@ static av_cold int encode_init(AVCodecContext *avctx)
                 }
             }
             gob_count= strtol(p, &next, 0);
-            if(next==p || gob_count <0){
+            if(next==p || gob_count <=0){
                 av_log(avctx, AV_LOG_ERROR, "2Pass file invalid\n");
                 return -1;
             }
@@ -1547,20 +1551,48 @@ static int read_header(FFV1Context *f){
     memset(state, 128, sizeof(state));
 
     if(f->version < 2){
-        f->version= get_symbol(c, state, 0);
-        f->ac= f->avctx->coder_type= get_symbol(c, state, 0);
-        if(f->ac>1){
-            for(i=1; i<256; i++){
-                f->state_transition[i]= get_symbol(c, state, 1) + c->one_state[i];
+        int chroma_h_shift, chroma_v_shift, colorspace, bits_per_raw_sample;
+        int transparency;
+        unsigned v = get_symbol(c, state, 0);
+        if (v > 1) {
+            av_log(f->avctx, AV_LOG_ERROR,
+                   "invalid version %d in version 1 header\n", v);
+            return AVERROR_INVALIDDATA;
+        }
+        f->version = v;
+
+        f->ac = f->avctx->coder_type = get_symbol(c, state, 0);
+
+        if (f->ac > 1) {
+            for (i = 1; i < 256; i++)
+                f->state_transition[i] =
+                    get_symbol(c, state, 1) + c->one_state[i];
+        }
+
+        colorspace          = get_symbol(c, state, 0); //YUV cs type
+        bits_per_raw_sample = f->version > 0 ? get_symbol(c, state, 0) : f->avctx->bits_per_raw_sample;
+        get_rac(c, state); //no chroma = false
+        chroma_h_shift      = get_symbol(c, state, 0);
+        chroma_v_shift      = get_symbol(c, state, 0);
+        transparency        = get_rac(c, state);
+
+        if (f->plane_count) {
+            if (colorspace          != f->colorspace                 ||
+                bits_per_raw_sample != f->avctx->bits_per_raw_sample ||
+                chroma_h_shift      != f->chroma_h_shift             ||
+                chroma_v_shift      != f->chroma_v_shift             ||
+                transparency        != f->transparency) {
+                av_log(f->avctx, AV_LOG_ERROR, "Invalid change of global parameters\n");
+                return AVERROR_INVALIDDATA;
             }
         }
-        f->colorspace= get_symbol(c, state, 0); //YUV cs type
-        if(f->version>0)
-            f->avctx->bits_per_raw_sample= get_symbol(c, state, 0);
-        get_rac(c, state); //no chroma = false
-        f->chroma_h_shift= get_symbol(c, state, 0);
-        f->chroma_v_shift= get_symbol(c, state, 0);
-        f->transparency= get_rac(c, state);
+
+        f->colorspace                 = colorspace;
+        f->avctx->bits_per_raw_sample = bits_per_raw_sample;
+        f->chroma_h_shift             = chroma_h_shift;
+        f->chroma_v_shift             = chroma_v_shift;
+        f->transparency               = transparency;
+
         f->plane_count= 2 + f->transparency;
     }