lavf/webm_chunk: Fix NULL dereference

The earlier version of the webm_chunk muxer had several bugs: 1. If the first packet of an audio stream didn't have a PTS of zero, then no chunk will be started before a packet is delivered to the underlying Matroska/WebM muxer, i.e. the AVFormatContext used to write these packets had a NULL as AVIOContext for output. This is behind the crash in ticket #5752. 2. If an error happens during writing a packet, the underlyimg Matroska/WebM muxer context is freed. This leads to a use-after-free coupled with a double-free in webm_chunk_write_trailer (which supposes that the underlying AVFormatContext is still valid). 3. Even when no error occurs at all, webm_chunk_write_trailer is still buggy: After the underlying Matroska/WebM muxer has written its trailer, ending the chunk implicitly flushes it again which is illegal at this point. These bugs have been fixed. Fixes #5752. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> (cherry picked from commit 8c6ee7626b) Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avcodec/ttaenc: Fix undefined shift
2020-07-03 14:13:50 +02:00 · 2020-07-03 14:13:50 +02:00 · 2020-07-03 14:13:50 +02:00 · 2020-07-03 14:13:50 +02:00 · 2020-07-03 14:13:50 +02:00 · 2020-07-03 14:13:50 +02:00
363 changed files with 4837 additions and 2242 deletions
--- a/711
+++ b/711
@ -1,7 +1,713 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

-version <next>:
+version 3.3.9:
+- avcodec/pngdec: Check compression method
+- fftools/ffmpeg: Repair reinit_filter feature
+- avcodec/shorten: Fix integer overflow with offset
+- avcodec/cavsdec: Propagate error codes inside decode_mb_i()
+- avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case
+- avutil/integer: Fix integer overflow in av_mul_i()
+- avcodec/msrle: Check that the input is large enough to contain a end of picture code
+- avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling
+- avcodec/mpeg4videodec: Fix typo in sprite delta check
+- avcodec/h264_cavlc: Check mb_skip_run
+- avcodec/ra144: Fix integer overflow in add_wav()
+- avformat/utils: Never store negative values in last_IP_duration
+- avformat/utils: Fix integer overflow in discontinuity check
+- avcodec/unary: Improve get_unary() docs
+- avcodec/dvdsubdec: Sanity check len in decode_rle()
+- avcodec/mpeg4videodec: Fix undefined shift in get_amv()
+- avcodec/zmbv: Check that the decompressed data size is correct
+- avcodec/zmbv: Update decomp_len in raw frames
+- avcodec/shorten: Fix bitstream end check in read_header()
+- avcodec/dvdsubdec: Avoid branch in decode_run_8bit()
+- avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()
+- avcodec/ra144: Fix undefined integer overflow in add_wav()
+- avcodec/indeo4: Check dimensions in decode_pic_hdr()
+- avformat/mov: Error on too large stsd entry counts.
+- examples: Fix use of AV_CODEC_FLAG_GLOBAL_HEADER
+- avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()
+- avcodec/vb: Check for end of bytestream before reading blocktype
+- avcodec/snowdec: Fix integer overflow with motion vector residual
+- avformat/nsvdec: Do not parse multiple NSVf
+- avformat/mlvdec: read_string() received unsigned size, make the argument unsigned
+- avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()
+- avcodec/scpr: Check for min > max in decompress_p()
+- avcodec/shorten: Fix signed 32bit overflow in shift in shorten_decode_frame()
+- avcodec/shorten: Fix integer overflow in residual/LPC combination
+- avcodec/shorten: Check verbatim length
+- avcodec/mpegaudio_parser: Initialize poutbuf*
+- avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()
+- avformat/flvenc: Check audio packet size
+- lavc/svq3: Fix regression decoding some files.
+- avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()
+- avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too
+- avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions
+- avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case
+- avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()
+- avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()
+- swresample/swresample: Fix input channel count in resample_first computation
+- avutil/pixfmt: Document chroma plane size for odd resolutions
+- avcodec/cuviddec: properly take deinterlacing and display delay into account for buffer_full check
+- avcodec/bitstream_filters: check the input argument of av_bsf_get_by_name() for NULL
+
+
+version 3.3.8:
+- avcodec/dvdsub_parser: Allocate input padding
+- avcodec/dvdsub_parser: Init output buf/size
+- avcodec/imgconvert: fix possible null pointer dereference
+- avcodec/dirac_dwt_template: Fix signedness regression in interleave()
+- avformat/movenc: Write version 2 of audio atom if channels is not known
+- swresample/arm: rename labels to fix xcode build error
+- avformat/movenc: Check input sample count
+- avcodec/mjpegdec: Check for odd progressive RGB
+- avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id
+- avcodec/vp8_parser: Do not leave data/size uninitialized
+- avformat/mms: Add missing chunksize check
+- avformat/pva: Check for EOF before retrying in read_part_of_packet()
+- avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata()
+- avcodec/indeo4: Check for end of bitstream in decode_mb_info()
+- avcodec/shorten: Fix undefined addition in shorten_decode_frame()
+- avcodec/shorten: Fix undefined integer overflow
+- avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()
+- avcodec/jpeg2000dec: Check that there are enough bytes for all tiles
+- avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample
+- avcodec/escape124: Fix spelling errors in comment
+- avcodec/ra144: Fix integer overflow in ff_eval_refl()
+- avcodec/cscd: Check output buffer size for lzo.
+- avcodec/escape124: Check buf_size against num_superblocks
+- avcodec/h264_parser: Reduce needed history for parsing mb index
+- avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan()
+- avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed()
+- avcodec/dirac_dwt_template: Fix undefined behavior in interleave()
+- avutil/common: Fix undefined behavior in av_clip_uintp2_c()
+- fftools/ffmpeg: Fallback to duration if sample rate is unavailable
+- avformat/mov: Only set pkt->duration to non negative values
+- avcodec/h264_ps: Move MAX_LOG2_MAX_FRAME_NUM to header so it can be used in h264_sei
+- avcodec/h264_mc_template: Only prefetch motion if the list is used.
+- avcodec/xwddec: Use ff_set_dimensions()
+- avcodec/wavpack: Fix overflow in adding tail
+- avcodec/shorten: Fix multiple integer overflows
+- avcodec/shorten: Fix undefined shift in fix_bitshift()
+- avcodec/shorten: Fix a negative left shift in shorten_decode_frame()
+- avcodec/shorten: Sanity check nmeans
+- avcodec/shorten: Check non COMM chunk len before skip in decode_aiff_header()
+- avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan()
+- avcodec/truemotion2: Fix overflow in tm2_apply_deltas()
+- avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c
+- avcodec/amrwbdec: Fix division by 0 in find_hb_gain()
+- avformat/mov: replace a value error by clipping into valid range in mov_read_stsc()
+- avformat/mov: Break out early if chunk_count is 0 in mov_build_index()
+- avcodec/fic: Avoid some magic numbers related to cursors
+- avcodec/g2meet: ask for sample with overflowing RGB
+- avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed()
+- oavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior
+- avcodec/g723_1dec: Clip bits2 in both directions
+- avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header()
+- avcodec/mlpdec: Only change noise_type if the related fields are valid
+- indeo4: Decode all or nothing of a band header.
+- avformat/mov: Only fail for STCO/STSC contradictions if both exist
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0
+- avcodec/fic: Check available input space for cursor
+- avcodec/g2meet: Check RGB upper limit
+- avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case
+- avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done
+- avcodec/g2meet: Change order of operations to avoid undefined behavior
+- avcodec/flac_parser: Fix infinite loop
+- avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED()
+- avcodec/error_resilience: Fix integer overflow in filter181()
+- avcodec/h263dec: Check slice_ret in mspeg4 slice loop
+- avcodec/elsdec: Fix memleaks
+- avcodec/vc1_block: simplify ac_val computation
+- avcodec/ffv1enc: Check that the crc + version combination is supported
+- lavf/http.c: Free allocated client URLContext in case of error.
+- avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame
+- avcodec/dsicinvideo: Propagate errors from cin_decode_rle()
+- avcodec/dfa: Check dimension against maximum
+- avcodec/cinepak: Skip empty frames
+- avcodec/cinepak: move some checks prior to frame allocation
+- swresample/arm: remove unintentional relocation.
+- doc/APIchanges: Fix typos in hashes
+- avdevice/iec61883: free the private context at the end
+- avdevice/iec61883: return reference counted packets
+
+version 3.3.7:
+- avformat/utils: Check cur_dts in update_initial_timestamps() more
+- avcodec/utils: Enforce minimum width also for VP5/6
+- avcodec/truemotion2: Propagate out of bounds error from GET_TOK()
+- avformat/utils: Fix integer overflow in end time calculation in update_stream_timings()
+- avformat/utils: fix mixed declarations and code
+- avcodec/mjpegdec: Check input buffer size.
+- avcodec/h264_slice: Fix integer overflow with last_poc
+- avformat/mov: Fix extradata memleak
+- lavc/libopusdec: Allow avcodec_open2 to call .close
+- avcodec/movtextdec: Check style_start/end
+- avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()
+- libavcodec/rv34: error out earlier on missing references
+- swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering.
+- avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()
+- avcodec/cscd: Error out when LZ* decompression fails
+- avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()
+- avfilter/vf_signature: use av_strlcpy()
+- avcodec/utvideodec: Set pro flag based on fourcc
+- avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()
+- avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables
+- avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry()
+- avcodec/get_bits: Make sure the input bitstream with padding can be addressed
+- avformat/mov: Check STSC and remove invalid entries
+- avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it
+- avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg
+- avcodec/wmalosslessdec: Reset num_saved_bits on error path
+- avformat/mov: Fix integer overflows related to sample_duration
+- avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE
+- avformat/oggparseogm: Check lb against psize
+- avformat/oggparseogm: Fix undefined shift in ogm_packet()
+- avformat/avidec: Fix integer overflow in cum_len check
+- avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE
+- avformat/utils: Fix integer overflow of fps_first/last_dts
+- avformat/oggdec: Fix metadata memleak on multiple headers
+- libavformat/oggparsevorbis: Fix memleak on multiple headers
+- avcodec/truemotion2rt: Check input buffer size
+- avcodec/g2meet: Check tile dimensions with av_image_check_size2()
+- avcodec/exr: fix invalid shift in unpack_14()
+- avcodec/bintext: sanity check dimensions
+- avcodec/utvideodec: Check subsample factors
+- avcodec/smc: Check input packet size
+- avcodec/cavsdec: Check alpha/beta offset
+- avcodec/diracdec: Fix integer overflow in mv computation
+- avcodec/h264_parse: Clear invalid chroma weights in ff_h264_pred_weight_table()
+- avcodec/aacdec_templat: Fix integer overflow in apply_ltp()
+- avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()
+- avcodec/diracdec: Use int64 in global mv to prevent overflow
+- avcodec/dxtory: Remove code that corrupts dimensions
+- avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i()
+- avcodec/hevcdec: Check luma/chroma_log2_weight_denom
+- avcodec/jpeg2000dec: Use av_image_check_size2()
+- avcodec/vp8: Check for bitstream end before vp7_fade_frame()
+- avcodec/exr: Check remaining bits in last get code loop
+- avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c()
+- avcodec/h264_cabac: Tighten allowed coeff_abs range
+- avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc()
+- avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs()
+- avcodec/mpeg4videodec: Ignore multiple VOL headers
+- avcodec/vp3: Check eob_run
+- avcodec/pafvideo: Check allocated frame size
+- avcodec/scpr: Fix reading a pixel before the first
+- avcodec/mpeg2dec: Fix field selection for skipped macroblocks
+- avcodec/huffyuvdec: Check input buffer size
+- avcodec/utvideodec: Fix bytes left check in decode_frame()
+- avcodec/wavpack: Fix integer overflow in FFABS
+- avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble()
+- avcodec/exr: Fix memleaks in decode_header()
+- avcodec/dirac_dwt: Fix several integer overflows
+- avcodec/indeo5: Do not leave frame_type set to an invalid value
+- avcodec/hevc_ps: Check log2_sao_offset_scale_*
+- avcodec/hevc_ps: extract SPS fields required for hvcC construction
+- avcodec/mpeg4videodec: Avoid possibly aliasing violating casts
+- avcodec/get_bits: Document the return code of get_vlc2()
+- avcodec/mpeg4videodec: Check mb_num also against 0
+- avfilter/vf_transpose: Fix used plane count.
+- avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode()
+- avcodec/mjpegdec: Fix integer overflow in DC dequantization
+- avcodec/dxtory: Fix bits left checks
+- avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down
+- avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK()
+- avcodec/snowdec: Fix integer overflow before htaps check
+- avcodec/ulti: Check number of blocks at init
+- avcodec/jpeg2000: Check sum of sizes of band->prec before allocating
+- avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs()
+- avformat/lrcdec: Fix memory leak in lrc_read_header()
+- avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks()
+- configure: bump year
+- avcodec/utils: Avoid hardcoding duplicated types in sizeof()
+- avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one
+- avcodec/h264addpx_template: Fixes integer overflows
+- avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0
+- avcodec/diracdec: Fix integer overflow with quant
+- avcodec/opus_parser: Check payload_len in parse_opus_ts_header()
+- avcodec/jpeg2000dsp: Fix integer overflows in ict_int()
+- avcodec/h264_slice: Do not attempt to render into frames already output
+- avcodec/dnxhddec: Check dc vlc
+- avformat/hvcc: zero initialize the nal buffers past the last written byte
+- swresample/rematrix: fix update of channel matrix if input or output layout is undefined
+- configure: add support for libnpp* from cuda sdk 9
+- avcodec/nvenc: also clear data pointer after unregistering a resource
+- avcodec/nvenc: add some more error case checks
+- avcodec/nvenc: unregister input resource when unmapping
+- avcodec/nvenc: refcount input frame mappings
+- avformat/libssh: check the user provided a password before trying to use it
+
+
+version 3.3.6:
+- x264: Support version 153
+- avcodec/exr: Check buf_size more completely
+- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed()
+- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w()
+- avcodec/flacdec: avoid undefined shift
+- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0()
+- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()
+- tests/audiomatch: Add missing return code at the end of main()
+- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()
+- libavfilter/af_dcshift.c: Fixed repeated spelling error
+- avfilter/formats: fix wrong function name in error message
+- avcodec/amrwbdec: Fix division by 0 in voice_factor()
+- avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED()
+- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97*
+- avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing
+- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.
+- Don't manipulate duration when it's AV_NOPTS_VALUE.
+- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.
+- avformat/utils: Prevent undefined shift with wrap_bits > 64.
+- avcodec/j2kenc: Fix out of array access in encode_cblk()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()
+- avcodec/mlpdsp: Fix signed integer overflow, 2nd try
+- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*
+- avcodec/mpeg4videodec: Check also for negative versions in the validity check
+- Close ogg stream upon error when using AV_EF_EXPLODE.
+- Fix undefined shift on assumed 8-bit input.
+- Use ff_thread_once for fixed, float table init.
+- Fix leak of frame_duration_buffer in mov_fix_index().
+- avformat/mov: Propagate errors in mov_switch_root.
+- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()
+- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()
+- avcodec/zmbv: Check that the buffer is large enough for mvec
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0()
+- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb()
+- avcodec/snowdec: Check for remaining bitstream in decode_blocks()
+- avcodec/snowdec: Check intra block dc differences.
+- avformat/mov: Check size of STSC allocation
+- avcodec/vc2enc: Clear coef_buf on allocation
+- avcodec/h264dec: Fix potential array overread
+- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu
+- avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c()
+- avcodec/aacdec_fixed: Fix undefined shift
+- avcodec/mdct_*: Fix integer overflow in addition in RESCALE()
+- avcodec/snowdec: Fix integer overflow in header parsing
+- avcodec/cngdec: Fix integer clipping
+- avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()
+- avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc()
+- avutil/softfloat: Add FLOAT_MIN
+- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()
+- avcodec/xan: Check for bitstream end in xan_huffman_decode()
+- avcodec/exr: fix undefined shift in pxr24_uncompress()
+- avformat: Free the internal codec context at the end
+- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()
+- avcodec/xan: Improve overlapping check
+- avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed()
+- avcodec/aacdec_fixed: Fix integer overflow in predict()
+- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line()
+- avcodec/jpeglsdec: Check ilv for being a supported value
+- lavfi/af_pan: fix sign handling in channel coefficient parser
+- vc2enc_dwt: pad the temporary buffer by the slice siz
+
+version 3.3.5:
+- ffserver: Fix off by 1 error in path
+- avcodec/snowdec: Check mv_scale
+- avcodec/pafvideo: Check for bitstream end in decode_0()
+- avcodec/ffv1dec: Fix out of array read in slice counting
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0()
+- avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb()
+- avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta
+- avcodec/x86/lossless_videoencdsp: Fix warning: signed dword value exceeds bounds
+- avcodec/x86/lossless_videoencdsp: Fix handling of small widths
+- avcodec/truemotion2: Fix integer overflows in tm2_high_chroma()
+- avcodec/aacdec_template: Clear tns present flag on error
+- avcodec/proresdec2: SKIP_BITS() does not work with len=32
+- avcodec/hevcdsp_template: Fix undefined shift
+- avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized
+- avcodec/takdec: Fix integer overflow in decode_lpc()
+- avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift
+- avcodec/takdec: Fix integer overflows in decode_subframe()
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*()
+- avcodec/ffv1dec: Fix integer overflow in read_quant_table()
+- avcodec/svq3: Fix overflow in svq3_add_idct_c()
+- avcodec/pngdec: Clean up on av_frame_ref() failure
+
+version 3.3.4:
+- avcodec/hevc_ps: improve check for missing default display window bitstream
+- avcodec/hevc_ps: Fix c?_qp_offset_list size
+- avcodec/shorten: Move buffer allocation and offset init to end of read_header()
+- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels
+- avcodec/diracdec: Fix overflow in DC computation
+- avcodec/scpr: optimize shift loop.
+- avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE()
+- libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0
+- avformat/asfdec: Fix DoS in asf_build_simple_index()
+- avformat/mov: Fix DoS in read_tfra()
+- avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit()
+- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting
+- avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()
+- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
+- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
+- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
+- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()
+- avcodec/hevc_ps: Fix undefined shift in pcm code
+- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()
+- avformat/mvdec: Fix DoS due to lack of eof check
+- avformat/rl2: Fix DoS due to lack of eof check
+- avformat/rmdec: Fix DoS due to lack of eof check
+- avformat/cinedec: Fix DoS due to lack of eof check
+- avformat/asfdec: Fix DoS due to lack of eof check
+- avformat/hls: Fix DoS due to infinite loop
+- ffprobe: Fix NULL pointer handling in color parameter printing
+- ffprobe: Fix null pointer dereference with color primaries
+- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
+- avformat/rtpdec_h264: Fix heap-buffer-overflow
+- avformat/aviobuf: Fix signed integer overflow in avio_seek()
+- avformat/mov: Fix signed integer overflows with total_size
+- avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization
+- avcodec/aacdec_template: Fix running cleanup in decode_ics_info()
+- avcodec/me_cmp: Fix crashes on ARM due to misalignment
+- avcodec/pixlet: Fixes: undefined shift in av_mod_uintp2()
+- avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()
+- avcodec/fic: Fixes signed integer overflow
+- avcodec/snowdec: Fix off by 1 error
+- avcodec/pixlet: fixes integer overflow in read_highpass()
+- avcodec/zmbv: Check decomp_size
+- avcodec/diracdec: Fixes integer overflow
+- avcodec/diracdec: Check perspective_exp and zrs_exp.
+- avcodec/ffv1dec_template: Fix undefined shift
+- avcodec/mpeg4videodec: Clear mcsel before decoding an image
+- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*
+- avcodec/aacdec_fixed: fix invalid shift in predict()
+- avcodec/h264_slice: Fix overflow in slice offset
+- avformat/utils: fix memory leak in avformat_free_context
+- swscale: fix gbrap16 alpha channel issues
+- avcodec/h264idct_template: Fix integer overflow in ff_h264_idct_add()
+- avcodec/diracdsp: fix integer overflow
+- avcodec/diracdec: Check weight_log2denom
+- avcodec/nvenc: only push cuda context on encoder close if encoder exists
+- avfilter/vf_ssim: fix temp size calculation
+
+version 3.3.3:
+- avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()
+- avcodec/diracdec: Fix integer overflow in divide3()
+- avcodec/takdec: Fix integer overflow in decode_subframe()
+- avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2
+- avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2
+- avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH()
+- avcodec/pixlet: Simplify nbits computation
+- avcodec/dnxhddec: Move mb height check out of non hr branch
+- avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2
+- avformat/oggparsecelt: Do not re-allocate os->private
+- avcodec/ylc: Fix shift overflow
+- avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20()
+- avcodec/aacdec_fixed: fix: left shift of negative value -1
+- avcodec/dirac_vlc: Fix undefined shift
+- doc/filters: typo in frei0r
+- avcodec/cfhd: Fix decoding regression due to height check
+- avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later
+- avcodec/ffv1dec_template: Fix signed integer overflow
+- avcodec/aacdec_template: Fix undefined integer overflow in apply_tns()
+- avcodec/magicyuv: Check that vlc len is not too large
+- avcodec/mjpegdec: Clip DC also on the negative side.
+- avcodec/aacps (fixed point): Fix multiple signed integer overflows
+- avcodec/ylc: Fix vlc of 31 bits
+- avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise()
+- avcodec/hevcdec: do not let updated extradata corrupt state
+- avcodec/wavpack: Fix invalid shift
+- avcodec/h264_slice: Fix signed integer overflow
+- avcodec/hevc_ps: Fix integer overflow with beta/tc offsets
+- avcodec/cfhd: Fix invalid left shift of negative value
+- avcodec/vb: Check vertical GMC component before multiply
+- avcodec/hevcdec: do basic validity check on delta_chroma_weight and offset
+- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int()
+- avcodec/apedec: Fix integer overflow
+- avcodec/wavpack: Fix integer overflow in wv_unpack_stereo()
+- avcodec/hevc_ps: Fix max_dec_buffer check
+- avcodec/mpeg4videodec: Fix GMC with videos of dimension 1
+- avcodec/wavpack: Fix integer overflow
+- avcodec/takdec: Fix integer overflow
+- avcodec/tiff: Update pointer only when the result is used
+- avcodec/cfhd: Check bpc before setting bpc in context
+- avcodec/cfhd: Fix undefined shift
+- avcodec/hevc_filter: Fix invalid shift
+- avcodec/mpeg4videodec: Fix overflow in virtual_ref computation
+- avcodec/lpc: signed integer overflow in compute_lpc_coefs() (aacdec_fixed)
+- avcodec/wavpack: Fix undefined integer negation
+- avcodec/aacdec_fixed: Check s for being too small
+- avcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and faster code
+- avcodec/h264: Fix mix of lossless and lossy MBs decoding
+- avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264
+- avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4
+- avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output
+- avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows
+- avcodec/hevcpred_template: Fix left shift of negative value
+- avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps()
+- avcodec/jpeg2000dec: Check nonzerobits more completely
+- avcodec/shorten: Sanity check maxnlpc
+- avcodec/truemotion2: Move skip computation after checks
+- avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2()
+- avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error
+- avcodec/hevcdec: Check nb_sps
+- avcodec/hevc_refs: Check nb_refs in add_candidate_ref()
+- avcodec/mpeg4videodec: Check sprite delta upshift against overflowing.
+- avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case
+- avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble()
+- avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible
+- avcodec/libvpxdec: Check that display dimensions fit in the storage dimensions
+- avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123
+- avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int'
+- avcodec/snowdec: Fix runtime error: left shift of negative value -1
+- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616
+- avcodec/tiff: Fix leak of geotags[].val
+- avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int'
+- avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int'
+- avcodec/cfhd: Check band parameters before storing them
+- avcodec/h264_parse: Check picture structure when initializig weight table
+- avcodec/indeo4: Check remaining data in Pic hdr extension parsing code
+- avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int'
+- lavc/aarch64/simple_idct: fix idct_col4_top coefficient
+
+
+version 3.3.2:
+- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int'
+- avcodec/pafvideo: Fix assertion failure
+- avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int'
+- avcodec/mjpegdec: Check that reference frame matches the current frame
+- avcodec/tiff: Avoid loosing allocated geotag values
+- avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int'
+- avformat/hls: Check local file extensions
+- avcodec/qdrw: Fix null pointer dereference
+- avutil/softfloat: Fix sign error in and improve documentation of av_int2sf()
+- avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]'
+- avcodec/dxv: Check remaining bytes in dxv_decompress_raw()
+- avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()
+- avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int'
+- avformat/options: log filename on open
+- avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int')
+- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int'
+- avcodec/cfhd: Fix runtime error: signed integer overflow: 65280 * 65288 cannot be represented in type 'int'
+- avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int'
+- avcodec/cinepak: Check input packet size before frame reallocation
+- avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int'
+- avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int'
+- avcodec/pnm: Use ff_set_dimensions()
+- avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int'
+- avcodec/nvenc: fix hw accelerated transcode with bframes
+- libavformat/hls: Observe Set-Cookie headers
+- libavformat/http: Ignore expired cookies
+- avformat/avidec: Limit formats in gab2 to srt and ass/ssa
+- avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float'
+- avcodec/wavpack: Check float_shift
+- avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int'
+- avcodec/ansi: Fix frame memleak
+- avcodec/dds: Fix runtime error: left shift of 145 by 24 places cannot be represented in type 'int'
+- avcodec/jpeg2000dec: Use ff_set_dimensions()
+- avcodec/truemotion2: Fix passing null pointer to memset()
+- avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+- avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int'
+- avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int'
+- avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro
+- avcodec/webp: Fixes null pointer dereference
+- avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+- avcodec/ylc: Check count in build_vlc()
+- avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int'
+- avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int'
+- avcodec/jpeg2000dec: Check tile offsets more completely
+- avcodec/sheervideo: Check input buffer size before allocating and decoding
+- avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int'
+- avcodec/wnv1: More strict buffer size check
+- avcodec/libfdk-aacdec: Correct buffer_size parameter
+- avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int'
+- avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2
+- doc/filters: Clarify scale2ref example
+- avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error
+- avcodec/ra144dec: Fix runtime error: left shift of negative value -17
+- avcodec/pixlet: Fix runtime error: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int'
+- avformat/mux: Fix copy an paste typo
+- avutil/internal: Do not enable CHECKED with DEBUG
+- avcodec/clearvideo: Check buf_size before decoding frame
+- avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int'
+- avcodec/smc: Check remaining input
+- avcodec/diracdec: Fix off by 1 error in quant check
+- avcodec/jpeg2000dec: Fix copy and paste error
+- avcodec/jpeg2000dec: Check tile offsets
+- avcodec/sanm: Fix uninitialized reference frames
+- avcodec/jpeglsdec: Check get_bits_left() before decoding a picture
+- avcodec/fmvc: Fix use of uninitialized memory when the first frame is not a keyframe
+- avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71
+- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int'
+- avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int'
+- avcodec/mpeg4videodec: Check for multiple VOL headers
+- avcodec/vp9block: fix runtime error: signed integer overflow: 196675 * 20670 cannot be represented in type 'int'
+- avcodec/vmnc: Check location before use
+- avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int'
+- avcodec/aac_defines: Fix: runtime error: left shift of negative value -2
+- avcodec/takdec: Fix runtime error: left shift of negative value -63
+- avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int'
+- avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int'
+- avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context
+- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int'
+- avcodec/mimic: Use ff_set_dimensions() to set the dimensions
+- avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int'
+- avcodec/pixlet: Fix reading invalid numbers of bits
+- avcodec/mlpdec: Fix: runtime error: left shift of negative value -8
+- avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int'
+- avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'
+- avcodec/aacdec_template: Fix fixed point scale in decode_cce()
+- avcodec/fmvc: Fix off by 1 error
+- avcodec/flicvideo: Check frame_size before decrementing
+- avcodec/mlpdec: Fix runtime error: left shift of negative value -1
+- avcodec/takdec: Fix  runtime error: left shift of negative value -42
+- avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int'
+- avcodec/scpr: mask bits to prevent out of array read
+- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int'
+- avcodec/svq3: Fix runtime error: left shift of negative value -6
+- avcodec/tiff: reset sampling[] if its invalid
+- configure: Fix the msvcrt version check for mingw32
+- lavf/mov: make invalid m{d,v}hd time_scale default to 1 instead of erroring out
+- lavc/ffjni: add missing '\n'
+- lavc/mediacodec_wrapper: do not declare JNIAMedia{Codec,CodecList,Format}Fields on the stack
+- lavc/mediacodec_wrapper: fix local reference leaks
+- avcodec/nvenc: remove unnecessary alignment
+- Use AVOnce as a static variable consistently
+- avfilter: take_samples: do not directly return frame when samples are skipped
+- avutil/hwcontext_dxva2: Don't improperly free IDirect3DSurface9 objects
+
+version 3.3.1:
+- libswscale/tests/swscale: Fix uninitialized variables
+- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int'
+- avcodec/webp: Fix signedness in prefix_code check
+- avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int'
+- avcodec/mlpdec: Check that there is enough data for headers
+- avcodec/ac3dec: Keep track of band structure
+- avcodec/webp: Add missing input padding
+- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1
+- avcodec/aacsbr_template: Do not change bs_num_env before its checked
+- avcodec/scpr: Fix multiple runtime error: index 256 out of bounds for type 'unsigned int [256]'
+- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1
+- avcodec/xpmdec: Fix multiple pointer/memory issues
+- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int'
+- avcodec/avcodec: Limit the number of side data elements per packet
+- avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
+- avcodec/g723_1dec: Fix runtime error: left shift of negative value -1
+- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int'
+- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610
+- avcodec/msmpeg4dec: Check for cbpy VLC errors
+- avcodec/cllc: Check num_bits
+- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers
+- avcodec/scpr: Check y in first line loop in decompress_i()
+- avcodec/dvbsubdec: Check entry_id
+- avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int'
+- avcodec/mpeg12dec: Fixes runtime error: division by zero
+- avcodec/pixlet: Fix runtime error: signed integer overflow: 436207616 * -5160230545260541 cannot be represented in type 'long'
+- avcodec/webp: Always set pix_fmt
+- avfilter/vf_uspp: Fix currently unused input frame dimensions
+- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1
+- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int'
+- avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int'
+- avformat/wavdec: Check chunk_size
+- avcodec/cavs: Check updated MV
+- avcodec/y41pdec: Fix width in input buffer size check
+- avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int'
+- avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int'
+- avcodec/lagarith: Check scale_factor
+- avcodec/lagarith: Fix runtime error: left shift of negative value -1
+- avcodec/takdec: Fix multiple  runtime error: left shift of negative value -1
+- avcodec/indeo2: Check for invalid VLCs
+- avcodec/g723_1dec: Fix several integer related cases of undefined behaviour
+- avcodec/htmlsubtitles: Check for string truncation and return error
+- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int'
+- avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int'
+- avcodec/dvbsubdec: check region dimensions
+- avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int'
+- avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col()
+- avcodec/cavsdec: Check sym_factor
+- avcodec/cdxl: Check format for BGR24
+- avcodec/ffv1dec: Fix copying planes of paletted formats
+- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int'
+- avcodec/xwddec: Check bpp more completely
+- avcodec/aacdec_template: Do not decode 2nd PCE if it will lead to failure
+- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int'
+- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int'
+- avcodec/g726: Fix runtime error: left shift of negative value -2
+- avcodec/magicyuv: Check len to be supported
+- avcodec/ra144: Fix runtime error: left shift of negative value -798
+- avcodec/mss34dsp: Fix multiple signed integer overflow
+- avcodec/targa_y216dec: Fix width type
+- avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
+- avcodec/ivi_dsp: Fix multiple left shift of negative value -2
+- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int'
+- avcodec/msmpeg4dec: Correct table depth
+- avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+- avcodec/cdxl: Check format parameter
+- avutil/softfloat: Fix overflow in av_div_sf()
+- avcodec/hq_hqa: Fix runtime error: left shift of negative value -207
+- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from
+- avcodec/shorten: Check k in get_uint()
+- avcodec/webp: Fix null pointer dereference
+- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
+- avcodec/g723_1: Fix multiple runtime error: left shift of negative value
+- avcodec/mimic: Fix runtime error: left shift of negative value -1
+- avcodec/clearvideo: Fix multiple runtime error: left shift of negative value -1024
+- avcodec/fic: Fix multiple left shift of negative value -15
+- avcodec/mlpdec: Fix runtime error: left shift of negative value -22
+- avcodec/snowdec: Check qbias
+- avutil/softfloat: Fix multiple runtime error: left shift of negative value -8
+- avcodec/aacsbr_template: Do not leave bs_num_env invalid
+- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int'
+- avcodec/dfa: Fix off by 1 error
+- avcodec/nellymoser: Fix multiple left shift of negative value -8591
+- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int'
+- avcodec/g722: Fix multiple runtime error: left shift of negative value -1
+- avcodec/dss_sp: Fix multiple left shift of negative value -466
+- avcodec/wnv1: Fix runtime error: left shift of negative value -1
+- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so
+- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int'
+- avcodec/cavsdec: Fix undefined behavior from integer overflow
+- avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int'
+- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit
+- avcodec/pngdec: Use ff_set_dimensions()
+- avcodec/msvideo1: Check buffer size before re-getting the frame
+- avcodec/h264_cavlc: Fix undefined behavior on qscale overflow
+- avcodec/dcadsp: Fix runtime error: signed integer overflow
+- avcodec/svq3: Reject dx/dy beyond 16bit
+- avcodec/svq3: Increase offsets to prevent integer overflows
+- avcodec/indeo2: Check remaining bits in ir2_decode_plane()
+- avcodec/vp3: Check remaining bits in unpack_dct_coeffs()
+- doc/developer: Add terse documentation of assumed C implementation defined behavior
+- avcodec/bmp: Use ff_set_dimensions()
+- avcodec/mdec: Fix runtime error: left shift of negative value -127
+- avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang
+- libavcodec/exr : fix float to uint16 conversion for negative float value
+- avformat/webmdashenc: Validate the 'streams' adaptation sets parameter
+- avformat/webmdashenc: Require the 'adaptation_sets' option to be set
+- lavfi/avfiltergraph: only return EOF in avfilter_graph_request_oldest if all sinks EOFed
+- ffmpeg: check for unconnected outputs
+- avformat/utils: free AVStream.codec properly in free_stream()
+- avcodec/options: do a more thorough clean up in avcodec_copy_context()
+- avcodec/options: factorize avcodec_copy_context() cleanup code
+- ffmpeg: count packets when queued
+- avformat/concatdec: fix the h264 annexb extradata check
+- avcodec/dnxhd_parser: fix parsing interlaced video, simplify code
+- ffmpeg; check return code of avcodec_send_frame when flushing encoders
+- avcodec/g723_1dec: Fix LCG type
+- avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int'
+- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]'
+- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode
+- avcodec/pixlet: Fixes: runtime error: signed integer overflow: 9203954323419769657 + 29897660706736950 cannot be represented in type 'long'
+- avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int'
+- avcodec/rscc: Check pixel_size for overflow
+- avcodec/fmvc: Check nb_blocks
+- avcodec/cllc: Check prefix
+- avcodec/webp: Factor update_canvas_size() out
+- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame()
+- avcodec/snowdec: Check width
+- avcodec/flacdec: Return error code instead of 0 for failures
+- avcodec/opus_silk: Fix integer overflow and out of array read
+- avcodec/aacps: Fix undefined behavior
+- avcodec/pixlet: Fix shift exponent 4294967268 is too large for 32-bit type 'int'
+- doc/general: fix project name after 2b1a6b1ae
+
+
+version 3.3:
 - CrystalHD decoder moved to new decode API
 - add internal ebur128 library, remove external libebur128 dependency
 - Pro-MPEG CoP #3-R2 FEC protocol
@ -22,6 +728,7 @@ version <next>:
 - threshold filter
 - midequalizer filter
 - Optimal Huffman tables for (M)JPEG encoding
+- VAAPI-accelerated MPEG-2 and VP8 encoding
 - FM Screen Capture Codec decoder
 - native Opus encoder
 - ScreenPressor decoder
@ -32,6 +739,7 @@ version <next>:
 - Removed the legacy X11 screen grabber, use XCB instead
 - MPEG-7 Video Signature filter
 - Removed asyncts filter (use af_aresample instead)
+- Intel QSV-accelerated VP8 video decoding


 version 3.2:
@ -119,7 +827,6 @@ version 3.1:
 - libutvideo wrapper removed
 - YUY2 Lossless Codec decoder
 - VideoToolbox H.264 encoder
- VAAPI-accelerated MPEG-2 and VP8 encoding


 version 3.0:
--- a/2
+++ b/2
@ -1 +1 @@
-3.3.git
+3.3.9
--- a/15
+++ b/15
@ -0,0 +1,15 @@
+
+              ┌────────────────────────────────────────┐
+              │ RELEASE NOTES for FFmpeg 3.3 "Hilbert" │
+              └────────────────────────────────────────┘
+
+   The FFmpeg Project proudly presents FFmpeg 3.3 "Hilbert", about 5
+   months after the release of FFmpeg 3.2.
+
+   A complete Changelog is available at the root of the project, and the
+   complete Git history on http://source.ffmpeg.org.
+
+   We hope you will like this release as much as we enjoyed working on it, and
+   as usual, if you have any questions about it, or any FFmpeg related topic,
+   feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask
+   on the mailing-lists.
--- a/10
+++ b/10
@ -1513,6 +1513,7 @@ EXTERNAL_LIBRARY_GPL_LIST="
 "

 EXTERNAL_LIBRARY_NONFREE_LIST="
+    decklink
    libfdk_aac
    openssl
 "
@ -1536,7 +1537,6 @@ EXTERNAL_LIBRARY_LIST="
    $EXTERNAL_LIBRARY_GPLV3_LIST
    chromaprint
    crystalhd
-    decklink
    gcrypt
    gnutls
    jni
@ -5067,7 +5067,7 @@ probe_libc(){
        add_${pfx}cppflags -U__STRICT_ANSI__ -D__USE_MINGW_ANSI_STDIO=1
        check_${pfx}cpp_condition _mingw.h "defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0502" ||
            add_${pfx}cppflags -D_WIN32_WINNT=0x0502
-        check_${pfx}cpp_condition _mingw.h "__MSVCRT_VERSION__ < 0x0700__" &&
+        check_${pfx}cpp_condition _mingw.h "__MSVCRT_VERSION__ < 0x0700" &&
            add_${pfx}cppflags -D__MSVCRT_VERSION__=0x0700
        eval test \$${pfx_no_}cc_type = "gcc" &&
            add_${pfx}cppflags -D__printf__=__gnu_printf__
@ -5797,7 +5797,9 @@ enabled libmfx            && require_pkg_config libmfx "mfx/mfxvideo.h" MFXInit
 enabled libmodplug        && require_pkg_config libmodplug libmodplug/modplug.h ModPlug_Load
 enabled libmp3lame        && require "libmp3lame >= 3.98.3" lame/lame.h lame_set_VBR_quality -lmp3lame
 enabled libnut            && require libnut libnut.h nut_demuxer_init -lnut
-enabled libnpp            && require libnpp npp.h nppGetLibVersion -lnppi -lnppc
+enabled libnpp            && { check_lib npp.h nppGetLibVersion -lnppig -lnppicc -lnppc ||
+                               check_lib npp.h nppGetLibVersion -lnppi -lnppc ||
+                               die "ERROR: libnpp not found"; }
 enabled libopencore_amrnb && require libopencore_amrnb opencore-amrnb/interf_dec.h Decoder_Interface_init -lopencore-amrnb
 enabled libopencore_amrwb && require libopencore_amrwb opencore-amrwb/dec_if.h D_IF_init -lopencore-amrwb
 enabled libopencv         && { check_header opencv2/core/core_c.h &&
@ -6797,7 +6799,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2017
+#define CONFIG_THIS_YEAR 2018
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
--- a/doc/APIchanges
+++ b/doc/APIchanges
@ -15,11 +15,11 @@ libavutil:     2015-08-28

 API changes, most recent first:

-2017-03-31 - xxxxxxx - lavu 55.57.100 - spherical.h
+2017-03-31 - 9033e8723c - lavu 55.57.100 - spherical.h
  Add av_spherical_projection_name().
  Add av_spherical_from_name().

-2017-03-30 - xxxxxxx - lavu 55.53.100 / 55.27.0 - hwcontext.h
+2017-03-30 - 4cda23f1f1 - lavu 55.53.100 / 55.27.0 - hwcontext.h
  Add av_hwframe_map() and associated AV_HWFRAME_MAP_* flags.
  Add av_hwframe_ctx_create_derived().

@ -44,7 +44,7 @@ API changes, most recent first:
  Add AVCodecContext.hwaccel_flags field. This will control some hwaccels at
  a later point.

-2017-03-21 - xxxxxxx - lavf 57.67.100 / 57.08.0 - avio.h
+2017-03-21 - fc9f14c7de - lavf 57.67.100 / 57.08.0 - avio.h
  Add AVIO_SEEKABLE_TIME flag.

 2017-03-21 - d682ae70b4 - lavf 57.66.105, lavc 57.83.101 - avformat.h, avcodec.h
@ -52,7 +52,7 @@ API changes, most recent first:
  bump, and libavformat will behave as if it were always set.
  Deprecate av_packet_merge_side_data() and av_packet_split_side_data().

-2016-03-20 - xxxxxxx - lavu 55.50.100 / 55.21.0 - imgutils.h
+2016-03-20 - 8200b16a9c - lavu 55.50.100 / 55.21.0 - imgutils.h
  Add av_image_copy_uc_from(), a version of av_image_copy() for copying
  from GPU mapped memory.

@ -63,7 +63,7 @@ API changes, most recent first:
  Deprecate AVFilterGraph.resample_lavr_opts
  It's never been used by avfilter nor passed to anything.

-2017-02-10 - xxxxxxx - lavu 55.48.100 / 55.33.0 - spherical.h
+2017-02-10 - 1b7ffddb3a - lavu 55.48.100 / 55.33.0 - spherical.h
  Add AV_SPHERICAL_EQUIRECTANGULAR_TILE, av_spherical_tile_bounds(),
  and projection-specific properties (bound_left, bound_top, bound_right,
  bound_bottom, padding) to AVSphericalMapping.
@ -83,7 +83,7 @@ API changes, most recent first:
 2017-02-11 - e3af49b14b - lavu 55.47.100 - frame.h
  Add AVFrame.opaque_ref.

-2017-01-31 - xxxxxxx - lavu 55.46.100 / 55.20.0 - cpu.h
+2017-01-31 - 2eab48177d - lavu 55.46.100 / 55.20.0 - cpu.h
  Add AV_CPU_FLAG_SSSE3SLOW.

 2017-01-24 - c4618f842a - lavu 55.45.100 - channel_layout.h
@ -96,20 +96,20 @@ API changes, most recent first:
  Deprecate struct vaapi_context and the vaapi.h installed header.
  Callers should set AVCodecContext.hw_frames_ctx instead.

-2017-01-12 - dbe9dbed31 - lavfi 6.69.100- buffersink.h
+2017-01-12 - dbe9dbed31 - lavfi 6.69.100 - buffersink.h
  Add av_buffersink_get_*() functions.

-2017-01-06 - 9488032e10 - lavf 57.62.100- avio.h
+2017-01-06 - 9488032e10 - lavf 57.62.100 - avio.h
  Add avio_get_dyn_buf()

-2016-12-10 - xxxxxxx - lavu xx.xx.100- imgutils.h
+2016-12-10 - f542b152aa - lavu 55.43.100 - imgutils.h
  Add av_image_check_size2()

-2016-xx-xx - xxxxxxx - lavc 57.67.100 / 57.29.0 - avcodec.h
+2016-12-07 - e7a6f8c972 - lavc 57.67.100 / 57.29.0 - avcodec.h
  Add AV_PKT_DATA_SPHERICAL packet side data to export AVSphericalMapping
  information from containers.

-2016-xx-xx - xxxxxxx - lavu 55.42.100 / 55.30.0 - spherical.h
+2016-12-07 - 8f58ecc344 - lavu 55.42.100 / 55.30.0 - spherical.h
  Add AV_FRAME_DATA_SPHERICAL value, av_spherical_alloc() API and
  AVSphericalMapping type to export and describe spherical video properties.

@ -626,7 +626,7 @@ API changes, most recent first:
  Add av_opt_get_dict_val/set_dict_val with AV_OPT_TYPE_DICT to support
  dictionary types being set as options.

-2014-08-13 - afbd4b8 - lavf 56.01.0 - avformat.h
+2014-08-13 - afbd4b7e09 - lavf 56.01.0 - avformat.h
  Add AVFormatContext.event_flags and AVStream.event_flags for signaling to
  the user when events happen in the file/stream.

@ -643,7 +643,7 @@ API changes, most recent first:
 2014-08-08 - 5c3c671 - lavf 55.53.100 - avio.h
  Add avio_feof() and deprecate url_feof().

-2014-08-07 - bb78903 - lsws 2.1.3 - swscale.h
+2014-08-07 - bb789016d4 - lsws 2.1.3 - swscale.h
  sws_getContext is not going to be removed in the future.

 2014-08-07 - a561662 / ad1ee5f - lavc 55.73.101 / 55.57.3 - avcodec.h
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         =
+PROJECT_NUMBER         = 3.3.9

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
--- a/doc/demuxers.texi
+++ b/doc/demuxers.texi
@ -300,6 +300,24 @@ used to end the output video at the length of the shortest input file,
 which in this case is @file{input.mp4} as the GIF in this example loops
 infinitely.

+@section hls
+
+HLS demuxer
+
+It accepts the following options:
+
+@table @option
+@item live_start_index
+segment index to start live streams at (negative values are from the end).
+
+@item allowed_extensions
+',' separated list of file extensions that hls is allowed to access.
+
+@item max_reload
+Maximum number of times a insufficient list is attempted to be reloaded.
+Default value is 1000.
+@end table
+
@section image2

 Image file demuxer.
--- a/doc/developer.texi
+++ b/doc/developer.texi
@ -131,6 +131,11 @@ designated struct initializers (@samp{struct s x = @{ .i = 17 @};});

@item
 compound literals (@samp{x = (struct s) @{ 17, 23 @};}).
+
+@item
+Implementation defined behavior for signed integers is assumed to match the
+expected behavior for two's complement. Non representable values in integer
+casts are binary truncated. Shift right of signed values uses sign extension.
@end itemize

 These features are supported by all compilers we care about, so we will not
--- a/doc/examples/decode_video.c
+++ b/doc/examples/decode_video.c
@ -64,7 +64,7 @@ static int decode_write_frame(const char *outfilename, AVCodecContext *avctx,
        fflush(stdout);

        /* the picture is allocated by the decoder, no need to free it */
-        snprintf(buf, sizeof(buf), outfilename, *frame_count);
+        snprintf(buf, sizeof(buf), "%s-%d", outfilename, *frame_count);
        pgm_save(frame->data[0], frame->linesize[0],
                 frame->width, frame->height, buf);
        (*frame_count)++;
--- a/doc/examples/transcoding.c
+++ b/doc/examples/transcoding.c
@ -173,6 +173,9 @@ static int open_output_file(const char *filename)
                enc_ctx->time_base = (AVRational){1, enc_ctx->sample_rate};
            }

+            if (ofmt_ctx->oformat->flags & AVFMT_GLOBALHEADER)
+                enc_ctx->flags |= AV_CODEC_FLAG_GLOBAL_HEADER;
+
            /* Third parameter can be used to pass settings to encoder */
            ret = avcodec_open2(enc_ctx, encoder, NULL);
            if (ret < 0) {
@ -184,8 +187,6 @@ static int open_output_file(const char *filename)
                av_log(NULL, AV_LOG_ERROR, "Failed to copy encoder parameters to output stream #%u\n", i);
                return ret;
            }
-            if (ofmt_ctx->oformat->flags & AVFMT_GLOBALHEADER)
-                enc_ctx->flags |= AV_CODEC_FLAG_GLOBAL_HEADER;

            out_stream->time_base = enc_ctx->time_base;
            stream_ctx[i].enc_ctx = enc_ctx;
--- a/doc/filters.texi
+++ b/doc/filters.texi
@ -8263,7 +8263,7 @@ It accepts the following parameters:
@item filter_name
 The name of the frei0r effect to load. If the environment variable
@env{FREI0R_PATH} is defined, the frei0r effect is searched for in each of the
-directories specified by the colon-separated list in @env{FREIOR_PATH}.
+directories specified by the colon-separated list in @env{FREI0R_PATH}.
 Otherwise, the standard frei0r paths are searched, in this order:
@file{HOME/.frei0r-1/lib/}, @file{/usr/local/lib/frei0r-1/},
@file{/usr/lib/frei0r-1/}.
@ -12077,7 +12077,7 @@ uses the reference video instead of the main input as basis.

@itemize
@item
-Scale a subtitle stream to match the main video in size before overlaying
+Scale a subtitle stream (b) to match the main video (a) in size before overlaying
@example
 'scale2ref[b][a];[a][b]overlay'
@end example
--- a/doc/general.texi
+++ b/doc/general.texi
@ -188,7 +188,7 @@ For Linux and OS X, the supported AviSynth variant is

@float NOTE
 There is currently a regression in AviSynth+'s @code{capi.h} header as of
-October 2016, which interferes with the ability for builds of Libav to use
+October 2016, which interferes with the ability for builds of FFmpeg to use
 MSVC-built binaries of AviSynth. Until this is resolved, you can make sure
 a known good version is installed by checking out a version from before
 the regression occurred:
--- a/ffmpeg.c
+++ b/ffmpeg.c
@ -30,6 +30,7 @@
 #include <stdlib.h>
 #include <errno.h>
 #include <limits.h>
+#include <stdatomic.h>
 #include <stdint.h>

 #if HAVE_IO_H
@ -319,7 +320,7 @@ void term_exit(void)

 static volatile int received_sigterm = 0;
 static volatile int received_nb_signals = 0;
-static volatile int transcode_init_done = 0;
+static atomic_int transcode_init_done = ATOMIC_VAR_INIT(0);
 static volatile int ffmpeg_exited = 0;
 static int main_return_code = 0;

@ -457,7 +458,7 @@ static int read_key(void)

 static int decode_interrupt_cb(void *ctx)
 {
-    return received_nb_signals > transcode_init_done;
+    return received_nb_signals > atomic_load(&transcode_init_done);
 }

 const AVIOInterruptCB int_cb = { decode_interrupt_cb, NULL };
@ -553,6 +554,7 @@ static void ffmpeg_cleanup(int ret)
        ost->audio_channels_mapped = 0;

        av_dict_free(&ost->sws_dict);
+        av_dict_free(&ost->swr_opts);

        avcodec_free_context(&ost->enc_ctx);
        avcodec_parameters_free(&ost->ref_par);
@ -612,7 +614,7 @@ static void ffmpeg_cleanup(int ret)
    if (received_sigterm) {
        av_log(NULL, AV_LOG_INFO, "Exiting normally, received signal %d.\n",
               (int) received_sigterm);
-    } else if (ret && transcode_init_done) {
+    } else if (ret && atomic_load(&transcode_init_done)) {
        av_log(NULL, AV_LOG_INFO, "Conversion failed!\n");
    }
    term_exit();
@ -668,12 +670,28 @@ static void close_all_output_streams(OutputStream *ost, OSTFinished this_stream,
    }
 }

-static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost)
+static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost, int unqueue)
 {
    AVFormatContext *s = of->ctx;
    AVStream *st = ost->st;
    int ret;

+    /*
+     * Audio encoders may split the packets --  #frames in != #packets out.
+     * But there is no reordering, so we can limit the number of output packets
+     * by simply dropping them here.
+     * Counting encoded video frames needs to be done separately because of
+     * reordering, see do_video_out().
+     * Do not count the packet when unqueued because it has been counted when queued.
+     */
+    if (!(st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && ost->encoding_needed) && !unqueue) {
+        if (ost->frame_number >= ost->max_frames) {
+            av_packet_unref(pkt);
+            return;
+        }
+        ost->frame_number++;
+    }
+
    if (!of->header_written) {
        AVPacket tmp_pkt = {0};
        /* the muxer is not initialized yet, buffer the packet */
@ -702,20 +720,6 @@ static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost)
        (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO && audio_sync_method < 0))
        pkt->pts = pkt->dts = AV_NOPTS_VALUE;

-    /*
-     * Audio encoders may split the packets --  #frames in != #packets out.
-     * But there is no reordering, so we can limit the number of output packets
-     * by simply dropping them here.
-     * Counting encoded video frames needs to be done separately because of
-     * reordering, see do_video_out()
-     */
-    if (!(st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && ost->encoding_needed)) {
-        if (ost->frame_number >= ost->max_frames) {
-            av_packet_unref(pkt);
-            return;
-        }
-        ost->frame_number++;
-    }
    if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) {
        int i;
        uint8_t *sd = av_packet_get_side_data(pkt, AV_PKT_DATA_QUALITY_STATS,
@ -860,10 +864,10 @@ static void output_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost)
                    goto finish;
                idx++;
            } else
-                write_packet(of, pkt, ost);
+                write_packet(of, pkt, ost, 0);
        }
    } else
-        write_packet(of, pkt, ost);
+        write_packet(of, pkt, ost, 0);

 finish:
    if (ret < 0 && ret != AVERROR_EOF) {
@ -1903,8 +1907,6 @@ static void flush_encoders(void)
        if (enc->codec_type != AVMEDIA_TYPE_VIDEO && enc->codec_type != AVMEDIA_TYPE_AUDIO)
            continue;

-        avcodec_send_frame(enc, NULL);
-
        for (;;) {
            const char *desc = NULL;
            AVPacket pkt;
@ -1926,7 +1928,17 @@ static void flush_encoders(void)
                pkt.size = 0;

                update_benchmark(NULL);
-                ret = avcodec_receive_packet(enc, &pkt);
+
+                while ((ret = avcodec_receive_packet(enc, &pkt)) == AVERROR(EAGAIN)) {
+                    ret = avcodec_send_frame(enc, NULL);
+                    if (ret < 0) {
+                        av_log(NULL, AV_LOG_FATAL, "%s encoding failed: %s\n",
+                               desc,
+                               av_err2str(ret));
+                        exit_program(1);
+                    }
+                }
+
                update_benchmark("flush_%s %d.%d", desc, ost->file_index, ost->index);
                if (ret < 0 && ret != AVERROR_EOF) {
                    av_log(NULL, AV_LOG_FATAL, "%s encoding failed: %s\n",
@ -2143,9 +2155,6 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame)

    /* determine if the parameters for this input changed */
    need_reinit = ifilter->format != frame->format;
-    if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx ||
-        (ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data))
-        need_reinit = 1;

    switch (ifilter->ist->st->codecpar->codec_type) {
    case AVMEDIA_TYPE_AUDIO:
@ -2159,6 +2168,13 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame)
        break;
    }

+    if (!ifilter->ist->reinit_filters && fg->graph)
+        need_reinit = 0;
+
+    if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx ||
+        (ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data))
+        need_reinit = 1;
+
    if (need_reinit) {
        ret = ifilter_parameters_from_frame(ifilter, frame);
        if (ret < 0)
@ -2714,8 +2730,12 @@ static int process_input_packet(InputStream *ist, const AVPacket *pkt, int no_eo
        ist->dts = ist->next_dts;
        switch (ist->dec_ctx->codec_type) {
        case AVMEDIA_TYPE_AUDIO:
-            ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) /
-                             ist->dec_ctx->sample_rate;
+            if (ist->dec_ctx->sample_rate) {
+                ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) /
+                                  ist->dec_ctx->sample_rate;
+            } else {
+                ist->next_dts += av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q);
+            }
            break;
        case AVMEDIA_TYPE_VIDEO:
            if (ist->framerate.num) {
@ -2962,7 +2982,7 @@ static int check_init_output_file(OutputFile *of, int file_index)
        while (av_fifo_size(ost->muxing_queue)) {
            AVPacket pkt;
            av_fifo_generic_read(ost->muxing_queue, &pkt, sizeof(pkt), NULL);
-            write_packet(of, &pkt, ost);
+            write_packet(of, &pkt, ost, 1);
        }
    }

@ -3758,7 +3778,7 @@ static int transcode_init(void)
        return ret;
    }

-    transcode_init_done = 1;
+    atomic_store(&transcode_init_done, 1);

    return 0;
 }
--- a/ffmpeg.h
+++ b/ffmpeg.h
@ -638,6 +638,7 @@ void choose_sample_fmt(AVStream *st, AVCodec *codec);

 int configure_filtergraph(FilterGraph *fg);
 int configure_output_filter(FilterGraph *fg, OutputFilter *ofilter, AVFilterInOut *out);
+void check_filter_outputs(void);
 int ist_in_filtergraph(FilterGraph *fg, InputStream *ist);
 int filtergraph_is_simple(FilterGraph *fg);
 int init_simple_filtergraph(InputStream *ist, OutputStream *ost);
--- a/ffmpeg_filter.c
+++ b/ffmpeg_filter.c
@ -678,6 +678,21 @@ int configure_output_filter(FilterGraph *fg, OutputFilter *ofilter, AVFilterInOu
    }
 }

+void check_filter_outputs(void)
+{
+    int i;
+    for (i = 0; i < nb_filtergraphs; i++) {
+        int n;
+        for (n = 0; n < filtergraphs[i]->nb_outputs; n++) {
+            OutputFilter *output = filtergraphs[i]->outputs[n];
+            if (!output->ost) {
+                av_log(NULL, AV_LOG_FATAL, "Filter %s has an unconnected output\n", output->name);
+                exit_program(1);
+            }
+        }
+    }
+}
+
 static int sub2video_prepare(InputStream *ist, InputFilter *ifilter)
 {
    AVFormatContext *avf = input_files[ist->file_index]->ctx;
--- a/ffmpeg_opt.c
+++ b/ffmpeg_opt.c
@ -1,3 +1,4 @@
+
 /*
 * ffmpeg option parsing
 *
@ -2303,12 +2304,14 @@ loop_end:
                   o->attachments[i]);
            exit_program(1);
        }
-        if (!(attachment = av_malloc(len))) {
-            av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n",
+        if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE ||
+            !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) {
+            av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n",
                   o->attachments[i]);
            exit_program(1);
        }
        avio_read(pb, attachment, len);
+        memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);

        ost = new_attachment_stream(o, oc, -1);
        ost->stream_copy               = 0;
@ -2700,13 +2703,14 @@ static int opt_target(void *optctx, const char *opt, const char *arg)
    } else {
        /* Try to determine PAL/NTSC by peeking in the input files */
        if (nb_input_files) {
-            int i, j, fr;
+            int i, j;
            for (j = 0; j < nb_input_files; j++) {
                for (i = 0; i < input_files[j]->nb_streams; i++) {
                    AVStream *st = input_files[j]->ctx->streams[i];
+                    int64_t fr;
                    if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO)
                        continue;
-                    fr = st->time_base.den * 1000 / st->time_base.num;
+                    fr = st->time_base.den * 1000LL / st->time_base.num;
                    if (fr == 25000) {
                        norm = PAL;
                        break;
@ -3260,6 +3264,8 @@ int ffmpeg_parse_options(int argc, char **argv)
        goto fail;
    }

+    check_filter_outputs();
+
 fail:
    uninit_parse_context(&octx);
    if (ret < 0) {
--- a/ffprobe.c
+++ b/ffprobe.c
@ -1899,6 +1899,57 @@ static void print_pkt_side_data(WriterContext *w,
    writer_print_section_footer(w);
 }

+static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback)
+{
+    const char *val = av_color_range_name(color_range);
+    if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) {
+        print_str_opt("color_range", fallback);
+    } else {
+        print_str("color_range", val);
+    }
+}
+
+static void print_color_space(WriterContext *w, enum AVColorSpace color_space)
+{
+    const char *val = av_color_space_name(color_space);
+    if (!val || color_space == AVCOL_SPC_UNSPECIFIED) {
+        print_str_opt("color_space", "unknown");
+    } else {
+        print_str("color_space", val);
+    }
+}
+
+static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries)
+{
+    const char *val = av_color_primaries_name(color_primaries);
+    if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) {
+        print_str_opt("color_primaries", "unknown");
+    } else {
+        print_str("color_primaries", val);
+    }
+}
+
+static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc)
+{
+    const char *val = av_color_transfer_name(color_trc);
+    if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) {
+        print_str_opt("color_transfer", "unknown");
+    } else {
+        print_str("color_transfer", val);
+    }
+}
+
+static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location)
+{
+    const char *val = av_chroma_location_name(chroma_location);
+    if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) {
+        print_str_opt("chroma_location", "unspecified");
+    } else {
+        print_str("chroma_location", val);
+    }
+}
+
+
 static void clear_log(int need_lock)
 {
    int i;
@ -2406,29 +2457,12 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id
        if (s) print_str    ("pix_fmt", s);
        else   print_str_opt("pix_fmt", "unknown");
        print_int("level",   par->level);
-        if (par->color_range != AVCOL_RANGE_UNSPECIFIED)
-            print_str    ("color_range", av_color_range_name(par->color_range));
-        else
-            print_str_opt("color_range", "N/A");

-        s = av_get_colorspace_name(par->color_space);
-        if (s) print_str    ("color_space", s);
-        else   print_str_opt("color_space", "unknown");
-
-        if (par->color_trc != AVCOL_TRC_UNSPECIFIED)
-            print_str("color_transfer", av_color_transfer_name(par->color_trc));
-        else
-            print_str_opt("color_transfer", av_color_transfer_name(par->color_trc));
-
-        if (par->color_primaries != AVCOL_PRI_UNSPECIFIED)
-            print_str("color_primaries", av_color_primaries_name(par->color_primaries));
-        else
-            print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries));
-
-        if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED)
-            print_str("chroma_location", av_chroma_location_name(par->chroma_location));
-        else
-            print_str_opt("chroma_location", av_chroma_location_name(par->chroma_location));
+        print_color_range(w, par->color_range, "N/A");
+        print_color_space(w, par->color_space);
+        print_color_trc(w, par->color_trc);
+        print_primaries(w, par->color_primaries);
+        print_chroma_location(w, par->chroma_location);

        if (par->field_order == AV_FIELD_PROGRESSIVE)
            print_str("field_order", "progressive");
@ -3442,8 +3476,6 @@ int main(int argc, char **argv)
        goto end;
    }
 #endif
-    av_log_set_callback(log_callback);
-
    av_log_set_flags(AV_LOG_SKIP_REPEATED);
    register_exit(ffprobe_cleanup);

@ -3459,6 +3491,9 @@ int main(int argc, char **argv)
    show_banner(argc, argv, options);
    parse_options(NULL, argc, argv, options, opt_input_file);

+    if (do_show_log)
+        av_log_set_callback(log_callback);
+
    /* mark things to show, based on -show_entries */
    SET_DO_SHOW(CHAPTERS, chapters);
    SET_DO_SHOW(ERROR, error);
--- a/ffserver.c
+++ b/ffserver.c
@ -476,7 +476,7 @@ static int compute_datarate(DataRateData *drd, int64_t count)
 static void start_children(FFServerStream *feed)
 {
    char *pathname;
-    char *slash;
+    char *dirname, *prog;
    int i;
    size_t cmd_length;

@ -495,22 +495,18 @@ static void start_children(FFServerStream *feed)
        return;
    }

-    slash = strrchr(my_program_name, '/');
-    if (!slash) {
-        pathname = av_mallocz(sizeof("ffmpeg"));
-    } else {
-        pathname = av_mallocz(slash - my_program_name + sizeof("ffmpeg"));
-        if (pathname != NULL) {
-            memcpy(pathname, my_program_name, slash - my_program_name);
-        }
+   /* use "ffmpeg" in the path of current program. Ignore user provided path */
+    prog = av_strdup(my_program_name);
+    if (prog) {
+        dirname = av_dirname(prog);
+        pathname = *dirname ? av_asprintf("%s/%s", dirname, "ffmpeg")
+                            : av_asprintf("ffmpeg");
+        av_free(prog);
    }
-    if (!pathname) {
+    if (!prog || !pathname) {
        http_log("Could not allocate memory for children cmd line\n");
        return;
    }
-   /* use "ffmpeg" in the path of current program. Ignore user provided path */
-
-    strcat(pathname, "ffmpeg");

    for (; feed; feed = feed->next) {

--- a/libavcodec/Makefile
+++ b/libavcodec/Makefile
@ -973,7 +973,8 @@ OBJS-$(CONFIG_AAC_ADTSTOASC_BSF)          += aac_adtstoasc_bsf.o aacadtsdec.o \
 OBJS-$(CONFIG_CHOMP_BSF)                  += chomp_bsf.o
 OBJS-$(CONFIG_DUMP_EXTRADATA_BSF)         += dump_extradata_bsf.o
 OBJS-$(CONFIG_DCA_CORE_BSF)               += dca_core_bsf.o
-OBJS-$(CONFIG_EXTRACT_EXTRADATA_BSF)      += extract_extradata_bsf.o
+OBJS-$(CONFIG_EXTRACT_EXTRADATA_BSF)      += extract_extradata_bsf.o    \
+                                             h2645_parse.o
 OBJS-$(CONFIG_H264_MP4TOANNEXB_BSF)       += h264_mp4toannexb_bsf.o
 OBJS-$(CONFIG_HEVC_MP4TOANNEXB_BSF)       += hevc_mp4toannexb_bsf.o
 OBJS-$(CONFIG_IMX_DUMP_HEADER_BSF)        += imx_dump_header_bsf.o
--- a/libavcodec/aac_adtstoasc_bsf.c
+++ b/libavcodec/aac_adtstoasc_bsf.c
@ -49,14 +49,14 @@ static int aac_adtstoasc_filter(AVBSFContext *bsfc, AVPacket *out)
    if (ret < 0)
        return ret;

+    if (bsfc->par_in->extradata && in->size >= 2 && (AV_RB16(in->data) >> 4) != 0xfff)
+        goto finish;
+
    if (in->size < AAC_ADTS_HEADER_SIZE)
        goto packet_too_small;

    init_get_bits(&gb, in->data, AAC_ADTS_HEADER_SIZE * 8);

-    if (bsfc->par_in->extradata && show_bits(&gb, 12) != 0xfff)
-        goto finish;
-
    if (avpriv_aac_parse_header(&gb, &hdr) < 0) {
        av_log(bsfc, AV_LOG_ERROR, "Error parsing ADTS frame header!\n");
        ret = AVERROR_INVALIDDATA;
--- a/libavcodec/aac_defines.h
+++ b/libavcodec/aac_defines.h
@ -35,6 +35,7 @@
 #define AAC_RENAME(x)       x ## _fixed
 #define AAC_RENAME_32(x)    x ## _fixed_32
 typedef int                 INTFLOAT;
+typedef unsigned            UINTFLOAT;  ///< Equivalent to INTFLOAT, Used as temporal cast to avoid undefined sign overflow operations.
 typedef int64_t             INT64FLOAT;
 typedef int16_t             SHORTFLOAT;
 typedef SoftFloat           AAC_FLOAT;
@ -45,7 +46,7 @@ typedef int                 AAC_SIGNE;
 #define Q30(x)              (int)((x)*1073741824.0 + 0.5)
 #define Q31(x)              (int)((x)*2147483648.0 + 0.5)
 #define RANGE15(x)          x
-#define GET_GAIN(x, y)      (-(y) << (x)) + 1024
+#define GET_GAIN(x, y)      (-(y) * (1 << (x))) + 1024
 #define AAC_MUL16(x, y)     (int)(((int64_t)(x) * (y) + 0x8000) >> 16)
 #define AAC_MUL26(x, y)     (int)(((int64_t)(x) * (y) + 0x2000000) >> 26)
 #define AAC_MUL30(x, y)     (int)(((int64_t)(x) * (y) + 0x20000000) >> 30)
@ -72,7 +73,7 @@ typedef int                 AAC_SIGNE;
 #define AAC_MSUB31_V3(x, y, z)    (int)((((int64_t)(x) * (z)) - \
                                      ((int64_t)(y) * (z)) + \
                                        0x40000000) >> 31)
-#define AAC_HALF_SUM(x, y)  (x) >> 1 + (y) >> 1
+#define AAC_HALF_SUM(x, y)  (((x) >> 1) + ((y) >> 1))
 #define AAC_SRA_R(x, y)     (int)(((x) + (1 << ((y) - 1))) >> (y))

 #else
@ -83,6 +84,7 @@ typedef int                 AAC_SIGNE;
 #define AAC_RENAME(x)       x
 #define AAC_RENAME_32(x)    x
 typedef float               INTFLOAT;
+typedef float               UINTFLOAT;
 typedef float               INT64FLOAT;
 typedef float               SHORTFLOAT;
 typedef float               AAC_FLOAT;
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@ -431,6 +431,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb)
    if (ctx->frame_length_type == 0) {
        int mux_slot_length = 0;
        do {
+            if (get_bits_left(gb) < 8)
+                return AVERROR_INVALIDDATA;
            tmp = get_bits(gb, 8);
            mux_slot_length += tmp;
        } while (tmp == 255);
@ -460,7 +462,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx,
    }
    if (latmctx->audio_mux_version_A == 0) {
        int mux_slot_length_bytes = read_payload_length_info(latmctx, gb);
-        if (mux_slot_length_bytes * 8 > get_bits_left(gb)) {
+        if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) {
            av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n");
            return AVERROR_INVALIDDATA;
        } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) {
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@ -125,7 +125,7 @@ static inline int *DEC_SQUAD(int *dst, unsigned idx)
 static inline int *DEC_UPAIR(int *dst, unsigned idx, unsigned sign)
 {
    dst[0] = (idx & 15) * (1 - (sign & 0xFFFFFFFE));
-    dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) << 1));
+    dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) * 2));

    return dst + 2;
 }
@ -134,16 +134,16 @@ static inline int *DEC_UQUAD(int *dst, unsigned idx, unsigned sign)
 {
    unsigned nz = idx >> 12;

-    dst[0] = (idx & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[0] = (idx & 3) * (1 + (((int)sign >> 31) * 2));
    sign <<= nz & 1;
    nz >>= 1;
-    dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) * 2));
    sign <<= nz & 1;
    nz >>= 1;
-    dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) * 2));
    sign <<= nz & 1;
    nz >>= 1;
-    dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) << 1));
+    dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) * 2));

    return dst + 4;
 }
@ -171,20 +171,25 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len)

    s = offset - (s >> 2);

-    if (s > 0) {
+    if (s > 31) {
+        for (i=0; i<len; i++) {
+            dst[i] = 0;
+        }
+    } else if (s > 0) {
        round = 1 << (s-1);
        for (i=0; i<len; i++) {
            out = (int)(((int64_t)src[i] * c) >> 32);
            dst[i] = ((int)(out+round) >> s) * ssign;
        }
-    }
-    else {
+    } else if (s > -32) {
        s = s + 32;
        round = 1 << (s-1);
        for (i=0; i<len; i++) {
            out = (int)((int64_t)((int64_t)src[i] * c + round) >> s);
-            dst[i] = out * ssign;
+            dst[i] = out * (unsigned)ssign;
        }
+    } else {
+        av_log(NULL, AV_LOG_ERROR, "Overflow in subband_scale()\n");
    }
 }

@ -203,8 +208,12 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len)
    c /= band_energy;
    s = 21 + nlz - (s >> 2);

-    if (s > 0) {
-        round = 1 << (s-1);
+    if (s > 31) {
+        for (i=0; i<len; i++) {
+            coefs[i] = 0;
+        }
+    } else if (s >= 0) {
+        round = s ? 1 << (s-1) : 0;
        for (i=0; i<len; i++) {
            out = (int)(((int64_t)coefs[i] * c) >> 32);
            coefs[i] = ((int)(out+round) >> s) * ssign;
@ -296,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, int *coef,
    if (output_enable) {
        int shift = 28 - pv.exp;

-        if (shift < 31)
-            *coef += (pv.mant + (1 << (shift - 1))) >> shift;
+        if (shift < 31) {
+            if (shift > 0) {
+                *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift);
+            } else
+                *coef += (unsigned)pv.mant << -shift;
+        }
    }

    e0 = av_int2sf(*coef, 2);
@ -362,7 +375,9 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
                    shift = (gain-1024) >> 3;
                }

-                if (shift < 0) {
+                if (shift < -31) {
+                    // Nothing to do
+                } else if (shift < 0) {
                    shift = -shift;
                    round = 1 << (shift - 1);

@ -370,7 +385,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
                        for (k = offsets[i]; k < offsets[i + 1]; k++) {
                            tmp = (int)(((int64_t)src[group * 128 + k] * c + \
                                       (int64_t)0x1000000000) >> 37);
-                            dest[group * 128 + k] += (tmp + round) >> shift;
+                            dest[group * 128 + k] += (tmp + (int64_t)round) >> shift;
                        }
                    }
                }
@ -379,7 +394,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
                        for (k = offsets[i]; k < offsets[i + 1]; k++) {
                            tmp = (int)(((int64_t)src[group * 128 + k] * c + \
                                        (int64_t)0x1000000000) >> 37);
-                            dest[group * 128 + k] += tmp << shift;
+                            dest[group * 128 + k] += tmp * (1U << shift);
                        }
                    }
                }
@ -402,7 +417,7 @@ static void apply_independent_coupling_fixed(AACContext *ac,
    int i, c, shift, round, tmp;
    const int gain = cce->coup.gain[index][0];
    const int *src = cce->ch[0].ret;
-    int *dest = target->ret;
+    unsigned int *dest = target->ret;
    const int len = 1024 << (ac->oc[1].m4ac.sbr == 1);

    c = cce_scale_fixed[gain & 7];
@ -419,7 +434,7 @@ static void apply_independent_coupling_fixed(AACContext *ac,
    else {
      for (i = 0; i < len; i++) {
          tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37);
-          dest[i] += tmp << shift;
+          dest[i] += tmp * (1U << shift);
      }
    }
 }
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@ -406,11 +406,15 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags)
 /**
 * Save current output configuration if and only if it has been locked.
 */
-static void push_output_configuration(AACContext *ac) {
+static int push_output_configuration(AACContext *ac) {
+    int pushed = 0;
+
    if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) {
        ac->oc[0] = ac->oc[1];
+        pushed = 1;
    }
    ac->oc[1].status = OC_NONE;
+    return pushed;
 }

 /**
@ -1277,6 +1281,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
    const MPEG4AudioConfig *const m4ac = &ac->oc[1].m4ac;
    const int aot = m4ac->object_type;
    const int sampling_index = m4ac->sampling_index;
+    int ret_fail = AVERROR_INVALIDDATA;
+
    if (aot != AOT_ER_AAC_ELD) {
        if (get_bits1(gb)) {
            av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n");
@ -1327,8 +1333,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
                ics->num_swb       =    ff_aac_num_swb_512[sampling_index];
                ics->tns_max_bands =  ff_tns_max_bands_512[sampling_index];
            }
-            if (!ics->num_swb || !ics->swb_offset)
-                return AVERROR_BUG;
+            if (!ics->num_swb || !ics->swb_offset) {
+                ret_fail = AVERROR_BUG;
+                goto fail;
+            }
        } else {
            ics->swb_offset    =    ff_swb_offset_1024[sampling_index];
            ics->num_swb       =   ff_aac_num_swb_1024[sampling_index];
@ -1352,7 +1360,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
                if (aot == AOT_ER_AAC_LD) {
                    av_log(ac->avctx, AV_LOG_ERROR,
                           "LTP in ER AAC LD not yet implemented.\n");
-                    return AVERROR_PATCHWELCOME;
+                    ret_fail = AVERROR_PATCHWELCOME;
+                    goto fail;
                }
                if ((ics->ltp.present = get_bits(gb, 1)))
                    decode_ltp(&ics->ltp, gb, ics->max_sfb);
@ -1371,7 +1380,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
    return 0;
 fail:
    ics->max_sfb = 0;
-    return AVERROR_INVALIDDATA;
+    return ret_fail;
 }

 /**
@ -1958,16 +1967,17 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
    global_gain = get_bits(gb, 8);

    if (!common_window && !scale_flag) {
-        if (decode_ics_info(ac, ics, gb) < 0)
-            return AVERROR_INVALIDDATA;
+        ret = decode_ics_info(ac, ics, gb);
+        if (ret < 0)
+            goto fail;
    }

    if ((ret = decode_band_types(ac, sce->band_type,
                                 sce->band_type_run_end, gb, ics)) < 0)
-        return ret;
+        goto fail;
    if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics,
                                  sce->band_type, sce->band_type_run_end)) < 0)
-        return ret;
+        goto fail;

    pulse_present = 0;
    if (!scale_flag) {
@ -1975,37 +1985,48 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
            if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) {
                av_log(ac->avctx, AV_LOG_ERROR,
                       "Pulse tool not allowed in eight short sequence.\n");
-                return AVERROR_INVALIDDATA;
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
            }
            if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) {
                av_log(ac->avctx, AV_LOG_ERROR,
                       "Pulse data corrupt or invalid.\n");
-                return AVERROR_INVALIDDATA;
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
            }
        }
        tns->present = get_bits1(gb);
-        if (tns->present && !er_syntax)
-            if (decode_tns(ac, tns, gb, ics) < 0)
-                return AVERROR_INVALIDDATA;
+        if (tns->present && !er_syntax) {
+            ret = decode_tns(ac, tns, gb, ics);
+            if (ret < 0)
+                goto fail;
+        }
        if (!eld_syntax && get_bits1(gb)) {
            avpriv_request_sample(ac->avctx, "SSR");
-            return AVERROR_PATCHWELCOME;
+            ret = AVERROR_PATCHWELCOME;
+            goto fail;
        }
        // I see no textual basis in the spec for this occurring after SSR gain
        // control, but this is what both reference and real implmentations do
-        if (tns->present && er_syntax)
-            if (decode_tns(ac, tns, gb, ics) < 0)
-                return AVERROR_INVALIDDATA;
+        if (tns->present && er_syntax) {
+            ret = decode_tns(ac, tns, gb, ics);
+            if (ret < 0)
+                goto fail;
+        }
    }

-    if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present,
-                                    &pulse, ics, sce->band_type) < 0)
-        return AVERROR_INVALIDDATA;
+    ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present,
+                                    &pulse, ics, sce->band_type);
+    if (ret < 0)
+        goto fail;

    if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window)
        apply_prediction(ac, sce);

    return 0;
+fail:
+    tns->present = 0;
+    return ret;
 }

 /**
@ -2177,7 +2198,11 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che)
    coup->coupling_point += get_bits1(gb) || (coup->coupling_point >> 1);

    sign  = get_bits(gb, 1);
-    scale = AAC_RENAME(cce_scale)[get_bits(gb, 2)];
+#if USE_FIXED
+    scale = get_bits(gb, 2);
+#else
+    scale = cce_scale[get_bits(gb, 2)];
+#endif

    if ((ret = decode_ics(ac, sce, gb, 0, 0)))
        return ret;
@ -2191,6 +2216,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che)
            cge = coup->coupling_point == AFTER_IMDCT ? 1 : get_bits1(gb);
            gain = cge ? get_vlc2(gb, vlc_scalefactors.table, 7, 3) - 60: 0;
            gain_cache = GET_GAIN(scale, gain);
+#if USE_FIXED
+            if ((abs(gain_cache)-1024) >> 3 > 30)
+                return AVERROR(ERANGE);
+#endif
        }
        if (coup->coupling_point == AFTER_IMDCT) {
            coup->gain[c][0] = gain_cache;
@ -2208,6 +2237,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che)
                                    t >>= 1;
                                }
                                gain_cache = GET_GAIN(scale, t) * s;
+#if USE_FIXED
+                                if ((abs(gain_cache)-1024) >> 3 > 30)
+                                    return AVERROR(ERANGE);
+#endif
                            }
                        }
                        coup->gain[c][idx] = gain_cache;
@ -2381,7 +2414,7 @@ static int decode_extension_payload(AACContext *ac, GetBitContext *gb, int cnt,
 * @param   decode  1 if tool is used normally, 0 if tool is used in LTP.
 * @param   coef    spectral coefficients
 */
-static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns,
+static void apply_tns(INTFLOAT coef_param[1024], TemporalNoiseShaping *tns,
                      IndividualChannelStream *ics, int decode)
 {
    const int mmm = FFMIN(ics->tns_max_bands, ics->max_sfb);
@ -2389,6 +2422,7 @@ static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns,
    int bottom, top, order, start, end, size, inc;
    INTFLOAT lpc[TNS_MAX_ORDER];
    INTFLOAT tmp[TNS_MAX_ORDER+1];
+    UINTFLOAT *coef = coef_param;

    for (w = 0; w < ics->num_windows; w++) {
        bottom = ics->num_swb;
@ -2418,7 +2452,7 @@ static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns,
                // ar filter
                for (m = 0; m < size; m++, start += inc)
                    for (i = 1; i <= FFMIN(m, order); i++)
-                        coef[start] -= AAC_MUL26(coef[start - i * inc], lpc[i - 1]);
+                        coef[start] -= AAC_MUL26((INTFLOAT)coef[start - i * inc], lpc[i - 1]);
            } else {
                // ma filter
                for (m = 0; m < size; m++, start += inc) {
@ -2488,7 +2522,7 @@ static void apply_ltp(AACContext *ac, SingleChannelElement *sce)
        for (sfb = 0; sfb < FFMIN(sce->ics.max_sfb, MAX_LTP_LONG_SFB); sfb++)
            if (ltp->used[sfb])
                for (i = offsets[sfb]; i < offsets[sfb + 1]; i++)
-                    sce->coeffs[i] += predFreq[i];
+                    sce->coeffs[i] += (UINTFLOAT)predFreq[i];
    }
 }

@ -3026,7 +3060,13 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
        case TYPE_PCE: {
            uint8_t layout_map[MAX_ELEM_ID*4][3];
            int tags;
-            push_output_configuration(ac);
+
+            int pushed = push_output_configuration(ac);
+            if (pce_found && !pushed) {
+                err = AVERROR_INVALIDDATA;
+                goto fail;
+            }
+
            tags = decode_pce(avctx, &ac->oc[1].m4ac, layout_map, gb,
                              payload_alignment);
            if (tags < 0) {
--- a/libavcodec/aacenc_ltp.c
+++ b/libavcodec/aacenc_ltp.c
@ -74,8 +74,8 @@ void ff_aac_ltp_insert_new_frame(AACEncContext *s)

 static void get_lag(float *buf, const float *new, LongTermPrediction *ltp)
 {
-    int i, j, lag, max_corr = 0;
-    float max_ratio;
+    int i, j, lag = 0, max_corr = 0;
+    float max_ratio = 0.0f;
    for (i = 0; i < 2048; i++) {
        float corr, s0 = 0.0f, s1 = 0.0f;
        const int start = FFMAX(0, i - 1024);
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@ -499,13 +499,13 @@ static void map_idx_34_to_20(int8_t *par_mapped, const int8_t *par, int full)
 static void map_val_34_to_20(INTFLOAT par[PS_MAX_NR_IIDICC])
 {
 #if USE_FIXED
-    par[ 0] = (int)(((int64_t)(par[ 0] + (par[ 1]>>1)) * 1431655765 + \
+    par[ 0] = (int)(((int64_t)(par[ 0] + (unsigned)(par[ 1]>>1)) * 1431655765 + \
                      0x40000000) >> 31);
-    par[ 1] = (int)(((int64_t)((par[ 1]>>1) + par[ 2]) * 1431655765 + \
+    par[ 1] = (int)(((int64_t)((par[ 1]>>1) + (unsigned)par[ 2]) * 1431655765 + \
                      0x40000000) >> 31);
-    par[ 2] = (int)(((int64_t)(par[ 3] + (par[ 4]>>1)) * 1431655765 + \
+    par[ 2] = (int)(((int64_t)(par[ 3] + (unsigned)(par[ 4]>>1)) * 1431655765 + \
                      0x40000000) >> 31);
-    par[ 3] = (int)(((int64_t)((par[ 4]>>1) + par[ 5]) * 1431655765 + \
+    par[ 3] = (int)(((int64_t)((par[ 4]>>1) + (unsigned)par[ 5]) * 1431655765 + \
                      0x40000000) >> 31);
 #else
    par[ 0] = (2*par[ 0] +   par[ 1]) * 0.33333333f;
@ -692,26 +692,17 @@ static void decorrelation(PSContext *ps, INTFLOAT (*out)[32][2], const INTFLOAT
    for (i = 0; i < NR_PAR_BANDS[is34]; i++) {
        for (n = n0; n < nL; n++) {
            int decayed_peak;
-            int denom;
-
            decayed_peak = (int)(((int64_t)peak_decay_factor * \
                                           peak_decay_nrg[i] + 0x40000000) >> 31);
            peak_decay_nrg[i] = FFMAX(decayed_peak, power[i][n]);
-            power_smooth[i] += (power[i][n] - power_smooth[i] + 2) >> 2;
-            peak_decay_diff_smooth[i] += (peak_decay_nrg[i] - power[i][n] - \
-                                          peak_decay_diff_smooth[i] + 2) >> 2;
-            denom = peak_decay_diff_smooth[i] + (peak_decay_diff_smooth[i] >> 1);
-            if (denom > power_smooth[i]) {
-              int p = power_smooth[i];
-              while (denom < 0x40000000) {
-                denom <<= 1;
-                p <<= 1;
-              }
-              transient_gain[i][n] = p / (denom >> 16);
-            }
-            else {
-              transient_gain[i][n] = 1 << 16;
-            }
+            power_smooth[i] += (power[i][n] + 2LL - power_smooth[i]) >> 2;
+            peak_decay_diff_smooth[i] += (peak_decay_nrg[i] + 2LL - power[i][n] - \
+                                          peak_decay_diff_smooth[i]) >> 2;
+
+            if (peak_decay_diff_smooth[i]) {
+                transient_gain[i][n] = FFMIN(power_smooth[i]*43691LL / peak_decay_diff_smooth[i], 1<<16);
+            } else
+                transient_gain[i][n] = 1 << 16;
        }
    }
 #else
@ -942,7 +933,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r)
            int stop  = ps->border_position[e+1];
            INTFLOAT width = Q30(1.f) / ((stop - start) ? (stop - start) : 1);
 #if USE_FIXED
-            width <<= 1;
+            width = FFMIN(2U*width, INT_MAX);
 #endif
            b = k_to_i[k];
            h[0][0] = H11[0][e][b];
@ -975,7 +966,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r)
                h_step[1][3] = AAC_MSUB31_V3(H22[1][e+1][b], h[1][3], width);
            }
            ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd](
-                l[k] + start + 1, r[k] + start + 1,
+                l[k] + 1 + start, r[k] + 1 + start,
                h, h_step, stop - start);
        }
    }
--- a/libavcodec/aacpsdsp_template.c
+++ b/libavcodec/aacpsdsp_template.c
@ -129,12 +129,12 @@ static void ps_decorrelate_c(INTFLOAT (*out)[2], INTFLOAT (*delay)[2],
            INTFLOAT apd_im = in_im;
            in_re = AAC_MSUB30(link_delay_re, fractional_delay_re,
                    link_delay_im, fractional_delay_im);
-            in_re -= a_re;
+            in_re -= (UINTFLOAT)a_re;
            in_im = AAC_MADD30(link_delay_re, fractional_delay_im,
                    link_delay_im, fractional_delay_re);
-            in_im -= a_im;
-            ap_delay[m][n+5][0] = apd_re + AAC_MUL31(ag[m], in_re);
-            ap_delay[m][n+5][1] = apd_im + AAC_MUL31(ag[m], in_im);
+            in_im -= (UINTFLOAT)a_im;
+            ap_delay[m][n+5][0] = apd_re + (UINTFLOAT)AAC_MUL31(ag[m], in_re);
+            ap_delay[m][n+5][1] = apd_im + (UINTFLOAT)AAC_MUL31(ag[m], in_im);
        }
        out[n][0] = AAC_MUL16(transient_gain[n], in_re);
        out[n][1] = AAC_MUL16(transient_gain[n], in_im);
@ -149,10 +149,10 @@ static void ps_stereo_interpolate_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2],
    INTFLOAT h1 = h[0][1];
    INTFLOAT h2 = h[0][2];
    INTFLOAT h3 = h[0][3];
-    INTFLOAT hs0 = h_step[0][0];
-    INTFLOAT hs1 = h_step[0][1];
-    INTFLOAT hs2 = h_step[0][2];
-    INTFLOAT hs3 = h_step[0][3];
+    UINTFLOAT hs0 = h_step[0][0];
+    UINTFLOAT hs1 = h_step[0][1];
+    UINTFLOAT hs2 = h_step[0][2];
+    UINTFLOAT hs3 = h_step[0][3];
    int n;

    for (n = 0; n < len; n++) {
@ -180,10 +180,10 @@ static void ps_stereo_interpolate_ipdopd_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2],
    INTFLOAT h01  = h[0][1],      h11  = h[1][1];
    INTFLOAT h02  = h[0][2],      h12  = h[1][2];
    INTFLOAT h03  = h[0][3],      h13  = h[1][3];
-    INTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0];
-    INTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1];
-    INTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2];
-    INTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3];
+    UINTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0];
+    UINTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1];
+    UINTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2];
+    UINTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3];
    int n;

    for (n = 0; n < len; n++) {
--- a/libavcodec/aacsbr_fixed.c
+++ b/libavcodec/aacsbr_fixed.c
@ -288,6 +288,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
        shift = a00.exp;
        if (shift >= 3)
            alpha0[k][0] = 0x7fffffff;
+        else if (shift <= -30)
+            alpha0[k][0] = 0;
        else {
            a00.mant <<= 1;
            shift = 2-shift;
@ -302,6 +304,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
        shift = a01.exp;
        if (shift >= 3)
            alpha0[k][1] = 0x7fffffff;
+        else if (shift <= -30)
+            alpha0[k][1] = 0;
        else {
            a01.mant <<= 1;
            shift = 2-shift;
@ -315,6 +319,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
        shift = a10.exp;
        if (shift >= 3)
            alpha1[k][0] = 0x7fffffff;
+        else if (shift <= -30)
+            alpha1[k][0] = 0;
        else {
            a10.mant <<= 1;
            shift = 2-shift;
@ -329,6 +335,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp,
        shift = a11.exp;
        if (shift >= 3)
            alpha1[k][1] = 0x7fffffff;
+        else if (shift <= -30)
+            alpha1[k][1] = 0;
        else {
            a11.mant <<= 1;
            shift = 2-shift;
@ -429,6 +437,7 @@ static void sbr_gain_calc(AACContext *ac, SpectralBandReplication *sbr,
                                                av_add_sf(FLOAT_1, sbr->e_curr[e][m]),
                                                av_add_sf(FLOAT_1, sbr->q_mapped[e][m]))));
                }
+                sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN);
            }
            for (m = sbr->f_tablelim[k] - sbr->kx[1]; m < sbr->f_tablelim[k + 1] - sbr->kx[1]; m++) {
                sum[0] = av_add_sf(sum[0], sbr->e_origmapped[e][m]);
@ -562,25 +571,39 @@ static void sbr_hf_assemble(int Y1[38][64][2],
                int idx = indexsine&1;
                int A = (1-((indexsine+(kx & 1))&2));
                int B = (A^(-idx)) + idx;
-                int *out = &Y1[i][kx][idx];
-                int shift, round;
+                unsigned *out = &Y1[i][kx][idx];
+                int shift;
+                unsigned round;

                SoftFloat *in  = sbr->s_m[e];
                for (m = 0; m+1 < m_max; m+=2) {
-                  shift = 22 - in[m  ].exp;
-                  round = 1 << (shift-1);
-                  out[2*m  ] += (in[m  ].mant * A + round) >> shift;
+                    int shift2;
+                    shift = 22 - in[m  ].exp;
+                    shift2= 22 - in[m+1].exp;
+                    if (shift < 1 || shift2 < 1) {
+                        av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d,%d\n", shift, shift2);
+                        return;
+                    }
+                    if (shift < 32) {
+                        round = 1 << (shift-1);
+                        out[2*m  ] += (int)(in[m  ].mant * A + round) >> shift;
+                    }

-                  shift = 22 - in[m+1].exp;
-                  round = 1 << (shift-1);
-                  out[2*m+2] += (in[m+1].mant * B + round) >> shift;
+                    if (shift2 < 32) {
+                        round = 1 << (shift2-1);
+                        out[2*m+2] += (int)(in[m+1].mant * B + round) >> shift2;
+                    }
                }
                if(m_max&1)
                {
-                  shift = 22 - in[m  ].exp;
-                  round = 1 << (shift-1);
-
-                  out[2*m  ] += (in[m  ].mant * A + round) >> shift;
+                    shift = 22 - in[m  ].exp;
+                    if (shift < 1) {
+                        av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d\n", shift);
+                        return;
+                    } else if (shift < 32) {
+                        round = 1 << (shift-1);
+                        out[2*m  ] += (int)(in[m  ].mant * A + round) >> shift;
+                    }
                }
            }
            indexnoise = (indexnoise + m_max) & 0x1ff;
--- a/libavcodec/aacsbr_template.c
+++ b/libavcodec/aacsbr_template.c
@ -624,24 +624,26 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
    int abs_bord_trail = 16;
    int num_rel_lead, num_rel_trail;
    unsigned bs_num_env_old = ch_data->bs_num_env;
+    int bs_frame_class, bs_num_env;

    ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env];
    ch_data->bs_amp_res = sbr->bs_amp_res_header;
    ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old];

-    switch (ch_data->bs_frame_class = get_bits(gb, 2)) {
+    switch (bs_frame_class = get_bits(gb, 2)) {
    case FIXFIX:
-        ch_data->bs_num_env                 = 1 << get_bits(gb, 2);
+        bs_num_env = 1 << get_bits(gb, 2);
+        if (bs_num_env > 4) {
+            av_log(ac->avctx, AV_LOG_ERROR,
+                   "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n",
+                   bs_num_env);
+            return -1;
+        }
+        ch_data->bs_num_env = bs_num_env;
        num_rel_lead                        = ch_data->bs_num_env - 1;
        if (ch_data->bs_num_env == 1)
            ch_data->bs_amp_res = 0;

-        if (ch_data->bs_num_env > 4) {
-            av_log(ac->avctx, AV_LOG_ERROR,
-                   "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n",
-                   ch_data->bs_num_env);
-            return -1;
-        }

        ch_data->t_env[0]                   = 0;
        ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail;
@ -689,14 +691,15 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
        abs_bord_trail                     += get_bits(gb, 2);
        num_rel_lead                        = get_bits(gb, 2);
        num_rel_trail                       = get_bits(gb, 2);
-        ch_data->bs_num_env                 = num_rel_lead + num_rel_trail + 1;
+        bs_num_env                          = num_rel_lead + num_rel_trail + 1;

-        if (ch_data->bs_num_env > 5) {
+        if (bs_num_env > 5) {
            av_log(ac->avctx, AV_LOG_ERROR,
                   "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n",
-                   ch_data->bs_num_env);
+                   bs_num_env);
            return -1;
        }
+        ch_data->bs_num_env = bs_num_env;

        ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail;

@ -711,6 +714,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
        get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env);
        break;
    }
+    ch_data->bs_frame_class = bs_frame_class;

    av_assert0(bs_pointer >= 0);
    if (bs_pointer > ch_data->bs_num_env + 1) {
--- a/libavcodec/aarch64/simple_idct_neon.S
+++ b/libavcodec/aarch64/simple_idct_neon.S
@ -61,37 +61,37 @@ endconst
        br              x10
 .endm

-.macro smull1 a b c
+.macro smull1 a, b, c
        smull           \a, \b, \c
 .endm

-.macro smlal1 a b c
+.macro smlal1 a, b, c
        smlal           \a, \b, \c
 .endm

-.macro smlsl1 a b c
+.macro smlsl1 a, b, c
        smlsl           \a, \b, \c
 .endm

-.macro idct_col4_top y1 y2 y3 y4 i l
-        smull\i         v7.4S,  \y3\().\l, z2
-        smull\i         v16.4S, \y3\().\l, z6
-        smull\i         v17.4S, \y2\().\l, z1
+.macro idct_col4_top y1, y2, y3, y4, i, l
+        smull\i         v7.4S,  \y3\l, z2
+        smull\i         v16.4S, \y3\l, z6
+        smull\i         v17.4S, \y2\l, z1
        add             v19.4S, v23.4S, v7.4S
-        smull\i         v18.4S, \y2\().\l, z3
+        smull\i         v18.4S, \y2\l, z3
        add             v20.4S, v23.4S, v16.4S
-        smull\i         v5.4S,  \y2\().\l, z5
+        smull\i         v5.4S,  \y2\l, z5
        sub             v21.4S, v23.4S, v16.4S
-        smull\i         v6.4S,  \y2\().\l, z7
+        smull\i         v6.4S,  \y2\l, z7
        sub             v22.4S, v23.4S, v7.4S

-        smlal\i         v17.4S, \y4\().\l, z3
-        smlsl\i         v18.4S, \y4\().\l, z7
-        smlsl\i         v5.4S,  \y4\().\l, z1
-        smlsl\i         v6.4S,  \y4\().\l, z5
+        smlal\i         v17.4S, \y4\l, z3
+        smlsl\i         v18.4S, \y4\l, z7
+        smlsl\i         v5.4S,  \y4\l, z1
+        smlsl\i         v6.4S,  \y4\l, z5
 .endm

-.macro idct_row4_neon y1 y2 y3 y4 pass
+.macro idct_row4_neon y1, y2, y3, y4, pass
        ld1             {\y1\().2D-\y2\().2D}, [x2], #32
        movi            v23.4S, #1<<2, lsl #8
        orr             v5.16B, \y1\().16B, \y2\().16B
@ -101,7 +101,7 @@ endconst
        mov             x3, v5.D[1]
        smlal           v23.4S, \y1\().4H, z4

-        idct_col4_top   \y1 \y2 \y3 \y4 1 4H
+        idct_col4_top   \y1, \y2, \y3, \y4, 1, .4H

        cmp             x3, #0
        beq             \pass\()f
@ -153,7 +153,7 @@ endconst
        trn2            \y4\().4S, v17.4S, v19.4S
 .endm

-.macro declare_idct_col4_neon i l
+.macro declare_idct_col4_neon i, l
 function idct_col4_neon\i
        dup             v23.4H, z4c
 .if \i == 1
@ -164,14 +164,14 @@ function idct_col4_neon\i
 .endif
        smull           v23.4S, v23.4H, z4

-        idct_col4_top   v24 v25 v26 v27 \i \l
+        idct_col4_top   v24, v25, v26, v27, \i, \l

        mov             x4, v28.D[\i - 1]
        mov             x5, v29.D[\i - 1]
        cmp             x4, #0
        beq             1f

-        smull\i         v7.4S,  v28.\l, z4
+        smull\i         v7.4S,  v28\l,  z4
        add             v19.4S, v19.4S, v7.4S
        sub             v20.4S, v20.4S, v7.4S
        sub             v21.4S, v21.4S, v7.4S
@ -181,17 +181,17 @@ function idct_col4_neon\i
        cmp             x5, #0
        beq             2f

-        smlal\i         v17.4S, v29.\l, z5
-        smlsl\i         v18.4S, v29.\l, z1
-        smlal\i         v5.4S,  v29.\l, z7
-        smlal\i         v6.4S,  v29.\l, z3
+        smlal\i         v17.4S, v29\l, z5
+        smlsl\i         v18.4S, v29\l, z1
+        smlal\i         v5.4S,  v29\l, z7
+        smlal\i         v6.4S,  v29\l, z3

 2:      mov             x5, v31.D[\i - 1]
        cmp             x4, #0
        beq             3f

-        smull\i         v7.4S,  v30.\l, z6
-        smull\i         v16.4S, v30.\l, z2
+        smull\i         v7.4S,  v30\l, z6
+        smull\i         v16.4S, v30\l, z2
        add             v19.4S, v19.4S, v7.4S
        sub             v22.4S, v22.4S, v7.4S
        sub             v20.4S, v20.4S, v16.4S
@ -200,10 +200,10 @@ function idct_col4_neon\i
 3:      cmp             x5, #0
        beq             4f

-        smlal\i         v17.4S, v31.\l, z7
-        smlsl\i         v18.4S, v31.\l, z5
-        smlal\i         v5.4S,  v31.\l, z3
-        smlsl\i         v6.4S,  v31.\l, z1
+        smlal\i         v17.4S, v31\l, z7
+        smlsl\i         v18.4S, v31\l, z5
+        smlal\i         v5.4S,  v31\l, z3
+        smlsl\i         v6.4S,  v31\l, z1

 4:      addhn           v7.4H, v19.4S, v17.4S
        addhn2          v7.8H, v20.4S, v18.4S
@ -219,14 +219,14 @@ function idct_col4_neon\i
 endfunc
 .endm

-declare_idct_col4_neon 1 4H
-declare_idct_col4_neon 2 8H
+declare_idct_col4_neon 1, .4H
+declare_idct_col4_neon 2, .8H

 function ff_simple_idct_put_neon, export=1
        idct_start      x2

-        idct_row4_neon  v24 v25 v26 v27 1
-        idct_row4_neon  v28 v29 v30 v31 2
+        idct_row4_neon  v24, v25, v26, v27, 1
+        idct_row4_neon  v28, v29, v30, v31, 2
        bl              idct_col4_neon1

        sqshrun         v1.8B,  v7.8H, #COL_SHIFT-16
@ -263,8 +263,8 @@ endfunc
 function ff_simple_idct_add_neon, export=1
        idct_start      x2

-        idct_row4_neon  v24 v25 v26 v27 1
-        idct_row4_neon  v28 v29 v30 v31 2
+        idct_row4_neon  v24, v25, v26, v27, 1
+        idct_row4_neon  v28, v29, v30, v31, 2
        bl              idct_col4_neon1

        sshr            v1.8H, V7.8H, #COL_SHIFT-16
@ -328,8 +328,8 @@ function ff_simple_idct_neon, export=1
        idct_start      x0

        mov             x2,  x0
-        idct_row4_neon  v24 v25 v26 v27 1
-        idct_row4_neon  v28 v29 v30 v31 2
+        idct_row4_neon  v24, v25, v26, v27, 1
+        idct_row4_neon  v28, v29, v30, v31, 2
        add             x2, x2, #-128
        bl              idct_col4_neon1

--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@ -761,30 +761,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s)
 * @param[in] default_band_struct default band structure table
 * @param[out] num_bands number of bands (optionally NULL)
 * @param[out] band_sizes array containing the number of bins in each band (optionally NULL)
+ * @param[in,out] band_struct current band structure
 */
 static void decode_band_structure(GetBitContext *gbc, int blk, int eac3,
                                  int ecpl, int start_subband, int end_subband,
                                  const uint8_t *default_band_struct,
-                                  int *num_bands, uint8_t *band_sizes)
+                                  int *num_bands, uint8_t *band_sizes,
+                                  uint8_t *band_struct, int band_struct_size)
 {
    int subbnd, bnd, n_subbands, n_bands=0;
    uint8_t bnd_sz[22];
-    uint8_t coded_band_struct[22];
-    const uint8_t *band_struct;

    n_subbands = end_subband - start_subband;

+    if (!blk)
+        memcpy(band_struct, default_band_struct, band_struct_size);
+
+    av_assert0(band_struct_size >= start_subband + n_subbands);
+
+    band_struct += start_subband + 1;
+
    /* decode band structure from bitstream or use default */
    if (!eac3 || get_bits1(gbc)) {
        for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) {
-            coded_band_struct[subbnd] = get_bits1(gbc);
+            band_struct[subbnd] = get_bits1(gbc);
        }
-        band_struct = coded_band_struct;
-    } else if (!blk) {
-        band_struct = &default_band_struct[start_subband+1];
-    } else {
-        /* no change in band structure */
-        return;
    }

    /* calculate number of bands and band sizes based on band structure.
@ -863,7 +864,8 @@ static inline int spx_strategy(AC3DecodeContext *s, int blk)
                          start_subband, end_subband,
                          ff_eac3_default_spx_band_struct,
                          &s->num_spx_bands,
-                          s->spx_band_sizes);
+                          s->spx_band_sizes,
+                          s->spx_band_struct, sizeof(s->spx_band_struct));
    return 0;
 }

@ -1000,7 +1002,8 @@ static inline int coupling_strategy(AC3DecodeContext *s, int blk,
        decode_band_structure(bc, blk, s->eac3, 0, cpl_start_subband,
                              cpl_end_subband,
                              ff_eac3_default_cpl_band_struct,
-                              &s->num_cpl_bands, s->cpl_band_sizes);
+                              &s->num_cpl_bands, s->cpl_band_sizes,
+                              s->cpl_band_struct, sizeof(s->cpl_band_struct));
    } else {
        /* coupling not in use */
        for (ch = 1; ch <= fbw_channels; ch++) {
@ -1386,7 +1389,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
    for (ch = 1; ch <= s->channels; ch++) {
        int audio_channel = 0;
        INTFLOAT gain;
-        if (s->channel_mode == AC3_CHMODE_DUALMONO)
+        if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2)
            audio_channel = 2-ch;
        if (s->heavy_compression && s->compression_exists[audio_channel])
            gain = s->heavy_dynamic_range[audio_channel];
--- a/libavcodec/ac3dec.h
+++ b/libavcodec/ac3dec.h
@ -128,6 +128,7 @@ typedef struct AC3DecodeContext {
    int phase_flags_in_use;                 ///< phase flags in use                     (phsflginu)
    int phase_flags[AC3_MAX_CPL_BANDS];     ///< phase flags                            (phsflg)
    int num_cpl_bands;                      ///< number of coupling bands               (ncplbnd)
+    uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS];
    uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band
    int firstchincpl;                       ///< first channel in coupling
    int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states      (firstcplcos)
@ -144,6 +145,7 @@ typedef struct AC3DecodeContext {
    int spx_dst_start_freq;                     ///< spx starting frequency bin for copying (copystartmant)
                                                ///< the copy region ends at the start of the spx region.
    int num_spx_bands;                          ///< number of spx bands                    (nspxbnds)
+    uint8_t spx_band_struct[SPX_MAX_BANDS];
    uint8_t spx_band_sizes[SPX_MAX_BANDS];      ///< number of bins in each spx band
    uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states           (firstspxcos)
    INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor  (nblendfact)
--- a/libavcodec/ac3dec_fixed.c
+++ b/libavcodec/ac3dec_fixed.c
@ -64,12 +64,12 @@ static void scale_coefs (
    int dynrng,
    int len)
 {
-    int i, shift, round;
-    int16_t mul;
+    int i, shift;
+    unsigned mul, round;
    int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7;

    mul = (dynrng & 0x1f) + 0x20;
-    shift = 4 - ((dynrng << 23) >> 28);
+    shift = 4 - (sign_extend(dynrng, 9) >> 5);
    if (shift > 0 ) {
      round = 1 << (shift-1);
      for (i=0; i<len; i+=8) {
--- a/libavcodec/ac3enc.c
+++ b/libavcodec/ac3enc.c
@ -1065,7 +1065,7 @@ static int bit_alloc(AC3EncodeContext *s, int snr_offset)
 {
    int blk, ch;

-    snr_offset = (snr_offset - 240) << 2;
+    snr_offset = (snr_offset - 240) * 4;

    reset_block_bap(s);
    for (blk = 0; blk < s->num_blocks; blk++) {
--- a/libavcodec/acelp_pitch_delay.c
+++ b/libavcodec/acelp_pitch_delay.c
@ -135,7 +135,7 @@ float ff_amr_set_fixed_gain(float fixed_gain_factor, float fixed_mean_energy,
        ff_exp10(0.05 *
              (avpriv_scalarproduct_float_c(pred_table, prediction_error, 4) +
               energy_mean)) /
-        sqrtf(fixed_mean_energy);
+        sqrtf(fixed_mean_energy ? fixed_mean_energy : 1.0);

    // update quantified prediction error energy history
    memmove(&prediction_error[0], &prediction_error[1],
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@ -1182,8 +1182,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,

            for (count2 = 0; count2 < 28; count2++) {
                byte = bytestream2_get_byteu(&gb);
-                next_left_sample  = sign_extend(byte >> 4, 4) << shift_left;
-                next_right_sample = sign_extend(byte,      4) << shift_right;
+                next_left_sample  = sign_extend(byte >> 4, 4) * (1 << shift_left);
+                next_right_sample = sign_extend(byte,      4) * (1 << shift_right);

                next_left_sample = (next_left_sample +
                    (current_left_sample * coeff1l) +
@ -1222,7 +1222,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
            if (st) byte[1] = bytestream2_get_byteu(&gb);
            for(i = 4; i >= 0; i-=4) { /* Pairwise samples LL RR (st) or LL LL (mono) */
                for(channel = 0; channel < avctx->channels; channel++) {
-                    int sample = sign_extend(byte[channel] >> i, 4) << shift[channel];
+                    int sample = sign_extend(byte[channel] >> i, 4) * (1 << shift[channel]);
                    sample = (sample +
                             c->status[channel].sample1 * coeff[channel][0] +
                             c->status[channel].sample2 * coeff[channel][1] + 0x80) >> 8;
@ -1337,11 +1337,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                    int level, pred;
                    int byte = bytestream2_get_byteu(&gb);

-                    level = sign_extend(byte >> 4, 4) << shift[n];
+                    level = sign_extend(byte >> 4, 4) * (1 << shift[n]);
                    pred  = s[-1] * coeff[0][n] + s[-2] * coeff[1][n];
                    s[0]  = av_clip_int16((level + pred + 0x80) >> 8);

-                    level = sign_extend(byte, 4) << shift[n];
+                    level = sign_extend(byte, 4) * (1 << shift[n]);
                    pred  = s[0] * coeff[0][n] + s[-1] * coeff[1][n];
                    s[1]  = av_clip_int16((level + pred + 0x80) >> 8);
                }
@ -1498,8 +1498,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                        sampledat = sign_extend(byte >> 4, 4);
                    }

-                    sampledat = ((prev1 * factor1 + prev2 * factor2) +
-                                 ((sampledat * scale) << 11)) >> 11;
+                    sampledat = ((prev1 * factor1 + prev2 * factor2) >> 11) +
+                                sampledat * scale;
                    *samples = av_clip_int16(sampledat);
                    prev2 = prev1;
                    prev1 = *samples++;
@ -1576,7 +1576,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                    }

                    sampledat = ((c->status[ch].sample1 * factor1
-                                + c->status[ch].sample2 * factor2) >> 11) + (sampledat << exp);
+                                + c->status[ch].sample2 * factor2) >> 11) + sampledat * (1 << exp);
                    *samples = av_clip_int16(sampledat);
                    c->status[ch].sample2 = c->status[ch].sample1;
                    c->status[ch].sample1 = *samples++;
--- a/libavcodec/adxenc.c
+++ b/libavcodec/adxenc.c
@ -48,7 +48,7 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav,
    s2 = prev->s2;
    for (i = 0, j = 0; j < 32; i += channels, j++) {
        s0 = wav[i];
-        d = ((s0 << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS;
+        d = s0 + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS);
        if (max < d)
            max = d;
        if (min > d)
@ -79,13 +79,13 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav,
    s1 = prev->s1;
    s2 = prev->s2;
    for (i = 0, j = 0; j < 32; i += channels, j++) {
-        d = ((wav[i] << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS;
+        d = wav[i] + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS);

        d = av_clip_intp2(ROUNDED_DIV(d, scale), 3);

        put_sbits(&pb, 4, d);

-        s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS;
+        s0 = d * scale + ((c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS);
        s2 = s1;
        s1 = s0;
    }
--- a/libavcodec/amrwbdec.c
+++ b/libavcodec/amrwbdec.c
@ -611,7 +611,7 @@ static float voice_factor(float *p_vector, float p_gain,
                                                          AMRWB_SFR_SIZE) *
                    f_gain * f_gain;

-    return (p_ener - f_ener) / (p_ener + f_ener);
+    return (p_ener - f_ener) / (p_ener + f_ener + 0.01);
 }

 /**
@ -862,15 +862,20 @@ static float find_hb_gain(AMRWBContext *ctx, const float *synth,
 {
    int wsp = (vad > 0);
    float tilt;
+    float tmp;

    if (ctx->fr_cur_mode == MODE_23k85)
        return qua_hb_gain[hb_idx] * (1.0f / (1 << 14));

-    tilt = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1) /
-           ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE);
+    tmp = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1);
+
+    if (tmp > 0) {
+        tilt = tmp / ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE);
+    } else
+        tilt = 0;

    /* return gain bounded by [0.1, 1.0] */
-    return av_clipf((1.0 - FFMAX(0.0, tilt)) * (1.25 - 0.25 * wsp), 0.1, 1.0);
+    return av_clipf((1.0 - tilt) * (1.25 - 0.25 * wsp), 0.1, 1.0);
 }

 /**
--- a/libavcodec/ansi.c
+++ b/libavcodec/ansi.c
@ -80,10 +80,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
    AnsiContext *s = avctx->priv_data;
    avctx->pix_fmt = AV_PIX_FMT_PAL8;

-    s->frame = av_frame_alloc();
-    if (!s->frame)
-        return AVERROR(ENOMEM);
-
    /* defaults */
    s->font        = avpriv_vga16_font;
    s->font_height = 16;
@ -98,6 +94,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
        av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height);
        return AVERROR(EINVAL);
    }
+
+    s->frame = av_frame_alloc();
+    if (!s->frame)
+        return AVERROR(ENOMEM);
+
    return 0;
 }

--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@ -1412,6 +1412,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
    int32_t *sample24;
    int i, ch, ret;
    int blockstodecode;
+    uint64_t decoded_buffer_size;

    /* this should never be negative, but bad things will happen if it is, so
       check it just to make sure. */
@ -1467,7 +1468,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
                skip_bits_long(&s->gb, offset);
        }

-        if (!nblocks || nblocks > INT_MAX) {
+        if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) {
            av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n",
                   nblocks);
            return AVERROR_INVALIDDATA;
@ -1493,8 +1494,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
        blockstodecode = s->samples;

    /* reallocate decoded sample buffer if needed */
-    av_fast_malloc(&s->decoded_buffer, &s->decoded_size,
-                   2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer));
+    decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer);
+    av_assert0(decoded_buffer_size <= INT_MAX);
+    av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size);
    if (!s->decoded_buffer)
        return AVERROR(ENOMEM);
    memset(s->decoded_buffer, 0, s->decoded_size);
--- a/libavcodec/arm/sbrdsp_neon.S
+++ b/libavcodec/arm/sbrdsp_neon.S
@ -336,11 +336,11 @@ function ff_sbr_hf_apply_noise_0_neon, export=1
        vld1.32         {d0},     [r0,:64]
        vld1.32         {d6},     [lr,:64]
        vld1.32         {d2[]},   [r1,:32]!
-        vld1.32         {d3[]},   [r2,:32]!
+        vld1.32         {d18[]},  [r2,:32]!
        vceq.f32        d4,  d2,  #0
        veor            d2,  d2,  d3
        vmov            d1,  d0
-        vmla.f32        d0,  d6,  d3
+        vmla.f32        d0,  d6,  d18
        vadd.f32        s2,  s2,  s4
        vbif            d0,  d1,  d4
        vst1.32         {d0},     [r0,:64]!
--- a/libavcodec/avcodec.h
+++ b/libavcodec/avcodec.h
@ -1583,6 +1583,16 @@ enum AVPacketSideDataType {
     * to the AVSphericalMapping structure.
     */
    AV_PKT_DATA_SPHERICAL,
+
+    /**
+     * The number of side data elements (in fact a bit more than it).
+     * This is not part of the public API/ABI in the sense that it may
+     * change when new side data types are added.
+     * This must stay the last enum value.
+     * If its value becomes huge, some code using it
+     * needs to be updated as it assumes it to be smaller than other limits.
+     */
+    AV_PKT_DATA_NB
 };

 #define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@ -296,9 +296,20 @@ int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type,
                            uint8_t *data, size_t size)
 {
    AVPacketSideData *tmp;
-    int elems = pkt->side_data_elems;
+    int i, elems = pkt->side_data_elems;

-    if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data))
+    for (i = 0; i < elems; i++) {
+        AVPacketSideData *sd = &pkt->side_data[i];
+
+        if (sd->type == type) {
+            av_free(sd->data);
+            sd->data = data;
+            sd->size = size;
+            return 0;
+        }
+    }
+
+    if ((unsigned)elems + 1 > AV_PKT_DATA_NB)
        return AVERROR(ERANGE);

    tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp));
@ -436,6 +447,9 @@ int av_packet_split_side_data(AVPacket *pkt){
            p-= size+5;
        }

+        if (i > AV_PKT_DATA_NB)
+            return AVERROR(ERANGE);
+
        pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data));
        if (!pkt->side_data)
            return AVERROR(ENOMEM);
--- a/libavcodec/bintext.c
+++ b/libavcodec/bintext.c
@ -35,6 +35,8 @@
 #include "bintext.h"
 #include "internal.h"

+#define FONT_WIDTH 8
+
 typedef struct XbinContext {
    AVFrame *frame;
    int palette[16];
@ -91,6 +93,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
            break;
        }
    }
+    if (avctx->width < FONT_WIDTH || avctx->height < s->font_height)
+        return AVERROR_INVALIDDATA;
+

    s->frame = av_frame_alloc();
    if (!s->frame)
@ -113,8 +118,6 @@ av_unused static void hscroll(AVCodecContext *avctx)
    }
 }

-#define FONT_WIDTH 8
-
 /**
 * Draw character to screen
 */
--- a/libavcodec/bitstream.c
+++ b/libavcodec/bitstream.c
@ -162,9 +162,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
    uint32_t code;
    volatile VLC_TYPE (* volatile table)[2]; // the double volatile is needed to prevent an internal compiler error in gcc 4.2

-    table_size = 1 << table_nb_bits;
    if (table_nb_bits > 30)
       return -1;
+    table_size = 1 << table_nb_bits;
    table_index = alloc_table(vlc, table_size, flags & INIT_VLC_USE_NEW_STATIC);
    ff_dlog(NULL, "new table index=%d size=%d\n", table_index, table_size);
    if (table_index < 0)
--- a/libavcodec/bitstream_filters.c
+++ b/libavcodec/bitstream_filters.c
@ -59,6 +59,9 @@ const AVBitStreamFilter *av_bsf_get_by_name(const char *name)
 {
    int i;

+    if (!name)
+        return NULL;
+
    for (i = 0; bitstream_filters[i]; i++) {
        const AVBitStreamFilter *f = bitstream_filters[i];
        if (!strcmp(f->name, name))
--- a/libavcodec/bmp.c
+++ b/libavcodec/bmp.c
@ -133,8 +133,11 @@ static int bmp_decode_frame(AVCodecContext *avctx,
        alpha = bytestream_get_le32(&buf);
    }

-    avctx->width  = width;
-    avctx->height = height > 0 ? height : -(unsigned)height;
+    ret = ff_set_dimensions(avctx, width, height > 0 ? height : -(unsigned)height);
+    if (ret < 0) {
+        av_log(avctx, AV_LOG_ERROR, "Failed to set dimensions %d %d\n", width, height);
+        return AVERROR_INVALIDDATA;
+    }

    avctx->pix_fmt = AV_PIX_FMT_NONE;

--- a/libavcodec/bmvvideo.c
+++ b/libavcodec/bmvvideo.c
@ -107,7 +107,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
                    if (src < source || src >= source_end)
                        return AVERROR_INVALIDDATA;
                    shift += 2;
-                    val |= *src << shift;
+                    val |= (unsigned)*src << shift;
                    if (*src & 0xC)
                        break;
                }
--- a/libavcodec/cavs.c
+++ b/libavcodec/cavs.c
@ -537,8 +537,7 @@ void ff_cavs_inter(AVSContext *h, enum cavs_mb mb_type)
 static inline void scale_mv(AVSContext *h, int *d_x, int *d_y,
                            cavs_vector *src, int distp)
 {
-    int den = h->scale_den[FFMAX(src->ref, 0)];
-
+    int64_t den = h->scale_den[FFMAX(src->ref, 0)];
    *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9;
    *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9;
 }
@ -613,8 +612,15 @@ void ff_cavs_mv(AVSContext *h, enum cavs_mv_loc nP, enum cavs_mv_loc nC,
        mv_pred_median(h, mvP, mvA, mvB, mvC);

    if (mode < MV_PRED_PSKIP) {
-        mvP->x += get_se_golomb(&h->gb);
-        mvP->y += get_se_golomb(&h->gb);
+        int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x;
+        int my = get_se_golomb(&h->gb) + (unsigned)mvP->y;
+
+        if (mx != (int16_t)mx || my != (int16_t)my) {
+            av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my);
+        } else {
+            mvP->x = mx;
+            mvP->y = my;
+        }
    }
    set_mvs(mvP, size);
 }
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@ -465,7 +465,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw,
                                  cavs_vector *col_mv)
 {
    cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS;
-    int den = h->direct_den[col_mv->ref];
+    unsigned den = h->direct_den[col_mv->ref];
    int m = FF_SIGNBIT(col_mv->x);

    pmv_fw->dist = h->dist[1];
@ -591,14 +591,21 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
 }


-static inline void decode_residual_chroma(AVSContext *h)
+static inline int decode_residual_chroma(AVSContext *h)
 {
-    if (h->cbp & (1 << 4))
-        decode_residual_block(h, &h->gb, chroma_dec, 0,
+    if (h->cbp & (1 << 4)) {
+        int ret = decode_residual_block(h, &h->gb, chroma_dec, 0,
                              ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride);
-    if (h->cbp & (1 << 5))
-        decode_residual_block(h, &h->gb, chroma_dec, 0,
+        if (ret < 0)
+            return ret;
+    }
+    if (h->cbp & (1 << 5)) {
+        int ret = decode_residual_block(h, &h->gb, chroma_dec, 0,
                              ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride);
+        if (ret < 0)
+            return ret;
+    }
+    return 0;
 }

 static inline int decode_residual_inter(AVSContext *h)
@ -615,7 +622,7 @@ static inline int decode_residual_inter(AVSContext *h)

    /* get quantizer */
    if (h->cbp && !h->qp_fixed)
-        h->qp = (h->qp + get_se_golomb(&h->gb)) & 63;
+        h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63;
    for (block = 0; block < 4; block++)
        if (h->cbp & (1 << block))
            decode_residual_block(h, &h->gb, inter_dec, 0, h->qp,
@ -649,6 +656,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
    uint8_t top[18];
    uint8_t *left = NULL;
    uint8_t *d;
+    int ret;

    ff_cavs_init_mb(h);

@ -692,8 +700,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
        ff_cavs_load_intra_pred_luma(h, top, &left, block);
        h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]]
            (d, top, left, h->l_stride);
-        if (h->cbp & (1<<block))
-            decode_residual_block(h, gb, intra_dec, 1, h->qp, d, h->l_stride);
+        if (h->cbp & (1<<block)) {
+            ret = decode_residual_block(h, gb, intra_dec, 1, h->qp, d, h->l_stride);
+            if (ret < 0)
+                return ret;
+        }
    }

    /* chroma intra prediction */
@ -703,7 +714,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
    h->intra_pred_c[pred_mode_uv](h->cv, &h->top_border_v[h->mbx * 10],
                                  h->left_border_v, h->c_stride);

-    decode_residual_chroma(h);
+    ret = decode_residual_chroma(h);
+    if (ret < 0)
+        return ret;
    ff_cavs_filter(h, I_8X8);
    set_mv_intra(h);
    return 0;
@ -1031,6 +1044,10 @@ static int decode_pic(AVSContext *h)
    h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0;
    if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) {
        h->sym_factor = h->dist[0] * h->scale_den[1];
+        if (FFABS(h->sym_factor) > 32768) {
+            av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor);
+            return AVERROR_INVALIDDATA;
+        }
    } else {
        h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0;
        h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0;
@ -1063,6 +1080,11 @@ static int decode_pic(AVSContext *h)
    if (!h->loop_filter_disable && get_bits1(&h->gb)) {
        h->alpha_offset        = get_se_golomb(&h->gb);
        h->beta_offset         = get_se_golomb(&h->gb);
+        if (   h->alpha_offset < -64 || h->alpha_offset > 64
+            || h-> beta_offset < -64 || h-> beta_offset > 64) {
+            h->alpha_offset = h->beta_offset  = 0;
+            return AVERROR_INVALIDDATA;
+        }
    } else {
        h->alpha_offset = h->beta_offset  = 0;
    }
--- a/libavcodec/cavsdsp.c
+++ b/libavcodec/cavsdsp.c
@ -201,20 +201,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride)
    src[0][0] += 8;

    for( i = 0; i < 8; i++ ) {
-        const int a0 =  3*src[i][1] - (src[i][7]<<1);
-        const int a1 =  3*src[i][3] + (src[i][5]<<1);
-        const int a2 =  (src[i][3]<<1) - 3*src[i][5];
-        const int a3 =  (src[i][1]<<1) + 3*src[i][7];
+        const int a0 = 3 * src[i][1] - 2 * src[i][7];
+        const int a1 = 3 * src[i][3] + 2 * src[i][5];
+        const int a2 = 2 * src[i][3] - 3 * src[i][5];
+        const int a3 = 2 * src[i][1] + 3 * src[i][7];

-        const int b4 = ((a0 + a1 + a3)<<1) + a1;
-        const int b5 = ((a0 - a1 + a2)<<1) + a0;
-        const int b6 = ((a3 - a2 - a1)<<1) + a3;
-        const int b7 = ((a0 - a2 - a3)<<1) - a2;
+        const int b4 = 2 * (a0 + a1 + a3) + a1;
+        const int b5 = 2 * (a0 - a1 + a2) + a0;
+        const int b6 = 2 * (a3 - a2 - a1) + a3;
+        const int b7 = 2 * (a0 - a2 - a3) - a2;

-        const int a7 = (src[i][2]<<2) - 10*src[i][6];
-        const int a6 = (src[i][6]<<2) + 10*src[i][2];
-        const int a5 = ((src[i][0] - src[i][4]) << 3) + 4;
-        const int a4 = ((src[i][0] + src[i][4]) << 3) + 4;
+        const int a7 = 4 * src[i][2] - 10 * src[i][6];
+        const int a6 = 4 * src[i][6] + 10 * src[i][2];
+        const int a5 = 8 * (src[i][0] - src[i][4]) + 4;
+        const int a4 = 8 * (src[i][0] + src[i][4]) + 4;

        const int b0 = a4 + a6;
        const int b1 = a5 + a7;
@ -231,20 +231,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride)
        src[i][7] = (b0 - b4) >> 3;
    }
    for( i = 0; i < 8; i++ ) {
-        const int a0 =  3*src[1][i] - (src[7][i]<<1);
-        const int a1 =  3*src[3][i] + (src[5][i]<<1);
-        const int a2 =  (src[3][i]<<1) - 3*src[5][i];
-        const int a3 =  (src[1][i]<<1) + 3*src[7][i];
+        const int a0 = 3 * src[1][i] - 2 * src[7][i];
+        const int a1 = 3 * src[3][i] + 2 * src[5][i];
+        const int a2 = 2 * src[3][i] - 3 * src[5][i];
+        const int a3 = 2 * src[1][i] + 3 * src[7][i];

-        const int b4 = ((a0 + a1 + a3)<<1) + a1;
-        const int b5 = ((a0 - a1 + a2)<<1) + a0;
-        const int b6 = ((a3 - a2 - a1)<<1) + a3;
-        const int b7 = ((a0 - a2 - a3)<<1) - a2;
+        const int b4 = 2 * (a0 + a1 + a3) + a1;
+        const int b5 = 2 * (a0 - a1 + a2) + a0;
+        const int b6 = 2 * (a3 - a2 - a1) + a3;
+        const int b7 = 2 * (a0 - a2 - a3) - a2;

-        const int a7 = (src[2][i]<<2) - 10*src[6][i];
-        const int a6 = (src[6][i]<<2) + 10*src[2][i];
-        const int a5 = (src[0][i] - src[4][i]) << 3;
-        const int a4 = (src[0][i] + src[4][i]) << 3;
+        const int a7 = 4 * src[2][i] - 10 * src[6][i];
+        const int a6 = 4 * src[6][i] + 10 * src[2][i];
+        const int a5 = 8 * (src[0][i] - src[4][i]);
+        const int a4 = 8 * (src[0][i] + src[4][i]);

        const int b0 = a4 + a6;
        const int b1 = a5 + a7;
--- a/libavcodec/cdxl.c
+++ b/libavcodec/cdxl.c
@ -275,11 +275,11 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data,
    else
        aligned_width = FFALIGN(c->avctx->width, 16);
    c->padded_bits  = aligned_width - c->avctx->width;
-    if (c->video_size < aligned_width * avctx->height * c->bpp / 8)
+    if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8)
        return AVERROR_INVALIDDATA;
-    if (!encoding && c->palette_size && c->bpp <= 8) {
+    if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) {
        avctx->pix_fmt = AV_PIX_FMT_PAL8;
-    } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) {
+    } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) {
        if (c->palette_size != (1 << (c->bpp - 1)))
            return AVERROR_INVALIDDATA;
        avctx->pix_fmt = AV_PIX_FMT_BGR24;
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@ -258,6 +258,11 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
            s->coded_height = data;
        } else if (tag == 101) {
            av_log(avctx, AV_LOG_DEBUG, "Bits per component: %"PRIu16"\n", data);
+            if (data < 1 || data > 31) {
+                av_log(avctx, AV_LOG_ERROR, "Bits per component %d is invalid\n", data);
+                ret = AVERROR(EINVAL);
+                break;
+            }
            s->bpc = data;
        } else if (tag == 12) {
            av_log(avctx, AV_LOG_DEBUG, "Channel Count: %"PRIu16"\n", data);
@ -317,22 +322,22 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
            s->prescale_shift[2] = (data >> 6) & 0x7;
            av_log(avctx, AV_LOG_DEBUG, "Prescale shift (VC-5): %x\n", data);
        } else if (tag == 27) {
-            s->plane[s->channel_num].band[0][0].width  = data;
-            s->plane[s->channel_num].band[0][0].stride = data;
            av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data);
            if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) {
                av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n");
                ret = AVERROR(EINVAL);
                break;
            }
+            s->plane[s->channel_num].band[0][0].width  = data;
+            s->plane[s->channel_num].band[0][0].stride = data;
        } else if (tag == 28) {
-            s->plane[s->channel_num].band[0][0].height = data;
            av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data);
-            if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) {
+            if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_height) {
                av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n");
                ret = AVERROR(EINVAL);
                break;
            }
+            s->plane[s->channel_num].band[0][0].height = data;
        } else if (tag == 1)
            av_log(avctx, AV_LOG_DEBUG, "Sample type? %"PRIu16"\n", data);
        else if (tag == 10) {
@ -363,39 +368,39 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
                av_log(avctx, AV_LOG_DEBUG, "Tag/Value = %x %x\n", tag2, val2);
            }
        } else if (tag == 41) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
-            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
            av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num);
            if (data < 3) {
                av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n");
                ret = AVERROR(EINVAL);
                break;
            }
+            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
+            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
        } else if (tag == 42) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
            av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data);
            if (data < 3) {
                av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n");
                ret = AVERROR(EINVAL);
                break;
            }
+            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
        } else if (tag == 49) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
-            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
            av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data);
            if (data < 3) {
                av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n");
                ret = AVERROR(EINVAL);
                break;
            }
+            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
+            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
        } else if (tag == 50) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
            av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data);
            if (data < 3) {
                av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n");
                ret = AVERROR(EINVAL);
                break;
            }
+            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
        } else if (tag == 71) {
            s->codebook = data;
            av_log(avctx, AV_LOG_DEBUG, "Codebook %i\n", s->codebook);
@ -404,12 +409,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
            av_log(avctx, AV_LOG_DEBUG, "Other codebook? %i\n", s->codebook);
        } else if (tag == 70) {
            av_log(avctx, AV_LOG_DEBUG, "Subsampling or bit-depth flag? %i\n", data);
-            s->bpc = data;
-            if (!(s->bpc == 10 || s->bpc == 12)) {
+            if (!(data == 10 || data == 12)) {
                av_log(avctx, AV_LOG_ERROR, "Invalid bits per channel\n");
                ret = AVERROR(EINVAL);
                break;
            }
+            s->bpc = data;
        } else if (tag == 84) {
            av_log(avctx, AV_LOG_DEBUG, "Sample format? %i\n", data);
            if (data == 1)
@ -501,7 +506,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
            int highpass_a_width = s->plane[s->channel_num].band[s->level][s->subband_num].a_width;
            int highpass_a_height = s->plane[s->channel_num].band[s->level][s->subband_num].a_height;
            int highpass_stride = s->plane[s->channel_num].band[s->level][s->subband_num].stride;
-            int expected = highpass_height * highpass_stride;
+            int expected;
            int a_expected = highpass_a_height * highpass_a_width;
            int level, run, coeff;
            int count = 0, bytes;
@ -512,11 +517,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
                goto end;
            }

-            if (highpass_height > highpass_a_height || highpass_width > highpass_a_width || a_expected < expected) {
+            if (highpass_height > highpass_a_height || highpass_width > highpass_a_width || a_expected < highpass_height * (uint64_t)highpass_stride) {
                av_log(avctx, AV_LOG_ERROR, "Too many highpass coefficients\n");
                ret = AVERROR(EINVAL);
                goto end;
            }
+            expected = highpass_height * highpass_stride;

            av_log(avctx, AV_LOG_DEBUG, "Start subband coeffs plane %i level %i codebook %i expected %i\n", s->channel_num, s->level, s->codebook, expected);

@ -657,7 +663,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
            output = s->plane[plane].subband[0];
            for (i = 0; i < lowpass_height * 2; i++) {
                for (j = 0; j < lowpass_width * 2; j++)
-                    output[j] <<= 2;
+                    output[j] *= 4;

                output += lowpass_width * 2;
            }
@ -710,7 +716,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
        output = s->plane[plane].subband[0];
        for (i = 0; i < lowpass_height * 2; i++) {
            for (j = 0; j < lowpass_width * 2; j++)
-                output[j] <<= 2;
+                output[j] *= 4;

            output += lowpass_width * 2;
        }
--- a/libavcodec/cinepak.c
+++ b/libavcodec/cinepak.c
@ -315,17 +315,11 @@ static int cinepak_decode_strip (CinepakContext *s,
    return AVERROR_INVALIDDATA;
 }

-static int cinepak_decode (CinepakContext *s)
+static int cinepak_predecode_check (CinepakContext *s)
 {
-    const uint8_t  *eod = (s->data + s->size);
-    int           i, result, strip_size, frame_flags, num_strips;
-    int           y0 = 0;
+    int           num_strips;
    int           encoded_buf_size;

-    if (s->size < 10)
-        return AVERROR_INVALIDDATA;
-
-    frame_flags = s->data[0];
    num_strips  = AV_RB16 (&s->data[8]);
    encoded_buf_size = AV_RB24(&s->data[1]);

@ -356,6 +350,21 @@ static int cinepak_decode (CinepakContext *s)
            s->sega_film_skip_bytes = 0;
    }

+    if (s->size < 10 + s->sega_film_skip_bytes + num_strips * 12)
+        return AVERROR_INVALIDDATA;
+
+    return 0;
+}
+
+static int cinepak_decode (CinepakContext *s)
+{
+    const uint8_t  *eod = (s->data + s->size);
+    int           i, result, strip_size, frame_flags, num_strips;
+    int           y0 = 0;
+
+    frame_flags = s->data[0];
+    num_strips  = AV_RB16 (&s->data[8]);
+
    s->data += 10 + s->sega_film_skip_bytes;

    num_strips = FFMIN(num_strips, MAX_STRIPS);
@ -435,10 +444,25 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
    const uint8_t *buf = avpkt->data;
    int ret = 0, buf_size = avpkt->size;
    CinepakContext *s = avctx->priv_data;
+    int num_strips;

    s->data = buf;
    s->size = buf_size;

+    if (s->size < 10)
+        return AVERROR_INVALIDDATA;
+
+    num_strips = AV_RB16 (&s->data[8]);
+
+    //Empty frame, do not waste time
+    if (!num_strips && (!s->palette_video || !av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL)))
+        return buf_size;
+
+    if ((ret = cinepak_predecode_check(s)) < 0) {
+        av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n");
+        return ret;
+    }
+
    if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
        return ret;

--- a/libavcodec/clearvideo.c
+++ b/libavcodec/clearvideo.c
@ -185,8 +185,8 @@ static inline int decode_block(CLVContext *ctx, int16_t *blk, int has_ac,
    const int t3 = OP( 2408 * blk[5 * step] - 1609 * blk[3 * step]);    \
    const int t4 = OP( 1108 * blk[2 * step] - 2676 * blk[6 * step]);    \
    const int t5 = OP( 2676 * blk[2 * step] + 1108 * blk[6 * step]);    \
-    const int t6 = ((blk[0 * step] + blk[4 * step]) << dshift) + bias;  \
-    const int t7 = ((blk[0 * step] - blk[4 * step]) << dshift) + bias;  \
+    const int t6 = ((blk[0 * step] + blk[4 * step]) * (1 << dshift)) + bias;  \
+    const int t7 = ((blk[0 * step] - blk[4 * step]) * (1 << dshift)) + bias;  \
    const int t8 = t0 + t2;                                             \
    const int t9 = t0 - t2;                                             \
    const int tA = 181 * (t9 + (t1 - t3)) + 0x80 >> 8;                  \
@ -297,6 +297,11 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
    c->pic->pict_type = frame_type & 0x20 ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P;

    if (frame_type & 0x2) {
+        if (buf_size < c->mb_width * c->mb_height) {
+            av_log(avctx, AV_LOG_ERROR, "Packet too small\n");
+            return AVERROR_INVALIDDATA;
+        }
+
        bytestream2_get_be32(&gb); // frame size;
        c->ac_quant        = bytestream2_get_byte(&gb);
        c->luma_dc_quant   = 32;
--- a/libavcodec/cllc.c
+++ b/libavcodec/cllc.c
@ -29,6 +29,10 @@
 #include "avcodec.h"
 #include "internal.h"

+#define VLC_BITS 7
+#define VLC_DEPTH 2
+
+
 typedef struct CLLCContext {
    AVCodecContext *avctx;
    BswapDSPContext bdsp;
@ -51,6 +55,13 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc)

    num_lens = get_bits(gb, 5);

+    if (num_lens > VLC_BITS * VLC_DEPTH) {
+        vlc->table = NULL;
+
+        av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens);
+        return AVERROR_INVALIDDATA;
+    }
+
    for (i = 0; i < num_lens; i++) {
        num_codes      = get_bits(gb, 9);
        num_codes_sum += num_codes;
@ -70,11 +81,15 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc)

            count++;
        }
+        if (prefix > (65535 - 256)/2) {
+            vlc->table = NULL;
+            return AVERROR_INVALIDDATA;
+        }

        prefix <<= 1;
    }

-    return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1,
+    return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1,
                              codes, 2, 2, symbols, 1, 1, 0);
 }

@ -101,7 +116,7 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left,
    for (i = 0; i < ctx->avctx->width; i++) {
        /* Always get the alpha component */
        UPDATE_CACHE(bits, gb);
-        GET_VLC(code, bits, gb, vlc[0].table, 7, 2);
+        GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH);

        pred[0] += code;
        dst[0]   = pred[0];
@ -110,21 +125,21 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left,
        if (dst[0]) {
            /* Red */
            UPDATE_CACHE(bits, gb);
-            GET_VLC(code, bits, gb, vlc[1].table, 7, 2);
+            GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH);

            pred[1] += code;
            dst[1]   = pred[1];

            /* Green */
            UPDATE_CACHE(bits, gb);
-            GET_VLC(code, bits, gb, vlc[2].table, 7, 2);
+            GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH);

            pred[2] += code;
            dst[2]   = pred[2];

            /* Blue */
            UPDATE_CACHE(bits, gb);
-            GET_VLC(code, bits, gb, vlc[3].table, 7, 2);
+            GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH);

            pred[3] += code;
            dst[3]   = pred[3];
@ -166,7 +181,7 @@ static int read_rgb24_component_line(CLLCContext *ctx, GetBitContext *gb,
    /* Simultaneously read and restore the line */
    for (i = 0; i < ctx->avctx->width; i++) {
        UPDATE_CACHE(bits, gb);
-        GET_VLC(code, bits, gb, vlc->table, 7, 2);
+        GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH);

        pred  += code;
        dst[0] = pred;
@ -195,7 +210,7 @@ static int read_yuv_component_line(CLLCContext *ctx, GetBitContext *gb,
    /* Simultaneously read and restore the line */
    for (i = 0; i < ctx->avctx->width >> is_chroma; i++) {
        UPDATE_CACHE(bits, gb);
-        GET_VLC(code, bits, gb, vlc->table, 7, 2);
+        GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH);

        pred     += code;
        outbuf[i] = pred;
--- a/libavcodec/cngdec.c
+++ b/libavcodec/cngdec.c
@ -147,7 +147,7 @@ static int cng_decode_frame(AVCodecContext *avctx, void *data,
        return ret;
    buf_out = (int16_t *)frame->data[0];
    for (i = 0; i < avctx->frame_size; i++)
-        buf_out[i] = p->filter_out[i + p->order];
+        buf_out[i] = av_clip_int16(p->filter_out[i + p->order]);
    memcpy(p->filter_out, p->filter_out + avctx->frame_size,
           p->order * sizeof(*p->filter_out));

--- a/libavcodec/cscd.c
+++ b/libavcodec/cscd.c
@ -81,15 +81,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    switch ((buf[0] >> 1) & 7) {
        case 0: { // lzo compression
            int outlen = c->decomp_size, inlen = buf_size - 2;
-            if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen))
+            if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) {
                av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
+                return AVERROR_INVALIDDATA;
+            }
            break;
        }
        case 1: { // zlib compression
 #if CONFIG_ZLIB
            unsigned long dlen = c->decomp_size;
-            if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK)
+            if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) {
                av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n");
+                return AVERROR_INVALIDDATA;
+            }
            break;
 #else
            av_log(avctx, AV_LOG_ERROR, "compiled without zlib support\n");
--- a/libavcodec/cuvid.c
+++ b/libavcodec/cuvid.c
@ -367,13 +367,17 @@ static int cuvid_decode_packet(AVCodecContext *avctx, const AVPacket *avpkt)
    AVPacket filter_packet = { 0 };
    AVPacket filtered_packet = { 0 };
    int ret = 0, eret = 0, is_flush = ctx->decoder_flushing;
+    int delay = ctx->cuparseinfo.ulMaxDisplayDelay;

    av_log(avctx, AV_LOG_TRACE, "cuvid_decode_packet\n");

    if (is_flush && avpkt && avpkt->size)
        return AVERROR_EOF;

-    if ((av_fifo_size(ctx->frame_queue) / sizeof(CuvidParsedFrame)) + 2 > ctx->nb_surfaces && avpkt && avpkt->size)
+    if (ctx->deint_mode != cudaVideoDeinterlaceMode_Weave && !ctx->drop_second_field)
+        delay *= 2;
+
+    if ((av_fifo_size(ctx->frame_queue) / sizeof(CuvidParsedFrame)) + delay >= ctx->nb_surfaces && avpkt && avpkt->size)
        return AVERROR(EAGAIN);

    if (ctx->bsf && avpkt && avpkt->size) {
--- a/libavcodec/dcadsp.c
+++ b/libavcodec/dcadsp.c
@ -320,7 +320,7 @@ static void dmix_sub_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le
    int i;

    for (i = 0; i < len; i++)
-        dst[i] -= mul15(src[i], coeff);
+        dst[i] -= (unsigned)mul15(src[i], coeff);
 }

 static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t len)
--- a/libavcodec/dds.c
+++ b/libavcodec/dds.c
@ -39,7 +39,7 @@

 #define DDPF_FOURCC    (1 <<  2)
 #define DDPF_PALETTE   (1 <<  5)
-#define DDPF_NORMALMAP (1 << 31)
+#define DDPF_NORMALMAP (1U << 31)

 enum DDSPostProc {
    DDS_NONE = 0,
@ -687,7 +687,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
                    (frame->data[1][2+i*4]<<0)+
                    (frame->data[1][1+i*4]<<8)+
                    (frame->data[1][0+i*4]<<16)+
-                    (frame->data[1][3+i*4]<<24)
+                    ((unsigned)frame->data[1][3+i*4]<<24)
            );
        }
        frame->palette_has_changed = 1;
@ -718,7 +718,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
                        (frame->data[1][2+i*4]<<0)+
                        (frame->data[1][1+i*4]<<8)+
                        (frame->data[1][0+i*4]<<16)+
-                        (frame->data[1][3+i*4]<<24)
+                        ((unsigned)frame->data[1][3+i*4]<<24)
                );

            frame->palette_has_changed = 1;
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@ -41,7 +41,7 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx)

    avctx->pix_fmt = AV_PIX_FMT_PAL8;

-    if (!avctx->width || !avctx->height)
+    if (!avctx->width || !avctx->height || FFMAX(avctx->width, avctx->height) >= (1<<16))
        return AVERROR_INVALIDDATA;

    av_assert0(av_image_check_size(avctx->width, avctx->height, 0, avctx) >= 0);
@ -67,7 +67,8 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height
    const uint8_t *frame_start = frame;
    const uint8_t *frame_end   = frame + width * height;
    int mask = 0x10000, bitbuf = 0;
-    int v, count, segments;
+    int v, count;
+    unsigned segments;
    unsigned offset;

    segments = bytestream2_get_le32(gb);
@ -175,7 +176,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                return AVERROR_INVALIDDATA;
            frame += v;
        } else {
-            if (frame_end - frame < width + 3)
+            if (frame_end - frame < width + 4)
                return AVERROR_INVALIDDATA;
            frame[0] = frame[1] =
            frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
@ -249,7 +250,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height
        segments = bytestream2_get_le16u(gb);
        while ((segments & 0xC000) == 0xC000) {
            unsigned skip_lines = -(int16_t)segments;
-            unsigned delta = -((int16_t)segments * width);
+            int64_t delta = -((int16_t)segments * (int64_t)width);
            if (frame_end - frame <= delta || y + lines + skip_lines > height)
                return AVERROR_INVALIDDATA;
            frame    += delta;
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@ -93,40 +93,40 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);

 // shared stuff for simd optimizations
 #define COMPOSE_53iL0(b0, b1, b2)\
-    (b1 - ((b0 + b2 + 2) >> 2))
+    (b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2))

 #define COMPOSE_DIRAC53iH0(b0, b1, b2)\
-    (b1 + ((b0 + b2 + 1) >> 1))
+    (b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1))

 #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
-    (b2 + ((-b0 + 9*b1 + 9*b3 - b4 + 8) >> 4))
+    (int)(((unsigned)(b2) + ((int)(9U*b1 + 9U*b3 - b4 - b0 +  8) >> 4)))

 #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\
-    (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5))
+    (int)(((unsigned)(b2) - ((int)(9U*b1 + 9U*b3 - b4 - b0 + 16) >> 5)))

 #define COMPOSE_HAARiL0(b0, b1)\
-    (b0 - ((b1 + 1) >> 1))
+    ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1)))

 #define COMPOSE_HAARiH0(b0, b1)\
-    (b0 + b1)
+    ((int)(b0 + (unsigned)(b1)))

 #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
-    (b4 - ((-8*(b0+b8) + 21*(b1+b7) - 46*(b2+b6) + 161*(b3+b5) + 128) >> 8))
+    ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8))

 #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
-    (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8))
+    ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) +  81*(b3+(unsigned)b5) + 128) >> 8))

 #define COMPOSE_DAUB97iL1(b0, b1, b2)\
-    (b1 - ((1817*(b0 + b2) + 2048) >> 12))
+    ((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))

 #define COMPOSE_DAUB97iH1(b0, b1, b2)\
-    (b1 - (( 113*(b0 + b2) + 64) >> 7))
+    ((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))

 #define COMPOSE_DAUB97iL0(b0, b1, b2)\
-    (b1 + (( 217*(b0 + b2) + 2048) >> 12))
+    ((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))

 #define COMPOSE_DAUB97iH0(b0, b1, b2)\
-    (b1 + ((6497*(b0 + b2) + 2048) >> 12))
+    ((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))


 #endif /* AVCODEC_DWT_H */
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_
    TYPE *b1 = (TYPE *)_b1;
    TYPE *b2 = (TYPE *)_b2;
    for (i = 0; i < width; i++)
-        b1[i] -= (b0[i] + b2[i] + 2) >> 2;
+        b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2);
 }

 static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2,
@ -57,8 +57,8 @@ static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src
 {
    int i;
    for (i = 0; i < w2; i++) {
-        dst[2*i  ] = (src0[i] + add) >> shift;
-        dst[2*i+1] = (src1[i] + add) >> shift;
+        dst[2*i  ] = ((int)(src0[i] + (unsigned)add)) >> shift;
+        dst[2*i+1] = ((int)(src1[i] + (unsigned)add)) >> shift;
    }
 }

@ -95,8 +95,8 @@ static void RENAME(horizontal_compose_dd97i)(uint8_t *_b, uint8_t *_tmp, int w)
    tmp[w2+1] = tmp[w2] = tmp[w2-1];

    for (x = 0; x < w2; x++) {
-        b[2*x  ] = (tmp[x] + 1)>>1;
-        b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1;
+        b[2*x  ] = ((int)(tmp[x] + 1U))>>1;
+        b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1;
    }
 }

@ -118,8 +118,8 @@ static void RENAME(horizontal_compose_dd137i)(uint8_t *_b, uint8_t *_tmp, int w)
    tmp[w2+1] = tmp[w2] = tmp[w2-1];

    for (x = 0; x < w2; x++) {
-        b[2*x  ] = (tmp[x] + 1)>>1;
-        b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1;
+        b[2*x  ] = ((int)(tmp[x] + 1U))>>1;
+        b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1;
    }
 }

@ -190,15 +190,15 @@ static void RENAME(horizontal_compose_daub97i)(uint8_t *_b, uint8_t *_temp, int

    // second stage combined with interleave and shift
    b0 = b2 = COMPOSE_DAUB97iL0(temp[w2], temp[0], temp[w2]);
-    b[0] = (b0 + 1) >> 1;
+    b[0] = ~((~b0) >> 1);
    for (x = 1; x < w2; x++) {
        b2 = COMPOSE_DAUB97iL0(temp[x+w2-1], temp[x     ], temp[x+w2]);
        b1 = COMPOSE_DAUB97iH0(          b0, temp[x+w2-1], b2        );
-        b[2*x-1] = (b1 + 1) >> 1;
-        b[2*x  ] = (b2 + 1) >> 1;
+        b[2*x-1] = ~((~b1) >> 1);
+        b[2*x  ] = ~((~b2) >> 1);
        b0 = b2;
    }
-    b[w-1] = (COMPOSE_DAUB97iH0(b2, temp[w-1], b2) + 1) >> 1;
+    b[w-1] = ~((~COMPOSE_DAUB97iH0(b2, temp[w-1], b2)) >> 1);
 }

 static void RENAME(vertical_compose_dirac53iH0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_b2,
--- a/libavcodec/dirac_vlc.c
+++ b/libavcodec/dirac_vlc.c
@ -37,7 +37,7 @@

 #define APPEND_RESIDUE(N, M)                                                   \
    N          |= M >> (N ## _bits);                                           \
-    N ## _bits +=      (M ## _bits)
+    N ## _bits  = (N ## _bits + (M ## _bits)) & 0x3F

 int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf,
                               int bytes, uint8_t *_dst, int coeffs)
@ -216,9 +216,14 @@ static void generate_offset_lut(DiracGolombLUT *lut, int off)
        INIT_RESIDUE(res);
        SET_RESIDUE(res, idx, LUT_BITS);

-        l->preamble      = CONVERT_TO_RESIDUE(res >> (RSIZE_BITS - off), off);
        l->preamble_bits = off;
-        l->sign = ((l->preamble >> (RSIZE_BITS - l->preamble_bits)) & 1) ? -1 : +1;
+        if (off) {
+            l->preamble  = CONVERT_TO_RESIDUE(res >> (RSIZE_BITS - off), off);
+            l->sign      = ((l->preamble >> (RSIZE_BITS - l->preamble_bits)) & 1) ? -1 : +1;
+        } else {
+            l->preamble  = 0;
+            l->sign = 1;
+        }

        search_for_golomb(l, res << off, LUT_BITS - off);
    }
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@ -140,7 +140,7 @@ typedef struct DiracContext {
    GetBitContext gb;
    AVDiracSeqHeader seq;
    int seen_sequence_header;
-    int frame_number;           /* number of the next frame to display       */
+    int64_t frame_number;       /* number of the next frame to display       */
    Plane plane[3];
    int chroma_x_shift;
    int chroma_y_shift;
@ -249,7 +249,7 @@ enum dirac_subband {
 /* magic number division by 3 from schroedinger */
 static inline int divide3(int x)
 {
-    return ((x+1)*21845 + 10922) >> 16;
+    return (int)((x+1U)*21845 + 10922) >> 16;
 }

 static DiracFrame *remove_frame(DiracFrame *framelist[], int picnum)
@ -442,7 +442,7 @@ static av_cold int dirac_decode_end(AVCodecContext *avctx)
 static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffset)
 {
    int coeff = dirac_get_se_golomb(gb);
-    const int sign = FFSIGN(coeff);
+    const unsigned sign = FFSIGN(coeff);
    if (coeff)
        coeff = sign*((sign * coeff * qfactor + qoffset) >> 2);
    return coeff;
@ -454,7 +454,8 @@ static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffse
    static inline void coeff_unpack_arith_##n(DiracArith *c, int qfactor, int qoffset, \
                                              SubBand *b, type *buf, int x, int y) \
    { \
-        int coeff, sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \
+        int sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \
+        unsigned coeff; \
        const int mstride = -(b->stride >> (1+b->pshift)); \
        if (b->parent) { \
            const type *pbuf = (type *)b->parent->ibuf; \
@ -507,16 +508,16 @@ static inline void codeblock(DiracContext *s, SubBand *b,
    }

    if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) {
-        int quant = b->quant;
+        int quant;
        if (is_arith)
-            quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
+            quant = dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
        else
-            quant += dirac_get_se_golomb(gb);
-        if (quant < 0) {
+            quant = dirac_get_se_golomb(gb);
+        if (quant > INT_MAX - b->quant || b->quant + quant < 0) {
            av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n");
            return;
        }
-        b->quant = quant;
+        b->quant += quant;
    }

    if (b->quant > (DIRAC_MAX_QUANT_INDEX - 1)) {
@ -585,7 +586,7 @@ static inline void codeblock(DiracContext *s, SubBand *b,
    } \

 INTRA_DC_PRED(8, int16_t)
-INTRA_DC_PRED(10, int32_t)
+INTRA_DC_PRED(10, uint32_t)

 /**
 * Dirac Specification ->
@ -823,7 +824,7 @@ static int decode_hq_slice(DiracContext *s, DiracSlice *slice, uint8_t *tmp_buf)
    skip_bits_long(gb, 8*s->highquality.prefix_bytes);
    quant_idx = get_bits(gb, 8);

-    if (quant_idx > DIRAC_MAX_QUANT_INDEX) {
+    if (quant_idx > DIRAC_MAX_QUANT_INDEX - 1) {
        av_log(s->avctx, AV_LOG_ERROR, "Invalid quantization index - %i\n", quant_idx);
        return AVERROR_INVALIDDATA;
    }
@ -984,6 +985,10 @@ static int decode_lowdelay(DiracContext *s)
            for (slice_x = 0; bufsize > 0 && slice_x < s->num_x; slice_x++) {
                bytes = (slice_num+1) * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den
                       - slice_num    * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den;
+                if (bytes >= INT_MAX || bytes*8 > bufsize) {
+                    av_log(s->avctx, AV_LOG_ERROR, "too many bytes\n");
+                    return AVERROR_INVALIDDATA;
+                }
                slices[slice_num].bytes   = bytes;
                slices[slice_num].slice_x = slice_x;
                slices[slice_num].slice_y = slice_y;
@ -1160,6 +1165,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s)
                s->globalmc[ref].perspective[0]  = dirac_get_se_golomb(gb);
                s->globalmc[ref].perspective[1]  = dirac_get_se_golomb(gb);
            }
+            if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) {
+                return AVERROR_INVALIDDATA;
+            }
+
        }
    }

@ -1178,6 +1187,11 @@ static int dirac_unpack_prediction_parameters(DiracContext *s)

    if (get_bits1(gb)) {
        s->weight_log2denom = get_interleaved_ue_golomb(gb);
+        if (s->weight_log2denom < 1 || s->weight_log2denom > 8) {
+            av_log(s->avctx, AV_LOG_ERROR, "weight_log2denom unsupported or invalid\n");
+            s->weight_log2denom = 1;
+            return AVERROR_INVALIDDATA;
+        }
        s->weight[0] = dirac_get_se_golomb(gb);
        if (s->num_refs == 2)
            s->weight[1] = dirac_get_se_golomb(gb);
@ -1232,7 +1246,10 @@ static int dirac_unpack_idwt_params(DiracContext *s)
    else {
        s->num_x        = get_interleaved_ue_golomb(gb);
        s->num_y        = get_interleaved_ue_golomb(gb);
-        if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) {
+        if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX ||
+            s->num_x * (uint64_t)s->avctx->width  > INT_MAX ||
+            s->num_y * (uint64_t)s->avctx->height > INT_MAX
+        ) {
            av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n");
            s->num_x = s->num_y = 0;
            return AVERROR_INVALIDDATA;
@ -1389,8 +1406,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
    int *c      = s->globalmc[ref].perspective;

    int m       = (1<<ep) - (c[0]*x + c[1]*y);
-    int mx      = m * ((A[0][0] * x + A[0][1]*y) + (1<<ez) * b[0]);
-    int my      = m * ((A[1][0] * x + A[1][1]*y) + (1<<ez) * b[1]);
+    int64_t mx  = m * (int64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1<<ez) * b[0]);
+    int64_t my  = m * (int64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1<<ez) * b[1]);

    block->u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
    block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
@ -1412,7 +1429,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock
    if (!block->ref) {
        pred_block_dc(block, stride, x, y);
        for (i = 0; i < 3; i++)
-            block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA);
+            block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA);
        return;
    }

@ -1427,8 +1444,8 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock
                global_mv(s, block, x, y, i);
            } else {
                pred_mv(block, stride, x, y, i);
-                block->u.mv[i][0] += dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
-                block->u.mv[i][1] += dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
+                block->u.mv[i][0] += (unsigned)dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
+                block->u.mv[i][1] += (unsigned)dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
            }
        }
 }
@ -2047,9 +2064,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame)

    if (out) {
        out->reference ^= DELAYED_PIC_REF;
-        *got_frame = 1;
        if((ret = av_frame_ref(picture, out->avframe)) < 0)
            return ret;
+        *got_frame = 1;
    }

    return 0;
@ -2290,7 +2307,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    }

    if (*got_frame)
-        s->frame_number = picture->display_picture_number + 1;
+        s->frame_number = picture->display_picture_number + 1LL;

    return buf_idx;
 }
--- a/libavcodec/diracdsp.c
+++ b/libavcodec/diracdsp.c
@ -159,10 +159,10 @@ static void put_signed_rect_clamped_ ## PX ## bit_c(uint8_t *_dst, int dst_strid
    int32_t *src = (int32_t *)_src;                                                                     \
    for (y = 0; y < height; y++) {                                                                      \
        for (x = 0; x < width; x+=4) {                                                                  \
-            dst[x  ] = av_clip_uintp2(src[x  ] + (1 << (PX - 1)), PX);                                  \
-            dst[x+1] = av_clip_uintp2(src[x+1] + (1 << (PX - 1)), PX);                                  \
-            dst[x+2] = av_clip_uintp2(src[x+2] + (1 << (PX - 1)), PX);                                  \
-            dst[x+3] = av_clip_uintp2(src[x+3] + (1 << (PX - 1)), PX);                                  \
+            dst[x  ] = av_clip_uintp2(src[x  ] + (1U << (PX - 1)), PX);                                  \
+            dst[x+1] = av_clip_uintp2(src[x+1] + (1U << (PX - 1)), PX);                                  \
+            dst[x+2] = av_clip_uintp2(src[x+2] + (1U << (PX - 1)), PX);                                  \
+            dst[x+3] = av_clip_uintp2(src[x+3] + (1U << (PX - 1)), PX);                                  \
        }                                                                                               \
        dst += dst_stride >> 1;                                                                         \
        src += src_stride >> 2;                                                                         \
@ -199,7 +199,7 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s
        for (i = 0; i < tot_h; i++) {                                                      \
            c = *src_r++;                                                                  \
            sign = FFSIGN(c)*(!!c);                                                        \
-            c = (FFABS(c)*qf + qs) >> 2;                                                   \
+            c = (FFABS(c)*(unsigned)qf + qs) >> 2;                                                   \
            *dst_r++ = c*sign;                                                             \
        }                                                                                  \
        src += tot_h << (sizeof(PX) >> 1);                                                 \
--- a/libavcodec/dnxhd_parser.c
+++ b/libavcodec/dnxhd_parser.c
@ -29,8 +29,6 @@

 typedef struct {
    ParseContext pc;
-    int interlaced;
-    int cur_field; /* first field is 0, second is 1 */
    int cur_byte;
    int remaining;
    int w, h;
@ -56,8 +54,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
    uint64_t state = pc->state64;
    int pic_found = pc->frame_start_found;
    int i = 0;
-    int interlaced = dctx->interlaced;
-    int cur_field = dctx->cur_field;

    if (!pic_found) {
        for (i = 0; i < buf_size; i++) {
@ -65,8 +61,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
            if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
                i++;
                pic_found = 1;
-                interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */
-                cur_field = state&1;
                dctx->cur_byte = 0;
                dctx->remaining = 0;
                break;
@ -87,23 +81,23 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
                dctx->w = (state >> 32) & 0xFFFF;
            } else if (dctx->cur_byte == 42) {
                int cid = (state >> 32) & 0xFFFFFFFF;
+                int remaining;

                if (cid <= 0)
                    continue;

-                dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
-                if (dctx->remaining <= 0) {
-                    dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
-                    if (dctx->remaining <= 0)
-                        return dctx->remaining;
+                remaining = avpriv_dnxhd_get_frame_size(cid);
+                if (remaining <= 0) {
+                    remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
+                    if (remaining <= 0)
+                        continue;
                }
-                if (buf_size - i >= dctx->remaining && (!dctx->interlaced || dctx->cur_field)) {
+                dctx->remaining = remaining;
+                if (buf_size - i + 47 >= dctx->remaining) {
                    int remaining = dctx->remaining;

                    pc->frame_start_found = 0;
                    pc->state64 = -1;
-                    dctx->interlaced = interlaced;
-                    dctx->cur_field = 0;
                    dctx->cur_byte = 0;
                    dctx->remaining = 0;
                    return remaining;
@ -120,8 +114,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,

            pc->frame_start_found = 0;
            pc->state64 = -1;
-            dctx->interlaced = interlaced;
-            dctx->cur_field = 0;
            dctx->cur_byte = 0;
            dctx->remaining = 0;
            return remaining;
@ -129,8 +121,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
    }
    pc->frame_start_found = pic_found;
    pc->state64 = state;
-    dctx->interlaced = interlaced;
-    dctx->cur_field = cur_field;
    return END_NOT_FOUND;
 }

--- a/libavcodec/dnxhddec.c
+++ b/libavcodec/dnxhddec.c
@ -298,14 +298,18 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame,
    if (ctx->mb_height > 68 && ff_dnxhd_check_header_prefix_hr(header_prefix)) {
        ctx->data_offset = 0x170 + (ctx->mb_height << 2);
    } else {
-        if (ctx->mb_height > 68 ||
-            (ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
+        if (ctx->mb_height > 68) {
            av_log(ctx->avctx, AV_LOG_ERROR,
                   "mb height too big: %d\n", ctx->mb_height);
            return AVERROR_INVALIDDATA;
        }
        ctx->data_offset = 0x280;
    }
+    if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) {
+        av_log(ctx->avctx, AV_LOG_ERROR,
+                "mb height too big: %d\n", ctx->mb_height);
+        return AVERROR_INVALIDDATA;
+    }

    if (buf_size < ctx->data_offset) {
        av_log(ctx->avctx, AV_LOG_ERROR,
@ -373,6 +377,10 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx,

    UPDATE_CACHE(bs, &row->gb);
    GET_VLC(len, bs, &row->gb, ctx->dc_vlc.table, DNXHD_DC_VLC_BITS, 1);
+    if (len < 0) {
+        ret = len;
+        goto error;
+    }
    if (len) {
        level = GET_CACHE(bs, &row->gb);
        LAST_SKIP_BITS(bs, &row->gb, len);
@ -426,7 +434,7 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx,
        GET_VLC(index1, bs, &row->gb, ctx->ac_vlc.table,
                DNXHD_VLC_BITS, 2);
    }
-
+error:
    CLOSE_READER(bs, &row->gb);
    return ret;
 }
--- a/libavcodec/dnxhdenc.c
+++ b/libavcodec/dnxhdenc.c
@ -220,7 +220,7 @@ static av_cold int dnxhd_init_vlc(DNXHDEncContext *ctx)
    ctx->vlc_bits  += max_level * 2;
    for (level = -max_level; level < max_level; level++) {
        for (run = 0; run < 2; run++) {
-            int index = (level << 1) | run;
+            int index = level * (1 << 1) | run;
            int sign, offset = 0, alevel = level;

            MASK_ABS(sign, alevel);
@ -618,7 +618,7 @@ void dnxhd_encode_block(DNXHDEncContext *ctx, int16_t *block,
        slevel = block[j];
        if (slevel) {
            int run_level = i - last_non_zero - 1;
-            int rlevel = (slevel << 1) | !!run_level;
+            int rlevel = slevel * (1 << 1) | !!run_level;
            put_bits(&ctx->m.pb, ctx->vlc_bits[rlevel], ctx->vlc_codes[rlevel]);
            if (run_level)
                put_bits(&ctx->m.pb, ctx->run_bits[run_level],
@ -698,7 +698,7 @@ int dnxhd_calc_ac_bits(DNXHDEncContext *ctx, int16_t *block, int last_index)
        level = block[j];
        if (level) {
            int run_level = i - last_non_zero - 1;
-            bits += ctx->vlc_bits[(level << 1) |
+            bits += ctx->vlc_bits[level * (1 << 1) |
                    !!run_level] + ctx->run_bits[run_level];
            last_non_zero = i;
        }
--- a/libavcodec/dsicinvideo.c
+++ b/libavcodec/dsicinvideo.c
@ -158,6 +158,9 @@ static int cin_decode_lzss(const unsigned char *src, int src_size,
        }
    }

+    if (dst_end - dst > dst_size - dst_size/10)
+        return AVERROR_INVALIDDATA;
+
    return 0;
 }

@ -184,6 +187,10 @@ static int cin_decode_rle(const unsigned char *src, int src_size,
        }
        dst += len;
    }
+
+    if (dst_end - dst > dst_size - dst_size/10)
+        return AVERROR_INVALIDDATA;
+
    return 0;
 }

@ -226,27 +233,35 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
     * surface.width = surface.pitch */
    switch (bitmap_frame_type) {
    case 9:
-        cin_decode_rle(buf, bitmap_frame_size,
+        res =  cin_decode_rle(buf, bitmap_frame_size,
                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        if (res < 0)
+            return res;
        break;
    case 34:
-        cin_decode_rle(buf, bitmap_frame_size,
+        res =  cin_decode_rle(buf, bitmap_frame_size,
                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        if (res < 0)
+            return res;
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
    case 35:
        bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
                           cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
-        cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
+        res =  cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        if (res < 0)
+            return res;
        break;
    case 36:
        bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
                                               cin->bitmap_table[CIN_INT_BMP],
                                               cin->bitmap_size);
-        cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
+        res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
                       cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+        if (res < 0)
+            return res;
        cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
                             cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
        break;
--- a/libavcodec/dss_sp.c
+++ b/libavcodec/dss_sp.c
@ -33,7 +33,7 @@

 #define DSS_SP_FRAME_SIZE        42
 #define DSS_SP_SAMPLE_COUNT     (66 * SUBFRAMES)
-#define DSS_SP_FORMULA(a, b, c) (((((a) << 15) + (b) * (c)) + 0x4000) >> 15)
+#define DSS_SP_FORMULA(a, b, c) ((int)((((a) * (1 << 15)) + (b) * (unsigned)(c)) + 0x4000) >> 15)

 typedef struct DssSpSubframe {
    int16_t gain;
@ -499,7 +499,7 @@ static void dss_sp_scale_vector(int32_t *vec, int bits, int size)
            vec[i] = vec[i] >> -bits;
    else
        for (i = 0; i < size; i++)
-            vec[i] = vec[i] << bits;
+            vec[i] = vec[i] * (1 << bits);
 }

 static void dss_sp_update_buf(int32_t *hist, int32_t *vector)
@ -524,12 +524,12 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf,
        tmp = dst[a] * filter_buf[0];

        for (i = 14; i > 0; i--)
-            tmp -= error_buf[i] * filter_buf[i];
+            tmp -= error_buf[i] * (unsigned)filter_buf[i];

        for (i = 14; i > 0; i--)
            error_buf[i] = error_buf[i - 1];

-        tmp = (tmp + 4096) >> 13;
+        tmp = (int)(tmp + 4096U) >> 13;

        error_buf[1] = tmp;

--- a/libavcodec/dvbsubdec.c
+++ b/libavcodec/dvbsubdec.c
@ -24,6 +24,7 @@
 #include "bytestream.h"
 #include "internal.h"
 #include "libavutil/colorspace.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/opt.h"

 #define DVBSUB_PAGE_SEGMENT     0x10
@ -1159,9 +1160,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx,
                return AVERROR_INVALIDDATA;
        }

-        if (depth & 0x80)
+        if (depth & 0x80 && entry_id < 4)
            clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha);
-        else if (depth & 0x40)
+        else if (depth & 0x40 && entry_id < 16)
            clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha);
        else if (depth & 0x20)
            clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha);
@ -1184,6 +1185,7 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
    DVBSubObject *object;
    DVBSubObjectDisplay *display;
    int fill;
+    int ret;

    if (buf_size < 10)
        return AVERROR_INVALIDDATA;
@ -1212,6 +1214,12 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
    region->height = AV_RB16(buf);
    buf += 2;

+    ret = av_image_check_size(region->width, region->height, 0, avctx);
+    if (ret < 0) {
+        region->width= region->height= 0;
+        return ret;
+    }
+
    if (region->width * region->height != region->buf_size) {
        av_free(region->pbuf);

--- a/libavcodec/dvdsub_parser.c
+++ b/libavcodec/dvdsub_parser.c
@ -44,6 +44,9 @@ static int dvdsub_parse(AVCodecParserContext *s,
 {
    DVDSubParseContext *pc = s->priv_data;

+    *poutbuf      = buf;
+    *poutbuf_size = buf_size;
+
    if (pc->packet_index == 0) {
        if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) {
            if (buf_size)
@ -54,7 +57,11 @@ static int dvdsub_parse(AVCodecParserContext *s,
        if (pc->packet_len == 0) /* HD-DVD subpicture packet */
            pc->packet_len = AV_RB32(buf+2);
        av_freep(&pc->packet);
-        pc->packet = av_malloc(pc->packet_len);
+        if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+            av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len);
+            return buf_size;
+        }
+        pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE);
    }
    if (pc->packet) {
        if (pc->packet_index + buf_size <= pc->packet_len) {
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@ -60,7 +60,7 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t *
        cb = *ycbcr++;
        YUV_TO_RGB1_CCIR(cb, cr);
        YUV_TO_RGB2_CCIR(r, g, b, y);
-        *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b;
+        *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b;
    }
 }

@ -82,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color)
 {
    int len;
    int has_run = get_bits1(gb);
-    if (get_bits1(gb))
-        *color = get_bits(gb, 8);
-    else
-        *color = get_bits(gb, 2);
+    *color = get_bits(gb, 2 + 6*get_bits1(gb));
    if (has_run) {
        if (get_bits1(gb)) {
            len = get_bits(gb, 7);
@ -127,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
            len = decode_run_8bit(&gb, &color);
        else
            len = decode_run_2bit(&gb, &color);
+        if (len != INT_MAX && len > w - x)
+            return AVERROR_INVALIDDATA;
        len = FFMIN(len, w - x);
        memset(d + x, color, len);
        x += len;
@ -189,12 +188,12 @@ static void guess_palette(DVDSubContext* ctx,
                r = (((subtitle_color >> 16) & 0xff) * level) >> 8;
                g = (((subtitle_color >> 8) & 0xff) * level) >> 8;
                b = (((subtitle_color >> 0) & 0xff) * level) >> 8;
-                rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24);
+                rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24);
                color_used[colormap[i]] = (i + 1);
                j++;
            } else {
                rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) |
-                                    ((alpha[i] * 17) << 24);
+                                    ((alpha[i] * 17U) << 24);
            }
        }
    }
--- a/libavcodec/dxtory.c
+++ b/libavcodec/dxtory.c
@ -305,11 +305,7 @@ static int dxtory_decode_v2(AVCodecContext *avctx, AVFrame *pic,
    }

    if (avctx->height - line) {
-        av_log(avctx, AV_LOG_VERBOSE,
-               "Not enough slice data available, "
-               "cropping the frame by %d pixels\n",
-                avctx->height - line);
-        avctx->height = line;
+        avpriv_request_sample(avctx, "Not enough slice data available");
    }

    return 0;
@ -326,7 +322,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame *frame,
    int stride   = frame->linesize[0];
    uint8_t *dst = frame->data[0] + stride * line;

-    for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+    for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
        for (x = 0; x < width; x++) {
            b = decode_sym_565(gb, lru[0], 5);
            g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5);
@ -392,7 +388,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame *frame,
    int stride   = frame->linesize[0];
    uint8_t *dst = frame->data[0] + stride * line;

-    for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+    for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
        for (x = 0; x < width; x++) {
            dst[x * 3 + 0] = decode_sym(gb, lru[0]);
            dst[x * 3 + 1] = decode_sym(gb, lru[1]);
@ -437,7 +433,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame,
    uint8_t *U  = frame->data[1] + (ustride >> 2) * line;
    uint8_t *V  = frame->data[2] + (vstride >> 2) * line;

-    for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) {
+    for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) {
        for (x = 0; x < width; x += 4) {
            for (j = 0; j < 4; j++)
                for (i = 0; i < 4; i++)
@ -481,7 +477,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame,
    uint8_t *V  = frame->data[2] + (vstride >> 1) * line;


-    for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) {
+    for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) {
        for (x = 0; x < width; x += 2) {
            Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]);
            Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]);
@ -524,7 +520,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame *frame,
    uint8_t *U  = frame->data[1] + ustride * line;
    uint8_t *V  = frame->data[2] + vstride * line;

-    for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+    for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
        for (x = 0; x < width; x++) {
            Y[x] = decode_sym(gb, lru[0]);
            U[x] = decode_sym(gb, lru[1]) ^ 0x80;
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@ -335,6 +335,9 @@ static int dxv_decompress_raw(AVCodecContext *avctx)
    DXVContext *ctx = avctx->priv_data;
    GetByteContext *gbc = &ctx->gbc;

+    if (bytestream2_get_bytes_left(gbc) < ctx->tex_size)
+        return AVERROR_INVALIDDATA;
+
    bytestream2_get_buffer(gbc, ctx->tex_data, ctx->tex_size);
    return 0;
 }
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@ -284,7 +284,7 @@ static int decode_frame(AVCodecContext *avctx,

    if (avctx->width != width || avctx->height != height) {
        av_frame_unref(s->last_frame);
-        if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb))
+        if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb))
            return AVERROR_INVALIDDATA;
        if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
            return ret;
--- a/libavcodec/eatqi.c
+++ b/libavcodec/eatqi.c
@ -112,7 +112,7 @@ static inline void tqi_idct_put(AVCodecContext *avctx, AVFrame *frame,

 static void tqi_calculate_qtable(TqiContext *t, int quant)
 {
-    const int qscale = (215 - 2*quant)*5;
+    const int64_t qscale = (215 - 2*quant)*5;
    int i;

    t->intra_matrix[0] = (ff_inv_aanscales[0] * ff_mpeg1_default_intra_matrix[0]) >> 11;
--- a/libavcodec/elsdec.c
+++ b/libavcodec/elsdec.c
@ -271,7 +271,7 @@ void ff_els_decoder_init(ElsDecCtx *ctx, const uint8_t *in, size_t data_size)

 void ff_els_decoder_uninit(ElsUnsignedRung *rung)
 {
-    av_free(rung->rem_rung_list);
+    av_freep(&rung->rem_rung_list);
 }

 static int els_import_byte(ElsDecCtx *ctx)
@ -391,12 +391,10 @@ unsigned ff_els_decode_unsigned(ElsDecCtx *ctx, ElsUnsignedRung *ur)
                if (ur->rung_list_size <= (ur->avail_index + 2) * sizeof(ElsRungNode)) {
                    // remember rung_node position
                    ptrdiff_t pos     = rung_node - ur->rem_rung_list;
-                    ur->rem_rung_list = av_realloc(ur->rem_rung_list,
+                    ctx->err = av_reallocp(&ur->rem_rung_list,
                                                   ur->rung_list_size +
                                                   RUNG_SPACE);
-                    if (!ur->rem_rung_list) {
-                        av_free(ur->rem_rung_list);
-                        ctx->err = AVERROR(ENOMEM);
+                    if (ctx->err < 0) {
                        return 0;
                    }
                    memset((uint8_t *) ur->rem_rung_list + ur->rung_list_size, 0,
--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride)
            dc = -prev_dc +
                 data[x     + y * stride] * 8 -
                 data[x + 1 + y * stride];
-            dc = (dc * 10923 + 32768) >> 16;
+            dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
            prev_dc = data[x + y * stride];
            data[x + y * stride] = dc;
        }
@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride)
            dc = -prev_dc +
                 data[x +  y      * stride] * 8 -
                 data[x + (y + 1) * stride];
-            dc = (dc * 10923 + 32768) >> 16;
+            dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
            prev_dc = data[x + y * stride];
            data[x + y * stride] = dc;
        }
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx,

    // This call also guards the potential depth reads for the
    // codebook unpacking.
-    if (get_bits_left(&gb) < 64)
+    // Check if the amount we will read minimally is available on input.
+    // The 64 represent the immediately next 2 frame_* elements read, the 23/4320
+    // represent a lower bound of the space needed for skipped superblocks. Non
+    // skipped SBs need more space.
+    if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
        return -1;

    frame_flags = get_bits_long(&gb, 32);
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@ -220,9 +220,9 @@ static union av_intfloat32 exr_half2float(uint16_t hf)
 *
 * @return normalized 16-bit unsigned int
 */
-static inline uint16_t exr_flt2uint(uint32_t v)
+static inline uint16_t exr_flt2uint(int32_t v)
 {
-    unsigned int exp = v >> 23;
+    int32_t exp = v >> 23;
    // "HACK": negative values result in exp<  0, so clipping them to 0
    // is also handled by this condition, avoids explicit check for sign bit.
    if (exp <= 127 + 7 - 24) // we would shift out all bits anyway
@ -574,7 +574,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
    while (lc > 0) {
        const HufDec pl = hdecod[(c << (HUF_DECBITS - lc)) & HUF_DECMASK];

-        if (pl.len) {
+        if (pl.len && lc >= pl.len) {
            lc -= pl.len;
            get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
        } else {
@ -866,7 +866,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src,
                in     = ptr[2] + td->xsize;

                for (j = 0; j < td->xsize; ++j) {
-                    uint32_t diff = (*(ptr[0]++) << 24) |
+                    uint32_t diff = ((unsigned)*(ptr[0]++) << 24) |
                                    (*(ptr[1]++) << 16) |
                                    (*(ptr[2]++) << 8);
                    pixel += diff;
@ -892,7 +892,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src,
                in     = ptr[3] + s->xdelta;

                for (j = 0; j < s->xdelta; ++j) {
-                    uint32_t diff = (*(ptr[0]++) << 24) |
+                    uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
                    (*(ptr[1]++) << 16) |
                    (*(ptr[2]++) << 8 ) |
                    (*(ptr[3]++));
@ -910,7 +910,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src,

 static void unpack_14(const uint8_t b[14], uint16_t s[16])
 {
-    unsigned short shift = (b[ 2] >> 2);
+    unsigned short shift = (b[ 2] >> 2) & 15;
    unsigned short bias = (0x20 << shift);
    int i;

@ -1062,7 +1062,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
    line_offset = AV_RL64(s->gb.buffer + jobnr * 8);

    if (s->is_tile) {
-        if (line_offset > buf_size - 20)
+        if (buf_size < 20 || line_offset > buf_size - 20)
            return AVERROR_INVALIDDATA;

        src  = buf + line_offset + 20;
@ -1073,7 +1073,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        tileLevelY = AV_RL32(src - 8);

        data_size = AV_RL32(src - 4);
-        if (data_size <= 0 || data_size > buf_size)
+        if (data_size <= 0 || data_size > buf_size - line_offset - 20)
            return AVERROR_INVALIDDATA;

        if (tileLevelX || tileLevelY) { /* tile level, is not the full res level */
@ -1106,7 +1106,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
        uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */
    } else {
-        if (line_offset > buf_size - 8)
+        if (buf_size < 8 || line_offset > buf_size - 8)
            return AVERROR_INVALIDDATA;

        src  = buf + line_offset + 8;
@ -1116,7 +1116,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
            return AVERROR_INVALIDDATA;

        data_size = AV_RL32(src - 4);
-        if (data_size <= 0 || data_size > buf_size)
+        if (data_size <= 0 || data_size > buf_size - line_offset - 8)
            return AVERROR_INVALIDDATA;

        td->ysize          = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */
@ -1317,6 +1317,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
    AVDictionary *metadata = NULL;
    int magic_number, version, i, flags, sar = 0;
    int layer_match = 0;
+    int ret;

    s->current_channel_offset = 0;
    s->xmin               = ~0;
@ -1375,8 +1376,10 @@ static int decode_header(EXRContext *s, AVFrame *frame)
        if ((var_size = check_header_variable(s, "channels",
                                              "chlist", 38)) >= 0) {
            GetByteContext ch_gb;
-            if (!var_size)
-                return AVERROR_INVALIDDATA;
+            if (!var_size) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }

            bytestream2_init(&ch_gb, s->gb.buffer, var_size);

@ -1435,14 +1438,16 @@ static int decode_header(EXRContext *s, AVFrame *frame)

                if (bytestream2_get_bytes_left(&ch_gb) < 4) {
                    av_log(s->avctx, AV_LOG_ERROR, "Incomplete header.\n");
-                    return AVERROR_INVALIDDATA;
+                    ret = AVERROR_INVALIDDATA;
+                    goto fail;
                }

                current_pixel_type = bytestream2_get_le32(&ch_gb);
                if (current_pixel_type >= EXR_UNKNOWN) {
                    avpriv_report_missing_feature(s->avctx, "Pixel type %d",
                                                  current_pixel_type);
-                    return AVERROR_PATCHWELCOME;
+                    ret = AVERROR_PATCHWELCOME;
+                    goto fail;
                }

                bytestream2_skip(&ch_gb, 4);
@ -1453,7 +1458,8 @@ static int decode_header(EXRContext *s, AVFrame *frame)
                    avpriv_report_missing_feature(s->avctx,
                                                  "Subsampling %dx%d",
                                                  xsub, ysub);
-                    return AVERROR_PATCHWELCOME;
+                    ret = AVERROR_PATCHWELCOME;
+                    goto fail;
                }

                if (channel_index >= 0 && s->channel_offsets[channel_index] == -1) { /* channel has not been previously assigned */
@ -1461,7 +1467,8 @@ static int decode_header(EXRContext *s, AVFrame *frame)
                        s->pixel_type != current_pixel_type) {
                        av_log(s->avctx, AV_LOG_ERROR,
                               "RGB channels not of the same depth.\n");
-                        return AVERROR_INVALIDDATA;
+                        ret = AVERROR_INVALIDDATA;
+                        goto fail;
                    }
                    s->pixel_type                     = current_pixel_type;
                    s->channel_offsets[channel_index] = s->current_channel_offset;
@ -1469,8 +1476,10 @@ static int decode_header(EXRContext *s, AVFrame *frame)

                s->channels = av_realloc(s->channels,
                                         ++s->nb_channels * sizeof(EXRChannel));
-                if (!s->channels)
-                    return AVERROR(ENOMEM);
+                if (!s->channels) {
+                    ret = AVERROR(ENOMEM);
+                    goto fail;
+                }
                channel             = &s->channels[s->nb_channels - 1];
                channel->pixel_type = current_pixel_type;
                channel->xsub       = xsub;
@ -1495,7 +1504,8 @@ static int decode_header(EXRContext *s, AVFrame *frame)
                        av_log(s->avctx, AV_LOG_ERROR, "Missing green channel.\n");
                    if (s->channel_offsets[2] < 0)
                        av_log(s->avctx, AV_LOG_ERROR, "Missing blue channel.\n");
-                    return AVERROR_INVALIDDATA;
+                    ret = AVERROR_INVALIDDATA;
+                    goto fail;
                }
            }

@ -1504,8 +1514,10 @@ static int decode_header(EXRContext *s, AVFrame *frame)
            continue;
        } else if ((var_size = check_header_variable(s, "dataWindow", "box2i",
                                                     31)) >= 0) {
-            if (!var_size)
-                return AVERROR_INVALIDDATA;
+            if (!var_size) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }

            s->xmin   = bytestream2_get_le32(&s->gb);
            s->ymin   = bytestream2_get_le32(&s->gb);
@ -1517,8 +1529,10 @@ static int decode_header(EXRContext *s, AVFrame *frame)
            continue;
        } else if ((var_size = check_header_variable(s, "displayWindow",
                                                     "box2i", 34)) >= 0) {
-            if (!var_size)
-                return AVERROR_INVALIDDATA;
+            if (!var_size) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }

            bytestream2_skip(&s->gb, 8);
            s->w = bytestream2_get_le32(&s->gb) + 1;
@ -1528,29 +1542,36 @@ static int decode_header(EXRContext *s, AVFrame *frame)
        } else if ((var_size = check_header_variable(s, "lineOrder",
                                                     "lineOrder", 25)) >= 0) {
            int line_order;
-            if (!var_size)
-                return AVERROR_INVALIDDATA;
+            if (!var_size) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }

            line_order = bytestream2_get_byte(&s->gb);
            av_log(s->avctx, AV_LOG_DEBUG, "line order: %d.\n", line_order);
            if (line_order > 2) {
                av_log(s->avctx, AV_LOG_ERROR, "Unknown line order.\n");
-                return AVERROR_INVALIDDATA;
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
            }

            continue;
        } else if ((var_size = check_header_variable(s, "pixelAspectRatio",
                                                     "float", 31)) >= 0) {
-            if (!var_size)
-                return AVERROR_INVALIDDATA;
+            if (!var_size) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }

            sar = bytestream2_get_le32(&s->gb);

            continue;
        } else if ((var_size = check_header_variable(s, "compression",
                                                     "compression", 29)) >= 0) {
-            if (!var_size)
-                return AVERROR_INVALIDDATA;
+            if (!var_size) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }

            if (s->compression == EXR_UNKN)
                s->compression = bytestream2_get_byte(&s->gb);
@ -1577,13 +1598,15 @@ static int decode_header(EXRContext *s, AVFrame *frame)
            if (s->tile_attr.level_mode >= EXR_TILE_LEVEL_UNKNOWN){
                avpriv_report_missing_feature(s->avctx, "Tile level mode %d",
                                              s->tile_attr.level_mode);
-                return AVERROR_PATCHWELCOME;
+                ret = AVERROR_PATCHWELCOME;
+                goto fail;
            }

            if (s->tile_attr.level_round >= EXR_TILE_ROUND_UNKNOWN) {
                avpriv_report_missing_feature(s->avctx, "Tile level round %d",
                                              s->tile_attr.level_round);
-                return AVERROR_PATCHWELCOME;
+                ret = AVERROR_PATCHWELCOME;
+                goto fail;
            }

            continue;
@ -1600,7 +1623,8 @@ static int decode_header(EXRContext *s, AVFrame *frame)
        // Check if there are enough bytes for a header
        if (bytestream2_get_bytes_left(&s->gb) <= 9) {
            av_log(s->avctx, AV_LOG_ERROR, "Incomplete header\n");
-            return AVERROR_INVALIDDATA;
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
        }

        // Process unknown variables
@ -1615,19 +1639,22 @@ static int decode_header(EXRContext *s, AVFrame *frame)

    if (s->compression == EXR_UNKN) {
        av_log(s->avctx, AV_LOG_ERROR, "Missing compression attribute.\n");
-        return AVERROR_INVALIDDATA;
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
    }

    if (s->is_tile) {
        if (s->tile_attr.xSize < 1 || s->tile_attr.ySize < 1) {
            av_log(s->avctx, AV_LOG_ERROR, "Invalid tile attribute.\n");
-            return AVERROR_INVALIDDATA;
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
        }
    }

    if (bytestream2_get_bytes_left(&s->gb) <= 0) {
        av_log(s->avctx, AV_LOG_ERROR, "Incomplete frame.\n");
-        return AVERROR_INVALIDDATA;
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
    }

    av_frame_set_metadata(frame, metadata);
@ -1635,6 +1662,9 @@ static int decode_header(EXRContext *s, AVFrame *frame)
    // aaand we are done
    bytestream2_skip(&s->gb, 1);
    return 0;
+fail:
+    av_dict_free(&metadata);
+    return ret;
 }

 static int decode_frame(AVCodecContext *avctx, void *data,
--- a/libavcodec/extract_extradata_bsf.c
+++ b/libavcodec/extract_extradata_bsf.c
@ -78,7 +78,7 @@ static int extract_extradata_h2645(AVBSFContext *ctx, AVPacket *pkt,
    ret = ff_h2645_packet_split(&h2645_pkt, pkt->data, pkt->size,
                                ctx, 0, 0, ctx->par_in->codec_id, 1);
    if (ret < 0)
-        return ret;
+        goto fail;

    for (i = 0; i < h2645_pkt.nb_nals; i++) {
        H2645NAL *nal = &h2645_pkt.nals[i];
@ -101,14 +101,17 @@ static int extract_extradata_h2645(AVBSFContext *ctx, AVPacket *pkt,

        if (s->remove) {
            filtered_buf = av_buffer_alloc(pkt->size + AV_INPUT_BUFFER_PADDING_SIZE);
-            if (!filtered_buf)
+            if (!filtered_buf) {
+                ret = AVERROR(ENOMEM);
                goto fail;
+            }
            filtered_data = filtered_buf->data;
        }

        extradata = av_malloc(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
        if (!extradata) {
            av_buffer_unref(&filtered_buf);
+            ret = AVERROR(ENOMEM);
            goto fail;
        }

--- a/libavcodec/ffjni.c
+++ b/libavcodec/ffjni.c
@ -85,7 +85,7 @@ JNIEnv *ff_jni_get_env(void *log_ctx)
        av_log(log_ctx, AV_LOG_ERROR, "The specified JNI version is not supported\n");
        break;
    default:
-        av_log(log_ctx, AV_LOG_ERROR, "Failed to get the JNI environment attached to this thread");
+        av_log(log_ctx, AV_LOG_ERROR, "Failed to get the JNI environment attached to this thread\n");
        break;
    }

@ -303,6 +303,11 @@ int ff_jni_init_jfields(JNIEnv *env, void *jfields, const struct FFJniField *jfi

            last_clazz = *(jclass*)((uint8_t*)jfields + jfields_mapping[i].offset) =
                    global ? (*env)->NewGlobalRef(env, clazz) : clazz;
+
+            if (global) {
+                (*env)->DeleteLocalRef(env, clazz);
+            }
+
        } else {

            if (!last_clazz) {
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@ -45,7 +45,8 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state,
    if (get_rac(c, state + 0))
        return 0;
    else {
-        int i, e, a;
+        int i, e;
+        unsigned a;
        e = 0;
        while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10
            e++;
@ -353,7 +354,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale)
    memset(state, 128, sizeof(state));

    for (v = 0; i < 128; v++) {
-        unsigned len = get_symbol(c, state, 0) + 1;
+        unsigned len = get_symbol(c, state, 0) + 1U;

        if (len > 128 - i || !len)
            return AVERROR_INVALIDDATA;
@ -698,7 +699,7 @@ static int read_header(FFV1Context *f)
    } else {
        const uint8_t *p = c->bytestream_end;
        for (f->slice_count = 0;
-             f->slice_count < MAX_SLICES && 3 < p - c->bytestream_start;
+             f->slice_count < MAX_SLICES && 3 + 5*!!f->ec < p - c->bytestream_start;
             f->slice_count++) {
            int trailer = 3 + 5*!!f->ec;
            int size = AV_RB24(p-trailer);
@ -898,7 +899,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
            const uint8_t *src[4];
            uint8_t *dst[4];
            ff_thread_await_progress(&f->last_picture, INT_MAX, 0);
-            for (j = 0; j < 4; j++) {
+            for (j = 0; j < desc->nb_components; j++) {
                int pixshift = desc->comp[j].depth > 8;
                int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0;
                int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0;
@ -906,6 +907,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                         (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift);
                src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] *
                         (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift);
+
+            }
+            if (desc->flags & AV_PIX_FMT_FLAG_PAL ||
+                desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) {
+                dst[1] = p->data[1];
+                src[1] = f->last_picture.f->data[1];
            }
            av_image_copy(dst, p->linesize, src,
                          f->last_picture.f->linesize,
--- a/libavcodec/ffv1dec_template.c
+++ b/libavcodec/ffv1dec_template.c
@ -96,7 +96,7 @@ static av_always_inline void RENAME(decode_line)(FFV1Context *s, int w,
        }

        if (sign)
-            diff = -diff;
+            diff = -(unsigned)diff;

        sample[1][x] = av_mod_uintp2(RENAME(predict)(sample[1] + x, sample[0] + x) + diff, bits);
    }
@ -149,7 +149,7 @@ static void RENAME(decode_rgb_frame)(FFV1Context *s, uint8_t *src[3], int w, int
            }

            if (lbd)
-                *((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + (g<<8) + (r<<16) + (a<<24);
+                *((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + ((unsigned)g<<8) + ((unsigned)r<<16) + ((unsigned)a<<24);
            else if (sizeof(TYPE) == 4) {
                *((uint16_t*)(src[0] + x*2 + stride[0]*y)) = g;
                *((uint16_t*)(src[1] + x*2 + stride[1]*y)) = b;
--- a/libavcodec/ffv1enc.c
+++ b/libavcodec/ffv1enc.c
@ -539,6 +539,10 @@ static av_cold int encode_init(AVCodecContext *avctx)
        s->ec = (s->version >= 3);
    }

+    // CRC requires version 3+
+    if (s->ec)
+        s->version = FFMAX(s->version, 3);
+
    if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) {
        av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n");
        return AVERROR_INVALIDDATA;
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@ -82,29 +82,30 @@ static const uint8_t fic_qmat_lq[64] = {
 static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' };

 #define FIC_HEADER_SIZE 27
+#define CURSOR_OFFSET 59

 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd)
 {
-    const int t0 =  27246 * blk[3 * step] + 18405 * blk[5 * step];
-    const int t1 =  27246 * blk[5 * step] - 18405 * blk[3 * step];
-    const int t2 =   6393 * blk[7 * step] + 32139 * blk[1 * step];
-    const int t3 =   6393 * blk[1 * step] - 32139 * blk[7 * step];
-    const int t4 = 5793 * (t2 + t0 + 0x800 >> 12);
-    const int t5 = 5793 * (t3 + t1 + 0x800 >> 12);
-    const int t6 = t2 - t0;
-    const int t7 = t3 - t1;
-    const int t8 =  17734 * blk[2 * step] - 42813 * blk[6 * step];
-    const int t9 =  17734 * blk[6 * step] + 42814 * blk[2 * step];
-    const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd;
-    const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd;
-    blk[0 * step] = (  t4       + t9 + tB) >> shift;
-    blk[1 * step] = (  t6 + t7  + t8 + tA) >> shift;
-    blk[2 * step] = (  t6 - t7  - t8 + tA) >> shift;
-    blk[3 * step] = (  t5       - t9 + tB) >> shift;
-    blk[4 * step] = ( -t5       - t9 + tB) >> shift;
-    blk[5 * step] = (-(t6 - t7) - t8 + tA) >> shift;
-    blk[6 * step] = (-(t6 + t7) + t8 + tA) >> shift;
-    blk[7 * step] = ( -t4       + t9 + tB) >> shift;
+    const unsigned t0 =  27246 * blk[3 * step] + 18405 * blk[5 * step];
+    const unsigned t1 =  27246 * blk[5 * step] - 18405 * blk[3 * step];
+    const unsigned t2 =   6393 * blk[7 * step] + 32139 * blk[1 * step];
+    const unsigned t3 =   6393 * blk[1 * step] - 32139 * blk[7 * step];
+    const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12);
+    const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12);
+    const unsigned t6 = t2 - t0;
+    const unsigned t7 = t3 - t1;
+    const unsigned t8 =  17734 * blk[2 * step] - 42813 * blk[6 * step];
+    const unsigned t9 =  17734 * blk[6 * step] + 42814 * blk[2 * step];
+    const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd;
+    const unsigned tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd;
+    blk[0 * step] = (int)(  t4       + t9 + tB) >> shift;
+    blk[1 * step] = (int)(  t6 + t7  + t8 + tA) >> shift;
+    blk[2 * step] = (int)(  t6 - t7  - t8 + tA) >> shift;
+    blk[3 * step] = (int)(  t5       - t9 + tB) >> shift;
+    blk[4 * step] = (int)( -t5       - t9 + tB) >> shift;
+    blk[5 * step] = (int)(-(t6 - t7) - t8 + tA) >> shift;
+    blk[6 * step] = (int)(-(t6 + t7) + t8 + tA) >> shift;
+    blk[7 * step] = (int)( -t4       + t9 + tB) >> shift;
 }

 static void fic_idct_put(uint8_t *dst, int stride, int16_t *block)
@ -333,6 +334,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
        skip_cursor = 1;
    }

+    if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) {
+        skip_cursor = 1;
+    }
+
    /* Slice height for all but the last slice. */
    ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices;
    if (ctx->slice_h % 16)
@ -412,7 +417,7 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,

    /* Draw cursor. */
    if (!skip_cursor) {
-        memcpy(ctx->cursor_buf, src + 59, 32 * 32 * 4);
+        memcpy(ctx->cursor_buf, src + CURSOR_OFFSET, sizeof(ctx->cursor_buf));
        fic_draw_cursor(avctx, cur_x, cur_y);
    }

--- a/libavcodec/flac_parser.c
+++ b/libavcodec/flac_parser.c
@ -686,12 +686,17 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx,
    }

    for (curr = fpc->headers; curr; curr = curr->next) {
-        if (curr->max_score > 0 &&
-            (!fpc->best_header || curr->max_score > fpc->best_header->max_score)) {
+        if (!fpc->best_header || curr->max_score > fpc->best_header->max_score) {
            fpc->best_header = curr;
        }
    }

+    if (fpc->best_header && fpc->best_header->max_score <= 0) {
+        // Only accept a bad header if there is no other option to continue
+        if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < FLAC_MIN_HEADERS)
+            fpc->best_header = NULL;
+    }
+
    if (fpc->best_header) {
        fpc->best_header_valid = 1;
        if (fpc->best_header->offset > 0) {
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@ -205,12 +205,12 @@ static int get_metadata_size(const uint8_t *buf, int buf_size)
    buf += 4;
    do {
        if (buf_end - buf < 4)
-            return 0;
+            return AVERROR_INVALIDDATA;
        flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size);
        buf += 4;
        if (buf_end - buf < metadata_size) {
            /* need more data in order to read the complete header */
-            return 0;
+            return AVERROR_INVALIDDATA;
        }
        buf += metadata_size;
    } while (!metadata_last);
@ -298,7 +298,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded,
    if (pred_order > 2)
        c = b - decoded[pred_order-2] + decoded[pred_order-3];
    if (pred_order > 3)
-        d = c - decoded[pred_order-2] + 2*decoded[pred_order-3] - decoded[pred_order-4];
+        d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4];

    switch (pred_order) {
    case 0:
@ -456,7 +456,7 @@ static inline int decode_subframe(FLACContext *s, int channel)
        return AVERROR_INVALIDDATA;
    }

-    if (wasted) {
+    if (wasted && wasted < 32) {
        int i;
        for (i = 0; i < s->blocksize; i++)
            decoded[i] = (unsigned)decoded[i] << wasted;
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@ -199,6 +199,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
    num_chunks = bytestream2_get_le16(&g2);
    bytestream2_skip(&g2, 8);  /* skip padding */

+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
+
    frame_size -= 16;

    /* iterate through the chunks */
@ -269,10 +272,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
            while (compressed_lines > 0) {
                if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk)
                    break;
+                if (y_ptr > pixel_limit)
+                    return AVERROR_INVALIDDATA;
                line_packets = bytestream2_get_le16(&g2);
                if ((line_packets & 0xC000) == 0xC000) {
                    // line skip opcode
                    line_packets = -line_packets;
+                    if (line_packets > s->avctx->height)
+                        return AVERROR_INVALIDDATA;
                    y_ptr += line_packets * s->frame->linesize[0];
                } else if ((line_packets & 0xC000) == 0x4000) {
                    av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets);
@ -321,6 +328,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
        case FLI_LC:
            /* line compressed */
            starting_line = bytestream2_get_le16(&g2);
+            if (starting_line >= s->avctx->height)
+                return AVERROR_INVALIDDATA;
            y_ptr = 0;
            y_ptr += starting_line * s->frame->linesize[0];

@ -519,6 +528,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
    if (frame_size > buf_size)
        frame_size = buf_size;

+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
    frame_size -= 16;

    /* iterate through the chunks */
@ -555,9 +566,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
            while (compressed_lines > 0) {
                if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk)
                    break;
+                if (y_ptr > pixel_limit)
+                    return AVERROR_INVALIDDATA;
                line_packets = bytestream2_get_le16(&g2);
                if (line_packets < 0) {
                    line_packets = -line_packets;
+                    if (line_packets > s->avctx->height)
+                        return AVERROR_INVALIDDATA;
                    y_ptr += line_packets * s->frame->linesize[0];
                } else {
                    compressed_lines--;
@ -804,6 +819,8 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
    if (frame_size > buf_size)
        frame_size = buf_size;

+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
    frame_size -= 16;

    /* iterate through the chunks */
@ -840,9 +857,13 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
            while (compressed_lines > 0) {
                if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk)
                    break;
+                if (y_ptr > pixel_limit)
+                    return AVERROR_INVALIDDATA;
                line_packets = bytestream2_get_le16(&g2);
                if (line_packets < 0) {
                    line_packets = -line_packets;
+                    if (line_packets > s->avctx->height)
+                        return AVERROR_INVALIDDATA;
                    y_ptr += line_packets * s->frame->linesize[0];
                } else {
                    compressed_lines--;
--- a/libavcodec/fmvc.c
+++ b/libavcodec/fmvc.c
@ -459,7 +459,7 @@ static int decode_frame(AVCodecContext *avctx,
            int size, offset, start = 0;

            offset = bytestream2_get_le16(gb);
-            if (offset > s->nb_blocks)
+            if (offset >= s->nb_blocks)
                return AVERROR_INVALIDDATA;

            size = bytestream2_get_le16(gb);
@ -561,6 +561,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
    }

    s->nb_blocks = s->xb * s->yb;
+    if (!s->nb_blocks)
+        return AVERROR_INVALIDDATA;
+
    s->blocks = av_calloc(s->nb_blocks, sizeof(*s->blocks));
    if (!s->blocks)
        return AVERROR(ENOMEM);
@ -593,8 +596,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
    s->bpp = avctx->bits_per_coded_sample >> 3;
    s->buffer_size = avctx->width * avctx->height * 4;
    s->pbuffer_size = avctx->width * avctx->height * 4;
-    s->buffer = av_malloc(s->buffer_size);
-    s->pbuffer = av_malloc(s->pbuffer_size);
+    s->buffer = av_mallocz(s->buffer_size);
+    s->pbuffer = av_mallocz(s->pbuffer_size);
    if (!s->buffer || !s->pbuffer)
        return AVERROR(ENOMEM);

--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@ -28,6 +28,7 @@
 #include <inttypes.h>
 #include <zlib.h>

+#include "libavutil/imgutils.h"
 #include "libavutil/intreadwrite.h"

 #include "avcodec.h"
@ -555,8 +556,8 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y,
        B     = ((pred >> B_shift) & 0xFF) - TOSIGNED(delta);
    }

-    if (R<0 || G<0 || B<0) {
-        av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B);
+    if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) {
+        avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", R, G, B);
        return 0;
    }

@ -926,6 +927,7 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y,
        if (c->ec.els_ctx.err != 0) {
            av_log(avctx, AV_LOG_ERROR,
                   "ePIC: couldn't decode transparency pixel!\n");
+            ff_els_decoder_uninit(&c->ec.unsigned_rung);
            return AVERROR_INVALIDDATA;
        }

@ -1354,14 +1356,16 @@ static void g2m_paint_cursor(G2MContext *c, uint8_t *dst, int stride)
    } else {
        dst    +=  x * 3;
    }
-    if (y < 0) {
+
+    if (y < 0)
        h      +=  y;
+    if (w < 0 || h < 0)
+        return;
+    if (y < 0) {
        cursor += -y * c->cursor_stride;
    } else {
        dst    +=  y * stride;
    }
-    if (w < 0 || h < 0)
-        return;

    for (j = 0; j < h; j++) {
        for (i = 0; i < w; i++) {
@ -1451,7 +1455,8 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,
            c->tile_height = bytestream2_get_be32(&bc);
            if (c->tile_width <= 0 || c->tile_height <= 0 ||
                ((c->tile_width | c->tile_height) & 0xF) ||
-                c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4
+                c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 ||
+                av_image_check_size2(c->tile_width, c->tile_height, avctx->max_pixels, avctx->pix_fmt, 0, avctx) < 0
            ) {
                av_log(avctx, AV_LOG_ERROR,
                       "Invalid tile dimensions %dx%d\n",
--- a/libavcodec/g722.c
+++ b/libavcodec/g722.c
@ -88,14 +88,14 @@ static inline void s_zero(int cur_diff, struct G722Band *band)
        ACCUM(3, band->diff_mem[2], 1);
        ACCUM(2, band->diff_mem[1], 1);
        ACCUM(1, band->diff_mem[0], 1);
-        ACCUM(0, cur_diff << 1, 1);
+        ACCUM(0, cur_diff * 2, 1);
    } else {
        ACCUM(5, band->diff_mem[4], 0);
        ACCUM(4, band->diff_mem[3], 0);
        ACCUM(3, band->diff_mem[2], 0);
        ACCUM(2, band->diff_mem[1], 0);
        ACCUM(1, band->diff_mem[0], 0);
-        ACCUM(0, cur_diff << 1, 0);
+        ACCUM(0, cur_diff * 2, 0);
    }
    #undef ACCUM
    band->s_zero = s_zero;
@ -119,14 +119,14 @@ static void do_adaptive_prediction(struct G722Band *band, const int cur_diff)
    band->part_reconst_mem[0] = cur_part_reconst;

    band->pole_mem[1] = av_clip((sg[0] * av_clip(band->pole_mem[0], -8191, 8191) >> 5) +
-                                (sg[1] << 7) + (band->pole_mem[1] * 127 >> 7), -12288, 12288);
+                                (sg[1] * 128) + (band->pole_mem[1] * 127 >> 7), -12288, 12288);

    limit = 15360 - band->pole_mem[1];
    band->pole_mem[0] = av_clip(-192 * sg[0] + (band->pole_mem[0] * 255 >> 8), -limit, limit);

    s_zero(cur_diff, band);

-    cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) << 1);
+    cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) * 2);
    band->s_predictor = av_clip_int16(band->s_zero +
                                      (band->pole_mem[0] * cur_qtzd_reconst >> 15) +
                                      (band->pole_mem[1] * band->prev_qtzd_reconst >> 15));
--- a/libavcodec/g723_1.c
+++ b/libavcodec/g723_1.c
@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length)
    bits= FFMAX(bits, 0);

    for (i = 0; i < length; i++)
-        dst[i] = vector[i] << bits >> 3;
+        dst[i] = (vector[i] * (1 << bits)) >> 3;

    return bits - 3;
 }
@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc)
    for (j = 0; j < LPC_ORDER; j++) {
        int index     = (lpc[j] >> 7) & 0x1FF;
        int offset    = lpc[j] & 0x7f;
-        int temp1     = cos_tab[index] << 16;
+        int temp1     = cos_tab[index] * (1 << 16);
        int temp2     = (cos_tab[index + 1] - cos_tab[index]) *
-                          ((offset << 8) + 0x80) << 1;
+                          (((offset << 8) + 0x80) << 1);

        lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16);
    }
@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc)
     */
    /* Initialize with values in Q28 */
    f1[0] = 1 << 28;
-    f1[1] = (lpc[0] << 14) + (lpc[2] << 14);
+    f1[1] = (lpc[0] + lpc[2]) * (1 << 14);
    f1[2] = lpc[0] * lpc[2] + (2 << 28);

    f2[0] = 1 << 28;
-    f2[1] = (lpc[1] << 14) + (lpc[3] << 14);
+    f2[1] = (lpc[1] + lpc[3]) * (1 << 14);
    f2[2] = lpc[1] * lpc[3] + (2 << 28);

    /*
@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc)

        f1[0] >>= 1;
        f2[0] >>= 1;
-        f1[1] = ((lpc[2 * i]     << 16 >> i) + f1[1]) >> 1;
-        f2[1] = ((lpc[2 * i + 1] << 16 >> i) + f2[1]) >> 1;
+        f1[1] = ((lpc[2 * i]     * 65536 >> i) + f1[1]) >> 1;
+        f2[1] = ((lpc[2 * i + 1] * 65536 >> i) + f2[1]) >> 1;
    }

    /* Convert polynomial coefficients to LPC coefficients */
@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc)
        int64_t ff1 = f1[i + 1] + f1[i];
        int64_t ff2 = f2[i + 1] - f2[i];

-        lpc[i] = av_clipl_int32(((ff1 + ff2) << 3) + (1 << 15)) >> 16;
-        lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) << 3) +
+        lpc[i] = av_clipl_int32(((ff1 + ff2) * 8) + (1 << 15)) >> 16;
+        lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) * 8) +
                                                (1 << 15)) >> 16;
    }
 }
--- a/libavcodec/g723_1.h
+++ b/libavcodec/g723_1.h
@ -55,7 +55,7 @@
 * @param b 16 bit multiplier
 */
 #define MULL2(a, b) \
-        ((((a) >> 16) * (b) << 1) + (((a) & 0xffff) * (b) >> 15))
+        ((((a) >> 16) * (b) * 2) + (((a) & 0xffff) * (b) >> 15))

 /**
 * G723.1 frame types
--- a/libavcodec/g723_1dec.c
+++ b/libavcodec/g723_1dec.c
@ -488,7 +488,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag,
                          (FRAME_LEN - lag) * sizeof(*out));
    } else {  /* Unvoiced */
        for (i = 0; i < FRAME_LEN; i++) {
-            *rseed = *rseed * 521 + 259;
+            *rseed = (int16_t)(*rseed * 521 + 259);
            out[i] = gain * *rseed >> 15;
        }
        memset(buf, 0, (FRAME_LEN + PITCH_MAX) * sizeof(*buf));
@ -517,7 +517,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag,
                      (iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\
        }\
 \
-        (dest)[m] = av_clipl_int32(((src)[m] << 16) + (filter << 3) +\
+        (dest)[m] = av_clipl_int32(((src)[m] * 65536) + (filter * 8) +\
                                   (1 << 15)) >> res_shift;\
    }\
 }
@ -549,7 +549,7 @@ static void gain_scale(G723_1_Context *p, int16_t * buf, int energy)
        denom <<= bits2;

        bits2 = 5 + bits1 - bits2;
-        bits2 = FFMAX(0, bits2);
+        bits2 = av_clip_uintp2(bits2, 5);

        gain = (num >> 1) / (denom >> 16);
        gain = square_root(gain << 16 >> bits2);
@ -664,7 +664,7 @@ static int estimate_sid_gain(G723_1_Context *p)
        t = p->sid_gain << shift;
    else
        t = p->sid_gain >> -shift;
-    x = t * cng_filt[0] >> 16;
+    x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16);

    if (x >= cng_bseg[2])
        return 0x3F;
@ -695,13 +695,13 @@ static int estimate_sid_gain(G723_1_Context *p)
    if (y <= 0) {
        t = seg * 32 + (val + 1 << seg2);
        t = t * t - x;
-        val = (seg2 - 1 << 4) + val;
+        val = (seg2 - 1) * 16 + val;
        if (t >= y)
            val++;
    } else {
        t = seg * 32 + (val - 1 << seg2);
        t = t * t - x;
-        val = (seg2 - 1 << 4) + val;
+        val = (seg2 - 1) * 16 + val;
        if (t >= y)
            val--;
    }
@ -733,7 +733,7 @@ static void generate_noise(G723_1_Context *p)
        off[i * 2 + 1] = ((t >> 1) & 1) + SUBFRAME_LEN;
        t >>= 2;
        for (j = 0; j < 11; j++) {
-            signs[i * 11 + j] = (t & 1) * 2 - 1 << 14;
+            signs[i * 11 + j] = ((t & 1) * 2 - 1)  * (1 << 14);
            t >>= 1;
        }
    }
@ -777,7 +777,7 @@ static void generate_noise(G723_1_Context *p)
        sum = 0;
        if (shift < 0) {
           for (j = 0; j < SUBFRAME_LEN * 2; j++) {
-               t      = vector_ptr[j] << -shift;
+               t      = vector_ptr[j] * (1 << -shift);
               sum   += t * t;
               tmp[j] = t;
           }
@ -815,7 +815,7 @@ static void generate_noise(G723_1_Context *p)
        if (shift < 0)
           x >>= -shift;
        else
-           x <<= shift;
+           x *= 1 << shift;
        x = av_clip(x, -10000, 10000);

        for (j = 0; j < 11; j++) {
@ -904,7 +904,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data,
                                             &p->subframe[i], p->cur_rate);
                /* Get the total excitation */
                for (j = 0; j < SUBFRAME_LEN; j++) {
-                    int v = av_clip_int16(vector_ptr[j] << 1);
+                    int v = av_clip_int16(vector_ptr[j] * 2);
                    vector_ptr[j] = av_clip_int16(v + acb_vector[j]);
                }
                vector_ptr += SUBFRAME_LEN;
--- a/libavcodec/g726.c
+++ b/libavcodec/g726.c
@ -269,7 +269,7 @@ static int16_t g726_decode(G726Context* c, int I)
        c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]);
    c->se >>= 1;

-    return av_clip(re_signal << 2, -0xffff, 0xffff);
+    return av_clip(re_signal * 4, -0xffff, 0xffff);
 }

 static av_cold int g726_reset(G726Context *c)
--- a/libavcodec/get_bits.h
+++ b/libavcodec/get_bits.h
@ -32,6 +32,7 @@
 #include "libavutil/intreadwrite.h"
 #include "libavutil/log.h"
 #include "libavutil/avassert.h"
+#include "avcodec.h"
 #include "mathops.h"
 #include "vlc.h"

@ -428,7 +429,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
    int buffer_size;
    int ret = 0;

-    if (bit_size >= INT_MAX - 7 || bit_size < 0 || !buffer) {
+    if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || bit_size < 0 || !buffer) {
        bit_size    = 0;
        buffer      = NULL;
        ret         = AVERROR_INVALIDDATA;
@ -550,6 +551,7 @@ static inline const uint8_t *align_get_bits(GetBitContext *s)
 * @param max_depth is the number of times bits bits must be read to completely
 *                  read the longest vlc code
 *                  = (max_vlc_length + bits - 1) / bits
+ * @returns the code parsed or -1 if no vlc matches
 */
 static av_always_inline int get_vlc2(GetBitContext *s, VLC_TYPE (*table)[2],
                                     int bits, int max_depth)
--- a/Show more
+++ b/Show more
 @ -1 +1 @@
 .3.git
 .3.9