lavf/mov.c: Avoid heap allocation wraps in mov_read_{senc,saiz}()

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (senc,saiz portions)

Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 36aba43bd5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Changelog

@@ -1,6 +1,151 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 3.2.4:
+- avcodec/h264_slice: Clear ref_counts on redundant slices
+- lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
+- lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
+- avcodec/pictordec: Fix logic error
+- ffserver_config: Setup codecpar in add_codec()
+- Changelog: fix typos
+
+version 3.2.3:
+- avcodec/movtextdec: Fix decode_styl() cleanup
+- lavf/matroskadec: fix is_keyframe for early Blocks
+- configure: bump year
+- avcodec/pngdec: Check trns more completely
+- avcodec/interplayvideo: Move parameter change check up
+- avcodec/dca_lbr: Fix off by 1 error in freq check
+- avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac()
+- pgssubdec: reset rle_data_len/rle_remaining_len on allocation error
+- swscale: save ebx register when it is not available
+- avformat/flacdec: Check avio_read result when reading flac block header.
+- avcodec/utils: correct align value for interplay
+- avcodec/vp56: Check for the bitstream end, pass error codes on
+- avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan()
+- avcodec/pngdec: Fix off by 1 size in decode_zbuf()
+- libopenmpt: add missing avio_read return value check
+- avcodec/bsf: Fix av_bsf_list_free()
+- avcodec/omx: Do not pass negative value into av_malloc()
+- avformat/avidec: skip odml master index chunks in avi_sync
+- avcodec/mjpegdec: Check for rgb before flipping
+- lavf/utils.c Protect against accessing entries[nb_entries]
+- avutil/random_seed: Reduce the time needed on systems with very low precision clock()
+- swscale/swscale: Fix dereference of stride array before null check
+- avutil/random_seed: Improve get_generic_seed() with higher precision clock()
+- avformat/mp3dec: fix msan warning when verifying mpa header
+- avformat/utils: Print verbose error message if stream count exceeds max_streams
+- avformat/options_table: Set the default maximum number of streams to 1000
+- lavf/chromaprint: Update for version 1.4
+- avutil: Add av_image_check_size2()
+- avformat: Add max_streams option
+- avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated
+- avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()
+- avformat/oggdec: Skip streams in duration correction that did not had their duration set.
+- avcodec/ffv1enc: Fix size of first slice
+- ffplay: fix sws_scale possible out of bounds array access
+- avfilter/vf_hwupload_cuda: Add min/max limits for the 'device' option
+
+version 3.2.2:
+- ffserver: Check chunk size
+- Avoid using the term "file" and prefer "url" in some docs and comments
+- avformat/rtmppkt: Check for packet size mismatches
+- zmqsend: Initialize ret to 0
+- avcodec/flacdec: Fix undefined shift in decode_subframe()
+- avcodec/get_bits: Fix get_sbits_long(0)
+- avformat/ffmdec: Check media type for chunks
+- avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
+- avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
+- avformat/oggparsespeex: Check frames_per_packet and packet_size
+- avformat/utils: Check start/end before computing duration in update_stream_timings()
+- avcodec/flac_parser: Update nb_headers_buffered
+- avformat/idroqdec: Check chunk_size for being too large
+- avcodec/me_cmp: Fix median_sad size
+- avformat/utils: Fix type mismatch
+- configure: check for strtoull on msvc
+- http: move chunk handling from http_read_stream() to http_buf_read().
+- http: make length/offset-related variables unsigned
+
+version 3.2.1:
+- avcodec/aac_adtstoasc_bsf: validate and forward extradata if the stream is already ASC
+- mss2: only use error correction for matching block counts
+- softfloat: decrease MIN_EXP to cover full float range
+- libopusdec: default to stereo for invalid number of channels
+- flvdec: require need_context_update when changing codec id
+- pgssubdec: only set w/h/linesize when allocating data
+- sbgdec: prevent NULL pointer access
+- rmdec: validate block alignment
+- smacker: limit recursion depth of smacker_decode_bigtree
+- mxfdec: fix NULL pointer dereference in mxf_read_packet_old
+- ffmdec: validate codec parameters
+- avformat/mpeg: Adjust vid probe threshold to correct mis-detection
+- avcodec/ass_split: Change order of operations in ass_split_section()
+- avcodec/rawdec: check for side data before checking its size
+- avcodec/avpacket: fix leak on realloc in av_packet_add_side_data()
+- avformat/apngenc: use the stream parameters extradata if available
+- Revert "apngdec: use side data to pass extradata to the decoder"
+- ffprobe: fix crash in case -of is specified with an empty string
+- libavcodec/exr : fix channel size calculation for uint32 channel
+- exr: fix out-of-bounds read
+- libschroedingerdec: fix leaking of framewithpts
+- libschroedingerdec: don't produce empty frames
+- dds: limit 4 bpp handling to AV_PIX_FMT_PAL8
+- mlz: limit next_code to data buffer size
+- softfloat: handle -INT_MAX correctly
+- filmstripdec: correctly check image dimensions
+- pnmdec: make sure v is capped by maxval
+- smvjpegdec: make sure cur_frame is not negative
+- icodec: correctly check avio_read return value
+- icodec: fix leaking pkt on error
+- dvbsubdec: fix division by zero in compute_default_clut
+- proresdec_lgpl: explicitly check coff[3] against slice_data_size
+- escape124: reject codebook size 0
+- mpegts: prevent division by zero
+- matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
+- mpegaudio_parser: don't return AVERROR_PATCHWELCOME
+- mxfdec: fix NULL pointer dereference
+- lzf: update pointer p after realloc
+- diracdec: check return code of get_buffer_with_edge
+- diracdec: clear slice_params_num_buf on allocation failure
+- diracdec: use correct buffer for slice_params_buf realloc
+- ppc: pixblockdsp: do unaligned block accesses correctly again
+- avformat: close parser if codec changed
+- fate: add streamcopy test for apng
+- apngdec: use side data to pass extradata to the decoder
+- mov: immediately return from mov_fix_index without old index entries
+- interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE
+- interplayacm: validate number of channels
+- interplayacm: check for too large b
+- doc: fix spelling errors
+- configure: make sure LTO does not optimize out the test functions
+- fate: add apng encoding/muxing test
+- apng: use side data to pass extradata to muxer
+- avcodec/mpeg4videodec: Workaround interlaced mpeg4 edge MC bug
+- avcodec/mpegvideo: Fix edge emu buffer overlap with interlaced mpeg4
+- avcodec/rv40: Test remaining space in loop of get_dimension()
+- avcodec/ituh263dec: Avoid spending a long time in slice sync
+- avcodec/movtextdec: Add error message for tsmb_size check
+- avcodec/movtextdec: Fix tsmb_size check==0 check
+- avcodec/movtextdec: Fix potential integer overflow
+- ffmpeg: Fix bsf corrupting merged side data
+- avcodec/sunrast: Fix input buffer pointer check
+- avcodec/tscc:  Check side data size before use
+- avcodec/rscc: Fix constant
+- avcodec/rawdec: Check side data size before use
+- avcodec/rscc: Check side data size before use
+- avcodec/msvideo1: Check side data size before use
+- avcodec/qpeg:  Check side data size before use
+- avcodec/qtrle:  Check side data size before use
+- avcodec/msrle:  Check side data size before use
+- avcodec/kmvc:  Check side data size before use
+- avcodec/idcinvideo: Check side data size before use
+- avcodec/cinepak: Check side data size before use
+- avcodec/8bps: Check side data size before use
+- avformat/flvdec: Fix regression losing streams
+- avformat/hls: Add missing error check for avcodec_parameters_copy()
+- avformat/hls: Fix probing mpegts audio streams that use probing
+- avformat/hls: Factor copying stream info to a separate function
+
 version 3.2:
 - libopenmpt demuxer
 - tee protocol

RELEASE

@@ -1 +1 @@
-3.0.git
+3.2.4

RELEASE_NOTES

@@ -0,0 +1,15 @@
+
+              ┌────────────────────────────────────────┐
+              │ RELEASE NOTES for FFmpeg 3.2 "Hypatia" │
+              └────────────────────────────────────────┘
+
+   The FFmpeg Project proudly presents FFmpeg 3.2 "Hypatia", about 4
+   months after the release of FFmpeg 3.1.
+
+   A complete Changelog is available at the root of the project, and the
+   complete Git history on http://source.ffmpeg.org.
+
+   We hope you will like this release as much as we enjoyed working on it, and
+   as usual, if you have any questions about it, or any FFmpeg related topic,
+   feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask
+   on the mailing-lists.

configure

@@ -1146,10 +1146,16 @@ check_func_headers(){
         for hdr in $headers; do
             print_include $hdr
         done
+        echo "#include <stdint.h>"
         for func in $funcs; do
             echo "long check_$func(void) { return (long) $func; }"
         done
-        echo "int main(void) { return 0; }"
+        echo "int main(void) { int ret = 0;"
+        # LTO could optimize out the test functions without this
+        for func in $funcs; do
+            echo " ret |= ((intptr_t)check_$func) & 0xFFFF;"
+        done
+        echo "return ret; }"
     } | check_ld "cc" "$@" && enable $funcs && enable_safe $headers
 }
 
@@ -1645,7 +1651,6 @@ CONFIG_LIST="
     $PROGRAM_LIST
     $SUBSYSTEM_LIST
     fontconfig
-    incompatible_libav_abi
     memalign_hack
     memory_poisoning
     neon_clobber_test
@@ -1798,7 +1803,6 @@ HAVE_LIST_CMDLINE="
 HAVE_LIST_PUB="
     bigendian
     fast_unaligned
-    incompatible_libav_abi
 "
 
 HEADERS_LIST="
@@ -6267,6 +6271,7 @@ __declspec($_restrict) void* foo(int);
 EOF
     fi
     check_func strtoll || add_cflags -Dstrtoll=_strtoi64
+    check_func strtoull || add_cflags -Dstrtoull=_strtoui64
     # the new SSA optimzer in VS2015 U3 is mis-optimizing some parts of the code
     # this flag should be re-checked on newer compiler releases and put under a
     # version check once its fixed
@@ -6698,7 +6703,7 @@ cat > $TMPH <<EOF
 #define FFMPEG_CONFIG_H
 #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
 #define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2016
+#define CONFIG_THIS_YEAR 2017
 #define FFMPEG_DATADIR "$(eval c_escape $datadir)"
 #define AVCONV_DATADIR "$(eval c_escape $datadir)"
 #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"

doc/Doxyfile

@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER         =
+PROJECT_NUMBER         = 3.2.4
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a

doc/ffmpeg.texi

@@ -12,7 +12,7 @@
 
 @chapter Synopsis
 
-ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_file}@} ... @{[@var{output_file_options}] @file{output_file}@} ...
+ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_url}@} ... @{[@var{output_file_options}] @file{output_url}@} ...
 
 @chapter Description
 @c man begin DESCRIPTION
@@ -24,10 +24,10 @@ rates and resize video on the fly with a high quality polyphase filter.
 @command{ffmpeg} reads from an arbitrary number of input "files" (which can be regular
 files, pipes, network streams, grabbing devices, etc.), specified by the
 @code{-i} option, and writes to an arbitrary number of output "files", which are
-specified by a plain output filename. Anything found on the command line which
-cannot be interpreted as an option is considered to be an output filename.
+specified by a plain output url. Anything found on the command line which
+cannot be interpreted as an option is considered to be an output url.
 
-Each input or output file can, in principle, contain any number of streams of
+Each input or output url can, in principle, contain any number of streams of
 different types (video/audio/subtitle/attachment/data). The allowed number and/or
 types of streams may be limited by the container format. Selecting which
 streams from which inputs will go into which output is either done automatically
@@ -243,8 +243,8 @@ Force input or output file format. The format is normally auto detected for inpu
 files and guessed from the file extension for output files, so this option is not
 needed in most cases.
 
-@item -i @var{filename} (@emph{input})
-input file name
+@item -i @var{url} (@emph{input})
+input file url
 
 @item -y (@emph{global})
 Overwrite output files without asking.
@@ -281,7 +281,7 @@ libx264, and the 138th audio, which will be encoded with libvorbis.
 When used as an input option (before @code{-i}), limit the @var{duration} of
 data read from the input file.
 
-When used as an output option (before an output filename), stop writing the
+When used as an output option (before an output url), stop writing the
 output after its duration reaches @var{duration}.
 
 @var{duration} must be a time duration specification,
@@ -310,7 +310,7 @@ extra segment between the seek point and @var{position} will be decoded and
 discarded. When doing stream copy or when @option{-noaccurate_seek} is used, it
 will be preserved.
 
-When used as an output option (before an output filename), decodes but discards
+When used as an output option (before an output url), decodes but discards
 input until the timestamps reach @var{position}.
 
 @var{position} must be a time duration specification,
@@ -1129,7 +1129,7 @@ may be reassigned to a different value.
 For example, to set the stream 0 PID to 33 and the stream 1 PID to 36 for
 an output mpegts file:
 @example
-ffmpeg -i infile -streamid 0:33 -streamid 1:36 out.ts
+ffmpeg -i inurl -streamid 0:33 -streamid 1:36 out.ts
 @end example
 
 @item -bsf[:@var{stream_specifier}] @var{bitstream_filters} (@emph{output,per-stream})

doc/ffplay.texi

@@ -12,7 +12,7 @@
 
 @chapter Synopsis
 
-ffplay [@var{options}] [@file{input_file}]
+ffplay [@var{options}] [@file{input_url}]
 
 @chapter Description
 @c man begin DESCRIPTION
@@ -106,8 +106,8 @@ the input audio.
 Use the option "-filters" to show all the available filters (including
 sources and sinks).
 
-@item -i @var{input_file}
-Read @var{input_file}.
+@item -i @var{input_url}
+Read @var{input_url}.
 @end table
 
 @section Advanced options

doc/ffprobe.texi

@@ -12,7 +12,7 @@
 
 @chapter Synopsis
 
-ffprobe [@var{options}] [@file{input_file}]
+ffprobe [@var{options}] [@file{input_url}]
 
 @chapter Description
 @c man begin DESCRIPTION
@@ -24,8 +24,8 @@ For example it can be used to check the format of the container used
 by a multimedia stream and the format and type of each media stream
 contained in it.
 
-If a filename is specified in input, ffprobe will try to open and
-probe the file content. If the file cannot be opened or recognized as
+If a url is specified in input, ffprobe will try to open and
+probe the url content. If the url cannot be opened or recognized as
 a multimedia file, a positive exit code is returned.
 
 ffprobe may be employed both as a standalone application or in
@@ -332,8 +332,8 @@ with name "PIXEL_FORMAT".
 Force bitexact output, useful to produce output which is not dependent
 on the specific build.
 
-@item -i @var{input_file}
-Read @var{input_file}.
+@item -i @var{input_url}
+Read @var{input_url}.
 
 @end table
 @c man end

doc/filters.texi

@@ -9665,7 +9665,7 @@ Scene change detection method. Scene change leads motion vectors to be in random
 @item none
 Disable scene change detection.
 @item fdiff
-Frame difference. Corresponding pixel values are compared and if it statisfies @var{scd_threshold} scene change is detected.
+Frame difference. Corresponding pixel values are compared and if it satisfies @var{scd_threshold} scene change is detected.
 @end table
 Default method is @samp{fdiff}.
 

doc/formats.texi

@@ -63,7 +63,7 @@ This ensures that file and data checksums are reproducible and match between
 platforms. Its primary use is for regression testing.
 @item shortest
 Stop muxing at the end of the shortest stream.
-It may be needed to increase max_interleave_delta to avoid flusing the longer
+It may be needed to increase max_interleave_delta to avoid flushing the longer
 streams before EOF.
 @end table
 
@@ -209,6 +209,10 @@ For example to separate the fields with newlines and indention:
 ffprobe -dump_separator "
                           "  -i ~/videos/matrixbench_mpeg2.mpg
 @end example
+
+@item max_streams @var{integer} (@emph{input})
+Specifies the maximum number of streams. This can be used to reject files that
+would require too many resources due to a large number of streams.
 @end table
 
 @c man end FORMAT OPTIONS

ffmpeg.c

@@ -789,6 +789,7 @@ static void output_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost)
     if (ost->nb_bitstream_filters) {
         int idx;
 
+        av_packet_split_side_data(pkt);
         ret = av_bsf_send_packet(ost->bsf_ctx[0], pkt);
         if (ret < 0)
             goto finish;

ffmpeg_opt.c

@@ -3108,8 +3108,8 @@ enum OptGroup {
 };
 
 static const OptionGroupDef groups[] = {
-    [GROUP_OUTFILE] = { "output file",  NULL, OPT_OUTPUT },
-    [GROUP_INFILE]  = { "input file",   "i",  OPT_INPUT },
+    [GROUP_OUTFILE] = { "output url",  NULL, OPT_OUTPUT },
+    [GROUP_INFILE]  = { "input url",   "i",  OPT_INPUT },
 };
 
 static int open_files(OptionGroupList *l, const char *inout,

ffplay.c

@@ -874,11 +874,11 @@ static int upload_texture(SDL_Texture *tex, AVFrame *frame, struct SwsContext **
                 frame->width, frame->height, frame->format, frame->width, frame->height,
                 AV_PIX_FMT_BGRA, sws_flags, NULL, NULL, NULL);
             if (*img_convert_ctx != NULL) {
-                uint8_t *pixels;
-                int pitch;
-                if (!SDL_LockTexture(tex, NULL, (void **)&pixels, &pitch)) {
+                uint8_t *pixels[4];
+                int pitch[4];
+                if (!SDL_LockTexture(tex, NULL, (void **)pixels, pitch)) {
                     sws_scale(*img_convert_ctx, (const uint8_t * const *)frame->data, frame->linesize,
-                              0, frame->height, &pixels, &pitch);
+                              0, frame->height, pixels, pitch);
                     SDL_UnlockTexture(tex);
                 }
             } else {
@@ -904,8 +904,8 @@ static void video_image_display(VideoState *is)
 
                 if (vp->pts >= sp->pts + ((float) sp->sub.start_display_time / 1000)) {
                     if (!sp->uploaded) {
-                        uint8_t *pixels;
-                        int pitch;
+                        uint8_t* pixels[4];
+                        int pitch[4];
                         int i;
                         if (!sp->width || !sp->height) {
                             sp->width = vp->width;
@@ -930,9 +930,9 @@ static void video_image_display(VideoState *is)
                                 av_log(NULL, AV_LOG_FATAL, "Cannot initialize the conversion context\n");
                                 return;
                             }
-                            if (!SDL_LockTexture(is->sub_texture, (SDL_Rect *)sub_rect, (void **)&pixels, &pitch)) {
+                            if (!SDL_LockTexture(is->sub_texture, (SDL_Rect *)sub_rect, (void **)pixels, pitch)) {
                                 sws_scale(is->sub_convert_ctx, (const uint8_t * const *)sub_rect->data, sub_rect->linesize,
-                                          0, sub_rect->h, &pixels, &pitch);
+                                          0, sub_rect->h, pixels, pitch);
                                 SDL_UnlockTexture(is->sub_texture);
                             }
                         }

ffprobe.c

@@ -3311,6 +3311,12 @@ int main(int argc, char **argv)
         goto end;
     }
     w_name = av_strtok(print_format, "=", &buf);
+    if (!w_name) {
+        av_log(NULL, AV_LOG_ERROR,
+               "No name specified for the output format\n");
+        ret = AVERROR(EINVAL);
+        goto end;
+    }
     w_args = buf;
 
     if (show_data_hash) {

ffserver.c

@@ -2702,8 +2702,10 @@ static int http_receive_data(HTTPContext *c)
         } else if (c->buffer_ptr - c->buffer >= 2 &&
                    !memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
             c->chunk_size = strtol(c->buffer, 0, 16);
-            if (c->chunk_size == 0) // end of stream
+            if (c->chunk_size <= 0) { // end of stream or invalid chunk size
+                c->chunk_size = 0;
                 goto fail;
+            }
             c->buffer_ptr = c->buffer;
             break;
         } else if (++loop_run > 10)
@@ -2725,6 +2727,7 @@ static int http_receive_data(HTTPContext *c)
             /* end of connection : close it */
             goto fail;
         else {
+            av_assert0(len <= c->chunk_size);
             c->chunk_size -= len;
             c->buffer_ptr += len;
             c->data_count += len;

ffserver_config.c

@@ -323,6 +323,8 @@ done:
     av_dict_free(&recommended);
     av_stream_set_recommended_encoder_configuration(st, enc_config);
     st->codec = av;
+    st->codecpar = avcodec_parameters_alloc();
+    avcodec_parameters_from_context(st->codecpar, av);
     stream->streams[stream->nb_streams++] = st;
 }
 

libavcodec/4xm.c

@@ -532,7 +532,7 @@ static int decode_i_block(FourXContext *f, int16_t *block)
             }
             i    += code >> 4;
             if (i >= 64) {
-                av_log(f->avctx, AV_LOG_ERROR, "run %d oveflow\n", i);
+                av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i);
                 return 0;
             }
 

libavcodec/8bps.c

@@ -122,12 +122,15 @@ static int decode_frame(AVCodecContext *avctx, void *data,
     }
 
     if (avctx->bits_per_coded_sample <= 8) {
+        int size;
         const uint8_t *pal = av_packet_get_side_data(avpkt,
                                                      AV_PKT_DATA_PALETTE,
-                                                     NULL);
-        if (pal) {
+                                                     &size);
+        if (pal && size == AVPALETTE_SIZE) {
             frame->palette_has_changed = 1;
             memcpy(c->pal, pal, AVPALETTE_SIZE);
+        } else if (pal) {
+            av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size);
         }
 
         memcpy (frame->data[1], c->pal, AVPALETTE_SIZE);

libavcodec/aac_adtstoasc_bsf.c

@@ -136,8 +136,16 @@ fail:
 
 static int aac_adtstoasc_init(AVBSFContext *ctx)
 {
-    av_freep(&ctx->par_out->extradata);
-    ctx->par_out->extradata_size = 0;
+    /* Validate the extradata if the stream is already MPEG-4 AudioSpecificConfig */
+    if (ctx->par_in->extradata) {
+        MPEG4AudioConfig mp4ac;
+        int ret = avpriv_mpeg4audio_get_config(&mp4ac, ctx->par_in->extradata,
+                                               ctx->par_in->extradata_size * 8, 1);
+        if (ret < 0) {
+            av_log(ctx, AV_LOG_ERROR, "Error parsing AudioSpecificConfig extradata!\n");
+            return ret;
+        }
+    }
 
     return 0;
 }

libavcodec/ass_split.c

@@ -275,7 +275,7 @@ static const char *ass_split_section(ASSSplitContext *ctx, const char *buf)
         }
         if (section->format_header && !order) {
             len = strlen(section->format_header);
-            if (buf[len] == ':' && !strncmp(buf, section->format_header, len)) {
+            if (!strncmp(buf, section->format_header, len) && buf[len] == ':') {
                 buf += len + 1;
                 while (!is_eol(*buf)) {
                     buf = skip_space(buf);

libavcodec/avcodec.h

@@ -2878,6 +2878,7 @@ typedef struct AVCodecContext {
 #define FF_BUG_DC_CLIP          4096
 #define FF_BUG_MS               8192 ///< Work around various bugs in Microsoft's broken decoders.
 #define FF_BUG_TRUNCATED       16384
+#define FF_BUG_IEDGE           32768
 
     /**
      * strictly follow the standard (MPEG-4, ...).
@@ -5566,15 +5567,8 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_2(enum AVPixelFormat dst_pix_fmt
                                             enum AVPixelFormat src_pix_fmt, int has_alpha, int *loss_ptr);
 
 attribute_deprecated
-#if AV_HAVE_INCOMPATIBLE_LIBAV_ABI
-enum AVPixelFormat avcodec_find_best_pix_fmt2(const enum AVPixelFormat *pix_fmt_list,
-                                              enum AVPixelFormat src_pix_fmt,
-                                              int has_alpha, int *loss_ptr);
-#else
 enum AVPixelFormat avcodec_find_best_pix_fmt2(enum AVPixelFormat dst_pix_fmt1, enum AVPixelFormat dst_pix_fmt2,
                                             enum AVPixelFormat src_pix_fmt, int has_alpha, int *loss_ptr);
-#endif
-
 
 enum AVPixelFormat avcodec_default_get_format(struct AVCodecContext *s, const enum AVPixelFormat * fmt);
 

libavcodec/avpacket.c

@@ -295,16 +295,17 @@ FF_ENABLE_DEPRECATION_WARNINGS
 int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type,
                             uint8_t *data, size_t size)
 {
+    AVPacketSideData *tmp;
     int elems = pkt->side_data_elems;
 
     if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data))
         return AVERROR(ERANGE);
 
-    pkt->side_data = av_realloc(pkt->side_data,
-                                (elems + 1) * sizeof(*pkt->side_data));
-    if (!pkt->side_data)
+    tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp));
+    if (!tmp)
         return AVERROR(ENOMEM);
 
+    pkt->side_data = tmp;
     pkt->side_data[elems].data = data;
     pkt->side_data[elems].size = size;
     pkt->side_data[elems].type = type;

libavcodec/bsf.c

@@ -403,7 +403,7 @@ void av_bsf_list_free(AVBSFList **lst)
 {
     int i;
 
-    if (*lst)
+    if (!*lst)
         return;
 
     for (i = 0; i < (*lst)->nb_bsfs; ++i)

libavcodec/cinepak.c

@@ -443,10 +443,13 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
         return ret;
 
     if (s->palette_video) {
-        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
-        if (pal) {
+        int size;
+        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size);
+        if (pal && size == AVPALETTE_SIZE) {
             s->frame->palette_has_changed = 1;
             memcpy(s->pal, pal, AVPALETTE_SIZE);
+        } else if (pal) {
+            av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size);
         }
     }
 

libavcodec/dca_lbr.c

@@ -310,7 +310,7 @@ static int parse_tonal(DCALbrDecoder *s, int group)
                 break;  // End of subframe
 
             freq += diff - 2;
-            if (freq >> (5 - group) > s->nsubbands * 4 - 5) {
+            if (freq >> (5 - group) > s->nsubbands * 4 - 6) {
                 av_log(s->avctx, AV_LOG_ERROR, "Invalid spectral line offset\n");
                 return -1;
             }

libavcodec/dds.c

@@ -680,7 +680,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
         /* Use the decompress function on the texture, one block per thread. */
         ctx->tex_data = gbc->buffer;
         avctx->execute2(avctx, decompress_texture_thread, frame, NULL, ctx->slice_count);
-    } else if (!ctx->paletted && ctx->bpp == 4) {
+    } else if (!ctx->paletted && ctx->bpp == 4 && avctx->pix_fmt == AV_PIX_FMT_PAL8) {
         uint8_t *dst = frame->data[0];
         int x, y, i;
 

libavcodec/diracdec.c

@@ -907,9 +907,10 @@ static int decode_lowdelay(DiracContext *s)
     int slice_num = 0;
 
     if (s->slice_params_num_buf != (s->num_x * s->num_y)) {
-        s->slice_params_buf = av_realloc_f(s->thread_buf, s->num_x * s->num_y, sizeof(DiracSlice));
+        s->slice_params_buf = av_realloc_f(s->slice_params_buf, s->num_x * s->num_y, sizeof(DiracSlice));
         if (!s->slice_params_buf) {
             av_log(s->avctx, AV_LOG_ERROR, "slice params buffer allocation failure\n");
+            s->slice_params_num_buf = 0;
             return AVERROR(ENOMEM);
         }
         s->slice_params_num_buf = s->num_x * s->num_y;
@@ -1974,7 +1975,9 @@ static int dirac_decode_picture_header(DiracContext *s)
             for (j = 0; j < MAX_FRAMES; j++)
                 if (!s->all_frames[j].avframe->data[0]) {
                     s->ref_pics[i] = &s->all_frames[j];
-                    get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF);
+                    ret = get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF);
+                    if (ret < 0)
+                        return ret;
                     break;
                 }
 

libavcodec/dvbsubdec.c

@@ -810,7 +810,7 @@ static void compute_default_clut(AVSubtitleRect *rect, int w, int h)
         list_inv[     i ] = bestv;
     }
 
-    count = i - 1;
+    count = FFMAX(i - 1, 1);
     for (i--; i>=0; i--) {
         int v = i*255/count;
         AV_WN32(rect->data[1] + 4*list_inv[i], RGBA(v/2,v,v/2,v));

libavcodec/escape124.c

@@ -249,6 +249,10 @@ static int escape124_decode_frame(AVCodecContext *avctx,
                 // This codebook can be cut off at places other than
                 // powers of 2, leaving some of the entries undefined.
                 cb_size = get_bits_long(&gb, 20);
+                if (!cb_size) {
+                    av_log(avctx, AV_LOG_ERROR, "Invalid codebook size 0.\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 cb_depth = av_log2(cb_size - 1) + 1;
             } else {
                 cb_depth = get_bits(&gb, 4);

libavcodec/exr.c

@@ -1428,8 +1428,7 @@ static int decode_header(EXRContext *s)
                     return AVERROR_PATCHWELCOME;
                 }
 
-                if (s->channel_offsets[channel_index] == -1){/* channel have not been previously assign */
-                    if (channel_index >= 0) {
+                if (channel_index >= 0 && s->channel_offsets[channel_index] == -1) { /* channel has not been previously assigned */
                         if (s->pixel_type != EXR_UNKNOWN &&
                             s->pixel_type != current_pixel_type) {
                             av_log(s->avctx, AV_LOG_ERROR,
@@ -1438,7 +1437,6 @@ static int decode_header(EXRContext *s)
                         }
                         s->pixel_type                     = current_pixel_type;
                         s->channel_offsets[channel_index] = s->current_channel_offset;
-                    }
                 }
 
                 s->channels = av_realloc(s->channels,
@@ -1450,7 +1448,11 @@ static int decode_header(EXRContext *s)
                 channel->xsub       = xsub;
                 channel->ysub       = ysub;
 
-                s->current_channel_offset += 1 << current_pixel_type;
+                if (current_pixel_type == EXR_HALF) {
+                    s->current_channel_offset += 2;
+                } else {/* Float or UINT32 */
+                    s->current_channel_offset += 4;
+                }
             }
 
             /* Check if all channels are set with an offset or if the channels

libavcodec/ffv1enc.c

@@ -1089,7 +1089,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
     FFV1Context *f      = avctx->priv_data;
     RangeCoder *const c = &f->slice_context[0]->c;
     AVFrame *const p    = f->picture.f;
-    int used_count      = 0;
     uint8_t keystate    = 128;
     uint8_t *buf_p;
     int i, ret;
@@ -1145,6 +1144,11 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
     if (f->version > 3)
         maxsize = AV_INPUT_BUFFER_MIN_SIZE + avctx->width*avctx->height*3LL*4;
 
+    if (maxsize > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32) {
+        av_log(avctx, AV_LOG_WARNING, "Cannot allocate worst case packet size, the encoding could fail\n");
+        maxsize = INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32;
+    }
+
     if ((ret = ff_alloc_packet2(avctx, pkt, maxsize, 0)) < 0)
         return ret;
 
@@ -1178,11 +1182,17 @@ FF_ENABLE_DEPRECATION_WARNINGS
         }
     }
 
-    for (i = 1; i < f->slice_count; i++) {
+    for (i = 0; i < f->slice_count; i++) {
         FFV1Context *fs = f->slice_context[i];
-        uint8_t *start  = pkt->data + (pkt->size - used_count) * (int64_t)i / f->slice_count;
+        uint8_t *start  = pkt->data + pkt->size * (int64_t)i / f->slice_count;
         int len         = pkt->size / f->slice_count;
-        ff_init_range_encoder(&fs->c, start, len);
+        if (i) {
+            ff_init_range_encoder(&fs->c, start, len);
+        } else {
+            av_assert0(fs->c.bytestream_end >= fs->c.bytestream_start + len);
+            av_assert0(fs->c.bytestream < fs->c.bytestream_start + len);
+            fs->c.bytestream_end = fs->c.bytestream_start + len;
+        }
     }
     avctx->execute(avctx, encode_slice, &f->slice_context[0], NULL,
                    f->slice_count, sizeof(void *));

libavcodec/flac_parser.c

@@ -586,10 +586,12 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx,
             temp = curr->next;
             av_freep(&curr->link_penalty);
             av_free(curr);
+            fpc->nb_headers_buffered--;
         }
         fpc->headers = fpc->best_header->next;
         av_freep(&fpc->best_header->link_penalty);
         av_freep(&fpc->best_header);
+        fpc->nb_headers_buffered--;
     }
 
     /* Find and score new headers.                                     */

libavcodec/flacdec.c

@@ -268,7 +268,8 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded,
                                  int pred_order, int bps)
 {
     const int blocksize = s->blocksize;
-    int av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d), i;
+    unsigned av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d);
+    int i;
     int ret;
 
     /* warm up samples */
@@ -447,7 +448,7 @@ static inline int decode_subframe(FLACContext *s, int channel)
     if (wasted) {
         int i;
         for (i = 0; i < s->blocksize; i++)
-            decoded[i] <<= wasted;
+            decoded[i] = (unsigned)decoded[i] << wasted;
     }
 
     return 0;

libavcodec/flacdsp_template.c

@@ -56,7 +56,7 @@ static void FUNC(flac_decorrelate_indep_c)(uint8_t **out, int32_t **in,
 
     for (j = 0; j < len; j++)
         for (i = 0; i < channels; i++)
-            S(samples, i, j) = in[i][j] << shift;
+            S(samples, i, j) = (int)((unsigned)in[i][j] << shift);
 }
 
 static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in,

libavcodec/get_bits.h

@@ -369,6 +369,10 @@ static inline uint64_t get_bits64(GetBitContext *s, int n)
  */
 static inline int get_sbits_long(GetBitContext *s, int n)
 {
+    // sign_extend(x, 0) is undefined
+    if (!n)
+        return 0;
+
     return sign_extend(get_bits_long(s, n), n);
 }
 

libavcodec/h264_slice.c

@@ -1771,8 +1771,10 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl,
         return ret;
 
     // discard redundant pictures
-    if (sl->redundant_pic_count > 0)
+    if (sl->redundant_pic_count > 0) {
+        sl->ref_count[0] = sl->ref_count[1] = 0;
         return 0;
+    }
 
     if (sl->first_mb_addr == 0 || !h->current_slice) {
         if (h->setup_finished) {

libavcodec/idcinvideo.c

@@ -214,7 +214,8 @@ static int idcin_decode_frame(AVCodecContext *avctx,
     const uint8_t *buf = avpkt->data;
     int buf_size = avpkt->size;
     IdcinContext *s = avctx->priv_data;
-    const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
+    int pal_size;
+    const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size);
     AVFrame *frame = data;
     int ret;
 
@@ -227,9 +228,11 @@ static int idcin_decode_frame(AVCodecContext *avctx,
     if (idcin_decode_vlcs(s, frame))
         return AVERROR_INVALIDDATA;
 
-    if (pal) {
+    if (pal && pal_size == AVPALETTE_SIZE) {
         frame->palette_has_changed = 1;
         memcpy(s->pal, pal, AVPALETTE_SIZE);
+    } else if (pal) {
+        av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size);
     }
     /* make the palette available on the way out */
     memcpy(frame->data[1], s->pal, AVPALETTE_SIZE);

libavcodec/imgconvert.c

@@ -57,19 +57,11 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_2(enum AVPixelFormat dst_pix_fmt
     return av_find_best_pix_fmt_of_2(dst_pix_fmt1, dst_pix_fmt2, src_pix_fmt, has_alpha, loss_ptr);
 }
 
-#if AV_HAVE_INCOMPATIBLE_LIBAV_ABI
-enum AVPixelFormat avcodec_find_best_pix_fmt2(const enum AVPixelFormat *pix_fmt_list,
-                                            enum AVPixelFormat src_pix_fmt,
-                                            int has_alpha, int *loss_ptr){
-    return avcodec_find_best_pix_fmt_of_list(pix_fmt_list, src_pix_fmt, has_alpha, loss_ptr);
-}
-#else
 enum AVPixelFormat avcodec_find_best_pix_fmt2(enum AVPixelFormat dst_pix_fmt1, enum AVPixelFormat dst_pix_fmt2,
                                             enum AVPixelFormat src_pix_fmt, int has_alpha, int *loss_ptr)
 {
     return avcodec_find_best_pix_fmt_of_2(dst_pix_fmt1, dst_pix_fmt2, src_pix_fmt, has_alpha, loss_ptr);
 }
-#endif
 
 enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *pix_fmt_list,
                                             enum AVPixelFormat src_pix_fmt,

libavcodec/interplayacm.c

@@ -62,6 +62,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
     if (avctx->extradata_size < 14)
         return AVERROR_INVALIDDATA;
 
+    if (avctx->channels <= 0) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid number of channels: %d\n", avctx->channels);
+        return AVERROR_INVALIDDATA;
+    }
+
     s->level = AV_RL16(avctx->extradata + 12) & 0xf;
     s->rows  = AV_RL16(avctx->extradata + 12) >>  4;
     s->cols  = 1 << s->level;
@@ -72,7 +77,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     s->block   = av_calloc(s->block_len, sizeof(int));
     s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int));
     s->ampbuf  = av_calloc(0x10000, sizeof(int));
-    s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream));
+    s->bitstream = av_calloc(s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, sizeof(*s->bitstream));
     if (!s->block || !s->wrapbuf || !s->ampbuf || !s->bitstream)
         return AVERROR(ENOMEM);
 
@@ -326,6 +331,10 @@ static int t15(InterplayACMContext *s, unsigned ind, unsigned col)
     for (i = 0; i < s->rows; i++) {
         /* b = (x1) + (x2 * 3) + (x3 * 9) */
         b = get_bits(gb, 5);
+        if (b > 26) {
+            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b);
+            return AVERROR_INVALIDDATA;
+        }
 
         n1 =  (mul_3x3[b] & 0x0F) - 1;
         n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1;
@@ -351,6 +360,10 @@ static int t27(InterplayACMContext *s, unsigned ind, unsigned col)
     for (i = 0; i < s->rows; i++) {
         /* b = (x1) + (x2 * 5) + (x3 * 25) */
         b = get_bits(gb, 7);
+        if (b > 124) {
+            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b);
+            return AVERROR_INVALIDDATA;
+        }
 
         n1 =  (mul_3x5[b] & 0x0F) - 2;
         n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2;
@@ -375,6 +388,10 @@ static int t37(InterplayACMContext *s, unsigned ind, unsigned col)
     for (i = 0; i < s->rows; i++) {
         /* b = (x1) + (x2 * 11) */
         b = get_bits(gb, 7);
+        if (b > 120) {
+            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b);
+            return AVERROR_INVALIDDATA;
+        }
 
         n1 =  (mul_2x11[b] & 0x0F) - 5;
         n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5;

libavcodec/interplayvideo.c

@@ -989,6 +989,11 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
     AVFrame *frame = data;
     int ret;
 
+    if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) {
+        av_frame_unref(s->last_frame);
+        av_frame_unref(s->second_last_frame);
+    }
+
     if (buf_size < 2)
         return AVERROR_INVALIDDATA;
 
@@ -1000,10 +1005,6 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
     if (buf_size < s->decoding_map_size + 2)
         return buf_size;
 
-    if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) {
-        av_frame_unref(s->last_frame);
-        av_frame_unref(s->second_last_frame);
-    }
 
     s->decoding_map = buf + 2;
     bytestream2_init(&s->stream_ptr, buf + 2 + s->decoding_map_size,

libavcodec/ituh263dec.c

@@ -167,6 +167,7 @@ static int h263_decode_gob_header(MpegEncContext *s)
         /* We have a GBSC probably with GSTUFF */
     skip_bits(&s->gb, 16); /* Drop the zeros */
     left= get_bits_left(&s->gb);
+    left = FFMIN(left, 32);
     //MN: we must check the bits left or we might end in an infinite loop (or segfault)
     for(;left>13; left--){
         if(get_bits1(&s->gb)) break; /* Seek the '1' bit */

libavcodec/kmvc.c

@@ -268,7 +268,8 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame,
     int i, ret;
     int header;
     int blocksize;
-    const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
+    int pal_size;
+    const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size);
 
     bytestream2_init(&ctx->g, avpkt->data, avpkt->size);
 
@@ -303,9 +304,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame,
         }
     }
 
-    if (pal) {
+    if (pal && pal_size == AVPALETTE_SIZE) {
         frame->palette_has_changed = 1;
         memcpy(ctx->pal, pal, AVPALETTE_SIZE);
+    } else if (pal) {
+        av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size);
     }
 
     if (ctx->setpal) {

libavcodec/libopusdec.c

@@ -47,6 +47,13 @@ static av_cold int libopus_decode_init(AVCodecContext *avc)
     int ret, channel_map = 0, gain_db = 0, nb_streams, nb_coupled;
     uint8_t mapping_arr[8] = { 0, 1 }, *mapping;
 
+    avc->channels = avc->extradata_size >= 10 ? avc->extradata[9] : (avc->channels == 1) ? 1 : 2;
+    if (avc->channels <= 0) {
+        av_log(avc, AV_LOG_WARNING,
+               "Invalid number of channels %d, defaulting to stereo\n", avc->channels);
+        avc->channels = 2;
+    }
+
     avc->sample_rate    = 48000;
     avc->sample_fmt     = avc->request_sample_fmt == AV_SAMPLE_FMT_FLT ?
                           AV_SAMPLE_FMT_FLT : AV_SAMPLE_FMT_S16;

libavcodec/libschroedingerdec.c

@@ -218,6 +218,7 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx,
     int outer = 1;
     SchroParseUnitContext parse_ctx;
     LibSchroFrameContext *framewithpts = NULL;
+    int ret;
 
     *got_frame = 0;
 
@@ -307,11 +308,10 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx,
     /* Grab next frame to be returned from the top of the queue. */
     framewithpts = ff_schro_queue_pop(&p_schro_params->dec_frame_queue);
 
-    if (framewithpts && framewithpts->frame) {
-        int ret;
+    if (framewithpts && framewithpts->frame && framewithpts->frame->components[0].stride) {
 
         if ((ret = ff_get_buffer(avctx, avframe, 0)) < 0)
-            return ret;
+            goto end;
 
         memcpy(avframe->data[0],
                framewithpts->frame->components[0].data,
@@ -337,15 +337,17 @@ FF_ENABLE_DEPRECATION_WARNINGS
         avframe->linesize[2] = framewithpts->frame->components[2].stride;
 
         *got_frame      = 1;
-
-        /* Now free the frame resources. */
-        libschroedinger_decode_frame_free(framewithpts->frame);
-        av_free(framewithpts);
     } else {
         data       = NULL;
         *got_frame = 0;
     }
-    return buf_size;
+    ret = buf_size;
+end:
+    /* Now free the frame resources. */
+    if (framewithpts && framewithpts->frame)
+        libschroedinger_decode_frame_free(framewithpts->frame);
+    av_freep(&framewithpts);
+    return ret;
 }
 
 

libavcodec/lzf.c

@@ -53,6 +53,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
                 ret = av_reallocp(buf, *size);
                 if (ret < 0)
                     return ret;
+                p = *buf + len;
             }
 
             bytestream2_get_buffer(gb, p, s);
@@ -75,6 +76,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
                 ret = av_reallocp(buf, *size);
                 if (ret < 0)
                     return ret;
+                p = *buf + len;
             }
 
             av_memcpy_backptr(p, off, l);

libavcodec/me_cmp.h

@@ -76,7 +76,7 @@ typedef struct MECmpContext {
     me_cmp_func frame_skip_cmp[6]; // only width 8 used
 
     me_cmp_func pix_abs[2][4];
-    me_cmp_func median_sad[2];
+    me_cmp_func median_sad[6];
 } MECmpContext;
 
 void ff_me_cmp_init_static(void);

libavcodec/mjpegdec.c

@@ -1082,6 +1082,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
 
     for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
         for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
+            if (get_bits_left(&s->gb) < 1) {
+                av_log(s->avctx, AV_LOG_ERROR, "bitstream end in yuv_scan\n");
+                return AVERROR_INVALIDDATA;
+            }
             if (s->restart_interval && !s->restart_count){
                 s->restart_count = s->restart_interval;
                 resync_mb_x = mb_x;
@@ -1393,6 +1397,10 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
         int block_idx    = mb_y * s->block_stride[c];
         int16_t (*block)[64] = &s->blocks[c][block_idx];
         uint8_t *last_nnz    = &s->last_nnz[c][block_idx];
+        if (get_bits_left(&s->gb) <= 0) {
+            av_log(s->avctx, AV_LOG_ERROR, "bitstream truncated in mjpeg_decode_scan_progressive_ac\n");
+            return AVERROR_INVALIDDATA;
+        }
         for (mb_x = 0; mb_x < s->mb_width; mb_x++, block++, last_nnz++) {
                 int ret;
                 if (s->restart_interval && !s->restart_count)
@@ -2386,7 +2394,7 @@ the_end:
             }
         }
     }
-    if (s->flipped) {
+    if (s->flipped && !s->rgb) {
         int j;
         avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift);
         av_assert0(s->nb_components == av_pix_fmt_count_planes(s->picture_ptr->format));

libavcodec/mlz.c

@@ -166,6 +166,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
                         }
                         output_chars += ret;
                         set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
+                        if (mlz->next_code >= TABLE_SIZE - 1) {
+                            av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n");
+                            return output_chars;
+                        }
                         mlz->next_code++;
                     } else {
                         int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
@@ -177,6 +181,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
                         if (output_chars <= size && !mlz->freeze_flag) {
                             if (last_string_code != -1) {
                                 set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
+                                if (mlz->next_code >= TABLE_SIZE - 1) {
+                                    av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n");
+                                    return output_chars;
+                                }
                                 mlz->next_code++;
                             }
                         } else {

libavcodec/movtextdec.c

@@ -116,6 +116,8 @@ static void mov_text_cleanup(MovTextContext *m)
             av_freep(&m->s[i]);
         }
         av_freep(&m->s);
+        m->count_s = 0;
+        m->style_entries = 0;
     }
 }
 
@@ -279,12 +281,14 @@ static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt)
 static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt)
 {
     int i;
-    m->style_entries = AV_RB16(tsmb);
+    int style_entries = AV_RB16(tsmb);
     tsmb += 2;
     // A single style record is of length 12 bytes.
-    if (m->tracksize + m->size_var + 2 + m->style_entries * 12 > avpkt->size)
+    if (m->tracksize + m->size_var + 2 + style_entries * 12 > avpkt->size)
         return -1;
 
+    m->style_entries = style_entries;
+
     m->box_flags |= STYL_BOX;
     for(i = 0; i < m->style_entries; i++) {
         m->s_temp = av_malloc(sizeof(*m->s_temp));
@@ -471,10 +475,6 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
             tsmb_type = AV_RB32(tsmb);
             tsmb += 4;
 
-            if (tsmb_size == 0) {
-              return AVERROR_INVALIDDATA;
-            }
-
             if (tsmb_size == 1) {
                 if (m->tracksize + 16 > avpkt->size)
                     break;
@@ -485,7 +485,12 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
                 m->size_var = 8;
             //size_var is equal to 8 or 16 depending on the size of box
 
-            if (m->tracksize + tsmb_size > avpkt->size)
+            if (tsmb_size == 0) {
+                av_log(avctx, AV_LOG_ERROR, "tsmb_size is 0\n");
+                return AVERROR_INVALIDDATA;
+            }
+
+            if (tsmb_size > avpkt->size - m->tracksize)
                 break;
 
             for (size_t i = 0; i < box_count; i++) {

libavcodec/mpeg4videodec.c

@@ -315,13 +315,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
         min_ab = FFMIN(alpha, beta);
         w3     = w2 >> min_ab;
         h3     = h2 >> min_ab;
-        s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + beta + rho - min_ab)) +
+        s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) +
                                  (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
                                  h3 * (-vop_ref[0][0]) +
                                  (-r * sprite_ref[0][0] + virtual_ref[1][0]) *
                                  w3 * (-vop_ref[0][1]) +
                                  (1 << (alpha + beta + rho - min_ab - 1));
-        s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + beta + rho - min_ab)) +
+        s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) +
                                  (-r * sprite_ref[0][1] + virtual_ref[0][1]) *
                                  h3 * (-vop_ref[0][0]) +
                                  (-r * sprite_ref[0][1] + virtual_ref[1][1]) *
@@ -368,10 +368,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
         int shift_y = 16 - ctx->sprite_shift[0];
         int shift_c = 16 - ctx->sprite_shift[1];
         for (i = 0; i < 2; i++) {
-            s->sprite_offset[0][i] <<= shift_y;
-            s->sprite_offset[1][i] <<= shift_c;
-            s->sprite_delta[0][i]  <<= shift_y;
-            s->sprite_delta[1][i]  <<= shift_y;
+            s->sprite_offset[0][i] *= 1 << shift_y;
+            s->sprite_offset[1][i] *= 1 << shift_c;
+            s->sprite_delta[0][i]  *= 1 << shift_y;
+            s->sprite_delta[1][i]  *= 1 << shift_y;
             ctx->sprite_shift[i]     = 16;
         }
         s->real_sprite_warping_points = ctx->num_sprite_warping_points;
@@ -2195,6 +2195,13 @@ int ff_mpeg4_workaround_bugs(AVCodecContext *avctx)
         if (ctx->lavc_build <= 4712U)
             s->workaround_bugs |= FF_BUG_DC_CLIP;
 
+        if ((ctx->lavc_build&0xFF) >= 100) {
+            if (ctx->lavc_build > 3621476 && ctx->lavc_build < 3752552 &&
+               (ctx->lavc_build < 3752037 || ctx->lavc_build > 3752191) // 3.2.1+
+            )
+                s->workaround_bugs |= FF_BUG_IEDGE;
+        }
+
         if (ctx->divx_version >= 0)
             s->workaround_bugs |= FF_BUG_DIRECT_BLOCKSIZE;
         if (ctx->divx_version == 501 && ctx->divx_build == 20020416)

libavcodec/mpegaudio_parser.c

@@ -98,7 +98,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
                     } else if (codec_id == AV_CODEC_ID_MP3ADU) {
                         avpriv_report_missing_feature(avctx,
                             "MP3ADU full parser");
-                        return AVERROR_PATCHWELCOME;
+                        return 0; /* parsers must not return error codes */
                     }
 
                     break;

libavcodec/mpegpicture.c

@@ -76,7 +76,7 @@ int ff_mpeg_framesize_alloc(AVCodecContext *avctx, MotionEstContext *me,
     // at uvlinesize. It supports only YUV420 so 24x24 is enough
     // linesize * interlaced * MBsize
     // we also use this buffer for encoding in encode_mb_internal() needig an additional 32 lines
-    FF_ALLOCZ_ARRAY_OR_GOTO(avctx, sc->edge_emu_buffer, alloc_size, 4 * 68,
+    FF_ALLOCZ_ARRAY_OR_GOTO(avctx, sc->edge_emu_buffer, alloc_size, 4 * 70,
                       fail);
 
     FF_ALLOCZ_ARRAY_OR_GOTO(avctx, me->scratchpad, alloc_size, 4 * 16 * 2,

libavcodec/mpegvideo.c

@@ -2116,7 +2116,9 @@ static av_always_inline void mpeg_motion_lowres(MpegEncContext *s,
         ptr_y = s->sc.edge_emu_buffer;
         if (!CONFIG_GRAY || !(s->avctx->flags & AV_CODEC_FLAG_GRAY)) {
             uint8_t *ubuf = s->sc.edge_emu_buffer + 18 * s->linesize;
-            uint8_t *vbuf =ubuf + 9 * s->uvlinesize;
+            uint8_t *vbuf =ubuf + 10 * s->uvlinesize;
+            if (s->workaround_bugs & FF_BUG_IEDGE)
+                vbuf -= s->uvlinesize;
             s->vdsp.emulated_edge_mc(ubuf,  ptr_cb,
                                      uvlinesize >> field_based, uvlinesize >> field_based,
                                      9, 9 + field_based,

libavcodec/mpegvideo_enc.c

@@ -2276,7 +2276,7 @@ static av_always_inline void encode_mb_internal(MpegEncContext *s,
              (mb_y * mb_block_height * wrap_c) + mb_x * mb_block_width;
 
     if((mb_x * 16 + 16 > s->width || mb_y * 16 + 16 > s->height) && s->codec_id != AV_CODEC_ID_AMV){
-        uint8_t *ebuf = s->sc.edge_emu_buffer + 36 * wrap_y;
+        uint8_t *ebuf = s->sc.edge_emu_buffer + 38 * wrap_y;
         int cw = (s->width  + s->chroma_x_shift) >> s->chroma_x_shift;
         int ch = (s->height + s->chroma_y_shift) >> s->chroma_y_shift;
         s->vdsp.emulated_edge_mc(ebuf, ptr_y,

libavcodec/mpegvideo_motion.c

@@ -326,7 +326,9 @@ void mpeg_motion_internal(MpegEncContext *s,
         ptr_y = s->sc.edge_emu_buffer;
         if (!CONFIG_GRAY || !(s->avctx->flags & AV_CODEC_FLAG_GRAY)) {
             uint8_t *ubuf = s->sc.edge_emu_buffer + 18 * s->linesize;
-            uint8_t *vbuf = ubuf + 9 * s->uvlinesize;
+            uint8_t *vbuf = ubuf + 10 * s->uvlinesize;
+            if (s->workaround_bugs & FF_BUG_IEDGE)
+                vbuf -= s->uvlinesize;
             uvsrc_y = (unsigned)uvsrc_y << field_based;
             s->vdsp.emulated_edge_mc(ubuf, ptr_cb,
                                      s->uvlinesize, s->uvlinesize,
@@ -549,7 +551,9 @@ static inline void qpel_motion(MpegEncContext *s,
         ptr_y = s->sc.edge_emu_buffer;
         if (!CONFIG_GRAY || !(s->avctx->flags & AV_CODEC_FLAG_GRAY)) {
             uint8_t *ubuf = s->sc.edge_emu_buffer + 18 * s->linesize;
-            uint8_t *vbuf = ubuf + 9 * s->uvlinesize;
+            uint8_t *vbuf = ubuf + 10 * s->uvlinesize;
+            if (s->workaround_bugs & FF_BUG_IEDGE)
+                vbuf -= s->uvlinesize;
             s->vdsp.emulated_edge_mc(ubuf, ptr_cb,
                                      s->uvlinesize, s->uvlinesize,
                                      9, 9 + field_based,

libavcodec/msrle.c

@@ -99,11 +99,14 @@ static int msrle_decode_frame(AVCodecContext *avctx,
         return ret;
 
     if (avctx->bits_per_coded_sample > 1 && avctx->bits_per_coded_sample <= 8) {
-        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
+        int size;
+        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size);
 
-        if (pal) {
+        if (pal && size == AVPALETTE_SIZE) {
             s->frame->palette_has_changed = 1;
             memcpy(s->pal, pal, AVPALETTE_SIZE);
+        } else if (pal) {
+            av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size);
         }
         /* make the palette available */
         memcpy(s->frame->data[1], s->pal, AVPALETTE_SIZE);

libavcodec/mss2.c

@@ -422,7 +422,13 @@ static int decode_wmv9(AVCodecContext *avctx, const uint8_t *buf, int buf_size,
 
     ff_vc1_decode_blocks(v);
 
-    ff_er_frame_end(&s->er);
+    if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) {
+        ff_er_frame_end(&s->er);
+    } else {
+        av_log(v->s.avctx, AV_LOG_WARNING,
+               "disabling error correction due to block count mismatch %dx%d != %dx%d\n",
+               v->end_mb_x, s->end_mb_y, s->mb_width, s->mb_height);
+    }
 
     ff_mpv_frame_end(s);
 

libavcodec/msvideo1.c

@@ -305,11 +305,14 @@ static int msvideo1_decode_frame(AVCodecContext *avctx,
         return ret;
 
     if (s->mode_8bit) {
-        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
+        int size;
+        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size);
 
-        if (pal) {
+        if (pal && size == AVPALETTE_SIZE) {
             memcpy(s->pal, pal, AVPALETTE_SIZE);
             s->frame->palette_has_changed = 1;
+        } else if (pal) {
+            av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size);
         }
     }
 

libavcodec/omx.c

@@ -761,7 +761,10 @@ static int omx_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
             } else {
                 // If not, we need to allocate a new buffer with the right
                 // size and copy the input frame into it.
-                uint8_t *buf = av_malloc(av_image_get_buffer_size(avctx->pix_fmt, s->stride, s->plane_size, 1));
+                uint8_t *buf = NULL;
+                int image_buffer_size = av_image_get_buffer_size(avctx->pix_fmt, s->stride, s->plane_size, 1);
+                if (image_buffer_size >= 0)
+                    buf = av_malloc(image_buffer_size);
                 if (!buf) {
                     // Return the buffer to the queue so it's not lost
                     append_buffer(&s->input_mutex, &s->input_cond, &s->num_free_in_buffers, s->free_in_buffers, buffer);

libavcodec/options_table.h

@@ -163,6 +163,7 @@ static const AVOption avcodec_options[] = {
 {"dc_clip", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_BUG_DC_CLIP }, INT_MIN, INT_MAX, V|D, "bug"},
 {"ms", "work around various bugs in Microsoft's broken decoders", 0, AV_OPT_TYPE_CONST, {.i64 = FF_BUG_MS }, INT_MIN, INT_MAX, V|D, "bug"},
 {"trunc", "truncated frames", 0, AV_OPT_TYPE_CONST, {.i64 = FF_BUG_TRUNCATED}, INT_MIN, INT_MAX, V|D, "bug"},
+{"iedge", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_BUG_IEDGE }, INT_MIN, INT_MAX, V|D, "bug"},
 {"strict", "how strictly to follow the standards", OFFSET(strict_std_compliance), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|V|D|E, "strict"},
 {"very", "strictly conform to a older more strict version of the spec or reference software", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_VERY_STRICT }, INT_MIN, INT_MAX, A|V|D|E, "strict"},
 {"strict", "strictly conform to all the things in the spec no matter what the consequences", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_STRICT }, INT_MIN, INT_MAX, A|V|D|E, "strict"},

libavcodec/pgssubdec.c

@@ -300,8 +300,11 @@ static int parse_object_segment(AVCodecContext *avctx,
 
     av_fast_padded_malloc(&object->rle, &object->rle_buffer_size, rle_bitmap_len);
 
-    if (!object->rle)
+    if (!object->rle) {
+        object->rle_data_len = 0;
+        object->rle_remaining_len = 0;
         return AVERROR(ENOMEM);
+    }
 
     memcpy(object->rle, buf, buf_size);
     object->rle_data_len = buf_size;
@@ -556,12 +559,13 @@ static int display_end_segment(AVCodecContext *avctx, void *data,
 
         sub->rects[i]->x    = ctx->presentation.objects[i].x;
         sub->rects[i]->y    = ctx->presentation.objects[i].y;
-        sub->rects[i]->w    = object->w;
-        sub->rects[i]->h    = object->h;
-
-        sub->rects[i]->linesize[0] = object->w;
 
         if (object->rle) {
+            sub->rects[i]->w    = object->w;
+            sub->rects[i]->h    = object->h;
+
+            sub->rects[i]->linesize[0] = object->w;
+
             if (object->rle_remaining_len) {
                 av_log(avctx, AV_LOG_ERROR, "RLE data length %u is %u bytes shorter than expected\n",
                        object->rle_data_len, object->rle_remaining_len);

libavcodec/pictordec.c

@@ -142,7 +142,7 @@ static int decode_frame(AVCodecContext *avctx,
 
     if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
         return -1;
-    if (s->width != avctx->width && s->height != avctx->height) {
+    if (s->width != avctx->width || s->height != avctx->height) {
         ret = ff_set_dimensions(avctx, s->width, s->height);
         if (ret < 0)
             return ret;

libavcodec/pngdec.c

@@ -437,13 +437,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data,
     av_bprint_init(bp, 0, -1);
 
     while (zstream.avail_in > 0) {
-        av_bprint_get_buffer(bp, 1, &buf, &buf_size);
-        if (!buf_size) {
+        av_bprint_get_buffer(bp, 2, &buf, &buf_size);
+        if (buf_size < 2) {
             ret = AVERROR(ENOMEM);
             goto fail;
         }
         zstream.next_out  = buf;
-        zstream.avail_out = buf_size;
+        zstream.avail_out = buf_size - 1;
         ret = inflate(&zstream, Z_PARTIAL_FLUSH);
         if (ret != Z_OK && ret != Z_STREAM_END) {
             ret = AVERROR_EXTERNAL;
@@ -772,6 +772,16 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s,
 {
     int v, i;
 
+    if (!(s->state & PNG_IHDR)) {
+        av_log(avctx, AV_LOG_ERROR, "trns before IHDR\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    if (s->state & PNG_IDAT) {
+        av_log(avctx, AV_LOG_ERROR, "trns after IDAT\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     if (s->color_type == PNG_COLOR_TYPE_PALETTE) {
         if (length > 256 || !(s->state & PNG_PLTE))
             return AVERROR_INVALIDDATA;
@@ -782,7 +792,8 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s,
         }
     } else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) {
         if ((s->color_type == PNG_COLOR_TYPE_GRAY && length != 2) ||
-            (s->color_type == PNG_COLOR_TYPE_RGB && length != 6))
+            (s->color_type == PNG_COLOR_TYPE_RGB && length != 6) ||
+            s->bit_depth == 1)
             return AVERROR_INVALIDDATA;
 
         for (i = 0; i < length / 2; i++) {
@@ -1241,6 +1252,8 @@ exit_loop:
         size_t raw_bpp = s->bpp - byte_depth;
         unsigned x, y;
 
+        av_assert0(s->bit_depth > 1);
+
         for (y = 0; y < s->height; ++y) {
             uint8_t *row = &s->image_buf[s->image_linesize * y];
 

libavcodec/pngenc.c

@@ -68,6 +68,9 @@ typedef struct PNGEncContext {
     // APNG
     uint32_t palette_checksum;   // Used to ensure a single unique palette
     uint32_t sequence_number;
+    int extra_data_updated;
+    uint8_t *extra_data;
+    int extra_data_size;
 
     AVFrame *prev_frame;
     AVFrame *last_frame;
@@ -870,15 +873,15 @@ static int encode_apng(AVCodecContext *avctx, AVPacket *pkt,
         if (!pict)
             return AVERROR(EINVAL);
 
-        s->bytestream = avctx->extradata = av_malloc(FF_MIN_BUFFER_SIZE);
-        if (!avctx->extradata)
+        s->bytestream = s->extra_data = av_malloc(FF_MIN_BUFFER_SIZE);
+        if (!s->extra_data)
             return AVERROR(ENOMEM);
 
         ret = encode_headers(avctx, pict);
         if (ret < 0)
             return ret;
 
-        avctx->extradata_size = s->bytestream - avctx->extradata;
+        s->extra_data_size = s->bytestream - s->extra_data;
 
         s->last_frame_packet = av_malloc(max_packet_size);
         if (!s->last_frame_packet)
@@ -917,6 +920,13 @@ static int encode_apng(AVCodecContext *avctx, AVPacket *pkt,
     if (s->last_frame) {
         uint8_t* last_fctl_chunk_start = pkt->data;
         uint8_t buf[26];
+        if (!s->extra_data_updated) {
+            uint8_t *side_data = av_packet_new_side_data(pkt, AV_PKT_DATA_NEW_EXTRADATA, s->extra_data_size);
+            if (!side_data)
+                return AVERROR(ENOMEM);
+            memcpy(side_data, s->extra_data, s->extra_data_size);
+            s->extra_data_updated = 1;
+        }
 
         AV_WB32(buf + 0, s->last_frame_fctl.sequence_number);
         AV_WB32(buf + 4, s->last_frame_fctl.width);
@@ -1093,6 +1103,8 @@ static av_cold int png_enc_close(AVCodecContext *avctx)
     av_frame_free(&s->last_frame);
     av_frame_free(&s->prev_frame);
     av_freep(&s->last_frame_packet);
+    av_freep(&s->extra_data);
+    s->extra_data_size = 0;
     return 0;
 }
 

libavcodec/pnmdec.c

@@ -43,7 +43,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
     int buf_size         = avpkt->size;
     PNMContext * const s = avctx->priv_data;
     AVFrame * const p    = data;
-    int i, j, n, linesize, h, upgrade = 0, is_mono = 0;
+    int i, j, k, n, linesize, h, upgrade = 0, is_mono = 0;
     unsigned char *ptr;
     int components, sample_len, ret;
 
@@ -143,10 +143,14 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
                         v = (*s->bytestream++)&1;
                     } else {
                         /* read a sequence of digits */
-                        do {
+                        for (k = 0; k < 5 && c <= 9; k += 1) {
                             v = 10*v + c;
                             c = (*s->bytestream++) - '0';
-                        } while (c <= 9);
+                        }
+                        if (v > s->maxval) {
+                            av_log(avctx, AV_LOG_ERROR, "value %d larger than maxval %d\n", v, s->maxval);
+                            return AVERROR_INVALIDDATA;
+                        }
                     }
                     if (sample_len == 16) {
                         ((uint16_t*)ptr)[j] = (((1<<sample_len)-1)*v + (s->maxval>>1))/s->maxval;

libavcodec/ppc/pixblockdsp.c

@@ -67,10 +67,10 @@ static void get_pixels_altivec(int16_t *restrict block, const uint8_t *pixels,
                                ptrdiff_t line_size)
 {
     int i;
-    vec_u8 perm = vec_lvsl(0, pixels);
     const vec_u8 zero = (const vec_u8)vec_splat_u8(0);
 
     for (i = 0; i < 8; i++) {
+        vec_u8 perm = vec_lvsl(0, pixels);
         /* Read potentially unaligned pixels.
          * We're reading 16 pixels, and actually only want 8,
          * but we simply ignore the extras. */
@@ -157,8 +157,7 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1,
                                 const uint8_t *s2, int stride)
 {
     int i;
-    vec_u8 perm1 = vec_lvsl(0, s1);
-    vec_u8 perm2 = vec_lvsl(0, s2);
+    vec_u8 perm;
     const vec_u8 zero = (const vec_u8)vec_splat_u8(0);
     vec_s16 shorts1, shorts2;
 
@@ -166,17 +165,19 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1,
         /* Read potentially unaligned pixels.
          * We're reading 16 pixels, and actually only want 8,
          * but we simply ignore the extras. */
+        perm = vec_lvsl(0, s1);
         vec_u8 pixl  = vec_ld(0,  s1);
         vec_u8 pixr  = vec_ld(15, s1);
-        vec_u8 bytes = vec_perm(pixl, pixr, perm1);
+        vec_u8 bytes = vec_perm(pixl, pixr, perm);
 
         // Convert the bytes into shorts.
         shorts1 = (vec_s16)vec_mergeh(zero, bytes);
 
         // Do the same for the second block of pixels.
+        perm = vec_lvsl(0, s2);
         pixl  = vec_ld(0,  s2);
         pixr  = vec_ld(15, s2);
-        bytes = vec_perm(pixl, pixr, perm2);
+        bytes = vec_perm(pixl, pixr, perm);
 
         // Convert the bytes into shorts.
         shorts2 = (vec_s16)vec_mergeh(zero, bytes);
@@ -197,17 +198,19 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1,
         /* Read potentially unaligned pixels.
          * We're reading 16 pixels, and actually only want 8,
          * but we simply ignore the extras. */
+        perm = vec_lvsl(0, s1);
         pixl  = vec_ld(0,  s1);
         pixr  = vec_ld(15, s1);
-        bytes = vec_perm(pixl, pixr, perm1);
+        bytes = vec_perm(pixl, pixr, perm);
 
         // Convert the bytes into shorts.
         shorts1 = (vec_s16)vec_mergeh(zero, bytes);
 
         // Do the same for the second block of pixels.
+        perm = vec_lvsl(0, s2);
         pixl  = vec_ld(0,  s2);
         pixr  = vec_ld(15, s2);
-        bytes = vec_perm(pixl, pixr, perm2);
+        bytes = vec_perm(pixl, pixr, perm);
 
         // Convert the bytes into shorts.
         shorts2 = (vec_s16)vec_mergeh(zero, bytes);

libavcodec/proresdec_lgpl.c

@@ -625,7 +625,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata)
 
     /* if V or alpha component size is negative that means that previous
        component sizes are too large */
-    if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6) {
+    if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6 || coff[3] > slice_data_size) {
         av_log(avctx, AV_LOG_ERROR, "invalid data size\n");
         return AVERROR_INVALIDDATA;
     }

libavcodec/qpeg.c

@@ -260,7 +260,8 @@ static int decode_frame(AVCodecContext *avctx,
     AVFrame * const ref = a->ref;
     uint8_t* outdata;
     int delta, ret;
-    const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
+    int pal_size;
+    const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size);
 
     if (avpkt->size < 0x86) {
         av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
@@ -287,9 +288,11 @@ static int decode_frame(AVCodecContext *avctx,
     }
 
     /* make the palette available on the way out */
-    if (pal) {
+    if (pal && pal_size == AVPALETTE_SIZE) {
         p->palette_has_changed = 1;
         memcpy(a->pal, pal, AVPALETTE_SIZE);
+    } else if (pal) {
+        av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size);
     }
     memcpy(p->data[1], a->pal, AVPALETTE_SIZE);
 

libavcodec/qtrle.c

@@ -506,11 +506,14 @@ static int qtrle_decode_frame(AVCodecContext *avctx,
     }
 
     if(has_palette) {
-        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
+        int size;
+        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size);
 
-        if (pal) {
+        if (pal && size == AVPALETTE_SIZE) {
             s->frame->palette_has_changed = 1;
             memcpy(s->pal, pal, AVPALETTE_SIZE);
+        } else if (pal) {
+            av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size);
         }
 
         /* make the palette available on the way out */

libavcodec/rawdec.c

@@ -364,9 +364,16 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
     }
 
     if (avctx->pix_fmt == AV_PIX_FMT_PAL8) {
+        int pal_size;
         const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE,
-                                                     NULL);
+                                                     &pal_size);
         int ret;
+
+        if (pal && pal_size != AVPALETTE_SIZE) {
+            av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size);
+            pal = NULL;
+        }
+
         if (!context->palette)
             context->palette = av_buffer_alloc(AVPALETTE_SIZE);
         if (!context->palette) {

libavcodec/rscc.c

@@ -310,12 +310,15 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
         frame->pict_type = AV_PICTURE_TYPE_P;
     }
     if (avctx->pix_fmt == AV_PIX_FMT_PAL8) {
+        int size;
         const uint8_t *pal = av_packet_get_side_data(avpkt,
                                                      AV_PKT_DATA_PALETTE,
-                                                     NULL);
-        if (pal) {
+                                                     &size);
+        if (pal && size == AVPALETTE_SIZE) {
             frame->palette_has_changed = 1;
             memcpy(ctx->pal, pal, AVPALETTE_SIZE);
+        } else if (pal) {
+            av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size);
         }
         memcpy (frame->data[1], ctx->pal, AVPALETTE_SIZE);
     }

libavcodec/rv40.c

@@ -109,6 +109,8 @@ static int get_dimension(GetBitContext *gb, const int *dim)
         val = dim[get_bits1(gb) - val];
     if(!val){
         do{
+            if (get_bits_left(gb) < 8)
+                return AVERROR_INVALIDDATA;
             t = get_bits(gb, 8);
             val += t << 2;
         }while(t == 0xFF);

libavcodec/smacker.c

@@ -129,8 +129,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref
 /**
  * Decode header tree
  */
-static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx)
+static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length)
 {
+    if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion.
+        av_log(NULL, AV_LOG_ERROR, "length too long\n");
+        return AVERROR_INVALIDDATA;
+    }
     if (hc->current + 1 >= hc->length) {
         av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
         return AVERROR_INVALIDDATA;
@@ -159,12 +163,12 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
         int r = 0, r_new, t;
 
         t = hc->current++;
-        r = smacker_decode_bigtree(gb, hc, ctx);
+        r = smacker_decode_bigtree(gb, hc, ctx, length + 1);
         if(r < 0)
             return r;
         hc->values[t] = SMK_NODE | r;
         r++;
-        r_new = smacker_decode_bigtree(gb, hc, ctx);
+        r_new = smacker_decode_bigtree(gb, hc, ctx, length + 1);
         if (r_new < 0)
             return r_new;
         return r + r_new;
@@ -275,7 +279,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
         goto error;
     }
 
-    if (smacker_decode_bigtree(gb, &huff, &ctx) < 0)
+    if (smacker_decode_bigtree(gb, &huff, &ctx, 0) < 0)
         err = -1;
     skip_bits1(gb);
     if(ctx.last[0] == -1) ctx.last[0] = huff.current++;

libavcodec/smvjpegdec.c

@@ -152,6 +152,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz
 
     cur_frame = avpkt->pts % s->frames_per_jpeg;
 
+    /* cur_frame is later used to calculate the buffer offset, so it mustn't be negative */
+    if (cur_frame < 0)
+        cur_frame += s->frames_per_jpeg;
+
     /* Are we at the start of a block? */
     if (!cur_frame) {
         av_frame_unref(mjpeg_data);

libavcodec/sunrast.c

@@ -168,7 +168,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
         }
     } else {
         for (y = 0; y < h; y++) {
-            if (buf_end - buf < len)
+            if (buf_end - buf < alen)
                 break;
             memcpy(ptr, buf, len);
             ptr += stride;

libavcodec/tscc.c

@@ -98,11 +98,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 
     /* make the palette available on the way out */
     if (c->avctx->pix_fmt == AV_PIX_FMT_PAL8) {
-        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
+        int size;
+        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size);
 
-        if (pal) {
+        if (pal && size == AVPALETTE_SIZE) {
             frame->palette_has_changed = 1;
             memcpy(c->pal, pal, AVPALETTE_SIZE);
+        } else if (pal) {
+            av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size);
         }
         memcpy(frame->data[1], c->pal, AVPALETTE_SIZE);
     }

libavcodec/utils.c

@@ -376,6 +376,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
             w_align = 4;
             h_align = 4;
         }
+        if (s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) {
+            w_align = 8;
+            h_align = 8;
+        }
         break;
     case AV_PIX_FMT_PAL8:
     case AV_PIX_FMT_BGR8:
@@ -385,7 +389,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
             w_align = 4;
             h_align = 4;
         }
-        if (s->codec_id == AV_CODEC_ID_JV) {
+        if (s->codec_id == AV_CODEC_ID_JV ||
+            s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) {
             w_align = 8;
             h_align = 8;
         }

libavcodec/version.h

@@ -28,8 +28,8 @@
 #include "libavutil/version.h"
 
 #define LIBAVCODEC_VERSION_MAJOR  57
-#define LIBAVCODEC_VERSION_MINOR  65
-#define LIBAVCODEC_VERSION_MICRO 100
+#define LIBAVCODEC_VERSION_MINOR  64
+#define LIBAVCODEC_VERSION_MICRO 101
 
 #define LIBAVCODEC_VERSION_INT  AV_VERSION_INT(LIBAVCODEC_VERSION_MAJOR, \
                                                LIBAVCODEC_VERSION_MINOR, \

libavcodec/vp5.c

@@ -170,7 +170,7 @@ static int vp5_parse_coeff_models(VP56Context *s)
     return 0;
 }
 
-static void vp5_parse_coeff(VP56Context *s)
+static int vp5_parse_coeff(VP56Context *s)
 {
     VP56RangeCoder *c = &s->c;
     VP56Model *model = s->modelp;
@@ -180,6 +180,11 @@ static void vp5_parse_coeff(VP56Context *s)
     int b, i, cg, idx, ctx, ctx_last;
     int pt = 0;    /* plane type (0 for Y, 1 for U or V) */
 
+    if (c->end >= c->buffer && c->bits >= 0) {
+        av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     for (b=0; b<6; b++) {
         int ct = 1;    /* code type */
 
@@ -245,6 +250,7 @@ static void vp5_parse_coeff(VP56Context *s)
                 s->coeff_ctx[ff_vp56_b6to4[b]][i] = 5;
         s->above_blocks[s->above_block_idx[b]].not_null_dc = s->coeff_ctx[ff_vp56_b6to4[b]][0];
     }
+    return 0;
 }
 
 static void vp5_default_models_init(VP56Context *s)

libavcodec/vp56.c

@@ -381,12 +381,13 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src,
     }
 }
 
-static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
+static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
 {
     AVFrame *frame_current, *frame_ref;
     VP56mb mb_type;
     VP56Frame ref_frame;
     int b, ab, b_max, plane, off;
+    int ret;
 
     if (s->frames[VP56_FRAME_CURRENT]->key_frame)
         mb_type = VP56_MB_INTRA;
@@ -394,14 +395,16 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
         mb_type = vp56_decode_mv(s, row, col);
     ref_frame = ff_vp56_reference_frame[mb_type];
 
-    s->parse_coeff(s);
+    ret = s->parse_coeff(s);
+    if (ret < 0)
+        return ret;
 
     vp56_add_predictors_dc(s, ref_frame);
 
     frame_current = s->frames[VP56_FRAME_CURRENT];
     frame_ref = s->frames[ref_frame];
     if (mb_type != VP56_MB_INTRA && !frame_ref->data[0])
-        return;
+        return 0;
 
     ab = 6*is_alpha;
     b_max = 6 - 2*is_alpha;
@@ -451,6 +454,7 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
         s->block_coeff[4][0] = 0;
         s->block_coeff[5][0] = 0;
     }
+    return 0;
 }
 
 static int vp56_size_changed(VP56Context *s)
@@ -653,7 +657,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data,
         s->block_offset[5] = s->block_offset[4];
 
         for (mb_col=0; mb_col<s->mb_width; mb_col++) {
-            vp56_decode_mb(s, mb_row, mb_col, is_alpha);
+            int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha);
+            if (ret < 0)
+                return ret;
 
             for (y=0; y<4; y++) {
                 s->above_block_idx[y] += 2;

libavcodec/vp56.h

@@ -74,7 +74,7 @@ typedef void (*VP56ParseVectorAdjustment)(VP56Context *s,
 typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src,
                            int offset1, int offset2, int stride,
                            VP56mv mv, int mask, int select, int luma);
-typedef void (*VP56ParseCoeff)(VP56Context *s);
+typedef int  (*VP56ParseCoeff)(VP56Context *s);
 typedef void (*VP56DefaultModelsInit)(VP56Context *s);
 typedef void (*VP56ParseVectorModels)(VP56Context *s);
 typedef int  (*VP56ParseCoeffModels)(VP56Context *s);

libavcodec/vp6.c

@@ -40,8 +40,8 @@
 
 #define VP6_MAX_HUFF_SIZE 12
 
-static void vp6_parse_coeff(VP56Context *s);
-static void vp6_parse_coeff_huffman(VP56Context *s);
+static int vp6_parse_coeff(VP56Context *s);
+static int vp6_parse_coeff_huffman(VP56Context *s);
 
 static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
 {
@@ -380,7 +380,7 @@ static unsigned vp6_get_nb_null(VP56Context *s)
     return val;
 }
 
-static void vp6_parse_coeff_huffman(VP56Context *s)
+static int vp6_parse_coeff_huffman(VP56Context *s)
 {
     VP56Model *model = s->modelp;
     uint8_t *permute = s->idct_scantable;
@@ -402,7 +402,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s)
                     break;
             } else {
                 if (get_bits_left(&s->gb) <= 0)
-                    return;
+                    return AVERROR_INVALIDDATA;
                 coeff = get_vlc2(&s->gb, vlc_coeff->table, FF_HUFFMAN_BITS, 3);
                 if (coeff == 0) {
                     if (coeff_idx) {
@@ -437,9 +437,10 @@ static void vp6_parse_coeff_huffman(VP56Context *s)
             vlc_coeff = &s->ract_vlc[pt][ct][cg];
         }
     }
+    return 0;
 }
 
-static void vp6_parse_coeff(VP56Context *s)
+static int vp6_parse_coeff(VP56Context *s)
 {
     VP56RangeCoder *c = s->ccp;
     VP56Model *model = s->modelp;
@@ -449,6 +450,11 @@ static void vp6_parse_coeff(VP56Context *s)
     int b, i, cg, idx, ctx;
     int pt = 0;    /* plane type (0 for Y, 1 for U or V) */
 
+    if (c->end >= c->buffer && c->bits >= 0) {
+        av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     for (b=0; b<6; b++) {
         int ct = 1;    /* code type */
         int run = 1;
@@ -512,6 +518,7 @@ static void vp6_parse_coeff(VP56Context *s)
         s->left_block[ff_vp56_b6to4[b]].not_null_dc =
         s->above_blocks[s->above_block_idx[b]].not_null_dc = !!s->block_coeff[b][0];
     }
+    return 0;
 }
 
 static int vp6_block_variance(uint8_t *src, int stride)

libavdevice/version.h

@@ -28,7 +28,7 @@
 #include "libavutil/version.h"
 
 #define LIBAVDEVICE_VERSION_MAJOR  57
-#define LIBAVDEVICE_VERSION_MINOR   2
+#define LIBAVDEVICE_VERSION_MINOR   1
 #define LIBAVDEVICE_VERSION_MICRO 100
 
 #define LIBAVDEVICE_VERSION_INT AV_VERSION_INT(LIBAVDEVICE_VERSION_MAJOR, \

libavfilter/version.h

@@ -30,7 +30,7 @@
 #include "libavutil/version.h"
 
 #define LIBAVFILTER_VERSION_MAJOR   6
-#define LIBAVFILTER_VERSION_MINOR  66
+#define LIBAVFILTER_VERSION_MINOR  65
 #define LIBAVFILTER_VERSION_MICRO 100
 
 #define LIBAVFILTER_VERSION_INT AV_VERSION_INT(LIBAVFILTER_VERSION_MAJOR, \

libavfilter/vf_hwupload_cuda.c

@@ -191,7 +191,7 @@ fail:
 #define OFFSET(x) offsetof(CudaUploadContext, x)
 #define FLAGS (AV_OPT_FLAG_FILTERING_PARAM | AV_OPT_FLAG_VIDEO_PARAM)
 static const AVOption cudaupload_options[] = {
-    { "device", "Number of the device to use", OFFSET(device_idx), AV_OPT_TYPE_INT, { .i64 = 0 }, .flags = FLAGS },
+    { "device", "Number of the device to use", OFFSET(device_idx), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, INT_MAX, FLAGS },
     { NULL },
 };
 

libavformat/apngenc.c

@@ -44,6 +44,9 @@ typedef struct APNGMuxContext {
     AVRational prev_delay;
 
     int framerate_warned;
+
+    uint8_t *extra_data;
+    int extra_data_size;
 } APNGMuxContext;
 
 static uint8_t *apng_find_chunk(uint32_t tag, uint8_t *buf, size_t length)
@@ -78,6 +81,7 @@ static void apng_write_chunk(AVIOContext *io_context, uint32_t tag,
 static int apng_write_header(AVFormatContext *format_context)
 {
     APNGMuxContext *apng = format_context->priv_data;
+    AVCodecParameters *par = format_context->streams[0]->codecpar;
 
     if (format_context->nb_streams != 1 ||
         format_context->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_VIDEO ||
@@ -98,18 +102,38 @@ static int apng_write_header(AVFormatContext *format_context)
     avio_wb64(format_context->pb, PNGSIG);
     // Remaining headers are written when they are copied from the encoder
 
+    if (par->extradata_size) {
+        apng->extra_data = av_mallocz(par->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
+        if (!apng->extra_data)
+            return AVERROR(ENOMEM);
+        apng->extra_data_size = par->extradata_size;
+        memcpy(apng->extra_data, par->extradata, par->extradata_size);
+    }
+
     return 0;
 }
 
-static void flush_packet(AVFormatContext *format_context, AVPacket *packet)
+static int flush_packet(AVFormatContext *format_context, AVPacket *packet)
 {
     APNGMuxContext *apng = format_context->priv_data;
     AVIOContext *io_context = format_context->pb;
     AVStream *codec_stream = format_context->streams[0];
-    AVCodecParameters *codec_par = codec_stream->codecpar;
+    uint8_t *side_data = NULL;
+    int side_data_size = 0;
 
     av_assert0(apng->prev_packet);
 
+    side_data = av_packet_get_side_data(apng->prev_packet, AV_PKT_DATA_NEW_EXTRADATA, &side_data_size);
+
+    if (side_data_size) {
+        av_freep(&apng->extra_data);
+        apng->extra_data = av_mallocz(side_data_size + AV_INPUT_BUFFER_PADDING_SIZE);
+        if (!apng->extra_data)
+            return AVERROR(ENOMEM);
+        apng->extra_data_size = side_data_size;
+        memcpy(apng->extra_data, side_data, apng->extra_data_size);
+    }
+
     if (apng->frame_number == 0 && !packet) {
         uint8_t *existing_acTL_chunk;
         uint8_t *existing_fcTL_chunk;
@@ -117,13 +141,13 @@ static void flush_packet(AVFormatContext *format_context, AVPacket *packet)
         av_log(format_context, AV_LOG_INFO, "Only a single frame so saving as a normal PNG.\n");
 
         // Write normal PNG headers without acTL chunk
-        existing_acTL_chunk = apng_find_chunk(MKBETAG('a', 'c', 'T', 'L'), codec_par->extradata, codec_par->extradata_size);
+        existing_acTL_chunk = apng_find_chunk(MKBETAG('a', 'c', 'T', 'L'), apng->extra_data, apng->extra_data_size);
         if (existing_acTL_chunk) {
             uint8_t *chunk_after_acTL = existing_acTL_chunk + AV_RB32(existing_acTL_chunk) + 12;
-            avio_write(io_context, codec_par->extradata, existing_acTL_chunk - codec_par->extradata);
-            avio_write(io_context, chunk_after_acTL, codec_par->extradata + codec_par->extradata_size - chunk_after_acTL);
+            avio_write(io_context, apng->extra_data, existing_acTL_chunk - apng->extra_data);
+            avio_write(io_context, chunk_after_acTL, apng->extra_data + apng->extra_data_size - chunk_after_acTL);
         } else {
-            avio_write(io_context, codec_par->extradata, codec_par->extradata_size);
+            avio_write(io_context, apng->extra_data, apng->extra_data_size);
         }
 
         // Write frame data without fcTL chunk
@@ -142,9 +166,9 @@ static void flush_packet(AVFormatContext *format_context, AVPacket *packet)
             uint8_t *existing_acTL_chunk;
 
             // Write normal PNG headers
-            avio_write(io_context, codec_par->extradata, codec_par->extradata_size);
+            avio_write(io_context, apng->extra_data, apng->extra_data_size);
 
-            existing_acTL_chunk = apng_find_chunk(MKBETAG('a', 'c', 'T', 'L'), codec_par->extradata, codec_par->extradata_size);
+            existing_acTL_chunk = apng_find_chunk(MKBETAG('a', 'c', 'T', 'L'), apng->extra_data, apng->extra_data_size);
             if (!existing_acTL_chunk) {
                 uint8_t buf[8];
                 // Write animation control header
@@ -195,11 +219,13 @@ static void flush_packet(AVFormatContext *format_context, AVPacket *packet)
     av_packet_unref(apng->prev_packet);
     if (packet)
         av_copy_packet(apng->prev_packet, packet);
+    return 0;
 }
 
 static int apng_write_packet(AVFormatContext *format_context, AVPacket *packet)
 {
     APNGMuxContext *apng = format_context->priv_data;
+    int ret;
 
     if (!apng->prev_packet) {
         apng->prev_packet = av_malloc(sizeof(*apng->prev_packet));
@@ -208,7 +234,9 @@ static int apng_write_packet(AVFormatContext *format_context, AVPacket *packet)
 
         av_copy_packet(apng->prev_packet, packet);
     } else {
-        flush_packet(format_context, packet);
+        ret = flush_packet(format_context, packet);
+        if (ret < 0)
+            return ret;
     }
 
     return 0;
@@ -219,10 +247,13 @@ static int apng_write_trailer(AVFormatContext *format_context)
     APNGMuxContext *apng = format_context->priv_data;
     AVIOContext *io_context = format_context->pb;
     uint8_t buf[8];
+    int ret;
 
     if (apng->prev_packet) {
-        flush_packet(format_context, NULL);
+        ret = flush_packet(format_context, NULL);
         av_freep(&apng->prev_packet);
+        if (ret < 0)
+            return ret;
     }
 
     apng_write_chunk(io_context, MKBETAG('I', 'E', 'N', 'D'), NULL, 0);
@@ -235,6 +266,9 @@ static int apng_write_trailer(AVFormatContext *format_context)
         apng_write_chunk(io_context, MKBETAG('a', 'c', 'T', 'L'), buf, 8);
     }
 
+    av_freep(&apng->extra_data);
+    apng->extra_data = 0;
+
     return 0;
 }
 

libavformat/avformat.h

@@ -1899,6 +1899,13 @@ typedef struct AVFormatContext {
      * - decoding: set by user through AVOptions (NO direct access)
      */
     char *protocol_blacklist;
+
+    /**
+     * The maximum number of streams.
+     * - encoding: unused
+     * - decoding: set by user through AVOptions (NO direct access)
+     */
+    int max_streams;
 } AVFormatContext;
 
 int av_format_get_probe_score(const AVFormatContext *s);

libavformat/avidec.c

@@ -1203,7 +1203,8 @@ start_sync:
         if ((d[0] == 'i' && d[1] == 'x' && n < s->nb_streams) ||
             // parse JUNK
             (d[0] == 'J' && d[1] == 'U' && d[2] == 'N' && d[3] == 'K') ||
-            (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1')) {
+            (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1') ||
+            (d[0] == 'i' && d[1] == 'n' && d[2] == 'd' && d[3] == 'x')) {
             avio_skip(pb, size);
             goto start_sync;
         }

libavformat/avisynth.c

@@ -690,8 +690,10 @@ static int avisynth_read_packet_video(AVFormatContext *s, AVPacket *pkt,
 #ifdef USING_AVISYNTH
         /* Flip Planar RGB video. */
         if (avsplus && (avs_library.avs_is_planar_rgb(avs->vi) ||
-                        avs_library.avs_is_planar_rgba(avs->vi)))
+                        avs_library.avs_is_planar_rgba(avs->vi))) {
+            src_p = src_p + (planeheight - 1) * pitch;
             pitch = -pitch;
+        }
 #endif
 
         avs_library.avs_bit_blt(avs->env, dst_p, rowsize, src_p, pitch,

libavformat/chromaprint.c

@@ -39,7 +39,11 @@ typedef struct ChromaprintMuxContext {
     int silence_threshold;
     int algorithm;
     FingerprintFormat fp_format;
+#if CPR_VERSION_INT >= AV_VERSION_INT(1, 4, 0)
+    ChromaprintContext *ctx;
+#else
     ChromaprintContext ctx;
+#endif
 } ChromaprintMuxContext;
 
 static void cleanup(ChromaprintMuxContext *cpr)

libavformat/ffmdec.c

@@ -21,6 +21,7 @@
 
 #include <stdint.h>
 
+#include "libavutil/imgutils.h"
 #include "libavutil/internal.h"
 #include "libavutil/intreadwrite.h"
 #include "libavutil/intfloat.h"
@@ -28,6 +29,7 @@
 #include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
 #include "libavutil/pixdesc.h"
+#include "libavcodec/internal.h"
 #include "avformat.h"
 #include "internal.h"
 #include "ffm.h"
@@ -277,6 +279,14 @@ static int ffm_append_recommended_configuration(AVStream *st, char **conf)
     return 0;
 }
 
+#define VALIDATE_PARAMETER(parameter, name, check) {                              \
+    if (check) {                                                                  \
+        av_log(codec, AV_LOG_ERROR, "Invalid " name " %d\n", codec->parameter);   \
+        ret = AVERROR_INVALIDDATA;                                                \
+        goto fail;                                                                \
+    }                                                                             \
+}
+
 static int ffm2_read_header(AVFormatContext *s)
 {
     FFMContext *ffm = s->priv_data;
@@ -342,6 +352,7 @@ static int ffm2_read_header(AVFormatContext *s)
             if (!codec_desc) {
                 av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id);
                 codec->codec_id = AV_CODEC_ID_NONE;
+                ret = AVERROR_INVALIDDATA;
                 goto fail;
             }
             codec->codec_type = avio_r8(pb);
@@ -350,14 +361,25 @@ static int ffm2_read_header(AVFormatContext *s)
                        codec_desc->type, codec->codec_type);
                 codec->codec_id = AV_CODEC_ID_NONE;
                 codec->codec_type = AVMEDIA_TYPE_UNKNOWN;
+                ret = AVERROR_INVALIDDATA;
                 goto fail;
             }
             codec->bit_rate = avio_rb32(pb);
+            if (codec->bit_rate < 0) {
+                av_log(codec, AV_LOG_ERROR, "Invalid bit rate %"PRId64"\n", codec->bit_rate);
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
             codec->flags = avio_rb32(pb);
             codec->flags2 = avio_rb32(pb);
             codec->debug = avio_rb32(pb);
             if (codec->flags & AV_CODEC_FLAG_GLOBAL_HEADER) {
                 int size = avio_rb32(pb);
+                if (size < 0 || size >= FF_MAX_EXTRADATA_SIZE) {
+                    av_log(s, AV_LOG_ERROR, "Invalid extradata size %d\n", size);
+                    ret = AVERROR_INVALIDDATA;
+                    goto fail;
+                }
                 codec->extradata = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
                 if (!codec->extradata)
                     return AVERROR(ENOMEM);
@@ -366,7 +388,7 @@ static int ffm2_read_header(AVFormatContext *s)
             }
             break;
         case MKBETAG('S', 'T', 'V', 'I'):
-            if (f_stvi++) {
+            if (f_stvi++ || codec->codec_type != AVMEDIA_TYPE_VIDEO) {
                 ret = AVERROR(EINVAL);
                 goto fail;
             }
@@ -380,6 +402,9 @@ static int ffm2_read_header(AVFormatContext *s)
             }
             codec->width = avio_rb16(pb);
             codec->height = avio_rb16(pb);
+            ret = av_image_check_size(codec->width, codec->height, 0, s);
+            if (ret < 0)
+                goto fail;
             codec->gop_size = avio_rb16(pb);
             codec->pix_fmt = avio_rb32(pb);
             if (!av_pix_fmt_desc_get(codec->pix_fmt)) {
@@ -427,13 +452,16 @@ static int ffm2_read_header(AVFormatContext *s)
             codec->refs = avio_rb32(pb);
             break;
         case MKBETAG('S', 'T', 'A', 'U'):
-            if (f_stau++) {
+            if (f_stau++ || codec->codec_type != AVMEDIA_TYPE_AUDIO) {
                 ret = AVERROR(EINVAL);
                 goto fail;
             }
             codec->sample_rate = avio_rb32(pb);
+            VALIDATE_PARAMETER(sample_rate, "sample rate",        codec->sample_rate < 0)
             codec->channels = avio_rl16(pb);
+            VALIDATE_PARAMETER(channels,    "number of channels", codec->channels < 0)
             codec->frame_size = avio_rl16(pb);
+            VALIDATE_PARAMETER(frame_size,  "frame size",         codec->frame_size < 0)
             break;
         case MKBETAG('C', 'P', 'R', 'V'):
             if (f_cprv++) {
@@ -453,7 +481,7 @@ static int ffm2_read_header(AVFormatContext *s)
             }
             break;
         case MKBETAG('S', '2', 'V', 'I'):
-            if (f_stvi++ || !size) {
+            if (f_stvi++ || !size || codec->codec_type != AVMEDIA_TYPE_VIDEO) {
                 ret = AVERROR(EINVAL);
                 goto fail;
             }
@@ -468,7 +496,7 @@ static int ffm2_read_header(AVFormatContext *s)
                 goto fail;
             break;
         case MKBETAG('S', '2', 'A', 'U'):
-            if (f_stau++ || !size) {
+            if (f_stau++ || !size || codec->codec_type != AVMEDIA_TYPE_AUDIO) {
                 ret = AVERROR(EINVAL);
                 goto fail;
             }
@@ -513,7 +541,7 @@ static int ffm_read_header(AVFormatContext *s)
     AVIOContext *pb = s->pb;
     AVCodecContext *codec;
     const AVCodecDescriptor *codec_desc;
-    int i, nb_streams;
+    int i, nb_streams, ret;
     uint32_t tag;
 
     /* header */
@@ -565,6 +593,10 @@ static int ffm_read_header(AVFormatContext *s)
             goto fail;
         }
         codec->bit_rate = avio_rb32(pb);
+        if (codec->bit_rate < 0) {
+            av_log(codec, AV_LOG_WARNING, "Invalid bit rate %"PRId64"\n", codec->bit_rate);
+            goto fail;
+        }
         codec->flags = avio_rb32(pb);
         codec->flags2 = avio_rb32(pb);
         codec->debug = avio_rb32(pb);
@@ -580,6 +612,8 @@ static int ffm_read_header(AVFormatContext *s)
             }
             codec->width = avio_rb16(pb);
             codec->height = avio_rb16(pb);
+            if (av_image_check_size(codec->width, codec->height, 0, s) < 0)
+                goto fail;
             codec->gop_size = avio_rb16(pb);
             codec->pix_fmt = avio_rb32(pb);
             if (!av_pix_fmt_desc_get(codec->pix_fmt)) {
@@ -628,14 +662,21 @@ static int ffm_read_header(AVFormatContext *s)
             break;
         case AVMEDIA_TYPE_AUDIO:
             codec->sample_rate = avio_rb32(pb);
+            VALIDATE_PARAMETER(sample_rate, "sample rate",        codec->sample_rate < 0)
             codec->channels = avio_rl16(pb);
+            VALIDATE_PARAMETER(channels,    "number of channels", codec->channels < 0)
             codec->frame_size = avio_rl16(pb);
+            VALIDATE_PARAMETER(frame_size,  "frame size",         codec->frame_size < 0)
             break;
         default:
             goto fail;
         }
         if (codec->flags & AV_CODEC_FLAG_GLOBAL_HEADER) {
             int size = avio_rb32(pb);
+            if (size < 0 || size >= FF_MAX_EXTRADATA_SIZE) {
+                av_log(s, AV_LOG_ERROR, "Invalid extradata size %d\n", size);
+                goto fail;
+            }
             codec->extradata = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
             if (!codec->extradata)
                 return AVERROR(ENOMEM);

libavformat/filmstripdec.c

@@ -25,6 +25,7 @@
  */
 
 #include "libavutil/intreadwrite.h"
+#include "libavutil/imgutils.h"
 #include "avformat.h"
 #include "internal.h"
 
@@ -68,10 +69,8 @@ static int read_header(AVFormatContext *s)
     st->codecpar->height     = avio_rb16(pb);
     film->leading         = avio_rb16(pb);
 
-    if (st->codecpar->width * 4LL * st->codecpar->height >= INT_MAX) {
-        av_log(s, AV_LOG_ERROR, "dimensions too large\n");
-        return AVERROR_PATCHWELCOME;
-    }
+    if (av_image_check_size(st->codecpar->width, st->codecpar->height, 0, s) < 0)
+        return AVERROR_INVALIDDATA;
 
     avpriv_set_pts_info(st, 64, 1, avio_rb16(pb));
 

libavformat/flacdec.c

@@ -65,7 +65,8 @@ static int flac_read_header(AVFormatContext *s)
 
     /* process metadata blocks */
     while (!avio_feof(s->pb) && !metadata_last) {
-        avio_read(s->pb, header, 4);
+        if (avio_read(s->pb, header, 4) != 4)
+            return AVERROR(AVERROR_INVALIDDATA);
         flac_parse_block_header(header, &metadata_last, &metadata_type,
                                    &metadata_size);
         switch (metadata_type) {

libavformat/flvdec.c

@@ -66,6 +66,7 @@ typedef struct FLVContext {
     int keyframe_count;
     int64_t *keyframe_times;
     int64_t *keyframe_filepositions;
+    int missing_streams;
 } FLVContext;
 
 static int probe(AVProbeData *p, int live)
@@ -137,6 +138,11 @@ static AVStream *create_stream(AVFormatContext *s, int codec_type)
                            && s->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_SUBTITLE
                            && s->streams[1]->codecpar->codec_type != AVMEDIA_TYPE_SUBTITLE))
         s->ctx_flags &= ~AVFMTCTX_NOHEADER;
+    if (codec_type == AVMEDIA_TYPE_AUDIO)
+        flv->missing_streams &= ~FLV_HEADER_FLAG_HASAUDIO;
+    if (codec_type == AVMEDIA_TYPE_VIDEO)
+        flv->missing_streams &= ~FLV_HEADER_FLAG_HASVIDEO;
+
 
     avpriv_set_pts_info(st, 32, 1, 1000); /* 32 bit pts in ms */
     flv->last_keyframe_stream_index = s->nb_streams - 1;
@@ -283,7 +289,9 @@ static int flv_same_video_codec(AVCodecParameters *vpar, int flags)
 static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream,
                                int flv_codecid, int read)
 {
+    int ret = 0;
     AVCodecParameters *par = vstream->codecpar;
+    enum AVCodecID old_codec_id = vstream->codecpar->codec_id;
     switch (flv_codecid) {
     case FLV_CODECID_H263:
         par->codec_id = AV_CODEC_ID_FLV1;
@@ -311,20 +319,28 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream,
             else
                 avio_skip(s->pb, 1);
         }
-        return 1;     // 1 byte body size adjustment for flv_read_packet()
+        ret = 1;     // 1 byte body size adjustment for flv_read_packet()
+        break;
     case FLV_CODECID_H264:
         par->codec_id = AV_CODEC_ID_H264;
         vstream->need_parsing = AVSTREAM_PARSE_HEADERS;
-        return 3;     // not 4, reading packet type will consume one byte
+        ret = 3;     // not 4, reading packet type will consume one byte
+        break;
     case FLV_CODECID_MPEG4:
         par->codec_id = AV_CODEC_ID_MPEG4;
-        return 3;
+        ret = 3;
+        break;
     default:
         avpriv_request_sample(s, "Video codec (%x)", flv_codecid);
         par->codec_tag = flv_codecid;
     }
 
-    return 0;
+    if (!vstream->internal->need_context_update && par->codec_id != old_codec_id) {
+        avpriv_request_sample(s, "Changing the codec id midstream");
+        return AVERROR_PATCHWELCOME;
+    }
+
+    return ret;
 }
 
 static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize)
@@ -539,7 +555,9 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream,
                     st->codecpar->codec_id = AV_CODEC_ID_TEXT;
                 } else if (flv->trust_metadata) {
                     if (!strcmp(key, "videocodecid") && vpar) {
-                        flv_set_video_codec(s, vstream, num_val, 0);
+                        int ret = flv_set_video_codec(s, vstream, num_val, 0);
+                        if (ret < 0)
+                            return ret;
                     } else if (!strcmp(key, "audiocodecid") && apar) {
                         int id = ((int)num_val) << FLV_AUDIO_CODECID_OFFSET;
                         flv_set_audio_codec(s, astream, apar, id);
@@ -674,11 +692,14 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos)
 
 static int flv_read_header(AVFormatContext *s)
 {
+    int flags;
     FLVContext *flv = s->priv_data;
     int offset;
 
     avio_skip(s->pb, 4);
-    avio_r8(s->pb); // flags
+    flags = avio_r8(s->pb);
+
+    flv->missing_streams = flags & (FLV_HEADER_FLAG_HASVIDEO | FLV_HEADER_FLAG_HASAUDIO);
 
     s->ctx_flags |= AVFMTCTX_NOHEADER;
 
@@ -1087,7 +1108,10 @@ retry_duration:
             avcodec_parameters_free(&par);
         }
     } else if (stream_type == FLV_STREAM_TYPE_VIDEO) {
-        size -= flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK, 1);
+        int ret = flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK, 1);
+        if (ret < 0)
+            return ret;
+        size -= ret;
     } else if (stream_type == FLV_STREAM_TYPE_DATA) {
         st->codecpar->codec_id = AV_CODEC_ID_TEXT;
     }
@@ -1216,6 +1240,7 @@ static int flv_read_seek(AVFormatContext *s, int stream_index,
 #define VD AV_OPT_FLAG_VIDEO_PARAM | AV_OPT_FLAG_DECODING_PARAM
 static const AVOption options[] = {
     { "flv_metadata", "Allocate streams according to the onMetaData array", OFFSET(trust_metadata), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, VD },
+    { "missing_streams", "", OFFSET(missing_streams), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 0xFF, VD | AV_OPT_FLAG_EXPORT | AV_OPT_FLAG_READONLY },
     { NULL }
 };
 

libavformat/hls.c

@@ -1528,9 +1528,29 @@ static void add_stream_to_programs(AVFormatContext *s, struct playlist *pls, AVS
         av_dict_set_int(&stream->metadata, "variant_bitrate", bandwidth, 0);
 }
 
+static int set_stream_info_from_input_stream(AVStream *st, struct playlist *pls, AVStream *ist)
+{
+    int err;
+
+    err = avcodec_parameters_copy(st->codecpar, ist->codecpar);
+    if (err < 0)
+        return err;
+
+    if (pls->is_id3_timestamped) /* custom timestamps via id3 */
+        avpriv_set_pts_info(st, 33, 1, MPEG_TIME_BASE);
+    else
+        avpriv_set_pts_info(st, ist->pts_wrap_bits, ist->time_base.num, ist->time_base.den);
+
+    st->internal->need_context_update = 1;
+
+    return 0;
+}
+
 /* add new subdemuxer streams to our context, if any */
 static int update_streams_from_subdemuxer(AVFormatContext *s, struct playlist *pls)
 {
+    int err;
+
     while (pls->n_main_streams < pls->ctx->nb_streams) {
         int ist_idx = pls->n_main_streams;
         AVStream *st = avformat_new_stream(s, NULL);
@@ -1540,17 +1560,13 @@ static int update_streams_from_subdemuxer(AVFormatContext *s, struct playlist *p
             return AVERROR(ENOMEM);
 
         st->id = pls->index;
-
-        avcodec_parameters_copy(st->codecpar, ist->codecpar);
-
-        if (pls->is_id3_timestamped) /* custom timestamps via id3 */
-            avpriv_set_pts_info(st, 33, 1, MPEG_TIME_BASE);
-        else
-            avpriv_set_pts_info(st, ist->pts_wrap_bits, ist->time_base.num, ist->time_base.den);
-
         dynarray_add(&pls->main_streams, &pls->n_main_streams, st);
 
         add_stream_to_programs(s, pls, st);
+
+        err = set_stream_info_from_input_stream(st, pls, ist);
+        if (err < 0)
+            return err;
     }
 
     return 0;
@@ -1946,6 +1962,8 @@ static int hls_read_packet(AVFormatContext *s, AVPacket *pkt)
     /* If we got a packet, return it */
     if (minplaylist >= 0) {
         struct playlist *pls = c->playlists[minplaylist];
+        AVStream *ist;
+        AVStream *st;
 
         ret = update_streams_from_subdemuxer(s, pls);
         if (ret < 0) {
@@ -1968,15 +1986,28 @@ static int hls_read_packet(AVFormatContext *s, AVPacket *pkt)
             return AVERROR_BUG;
         }
 
+        ist = pls->ctx->streams[pls->pkt.stream_index];
+        st = pls->main_streams[pls->pkt.stream_index];
+
         *pkt = pls->pkt;
-        pkt->stream_index = pls->main_streams[pls->pkt.stream_index]->index;
+        pkt->stream_index = st->index;
         reset_packet(&c->playlists[minplaylist]->pkt);
 
         if (pkt->dts != AV_NOPTS_VALUE)
             c->cur_timestamp = av_rescale_q(pkt->dts,
-                                            pls->ctx->streams[pls->pkt.stream_index]->time_base,
+                                            ist->time_base,
                                             AV_TIME_BASE_Q);
 
+        /* There may be more situations where this would be useful, but this at least
+         * handles newly probed codecs properly (i.e. request_probe by mpegts). */
+        if (ist->codecpar->codec_id != st->codecpar->codec_id) {
+            ret = set_stream_info_from_input_stream(st, pls, ist);
+            if (ret < 0) {
+                av_packet_unref(pkt);
+                return ret;
+            }
+        }
+
         return 0;
     }
     return AVERROR_EOF;

libavformat/http.c

@@ -62,8 +62,8 @@ typedef struct HTTPContext {
     int line_count;
     int http_code;
     /* Used if "Transfer-Encoding: chunked" otherwise -1. */
-    int64_t chunksize;
-    int64_t off, end_off, filesize;
+    uint64_t chunksize;
+    uint64_t off, end_off, filesize;
     char *location;
     HTTPAuthState auth_state;
     HTTPAuthState proxy_auth_state;
@@ -95,9 +95,9 @@ typedef struct HTTPContext {
     AVDictionary *cookie_dict;
     int icy;
     /* how much data was read since the last ICY metadata packet */
-    int icy_data_read;
+    uint64_t icy_data_read;
     /* after how many bytes of read data a new metadata packet will be found */
-    int icy_metaint;
+    uint64_t icy_metaint;
     char *icy_metadata_headers;
     char *icy_metadata_packet;
     AVDictionary *metadata;
@@ -489,7 +489,7 @@ static int http_open(URLContext *h, const char *uri, int flags,
     else
         h->is_streamed = 1;
 
-    s->filesize = -1;
+    s->filesize = UINT64_MAX;
     s->location = av_strdup(uri);
     if (!s->location)
         return AVERROR(ENOMEM);
@@ -616,9 +616,9 @@ static void parse_content_range(URLContext *h, const char *p)
 
     if (!strncmp(p, "bytes ", 6)) {
         p     += 6;
-        s->off = strtoll(p, NULL, 10);
+        s->off = strtoull(p, NULL, 10);
         if ((slash = strchr(p, '/')) && strlen(slash) > 0)
-            s->filesize = strtoll(slash + 1, NULL, 10);
+            s->filesize = strtoull(slash + 1, NULL, 10);
     }
     if (s->seekable == -1 && (!s->is_akamai || s->filesize != 2147483647))
         h->is_streamed = 0; /* we _can_ in fact seek */
@@ -808,8 +808,9 @@ static int process_line(URLContext *h, char *line, int line_count,
             if ((ret = parse_location(s, p)) < 0)
                 return ret;
             *new_location = 1;
-        } else if (!av_strcasecmp(tag, "Content-Length") && s->filesize == -1) {
-            s->filesize = strtoll(p, NULL, 10);
+        } else if (!av_strcasecmp(tag, "Content-Length") &&
+                   s->filesize == UINT64_MAX) {
+            s->filesize = strtoull(p, NULL, 10);
         } else if (!av_strcasecmp(tag, "Content-Range")) {
             parse_content_range(h, p);
         } else if (!av_strcasecmp(tag, "Accept-Ranges") &&
@@ -818,7 +819,7 @@ static int process_line(URLContext *h, char *line, int line_count,
             h->is_streamed = 0;
         } else if (!av_strcasecmp(tag, "Transfer-Encoding") &&
                    !av_strncasecmp(p, "chunked", 7)) {
-            s->filesize  = -1;
+            s->filesize  = UINT64_MAX;
             s->chunksize = 0;
         } else if (!av_strcasecmp(tag, "WWW-Authenticate")) {
             ff_http_auth_handle_header(&s->auth_state, tag, p);
@@ -842,7 +843,7 @@ static int process_line(URLContext *h, char *line, int line_count,
             if (parse_cookie(s, p, &s->cookie_dict))
                 av_log(h, AV_LOG_WARNING, "Unable to parse '%s'\n", p);
         } else if (!av_strcasecmp(tag, "Icy-MetaInt")) {
-            s->icy_metaint = strtoll(p, NULL, 10);
+            s->icy_metaint = strtoull(p, NULL, 10);
         } else if (!av_strncasecmp(tag, "Icy-", 4)) {
             if ((ret = parse_icy(s, tag, p)) < 0)
                 return ret;
@@ -972,7 +973,7 @@ static int http_read_header(URLContext *h, int *new_location)
     char line[MAX_URL_SIZE];
     int err = 0;
 
-    s->chunksize = -1;
+    s->chunksize = UINT64_MAX;
 
     for (;;) {
         if ((err = http_get_line(s, line, sizeof(line))) < 0)
@@ -1006,7 +1007,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path,
     int post, err;
     char headers[HTTP_HEADERS_SIZE] = "";
     char *authstr = NULL, *proxyauthstr = NULL;
-    int64_t off = s->off;
+    uint64_t off = s->off;
     int len = 0;
     const char *method;
     int send_expect_100 = 0;
@@ -1060,7 +1061,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path,
     // server supports seeking by analysing the reply headers.
     if (!has_header(s->headers, "\r\nRange: ") && !post && (s->off > 0 || s->end_off || s->seekable == -1)) {
         len += av_strlcatf(headers + len, sizeof(headers) - len,
-                           "Range: bytes=%"PRId64"-", s->off);
+                           "Range: bytes=%"PRIu64"-", s->off);
         if (s->end_off)
             len += av_strlcatf(headers + len, sizeof(headers) - len,
                                "%"PRId64, s->end_off - 1);
@@ -1135,7 +1136,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path,
     s->line_count       = 0;
     s->off              = 0;
     s->icy_data_read    = 0;
-    s->filesize         = -1;
+    s->filesize         = UINT64_MAX;
     s->willclose        = 0;
     s->end_chunked_post = 0;
     s->end_header       = 0;
@@ -1167,6 +1168,34 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size)
 {
     HTTPContext *s = h->priv_data;
     int len;
+
+    if (s->chunksize != UINT64_MAX) {
+        if (!s->chunksize) {
+            char line[32];
+            int err;
+
+            do {
+                if ((err = http_get_line(s, line, sizeof(line))) < 0)
+                    return err;
+            } while (!*line);    /* skip CR LF from last chunk */
+
+            s->chunksize = strtoull(line, NULL, 16);
+
+            av_log(h, AV_LOG_TRACE,
+                   "Chunked encoding data size: %"PRIu64"'\n",
+                    s->chunksize);
+
+            if (!s->chunksize)
+                return 0;
+            else if (s->chunksize == UINT64_MAX) {
+                av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRIu64"\n",
+                       s->chunksize);
+                return AVERROR(EINVAL);
+            }
+        }
+        size = FFMIN(size, s->chunksize);
+    }
+
     /* read bytes from input buffer first */
     len = s->buf_end - s->buf_ptr;
     if (len > 0) {
@@ -1175,15 +1204,13 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size)
         memcpy(buf, s->buf_ptr, len);
         s->buf_ptr += len;
     } else {
-        int64_t target_end = s->end_off ? s->end_off : s->filesize;
-        if ((!s->willclose || s->chunksize < 0) &&
-            target_end >= 0 && s->off >= target_end)
+        uint64_t target_end = s->end_off ? s->end_off : s->filesize;
+        if ((!s->willclose || s->chunksize == UINT64_MAX) && s->off >= target_end)
             return AVERROR_EOF;
         len = ffurl_read(s->hd, buf, size);
-        if (!len && (!s->willclose || s->chunksize < 0) &&
-            target_end >= 0 && s->off < target_end) {
+        if (!len && (!s->willclose || s->chunksize == UINT64_MAX) && s->off < target_end) {
             av_log(h, AV_LOG_ERROR,
-                   "Stream ends prematurely at %"PRId64", should be %"PRId64"\n",
+                   "Stream ends prematurely at %"PRIu64", should be %"PRIu64"\n",
                    s->off, target_end
                   );
             return AVERROR(EIO);
@@ -1191,8 +1218,10 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size)
     }
     if (len > 0) {
         s->off += len;
-        if (s->chunksize > 0)
+        if (s->chunksize > 0) {
+            av_assert0(s->chunksize >= len);
             s->chunksize -= len;
+        }
     }
     return len;
 }
@@ -1247,25 +1276,6 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size)
             return err;
     }
 
-    if (s->chunksize >= 0) {
-        if (!s->chunksize) {
-            char line[32];
-
-                do {
-                    if ((err = http_get_line(s, line, sizeof(line))) < 0)
-                        return err;
-                } while (!*line);    /* skip CR LF from last chunk */
-
-                s->chunksize = strtoll(line, NULL, 16);
-
-                av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n",
-                        s->chunksize);
-
-                if (!s->chunksize)
-                    return 0;
-        }
-        size = FFMIN(size, s->chunksize);
-    }
 #if CONFIG_ZLIB
     if (s->compressed)
         return http_buf_read_compressed(h, buf, size);
@@ -1273,17 +1283,17 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size)
     read_ret = http_buf_read(h, buf, size);
     if (   (read_ret  < 0 && s->reconnect        && (!h->is_streamed || s->reconnect_streamed) && s->filesize > 0 && s->off < s->filesize)
         || (read_ret == 0 && s->reconnect_at_eof && (!h->is_streamed || s->reconnect_streamed))) {
-        int64_t target = h->is_streamed ? 0 : s->off;
+        uint64_t target = h->is_streamed ? 0 : s->off;
 
         if (s->reconnect_delay > s->reconnect_delay_max)
             return AVERROR(EIO);
 
-        av_log(h, AV_LOG_INFO, "Will reconnect at %"PRId64" error=%s.\n", s->off, av_err2str(read_ret));
+        av_log(h, AV_LOG_INFO, "Will reconnect at %"PRIu64" error=%s.\n", s->off, av_err2str(read_ret));
         av_usleep(1000U*1000*s->reconnect_delay);
         s->reconnect_delay = 1 + 2*s->reconnect_delay;
         seek_ret = http_seek_internal(h, target, SEEK_SET, 1);
         if (seek_ret != target) {
-            av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRId64".\n", target);
+            av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRIu64".\n", target);
             return read_ret;
         }
 
@@ -1338,10 +1348,11 @@ static int store_icy(URLContext *h, int size)
 {
     HTTPContext *s = h->priv_data;
     /* until next metadata packet */
-    int remaining = s->icy_metaint - s->icy_data_read;
+    uint64_t remaining;
 
-    if (remaining < 0)
+    if (s->icy_metaint < s->icy_data_read)
         return AVERROR_INVALIDDATA;
+    remaining = s->icy_metaint - s->icy_data_read;
 
     if (!remaining) {
         /* The metadata packet is variable sized. It has a 1 byte header
@@ -1455,7 +1466,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo
 {
     HTTPContext *s = h->priv_data;
     URLContext *old_hd = s->hd;
-    int64_t old_off = s->off;
+    uint64_t old_off = s->off;
     uint8_t old_buf[BUFFER_SIZE];
     int old_buf_size, ret;
     AVDictionary *options = NULL;
@@ -1466,7 +1477,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo
              ((whence == SEEK_CUR && off == 0) ||
               (whence == SEEK_SET && off == s->off)))
         return s->off;
-    else if ((s->filesize == -1 && whence == SEEK_END))
+    else if ((s->filesize == UINT64_MAX && whence == SEEK_END))
         return AVERROR(ENOSYS);
 
     if (whence == SEEK_CUR)
@@ -1621,7 +1632,7 @@ redo:
     s->buf_ptr    = s->buffer;
     s->buf_end    = s->buffer;
     s->line_count = 0;
-    s->filesize   = -1;
+    s->filesize   = UINT64_MAX;
     cur_auth_type = s->proxy_auth_state.auth_type;
 
     /* Note: This uses buffering, potentially reading more than the

libavformat/icodec.c

@@ -109,6 +109,10 @@ static int read_header(AVFormatContext *s)
         avio_skip(pb, 5);
 
         ico->images[i].size   = avio_rl32(pb);
+        if (ico->images[i].size <= 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size);
+            return AVERROR_INVALIDDATA;
+        }
         ico->images[i].offset = avio_rl32(pb);
 
         if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0)
@@ -174,8 +178,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
         bytestream_put_le16(&buf, 0);
         bytestream_put_le32(&buf, 0);
 
-        if ((ret = avio_read(pb, buf, image->size)) < 0)
-            return ret;
+        if ((ret = avio_read(pb, buf, image->size)) != image->size) {
+            av_packet_unref(pkt);
+            return ret < 0 ? ret : AVERROR_INVALIDDATA;
+        }
 
         st->codecpar->bits_per_coded_sample = AV_RL16(buf + 14);
 

libavformat/idroqdec.c

@@ -157,6 +157,9 @@ static int roq_read_packet(AVFormatContext *s,
             chunk_size = AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 +
                 codebook_size;
 
+            if (chunk_size > INT_MAX)
+                return AVERROR_INVALIDDATA;
+
             /* rewind */
             avio_seek(pb, codebook_offset, SEEK_SET);
 

libavformat/libopenmpt.c

@@ -82,6 +82,11 @@ static int read_header_openmpt(AVFormatContext *s)
     if (!buf)
         return AVERROR(ENOMEM);
     size = avio_read(s->pb, buf, size);
+    if (size < 0) {
+        av_log(s, AV_LOG_ERROR, "Reading input buffer failed.\n");
+        av_freep(&buf);
+        return size;
+    }
 
     openmpt->module = openmpt_module_create_from_memory(buf, size, openmpt_logfunc, s, NULL);
     av_freep(&buf);

libavformat/matroskadec.c

@@ -88,6 +88,7 @@ typedef const struct EbmlSyntax {
     int list_elem_size;
     int data_offset;
     union {
+        int64_t     i;
         uint64_t    u;
         double      f;
         const char *s;
@@ -676,7 +677,7 @@ static const EbmlSyntax matroska_blockgroup[] = {
     { MATROSKA_ID_SIMPLEBLOCK,    EBML_BIN,  0, offsetof(MatroskaBlock, bin) },
     { MATROSKA_ID_BLOCKDURATION,  EBML_UINT, 0, offsetof(MatroskaBlock, duration) },
     { MATROSKA_ID_DISCARDPADDING, EBML_SINT, 0, offsetof(MatroskaBlock, discard_padding) },
-    { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference) },
+    { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference), { .i = INT64_MIN } },
     { MATROSKA_ID_CODECSTATE,     EBML_NONE },
     {                          1, EBML_UINT, 0, offsetof(MatroskaBlock, non_simple), { .u = 1 } },
     { 0 }
@@ -1051,6 +1052,9 @@ static int ebml_parse_nest(MatroskaDemuxContext *matroska, EbmlSyntax *syntax,
 
     for (i = 0; syntax[i].id; i++)
         switch (syntax[i].type) {
+        case EBML_SINT:
+            *(int64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.i;
+            break;
         case EBML_UINT:
             *(uint64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.u;
             break;
@@ -3289,7 +3293,7 @@ static int matroska_parse_cluster_incremental(MatroskaDemuxContext *matroska)
         matroska->current_cluster_num_blocks = blocks_list->nb_elem;
         i                                    = blocks_list->nb_elem - 1;
         if (blocks[i].bin.size > 0 && blocks[i].bin.data) {
-            int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1;
+            int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1;
             uint8_t* additional = blocks[i].additional.size > 0 ?
                                     blocks[i].additional.data : NULL;
             if (!blocks[i].non_simple)
@@ -3327,7 +3331,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska)
     blocks      = blocks_list->elem;
     for (i = 0; i < blocks_list->nb_elem; i++)
         if (blocks[i].bin.size > 0 && blocks[i].bin.data) {
-            int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1;
+            int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1;
             res = matroska_parse_block(matroska, blocks[i].bin.data,
                                        blocks[i].bin.size, blocks[i].bin.pos,
                                        cluster.timecode, blocks[i].duration,
@@ -3772,6 +3776,11 @@ static int webm_dash_manifest_read_header(AVFormatContext *s)
         av_log(s, AV_LOG_ERROR, "Failed to read file headers\n");
         return -1;
     }
+    if (!s->nb_streams) {
+        matroska_read_close(s);
+        av_log(s, AV_LOG_ERROR, "No streams found\n");
+        return AVERROR_INVALIDDATA;
+    }
 
     if (!matroska->is_live) {
         buf = av_asprintf("%g", matroska->duration);