Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
swscale: aarch64: Fix yuv2rgb with negative strides
2022-11-04 21:19:58 +01:00 · 2022-11-04 14:28:37 +02:00 · 2022-11-04 09:12:19 -03:00 · 2022-11-04 09:06:50 -03:00 · 2022-11-04 09:04:41 -03:00 · 2022-11-04 11:07:53 +01:00
174 changed files with 2045 additions and 942 deletions
--- a/180
+++ b/180
@@ -1,7 +1,184 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

-version <next>:
+version 5.0.2:
+- swscale: aarch64: Fix yuv2rgb with negative strides
+- avcodec/atrac3plusdec: fix compilation failure after last commit
+- avcodec/atrac3plus: reorder channels to match the output layout
+- avcodec/aacdec: fix parsing streams with channel configuration 11
+- Changelog: update
+- avcodec/speexdec: Check channels > 2
+- avformat/vividas: Check packet size
+- avcodec/dstdec: Check for overflow in build_filter()
+- avformat/spdifdec: Use 64bit to compute bit rate
+- avformat/rpl: Use 64bit for duration computation
+- avformat/xwma: Use av_rescale() for duration computation
+- avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation
+- avformat/sbgdec: Check ts_int in genrate_intervals
+- avformat/sbgdec: clamp end_ts
+- avformat/rmdec: check tag_size
+- avformat/nutdec: Check fields
+- avformat/flvdec: Use 64bit for sum_flv_tag_size
+- avformat/jacosubdec: Fix overflow in get_shift()
+- avformat/dxa: avoid bpc overflows
+- avformat/dhav: Use 64bit seek_back
+- avformat/cafdec: Check that nb_frasmes fits within 64bit
+- avformat/asfdec_o: Limit packet offset
+- avformat/ape: Check frames size
+- avformat/icodec: Check nb_pal
+- avformat/aiffdec: Use 64bit for block_duration use
+- avformat/aiffdec: Check block_duration
+- avformat/mxfdec: only probe max run in
+- avformat/mxfdec: Check run_in is within 65536
+- avcodec/mjpegdec: Check for unsupported bayer case
+- avcodec/apedec: Fix integer overflow in filter_3800()
+- avcodec/tta: Check 24bit scaling for overflow
+- avcodec/mobiclip: Check quantizer for overflow
+- avcodec/exr: Check preview psize
+- avcodec/tiff: Fix loop detection
+- libavformat/hls: Free keys
+- avcodec/fmvc: Move frame allocation to a later stage
+- avfilter/vf_showinfo: remove backspaces
+- avcodec/speedhq: Check width
+- avcodec/bink: disallow odd positioned scaled blocks
+- libswscale: force a minimum size of the slide for bayer sources
+- lavc/videotoolbox: do not pass AVCodecContext to decoder output callback
+- lavc/pthread_frame: always transfer stashed hwaccel state
+- avformat/cafenc: derive Opus frame size from the relevant stream parameters
+- avcodec/arm/sbcenc: avoid callee preserved vfp registers
+- avfilter/vf_scale: overwrite the width and height expressions with the original values
+- lavc/pthread_frame: avoid leaving stale hwaccel state in worker threads
+- Update for 5.0.2
+- avformat/asfdec_o: limit recursion depth in asf_read_unknown()
+- doc/git-howto.texi: Document commit signing
+- libavcodec/8bps: Check that line lengths fit within the buffer
+- avcodec/midivid: Perform lzss_uncompress() before ff_reget_buffer()
+- libavformat/iff: Check for overflow in body_end calculation
+- avformat/avidec: Prevent entity expansion attacks
+- avcodec/h263dec: Sanity check against minimal I/P frame size
+- avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel
+- avcodec/mpegaudiodec_template: use unsigned shift in handle_crc()
+- avformat/subviewerdec: Make read_ts() more flexible
+- avcodec/mjpegdec: bayer and rct are incompatible
+- MAINTAINERS: Add ED25519 key for signing my commits in the future
+- avcodec/hevc_filter: copy_CTB() only within width&height
+- avcodec/tiff: Check tile_length and tile_width
+- avcodec/mss4: Check image size with av_image_check_size2()
+- avformat/flvdec: Check for EOF in index reading
+- avformat/nutdec: Check get_packetheader() in mainheader
+- avformat/asfdec_f: Use 64bit for packet start time
+- avcodec/exr: Check x/ysize
+- tools/target_dec_fuzzer: Adjust threshold for MMVIDEO
+- avcodec/lagarith: Check dst/src in zero run code
+- avcodec/h264dec: Skip late SEI
+- avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c()
+- avfilter/vf_signature: Fix integer overflow in filter_frame()
+- avformat/rtsp: break on unknown protocols
+- avcodec/hevcdsp_template: stay within tables in sao_band_filter()
+- avcodec/tiff: Check pixel format types for dng
+- avcodec/qpeldsp: copy less for the mc0x cases
+- avformat/aaxdec: Check for empty segments
+- avcodec/ffv1dec: Limit golomb rice coded slices to width 8M
+- avformat/iff: simplify duration calculation
+- avcodec/wnv1: Check for width =1
+- avcodec/ffv1dec_template: fix indention
+- avformat/sctp: close socket on errors
+- avformat/cinedec: Check size and pos more
+- avcodec/aasc: Fix indention
+- avcodec/qdrw: adjust max colors to array size
+- avcodec/alacdsp: Make intermediates unsigned
+- avformat/aiffdec: cleanup size handling for extreem cases
+- avformat/matroskadec: avoid integer overflows in SAR computation
+- avcodec/jpeglsdec: fix end check for xfrm
+- avcodec/cdgraphics: limit scrolling to the line
+- avformat/hls: Limit start_seq_no to one bit less
+- avformat/aiffdec: avoid integer overflow in get_meta()
+- avformat/aaxdec: Check for overlaping segments
+- avformat/ape: more bits in size for less overflows
+- avformat/aviobuf: Check buf_size in ffio_ensure_seekback()
+- avformat/bfi: Check offsets better
+- avformat/asfdec_f: Check packet_frag_timestamp
+- avcodec/texturedspenc: Fix indexing in color distribution determination
+- avformat/act: Check ff_get_wav_header() for failure
+- avcodec/libxavs2: Improve r redundancy in occured
+- avformat/libzmq: Improve r redundancy in occured
+- avfilter/vf_libplacebo: Match AV_OPT_TYPE_FLOAT to dbl
+- avfilter/vsrc_mandelbrot: Check for malloc failure
+- avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements
+- avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment
+- avformat/genh: Check sample rate
+- avformat/demux: Use unsigned to check duration vs duration_text
+- avutil/hwcontext_d3d11va: fix texture_infos writes on non-fixed-size pools
+- avcodec/cuviddec: fix null pointer dereference
+- avcodec/cuviddec: fix AV1 decoding error
+- configure: extend SDL check to accept all 2.x versions
+- lavf/tls_mbedtls: add support for mbedtls version 3
+- fate: update reference files after the recent dash manifest muxer changes
+- avformat/webmdashenc: fix on-demand profile string
+- avcodec/libdav1d: don't depend on the event flags API to init sequence params the first time
+
+version 5.0.1:
+- avcodec/exr: Avoid signed overflow in displayWindow
+- avcodec/diracdec: avoid signed integer overflow in global mv
+- avcodec/takdsp: Fix integer overflow in decorrelate_sf()
+- avcodec/apedec: fix a integer overflow in long_filter_high_3800()
+- avdevice/dshow: fix regression
+- avfilter/vf_subtitles: pass storage size to libass
+- avcodec/vp9_superframe_split_bsf: Don't read inexistent data
+- avcodec/vp9_superframe_split_bsf: Discard invalid zero-sized frames
+- avcodec/vp9_superframe_bsf: Check for existence of data before reading it
+- avcodec/vp9_raw_reorder_bsf: Check for existence of data before reading it
+- avformat/imf: fix packet pts, dts and muxing
+- avformat/imf: open resources only when first needed
+- avformat/imf: cosmetics
+- avformat/imf_cpl: do not use filesize when reading XML file
+- avformat/imfdec: Use proper logcontext
+- avformat/imfdec: do not use filesize when reading XML file
+- doc/utils: add missing 22.2 layout entry
+- avcodec/av1: only set the private context pix_fmt field if get_pixel_format() succeeds
+- avformat/aqtitledec: Skip unrepresentable durations
+- avformat/cafdec: Do not store empty keys in read_info_chunk()
+- avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing
+- avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()
+- avformat/mxfdec: Check count in mxf_read_strong_ref_array()
+- avformat/hls: Check target_duration
+- avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()
+- avformat/matroskadec: Check pre_ns
+- avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior
+- avcodec/libuavs3d: Check ff_set_dimensions() for failure
+- avcodec/speexdec: Align some comments
+- avcodec/speexdec: Use correct doxygen comments
+- avcodec/mjpegbdec: Set buf_size
+- avformat/matroskadec: Use rounded down duration in get_cue_desc() check
+- avcodec/argo: Check packet size
+- avcodec/g729_parser: Check channels
+- avformat/avidec: Check height
+- avformat/rmdec: Better duplicate tags check
+- avformat/mov: Disallow empty sidx
+- avformat/argo_cvg:: Fix order of operations in error check in argo_cvg_write_trailer()
+- avformat/argo_asf: Fix order of operations in error check in argo_asf_write_trailer()
+- avcodec/movtextdec: add () to CMP() macro to avoid unexpected behavior
+- avformat/matroskadec: Check duration
+- avformat/mov: Corner case encryption error cleanup in mov_read_senc()
+- avcodec/jpeglsdec: Fix if( code style
+- avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error
+- avcodec/motion_est: fix indention of ff_get_best_fcode()
+- avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()
+- avformat/hls: Use unsigned for iv computation
+- avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned
+- avformat/matroskadec: Check desc_bytes
+- avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()
+- avformat/matroskadec: Fix infinite loop with bz decompression
+- avformat/utils: keep chapter monotonicity on chapter updates
+- avformat/mov: Check size before subtraction
+- avcodec/cfhd: Avoid signed integer overflow in coeff
+- avcodec/libdav1d: free the Dav1dData packet on dav1d_send_data() failure
+- avcodec/h264_parser: don't alter decoder private data
+- configure: link to libatomic when it's present
+- fate/ffmpeg: add missing samples dependency to fate-shortest
+
+
+version 5.0:
 - ADPCM IMA Westwood encoder
 - Westwood AUD muxer
 - ADPCM IMA Acorn Replay decoder
@@ -44,6 +221,7 @@ version <next>:
 - yadif_videotoolbox filter
 - VideoToolbox ProRes encoder
 - anlmf audio filter
+- IMF demuxer (experimental)


 version 4.4:
--- a/1
+++ b/1
@@ -618,6 +618,7 @@ Jean Delvare                  7CA6 9F44 60F1 BDC4 1FD2 C858 A552 6B9B B3CD 4E6A
 Loren Merritt                 ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE
 Lynne                         FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464
 Michael Niedermayer           9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB
+                              DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64
 Nicolas George                24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93
 Nikolay Aleksandrov           8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1
 Panagiotis Issaris            6571 13A3 33D9 3726 F728 AA98 F643 B12E ECF3 E029
--- a/2
+++ b/2
@@ -1 +1 @@
-4.4.git
+5.0.2
--- a/15
+++ b/15
@@ -0,0 +1,15 @@
+
+              ┌────────────────────────────────────────┐
+              │ RELEASE NOTES for FFmpeg 5.0 "Lorentz" │
+              └────────────────────────────────────────┘
+
+   The FFmpeg Project proudly presents FFmpeg 5.0 "Lorentz", about 9
+   months after the release of FFmpeg 4.4.
+
+   A complete Changelog is available at the root of the project, and the
+   complete Git history on https://git.ffmpeg.org/gitweb/ffmpeg.git
+
+   We hope you will like this release as much as we enjoyed working on it, and
+   as usual, if you have any questions about it, or any FFmpeg related topic,
+   feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask
+   on the mailing-lists.
--- a/34
+++ b/34
@@ -3353,7 +3353,7 @@ librav1e_encoder_deps="librav1e"
 librav1e_encoder_select="extract_extradata_bsf"
 librsvg_decoder_deps="librsvg"
 libshine_encoder_deps="libshine"
-libshine_encoder_select="audio_frame_queue"
+libshine_encoder_select="audio_frame_queue mpegaudioheader"
 libspeex_decoder_deps="libspeex"
 libspeex_encoder_deps="libspeex"
 libspeex_encoder_select="audio_frame_queue"
@@ -3391,6 +3391,7 @@ ac3_demuxer_select="ac3_parser"
 act_demuxer_select="riffdec"
 adts_muxer_select="mpeg4audio"
 aiff_muxer_select="iso_media"
+amv_muxer_select="riffenc"
 asf_demuxer_select="riffdec"
 asf_o_demuxer_select="riffdec"
 asf_muxer_select="riffenc"
@@ -3476,7 +3477,6 @@ w64_muxer_select="wav_muxer"
 wav_demuxer_select="riffdec"
 wav_muxer_select="riffenc"
 webm_chunk_muxer_select="webm_muxer"
-webm_muxer_select="mpeg4audio riffenc"
 webm_dash_manifest_demuxer_select="matroska_demuxer"
 wtv_demuxer_select="mpegts_demuxer riffdec"
 wtv_muxer_select="mpegts_muxer riffenc"
@@ -3498,6 +3498,7 @@ caca_outdev_deps="libcaca"
 decklink_deps_any="libdl LoadLibrary"
 decklink_indev_deps="decklink threads"
 decklink_indev_extralibs="-lstdc++"
+decklink_indev_suggest="libzvbi"
 decklink_outdev_deps="decklink threads"
 decklink_outdev_suggest="libklvanc"
 decklink_outdev_extralibs="-lstdc++"
@@ -3790,20 +3791,20 @@ cws2fws_extralibs="zlib_extralibs"

 # libraries, in any order
 avcodec_deps="avutil"
-avcodec_suggest="libm"
+avcodec_suggest="libm stdatomic"
 avdevice_deps="avformat avcodec avutil"
-avdevice_suggest="libm"
+avdevice_suggest="libm stdatomic"
 avfilter_deps="avutil"
-avfilter_suggest="libm"
+avfilter_suggest="libm stdatomic"
 avformat_deps="avcodec avutil"
-avformat_suggest="libm network zlib"
-avutil_suggest="clock_gettime ffnvcodec libm libdrm libmfx opencl user32 vaapi vulkan videotoolbox corefoundation corevideo coremedia bcrypt"
+avformat_suggest="libm network zlib stdatomic"
+avutil_suggest="clock_gettime ffnvcodec libm libdrm libmfx opencl user32 vaapi vulkan videotoolbox corefoundation corevideo coremedia bcrypt stdatomic"
 postproc_deps="avutil gpl"
-postproc_suggest="libm"
+postproc_suggest="libm stdatomic"
 swresample_deps="avutil"
-swresample_suggest="libm libsoxr"
+swresample_suggest="libm libsoxr stdatomic"
 swscale_deps="avutil"
-swscale_suggest="libm"
+swscale_suggest="libm stdatomic"

 avcodec_extralibs="pthreads_extralibs iconv_extralibs dxva2_extralibs"
 avfilter_extralibs="pthreads_extralibs"
@@ -6320,7 +6321,14 @@ check_headers asm/types.h
 # it seems there are versions of clang in some distros that try to use the
 # gcc headers, which explodes for stdatomic
 # so we also check that atomics actually work here
-check_builtin stdatomic stdatomic.h "atomic_int foo, bar = ATOMIC_VAR_INIT(-1); atomic_store(&foo, 0); foo += bar"
+#
+# some configurations also require linking to libatomic, so try
+# both with -latomic and without
+for LATOMIC in "-latomic" ""; do
+    check_builtin stdatomic stdatomic.h                                                 \
+        "atomic_int foo, bar = ATOMIC_VAR_INIT(-1); atomic_store(&foo, 0); foo += bar"  \
+        $LATOMIC && eval stdatomic_extralibs="\$LATOMIC" && break
+done

 check_lib advapi32 "windows.h"            RegCloseKey          -ladvapi32
 check_lib bcrypt   "windows.h bcrypt.h"   BCryptGenRandom      -lbcrypt &&
@@ -6586,7 +6594,7 @@ enabled libopus           && {
        require_pkg_config libopus opus opus_multistream.h opus_multistream_surround_encoder_create
    }
 }
-enabled libplacebo        && require_pkg_config libplacebo "libplacebo >= 4.184.0" libplacebo/vulkan.h pl_vulkan_create
+enabled libplacebo        && require_pkg_config libplacebo "libplacebo >= 4.192.0" libplacebo/vulkan.h pl_vulkan_create
 enabled libpulse          && require_pkg_config libpulse libpulse pulse/pulseaudio.h pa_context_new
 enabled librabbitmq       && require_pkg_config librabbitmq "librabbitmq >= 0.7.1" amqp.h amqp_new_connection
 enabled librav1e          && require_pkg_config librav1e "rav1e >= 0.4.0" rav1e.h rav1e_context_new
@@ -6731,7 +6739,7 @@ fi

 if enabled sdl2; then
    SDL2_CONFIG="${cross_prefix}sdl2-config"
-    test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 2.1.0" SDL_events.h SDL_PollEvent
+    test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 3.0.0" SDL_events.h SDL_PollEvent
    if disabled sdl2 && "${SDL2_CONFIG}" --version > /dev/null 2>&1; then
        sdl2_cflags=$("${SDL2_CONFIG}" --cflags)
        sdl2_extralibs=$("${SDL2_CONFIG}" --libs)
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         =
+PROJECT_NUMBER         = 5.0.2

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
--- a/doc/git-howto.texi
+++ b/doc/git-howto.texi
@@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions.
 git add [-i|-p|-A] <filenames/dirnames>
@end example

-Make sure you have told Git your name and email address
+Make sure you have told Git your name, email address and GPG key

@example
 git config --global user.name "My Name"
 git config --global user.email my@@email.invalid
+git config --global user.signingkey ABCDEF0123245
+@end example
+
+Enable signing all commits or use -S
+
+@example
+git config --global commit.gpgsign true
@end example

 Use @option{--global} to set the global configuration for all your Git checkouts.
@@ -423,6 +430,19 @@ git checkout -b svn_23456 $SHA1
 where @var{$SHA1} is the commit hash from the @command{git log} output.


+@chapter gpg key generation
+
+If you have no gpg key yet, we recommend that you create a ed25519 based key as it
+is small, fast and secure. Especially it results in small signatures in git.
+
+@example
+gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@@server.com"
+@end example
+
+When generating a key, make sure the email specified matches the email used in git as some sites like
+github consider mismatches a reason to declare such commits unverified. After generating a key you
+can add it to the MAINTAINER file and upload it to a keyserver.
+
@chapter Pre-push checklist

 Once you have a set of commits that you feel are ready for pushing,
--- a/doc/utils.texi
+++ b/doc/utils.texi
@@ -719,6 +719,8 @@ FL+FR+FC+BL+BR+BC+SL+SR
 FL+FR+FC+BL+BR+BC+SL+SR+WL+WR+TBL+TBR+TBC+TFC+TFL+TFR
@item downmix
 DL+DR
+@item 22.2
+FL+FR+FC+LFE+BL+BR+FLC+FRC+BC+SL+SR+TC+TFL+TFC+TFR+TBL+TBC+TBR+LFE2+TSL+TSR+BFC+BFL+BFR
@end table

 A custom channel layout can be specified as a sequence of terms, separated by
--- a/fftools/cmdutils.c
+++ b/fftools/cmdutils.c
@@ -1823,7 +1823,7 @@ int show_sample_fmts(void *optctx, const char *opt, const char *arg)
 int show_dispositions(void *optctx, const char *opt, const char *arg)
 {
    for (int i = 0; i < 32; i++) {
-        const char *str = av_disposition_to_string(1 << i);
+        const char *str = av_disposition_to_string(1U << i);
        if (str)
            printf("%s\n", str);
    }
--- a/libavcodec/8bps.c
+++ b/libavcodec/8bps.c
@@ -71,6 +71,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    unsigned char *planemap = c->planemap;
    int ret;

+    if (buf_size < planes * height *2)
+        return AVERROR_INVALIDDATA;
+
    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
        return ret;

--- a/libavcodec/Makefile
+++ b/libavcodec/Makefile
@@ -118,7 +118,8 @@ OBJS-$(CONFIG_MDCT)                    += mdct_float.o mdct_fixed_32.o
 OBJS-$(CONFIG_ME_CMP)                  += me_cmp.o
 OBJS-$(CONFIG_MEDIACODEC)              += mediacodecdec_common.o mediacodec_surface.o mediacodec_wrapper.o mediacodec_sw_buffer.o
 OBJS-$(CONFIG_MPEG_ER)                 += mpeg_er.o
-OBJS-$(CONFIG_MPEGAUDIO)               += mpegaudio.o mpegaudiodec_common.o
+OBJS-$(CONFIG_MPEGAUDIO)               += mpegaudio.o mpegaudiodec_common.o \
+                                          mpegaudiodata.o
 OBJS-$(CONFIG_MPEGAUDIODSP)            += mpegaudiodsp.o                \
                                          mpegaudiodsp_data.o           \
                                          mpegaudiodsp_fixed.o          \
@@ -133,7 +134,6 @@ OBJS-$(CONFIG_MPEGVIDEOENC)            += mpegvideo_enc.o mpeg12data.o  \
                                          motion_est.o ratecontrol.o    \
                                          mpegvideoencdsp.o
 OBJS-$(CONFIG_MSS34DSP)                += mss34dsp.o
-OBJS-$(CONFIG_NVENC)                   += nvenc.o
 OBJS-$(CONFIG_PIXBLOCKDSP)             += pixblockdsp.o
 OBJS-$(CONFIG_QPELDSP)                 += qpeldsp.o
 OBJS-$(CONFIG_QSV)                     += qsv.o
@@ -381,7 +381,7 @@ OBJS-$(CONFIG_H264_CUVID_DECODER)      += cuviddec.o
 OBJS-$(CONFIG_H264_MEDIACODEC_DECODER) += mediacodecdec.o
 OBJS-$(CONFIG_H264_MF_ENCODER)         += mfenc.o mf_utils.o
 OBJS-$(CONFIG_H264_MMAL_DECODER)       += mmaldec.o
-OBJS-$(CONFIG_H264_NVENC_ENCODER)      += nvenc_h264.o
+OBJS-$(CONFIG_H264_NVENC_ENCODER)      += nvenc_h264.o nvenc.o
 OBJS-$(CONFIG_H264_OMX_ENCODER)        += omx.o
 OBJS-$(CONFIG_H264_QSV_DECODER)        += qsvdec.o
 OBJS-$(CONFIG_H264_QSV_ENCODER)        += qsvenc_h264.o
@@ -396,12 +396,13 @@ OBJS-$(CONFIG_HCA_DECODER)             += hcadec.o
 OBJS-$(CONFIG_HCOM_DECODER)            += hcom.o
 OBJS-$(CONFIG_HEVC_DECODER)            += hevcdec.o hevc_mvs.o \
                                          hevc_cabac.o hevc_refs.o hevcpred.o    \
-                                          hevcdsp.o hevc_filter.o hevc_data.o
+                                          hevcdsp.o hevc_filter.o hevc_data.o \
+                                          h274.o
 OBJS-$(CONFIG_HEVC_AMF_ENCODER)        += amfenc_hevc.o
 OBJS-$(CONFIG_HEVC_CUVID_DECODER)      += cuviddec.o
 OBJS-$(CONFIG_HEVC_MEDIACODEC_DECODER) += mediacodecdec.o
 OBJS-$(CONFIG_HEVC_MF_ENCODER)         += mfenc.o mf_utils.o
-OBJS-$(CONFIG_HEVC_NVENC_ENCODER)      += nvenc_hevc.o
+OBJS-$(CONFIG_HEVC_NVENC_ENCODER)      += nvenc_hevc.o nvenc.o
 OBJS-$(CONFIG_HEVC_QSV_DECODER)        += qsvdec.o
 OBJS-$(CONFIG_HEVC_QSV_ENCODER)        += qsvenc_hevc.o hevc_ps_enc.o       \
                                          hevc_data.o
@@ -886,6 +887,7 @@ OBJS-$(CONFIG_ADPCM_G726LE_DECODER)       += g726.o
 OBJS-$(CONFIG_ADPCM_G726LE_ENCODER)       += g726.o
 OBJS-$(CONFIG_ADPCM_IMA_ACORN_DECODER)    += adpcm.o adpcm_data.o
 OBJS-$(CONFIG_ADPCM_IMA_AMV_DECODER)      += adpcm.o adpcm_data.o
+OBJS-$(CONFIG_ADPCM_IMA_AMV_ENCODER)      += adpcmenc.o adpcm_data.o
 OBJS-$(CONFIG_ADPCM_IMA_ALP_DECODER)      += adpcm.o adpcm_data.o
 OBJS-$(CONFIG_ADPCM_IMA_ALP_ENCODER)      += adpcmenc.o adpcm_data.o
 OBJS-$(CONFIG_ADPCM_IMA_APC_DECODER)      += adpcm.o adpcm_data.o
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -716,9 +716,7 @@ static ChannelElement *get_che(AACContext *ac, int type, int elem_id)
            return ac->tag_che_map[TYPE_CPE][elem_id] = ac->che[TYPE_CPE][2];
        }
    case 11:
-        if (ac->tags_mapped == 2 &&
-            ac->oc[1].m4ac.chan_config == 11 &&
-            type == TYPE_SCE) {
+        if (ac->tags_mapped == 3 && type == TYPE_SCE) {
            ac->tags_mapped++;
            return ac->tag_che_map[TYPE_SCE][elem_id] = ac->che[TYPE_SCE][1];
        }
--- a/libavcodec/aacdectab.h
+++ b/libavcodec/aacdectab.h
@@ -35,7 +35,7 @@

 #include <stdint.h>

-static const int8_t tags_per_config[16] = { 0, 1, 1, 2, 3, 3, 4, 5, 0, 0, 0, 4, 5, 16, 5, 0 };
+static const int8_t tags_per_config[16] = { 0, 1, 1, 2, 3, 3, 4, 5, 0, 0, 0, 5, 5, 16, 5, 0 };

 static const uint8_t aac_channel_layout_map[16][16][3] = {
    { { TYPE_SCE, 0, AAC_CHANNEL_FRONT }, },
@@ -83,7 +83,7 @@ static const uint64_t aac_channel_layout[16] = {
    0,
    0,
    0,
-    AV_CH_LAYOUT_6POINT1,
+    AV_CH_LAYOUT_6POINT1_BACK,
    AV_CH_LAYOUT_7POINT1,
    AV_CH_LAYOUT_22POINT2,
    0,
--- a/libavcodec/aarch64/hevcdsp_init_aarch64.c
+++ b/libavcodec/aarch64/hevcdsp_init_aarch64.c
@@ -75,7 +75,11 @@ av_cold void ff_hevc_dsp_init_aarch64(HEVCDSPContext *c, const int bit_depth)
        c->idct_dc[1]                  = ff_hevc_idct_8x8_dc_8_neon;
        c->idct_dc[2]                  = ff_hevc_idct_16x16_dc_8_neon;
        c->idct_dc[3]                  = ff_hevc_idct_32x32_dc_8_neon;
-        c->sao_band_filter[0]          = ff_hevc_sao_band_filter_8x8_8_neon;
+        // This function is disabled, as it doesn't handle widths that aren't
+        // an even multiple of 8 correctly. fate-hevc doesn't exercise that
+        // for the current size, but if enabled for bigger sizes, the cases
+        // of non-multiple of 8 seem to arise.
+//        c->sao_band_filter[0]          = ff_hevc_sao_band_filter_8x8_8_neon;
    }
    if (bit_depth == 10) {
        c->add_residual[0]             = ff_hevc_add_residual_4x4_10_neon;
--- a/libavcodec/aasc.c
+++ b/libavcodec/aasc.c
@@ -104,26 +104,26 @@ static int aasc_decode_frame(AVCodecContext *avctx,
        ff_msrle_decode(avctx, s->frame, 8, &s->gb);
        break;
    case MKTAG('A', 'A', 'S', 'C'):
-    switch (compr) {
-    case 0:
-        stride = (avctx->width * psize + psize) & ~psize;
-        if (buf_size < stride * avctx->height)
+        switch (compr) {
+        case 0:
+            stride = (avctx->width * psize + psize) & ~psize;
+            if (buf_size < stride * avctx->height)
+                return AVERROR_INVALIDDATA;
+            for (i = avctx->height - 1; i >= 0; i--) {
+                memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize);
+                buf += stride;
+                buf_size -= stride;
+            }
+            break;
+        case 1:
+            bytestream2_init(&s->gb, buf, buf_size);
+            ff_msrle_decode(avctx, s->frame, 8, &s->gb);
+            break;
+        default:
+            av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr);
            return AVERROR_INVALIDDATA;
-        for (i = avctx->height - 1; i >= 0; i--) {
-            memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize);
-            buf += stride;
-            buf_size -= stride;
        }
        break;
-    case 1:
-        bytestream2_init(&s->gb, buf, buf_size);
-        ff_msrle_decode(avctx, s->frame, 8, &s->gb);
-        break;
-    default:
-        av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr);
-        return AVERROR_INVALIDDATA;
-    }
-        break;
    default:
        av_log(avctx, AV_LOG_ERROR, "Unknown FourCC: %X\n", avctx->codec_tag);
        return -1;
--- a/libavcodec/alacdsp.c
+++ b/libavcodec/alacdsp.c
@@ -29,12 +29,12 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples,
    int i;

    for (i = 0; i < nb_samples; i++) {
-        int32_t a, b;
+        uint32_t a, b;

        a = buffer[0][i];
        b = buffer[1][i];

-        a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift;
+        a -= (int)(b * decorr_left_weight) >> decorr_shift;
        b += a;

        buffer[0][i] = b;
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -930,7 +930,7 @@ static av_always_inline int filter_3800(APEPredictor *p,
    p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign;
    p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign;

-    p->filterB[filter] = p->lastA[filter] + (predictionB >> shift);
+    p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift);
    p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5);

    return p->filterA[filter];
@@ -955,7 +955,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len
            dotprod += delay[j] * (unsigned)coeffs[j];
            coeffs[j] += ((delay[j] >> 31) | 1) * sign;
        }
-        buffer[i] -= dotprod >> shift;
+        buffer[i] -= (unsigned)(dotprod >> shift);
        for (j = 0; j < order - 1; j++)
            delay[j] = delay[j + 1];
        delay[order - 1] = buffer[i];
@@ -1088,13 +1088,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
                                                  const int delayA)
 {
    int32_t predictionA, sign;
-    int32_t d0, d1, d2, d3;
+    uint32_t d0, d1, d2, d3;

    p->buf[delayA]     = p->lastA[filter];
    d0 = p->buf[delayA    ];
-    d1 = p->buf[delayA    ] - p->buf[delayA - 1];
-    d2 = p->buf[delayA - 1] - p->buf[delayA - 2];
-    d3 = p->buf[delayA - 2] - p->buf[delayA - 3];
+    d1 = p->buf[delayA    ] - (unsigned)p->buf[delayA - 1];
+    d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2];
+    d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3];

    predictionA = d0 * p->coeffsA[filter][0] +
                  d1 * p->coeffsA[filter][1] +
@@ -1105,10 +1105,10 @@ static av_always_inline int predictor_update_3930(APEPredictor *p,
    p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5);

    sign = APESIGN(decoded);
-    p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign;
-    p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign;
+    p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign;

    return p->filterA[filter];
 }
--- a/libavcodec/argo.c
+++ b/libavcodec/argo.c
@@ -607,6 +607,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    uint32_t chunk;
    int ret;

+    if (avpkt->size < 4)
+        return AVERROR_INVALIDDATA;
+
    bytestream2_init(gb, avpkt->data, avpkt->size);

    if ((ret = ff_reget_buffer(avctx, frame, 0)) < 0)
--- a/libavcodec/arm/sbcdsp_neon.S
+++ b/libavcodec/arm/sbcdsp_neon.S
@@ -38,49 +38,49 @@ function ff_sbc_analyze_4_neon, export=1
        /* TODO: merge even and odd cases (or even merge all four calls to this
         * function) in order to have only aligned reads from 'in' array
         * and reduce number of load instructions */
-        vld1.16         {d4, d5}, [r0, :64]!
-        vld1.16         {d8, d9}, [r2, :128]!
+        vld1.16         {d16, d17}, [r0, :64]!
+        vld1.16         {d20, d21}, [r2, :128]!

-        vmull.s16       q0, d4, d8
-        vld1.16         {d6,  d7}, [r0, :64]!
-        vmull.s16       q1, d5, d9
-        vld1.16         {d10, d11}, [r2, :128]!
+        vmull.s16       q0, d16, d20
+        vld1.16         {d18, d19}, [r0, :64]!
+        vmull.s16       q1, d17, d21
+        vld1.16         {d22, d23}, [r2, :128]!

-        vmlal.s16       q0, d6, d10
-        vld1.16         {d4, d5}, [r0, :64]!
-        vmlal.s16       q1, d7, d11
-        vld1.16         {d8, d9}, [r2, :128]!
+        vmlal.s16       q0, d18, d22
+        vld1.16         {d16, d17}, [r0, :64]!
+        vmlal.s16       q1, d19, d23
+        vld1.16         {d20, d21}, [r2, :128]!

-        vmlal.s16       q0, d4, d8
-        vld1.16         {d6,  d7}, [r0, :64]!
-        vmlal.s16       q1, d5, d9
-        vld1.16         {d10, d11}, [r2, :128]!
+        vmlal.s16       q0, d16, d20
+        vld1.16         {d18, d19}, [r0, :64]!
+        vmlal.s16       q1, d17, d21
+        vld1.16         {d22, d23}, [r2, :128]!

-        vmlal.s16       q0, d6, d10
-        vld1.16         {d4, d5}, [r0, :64]!
-        vmlal.s16       q1, d7, d11
-        vld1.16         {d8, d9}, [r2, :128]!
+        vmlal.s16       q0, d18, d22
+        vld1.16         {d16, d17}, [r0, :64]!
+        vmlal.s16       q1, d19, d23
+        vld1.16         {d20, d21}, [r2, :128]!

-        vmlal.s16       q0, d4, d8
-        vmlal.s16       q1, d5, d9
+        vmlal.s16       q0, d16, d20
+        vmlal.s16       q1, d17, d21

        vpadd.s32       d0, d0, d1
        vpadd.s32       d1, d2, d3

        vrshrn.s32      d0, q0, SBC_PROTO_FIXED_SCALE

-        vld1.16         {d2, d3, d4, d5}, [r2, :128]!
+        vld1.16         {d16, d17, d18, d19}, [r2, :128]!

        vdup.i32        d1, d0[1]  /* TODO: can be eliminated */
        vdup.i32        d0, d0[0]  /* TODO: can be eliminated */

-        vmull.s16       q3, d2, d0
-        vmull.s16       q4, d3, d0
-        vmlal.s16       q3, d4, d1
-        vmlal.s16       q4, d5, d1
+        vmull.s16       q10, d16, d0
+        vmull.s16       q11, d17, d0
+        vmlal.s16       q10, d18, d1
+        vmlal.s16       q11, d19, d1

-        vpadd.s32       d0, d6, d7 /* TODO: can be eliminated */
-        vpadd.s32       d1, d8, d9 /* TODO: can be eliminated */
+        vpadd.s32       d0, d20, d21 /* TODO: can be eliminated */
+        vpadd.s32       d1, d22, d23 /* TODO: can be eliminated */

        vst1.32         {d0, d1}, [r1, :128]

@@ -91,57 +91,57 @@ function ff_sbc_analyze_8_neon, export=1
        /* TODO: merge even and odd cases (or even merge all four calls to this
         * function) in order to have only aligned reads from 'in' array
         * and reduce number of load instructions */
-        vld1.16         {d4, d5}, [r0, :64]!
-        vld1.16         {d8, d9}, [r2, :128]!
+        vld1.16         {d16, d17}, [r0, :64]!
+        vld1.16         {d20, d21}, [r2, :128]!

-        vmull.s16       q6, d4, d8
-        vld1.16         {d6,  d7}, [r0, :64]!
-        vmull.s16       q7, d5, d9
-        vld1.16         {d10, d11}, [r2, :128]!
-        vmull.s16       q8, d6, d10
-        vld1.16         {d4, d5}, [r0, :64]!
-        vmull.s16       q9, d7, d11
-        vld1.16         {d8, d9}, [r2, :128]!
+        vmull.s16       q12, d16, d20
+        vld1.16         {d18, d19}, [r0, :64]!
+        vmull.s16       q13, d17, d21
+        vld1.16         {d22, d23}, [r2, :128]!
+        vmull.s16       q14, d18, d22
+        vld1.16         {d16, d17}, [r0, :64]!
+        vmull.s16       q15, d19, d23
+        vld1.16         {d20, d21}, [r2, :128]!

-        vmlal.s16       q6, d4, d8
-        vld1.16         {d6,  d7}, [r0, :64]!
-        vmlal.s16       q7, d5, d9
-        vld1.16         {d10, d11}, [r2, :128]!
-        vmlal.s16       q8, d6, d10
-        vld1.16         {d4, d5}, [r0, :64]!
-        vmlal.s16       q9, d7, d11
-        vld1.16         {d8, d9}, [r2, :128]!
+        vmlal.s16       q12, d16, d20
+        vld1.16         {d18, d19}, [r0, :64]!
+        vmlal.s16       q13, d17, d21
+        vld1.16         {d22, d23}, [r2, :128]!
+        vmlal.s16       q14, d18, d22
+        vld1.16         {d16, d17}, [r0, :64]!
+        vmlal.s16       q15, d19, d23
+        vld1.16         {d20, d21}, [r2, :128]!

-        vmlal.s16       q6, d4, d8
-        vld1.16         {d6,  d7}, [r0, :64]!
-        vmlal.s16       q7, d5, d9
-        vld1.16         {d10, d11}, [r2, :128]!
-        vmlal.s16       q8, d6, d10
-        vld1.16         {d4, d5}, [r0, :64]!
-        vmlal.s16       q9, d7, d11
-        vld1.16         {d8, d9}, [r2, :128]!
+        vmlal.s16       q12, d16, d20
+        vld1.16         {d18, d19}, [r0, :64]!
+        vmlal.s16       q13, d17, d21
+        vld1.16         {d22, d23}, [r2, :128]!
+        vmlal.s16       q14, d18, d22
+        vld1.16         {d16, d17}, [r0, :64]!
+        vmlal.s16       q15, d19, d23
+        vld1.16         {d20, d21}, [r2, :128]!

-        vmlal.s16       q6, d4, d8
-        vld1.16         {d6,  d7}, [r0, :64]!
-        vmlal.s16       q7, d5, d9
-        vld1.16         {d10, d11}, [r2, :128]!
-        vmlal.s16       q8, d6, d10
-        vld1.16         {d4, d5}, [r0, :64]!
-        vmlal.s16       q9, d7, d11
-        vld1.16         {d8, d9}, [r2, :128]!
+        vmlal.s16       q12, d16, d20
+        vld1.16         {d18, d19}, [r0, :64]!
+        vmlal.s16       q13, d17, d21
+        vld1.16         {d22, d23}, [r2, :128]!
+        vmlal.s16       q14, d18, d22
+        vld1.16         {d16, d17}, [r0, :64]!
+        vmlal.s16       q15, d19, d23
+        vld1.16         {d20, d21}, [r2, :128]!

-        vmlal.s16       q6, d4, d8
-        vld1.16         {d6,  d7}, [r0, :64]!
-        vmlal.s16       q7, d5, d9
-        vld1.16         {d10, d11}, [r2, :128]!
+        vmlal.s16       q12, d16, d20
+        vld1.16         {d18, d19}, [r0, :64]!
+        vmlal.s16       q13, d17, d21
+        vld1.16         {d22, d23}, [r2, :128]!

-        vmlal.s16       q8, d6, d10
-        vmlal.s16       q9, d7, d11
+        vmlal.s16       q14, d18, d22
+        vmlal.s16       q15, d19, d23

-        vpadd.s32       d0, d12, d13
-        vpadd.s32       d1, d14, d15
-        vpadd.s32       d2, d16, d17
-        vpadd.s32       d3, d18, d19
+        vpadd.s32       d0, d24, d25
+        vpadd.s32       d1, d26, d27
+        vpadd.s32       d2, d28, d29
+        vpadd.s32       d3, d30, d31

        vrshr.s32       q0, q0, SBC_PROTO_FIXED_SCALE
        vrshr.s32       q1, q1, SBC_PROTO_FIXED_SCALE
@@ -153,38 +153,38 @@ function ff_sbc_analyze_8_neon, export=1
        vdup.i32        d1, d0[1]  /* TODO: can be eliminated */
        vdup.i32        d0, d0[0]  /* TODO: can be eliminated */

-        vld1.16         {d4, d5}, [r2, :128]!
-        vmull.s16       q6, d4, d0
-        vld1.16         {d6, d7}, [r2, :128]!
-        vmull.s16       q7, d5, d0
-        vmull.s16       q8, d6, d0
-        vmull.s16       q9, d7, d0
+        vld1.16         {d16, d17}, [r2, :128]!
+        vmull.s16       q12, d16, d0
+        vld1.16         {d18, d19}, [r2, :128]!
+        vmull.s16       q13, d17, d0
+        vmull.s16       q14, d18, d0
+        vmull.s16       q15, d19, d0

-        vld1.16         {d4, d5}, [r2, :128]!
-        vmlal.s16       q6, d4, d1
-        vld1.16         {d6, d7}, [r2, :128]!
-        vmlal.s16       q7, d5, d1
-        vmlal.s16       q8, d6, d1
-        vmlal.s16       q9, d7, d1
+        vld1.16         {d16, d17}, [r2, :128]!
+        vmlal.s16       q12, d16, d1
+        vld1.16         {d18, d19}, [r2, :128]!
+        vmlal.s16       q13, d17, d1
+        vmlal.s16       q14, d18, d1
+        vmlal.s16       q15, d19, d1

-        vld1.16         {d4, d5}, [r2, :128]!
-        vmlal.s16       q6, d4, d2
-        vld1.16         {d6, d7}, [r2, :128]!
-        vmlal.s16       q7, d5, d2
-        vmlal.s16       q8, d6, d2
-        vmlal.s16       q9, d7, d2
+        vld1.16         {d16, d17}, [r2, :128]!
+        vmlal.s16       q12, d16, d2
+        vld1.16         {d18, d19}, [r2, :128]!
+        vmlal.s16       q13, d17, d2
+        vmlal.s16       q14, d18, d2
+        vmlal.s16       q15, d19, d2

-        vld1.16         {d4, d5}, [r2, :128]!
-        vmlal.s16       q6, d4, d3
-        vld1.16         {d6, d7}, [r2, :128]!
-        vmlal.s16       q7, d5, d3
-        vmlal.s16       q8, d6, d3
-        vmlal.s16       q9, d7, d3
+        vld1.16         {d16, d17}, [r2, :128]!
+        vmlal.s16       q12, d16, d3
+        vld1.16         {d18, d19}, [r2, :128]!
+        vmlal.s16       q13, d17, d3
+        vmlal.s16       q14, d18, d3
+        vmlal.s16       q15, d19, d3

-        vpadd.s32       d0, d12, d13 /* TODO: can be eliminated */
-        vpadd.s32       d1, d14, d15 /* TODO: can be eliminated */
-        vpadd.s32       d2, d16, d17 /* TODO: can be eliminated */
-        vpadd.s32       d3, d18, d19 /* TODO: can be eliminated */
+        vpadd.s32       d0, d24, d25 /* TODO: can be eliminated */
+        vpadd.s32       d1, d26, d27 /* TODO: can be eliminated */
+        vpadd.s32       d2, d28, d29 /* TODO: can be eliminated */
+        vpadd.s32       d3, d30, d31 /* TODO: can be eliminated */

        vst1.32         {d0, d1, d2, d3}, [r1, :128]

--- a/libavcodec/atrac3plusdec.c
+++ b/libavcodec/atrac3plusdec.c
@@ -47,6 +47,17 @@
 #include "atrac.h"
 #include "atrac3plus.h"

+static const uint8_t channel_map[8][8] = {
+    { 0, },
+    { 0, 1, },
+    { 0, 1, 2, },
+    { 0, 1, 2, 3, },
+    { 0, },
+    { 0, 1, 2, 4, 5, 3, },
+    { 0, 1, 2, 4, 5, 6, 3, },
+    { 0, 1, 2, 4, 5, 6, 7, 3, },
+};
+
 typedef struct ATRAC3PContext {
    GetBitContext gb;
    AVFloatDSPContext *fdsp;
@@ -65,6 +76,7 @@ typedef struct ATRAC3PContext {
    int num_channel_blocks;     ///< number of channel blocks
    uint8_t channel_blocks[5];  ///< channel configuration descriptor
    uint64_t my_channel_layout; ///< current channel layout
+    const uint8_t *channel_map; ///< channel layout map
 } ATRAC3PContext;

 static av_cold int atrac3p_decode_close(AVCodecContext *avctx)
@@ -143,6 +155,8 @@ static av_cold int set_channel_params(ATRAC3PContext *ctx,
        return AVERROR_INVALIDDATA;
    }

+    ctx->channel_map = channel_map[avctx->channels - 1];
+
    return 0;
 }

@@ -381,7 +395,7 @@ static int atrac3p_decode_frame(AVCodecContext *avctx, void *data,
                          channels_to_process, avctx);

        for (i = 0; i < channels_to_process; i++)
-            memcpy(samples_p[out_ch_index + i], ctx->outp_buf[i],
+            memcpy(samples_p[ctx->channel_map[out_ch_index + i]], ctx->outp_buf[i],
                   ATRAC3P_FRAME_SAMPLES * sizeof(**samples_p));

        ch_block++;
--- a/libavcodec/av1dec.c
+++ b/libavcodec/av1dec.c
@@ -499,9 +499,8 @@ static int get_pixel_format(AVCodecContext *avctx)

    if (pix_fmt == AV_PIX_FMT_NONE)
        return -1;
-    s->pix_fmt = pix_fmt;

-    switch (s->pix_fmt) {
+    switch (pix_fmt) {
    case AV_PIX_FMT_YUV420P:
 #if CONFIG_AV1_DXVA2_HWACCEL
        *fmtp++ = AV_PIX_FMT_DXVA2_VLD;
@@ -544,7 +543,7 @@ static int get_pixel_format(AVCodecContext *avctx)
        break;
    }

-    *fmtp++ = s->pix_fmt;
+    *fmtp++ = pix_fmt;
    *fmtp = AV_PIX_FMT_NONE;

    ret = ff_thread_get_format(avctx, pix_fmts);
@@ -562,6 +561,7 @@ static int get_pixel_format(AVCodecContext *avctx)
        return AVERROR(ENOSYS);
    }

+    s->pix_fmt = pix_fmt;
    avctx->pix_fmt = ret;

    return 0;
@@ -1240,6 +1240,7 @@ const AVCodec ff_av1_decoder = {
    .flush                 = av1_decode_flush,
    .profiles              = NULL_IF_CONFIG_SMALL(ff_av1_profiles),
    .priv_class            = &av1_class,
+    .bsfs                  = "av1_frame_split",
    .hw_configs            = (const AVCodecHWConfigInternal *const []) {
 #if CONFIG_AV1_DXVA2_HWACCEL
        HWACCEL_DXVA2(av1),
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -1087,7 +1087,7 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
        for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) {
            blk = get_value(c, BINK_SRC_BLOCK_TYPES);
            // 16x16 block type on odd line means part of the already decoded block, so skip it
-            if ((by & 1) && blk == SCALED_BLOCK) {
+            if (((by & 1) || (bx & 1)) && blk == SCALED_BLOCK) {
                bx++;
                dst  += 8;
                prev += 8;
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -239,7 +239,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
    for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++)
        memcpy(out + FFMAX(0, hinc) + stride * y,
               in + FFMAX(0, hinc) - hinc + (y - vinc) * stride,
-               FFMIN(stride + hinc, stride));
+               FFABS(stride) - FFABS(hinc));

    if (vinc > 0)
        cdg_fill_wrapper(0, 0, out,
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -838,7 +838,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
                            const uint16_t q = s->quantisation;

                            for (i = 0; i < run; i++) {
-                                *coeff_data |= coeff * 256;
+                                *coeff_data |= coeff * 256U;
                                *coeff_data++ *= q;
                            }
                        } else {
@@ -869,7 +869,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
                            const uint16_t q = s->quantisation;

                            for (i = 0; i < run; i++) {
-                                *coeff_data |= coeff * 256;
+                                *coeff_data |= coeff * 256U;
                                *coeff_data++ *= q;
                            }
                        } else {
--- a/libavcodec/cuviddec.c
+++ b/libavcodec/cuviddec.c
@@ -653,21 +653,23 @@ error:
 static av_cold int cuvid_decode_end(AVCodecContext *avctx)
 {
    CuvidContext *ctx = avctx->priv_data;
-    AVHWDeviceContext *device_ctx = (AVHWDeviceContext *)ctx->hwdevice->data;
-    AVCUDADeviceContext *device_hwctx = device_ctx->hwctx;
-    CUcontext dummy, cuda_ctx = device_hwctx->cuda_ctx;
+    AVHWDeviceContext *device_ctx = ctx->hwdevice ? (AVHWDeviceContext *)ctx->hwdevice->data : NULL;
+    AVCUDADeviceContext *device_hwctx = device_ctx ? device_ctx->hwctx : NULL;
+    CUcontext dummy, cuda_ctx = device_hwctx ? device_hwctx->cuda_ctx : NULL;

    av_fifo_freep(&ctx->frame_queue);

-    ctx->cudl->cuCtxPushCurrent(cuda_ctx);
+    if (cuda_ctx) {
+        ctx->cudl->cuCtxPushCurrent(cuda_ctx);

-    if (ctx->cuparser)
-        ctx->cvdl->cuvidDestroyVideoParser(ctx->cuparser);
+        if (ctx->cuparser)
+            ctx->cvdl->cuvidDestroyVideoParser(ctx->cuparser);

-    if (ctx->cudecoder)
-        ctx->cvdl->cuvidDestroyDecoder(ctx->cudecoder);
+        if (ctx->cudecoder)
+            ctx->cvdl->cuvidDestroyDecoder(ctx->cudecoder);

-    ctx->cudl->cuCtxPopCurrent(&dummy);
+        ctx->cudl->cuCtxPopCurrent(&dummy);
+    }

    ctx->cudl = NULL;

@@ -951,6 +953,16 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx)
        extradata_size = avctx->extradata_size;
    }

+    // Check first bit to determine whether it's AV1CodecConfigurationRecord.
+    // Skip first 4 bytes of AV1CodecConfigurationRecord to keep configOBUs
+    // only, otherwise cuvidParseVideoData report unknown error.
+    if (avctx->codec->id == AV_CODEC_ID_AV1 &&
+            extradata_size > 4 &&
+            extradata[0] & 0x80) {
+        extradata += 4;
+        extradata_size -= 4;
+    }
+
    ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext)
            + FFMAX(extradata_size - (int)sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0));
    if (!ctx->cuparse_ext) {
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1432,8 +1432,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
    int *c      = s->globalmc[ref].perspective;

    int64_t m   = (1<<ep) - (c[0]*(int64_t)x + c[1]*(int64_t)y);
-    int64_t mx  = m * (int64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
-    int64_t my  = m * (int64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);
+    int64_t mx  = m * (uint64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1LL<<ez) * b[0]);
+    int64_t my  = m * (uint64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1LL<<ez) * b[1]);

    block->u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
    block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
--- a/libavcodec/dstdec.c
+++ b/libavcodec/dstdec.c
@@ -214,7 +214,7 @@ static uint8_t prob_dst_x_bit(int c)
    return (ff_reverse[c & 127] >> 1) + 1;
 }

-static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets)
+static int build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets)
 {
    int i, j, k, l;

@@ -225,14 +225,17 @@ static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *
            int total = av_clip(length - j * 8, 0, 8);

            for (k = 0; k < 256; k++) {
-                int v = 0;
+                int64_t v = 0;

                for (l = 0; l < total; l++)
                    v += (((k >> l) & 1) * 2 - 1) * fsets->coeff[i][j * 8 + l];
+                if ((int16_t)v != v)
+                    return AVERROR_INVALIDDATA;
                table[i][j][k] = v;
            }
        }
    }
+    return 0;
 }

 static int decode_frame(AVCodecContext *avctx, void *data,
@@ -328,7 +331,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
        return AVERROR_INVALIDDATA;
    ac_init(ac, gb);

-    build_filter(s->filter, &s->fsets);
+    ret = build_filter(s->filter, &s->fsets);
+    if (ret < 0)
+        return ret;

    memset(s->status, 0xAA, sizeof(s->status));
    memset(dsd, 0, frame->nb_samples * 4 * channels);
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1240,7 +1240,8 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        td->ysize = FFMIN(s->tile_attr.ySize, s->ydelta - tile_y * s->tile_attr.ySize);
        td->xsize = FFMIN(s->tile_attr.xSize, s->xdelta - tile_x * s->tile_attr.xSize);

-        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX ||
+            av_image_check_size2(td->xsize, td->ysize, s->avctx->max_pixels, AV_PIX_FMT_NONE, 0, s->avctx) < 0)
            return AVERROR_INVALIDDATA;

        td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
@@ -1264,7 +1265,8 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
        td->ysize          = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */
        td->xsize          = s->xdelta;

-        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX ||
+            av_image_check_size2(td->xsize, td->ysize, s->avctx->max_pixels, AV_PIX_FMT_NONE, 0, s->avctx) < 0)
            return AVERROR_INVALIDDATA;

        td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
@@ -1832,8 +1834,8 @@ static int decode_header(EXRContext *s, AVFrame *frame)
            dx = bytestream2_get_le32(gb);
            dy = bytestream2_get_le32(gb);

-            s->w = dx - sx + 1;
-            s->h = dy - sy + 1;
+            s->w = (unsigned)dx - sx + 1;
+            s->h = (unsigned)dy - sy + 1;

            continue;
        } else if ((var_size = check_header_variable(s, "lineOrder",
@@ -1948,9 +1950,12 @@ static int decode_header(EXRContext *s, AVFrame *frame)
                                                     "preview", 16)) >= 0) {
            uint32_t pw = bytestream2_get_le32(gb);
            uint32_t ph = bytestream2_get_le32(gb);
-            int64_t psize = 4LL * pw * ph;
+            uint64_t psize = pw * ph;
+            if (psize > INT64_MAX / 4)
+                return AVERROR_INVALIDDATA;
+            psize *= 4;

-            if (psize >= bytestream2_get_bytes_left(gb))
+            if ((int64_t)psize >= bytestream2_get_bytes_left(gb))
                return AVERROR_INVALIDDATA;

            bytestream2_skip(gb, psize);
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -185,6 +185,9 @@ static int decode_slice_header(const FFV1Context *f, FFV1Context *fs)
         || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
        return -1;

+    if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23))
+        return AVERROR_INVALIDDATA;
+
    for (i = 0; i < f->plane_count; i++) {
        PlaneContext * const p = &fs->plane[i];
        int idx = get_symbol(c, state, 0);
--- a/libavcodec/ffv1dec_template.c
+++ b/libavcodec/ffv1dec_template.c
@@ -93,11 +93,11 @@ static av_always_inline int RENAME(decode_line)(FFV1Context *s, int w,
                        run_count--;
                    }
                } else {
-                while (run_count > 1 && w-x > 1) {
-                    sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x);
-                    x++;
-                    run_count--;
-                }
+                    while (run_count > 1 && w-x > 1) {
+                        sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x);
+                        x++;
+                        run_count--;
+                    }
                }
                run_count--;
                if (run_count < 0) {
--- a/libavcodec/fmvc.c
+++ b/libavcodec/fmvc.c
@@ -401,20 +401,17 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    PutByteContext *pb = &s->pb;
    AVFrame *frame = data;
    int ret, y, x;
+    int key_frame;

    if (avpkt->size < 8)
        return AVERROR_INVALIDDATA;

-    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
-        return ret;
-
    bytestream2_init(gb, avpkt->data, avpkt->size);
    bytestream2_skip(gb, 2);

-    frame->key_frame = !!bytestream2_get_le16(gb);
-    frame->pict_type = frame->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P;
+    key_frame = !!bytestream2_get_le16(gb);

-    if (frame->key_frame) {
+    if (key_frame) {
        const uint8_t *src;
        unsigned type, size;
        uint8_t *dst;
@@ -434,6 +431,12 @@ static int decode_frame(AVCodecContext *avctx, void *data,
            return AVERROR_PATCHWELCOME;
        }

+        if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
+            return ret;
+
+        frame->key_frame = 1;
+        frame->pict_type = AV_PICTURE_TYPE_I;
+
        src = s->buffer;
        dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0];
        for (y = 0; y < avctx->height; y++) {
@@ -514,6 +517,12 @@ static int decode_frame(AVCodecContext *avctx, void *data,
            dst = &rect[block_h * s->stride];
        }

+        if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
+            return ret;
+
+        frame->key_frame = 0;
+        frame->pict_type = AV_PICTURE_TYPE_P;
+
        ssrc = s->buffer;
        ddst = frame->data[0] + (avctx->height - 1) * frame->linesize[0];
        for (y = 0; y < avctx->height; y++) {
--- a/libavcodec/g729_parser.c
+++ b/libavcodec/g729_parser.c
@@ -48,6 +48,9 @@ static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx,
        s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE;
        if (avctx->codec_id == AV_CODEC_ID_ACELP_KELVIN)
            s->block_size++;
+        // channels > 2 is invalid, we pass the packet on unchanged
+        if (avctx->channels > 2)
+            s->block_size = 0;
        s->block_size *= avctx->channels;
        s->duration   = avctx->frame_size;
    }
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -551,6 +551,8 @@ retry:
    avctx->has_b_frames = !s->low_delay;

    if (CONFIG_MPEG4_DECODER && avctx->codec_id == AV_CODEC_ID_MPEG4) {
+        if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb))
+            return AVERROR_INVALIDDATA;
        if (ff_mpeg4_workaround_bugs(avctx) == 1)
            goto retry;
        if (s->studio_profile != (s->idsp.idct == NULL))
--- a/libavcodec/h264_parser.c
+++ b/libavcodec/h264_parser.c
@@ -247,7 +247,6 @@ static inline int parse_nal_units(AVCodecParserContext *s,
                                  const uint8_t * const buf, int buf_size)
 {
    H264ParseContext *p = s->priv_data;
-    H264Context *h = avctx->priv_data;
    H2645RBSP rbsp = { NULL };
    H2645NAL nal = { NULL };
    int buf_index, next_avc;
@@ -553,11 +552,9 @@ static inline int parse_nal_units(AVCodecParserContext *s,
                p->last_picture_structure = s->picture_structure;
                p->last_frame_num = p->poc.frame_num;
            }
-            if (h && sps->timing_info_present_flag) {
+            if (sps->timing_info_present_flag) {
                int64_t den = sps->time_scale;
-                if (p->sei.unregistered.x264_build >= 0)
-                    h->x264_build = p->sei.unregistered.x264_build;
-                if (h->x264_build < 44U)
+                if (p->sei.unregistered.x264_build < 44U)
                    den *= 2;
                av_reduce(&avctx->framerate.den, &avctx->framerate.num,
                          sps->num_units_in_tick * avctx->ticks_per_frame, den, 1 << 30);
--- a/libavcodec/h264dec.c
+++ b/libavcodec/h264dec.c
@@ -680,6 +680,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size)
            avpriv_request_sample(avctx, "data partitioning");
            break;
        case H264_NAL_SEI:
+            if (h->setup_finished) {
+                avpriv_request_sample(avctx, "Late SEI");
+                break;
+            }
            ret = ff_h264_sei_decode(&h->sei, &nal->gb, &h->ps, avctx);
            h->has_recovery_point = h->has_recovery_point || h->sei.recovery_point.recovery_frame_cnt != -1;
            if (avctx->debug & FF_DEBUG_GREEN_MD)
--- a/libavcodec/hevc_filter.c
+++ b/libavcodec/hevc_filter.c
@@ -142,11 +142,22 @@ static void copy_CTB(uint8_t *dst, const uint8_t *src, int width, int height,

    if (((intptr_t)dst | (intptr_t)src | stride_dst | stride_src) & 15) {
        for (i = 0; i < height; i++) {
-            for (j = 0; j < width; j+=8)
+            for (j = 0; j < width - 7; j+=8)
                AV_COPY64U(dst+j, src+j);
            dst += stride_dst;
            src += stride_src;
        }
+        if (width&7) {
+            dst += ((width>>3)<<3) - stride_dst * height;
+            src += ((width>>3)<<3) - stride_src * height;
+            width &= 7;
+            for (i = 0; i < height; i++) {
+                for (j = 0; j < width; j++)
+                    dst[j] = src[j];
+                dst += stride_dst;
+                src += stride_src;
+            }
+        }
    } else {
        for (i = 0; i < height; i++) {
            for (j = 0; j < width; j+=16)
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -3499,7 +3499,7 @@ static int hevc_decode_frame(AVCodecContext *avctx, void *data, int *got_output,
        }
    } else {
        /* verify the SEI checksum */
-        if (avctx->err_recognition & AV_EF_CRCCHECK && s->is_decoded &&
+        if (avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded &&
            s->sei.picture_hash.is_md5) {
            ret = verify_md5(s, s->ref->frame);
            if (ret < 0 && avctx->err_recognition & AV_EF_EXPLODE) {
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -313,7 +313,7 @@ static void FUNC(sao_band_filter)(uint8_t *_dst, uint8_t *_src,
        offset_table[(k + sao_left_class) & 31] = sao_offset_val[k + 1];
    for (y = 0; y < height; y++) {
        for (x = 0; x < width; x++)
-            dst[x] = av_clip_pixel(src[x] + offset_table[src[x] >> shift]);
+            dst[x] = av_clip_pixel(src[x] + offset_table[(src[x] >> shift) & 31]);
        dst += stride_dst;
        src += stride_src;
    }
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
        s->t3     = get_bits(&s->gb, 16);
        s->reset  = get_bits(&s->gb, 16);

-        if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+        if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
            av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n",
                   s->maxval, s->t1, s->t2, s->t3, s->reset);
        }
@@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
        else
            maxtab = 65530/wt - 1;

-        if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+        if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
            av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab);
        }
        if (maxtab >= 256) {
@@ -191,7 +191,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
    if (RItype)
        temp += state->N[Q] >> 1;

-    for (k = 0; (state->N[Q] << k) < temp; k++)
+    for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)
        ;

 #ifdef JLS_BROKEN
@@ -200,6 +200,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
 #endif
    ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1,
                               state->qbpp);
+    if (ret < 0)
+        return -0x10000;

    /* decode mapped error */
    map = 0;
@@ -214,7 +216,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
        ret = ret >> 1;
    }

-    if(FFABS(ret) > 0xFFFF)
+    if (FFABS(ret) > 0xFFFF)
        return -0x10000;
    /* update state */
    state->A[Q] += FFABS(ret) - RItype;
@@ -483,19 +485,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
            for (i = 0; i < s->height; i++) {
                switch(s->xfrm) {
                case 1:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                        src[x  ] += src[x+1] + 128;
                        src[x+2] += src[x+1] + 128;
                    }
                    break;
                case 2:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                        src[x  ] += src[x+1] + 128;
                        src[x+2] += ((src[x  ] + src[x+1])>>1) + 128;
                    }
                    break;
                case 3:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                        int g = src[x+0] - ((src[x+2]+src[x+1])>>2) + 64;
                        src[x+0] = src[x+2] + g + 128;
                        src[x+2] = src[x+1] + g + 128;
@@ -503,7 +505,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
                    }
                    break;
                case 4:
-                    for (x = off; x < w; x += 3) {
+                    for (x = off; x + 2 < w; x += 3) {
                        int r    = src[x+0] - ((                       359 * (src[x+2]-128) + 490) >> 8);
                        int g    = src[x+0] - (( 88 * (src[x+1]-128) - 183 * (src[x+2]-128) +  30) >> 8);
                        int b    = src[x+0] + ((454 * (src[x+1]-128)                        + 574) >> 8);
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -409,6 +409,9 @@ output_zeros:
        if (zero_run) {
            zero_run = 0;
            i += esc_count;
+            if (i >  end - dst ||
+                i >= src_end - src)
+                return AVERROR_INVALIDDATA;
            memcpy(dst, src, i);
            dst += i;
            l->zeros_rem = lag_calc_zero_run(src[i]);
--- a/libavcodec/libdav1d.c
+++ b/libavcodec/libdav1d.c
@@ -230,12 +230,15 @@ static av_cold int libdav1d_init(AVCodecContext *c)
    s.frame_size_limit = c->max_pixels;
    if (dav1d->apply_grain >= 0)
        s.apply_grain = dav1d->apply_grain;
-    else if (c->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN)
-        s.apply_grain = 0;
+    else
+        s.apply_grain = !(c->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN);

    s.all_layers = dav1d->all_layers;
    if (dav1d->operating_point >= 0)
        s.operating_point = dav1d->operating_point;
+#if FF_DAV1D_VERSION_AT_LEAST(6,2)
+    s.strict_std_compliance = c->strict_std_compliance > 0;
+#endif

 #if FF_DAV1D_VERSION_AT_LEAST(6,0)
    if (dav1d->frame_threads || dav1d->tile_threads)
@@ -344,8 +347,10 @@ static int libdav1d_receive_frame(AVCodecContext *c, AVFrame *frame)
    if (res < 0) {
        if (res == AVERROR(EINVAL))
            res = AVERROR_INVALIDDATA;
-        if (res != AVERROR(EAGAIN))
+        if (res != AVERROR(EAGAIN)) {
+            dav1d_data_unref(data);
            return res;
+        }
    }

    res = dav1d_get_picture(dav1d->c, p);
@@ -376,7 +381,8 @@ static int libdav1d_receive_frame(AVCodecContext *c, AVFrame *frame)

 #if FF_DAV1D_VERSION_AT_LEAST(5,1)
    dav1d_get_event_flags(dav1d->c, &event_flags);
-    if (event_flags & DAV1D_EVENT_FLAG_NEW_SEQUENCE)
+    if (c->pix_fmt == AV_PIX_FMT_NONE ||
+        (event_flags & DAV1D_EVENT_FLAG_NEW_SEQUENCE))
 #endif
    libdav1d_init_params(c, p->seq_hdr);
    res = ff_decode_frame_props(c, frame);
--- a/libavcodec/libuavs3d.c
+++ b/libavcodec/libuavs3d.c
@@ -208,7 +208,9 @@ static int libuavs3d_decode_frame(AVCodecContext *avctx, void *data, int *got_fr
                }
                avctx->has_b_frames  = !seqh->low_delay;
                avctx->pix_fmt = seqh->bit_depth_internal == 8 ? AV_PIX_FMT_YUV420P : AV_PIX_FMT_YUV420P10LE;
-                ff_set_dimensions(avctx, seqh->horizontal_size, seqh->vertical_size);
+                ret = ff_set_dimensions(avctx, seqh->horizontal_size, seqh->vertical_size);
+                if (ret < 0)
+                    return ret;
                h->got_seqhdr = 1;

                if (seqh->colour_description) {
--- a/libavcodec/libxavs2.c
+++ b/libavcodec/libxavs2.c
@@ -206,7 +206,7 @@ static int xavs2_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
        ret = cae->api->encoder_encode(cae->encoder, &pic, &cae->packet);

        if (ret) {
-            av_log(avctx, AV_LOG_ERROR, "Encoding error occured.\n");
+            av_log(avctx, AV_LOG_ERROR, "Encoding error occurred.\n");
            return AVERROR_EXTERNAL;
        }

--- a/libavcodec/midivid.c
+++ b/libavcodec/midivid.c
@@ -202,12 +202,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    bytestream2_skip(gb, 8);
    uncompressed = bytestream2_get_le32(gb);

-    if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0)
-        return ret;
-
-    if (uncompressed) {
-        ret = decode_mvdv(s, avctx, frame);
-    } else {
+    if (!uncompressed) {
        av_fast_padded_malloc(&s->uncompressed, &s->uncompressed_size, 16LL * (avpkt->size - 12));
        if (!s->uncompressed)
            return AVERROR(ENOMEM);
@@ -216,9 +211,13 @@ static int decode_frame(AVCodecContext *avctx, void *data,
        if (ret < 0)
            return ret;
        bytestream2_init(gb, s->uncompressed, ret);
-        ret = decode_mvdv(s, avctx, frame);
    }

+    if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0)
+        return ret;
+
+    ret = decode_mvdv(s, avctx, frame);
+
    if (ret < 0)
        return ret;
    key = ret;
--- a/libavcodec/mjpegbdec.c
+++ b/libavcodec/mjpegbdec.c
@@ -57,6 +57,7 @@ static int mjpegb_decode_frame(AVCodecContext *avctx,
    buf_end = buf + buf_size;
    s->got_picture = 0;
    s->adobe_transform = -1;
+    s->buf_size = buf_size;

 read_header:
    /* reset on every SOI */
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1088,6 +1088,10 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
        return AVERROR_INVALIDDATA;
    if (s->v_max != 1 || s->h_max != 1 || !s->lossless)
        return AVERROR_INVALIDDATA;
+    if (s->bayer) {
+        if (s->rct || s->pegasus_rct)
+            return AVERROR_INVALIDDATA;
+    }


    s->restart_count = s->restart_interval;
@@ -1204,6 +1208,8 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
                ptr[3*mb_x + 2] = buffer[mb_x][2] + ptr[3*mb_x + 1];
            }
        } else if (s->bayer) {
+            if (s->bits <= 8)
+                return AVERROR_PATCHWELCOME;
            if (nb_components == 1) {
                /* Leave decoding to the TIFF/DNG decoder (see comment in ff_mjpeg_decode_sof) */
                for (mb_x = 0; mb_x < width; mb_x++)
@@ -1938,6 +1944,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
        }

        len -= 9;
+        if (s->bayer)
+            goto out;
        if (s->got_picture)
            if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) {
                av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n");
--- a/libavcodec/mobiclip.c
+++ b/libavcodec/mobiclip.c
@@ -329,7 +329,7 @@ static av_cold int mobiclip_init(AVCodecContext *avctx)
    return 0;
 }

-static int setup_qtables(AVCodecContext *avctx, int quantizer)
+static int setup_qtables(AVCodecContext *avctx, int64_t quantizer)
 {
    MobiClipContext *s = avctx->priv_data;
    int qx, qy;
@@ -1255,7 +1255,7 @@ static int mobiclip_decode(AVCodecContext *avctx, void *data,
        frame->key_frame = 0;
        s->dct_tab_idx = 0;

-        ret = setup_qtables(avctx, s->quantizer + get_se_golomb(gb));
+        ret = setup_qtables(avctx, s->quantizer + (int64_t)get_se_golomb(gb));
        if (ret < 0)
            return ret;

--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -1614,7 +1614,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type)
        for(y=0; y<s->mb_height; y++){
            int x;
            int xy= y*s->mb_stride;
-            for(x=0; x<s->mb_width; x++){
+            for(x=0; x<s->mb_width; x++, xy++){
                if(s->mb_type[xy] & type){
                    int mx= mv_table[xy][0];
                    int my= mv_table[xy][1];
@@ -1622,16 +1622,15 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type)
                                     fcode_tab[my + MAX_MV]);
                    int j;

-                        if(mx >= range || mx < -range ||
-                           my >= range || my < -range)
-                            continue;
+                    if (mx >= range || mx < -range ||
+                        my >= range || my < -range)
+                        continue;

                    for(j=0; j<fcode && j<8; j++){
                        if(s->pict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy])
                            score[j]-= 170;
                    }
                }
-                xy++;
            }
        }

--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -263,7 +263,7 @@ static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, uint64_t size)

 static int styles_equivalent(const StyleBox *a, const StyleBox *b)
 {
-#define CMP(field) a->field == b->field
+#define CMP(field) ((a)->field == (b)->field)
    return CMP(bold)  && CMP(italic)   && CMP(underline) && CMP(color) &&
           CMP(alpha) && CMP(fontsize) && CMP(font_id);
 #undef CMP
--- a/libavcodec/mpegaudiodec_template.c
+++ b/libavcodec/mpegaudiodec_template.c
@@ -372,7 +372,7 @@ static int handle_crc(MPADecodeContext *s, int sec_len)
        crc_val = av_crc(crc_tab, crc_val, &buf[6], sec_byte_len);

        AV_WB32(tmp_buf,
-                ((buf[6 + sec_byte_len] & (0xFF00 >> sec_rem_bits)) << 24) +
+                ((buf[6 + sec_byte_len] & (0xFF00U >> sec_rem_bits)) << 24) +
                ((s->crc << 16) >> sec_rem_bits));

        crc_val = av_crc(crc_tab, crc_val, tmp_buf, 3);
--- a/libavcodec/mss4.c
+++ b/libavcodec/mss4.c
@@ -26,6 +26,7 @@
 */

 #include "libavutil/thread.h"
+#include "libavutil/imgutils.h"

 #include "avcodec.h"
 #include "bytestream.h"
@@ -476,6 +477,9 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
               width, height);
        return AVERROR_INVALIDDATA;
    }
+    if (av_image_check_size2(width, height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx) < 0)
+        return AVERROR_INVALIDDATA;
+
    if (quality < 1 || quality > 100) {
        av_log(avctx, AV_LOG_ERROR, "Invalid quality setting %d\n", quality);
        return AVERROR_INVALIDDATA;
--- a/libavcodec/nvenc.c
+++ b/libavcodec/nvenc.c
@@ -1856,7 +1856,7 @@ static int nvenc_register_frame(AVCodecContext *avctx, const AVFrame *frame)
    NV_ENCODE_API_FUNCTION_LIST *p_nvenc = &dl_fn->nvenc_funcs;

    AVHWFramesContext *frames_ctx = (AVHWFramesContext*)frame->hw_frames_ctx->data;
-    NV_ENC_REGISTER_RESOURCE reg;
+    NV_ENC_REGISTER_RESOURCE reg = { 0 };
    int i, idx, ret;

    for (i = 0; i < ctx->nb_registered_frames; i++) {
--- a/libavcodec/pixlet.c
+++ b/libavcodec/pixlet.c
@@ -405,7 +405,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale)
                (int64_t) low [i - 1] * -INT64_C(325392907)  +
                (int64_t) high[i + 0] *  INT64_C(1518500249) +
                (int64_t) high[i - 1] *  INT64_C(1518500249);
-        dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32);
+        dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32);
    }

    for (i = 0; i < hsize; i++) {
@@ -416,7 +416,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale)
                (int64_t) high[i + 1] *  INT64_C(303700064)  +
                (int64_t) high[i + 0] * -INT64_C(3644400640) +
                (int64_t) high[i - 1] *  INT64_C(303700064);
-        dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32);
+        dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32);
    }
 }

--- a/libavcodec/pthread_frame.c
+++ b/libavcodec/pthread_frame.c
@@ -145,6 +145,12 @@ typedef struct FrameThreadContext {
                                    * Set for the first N packets, where N is the number of threads.
                                    * While it is set, ff_thread_en/decode_frame won't return any results.
                                    */
+
+    /* hwaccel state is temporarily stored here in order to transfer its ownership
+     * to the next decoding thread without the need for extra synchronization */
+    const AVHWAccel *stash_hwaccel;
+    void            *stash_hwaccel_context;
+    void            *stash_hwaccel_priv;
 } FrameThreadContext;

 #if FF_API_THREAD_SAFE_CALLBACKS
@@ -229,9 +235,17 @@ FF_ENABLE_DEPRECATION_WARNINGS
            ff_thread_finish_setup(avctx);

        if (p->hwaccel_serializing) {
+            /* wipe hwaccel state to avoid stale pointers lying around;
+             * the state was transferred to FrameThreadContext in
+             * ff_thread_finish_setup(), so nothing is leaked */
+            avctx->hwaccel                     = NULL;
+            avctx->hwaccel_context             = NULL;
+            avctx->internal->hwaccel_priv_data = NULL;
+
            p->hwaccel_serializing = 0;
            pthread_mutex_unlock(&p->parent->hwaccel_mutex);
        }
+        av_assert0(!avctx->hwaccel);

        if (p->async_serializing) {
            p->async_serializing = 0;
@@ -294,14 +308,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
        dst->color_range = src->color_range;
        dst->chroma_sample_location = src->chroma_sample_location;

-        dst->hwaccel = src->hwaccel;
-        dst->hwaccel_context = src->hwaccel_context;
-
        dst->channels       = src->channels;
        dst->sample_rate    = src->sample_rate;
        dst->sample_fmt     = src->sample_fmt;
        dst->channel_layout = src->channel_layout;
-        dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;

        if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
            (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
@@ -444,6 +454,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx,
        }
    }

+    /* transfer the stashed hwaccel state, if any */
+    av_assert0(!p->avctx->hwaccel);
+    FFSWAP(const AVHWAccel*, p->avctx->hwaccel,                     fctx->stash_hwaccel);
+    FFSWAP(void*,            p->avctx->hwaccel_context,             fctx->stash_hwaccel_context);
+    FFSWAP(void*,            p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+
    av_packet_unref(p->avpkt);
    ret = av_packet_ref(p->avpkt, avpkt);
    if (ret < 0) {
@@ -647,6 +663,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
        async_lock(p->parent);
    }

+    /* save hwaccel state for passing to the next thread;
+     * this is done here so that this worker thread can wipe its own hwaccel
+     * state after decoding, without requiring synchronization */
+    av_assert0(!p->parent->stash_hwaccel);
+    p->parent->stash_hwaccel         = avctx->hwaccel;
+    p->parent->stash_hwaccel_context = avctx->hwaccel_context;
+    p->parent->stash_hwaccel_priv    = avctx->internal->hwaccel_priv_data;
+
    pthread_mutex_lock(&p->progress_mutex);
    if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
        av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
@@ -700,13 +724,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)

    park_frame_worker_threads(fctx, thread_count);

-    if (fctx->prev_thread && avctx->internal->hwaccel_priv_data !=
-                             fctx->prev_thread->avctx->internal->hwaccel_priv_data) {
-        if (update_context_from_thread(avctx, fctx->prev_thread->avctx, 1) < 0) {
-            av_log(avctx, AV_LOG_ERROR, "Failed to update user thread.\n");
-        }
-    }
-
    if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
        if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
            av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
@@ -760,6 +777,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
    av_freep(&fctx->threads);
    ff_pthread_free(fctx, thread_ctx_offsets);

+    /* if we have stashed hwaccel state, move it to the user-facing context,
+     * so it will be freed in avcodec_close() */
+    av_assert0(!avctx->hwaccel);
+    FFSWAP(const AVHWAccel*, avctx->hwaccel,                     fctx->stash_hwaccel);
+    FFSWAP(void*,            avctx->hwaccel_context,             fctx->stash_hwaccel_context);
+    FFSWAP(void*,            avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+
    av_freep(&avctx->internal->thread_ctx);
 }

--- a/libavcodec/qdrw.c
+++ b/libavcodec/qdrw.c
@@ -369,7 +369,7 @@ static int decode_frame(AVCodecContext *avctx,
            bytestream2_skip(&gbc, 18);
            colors = bytestream2_get_be16(&gbc);

-            if (colors < 0 || colors > 256) {
+            if (colors < 0 || colors > 255) {
                av_log(avctx, AV_LOG_ERROR,
                       "Error color count - %i(0x%X)\n", colors, colors);
                return AVERROR_INVALIDDATA;
--- a/libavcodec/qpeldsp.c
+++ b/libavcodec/qpeldsp.c
@@ -198,7 +198,7 @@ static void OPNAME ## qpel8_mc01_c(uint8_t *dst, const uint8_t *src,          \
    uint8_t full[16 * 9];                                                     \
    uint8_t half[64];                                                         \
                                                                              \
-    copy_block9(full, src, 16, stride, 9);                                    \
+    copy_block8(full, src, 16, stride, 9);                                    \
    put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16);                   \
    OPNAME ## pixels8_l2_8(dst, full, half, stride, 16, 8, 8);                \
 }                                                                             \
@@ -208,7 +208,7 @@ static void OPNAME ## qpel8_mc02_c(uint8_t *dst, const uint8_t *src,          \
 {                                                                             \
    uint8_t full[16 * 9];                                                     \
                                                                              \
-    copy_block9(full, src, 16, stride, 9);                                    \
+    copy_block8(full, src, 16, stride, 9);                                    \
    OPNAME ## mpeg4_qpel8_v_lowpass(dst, full, stride, 16);                   \
 }                                                                             \
                                                                              \
@@ -218,7 +218,7 @@ static void OPNAME ## qpel8_mc03_c(uint8_t *dst, const uint8_t *src,          \
    uint8_t full[16 * 9];                                                     \
    uint8_t half[64];                                                         \
                                                                              \
-    copy_block9(full, src, 16, stride, 9);                                    \
+    copy_block8(full, src, 16, stride, 9);                                    \
    put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16);                   \
    OPNAME ## pixels8_l2_8(dst, full + 16, half, stride, 16, 8, 8);           \
 }                                                                             \
@@ -458,7 +458,7 @@ static void OPNAME ## qpel16_mc01_c(uint8_t *dst, const uint8_t *src,         \
    uint8_t full[24 * 17];                                                    \
    uint8_t half[256];                                                        \
                                                                              \
-    copy_block17(full, src, 24, stride, 17);                                  \
+    copy_block16(full, src, 24, stride, 17);                                  \
    put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24);                 \
    OPNAME ## pixels16_l2_8(dst, full, half, stride, 24, 16, 16);             \
 }                                                                             \
@@ -468,7 +468,7 @@ static void OPNAME ## qpel16_mc02_c(uint8_t *dst, const uint8_t *src,         \
 {                                                                             \
    uint8_t full[24 * 17];                                                    \
                                                                              \
-    copy_block17(full, src, 24, stride, 17);                                  \
+    copy_block16(full, src, 24, stride, 17);                                  \
    OPNAME ## mpeg4_qpel16_v_lowpass(dst, full, stride, 24);                  \
 }                                                                             \
                                                                              \
@@ -478,7 +478,7 @@ static void OPNAME ## qpel16_mc03_c(uint8_t *dst, const uint8_t *src,         \
    uint8_t full[24 * 17];                                                    \
    uint8_t half[256];                                                        \
                                                                              \
-    copy_block17(full, src, 24, stride, 17);                                  \
+    copy_block16(full, src, 24, stride, 17);                                  \
    put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24);                 \
    OPNAME ## pixels16_l2_8(dst, full + 24, half, stride, 24, 16, 16);        \
 }                                                                             \
--- a/libavcodec/sbrdsp_fixed.c
+++ b/libavcodec/sbrdsp_fixed.c
@@ -114,8 +114,8 @@ static void sbr_qmf_deint_neg_c(int *v, const int *src)
 {
    int i;
    for (i = 0; i < 32; i++) {
-        v[     i] = ( src[63 - 2*i    ] + 0x10) >> 5;
-        v[63 - i] = (-src[63 - 2*i - 1] + 0x10) >> 5;
+        v[     i] = (int)(0x10U + src[63 - 2*i    ]) >> 5;
+        v[63 - i] = (int)(0x10U - src[63 - 2*i - 1]) >> 5;
    }
 }

--- a/libavcodec/sonic.c
+++ b/libavcodec/sonic.c
@@ -1003,7 +1003,7 @@ static int sonic_decode_frame(AVCodecContext *avctx,

    // dequantize
    for (i = 0; i < s->num_taps; i++)
-        s->predictor_k[i] *= s->tap_quant[i];
+        s->predictor_k[i] *= (unsigned) s->tap_quant[i];

    if (s->lossless)
        quant = 1;
--- a/libavcodec/speedhq.c
+++ b/libavcodec/speedhq.c
@@ -497,7 +497,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx,
    uint32_t second_field_offset;
    int ret;

-    if (buf_size < 4 || avctx->width < 8)
+    if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0)
        return AVERROR_INVALIDDATA;

    quality = buf[0];
--- a/libavcodec/speexdec.c
+++ b/libavcodec/speexdec.c
@@ -164,39 +164,39 @@ typedef struct SpeexSubmode {
 } SpeexSubmode;

 typedef struct SpeexMode {
-    int modeID; /** ID of the mode */
+    int modeID;                 /**< ID of the mode */
    int (*decode)(AVCodecContext *avctx, void *dec, GetBitContext *gb, float *out);
-    int frame_size; /**< Size of frames used for decoding */
-    int subframe_size; /**< Size of sub-frames used for decoding */
-    int lpc_size; /**< Order of LPC filter */
-    float folding_gain; /**< Folding gain */
+    int frame_size;             /**< Size of frames used for decoding */
+    int subframe_size;          /**< Size of sub-frames used for decoding */
+    int lpc_size;               /**< Order of LPC filter */
+    float folding_gain;         /**< Folding gain */
    const SpeexSubmode *submodes[NB_SUBMODES]; /**< Sub-mode data for the mode */
-    int default_submode; /**< Default sub-mode to use when decoding */
+    int default_submode;        /**< Default sub-mode to use when decoding */
 } SpeexMode;

 typedef struct DecoderState {
    const SpeexMode *mode;
-    int modeID; /** ID of the decoder mode */
-    int first; /** Is first frame  */
-    int full_frame_size; /**< Length of full-band frames */
-    int is_wideband; /**< If wideband is present */
-    int count_lost; /**< Was the last frame lost? */
-    int frame_size; /**< Length of high-band frames */
-    int subframe_size; /**< Length of high-band sub-frames */
-    int nb_subframes; /**< Number of high-band sub-frames */
-    int lpc_size; /**< Order of high-band LPC analysis */
-    float last_ol_gain; /**< Open-loop gain for previous frame */
-    float *innov_save; /** If non-NULL, innovation is copied here */
+    int modeID;             /**< ID of the decoder mode */
+    int first;              /**< Is first frame  */
+    int full_frame_size;    /**< Length of full-band frames */
+    int is_wideband;        /**< If wideband is present */
+    int count_lost;         /**< Was the last frame lost? */
+    int frame_size;         /**< Length of high-band frames */
+    int subframe_size;      /**< Length of high-band sub-frames */
+    int nb_subframes;       /**< Number of high-band sub-frames */
+    int lpc_size;           /**< Order of high-band LPC analysis */
+    float last_ol_gain;     /**< Open-loop gain for previous frame */
+    float *innov_save;      /**< If non-NULL, innovation is copied here */

    /* This is used in packet loss concealment */
-    int last_pitch; /**< Pitch of last correctly decoded frame */
-    float last_pitch_gain; /**< Pitch gain of last correctly decoded frame */
-    uint32_t seed; /** Seed used for random number generation */
+    int last_pitch;         /**< Pitch of last correctly decoded frame */
+    float last_pitch_gain;  /**< Pitch gain of last correctly decoded frame */
+    uint32_t seed;          /**< Seed used for random number generation */

    int encode_submode;
    const SpeexSubmode *const *submodes; /**< Sub-mode data */
-    int submodeID; /**< Activated sub-mode */
-    int lpc_enh_enabled; /**< 1 when LPC enhancer is on, 0 otherwise */
+    int submodeID;          /**< Activated sub-mode */
+    int lpc_enh_enabled;    /**< 1 when LPC enhancer is on, 0 otherwise */

    /* Vocoder data */
    float voc_m1;
@@ -205,10 +205,10 @@ typedef struct DecoderState {
    int voc_offset;

    int dtx_enabled;
-    int highpass_enabled; /**< Is the input filter enabled */
+    int highpass_enabled;   /**< Is the input filter enabled */

-    float *exc; /**< Start of excitation frame */
-    float mem_hp[2]; /**< High-pass filter memory */
+    float *exc;             /**< Start of excitation frame */
+    float mem_hp[2];        /**< High-pass filter memory */
    float exc_buf[NB_DEC_BUFFER]; /**< Excitation buffer */
    float old_qlsp[NB_ORDER]; /**< Quantized LSPs for previous frame */
    float interp_qlpc[NB_ORDER]; /**< Interpolated quantized LPCs */
@@ -1451,7 +1451,7 @@ static av_cold int speex_decode_init(AVCodecContext *avctx)
            return AVERROR_INVALIDDATA;

        s->nb_channels = avctx->channels;
-        if (s->nb_channels <= 0)
+        if (s->nb_channels <= 0 || s->nb_channels > 2)
            return AVERROR_INVALIDDATA;

        switch (s->rate) {
--- a/libavcodec/takdsp.c
+++ b/libavcodec/takdsp.c
@@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int
    for (i = 0; i < length; i++) {
        int32_t a = p1[i];
        int32_t b = p2[i];
-        b         = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift;
+        b         = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift;
        p1[i]     = b - a;
    }
 }
--- a/libavcodec/texturedspenc.c
+++ b/libavcodec/texturedspenc.c
@@ -255,11 +255,11 @@ static void optimize_colors(const uint8_t *block, ptrdiff_t stride,

        muv = minv = maxv = bp[0];
        for (y = 0; y < 4; y++) {
-            for (x = 4; x < 4; x += 4) {
+            for (x = 0; x < 4; x++) {
                muv += bp[x * 4 + y * stride];
-                if (bp[x] < minv)
+                if (bp[x * 4 + y * stride] < minv)
                    minv = bp[x * 4 + y * stride];
-                else if (bp[x] > maxv)
+                else if (bp[x * 4 + y * stride] > maxv)
                    maxv = bp[x * 4 + y * stride];
            }
        }
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -759,6 +759,7 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid
    if (s->is_bayer) {
        av_assert0(width == (s->bpp * s->width + 7) >> 3);
    }
+    av_assert0(!(s->is_bayer && is_yuv));
    if (p->format == AV_PIX_FMT_GRAY12) {
        av_fast_padded_malloc(&s->yuv_line, &s->yuv_line_size, width);
        if (s->yuv_line == NULL) {
@@ -842,6 +843,8 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid
            av_log(s->avctx, AV_LOG_ERROR, "More than one DNG JPEG strips unsupported\n");
            return AVERROR_PATCHWELCOME;
        }
+        if (!s->is_bayer)
+            return AVERROR_PATCHWELCOME;
        if ((ret = dng_decode_jpeg(s->avctx, p, s->stripsize, 0, 0, s->width, s->height)) < 0)
            return ret;
        return 0;
@@ -960,6 +963,9 @@ static int dng_decode_tiles(AVCodecContext *avctx, AVFrame *frame,
    int pos_x = 0, pos_y = 0;
    int ret;

+    if (s->tile_width <= 0 || s->tile_length <= 0)
+        return AVERROR_INVALIDDATA;
+
    has_width_leftover = (s->width % s->tile_width != 0);
    has_height_leftover = (s->height % s->tile_length != 0);

@@ -1744,7 +1750,7 @@ static int decode_frame(AVCodecContext *avctx,
    TiffContext *const s = avctx->priv_data;
    AVFrame *const p = data;
    ThreadFrame frame = { .f = data };
-    unsigned off, last_off;
+    unsigned off, last_off = 0;
    int le, ret, plane, planes;
    int i, j, entries, stride;
    unsigned soff, ssize;
@@ -1809,7 +1815,6 @@ again:
    /** whether we should process this multi-page IFD's next page */
    retry_for_page = s->get_page && s->cur_page + 1 < s->get_page;  // get_page is 1-indexed

-    last_off = off;
    if (retry_for_page) {
        // set offset to the next IFD
        off = ff_tget_long(&s->gb, le);
@@ -1827,6 +1832,7 @@ again:
            avpriv_request_sample(s->avctx, "non increasing IFD offset");
            return AVERROR_INVALIDDATA;
        }
+        last_off = off;
        if (off >= UINT_MAX - 14 || avpkt->size < off + 14) {
            av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n");
            return AVERROR_INVALIDDATA;
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -373,8 +373,15 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
    case 3: {
        // shift samples for 24-bit sample format
        int32_t *samples = (int32_t *)frame->data[0];
-        for (i = 0; i < framelen * s->channels; i++)
-            *samples++ *= 256;
+        int overflow = 0;
+
+        for (i = 0; i < framelen * s->channels; i++) {
+            int scaled = *samples * 256U;
+            overflow += (scaled >> 8 != *samples);
+            *samples++ = scaled;
+        }
+        if (overflow)
+            av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow);
        // reset decode buffer
        s->decode_buffer = NULL;
        break;
--- a/libavcodec/v4l2_context.c
+++ b/libavcodec/v4l2_context.c
@@ -153,6 +153,21 @@ static inline void v4l2_save_to_context(V4L2Context* ctx, struct v4l2_format_upd
    }
 }

+static int v4l2_start_decode(V4L2Context *ctx)
+{
+    struct v4l2_decoder_cmd cmd = {
+        .cmd = V4L2_DEC_CMD_START,
+        .flags = 0,
+    };
+    int ret;
+
+    ret = ioctl(ctx_to_m2mctx(ctx)->fd, VIDIOC_DECODER_CMD, &cmd);
+    if (ret)
+        return AVERROR(errno);
+
+    return 0;
+}
+
 /**
 * handle resolution change event and end of stream event
 * returns 1 if reinit was successful, negative if it failed
@@ -162,9 +177,8 @@ static int v4l2_handle_event(V4L2Context *ctx)
 {
    V4L2m2mContext *s = ctx_to_m2mctx(ctx);
    struct v4l2_format cap_fmt = s->capture.format;
-    struct v4l2_format out_fmt = s->output.format;
    struct v4l2_event evt = { 0 };
-    int full_reinit, reinit, ret;
+    int reinit, ret;

    ret = ioctl(s->fd, VIDIOC_DQEVENT, &evt);
    if (ret < 0) {
@@ -180,44 +194,25 @@ static int v4l2_handle_event(V4L2Context *ctx)
    if (evt.type != V4L2_EVENT_SOURCE_CHANGE)
        return 0;

-    ret = ioctl(s->fd, VIDIOC_G_FMT, &out_fmt);
-    if (ret) {
-        av_log(logger(ctx), AV_LOG_ERROR, "%s VIDIOC_G_FMT\n", s->output.name);
-        return 0;
-    }
-
    ret = ioctl(s->fd, VIDIOC_G_FMT, &cap_fmt);
    if (ret) {
        av_log(logger(ctx), AV_LOG_ERROR, "%s VIDIOC_G_FMT\n", s->capture.name);
        return 0;
    }

-    full_reinit = v4l2_resolution_changed(&s->output, &out_fmt);
-    if (full_reinit) {
-        s->output.height = v4l2_get_height(&out_fmt);
-        s->output.width = v4l2_get_width(&out_fmt);
-        s->output.sample_aspect_ratio = v4l2_get_sar(&s->output);
-    }
-
    reinit = v4l2_resolution_changed(&s->capture, &cap_fmt);
    if (reinit) {
        s->capture.height = v4l2_get_height(&cap_fmt);
        s->capture.width = v4l2_get_width(&cap_fmt);
        s->capture.sample_aspect_ratio = v4l2_get_sar(&s->capture);
+    } else {
+        v4l2_start_decode(ctx);
+        return 0;
    }

-    if (full_reinit || reinit)
+    if (reinit)
        s->reinit = 1;

-    if (full_reinit) {
-        ret = ff_v4l2_m2m_codec_full_reinit(s);
-        if (ret) {
-            av_log(logger(ctx), AV_LOG_ERROR, "v4l2_m2m_codec_full_reinit\n");
-            return AVERROR(EINVAL);
-        }
-        goto reinit_run;
-    }
-
    if (reinit) {
        if (s->avctx)
            ret = ff_set_dimensions(s->avctx, s->capture.width, s->capture.height);
--- a/libavcodec/videotoolbox.c
+++ b/libavcodec/videotoolbox.c
@@ -680,8 +680,7 @@ static void videotoolbox_decoder_callback(void *opaque,
                                          CMTime pts,
                                          CMTime duration)
 {
-    AVCodecContext *avctx = opaque;
-    VTContext *vtctx = avctx->internal->hwaccel_priv_data;
+    VTContext *vtctx = opaque;

    if (vtctx->frame) {
        CVPixelBufferRelease(vtctx->frame);
@@ -689,7 +688,8 @@ static void videotoolbox_decoder_callback(void *opaque,
    }

    if (!image_buffer) {
-        av_log(avctx, AV_LOG_DEBUG, "vt decoder cb: output image buffer is null\n");
+        av_log(vtctx->logctx,  AV_LOG_DEBUG,
+               "vt decoder cb: output image buffer is null: %i\n", status);
        return;
    }

@@ -825,11 +825,13 @@ static CFDictionaryRef videotoolbox_decoder_config_create(CMVideoCodecType codec
        if (data)
            CFDictionarySetValue(avc_info, CFSTR("hvcC"), data);
        break;
+#if CONFIG_VP9_VIDEOTOOLBOX_HWACCEL
    case kCMVideoCodecType_VP9 :
        data = ff_videotoolbox_vpcc_extradata_create(avctx);
        if (data)
            CFDictionarySetValue(avc_info, CFSTR("vpcC"), data);
        break;
+#endif
    default:
        break;
    }
@@ -937,7 +939,7 @@ static int videotoolbox_start(AVCodecContext *avctx)
                                                     videotoolbox->cv_pix_fmt_type);

    decoder_cb.decompressionOutputCallback = videotoolbox_decoder_callback;
-    decoder_cb.decompressionOutputRefCon   = avctx;
+    decoder_cb.decompressionOutputRefCon   = avctx->internal->hwaccel_priv_data;

    status = VTDecompressionSessionCreate(NULL,                      // allocator
                                          videotoolbox->cm_fmt_desc, // videoFormatDescription
@@ -1167,6 +1169,8 @@ int ff_videotoolbox_common_init(AVCodecContext *avctx)
    AVHWFramesContext *hw_frames;
    int err;

+    vtctx->logctx = avctx;
+
    // Old API - do nothing.
    if (avctx->hwaccel_context)
        return 0;
--- a/libavcodec/vp9_raw_reorder_bsf.c
+++ b/libavcodec/vp9_raw_reorder_bsf.c
@@ -292,6 +292,11 @@ static int vp9_raw_reorder_filter(AVBSFContext *bsf, AVPacket *out)
            return err;
        }

+        if (!in->size) {
+            av_packet_free(&in);
+            return AVERROR_INVALIDDATA;
+        }
+
        if ((in->data[in->size - 1] & 0xe0) == 0xc0) {
            av_log(bsf, AV_LOG_ERROR, "Input in superframes is not "
                   "supported.\n");
--- a/libavcodec/vp9_superframe_bsf.c
+++ b/libavcodec/vp9_superframe_bsf.c
@@ -108,6 +108,15 @@ static int vp9_superframe_filter(AVBSFContext *ctx, AVPacket *pkt)
    if (res < 0)
        return res;

+    if (!pkt->size) {
+        /* In case the cache is empty we can pass side-data-only packets
+         * through unchanged. Otherwise, such a packet makes no sense. */
+        if (!s->n_cache)
+            return 0;
+        res = AVERROR_INVALIDDATA;
+        goto done;
+    }
+
    marker = pkt->data[pkt->size - 1];
    if ((marker & 0xe0) == 0xc0) {
        int nbytes = 1 + ((marker >> 3) & 0x3);
--- a/libavcodec/vp9_superframe_split_bsf.c
+++ b/libavcodec/vp9_superframe_split_bsf.c
@@ -51,6 +51,9 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
            return ret;
        in = s->buffer_pkt;

+        if (!in->size)
+            goto passthrough;
+
        marker = in->data[in->size - 1];
        if ((marker & 0xe0) == 0xc0) {
            int length_size = 1 + ((marker >> 3) & 0x3);
@@ -70,7 +73,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
                        frame_size |= bytestream2_get_byte(&bc) << (j * 8);

                    total_size += frame_size;
-                    if (frame_size < 0 || total_size > in->size - idx_size) {
+                    if (frame_size <= 0 || total_size > in->size - idx_size) {
                        av_log(ctx, AV_LOG_ERROR,
                               "Invalid frame size in a superframe: %d\n", frame_size);
                        ret = AVERROR(EINVAL);
@@ -121,6 +124,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
            out->pts = AV_NOPTS_VALUE;

    } else {
+passthrough:
        av_packet_move_ref(out, s->buffer_pkt);
    }

--- a/libavcodec/vt_internal.h
+++ b/libavcodec/vt_internal.h
@@ -45,6 +45,8 @@ typedef struct VTContext {
    // Current H264 parameters (used to trigger decoder restart on SPS changes).
    uint8_t                     sps[3];
    bool                        reconfig_needed;
+
+    void *logctx;
 } VTContext;

 int ff_videotoolbox_alloc_frame(AVCodecContext *avctx, AVFrame *frame);
--- a/libavcodec/wnv1.c
+++ b/libavcodec/wnv1.c
@@ -126,6 +126,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
 {
    static AVOnce init_static_once = AV_ONCE_INIT;

+    if (avctx->width <= 1)
+        return AVERROR_INVALIDDATA;
+
    avctx->pix_fmt = AV_PIX_FMT_YUV422P;

    ff_thread_once(&init_static_once, wnv1_init_static);
--- a/libavdevice/dshow.c
+++ b/libavdevice/dshow.c
@@ -1002,23 +1002,12 @@ dshow_cycle_formats(AVFormatContext *avctx, enum dshowDeviceType devtype,
                );
                continue;
            }
-            if (requested_sample_rate) {
-                if (requested_sample_rate > acaps->MaximumSampleFrequency ||
-                    requested_sample_rate < acaps->MinimumSampleFrequency)
-                    goto next;
-                fx->nSamplesPerSec = requested_sample_rate;
-            }
-            if (requested_sample_size) {
-                if (requested_sample_size > acaps->MaximumBitsPerSample ||
-                    requested_sample_size < acaps->MinimumBitsPerSample)
-                    goto next;
-                fx->wBitsPerSample = requested_sample_size;
-            }
-            if (requested_channels) {
-                if (requested_channels > acaps->MaximumChannels ||
-                    requested_channels < acaps->MinimumChannels)
-                    goto next;
-                fx->nChannels = requested_channels;
+            if (
+                (ctx->sample_rate && ctx->sample_rate != fx->nSamplesPerSec) ||
+                (ctx->sample_size && ctx->sample_size != fx->wBitsPerSample) ||
+                (ctx->channels    && ctx->channels    != fx->nChannels     )
+            ) {
+                goto next;
            }
        }

--- a/libavdevice/iec61883.c
+++ b/libavdevice/iec61883.c
@@ -220,6 +220,7 @@ static int iec61883_parse_queue_dv(struct iec61883_data *dv, AVPacket *pkt)

 static int iec61883_parse_queue_hdv(struct iec61883_data *dv, AVPacket *pkt)
 {
+#if CONFIG_MPEGTS_DEMUXER
    DVPacket *packet;
    int size;

@@ -235,7 +236,7 @@ static int iec61883_parse_queue_hdv(struct iec61883_data *dv, AVPacket *pkt)
        if (size > 0)
            return size;
    }
-
+#endif
    return -1;
 }

--- a/libavfilter/drawutils.c
+++ b/libavfilter/drawutils.c
@@ -21,6 +21,7 @@

 #include <string.h>

+#include "libavutil/avassert.h"
 #include "libavutil/avutil.h"
 #include "libavutil/colorspace.h"
 #include "libavutil/intreadwrite.h"
@@ -32,50 +33,46 @@ enum { RED = 0, GREEN, BLUE, ALPHA };

 int ff_fill_rgba_map(uint8_t *rgba_map, enum AVPixelFormat pix_fmt)
 {
-    switch (pix_fmt) {
-    case AV_PIX_FMT_0RGB:
-    case AV_PIX_FMT_ARGB:  rgba_map[ALPHA] = 0; rgba_map[RED  ] = 1; rgba_map[GREEN] = 2; rgba_map[BLUE ] = 3; break;
-    case AV_PIX_FMT_0BGR:
-    case AV_PIX_FMT_ABGR:  rgba_map[ALPHA] = 0; rgba_map[BLUE ] = 1; rgba_map[GREEN] = 2; rgba_map[RED  ] = 3; break;
-    case AV_PIX_FMT_RGB48LE:
-    case AV_PIX_FMT_RGB48BE:
-    case AV_PIX_FMT_RGBA64BE:
-    case AV_PIX_FMT_RGBA64LE:
-    case AV_PIX_FMT_RGB0:
-    case AV_PIX_FMT_RGBA:
-    case AV_PIX_FMT_RGB24: rgba_map[RED  ] = 0; rgba_map[GREEN] = 1; rgba_map[BLUE ] = 2; rgba_map[ALPHA] = 3; break;
-    case AV_PIX_FMT_BGR48LE:
-    case AV_PIX_FMT_BGR48BE:
-    case AV_PIX_FMT_BGRA64BE:
-    case AV_PIX_FMT_BGRA64LE:
-    case AV_PIX_FMT_BGRA:
-    case AV_PIX_FMT_BGR0:
-    case AV_PIX_FMT_BGR24: rgba_map[BLUE ] = 0; rgba_map[GREEN] = 1; rgba_map[RED  ] = 2; rgba_map[ALPHA] = 3; break;
-    case AV_PIX_FMT_GBRP9LE:
-    case AV_PIX_FMT_GBRP9BE:
-    case AV_PIX_FMT_GBRP10LE:
-    case AV_PIX_FMT_GBRP10BE:
-    case AV_PIX_FMT_GBRP12LE:
-    case AV_PIX_FMT_GBRP12BE:
-    case AV_PIX_FMT_GBRP14LE:
-    case AV_PIX_FMT_GBRP14BE:
-    case AV_PIX_FMT_GBRP16LE:
-    case AV_PIX_FMT_GBRP16BE:
-    case AV_PIX_FMT_GBRAP:
-    case AV_PIX_FMT_GBRAP10LE:
-    case AV_PIX_FMT_GBRAP10BE:
-    case AV_PIX_FMT_GBRAP12LE:
-    case AV_PIX_FMT_GBRAP12BE:
-    case AV_PIX_FMT_GBRAP16LE:
-    case AV_PIX_FMT_GBRAP16BE:
-    case AV_PIX_FMT_GBRPF32LE:
-    case AV_PIX_FMT_GBRPF32BE:
-    case AV_PIX_FMT_GBRAPF32LE:
-    case AV_PIX_FMT_GBRAPF32BE:
-    case AV_PIX_FMT_GBRP:  rgba_map[GREEN] = 0; rgba_map[BLUE ] = 1; rgba_map[RED  ] = 2; rgba_map[ALPHA] = 3; break;
-    default:                    /* unsupported */
+    const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(pix_fmt);
+    if (!(desc->flags & AV_PIX_FMT_FLAG_RGB))
        return AVERROR(EINVAL);
+    if (desc->flags & AV_PIX_FMT_FLAG_BITSTREAM)
+        return AVERROR(EINVAL);
+    av_assert0(desc->nb_components == 3 + !!(desc->flags & AV_PIX_FMT_FLAG_ALPHA));
+    if (desc->flags & AV_PIX_FMT_FLAG_PLANAR) {
+        rgba_map[RED]   = desc->comp[0].plane;
+        rgba_map[GREEN] = desc->comp[1].plane;
+        rgba_map[BLUE]  = desc->comp[2].plane;
+        rgba_map[ALPHA] = (desc->flags & AV_PIX_FMT_FLAG_ALPHA) ? desc->comp[3].plane : 3;
+    } else {
+        int had0 = 0;
+        unsigned depthb = 0;
+        unsigned i;
+        for (i = 0; i < desc->nb_components; i++) {
+            /* all components must have same depth in bytes */
+            unsigned db = (desc->comp[i].depth + 7) / 8;
+            unsigned pos = desc->comp[i].offset / db;
+            if (depthb && (depthb != db))
+                return AVERROR(ENOSYS);
+
+            if (desc->comp[i].offset % db)
+                return AVERROR(ENOSYS);
+
+            had0 |= pos == 0;
+            rgba_map[i] = pos;
+        }
+
+        if (desc->nb_components == 3)
+            rgba_map[ALPHA] = had0 ? 3 : 0;
    }
+
+    av_assert0(rgba_map[RED]   != rgba_map[GREEN]);
+    av_assert0(rgba_map[GREEN] != rgba_map[BLUE]);
+    av_assert0(rgba_map[BLUE]  != rgba_map[RED]);
+    av_assert0(rgba_map[RED]   != rgba_map[ALPHA]);
+    av_assert0(rgba_map[GREEN] != rgba_map[ALPHA]);
+    av_assert0(rgba_map[BLUE]  != rgba_map[ALPHA]);
+
    return 0;
 }

@@ -86,25 +83,37 @@ int ff_draw_init(FFDrawContext *draw, enum AVPixelFormat format, unsigned flags)
    unsigned i, nb_planes = 0;
    int pixelstep[MAX_PLANES] = { 0 };
    int full_range = 0;
+    int depthb = 0;

    if (!desc || !desc->name)
        return AVERROR(EINVAL);
-    if (desc->flags & ~(AV_PIX_FMT_FLAG_PLANAR | AV_PIX_FMT_FLAG_RGB | AV_PIX_FMT_FLAG_ALPHA))
+    if (desc->flags & AV_PIX_FMT_FLAG_BE)
        return AVERROR(ENOSYS);
-    if (format == AV_PIX_FMT_P010LE || format == AV_PIX_FMT_P010BE || format == AV_PIX_FMT_P016LE || format == AV_PIX_FMT_P016BE)
+    if (desc->flags & ~(AV_PIX_FMT_FLAG_PLANAR | AV_PIX_FMT_FLAG_RGB | AV_PIX_FMT_FLAG_ALPHA))
        return AVERROR(ENOSYS);
    if (format == AV_PIX_FMT_YUVJ420P || format == AV_PIX_FMT_YUVJ422P || format == AV_PIX_FMT_YUVJ444P ||
        format == AV_PIX_FMT_YUVJ411P || format == AV_PIX_FMT_YUVJ440P)
        full_range = 1;
    for (i = 0; i < desc->nb_components; i++) {
+        int db;
        c = &desc->comp[i];
        /* for now, only 8-16 bits formats */
        if (c->depth < 8 || c->depth > 16)
            return AVERROR(ENOSYS);
-        if (desc->flags & AV_PIX_FMT_FLAG_BE)
-            return AVERROR(ENOSYS);
        if (c->plane >= MAX_PLANES)
            return AVERROR(ENOSYS);
+        /* data must either be in the high or low bits, never middle */
+        if (c->shift && ((c->shift + c->depth) & 0x7))
+            return AVERROR(ENOSYS);
+        /* mixed >8 and <=8 depth */
+        db = (c->depth + 7) / 8;
+        if (depthb && (depthb != db))
+            return AVERROR(ENOSYS);
+        depthb = db;
+        if (db * (c->offset + 1) > 16)
+            return AVERROR(ENOSYS);
+        if (c->offset % db)
+            return AVERROR(ENOSYS);
        /* strange interleaving */
        if (pixelstep[c->plane] != 0 &&
            pixelstep[c->plane] != c->step)
@@ -126,66 +135,49 @@ int ff_draw_init(FFDrawContext *draw, enum AVPixelFormat format, unsigned flags)
    memcpy(draw->pixelstep, pixelstep, sizeof(draw->pixelstep));
    draw->hsub[1] = draw->hsub[2] = draw->hsub_max = desc->log2_chroma_w;
    draw->vsub[1] = draw->vsub[2] = draw->vsub_max = desc->log2_chroma_h;
-    for (i = 0; i < (desc->nb_components - !!(desc->flags & AV_PIX_FMT_FLAG_ALPHA && !(flags & FF_DRAW_PROCESS_ALPHA))); i++)
-        draw->comp_mask[desc->comp[i].plane] |=
-            1 << desc->comp[i].offset;
    return 0;
 }

 void ff_draw_color(FFDrawContext *draw, FFDrawColor *color, const uint8_t rgba[4])
 {
    unsigned i;
-    uint8_t rgba_map[4];
+    uint8_t tmp8[4];
+    const AVPixFmtDescriptor *desc = draw->desc;

    if (rgba != color->rgba)
        memcpy(color->rgba, rgba, sizeof(color->rgba));
-    if ((draw->desc->flags & AV_PIX_FMT_FLAG_RGB) &&
-        ff_fill_rgba_map(rgba_map, draw->format) >= 0) {
-        if (draw->nb_planes == 1) {
-            for (i = 0; i < 4; i++) {
-                color->comp[0].u8[rgba_map[i]] = rgba[i];
-                if (draw->desc->comp[rgba_map[i]].depth > 8) {
-                    color->comp[0].u16[rgba_map[i]] = color->comp[0].u8[rgba_map[i]] << 8;
-                }
-            }
-        } else {
-            for (i = 0; i < 4; i++) {
-                color->comp[rgba_map[i]].u8[0] = rgba[i];
-                if (draw->desc->comp[rgba_map[i]].depth > 8)
-                    color->comp[rgba_map[i]].u16[0] = color->comp[rgba_map[i]].u8[0] << (draw->desc->comp[rgba_map[i]].depth - 8);
-            }
-        }
+
+    memset(color->comp, 0, sizeof(color->comp));
+
+    if (draw->desc->flags & AV_PIX_FMT_FLAG_RGB) {
+        memcpy(tmp8, rgba, sizeof(tmp8));
    } else if (draw->nb_planes >= 2) {
        /* assume YUV */
-        const AVPixFmtDescriptor *desc = draw->desc;
-        color->comp[desc->comp[0].plane].u8[desc->comp[0].offset] = draw->full_range ? RGB_TO_Y_JPEG(rgba[0], rgba[1], rgba[2]) : RGB_TO_Y_CCIR(rgba[0], rgba[1], rgba[2]);
-        color->comp[desc->comp[1].plane].u8[desc->comp[1].offset] = draw->full_range ? RGB_TO_U_JPEG(rgba[0], rgba[1], rgba[2]) : RGB_TO_U_CCIR(rgba[0], rgba[1], rgba[2], 0);
-        color->comp[desc->comp[2].plane].u8[desc->comp[2].offset] = draw->full_range ? RGB_TO_V_JPEG(rgba[0], rgba[1], rgba[2]) : RGB_TO_V_CCIR(rgba[0], rgba[1], rgba[2], 0);
-        color->comp[3].u8[0] = rgba[3];
-#define EXPAND(compn) \
-        if (desc->comp[compn].depth > 8) \
-            color->comp[desc->comp[compn].plane].u16[desc->comp[compn].offset] = \
-            color->comp[desc->comp[compn].plane].u8[desc->comp[compn].offset] << \
-                (draw->desc->comp[compn].depth + draw->desc->comp[compn].shift - 8)
-        EXPAND(3);
-        EXPAND(2);
-        EXPAND(1);
-        EXPAND(0);
+        tmp8[0] = draw->full_range ? RGB_TO_Y_JPEG(rgba[0], rgba[1], rgba[2]) : RGB_TO_Y_CCIR(rgba[0], rgba[1], rgba[2]);
+        tmp8[1] = draw->full_range ? RGB_TO_U_JPEG(rgba[0], rgba[1], rgba[2]) : RGB_TO_U_CCIR(rgba[0], rgba[1], rgba[2], 0);
+        tmp8[2] = draw->full_range ? RGB_TO_V_JPEG(rgba[0], rgba[1], rgba[2]) : RGB_TO_V_CCIR(rgba[0], rgba[1], rgba[2], 0);
+        tmp8[3] = rgba[3];
    } else if (draw->format == AV_PIX_FMT_GRAY8 || draw->format == AV_PIX_FMT_GRAY8A ||
               draw->format == AV_PIX_FMT_GRAY16LE || draw->format == AV_PIX_FMT_YA16LE ||
               draw->format == AV_PIX_FMT_GRAY9LE  ||
               draw->format == AV_PIX_FMT_GRAY10LE ||
               draw->format == AV_PIX_FMT_GRAY12LE ||
               draw->format == AV_PIX_FMT_GRAY14LE) {
-        const AVPixFmtDescriptor *desc = draw->desc;
-        color->comp[0].u8[0] = RGB_TO_Y_CCIR(rgba[0], rgba[1], rgba[2]);
-        EXPAND(0);
-        color->comp[1].u8[0] = rgba[3];
-        EXPAND(1);
+        tmp8[0] = RGB_TO_Y_CCIR(rgba[0], rgba[1], rgba[2]);
+        tmp8[1] = rgba[3];
    } else {
        av_log(NULL, AV_LOG_WARNING,
               "Color conversion not implemented for %s\n", draw->desc->name);
        memset(color, 128, sizeof(*color));
+        return;
+    }
+
+    for (i = 0; i < desc->nb_components; i++) {
+        if (desc->comp[i].depth > 8)
+            color->comp[desc->comp[i].plane].u16[desc->comp[i].offset / 2] = tmp8[i] <<
+                (draw->desc->comp[i].depth + draw->desc->comp[i].shift - 8);
+        else
+            color->comp[desc->comp[i].plane].u8[desc->comp[i].offset] = tmp8[i];
    }
 }

@@ -291,11 +283,6 @@ static void subsampling_bounds(int sub, int *x, int *w, int *start, int *end)
    *w >>= sub;
 }

-static int component_used(FFDrawContext *draw, int plane, int comp)
-{
-    return (draw->comp_mask[plane] >> comp) & 1;
-}
-
 /* If alpha is in the [ 0 ; 0x1010101 ] range,
   then alpha * value is in the [ 0 ; 0xFFFFFFFF ] range,
   and >> 24 gives a correct rounding. */
@@ -355,6 +342,9 @@ void ff_blend_rectangle(FFDrawContext *draw, FFDrawColor *color,
    int w_sub, h_sub, x_sub, y_sub, left, right, top, bottom, y;
    uint8_t *p0, *p;

+    nb_comp = draw->desc->nb_components -
+        !!(draw->desc->flags & AV_PIX_FMT_FLAG_ALPHA && !(draw->flags & FF_DRAW_PROCESS_ALPHA));
+
    /* TODO optimize if alpha = 0xFF */
    clip_interval(dst_w, &x0, &w, NULL);
    clip_interval(dst_h, &y0, &h, NULL);
@@ -370,7 +360,6 @@ void ff_blend_rectangle(FFDrawContext *draw, FFDrawColor *color,
    nb_planes = draw->nb_planes - !!(draw->desc->flags & AV_PIX_FMT_FLAG_ALPHA && !(draw->flags & FF_DRAW_PROCESS_ALPHA));
    nb_planes += !nb_planes;
    for (plane = 0; plane < nb_planes; plane++) {
-        nb_comp = draw->pixelstep[plane];
        p0 = pointer_at(draw, dst, dst_linesize, plane, x0, y0);
        w_sub = w;
        h_sub = h;
@@ -380,17 +369,19 @@ void ff_blend_rectangle(FFDrawContext *draw, FFDrawColor *color,
        subsampling_bounds(draw->vsub[plane], &y_sub, &h_sub, &top, &bottom);
        for (comp = 0; comp < nb_comp; comp++) {
            const int depth = draw->desc->comp[comp].depth;
+            const int offset = draw->desc->comp[comp].offset;
+            const int index = offset / ((depth + 7) / 8);

-            if (!component_used(draw, plane, comp))
+            if (draw->desc->comp[comp].plane != plane)
                continue;
-            p = p0 + comp;
+            p = p0 + offset;
            if (top) {
                if (depth <= 8) {
-                    blend_line(p, color->comp[plane].u8[comp], alpha >> 1,
+                    blend_line(p, color->comp[plane].u8[index], alpha >> 1,
                               draw->pixelstep[plane], w_sub,
                               draw->hsub[plane], left, right);
                } else {
-                    blend_line16(p, color->comp[plane].u16[comp], alpha >> 1,
+                    blend_line16(p, color->comp[plane].u16[index], alpha >> 1,
                                 draw->pixelstep[plane], w_sub,
                                 draw->hsub[plane], left, right);
                }
@@ -398,14 +389,14 @@ void ff_blend_rectangle(FFDrawContext *draw, FFDrawColor *color,
            }
            if (depth <= 8) {
                for (y = 0; y < h_sub; y++) {
-                    blend_line(p, color->comp[plane].u8[comp], alpha,
+                    blend_line(p, color->comp[plane].u8[index], alpha,
                               draw->pixelstep[plane], w_sub,
                               draw->hsub[plane], left, right);
                    p += dst_linesize[plane];
                }
            } else {
                for (y = 0; y < h_sub; y++) {
-                    blend_line16(p, color->comp[plane].u16[comp], alpha,
+                    blend_line16(p, color->comp[plane].u16[index], alpha,
                                 draw->pixelstep[plane], w_sub,
                                 draw->hsub[plane], left, right);
                    p += dst_linesize[plane];
@@ -413,11 +404,11 @@ void ff_blend_rectangle(FFDrawContext *draw, FFDrawColor *color,
            }
            if (bottom) {
                if (depth <= 8) {
-                    blend_line(p, color->comp[plane].u8[comp], alpha >> 1,
+                    blend_line(p, color->comp[plane].u8[index], alpha >> 1,
                               draw->pixelstep[plane], w_sub,
                               draw->hsub[plane], left, right);
                } else {
-                    blend_line16(p, color->comp[plane].u16[comp], alpha >> 1,
+                    blend_line16(p, color->comp[plane].u16[index], alpha >> 1,
                                 draw->pixelstep[plane], w_sub,
                                 draw->hsub[plane], left, right);
                }
@@ -533,6 +524,9 @@ void ff_blend_mask(FFDrawContext *draw, FFDrawColor *color,
    uint8_t *p0, *p;
    const uint8_t *m;

+    nb_comp = draw->desc->nb_components -
+        !!(draw->desc->flags & AV_PIX_FMT_FLAG_ALPHA && !(draw->flags & FF_DRAW_PROCESS_ALPHA));
+
    clip_interval(dst_w, &x0, &mask_w, &xm0);
    clip_interval(dst_h, &y0, &mask_h, &ym0);
    mask += ym0 * mask_linesize;
@@ -548,7 +542,6 @@ void ff_blend_mask(FFDrawContext *draw, FFDrawColor *color,
    nb_planes = draw->nb_planes - !!(draw->desc->flags & AV_PIX_FMT_FLAG_ALPHA && !(draw->flags & FF_DRAW_PROCESS_ALPHA));
    nb_planes += !nb_planes;
    for (plane = 0; plane < nb_planes; plane++) {
-        nb_comp = draw->pixelstep[plane];
        p0 = pointer_at(draw, dst, dst_linesize, plane, x0, y0);
        w_sub = mask_w;
        h_sub = mask_h;
@@ -558,21 +551,23 @@ void ff_blend_mask(FFDrawContext *draw, FFDrawColor *color,
        subsampling_bounds(draw->vsub[plane], &y_sub, &h_sub, &top, &bottom);
        for (comp = 0; comp < nb_comp; comp++) {
            const int depth = draw->desc->comp[comp].depth;
+            const int offset = draw->desc->comp[comp].offset;
+            const int index = offset / ((depth + 7) / 8);

-            if (!component_used(draw, plane, comp))
+            if (draw->desc->comp[comp].plane != plane)
                continue;
-            p = p0 + comp;
+            p = p0 + offset;
            m = mask;
            if (top) {
                if (depth <= 8) {
                    blend_line_hv(p, draw->pixelstep[plane],
-                                  color->comp[plane].u8[comp], alpha,
+                                  color->comp[plane].u8[index], alpha,
                                  m, mask_linesize, l2depth, w_sub,
                                  draw->hsub[plane], draw->vsub[plane],
                                  xm0, left, right, top);
                } else {
                    blend_line_hv16(p, draw->pixelstep[plane],
-                                    color->comp[plane].u16[comp], alpha,
+                                    color->comp[plane].u16[index], alpha,
                                    m, mask_linesize, l2depth, w_sub,
                                    draw->hsub[plane], draw->vsub[plane],
                                    xm0, left, right, top);
@@ -583,7 +578,7 @@ void ff_blend_mask(FFDrawContext *draw, FFDrawColor *color,
            if (depth <= 8) {
                for (y = 0; y < h_sub; y++) {
                    blend_line_hv(p, draw->pixelstep[plane],
-                                  color->comp[plane].u8[comp], alpha,
+                                  color->comp[plane].u8[index], alpha,
                                  m, mask_linesize, l2depth, w_sub,
                                  draw->hsub[plane], draw->vsub[plane],
                                  xm0, left, right, 1 << draw->vsub[plane]);
@@ -593,7 +588,7 @@ void ff_blend_mask(FFDrawContext *draw, FFDrawColor *color,
            } else {
                for (y = 0; y < h_sub; y++) {
                    blend_line_hv16(p, draw->pixelstep[plane],
-                                    color->comp[plane].u16[comp], alpha,
+                                    color->comp[plane].u16[index], alpha,
                                    m, mask_linesize, l2depth, w_sub,
                                    draw->hsub[plane], draw->vsub[plane],
                                    xm0, left, right, 1 << draw->vsub[plane]);
@@ -604,13 +599,13 @@ void ff_blend_mask(FFDrawContext *draw, FFDrawColor *color,
            if (bottom) {
                if (depth <= 8) {
                    blend_line_hv(p, draw->pixelstep[plane],
-                                  color->comp[plane].u8[comp], alpha,
+                                  color->comp[plane].u8[index], alpha,
                                  m, mask_linesize, l2depth, w_sub,
                                  draw->hsub[plane], draw->vsub[plane],
                                  xm0, left, right, bottom);
                } else {
                    blend_line_hv16(p, draw->pixelstep[plane],
-                                    color->comp[plane].u16[comp], alpha,
+                                    color->comp[plane].u16[index], alpha,
                                    m, mask_linesize, l2depth, w_sub,
                                    draw->hsub[plane], draw->vsub[plane],
                                    xm0, left, right, bottom);
--- a/libavfilter/drawutils.h
+++ b/libavfilter/drawutils.h
@@ -37,7 +37,6 @@ typedef struct FFDrawContext {
    enum AVPixelFormat format;
    unsigned nb_planes;
    int pixelstep[MAX_PLANES]; /*< offset between pixels */
-    uint8_t comp_mask[MAX_PLANES]; /*< bitmask of used non-alpha components */
    uint8_t hsub[MAX_PLANES];  /*< horizontal subsampling */
    uint8_t vsub[MAX_PLANES];  /*< vertical subsampling */
    uint8_t hsub_max;
--- a/libavfilter/vf_blend.c
+++ b/libavfilter/vf_blend.c
@@ -279,7 +279,11 @@ static AVFrame *blend_frame(AVFilterContext *ctx, AVFrame *top_buf,
    dst_buf = ff_get_video_buffer(outlink, outlink->w, outlink->h);
    if (!dst_buf)
        return top_buf;
-    av_frame_copy_props(dst_buf, top_buf);
+
+    if (av_frame_copy_props(dst_buf, top_buf) < 0) {
+        av_frame_free(&dst_buf);
+        return top_buf;
+    }

    for (plane = 0; plane < s->nb_planes; plane++) {
        int hsub = plane == 1 || plane == 2 ? s->hsub : 0;
--- a/libavfilter/vf_frei0r.c
+++ b/libavfilter/vf_frei0r.c
@@ -353,15 +353,21 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
 {
    Frei0rContext *s = inlink->dst->priv;
    AVFilterLink *outlink = inlink->dst->outputs[0];
-    AVFrame *out;
+    AVFrame *out = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16);
+    if (!out)
+        goto fail;

-    out = ff_get_video_buffer(outlink, outlink->w, outlink->h);
-    if (!out) {
-        av_frame_free(&in);
-        return AVERROR(ENOMEM);
-    }
    av_frame_copy_props(out, in);

+    if (in->linesize[0] != out->linesize[0]) {
+        AVFrame *in2 = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16);
+        if (!in2)
+            goto fail;
+        av_frame_copy(in2, in);
+        av_frame_free(&in);
+        in = in2;
+    }
+
    s->update(s->instance, in->pts * av_q2d(inlink->time_base) * 1000,
                   (const uint32_t *)in->data[0],
                   (uint32_t *)out->data[0]);
@@ -369,6 +375,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
    av_frame_free(&in);

    return ff_filter_frame(outlink, out);
+fail:
+    av_frame_free(&in);
+    av_frame_free(&out);
+    return AVERROR(ENOMEM);
 }

 static int process_command(AVFilterContext *ctx, const char *cmd, const char *args,
@@ -465,7 +475,7 @@ static int source_config_props(AVFilterLink *outlink)
 static int source_request_frame(AVFilterLink *outlink)
 {
    Frei0rContext *s = outlink->src->priv;
-    AVFrame *frame = ff_get_video_buffer(outlink, outlink->w, outlink->h);
+    AVFrame *frame = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16);

    if (!frame)
        return AVERROR(ENOMEM);
--- a/libavfilter/vf_libplacebo.c
+++ b/libavfilter/vf_libplacebo.c
@@ -47,6 +47,7 @@ typedef struct LibplaceboContext {
    int force_divisible_by;
    int normalize_sar;
    int apply_filmgrain;
+    int apply_dovi;
    int colorspace;
    int color_range;
    int color_primaries;
@@ -281,8 +282,16 @@ static int process_frames(AVFilterContext *avctx, AVFrame *out, AVFrame *in)
    LibplaceboContext *s = avctx->priv;
    struct pl_render_params params;
    struct pl_frame image, target;
-    ok = pl_map_avframe(s->gpu, &image, NULL, in);
-    ok &= pl_map_avframe(s->gpu, &target, NULL, out);
+    ok = pl_map_avframe_ex(s->gpu, &image, pl_avframe_params(
+        .frame    = in,
+        .map_dovi = s->apply_dovi,
+    ));
+
+    ok &= pl_map_avframe_ex(s->gpu, &target, pl_avframe_params(
+        .frame    = out,
+        .map_dovi = false,
+    ));
+
    if (!ok) {
        err = AVERROR_EXTERNAL;
        goto fail;
@@ -381,7 +390,7 @@ fail:

 static int filter_frame(AVFilterLink *link, AVFrame *in)
 {
-    int err;
+    int err, changed_csp;
    AVFilterContext *ctx = link->dst;
    LibplaceboContext *s = ctx->priv;
    AVFilterLink *outlink = ctx->outputs[0];
@@ -400,6 +409,14 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
    out->width = outlink->w;
    out->height = outlink->h;

+    if (s->apply_dovi && av_frame_get_side_data(in, AV_FRAME_DATA_DOVI_METADATA)) {
+        /* Output of dovi reshaping is always BT.2020+PQ, so infer the correct
+         * output colorspace defaults */
+        out->colorspace = AVCOL_SPC_BT2020_NCL;
+        out->color_primaries = AVCOL_PRI_BT2020;
+        out->color_trc = AVCOL_TRC_SMPTE2084;
+    }
+
    if (s->colorspace >= 0)
        out->colorspace = s->colorspace;
    if (s->color_range >= 0)
@@ -409,11 +426,25 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
    if (s->color_primaries >= 0)
        out->color_primaries = s->color_primaries;

-    RET(process_frames(ctx, out, in));
+    changed_csp = in->colorspace      != out->colorspace     ||
+                  in->color_range     != out->color_range    ||
+                  in->color_trc       != out->color_trc      ||
+                  in->color_primaries != out->color_primaries;

+    /* Strip side data if no longer relevant */
+    if (changed_csp) {
+        av_frame_remove_side_data(out, AV_FRAME_DATA_MASTERING_DISPLAY_METADATA);
+        av_frame_remove_side_data(out, AV_FRAME_DATA_CONTENT_LIGHT_LEVEL);
+    }
+    if (s->apply_dovi || changed_csp) {
+        av_frame_remove_side_data(out, AV_FRAME_DATA_DOVI_RPU_BUFFER);
+        av_frame_remove_side_data(out, AV_FRAME_DATA_DOVI_METADATA);
+    }
    if (s->apply_filmgrain)
        av_frame_remove_side_data(out, AV_FRAME_DATA_FILM_GRAIN_PARAMS);

+    RET(process_frames(ctx, out, in));
+
    av_frame_free(&in);

    return ff_filter_frame(outlink, out);
@@ -559,6 +590,7 @@ static const AVOption libplacebo_options[] = {
    { "antiringing", "Antiringing strength (for non-EWA filters)", OFFSET(antiringing), AV_OPT_TYPE_FLOAT, {.dbl = 0.0}, 0.0, 1.0, DYNAMIC },
    { "sigmoid", "Enable sigmoid upscaling", OFFSET(sigmoid), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, DYNAMIC },
    { "apply_filmgrain", "Apply film grain metadata", OFFSET(apply_filmgrain), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, DYNAMIC },
+    { "apply_dolbyvision", "Apply Dolby Vision metadata", OFFSET(apply_dovi), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, DYNAMIC },

    { "deband", "Enable debanding", OFFSET(deband), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DYNAMIC },
    { "deband_iterations", "Deband iterations", OFFSET(deband_iterations), AV_OPT_TYPE_INT, {.i64 = 1}, 0, 16, DYNAMIC },
@@ -620,7 +652,7 @@ static const AVOption libplacebo_options[] = {

    /* Performance/quality tradeoff options */
    { "skip_aa", "Skip anti-aliasing", OFFSET(skip_aa), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 0, DYNAMIC },
-    { "polar_cutoff", "Polar LUT cutoff", OFFSET(polar_cutoff), AV_OPT_TYPE_FLOAT, {.i64 = 0}, 0.0, 1.0, DYNAMIC },
+    { "polar_cutoff", "Polar LUT cutoff", OFFSET(polar_cutoff), AV_OPT_TYPE_FLOAT, {.dbl = 0}, 0.0, 1.0, DYNAMIC },
    { "disable_linear", "Disable linear scaling", OFFSET(disable_linear), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DYNAMIC },
    { "disable_builtin", "Disable built-in scalers", OFFSET(disable_builtin), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DYNAMIC },
    { "force_icc_lut", "Force the use of a full ICC 3DLUT for color mapping", OFFSET(force_icc_lut), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DYNAMIC },
--- a/libavfilter/vf_scale.c
+++ b/libavfilter/vf_scale.c
@@ -488,19 +488,19 @@ static int config_props(AVFilterLink *outlink)
    if ((ret = scale_eval_dimensions(ctx)) < 0)
        goto fail;

-    ff_scale_adjust_dimensions(inlink, &scale->w, &scale->h,
+    outlink->w = scale->w;
+    outlink->h = scale->h;
+
+    ff_scale_adjust_dimensions(inlink, &outlink->w, &outlink->h,
                               scale->force_original_aspect_ratio,
                               scale->force_divisible_by);

-    if (scale->w > INT_MAX ||
-        scale->h > INT_MAX ||
-        (scale->h * inlink->w) > INT_MAX ||
-        (scale->w * inlink->h) > INT_MAX)
+    if (outlink->w > INT_MAX ||
+        outlink->h > INT_MAX ||
+        (outlink->h * inlink->w) > INT_MAX ||
+        (outlink->w * inlink->h) > INT_MAX)
        av_log(ctx, AV_LOG_ERROR, "Rescaled value for width or height is too big.\n");

-    outlink->w = scale->w;
-    outlink->h = scale->h;
-
    /* TODO: make algorithm configurable */

    scale->input_is_pal = desc->flags & AV_PIX_FMT_FLAG_PAL;
@@ -705,9 +705,9 @@ static int scale_frame(AVFilterLink *link, AVFrame *in, AVFrame **frame_out)
            goto scale;

        if (scale->eval_mode == EVAL_MODE_INIT) {
-            snprintf(buf, sizeof(buf)-1, "%d", outlink->w);
+            snprintf(buf, sizeof(buf) - 1, "%d", scale->w);
            av_opt_set(scale, "w", buf, 0);
-            snprintf(buf, sizeof(buf)-1, "%d", outlink->h);
+            snprintf(buf, sizeof(buf) - 1, "%d", scale->h);
            av_opt_set(scale, "h", buf, 0);

            ret = scale_parse_expr(ctx, NULL, &scale->w_pexpr, "width", scale->w_expr);
--- a/libavfilter/vf_showinfo.c
+++ b/libavfilter/vf_showinfo.c
@@ -499,7 +499,7 @@ static void dump_dovi_metadata(AVFilterContext *ctx, const AVFrameSideData *sd)
            av_log(ctx, AV_LOG_INFO, "} ");
        }

-        av_log(ctx, AV_LOG_INFO, "}; nlq_offset=%"PRIu64"; ", nlq->nlq_offset);
+        av_log(ctx, AV_LOG_INFO, "}; nlq_offset=%"PRIu16"; ", nlq->nlq_offset);
        av_log(ctx, AV_LOG_INFO, "vdr_in_max=%"PRIu64"; ", nlq->vdr_in_max);
        switch (mapping->nlq_method_idc) {
        case AV_DOVI_NLQ_LINEAR_DZ:
@@ -654,12 +654,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame)
            av_log(ctx, AV_LOG_INFO, " %08"PRIX32, plane_checksum[plane]);
        av_log(ctx, AV_LOG_INFO, "] mean:[");
        for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++)
-            av_log(ctx, AV_LOG_INFO, "%"PRId64" ", (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]);
-        av_log(ctx, AV_LOG_INFO, "\b] stdev:[");
+            av_log(ctx, AV_LOG_INFO, "%s%"PRId64,
+                   plane ? " ":"",
+                   (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]);
+        av_log(ctx, AV_LOG_INFO, "] stdev:[");
        for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++)
-            av_log(ctx, AV_LOG_INFO, "%3.1f ",
+            av_log(ctx, AV_LOG_INFO, "%s%3.1f",
+                   plane ? " ":"",
                   sqrt((sum2[plane] - sum[plane]*(double)sum[plane]/pixelcount[plane])/pixelcount[plane]));
-        av_log(ctx, AV_LOG_INFO, "\b]");
+        av_log(ctx, AV_LOG_INFO, "]");
    }
    av_log(ctx, AV_LOG_INFO, "\n");

--- a/libavfilter/vf_signature.c
+++ b/libavfilter/vf_signature.c
@@ -219,7 +219,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref)
    dw1 = inlink->w / 32;
    if (inlink->w % 32)
        dw2 = dw1 + 1;
-    denom = (sc->divide) ? dh1 * dh2 * dw1 * dw2 : 1;
+    denom = (sc->divide) ? dh1 * (int64_t)dh2 * dw1 * dw2 : 1;

    for (i = 0; i < 32; i++) {
        rowcount = 0;
@@ -245,7 +245,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref)
        }
    }

-    denom = (sc->divide) ? 1 : dh1 * dh2 * dw1 * dw2;
+    denom = (sc->divide) ? 1 : dh1 * (int64_t)dh2 * dw1 * dw2;

    for (i = 0; i < ELEMENT_COUNT; i++) {
        const ElemCat* elemcat = elements[i];
--- a/libavfilter/vf_subtitles.c
+++ b/libavfilter/vf_subtitles.c
@@ -146,9 +146,13 @@ static int config_input(AVFilterLink *inlink)
    ff_draw_init(&ass->draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0);

    ass_set_frame_size  (ass->renderer, inlink->w, inlink->h);
-    if (ass->original_w && ass->original_h)
+    if (ass->original_w && ass->original_h) {
        ass_set_pixel_aspect(ass->renderer, (double)inlink->w / inlink->h /
                             ((double)ass->original_w / ass->original_h));
+        ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h);
+    } else
+        ass_set_storage_size(ass->renderer, inlink->w, inlink->h);
+
    if (ass->shaping != -1)
        ass_set_shaper(ass->renderer, ass->shaping);

--- a/libavfilter/vf_tonemap.c
+++ b/libavfilter/vf_tonemap.c
@@ -119,18 +119,19 @@ static float mobius(float in, float j, double peak)
 static void tonemap(TonemapContext *s, AVFrame *out, const AVFrame *in,
                    const AVPixFmtDescriptor *desc, int x, int y, double peak)
 {
-    const float *r_in = (const float *)(in->data[0] + x * desc->comp[0].step + y * in->linesize[0]);
-    const float *b_in = (const float *)(in->data[1] + x * desc->comp[1].step + y * in->linesize[1]);
-    const float *g_in = (const float *)(in->data[2] + x * desc->comp[2].step + y * in->linesize[2]);
-    float *r_out = (float *)(out->data[0] + x * desc->comp[0].step + y * out->linesize[0]);
-    float *b_out = (float *)(out->data[1] + x * desc->comp[1].step + y * out->linesize[1]);
-    float *g_out = (float *)(out->data[2] + x * desc->comp[2].step + y * out->linesize[2]);
+    int map[3] = { desc->comp[0].plane, desc->comp[1].plane, desc->comp[2].plane };
+    const float *r_in = (const float *)(in->data[map[0]] + x * desc->comp[map[0]].step + y * in->linesize[map[0]]);
+    const float *g_in = (const float *)(in->data[map[1]] + x * desc->comp[map[1]].step + y * in->linesize[map[1]]);
+    const float *b_in = (const float *)(in->data[map[2]] + x * desc->comp[map[2]].step + y * in->linesize[map[2]]);
+    float *r_out = (float *)(out->data[map[0]] + x * desc->comp[map[0]].step + y * out->linesize[map[0]]);
+    float *g_out = (float *)(out->data[map[1]] + x * desc->comp[map[1]].step + y * out->linesize[map[1]]);
+    float *b_out = (float *)(out->data[map[2]] + x * desc->comp[map[2]].step + y * out->linesize[map[2]]);
    float sig, sig_orig;

    /* load values */
    *r_out = *r_in;
-    *b_out = *b_in;
    *g_out = *g_in;
+    *b_out = *b_in;

    /* desaturate to prevent unnatural colors */
    if (s->desat > 0) {
--- a/libavfilter/vf_vpp_qsv.c
+++ b/libavfilter/vf_vpp_qsv.c
@@ -26,6 +26,7 @@
 #include "libavutil/opt.h"
 #include "libavutil/eval.h"
 #include "libavutil/hwcontext.h"
+#include "libavutil/hwcontext_qsv.h"
 #include "libavutil/pixdesc.h"
 #include "libavutil/mathematics.h"

@@ -139,8 +140,9 @@ static const AVOption options[] = {
    { "height", "Output video height", OFFSET(oh), AV_OPT_TYPE_STRING, { .str="w*ch/cw" }, 0, 255, .flags = FLAGS },
    { "format", "Output pixel format", OFFSET(output_format_str), AV_OPT_TYPE_STRING, { .str = "same" }, .flags = FLAGS },
    { "async_depth", "Internal parallelization depth, the higher the value the higher the latency.", OFFSET(async_depth), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, INT_MAX, .flags = FLAGS },
+#ifdef QSV_HAVE_SCALING_CONFIG
    { "scale_mode", "scale mode: 0=auto, 1=low power, 2=high quality", OFFSET(scale_mode), AV_OPT_TYPE_INT, { .i64 = MFX_SCALING_MODE_DEFAULT }, MFX_SCALING_MODE_DEFAULT, MFX_SCALING_MODE_QUALITY, .flags = FLAGS, "scale mode" },
-
+#endif
    { NULL }
 };

@@ -297,6 +299,32 @@ static int config_input(AVFilterLink *inlink)
    return 0;
 }

+static mfxStatus get_mfx_version(const AVFilterContext *ctx, mfxVersion *mfx_version)
+{
+    const AVFilterLink *inlink = ctx->inputs[0];
+    AVBufferRef *device_ref;
+    AVHWDeviceContext *device_ctx;
+    AVQSVDeviceContext *device_hwctx;
+
+    if (inlink->hw_frames_ctx) {
+        AVHWFramesContext *frames_ctx = (AVHWFramesContext *)inlink->hw_frames_ctx->data;
+        device_ref = frames_ctx->device_ref;
+    } else if (ctx->hw_device_ctx) {
+        device_ref = ctx->hw_device_ctx;
+    } else {
+        // Unavailable hw context doesn't matter in pass-through mode,
+        // so don't error here but let runtime version checks fail by setting to 0.0
+        mfx_version->Major = 0;
+        mfx_version->Minor = 0;
+        return MFX_ERR_NONE;
+    }
+
+    device_ctx   = (AVHWDeviceContext *)device_ref->data;
+    device_hwctx = device_ctx->hwctx;
+
+    return MFXQueryVersion(device_hwctx->session, mfx_version);
+}
+
 static int config_output(AVFilterLink *outlink)
 {
    AVFilterContext *ctx = outlink->src;
@@ -304,6 +332,7 @@ static int config_output(AVFilterLink *outlink)
    QSVVPPParam     param = { NULL };
    QSVVPPCrop      crop  = { 0 };
    mfxExtBuffer    *ext_buf[ENH_FILTERS_COUNT];
+    mfxVersion      mfx_version;
    AVFilterLink    *inlink = ctx->inputs[0];
    enum AVPixelFormat in_format;

@@ -317,6 +346,11 @@ static int config_output(AVFilterLink *outlink)
    param.ext_buf       = ext_buf;
    param.async_depth   = vpp->async_depth;

+    if (get_mfx_version(ctx, &mfx_version) != MFX_ERR_NONE) {
+        av_log(ctx, AV_LOG_ERROR, "Failed to query mfx version.\n");
+        return AVERROR(EINVAL);
+    }
+
    if (inlink->format == AV_PIX_FMT_QSV) {
         if (!inlink->hw_frames_ctx || !inlink->hw_frames_ctx->data)
             return AVERROR(EINVAL);
@@ -467,19 +501,20 @@ static int config_output(AVFilterLink *outlink)
 #endif
    }

-    if (inlink->w != outlink->w || inlink->h != outlink->h) {
 #ifdef QSV_HAVE_SCALING_CONFIG
-        memset(&vpp->scale_conf, 0, sizeof(mfxExtVPPScaling));
-        vpp->scale_conf.Header.BufferId    = MFX_EXTBUFF_VPP_SCALING;
-        vpp->scale_conf.Header.BufferSz    = sizeof(mfxExtVPPScaling);
-        vpp->scale_conf.ScalingMode        = vpp->scale_mode;
+    if (inlink->w != outlink->w || inlink->h != outlink->h) {
+        if (QSV_RUNTIME_VERSION_ATLEAST(mfx_version, 1, 19)) {
+            memset(&vpp->scale_conf, 0, sizeof(mfxExtVPPScaling));
+            vpp->scale_conf.Header.BufferId    = MFX_EXTBUFF_VPP_SCALING;
+            vpp->scale_conf.Header.BufferSz    = sizeof(mfxExtVPPScaling);
+            vpp->scale_conf.ScalingMode        = vpp->scale_mode;

-        param.ext_buf[param.num_ext_buf++] = (mfxExtBuffer*)&vpp->scale_conf;
-#else
-        av_log(ctx, AV_LOG_WARNING, "The QSV VPP Scale option is "
-            "not supported with this MSDK version.\n");
-#endif
+            param.ext_buf[param.num_ext_buf++] = (mfxExtBuffer*)&vpp->scale_conf;
+        } else
+            av_log(ctx, AV_LOG_WARNING, "The QSV VPP Scale option is "
+                "not supported with this MSDK version.\n");
    }
+#endif

    if (vpp->use_frc || vpp->use_crop || vpp->deinterlace || vpp->denoise ||
        vpp->detail || vpp->procamp || vpp->rotate || vpp->hflip ||
--- a/libavfilter/video.c
+++ b/libavfilter/video.c
@@ -24,6 +24,7 @@
 #include <stdio.h>

 #include "libavutil/buffer.h"
+#include "libavutil/cpu.h"
 #include "libavutil/hwcontext.h"
 #include "libavutil/imgutils.h"

@@ -40,7 +41,7 @@ AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h)
    return ff_get_video_buffer(link->dst->outputs[0], w, h);
 }

-AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h)
+AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align)
 {
    AVFrame *frame = NULL;
    int pool_width = 0;
@@ -95,6 +96,11 @@ AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h)
    return frame;
 }

+AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h)
+{
+    return ff_default_get_video_buffer2(link, w, h, av_cpu_max_align());
+}
+
 AVFrame *ff_get_video_buffer(AVFilterLink *link, int w, int h)
 {
    AVFrame *ret = NULL;
--- a/libavfilter/video.h
+++ b/libavfilter/video.h
@@ -24,6 +24,7 @@
 #include "avfilter.h"

 AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h);
+AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align);
 AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h);

 /**
--- a/libavfilter/vsrc_mandelbrot.c
+++ b/libavfilter/vsrc_mandelbrot.c
@@ -134,6 +134,9 @@ static av_cold int init(AVFilterContext *ctx)
    s-> next_cache= av_malloc_array(s->cache_allocated, sizeof(*s-> next_cache));
    s-> zyklus    = av_malloc_array(s->maxiter + 16, sizeof(*s->zyklus));

+    if (!s->point_cache || !s->next_cache || !s->zyklus)
+        return AVERROR(ENOMEM);
+
    return 0;
 }

--- a/libavformat/Makefile
+++ b/libavformat/Makefile
@@ -87,11 +87,11 @@ OBJS-$(CONFIG_AIFF_DEMUXER)              += aiffdec.o aiff.o pcm.o \
 OBJS-$(CONFIG_AIFF_MUXER)                += aiffenc.o aiff.o id3v2enc.o
 OBJS-$(CONFIG_AIX_DEMUXER)               += aixdec.o
 OBJS-$(CONFIG_ALP_DEMUXER)               += alp.o
-OBJS-$(CONFIG_ALP_MUXER)                 += alp.o
-OBJS-$(CONFIG_AMR_DEMUXER)               += amr.o
+OBJS-$(CONFIG_ALP_MUXER)                 += alp.o rawenc.o
+OBJS-$(CONFIG_AMR_DEMUXER)               += amr.o rawdec.o
 OBJS-$(CONFIG_AMR_MUXER)                 += amr.o rawenc.o
-OBJS-$(CONFIG_AMRNB_DEMUXER)             += amr.o
-OBJS-$(CONFIG_AMRWB_DEMUXER)             += amr.o
+OBJS-$(CONFIG_AMRNB_DEMUXER)             += amr.o rawdec.o
+OBJS-$(CONFIG_AMRWB_DEMUXER)             += amr.o rawdec.o
 OBJS-$(CONFIG_AMV_MUXER)                 += amvenc.o
 OBJS-$(CONFIG_ANM_DEMUXER)               += anm.o
 OBJS-$(CONFIG_APC_DEMUXER)               += apc.o
@@ -259,9 +259,11 @@ OBJS-$(CONFIG_IMAGE2PIPE_MUXER)          += img2enc.o img2.o
 OBJS-$(CONFIG_IMAGE2_ALIAS_PIX_DEMUXER)  += img2_alias_pix.o
 OBJS-$(CONFIG_IMAGE2_BRENDER_PIX_DEMUXER) += img2_brender_pix.o
 OBJS-$(CONFIG_IMAGE_BMP_PIPE_DEMUXER)     += img2dec.o img2.o
+OBJS-$(CONFIG_IMAGE_CRI_PIPE_DEMUXER)     += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_DDS_PIPE_DEMUXER)     += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_DPX_PIPE_DEMUXER)     += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_EXR_PIPE_DEMUXER)     += img2dec.o img2.o
+OBJS-$(CONFIG_IMAGE_GEM_PIPE_DEMUXER)     += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_GIF_PIPE_DEMUXER)     += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_J2K_PIPE_DEMUXER)     += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_JPEG_PIPE_DEMUXER)    += img2dec.o img2.o
@@ -271,7 +273,8 @@ OBJS-$(CONFIG_IMAGE_PBM_PIPE_DEMUXER)     += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_PCX_PIPE_DEMUXER)     += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_PGMYUV_PIPE_DEMUXER)  += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_PGM_PIPE_DEMUXER)     += img2dec.o img2.o
-OBJS-$(CONFIG_IMAGE_PHOTOCD_DEMUXER)      += img2dec.o img2.o
+OBJS-$(CONFIG_IMAGE_PGX_PIPE_DEMUXER)     += img2dec.o img2.o
+OBJS-$(CONFIG_IMAGE_PHOTOCD_PIPE_DEMUXER) += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_PICTOR_PIPE_DEMUXER)  += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_PNG_PIPE_DEMUXER)     += img2dec.o img2.o
 OBJS-$(CONFIG_IMAGE_PPM_PIPE_DEMUXER)     += img2dec.o img2.o
@@ -582,9 +585,7 @@ OBJS-$(CONFIG_WAV_DEMUXER)               += wavdec.o pcm.o
 OBJS-$(CONFIG_WAV_MUXER)                 += wavenc.o
 OBJS-$(CONFIG_WC3_DEMUXER)               += wc3movie.o
 OBJS-$(CONFIG_WEBM_MUXER)                += matroskaenc.o matroska.o \
-                                            av1.o avc.o hevc.o isom_tags.o \
-                                            flacenc_header.o avlanguage.o \
-                                            wv.o vorbiscomment.o
+                                            av1.o avlanguage.o
 OBJS-$(CONFIG_WEBM_DASH_MANIFEST_MUXER)  += webmdashenc.o
 OBJS-$(CONFIG_WEBM_CHUNK_MUXER)          += webm_chunk.o
 OBJS-$(CONFIG_WEBP_MUXER)                += webpenc.o
@@ -667,7 +668,7 @@ OBJS-$(CONFIG_UDPLITE_PROTOCOL)          += udp.o ip.o
 OBJS-$(CONFIG_UNIX_PROTOCOL)             += unix.o

 # external library protocols
-OBJS-$(CONFIG_LIBAMQP_PROTOCOL)          += libamqp.o
+OBJS-$(CONFIG_LIBAMQP_PROTOCOL)          += libamqp.o urldecode.o
 OBJS-$(CONFIG_LIBRIST_PROTOCOL)          += librist.o
 OBJS-$(CONFIG_LIBRTMP_PROTOCOL)          += librtmp.o
 OBJS-$(CONFIG_LIBRTMPE_PROTOCOL)         += librtmp.o
--- a/libavformat/aaxdec.c
+++ b/libavformat/aaxdec.c
@@ -249,8 +249,14 @@ static int aax_read_header(AVFormatContext *s)

                start = avio_rb32(pb);
                size  = avio_rb32(pb);
+                if (!size)
+                    return AVERROR_INVALIDDATA;
                a->segments[r].start = start + a->data_offset;
                a->segments[r].end   = a->segments[r].start + size;
+                if (r &&
+                    a->segments[r].start < a->segments[r-1].end &&
+                    a->segments[r].end   > a->segments[r-1].start)
+                    return AVERROR_INVALIDDATA;
            } else
                return AVERROR_INVALIDDATA;
        }
--- a/libavformat/act.c
+++ b/libavformat/act.c
@@ -67,6 +67,7 @@ static int read_header(AVFormatContext *s)
    AVIOContext *pb = s->pb;
    int size;
    AVStream* st;
+    int ret;

    int min,sec,msec;

@@ -76,7 +77,9 @@ static int read_header(AVFormatContext *s)

    avio_skip(pb, 16);
    size=avio_rl32(pb);
-    ff_get_wav_header(s, pb, st->codecpar, size, 0);
+    ret = ff_get_wav_header(s, pb, st->codecpar, size, 0);
+    if (ret < 0)
+        return ret;

    /*
      8000Hz (Fine-rec) file format has 10 bytes long
--- a/libavformat/aiffdec.c
+++ b/libavformat/aiffdec.c
@@ -53,9 +53,9 @@ static enum AVCodecID aiff_codec_get_id(int bps)
 }

 /* returns the size of the found tag */
-static int get_tag(AVIOContext *pb, uint32_t * tag)
+static int64_t get_tag(AVIOContext *pb, uint32_t * tag)
 {
-    int size;
+    int64_t size;

    if (avio_feof(pb))
        return AVERROR(EIO);
@@ -63,16 +63,16 @@ static int get_tag(AVIOContext *pb, uint32_t * tag)
    *tag = avio_rl32(pb);
    size = avio_rb32(pb);

-    if (size < 0)
-        size = 0x7fffffff;
-
    return size;
 }

 /* Metadata string read */
-static void get_meta(AVFormatContext *s, const char *key, int size)
+static void get_meta(AVFormatContext *s, const char *key, int64_t size)
 {
-    uint8_t *str = av_malloc(size+1);
+    uint8_t *str = NULL;
+
+    if (size < SIZE_MAX)
+        str = av_malloc(size+1);

    if (str) {
        int res = avio_read(s->pb, str, size);
@@ -89,7 +89,7 @@ static void get_meta(AVFormatContext *s, const char *key, int size)
 }

 /* Returns the number of sound data frames or negative on error */
-static int get_aiff_header(AVFormatContext *s, int size,
+static int get_aiff_header(AVFormatContext *s, int64_t size,
                                    unsigned version)
 {
    AVIOContext *pb        = s->pb;
@@ -100,9 +100,6 @@ static int get_aiff_header(AVFormatContext *s, int size,
    int sample_rate;
    unsigned int num_frames;

-    if (size == INT_MAX)
-        return AVERROR_INVALIDDATA;
-
    if (size & 1)
        size++;
    par->codec_type = AVMEDIA_TYPE_AUDIO;
@@ -213,7 +210,8 @@ static int aiff_probe(const AVProbeData *p)
 /* aiff input */
 static int aiff_read_header(AVFormatContext *s)
 {
-    int ret, size, filesize;
+    int ret;
+    int64_t filesize, size;
    int64_t offset = 0, position;
    uint32_t tag;
    unsigned version = AIFF_C_VERSION1;
@@ -224,7 +222,7 @@ static int aiff_read_header(AVFormatContext *s)

    /* check FORM header */
    filesize = get_tag(pb, &tag);
-    if (filesize < 0 || tag != MKTAG('F', 'O', 'R', 'M'))
+    if (filesize < 4 || tag != MKTAG('F', 'O', 'R', 'M'))
        return AVERROR_INVALIDDATA;

    /* AIFF data type */
@@ -251,10 +249,7 @@ static int aiff_read_header(AVFormatContext *s)
        if (size < 0)
            return size;

-        if (size >= 0x7fffffff - 8)
-            filesize = 0;
-        else
-            filesize -= size + 8;
+        filesize -= size + 8;

        switch (tag) {
        case MKTAG('C', 'O', 'M', 'M'):     /* Common chunk */
@@ -374,6 +369,8 @@ got_sound:
        av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n");
        return AVERROR_INVALIDDATA;
    }
+    if (aiff->block_duration < 0)
+        return AVERROR_INVALIDDATA;

    /* Now positioned, get the sound data start and end */
    avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate);
@@ -428,7 +425,7 @@ static int aiff_read_packet(AVFormatContext *s,
        pkt->flags &= ~AV_PKT_FLAG_CORRUPT;
    /* Only one stream in an AIFF file */
    pkt->stream_index = 0;
-    pkt->duration     = (res / st->codecpar->block_align) * aiff->block_duration;
+    pkt->duration     = (res / st->codecpar->block_align) * (int64_t) aiff->block_duration;
    return 0;
 }

--- a/libavformat/amr.c
+++ b/libavformat/amr.c
@@ -53,12 +53,10 @@ static int amr_write_header(AVFormatContext *s)
    AVIOContext    *pb  = s->pb;
    AVCodecParameters *par = s->streams[0]->codecpar;

-    s->priv_data = NULL;
-
    if (par->codec_id == AV_CODEC_ID_AMR_NB) {
-        avio_write(pb, AMR_header,   sizeof(AMR_header)   - 1); /* magic number */
+        avio_write(pb, AMR_header,   sizeof(AMR_header));   /* magic number */
    } else if (par->codec_id == AV_CODEC_ID_AMR_WB) {
-        avio_write(pb, AMRWB_header, sizeof(AMRWB_header) - 1); /* magic number */
+        avio_write(pb, AMRWB_header, sizeof(AMRWB_header)); /* magic number */
    } else {
        return -1;
    }
@@ -66,6 +64,7 @@ static int amr_write_header(AVFormatContext *s)
 }
 #endif /* CONFIG_AMR_MUXER */

+#if CONFIG_AMR_DEMUXER
 static int amr_probe(const AVProbeData *p)
 {
    // Only check for "#!AMR" which could be amr-wb, amr-nb.
@@ -92,7 +91,7 @@ static int amr_read_header(AVFormatContext *s)

    read = avio_read(pb, header, sizeof(header));
    if (read < 0)
-        return ret;
+        return read;

    st = avformat_new_stream(s, NULL);
    if (!st)
@@ -140,7 +139,6 @@ static int amr_read_header(AVFormatContext *s)
    return 0;
 }

-#if CONFIG_AMR_DEMUXER
 const AVInputFormat ff_amr_demuxer = {
    .name           = "amr",
    .long_name      = NULL_IF_CONFIG_SMALL("3GPP AMR"),
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -42,8 +42,8 @@

 typedef struct APEFrame {
    int64_t pos;
+    int64_t size;
    int nblocks;
-    int size;
    int skip;
    int64_t pts;
 } APEFrame;
@@ -128,7 +128,7 @@ static void ape_dumpinfo(AVFormatContext * s, APEContext * ape_ctx)

    av_log(s, AV_LOG_DEBUG, "\nFrames\n\n");
    for (i = 0; i < ape_ctx->totalframes; i++)
-        av_log(s, AV_LOG_DEBUG, "%8d   %8"PRId64" %8d (%d samples)\n", i,
+        av_log(s, AV_LOG_DEBUG, "%8d   %8"PRId64" %8"PRId64" (%d samples)\n", i,
               ape_ctx->frames[i].pos, ape_ctx->frames[i].size,
               ape_ctx->frames[i].nblocks);

@@ -146,7 +146,8 @@ static int ape_read_header(AVFormatContext * s)
    AVStream *st;
    uint32_t tag;
    int i, ret;
-    int total_blocks, final_size = 0;
+    int total_blocks;
+    int64_t final_size = 0;
    int64_t pts, file_size;

    /* Skip any leading junk such as id3v2 tags */
@@ -297,6 +298,8 @@ static int ape_read_header(AVFormatContext * s)
            ape->frames[i].pos  -= ape->frames[i].skip;
            ape->frames[i].size += ape->frames[i].skip;
        }
+        if (ape->frames[i].size > INT_MAX - 3)
+            return AVERROR_INVALIDDATA;
        ape->frames[i].size = (ape->frames[i].size + 3) & ~3;
    }
    if (ape->fileversion < 3810) {
@@ -387,7 +390,7 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt)

    if (ape->frames[ape->currentframe].size <= 0 ||
        ape->frames[ape->currentframe].size > INT_MAX - extra_size) {
-        av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n",
+        av_log(s, AV_LOG_ERROR, "invalid packet size: %8"PRId64"\n",
               ape->frames[ape->currentframe].size);
        ape->currentframe++;
        return AVERROR(EIO);
--- a/libavformat/aqtitledec.c
+++ b/libavformat/aqtitledec.c
@@ -74,7 +74,8 @@ static int aqt_read_header(AVFormatContext *s)
            new_event = 1;
            pos = avio_tell(s->pb);
            if (sub) {
-                sub->duration = frame - sub->pts;
+                if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX)
+                    sub->duration = frame - sub->pts;
                sub = NULL;
            }
        } else if (*line) {
--- a/libavformat/argo_asf.c
+++ b/libavformat/argo_asf.c
@@ -423,7 +423,7 @@ static int argo_asf_write_trailer(AVFormatContext *s)
    ArgoASFMuxContext *ctx = s->priv_data;
    int64_t ret;

-    if ((ret = avio_seek(s->pb, ASF_FILE_HEADER_SIZE, SEEK_SET) < 0))
+    if ((ret = avio_seek(s->pb, ASF_FILE_HEADER_SIZE, SEEK_SET)) < 0)
        return ret;

    avio_wl32(s->pb, (uint32_t)ctx->nb_blocks);
--- a/libavformat/argo_cvg.c
+++ b/libavformat/argo_cvg.c
@@ -350,7 +350,7 @@ static int argo_cvg_write_trailer(AVFormatContext *s)
     */
    avio_wl32(s->pb, ctx->checksum);

-    if ((ret = avio_seek(s->pb, 0, SEEK_SET) < 0))
+    if ((ret = avio_seek(s->pb, 0, SEEK_SET)) < 0)
        return ret;

    avio_wl32(s->pb, (uint32_t)ctx->size);
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -103,7 +103,7 @@ typedef struct ASFContext {
    int ts_is_pts;
    int packet_multi_size;
    int packet_time_delta;
-    int packet_time_start;
+    int64_t packet_time_start;
    int64_t packet_pos;

    int stream_index;
@@ -1216,10 +1216,12 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
            if ((ret = av_new_packet(&asf_st->pkt, asf_st->packet_obj_size)) < 0)
                return ret;
            asf_st->seq              = asf->packet_seq;
-            if (asf->ts_is_pts) {
-                asf_st->pkt.pts          = asf->packet_frag_timestamp - asf->hdr.preroll;
-            } else
-                asf_st->pkt.dts          = asf->packet_frag_timestamp - asf->hdr.preroll;
+            if (asf->packet_frag_timestamp != AV_NOPTS_VALUE) {
+                if (asf->ts_is_pts) {
+                    asf_st->pkt.pts          = asf->packet_frag_timestamp - asf->hdr.preroll;
+                } else
+                    asf_st->pkt.dts          = asf->packet_frag_timestamp - asf->hdr.preroll;
+            }
            asf_st->pkt.stream_index = asf->stream_index;
            asf_st->pkt.pos          = asf_st->packet_pos = asf->packet_pos;
            asf_st->pkt_clean        = 0;
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -109,6 +109,7 @@ typedef struct ASFContext {
    int64_t data_offset;
    int64_t first_packet_offset; // packet offset
    int64_t unknown_offset;   // for top level header objects or subobjects without specified behavior
+    int in_asf_read_unknown;

    // ASF file must not contain more than 128 streams according to the specification
    ASFStream *asf_st[ASF_MAX_STREAMS];
@@ -173,7 +174,7 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
    uint64_t size   = avio_rl64(pb);
    int ret;

-    if (size > INT64_MAX)
+    if (size > INT64_MAX || asf->in_asf_read_unknown > 5)
        return AVERROR_INVALIDDATA;

    if (asf->is_header)
@@ -182,8 +183,11 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
    if (!g->is_subobject) {
        if (!(ret = strcmp(g->name, "Header Extension")))
            avio_skip(pb, 22); // skip reserved fields and Data Size
-        if ((ret = detect_unknown_subobject(s, asf->unknown_offset,
-                                            asf->unknown_size)) < 0)
+        asf->in_asf_read_unknown ++;
+        ret = detect_unknown_subobject(s, asf->unknown_offset,
+                                            asf->unknown_size);
+        asf->in_asf_read_unknown --;
+        if (ret < 0)
            return ret;
    } else {
        if (size < 24) {
@@ -1238,6 +1242,8 @@ static int asf_read_packet_header(AVFormatContext *s)
    unsigned char error_flags, len_flags, pay_flags;

    asf->packet_offset = avio_tell(pb);
+    if (asf->packet_offset > INT64_MAX/2)
+        asf->packet_offset = 0;
    error_flags = avio_r8(pb); // read Error Correction Flags
    if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) {
        if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) {
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -79,6 +79,8 @@ typedef struct AVIContext {
    int stream_index;
    DVDemuxContext *dv_demux;
    int odml_depth;
+    int64_t odml_read;
+    int64_t odml_max_pos;
    int use_odml;
 #define MAX_ODML_DEPTH 1000
    int64_t dts_max;
@@ -197,7 +199,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
    st  = s->streams[stream_id];
    ast = st->priv_data;

-    if (index_sub_type)
+    if (index_sub_type || entries_in_use < 0)
        return AVERROR_INVALIDDATA;

    avio_rl32(pb);
@@ -218,11 +220,18 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
    }

    for (i = 0; i < entries_in_use; i++) {
+        avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb));
+
+        // If we read more than there are bytes then we must have been reading something twice
+        if (avi->odml_read > avi->odml_max_pos)
+            return AVERROR_INVALIDDATA;
+
        if (index_type) {
            int64_t pos = avio_rl32(pb) + base - 8;
            int len     = avio_rl32(pb);
            int key     = len >= 0;
            len &= 0x7FFFFFFF;
+            avi->odml_read += 8;

            av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len);

@@ -241,6 +250,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
            int64_t offset, pos;
            int duration;
            int ret;
+            avi->odml_read += 16;

            offset = avio_rl64(pb);
            avio_rl32(pb);       /* size */
@@ -862,6 +872,8 @@ static int avi_read_header(AVFormatContext *s)
                            memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9,
                                   "BottomUp", 9);
                    }
+                    if (st->codecpar->height == INT_MIN)
+                        return AVERROR_INVALIDDATA;
                    st->codecpar->height = FFABS(st->codecpar->height);

 //                    avio_skip(pb, size - 5 * 4);
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -1062,6 +1062,9 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
    if (buf_size <= s->buf_end - s->buf_ptr)
        return 0;

+    if (buf_size > INT_MAX - max_buffer_size)
+        return AVERROR(EINVAL);
+
    buf_size += max_buffer_size - 1;

    if (buf_size + s->buf_ptr - s->buffer <= s->buffer_size || s->seekable || !s->read_packet)
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .4.git
 .0.2