diff --git a/lib/ffmpeg/Changelog b/lib/ffmpeg/Changelog
index 646ae0251..4d131d957 100644
--- a/lib/ffmpeg/Changelog
+++ b/lib/ffmpeg/Changelog
@@ -1,6 +1,773 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.8.18: + lavf/rawenc: Only accept the appropriate stream type for raw muxers. + avformat/icodec: Check for zero streams and stream creation failure + avformat/bintext: Check width in idf_read_header() + avformat/bintext: Check width + configure: update copyright year + avformat/wavdec: Check smv_block_size + avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() + oavformat/avidec: Check offset in odml + avcodec/mxpegdec: Check for AVDISCARD_ALL + avcodec/flicvideo: Check remaining bytes in FLI*COPY + avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return + avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4 + avformat/jacosubdec: Check for min in t overflow in get_shift() + avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet() + avcodec/jpeg2000dec: Check that atom header is within bytsetream + avcodec/apedec: Fix 2 integer overflows in filter_3800() + avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() + avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata + avcodec/webp: Check available space in loop in decode_entropy_coded_image() + avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode + avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init + avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() + avcodec/vc1dec: Disable error concealment for *IMAGE + avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() + avformat/wtvdec: Check for EOF before seeking back in parse_media_type() + avformat/wavdec: Use 64bit in new_pos computation + avformat/sbgdec: Check for overflow in timestamp preparation + avformat/dsicin: Check packet size for overflow + avformat/bfi: check nframes + avformat/avidec: fix position overflow in 
avi_load_index() + avformat/aiffdec: Check for size overflow in header parsing + avformat/mxfdec: Check size for shrinking + avcodec/dnxhddec: check and propagate function return value + swscale/slice: Fix wrong return on error + swscale/slice: Check slice for allocation failure + avformat/matroskadec: Fix handling of huge default durations + avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() + avformat/ftp: Check for av_strtok() failure + tools/cws2fws: Check read() for failure + avcodec/cpia: Fix missing src_size update + avformat/rmdec: Check old_format len for overflow + avformat/realtextdec: Check the pts difference before using it for the duration computation + avformat/qcp: Avoid negative nb_rates + avformat/nutdec: Check tmp_size + avformat/mpc8: Check for position overflow in mpc8_handle_chunk() + avformat/dxa: Check fps to be within the supported range more precissely + avformat/tta: Check for EOF in index reading loop + Update missed irc links + avformat/rpl: The associative law doesnt hold for signed integers in C + avcodec/faxcompr: Check available bits in decode_uncompressed() + avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10 + avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1 + avformat/rpl: Check for EOF and zero framesize + avcodec/svq1enc: Do not print debug RD value before it has been computed + avcodec/aacpsy: Check bandwidth + avfilter/vf_yadif: Fix handing of tiny images + avformat/cinedec: Fix index_entries size check + avcodec/lpc: Avoid floating point division by 0 + avcodec/aacpsy: Avoid floating point division by 0 of norm_fac + avcodec/exr: x/ymax cannot be INT_MAX + avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line() + avcodec/utils: treat PAL8 for jpegs similar to other colorspaces + avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent + avformat/id3v2: Check end for overflow in id3v2_parse() + 
avformat/wtvdec: Improve size overflow checks in parse_chunks() + avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line() + avcodec/dpx: Check bits_per_color earlier + avcodec/pnm_parser: Check image size addition for overflow + avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change() + avformat/mov: Ignore multiple STSC / STCO + avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields() + avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice() + avutil/common: Add FF_PTR_ADD() + avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid + avformat/cafdec: Do not build an index if all packets are the same + avcodec/sonic: Use unsigned temporary in predictor_calc_error() + avformat/flvdec: Check array entry number + avformat/movenc: Avoid loosing cluster array on failure + avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb + avcodec/ffwavesynth: Avoid signed integer overflow in phi_at() + avcodec/mpeg4videoenc: Check extradata malloc() + avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() + avutil/timecode: Avoid fps overflow + avformat/mvi: Check audio size for more overflows + avcodec/ffv1dec: Check if trailer is available + avcodec/4xm: Check pre_gb in decode_i_block() + avformat/flvdec: Check double before cast in parse_keyframes_index() + avformat/paf: Check for EOF before allocation in read_header() + avformat/aiffdec: Check that SSND is at least 8 bytes + avcodec/alsdec: Check bitstream input in read_block() + avformat/mov: Extend data_size check in mov_read_udta_string() + avformat/microdvddec: use 64bit for durations + avcodec/hapdec: Change compressed_offset to unsigned 32bit + avformat/rmdec: Check codec_length without overflow + avformat/nutdec: Check timebase count against main header length + avformat/electronicarts: Clear partial_packet on error + avcodec/pnm_parser: Check av_image_get_buffer_size() for failure + 
avformat/samidec: Sanity check pts + avformat/avidec: Use 64bit in get_duration() + avformat/mvdec: Check for EOF in read_index() + avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular() + avformat/id3v2: Check the return from avio_get_str() + avcodec/hevc_sei: Check payload size in decode_nal_sei_message() + libavutil/eval: Remove CONFIG_TRAPV special handling + avformat/wtvdec: Check len in parse_chunks() to avoid overflow + avformat/4xm: Make audio_frame_count 64bit + avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper + avformat/rmdec: Reorder operations to avoid overflow + avcodec/mxpegdec: fix SOF counting + avformat/rmdec: Fix codecdata_length overflow check + avcodec/simple_idct: Fix undefined integer overflow in idct4row() + avformat/tta: Use 64bit intermediate for index + avcodec/vp3: Check input amount in theora_decode_header() + avformat/wavdec: Check avio_get_str16le() for failure + avformat/flvdec: Check for EOF in amf_skip_tag() + avformat/tedcaptionsdec: Check for overflow in parse_int() + avformat/mpc8: Check size before implicitly converting to int + avformat/nutdec: Fix integer overflow in count computation + avformat/utils: Check dts in update_initial_timestamps() more + avformat/flvdec: Check for avio_read() failure in amf_get_string() + avformat/flvdec: Check for nesting depth in amf_skip_tag() + avformat/flvdec: Check for nesting depth in amf_parse_object() + avformat/asfdec_o: Check for EOF in asf_read_marker() + avformat/utils: Check dts - (1<classifications = 1 +- avcodec/vorbisdec: Check parameters in vorbis_floor0_decode() before divide +- avcodec/apedec: Fix 2 signed overflows +- avcodec/mss3: Check for the rac stream being invalid in rac_normalize() +- avcodec/vc1_block: Check get_vlc2() return before use +- avcodec/apedec: Do not partially clear data array +- avcodec/hnm4video: Forward errors of decode_interframe_v4() +- avcodec/vp3: Check that theora is theora +- avcodec/vc1_pred: Fix invalid shift in scaleforsame() +- 
avcodec/vc1_block: Fix integer overflow in ff_vc1_pred_dc() +- avcodec/truemotion2: Fix several integer overflows in tm2_motion_block() +- avcodec/apedec: make left/right unsigned to avoid undefined behavior +- avcodec/apedec: Fix multiple integer overflows and undefined behaviorin filter_3800() +- avcodec/eatgv: Check remaining size after the keyframe header +- avcodec/assdec: undefined use of memcpy() +- avcodec/brenderpix: Check input size before allocating image +- lafv/wavdec: Fail bext parsing on incomplete reads +- avcodec/vorbisdec: Check vlc for floor0 dec vector offset +- avcodec/vorbisdec: amplitude bits can be more than 25 bits +- avcodec/apedec: Fix various integer overflows +- avcodec/apedec: Fix multiple integer overflows in predictor_update_filter() +- avcodec/alsdec: Fix 2 integer overflows +- avcodec/flicvideo: Make line_packets int +- avcodec/dvbsubdec: Use ff_set_dimensions() +- avcodec/ffwavesynth: Check if there is enough extradata before allocation +- avcodec/ffwavesynth: More correct cast in wavesynth_seek() +- avcodec/ffwavesynth: Check sample rate before use +- avformat/utils: Check rfps_duration_sum for overflow +- avcodec/parser: Check next index validity in ff_combine_frame() +- avcodec/ivi: Ask for samples with odd tiles +- avformat/xmv: Make bitrate 64bit +- avcodec/pngdec: Check that previous_picture has same w/h/format +- avcodec/huffyuv: remove gray8a (the format is listed but not supported by the implementation) +- avcodec/mpc8: Fixes invalid shift in mpc8_decode_frame() +- avcodec/hq_hqa: Use ff_set_dimensions() +- avcodec/rv10: Fix integer overflow in aspect ratio compare +- avcodec/4xm: Fix signed integer overflows in idct() +- avcodec/qdm2: Check checksum_size for 0 +- avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop +- avcodec/qdm2: Do not read out of array in fix_coding_method_array() +- avcodec/svq3: Use ff_set_dimension() +- avcodec/iff: Check ham vs bpp +- avcodec/ffwavesynth: use uint32_t 
to compute difference, it is enough +- avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case +- avcodec/ffwavesynth: Fix backward lcg_seek() +- avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff() +- avcodec/alac: Check lpc_quant +- avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP +- avcodec/alsdec: Fix integer overflow with buffer number +- avcodec/alsdec: Check opt_order / sb_length in ra_block handling +- avcodec/alsdec: Fix integer overflow with shifting samples +- avcodec/alsdec: Fix undefined behavior in decode_rice() +- avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT() +- avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check +- avcodec/qdm2: Move fft_order check up +- avcodec/libvorbisdec: Check extradata size +- avcodec/videodsp_template: Fix overflow of addition +- avcodec/ffwavesynth: Check ts_end - ts_start for overflow +- avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c +- avcodec/tta: Fix undefined shift +- avcodec/bintext: Check font height +- avcodec/binkdsp: Fix integer overflows in idct +- avcodec/motionpixels: Check for vlc error in mp_get_vlc() +- avcodec/loco: Limit lossy parameter so it is sane and does not overflow +- avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed +- avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c() +- avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block() +- avcodec/iff: finetune the palette size check in the mask case +- avcodec/bink: Reorder operations in init to avoid memleak on error +- avformat/wtvdec: Avoid (32bit signed) sectors +- avcodec/bitstream: Check for more conflicting codes in build_table() +- avcodec/bitstream: Check for integer code truncation in build_table() +- avformat/sbgdec: Fixes integer overflow in str_to_time() with hours +- avcodec/mjpegdec: Check for non ls PAL8 +- avcodec/mss4: Check input size against skip bits +- 
avcodec/diracdec: Fix integer overflow in global_mv() +- avcodec/vmnc: Check available space against chunks before reget_buffer() +- avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure) +- avcodec/aacdec_fixed: Handle more extreem cases in noise_scale() +- avcodec/aacdec_template: Merge 3 #ifs related to noise handling +- avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify +- avformat/mp3enc: Avoid SEEK_END as it is unsupported +- avcodec/truemotion2: Fix several integer overflows in tm2_update_block() +- avformat/webm_chunk: Specify expected argument length of get_chunk_filename() +- avformat/webm_chunk: Check header filename length +- avcodec/cpia: Check input size also against linesizes and EOL +- libswcale: Fix possible string overflow in test. +- avcodec/hq_hqa: Check available space before reading slice offsets +- lavf/webm_chunk: Respect buffer size +- avcodec/jvdec: Use ff_get_buffer() when the content is not reused +- avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block() +- avcodec/aacdec_fixed: Fix undefined shift in noise_scale() +- avutil/avstring: Fix bug and undefined behavior in av_strncasecmp() +- avformat/aadec: Check for scanf() failure +- avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside +- avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform() +- avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation +- avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks() +- avcodec/hevcdec: Avoid only partly skiping duplicate first slices +- lavc/bmp: Avoid a heap buffer overwrite for 1bpp input. 
+- avcodec/truemotion2: Fix integer overflow in tm2_null_res_block() +- avcodec/dfa: Check the chunk header is not truncated +- avcodec/dvbsubdec: Check object position +- avcodec/cdgraphics: Use ff_set_dimensions() +- avcodec/qpeg: Limit copy in qpeg_decode_intra() to the available bytes +- avcodec/aic: Check remaining bits in aic_decode_coeffs() +- avcodec/bethsoftvideo: Check block_type +- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() +- avcodec/error_resilience: Use a symmetric check for skipping MV estimation +- avcodec/mlpdec: Insuffient typo +- avcodec/jvdec: Check available input space before decode8x8() +- avformat/webmdashenc: Check id in adaption_sets +- avformat/http: Fix Out-of-Bounds access in process_line() +- avformat/ftp: Fix Out-of-Bounds Access and Information Leak in ftp.c:393 +- avformat/mov.c: require tfhd to begin parsing trun +- avcodec/pgssubdec: Check for duplicate display segments +- avformat/rtsp: Check number of streams in sdp_parse_line() +- avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect() +- avcodec/fic: Check that there is input left in fic_decode_block() +- avutil/mem: Optimize fill32() by unrolling and using 64bit +- configure: bump year +- avcodec/4xm: Fix returned error codes +- avcodec/mjpegbdec: Fix some misplaced {} and spaces +- avformat/wvdec: detect and error out on WavPack DSD files +- avcodec/mips: Fix failed case: hevc-conformance-AMP_A_Samsung_* when enable msa +- avcodec/fic: Fail on invalid slice size/off +- postproc/postprocess_template: Avoid using %4 for the threshold compare +- avcodec/mjpegdec: Fix indention of ljpeg_decode_yuv_scan() +- lavf/id3v2: fail read_apic on EOF reading mimetype +- avformat/nutenc: Document trailer index assert better +- lavf/mov: ensure only one tkhd per trak +- avcodec/msvideo1: Check for too small dimensions +- avcodec/wmv2dec: Skip I frame if its smaller than 1/8 of the minimal size +- avcodec/msmpeg4dec: Skip frame if its smaller than 1/8 of the 
minimal size +- avcodec/truemotion2: fix integer overflows in tm2_low_chroma() +- avutil/mem: Fix invalid use of av_alloc_size +- avcodec/hevcdec: decode at most one slice reporting being the first in the picture +- avfilter/af_silenceremove: fix possible crash if supplied duration is negative +- avcodec/pngdec: Check compression method +- avcodec/shorten: Fix integer overflow with offset +- avcodec/cavsdec: Propagate error codes inside decode_mb_i() +- avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case +- avformat/flvenc: Check audio packet size +- avutil/integer: Fix integer overflow in av_mul_i() +- avcodec/msrle: Check that the input is large enough to contain a end of picture code +- avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling +- avcodec/mpeg4videodec: Fix typo in sprite delta check +- avcodec/h264_cavlc: Check mb_skip_run +- avcodec/ra144: Fix integer overflow in add_wav() +- avformat/utils: Never store negative values in last_IP_duration +- avformat/utils: Fix integer overflow in discontinuity check +- avcodec/unary: Improve get_unary() docs +- avcodec/dvdsubdec: Sanity check len in decode_rle() +- avcodec/mpeg4videodec: Fix undefined shift in get_amv() +- avcodec/zmbv: Check that the decompressed data size is correct +- avcodec/zmbv: Update decomp_len in raw frames +- avcodec/shorten: Fix bitstream end check in read_header() +- avcodec/dvdsubdec: Avoid branch in decode_run_8bit() +- avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking() +- avcodec/ra144: Fix undefined integer overflow in add_wav() +- avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb() +- avcodec/vb: Check for end of bytestream before reading blocktype +- avcodec/snowdec: Fix integer overflow with motion vector residual +- avformat/nsvdec: Do not parse multiple NSVf +- avformat/mlvdec: read_string() received unsigned size, make the argument unsigned +- avcodec/shorten: Fix integer overflow in 
residual/LPC combination +- avcodec/shorten: Check verbatim length +- avcodec/mpegaudio_parser: Initialize poutbuf* +- avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp() +- avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case +- avcodec/diracdec: Prevent integer overflow in intermediate in global_mv() +- swresample/swresample: Fix input channel count in resample_first computation +- avutil/pixfmt: Document chroma plane size for odd resolutions + +version 2.8.15: +- avcodec/dvdsub_parser: Allocate input padding +- avcodec/dvdsub_parser: Init output buf/size +- avcodec/imgconvert: fix possible null pointer dereference +- swresample/arm: rename labels to fix xcode build error +- avformat/utils: fix mixed declarations and code +- libwebpenc_animencoder: add missing braces to struct initialization +- avformat/movenc: Check input sample count +- avcodec/mjpegdec: Check for odd progressive RGB +- avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id +- avformat/mms: Add missing chunksize check +- avformat/pva: Check for EOF before retrying in read_part_of_packet() +- avcodec/indeo4: Check for end of bitstream in decode_mb_info() +- avcodec/shorten: Fix undefined addition in shorten_decode_frame() +- avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration() +- avcodec/jpeg2000dec: Check that there are enough bytes for all tiles +- avcodec/escape124: Fix spelling errors in comment +- avcodec/ra144: Fix integer overflow in ff_eval_refl() +- avcodec/cscd: Check output buffer size for lzo. 
+- avcodec/escape124: Check buf_size against num_superblocks +- avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan() +- avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed() +- avutil/common: Fix undefined behavior in av_clip_uintp2_c() +- fftools/ffmpeg: Fallback to duration if sample rate is unavailable +- avformat/mov: Only set pkt->duration to non negative values +- avcodec/h264_mc_template: Only prefetch motion if the list is used. +- avcodec/xwddec: Use ff_set_dimensions() +- avcodec/wavpack: Fix overflow in adding tail +- avcodec/shorten: Fix multiple integer overflows +- avcodec/shorten: Sanity check nmeans +- avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan() +- avcodec/truemotion2: Fix overflow in tm2_apply_deltas() +- avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c +- avcodec/amrwbdec: Fix division by 0 in find_hb_gain() +- avformat/mov: replace a value error by clipping into valid range in mov_read_stsc() +- avformat/mov: Break out early if chunk_count is 0 in mov_build_index() +- avcodec/fic: Avoid some magic numbers related to cursors +- avcodec/g2meet: ask for sample with overflowing RGB +- avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed() +- avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header() +- avcodec/mlpdec: Only change noise_type if the related fields are valid +- indeo4: Decode all or nothing of a band header. 
+- avformat/mov: Only fail for STCO/STSC contradictions if both exist +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0 +- avcodec/fic: Check available input space for cursor +- avcodec/g2meet: Check RGB upper limit +- avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case +- avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done +- avcodec/g2meet: Change order of operations to avoid undefined behavior +- avcodec/flac_parser: Fix infinite loop +- avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED() +- avcodec/error_resilience: Fix integer overflow in filter181() +- avcodec/h263dec: Check slice_ret in mspeg4 slice loop +- avcodec/elsdec: Fix memleaks +- avcodec/vc1_block: simplify ac_val computation +- avcodec/ffv1enc: Check that the crc + version combination is supported +- lavf/http.c: Free allocated client URLContext in case of error. +- avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame +- avcodec/dsicinvideo: Propagate errors from cin_decode_rle() +- avcodec/dfa: Check dimension against maximum +- avcodec/cinepak: Skip empty frames +- avcodec/cinepak: move some checks prior to frame allocation +- swresample/arm: remove unintentional relocation. +- doc/APIchanges: Fix typos in hashes +- avformat/utils: Check cur_dts in update_initial_timestamps() more +- avcodec/utils: Enforce minimum width also for VP5/6 +- avcodec/truemotion2: Propagate out of bounds error from GET_TOK() +- avcodec/mjpegdec: Check input buffer size. +- lavc/libopusdec: Allow avcodec_open2 to call .close +- avcodec/movtextdec: Check style_start/end +- avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble() +- swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering. 
+- avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed() +- avcodec/cscd: Error out when LZ* decompression fails +- avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list() +- avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame() +- avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables +- avcodec/get_bits: Make sure the input bitstream with padding can be addressed +- avformat/mov: Check STSC and remove invalid entries +- avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it +- avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg +- avcodec/wmalosslessdec: Reset num_saved_bits on error path +- avformat/mov: Fix integer overflows related to sample_duration +- avformat/oggparseogm: Check lb against psize +- avformat/oggparseogm: Fix undefined shift in ogm_packet() +- avformat/avidec: Fix integer overflow in cum_len check +- avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE +- avformat/utils: Fix integer overflow of fps_first/last_dts +- libavformat/oggparsevorbis: Fix memleak on multiple headers +- avcodec/bintext: sanity check dimensions +- avcodec/utvideodec: Check subsample factors +- avcodec/smc: Check input packet size +- avcodec/cavsdec: Check alpha/beta offset +- avcodec/diracdec: Fix integer overflow in mv computation +- avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53() +- avcodec/diracdec: Use int64 in global mv to prevent overflow +- avformat/hvcc: zero initialize the nal buffers past the last written byte + version 2.8.14: - avcodec/vp8: Check for bitstream end before vp7_fade_frame() - avcodec/exr: Check remaining bits in last get code loop diff --git a/lib/ffmpeg/RELEASE b/lib/ffmpeg/RELEASE index 63cb62ffd..e8f6dcdb3 100644 --- a/lib/ffmpeg/RELEASE +++ b/lib/ffmpeg/RELEASE @@ -1 +1 @@ -2.8.14 +2.8.18 diff --git a/lib/ffmpeg/RELEASE_NOTES b/lib/ffmpeg/RELEASE_NOTES index 3f4ccaa99..63d0257e6 100644 
--- a/lib/ffmpeg/RELEASE_NOTES +++ b/lib/ffmpeg/RELEASE_NOTES @@ -11,5 +11,5 @@ We hope you will like this release as much as we enjoyed working on it, and as usual, if you have any questions about it, or any FFmpeg related topic, - feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask on the mailing-lists. diff --git a/lib/ffmpeg/VERSION b/lib/ffmpeg/VERSION index 63cb62ffd..e8f6dcdb3 100644 --- a/lib/ffmpeg/VERSION +++ b/lib/ffmpeg/VERSION @@ -1 +1 @@ -2.8.14 +2.8.18 diff --git a/lib/ffmpeg/configure b/lib/ffmpeg/configure index 908473edf..c7d889d16 100755 --- a/lib/ffmpeg/configure +++ b/lib/ffmpeg/configure @@ -443,7 +443,7 @@ die(){ If you think configure made a mistake, make sure you are using the latest version from Git. If the latest version fails, report the problem to the -ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net. +ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat. EOF if disabled logging; then cat < $TMPH <dts = ist->next_dts; switch (ist->dec_ctx->codec_type) { case AVMEDIA_TYPE_AUDIO: - ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) / - ist->dec_ctx->sample_rate; + if (ist->dec_ctx->sample_rate) { + ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) / + ist->dec_ctx->sample_rate; + } else { + ist->next_dts += av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q); + } break; case AVMEDIA_TYPE_VIDEO: if (ist->framerate.num) { diff --git a/lib/ffmpeg/libavcodec/4xm.c b/lib/ffmpeg/libavcodec/4xm.c index a7a757a07..0539ea5a4 100644 --- a/lib/ffmpeg/libavcodec/4xm.c +++ b/lib/ffmpeg/libavcodec/4xm.c 
@@ -158,7 +158,7 @@ typedef struct FourXContext { #define FIX_1_847759065 121095 #define FIX_2_613125930 171254 -#define MULTIPLY(var, const) (((var) * (const)) >> 16) +#define MULTIPLY(var, const) ((int)((var) * (unsigned)(const)) >> 16) static void idct(int16_t block[64]) { @@ -351,6 +351,8 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, const uint16_t *src, index = size2index[log2h][log2w]; av_assert0(index >= 0); + if (get_bits_left(&f->gb) < 1) + return AVERROR_INVALIDDATA; h = 1 << log2h; code = get_vlc2(&f->gb, block_type_vlc[1 - (f->version > 1)][index].table, BLOCK_TYPE_VLC_BITS, 1); @@ -496,9 +498,9 @@ static int decode_i_block(FourXContext *f, int16_t *block) { int code, i, j, level, val; - if (get_bits_left(&f->gb) < 2){ - av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->gb)); - return -1; + if (get_bits_left(&f->pre_gb) < 2) { + av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->pre_gb)); + return AVERROR_INVALIDDATA; } /* DC coef */ @@ -523,6 +525,10 @@ static int decode_i_block(FourXContext *f, int16_t *block) break; if (code == 0xf0) { i += 16; + if (i >= 64) { + av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i); + return 0; + } } else { if (code & 0xf) { level = get_xbits(&f->gb, code & 0xf); @@ -732,7 +738,7 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length) for (x = 0; x < width; x += 16) { unsigned int color[4] = { 0 }, bits; if (buf_end - buf < 8) - return -1; + return AVERROR_INVALIDDATA; // warning following is purely guessed ... color[0] = bytestream2_get_le16u(&g3); color[1] = bytestream2_get_le16u(&g3); diff --git a/lib/ffmpeg/libavcodec/aacdec.c b/lib/ffmpeg/libavcodec/aacdec.c index 950cec05b..b7b784d91 100644 --- a/lib/ffmpeg/libavcodec/aacdec.c +++ b/lib/ffmpeg/libavcodec/aacdec.c 
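Review bot: In the decode_i_block hunk `@@ -523,6 +525,10 @@` the new `i >= 64` branch logs at AV_LOG_ERROR and then does `return 0;`, so a block whose coefficient run overflows is reported to the caller as decoded successfully, while every other path this commit touches in the file (the bits-left check earlier in decode_i_block, decode_p_block, decode_i2_frame) now returns AVERROR_INVALIDDATA. If keeping the partially filled block and stopping the loop early is deliberate, a one-line comment such as `/* corrupt run: keep what was decoded so far, do not abort the frame */` would stop the next reader from "fixing" it; otherwise `return AVERROR_INVALIDDATA;` is what matches the rest of the change. The body of decode_i_block continues outside the hunk, so how the caller treats a 0 return is not visible here.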
@@ -403,6 +403,8 @@ static int read_stream_mux_config(struct LATMContext *latmctx, } else { int esc; do { + if (get_bits_left(gb) < 9) + return AVERROR_INVALIDDATA; esc = get_bits(gb, 1); skip_bits(gb, 8); } while (esc); diff --git a/lib/ffmpeg/libavcodec/aacdec_fixed.c b/lib/ffmpeg/libavcodec/aacdec_fixed.c index 539f9eefb..b24e6552c 100644 --- a/lib/ffmpeg/libavcodec/aacdec_fixed.c +++ b/lib/ffmpeg/libavcodec/aacdec_fixed.c @@ -154,9 +154,9 @@ static void vector_pow43(int *coefs, int len) for (i=0; i= 0); while (band_energy > 0x7fff) { band_energy >>= 1; nlz++; @@ -215,15 +215,20 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) round = s ? 1 << (s-1) : 0; for (i=0; i> 32); - coefs[i] = ((int)(out+round) >> s) * ssign; + coefs[i] = -((int)(out+round) >> s); } } else { s = s + 32; - round = 1 << (s-1); - for (i=0; i> s); - coefs[i] = out * ssign; + if (s > 0) { + round = 1 << (s-1); + for (i=0; i> s); + coefs[i] = -out; + } + } else { + for (i=0; i> 37); - dest[group * 128 + k] += (tmp + round) >> shift; + dest[group * 128 + k] += (tmp + (int64_t)round) >> shift; } } } @@ -416,7 +421,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, int i, c, shift, round, tmp; const int gain = cce->coup.gain[index][0]; const int *src = cce->ch[0].ret; - int *dest = target->ret; + unsigned int *dest = target->ret; const int len = 1024 << (ac->oc[1].m4ac.sbr == 1); c = cce_scale_fixed[gain & 7]; @@ -433,7 +438,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, else { for (i = 0; i < len; i++) { tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37); - dest[i] += tmp * (1 << shift); + dest[i] += tmp * (1U << shift); } } } diff --git a/lib/ffmpeg/libavcodec/aacdec_template.c b/lib/ffmpeg/libavcodec/aacdec_template.c index 1f87bb8ad..6000fd890 100644 --- a/lib/ffmpeg/libavcodec/aacdec_template.c +++ b/lib/ffmpeg/libavcodec/aacdec_template.c 
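Review bot: `unsigned int *dest = target->ret;` in the apply_independent_coupling_fixed hunk `@@ -416,7 +421,7 @@` initialises an `unsigned int *` from an array that the line just above it (`const int *src = cce->ch[0].ret;`) indicates is `int`, and the aacsbr_fixed.c hunk `@@ -574,7 +574,7 @@` does the same with `unsigned *out = &Y1[i][kx][idx];` where that hunk's own header declares `int Y1[38][64][2]`. In C this is an incompatible-pointer-types assignment — a constraint violation that GCC diagnoses as a warning in older releases and rejects outright since GCC 14 — even though reading the `int` objects through the corresponding unsigned type is allowed by the aliasing rules, so the runtime intent (accumulate in unsigned so the wrap is defined) is sound. An explicit cast keeps that intent and the diagnostic away: `unsigned int *dest = (unsigned int *)target->ret;` and `unsigned *out = (unsigned *)&Y1[i][kx][idx];`. The declaration of `ret` is outside the hunk, so the aacdec_fixed.c part is inferred from `src`.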
@@ -1602,25 +1602,24 @@ static int decode_spectrum_and_dequant(AACContext *ac, INTFLOAT coef[1024], } } else if (cbt_m1 == NOISE_BT - 1) { for (group = 0; group < (AAC_SIGNE)g_len; group++, cfo+=128) { -#if !USE_FIXED - float scale; -#endif /* !USE_FIXED */ INTFLOAT band_energy; - +#if USE_FIXED for (k = 0; k < off_len; k++) { ac->random_state = lcg_random(ac->random_state); -#if USE_FIXED cfo[k] = ac->random_state >> 3; -#else - cfo[k] = ac->random_state; -#endif /* USE_FIXED */ } -#if USE_FIXED band_energy = ac->fdsp->scalarproduct_fixed(cfo, cfo, off_len); band_energy = fixed_sqrt(band_energy, 31); noise_scale(cfo, sf[idx], band_energy, off_len); #else + float scale; + + for (k = 0; k < off_len; k++) { + ac->random_state = lcg_random(ac->random_state); + cfo[k] = ac->random_state; + } + band_energy = ac->fdsp->scalarproduct_float(cfo, cfo, off_len); scale = sf[idx] / sqrtf(band_energy); ac->fdsp->vector_fmul_scalar(cfo, cfo, scale, off_len); @@ -2385,6 +2384,9 @@ static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, INTFLOAT lpc[TNS_MAX_ORDER]; INTFLOAT tmp[TNS_MAX_ORDER+1]; + if(!mmm) + return; + for (w = 0; w < ics->num_windows; w++) { bottom = ics->num_swb; for (filt = 0; filt < tns->n_filt[w]; filt++) { @@ -2549,7 +2551,7 @@ static void imdct_and_windowing(AACContext *ac, SingleChannelElement *sce) ac->mdct.imdct_half(&ac->mdct, buf, in); #if USE_FIXED for (i=0; i<1024; i++) - buf[i] = (buf[i] + 4) >> 3; + buf[i] = (buf[i] + 4LL) >> 3; #endif /* USE_FIXED */ } diff --git a/lib/ffmpeg/libavcodec/aacpsdsp_template.c b/lib/ffmpeg/libavcodec/aacpsdsp_template.c index 3049ce8b7..b555de886 100644 --- a/lib/ffmpeg/libavcodec/aacpsdsp_template.c +++ b/lib/ffmpeg/libavcodec/aacpsdsp_template.c 
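Review bot: The early return `if(!mmm) return;` added to apply_tns in `@@ -2385,6 +2384,9 @@` gives no hint why a zero `mmm` must skip the whole filter, and `mmm` is computed above the hunk, so a reader of this function has nothing to go on; it also departs from the `if (` spacing used by the surrounding code. A short why-comment would carry the rationale that only the changelog currently holds ("skip apply_tns() if max_sfb is 0 (from previous header decode failure)"), e.g. `/* max_sfb == 0 (e.g. after a failed header decode): nothing to filter */` — confirm the wording against how mmm is derived, which is not visible here. The function body continues outside the hunk on both sides.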
@@ -54,10 +54,10 @@ static void ps_hybrid_analysis_c(INTFLOAT (*out)[2], INTFLOAT (*in)[2], INT64FLOAT sum_im = (INT64FLOAT)filter[i][6][0] * in[6][1]; for (j = 0; j < 6; j++) { - INTFLOAT in0_re = in[j][0]; - INTFLOAT in0_im = in[j][1]; - INTFLOAT in1_re = in[12-j][0]; - INTFLOAT in1_im = in[12-j][1]; + INT64FLOAT in0_re = in[j][0]; + INT64FLOAT in0_im = in[j][1]; + INT64FLOAT in1_re = in[12-j][0]; + INT64FLOAT in1_im = in[12-j][1]; sum_re += (INT64FLOAT)filter[i][j][0] * (in0_re + in1_re) - (INT64FLOAT)filter[i][j][1] * (in0_im - in1_im); sum_im += (INT64FLOAT)filter[i][j][0] * (in0_im + in1_im) + diff --git a/lib/ffmpeg/libavcodec/aacpsy.c b/lib/ffmpeg/libavcodec/aacpsy.c index 82b670d49..20e0c3500 100644 --- a/lib/ffmpeg/libavcodec/aacpsy.c +++ b/lib/ffmpeg/libavcodec/aacpsy.c @@ -303,6 +303,9 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) { const int bandwidth = ctx->avctx->cutoff ? ctx->avctx->cutoff : AAC_CUTOFF(ctx->avctx); const float num_bark = calc_bark((float)bandwidth); + if (bandwidth <= 0) + return AVERROR(EINVAL); + ctx->model_priv_data = av_mallocz(sizeof(AacPsyContext)); if (!ctx->model_priv_data) return AVERROR(ENOMEM); @@ -747,7 +750,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, if (pe < 1.15f * desired_pe) { /* 6.6.1.3.6 "Final threshold modification by linearization" */ - norm_fac = 1.0f / norm_fac; + norm_fac = norm_fac ? 1.0f / norm_fac : 0; for (w = 0; w < wi->num_windows*16; w += 16) { for (g = 0; g < num_bands; g++) { AacPsyBand *band = &pch->band[w+g]; diff --git a/lib/ffmpeg/libavcodec/aacsbr_fixed.c b/lib/ffmpeg/libavcodec/aacsbr_fixed.c index 44c899a7f..2addbafb5 100644 --- a/lib/ffmpeg/libavcodec/aacsbr_fixed.c +++ b/lib/ffmpeg/libavcodec/aacsbr_fixed.c @@ -574,7 +574,7 @@ static void sbr_hf_assemble(int Y1[38][64][2], int idx = indexsine&1; int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; - int *out = &Y1[i][kx][idx]; + unsigned *out = &Y1[i][kx][idx]; int shift; unsigned round; 
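Review bot: In psy_3gpp_init the `bandwidth <= 0` guard runs only after `num_bark` has already been computed from that bandwidth on the preceding line, so the invalid value still flows through calc_bark before the function rejects it. Nothing visible here suggests calc_bark misbehaves on a non-positive float, and the result is discarded on the error return, but a guard placed after the use reads as an afterthought; declaring `float num_bark;` with the other locals, putting the check right after the `bandwidth` initialiser, and then assigning `num_bark = calc_bark((float)bandwidth);` keeps the check ahead of the use without mixing declarations and code. psy_3gpp_init continues past the hunk.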
diff --git a/lib/ffmpeg/libavcodec/ac3dec_fixed.c b/lib/ffmpeg/libavcodec/ac3dec_fixed.c index 332a0622f..760b74135 100644 --- a/lib/ffmpeg/libavcodec/ac3dec_fixed.c +++ b/lib/ffmpeg/libavcodec/ac3dec_fixed.c @@ -107,29 +107,30 @@ static void scale_coefs ( } } else { shift = -shift; + mul <<= shift; for (i=0; iextradata && avctx->extradata_size >= 8) { - c->status[0].predictor = AV_RL32(avctx->extradata); - c->status[1].predictor = AV_RL32(avctx->extradata + 4); + c->status[0].predictor = av_clip_intp2(AV_RL32(avctx->extradata ), 18); + c->status[1].predictor = av_clip_intp2(AV_RL32(avctx->extradata + 4), 18); } break; case AV_CODEC_ID_ADPCM_IMA_WS: @@ -277,7 +277,7 @@ static inline short adpcm_ima_oki_expand_nibble(ADPCMChannelStatus *c, int nibbl c->predictor = av_clip_intp2(predictor, 11); c->step_index = step_index; - return c->predictor << 4; + return c->predictor * 16; } static inline short adpcm_ct_expand_nibble(ADPCMChannelStatus *c, char nibble) @@ -357,6 +357,10 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); filter=0; } + if (shift < 0) { + avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift); + shift = 0; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; @@ -367,7 +371,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, d = in[16+i+j*4]; t = sign_extend(d, 4); - s = ( t<>6); + s = t*(1<>6); s_2 = s_1; s_1 = av_clip_int16(s); out0[j] = s_1; 
@@ -382,10 +386,14 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, shift = 12 - (in[5+i*2] & 15); filter = in[5+i*2] >> 4; - if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table)) { + if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table) || shift < 0) { avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); filter=0; } + if (shift < 0) { + avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift); + shift = 0; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; @@ -394,7 +402,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, d = in[16+i+j*4]; t = sign_extend(d >> 4, 4); - s = ( t<>6); + s = t*(1<>6); s_2 = s_1; s_1 = av_clip_int16(s); out1[j] = s_1; @@ -1064,8 +1072,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } } - for (i=0; i<=st; i++) + for (i=0; i<=st; i++) { c->status[i].predictor = bytestream2_get_le32u(&gb); + if (FFABS((int64_t)c->status[i].predictor) > (1<<16)) + return AVERROR_INVALIDDATA; + } for (n = nb_samples >> (1 - st); n > 0; n--) { int byte = bytestream2_get_byteu(&gb); @@ -1213,10 +1224,10 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (count2=0; count2<28; count2++) { if (count2 & 1) - next_sample = sign_extend(byte, 4) << shift; + next_sample = (unsigned)sign_extend(byte, 4) << shift; else { byte = bytestream2_get_byte(&gb); - next_sample = sign_extend(byte >> 4, 4) << shift; + next_sample = (unsigned)sign_extend(byte >> 4, 4) << shift; } next_sample += (current_sample * coeff1) + 
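Review bot: The second channel loop in xa_decode treats a negative shift differently from the first: its filter condition now reads `if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table) || shift < 0) {`, so a bad shift also resets `filter` to 0 and is logged as an "unknown XA-ADPCM filter", whereas the first loop (hunk at -357 above) only handles shift in its dedicated `shift < 0` block. The separate `if (shift < 0)` block added directly below already covers the shift case, so the extra `|| shift < 0` looks like a leftover; dropping it makes both loops behave the same: `if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table)) {`. xa_decode starts and ends outside this hunk.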
@@ -1476,8 +1487,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, int byte = bytestream2_get_byteu(&gb); int index = (byte >> 4) & 7; unsigned int exp = byte & 0x0F; - int factor1 = table[ch][index * 2]; - int factor2 = table[ch][index * 2 + 1]; + int64_t factor1 = table[ch][index * 2]; + int64_t factor2 = table[ch][index * 2 + 1]; /* Decode 14 samples. */ for (n = 0; n < 14 && (i * 14 + n < nb_samples); n++) { @@ -1538,7 +1549,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, else sampledat = sign_extend(byte >> 4, 4); - sampledat = (((sampledat << 12) >> (header & 0xf)) << 6) + prev; + sampledat = ((sampledat * (1 << 12)) >> (header & 0xf)) * (1 << 6) + prev; *samples++ = av_clip_int16(sampledat >> 6); c->status[channel].sample2 = c->status[channel].sample1; c->status[channel].sample1 = sampledat; diff --git a/lib/ffmpeg/libavcodec/aic.c b/lib/ffmpeg/libavcodec/aic.c index 5decc7874..e9be557c6 100644 --- a/lib/ffmpeg/libavcodec/aic.c +++ b/lib/ffmpeg/libavcodec/aic.c @@ -207,6 +207,9 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst, int mb, idx; unsigned val; + if (get_bits_left(gb) < 5) + return AVERROR_INVALIDDATA; + has_skips = get_bits1(gb); coeff_type = get_bits1(gb); coeff_bits = get_bits(gb, 3); diff --git a/lib/ffmpeg/libavcodec/alac.c b/lib/ffmpeg/libavcodec/alac.c index 13607b3e2..36477c9eb 100644 --- a/lib/ffmpeg/libavcodec/alac.c +++ b/lib/ffmpeg/libavcodec/alac.c @@ -167,12 +167,12 @@ static inline int sign_only(int v) return v ? FFSIGN(v) : 0; } -static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, +static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, int nb_samples, int bps, int16_t *lpc_coefs, int lpc_order, int lpc_quant) { int i; - int32_t *pred = buffer_out; + uint32_t *pred = buffer_out; /* first sample always copies */ *buffer_out = *error_buffer; 
@@ -204,27 +204,27 @@ static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, for (; i < nb_samples; i++) { int j; int val = 0; - int error_val = error_buffer[i]; + unsigned error_val = error_buffer[i]; int error_sign; int d = *pred++; /* LPC prediction */ for (j = 0; j < lpc_order; j++) val += (pred[j] - d) * lpc_coefs[j]; - val = (val + (1 << (lpc_quant - 1))) >> lpc_quant; + val = (val + (1LL << (lpc_quant - 1))) >> lpc_quant; val += d + error_val; buffer_out[i] = sign_extend(val, bps); /* adapt LPC coefficients */ error_sign = sign_only(error_val); if (error_sign) { - for (j = 0; j < lpc_order && error_val * error_sign > 0; j++) { + for (j = 0; j < lpc_order && (int)(error_val * error_sign) > 0; j++) { int sign; val = d - pred[j]; sign = sign_only(val) * error_sign; lpc_coefs[j] -= sign; - val *= sign; - error_val -= (val >> lpc_quant) * (j + 1); + val *= (unsigned)sign; + error_val -= (val >> lpc_quant) * (j + 1U); } } } @@ -325,13 +325,16 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, decorr_shift = get_bits(&alac->gb, 8); decorr_left_weight = get_bits(&alac->gb, 8); + if (channels == 2 && decorr_left_weight && decorr_shift > 31) + return AVERROR_INVALIDDATA; + for (ch = 0; ch < channels; ch++) { prediction_type[ch] = get_bits(&alac->gb, 4); lpc_quant[ch] = get_bits(&alac->gb, 4); rice_history_mult[ch] = get_bits(&alac->gb, 3); lpc_order[ch] = get_bits(&alac->gb, 5); - if (lpc_order[ch] >= alac->max_samples_per_frame) + if (lpc_order[ch] >= alac->max_samples_per_frame || !lpc_quant[ch]) return AVERROR_INVALIDDATA; /* read the predictor table */ diff --git a/lib/ffmpeg/libavcodec/aliaspixdec.c b/lib/ffmpeg/libavcodec/aliaspixdec.c index 087b18fb9..def7e17c0 100644 --- a/lib/ffmpeg/libavcodec/aliaspixdec.c +++ b/lib/ffmpeg/libavcodec/aliaspixdec.c 
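Review bot: The new `!lpc_quant[ch]` rejection in decode_element has no comment explaining what it protects, and the reason is only visible in the other hunk of this file: lpc_prediction computes `(val + (1LL << (lpc_quant - 1))) >> lpc_quant`, which is a shift by -1 when lpc_quant is 0. Suggest `/* lpc_quant == 0 would make lpc_prediction shift by -1 */` on the line above the check, and similarly a short note on the `decorr_shift > 31` guard saying which shift it bounds (its use is outside this hunk). decode_element continues beyond the hunk.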
@@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; + if (bytestream2_get_bytes_left(&gb) < width*height / 255) + return AVERROR_INVALIDDATA; + ret = ff_get_buffer(avctx, f, 0); if (ret < 0) return ret; diff --git a/lib/ffmpeg/libavcodec/alsdec.c b/lib/ffmpeg/libavcodec/alsdec.c index d2c3485ee..e8b95c56e 100644 --- a/lib/ffmpeg/libavcodec/alsdec.c +++ b/lib/ffmpeg/libavcodec/alsdec.c @@ -337,6 +337,11 @@ static av_cold int read_specific_config(ALSDecContext *ctx) if (als_id != MKBETAG('A','L','S','\0')) return AVERROR_INVALIDDATA; + if (avctx->channels > FF_SANE_NB_CHANNELS) { + avpriv_request_sample(avctx, "Huge number of channels\n"); + return AVERROR_PATCHWELCOME; + } + ctx->cur_frame_length = sconf->frame_length; // read channel config @@ -477,7 +482,7 @@ static void parse_bs_info(const uint32_t bs_info, unsigned int n, static int32_t decode_rice(GetBitContext *gb, unsigned int k) { int max = get_bits_left(gb) - k; - int q = get_unary(gb, 0, max); + unsigned q = get_unary(gb, 0, max); int r = k ? get_bits1(gb) : !(q & 1); if (k > 1) { @@ -497,7 +502,7 @@ static void parcor_to_lpc(unsigned int k, const int32_t *par, int32_t *cof) int i, j; for (i = 0, j = k - 1; i < j; i++, j--) { - int tmp1 = ((MUL64(par[k], cof[j]) + (1 << 19)) >> 20); + unsigned tmp1 = ((MUL64(par[k], cof[j]) + (1 << 19)) >> 20); cof[j] += ((MUL64(par[k], cof[i]) + (1 << 19)) >> 20); cof[i] += tmp1; } @@ -647,7 +652,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // do not continue in case of a damaged stream since // block_length must be evenly divisible by sub_blocks - if (bd->block_length & (sub_blocks - 1)) { + if (bd->block_length & (sub_blocks - 1) || bd->block_length <= 0) { av_log(avctx, AV_LOG_WARNING, "Block length is not evenly divisible by the number of subblocks.\n"); return AVERROR_INVALIDDATA; 
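Review bot: The message passed to avpriv_request_sample in read_specific_config carries a trailing `\n` (`"Huge number of channels\n"`), unlike every other avpriv_request_sample call in this diff (e.g. `"unknown XA-ADPCM shift %d"`); if, as those other uses suggest, the helper appends its own wording after the description, the embedded newline splits the log line in two. Suggest `avpriv_request_sample(avctx, "Huge number of channels");`. read_specific_config continues outside the hunk.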
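Review bot: The new `bd->block_length <= 0` condition in read_var_block_data is reported with the old message "Block length is not evenly divisible by the number of subblocks.", which is misleading for a zero or negative length; either split the two conditions or generalise the text, e.g. `"Invalid block length %d for %d subblocks.\n"`. The expression `a & b || c` is also the precedence shape gcc's -Wparentheses flags; write `(bd->block_length & (sub_blocks - 1)) || bd->block_length <= 0`. read_var_block_data continues beyond the hunk.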
@@ -762,8 +767,8 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (*bd->use_ltp) { int r, c; - bd->ltp_gain[0] = decode_rice(gb, 1) << 3; - bd->ltp_gain[1] = decode_rice(gb, 2) << 3; + bd->ltp_gain[0] = decode_rice(gb, 1) * 8; + bd->ltp_gain[1] = decode_rice(gb, 2) * 8; r = get_unary(gb, 0, 4); c = get_bits(gb, 2); @@ -774,8 +779,8 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) bd->ltp_gain[2] = ltp_gain_values[r][c]; - bd->ltp_gain[3] = decode_rice(gb, 2) << 3; - bd->ltp_gain[4] = decode_rice(gb, 1) << 3; + bd->ltp_gain[3] = decode_rice(gb, 2) * 8; + bd->ltp_gain[4] = decode_rice(gb, 1) * 8; *bd->ltp_lag = get_bits(gb, ctx->ltp_lag_length); *bd->ltp_lag += FFMAX(4, opt_order + 1); @@ -784,14 +789,20 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // read first value and residuals in case of a random access block if (bd->ra_block) { + start = FFMIN(opt_order, 3); + av_assert0(sb_length <= sconf->frame_length); + if (sb_length <= start) { + // opt_order or sb_length may be corrupted, either way this is unsupported and not well defined in the specification + av_log(avctx, AV_LOG_ERROR, "Sub block length smaller or equal start\n"); + return AVERROR_PATCHWELCOME; + } + if (opt_order) bd->raw_samples[0] = decode_rice(gb, avctx->bits_per_raw_sample - 4); if (opt_order > 1) bd->raw_samples[1] = decode_rice(gb, FFMIN(s[0] + 3, ctx->s_max)); if (opt_order > 2) bd->raw_samples[2] = decode_rice(gb, FFMIN(s[0] + 1, ctx->s_max)); - - start = FFMIN(opt_order, 3); } // read all residuals @@ -805,7 +816,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) unsigned int low; unsigned int value; - ff_bgmc_decode_init(gb, &high, &low, &value); + int ret = ff_bgmc_decode_init(gb, &high, &low, &value); + if (ret < 0) + return ret; current_res = bd->raw_samples + start; 
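Review bot: The new `av_assert0(sb_length <= sconf->frame_length);` in the random-access path of read_var_block_data aborts the process instead of failing the frame; sb_length is derived from the block layout parsed from the stream earlier in this function (outside the hunk), so unless that derivation already bounds it by frame_length by construction, a crafted file turns this into a crash rather than a decode error. If the invariant genuinely holds, the assert deserves a comment saying why; otherwise `if (sb_length > sconf->frame_length) return AVERROR_INVALIDDATA;` is the safer form for a decoder. The function starts and ends outside the hunk.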
@@ -815,6 +828,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; + if (k[sb] >= 32) + return AVERROR_INVALIDDATA; + ff_bgmc_decode(gb, sb_len, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); @@ -910,7 +926,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 6; for (base = begin; base < end; base++, tab++) - y += MUL64(bd->ltp_gain[tab], raw_samples[base]); + y += (uint64_t)MUL64(bd->ltp_gain[tab], raw_samples[base]); raw_samples[ltp_smp] += y >> 7; } @@ -922,7 +938,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 19; for (sb = 0; sb < smp; sb++) - y += MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]); + y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]); *raw_samples++ -= y >> 20; parcor_to_lpc(smp, quant_cof, lpc_cof); @@ -938,7 +954,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // reconstruct difference signal for prediction (joint-stereo) if (bd->js_blocks && bd->raw_other) { - int32_t *left, *right; + uint32_t *left, *right; if (bd->raw_other > raw_samples) { // D = R - L left = raw_samples; @@ -972,7 +988,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 19; for (sb = -opt_order; sb < 0; sb++) - y += MUL64(lpc_cof[sb], raw_samples[sb]); + y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[sb]); *raw_samples -= y >> 20; } @@ -996,6 +1012,10 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) GetBitContext *gb = &ctx->gb; *bd->shift_lsbs = 0; + + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + // read block type flag and read the samples accordingly if (get_bits1(gb)) { ret = read_var_block_data(ctx, bd); 
@@ -1027,7 +1047,7 @@ static int decode_block(ALSDecContext *ctx, ALSBlockData *bd) if (*bd->shift_lsbs) for (smp = 0; smp < bd->block_length; smp++) - bd->raw_samples[smp] <<= *bd->shift_lsbs; + bd->raw_samples[smp] = (unsigned)bd->raw_samples[smp] << *bd->shift_lsbs; return 0; } @@ -1163,10 +1183,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel pair.\n"); for (s = 0; s < div_blocks[b]; s++) - bd[0].raw_samples[s] = bd[1].raw_samples[s] - bd[0].raw_samples[s]; + bd[0].raw_samples[s] = bd[1].raw_samples[s] - (unsigned)bd[0].raw_samples[s]; } else if (bd[1].js_blocks) { for (s = 0; s < div_blocks[b]; s++) - bd[1].raw_samples[s] = bd[1].raw_samples[s] + bd[0].raw_samples[s]; + bd[1].raw_samples[s] = bd[1].raw_samples[s] + (unsigned)bd[0].raw_samples[s]; } offset += div_blocks[b]; @@ -1552,15 +1572,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, #define INTERLEAVE_OUTPUT(bps) \ { \ int##bps##_t *dest = (int##bps##_t*)frame->data[0]; \ + int channels = avctx->channels; \ + int32_t **raw_samples = ctx->raw_samples; \ shift = bps - ctx->avctx->bits_per_raw_sample; \ if (!ctx->cs_switch) { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ - for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[c][sample] << shift; \ + for (c = 0; c < channels; c++) \ + *dest++ = raw_samples[c][sample] * (1U << shift); \ } else { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ - for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[sconf->chan_pos[c]][sample] << shift; \ + for (c = 0; c < channels; c++) \ + *dest++ = raw_samples[sconf->chan_pos[c]][sample] * (1U << shift);\ } \ } 
@@ -1727,6 +1749,8 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate quantized parcor coefficient buffer num_buffers = sconf->mc_coding ? avctx->channels : 1; + if (num_buffers * (uint64_t)num_buffers > INT_MAX) // protect chan_data_buffer allocation + return AVERROR_INVALIDDATA; ctx->quant_cof = av_malloc_array(num_buffers, sizeof(*ctx->quant_cof)); ctx->lpc_cof = av_malloc_array(num_buffers, sizeof(*ctx->lpc_cof)); @@ -1833,7 +1857,6 @@ static av_cold int decode_init(AVCodecContext *avctx) return 0; fail: - decode_end(avctx); return ret; } @@ -1859,4 +1882,5 @@ AVCodec ff_als_decoder = { .decode = decode_frame, .flush = flush, .capabilities = AV_CODEC_CAP_SUBFRAMES | AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; diff --git a/lib/ffmpeg/libavcodec/amrwbdec.c b/lib/ffmpeg/libavcodec/amrwbdec.c index d5e0431f3..bc5e15721 100644 --- a/lib/ffmpeg/libavcodec/amrwbdec.c +++ b/lib/ffmpeg/libavcodec/amrwbdec.c @@ -865,15 +865,20 @@ static float find_hb_gain(AMRWBContext *ctx, const float *synth, { int wsp = (vad > 0); float tilt; + float tmp; if (ctx->fr_cur_mode == MODE_23k85) return qua_hb_gain[hb_idx] * (1.0f / (1 << 14)); - tilt = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1) / - ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); + tmp = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1); + + if (tmp > 0) { + tilt = tmp / ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); + } else + tilt = 0; /* return gain bounded by [0.1, 1.0] */ - return av_clipf((1.0 - FFMAX(0.0, tilt)) * (1.25 - 0.25 * wsp), 0.1, 1.0); + return av_clipf((1.0 - tilt) * (1.25 - 0.25 * wsp), 0.1, 1.0); } /** diff --git a/lib/ffmpeg/libavcodec/anm.c b/lib/ffmpeg/libavcodec/anm.c index 29d59fbce..c3b3ecc62 100644 --- a/lib/ffmpeg/libavcodec/anm.c +++ b/lib/ffmpeg/libavcodec/anm.c 
@@ -119,6 +119,9 @@ static int decode_frame(AVCodecContext *avctx, uint8_t *dst, *dst_end; int count, ret; + if (buf_size < 7) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; dst = s->frame->data[0]; diff --git a/lib/ffmpeg/libavcodec/ansi.c b/lib/ffmpeg/libavcodec/ansi.c index 31405b4a9..293504759 100644 --- a/lib/ffmpeg/libavcodec/ansi.c +++ b/lib/ffmpeg/libavcodec/ansi.c @@ -430,7 +430,8 @@ static int decode_frame(AVCodecContext *avctx, s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0'; break; case ';': - s->nb_args++; + if (s->nb_args < MAX_NB_ARGS) + s->nb_args++; if (s->nb_args < MAX_NB_ARGS) s->args[s->nb_args] = 0; break; diff --git a/lib/ffmpeg/libavcodec/apedec.c b/lib/ffmpeg/libavcodec/apedec.c index 0dbde8276..37ef4e282 100644 --- a/lib/ffmpeg/libavcodec/apedec.c +++ b/lib/ffmpeg/libavcodec/apedec.c @@ -460,7 +460,7 @@ static inline void update_rice(APERice *rice, unsigned int x) if (rice->ksum < lim) rice->k--; - else if (rice->ksum >= (1 << (rice->k + 5))) + else if (rice->ksum >= (1 << (rice->k + 5)) && rice->k < 24) rice->k++; } @@ -554,7 +554,7 @@ static inline int ape_decode_value_3990(APEContext *ctx, APERice *rice) overflow = range_get_symbol(ctx, counts_3980, counts_diff_3980); if (overflow == (MODEL_ELEMENTS - 1)) { - overflow = range_decode_bits(ctx, 16) << 16; + overflow = (unsigned)range_decode_bits(ctx, 16) << 16; overflow |= range_decode_bits(ctx, 16); } @@ -589,7 +589,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, int32_t *out, APERice *rice, int blockstodecode) { int i; - int ksummax, ksummin; + unsigned ksummax, ksummin; rice->ksum = 0; for (i = 0; i < FFMIN(blockstodecode, 5); i++) { 
@@ -610,7 +610,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, ksummin = rice->k ? (1 << rice->k + 6) : 0; for (; i < blockstodecode; i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); - rice->ksum += out[i] - out[i - 64]; + rice->ksum += out[i] - (unsigned)out[i - 64]; while (rice->ksum < ksummin) { rice->k--; ksummin = rice->k ? ksummin >> 1 : 0; @@ -836,7 +836,7 @@ static av_always_inline int filter_fast_3320(APEPredictor *p, else p->coeffsA[filter][0]--; - p->filterA[filter] += p->lastA[filter]; + p->filterA[filter] += (unsigned)p->lastA[filter]; return p->filterA[filter]; } @@ -859,9 +859,9 @@ static av_always_inline int filter_3800(APEPredictor *p, return predictionA; } d2 = p->buf[delayA]; - d1 = (p->buf[delayA] - p->buf[delayA - 1]) << 1; - d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) << 3); - d3 = p->buf[delayB] * 2 - p->buf[delayB - 1]; + d1 = (p->buf[delayA] - (unsigned)p->buf[delayA - 1]) * 2; + d0 = p->buf[delayA] + ((p->buf[delayA - 2] - (unsigned)p->buf[delayA - 1]) * 8); + d3 = p->buf[delayB] * 2U - p->buf[delayB - 1]; d4 = p->buf[delayB]; predictionA = d0 * p->coeffsA[filter][0] + @@ -881,7 +881,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); - p->filterA[filter] = p->filterB[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; } @@ -902,7 +902,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len dotprod = 0; sign = APESIGN(buffer[i]); for (j = 0; j < order; j++) { - dotprod += delay[j] * coeffs[j]; + dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } buffer[i] -= dotprod >> shift; 
@@ -916,7 +916,8 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length) { int i, j; int32_t dotprod, sign; - int32_t coeffs[8] = { 0 }, delay[8] = { 0 }; + int32_t delay[8] = { 0 }; + uint32_t coeffs[8] = { 0 }; for (i = 0; i < length; i++) { dotprod = 0; @@ -928,7 +929,7 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length) for (j = 7; j > 0; j--) delay[j] = delay[j - 1]; delay[0] = buffer[i]; - buffer[i] -= dotprod >> 9; + buffer[i] -= (unsigned)(dotprod >> 9); } } @@ -1051,7 +1052,7 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, d3 * p->coeffsA[filter][3]; p->lastA[filter] = decoded + (predictionA >> 9); - p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; @@ -1121,7 +1122,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayA] = p->lastA[filter]; p->buf[adaptA] = APESIGN(p->buf[delayA]); - p->buf[delayA - 1] = p->buf[delayA] - p->buf[delayA - 1]; + p->buf[delayA - 1] = p->buf[delayA] - (unsigned)p->buf[delayA - 1]; p->buf[adaptA - 1] = APESIGN(p->buf[delayA - 1]); predictionA = p->buf[delayA ] * p->coeffsA[filter][0] + @@ -1130,9 +1131,9 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayA - 3] * p->coeffsA[filter][3]; /* Apply a scaled first-order filter compression */ - p->buf[delayB] = p->filterA[filter ^ 1] - ((p->filterB[filter] * 31) >> 5); + p->buf[delayB] = p->filterA[filter ^ 1] - ((int)(p->filterB[filter] * 31U) >> 5); p->buf[adaptB] = APESIGN(p->buf[delayB]); - p->buf[delayB - 1] = p->buf[delayB] - p->buf[delayB - 1]; + p->buf[delayB - 1] = p->buf[delayB] - (unsigned)p->buf[delayB - 1]; p->buf[adaptB - 1] = APESIGN(p->buf[delayB - 1]); p->filterB[filter] = p->filterA[filter ^ 1]; 
@@ -1142,8 +1143,8 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayB - 3] * p->coeffsB[filter][3] + p->buf[delayB - 4] * p->coeffsB[filter][4]; - p->lastA[filter] = decoded + ((predictionA + (predictionB >> 1)) >> 10); - p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5); + p->lastA[filter] = decoded + ((int)((unsigned)predictionA + (predictionB >> 1)) >> 10); + p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); p->coeffsA[filter][0] += p->buf[adaptA ] * sign; @@ -1202,14 +1203,14 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) A = *decoded0; p->buf[YDELAYA] = currentA; - p->buf[YDELAYA - 1] = p->buf[YDELAYA] - p->buf[YDELAYA - 1]; + p->buf[YDELAYA - 1] = p->buf[YDELAYA] - (unsigned)p->buf[YDELAYA - 1]; predictionA = p->buf[YDELAYA ] * p->coeffsA[0][0] + p->buf[YDELAYA - 1] * p->coeffsA[0][1] + p->buf[YDELAYA - 2] * p->coeffsA[0][2] + p->buf[YDELAYA - 3] * p->coeffsA[0][3]; - currentA = A + (predictionA >> 10); + currentA = A + (unsigned)(predictionA >> 10); p->buf[YADAPTCOEFFSA] = APESIGN(p->buf[YDELAYA ]); p->buf[YADAPTCOEFFSA - 1] = APESIGN(p->buf[YDELAYA - 1]); @@ -1229,7 +1230,7 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) p->buf = p->historybuffer; } - p->filterA[0] = currentA + ((p->filterA[0] * 31) >> 5); + p->filterA[0] = currentA + (unsigned)((int)(p->filterA[0] * 31U) >> 5); *(decoded0++) = p->filterA[0]; } @@ -1266,8 +1267,8 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, f->delay - order, f->adaptcoeffs - order, order, APESIGN(*data)); - res = (res + (1 << (fracbits - 1))) >> fracbits; - res += *data; + res = (int)(res + (1U << (fracbits - 1))) >> fracbits; + res += (unsigned)*data; *data++ = res; /* Update the output history */ 
@@ -1282,14 +1283,14 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, /* Version 3.98 and later files */ /* Update the adaption coefficients */ - absres = FFABS(res); + absres = res < 0 ? -(unsigned)res : res; if (absres) *f->adaptcoeffs = ((res & (-1<<31)) ^ (-1<<30)) >> (25 + (absres <= f->avg*3) + (absres <= f->avg*4/3)); else *f->adaptcoeffs = 0; - f->avg += (absres - f->avg) / 16; + f->avg += (int)(absres - (unsigned)f->avg) / 16; f->adaptcoeffs[-1] >>= 1; f->adaptcoeffs[-2] >>= 1; @@ -1368,7 +1369,7 @@ static void ape_unpack_mono(APEContext *ctx, int count) static void ape_unpack_stereo(APEContext *ctx, int count) { - int32_t left, right; + unsigned left, right; int32_t *decoded0 = ctx->decoded[0]; int32_t *decoded1 = ctx->decoded[1]; @@ -1385,7 +1386,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count) /* Decorrelate and scale to output depth */ while (count--) { - left = *decoded1 - (*decoded0 / 2); + left = *decoded1 - (unsigned)(*decoded0 / 2); right = left + *decoded0; *(decoded0++) = left; @@ -1443,7 +1444,8 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, if (s->fileversion >= 3900) { if (offset > 3) { av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n"); - s->data = NULL; + av_freep(&s->data); + s->data_size = 0; return AVERROR_INVALIDDATA; } if (s->data_end - s->ptr < offset) { @@ -1491,7 +1493,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); - memset(s->decoded_buffer, 0, s->decoded_size); + memset(s->decoded_buffer, 0, decoded_buffer_size); s->decoded[0] = s->decoded_buffer; s->decoded[1] = s->decoded_buffer + FFALIGN(blockstodecode, 8); 
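Review bot: The hunk converts the absres/avg arithmetic in do_apply_filter to unsigned to avoid signed overflow, but the adjacent context line `*f->adaptcoeffs = ((res & (-1<<31)) ^ (-1<<30)) >> ...` still left-shifts a negative constant, which is undefined in C and exactly the class of issue this backport is chasing. Assuming APESIGN is the usual ±1 sign macro used elsewhere in this file, the same value is `-APESIGN(res) * (32 >> ((absres <= f->avg*3) + (absres <= f->avg*4/3)))`, which shifts no negative operand; alternatively keep the mask form as `(int)((res & 0x80000000u) ^ 0xC0000000u) >> (...)` so the arithmetic right shift is still applied to a signed value. do_apply_filter continues outside the hunk.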
@@ -1533,7 +1535,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample24 = (int32_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample24++ = s->decoded[ch][i] << 8; + *sample24++ = s->decoded[ch][i] * 256U; } break; } diff --git a/lib/ffmpeg/libavcodec/assdec.c b/lib/ffmpeg/libavcodec/assdec.c index 11dbde0b8..1dbb15391 100644 --- a/lib/ffmpeg/libavcodec/assdec.c +++ b/lib/ffmpeg/libavcodec/assdec.c @@ -32,7 +32,8 @@ static av_cold int ass_decode_init(AVCodecContext *avctx) avctx->subtitle_header = av_malloc(avctx->extradata_size + 1); if (!avctx->subtitle_header) return AVERROR(ENOMEM); - memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size); + if (avctx->extradata_size) + memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size); avctx->subtitle_header[avctx->extradata_size] = 0; avctx->subtitle_header_size = avctx->extradata_size; avctx->priv_data = ff_ass_split(avctx->extradata); diff --git a/lib/ffmpeg/libavcodec/atrac3.c b/lib/ffmpeg/libavcodec/atrac3.c index 4bdb63f98..0ecbb8617 100644 --- a/lib/ffmpeg/libavcodec/atrac3.c +++ b/lib/ffmpeg/libavcodec/atrac3.c @@ -882,7 +882,7 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } - if (avctx->block_align >= UINT_MAX / 2) + if (avctx->block_align > 1024 || avctx->block_align <= 0) return AVERROR(EINVAL); q->decoded_bytes_buffer = av_mallocz(FFALIGN(avctx->block_align, 4) + diff --git a/lib/ffmpeg/libavcodec/atrac3plus.c b/lib/ffmpeg/libavcodec/atrac3plus.c index b16a13971..9dc1ac0f1 100644 --- a/lib/ffmpeg/libavcodec/atrac3plus.c +++ b/lib/ffmpeg/libavcodec/atrac3plus.c 
@@ -459,6 +459,10 @@ static int decode_channel_wordlen(GetBitContext *gb, Atrac3pChanUnitCtx *ctx, } else if (chan->fill_mode == 3) { pos = ch_num ? chan->num_coded_vals + chan->split_point : ctx->num_quant_units - chan->split_point; + if (pos > FF_ARRAY_ELEMS(chan->qu_wordlen)) { + av_log(avctx, AV_LOG_ERROR, "Split point beyond array\n"); + pos = FF_ARRAY_ELEMS(chan->qu_wordlen); + } for (i = chan->num_coded_vals; i < pos; i++) chan->qu_wordlen[i] = 1; } diff --git a/lib/ffmpeg/libavcodec/audiodsp.c b/lib/ffmpeg/libavcodec/audiodsp.c index 85b5a7494..3a60c2c91 100644 --- a/lib/ffmpeg/libavcodec/audiodsp.c +++ b/lib/ffmpeg/libavcodec/audiodsp.c @@ -79,7 +79,7 @@ static void vector_clipf_c(float *dst, const float *src, static int32_t scalarproduct_int16_c(const int16_t *v1, const int16_t *v2, int order) { - int res = 0; + unsigned res = 0; while (order--) res += *v1++ **v2++; diff --git a/lib/ffmpeg/libavcodec/avcodec.h b/lib/ffmpeg/libavcodec/avcodec.h index fe68b9abc..4c1c31a4e 100644 --- a/lib/ffmpeg/libavcodec/avcodec.h +++ b/lib/ffmpeg/libavcodec/avcodec.h @@ -532,10 +532,6 @@ enum AVCodecID { AV_CODEC_ID_ASS = MKBETAG('A','S','S',' '), ///< ASS as defined in Matroska AV_CODEC_ID_HDMV_TEXT_SUBTITLE = MKBETAG('B','D','T','X'), - /* data codecs */ - AV_CODEC_ID_VBI_DATA= 0x17500, - AV_CODEC_ID_VBI_TELETEXT, - /* other specific kind of codecs (generally used for attachments) */ AV_CODEC_ID_FIRST_UNKNOWN = 0x18000, ///< A dummy ID pointing at the start of various fake codecs. AV_CODEC_ID_TTF = 0x18000, @@ -2818,7 +2814,6 @@ typedef struct AVCodecContext { #define FF_BUG_DC_CLIP 4096 #define FF_BUG_MS 8192 ///< Work around various bugs in Microsoft's broken decoders. #define FF_BUG_TRUNCATED 16384 -#define FF_BUG_GMC_UNSUPPORTED 32768 /** * strictly follow the standard (MPEG4, ...). diff --git a/lib/ffmpeg/libavcodec/avdct.c b/lib/ffmpeg/libavcodec/avdct.c index 3b622bac2..fcd56602f 100644 --- a/lib/ffmpeg/libavcodec/avdct.c +++ b/lib/ffmpeg/libavcodec/avdct.c 
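Review bot: `pos` in decode_channel_wordlen is compared against `FF_ARRAY_ELEMS(chan->qu_wordlen)` (a size_t) in a signed/unsigned comparison; pos is computed as a difference (`ctx->num_quant_units - chan->split_point`) and, if that can go negative, it converts to a huge unsigned value, the clamp then sets pos to the array size and the loop writes 1 into every entry from num_coded_vals upward instead of rejecting the stream. Writes stay in bounds either way, but an error log followed by silent continuation is worth a second look; returning AVERROR_INVALIDDATA, or at least `if (pos < 0 || pos > (int)FF_ARRAY_ELEMS(chan->qu_wordlen))`, makes the intent explicit. The function continues outside the hunk.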
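Review bot: Deleting `AV_CODEC_ID_VBI_DATA`, `AV_CODEC_ID_VBI_TELETEXT` and `FF_BUG_GMC_UNSUPPORTED` from the public avcodec.h is a source-level API change for anything in this tree that references them, and nothing in the diff shows the corresponding users being removed, so a tree-wide grep for these three names should accompany the change. As far as I can tell these identifiers are not part of upstream FFmpeg 2.8, which suggests they were local additions being dropped by the re-sync; if so, one line in the commit message saying that would save the next reader the archaeology.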
@@ -109,7 +109,7 @@ int avcodec_dct_init(AVDCT *dsp) #if CONFIG_IDCTDSP { - IDCTDSPContext idsp; + IDCTDSPContext idsp = {0}; ff_idctdsp_init(&idsp, avctx); COPY(idsp, idct); COPY(idsp, idct_permutation); diff --git a/lib/ffmpeg/libavcodec/bethsoftvideo.c b/lib/ffmpeg/libavcodec/bethsoftvideo.c index 97b745d38..9fe26e81f 100644 --- a/lib/ffmpeg/libavcodec/bethsoftvideo.c +++ b/lib/ffmpeg/libavcodec/bethsoftvideo.c @@ -109,6 +109,11 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, if(yoffset >= avctx->height) return AVERROR_INVALIDDATA; dst += vid->frame->linesize[0] * yoffset; + case VIDEO_P_FRAME: + case VIDEO_I_FRAME: + break; + default: + return AVERROR_INVALIDDATA; } // main code diff --git a/lib/ffmpeg/libavcodec/bgmc.c b/lib/ffmpeg/libavcodec/bgmc.c index 1a6817b73..2d59aa37a 100644 --- a/lib/ffmpeg/libavcodec/bgmc.c +++ b/lib/ffmpeg/libavcodec/bgmc.c @@ -485,12 +485,17 @@ av_cold void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status) /** Initialize decoding and reads the first value */ -void ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, +int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, unsigned int *l, unsigned int *v) { + if (get_bits_left(gb) < VALUE_BITS) + return AVERROR_INVALIDDATA; + *h = TOP_VALUE; *l = 0; *v = get_bits_long(gb, VALUE_BITS); + + return 0; } diff --git a/lib/ffmpeg/libavcodec/bgmc.h b/lib/ffmpeg/libavcodec/bgmc.h index 4893736af..466df31a2 100644 --- a/lib/ffmpeg/libavcodec/bgmc.h +++ b/lib/ffmpeg/libavcodec/bgmc.h @@ -40,7 +40,7 @@ int ff_bgmc_init(AVCodecContext *avctx, uint8_t **cf_lut, int **cf_lut_status); void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status); -void ff_bgmc_decode_init(GetBitContext *gb, +int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, unsigned int *l, unsigned int *v); diff --git a/lib/ffmpeg/libavcodec/bink.c b/lib/ffmpeg/libavcodec/bink.c index 131eaa16f..f24acaed6 100644 --- a/lib/ffmpeg/libavcodec/bink.c +++ b/lib/ffmpeg/libavcodec/bink.c 
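Review bot: The `dst += vid->frame->linesize[0] * yoffset;` line of the preceding case now falls through into the new `case VIDEO_P_FRAME: case VIDEO_I_FRAME: break;` labels in bethsoftvid_decode_frame; that is presumably intended, but it is an unmarked fall-through that -Wimplicit-fallthrough will flag, so add `/* fall through */` after the `dst +=` line. The switch opens outside the hunk, so which case label the `yoffset` line belongs to is not visible here.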
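Review bot: ff_bgmc_decode_init now returns an error code, but the doc comment above it still reads "Initialize decoding and reads the first value" with no mention of the return; update it to `/** Initialize decoding and read the first value. Returns 0 on success or AVERROR_INVALIDDATA if fewer than VALUE_BITS bits remain. */`. The matching prototype in bgmc.h carries no comment at all, so the same text could go there too.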
@@ -1299,13 +1299,13 @@ static av_cold int decode_init(AVCodecContext *avctx)
 }
 c->avctx = avctx;
+ if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
+ return ret;
+
 c->last = av_frame_alloc();
 if (!c->last)
 return AVERROR(ENOMEM);
- if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0)
- return ret;
-
 avctx->pix_fmt = c->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P;
 ff_blockdsp_init(&c->bdsp, avctx);
diff --git a/lib/ffmpeg/libavcodec/binkaudio.c b/lib/ffmpeg/libavcodec/binkaudio.c
index 5cc23311f..21e737a19 100644
--- a/lib/ffmpeg/libavcodec/binkaudio.c
+++ b/lib/ffmpeg/libavcodec/binkaudio.c
@@ -93,6 +93,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
 if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) {
 // audio is already interleaved for the RDFT format variant
 avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
+ if (sample_rate > INT_MAX / avctx->channels)
+ return AVERROR_INVALIDDATA;
 sample_rate *= avctx->channels;
 s->channels = 1;
 if (!s->version_b)
@@ -105,7 +107,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
 s->frame_len = 1 << frame_len_bits;
 s->overlap_len = s->frame_len / 16;
 s->block_size = (s->frame_len - s->overlap_len) * s->channels;
- sample_rate_half = (sample_rate + 1) / 2;
+ sample_rate_half = (sample_rate + 1LL) / 2;
 if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT)
 s->root = 2.0 / (sqrt(s->frame_len) * 32768.0);
 else
diff --git a/lib/ffmpeg/libavcodec/binkdsp.c b/lib/ffmpeg/libavcodec/binkdsp.c
index 9d70e2326..a357d3167 100644
--- a/lib/ffmpeg/libavcodec/binkdsp.c
+++ b/lib/ffmpeg/libavcodec/binkdsp.c
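Review bot: `INT_MAX / avctx->channels` divides by zero when `channels` is 0, and the new guard sits before the multiplication rather than after any channel validation; if `avctx->channels < 1` is not already rejected earlier in decode_init (outside the hunk), the check should read `if (avctx->channels < 1 || sample_rate > INT_MAX / avctx->channels)`. The `1LL` promotion in the second hunk is only complete if `sample_rate_half` is wide enough for the result, which its declaration outside the hunk would show.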
@@ -33,20 +33,22 @@
 #define A3 3784
 #define A4 -5352
+#define MUL(X,Y) ((int)((unsigned)(X) * (Y)) >> 11)
+
 #define IDCT_TRANSFORM(dest,s0,s1,s2,s3,s4,s5,s6,s7,d0,d1,d2,d3,d4,d5,d6,d7,munge,src) {\
 const int a0 = (src)[s0] + (src)[s4]; \
 const int a1 = (src)[s0] - (src)[s4]; \
 const int a2 = (src)[s2] + (src)[s6]; \
- const int a3 = (A1*((src)[s2] - (src)[s6])) >> 11; \
+ const int a3 = MUL(A1, (src)[s2] - (src)[s6]); \
 const int a4 = (src)[s5] + (src)[s3]; \
 const int a5 = (src)[s5] - (src)[s3]; \
 const int a6 = (src)[s1] + (src)[s7]; \
 const int a7 = (src)[s1] - (src)[s7]; \
 const int b0 = a4 + a6; \
- const int b1 = (A3*(a5 + a7)) >> 11; \
- const int b2 = ((A4*a5) >> 11) - b0 + b1; \
- const int b3 = (A1*(a6 - a4) >> 11) - b2; \
- const int b4 = ((A2*a7) >> 11) + b3 - b1; \
+ const int b1 = MUL(A3, a5 + a7); \
+ const int b2 = MUL(A4, a5) - b0 + b1; \
+ const int b3 = MUL(A1, a6 - a4) - b2; \
+ const int b4 = MUL(A2, a7) + b3 - b1; \
 (dest)[d0] = munge(a0+a2 +b0); \
 (dest)[d1] = munge(a1+a3-a2+b2); \
 (dest)[d2] = munge(a1-a3+a2+b3); \
diff --git a/lib/ffmpeg/libavcodec/bintext.c b/lib/ffmpeg/libavcodec/bintext.c
index 90bbe67b5..8e5c44446 100644
--- a/lib/ffmpeg/libavcodec/bintext.c
+++ b/lib/ffmpeg/libavcodec/bintext.c
@@ -35,6 +35,8 @@
 #include "bintext.h"
 #include "internal.h"
+#define FONT_WIDTH 8
+
 typedef struct XbinContext {
 AVFrame *frame;
 int palette[16];
@@ -61,6 +63,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
 av_log(avctx, AV_LOG_ERROR, "not enough extradata\n");
 return AVERROR_INVALIDDATA;
 }
+ if (!s->font_height) {
+ av_log(avctx, AV_LOG_ERROR, "invalid font height\n");
+ return AVERROR_INVALIDDATA;
+ }
 } else {
 s->font_height = 8;
 s->flags = 0;
@@ -91,6 +97,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
 break;
 }
 }
+ if (avctx->width < FONT_WIDTH || avctx->height < s->font_height)
+ return AVERROR_INVALIDDATA;
+
 s->frame = av_frame_alloc();
 if (!s->frame)
@@ -113,8 +122,6 @@ av_unused static void hscroll(AVCodecContext *avctx)
 }
 }
-#define FONT_WIDTH 8
-
 /**
 * Draw character to screen
 */
diff --git a/lib/ffmpeg/libavcodec/bitstream.c b/lib/ffmpeg/libavcodec/bitstream.c
index 924cc519a..0e85f6906 100644
--- a/lib/ffmpeg/libavcodec/bitstream.c
+++ b/lib/ffmpeg/libavcodec/bitstream.c
@@ -194,8 +194,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
 }
 for (k = 0; k < nb; k++) {
 int bits = table[j][1];
+ int oldsym = table[j][0];
 ff_dlog(NULL, "%4x: code=%d n=%d\n", j, i, n);
- if (bits != 0 && bits != n) {
+ if ((bits || oldsym) && (bits != n || oldsym != symbol)) {
 av_log(NULL, AV_LOG_ERROR, "incorrect codes\n");
 return AVERROR_INVALIDDATA;
 }
@@ -232,6 +233,10 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes,
 /* note: realloc has been done, so reload tables */
 table = (volatile VLC_TYPE (*)[2])&vlc->table[table_index];
 table[j][0] = index; //code
+ if (table[j][0] != index) {
+ avpriv_request_sample(NULL, "strange codes");
+ return AVERROR_PATCHWELCOME;
+ }
 i = k-1;
 }
 }
diff --git a/lib/ffmpeg/libavcodec/bmp.c b/lib/ffmpeg/libavcodec/bmp.c
index 42270da6e..9a613672c 100644
--- a/lib/ffmpeg/libavcodec/bmp.c
+++ b/lib/ffmpeg/libavcodec/bmp.c
@@ -286,7 +286,7 @@ static int bmp_decode_frame(AVCodecContext *avctx,
 case 1:
 for (i = 0; i < avctx->height; i++) {
 int j;
- for (j = 0; j < n; j++) {
+ for (j = 0; j < avctx->width >> 3; j++) {
 ptr[j*8+0] = buf[j] >> 7;
 ptr[j*8+1] = (buf[j] >> 6) & 1;
 ptr[j*8+2] = (buf[j] >> 5) & 1;
@@ -296,6 +296,9 @@ static int bmp_decode_frame(AVCodecContext *avctx,
 ptr[j*8+6] = (buf[j] >> 1) & 1;
 ptr[j*8+7] = buf[j] & 1;
 }
+ for (j = 0; j < (avctx->width & 7); j++) {
+ ptr[avctx->width - (avctx->width & 7) + j] = buf[avctx->width >> 3] >> (7 - j) & 1;
+ }
 buf += n;
 ptr += linesize;
 }
diff --git a/lib/ffmpeg/libavcodec/brenderpix.c b/lib/ffmpeg/libavcodec/brenderpix.c
index 0556858de..46b7a59aa 100644
--- a/lib/ffmpeg/libavcodec/brenderpix.c
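Review bot: The `table[j][0] != index` test only makes sense once the reader knows `VLC_TYPE` is narrower than `int`, so the comparison is detecting truncation of `index` when it is stored; say so at the check: `/* VLC_TYPE is narrower than int: reject a sub-table index that does not survive the store */`. The earlier `(bits || oldsym)` condition would also benefit from a comment that a slot is free only when both fields are zero, because the old `bits != 0` test is the form most readers expect. build_table continues on both sides of these hunks.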
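Review bot: The new remainder loop reads `buf[avctx->width >> 3]`, one byte past the full bytes of the row, so it is in bounds only if the row stride `n` (computed outside the hunk) is at least `(width + 7) / 8`; if `n` is the 4-byte-aligned BMP stride that holds, but the dependency is invisible here, so state it where it is relied on: `/* n >= (width + 7) / 8, so the partial byte lies within the row */`.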
+++ b/lib/ffmpeg/libavcodec/brenderpix.c
@@ -204,6 +204,10 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 avpriv_request_sample(avctx, "Format %d", hdr.format);
 return AVERROR_PATCHWELCOME;
 }
+ bytes_per_scanline = bytes_pp * hdr.width;
+
+ if (bytestream2_get_bytes_left(&gb) < hdr.height * bytes_per_scanline)
+ return AVERROR_INVALIDDATA;
 if ((ret = ff_set_dimensions(avctx, hdr.width, hdr.height)) < 0)
 return ret;
@@ -261,7 +265,6 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 bytestream2_skip(&gb, 8);
 // read the image data to the buffer
- bytes_per_scanline = bytes_pp * hdr.width;
 bytes_left = bytestream2_get_bytes_left(&gb);
 if (chunk_type != IMAGE_DATA_CHUNK || data_len != bytes_left ||
diff --git a/lib/ffmpeg/libavcodec/cavsdec.c b/lib/ffmpeg/libavcodec/cavsdec.c
index 3aec0dd5e..f470a13a9 100644
--- a/lib/ffmpeg/libavcodec/cavsdec.c
+++ b/lib/ffmpeg/libavcodec/cavsdec.c
@@ -592,14 +592,21 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
 }
-static inline void decode_residual_chroma(AVSContext *h)
+static inline int decode_residual_chroma(AVSContext *h)
 {
- if (h->cbp & (1 << 4))
- decode_residual_block(h, &h->gb, chroma_dec, 0,
+ if (h->cbp & (1 << 4)) {
+ int ret = decode_residual_block(h, &h->gb, chroma_dec, 0,
 ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride);
- if (h->cbp & (1 << 5))
- decode_residual_block(h, &h->gb, chroma_dec, 0,
+ if (ret < 0)
+ return ret;
+ }
+ if (h->cbp & (1 << 5)) {
+ int ret = decode_residual_block(h, &h->gb, chroma_dec, 0,
 ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride);
+ if (ret < 0)
+ return ret;
+ }
+ return 0;
 }
 static inline int decode_residual_inter(AVSContext *h)
@@ -650,6 +657,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 uint8_t top[18];
 uint8_t *left = NULL;
 uint8_t *d;
+ int ret;
 ff_cavs_init_mb(h);
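Review bot: `hdr.height * bytes_per_scanline` is evaluated in `int` before `ff_set_dimensions` has bounded the picture size, so for large header values the product can overflow (undefined behaviour, and a wrapped negative value makes the size check pass); widen it, `if (bytestream2_get_bytes_left(&gb) < (int64_t)hdr.height * bytes_per_scanline)`, or move the check after the `ff_set_dimensions` call, which already rejects oversized dimensions. The header field types are declared outside the hunk, so this assumes they are not already 64-bit.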
@@ -693,8 +701,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 ff_cavs_load_intra_pred_luma(h, top, &left, block);
 h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]]
 (d, top, left, h->l_stride);
- if (h->cbp & (1<qp, d, h->l_stride);
+ if (h->cbp & (1<qp, d, h->l_stride);
+ if (ret < 0)
+ return ret;
+ }
 }
 /* chroma intra prediction */
@@ -704,7 +715,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 h->intra_pred_c[pred_mode_uv](h->cv, &h->top_border_v[h->mbx * 10],
 h->left_border_v, h->c_stride);
- decode_residual_chroma(h);
+ ret = decode_residual_chroma(h);
+ if (ret < 0)
+ return ret;
 ff_cavs_filter(h, I_8X8);
 set_mv_intra(h);
 return 0;
@@ -1068,6 +1081,11 @@ static int decode_pic(AVSContext *h)
 if (!h->loop_filter_disable && get_bits1(&h->gb)) {
 h->alpha_offset = get_se_golomb(&h->gb);
 h->beta_offset = get_se_golomb(&h->gb);
+ if ( h->alpha_offset < -64 || h->alpha_offset > 64
+ || h-> beta_offset < -64 || h-> beta_offset > 64) {
+ h->alpha_offset = h->beta_offset = 0;
+ return AVERROR_INVALIDDATA;
+ }
 } else {
 h->alpha_offset = h->beta_offset = 0;
 }
@@ -1189,6 +1207,7 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 int input_size, ret;
 const uint8_t *buf_end;
 const uint8_t *buf_ptr;
+ int frame_start = 0;
 if (buf_size == 0) {
 if (!h->low_delay && h->DPB[0].f->data[0]) {
@@ -1222,6 +1241,9 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 h->got_keyframe = 1;
 }
 case PIC_PB_START_CODE:
+ if (frame_start > 1)
+ return AVERROR_INVALIDDATA;
+ frame_start ++;
 if (*got_frame)
 av_frame_unref(data);
 *got_frame = 0;
diff --git a/lib/ffmpeg/libavcodec/ccaption_dec.c b/lib/ffmpeg/libavcodec/ccaption_dec.c
index dbd62cd8d..51de92905 100644
--- a/lib/ffmpeg/libavcodec/ccaption_dec.c
+++ b/lib/ffmpeg/libavcodec/ccaption_dec.c
@@ -137,9 +137,9 @@ static const uint8_t parity_table[256] = { 0, 1, 1, 0, 1, 0, 0, 1,
 struct Screen {
 /* +1 is used to compensate null character of string */
- uint8_t characters[SCREEN_ROWS][SCREEN_COLUMNS+1];
- uint8_t colors[SCREEN_ROWS][SCREEN_COLUMNS+1];
- uint8_t fonts[SCREEN_ROWS][SCREEN_COLUMNS+1];
+ uint8_t characters[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
+ uint8_t colors[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
+ uint8_t fonts[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
 /*
 * Bitmask of used rows; if a bit is not set, the
 * corresponding row is not used.
diff --git a/lib/ffmpeg/libavcodec/cdgraphics.c b/lib/ffmpeg/libavcodec/cdgraphics.c
index aca7cb057..6c7ffb58d 100644
--- a/lib/ffmpeg/libavcodec/cdgraphics.c
+++ b/lib/ffmpeg/libavcodec/cdgraphics.c
@@ -77,11 +77,8 @@ static av_cold int cdg_decode_init(AVCodecContext *avctx)
 if (!cc->frame)
 return AVERROR(ENOMEM);
- avctx->width = CDG_FULL_WIDTH;
- avctx->height = CDG_FULL_HEIGHT;
 avctx->pix_fmt = AV_PIX_FMT_PAL8;
-
- return 0;
+ return ff_set_dimensions(avctx, CDG_FULL_WIDTH, CDG_FULL_HEIGHT);
 }
 static void cdg_border_preset(CDGraphicsContext *cc, uint8_t *data)
diff --git a/lib/ffmpeg/libavcodec/cinepak.c b/lib/ffmpeg/libavcodec/cinepak.c
index 7a7466204..9060e31fb 100644
--- a/lib/ffmpeg/libavcodec/cinepak.c
+++ b/lib/ffmpeg/libavcodec/cinepak.c
@@ -315,14 +315,11 @@ static int cinepak_decode_strip (CinepakContext *s,
 return AVERROR_INVALIDDATA;
 }
-static int cinepak_decode (CinepakContext *s)
+static int cinepak_predecode_check (CinepakContext *s)
 {
- const uint8_t *eod = (s->data + s->size);
- int i, result, strip_size, frame_flags, num_strips;
- int y0 = 0;
+ int num_strips;
 int encoded_buf_size;
- frame_flags = s->data[0];
 num_strips = AV_RB16 (&s->data[8]);
 encoded_buf_size = AV_RB24(&s->data[1]);
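Review bot: Growing every array by one row works around a row index that can reach `SCREEN_ROWS` somewhere in the row handling instead of clamping it at its source, and the existing comment only explains the `+1` on columns; at minimum document the new slack, `/* +1 row: the row cursor may point one past the last screen row */`, and ideally add the bound where the row is advanced (that code is not in this chunk). Without a note the next cleanup is likely to "normalise" the arrays back to SCREEN_ROWS and reintroduce the overrun.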
@@ -353,6 +350,21 @@ static int cinepak_decode (CinepakContext *s)
 s->sega_film_skip_bytes = 0;
 }
+ if (s->size < 10 + s->sega_film_skip_bytes + num_strips * 12)
+ return AVERROR_INVALIDDATA;
+
+ return 0;
+}
+
+static int cinepak_decode (CinepakContext *s)
+{
+ const uint8_t *eod = (s->data + s->size);
+ int i, result, strip_size, frame_flags, num_strips;
+ int y0 = 0;
+
+ frame_flags = s->data[0];
+ num_strips = AV_RB16 (&s->data[8]);
+
 s->data += 10 + s->sega_film_skip_bytes;
 num_strips = FFMIN(num_strips, MAX_STRIPS);
@@ -432,6 +444,7 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
 const uint8_t *buf = avpkt->data;
 int ret = 0, buf_size = avpkt->size;
 CinepakContext *s = avctx->priv_data;
+ int num_strips;
 s->data = buf;
 s->size = buf_size;
@@ -439,6 +452,17 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
 if (s->size < 10)
 return AVERROR_INVALIDDATA;
+ num_strips = AV_RB16 (&s->data[8]);
+
+ //Empty frame, do not waste time
+ if (!num_strips && (!s->palette_video || !av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL)))
+ return buf_size;
+
+ if ((ret = cinepak_predecode_check(s)) < 0) {
+ av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n");
+ return ret;
+ }
+
 if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
 return ret;
diff --git a/lib/ffmpeg/libavcodec/cngdec.c b/lib/ffmpeg/libavcodec/cngdec.c
index b725dbfe6..b7821ff5b 100644
--- a/lib/ffmpeg/libavcodec/cngdec.c
+++ b/lib/ffmpeg/libavcodec/cngdec.c
@@ -167,5 +167,5 @@ AVCodec ff_comfortnoise_decoder = {
 .close = cng_decode_close,
 .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE },
- .capabilities = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_DR1,
+ .capabilities = AV_CODEC_CAP_DR1,
 };
diff --git a/lib/ffmpeg/libavcodec/cook.c b/lib/ffmpeg/libavcodec/cook.c
index 673896d6c..211c9093b 100644
--- a/lib/ffmpeg/libavcodec/cook.c
+++ b/lib/ffmpeg/libavcodec/cook.c
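Review bot: The size check `10 + s->sega_film_skip_bytes + num_strips * 12` encodes the frame-header and per-strip-header sizes as bare numbers; a comment such as `/* 10-byte frame header, optional Sega FILM skip, then a 12-byte header per strip */` would tie it to the layout cinepak_decode walks after `s->data += 10 + ...`. Note also that the new empty-frame early return in cinepak_decode_frame happens before `ff_reget_buffer`, so a packet with zero strips no longer re-emits the previous frame; if that is intended it deserves a sentence in the commit message, since callers that expect one output frame per packet will see a behaviour change.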
@@ -143,7 +143,7 @@ typedef struct cook {
 /* generatable tables and related variables */
 int gain_size_factor;
- float gain_table[23];
+ float gain_table[31];
 /* data buffers */
@@ -178,8 +178,8 @@ static av_cold void init_gain_table(COOKContext *q)
 {
 int i;
 q->gain_size_factor = q->samples_per_channel / 8;
- for (i = 0; i < 23; i++)
- q->gain_table[i] = pow(pow2tab[i + 52],
+ for (i = 0; i < 31; i++)
+ q->gain_table[i] = pow(pow2tab[i + 48],
 (1.0 / (double) q->gain_size_factor));
 }
@@ -663,7 +663,7 @@ static void interpolate_float(COOKContext *q, float *buffer,
 for (i = 0; i < q->gain_size_factor; i++)
 buffer[i] *= fc1;
 } else { // smooth gain
- fc2 = q->gain_table[11 + (gain_index_next - gain_index)];
+ fc2 = q->gain_table[15 + (gain_index_next - gain_index)];
 for (i = 0; i < q->gain_size_factor; i++) {
 buffer[i] *= fc1;
 fc1 *= fc2;
@@ -752,7 +752,7 @@ static int decouple_info(COOKContext *q, COOKSubpacket *p, int *decouple_tab)
 for (i = 0; i < length; i++)
 decouple_tab[start + i] = get_vlc2(&q->gb,
 p->channel_coupling.table,
- p->channel_coupling.bits, 2);
+ p->channel_coupling.bits, 3);
 else
 for (i = 0; i < length; i++) {
 int v = get_bits(&q->gb, p->js_vlc_bits);
@@ -1068,12 +1068,19 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
 return AVERROR_INVALIDDATA;
 }
+ if (avctx->block_align >= INT_MAX / 8)
+ return AVERROR(EINVAL);
+
 /* Initialize RNG. */
 av_lfg_init(&q->random_state, 0);
 ff_audiodsp_init(&q->adsp);
 while (edata_ptr < edata_ptr_end) {
+ if (s >= FFMIN(MAX_SUBPACKETS, avctx->block_align)) {
+ avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align));
+ return AVERROR_PATCHWELCOME;
+ }
 /* 8 for mono, 16 for stereo, ? for multichannel
 Swap to right endianness so we don't need to care later on. */
 if (extradata_size >= 8) {
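Review bot: The relocated subpacket guard now runs before the loop body, which is the right place, but `FFMIN(MAX_SUBPACKETS, avctx->block_align)` is 0 when `block_align` is 0, so every extradata subpacket is then rejected with PATCHWELCOME instead of a clear invalid-data error; if `block_align <= 0` is not already rejected earlier in cook_decode_init (outside the hunk), add `if (avctx->block_align <= 0) return AVERROR_INVALIDDATA;` next to the new `INT_MAX / 8` check. The gain-table widening to 31 entries with a 15 offset is consistent with a difference range of -15..15, which the table indexing in interpolate_float now assumes; a comment at the array stating that range would keep the three hunks in sync.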
@@ -1213,10 +1220,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
 q->num_subpackets++;
 s++;
- if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) {
- avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align));
- return AVERROR_PATCHWELCOME;
- }
 }
 /* Generate tables */
 init_pow2table();
@@ -1226,10 +1229,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
 if ((ret = init_cook_vlc_tables(q)))
 return ret;
-
- if (avct->block_align >= UINT_MAX / 2)
- return AVERROR(EINVAL);
-
 /* Pad the databuffer with:
 DECODE_BYTES_PAD1 or DECODE_BYTES_PAD2 for decode_bytes(), AV_INPUT_BUFFER_PADDING_SIZE,
 for the bitstreamreader. */
diff --git a/lib/ffmpeg/libavcodec/cpia.c b/lib/ffmpeg/libavcodec/cpia.c
index 6b784b205..4b345c78d 100644
--- a/lib/ffmpeg/libavcodec/cpia.c
+++ b/lib/ffmpeg/libavcodec/cpia.c
@@ -63,7 +63,7 @@ static int cpia_decode_frame(AVCodecContext *avctx,
 uint8_t *y, *u, *v, *y_end, *u_end, *v_end;
 // Check header
- if ( avpkt->size < FRAME_HEADER_SIZE
+ if ( avpkt->size < FRAME_HEADER_SIZE + avctx->height * 3
 || header[0] != MAGIC_0 || header[1] != MAGIC_1
 || (header[17] != SUBSAMPLE_420 && header[17] != SUBSAMPLE_422)
 || (header[18] != YUVORDER_YUYV && header[18] != YUVORDER_UYVY)
@@ -111,6 +111,7 @@ static int cpia_decode_frame(AVCodecContext *avctx,
 // Read line length, two byte little endian
 linelength = AV_RL16(src);
 src += 2;
+ src_size -= 2;
 if (src_size < linelength) {
 av_frame_set_decode_error_flags(frame, FF_DECODE_ERROR_INVALID_BITSTREAM);
diff --git a/lib/ffmpeg/libavcodec/cscd.c b/lib/ffmpeg/libavcodec/cscd.c
index 278093fdb..8fd121a2c 100644
--- a/lib/ffmpeg/libavcodec/cscd.c
+++ b/lib/ffmpeg/libavcodec/cscd.c
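Review bot: `FRAME_HEADER_SIZE + avctx->height * 3` is a lower bound that assumes at least three bytes per image row, and nothing at the check says where the 3 comes from; annotate it, `/* every row carries a 2-byte length prefix plus at least one data byte */` (adjust if the real per-row minimum differs). The later `src_size -= 2;` is what makes the existing `src_size < linelength` comparison honest, since `src` was already advanced without shrinking the remaining size; cpia_decode_frame continues outside both hunks.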
@@ -81,15 +81,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 switch ((buf[0] >> 1) & 7) {
 case 0: { // lzo compression
 int outlen = c->decomp_size, inlen = buf_size - 2;
- if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen))
+ if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) {
 av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
+ return AVERROR_INVALIDDATA;
+ }
 break;
 }
 case 1: { // zlib compression
 #if CONFIG_ZLIB
 unsigned long dlen = c->decomp_size;
- if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK)
+ if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) {
 av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n");
+ return AVERROR_INVALIDDATA;
+ }
 break;
 #else
 av_log(avctx, AV_LOG_ERROR, "compiled without zlib support\n");
diff --git a/lib/ffmpeg/libavcodec/dds.c b/lib/ffmpeg/libavcodec/dds.c
index 02051b873..718384700 100644
--- a/lib/ffmpeg/libavcodec/dds.c
+++ b/lib/ffmpeg/libavcodec/dds.c
@@ -600,6 +600,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
 AVFrame *frame = data;
 int mipmap;
 int ret;
+ int width, height;
 ff_texturedsp_init(&ctx->texdsp);
 bytestream2_init(gbc, avpkt->data, avpkt->size);
@@ -618,9 +619,9 @@ static int dds_decode(AVCodecContext *avctx, void *data,
 bytestream2_skip(gbc, 4); // flags
- avctx->height = bytestream2_get_le32(gbc);
- avctx->width = bytestream2_get_le32(gbc);
- ret = av_image_check_size(avctx->width, avctx->height, 0, avctx);
+ height = bytestream2_get_le32(gbc);
+ width = bytestream2_get_le32(gbc);
+ ret = ff_set_dimensions(avctx, width, height);
 if (ret < 0) {
 av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n",
 avctx->width, avctx->height);
diff --git a/lib/ffmpeg/libavcodec/dfa.c b/lib/ffmpeg/libavcodec/dfa.c
index 8067ac94e..0cb5fe933 100644
--- a/lib/ffmpeg/libavcodec/dfa.c
+++ b/lib/ffmpeg/libavcodec/dfa.c
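Review bot: The `|| outlen` condition is correct but cryptic: `av_lzo1x_decode` leaves the number of unwritten output bytes in `outlen`, so a nonzero value means the stream decompressed short; write that down, `/* outlen is the unfilled remainder of decomp_buf: a short decode is an error */`. The zlib branch has no equivalent test — `dlen < c->decomp_size` after a successful `uncompress` would be the analogous check — and is worth adding if the code after the switch (outside the hunk) assumes a fully written buffer.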
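Review bot: When `ff_set_dimensions` fails the error message still prints `avctx->width, avctx->height`, which now hold the previous (or zero) values rather than the rejected ones; log the locals instead: `av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n", width, height);`. Also `width`/`height` are `int` receiving `le32` values, so a header field above INT_MAX arrives negative; ff_set_dimensions rejects that, which is fine, but the log will then show the wrapped number, so consider reading into `unsigned` or `int64_t` first.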
@@ -41,7 +41,7 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx)
 avctx->pix_fmt = AV_PIX_FMT_PAL8;
- if (!avctx->width || !avctx->height)
+ if (!avctx->width || !avctx->height || FFMAX(avctx->width, avctx->height) >= (1<<16))
 return AVERROR_INVALIDDATA;
 av_assert0(av_image_check_size(avctx->width, avctx->height, 0, avctx) >= 0);
@@ -353,6 +353,8 @@ static int dfa_decode_frame(AVCodecContext *avctx,
 bytestream2_init(&gb, avpkt->data, avpkt->size);
 while (bytestream2_get_bytes_left(&gb) > 0) {
+ if (bytestream2_get_bytes_left(&gb) < 12)
+ return AVERROR_INVALIDDATA;
 bytestream2_skip(&gb, 4);
 chunk_size = bytestream2_get_le32(&gb);
 chunk_type = bytestream2_get_le32(&gb);
diff --git a/lib/ffmpeg/libavcodec/dirac_dwt.h b/lib/ffmpeg/libavcodec/dirac_dwt.h
index 0744c5797..d0495cd5e 100644
--- a/lib/ffmpeg/libavcodec/dirac_dwt.h
+++ b/lib/ffmpeg/libavcodec/dirac_dwt.h
@@ -90,10 +90,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1))
 #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
- (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)))
+ (int)(((unsigned)(b2) + ((int)(9U*b1 + 9U*b3 - b4 - b0 + 8) >> 4)))
 #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\
- (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)))
+ (int)(((unsigned)(b2) - ((int)(9U*b1 + 9U*b3 - b4 - b0 + 16) >> 5)))
 #define COMPOSE_HAARiL0(b0, b1)\
 ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1)))
diff --git a/lib/ffmpeg/libavcodec/dirac_parser.c b/lib/ffmpeg/libavcodec/dirac_parser.c
index 1ca7e31f1..647419a38 100644
--- a/lib/ffmpeg/libavcodec/dirac_parser.c
+++ b/lib/ffmpeg/libavcodec/dirac_parser.c
@@ -204,10 +204,10 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx,
 if (parse_timing_info && pu1.prev_pu_offset >= 13) {
 uint8_t *cur_pu = pc->buffer +
 pc->index - 13 - pu1.prev_pu_offset;
- int pts = AV_RB32(cur_pu + 13);
+ int64_t pts = AV_RB32(cur_pu + 13);
 if (s->last_pts == 0 && s->last_dts == 0)
 s->dts = pts - 1;
- else
+ else if (s->last_dts != AV_NOPTS_VALUE)
 s->dts = s->last_dts + 1;
 s->pts = pts;
 if (!avctx->has_b_frames && (cur_pu[4] & 0x03))
diff --git a/lib/ffmpeg/libavcodec/diracdec.c b/lib/ffmpeg/libavcodec/diracdec.c
index 7c7a31e83..87cb093ed 100644
--- a/lib/ffmpeg/libavcodec/diracdec.c
+++ b/lib/ffmpeg/libavcodec/diracdec.c
@@ -142,7 +142,7 @@ typedef struct DiracContext {
 GetBitContext gb;
 dirac_source_params source;
 int seen_sequence_header;
- int frame_number; /* number of the next frame to display */
+ int64_t frame_number; /* number of the next frame to display */
 Plane plane[3];
 int chroma_x_shift;
 int chroma_y_shift;
@@ -1185,9 +1185,9 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
 int *b = s->globalmc[ref].pan_tilt;
 int *c = s->globalmc[ref].perspective;
- int m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
 block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
@@ -1224,8 +1224,8 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock
 global_mv(s, block, x, y, i);
 } else {
 pred_mv(block, stride, x, y, i);
- block->u.mv[i][0] += dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
- block->u.mv[i][1] += dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
+ block->u.mv[i][0] += (unsigned)dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
+ block->u.mv[i][1] += (unsigned)dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA);
 }
 }
 }
@@ -2040,7 +2040,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 }
 if (*got_frame)
- s->frame_number = picture->display_picture_number + 1;
+ s->frame_number = picture->display_picture_number + 1LL;
 return buf_idx;
 }
diff --git a/lib/ffmpeg/libavcodec/dnxhddec.c b/lib/ffmpeg/libavcodec/dnxhddec.c
index 4a4236038..b930453cd 100644
--- a/lib/ffmpeg/libavcodec/dnxhddec.c
+++ b/lib/ffmpeg/libavcodec/dnxhddec.c
@@ -78,6 +78,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx)
 static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid)
 {
+ int ret;
 if (cid != ctx->cid) {
 int index;
@@ -96,21 +97,28 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid)
 ff_free_vlc(&ctx->dc_vlc);
 ff_free_vlc(&ctx->run_vlc);
- init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
+ if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
 ctx->cid_table->ac_bits, 1, 1,
- ctx->cid_table->ac_codes, 2, 2, 0);
- init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, ctx->bit_depth + 4,
+ ctx->cid_table->ac_codes, 2, 2, 0)) < 0)
+ goto out;
+ if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, ctx->bit_depth + 4,
 ctx->cid_table->dc_bits, 1, 1,
- ctx->cid_table->dc_codes, 1, 1, 0);
- init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
+ ctx->cid_table->dc_codes, 1, 1, 0)) < 0)
+ goto out;
+ if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
 ctx->cid_table->run_bits, 1, 1,
- ctx->cid_table->run_codes, 2, 2, 0);
+ ctx->cid_table->run_codes, 2, 2, 0)) < 0)
+ goto out;
 ff_init_scantable(ctx->idsp.idct_permutation, &ctx->scantable, ff_zigzag_direct);
 ctx->cid = cid;
 }
- return 0;
+ ret = 0;
+out:
+ if (ret < 0)
+ av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n");
+ return ret;
 }
 static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame,
diff --git a/lib/ffmpeg/libavcodec/dpcm.c b/lib/ffmpeg/libavcodec/dpcm.c
index c13945edb..16e8920e8 100644
--- a/lib/ffmpeg/libavcodec/dpcm.c
+++ b/lib/ffmpeg/libavcodec/dpcm.c
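Review bot: On an `init_vlc` failure the function returns with `ctx->cid` unchanged while `ac_vlc`/`dc_vlc`/`run_vlc` have already been freed (and possibly only partly rebuilt), so a later frame carrying the previous cid takes the `cid != ctx->cid` fast path and decodes with freed or half-initialised tables; invalidate the cached id before rebuilding, e.g. `ctx->cid = 0;` right after the `ff_free_vlc` calls (use whatever value a real cid can never take). The caller in dnxhd_decode_header must also treat the new negative return as fatal for the frame, which this chunk does not show.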
@@ -276,9 +276,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
 shift[ch] -= (2 * n);
 diff = sign_extend((diff &~ 3) << 8, 16);
- /* saturate the shifter to a lower limit of 0 */
- if (shift[ch] < 0)
- shift[ch] = 0;
+ /* saturate the shifter to 0..31 */
+ shift[ch] = av_clip_uintp2(shift[ch], 5);
 diff >>= shift[ch];
 predictor[ch] += diff;
diff --git a/lib/ffmpeg/libavcodec/dpx.c b/lib/ffmpeg/libavcodec/dpx.c
index af7276adb..582b8b7e2 100644
--- a/lib/ffmpeg/libavcodec/dpx.c
+++ b/lib/ffmpeg/libavcodec/dpx.c
@@ -147,6 +147,9 @@ static int decode_frame(AVCodecContext *avctx,
 return AVERROR_PATCHWELCOME;
 }
+ if (bits_per_color > 32)
+ return AVERROR_INVALIDDATA;
+
 buf += 820;
 avctx->sample_aspect_ratio.num = read32(&buf, endian);
 avctx->sample_aspect_ratio.den = read32(&buf, endian);
diff --git a/lib/ffmpeg/libavcodec/dsddec.c b/lib/ffmpeg/libavcodec/dsddec.c
index f1dfd4b23..c23ff0fa6 100644
--- a/lib/ffmpeg/libavcodec/dsddec.c
+++ b/lib/ffmpeg/libavcodec/dsddec.c
@@ -93,6 +93,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
 DSDContext * s;
 int i;
+ if (!avctx->channels)
+ return AVERROR_INVALIDDATA;
+
 init_static_data();
 s = av_malloc_array(sizeof(DSDContext), avctx->channels);
diff --git a/lib/ffmpeg/libavcodec/dsicinvideo.c b/lib/ffmpeg/libavcodec/dsicinvideo.c
index f95cbc74a..aa080417d 100644
--- a/lib/ffmpeg/libavcodec/dsicinvideo.c
+++ b/lib/ffmpeg/libavcodec/dsicinvideo.c
@@ -158,6 +158,9 @@ static int cin_decode_lzss(const unsigned char *src, int src_size,
 }
 }
+ if (dst_end - dst > dst_size - dst_size/10)
+ return AVERROR_INVALIDDATA;
+
 return 0;
 }
@@ -184,6 +187,10 @@ static int cin_decode_rle(const unsigned char *src, int src_size,
 }
 dst += len;
 }
+
+ if (dst_end - dst > dst_size - dst_size/10)
+ return AVERROR_INVALIDDATA;
+
 return 0;
 }
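Review bot: `!avctx->channels` rejects only zero; `avctx->channels` is a signed `int`, and a negative value still reaches `av_malloc_array(sizeof(DSDContext), avctx->channels)` as a huge `size_t`, failing with ENOMEM rather than a clean invalid-data error. Prefer `if (avctx->channels <= 0) return AVERROR_INVALIDDATA;` so both bad cases are reported the same way.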
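Review bot: `dst_end - dst > dst_size - dst_size/10` rejects decoded bitmaps that fill less than roughly 90% of the destination, which is a heuristic rather than a format rule, and it now appears twice with no explanation; give both copies the same comment, `/* heuristic: a valid frame fills at least ~90% of the bitmap; anything shorter is treated as corrupt */`, or move the test into a tiny static helper so the threshold is defined once. cin_decode_lzss and cin_decode_rle both start outside their hunks, so I cannot see what `dst_end`/`dst_size` are initialised from.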
@@ -226,27 +233,35 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
 * surface.width = surface.pitch */
 switch (bitmap_frame_type) {
 case 9:
- cin_decode_rle(buf, bitmap_frame_size,
+ res = cin_decode_rle(buf, bitmap_frame_size,
 cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+ if (res < 0)
+ return res;
 break;
 case 34:
- cin_decode_rle(buf, bitmap_frame_size,
+ res = cin_decode_rle(buf, bitmap_frame_size,
 cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+ if (res < 0)
+ return res;
 cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
 cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
 break;
 case 35:
 bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
 cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
- cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
+ res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
 cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+ if (res < 0)
+ return res;
 break;
 case 36:
 bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
 cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
- cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
+ res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
 cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+ if (res < 0)
+ return res;
 cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
 cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
 break;
diff --git a/lib/ffmpeg/libavcodec/dvbsubdec.c b/lib/ffmpeg/libavcodec/dvbsubdec.c
index 73669cf14..b637d8101 100644
--- a/lib/ffmpeg/libavcodec/dvbsubdec.c
+++ b/lib/ffmpeg/libavcodec/dvbsubdec.c
@@ -1341,6 +1341,13 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
 display->y_pos = AV_RB16(buf) & 0xfff;
 buf += 2;
+ if (display->x_pos >= region->width ||
+ display->y_pos >= region->height) {
+ av_log(avctx, AV_LOG_ERROR, "Object outside region\n");
+ av_free(display);
+ return AVERROR_INVALIDDATA;
+ }
+
 if ((object->type == 1 || object->type == 2) && buf+1 < buf_end) {
 display->fgcolor = *buf++;
 display->bgcolor = *buf++;
@@ -1574,8 +1581,9 @@ static int dvbsub_parse_display_definition_segment(AVCodecContext *avctx,
 display_def->width = bytestream_get_be16(&buf) + 1;
 display_def->height = bytestream_get_be16(&buf) + 1;
 if (!avctx->width || !avctx->height) {
- avctx->width = display_def->width;
- avctx->height = display_def->height;
+ int ret = ff_set_dimensions(avctx, display_def->width, display_def->height);
+ if (ret < 0)
+ return ret;
 }
 if (info_byte & 1<<3) { // display_window_flag
diff --git a/lib/ffmpeg/libavcodec/dvdsub_parser.c b/lib/ffmpeg/libavcodec/dvdsub_parser.c
index 32a945ed6..698ccb698 100644
--- a/lib/ffmpeg/libavcodec/dvdsub_parser.c
+++ b/lib/ffmpeg/libavcodec/dvdsub_parser.c
@@ -44,6 +44,9 @@ static int dvdsub_parse(AVCodecParserContext *s,
 {
 DVDSubParseContext *pc = s->priv_data;
+ *poutbuf = buf;
+ *poutbuf_size = buf_size;
+
 if (pc->packet_index == 0) {
 if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) {
 if (buf_size)
@@ -54,7 +57,11 @@ static int dvdsub_parse(AVCodecParserContext *s,
 if (pc->packet_len == 0) /* HD-DVD subpicture packet */
 pc->packet_len = AV_RB32(buf+2);
 av_freep(&pc->packet);
- pc->packet = av_malloc(pc->packet_len);
+ if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+ av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len);
+ return buf_size;
+ }
+ pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE);
 }
 if (pc->packet) {
 if (pc->packet_index + buf_size <= pc->packet_len) {
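Review bot: The buffer is now sized `packet_len + AV_INPUT_BUFFER_PADDING_SIZE`, but `av_malloc` does not zero it and the padding contract requires the trailing bytes to be zero so a bit reader that overruns the payload sees zeros rather than heap garbage; after the allocation (and its NULL check, which is outside the hunk) add `memset(pc->packet + pc->packet_len, 0, AV_INPUT_BUFFER_PADDING_SIZE);`. The early `return buf_size;` on an invalid length is safe now that `*poutbuf`/`*poutbuf_size` are set up-front, though `pc->packet_len` keeps the rejected value until the next `packet_index == 0` pass.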
diff --git a/lib/ffmpeg/libavcodec/dvdsubdec.c b/lib/ffmpeg/libavcodec/dvdsubdec.c
index 6d25b9b78..4bdffeb70 100644
--- a/lib/ffmpeg/libavcodec/dvdsubdec.c
+++ b/lib/ffmpeg/libavcodec/dvdsubdec.c
@@ -64,24 +64,6 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t *
 }
 }
-static void ayvu_to_argb(const uint8_t *ayvu, uint32_t *argb, int num_values)
-{
- uint8_t *cm = ff_crop_tab + MAX_NEG_CROP;
- uint8_t r, g, b;
- int i, y, cb, cr, a;
- int r_add, g_add, b_add;
-
- for (i = num_values; i > 0; i--) {
- a = *ayvu++;
- y = *ayvu++;
- cr = *ayvu++;
- cb = *ayvu++;
- YUV_TO_RGB1_CCIR(cb, cr);
- YUV_TO_RGB2_CCIR(r, g, b, y);
- *argb++ = (a << 24) | (r << 16) | (g << 8) | b;
- }
-}
-
 static int decode_run_2bit(GetBitContext *gb, int *color)
 {
 unsigned int v, t;
@@ -100,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color)
 {
 int len;
 int has_run = get_bits1(gb);
- if (get_bits1(gb))
- *color = get_bits(gb, 8);
- else
- *color = get_bits(gb, 2);
+ *color = get_bits(gb, 2 + 6*get_bits1(gb));
 if (has_run) {
 if (get_bits1(gb)) {
 len = get_bits(gb, 7);
@@ -145,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
 len = decode_run_8bit(&gb, &color);
 else
 len = decode_run_2bit(&gb, &color);
+ if (len != INT_MAX && len > w - x)
+ return AVERROR_INVALIDDATA;
 len = FFMIN(len, w - x);
 memset(d + x, color, len);
 x += len;
@@ -727,12 +708,6 @@ static av_cold int dvdsub_init(AVCodecContext *avctx)
 parse_ifo_palette(ctx, ctx->ifo_str);
 if (ctx->palette_str)
 parse_palette(ctx, ctx->palette_str);
-
- if (!ctx->has_palette && avctx->extradata_size == 64) {
- ayvu_to_argb((uint8_t*)avctx->extradata, ctx->palette, 16);
- ctx->has_palette = 1;
- }
-
 if (ctx->has_palette) {
 int i;
 av_log(avctx, AV_LOG_DEBUG, "palette:");
diff --git a/lib/ffmpeg/libavcodec/dxtory.c b/lib/ffmpeg/libavcodec/dxtory.c
index 578ac02ef..1241bda1a 100644
--- a/lib/ffmpeg/libavcodec/dxtory.c
+++ b/lib/ffmpeg/libavcodec/dxtory.c
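Review bot: `len != INT_MAX` relies on the run decoders returning `INT_MAX` as a "fill to end of line" sentinel that the new bound must exempt, but nothing at the check says so; record it there, `/* INT_MAX = run to end of line (clipped below); any other run must fit in the remaining width */`, so the `FFMIN` on the next line is read as the sentinel's clip rather than a redundant second bound. decode_rle continues outside the hunk. Separately, dropping the 64-byte binary extradata palette path in dvdsub_init is a behaviour change for streams that carried one; if the intent is to realign with upstream, the commit message should say so.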
@@ -399,7 +399,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, int width, int height, V[x >> 2] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 2; + Y += ystride * 4; U += ustride; V += vstride; } @@ -502,7 +502,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, int width, int height, V[x >> 1] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 1; + Y += ystride * 2; U += ustride; V += vstride; } diff --git a/lib/ffmpeg/libavcodec/dxva2_h264.c b/lib/ffmpeg/libavcodec/dxva2_h264.c index 242a79e43..99b80ba37 100644 --- a/lib/ffmpeg/libavcodec/dxva2_h264.c +++ b/lib/ffmpeg/libavcodec/dxva2_h264.c @@ -248,7 +248,7 @@ static void fill_slice_long(AVCodecContext *avctx, DXVA_Slice_H264_Long *slice, else index = get_refpic_index(pp, ff_dxva2_get_surface_index(avctx, ctx, r->f)); fill_picture_entry(&slice->RefPicList[list][i], index, - sl->ref_list[list][i].reference == PICT_BOTTOM_FIELD); + r->reference == PICT_BOTTOM_FIELD); for (plane = 0; plane < 3; plane++) { int w, o; if (plane == 0 && sl->luma_weight_flag[list]) { @@ -497,14 +497,6 @@ static int dxva2_h264_end_frame(AVCodecContext *avctx) if (ctx_pic->slice_count <= 0 || ctx_pic->bitstream_size <= 0) return -1; - - // Wait for an I-frame before start decoding. Workaround for ATI UVD and UVD+ GPUs - if (!h->got_first_iframe) { - if (!(ctx_pic->pp.wBitFields & (1 << 15))) - return -1; - h->got_first_iframe = 1; - } - ret = ff_dxva2_common_end_frame(avctx, h->cur_pic_ptr->f, &ctx_pic->pp, sizeof(ctx_pic->pp), &ctx_pic->qm, sizeof(ctx_pic->qm), diff --git a/lib/ffmpeg/libavcodec/eatgv.c b/lib/ffmpeg/libavcodec/eatgv.c index 882bf077b..6d35fdf01 100644 --- a/lib/ffmpeg/libavcodec/eatgv.c +++ b/lib/ffmpeg/libavcodec/eatgv.c @@ -299,6 +299,9 @@ static int tgv_decode_frame(AVCodecContext *avctx, s->palette[i] = 0xFFU << 24 | AV_RB24(buf); buf += 3; } + if (buf_end - buf < 5) { + return AVERROR_INVALIDDATA; + } } if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) 
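Review bot: The added `if (buf_end - buf < 5)` check in tgv_decode_frame sits inside the palette branch, so a packet without a palette reaches the code after this block with no equivalent guarantee unless one exists outside the hunk. If the reads that follow need five bytes regardless of the palette, the check belongs after the closing brace of the branch; otherwise a comment stating why only the palette path needs it, e.g. `/* the palette path consumes bytes; make sure the frame header still fits */`, would save the next reader the same question. tgv_decode_frame continues outside the hunk.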
diff --git a/lib/ffmpeg/libavcodec/elsdec.c b/lib/ffmpeg/libavcodec/elsdec.c index 479796545..cb0e9c653 100644 --- a/lib/ffmpeg/libavcodec/elsdec.c +++ b/lib/ffmpeg/libavcodec/elsdec.c @@ -271,7 +271,7 @@ void ff_els_decoder_init(ElsDecCtx *ctx, const uint8_t *in, size_t data_size) void ff_els_decoder_uninit(ElsUnsignedRung *rung) { - av_free(rung->rem_rung_list); + av_freep(&rung->rem_rung_list); } static int els_import_byte(ElsDecCtx *ctx) @@ -391,12 +391,10 @@ unsigned ff_els_decode_unsigned(ElsDecCtx *ctx, ElsUnsignedRung *ur) if (ur->rung_list_size <= (ur->avail_index + 2) * sizeof(ElsRungNode)) { // remember rung_node position ptrdiff_t pos = rung_node - ur->rem_rung_list; - ur->rem_rung_list = av_realloc(ur->rem_rung_list, + ctx->err = av_reallocp(&ur->rem_rung_list, ur->rung_list_size + RUNG_SPACE); - if (!ur->rem_rung_list) { - av_free(ur->rem_rung_list); - ctx->err = AVERROR(ENOMEM); + if (ctx->err < 0) { return 0; } memset((uint8_t *) ur->rem_rung_list + ur->rung_list_size, 0, diff --git a/lib/ffmpeg/libavcodec/error_resilience.c b/lib/ffmpeg/libavcodec/error_resilience.c index 5a75faddf..1892c73da 100644 --- a/lib/ffmpeg/libavcodec/error_resilience.c +++ b/lib/ffmpeg/libavcodec/error_resilience.c @@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, int stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + 1 + y * stride]; - dc = (dc * 10923 + 32768) >> 16; + dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } @@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, int stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + (y + 1) * stride]; - dc = (dc * 10923 + 32768) >> 16; + dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } 
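Review bot: In both filter181 hunks the upper clip bound `INT_MAX/10923 - 32768` is looser than the arithmetic requires: `dc * 10923 + 32768` only overflows once dc exceeds `(INT_MAX - 32768)/10923` (about 196598), but the chosen bound starts clipping at about 163833, so values in between are altered although they would not have overflowed. With int16_t data the expression that computes dc can reach roughly ±327000, so the clip does engage on real inputs. Either tighten it to `av_clip(dc, INT_MIN/10923, (INT_MAX - 32768)/10923)` or add a comment that the extra margin is intentional; the same applies to the second hunk. filter181 continues outside both hunks.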
@@ -417,7 +417,7 @@ static void guess_mv(ERContext *s) } if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) || - num_avail <= mb_width / 2) { + num_avail <= FFMAX(mb_width, mb_height) / 2) { for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; diff --git a/lib/ffmpeg/libavcodec/escape124.c b/lib/ffmpeg/libavcodec/escape124.c index d8a89a934..fab56b59e 100644 --- a/lib/ffmpeg/libavcodec/escape124.c +++ b/lib/ffmpeg/libavcodec/escape124.c @@ -222,7 +222,11 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. - if (get_bits_left(&gb) < 64) + // Check if the amount we will read minimally is available on input. + // The 64 represent the immediately next 2 frame_* elements read, the 23/4320 + // represent a lower bound of the space needed for skipped superblocks. Non + // skipped SBs need more space. + if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; frame_flags = get_bits_long(&gb, 32); diff --git a/lib/ffmpeg/libavcodec/exr.c b/lib/ffmpeg/libavcodec/exr.c index 329db6614..bfc9c7a8b 100644 --- a/lib/ffmpeg/libavcodec/exr.c +++ b/lib/ffmpeg/libavcodec/exr.c 
@@ -1166,13 +1166,25 @@ static int decode_header(EXRContext *s) continue; } else if ((var_size = check_header_variable(s, "dataWindow", "box2i", 31)) >= 0) { + int xmin, ymin, xmax, ymax; if (!var_size) return AVERROR_INVALIDDATA; - s->xmin = bytestream2_get_le32(&s->gb); - s->ymin = bytestream2_get_le32(&s->gb); - s->xmax = bytestream2_get_le32(&s->gb); - s->ymax = bytestream2_get_le32(&s->gb); + xmin = bytestream2_get_le32(&s->gb); + ymin = bytestream2_get_le32(&s->gb); + xmax = bytestream2_get_le32(&s->gb); + ymax = bytestream2_get_le32(&s->gb); + + if (xmin > xmax || ymin > ymax || + ymax == INT_MAX || xmax == INT_MAX || + (unsigned)xmax - xmin >= INT_MAX || + (unsigned)ymax - ymin >= INT_MAX) { + return AVERROR_INVALIDDATA; + } + s->xmin = xmin; + s->xmax = xmax; + s->ymin = ymin; + s->ymax = ymax; s->xdelta = (s->xmax - s->xmin) + 1; s->ydelta = (s->ymax - s->ymin) + 1; @@ -1311,7 +1323,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, s->ymin > s->ymax || s->xdelta != s->xmax - s->xmin + 1 || s->xmax >= s->w || - s->ymax >= s->h) { + s->ymax >= s->h || + s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF + ) { av_log(avctx, AV_LOG_ERROR, "Wrong or missing size information.\n"); return AVERROR_INVALIDDATA; } @@ -1338,7 +1352,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, ptr = picture->data[0]; // Zero out the start if ymin is not 0 - for (y = 0; y < s->ymin; y++) { + for (y = 0; y < FFMIN(s->ymin, s->h); y++) { memset(ptr, 0, out_line_size); ptr += picture->linesize[0]; } diff --git a/lib/ffmpeg/libavcodec/faxcompr.c b/lib/ffmpeg/libavcodec/faxcompr.c index 2a1d2bc3f..5393fcf82 100644 --- a/lib/ffmpeg/libavcodec/faxcompr.c +++ b/lib/ffmpeg/libavcodec/faxcompr.c 
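Review bot: The new dataWindow validation in decode_header accepts a negative xmin or ymin; the unsigned differences keep the arithmetic itself safe, but a negative origin then flows into xdelta/ydelta and into the decode_frame loops, and the decode_frame condition that might reject it begins outside the second hunk. If negative windows are meant to be rejected, `xmin < 0 || ymin < 0 ||` belongs in the new check; if they are meant to be supported, a comment here saying so (and why the FFMIN(s->ymin, s->h) clamp in the third hunk is then enough) would help. Both decode_header and decode_frame continue outside the hunks.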
@@ -141,6 +141,8 @@ static int decode_uncompressed(AVCodecContext *avctx, GetBitContext *gb, return AVERROR_INVALIDDATA; } cwi = 10 - av_log2(cwi); + if (get_bits_left(gb) < cwi + 1) + return AVERROR_INVALIDDATA; skip_bits(gb, cwi + 1); if (cwi > 5) { newmode = get_bits1(gb); @@ -206,6 +208,8 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int run = 0; unsigned int t; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); run += t; if (t < 64) { @@ -224,7 +228,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, run = 0; mode = !mode; } else if ((int)t == -1) { - if (show_bits(gb, 12) == 15) { + if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) { int ret; skip_bits(gb, 12); ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, &mode); @@ -251,7 +255,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int offs = 0, run = 0; while (offs < width) { - int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); + int cmode; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); if (cmode == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect mode VLC\n"); return AVERROR_INVALIDDATA; @@ -273,6 +280,8 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, for (k = 0; k < 2; k++) { run = 0; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); if (t == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect code\n"); @@ -296,7 +305,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, mode = !mode; } } else if (cmode == 9 || cmode == 10) { - int xxx = get_bits(gb, 3); + int xxx; + if (get_bits_left(gb) < 3) + return AVERROR_INVALIDDATA; + xxx = get_bits(gb, 3); if (cmode == 9 && xxx == 7) { int ret; int pix_left = width - offs; 
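Review bot: The `get_bits_left(gb) <= 0` guards added before get_vlc2 in decode_group3_1d_line and decode_group3_2d_line only establish that the reader has not already overrun; get_vlc2 can still consume more bits than remain, so the loops depend on a later check or on the input buffer's padding to stay safe, neither of which is visible here. A comment at the first guard would make the contract clear: `/* stop once the reader is past the end; a single VLC read may still spill into the padding */`. The same wording applies to the guard in the second 2d_line hunk. Both enclosing functions start and end outside the hunks.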
diff --git a/lib/ffmpeg/libavcodec/ffv1dec.c b/lib/ffmpeg/libavcodec/ffv1dec.c index a05d398cf..91ee4883f 100644 --- a/lib/ffmpeg/libavcodec/ffv1dec.c +++ b/lib/ffmpeg/libavcodec/ffv1dec.c @@ -836,7 +836,7 @@ static int read_header(FFV1Context *f) if (f->version == 2) { int idx = get_symbol(c, state, 0); - if (idx > (unsigned)f->quant_table_count) { + if (idx >= (unsigned)f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n"); return AVERROR_INVALIDDATA; @@ -940,8 +940,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int trailer = 3 + 5*!!f->ec; int v; - if (i || f->version > 2) v = AV_RB24(buf_p-trailer) + trailer; - else v = buf_p - c->bytestream_start; + if (i || f->version > 2) { + if (trailer > buf_p - buf) v = INT_MAX; + else v = AV_RB24(buf_p-trailer) + trailer; + } else v = buf_p - c->bytestream_start; if (buf_p - c->bytestream_start < v) { av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n"); ff_thread_report_progress(&f->picture, INT_MAX, 0); @@ -953,7 +955,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac unsigned crc = av_crc(av_crc_get_table(AV_CRC_32_IEEE), 0, buf_p, v); if (crc) { int64_t ts = avpkt->pts != AV_NOPTS_VALUE ? avpkt->pts : avpkt->dts; - av_log(f->avctx, AV_LOG_ERROR, "CRC mismatch %X!", crc); + av_log(f->avctx, AV_LOG_ERROR, "slice CRC mismatch %X!", crc); if (ts != AV_NOPTS_VALUE && avctx->pkt_timebase.num) { av_log(f->avctx, AV_LOG_ERROR, "at %f seconds\n", ts*av_q2d(avctx->pkt_timebase)); } else if (ts != AV_NOPTS_VALUE) { diff --git a/lib/ffmpeg/libavcodec/ffv1enc.c b/lib/ffmpeg/libavcodec/ffv1enc.c index 3b425d68e..b27c3a132 100644 --- a/lib/ffmpeg/libavcodec/ffv1enc.c +++ b/lib/ffmpeg/libavcodec/ffv1enc.c 
@@ -690,6 +690,10 @@ static av_cold int encode_init(AVCodecContext *avctx) s->ec = (s->version >= 3); } + // CRC requires version 3+ + if (s->ec) + s->version = FFMAX(s->version, 3); + if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; diff --git a/lib/ffmpeg/libavcodec/ffwavesynth.c b/lib/ffmpeg/libavcodec/ffwavesynth.c index 9d055e401..a7bb351ee 100644 --- a/lib/ffmpeg/libavcodec/ffwavesynth.c +++ b/lib/ffmpeg/libavcodec/ffwavesynth.c @@ -113,18 +113,12 @@ static uint32_t lcg_next(uint32_t *s) return *s; } -static void lcg_seek(uint32_t *s, int64_t dt) +static void lcg_seek(uint32_t *s, uint32_t dt) { uint32_t a, c, t = *s; - if (dt >= 0) { - a = LCG_A; - c = LCG_C; - } else { /* coefficients for a step backward */ - a = LCG_AI; - c = (uint32_t)(LCG_AI * LCG_C); - dt = -dt; - } + a = LCG_A; + c = LCG_C; while (dt) { if (dt & 1) t = a * t + c; @@ -194,7 +188,7 @@ static uint64_t frac64(uint64_t a, uint64_t b) static uint64_t phi_at(struct ws_interval *in, int64_t ts) { - uint64_t dt = ts - in->ts_start; + uint64_t dt = ts - (uint64_t)in->ts_start; uint64_t dt2 = dt & 1 ? /* dt * (dt - 1) / 2 without overflow */ dt * ((dt - 1) >> 1) : (dt >> 1) * (dt - 1); return in->phi0 + dt * in->dphi0 + dt2 * in->ddphi; 
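Review bot: lcg_seek now takes dt as uint32_t and drops the backward-step branch, so a negative delta from a caller arrives as 2^32 - |dt| and is walked forward; that only reproduces the old backward seek if the generator's period divides 2^32, which depends on LCG_A and LCG_C (not visible here). The callers in wavesynth_seek now cast their differences to uint32_t explicitly, so the assumption deserves a comment on lcg_seek: `/* dt is taken modulo 2^32: a step back by k equals a step forward by 2^32 - k for a full-period LCG */`. lcg_seek's loop body continues outside the hunk.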
@@ -221,12 +215,12 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) ws->next_inter = i; ws->next_ts = i < ws->nb_inter ? ws->inter[i].ts_start : INF_TS; *last = -1; - lcg_seek(&ws->dither_state, ts - ws->cur_ts); + lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts); if (ws->pink_need) { - int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); - int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); + uint64_t pink_ts_cur = (ws->cur_ts + (uint64_t)PINK_UNIT - 1) & ~(PINK_UNIT - 1); + uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); - lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) << 1); + lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); if (pos) { pink_fill(ws); ws->pink_pos = pos; @@ -253,7 +247,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) edata_end = edata + avc->extradata_size; ws->nb_inter = AV_RL32(edata); edata += 4; - if (ws->nb_inter < 0) + if (ws->nb_inter < 0 || (edata_end - edata) / 24 < ws->nb_inter) return AVERROR(EINVAL); ws->inter = av_calloc(ws->nb_inter, sizeof(*ws->inter)); if (!ws->inter) @@ -267,13 +261,16 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) in->type = AV_RL32(edata + 16); in->channels = AV_RL32(edata + 20); edata += 24; - if (in->ts_start < cur_ts || in->ts_end <= in->ts_start) + if (in->ts_start < cur_ts || + in->ts_end <= in->ts_start || + (uint64_t)in->ts_end - in->ts_start > INT64_MAX + ) return AVERROR(EINVAL); cur_ts = in->ts_start; dt = in->ts_end - in->ts_start; switch (in->type) { case WS_SINE: - if (edata_end - edata < 20) + if (edata_end - edata < 20 || avc->sample_rate <= 0) return AVERROR(EINVAL); f1 = AV_RL32(edata + 0); f2 = AV_RL32(edata + 4); 
@@ -284,7 +281,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) dphi1 = frac64(f1, (int64_t)avc->sample_rate << 16); dphi2 = frac64(f2, (int64_t)avc->sample_rate << 16); in->dphi0 = dphi1; - in->ddphi = (dphi2 - dphi1) / dt; + in->ddphi = (int64_t)(dphi2 - (uint64_t)dphi1) / dt; if (phi & 0x80000000) { phi &= ~0x80000000; if (phi >= i) @@ -304,8 +301,8 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) default: return AVERROR(EINVAL); } - in->amp0 = (int64_t)a1 << 32; - in->damp = (((int64_t)a2 << 32) - ((int64_t)a1 << 32)) / dt; + in->amp0 = (uint64_t)a1 << 32; + in->damp = (int64_t)(((uint64_t)a2 << 32) - ((uint64_t)a1 << 32)) / dt; } if (edata != edata_end) return AVERROR(EINVAL); @@ -353,7 +350,8 @@ static av_cold int wavesynth_init(AVCodecContext *avc) static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, int32_t *channels) { - int32_t amp, val, *cv; + int32_t amp, *cv; + unsigned val; struct ws_interval *in; int i, *last, pink; uint32_t c, all_ch = 0; @@ -375,12 +373,12 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, in->amp += in->damp; switch (in->type) { case WS_SINE: - val = amp * ws->sin[in->phi >> (64 - SIN_BITS)]; + val = amp * (unsigned)ws->sin[in->phi >> (64 - SIN_BITS)]; in->phi += in->dphi; in->dphi += in->ddphi; break; case WS_NOISE: - val = amp * pink; + val = amp * (unsigned)pink; break; default: val = 0; @@ -388,7 +386,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, all_ch |= in->channels; for (c = in->channels, cv = channels; c; c >>= 1, cv++) if (c & 1) - *cv += val; + *cv += (unsigned)val; } val = (int32_t)lcg_next(&ws->dither_state) >> 16; for (c = all_ch, cv = channels; c; c >>= 1, cv++) 
@@ -446,7 +444,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, if (r < 0) return r; pcm = (int16_t *)frame->data[0]; - for (s = 0; s < duration; s++, ts++) { + for (s = 0; s < duration; s++, ts+=(uint64_t)1) { memset(channels, 0, avc->channels * sizeof(*channels)); if (ts >= ws->next_ts) wavesynth_enter_intervals(ws, ts); @@ -454,7 +452,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, for (c = 0; c < avc->channels; c++) *(pcm++) = channels[c] >> 16; } - ws->cur_ts += duration; + ws->cur_ts += (uint64_t)duration; *rgot_frame = 1; return packet->size; } diff --git a/lib/ffmpeg/libavcodec/fic.c b/lib/ffmpeg/libavcodec/fic.c index 6940cb623..e1f4178c8 100644 --- a/lib/ffmpeg/libavcodec/fic.c +++ b/lib/ffmpeg/libavcodec/fic.c @@ -81,6 +81,7 @@ static const uint8_t fic_qmat_lq[64] = { static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; #define FIC_HEADER_SIZE 27 +#define CURSOR_OFFSET 59 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { @@ -137,6 +138,9 @@ static int fic_decode_block(FICContext *ctx, GetBitContext *gb, { int i, num_coeff; + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; + /* Is it a skip block? */ if (get_bits1(gb)) { /* This is a P-frame. */ @@ -334,6 +338,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, skip_cursor = 1; } + if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) { + skip_cursor = 1; + } + /* Slice height for all but the last slice. */ ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices; if (ctx->slice_h % 16) @@ -381,6 +389,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, slice_h = FFALIGN(avctx->height - ctx->slice_h * (nslices - 1), 16); } else { slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4); + if (slice_size < slice_off) + return AVERROR_INVALIDDATA; } if (slice_size < slice_off || slice_size > msize) 
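Review bot: `ts+=(uint64_t)1` in wavesynth_decode reads as a typo without a comment; the cast makes the addition happen in uint64_t so a timestamp near INT64_MAX wraps instead of triggering signed-overflow undefined behaviour, and `ws->cur_ts += (uint64_t)duration` in the next hunk is written the same way for the same reason. Suggest `/* unsigned add: wrap instead of signed overflow */` on the loop line so the idiom survives the next cleanup pass. wavesynth_decode continues outside both hunks.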
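Review bot: The new `if (slice_size < slice_off) return AVERROR_INVALIDDATA;` in fic_decode_frame repeats the first half of the condition on the very next context line, `if (slice_size < slice_off || slice_size > msize)`, so the two differ only in what they do on failure, and the second one's body is outside the hunk. If the intent is that an undersized slice is a hard error while an oversized one is handled differently, a one-line comment saying so would stop the next reader from deleting one of them as redundant; otherwise the hard return should be folded into the existing condition. fic_decode_frame continues outside the hunk.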
@@ -413,7 +423,7 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, /* Draw cursor. */ if (!skip_cursor) { - memcpy(ctx->cursor_buf, src + 59, 32 * 32 * 4); + memcpy(ctx->cursor_buf, src + CURSOR_OFFSET, sizeof(ctx->cursor_buf)); fic_draw_cursor(avctx, cur_x, cur_y); } diff --git a/lib/ffmpeg/libavcodec/flac_parser.c b/lib/ffmpeg/libavcodec/flac_parser.c index 6df531b7b..ffa6a2845 100644 --- a/lib/ffmpeg/libavcodec/flac_parser.c +++ b/lib/ffmpeg/libavcodec/flac_parser.c @@ -216,16 +216,20 @@ static int find_headers_search(FLACParseContext *fpc, uint8_t *buf, int buf_size uint32_t x; for (i = 0; i < mod_offset; i++) { - if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) - size = find_headers_search_validate(fpc, search_start + i); + if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) { + int ret = find_headers_search_validate(fpc, search_start + i); + size = FFMAX(size, ret); + } } for (; i < buf_size - 1; i += 4) { x = AV_RB32(buf + i); if (((x & ~(x + 0x01010101)) & 0x80808080)) { for (j = 0; j < 4; j++) { - if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) - size = find_headers_search_validate(fpc, search_start + i + j); + if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) { + int ret = find_headers_search_validate(fpc, search_start + i + j); + size = FFMAX(size, ret); + } } } } @@ -686,12 +690,17 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, } for (curr = fpc->headers; curr; curr = curr->next) { - if (curr->max_score > 0 && - (!fpc->best_header || curr->max_score > fpc->best_header->max_score)) { + if (!fpc->best_header || curr->max_score > fpc->best_header->max_score) { fpc->best_header = curr; } } + if (fpc->best_header && fpc->best_header->max_score <= 0) { + // Only accept a bad header if there is no other option to continue + if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < FLAC_MIN_HEADERS) + fpc->best_header = NULL; + } + if (fpc->best_header) { fpc->best_header_valid = 1; if (fpc->best_header->offset > 0) { 
diff --git a/lib/ffmpeg/libavcodec/flacdsp_template.c b/lib/ffmpeg/libavcodec/flacdsp_template.c index 776c78da7..892418cdd 100644 --- a/lib/ffmpeg/libavcodec/flacdsp_template.c +++ b/lib/ffmpeg/libavcodec/flacdsp_template.c @@ -66,8 +66,8 @@ static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; - int b = in[1][i]; + unsigned a = in[0][i]; + unsigned b = in[1][i]; S(samples, 0, i) = a << shift; S(samples, 1, i) = (a - b) << shift; } @@ -80,8 +80,8 @@ static void FUNC(flac_decorrelate_rs_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; - int b = in[1][i]; + unsigned a = in[0][i]; + unsigned b = in[1][i]; S(samples, 0, i) = (a + b) << shift; S(samples, 1, i) = b << shift; } @@ -94,7 +94,7 @@ static void FUNC(flac_decorrelate_ms_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; + unsigned a = in[0][i]; int b = in[1][i]; a -= b >> 1; S(samples, 0, i) = (a + b) << shift; diff --git a/lib/ffmpeg/libavcodec/flicvideo.c b/lib/ffmpeg/libavcodec/flicvideo.c index 0ef7797a8..9788b6853 100644 --- a/lib/ffmpeg/libavcodec/flicvideo.c +++ b/lib/ffmpeg/libavcodec/flicvideo.c @@ -178,7 +178,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, int lines; int compressed_lines; int starting_line; - signed short line_packets; + int line_packets; int y_ptr; int byte_run; int pixel_skip; @@ -277,7 +277,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, break; if (y_ptr > pixel_limit) return AVERROR_INVALIDDATA; - line_packets = bytestream2_get_le16(&g2); + line_packets = sign_extend(bytestream2_get_le16(&g2), 16); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; @@ -505,7 +505,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, int lines; int compressed_lines; - signed short line_packets; + int line_packets; int y_ptr; int byte_run; int pixel_skip; 
@@ -569,7 +569,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, break; if (y_ptr > pixel_limit) return AVERROR_INVALIDDATA; - line_packets = bytestream2_get_le16(&g2); + line_packets = sign_extend(bytestream2_get_le16(&g2), 16); if (line_packets < 0) { line_packets = -line_packets; if (line_packets > s->avctx->height) @@ -732,6 +732,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, bytestream2_skip(&g2, chunk_size - 6); } else { + if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height ) + return AVERROR_INVALIDDATA; for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height; y_ptr += s->frame->linesize[0]) { diff --git a/lib/ffmpeg/libavcodec/frame_thread_encoder.c b/lib/ffmpeg/libavcodec/frame_thread_encoder.c index 14f2ea241..daeaaaa64 100644 --- a/lib/ffmpeg/libavcodec/frame_thread_encoder.c +++ b/lib/ffmpeg/libavcodec/frame_thread_encoder.c @@ -119,7 +119,7 @@ static void * attribute_align_arg worker(void *v){ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ int i=0; ThreadContext *c; - + AVCodecContext *thread_avctx = NULL; if( !(avctx->thread_type & FF_THREAD_FRAME) || !(avctx->codec->capabilities & AV_CODEC_CAP_INTRA_ONLY)) @@ -189,7 +189,7 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ for(i=0; ithread_count ; i++){ AVDictionary *tmp = NULL; void *tmpv; - AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec); + thread_avctx = avcodec_alloc_context3(avctx->codec); if(!thread_avctx) goto fail; tmpv = thread_avctx->priv_data; @@ -218,6 +218,8 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ return 0; fail: + avcodec_close(thread_avctx); + av_freep(&thread_avctx); avctx->thread_count = i; av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n"); ff_frame_thread_encoder_free(avctx); 
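Review bot: The new size check in flic_decode_frame_15_16BPP computes `2 * s->avctx->width * s->avctx->height` in int, so it relies on dimension validation elsewhere to keep the product from overflowing (not visible here). Writing `if (bytestream2_get_bytes_left(&g2) < 2LL * s->avctx->width * s->avctx->height)` removes that dependency at no cost, since the left operand is promoted for the comparison anyway. The enclosing function starts and ends outside the hunk.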
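Review bot: The `fail:` path in ff_frame_thread_encoder_init now closes and frees thread_avctx, which is correct only while the current iteration still owns it; once a worker has been handed the context (that hand-over is outside the hunk), thread_avctx still points at it until the next iteration's avcodec_alloc_context3 overwrites it, and any `goto fail` in that window would free it twice. No such goto is visible in the hunk, but setting `thread_avctx = NULL;` right after ownership is transferred makes the fail path robust regardless of where future errors are added. ff_frame_thread_encoder_init continues outside all three hunks.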
diff --git a/lib/ffmpeg/libavcodec/frame_thread_encoder.h b/lib/ffmpeg/libavcodec/frame_thread_encoder.h index 1da0ce180..f6d02ad25 100644 --- a/lib/ffmpeg/libavcodec/frame_thread_encoder.h +++ b/lib/ffmpeg/libavcodec/frame_thread_encoder.h @@ -20,6 +20,10 @@ #include "avcodec.h" +/** + * Initialize frame thread encoder. + * @note hardware encoders are not supported + */ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options); void ff_frame_thread_encoder_free(AVCodecContext *avctx); int ff_thread_video_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet_ptr); diff --git a/lib/ffmpeg/libavcodec/g2meet.c b/lib/ffmpeg/libavcodec/g2meet.c index 7d052224c..57c99b635 100644 --- a/lib/ffmpeg/libavcodec/g2meet.c +++ b/lib/ffmpeg/libavcodec/g2meet.c @@ -243,6 +243,9 @@ static int jpg_decode_block(JPGContext *c, GetBitContext *gb, const int is_chroma = !!plane; const uint8_t *qmat = is_chroma ? chroma_quant : luma_quant; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + c->bdsp.clear_block(block); dc = get_vlc2(gb, c->dc_vlc[is_chroma].table, 9, 3); if (dc < 0) @@ -555,8 +558,8 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y, B = ((pred >> B_shift) & 0xFF) - TOSIGNED(delta); } - if (R<0 || G<0 || B<0) { - av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B); + if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) { + avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", R, G, B); return 0; } @@ -853,6 +856,9 @@ static int epic_decode_tile(ePICContext *dc, uint8_t *out, int tile_height, uint32_t ref_pix = curr_row[x - 1]; if (!x || !epic_decode_from_cache(dc, ref_pix, &pix)) { pix = epic_decode_pixel_pred(dc, x, y, curr_row, above_row); + if (is_pixel_on_stack(dc, pix)) + return AVERROR_INVALIDDATA; + if (x) { int ret = epic_add_pixel_to_cache(&dc->hash, ref_pix, 
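Review bot: In epic_decode_pixel_pred the message handed to avpriv_request_sample keeps its trailing "\n", but avpriv_request_sample appends its own " is not implemented ..." text after the caller's message, so the output is split across two lines; the other new call in this file, `avpriv_request_sample(avctx, "large tile width")` in epic_jb_decode_tile, correctly omits the newline. Change it to `avpriv_request_sample(NULL, "RGB %d %d %d is out of range", R, G, B);`. Passing NULL as the log context also loses the codec prefix in the log line; whether a context is reachable from this function is not visible. epic_decode_pixel_pred continues outside the hunk.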
@@ -910,6 +916,11 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y, awidth = FFALIGN(tile_width, 16); aheight = FFALIGN(tile_height, 16); + if (tile_width > (1 << FF_ARRAY_ELEMS(c->ec.prev_row_rung))) { + avpriv_request_sample(avctx, "large tile width"); + return AVERROR_INVALIDDATA; + } + if (els_dsize) { int ret, i, j, k; uint8_t tr_r, tr_g, tr_b, *buf; @@ -926,6 +937,7 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y, if (c->ec.els_ctx.err != 0) { av_log(avctx, AV_LOG_ERROR, "ePIC: couldn't decode transparency pixel!\n"); + ff_els_decoder_uninit(&c->ec.unsigned_rung); return AVERROR_INVALIDDATA; } @@ -1354,14 +1366,16 @@ static void g2m_paint_cursor(G2MContext *c, uint8_t *dst, int stride) } else { dst += x * 3; } - if (y < 0) { + + if (y < 0) h += y; + if (w < 0 || h < 0) + return; + if (y < 0) { cursor += -y * c->cursor_stride; } else { dst += y * stride; } - if (w < 0 || h < 0) - return; for (j = 0; j < h; j++) { for (i = 0; i < w; i++) { diff --git a/lib/ffmpeg/libavcodec/g729_parser.c b/lib/ffmpeg/libavcodec/g729_parser.c index d13c99080..a2cecb722 100644 --- a/lib/ffmpeg/libavcodec/g729_parser.c +++ b/lib/ffmpeg/libavcodec/g729_parser.c @@ -51,6 +51,12 @@ static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx, s->duration = avctx->frame_size; } + if (!s->block_size) { + *poutbuf = buf; + *poutbuf_size = buf_size; + return buf_size; + } + if (!s->remaining) s->remaining = s->block_size; if (s->remaining <= buf_size) { diff --git a/lib/ffmpeg/libavcodec/g729dec.c b/lib/ffmpeg/libavcodec/g729dec.c index 99053add4..42e1b4402 100644 --- a/lib/ffmpeg/libavcodec/g729dec.c +++ b/lib/ffmpeg/libavcodec/g729dec.c 
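Review bot: ff_els_decoder_uninit(&c->ec.unsigned_rung) is now called on the transparency-decode error path in epic_jb_decode_tile, but the function's other error returns and its success path are outside the hunk, so whether they release the rung list the same way is not visible. If they do not, the leak this addresses still exists on those paths; if a later cleanup owns the rung list, this early call must be safe to repeat, which the av_freep change in the elsdec.c hunk does guarantee for this specific call. A short comment at the call, e.g. `/* the rung list is normally released by <owner>; free it here because we return before that */` with the owner filled in, would pin down who frees it last.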
@@ -336,11 +336,14 @@ static int16_t g729d_voice_decision(int onset, int prev_voice_decision, const in static int32_t scalarproduct_int16_c(const int16_t * v1, const int16_t * v2, int order) { - int res = 0; + int64_t res = 0; while (order--) res += *v1++ * *v2++; + if (res > INT32_MAX) return INT32_MAX; + else if (res < INT32_MIN) return INT32_MIN; + return res; } @@ -421,7 +424,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, return ret; out_frame = (int16_t*) frame->data[0]; - if (buf_size % 10 == 0) { + if (buf_size && buf_size % 10 == 0) { packet_type = FORMAT_G729_8K; format = &format_g729_8k; //Reset voice decision diff --git a/lib/ffmpeg/libavcodec/g729postfilter.c b/lib/ffmpeg/libavcodec/g729postfilter.c index 9a775c47b..1167e0914 100644 --- a/lib/ffmpeg/libavcodec/g729postfilter.c +++ b/lib/ffmpeg/libavcodec/g729postfilter.c @@ -156,7 +156,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, sig_scaled[i] = residual[i] >> shift; else for (i = 0; i < subframe_size + RES_PREV_DATA_SIZE; i++) - sig_scaled[i] = residual[i] << -shift; + sig_scaled[i] = (unsigned)residual[i] << -shift; /* Start of best delay searching code */ gain_num = 0; @@ -200,8 +200,8 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, } if (corr_int_num) { /* Compute denominator of pseudo-normalized correlation R'(0). */ - corr_int_den = adsp->scalarproduct_int16(sig_scaled - best_delay_int + RES_PREV_DATA_SIZE, - sig_scaled - best_delay_int + RES_PREV_DATA_SIZE, + corr_int_den = adsp->scalarproduct_int16(sig_scaled + RES_PREV_DATA_SIZE - best_delay_int, + sig_scaled + RES_PREV_DATA_SIZE - best_delay_int, subframe_size); /* Compute signals with non-integer delay k (with 1/8 precision), 
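Review bot: scalarproduct_int16_c now accumulates in int64_t and saturates by hand with two branches; libavutil already provides av_clipl_int32 for exactly this, so the tail can become `return av_clipl_int32(res);`, which also matches the av_clip_int16 used in ff_g729_adaptive_gain_control later in this series. The int64_t accumulator itself cannot overflow for any practical order, so saturating only at the return, as written, is the right place.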
@@ -343,7 +343,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, L_temp1 = gain_long_num * gain_long_num; L_temp1 = MULL(L_temp1, gain_den, FRAC_BITS); - tmp = ((sh_gain_long_num - sh_gain_num) << 1) - (sh_gain_long_den - sh_gain_den); + tmp = ((sh_gain_long_num - sh_gain_num) * 2) - (sh_gain_long_den - sh_gain_den); if (tmp > 0) L_temp0 >>= tmp; else @@ -364,7 +364,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, /* Rescale selected signal to original value. */ if (shift > 0) for (i = 0; i < subframe_size; i++) - selected_signal[i] <<= shift; + selected_signal[i] *= 1 << shift; else for (i = 0; i < subframe_size; i++) selected_signal[i] >>= -shift; @@ -461,7 +461,7 @@ static int16_t get_tilt_comp(AudioDSPContext *adsp, int16_t *lp_gn, speech[i] = (speech[i] * temp + 0x4000) >> 15; } - return -(rh1 << 15) / rh0; + return -(rh1 * (1 << 15)) / rh0; } /** 
@@ -483,29 +483,29 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff, if (refl_coeff > 0) { gt = (refl_coeff * G729_TILT_FACTOR_PLUS + 0x4000) >> 15; - fact = 0x4000; // 0.5 in (0.15) - sh_fact = 15; + fact = 0x2000; // 0.5 in (0.15) + sh_fact = 14; } else { gt = (refl_coeff * G729_TILT_FACTOR_MINUS + 0x4000) >> 15; - fact = 0x800; // 0.5 in (3.12) - sh_fact = 12; + fact = 0x400; // 0.5 in (3.12) + sh_fact = 11; } - ga = (fact << 15) / av_clip_int16(32768 - FFABS(gt)); + ga = (fact << 16) / av_clip_int16(32768 - FFABS(gt)); gt >>= 1; /* Apply tilt compensation filter to signal. */ tmp = res_pst[subframe_size - 1]; for (i = subframe_size - 1; i >= 1; i--) { - tmp2 = (res_pst[i] << 15) + ((gt * res_pst[i-1]) << 1); - tmp2 = (tmp2 + 0x4000) >> 15; + tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000; + tmp2 = res_pst[i] + (tmp2 >> 15); - tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; + tmp2 = (tmp2 * ga + fact) >> sh_fact; out[i] = tmp2; } - tmp2 = (res_pst[0] << 15) + ((gt * ht_prev_data) << 1); - tmp2 = (tmp2 + 0x4000) >> 15; - tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; + tmp2 = (gt * ht_prev_data) * 2 + 0x4000; + tmp2 = res_pst[0] + (tmp2 >> 15); + tmp2 = (tmp2 * ga + fact) >> sh_fact; out[0] = tmp2; return tmp; @@ -596,6 +596,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t * gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000; gain = bidir_sal(gain, exp_after - exp_before); } + gain = av_clip_int16(gain); gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875) } else gain = 0; diff --git a/lib/ffmpeg/libavcodec/get_bits.h b/lib/ffmpeg/libavcodec/get_bits.h index 72f8b5f29..5a7179591 100644 --- a/lib/ffmpeg/libavcodec/get_bits.h +++ b/lib/ffmpeg/libavcodec/get_bits.h @@ -32,6 +32,7 @@ #include "libavutil/intreadwrite.h" #include "libavutil/log.h" #include "libavutil/avassert.h" +#include "avcodec.h" #include "mathops.h" /* 
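Review bot: In apply_tilt_comp the fixed-point constants changed (`fact = 0x2000` with `sh_fact = 14`, `fact = 0x400` with `sh_fact = 11`) but the comments still read `// 0.5 in (0.15)` and `// 0.5 in (3.12)`, which describe the old values; 0x2000 is 0.5 with 14 fractional bits and 0x400 is 0.5 with 11, so in the file's notation they should read `// 0.5 in (1.14)` and `// 0.5 in (4.11)`. A line explaining why the rounding constant and the post-shift were halved together (the `* 2` factor moved out of the `tmp2 * ga * 2` product) would also help the next reader match the new arithmetic against the reference. apply_tilt_comp continues outside the hunk.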
@@ -417,7 +418,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, int buffer_size; int ret = 0; - if (bit_size >= INT_MAX - 7 || bit_size < 0 || !buffer) { + if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || bit_size < 0 || !buffer) { bit_size = 0; buffer = NULL; ret = AVERROR_INVALIDDATA; diff --git a/lib/ffmpeg/libavcodec/h263dec.c b/lib/ffmpeg/libavcodec/h263dec.c index c85ea9d6c..0b91e5d26 100644 --- a/lib/ffmpeg/libavcodec/h263dec.c +++ b/lib/ffmpeg/libavcodec/h263dec.c @@ -637,7 +637,7 @@ int ff_h263_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, slice_ret = decode_slice(s); while (s->mb_y < s->mb_height) { if (s->msmpeg4_version) { - if (s->slice_height == 0 || s->mb_x != 0 || + if (s->slice_height == 0 || s->mb_x != 0 || slice_ret < 0 || (s->mb_y % s->slice_height) != 0 || get_bits_left(&s->gb) < 0) break; } else { diff --git a/lib/ffmpeg/libavcodec/h264.c b/lib/ffmpeg/libavcodec/h264.c index 6cad626db..1f399ab83 100644 --- a/lib/ffmpeg/libavcodec/h264.c +++ b/lib/ffmpeg/libavcodec/h264.c @@ -293,12 +293,9 @@ const uint8_t *ff_h264_decode_nal(H264Context *h, H264SliceContext *sl, if(i>=length-1){ //no escaped 0 *dst_length= length; *consumed= length+1; //+1 for the header - if(h->avctx->flags2 & AV_CODEC_FLAG2_FAST){ - return src; - }else{ - memcpy(dst, src, length); - return dst; - } + + memcpy(dst, src, length); + return dst; } memcpy(dst, src, i); @@ -1087,7 +1084,6 @@ void ff_h264_flush_change(H264Context *h) h->next_outputed_poc = INT_MIN; h->prev_interlaced_frame = 1; - h->got_first_iframe = 0; idr(h); h->prev_frame_num = -1; diff --git a/lib/ffmpeg/libavcodec/h264.h b/lib/ffmpeg/libavcodec/h264.h index 32bd14001..981e7b1b3 100644 --- a/lib/ffmpeg/libavcodec/h264.h +++ b/lib/ffmpeg/libavcodec/h264.h 
@@ -814,8 +814,6 @@ typedef struct H264Context { * slices) anymore */ int setup_finished; - int got_first_iframe; - // Timestamp stuff int sei_buffering_period_present; ///< Buffering period SEI flag int initial_cpb_removal_delay[32]; ///< Initial timestamps for CPBs diff --git a/lib/ffmpeg/libavcodec/h264_cavlc.c b/lib/ffmpeg/libavcodec/h264_cavlc.c index 97ec6fd4a..250e93bc8 100644 --- a/lib/ffmpeg/libavcodec/h264_cavlc.c +++ b/lib/ffmpeg/libavcodec/h264_cavlc.c @@ -721,8 +721,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl) cbp = 0; /* avoid warning. FIXME: find a solution without slowing down the code */ if (sl->slice_type_nos != AV_PICTURE_TYPE_I) { - if (sl->mb_skip_run == -1) - sl->mb_skip_run = get_ue_golomb_long(&sl->gb); + if (sl->mb_skip_run == -1) { + unsigned mb_skip_run = get_ue_golomb_long(&sl->gb); + if (mb_skip_run > h->mb_num) { + av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run); + return AVERROR_INVALIDDATA; + } + sl->mb_skip_run = mb_skip_run; + } if (sl->mb_skip_run--) { if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) { diff --git a/lib/ffmpeg/libavcodec/h264_mc_template.c b/lib/ffmpeg/libavcodec/h264_mc_template.c index e4333a733..acdf4d126 100644 --- a/lib/ffmpeg/libavcodec/h264_mc_template.c +++ b/lib/ffmpeg/libavcodec/h264_mc_template.c @@ -78,7 +78,8 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl, if (HAVE_THREADS && (h->avctx->active_thread_type & FF_THREAD_FRAME)) await_references(h, sl); - prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); + if (USES_LIST(mb_type, 0)) + prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); if (IS_16X16(mb_type)) { mc_part(h, sl, 0, 1, 16, 0, dest_y, dest_cb, dest_cr, 0, 0, diff --git a/lib/ffmpeg/libavcodec/h264_refs.c b/lib/ffmpeg/libavcodec/h264_refs.c index a3de6b2f3..5ec7f2d06 100644 --- a/lib/ffmpeg/libavcodec/h264_refs.c +++ b/lib/ffmpeg/libavcodec/h264_refs.c 
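Review bot: The new error log in ff_h264_decode_mb_cavlc prints the `unsigned mb_skip_run` with `%d`; it should be `av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %u is invalid\n", mb_skip_run);`. A value above INT_MAX, which the `> h->mb_num` comparison is there to reject, would otherwise be logged as a negative number, so the diagnostic is misleading for exactly the input that trips it. The function's body continues outside the hunk.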
@@ -813,6 +813,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count) pps_ref_count[1] = FFMAX(pps_ref_count[1], h->pps.ref_count[1]); } + // Detect unmarked random access points if ( err >= 0 && h->long_ref_count==0 && ( h->short_ref_count<=2 diff --git a/lib/ffmpeg/libavcodec/h264_slice.c b/lib/ffmpeg/libavcodec/h264_slice.c index 9dfafab93..cbebec3c1 100644 --- a/lib/ffmpeg/libavcodec/h264_slice.c +++ b/lib/ffmpeg/libavcodec/h264_slice.c @@ -1043,7 +1043,6 @@ static int h264_slice_header_init(H264Context *h) h->first_field = 0; h->prev_interlaced_frame = 1; - h->got_first_iframe = 0; init_scan_tables(h); ret = ff_h264_alloc_tables(h); diff --git a/lib/ffmpeg/libavcodec/h264idct_template.c b/lib/ffmpeg/libavcodec/h264idct_template.c index e402c9636..d67c766f1 100644 --- a/lib/ffmpeg/libavcodec/h264idct_template.c +++ b/lib/ffmpeg/libavcodec/h264idct_template.c @@ -278,13 +278,13 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){ const int stride= 16*2; const int xStride= 16; int i; - int temp[8]; + unsigned temp[8]; static const uint8_t x_offset[2]={0, 16}; dctcoef *block = (dctcoef*)_block; for(i=0; i<4; i++){ - temp[2*i+0] = block[stride*i + xStride*0] + block[stride*i + xStride*1]; - temp[2*i+1] = block[stride*i + xStride*0] - block[stride*i + xStride*1]; + temp[2*i+0] = block[stride*i + xStride*0] + (unsigned)block[stride*i + xStride*1]; + temp[2*i+1] = block[stride*i + xStride*0] - (unsigned)block[stride*i + xStride*1]; } for(i=0; i<2; i++){ diff --git a/lib/ffmpeg/libavcodec/hap.h b/lib/ffmpeg/libavcodec/hap.h index e4762ee43..7543efcf0 100644 --- a/lib/ffmpeg/libavcodec/hap.h +++ b/lib/ffmpeg/libavcodec/hap.h @@ -51,7 +51,7 @@ enum HapSectionType { typedef struct HapChunk { enum HapCompressor compressor; - int compressed_offset; + uint32_t compressed_offset; size_t compressed_size; int uncompressed_offset; size_t uncompressed_size; 
diff --git a/lib/ffmpeg/libavcodec/hapdec.c b/lib/ffmpeg/libavcodec/hapdec.c index 6adac21bb..0a654e2fa 100644 --- a/lib/ffmpeg/libavcodec/hapdec.c +++ b/lib/ffmpeg/libavcodec/hapdec.c @@ -129,6 +129,8 @@ static int hap_parse_decode_instructions(HapContext *ctx, int size) size_t running_size = 0; for (i = 0; i < ctx->chunk_count; i++) { ctx->chunks[i].compressed_offset = running_size; + if (ctx->chunks[i].compressed_size > UINT32_MAX - running_size) + return AVERROR_INVALIDDATA; running_size += ctx->chunks[i].compressed_size; } } @@ -207,7 +209,7 @@ static int hap_parse_frame_header(AVCodecContext *avctx) HapChunk *chunk = &ctx->chunks[i]; /* Check the compressed buffer is valid */ - if (chunk->compressed_offset + chunk->compressed_size > bytestream2_get_bytes_left(gbc)) + if (chunk->compressed_offset + (uint64_t)chunk->compressed_size > bytestream2_get_bytes_left(gbc)) return AVERROR_INVALIDDATA; /* Chunks are unpacked sequentially, ctx->tex_size is the uncompressed diff --git a/lib/ffmpeg/libavcodec/hevc.c b/lib/ffmpeg/libavcodec/hevc.c index 6dcc1c8aa..49f52f818 100644 --- a/lib/ffmpeg/libavcodec/hevc.c +++ b/lib/ffmpeg/libavcodec/hevc.c @@ -423,6 +423,11 @@ static int hls_slice_header(HEVCContext *s) // Coded parameters sh->first_slice_in_pic_flag = get_bits1(gb); + if (s->ref && sh->first_slice_in_pic_flag) { + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); + return 1; // This slice will be skipped later, do not corrupt state + } + if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { s->seq_decode = (s->seq_decode + 1) & 0xff; s->max_ra = INT_MAX; 
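Review bot: The duplicate-first-slice check added to hls_slice_header signals the condition with a bare `return 1;`, which the caller in decode_nal_unit (the `@@ -2695` hunk further down) must recognise by comparing against the literal 1. Every other exit of this function returns 0 or a negative AVERROR, so a positive sentinel is easy to miss at other call sites or in later edits; a comment at the function's declaration, e.g. `/* returns 1 (not an error code) when the slice must be skipped without touching decoder state */`, would make the contract explicit. The function's head is outside the hunk.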
@@ -682,6 +687,11 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->pic_slice_level_chroma_qp_offsets_present_flag) { sh->slice_cb_qp_offset = get_se_golomb(gb); sh->slice_cr_qp_offset = get_se_golomb(gb); + if (sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12 || + sh->slice_cr_qp_offset < -12 || sh->slice_cr_qp_offset > 12) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid slice cx qp offset.\n"); + return AVERROR_INVALIDDATA; + } } else { sh->slice_cb_qp_offset = 0; sh->slice_cr_qp_offset = 0; @@ -2695,6 +2705,11 @@ static int decode_nal_unit(HEVCContext *s, const HEVCNAL *nal) ret = hls_slice_header(s); if (ret < 0) return ret; + if (ret == 1) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + if (s->max_ra == INT_MAX) { if (s->nal_unit_type == NAL_CRA_NUT || IS_BLA(s)) { diff --git a/lib/ffmpeg/libavcodec/hevc_cabac.c b/lib/ffmpeg/libavcodec/hevc_cabac.c index 0e4c522bb..e56ab8d26 100644 --- a/lib/ffmpeg/libavcodec/hevc_cabac.c +++ b/lib/ffmpeg/libavcodec/hevc_cabac.c @@ -629,11 +629,11 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) } if (prefix_val >= 5) { int k = 0; - while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { + while (k < 7 && get_cabac_bypass(&s->HEVClc->cc)) { suffix_val += 1 << k; k++; } - if (k == CABAC_MAX_BIN) { + if (k == 7) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); return AVERROR_INVALIDDATA; } @@ -985,7 +985,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int } else { int prefix_minus3 = prefix - 3; - if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { + if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param > 16 + 6) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); return 0; } diff --git a/lib/ffmpeg/libavcodec/hevc_mp4toannexb_bsf.c b/lib/ffmpeg/libavcodec/hevc_mp4toannexb_bsf.c index 54d6d79b8..bcf845d68 100644 --- a/lib/ffmpeg/libavcodec/hevc_mp4toannexb_bsf.c +++ b/lib/ffmpeg/libavcodec/hevc_mp4toannexb_bsf.c 
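Review bot: In ff_hevc_cu_qp_delta_abs the suffix bound is now the bare literal 7, repeated in the `while` condition and the `if (k == 7)` test, while the error text still says `"CABAC_MAX_BIN : %d\n"`, so the log names a limit the code no longer applies. Give the value a name with a comment stating where 7 comes from (presumably the maximum bypass-suffix length permitted for this syntax element), and make the message describe the element, e.g. `av_log(s->avctx, AV_LOG_ERROR, "cu_qp_delta_abs suffix too long: %d\n", k);`. The function's head is outside the hunk.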
@@ -161,6 +161,11 @@ static int hevc_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, for (i = 0; i < ctx->length_size; i++) nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb); + if (nalu_size < 2) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + nalu_type = (bytestream2_peek_byte(&gb) >> 1) & 0x3f; /* prepend extradata to IRAP frames */ @@ -180,7 +185,7 @@ static int hevc_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, if (ret < 0) goto fail; - if (add_extradata) + if (extra_size) memcpy(out + out_size, ctx->spspps_buf, extra_size); AV_WB32(out + out_size + extra_size, 1); bytestream2_get_buffer(&gb, out + out_size + 4 + extra_size, nalu_size); diff --git a/lib/ffmpeg/libavcodec/hevc_ps.c b/lib/ffmpeg/libavcodec/hevc_ps.c index 62e165e4b..5fd3f4747 100644 --- a/lib/ffmpeg/libavcodec/hevc_ps.c +++ b/lib/ffmpeg/libavcodec/hevc_ps.c @@ -725,7 +725,11 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi next_coef = 8; coef_num = FFMIN(64, 1 << (4 + (size_id << 1))); if (size_id > 1) { - scaling_list_dc_coef[size_id - 2][matrix_id] = get_se_golomb(gb) + 8; + int scaling_list_coeff_minus8 = get_se_golomb(gb); + if (scaling_list_coeff_minus8 < -7 || + scaling_list_coeff_minus8 > 247) + return AVERROR_INVALIDDATA; + scaling_list_dc_coef[size_id - 2][matrix_id] = scaling_list_coeff_minus8 + 8; next_coef = scaling_list_dc_coef[size_id - 2][matrix_id]; sl->sl_dc[size_id - 2][matrix_id] = next_coef; } diff --git a/lib/ffmpeg/libavcodec/hevc_refs.c b/lib/ffmpeg/libavcodec/hevc_refs.c index daea861f1..d8c18616f 100644 --- a/lib/ffmpeg/libavcodec/hevc_refs.c +++ b/lib/ffmpeg/libavcodec/hevc_refs.c @@ -401,7 +401,7 @@ static void mark_ref(HEVCFrame *frame, int flag) static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc) { HEVCFrame *frame; - int i, x, y; + int i, y; frame = alloc_frame(s); if (!frame) 
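Review bot: The new `nalu_size < 2` guard in hevc_mp4toannexb_filter only makes the following `bytestream2_peek_byte(&gb)` header read meaningful; it does not bound nalu_size against the input left in `gb`, and the output sizing and `bytestream2_get_buffer(&gb, ..., nalu_size)` that follow still use the unvalidated length (the reallocation itself is outside the hunk, so I cannot see whether it caps it). Consider `if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) {` so a length field larger than the packet is rejected before any sizing arithmetic. The function's body continues outside the hunk.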
@@ -414,11 +414,11 @@ static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc) frame->frame->buf[i]->size); } else { for (i = 0; frame->frame->data[i]; i++) - for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) - for (x = 0; x < (s->ps.sps->width >> s->ps.sps->hshift[i]); x++) { - AV_WN16(frame->frame->data[i] + y * frame->frame->linesize[i] + 2 * x, - 1 << (s->ps.sps->bit_depth - 1)); - } + for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) { + uint8_t *dst = frame->frame->data[i] + y * frame->frame->linesize[i]; + AV_WN16(dst, 1 << (s->ps.sps->bit_depth - 1)); + av_memcpy_backptr(dst + 2, 2, 2*(s->ps.sps->width >> s->ps.sps->hshift[i]) - 2); + } } } diff --git a/lib/ffmpeg/libavcodec/hevc_sei.c b/lib/ffmpeg/libavcodec/hevc_sei.c index 4ef9fb4d8..d386396ef 100644 --- a/lib/ffmpeg/libavcodec/hevc_sei.c +++ b/lib/ffmpeg/libavcodec/hevc_sei.c @@ -244,6 +244,8 @@ static int decode_nal_sei_message(HEVCContext *s) byte = get_bits(gb, 8); payload_size += byte; } + if (get_bits_left(gb) < 8LL*payload_size) + return AVERROR_INVALIDDATA; if (s->nal_unit_type == NAL_SEI_PREFIX) { return decode_nal_sei_prefix(s, payload_type, payload_size); } else { /* nal_unit_type == NAL_SEI_SUFFIX */ diff --git a/lib/ffmpeg/libavcodec/hevcpred_template.c b/lib/ffmpeg/libavcodec/hevcpred_template.c index 6fe33546b..f1a1f4c1f 100644 --- a/lib/ffmpeg/libavcodec/hevcpred_template.c +++ b/lib/ffmpeg/libavcodec/hevcpred_template.c @@ -83,6 +83,7 @@ do { \ int y = y0 >> vshift; int x_tb = (x0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; int y_tb = (y0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; + int spin = c_idx && !size_in_tbs_v && ((2 * y0) & (1 << s->ps.sps->log2_min_tb_size)); int cur_tb_addr = MIN_TB_ADDR_ZS(x_tb, y_tb); 
@@ -103,11 +104,11 @@ do { \ pixel *top = top_array + 1; pixel *filtered_left = filtered_left_array + 1; pixel *filtered_top = filtered_top_array + 1; - int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v) & s->ps.sps->tb_mask); + int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v + spin) & s->ps.sps->tb_mask); int cand_left = lc->na.cand_left; int cand_up_left = lc->na.cand_up_left; int cand_up = lc->na.cand_up; - int cand_up_right = lc->na.cand_up_right && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); + int cand_up_right = lc->na.cand_up_right && !spin && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); int bottom_left_size = (FFMIN(y0 + 2 * size_in_luma_v, s->ps.sps->height) - (y0 + size_in_luma_v)) >> vshift; diff --git a/lib/ffmpeg/libavcodec/hnm4video.c b/lib/ffmpeg/libavcodec/hnm4video.c index a64dbb174..c6b41edd7 100644 --- a/lib/ffmpeg/libavcodec/hnm4video.c +++ b/lib/ffmpeg/libavcodec/hnm4video.c @@ -117,14 +117,17 @@ static void unpack_intraframe(AVCodecContext *avctx, uint8_t *src, static void postprocess_current_frame(AVCodecContext *avctx) { Hnm4VideoContext *hnm = avctx->priv_data; - uint32_t x, y, src_x, src_y; + uint32_t x, y, src_y; + int width = hnm->width; for (y = 0; y < hnm->height; y++) { + uint8_t *dst = hnm->processed + y * width; + const uint8_t *src = hnm->current; src_y = y - (y % 2); - src_x = src_y * hnm->width + (y % 2); - for (x = 0; x < hnm->width; x++) { - hnm->processed[(y * hnm->width) + x] = hnm->current[src_x]; - src_x += 2; + src += src_y * width + (y % 2); + for (x = 0; x < width; x++) { + dst[x] = *src; + src += 2; } } } 
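Review bot: postprocess_current_frame copies the uint32_t `hnm->width` into `int width`, and `for (x = 0; x < width; x++)` then compares the uint32_t `x` against a signed bound, which is a sign-compare warning for no gain. Declaring it as `uint32_t width = hnm->width;` keeps the type consistent with the function's other counters; this is a style point, behaviour is unchanged for real frame sizes.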
@@ -143,7 +146,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame) } } -static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) +static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) { Hnm4VideoContext *hnm = avctx->priv_data; GetByteContext gb; @@ -162,7 +165,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s if (tag == 0) { if (writeoffset + 2 > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } hnm->current[writeoffset++] = bytestream2_get_byte(&gb); hnm->current[writeoffset++] = bytestream2_get_byte(&gb); @@ -176,7 +179,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s count = bytestream2_get_byte(&gb) * 2; if (writeoffset + count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } while (count > 0) { hnm->current[writeoffset++] = bytestream2_peek_byte(&gb); @@ -188,7 +191,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s } if (writeoffset > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } else { previous = bytestream2_peek_byte(&gb) & 0x20; 
@@ -204,24 +207,25 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s if (!backward && offset + 2*count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } else if (backward && offset + 1 >= hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } else if (writeoffset + 2*count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to write out of bounds\n"); - break; + return AVERROR_INVALIDDATA; + } if(backward) { if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } else { if (offset < (!!backline)*(2 * hnm->width - 1)) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } @@ -268,6 +272,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s } } } + return 0; } static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src, @@ -434,7 +439,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data, decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8); memcpy(hnm->processed, hnm->current, hnm->width * hnm->height); } else { - decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); + int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); + if (ret < 0) + return ret; postprocess_current_frame(avctx); } copy_processed_frame(avctx, frame); diff --git a/lib/ffmpeg/libavcodec/hq_hqa.c b/lib/ffmpeg/libavcodec/hq_hqa.c index d18464769..41bfa20f3 100644 --- a/lib/ffmpeg/libavcodec/hq_hqa.c +++ b/lib/ffmpeg/libavcodec/hq_hqa.c 
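Review bot: decode_interframe_v4 now returns AVERROR_INVALIDDATA and hnm_decode_frame propagates it, but the sibling `decode_interframe_v4a` (visible as context, `static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,`) keeps a void signature, so in the branch above the new `int ret = ...` any bounds failure it detects is still silently swallowed and the possibly partial `hnm->current` is memcpy'd into `hnm->processed` as a good frame. If v4a performs the same write-offset checks (its body is outside the hunk) it should get the same `int` return and `if (ret < 0) return ret;` handling. hnm_decode_frame's body continues outside the hunk.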
@@ -180,6 +180,9 @@ static int hqa_decode_mb(HQContext *c, AVFrame *pic, int qgroup, int flag = 0; int i, ret, cbp; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + cbp = get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1); for (i = 0; i < 12; i++) @@ -244,13 +247,18 @@ static int hqa_decode_frame(HQContext *ctx, AVFrame *pic, size_t data_size) int width, height, quant; const uint8_t *src = ctx->gbc.buffer; + if (bytestream2_get_bytes_left(&ctx->gbc) < 8 + 4*(num_slices + 1)) + return AVERROR_INVALIDDATA; + width = bytestream2_get_be16(&ctx->gbc); height = bytestream2_get_be16(&ctx->gbc); + ret = ff_set_dimensions(ctx->avctx, width, height); + if (ret < 0) + return ret; + ctx->avctx->coded_width = FFALIGN(width, 16); ctx->avctx->coded_height = FFALIGN(height, 16); - ctx->avctx->width = width; - ctx->avctx->height = height; ctx->avctx->bits_per_raw_sample = 8; ctx->avctx->pix_fmt = AV_PIX_FMT_YUVA422P; @@ -312,7 +320,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data, int info_size; bytestream2_skip(&ctx->gbc, 4); info_size = bytestream2_get_le32(&ctx->gbc); - if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) { + if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) { av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size); return AVERROR_INVALIDDATA; } diff --git a/lib/ffmpeg/libavcodec/huffyuvdec.c b/lib/ffmpeg/libavcodec/huffyuvdec.c index 428547935..58b95f009 100644 --- a/lib/ffmpeg/libavcodec/huffyuvdec.c +++ b/lib/ffmpeg/libavcodec/huffyuvdec.c @@ -416,9 +416,6 @@ static av_cold int decode_init(AVCodecContext *avctx) case 0x0F0: avctx->pix_fmt = AV_PIX_FMT_GRAY16; break; - case 0x170: - avctx->pix_fmt = AV_PIX_FMT_GRAY8A; - break; case 0x470: avctx->pix_fmt = AV_PIX_FMT_GBRP; break; 
@@ -985,12 +982,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, left= left_prediction(s, p->data[plane], s->temp[0], w, 0); y = 1; + if (y >= h) + break; /* second line is left predicted for interlaced case */ if (s->interlaced) { decode_plane_bitstream(s, w, plane); left = left_prediction(s, p->data[plane] + p->linesize[plane], s->temp[0], w, left); y++; + if (y >= h) + break; } lefttop = p->data[plane][0]; @@ -1102,6 +1103,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } cy = y = 1; + if (y >= height) + break; /* second line is left predicted for interlaced case */ if (s->interlaced) { @@ -1114,6 +1117,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } y++; cy++; + if (y >= height) + break; } /* next 4 pixels are left predicted too */ diff --git a/lib/ffmpeg/libavcodec/huffyuvenc.c b/lib/ffmpeg/libavcodec/huffyuvenc.c index 65b165aaa..5c774b47e 100644 --- a/lib/ffmpeg/libavcodec/huffyuvenc.c +++ b/lib/ffmpeg/libavcodec/huffyuvenc.c @@ -271,7 +271,6 @@ FF_ENABLE_DEPRECATION_WARNINGS case AV_PIX_FMT_YUVA420P: case AV_PIX_FMT_YUVA422P: case AV_PIX_FMT_GBRAP: - case AV_PIX_FMT_GRAY8A: case AV_PIX_FMT_YUV420P9: case AV_PIX_FMT_YUV420P10: case AV_PIX_FMT_YUV420P12: @@ -1103,7 +1102,6 @@ AVCodec ff_ffvhuff_encoder = { AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY16, AV_PIX_FMT_YUVA420P, AV_PIX_FMT_YUVA422P, AV_PIX_FMT_YUVA444P, AV_PIX_FMT_GBRAP, - AV_PIX_FMT_GRAY8A, AV_PIX_FMT_YUV420P9, AV_PIX_FMT_YUV420P10, AV_PIX_FMT_YUV420P12, AV_PIX_FMT_YUV420P14, AV_PIX_FMT_YUV420P16, AV_PIX_FMT_YUV422P9, AV_PIX_FMT_YUV422P10, AV_PIX_FMT_YUV422P12, AV_PIX_FMT_YUV422P14, AV_PIX_FMT_YUV422P16, AV_PIX_FMT_YUV444P9, AV_PIX_FMT_YUV444P10, AV_PIX_FMT_YUV444P12, AV_PIX_FMT_YUV444P14, AV_PIX_FMT_YUV444P16, diff --git a/lib/ffmpeg/libavcodec/iff.c b/lib/ffmpeg/libavcodec/iff.c index 9d1f9a77d..e7048299b 100644 --- a/lib/ffmpeg/libavcodec/iff.c +++ b/lib/ffmpeg/libavcodec/iff.c 
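Review bot: The four new `if (y >= h) break;` / `if (y >= height) break;` guards in decode_frame depend on which statement they break out of, and that statement is outside the hunk: inside a predictor `switch` they end the current case and leave the plane with what was decoded so far, whereas directly inside the plane `for` loop they would skip the remaining planes entirely. A one-line comment at the first guard stating the intent, e.g. `/* fewer than 2 lines: nothing left to predict, keep the plane as decoded */`, would pin that down for the next reader. decode_frame begins and ends outside the hunk.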
@@ -102,23 +102,23 @@ static const uint64_t plane8_lut[8][256] = { LUT8(4), LUT8(5), LUT8(6), LUT8(7), }; -#define LUT32(plane) { \ - 0, 0, 0, 0, \ - 0, 0, 0, 1 << plane, \ - 0, 0, 1 << plane, 0, \ - 0, 0, 1 << plane, 1 << plane, \ - 0, 1 << plane, 0, 0, \ - 0, 1 << plane, 0, 1 << plane, \ - 0, 1 << plane, 1 << plane, 0, \ - 0, 1 << plane, 1 << plane, 1 << plane, \ - 1 << plane, 0, 0, 0, \ - 1 << plane, 0, 0, 1 << plane, \ - 1 << plane, 0, 1 << plane, 0, \ - 1 << plane, 0, 1 << plane, 1 << plane, \ - 1 << plane, 1 << plane, 0, 0, \ - 1 << plane, 1 << plane, 0, 1 << plane, \ - 1 << plane, 1 << plane, 1 << plane, 0, \ - 1 << plane, 1 << plane, 1 << plane, 1 << plane, \ +#define LUT32(plane) { \ + 0, 0, 0, 0, \ + 0, 0, 0, 1U << plane, \ + 0, 0, 1U << plane, 0, \ + 0, 0, 1U << plane, 1U << plane, \ + 0, 1U << plane, 0, 0, \ + 0, 1U << plane, 0, 1U << plane, \ + 0, 1U << plane, 1U << plane, 0, \ + 0, 1U << plane, 1U << plane, 1U << plane, \ + 1U << plane, 0, 0, 0, \ + 1U << plane, 0, 0, 1U << plane, \ + 1U << plane, 0, 1U << plane, 0, \ + 1U << plane, 0, 1U << plane, 1U << plane, \ + 1U << plane, 1U << plane, 0, 0, \ + 1U << plane, 1U << plane, 0, 1U << plane, \ + 1U << plane, 1U << plane, 1U << plane, 0, \ + 1U << plane, 1U << plane, 1U << plane, 1U << plane, \ } // 32 planes * 4-bit mask * 4 lookup tables each @@ -171,6 +171,10 @@ static int cmap_read_palette(AVCodecContext *avctx, uint32_t *pal) pal[i] = 0xFF000000 | gray2rgb((i * 255) >> avctx->bits_per_coded_sample); } if (s->masking == MASK_HAS_MASK) { + if ((1 << avctx->bits_per_coded_sample) < count) { + avpriv_request_sample(avctx, "overlapping mask"); + return AVERROR_PATCHWELCOME; + } memcpy(pal + (1 << avctx->bits_per_coded_sample), pal, count * 4); for (i = 0; i < count; i++) pal[i] &= 0xFFFFFF; 
@@ -235,6 +239,16 @@ static int extract_header(AVCodecContext *const avctx, for (i = 0; i < 16; i++) s->tvdc[i] = bytestream_get_be16(&buf); + if (s->ham) { + if (s->bpp > 8) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u\n", s->ham); + return AVERROR_INVALIDDATA; + } if (s->ham != (s->bpp > 6 ? 6 : 4)) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u, BPP: %u\n", s->ham, s->bpp); + return AVERROR_INVALIDDATA; + } + } + if (s->masking == MASK_HAS_MASK) { if (s->bpp >= 8 && !s->ham) { avctx->pix_fmt = AV_PIX_FMT_RGB32; @@ -262,9 +276,6 @@ static int extract_header(AVCodecContext *const avctx, if (!s->bpp || s->bpp > 32) { av_log(avctx, AV_LOG_ERROR, "Invalid number of bitplanes: %u\n", s->bpp); return AVERROR_INVALIDDATA; - } else if (s->ham >= 8) { - av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u\n", s->ham); - return AVERROR_INVALIDDATA; } av_freep(&s->ham_buf); @@ -274,13 +285,17 @@ static int extract_header(AVCodecContext *const avctx, int i, count = FFMIN(palette_size / 3, 1 << s->ham); int ham_count; const uint8_t *const palette = avctx->extradata + AV_RB16(avctx->extradata); + int extra_space = 1; + + if (avctx->codec_tag == MKTAG('P', 'B', 'M', ' ') && s->ham == 4) + extra_space = 4; s->ham_buf = av_malloc((s->planesize * 8) + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->ham_buf) return AVERROR(ENOMEM); ham_count = 8 * (1 << s->ham); - s->ham_palbuf = av_malloc((ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE); + s->ham_palbuf = av_malloc(extra_space * (ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->ham_palbuf) { av_freep(&s->ham_buf); return AVERROR(ENOMEM); 
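Review bot: In extract_header the second HAM validation is written as `} if (s->ham != (s->bpp > 6 ? 6 : 4)) {` on the closing-brace line of the first, which reads like an else-if at a glance but is a separate statement. Put the `if` on its own line, or since both branches log and return AVERROR_INVALIDDATA, fold them into `if (s->bpp > 8 || s->ham != (s->bpp > 6 ? 6 : 4)) {` keeping the second, more informative message. extract_header's body continues outside the hunk.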
@@ -392,11 +407,12 @@ static av_cold int decode_init(AVCodecContext *avctx) */ static void decodeplane8(uint8_t *dst, const uint8_t *buf, int buf_size, int plane) { - const uint64_t *lut = plane8_lut[plane]; + const uint64_t *lut; if (plane >= 8) { av_log(NULL, AV_LOG_WARNING, "Ignoring extra planes beyond 8\n"); return; } + lut = plane8_lut[plane]; do { uint64_t v = AV_RN64A(dst) | lut[*buf++]; AV_WN64A(dst, v); @@ -574,13 +590,15 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in { const uint8_t *src_end = src + src_size; int x = 0, y = 0, i; - while (src + 5 <= src_end) { + while (src_end - src >= 5) { int opcode; opcode = *(int8_t *)src++; if (opcode >= 0) { int size = opcode + 1; for (i = 0; i < size; i++) { - int length = FFMIN(size - i, width); + int length = FFMIN(size - i, width - x); + if (src_end - src < length * 4) + return; memcpy(dst + y*linesize + x * 4, src, length * 4); src += length * 4; x += length; @@ -686,7 +704,7 @@ static int decode_frame(AVCodecContext *avctx, desc = av_pix_fmt_desc_get(avctx->pix_fmt); - if (!s->init && avctx->bits_per_coded_sample <= 8 && + if (!s->init && avctx->bits_per_coded_sample <= 8 - (s->masking == MASK_HAS_MASK) && avctx->pix_fmt == AV_PIX_FMT_PAL8) { if ((res = cmap_read_palette(avctx, (uint32_t *)s->frame->data[1])) < 0) return res; diff --git a/lib/ffmpeg/libavcodec/imgconvert.c b/lib/ffmpeg/libavcodec/imgconvert.c index 39cf58a2d..2402718b1 100644 --- a/lib/ffmpeg/libavcodec/imgconvert.c +++ b/lib/ffmpeg/libavcodec/imgconvert.c 
@@ -81,10 +81,15 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *p int i; enum AVPixelFormat best = AV_PIX_FMT_NONE; + int loss; - for(i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) - best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, loss_ptr); + for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) { + loss = loss_ptr ? *loss_ptr : 0; + best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, &loss); + } + if (loss_ptr) + *loss_ptr = loss; return best; } diff --git a/lib/ffmpeg/libavcodec/indeo2.c b/lib/ffmpeg/libavcodec/indeo2.c index ce8167b3a..4a9fb6055 100644 --- a/lib/ffmpeg/libavcodec/indeo2.c +++ b/lib/ffmpeg/libavcodec/indeo2.c @@ -78,10 +78,11 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (j = 1; j < height; j++) { out = 0; - if (get_bits_left(&ctx->gb) <= 0) - return AVERROR_INVALIDDATA; while (out < width) { - int c = ir2_get_code(&ctx->gb); + int c; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; + c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; if (out + c*2 > width) @@ -122,9 +123,9 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ for (j = 0; j < height; j++) { out = 0; - if (get_bits_left(&ctx->gb) <= 0) - return AVERROR_INVALIDDATA; while (out < width) { + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; diff --git a/lib/ffmpeg/libavcodec/indeo4.c b/lib/ffmpeg/libavcodec/indeo4.c index 1bf402551..b2d3cd5f4 100644 --- a/lib/ffmpeg/libavcodec/indeo4.c +++ b/lib/ffmpeg/libavcodec/indeo4.c 
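Review bot: In avcodec_find_best_pix_fmt_of_list the new `int loss;` is only assigned inside the loop, so when pix_fmt_list starts with AV_PIX_FMT_NONE the trailing `if (loss_ptr) *loss_ptr = loss;` stores an uninitialized value into the caller's variable. Initialize it at declaration, `int loss = loss_ptr ? *loss_ptr : 0;`, which leaves *loss_ptr unchanged for an empty list and keeps the per-iteration reset exactly as written.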
@@ -269,12 +269,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) * @param[in] avctx pointer to the AVCodecContext * @return result code: 0 = OK, negative number = error */ -static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, +static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band, AVCodecContext *avctx) { int plane, band_num, indx, transform_id, scan_indx; int i; int quant_mat; + IVIBandDesc temp_band, *band = &temp_band; + memcpy(&temp_band, arg_band, sizeof(temp_band)); plane = get_bits(&ctx->gb, 2); band_num = get_bits(&ctx->gb, 4); @@ -408,10 +410,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, /* decode block huffman codebook */ if (!get_bits1(&ctx->gb)) - band->blk_vlc.tab = ctx->blk_vlc.tab; + arg_band->blk_vlc.tab = ctx->blk_vlc.tab; else if (ff_ivi_dec_huff_desc(&ctx->gb, 1, IVI_BLK_HUFF, - &band->blk_vlc, avctx)) + &arg_band->blk_vlc, avctx)) return AVERROR_INVALIDDATA; /* select appropriate rvmap table for this band */ @@ -452,6 +454,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, return AVERROR_INVALIDDATA; } + band->blk_vlc = arg_band->blk_vlc; + memcpy(arg_band, band, sizeof(*arg_band)); + return 0; } @@ -500,6 +505,11 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, mb->b_mv_x = mb->b_mv_y = 0; + if (get_bits_left(&ctx->gb) < 1) { + av_log(avctx, AV_LOG_ERROR, "Insufficient input for mb info\n"); + return AVERROR_INVALIDDATA; + } + if (get_bits1(&ctx->gb)) { if (ctx->frame_type == IVI4_FRAMETYPE_INTRA) { av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA picture!\n"); diff --git a/lib/ffmpeg/libavcodec/ituh263dec.c b/lib/ffmpeg/libavcodec/ituh263dec.c index 2d83bf3d3..e3e3010c4 100644 --- a/lib/ffmpeg/libavcodec/ituh263dec.c +++ b/lib/ffmpeg/libavcodec/ituh263dec.c 
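Review bot: decode_band_hdr copies the band in and out with `memcpy(&temp_band, arg_band, sizeof(temp_band));` and `memcpy(arg_band, band, sizeof(*arg_band));`; plain struct assignment, `temp_band = *arg_band;` and `*arg_band = temp_band;`, says the same with type checking and no size argument to keep in sync. The `IVIBandDesc temp_band, *band = &temp_band;` line also deserves a comment saying that the header is parsed into a scratch copy so a failed parse appears to leave *arg_band untouched, with `blk_vlc` being the one field written to arg_band directly because ff_ivi_dec_huff_desc fills it in place. The function's body continues outside the hunk.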
@@ -1089,6 +1089,11 @@ int ff_h263_decode_picture_header(MpegEncContext *s) if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0) return ret; + if (!(s->avctx->flags2 & AV_CODEC_FLAG2_CHUNKS)) { + if ((s->width * s->height / 256 / 8) > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; + } + s->mb_width = (s->width + 15) / 16; s->mb_height = (s->height + 15) / 16; s->mb_num = s->mb_width * s->mb_height; diff --git a/lib/ffmpeg/libavcodec/ivi.c b/lib/ffmpeg/libavcodec/ivi.c index eab42bb53..eaaef78a3 100644 --- a/lib/ffmpeg/libavcodec/ivi.c +++ b/lib/ffmpeg/libavcodec/ivi.c @@ -428,6 +428,10 @@ av_cold int ff_ivi_init_tiles(IVIPlaneDesc *planes, t_height = !p ? tile_height : (tile_height + 3) >> 2; if (!p && planes[0].num_bands == 4) { + if (t_width % 2 || t_height % 2) { + avpriv_request_sample(NULL, "Odd tiles"); + return AVERROR_PATCHWELCOME; + } t_width >>= 1; t_height >>= 1; } @@ -487,12 +491,6 @@ static int ivi_dec_tile_data_size(GetBitContext *gb) static int ivi_dc_transform(IVIBandDesc *band, int *prev_dc, int buf_offs, int blk_size) { - int buf_size = band->pitch * band->aheight - buf_offs; - int min_size = (blk_size - 1) * band->pitch + blk_size; - - if (min_size > buf_size) - return AVERROR_INVALIDDATA; - band->dc_transform(prev_dc, band->buf + buf_offs, band->pitch, blk_size); @@ -723,6 +721,11 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, if (ret < 0) return ret; } else { + int buf_size = band->pitch * band->aheight - buf_offs; + int min_size = (blk_size - 1) * band->pitch + blk_size; + + if (min_size > buf_size) + return AVERROR_INVALIDDATA; /* block not coded */ /* for intra blocks apply the dc slant transform */ /* for inter - perform the motion compensation without delta */ 
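Review bot: The new size heuristic in ff_h263_decode_picture_header, `if ((s->width * s->height / 256 / 8) > get_bits_left(&s->gb))`, gives no rationale for its constants; a comment such as `/* reject headers whose declared size the remaining data cannot cover: require at least 1/8 bit per 16x16 macroblock; CHUNKS mode is exempt since the frame may arrive split */` would record it (the CHUNKS reasoning is my inference, confirm). width*height is already bounded by av_image_check_size on the preceding lines, so the int product cannot overflow here.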
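Review bot: The buffer-size check removed from ivi_dc_transform is re-added only on the "block not coded" path in ivi_decode_blocks, so the coded branch above `} else {` (which calls into code outside the hunk) now depends on having its own equivalent `min_size > buf_size` guard; if the helper it calls does not check, the relocation silently drops protection the old placement gave to both paths. Worth confirming, and a comment on the moved check, `/* the coded path validates the block against the buffer in its own helper */`, would document the dependency. ivi_decode_blocks begins and ends outside the hunk.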
@@ -1168,6 +1171,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket pkt; pkt.data = avpkt->data + (get_bits_count(&ctx->gb) >> 3); pkt.size = get_bits_left(&ctx->gb) >> 3; + ctx->got_p_frame = 0; + av_frame_unref(ctx->p_frame); ff_ivi_decode_frame(avctx, ctx->p_frame, &ctx->got_p_frame, &pkt); } } diff --git a/lib/ffmpeg/libavcodec/jpeg2000dec.c b/lib/ffmpeg/libavcodec/jpeg2000dec.c index 9c2aae6d7..23b1d3cd3 100644 --- a/lib/ffmpeg/libavcodec/jpeg2000dec.c +++ b/lib/ffmpeg/libavcodec/jpeg2000dec.c @@ -339,7 +339,10 @@ static int get_siz(Jpeg2000DecoderContext *s) s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width); s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, s->tile_height); - if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) { + // There must be at least a SOT and SOD per tile, their minimum size is 14 + if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile) || + s->numXtiles * s->numYtiles * 14LL > bytestream2_size(&s->g) + ) { s->numXtiles = s->numYtiles = 0; return AVERROR(EINVAL); } @@ -1124,6 +1127,9 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 step_x = 32; step_y = 32; + if (RSpoc >= FFMIN(codsty->nreslevels, REpoc)) + continue; + for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) { uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; 
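Review bot: In get_siz the new condition `s->numXtiles * s->numYtiles * 14LL > bytestream2_size(&s->g)` multiplies numXtiles by numYtiles in int before the 14LL widens the result, so it is only overflow-free because the preceding `s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)` clause short-circuits first. Writing it as `14LL * s->numXtiles * s->numYtiles > bytestream2_size(&s->g)` makes the check safe on its own rather than dependent on clause order. get_siz's body continues outside the hunk.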
@@ -1143,10 +1149,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 int xc = x / s->cdx[compno]; int yc = y / s->cdy[compno]; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists @@ -1213,10 +1219,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 if (reslevelno >= codsty->nreslevels) continue; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists 
@@ -1280,10 +1286,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists @@ -2000,6 +2006,8 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom_size >= 16) { uint32_t atom2_size, atom2, atom2_end; do { + if (bytestream2_get_bytes_left(&s->g) < 8) + break; atom2_size = bytestream2_get_be32u(&s->g); atom2 = bytestream2_get_be32u(&s->g); atom2_end = bytestream2_tell(&s->g) + atom2_size - 8; diff --git a/lib/ffmpeg/libavcodec/jpeg2000dwt.c b/lib/ffmpeg/libavcodec/jpeg2000dwt.c index 38a578af3..25440adc9 100644 --- a/lib/ffmpeg/libavcodec/jpeg2000dwt.c +++ b/lib/ffmpeg/libavcodec/jpeg2000dwt.c @@ -305,22 +305,22 @@ static void dwt_encode97_int(DWTContext *s, int *t) t[i] = (t[i] + ((1<>1)) >> I_PRESHIFT; } -static void sr_1d53(int *p, int i0, int i1) +static void sr_1d53(unsigned *p, int i0, int i1) { int i; if (i1 <= i0 + 1) { if (i0 == 1) - p[1] >>= 1; + p[1] = (int)p[1] >> 1; return; } extend53(p, i0, i1); for (i = (i0 >> 1); i < (i1 >> 1) + 1; i++) - p[2 * i] -= (p[2 * i - 1] + p[2 * i + 1] + 2) >> 2; + p[2 * i] -= (int)(p[2 * i - 1] + p[2 * i + 1] + 2) >> 2; for (i = (i0 >> 1); i < (i1 >> 1); i++) - p[2 * i + 1] += (p[2 * i] + p[2 * i + 2]) >> 1; + p[2 * i + 1] += (int)(p[2 * i] + p[2 * i + 2]) >> 1; } static void dwt_decode53(DWTContext *s, int *t) 
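Review bot: `sr_1d53` now takes `unsigned *p` but still passes `p` to `extend53(p, i0, i1)`, whose declaration is not in this hunk; if it still takes `int *`, this is an incompatible-pointer-type diagnostic (an error in C++ and in recent C compilers), so the helper and the call site in `dwt_decode53` should be converted in the same change. The `(int)` casts before `>>` rely on an arithmetic right shift of negative values; a comment at the first one, `/* lifting is done in unsigned to avoid overflow UB; the (int) cast restores the arithmetic shift */`, would record why the casts are there.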
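Review bot: The new `bytestream2_get_bytes_left(&s->g) < 8` check covers the two unchecked `_u` reads that follow, but `atom2_end = bytestream2_tell(&s->g) + atom2_size - 8` still uses the untrusted `atom2_size` unvalidated, so a value below 8 or close to UINT32_MAX wraps `atom2_end`. Unless the loop body below (outside the hunk) tolerates a wrapped end, add `if (atom2_size < 8) break;` right after the two reads. The `do { ... }` loop ends outside the hunk.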
@@ -531,7 +531,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) } for (i = 0; i < w * h; i++) - data[i] = (data[i] + ((1<>1)) >> I_PRESHIFT; + data[i] = (data[i] + ((1LL<>1)) >> I_PRESHIFT; } int ff_jpeg2000_dwt_init(DWTContext *s, int border[2][2], diff --git a/lib/ffmpeg/libavcodec/jpegls.h b/lib/ffmpeg/libavcodec/jpegls.h index c8997c786..060ded9df 100644 --- a/lib/ffmpeg/libavcodec/jpegls.h +++ b/lib/ffmpeg/libavcodec/jpegls.h @@ -97,7 +97,7 @@ static inline void ff_jpegls_downscale_state(JLSState *state, int Q) static inline int ff_jpegls_update_state_regular(JLSState *state, int Q, int err) { - if(FFABS(err) > 0xFFFF) + if(FFABS(err) > 0xFFFF || FFABS(err) > INT_MAX - state->A[Q]) return -0x10000; state->A[Q] += FFABS(err); err *= state->twonear; diff --git a/lib/ffmpeg/libavcodec/jpeglsdec.c b/lib/ffmpeg/libavcodec/jpeglsdec.c index 5e0a3d297..176300cd2 100644 --- a/lib/ffmpeg/libavcodec/jpeglsdec.c +++ b/lib/ffmpeg/libavcodec/jpeglsdec.c @@ -122,7 +122,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->avctx->pix_fmt = AV_PIX_FMT_PAL8; for (i=s->palette_index; i<=maxtab; i++) { uint8_t k = i << shift; - pal[k] = 0; + pal[k] = wt < 4 ? 0xFF000000 : 0; for (j=0; jgb, 8) << (8*(wt-j-1)); } @@ -149,7 +149,7 @@ static inline int ls_get_code_regular(GetBitContext *gb, JLSState *state, int Q) { int k, ret; - for (k = 0; (state->N[Q] << k) < state->A[Q]; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < state->A[Q]; k++) ; #ifdef JLS_BROKEN diff --git a/lib/ffmpeg/libavcodec/jvdec.c b/lib/ffmpeg/libavcodec/jvdec.c index cbe83d3c1..b06e7cf2b 100644 --- a/lib/ffmpeg/libavcodec/jvdec.c +++ b/lib/ffmpeg/libavcodec/jvdec.c 
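Review bot: The new guard `FFABS(err) > INT_MAX - state->A[Q]` expands the `FFABS` macro a third time in this function and evaluates `err` repeatedly; computing `const int aerr = FFABS(err);` once and using it in both tests and in `state->A[Q] += aerr;` is clearer and avoids the repeated expansion. The guard also assumes `A[Q]` is a non-negative `int`; if it is unsigned or can go negative the subtraction does not mean what it looks like, which is worth confirming against the `JLSState` definition, which is outside the hunk.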
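Review bot: `pal[k] = wt < 4 ? 0xFF000000 : 0;` introduces a magic value whose purpose is only clear if you know the palette layout: it appears to pre-fill the alpha byte as opaque when the table carries fewer than four components. A short comment on that line, `/* no alpha in the table (wt < 4): default the entry to opaque */`, would make it self-explanatory; the loop that fills the remaining bytes follows in the hunk.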
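Review bot: The loop `for (k = 0; ((unsigned)state->N[Q] << k) < state->A[Q]; k++)` terminates before `k` reaches 32 only if `N[Q]` is at least 1 (the shifted value then reaches 2^31 at k=31 and exceeds any int-range `A[Q]`); if `N[Q]` could be 0 the loop shifts by 32 and beyond, which is undefined. I cannot see where `N[Q]` is reset, so this is an assumption worth stating: `/* N[Q] >= 1 is guaranteed by the reset logic, so k stays below 32 — confirm */`. Note also that if `A[Q]` is a signed int the comparison promotes it to unsigned.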
@@ -163,13 +163,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size); return AVERROR_INVALIDDATA; } - if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) - return ret; if (video_type == 0 || video_type == 1) { GetBitContext gb; init_get_bits(&gb, buf, 8 * video_size); + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) + return ret; + + if (avctx->height/8 * (avctx->width/8) > 4 * video_size) { + av_log(avctx, AV_LOG_ERROR, "Insufficient input data for dimensions\n"); + return AVERROR_INVALIDDATA; + } + for (j = 0; j < avctx->height; j += 8) for (i = 0; i < avctx->width; i += 8) decode8x8(&gb, @@ -179,6 +185,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, buf += video_size; } else if (video_type == 2) { int v = *buf++; + + av_frame_unref(s->frame); + if ((ret = ff_get_buffer(avctx, s->frame, AV_GET_BUFFER_FLAG_REF)) < 0) + return ret; + for (j = 0; j < avctx->height; j++) memset(s->frame->data[0] + j * s->frame->linesize[0], v, avctx->width); diff --git a/lib/ffmpeg/libavcodec/lagarith.c b/lib/ffmpeg/libavcodec/lagarith.c index ea069b3d0..b0914dc1b 100644 --- a/lib/ffmpeg/libavcodec/lagarith.c +++ b/lib/ffmpeg/libavcodec/lagarith.c @@ -222,6 +222,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } } + if (scale_factor > 23) + return AVERROR_INVALIDDATA; + rac->scale = scale_factor; /* Fill probability array with cumulative probability for each symbol. */ diff --git a/lib/ffmpeg/libavcodec/libopusdec.c b/lib/ffmpeg/libavcodec/libopusdec.c index 7a198c46a..4b8167d39 100644 --- a/lib/ffmpeg/libavcodec/libopusdec.c +++ b/lib/ffmpeg/libavcodec/libopusdec.c 
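Review bot: The bound `avctx->height/8 * (avctx->width/8) > 4 * video_size` encodes a minimum input cost per 8x8 block (presumably two bits) without saying so; a comment such as `/* every 8x8 block consumes at least 2 bits, so more than 4 blocks per input byte cannot be decoded */` would make the constant reviewable. `4 * video_size` is evaluated as `int`, which is fine only because of the earlier `video size %d invalid` rejection, so the comment should mention that dependency. Moving `ff_reget_buffer` into the type 0/1 branch means other `video_type` values no longer touch the frame; the tail of `decode_frame` that handles them is outside the hunk.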
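Review bot: `if (scale_factor > 23) return AVERROR_INVALIDDATA;` rejects an input-derived value with an unexplained constant; since `scale_factor` is stored in `rac->scale` and presumably feeds a shift in the probability setup, the limit should be documented at the check, e.g. `/* rac->scale is used as a shift count below; larger values overflow the 32-bit probability arithmetic — TODO confirm exact bound */`. The loop that accumulates `scale_factor` ends just before the hunk, so whether it is also used inside that loop is not visible here.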
@@ -125,7 +125,10 @@ static av_cold int libopus_decode_close(AVCodecContext *avc) { struct libopus_context *opus = avc->priv_data; - opus_multistream_decoder_destroy(opus->dec); + if (opus->dec) { + opus_multistream_decoder_destroy(opus->dec); + opus->dec = NULL; + } return 0; } @@ -199,6 +202,7 @@ AVCodec ff_libopus_decoder = { .decode = libopus_decode, .flush = libopus_flush, .capabilities = AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_FLT, AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, diff --git a/lib/ffmpeg/libavcodec/libopusenc.c b/lib/ffmpeg/libavcodec/libopusenc.c index a170b711c..ec3acb5f9 100644 --- a/lib/ffmpeg/libavcodec/libopusenc.c +++ b/lib/ffmpeg/libavcodec/libopusenc.c @@ -362,7 +362,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, // Check if subtraction resulted in an overflow if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) { av_free_packet(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if (discard_padding > 0) { @@ -371,7 +370,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_free_packet(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } AV_WL32(side_data + 4, discard_padding); diff --git a/lib/ffmpeg/libavcodec/libvorbisdec.c b/lib/ffmpeg/libavcodec/libvorbisdec.c index 2b22e057e..97ad31b42 100644 --- a/lib/ffmpeg/libavcodec/libvorbisdec.c +++ b/lib/ffmpeg/libavcodec/libvorbisdec.c 
@@ -47,29 +47,40 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) { vorbis_comment_init(&context->vc) ; if(p[0] == 0 && p[1] == 30) { + int sizesum = 0; for(i = 0; i < 3; i++){ hsizes[i] = bytestream_get_be16((const uint8_t **)&p); + sizesum += 2 + hsizes[i]; + if (sizesum > avccontext->extradata_size) { + av_log(avccontext, AV_LOG_ERROR, "vorbis extradata too small\n"); + ret = AVERROR_INVALIDDATA; + goto error; + } + headers[i] = p; p += hsizes[i]; } } else if(*p == 2) { unsigned int offset = 1; + unsigned int sizesum = 1; p++; for(i=0; i<2; i++) { hsizes[i] = 0; - while((*p == 0xFF) && (offset < avccontext->extradata_size)) { + while((*p == 0xFF) && (sizesum < avccontext->extradata_size)) { hsizes[i] += 0xFF; offset++; + sizesum += 1 + 0xFF; p++; } - if(offset >= avccontext->extradata_size - 1) { + hsizes[i] += *p; + offset++; + sizesum += 1 + *p; + if(sizesum > avccontext->extradata_size) { av_log(avccontext, AV_LOG_ERROR, "vorbis header sizes damaged\n"); ret = AVERROR_INVALIDDATA; goto error; } - hsizes[i] += *p; - offset++; p++; } hsizes[2] = avccontext->extradata_size - hsizes[0]-hsizes[1]-offset; diff --git a/lib/ffmpeg/libavcodec/libvpxenc.c b/lib/ffmpeg/libavcodec/libvpxenc.c index 992122c98..ccd2141e7 100644 --- a/lib/ffmpeg/libavcodec/libvpxenc.c +++ b/lib/ffmpeg/libavcodec/libvpxenc.c @@ -734,7 +734,6 @@ FF_ENABLE_DEPRECATION_WARNINGS cx_frame->sz_alpha + 8); if(!side_data) { av_free_packet(pkt); - av_free(pkt); return AVERROR(ENOMEM); } AV_WB64(side_data, 1); diff --git a/lib/ffmpeg/libavcodec/libwebpenc_animencoder.c b/lib/ffmpeg/libavcodec/libwebpenc_animencoder.c index 61ecae8a8..91bf64ca8 100644 --- a/lib/ffmpeg/libavcodec/libwebpenc_animencoder.c +++ b/lib/ffmpeg/libavcodec/libwebpenc_animencoder.c 
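Review bot: In the loop condition `while((*p == 0xFF) && (sizesum < avccontext->extradata_size))` the byte is dereferenced before the bound is checked, so the last iteration still reads one byte past `extradata_size` before rejecting; swapping the operands, `while ((sizesum < avccontext->extradata_size) && (*p == 0xFF)) {`, makes the bound check guard the read. The same ordering issue exists in the first branch, where `bytestream_get_be16` reads the two size bytes before `sizesum` is compared, so a truncated header can be read two bytes past the end before the `vorbis extradata too small` error fires. Both are harmless only if extradata is padded, which is an assumption the code should state in a comment.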
@@ -41,7 +41,7 @@ static av_cold int libwebp_anim_encode_init(AVCodecContext *avctx) int ret = ff_libwebp_encode_init_common(avctx); if (!ret) { LibWebPAnimContext *s = avctx->priv_data; - WebPAnimEncoderOptions enc_options = { 0 }; + WebPAnimEncoderOptions enc_options = { { 0 } }; WebPAnimEncoderOptionsInit(&enc_options); enc_options.verbose = av_log_get_level() >= AV_LOG_VERBOSE; // TODO(urvang): Expose some options on command-line perhaps. diff --git a/lib/ffmpeg/libavcodec/loco.c b/lib/ffmpeg/libavcodec/loco.c index 9d0f14445..f9655c0bf 100644 --- a/lib/ffmpeg/libavcodec/loco.c +++ b/lib/ffmpeg/libavcodec/loco.c @@ -82,7 +82,7 @@ static inline void loco_update_rice_param(RICEContext *r, int val) static inline int loco_get_rice(RICEContext *r) { - int v; + unsigned v; if (r->run > 0) { /* we have zero run */ r->run--; loco_update_rice_param(r, 0); @@ -129,7 +129,7 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh int stride, const uint8_t *buf, int buf_size, int step) { RICEContext rc; - int val; + unsigned val; int ret; int i, j; @@ -159,6 +159,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh for (j = 1; j < height; j++) { /* restore left column */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = data[-stride] + val; /* restore all other pixels */ for (i = 1; i < width; i++) { @@ -293,6 +295,11 @@ static av_cold int decode_init(AVCodecContext *avctx) avpriv_request_sample(avctx, "LOCO codec version %i", version); } + if (l->lossy > 65536U) { + av_log(avctx, AV_LOG_ERROR, "lossy %i is too large\n", l->lossy); + return AVERROR_INVALIDDATA; + } + l->mode = AV_RL32(avctx->extradata + 4); switch (l->mode) { case LOCO_CYUY2: diff --git a/lib/ffmpeg/libavcodec/lossless_audiodsp.c b/lib/ffmpeg/libavcodec/lossless_audiodsp.c index 32f4c9e85..74838415f 100644 --- a/lib/ffmpeg/libavcodec/lossless_audiodsp.c +++ b/lib/ffmpeg/libavcodec/lossless_audiodsp.c 
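Review bot: `if (val == INT_MIN)` compares an `unsigned val` with a signed sentinel; it works through the usual arithmetic conversion, but it reads like a type mismatch and will trip sign-compare warnings. Since the sentinel comes from `loco_get_rice`, whose local is now also `unsigned`, either compare with an explicit `(unsigned)INT_MIN` or add `/* loco_get_rice() returns INT_MIN for an invalid code */` at the check. Only the left-column read in the `for (j = 1; ...)` loop is checked in this hunk; the per-pixel reads in the inner loop are outside it.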
@@ -27,7 +27,7 @@ static int32_t scalarproduct_and_madd_int16_c(int16_t *v1, const int16_t *v2, const int16_t *v3, int order, int mul) { - int res = 0; + unsigned res = 0; while (order--) { res += *v1 * *v2++; diff --git a/lib/ffmpeg/libavcodec/lpc.c b/lib/ffmpeg/libavcodec/lpc.c index 5cda7797e..aaeb48079 100644 --- a/lib/ffmpeg/libavcodec/lpc.c +++ b/lib/ffmpeg/libavcodec/lpc.c @@ -184,7 +184,7 @@ double ff_lpc_calc_ref_coefs_f(LPCContext *s, const float *samples, int len, compute_ref_coefs(autoc, order, ref, error); for (i = 0; i < order; i++) avg_err = (avg_err + error[i])/2.0f; - return signal/avg_err; + return avg_err ? signal/avg_err : NAN; } /** diff --git a/lib/ffmpeg/libavcodec/lpc.h b/lib/ffmpeg/libavcodec/lpc.h index 7e0ee3e17..224276ffb 100644 --- a/lib/ffmpeg/libavcodec/lpc.h +++ b/lib/ffmpeg/libavcodec/lpc.h @@ -140,7 +140,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order, gen0[i] = gen1[i] = autoc[i + 1]; err = autoc[0]; - ref[0] = -gen1[0] / err; + ref[0] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[0]; if (error) error[0] = err; @@ -149,7 +149,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order, gen1[j] = gen1[j + 1] + ref[i - 1] * gen0[j]; gen0[j] = gen1[j + 1] * ref[i - 1] + gen0[j]; } - ref[i] = -gen1[0] / err; + ref[i] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[i]; if (error) error[i] = err; @@ -183,7 +183,8 @@ static inline int AAC_RENAME(compute_lpc_coefs)(const LPC_TYPE *autoc, int max_o for(j=0; j (3.22) + f[1] = -lsp[0] * 256; // *2 and (0.15) -> (3.22) for(i=2; i<=lp_half_order; i++) { @@ -116,7 +116,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order) for(j=i; j>1; j--) f[j] -= MULL(f[j-1], lsp[2*i-2], FRAC_BITS) - f[j-2]; - f[1] -= lsp[2*i-2] << 8; + f[1] -= lsp[2*i-2] * 256; } } diff --git a/lib/ffmpeg/libavcodec/mips/hevc_lpf_sao_msa.c b/lib/ffmpeg/libavcodec/mips/hevc_lpf_sao_msa.c index da1db51ef..e1bfaa073 100644 
--- a/lib/ffmpeg/libavcodec/mips/hevc_lpf_sao_msa.c +++ b/lib/ffmpeg/libavcodec/mips/hevc_lpf_sao_msa.c @@ -1970,7 +1970,7 @@ void ff_hevc_sao_edge_filter_8_msa(uint8_t *dst, uint8_t *src, int16_t *sao_offset_val, int eo, int width, int height) { - ptrdiff_t stride_src = (2 * 64 + 32) / sizeof(uint8_t); + ptrdiff_t stride_src = (2 * MAX_PB_SIZE + AV_INPUT_BUFFER_PADDING_SIZE) / sizeof(uint8_t); switch (eo) { case 0: diff --git a/lib/ffmpeg/libavcodec/mjpegbdec.c b/lib/ffmpeg/libavcodec/mjpegbdec.c index a858707d5..8583fcb4f 100644 --- a/lib/ffmpeg/libavcodec/mjpegbdec.c +++ b/lib/ffmpeg/libavcodec/mjpegbdec.c @@ -70,8 +70,7 @@ static int mjpegb_decode_frame(AVCodecContext *avctx, skip_bits(&hgb, 32); /* reserved zeros */ - if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g')) - { + if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g')) { av_log(avctx, AV_LOG_WARNING, "not mjpeg-b (bad fourcc)\n"); return AVERROR_INVALIDDATA; } @@ -85,19 +84,17 @@ static int mjpegb_decode_frame(AVCodecContext *avctx, dqt_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "dqt is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "dqt offs: 0x%"PRIx32"\n", dqt_offs); - if (dqt_offs) - { + if (dqt_offs) { init_get_bits(&s->gb, buf_ptr+dqt_offs, (buf_end - (buf_ptr+dqt_offs))*8); s->start_code = DQT; if (ff_mjpeg_decode_dqt(s) < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return AVERROR_INVALIDDATA; + return AVERROR_INVALIDDATA; } dht_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "dht is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "dht offs: 0x%"PRIx32"\n", dht_offs); - if (dht_offs) - { + if (dht_offs) { init_get_bits(&s->gb, buf_ptr+dht_offs, (buf_end - (buf_ptr+dht_offs))*8); s->start_code = DHT; ff_mjpeg_decode_dht(s); 
@@ -105,8 +102,7 @@ static int mjpegb_decode_frame(AVCodecContext *avctx, sof_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "sof is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "sof offs: 0x%"PRIx32"\n", sof_offs); - if (sof_offs) - { + if (sof_offs) { init_get_bits(&s->gb, buf_ptr+sof_offs, (buf_end - (buf_ptr+sof_offs))*8); s->start_code = SOF0; if (ff_mjpeg_decode_sof(s) < 0) @@ -117,25 +113,23 @@ static int mjpegb_decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_DEBUG, "sos offs: 0x%"PRIx32"\n", sos_offs); sod_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "sof is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%"PRIx32"\n", sod_offs); - if (sos_offs) - { + if (sos_offs) { init_get_bits(&s->gb, buf_ptr + sos_offs, 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16)); s->start_code = SOS; if (ff_mjpeg_decode_sos(s, NULL, 0, NULL) < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return AVERROR_INVALIDDATA; + return AVERROR_INVALIDDATA; } if (s->interlaced) { s->bottom_field ^= 1; /* if not bottom field, do not output image yet */ - if (s->bottom_field != s->interlace_polarity && second_field_offs) - { + if (s->bottom_field != s->interlace_polarity && second_field_offs) { buf_ptr = buf + second_field_offs; goto read_header; - } + } } //XXX FIXME factorize, this looks very similar to the EOI code diff --git a/lib/ffmpeg/libavcodec/mjpegdec.c b/lib/ffmpeg/libavcodec/mjpegdec.c index befbb0a25..7e118900c 100644 --- a/lib/ffmpeg/libavcodec/mjpegdec.c +++ b/lib/ffmpeg/libavcodec/mjpegdec.c 
@@ -306,6 +306,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height); if (av_image_check_size(width, height, 0, s->avctx)) return AVERROR_INVALIDDATA; + if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL) + return AVERROR_INVALIDDATA; nb_components = get_bits(&s->gb, 8); if (nb_components <= 0 || @@ -592,6 +594,10 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) av_log(s->avctx, AV_LOG_ERROR, "lowres not supported for weird subsampling\n"); return AVERROR_PATCHWELCOME; } + if ((AV_RB32(s->upscale_h) || AV_RB32(s->upscale_v)) && s->progressive && s->avctx->pix_fmt == AV_PIX_FMT_GBRP) { + avpriv_report_missing_feature(s->avctx, "progressive for weird subsampling"); + return AVERROR_PATCHWELCOME; + } if (s->ls) { memset(s->upscale_h, 0, sizeof(s->upscale_h)); memset(s->upscale_v, 0, sizeof(s->upscale_v)); @@ -633,7 +639,9 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) } if ((s->rgb && !s->lossless && !s->ls) || - (!s->rgb && s->ls && s->nb_components > 1)) { + (!s->rgb && s->ls && s->nb_components > 1) || + (s->avctx->pix_fmt == AV_PIX_FMT_PAL8 && !s->ls) + ) { av_log(s->avctx, AV_LOG_ERROR, "Unsupported coding and pixel format combination\n"); return AVERROR_PATCHWELCOME; } @@ -977,6 +985,11 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p for (mb_x = 0; mb_x < s->mb_width; mb_x++) { int modified_predictor = predictor; + if (get_bits_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream end in rgb_scan\n"); + return AVERROR_INVALIDDATA; + } + if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; 
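Review bot: The plausibility test `(width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL` introduces a ratio with no explanation; the left side is the 8x8 block count, so the intent seems to be that a block costs at least two bits, and a comment saying so would help: `/* each 8x8 block needs at least 2 bits of input; more than 4 blocks per byte cannot be a real frame */`. The `s->buf_size &&` prefix makes the check a no-op when the size was never set, which also deserves a word. The ljpeg_decode_rgb_scan hunk in the same file adds a per-macroblock `get_bits_left` check that is the precise form of this bound.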
@@ -1000,7 +1013,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return -1; left[i] = buffer[mb_x][i] = - mask & (pred + (dc * (1 << point_transform))); + mask & (pred + (unsigned)(dc * (1 << point_transform))); } if (s->restart_interval && !--s->restart_count) { @@ -1114,25 +1127,25 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, || v * mb_y + y >= s->height) { // Nothing to do } else if (bits<=8) { - ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap - if(y==0 && toprow){ - if(x==0 && leftcol){ - pred= 1 << (bits - 1); - }else{ - pred= ptr[-1]; - } - }else{ - if(x==0 && leftcol){ - pred= ptr[-linesize]; + ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap + if(y==0 && toprow){ + if(x==0 && leftcol){ + pred= 1 << (bits - 1); + }else{ + pred= ptr[-1]; + } }else{ - PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); + if(x==0 && leftcol){ + pred= ptr[-linesize]; + }else{ + PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); + } } - } - if (s->interlaced && s->bottom_field) - ptr += linesize >> 1; - pred &= mask; - *ptr= pred + ((unsigned)dc << point_transform); + if (s->interlaced && s->bottom_field) + ptr += linesize >> 1; + pred &= mask; + *ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ @@ -1407,6 +1420,9 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, else ret = decode_block_progressive(s, *block, last_nnz, s->ac_index[0], quant_matrix, ss, se, Al, &EOBRUN); + + if (ret >= 0 && get_bits_left(&s->gb) < 0) + ret = AVERROR_INVALIDDATA; if (ret < 0) { av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x); 
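Review bot: In `mask & (pred + (unsigned)(dc * (1 << point_transform)))` the cast is applied after the signed multiplication, so if `dc` can approach 16 bits and `point_transform` is large the product still overflows `int` before it is widened; the yuv path later in this same hunk uses `((unsigned)dc << point_transform)`, which is the form that actually avoids the overflow. I would write `mask & (pred + ((unsigned)dc << point_transform))` here for consistency. The range of `dc` is not visible in the hunk, so this is an assumption to confirm.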
@@ -2044,6 +2060,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int ret = 0; int is16bit; + s->buf_size = buf_size; + av_dict_free(&s->exif_metadata); av_freep(&s->stereo3d); s->adobe_transform = -1; diff --git a/lib/ffmpeg/libavcodec/mjpegdec.h b/lib/ffmpeg/libavcodec/mjpegdec.h index fb811294a..6781c7c03 100644 --- a/lib/ffmpeg/libavcodec/mjpegdec.h +++ b/lib/ffmpeg/libavcodec/mjpegdec.h @@ -45,6 +45,7 @@ typedef struct MJpegDecodeContext { AVClass *class; AVCodecContext *avctx; GetBitContext gb; + int buf_size; int start_code; /* current start code */ int buffer_size; diff --git a/lib/ffmpeg/libavcodec/mlpdec.c b/lib/ffmpeg/libavcodec/mlpdec.c index b339d1189..ad7afd919 100644 --- a/lib/ffmpeg/libavcodec/mlpdec.c +++ b/lib/ffmpeg/libavcodec/mlpdec.c @@ -474,7 +474,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, uint8_t checksum; uint8_t lossless_check; int start_count = get_bits_count(gbp); - int min_channel, max_channel, max_matrix_channel; + int min_channel, max_channel, max_matrix_channel, noise_type; const int std_max_matrix_channel = m->avctx->codec_id == AV_CODEC_ID_MLP ? MAX_MATRIX_CHANNEL_MLP : MAX_MATRIX_CHANNEL_TRUEHD; @@ -487,9 +487,9 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, return AVERROR_INVALIDDATA; } - s->noise_type = get_bits1(gbp); + noise_type = get_bits1(gbp); - if (m->avctx->codec_id == AV_CODEC_ID_MLP && s->noise_type) { + if (m->avctx->codec_id == AV_CODEC_ID_MLP && noise_type) { av_log(m->avctx, AV_LOG_ERROR, "MLP must have 0x31ea sync word.\n"); return AVERROR_INVALIDDATA; } 
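Review bot: The new `int buf_size;` member sits directly next to the existing `int buffer_size;` in `MJpegDecodeContext` with no comment, and the two names differ by only three letters. Since the field is set from the packet size in `ff_mjpeg_decode_frame` and read by the plausibility check in `ff_mjpeg_decode_sof`, document that at the declaration: `int buf_size; /* size of the packet being decoded; set in ff_mjpeg_decode_frame, read by ff_mjpeg_decode_sof for plausibility checks */`.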
@@ -515,7 +515,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ - if (max_channel > MAX_MATRIX_CHANNEL_MLP && !s->noise_type) { + if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", @@ -532,6 +532,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, s->min_channel = min_channel; s->max_channel = max_channel; s->max_matrix_channel = max_matrix_channel; + s->noise_type = noise_type; #if FF_API_REQUEST_CHANNELS FF_DISABLE_DEPRECATION_WARNINGS @@ -1181,7 +1182,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, } if (length < header_size + substr_header_size) { - av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); + av_log(m->avctx, AV_LOG_ERROR, "Insufficient data for headers\n"); goto error; } diff --git a/lib/ffmpeg/libavcodec/mlpdsp.c b/lib/ffmpeg/libavcodec/mlpdsp.c index 32a4503b6..12bef3a72 100644 --- a/lib/ffmpeg/libavcodec/mlpdsp.c +++ b/lib/ffmpeg/libavcodec/mlpdsp.c @@ -79,7 +79,7 @@ void ff_mlp_rematrix_channel(int32_t *samples, if (matrix_noise_shift) { index &= access_unit_size_pow2 - 1; - accum += noise_buffer[index] << (matrix_noise_shift + 7); + accum += noise_buffer[index] * (1 << (matrix_noise_shift + 7)); index += index2; } diff --git a/lib/ffmpeg/libavcodec/motion_est_template.c b/lib/ffmpeg/libavcodec/motion_est_template.c index 25bab9ddf..fa7d2327c 100644 --- a/lib/ffmpeg/libavcodec/motion_est_template.c +++ b/lib/ffmpeg/libavcodec/motion_est_template.c @@ -156,8 +156,8 @@ static int no_sub_motion_search(MpegEncContext * s, int src_index, int ref_index, int size, int h) { - (*mx_ptr)<<=1; - (*my_ptr)<<=1; + (*mx_ptr) *= 2; + (*my_ptr) *= 2; return dmin; } 
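Review bot: `noise_buffer[index] * (1 << (matrix_noise_shift + 7))` removes the left shift of a possibly negative value, but `1 << (matrix_noise_shift + 7)` is itself undefined once `matrix_noise_shift + 7` reaches 31, and the product can overflow `int` if `noise_buffer` holds wide values. Whether `matrix_noise_shift` is bounded when the matrix header is parsed is not visible here; a comment like `/* matrix_noise_shift is bounded by the header parser, so the shift stays below 31 — TODO confirm */` would record the assumption.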
diff --git a/lib/ffmpeg/libavcodec/motionpixels.c b/lib/ffmpeg/libavcodec/motionpixels.c index a88b837b3..8750a4fa1 100644 --- a/lib/ffmpeg/libavcodec/motionpixels.c +++ b/lib/ffmpeg/libavcodec/motionpixels.c @@ -171,7 +171,7 @@ static int mp_read_codes_table(MotionPixelsContext *mp, GetBitContext *gb) return 0; } -static int mp_gradient(MotionPixelsContext *mp, int component, int v) +static av_always_inline int mp_gradient(MotionPixelsContext *mp, int component, int v) { int delta; @@ -196,11 +196,13 @@ static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const Yuv *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2] = color; } -static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) +static av_always_inline int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) { int i; i = (mp->codes_count == 1) ? 0 : get_vlc2(gb, mp->vlc.table, mp->max_codes_bits, 1); + if (i < 0) + return i; return mp->codes[i].delta; } diff --git a/lib/ffmpeg/libavcodec/movtextdec.c b/lib/ffmpeg/libavcodec/movtextdec.c index 2f3ef7d02..7d3dfae46 100644 --- a/lib/ffmpeg/libavcodec/movtextdec.c +++ b/lib/ffmpeg/libavcodec/movtextdec.c @@ -298,6 +298,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) m->s_temp->style_start = AV_RB16(tsmb); tsmb += 2; m->s_temp->style_end = AV_RB16(tsmb); + + if ( m->s_temp->style_end < m->s_temp->style_start + || (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) { + av_freep(&m->s_temp); + mov_text_cleanup(m); + return AVERROR(ENOMEM); + } + tsmb += 2; m->s_temp->style_fontID = AV_RB16(tsmb); tsmb += 2; diff --git a/lib/ffmpeg/libavcodec/mp3_header_decompress_bsf.c b/lib/ffmpeg/libavcodec/mp3_header_decompress_bsf.c index 95c0b5b76..cd0b1e12f 100644 --- a/lib/ffmpeg/libavcodec/mp3_header_decompress_bsf.c +++ b/lib/ffmpeg/libavcodec/mp3_header_decompress_bsf.c 
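Review bot: `mp_get_vlc` now returns the negative value from `get_vlc2` instead of indexing `mp->codes` with it, which silently changes its contract: every caller must check for a negative return before using the delta. Those callers are outside the hunk, so I cannot confirm they do; a doc line on the function, `/* returns the decoded delta, or a negative value on an invalid VLC code */`, would make the new contract explicit.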
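Review bot: The new range check in `decode_styl` rejects inverted or overlapping style records, which is a malformed-input condition, yet it returns `AVERROR(ENOMEM)`; that misreports a bad packet as an allocation failure to callers and logs. Use `return AVERROR_INVALIDDATA;` instead. Freeing `m->s_temp` and calling `mov_text_cleanup(m)` before returning looks consistent with the allocation pattern above the hunk.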
@@ -51,6 +51,10 @@ static int mp3_header_decompress(AVBitStreamFilterContext *bsfc, AVCodecContext lsf = sample_rate < (24000+32000)/2; mpeg25 = sample_rate < (12000+16000)/2; sample_rate_index= (header>>10)&3; + if (sample_rate_index == 3) { + return AVERROR_INVALIDDATA; + } + sample_rate= avpriv_mpa_freq_tab[sample_rate_index] >> (lsf + mpeg25); //in case sample rate is a little off for(bitrate_index=2; bitrate_index<30; bitrate_index++){ diff --git a/lib/ffmpeg/libavcodec/mpc.c b/lib/ffmpeg/libavcodec/mpc.c index 7af30bd0e..9cd7fc5c2 100644 --- a/lib/ffmpeg/libavcodec/mpc.c +++ b/lib/ffmpeg/libavcodec/mpc.c @@ -76,17 +76,17 @@ void ff_mpc_dequantize_and_synth(MPCContext * c, int maxband, int16_t **out, j = 0; mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][0] & 0xFF]; for(; j < 12; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][1] & 0xFF]; for(; j < 24; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][2] & 0xFF]; for(; j < 36; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); } } if(bands[i].msf){ - int t1, t2; + unsigned t1, t2; for(j = 0; j < SAMPLES_PER_BAND; j++){ t1 = c->sb_samples[0][j][i]; t2 = c->sb_samples[1][j][i]; diff --git a/lib/ffmpeg/libavcodec/mpc8.c b/lib/ffmpeg/libavcodec/mpc8.c index 8894457c7..898cc0633 100644 --- a/lib/ffmpeg/libavcodec/mpc8.c +++ b/lib/ffmpeg/libavcodec/mpc8.c @@ -62,7 +62,7 @@ static inline int mpc8_dec_enum(GetBitContext *gb, int k, int n) do { n--; if (code >= C[n]) { - bits |= 1 << n; + bits |= 1U << n; code -= C[n]; C -= 32; k--; 
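Review bot: The added rejection of `sample_rate_index == 3` is correct but unexplained: index 3 is the reserved value in the MPEG audio header, and without the check `avpriv_mpa_freq_tab[3]` would be indexed past the valid entries. A comment at the check, `/* sample rate index 3 is reserved; do not index avpriv_mpa_freq_tab with it */`, would say why. The braces around the single `return` differ from the surrounding style in this function.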
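Review bot: `av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX)` clamps in float, and `INT32_MAX` is not representable as a float: it rounds to 2^31, so the upper bound still admits a value one past the `int32_t` range, and the subsequent store is only safe if `sb_samples` is itself a float array or the conversion saturates. The declaration of `sb_samples` is outside the hunk, so please confirm; if it is integer, clamp to the largest float below 2^31 or clamp after converting. The `unsigned t1, t2` change for the mid/side combination is fine.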
@@ -362,8 +362,9 @@ static int mpc8_decode_frame(AVCodecContext * avctx, void *data, for(j = 0; j < SAMPLES_PER_BAND; j += SAMPLES_PER_BAND / 2){ cnt = get_vlc2(gb, q1_vlc.table, MPC8_Q1_BITS, 2); t = mpc8_get_mask(gb, 18, cnt); - for(k = 0; k < SAMPLES_PER_BAND / 2; k++, t <<= 1) - c->Q[ch][off + j + k] = (t & 0x20000) ? (get_bits1(gb) << 1) - 1 : 0; + for(k = 0; k < SAMPLES_PER_BAND / 2; k++) + c->Q[ch][off + j + k] = t & (1 << (SAMPLES_PER_BAND / 2 - k - 1)) + ? (get_bits1(gb) << 1) - 1 : 0; } break; case 2: diff --git a/lib/ffmpeg/libavcodec/mpeg12dec.c b/lib/ffmpeg/libavcodec/mpeg12dec.c index 9872e6703..c0cbab655 100644 --- a/lib/ffmpeg/libavcodec/mpeg12dec.c +++ b/lib/ffmpeg/libavcodec/mpeg12dec.c @@ -308,7 +308,6 @@ static inline int mpeg1_decode_block_inter(MpegEncContext *s, } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -475,7 +474,6 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -626,7 +624,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -654,7 +651,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, dc = s->last_dc[component]; dc += diff; s->last_dc[component] = dc; - block[0] = dc << (3 - s->intra_dc_precision); + block[0] = dc * (1 << (3 - s->intra_dc_precision)); i = 0; if (s->intra_vlc_format) rl = &ff_rl_mpeg2; 
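Review bot: After deleting `Note: this function can read out of range and crash for corrupt streams.` from the three doc comments, the remaining line `Changing this would eat up any speed benefits it has.` has lost its antecedent, so the comment no longer says what should not be changed. Reword the remaining text in all three places, for instance `* These fast variants trade checks for speed; do not use the "fast" flag if you need the code to be robust.`. The `dc * (1 << (3 - s->intra_dc_precision))` rewrite in mpeg2_fast_decode_block_intra is the right fix for shifting a negative value.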
@@ -1616,6 +1613,10 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) s->mpeg_f_code[0][1] = get_bits(&s->gb, 4); s->mpeg_f_code[1][0] = get_bits(&s->gb, 4); s->mpeg_f_code[1][1] = get_bits(&s->gb, 4); + s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; + s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; + s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; + s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; if (!s->pict_type && s1->mpeg_enc_ctx_allocated) { av_log(s->avctx, AV_LOG_ERROR, "Missing picture start code, guessing missing values\n"); @@ -1629,10 +1630,6 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) s->current_picture.f->pict_type = s->pict_type; s->current_picture.f->key_frame = s->pict_type == AV_PICTURE_TYPE_I; } - s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; - s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; - s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; - s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; s->intra_dc_precision = get_bits(&s->gb, 2); s->picture_structure = get_bits(&s->gb, 2); @@ -2485,7 +2482,7 @@ static int decode_chunks(AVCodecContext *avctx, AVFrame *picture, return ret; else if (ret) { // FIXME: merge with the stuff in mpeg_decode_slice - if (s2->last_picture_ptr || s2->low_delay) + if (s2->last_picture_ptr || s2->low_delay || s2->pict_type == AV_PICTURE_TYPE_B) *got_output = 1; } } diff --git a/lib/ffmpeg/libavcodec/mpeg4videodec.c b/lib/ffmpeg/libavcodec/mpeg4videodec.c index 6c6782bac..2129c4449 100644 --- a/lib/ffmpeg/libavcodec/mpeg4videodec.c +++ b/lib/ffmpeg/libavcodec/mpeg4videodec.c 
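Review bot: The four `s->mpeg_f_code[..] += !s->mpeg_f_code[..];` lines are moved above the `Missing picture start code` error path so that an early return can no longer leave a zero f_code behind, but nothing in the code says that is the reason for the placement. A comment at the moved block, `/* f_code 0 is invalid; normalise to 1 before any early return below can observe it */`, would keep a future cleanup from moving it back.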
@@ -391,7 +391,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + llabs(sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || @@ -537,7 +537,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) len >>= s->quarter_sample; if (s->real_sprite_warping_points == 1) { - if (ctx->divx_version == 500 && ctx->divx_build == 413) + if (ctx->divx_version == 500 && ctx->divx_build == 413 && a >= s->quarter_sample) sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample)); else sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a); @@ -549,7 +549,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) dy -= 1 << (shift + a + 1); else dx -= 1 << (shift + a + 1); - mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16 + dy * s->mb_y * 16; + mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16U + dy * s->mb_y * 16U; sum = 0; for (y = 0; y < 16; y++) { @@ -2242,9 +2242,6 @@ int ff_mpeg4_workaround_bugs(AVCodecContext *avctx) if (ctx->divx_version >= 0) s->workaround_bugs |= FF_BUG_HPEL_CHROMA; - - if (ctx->num_sprite_warping_points > 1) - s->workaround_bugs |= FF_BUG_GMC_UNSUPPORTED; } if (s->workaround_bugs & FF_BUG_STD_QPEL) { @@ -2269,7 +2266,6 @@ int ff_mpeg4_workaround_bugs(AVCodecContext *avctx) s->workaround_bugs, ctx->lavc_build, ctx->xvid_build, ctx->divx_version, ctx->divx_build, s->divx_packed ? "p" : ""); - avctx->workaround_bugs = s->workaround_bugs; if (CONFIG_MPEG4_DECODER && ctx->xvid_build >= 0 && s->codec_id == AV_CODEC_ID_MPEG4 && avctx->idct_algo == FF_IDCT_AUTO) { 
diff --git a/lib/ffmpeg/libavcodec/mpeg4videoenc.c b/lib/ffmpeg/libavcodec/mpeg4videoenc.c index b3ad4f904..b8f648d7e 100644 --- a/lib/ffmpeg/libavcodec/mpeg4videoenc.c +++ b/lib/ffmpeg/libavcodec/mpeg4videoenc.c @@ -104,7 +104,7 @@ static inline void restore_ac_coeffs(MpegEncContext *s, int16_t block[6][64], memcpy(s->block_last_index, zigzag_last_index, sizeof(int) * 6); for (n = 0; n < 6; n++) { - int16_t *ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + int16_t *ac_val = &s->ac_val[0][0][0] + s->block_index[n] * 16; st[n] = s->intra_scantable.permutated; if (dir[n]) { @@ -143,7 +143,7 @@ static inline int decide_ac_pred(MpegEncContext *s, int16_t block[6][64], score -= get_block_rate(s, block[n], s->block_last_index[n], s->intra_scantable.permutated); - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = &s->ac_val[0][0][0] + s->block_index[n] * 16; ac_val1 = ac_val; if (dir[n]) { const int xy = s->mb_x + s->mb_y * s->mb_stride - s->mb_stride; @@ -910,7 +910,7 @@ void ff_set_mpeg4_time(MpegEncContext *s) static void mpeg4_encode_gop_header(MpegEncContext *s) { - int hours, minutes, seconds; + int64_t hours, minutes, seconds; int64_t time; put_bits(&s->pb, 16, 0); @@ -1335,6 +1335,8 @@ static av_cold int encode_init(AVCodecContext *avctx) if (s->avctx->flags & AV_CODEC_FLAG_GLOBAL_HEADER) { s->avctx->extradata = av_malloc(1024); + if (!s->avctx->extradata) + return AVERROR(ENOMEM); init_put_bits(&s->pb, s->avctx->extradata, 1024); if (!(s->workaround_bugs & FF_BUG_MS)) diff --git a/lib/ffmpeg/libavcodec/mpegaudio_parser.c b/lib/ffmpeg/libavcodec/mpegaudio_parser.c index b66e8b056..a512e08ce 100644 --- a/lib/ffmpeg/libavcodec/mpegaudio_parser.c +++ b/lib/ffmpeg/libavcodec/mpegaudio_parser.c 
@@ -98,7 +98,9 @@ static int mpegaudio_parse(AVCodecParserContext *s1, } else if (codec_id == AV_CODEC_ID_MP3ADU) { avpriv_report_missing_feature(avctx, "MP3ADU full parser"); - return 0; /* parsers must not return error codes */ + *poutbuf = NULL; + *poutbuf_size = 0; + return buf_size; /* parsers must not return error codes */ } break; diff --git a/lib/ffmpeg/libavcodec/mpegaudioenc_template.c b/lib/ffmpeg/libavcodec/mpegaudioenc_template.c index ce93cc7c6..4a35cfccd 100644 --- a/lib/ffmpeg/libavcodec/mpegaudioenc_template.c +++ b/lib/ffmpeg/libavcodec/mpegaudioenc_template.c @@ -701,7 +701,7 @@ static void encode_frame(MpegAudioContext *s, /* normalize to P bits */ if (shift < 0) - q1 = sample << (-shift); + q1 = sample * (1 << -shift); else q1 = sample >> shift; q1 = (q1 * mult) >> P; diff --git a/lib/ffmpeg/libavcodec/mpegvideo.c b/lib/ffmpeg/libavcodec/mpegvideo.c index 29d11c542..2deb9499f 100644 --- a/lib/ffmpeg/libavcodec/mpegvideo.c +++ b/lib/ffmpeg/libavcodec/mpegvideo.c @@ -1061,6 +1061,13 @@ int ff_mpv_common_frame_size_change(MpegEncContext *s) (err = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) goto fail; + /* set chroma shifts */ + err = av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, + &s->chroma_x_shift, + &s->chroma_y_shift); + if (err < 0) + return err; + if ((err = init_context_frame(s))) goto fail; diff --git a/lib/ffmpeg/libavcodec/msmpeg4dec.c b/lib/ffmpeg/libavcodec/msmpeg4dec.c index f407910f2..ef46be201 100644 --- a/lib/ffmpeg/libavcodec/msmpeg4dec.c +++ b/lib/ffmpeg/libavcodec/msmpeg4dec.c 
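Review bot: The new av_pix_fmt_get_chroma_sub_sample() failure path in ff_mpv_common_frame_size_change() returns directly, while the av_image_check_size() check just above it and the init_context_frame() call just below both use `goto fail;`. If the fail label undoes state set earlier in the function (its body is outside this hunk, so I cannot confirm), this path skips that cleanup; `if (err < 0) goto fail;` keeps the three error paths consistent either way.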
@@ -410,6 +410,14 @@ int ff_msmpeg4_decode_picture_header(MpegEncContext * s) { int code; + // at minimum one bit per macroblock is required at least in a valid frame, + // we discard frames much smaller than this. Frames smaller than 1/8 of the + // smallest "black/skip" frame generally contain not much recoverable content + // while at the same time they have the highest computational requirements + // per byte + if (get_bits_left(&s->gb) * 8LL < (s->width+15)/16 * ((s->height+15)/16)) + return AVERROR_INVALIDDATA; + if(s->msmpeg4_version==1){ int start_code = get_bits_long(&s->gb, 32); if(start_code!=0x00000100){ diff --git a/lib/ffmpeg/libavcodec/msrle.c b/lib/ffmpeg/libavcodec/msrle.c index 4032d0840..154c3df1f 100644 --- a/lib/ffmpeg/libavcodec/msrle.c +++ b/lib/ffmpeg/libavcodec/msrle.c @@ -95,6 +95,9 @@ static int msrle_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; + if (buf_size < 2) //Minimally a end of picture code should be there + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; diff --git a/lib/ffmpeg/libavcodec/mss1.c b/lib/ffmpeg/libavcodec/mss1.c index a579d9d9a..84b7a3700 100644 --- a/lib/ffmpeg/libavcodec/mss1.c +++ b/lib/ffmpeg/libavcodec/mss1.c @@ -56,6 +56,8 @@ static void arith_normalise(ArithCoder *c) c->low <<= 1; c->high <<= 1; c->high |= 1; + if (get_bits_left(c->gbc.gb) < 1) + c->overread++; c->value |= get_bits1(c->gbc.gb); } } @@ -112,6 +114,7 @@ static void arith_init(ArithCoder *c, GetBitContext *gb) c->low = 0; c->high = 0xFFFF; c->value = get_bits(gb, 16); + c->overread = 0; c->gbc.gb = gb; c->get_model_sym = arith_get_model_sym; c->get_number = arith_get_number; diff --git a/lib/ffmpeg/libavcodec/mss12.c b/lib/ffmpeg/libavcodec/mss12.c index 6b58aa295..d44761688 100644 --- a/lib/ffmpeg/libavcodec/mss12.c +++ b/lib/ffmpeg/libavcodec/mss12.c 
@@ -161,6 +161,8 @@ static av_always_inline int decode_pixel(ArithCoder *acoder, PixContext *pctx, { int i, val, pix; + if (acoder->overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; val = acoder->get_model_sym(acoder, &pctx->cache_model); if (val < pctx->num_syms) { if (any_ngb) { @@ -305,6 +307,8 @@ static int decode_region(ArithCoder *acoder, uint8_t *dst, uint8_t *rgb_pic, else p = decode_pixel_in_context(acoder, pctx, dst + i, stride, i, j, width - i - 1); + if (p < 0) + return p; dst[i] = p; if (rgb_pic) @@ -397,6 +401,8 @@ static int decode_region_masked(MSS12Context const *c, ArithCoder *acoder, else p = decode_pixel_in_context(acoder, pctx, dst + i, stride, i, j, width - i - 1); + if (p < 0) + return p; dst[i] = p; if (c->rgb_pic) AV_WB24(rgb_dst + i * 3, c->pal[p]); @@ -472,6 +478,8 @@ static int decode_region_intra(SliceContext *sc, ArithCoder *acoder, uint8_t *rgb_dst = c->rgb_pic + x * 3 + y * rgb_stride; pix = decode_pixel(acoder, &sc->intra_pix_ctx, NULL, 0, 0); + if (pix < 0) + return pix; rgb_pix = c->pal[pix]; for (i = 0; i < height; i++, dst += stride, rgb_dst += rgb_stride) { memset(dst, pix, width); @@ -498,6 +506,8 @@ static int decode_region_inter(SliceContext *sc, ArithCoder *acoder, if (!mode) { mode = decode_pixel(acoder, &sc->inter_pix_ctx, NULL, 0, 0); + if (mode < 0) + return mode; if (c->avctx->err_recognition & AV_EF_EXPLODE && ( c->rgb_pic && mode != 0x01 && mode != 0x02 && mode != 0x04 || @@ -529,6 +539,8 @@ int ff_mss12_decode_rect(SliceContext *sc, ArithCoder *acoder, int x, int y, int width, int height) { int mode, pivot; + if (acoder->overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; mode = acoder->get_model_sym(acoder, &sc->split_mode); diff --git a/lib/ffmpeg/libavcodec/mss12.h b/lib/ffmpeg/libavcodec/mss12.h index f95316738..98029b2d0 100644 --- a/lib/ffmpeg/libavcodec/mss12.h +++ b/lib/ffmpeg/libavcodec/mss12.h 
@@ -47,6 +47,8 @@ typedef struct Model { typedef struct ArithCoder { int low, high, value; + int overread; +#define MAX_OVERREAD 16 union { GetBitContext *gb; GetByteContext *gB; diff --git a/lib/ffmpeg/libavcodec/mss2.c b/lib/ffmpeg/libavcodec/mss2.c index cf325470b..8a58474a2 100644 --- a/lib/ffmpeg/libavcodec/mss2.c +++ b/lib/ffmpeg/libavcodec/mss2.c @@ -152,6 +152,7 @@ static void arith2_init(ArithCoder *c, GetByteContext *gB) c->low = 0; c->high = 0xFFFFFF; c->value = bytestream2_get_be24(gB); + c->overread = 0; c->gbc.gB = gB; c->get_model_sym = arith2_get_model_sym; c->get_number = arith2_get_number; diff --git a/lib/ffmpeg/libavcodec/mss3.c b/lib/ffmpeg/libavcodec/mss3.c index 8344bfe8a..fa29fe626 100644 --- a/lib/ffmpeg/libavcodec/mss3.c +++ b/lib/ffmpeg/libavcodec/mss3.c @@ -298,6 +298,10 @@ static void rac_normalise(RangeCoder *c) c->got_error = 1; c->low = 1; } + if (c->low > c->range) { + c->got_error = 1; + c->low = 1; + } if (c->range >= RAC_BOTTOM) return; } diff --git a/lib/ffmpeg/libavcodec/mss4.c b/lib/ffmpeg/libavcodec/mss4.c index 9639fc820..421658cd5 100644 --- a/lib/ffmpeg/libavcodec/mss4.c +++ b/lib/ffmpeg/libavcodec/mss4.c @@ -552,6 +552,11 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, "Empty frame found but it is not a skip frame.\n"); return AVERROR_INVALIDDATA; } + mb_width = FFALIGN(width, 16) >> 4; + mb_height = FFALIGN(height, 16) >> 4; + + if (frame_type != SKIP_FRAME && 8*buf_size < 8*HEADER_SIZE + mb_width*mb_height) + return AVERROR_INVALIDDATA; if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) return ret; @@ -574,9 +579,6 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if ((ret = init_get_bits8(&gb, buf + HEADER_SIZE, buf_size - HEADER_SIZE)) < 0) return ret; - - mb_width = FFALIGN(width, 16) >> 4; - mb_height = FFALIGN(height, 16) >> 4; dst[0] = c->pic->data[0]; dst[1] = c->pic->data[1]; dst[2] = c->pic->data[2]; 
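Review bot: `#define MAX_OVERREAD 16` is placed inside the ArithCoder struct body, between the `overread` member and the union; a preprocessor define is not part of the struct and is easy to miss there. Moving it above `typedef struct ArithCoder` next to the file's other constants, with a one-line comment such as `/* bits read past the end of input before decoding is abandoned */`, would make the limit discoverable from mss12.c, where it is compared against.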
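Review bot: arith2_init() now zeroes `overread`, but nothing in this diff increments it for the byte-based coder, so the `acoder->overread > MAX_OVERREAD` checks added in mss12.c may never trigger for mss2 streams unless arith2_normalise() (not shown) also counts reads past the end of `gbc.gB`. Worth confirming that the byte-context coder has a matching `overread++` on exhaustion, or documenting at the field that the limit only applies to the bit-context coder.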
diff --git a/lib/ffmpeg/libavcodec/msvideo1.c b/lib/ffmpeg/libavcodec/msvideo1.c index c53ca826c..3e51e3cfe 100644 --- a/lib/ffmpeg/libavcodec/msvideo1.c +++ b/lib/ffmpeg/libavcodec/msvideo1.c @@ -63,6 +63,9 @@ static av_cold int msvideo1_decode_init(AVCodecContext *avctx) s->avctx = avctx; + if (avctx->width < 4 || avctx->height < 4) + return AVERROR_INVALIDDATA; + /* figure out the colorspace based on the presence of a palette */ if (s->avctx->bits_per_coded_sample == 8) { s->mode_8bit = 1; diff --git a/lib/ffmpeg/libavcodec/mxpegdec.c b/lib/ffmpeg/libavcodec/mxpegdec.c index 2e3ebe6e7..ea73bd4a1 100644 --- a/lib/ffmpeg/libavcodec/mxpegdec.c +++ b/lib/ffmpeg/libavcodec/mxpegdec.c @@ -195,10 +195,14 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, int start_code; int ret; + if (avctx->skip_frame == AVDISCARD_ALL) + return AVERROR_PATCHWELCOME; + buf_ptr = buf; buf_end = buf + buf_size; jpg->got_picture = 0; s->got_mxm_bitmask = 0; + s->got_sof_data = !!s->got_sof_data; while (buf_ptr < buf_end) { start_code = ff_mjpeg_find_marker(jpg, &buf_ptr, buf_end, &unescaped_buf_ptr, &unescaped_buf_size); @@ -241,19 +245,25 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, return ret; break; case SOF0: - s->got_sof_data = 0; + if (s->got_sof_data > 1) { + av_log(avctx, AV_LOG_ERROR, + "Multiple SOF in a frame\n"); + return AVERROR_INVALIDDATA; + } ret = ff_mjpeg_decode_sof(jpg); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "SOF data decode error\n"); + s->got_sof_data = 0; return ret; } if (jpg->interlaced) { av_log(avctx, AV_LOG_ERROR, "Interlaced mode not supported in MxPEG\n"); + s->got_sof_data = 0; return AVERROR(EINVAL); } - s->got_sof_data = 1; + s->got_sof_data ++; break; case SOS: if (!s->got_sof_data) { diff --git a/lib/ffmpeg/libavcodec/nuv.c b/lib/ffmpeg/libavcodec/nuv.c index f3270cb19..d9f0162a6 100644 --- a/lib/ffmpeg/libavcodec/nuv.c +++ b/lib/ffmpeg/libavcodec/nuv.c 
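Review bot: The SOF0 check in mxpeg_decode_frame() carries `got_sof_data` over from the previous frame (it is normalised to 0 or 1 at frame start), so the "Multiple SOF in a frame" error tolerates two SOF0 markers in a frame that follows a frame without one, but only one otherwise. If the intent is exactly one SOF0 per frame, counting with a separate per-frame field and keeping `got_sof_data` a boolean would make the threshold independent of history. The enclosing function extends outside this hunk.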
@@ -123,15 +123,15 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, get_quant_quality(c, quality); if (width != c->width || height != c->height) { // also reserve space for a possible additional header - int buf_size = height * width * 3 / 2 + int64_t buf_size = height * (int64_t)width * 3 / 2 + FFMAX(AV_LZO_OUTPUT_PADDING, AV_INPUT_BUFFER_PADDING_SIZE) + RTJPEG_HEADER_SIZE; if (buf_size > INT_MAX/8) return -1; - if ((ret = av_image_check_size(height, width, 0, avctx)) < 0) + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; - avctx->width = c->width = width; - avctx->height = c->height = height; + c->width = width; + c->height = height; av_fast_malloc(&c->decomp_buf, &c->decomp_size, buf_size); if (!c->decomp_buf) { @@ -158,6 +158,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int orig_size = buf_size; int keyframe, ret; int size_change = 0; + int minsize = 0; int result, init_frame = !avctx->frame_number; enum { NUV_UNCOMPRESSED = '0', @@ -195,6 +196,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case NUV_RTJPEG_IN_LZO: case NUV_RTJPEG: keyframe = !buf[2]; + if (c->width < 16 || c->height < 16) { + return AVERROR_INVALIDDATA; + } break; case NUV_COPY_LAST: keyframe = 0; @@ -203,6 +207,24 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, keyframe = 1; break; } + switch (comptype) { + case NUV_UNCOMPRESSED: + minsize = c->width * c->height * 3 / 2; + break; + case NUV_RTJPEG: + minsize = c->width/16 * (c->height/16) * 6; + break; + case NUV_BLACK: + case NUV_COPY_LAST: + case NUV_LZO: + case NUV_RTJPEG_IN_LZO: + break; + default: + av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); + return AVERROR_INVALIDDATA; + } + if (buf_size < minsize / 4) + return AVERROR_INVALIDDATA; retry: // skip rest of the frameheader. buf = &buf[12]; 
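Review bot: The new `switch (comptype)` in decode_frame() that sets `minsize` repeats the case list of the keyframe switch directly above it, and the `default:` branch that used to live in the later switch now sits here; two parallel switches on the same value are easy to let drift apart. Folding the `minsize` assignments into the existing keyframe switch keeps one case list. Also, `c->width * c->height * 3 / 2` appears to rely on codec_reinit()'s INT_MAX/8 bound on the same product to stay in int range; a comment saying so, e.g. `/* cannot overflow: codec_reinit() rejects width*height*3/2 > INT_MAX/8 */`, would save the next reader the search.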
@@ -288,9 +310,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case NUV_COPY_LAST: /* nothing more to do here */ break; - default: - av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); - return AVERROR_INVALIDDATA; } if ((result = av_frame_ref(picture, c->pic)) < 0) diff --git a/lib/ffmpeg/libavcodec/opus_silk.c b/lib/ffmpeg/libavcodec/opus_silk.c index 408e4bf43..6418743b6 100644 --- a/lib/ffmpeg/libavcodec/opus_silk.c +++ b/lib/ffmpeg/libavcodec/opus_silk.c @@ -955,8 +955,10 @@ static void silk_lsf2lpc(const int16_t nlsf[16], float lpcf[16], int order) /* reconstruct A(z) */ for (k = 0; k < order>>1; k++) { - lpc32[k] = -p[k + 1] - p[k] - q[k + 1] + q[k]; - lpc32[order-k-1] = -p[k + 1] - p[k] + q[k + 1] - q[k]; + int32_t p_tmp = p[k + 1] + p[k]; + int32_t q_tmp = q[k + 1] - q[k]; + lpc32[k] = -q_tmp - p_tmp; + lpc32[order-k-1] = q_tmp - p_tmp; } /* limit the range of the LPC coefficients to each fit within an int16_t */ diff --git a/lib/ffmpeg/libavcodec/parser.c b/lib/ffmpeg/libavcodec/parser.c index f5bfa249d..88e76014c 100644 --- a/lib/ffmpeg/libavcodec/parser.c +++ b/lib/ffmpeg/libavcodec/parser.c @@ -242,6 +242,9 @@ int ff_combine_frame(ParseContext *pc, int next, for (; pc->overread > 0; pc->overread--) pc->buffer[pc->index++] = pc->buffer[pc->overread_index++]; + if (next > *buf_size) + return AVERROR(EINVAL); + /* flush remaining if EOF */ if (!*buf_size && next == END_NOT_FOUND) next = 0; diff --git a/lib/ffmpeg/libavcodec/pcm.c b/lib/ffmpeg/libavcodec/pcm.c index 2cb5a360d..6ae2de274 100644 --- a/lib/ffmpeg/libavcodec/pcm.c +++ b/lib/ffmpeg/libavcodec/pcm.c 
@@ -467,13 +467,13 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data, dst_int32_t = (int32_t *)frame->extended_data[c]; for (i = 0; i < n; i++) { // extract low 20 bits and expand to 32 bits - *dst_int32_t++ = (src[2] << 28) | + *dst_int32_t++ = ((uint32_t)src[2]<<28) | (src[1] << 20) | (src[0] << 12) | ((src[2] & 0x0F) << 8) | src[1]; // extract high 20 bits and expand to 32 bits - *dst_int32_t++ = (src[4] << 24) | + *dst_int32_t++ = ((uint32_t)src[4]<<24) | (src[3] << 16) | ((src[2] & 0xF0) << 8) | (src[4] << 4) | diff --git a/lib/ffmpeg/libavcodec/pgssubdec.c b/lib/ffmpeg/libavcodec/pgssubdec.c index b549ff2bf..0877ac73e 100644 --- a/lib/ffmpeg/libavcodec/pgssubdec.c +++ b/lib/ffmpeg/libavcodec/pgssubdec.c @@ -662,6 +662,11 @@ static int decode(AVCodecContext *avctx, void *data, int *data_size, */ break; case DISPLAY_SEGMENT: + if (*data_size) { + av_log(avctx, AV_LOG_ERROR, "Duplicate display segment\n"); + ret = AVERROR_INVALIDDATA; + break; + } ret = display_end_segment(avctx, data, buf, segment_length); if (ret >= 0) *data_size = ret; @@ -672,8 +677,11 @@ static int decode(AVCodecContext *avctx, void *data, int *data_size, ret = AVERROR_INVALIDDATA; break; } - if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) + if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) { + avsubtitle_free(data); + *data_size = 0; return ret; + } buf += segment_length; } diff --git a/lib/ffmpeg/libavcodec/png.h b/lib/ffmpeg/libavcodec/png.h index 948c2f714..e967fcf38 100644 --- a/lib/ffmpeg/libavcodec/png.h +++ b/lib/ffmpeg/libavcodec/png.h @@ -42,11 +42,6 @@ #define PNG_FILTER_VALUE_PAETH 4 #define PNG_FILTER_VALUE_MIXED 5 -#define PNG_IHDR 0x0001 -#define PNG_IDAT 0x0002 -#define PNG_ALLIMAGE 0x0004 -#define PNG_PLTE 0x0008 - #define NB_PASSES 7 #define PNGSIG 0x89504e470d0a1a0a diff --git a/lib/ffmpeg/libavcodec/pngdec.c b/lib/ffmpeg/libavcodec/pngdec.c index ac49954ad..4cace3d5a 100644 --- a/lib/ffmpeg/libavcodec/pngdec.c 
+++ b/lib/ffmpeg/libavcodec/pngdec.c @@ -34,6 +34,16 @@ #include +enum PNGHeaderState { + PNG_IHDR = 1 << 0, + PNG_PLTE = 1 << 1, +}; + +enum PNGImageState { + PNG_IDAT = 1 << 0, + PNG_ALLIMAGE = 1 << 1, +}; + typedef struct PNGDecContext { PNGDSPContext dsp; AVCodecContext *avctx; @@ -43,7 +53,8 @@ typedef struct PNGDecContext { ThreadFrame last_picture; ThreadFrame picture; - int state; + enum PNGHeaderState hdr_state; + enum PNGImageState pic_state; int width, height; int cur_w, cur_h; int last_w, last_h; @@ -332,7 +343,7 @@ static void png_handle_row(PNGDecContext *s) } s->y++; if (s->y == s->cur_h) { - s->state |= PNG_ALLIMAGE; + s->pic_state |= PNG_ALLIMAGE; if (s->filter_type == PNG_FILTER_TYPE_LOCO) { if (s->bit_depth == 16) { deloco_rgb16((uint16_t *)ptr, s->row_size / 2, @@ -367,7 +378,7 @@ static void png_handle_row(PNGDecContext *s) memset(s->last_row, 0, s->row_size); for (;;) { if (s->pass == NB_PASSES - 1) { - s->state |= PNG_ALLIMAGE; + s->pic_state |= PNG_ALLIMAGE; goto the_end; } else { s->pass++; @@ -402,7 +413,7 @@ static int png_decode_idat(PNGDecContext *s, int length) return AVERROR_EXTERNAL; } if (s->zstream.avail_out == 0) { - if (!(s->state & PNG_ALLIMAGE)) { + if (!(s->pic_state & PNG_ALLIMAGE)) { png_handle_row(s); } s->zstream.avail_out = s->crow_size; @@ -539,12 +550,12 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, if (length != 13) return AVERROR_INVALIDDATA; - if (s->state & PNG_IDAT) { + if (s->pic_state & PNG_IDAT) { av_log(avctx, AV_LOG_ERROR, "IHDR after IDAT\n"); return AVERROR_INVALIDDATA; } - if (s->state & PNG_IHDR) { + if (s->hdr_state & PNG_IHDR) { av_log(avctx, AV_LOG_ERROR, "Multiple IHDR\n"); return AVERROR_INVALIDDATA; } 
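Review bot: `hdr_state` and `pic_state` are declared with the enum types PNGHeaderState and PNGImageState but are used as bit sets (`|=`, and `&` against `PNG_ALLIMAGE|PNG_IDAT` later in this file), so they routinely hold values that are not enumerators. That is valid C, but an enum-typed field reads as a promise of a single value; declaring the fields as `unsigned` and keeping the enums only to name the flags, or adding a comment on each field such as `/* bit set of PNGHeaderState flags */`, would make the intent clear.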
@@ -564,10 +575,14 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, } s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); + if (s->compression_type) { + av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", s->compression_type); + goto error; + } s->filter_type = bytestream2_get_byte(&s->gb); s->interlace_type = bytestream2_get_byte(&s->gb); bytestream2_skip(&s->gb, 4); /* crc */ - s->state |= PNG_IHDR; + s->hdr_state |= PNG_IHDR; if (avctx->debug & FF_DEBUG_PICT_INFO) av_log(avctx, AV_LOG_DEBUG, "width=%d height=%d depth=%d color_type=%d " "compression_type=%d filter_type=%d interlace_type=%d\n", @@ -583,7 +598,7 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s) { - if (s->state & PNG_IDAT) { + if (s->pic_state & PNG_IDAT) { av_log(avctx, AV_LOG_ERROR, "pHYs after IDAT\n"); return AVERROR_INVALIDDATA; } @@ -603,11 +618,11 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, int ret; size_t byte_depth = s->bit_depth > 8 ? 2 : 1; - if (!(s->state & PNG_IHDR)) { + if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n"); return AVERROR_INVALIDDATA; } - if (!(s->state & PNG_IDAT)) { + if (!(s->pic_state & PNG_IDAT)) { /* init image info */ ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) @@ -733,7 +748,7 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, s->zstream.next_out = s->crow_buf; } - s->state |= PNG_IDAT; + s->pic_state |= PNG_IDAT; /* set image to non-transparent bpp while decompressing */ if (s->has_trns && s->color_type != PNG_COLOR_TYPE_PALETTE) @@ -769,7 +784,7 @@ static int decode_plte_chunk(AVCodecContext *avctx, PNGDecContext *s, } for (; i < 256; i++) s->palette[i] = (0xFFU << 24); - s->state |= PNG_PLTE; + s->hdr_state |= PNG_PLTE; bytestream2_skip(&s->gb, 4); /* crc */ return 0; 
@@ -780,18 +795,18 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, { int v, i; - if (!(s->state & PNG_IHDR)) { + if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "trns before IHDR\n"); return AVERROR_INVALIDDATA; } - if (s->state & PNG_IDAT) { + if (s->pic_state & PNG_IDAT) { av_log(avctx, AV_LOG_ERROR, "trns after IDAT\n"); return AVERROR_INVALIDDATA; } if (s->color_type == PNG_COLOR_TYPE_PALETTE) { - if (length > 256 || !(s->state & PNG_PLTE)) + if (length > 256 || !(s->hdr_state & PNG_PLTE)) return AVERROR_INVALIDDATA; for (i = 0; i < length; i++) { @@ -905,11 +920,16 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, if (length != 26) return AVERROR_INVALIDDATA; - if (!(s->state & PNG_IHDR)) { + if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "fctl before IHDR\n"); return AVERROR_INVALIDDATA; } + if (s->pic_state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "fctl after IDAT\n"); + return AVERROR_INVALIDDATA; + } + s->last_w = s->cur_w; s->last_h = s->cur_h; s->last_x_offset = s->x_offset; @@ -1112,13 +1132,13 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, length = bytestream2_get_bytes_left(&s->gb); if (length <= 0) { if (CONFIG_APNG_DECODER && avctx->codec_id == AV_CODEC_ID_APNG && length == 0) { - if (!(s->state & PNG_IDAT)) + if (!(s->pic_state & PNG_IDAT)) return 0; else goto exit_loop; } av_log(avctx, AV_LOG_ERROR, "%d bytes left\n", length); - if ( s->state & PNG_ALLIMAGE + if ( s->pic_state & PNG_ALLIMAGE && avctx->strict_std_compliance <= FF_COMPLIANCE_NORMAL) goto exit_loop; ret = AVERROR_INVALIDDATA; @@ -1157,7 +1177,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, case MKTAG('f', 'd', 'A', 'T'): if (!CONFIG_APNG_DECODER || avctx->codec_id != AV_CODEC_ID_APNG) goto skip_tag; - if (!decode_next_dat) { + if (!decode_next_dat || length < 4) { ret = AVERROR_INVALIDDATA; goto fail; } 
@@ -1189,9 +1209,9 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, bytestream2_skip(&s->gb, length + 4); break; case MKTAG('I', 'E', 'N', 'D'): - if (!(s->state & PNG_ALLIMAGE)) + if (!(s->pic_state & PNG_ALLIMAGE)) av_log(avctx, AV_LOG_ERROR, "IEND without all image\n"); - if (!(s->state & (PNG_ALLIMAGE|PNG_IDAT))) { + if (!(s->pic_state & (PNG_ALLIMAGE|PNG_IDAT))) { ret = AVERROR_INVALIDDATA; goto fail; } @@ -1244,6 +1264,9 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, if (CONFIG_PNG_DECODER && avctx->codec_id != AV_CODEC_ID_APNG) handle_p_frame_png(s, p); else if (CONFIG_APNG_DECODER && + s->previous_picture.f->width == p->width && + s->previous_picture.f->height== p->height && + s->previous_picture.f->format== p->format && avctx->codec_id == AV_CODEC_ID_APNG && (ret = handle_p_frame_apng(avctx, s, p)) < 0) goto fail; @@ -1287,7 +1310,9 @@ static int decode_frame_png(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - s->y = s->state = s->has_trns = 0; + s->y = s->has_trns = 0; + s->hdr_state = 0; + s->pic_state = 0; /* init the zlib */ s->zstream.zalloc = ff_png_zalloc; @@ -1328,7 +1353,7 @@ static int decode_frame_apng(AVCodecContext *avctx, FFSWAP(ThreadFrame, s->picture, s->last_picture); p = s->picture.f; - if (!(s->state & PNG_IHDR)) { + if (!(s->hdr_state & PNG_IHDR)) { if (!avctx->extradata_size) return AVERROR_INVALIDDATA; @@ -1348,14 +1373,14 @@ static int decode_frame_apng(AVCodecContext *avctx, goto end; } s->y = 0; - s->state &= ~(PNG_IDAT | PNG_ALLIMAGE); + s->pic_state = 0; bytestream2_init(&s->gb, avpkt->data, avpkt->size); if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0) goto end; - if (!(s->state & PNG_ALLIMAGE)) + if (!(s->pic_state & PNG_ALLIMAGE)) av_log(avctx, AV_LOG_WARNING, "Frame did not contain a complete image\n"); - if (!(s->state & (PNG_ALLIMAGE|PNG_IDAT))) { + if (!(s->pic_state & (PNG_ALLIMAGE|PNG_IDAT))) { ret = AVERROR_INVALIDDATA; goto end; } 
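Review bot: The added dimension/format comparison in decode_frame_common() makes the APNG blend step silently skipped when the previous picture does not match the current one: the `else if` simply evaluates false, no error is returned and nothing is logged, so the frame is output without compositing. If such a mismatch can only come from a malformed stream, returning AVERROR_INVALIDDATA (or at least an av_log at AV_LOG_WARNING) would make the condition visible instead of producing a quietly wrong frame. The enclosing function extends outside this hunk.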
@@ -1403,7 +1428,7 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) memcpy(pdst->palette, psrc->palette, sizeof(pdst->palette)); - pdst->state |= psrc->state & (PNG_IHDR | PNG_PLTE); + pdst->hdr_state |= psrc->hdr_state; ff_thread_release_buffer(dst, &pdst->last_picture); if (psrc->last_picture.f->data[0] && diff --git a/lib/ffmpeg/libavcodec/pnm.c b/lib/ffmpeg/libavcodec/pnm.c index 8b4a4ac29..947360021 100644 --- a/lib/ffmpeg/libavcodec/pnm.c +++ b/lib/ffmpeg/libavcodec/pnm.c @@ -108,6 +108,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) return AVERROR_INVALIDDATA; } } + if (!pnm_space(s->bytestream[-1])) + return AVERROR_INVALIDDATA; + /* check that all tags are present */ if (w <= 0 || h <= 0 || maxval <= 0 || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; @@ -187,6 +190,10 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) } }else s->maxval=1; + + if (!pnm_space(s->bytestream[-1])) + return AVERROR_INVALIDDATA; + /* more check if YUV420 */ if (av_pix_fmt_desc_get(avctx->pix_fmt)->flags & AV_PIX_FMT_FLAG_PLANAR) { if ((avctx->width & 1) != 0) diff --git a/lib/ffmpeg/libavcodec/pnm_parser.c b/lib/ffmpeg/libavcodec/pnm_parser.c index a5eb81f5f..1137da384 100644 --- a/lib/ffmpeg/libavcodec/pnm_parser.c +++ b/lib/ffmpeg/libavcodec/pnm_parser.c @@ -65,8 +65,10 @@ static int pnm_parse(AVCodecParserContext *s, AVCodecContext *avctx, #endif next = END_NOT_FOUND; } else { - next = pnmctx.bytestream - pnmctx.bytestream_start - + avpicture_get_size(avctx->pix_fmt, avctx->width, avctx->height); + int ret = avpicture_get_size(avctx->pix_fmt, avctx->width, avctx->height); + next = pnmctx.bytestream - pnmctx.bytestream_start; + if (ret >= 0 && next + (uint64_t)ret <= INT_MAX) + next += ret; if (pnmctx.bytestream_start != buf) next -= pc->index; if (next > buf_size) 
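Review bot: Both new `pnm_space(s->bytestream[-1])` checks in ff_pnm_decode_header() read the byte before the current position, which is only in bounds if at least one byte has already been consumed from `bytestream_start` when control reaches them; from these hunks alone I cannot see whether every path to the first check has advanced the pointer. If the header parsing above guarantees it, a comment such as `/* the tag parsing above consumed at least one byte, so [-1] is in bounds */` would document the invariant. The enclosing function extends outside these hunks.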
diff --git a/lib/ffmpeg/libavcodec/pnmdec.c b/lib/ffmpeg/libavcodec/pnmdec.c index 4e2045d2b..95e7c4494 100644 --- a/lib/ffmpeg/libavcodec/pnmdec.c +++ b/lib/ffmpeg/libavcodec/pnmdec.c @@ -132,7 +132,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, init_put_bits(&pb, ptr, linesize); for(j=0; jwidth * components; j++){ unsigned int c=0; - int v=0; + unsigned v=0; if(s->type < 4) while(s->bytestream < s->bytestream_end && (*s->bytestream < '0' || *s->bytestream > '9' )) s->bytestream++; @@ -172,7 +172,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, } else if (upgrade == 2) { unsigned int j, v, f = (65535 * 32768 + s->maxval / 2) / s->maxval; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } } @@ -226,7 +226,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; for (i = 0; i < avctx->height; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } s->bytestream += n; @@ -238,13 +238,13 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, h = avctx->height >> 1; for (i = 0; i < h; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr1[j] = (v * f + 16384) >> 15; } s->bytestream += n; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr2[j] = (v * f + 16384) >> 15; } s->bytestream += n; diff --git a/lib/ffmpeg/libavcodec/ptx.c b/lib/ffmpeg/libavcodec/ptx.c index 42147f4af..19f9305cd 100644 --- a/lib/ffmpeg/libavcodec/ptx.c +++ b/lib/ffmpeg/libavcodec/ptx.c 
@@ -55,6 +55,9 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, buf += offset; + if (buf_end - buf < w * bytes_per_pixel) + return AVERROR_INVALIDDATA; + if ((ret = ff_set_dimensions(avctx, w, h)) < 0) return ret; diff --git a/lib/ffmpeg/libavcodec/qdm2.c b/lib/ffmpeg/libavcodec/qdm2.c index 0b6dcd682..338bab5eb 100644 --- a/lib/ffmpeg/libavcodec/qdm2.c +++ b/lib/ffmpeg/libavcodec/qdm2.c @@ -406,7 +406,12 @@ static int fix_coding_method_array(int sb, int channels, } for (k = 0; k < run; k++) { if (j + k < 128) { - if (coding_method[ch][sb + (j + k) / 64][(j + k) % 64] > coding_method[ch][sb][j]) { + int sbjk = sb + (j + k) / 64; + if (sbjk > 29) { + SAMPLES_NEEDED + continue; + } + if (coding_method[ch][sbjk][(j + k) % 64] > coding_method[ch][sb][j]) { if (k > 0) { SAMPLES_NEEDED //not debugged, almost never used @@ -1282,6 +1287,10 @@ static void qdm2_fft_decode_tones(QDM2Context *q, int duration, } offset += (n - 2); } else { + if (local_int_10 <= 2) { + av_log(NULL, AV_LOG_ERROR, "qdm2_fft_decode_tones() stuck\n"); + return; + } offset += qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2); while (offset >= (local_int_10 - 1)) { offset += (1 - (local_int_10 - 1)); @@ -1323,6 +1332,9 @@ static void qdm2_fft_decode_tones(QDM2Context *q, int duration, if (q->frequency_range > (local_int_14 + 1)) { int sub_packet = (local_int_20 + local_int_28); + if (q->fft_coefs_index + stereo >= FF_ARRAY_ELEMS(q->fft_coefs)) + return; + qdm2_fft_init_coefficient(q, sub_packet, offset, duration, channel, exp, phase); if (stereo) 
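Review bot: The new "stuck" error in qdm2_fft_decode_tones() is logged with `av_log(NULL, ...)`, so the message carries no codec context and cannot be attributed to a stream, while the rest of this diff's qdm2 changes log through `avctx`. If QDM2Context keeps a pointer to its AVCodecContext, passing it here (`av_log(q->avctx, AV_LOG_ERROR, "qdm2_fft_decode_tones() stuck\n");`) would be preferable; I cannot confirm the field name from this hunk.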
@@ -1718,13 +1730,19 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) extradata += 4; s->checksum_size = AV_RB32(extradata); - if (s->checksum_size >= 1U << 28) { - av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size); + if (s->checksum_size >= 1U << 28 || !s->checksum_size) { + av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size); return AVERROR_INVALIDDATA; } s->fft_order = av_log2(s->fft_size) + 1; + // Fail on unknown fft order + if ((s->fft_order < 7) || (s->fft_order > 9)) { + avpriv_request_sample(avctx, "Unknown FFT order %d", s->fft_order); + return AVERROR_PATCHWELCOME; + } + // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block @@ -1735,6 +1753,11 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->sub_sampling = s->fft_order - 7; s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); + if (s->frame_size * 4 >> s->sub_sampling > MPA_FRAME_SIZE) { + avpriv_request_sample(avctx, "large frames"); + return AVERROR_PATCHWELCOME; + } + switch ((s->sub_sampling * 2 + s->channels - 1)) { case 0: tmp = 40; break; case 1: tmp = 48; break; @@ -1758,11 +1781,6 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) else s->coeff_per_sb_select = 2; - // Fail on unknown fft order - if ((s->fft_order < 7) || (s->fft_order > 9)) { - avpriv_request_sample(avctx, "Unknown FFT order %d", s->fft_order); - return AVERROR_PATCHWELCOME; - } if (s->fft_size != (1 << (s->fft_order - 1))) { av_log(avctx, AV_LOG_ERROR, "FFT size %d not power of 2.\n", s->fft_size); return AVERROR_INVALIDDATA; diff --git a/lib/ffmpeg/libavcodec/qpeg.c b/lib/ffmpeg/libavcodec/qpeg.c index 9bfecc3a3..74a6a0ee7 100644 --- a/lib/ffmpeg/libavcodec/qpeg.c +++ b/lib/ffmpeg/libavcodec/qpeg.c 
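Review bot: `s->frame_size * 4 >> s->sub_sampling > MPA_FRAME_SIZE` in qdm2_decode_init() relies on `*` binding tighter than `>>` and `>>` tighter than `>`; that is what C does, but mixing arithmetic, shift and comparison without parentheses is a classic source of misreadings. `if (((s->frame_size * 4) >> s->sub_sampling) > MPA_FRAME_SIZE)` states the intended grouping explicitly.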
@@ -90,6 +90,8 @@ static void qpeg_decode_intra(QpegContext *qctx, uint8_t *dst, } } } else { + if (bytestream2_get_bytes_left(&qctx->buffer) < copy) + copy = bytestream2_get_bytes_left(&qctx->buffer); for(i = 0; i < copy; i++) { dst[filled++] = bytestream2_get_byte(&qctx->buffer); if (filled >= width) { diff --git a/lib/ffmpeg/libavcodec/qtrle.c b/lib/ffmpeg/libavcodec/qtrle.c index a2f89039a..5b35a5ef2 100644 --- a/lib/ffmpeg/libavcodec/qtrle.c +++ b/lib/ffmpeg/libavcodec/qtrle.c @@ -132,6 +132,8 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int row_ptr, CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (num_pixels * (bytestream2_get_byte(&s->g) - 1)); @@ -187,6 +189,8 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, int lines_to_change) CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (4 * (bytestream2_get_byte(&s->g) - 1)); @@ -236,6 +240,8 @@ static void qtrle_decode_16bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 2; @@ -280,6 +286,8 @@ static void qtrle_decode_24bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 3; 
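Review bot: The clamp added to qpeg_decode_intra calls `bytestream2_get_bytes_left()` twice and shortens `copy` without a word on why; `copy = FFMIN(copy, bytestream2_get_bytes_left(&qctx->buffer));` is the same clamp in one line, and a comment like `/* input truncated: copy what is left, the function has no error return */` records that this is a deliberate best-effort path. `FFMIN` is already in use elsewhere in this patch set. The enclosing loop starts and ends outside the hunk.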
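Review bot: The guard `if (bytestream2_get_bytes_left(&s->g) < 1) return;` is pasted identically into qtrle_decode_2n4bpp, qtrle_decode_8bpp, qtrle_decode_16bpp and qtrle_decode_24bpp here and into qtrle_decode_32bpp in the hunk on the next line. The visible `rle_code == 0` branch reads another byte right away and presumably the other branches do too, so the check is sound, but five unexplained copies invite drift; a one-line comment at each, `/* every rle_code path reads at least one more byte */`, or a shared macro beside CHECK_PIXEL_PTR would document the intent once. The enclosing while loops continue past each hunk.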
@@ -327,6 +335,8 @@ static void qtrle_decode_32bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 4; diff --git a/lib/ffmpeg/libavcodec/ra144.c b/lib/ffmpeg/libavcodec/ra144.c index 67f0e8446..3393d7a87 100644 --- a/lib/ffmpeg/libavcodec/ra144.c +++ b/lib/ffmpeg/libavcodec/ra144.c @@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, if (v[0]) { for (i=0; i < BLOCKSIZE; i++) - dest[i] = (s1[i]*v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12; + dest[i] = (int)((s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; } else { for (i=0; i < BLOCKSIZE; i++) dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12; @@ -1569,11 +1569,11 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) b = 0x1000000 / b; for (j=0; j <= i; j++) { #if CONFIG_FTRAPV - int a = bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12); + int a = bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12); if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif - bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; + bp1[j] = (int)((bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) diff --git a/lib/ffmpeg/libavcodec/ralf.c b/lib/ffmpeg/libavcodec/ralf.c index 8cd9f88dc..c38bdabfc 100644 --- a/lib/ffmpeg/libavcodec/ralf.c +++ b/lib/ffmpeg/libavcodec/ralf.c @@ -220,7 +220,7 @@ static inline int extend_code(GetBitContext *gb, int val, int range, int bits) val -= range; } if (bits) - val = (val << bits) | get_bits(gb, bits); + val = ((unsigned)val << bits) | get_bits(gb, bits); return val; } 
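Review bot: In add_wav only the first product receives the cast, `s1[i]*(unsigned)v[0]`, while `s2[i]*v[1]` and `s3[i]*v[2]` in the same expression are still signed int multiplies evaluated before they join the unsigned sum; if `v[1]` and `v[2]` can reach the magnitude of `v[0]`, the overflow that motivated the change survives there. `(int)(s1[i]*(unsigned)v[0] + s2[i]*(unsigned)v[1] + s3[i]*(unsigned)v[2]) >> 12` makes the whole sum wrap-defined, and the untouched `else` loop would want the same treatment. The ff_eval_refl hunk that follows applies the cast to every product, which is the consistent form.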
@@ -234,8 +234,10 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, int *dst = ctx->channel_data[ch]; ctx->filter_params = get_vlc2(gb, set->filter_params.table, 9, 2); - ctx->filter_bits = (ctx->filter_params - 2) >> 6; - ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1; + if (ctx->filter_params > 1) { + ctx->filter_bits = (ctx->filter_params - 2) >> 6; + ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1; + } if (ctx->filter_params == FILTER_RAW) { for (i = 0; i < length; i++) @@ -262,8 +264,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, vlc[cmode].table, vlc[cmode].bits, 2); t = extend_code(gb, t, 21, add_bits); if (!cmode) - coeff -= 12 << add_bits; - coeff = t - coeff; + coeff -= 12U << add_bits; + coeff = (unsigned)t - coeff; ctx->filter[i] = coeff; cmode = coeff >> add_bits; @@ -286,7 +288,7 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, add_bits--; range = 10; range2 = 21; - code_vlc = set->long_codes + code_params - 15; + code_vlc = set->long_codes + (code_params - 15); } else { add_bits = 0; range = 6; @@ -300,8 +302,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, code_vlc->table, code_vlc->bits, 2); code1 = t / range2; code2 = t % range2; - dst[i] = extend_code(gb, code1, range, 0) << add_bits; - dst[i + 1] = extend_code(gb, code2, range, 0) << add_bits; + dst[i] = extend_code(gb, code1, range, 0) * (1U << add_bits); + dst[i + 1] = extend_code(gb, code2, range, 0) * (1U << add_bits); if (add_bits) { dst[i] |= get_bits(gb, add_bits); dst[i + 1] |= get_bits(gb, add_bits); 
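Review bot: When `ctx->filter_params` is 0 or 1 the new `if (ctx->filter_params > 1)` leaves `ctx->filter_bits` and `ctx->filter_length` holding whatever the previous channel or frame stored. apply_lpc in the hunk on the next line reads `ctx->filter_bits`; unless every such use is gated on the same condition, stale values leak across blocks, and an `else { ctx->filter_bits = ctx->filter_length = 0; }` makes the state explicit either way. A short comment on why values below 2 carry no filter parameters would also help the reader. decode_channel continues outside the hunk.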
@@ -323,12 +325,12 @@ static void apply_lpc(RALFContext *ctx, int ch, int length, int bits) acc = 0; for (j = 0; j < flen; j++) - acc += ctx->filter[j] * audio[i - j - 1]; + acc += (unsigned)ctx->filter[j] * audio[i - j - 1]; if (acc < 0) { acc = (acc + bias - 1) >> ctx->filter_bits; acc = FFMAX(acc, min_clip); } else { - acc = (acc + bias) >> ctx->filter_bits; + acc = ((unsigned)acc + bias) >> ctx->filter_bits; acc = FFMIN(acc, max_clip); } audio[i] += acc; @@ -342,7 +344,8 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, int len, ch, ret; int dmode, mode[2], bits[2]; int *ch0, *ch1; - int i, t, t2; + int i; + unsigned int t, t2; len = 12 - get_unary(gb, 0, 6); @@ -406,9 +409,9 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, case 4: for (i = 0; i < len; i++) { t = ch1[i] + ctx->bias[1]; - t2 = ((ch0[i] + ctx->bias[0]) << 1) | (t & 1); - dst0[i] = (t2 + t) / 2; - dst1[i] = (t2 - t) / 2; + t2 = ((ch0[i] + ctx->bias[0]) * 2) | (t & 1); + dst0[i] = (int)(t2 + t) / 2; + dst1[i] = (int)(t2 - t) / 2; } break; } @@ -479,6 +482,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, init_get_bits(&gb, src + 2, table_size); ctx->num_blocks = 0; while (get_bits_left(&gb) > 0) { + if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size)) + return AVERROR_INVALIDDATA; ctx->block_size[ctx->num_blocks] = get_bits(&gb, 15); if (get_bits1(&gb)) { ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9); diff --git a/lib/ffmpeg/libavcodec/rl2.c b/lib/ffmpeg/libavcodec/rl2.c index 6662979c5..2d336a61e 100644 --- a/lib/ffmpeg/libavcodec/rl2.c +++ b/lib/ffmpeg/libavcodec/rl2.c 
@@ -134,10 +134,15 @@ static av_cold int rl2_decode_init(AVCodecContext *avctx) Rl2Context *s = avctx->priv_data; int back_size; int i; + int ret; s->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 320, 200); + if (ret < 0) + return ret; + /** parse extra data */ if (!avctx->extradata || avctx->extradata_size < EXTRADATA1_SIZE) { av_log(avctx, AV_LOG_ERROR, "invalid extradata size\n"); diff --git a/lib/ffmpeg/libavcodec/rv10.c b/lib/ffmpeg/libavcodec/rv10.c index b56bb5881..c8667f42a 100644 --- a/lib/ffmpeg/libavcodec/rv10.c +++ b/lib/ffmpeg/libavcodec/rv10.c @@ -388,9 +388,9 @@ static int rv20_decode_picture_header(RVDecContext *rv) // attempt to keep aspect during typical resolution switches if (!old_aspect.num) old_aspect = (AVRational){1, 1}; - if (2 * new_w * s->height == new_h * s->width) + if (2 * (int64_t)new_w * s->height == (int64_t)new_h * s->width) s->avctx->sample_aspect_ratio = av_mul_q(old_aspect, (AVRational){2, 1}); - if (new_w * s->height == 2 * new_h * s->width) + if ((int64_t)new_w * s->height == 2 * (int64_t)new_h * s->width) s->avctx->sample_aspect_ratio = av_mul_q(old_aspect, (AVRational){1, 2}); ret = ff_set_dimensions(s->avctx, new_w, new_h); diff --git a/lib/ffmpeg/libavcodec/rv40dsp.c b/lib/ffmpeg/libavcodec/rv40dsp.c index 95ba0a925..cdc61fc70 100644 --- a/lib/ffmpeg/libavcodec/rv40dsp.c +++ b/lib/ffmpeg/libavcodec/rv40dsp.c @@ -379,7 +379,7 @@ static void rv40_weight_func_rnd_ ## size (uint8_t *dst, uint8_t *src1, uint8_t \ for (j = 0; j < size; j++) {\ for (i = 0; i < size; i++)\ - dst[i] = (((w2 * src1[i]) >> 9) + ((w1 * src2[i]) >> 9) + 0x10) >> 5;\ + dst[i] = ((((unsigned)w2 * src1[i]) >> 9) + (((unsigned)w1 * src2[i]) >> 9) + 0x10) >> 5;\ src1 += stride;\ src2 += stride;\ dst += stride;\ 
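Review bot: `ff_set_dimensions(avctx, 320, 200)` in rl2_decode_init hard-codes the frame size as two bare literals with nothing saying why the size is fixed. A comment on the call, `/* RL2 frames have a fixed size; fail early if the caller's limits reject it */`, or two named constants (a constructed `RL2_FRAME_W`/`RL2_FRAME_H`) would make the intent visible at the point the numbers are used. The function continues outside the hunk.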
@@ -391,7 +391,7 @@ static void rv40_weight_func_nornd_ ## size (uint8_t *dst, uint8_t *src1, uint8_ \ for (j = 0; j < size; j++) {\ for (i = 0; i < size; i++)\ - dst[i] = (w2 * src1[i] + w1 * src2[i] + 0x10) >> 5;\ + dst[i] = ((unsigned)w2 * src1[i] + (unsigned)w1 * src2[i] + 0x10) >> 5;\ src1 += stride;\ src2 += stride;\ dst += stride;\ diff --git a/lib/ffmpeg/libavcodec/sanm.c b/lib/ffmpeg/libavcodec/sanm.c index 065bf7aca..432e703ee 100644 --- a/lib/ffmpeg/libavcodec/sanm.c +++ b/lib/ffmpeg/libavcodec/sanm.c @@ -491,6 +491,11 @@ static av_cold int decode_init(AVCodecContext *avctx) ctx->avctx = avctx; ctx->version = !avctx->extradata_size; + // early sanity check before allocations to avoid need for deallocation code. + if (!ctx->version && avctx->extradata_size < 1026) { + av_log(avctx, AV_LOG_ERROR, "Not enough extradata.\n"); + return AVERROR_INVALIDDATA; + } avctx->pix_fmt = ctx->version ? AV_PIX_FMT_RGB565 : AV_PIX_FMT_PAL8; @@ -506,11 +511,6 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!ctx->version) { int i; - if (avctx->extradata_size < 1026) { - av_log(avctx, AV_LOG_ERROR, "Not enough extradata.\n"); - return AVERROR_INVALIDDATA; - } - ctx->subversion = AV_RL16(avctx->extradata); for (i = 0; i < PALETTE_SIZE; i++) ctx->pal[i] = 0xFFU << 24 | AV_RL32(avctx->extradata + 2 + i * 4); diff --git a/lib/ffmpeg/libavcodec/sbrdsp_fixed.c b/lib/ffmpeg/libavcodec/sbrdsp_fixed.c index 07ef12117..840cc7a0b 100644 --- a/lib/ffmpeg/libavcodec/sbrdsp_fixed.c +++ b/lib/ffmpeg/libavcodec/sbrdsp_fixed.c @@ -73,7 +73,7 @@ static void sbr_neg_odd_64_c(int *x) { int i; for (i = 1; i < 64; i += 2) - x[i] = -x[i]; + x[i] = -(unsigned)x[i]; } static void sbr_qmf_pre_shuffle_c(int *z) diff --git a/lib/ffmpeg/libavcodec/shorten.c b/lib/ffmpeg/libavcodec/shorten.c index e4bf2e003..33a99158f 100644 --- a/lib/ffmpeg/libavcodec/shorten.c +++ b/lib/ffmpeg/libavcodec/shorten.c 
@@ -306,22 +306,22 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* subtract offset from previous samples to use in prediction */ if (command == FN_QLPC && coffset) for (i = -pred_order; i < 0; i++) - s->decoded[channel][i] -= coffset; + s->decoded[channel][i] -= (unsigned)coffset; /* decode residual and do LPC prediction */ init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset; for (i = 0; i < s->blocksize; i++) { sum = init_sum; for (j = 0; j < pred_order; j++) - sum += coeffs[j] * s->decoded[channel][i - j - 1]; + sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1]; s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + - (sum >> qshift); + (unsigned)(sum >> qshift); } /* add offset to current samples */ if (command == FN_QLPC && coffset) for (i = 0; i < s->blocksize; i++) - s->decoded[channel][i] += coffset; + s->decoded[channel][i] += (unsigned)coffset; return 0; } @@ -374,9 +374,13 @@ static int read_header(ShortenContext *s) return AVERROR_INVALIDDATA; } s->nmean = get_uint(s, 0); + if (s->nmean > 32768U) { + av_log(s->avctx, AV_LOG_ERROR, "nmean is: %d\n", s->nmean); + return AVERROR_INVALIDDATA; + } skip_bytes = get_uint(s, NSKIPSIZE); - if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { + if ((unsigned)skip_bytes > FFMAX(get_bits_left(&s->gb), 0)/8) { av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes); return AVERROR_INVALIDDATA; } @@ -514,6 +518,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, switch (cmd) { case FN_VERBATIM: len = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); + if (len < 0 || len > get_bits_left(&s->gb)) { + av_log(avctx, AV_LOG_ERROR, "verbatim length %d invalid\n", + len); + return AVERROR_INVALIDDATA; + } while (len--) get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); break; 
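Review bot: The new `nmean` check in read_header compares against the bare literal `32768U` and prints the value with `%d`; the unsigned comparison suggests `nmean` is (or is meant to be treated as) unsigned, in which case `%u` is the matching conversion, and a comment on where 32768 comes from would justify the limit. The verbatim-length check in shorten_decode_frame further down the line is fine as a sanity bound, but `len > get_bits_left(&s->gb)` compares a count of Golomb codes against a count of bits, which is worth a comment so nobody tightens it by accident. Both enclosing functions continue outside their hunks.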
@@ -571,7 +580,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, else { int32_t sum = (s->version < 2) ? 0 : s->nmean / 2; for (i = 0; i < s->nmean; i++) - sum += s->offset[channel][i]; + sum += (unsigned)s->offset[channel][i]; coffset = sum / s->nmean; if (s->version >= 2) coffset = s->bitshift == 0 ? coffset : coffset >> s->bitshift - 1 >> 1; @@ -589,7 +598,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, /* update means with info from the current block */ if (s->nmean > 0) { - int32_t sum = (s->version < 2) ? 0 : s->blocksize / 2; + int64_t sum = (s->version < 2) ? 0 : s->blocksize / 2; for (i = 0; i < s->blocksize; i++) sum += s->decoded[channel][i]; diff --git a/lib/ffmpeg/libavcodec/simple_idct.c b/lib/ffmpeg/libavcodec/simple_idct.c index eeb627999..8957ef566 100644 --- a/lib/ffmpeg/libavcodec/simple_idct.c +++ b/lib/ffmpeg/libavcodec/simple_idct.c @@ -161,7 +161,8 @@ static inline void idct4col_add(uint8_t *dest, int line_size, const int16_t *col #define R_SHIFT 11 static inline void idct4row(int16_t *row) { - int c0, c1, c2, c3, a0, a1, a2, a3; + unsigned c0, c1, c2, c3; + int a0, a1, a2, a3; a0 = row[0]; a1 = row[1]; diff --git a/lib/ffmpeg/libavcodec/smacker.c b/lib/ffmpeg/libavcodec/smacker.c index 8dc474c42..6eadf33d2 100644 --- a/lib/ffmpeg/libavcodec/smacker.c +++ b/lib/ffmpeg/libavcodec/smacker.c @@ -386,6 +386,8 @@ static av_always_inline int smk_get_code(GetBitContext *gb, int *recode, int *la int v; while(*table & SMK_NODE) { + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if(get_bits1(gb)) table += (*table) & (~SMK_NODE); table++; @@ -450,6 +452,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint16_t pix; type = smk_get_code(&gb, smk->type_tbl, smk->type_last); + if (type < 0) + return type; run = block_runs[(type >> 2) & 0x3F]; switch(type & 3){ case SMK_BLK_MONO: 
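Review bot: smk_get_code now returns `AVERROR_INVALIDDATA`, and the decode_frame hunk checks it only at the `type = smk_get_code(...)` call; any other caller of smk_get_code in this file (outside these hunks) that stores the result directly as a pixel or colour index would now accept a negative error code as data. Each such call site needs the same `if (x < 0) return x;` guard, and a comment on the helper, `/* returns a negative AVERROR if the bitstream ends inside the tree walk */`, records the changed contract. smk_get_code's body continues outside the hunk.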
@@ -475,6 +479,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case SMK_BLK_FULL: mode = 0; if(avctx->codec_tag == MKTAG('S', 'M', 'K', '4')) { // In case of Smacker v4 we have three modes + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; if(get_bits1(&gb)) mode = 1; else if(get_bits1(&gb)) mode = 2; } @@ -531,7 +537,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, while(run-- && blk < blocks){ uint32_t col; out = smk->pic->data[0] + (blk / bw) * (stride * 4) + (blk % bw) * 4; - col = mode * 0x01010101; + col = mode * 0x01010101U; for(i = 0; i < 4; i++) { *((uint32_t*)out) = col; out += stride; @@ -740,7 +746,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } val |= h[3].values[res] << 8; - pred[1] += sign_extend(val, 16); + pred[1] += (unsigned)sign_extend(val, 16); *samples++ = pred[1]; } else { if(vlc[0].table) @@ -761,7 +767,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } val |= h[1].values[res] << 8; - pred[0] += sign_extend(val, 16); + pred[0] += (unsigned)sign_extend(val, 16); *samples++ = pred[0]; } } diff --git a/lib/ffmpeg/libavcodec/smc.c b/lib/ffmpeg/libavcodec/smc.c index 18174fa57..66de691e2 100644 --- a/lib/ffmpeg/libavcodec/smc.c +++ b/lib/ffmpeg/libavcodec/smc.c @@ -437,6 +437,10 @@ static int smc_decode_frame(AVCodecContext *avctx, SmcContext *s = avctx->priv_data; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); int ret; + int total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); + + if (total_blocks / 1024 > avpkt->size) + return AVERROR_INVALIDDATA; bytestream2_init(&s->gb, buf, buf_size); diff --git a/lib/ffmpeg/libavcodec/snappy.c b/lib/ffmpeg/libavcodec/snappy.c index 7900b0f97..f5c4c6578 100644 --- a/lib/ffmpeg/libavcodec/snappy.c +++ b/lib/ffmpeg/libavcodec/snappy.c 
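Review bot: The packet-size heuristic `if (total_blocks / 1024 > avpkt->size)` in smc_decode_frame uses an unexplained divisor and reads the dimensions through `s->avctx` although `avctx` is the function's own parameter. A comment stating what 1024 represents (it reads as a worst-case blocks-per-byte figure, but nothing on the page says so) and `avctx->width`/`avctx->height` would make the check self-explanatory. Rejecting silently is also a change from the logged errors nearby; `av_log(avctx, AV_LOG_ERROR, "packet too small for frame size\n");` before the return would help users. The function continues outside the hunk.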
@@ -39,6 +39,8 @@ static int64_t bytestream2_get_levarint(GetByteContext *gb) do { tmp = bytestream2_get_byte(gb); + if (shift > 31 || ((tmp & 127LL) << shift) > INT_MAX) + return AVERROR_INVALIDDATA; val |= (tmp & 127) << shift; shift += 7; } while (tmp & 128); diff --git a/lib/ffmpeg/libavcodec/snowdec.c b/lib/ffmpeg/libavcodec/snowdec.c index fc917e0c3..4e98d3f62 100644 --- a/lib/ffmpeg/libavcodec/snowdec.c +++ b/lib/ffmpeg/libavcodec/snowdec.c @@ -114,7 +114,7 @@ static av_always_inline void predict_slice_buffered(SnowContext *s, slice_buffer static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, slice_buffer * sb, int start_y, int h, int save_state[1]){ const int w= b->width; int y; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int new_index = 0; @@ -205,8 +205,8 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ return AVERROR_INVALIDDATA; } pred_mv(s, &mx, &my, ref, left, top, tr); - mx+= get_symbol(&s->c, &s->block_state[128 + 32*(mx_context + 16*!!ref)], 1); - my+= get_symbol(&s->c, &s->block_state[128 + 32*(my_context + 16*!!ref)], 1); + mx+= (unsigned)get_symbol(&s->c, &s->block_state[128 + 32*(mx_context + 16*!!ref)], 1); + my+= (unsigned)get_symbol(&s->c, &s->block_state[128 + 32*(my_context + 16*!!ref)], 1); } set_blocks(s, level, x, y, l, cb, cr, mx, my, ref, type); }else{ 
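Review bot: bytestream2_get_levarint now returns `AVERROR_INVALIDDATA` from an `int64_t` function whose callers (outside the hunk) previously could assume a non-negative varint; each caller must test for a negative result before using the value as a length, and a note on the function, `/* returns a negative AVERROR on an overlong or overflowing varint */`, records the new contract. The check itself is ordered correctly, since `shift > 31` short-circuits before the potentially undefined shift. The do/while loop begins before the hunk.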
@@ -221,7 +221,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ static void dequantize_slice_buffered(SnowContext *s, slice_buffer * sb, SubBand *b, IDWTELEM *src, int stride, int start_y, int end_y){ const int w= b->width; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); const int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); const int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int x,y; @@ -366,7 +366,10 @@ static int decode_header(SnowContext *s){ htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ - p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1)); + unsigned hcoeff = get_symbol(&s->c, s->header_state, 0); + if (hcoeff > 127) + return AVERROR_INVALIDDATA; + p->hcoeff[i]= hcoeff * (1-2*(i&1)); sum += p->hcoeff[i]; } p->hcoeff[0]= 32-sum; diff --git a/lib/ffmpeg/libavcodec/snowenc.c b/lib/ffmpeg/libavcodec/snowenc.c index 6757971ce..a2b4dda93 100644 --- a/lib/ffmpeg/libavcodec/snowenc.c +++ b/lib/ffmpeg/libavcodec/snowenc.c @@ -302,7 +302,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ if(P_LEFT[1] > (c->ymax<ymax< (c->xmax<xmax< (c->ymax<ymax<xmin<xmin<xmin * (1<xmin * (1< (c->xmax<xmax< (c->ymax<ymax<spatial_dwt_buffer[y*w + x]=s->spatial_idwt_buffer[y*w + x]<spatial_dwt_buffer[y*w + x]= s->spatial_idwt_buffer[y*w + x] * (1 << ENCODER_EXTRA_BITS); } } } diff --git a/lib/ffmpeg/libavcodec/sonic.c b/lib/ffmpeg/libavcodec/sonic.c index 2e3ca79fd..7e4427f74 100644 --- a/lib/ffmpeg/libavcodec/sonic.c +++ b/lib/ffmpeg/libavcodec/sonic.c @@ -140,10 +140,13 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; } a= 1; 
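Review bot: get_symbol in sonic.c now returns `AVERROR_INVALIDDATA` when the exponent exceeds 31, but it is a helper returning `int` whose callers (outside the hunk) read the result as a symbol; for an `is_signed` decode a negative return is indistinguishable from a legitimately negative symbol, so unless every caller is unsigned-only and checks `< 0`, the error is swallowed as data. A separate error signal (an out-parameter or a flag on the context) or a documented guarantee on the function would close that gap. The snowdec hcoeff hunk on this line has the same shape but bounds an `unsigned`, so a negative `get_symbol` result is rejected there by the `> 127` test; a comment saying so would keep that from looking accidental.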
@@ -472,13 +475,13 @@ static int predictor_calc_error(int *k, int *state, int order, int error) for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { int k_value = *k_ptr, state_value = *state_ptr; - x -= shift_down(k_value * state_value, LATTICE_SHIFT); - state_ptr[1] = state_value + shift_down(k_value * x, LATTICE_SHIFT); + x -= (unsigned)shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); + state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else for (i = order-2; i >= 0; i--) { - x -= shift_down(k[i] * state[i], LATTICE_SHIFT); + x -= (unsigned)shift_down(k[i] * state[i], LATTICE_SHIFT); state[i+1] = state[i] + shift_down(k[i] * x, LATTICE_SHIFT); } #endif @@ -977,9 +980,7 @@ static av_cold int sonic_decode_close(AVCodecContext *avctx) av_freep(&s->int_samples); av_freep(&s->tap_quant); av_freep(&s->predictor_k); - - for (i = 0; i < s->channels; i++) - { + for (i = 0; i < MAX_CHANNELS; i++) { av_freep(&s->predictor_state[i]); av_freep(&s->coded_samples[i]); } @@ -1042,7 +1043,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, x += s->channels; } - s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * quant); + s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * (unsigned)quant); x += s->channels; } diff --git a/lib/ffmpeg/libavcodec/sunrast.c b/lib/ffmpeg/libavcodec/sunrast.c index 0af5626e3..e1ec8a083 100644 --- a/lib/ffmpeg/libavcodec/sunrast.c +++ b/lib/ffmpeg/libavcodec/sunrast.c @@ -72,7 +72,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) { av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n"); - return -1; + return AVERROR_PATCHWELCOME; } switch (depth) { 
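Review bot: The `#else` branch of predictor_calc_error keeps the signed multiplies that the `#if` branch converts: `k[i] * state[i]` and `k[i] * x` are still signed int products, so the overflow this hunk addresses remains on that configuration. Mirroring the first branch gives `x -= (unsigned)shift_down(k[i] * (unsigned)state[i], LATTICE_SHIFT);` and `state[i+1] = state[i] + shift_down(k[i] * (unsigned)x, LATTICE_SHIFT);`. The surrounding loop and the `#if`/`#else` selection start before the hunk.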
@@ -100,14 +100,18 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; + /* scanlines are aligned on 16 bit boundaries */ + len = (depth * w + 7) >> 3; + alen = len + (len & 1); + + if (buf_end - buf < maplength + (len * h) * 3 / 256) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; p->pict_type = AV_PICTURE_TYPE_I; - if (buf_end - buf < maplength) - return AVERROR_INVALIDDATA; - if (depth > 8 && maplength) { av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n"); @@ -132,14 +136,10 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR(ENOMEM); stride = (w + 15 >> 3) * depth; } else { - ptr = p->data[0]; - stride = p->linesize[0]; + ptr = p->data[0]; + stride = p->linesize[0]; } - /* scanlines are aligned on 16 bit boundaries */ - len = (depth * w + 7) >> 3; - alen = len + (len & 1); - if (type == RT_BYTE_ENCODED) { int value, run; uint8_t *end = ptr + h * stride; diff --git a/lib/ffmpeg/libavcodec/svq1dec.c b/lib/ffmpeg/libavcodec/svq1dec.c index dca99fae4..0485245a8 100644 --- a/lib/ffmpeg/libavcodec/svq1dec.c +++ b/lib/ffmpeg/libavcodec/svq1dec.c @@ -602,6 +602,8 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) if (skip_1stop_8data_bits(bitbuf) < 0) return AVERROR_INVALIDDATA; } + if (get_bits_left(bitbuf) <= 0) + return AVERROR_INVALIDDATA; s->width = width; s->height = height; diff --git a/lib/ffmpeg/libavcodec/svq1enc.c b/lib/ffmpeg/libavcodec/svq1enc.c index 1e1745e7b..e75f08ab5 100644 --- a/lib/ffmpeg/libavcodec/svq1enc.c +++ b/lib/ffmpeg/libavcodec/svq1enc.c 
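Review bot: The minimum-size test `buf_end - buf < maplength + (len * h) * 3 / 256` in sunrast_decode_frame introduces an unexplained ratio and evaluates `(len * h) * 3` in int; with 32-bit depth at large dimensions that product can exceed INT_MAX, whether that is reachable depends on the dimension limits enforced before this point. `(int64_t)len * h * 3 / 256` removes the question, and a comment explaining the 3/256 figure (presumably a worst-case compression bound for the encoded types) would justify the heuristic. decode_frame continues outside the hunk.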
@@ -496,9 +496,10 @@ static av_cold int svq1_encode_end(AVCodecContext *avctx) SVQ1EncContext *const s = avctx->priv_data; int i; - av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", - s->rd_total / (double)(avctx->width * avctx->height * - avctx->frame_number)); + if (avctx->frame_number) + av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", + s->rd_total / (double)(avctx->width * avctx->height * + avctx->frame_number)); s->m.mb_type = NULL; ff_mpv_common_end(&s->m); diff --git a/lib/ffmpeg/libavcodec/svq3.c b/lib/ffmpeg/libavcodec/svq3.c index fdf2e00a9..50e6e1b0e 100644 --- a/lib/ffmpeg/libavcodec/svq3.c +++ b/lib/ffmpeg/libavcodec/svq3.c @@ -953,6 +953,7 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) GetBitContext gb; int frame_size_code; int unk0, unk1, unk2, unk3, unk4; + int width,height; size = AV_RB32(&extradata[4]); if (size > extradata_end - extradata - 8) { @@ -965,38 +966,41 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) frame_size_code = get_bits(&gb, 3); switch (frame_size_code) { case 0: - avctx->width = 160; - avctx->height = 120; + width = 160; + height = 120; break; case 1: - avctx->width = 128; - avctx->height = 96; + width = 128; + height = 96; break; case 2: - avctx->width = 176; - avctx->height = 144; + width = 176; + height = 144; break; case 3: - avctx->width = 352; - avctx->height = 288; + width = 352; + height = 288; break; case 4: - avctx->width = 704; - avctx->height = 576; + width = 704; + height = 576; break; case 5: - avctx->width = 240; - avctx->height = 180; + width = 240; + height = 180; break; case 6: - avctx->width = 320; - avctx->height = 240; + width = 320; + height = 240; break; case 7: - avctx->width = get_bits(&gb, 12); - avctx->height = get_bits(&gb, 12); + width = get_bits(&gb, 12); + height = get_bits(&gb, 12); break; } + ret = ff_set_dimensions(avctx, width, height); + if (ret < 0) + goto fail; s->halfpel_flag = get_bits1(&gb); s->thirdpel_flag = get_bits1(&gb); 
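Review bot: `int width,height;` in svq3_decode_init lacks the space after the comma that the surrounding declarations use, and the new `ret = ff_set_dimensions(avctx, width, height); if (ret < 0) goto fail;` relies on `ret` and a `fail` label that are outside the visible hunk; confirm that label releases whatever the function has allocated by that point. Since every case of the 3-bit `frame_size_code` assigns both variables, they are always initialised before the call, which is worth a one-line comment so a future case without assignments is caught in review.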
diff --git a/lib/ffmpeg/libavcodec/tableprint_vlc.h b/lib/ffmpeg/libavcodec/tableprint_vlc.h index 675251a83..b3ff36562 100644 --- a/lib/ffmpeg/libavcodec/tableprint_vlc.h +++ b/lib/ffmpeg/libavcodec/tableprint_vlc.h @@ -35,6 +35,8 @@ #define av_freep(p) while(0) #define AVCODEC_AVCODEC_H #define AVCODEC_INTERNAL_H +#define AV_INPUT_BUFFER_PADDING_SIZE 64 // the value does not matter for this +#define avpriv_request_sample(...) #include "tableprint.h" #include "get_bits.h" #include "mathtables.c" diff --git a/lib/ffmpeg/libavcodec/targa.c b/lib/ffmpeg/libavcodec/targa.c index 215c0f51f..879b21d13 100644 --- a/lib/ffmpeg/libavcodec/targa.c +++ b/lib/ffmpeg/libavcodec/targa.c @@ -132,12 +132,6 @@ static int decode_frame(AVCodecContext *avctx, h = bytestream2_get_le16(&s->gb); bpp = bytestream2_get_byte(&s->gb); - if (bytestream2_get_bytes_left(&s->gb) <= idlen) { - av_log(avctx, AV_LOG_ERROR, - "Not enough data to read header\n"); - return AVERROR_INVALIDDATA; - } - flags = bytestream2_get_byte(&s->gb); if (!pal && (first_clr || colors || csize)) { @@ -146,6 +140,12 @@ static int decode_frame(AVCodecContext *avctx, first_clr = colors = csize = 0; } + if (bytestream2_get_bytes_left(&s->gb) < idlen + 2*colors) { + av_log(avctx, AV_LOG_ERROR, + "Not enough data to read header\n"); + return AVERROR_INVALIDDATA; + } + // skip identifier if any bytestream2_skip(&s->gb, idlen); diff --git a/lib/ffmpeg/libavcodec/tdsc.c b/lib/ffmpeg/libavcodec/tdsc.c index 63cd44341..5ad4a0df3 100644 --- a/lib/ffmpeg/libavcodec/tdsc.c +++ b/lib/ffmpeg/libavcodec/tdsc.c @@ -387,7 +387,7 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) for (i = 0; i < number_tiles; i++) { int tile_size; int tile_mode; - int x, y, w, h; + int x, y, x2, y2, w, h; int ret; if (bytestream2_get_bytes_left(&ctx->gbc) < 4 || 
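Review bot: The relocated header check in targa's decode_frame, `bytestream2_get_bytes_left(&s->gb) < idlen + 2*colors`, now also budgets for the palette, but `2*colors` is an unexplained constant; if it is the smallest palette-entry size the comment should say so, e.g. `// id block plus at least 2 bytes per palette entry`. The message `"Not enough data to read header\n"` is now also emitted when only the palette is short, so a wording such as `"Not enough data for header and palette\n"` would be more accurate. decode_frame continues outside the hunk.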
@@ -405,20 +405,19 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) bytestream2_skip(&ctx->gbc, 4); // unknown x = bytestream2_get_le32(&ctx->gbc); y = bytestream2_get_le32(&ctx->gbc); - w = bytestream2_get_le32(&ctx->gbc) - x; - h = bytestream2_get_le32(&ctx->gbc) - y; + x2 = bytestream2_get_le32(&ctx->gbc); + y2 = bytestream2_get_le32(&ctx->gbc); - if (x >= ctx->width || y >= ctx->height) { + if (x < 0 || y < 0 || x2 <= x || y2 <= y || + x2 > ctx->width || y2 > ctx->height + ) { av_log(avctx, AV_LOG_ERROR, - "Invalid tile position (%d.%d outside %dx%d).\n", - x, y, ctx->width, ctx->height); - return AVERROR_INVALIDDATA; - } - if (x + w > ctx->width || y + h > ctx->height) { - av_log(avctx, AV_LOG_ERROR, - "Invalid tile size %dx%d\n", w, h); + "Invalid tile position (%d.%d %d.%d outside %dx%d).\n", + x, y, x2, y2, ctx->width, ctx->height); return AVERROR_INVALIDDATA; } + w = x2 - x; + h = y2 - y; ret = av_reallocp(&ctx->tilebuffer, tile_size); if (!ctx->tilebuffer) diff --git a/lib/ffmpeg/libavcodec/tiff.c b/lib/ffmpeg/libavcodec/tiff.c index fcfa32dc8..50fcd73bb 100644 --- a/lib/ffmpeg/libavcodec/tiff.c +++ b/lib/ffmpeg/libavcodec/tiff.c @@ -64,6 +64,7 @@ typedef struct TiffContext { int predictor; int fill_order; uint32_t res[4]; + unsigned last_tag; int strips, rps, sstype; int sot; @@ -789,6 +790,12 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (ret < 0) { goto end; } + if (tag <= s->last_tag) + return AVERROR_INVALIDDATA; + + // We ignore TIFF_STRIP_SIZE as it is sometimes in the logic but wrong order around TIFF_STRIP_OFFS + if (tag != TIFF_STRIP_SIZE) + s->last_tag = tag; off = bytestream2_tell(&s->gb); if (count == 1) { @@ -819,7 +826,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->height = value; break; case TIFF_BPP: - if (count > 4U) { + if (count > 4 || count <= 0) { av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", value, count); 
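Review bot: The new ordering check in tiff_decode_tag, `if (tag <= s->last_tag) return AVERROR_INVALIDDATA;`, returns directly while the error path immediately above it uses `goto end`; `ret = AVERROR_INVALIDDATA; goto end;` keeps the single exit and whatever `end:` does (outside the hunk). It also rejects silently, so files with out-of-order tags that the previous decoder accepted now fail with no message; `av_log(s->avctx, AV_LOG_ERROR, "tags are not in ascending order\n");` would save a bisect. The comment on the exemption reads awkwardly; `// TIFF_STRIP_SIZE is exempt: some writers emit it out of order relative to TIFF_STRIP_OFFS` says the same thing.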
@@ -850,9 +857,9 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) "Samples per pixel requires a single value, many provided\n"); return AVERROR_INVALIDDATA; } - if (value > 4U) { + if (value > 4 || value <= 0) { av_log(s->avctx, AV_LOG_ERROR, - "Samples per pixel %d is too large\n", value); + "Invalid samples per pixel %d\n", value); return AVERROR_INVALIDDATA; } if (s->bppcount == 1) @@ -1221,6 +1228,7 @@ static int decode_frame(AVCodecContext *avctx, s->photometric = TIFF_PHOTOMETRIC_NONE; s->compr = TIFF_RAW; s->fill_order = 0; + s->last_tag = 0; free_geotags(s); // Reset these offsets so we can tell if they were set this frame diff --git a/lib/ffmpeg/libavcodec/truemotion1.c b/lib/ffmpeg/libavcodec/truemotion1.c index fdbc2f93f..b63abbc18 100644 --- a/lib/ffmpeg/libavcodec/truemotion1.c +++ b/lib/ffmpeg/libavcodec/truemotion1.c @@ -444,6 +444,8 @@ static int truemotion1_decode_header(TrueMotion1Context *s) if (s->flags & FLAG_KEYFRAME) { /* no change bits specified for a keyframe; only index bytes */ s->index_stream = s->mb_change_bits; + if (s->avctx->width * s->avctx->height / 2048 + header.header_size > s->size) + return AVERROR_INVALIDDATA; } else { /* one change bit per 4x4 block */ s->index_stream = s->mb_change_bits + diff --git a/lib/ffmpeg/libavcodec/truemotion2.c b/lib/ffmpeg/libavcodec/truemotion2.c index b77df57ba..5b9fa565f 100644 --- a/lib/ffmpeg/libavcodec/truemotion2.c +++ b/lib/ffmpeg/libavcodec/truemotion2.c @@ -63,6 +63,7 @@ typedef struct TM2Context { AVFrame *pic; GetBitContext gb; + int error; BswapDSPContext bdsp; uint8_t *buffer; @@ -390,6 +391,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) { if (ctx->tok_ptrs[type] >= ctx->tok_lens[type]) { av_log(ctx->avctx, AV_LOG_ERROR, "Read token from stream %i out of bounds (%i>=%i)\n", type, ctx->tok_ptrs[type], ctx->tok_lens[type]); + ctx->error = 1; return 0; } if (type <= TM2_MOT) { 
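Review bot: The keyframe size test in truemotion1_decode_header, `s->avctx->width * s->avctx->height / 2048 + header.header_size > s->size`, uses an unexplained divisor; a comment stating what 2048 stands for (it reads as a minimum bytes-per-pixel-area bound, but nothing on the page says so) would make the heuristic reviewable. Whether `width * height` can overflow int here depends on limits set outside the hunk; if they are not bounded, `(int64_t)` on the first factor is cheap insurance. The function continues outside the hunk.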
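Review bot: `ctx->error` is set by GET_TOK and tested after every block in tm2_decode_blocks (hunk on a later line), but nothing in these hunks clears it; unless decode_frame (outside the hunk) resets `ctx->error = 0` before decoding, the first out-of-bounds token makes every later frame fail. Either reset it at the top of tm2_decode_blocks or document the contract on the field, `int error; ///< set by GET_TOK on an out-of-bounds token; must be cleared per frame`. The check in tm2_decode_blocks runs once per block, which is fine, but a comment there saying GET_TOK cannot signal failure by return value explains the indirection.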
@@ -441,7 +443,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* common operations - add deltas to 4x4 block of luma or 2x2 blocks of chroma */ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *deltas, int *last) { - int ct, d; + unsigned ct, d; int i, j; for (j = 0; j < 4; j++){ @@ -470,7 +472,7 @@ static inline void tm2_high_chroma(int *data, int stride, int *last, unsigned *C } } -static inline void tm2_low_chroma(int *data, int stride, int *clast, int *CD, int *deltas, int bx) +static inline void tm2_low_chroma(int *data, int stride, int *clast, unsigned *CD, int *deltas, int bx) { int t; int l; @@ -480,8 +482,8 @@ static inline void tm2_low_chroma(int *data, int stride, int *clast, int *CD, in prev = clast[-3]; else prev = 0; - t = (CD[0] + CD[1]) >> 1; - l = (prev - CD[0] - CD[1] + clast[1]) >> 1; + t = (int)(CD[0] + CD[1]) >> 1; + l = (int)(prev - CD[0] - CD[1] + clast[1]) >> 1; CD[1] = CD[0] + CD[1] - t; CD[0] = t; clast[0] = l; @@ -558,15 +560,15 @@ static inline void tm2_low_res_block(TM2Context *ctx, AVFrame *pic, int bx, int deltas[10] = GET_TOK(ctx, TM2_L_LO); if (bx > 0) - last[0] = (last[-1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3] + last[1]) >> 1; + last[0] = (int)((unsigned)last[-1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3] + last[1]) >> 1; else - last[0] = (last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; - last[2] = (last[1] + last[3]) >> 1; + last[0] = (int)((unsigned)last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; + last[2] = (int)((unsigned)last[1] + last[3]) >> 1; - t1 = ctx->D[0] + ctx->D[1]; + t1 = ctx->D[0] + (unsigned)ctx->D[1]; ctx->D[0] = t1 >> 1; ctx->D[1] = t1 - (t1 >> 1); - t2 = ctx->D[2] + ctx->D[3]; + t2 = ctx->D[2] + (unsigned)ctx->D[3]; ctx->D[2] = t2 >> 1; ctx->D[3] = t2 - (t2 >> 1); 
@@ -577,7 +579,8 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int { int i; int ct; - int left, right, diff; + unsigned left, right; + int diff; int deltas[16]; TM2_INIT_POINTERS(); @@ -595,7 +598,7 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int ct = ctx->D[0] + ctx->D[1] + ctx->D[2] + ctx->D[3]; if (bx > 0) - left = last[-1] - ct; + left = last[-1] - (unsigned)ct; else left = 0; @@ -606,7 +609,7 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int last[2] = right - (diff >> 2); last[3] = right; { - int tp = left; + unsigned tp = left; ctx->D[0] = (tp + (ct >> 2)) - left; left += ctx->D[0]; @@ -657,14 +660,14 @@ static inline void tm2_still_block(TM2Context *ctx, AVFrame *pic, int bx, int by static inline void tm2_update_block(TM2Context *ctx, AVFrame *pic, int bx, int by) { int i, j; - int d; + unsigned d; TM2_INIT_POINTERS_2(); /* update chroma */ for (j = 0; j < 2; j++) { for (i = 0; i < 2; i++) { - U[i] = Uo[i] + GET_TOK(ctx, TM2_UPD); - V[i] = Vo[i] + GET_TOK(ctx, TM2_UPD); + U[i] = Uo[i] + (unsigned)GET_TOK(ctx, TM2_UPD); + V[i] = Vo[i] + (unsigned)GET_TOK(ctx, TM2_UPD); } U += Ustride; V += Vstride; 
@@ -677,15 +680,15 @@ static inline void tm2_update_block(TM2Context *ctx, AVFrame *pic, int bx, int b TM2_RECALC_BLOCK(V, Vstride, (clast + 2), (ctx->CD + 2)); /* update deltas */ - ctx->D[0] = Yo[3] - last[3]; - ctx->D[1] = Yo[3 + oYstride] - Yo[3]; - ctx->D[2] = Yo[3 + oYstride * 2] - Yo[3 + oYstride]; - ctx->D[3] = Yo[3 + oYstride * 3] - Yo[3 + oYstride * 2]; + ctx->D[0] = (unsigned)Yo[3] - last[3]; + ctx->D[1] = (unsigned)Yo[3 + oYstride] - Yo[3]; + ctx->D[2] = (unsigned)Yo[3 + oYstride * 2] - Yo[3 + oYstride]; + ctx->D[3] = (unsigned)Yo[3 + oYstride * 3] - Yo[3 + oYstride * 2]; for (j = 0; j < 4; j++) { d = last[3]; for (i = 0; i < 4; i++) { - Y[i] = Yo[i] + GET_TOK(ctx, TM2_UPD); + Y[i] = Yo[i] + (unsigned)GET_TOK(ctx, TM2_UPD); last[i] = Y[i]; } ctx->D[j] = last[3] - d; @@ -740,10 +743,10 @@ static inline void tm2_motion_block(TM2Context *ctx, AVFrame *pic, int bx, int b } /* calculate deltas */ Y -= Ystride * 4; - ctx->D[0] = Y[3] - last[3]; - ctx->D[1] = Y[3 + Ystride] - Y[3]; - ctx->D[2] = Y[3 + Ystride * 2] - Y[3 + Ystride]; - ctx->D[3] = Y[3 + Ystride * 3] - Y[3 + Ystride * 2]; + ctx->D[0] = (unsigned)Y[3] - last[3]; + ctx->D[1] = (unsigned)Y[3 + Ystride] - Y[3]; + ctx->D[2] = (unsigned)Y[3 + Ystride * 2] - Y[3 + Ystride]; + ctx->D[3] = (unsigned)Y[3 + Ystride * 3] - Y[3 + Ystride * 2]; for (i = 0; i < 4; i++) last[i] = Y[i + Ystride * 3]; } @@ -801,6 +804,8 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) default: av_log(ctx->avctx, AV_LOG_ERROR, "Skipping unknown block type %i\n", type); } + if (ctx->error) + return AVERROR_INVALIDDATA; } } @@ -811,7 +816,7 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) dst = p->data[0]; for (j = 0; j < h; j++) { for (i = 0; i < w; i++) { - int y = Y[i], u = U[i >> 1], v = V[i >> 1]; + unsigned y = Y[i], u = U[i >> 1], v = V[i >> 1]; dst[3*i+0] = av_clip_uint8(y + v); dst[3*i+1] = av_clip_uint8(y); dst[3*i+2] = av_clip_uint8(y + u); 
@@ -881,6 +886,8 @@ static int decode_frame(AVCodecContext *avctx, int offset = TM2_HEADER_SIZE; int i, t, ret; + l->error = 0; + av_fast_padded_malloc(&l->buffer, &l->buffer_size, buf_size); if (!l->buffer) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); diff --git a/lib/ffmpeg/libavcodec/tta.c b/lib/ffmpeg/libavcodec/tta.c index 1e2e9c4ef..26800d7d2 100644 --- a/lib/ffmpeg/libavcodec/tta.c +++ b/lib/ffmpeg/libavcodec/tta.c @@ -225,7 +225,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, GetBitContext gb; int i, ret; int cur_chan = 0, framelen = s->frame_length; - int32_t *p; + uint32_t *p; if (avctx->err_recognition & AV_EF_CRCCHECK) { if (buf_size < 4 || @@ -259,7 +259,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, } i = 0; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) { + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) { int32_t *predictor = &s->ch_ctx[cur_chan].predictor; TTAFilter *filter = &s->ch_ctx[cur_chan].filter; TTARice *rice = &s->ch_ctx[cur_chan].rice; @@ -332,7 +332,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, // decorrelate in case of multiple channels if (s->channels > 1) { int32_t *r = p - 1; - for (*p += *r / 2; r > p - s->channels; r--) + for (*p += *r / 2; r > (int32_t*)p - s->channels; r--) *r = *(r + 1) - *r; } cur_chan = 0; 
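Review bot: Changing `p` to `uint32_t *` in tta_decode_frame turns every loop bound into `(int32_t*)p < s->decode_buffer + (framelen * s->channels)` (here, and twice more in the next hunk on the following line), which is hard to read and easy to break on the next edit. Computing the bound once, `uint32_t *const end = (uint32_t *)(s->decode_buffer + framelen * s->channels);`, and looping with `p < end` preserves the unsigned arithmetic the commit is after without a cast in each comparison; the decorrelation bound `r > (int32_t*)p - s->channels` would still need its cast since `r` stays `int32_t *`. The loop body continues outside the hunk.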
@@ -356,13 +356,13 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, switch (s->bps) { case 1: { uint8_t *samples = (uint8_t *)frame->data[0]; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) *samples++ = *p + 0x80; break; } case 2: { int16_t *samples = (int16_t *)frame->data[0]; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) *samples++ = *p; break; } @@ -370,7 +370,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; for (i = 0; i < framelen * s->channels; i++) - *samples++ <<= 8; + *samples++ *= 256; // reset decode buffer s->decode_buffer = NULL; break; diff --git a/lib/ffmpeg/libavcodec/ttadata.c b/lib/ffmpeg/libavcodec/ttadata.c index bf793a4cc..aa9f418a7 100644 --- a/lib/ffmpeg/libavcodec/ttadata.c +++ b/lib/ffmpeg/libavcodec/ttadata.c @@ -30,7 +30,8 @@ const uint32_t ff_tta_shift_1[] = { 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, 0x20000000, 0x40000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, - 0x80000000, 0x80000000, 0x80000000, 0x80000000 + 0x80000000, 0x80000000, 0x80000000, 0x80000000, + 0xFFFFFFFF }; const uint32_t * const ff_tta_shift_16 = ff_tta_shift_1 + 4; diff --git a/lib/ffmpeg/libavcodec/twinvq.c b/lib/ffmpeg/libavcodec/twinvq.c index 7b2e19e53..34ca1846b 100644 --- a/lib/ffmpeg/libavcodec/twinvq.c +++ b/lib/ffmpeg/libavcodec/twinvq.c 
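Review bot: `*samples++ *= 256;` removes the left shift of a possibly negative value, but it is still a signed multiplication, so a decoded sample outside the 24-bit range (possible on corrupt input unless the decoder clamps earlier, which is not visible in this hunk) still overflows `int32_t`, which is undefined just like the shift was. Doing the scaling in unsigned makes it defined in every case: `*samples = (int32_t)((uint32_t)*samples * 256u); samples++;`. The enclosing `switch (s->bps)` begins outside the hunk.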
@@ -771,23 +771,26 @@ av_cold int ff_twinvq_decode_init(AVCodecContext *avctx) { int ret; TwinVQContext *tctx = avctx->priv_data; + int64_t frames_per_packet; tctx->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (!avctx->block_align) { avctx->block_align = tctx->frame_size + 7 >> 3; - } else if (avctx->block_align * 8 < tctx->frame_size) { - av_log(avctx, AV_LOG_ERROR, "Block align is %d bits, expected %d\n", - avctx->block_align * 8, tctx->frame_size); + } + frames_per_packet = avctx->block_align * 8LL / tctx->frame_size; + if (frames_per_packet <= 0) { + av_log(avctx, AV_LOG_ERROR, "Block align is %"PRId64" bits, expected %d\n", + avctx->block_align * (int64_t)8, tctx->frame_size); return AVERROR_INVALIDDATA; } - tctx->frames_per_packet = avctx->block_align * 8 / tctx->frame_size; - if (tctx->frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) { - av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%d)\n", - tctx->frames_per_packet); + if (frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) { + av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%"PRId64")\n", + frames_per_packet); return AVERROR_INVALIDDATA; } + tctx->frames_per_packet = frames_per_packet; tctx->fdsp = avpriv_float_dsp_alloc(avctx->flags & AV_CODEC_FLAG_BITEXACT); if (!tctx->fdsp) { diff --git a/lib/ffmpeg/libavcodec/twinvqdec.c b/lib/ffmpeg/libavcodec/twinvqdec.c index 5f4dd350a..51b863507 100644 --- a/lib/ffmpeg/libavcodec/twinvqdec.c +++ b/lib/ffmpeg/libavcodec/twinvqdec.c @@ -404,7 +404,7 @@ static av_cold int twinvq_decode_init(AVCodecContext *avctx) tctx->frame_size = avctx->bit_rate * tctx->mtab->size / avctx->sample_rate + 8; tctx->is_6kbps = 0; - if (avctx->block_align && avctx->block_align * 8 / tctx->frame_size > 1) { + if (avctx->block_align && avctx->block_align * 8LL / tctx->frame_size > 1) { av_log(avctx, AV_LOG_ERROR, "VQF TwinVQ should have only one frame per packet\n"); return AVERROR_INVALIDDATA; 
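Review bot: `frames_per_packet = avctx->block_align * 8LL / tctx->frame_size;` divides by `tctx->frame_size` with no check, and the block_align fallback just above also assumes frame_size is meaningful; if any caller of ff_twinvq_decode_init can reach this point with `frame_size == 0` (twinvqdec's computation on this page adds 8, but other callers are not shown), this is a division by zero. A guard ahead of the division, `if (tctx->frame_size <= 0) return AVERROR_INVALIDDATA;`, makes the shared init robust independent of its callers. The 64-bit widening and the narrowing store `tctx->frames_per_packet = frames_per_packet;` after the TWINVQ_MAX_FRAMES_PER_PACKET bound look correct.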
diff --git a/lib/ffmpeg/libavcodec/txd.c b/lib/ffmpeg/libavcodec/txd.c index 0c95faaf8..09c191a2c 100644 --- a/lib/ffmpeg/libavcodec/txd.c +++ b/lib/ffmpeg/libavcodec/txd.c @@ -43,6 +43,9 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int i, j; int ret; + if (avpkt->size < 88) + return AVERROR_INVALIDDATA; + ff_texturedsp_init(&dxtc); bytestream2_init(&gb, avpkt->data, avpkt->size); diff --git a/lib/ffmpeg/libavcodec/unary.h b/lib/ffmpeg/libavcodec/unary.h index 908dc9350..d57f9f70c 100644 --- a/lib/ffmpeg/libavcodec/unary.h +++ b/lib/ffmpeg/libavcodec/unary.h @@ -28,7 +28,20 @@ * @param gb GetBitContext * @param[in] stop The bitstop value (unary code of 1's or 0's) * @param[in] len Maximum length - * @return Unary length/index + * @return unary 0 based code index. This is also the length in bits of the + * code excluding the stop bit. + * (in case len=1) + * 1 0 + * 0 1 + * (in case len=2) + * 1 0 + * 01 1 + * 00 2 + * (in case len=3) + * 1 0 + * 01 1 + * 001 2 + * 000 3 */ static inline int get_unary(GetBitContext *gb, int stop, int len) { diff --git a/lib/ffmpeg/libavcodec/utils.c b/lib/ffmpeg/libavcodec/utils.c index 6f54f530a..4c470f13d 100644 --- a/lib/ffmpeg/libavcodec/utils.c +++ b/lib/ffmpeg/libavcodec/utils.c @@ -396,6 +396,16 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 8; h_align = 8; } + if (s->codec_id == AV_CODEC_ID_MJPEG || + s->codec_id == AV_CODEC_ID_MJPEGB || + s->codec_id == AV_CODEC_ID_LJPEG || + s->codec_id == AV_CODEC_ID_SMVJPEG || + s->codec_id == AV_CODEC_ID_AMV || + s->codec_id == AV_CODEC_ID_SP5X || + s->codec_id == AV_CODEC_ID_JPEGLS) { + w_align = 8; + h_align = 2*8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || 
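Review bot: The new `if (avpkt->size < 88)` guard in txd_decode_frame is a bare magic number; nothing in the hunk says which header fields those 88 bytes cover, so whoever next changes the header parsing (which follows outside this hunk) cannot tell whether the bound must move with it. Tie it to the layout, e.g. `if (avpkt->size < 88) /* fixed TXD header consumed by the reads below — confirm count against them */`, or better a named constant beside the other sizes in the file.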
@@ -420,7 +430,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); - if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) { + if (s->codec_id == AV_CODEC_ID_H264 || s->lowres || + s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 || + s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A + ) { // some of the optimized chroma MC reads one line too much // which is also done in mpeg decoders with lowres > 0 *height += 2; @@ -1466,6 +1479,16 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code ret = AVERROR(EINVAL); goto free_and_end; } + if (avctx->sample_rate < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample rate: %d\n", avctx->sample_rate); + ret = AVERROR(EINVAL); + goto free_and_end; + } + if (avctx->block_align < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid block align: %d\n", avctx->block_align); + ret = AVERROR(EINVAL); + goto free_and_end; + } avctx->codec = codec; if ((avctx->codec_type == AVMEDIA_TYPE_UNKNOWN || avctx->codec_type == codec->type) && @@ -3460,8 +3483,11 @@ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) if (ch > 0) { /* calc from sample rate and channels */ - if (id == AV_CODEC_ID_BINKAUDIO_DCT) + if (id == AV_CODEC_ID_BINKAUDIO_DCT) { + if (sr / 22050 > 22) + return 0; return (480 << (sr / 22050)) / ch; + } } } @@ -3505,7 +3531,10 @@ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) case AV_CODEC_ID_ADPCM_AFC: return frame_bytes / (9 * ch) * 16; case AV_CODEC_ID_ADPCM_DTK: - return frame_bytes / (16 * ch) * 28; + frame_bytes /= 16 * ch; + if (frame_bytes > INT_MAX / 28) + return 0; + return frame_bytes * 28; case AV_CODEC_ID_ADPCM_4XM: case AV_CODEC_ID_ADPCM_IMA_ISS: return (frame_bytes - 4 * ch) * 2 / ch; diff --git a/lib/ffmpeg/libavcodec/utvideodec.c b/lib/ffmpeg/libavcodec/utvideodec.c index 760d9e5a7..56aecd514 100644 
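Review bot: In av_get_audio_frame_duration the Bink guard `if (sr / 22050 > 22) return 0;` is correct but opaque: the reader has to work out that `480 << 23` exceeds INT_MAX to see why 22 is the limit. A comment on the guard, `/* 480 << 23 would overflow int */`, records the derivation so the constant survives future edits. Returning 0 for out-of-range input matches what the ADPCM_DTK hunk below does with `frame_bytes > INT_MAX / 28`, so the two are at least consistent.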
--- a/lib/ffmpeg/libavcodec/utvideodec.c +++ b/lib/ffmpeg/libavcodec/utvideodec.c @@ -28,6 +28,7 @@ #include #include "libavutil/intreadwrite.h" +#include "libavutil/pixdesc.h" #include "avcodec.h" #include "bswapdsp.h" #include "bytestream.h" @@ -108,7 +109,7 @@ static int decode_plane(UtvideoContext *c, int plane_no, for (i = 0; i < width * step; i += step) { pix = fsym; if (use_pred) { - prev += pix; + prev += (unsigned)pix; pix = prev; } dest[i] = pix; @@ -474,6 +475,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, static av_cold int decode_init(AVCodecContext *avctx) { UtvideoContext * const c = avctx->priv_data; + int h_shift, v_shift; c->avctx = avctx; @@ -538,6 +540,13 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &h_shift, &v_shift); + if ((avctx->width & ((1<height & ((1<avctx, AV_LOG_ERROR, "Insufficient data\n"); + return AVERROR_INVALIDDATA; + } blocktypes = bytestream2_get_byte(&g); } switch (blocktypes & 0xC0) { @@ -195,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint32_t size; int offset = 0; + if (avpkt->size < 2) + return AVERROR_INVALIDDATA; + bytestream2_init(&c->stream, avpkt->data, avpkt->size); if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) diff --git a/lib/ffmpeg/libavcodec/vc1.c b/lib/ffmpeg/libavcodec/vc1.c index 08e1f2c4c..01647237e 100644 --- a/lib/ffmpeg/libavcodec/vc1.c +++ b/lib/ffmpeg/libavcodec/vc1.c 
@@ -457,7 +457,11 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb) h = get_bits(gb, 8) + 1; v->s.avctx->sample_aspect_ratio = (AVRational){w, h}; } else { - av_reduce(&v->s.avctx->sample_aspect_ratio.num, + if (v->s.avctx->width > v->max_coded_width || + v->s.avctx->height > v->max_coded_height) { + avpriv_request_sample(v->s.avctx, "Huge resolution"); + } else + av_reduce(&v->s.avctx->sample_aspect_ratio.num, &v->s.avctx->sample_aspect_ratio.den, v->s.avctx->height * w, v->s.avctx->width * h, @@ -938,7 +942,9 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) else if ((v->s.pict_type != AV_PICTURE_TYPE_B) && (v->s.pict_type != AV_PICTURE_TYPE_BI)) { v->refdist = get_bits(gb, 2); if (v->refdist == 3) - v->refdist += get_unary(gb, 0, 16); + v->refdist += get_unary(gb, 0, 14); + if (v->refdist > 16) + return AVERROR_INVALIDDATA; } if ((v->s.pict_type == AV_PICTURE_TYPE_B) || (v->s.pict_type == AV_PICTURE_TYPE_BI)) { if (read_bfraction(v, gb) < 0) @@ -1312,16 +1318,17 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) break; } - if (v->fcm != PROGRESSIVE && !v->s.quarter_sample) { - v->range_x <<= 1; - v->range_y <<= 1; - } /* AC Syntax */ v->c_ac_table_index = decode012(gb); if (v->s.pict_type == AV_PICTURE_TYPE_I || v->s.pict_type == AV_PICTURE_TYPE_BI) { v->y_ac_table_index = decode012(gb); } + else if (v->fcm != PROGRESSIVE && !v->s.quarter_sample) { + v->range_x <<= 1; + v->range_y <<= 1; + } + /* DC Syntax */ v->s.dc_table_index = get_bits1(gb); if ((v->s.pict_type == AV_PICTURE_TYPE_I || v->s.pict_type == AV_PICTURE_TYPE_BI) diff --git a/lib/ffmpeg/libavcodec/vc1_block.c b/lib/ffmpeg/libavcodec/vc1_block.c index 255ba1da7..ad1f3d289 100644 --- a/lib/ffmpeg/libavcodec/vc1_block.c +++ b/lib/ffmpeg/libavcodec/vc1_block.c 
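Review bot: The refdist hunk shortens the unary read to 14 and then rejects `v->refdist > 16`, but the reasoning is not written down: per the get_unary contract documented in the unary.h hunk on this page (an all-zero input returns `len`), refdist can reach 3 + 14 = 17, so the new check only fires when no stop bit was found within 14 bits. A comment would save the next reader the arithmetic: `/* 3 + get_unary(gb, 0, 14) <= 17; 17 means no stop bit was seen, so reject */`. The rest of ff_vc1_parse_frame_header_adv lies outside the hunk.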
@@ -411,12 +411,12 @@ static inline int ff_vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, if (c_avail && (n != 1 && n != 3)) { q2 = s->current_picture.qscale_table[mb_pos - 1]; if (q2 && q2 != q1) - c = (c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + c = (int)((unsigned)c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && (n != 2 && n != 3)) { q2 = s->current_picture.qscale_table[mb_pos - s->mb_stride]; if (q2 && q2 != q1) - a = (a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + a = (int)((unsigned)a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && c_avail && (n != 3)) { int off = mb_pos; @@ -426,7 +426,7 @@ static inline int ff_vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, off -= s->mb_stride; q2 = s->current_picture.qscale_table[off]; if (q2 && q2 != q1) - b = (b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + b = (int)((unsigned)b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (c_avail && (!a_avail || abs(a - b) <= abs(b - c))) { @@ -489,13 +489,15 @@ static inline int vc1_coded_block_pred(MpegEncContext * s, int n, * @param codingset set of VLC to decode data * @see 8.1.3.4 */ -static void vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, +static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int *value, int codingset) { GetBitContext *gb = &v->s.gb; int index, run, level, lst, sign; index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); + if (index < 0) + return index; if (index != ff_vc1_ac_sizes[codingset] - 1) { run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; 
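Review bot: vc1_decode_ac_coeff now returns an int, but its Doxygen block visible at the top of the hunk (`@param codingset …`, `@see 8.1.3.4`) still documents only the parameters, while every caller changed in the following hunks branches on the sign of the result. Add `@return 0 on success, a negative AVERROR code when the VLC index is invalid` to that comment. The escape path in the next hunk on the following line also deserves a one-liner, since `index >= ff_vc1_ac_sizes[codingset] - 1U` deliberately compares unsigned so that a negative get_vlc2 result is rejected as well as an out-of-range one.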
@@ -505,6 +507,8 @@ static void vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int escape = decode210(gb); if (escape != 2) { index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); + if (index >= ff_vc1_ac_sizes[codingset] - 1U) + return AVERROR_INVALIDDATA; run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; lst = index >= vc1_last_decode_table[codingset]; @@ -541,6 +545,8 @@ static void vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, *last = lst; *skip = run; *value = (level ^ -sign) + sign; + + return 0; } /** Decode intra block in intra frames - should be faster than decode_intra_block @@ -594,7 +600,7 @@ static int vc1_decode_i_block(VC1Context *v, int16_t block[64], int n, scale = s->c_dc_scale; block[0] = dcdiff * scale; - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; @@ -620,7 +626,9 @@ static int vc1_decode_i_block(VC1Context *v, int16_t block[64], int n, zz_table = v->zz_8x8[1]; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + if (ret < 0) + return ret; i += skip; if (i > 63) break; @@ -745,7 +753,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, scale = mquant * 2 + ((mquant == v->pq) ? v->halfpq : 0); - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; @@ -792,7 +800,9 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, } while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + if (ret < 0) + return ret; i += skip; if (i > 63) break; 
@@ -815,7 +825,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, return AVERROR_INVALIDDATA; q2 = q2 * 2 + ((q2 == v->pq) ? v->halfpq : 0) - 1; for (k = 1; k < 8; k++) - block[k << sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << sh] += (int)(ac_val[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } else { for (k = 1; k < 8; k++) block[k << sh] += ac_val[k]; @@ -857,7 +867,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, if (q1 < 1) return AVERROR_INVALIDDATA; for (k = 1; k < 8; k++) - ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k] = (int)(ac_val2[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } for (k = 1; k < 8; k++) { block[k << sh] = ac_val2[k] * scale; @@ -946,7 +956,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (!a_avail) dc_pred_dir = 1; if (!c_avail) dc_pred_dir = 0; if (!a_avail && !c_avail) use_pred = 0; - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; scale = mquant * 2 + v->halfpq; @@ -972,7 +982,9 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, int k; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + if (ret < 0) + return ret; i += skip; if (i > 63) break; 
@@ -1001,10 +1013,10 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, return AVERROR_INVALIDDATA; if (dc_pred_dir) { // left for (k = 1; k < 8; k++) - block[k << v->left_blk_sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << v->left_blk_sh] += (int)(ac_val[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } else { //top for (k = 1; k < 8; k++) - block[k << v->top_blk_sh] += (ac_val[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << v->top_blk_sh] += (int)(ac_val[k + 8] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } else { if (dc_pred_dir) { // left @@ -1044,7 +1056,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (q1 < 1) return AVERROR_INVALIDDATA; for (k = 1; k < 8; k++) - ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k] = (int)(ac_val2[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } else { // top @@ -1056,7 +1068,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (q1 < 1) return AVERROR_INVALIDDATA; for (k = 1; k < 8; k++) - ac_val2[k + 8] = (ac_val2[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k + 8] = (int)(ac_val2[k + 8] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } @@ -1135,7 +1147,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; last = 0; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 63) break; 
@@ -1163,7 +1177,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; off = (j & 1) * 4 + (j & 2) * 16; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 15) break; @@ -1190,7 +1206,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; off = j * 32; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 31) break; @@ -1217,7 +1235,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; off = j * 4; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 31) break; @@ -1958,7 +1978,7 @@ static void vc1_decode_b_mb(VC1Context *v) v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); if (v->rangeredfrm) for (j = 0; j < 64; j++) - s->block[i][j] <<= 1; + s->block[i][j] *= 2; s->idsp.put_signed_pixels_clamped(s->block[i], s->dest[dst_idx] + off, i & 4 ? s->uvlinesize diff --git a/lib/ffmpeg/libavcodec/vc1_pred.c b/lib/ffmpeg/libavcodec/vc1_pred.c index 13134e5d8..8b4a3054a 100644 --- a/lib/ffmpeg/libavcodec/vc1_pred.c +++ b/lib/ffmpeg/libavcodec/vc1_pred.c @@ -178,7 +178,7 @@ static av_always_inline int scaleforsame(VC1Context *v, int i, int n /* MV */, brfd = FFMIN(v->brfd, 3); scalesame = ff_vc1_b_field_mvpred_scales[0][brfd]; - n = (n * scalesame >> 8) << hpel; + n = (n * scalesame >> 8) * (1 << hpel); return n; } 
@@ -191,15 +191,16 @@ static av_always_inline int scaleforopp(VC1Context *v, int n /* MV */, n >>= hpel; if (v->s.pict_type == AV_PICTURE_TYPE_B && !v->second_field && dir == 1) { if (dim) - n = scaleforopp_y(v, n, dir) << hpel; + n = scaleforopp_y(v, n, dir) * (1 << hpel); else - n = scaleforopp_x(v, n) << hpel; + n = scaleforopp_x(v, n) * (1 << hpel); return n; } if (v->s.pict_type != AV_PICTURE_TYPE_B) - refdist = FFMIN(v->refdist, 3); + refdist = v->refdist; else refdist = dir ? v->brfd : v->frfd; + refdist = FFMIN(refdist, 3); scaleopp = ff_vc1_field_mvpred_scales[dir ^ v->second_field][0][refdist]; n = (n * scaleopp >> 8) * (1 << hpel); diff --git a/lib/ffmpeg/libavcodec/vc1dec.c b/lib/ffmpeg/libavcodec/vc1dec.c index acd29bcd2..e786dce83 100644 --- a/lib/ffmpeg/libavcodec/vc1dec.c +++ b/lib/ffmpeg/libavcodec/vc1dec.c @@ -427,7 +427,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) v->output_height = avctx->height; if (!avctx->extradata_size || !avctx->extradata) - return -1; + return AVERROR_INVALIDDATA; v->s.avctx = avctx; if ((ret = ff_vc1_init_common(v)) < 0) @@ -446,6 +446,11 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if ((ret = ff_vc1_decode_sequence_header(avctx, v, &gb)) < 0) return ret; + if (avctx->codec_id == AV_CODEC_ID_WMV3IMAGE && !v->res_sprite) { + avpriv_request_sample(avctx, "Non sprite WMV3IMAGE"); + return AVERROR_PATCHWELCOME; + } + count = avctx->extradata_size*8 - get_bits_count(&gb); if (count > 0) { av_log(avctx, AV_LOG_INFO, "Extra data: %i bits left, value: %X\n", @@ -463,7 +468,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if (avctx->extradata_size < 16) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small: %i\n", avctx->extradata_size); - return -1; + return AVERROR_INVALIDDATA; } buf2 = av_mallocz(avctx->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); 
@@ -499,7 +504,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) av_free(buf2); if (!seq_initialized || !ep_initialized) { av_log(avctx, AV_LOG_ERROR, "Incomplete extradata\n"); - return -1; + return AVERROR_INVALIDDATA; } v->res_sprite = (avctx->codec_id == AV_CODEC_ID_VC1IMAGE); } @@ -567,14 +572,21 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if (v->sprite_width > 1 << 14 || v->sprite_height > 1 << 14 || v->output_width > 1 << 14 || - v->output_height > 1 << 14) return -1; + v->output_height > 1 << 14) { + ret = AVERROR_INVALIDDATA; + goto error; + } if ((v->sprite_width&1) || (v->sprite_height&1)) { avpriv_request_sample(avctx, "odd sprites support"); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto error; } } return 0; +error: + av_frame_free(&v->sprite_output_frame); + return ret; } /** Close a VC1/WMV3 decoder @@ -853,7 +865,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto err; } - + if ((avctx->codec_id == AV_CODEC_ID_WMV3IMAGE || avctx->codec_id == AV_CODEC_ID_VC1IMAGE) + && v->field_mode) { + av_log(v->s.avctx, AV_LOG_ERROR, "Sprite decoder: expected Frames not Fields\n"); + ret = AVERROR_INVALIDDATA; + goto err; + } if ((s->mb_height >> v->field_mode) == 0) { av_log(v->s.avctx, AV_LOG_ERROR, "image too short\n"); ret = AVERROR_INVALIDDATA; @@ -959,7 +976,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ff_mpeg_er_frame_start(s); - v->bits = buf_size * 8; + v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits); v->end_mb_x = s->mb_width; if (v->field_mode) { s->current_picture.f->linesize[0] <<= 1; @@ -1031,8 +1048,10 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, continue; } ff_vc1_decode_blocks(v); - if (i != n_slices) + if (i != n_slices) { s->gb = slices[i].gb; + v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits); + } } if (v->field_mode) { v->second_field = 0; 
@@ -1054,7 +1073,9 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto err; } - if (!v->field_mode) + if ( !v->field_mode + && avctx->codec_id != AV_CODEC_ID_WMV3IMAGE + && avctx->codec_id != AV_CODEC_ID_VC1IMAGE) ff_er_frame_end(&s->er); } @@ -1077,12 +1098,14 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { if ((ret = av_frame_ref(pict, s->current_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->current_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->current_picture_ptr, pict); *got_frame = 1; } else if (s->last_picture_ptr) { if ((ret = av_frame_ref(pict, s->last_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->last_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->last_picture_ptr, pict); *got_frame = 1; } } diff --git a/lib/ffmpeg/libavcodec/vc1dsp.c b/lib/ffmpeg/libavcodec/vc1dsp.c index a16c8d512..441e2dc44 100644 --- a/lib/ffmpeg/libavcodec/vc1dsp.c +++ b/lib/ffmpeg/libavcodec/vc1dsp.c @@ -96,10 +96,10 @@ static void vc1_v_s_overlap_c(int16_t *top, int16_t *bottom) d1 = a - d; d2 = a - d + b - c; - top[48] = ((a << 3) - d1 + rnd1) >> 3; - top[56] = ((b << 3) - d2 + rnd2) >> 3; - bottom[0] = ((c << 3) + d2 + rnd1) >> 3; - bottom[8] = ((d << 3) + d1 + rnd2) >> 3; + top[48] = ((a * 8) - d1 + rnd1) >> 3; + top[56] = ((b * 8) - d2 + rnd2) >> 3; + bottom[0] = ((c * 8) + d2 + rnd1) >> 3; + bottom[8] = ((d * 8) + d1 + rnd2) >> 3; bottom++; top++; 
@@ -122,10 +122,10 @@ static void vc1_h_s_overlap_c(int16_t *left, int16_t *right) d1 = a - d; d2 = a - d + b - c; - left[6] = ((a << 3) - d1 + rnd1) >> 3; - left[7] = ((b << 3) - d2 + rnd2) >> 3; - right[0] = ((c << 3) + d2 + rnd1) >> 3; - right[1] = ((d << 3) + d1 + rnd2) >> 3; + left[6] = ((a * 8) - d1 + rnd1) >> 3; + left[7] = ((b * 8) - d2 + rnd2) >> 3; + right[0] = ((c * 8) + d2 + rnd1) >> 3; + right[1] = ((d * 8) + d1 + rnd2) >> 3; right += 8; left += 8; diff --git a/lib/ffmpeg/libavcodec/videodsp_template.c b/lib/ffmpeg/libavcodec/videodsp_template.c index 94c1b7188..55123a584 100644 --- a/lib/ffmpeg/libavcodec/videodsp_template.c +++ b/lib/ffmpeg/libavcodec/videodsp_template.c @@ -44,7 +44,8 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, src_y = 1 - block_h; } if (src_x >= w) { - src += (w - 1 - src_x) * sizeof(pixel); + // The subtracted expression has an unsigned type and must thus not be negative + src -= (1 + src_x - w) * sizeof(pixel); src_x = w - 1; } else if (src_x <= -block_w) { src += (1 - block_w - src_x) * sizeof(pixel); diff --git a/lib/ffmpeg/libavcodec/vmdaudio.c b/lib/ffmpeg/libavcodec/vmdaudio.c index e8c8a064c..dfbd49fd8 100644 --- a/lib/ffmpeg/libavcodec/vmdaudio.c +++ b/lib/ffmpeg/libavcodec/vmdaudio.c @@ -76,7 +76,9 @@ static av_cold int vmdaudio_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n"); return AVERROR(EINVAL); } - if (avctx->block_align < 1 || avctx->block_align % avctx->channels) { + if (avctx->block_align < 1 || avctx->block_align % avctx->channels || + avctx->block_align > INT_MAX - avctx->channels + ) { av_log(avctx, AV_LOG_ERROR, "invalid block align\n"); return AVERROR(EINVAL); } 
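Review bot: The new bound `avctx->block_align > INT_MAX - avctx->channels` in vmdaudio_decode_init gives no hint which later addition it protects (presumably a `block_align + channels`-style size computed after this hunk, which is not visible here), and the error string stays the generic "invalid block align". A comment on the condition makes the intent checkable: `/* keeps block_align + channels (chunk size computed below) from overflowing — confirm against that computation */`.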
@@ -179,6 +181,9 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* drop incomplete chunks */ buf_size = audio_chunks * s->chunk_size; + if (silent_chunks + audio_chunks >= INT_MAX / avctx->block_align) + return AVERROR_INVALIDDATA; + /* get output buffer */ frame->nb_samples = ((silent_chunks + audio_chunks) * avctx->block_align) / avctx->channels; diff --git a/lib/ffmpeg/libavcodec/vmnc.c b/lib/ffmpeg/libavcodec/vmnc.c index dfabfd394..ccbc7632c 100644 --- a/lib/ffmpeg/libavcodec/vmnc.c +++ b/lib/ffmpeg/libavcodec/vmnc.c @@ -326,11 +326,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint8_t *outptr; int dx, dy, w, h, depth, enc, chunks, res, size_left, ret; + bytestream2_init(gb, buf, buf_size); + bytestream2_skip(gb, 2); + chunks = bytestream2_get_be16(gb); + if (12LL * chunks > bytestream2_get_bytes_left(gb)) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) return ret; - bytestream2_init(gb, buf, buf_size); - c->pic->key_frame = 0; c->pic->pict_type = AV_PICTURE_TYPE_P; @@ -362,8 +366,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } } - bytestream2_skip(gb, 2); - chunks = bytestream2_get_be16(gb); + while (chunks--) { if (bytestream2_get_bytes_left(gb) < 12) { av_log(avctx, AV_LOG_ERROR, "Premature end of data!\n"); diff --git a/lib/ffmpeg/libavcodec/vorbisdec.c b/lib/ffmpeg/libavcodec/vorbisdec.c index 225f1e941..d2f4fa2ed 100644 --- a/lib/ffmpeg/libavcodec/vorbisdec.c +++ b/lib/ffmpeg/libavcodec/vorbisdec.c 
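Review bot: The early rejection `12LL * chunks > bytestream2_get_bytes_left(gb)` in vmnc's decode_frame hard-codes the per-chunk header size that the loop in the next hunk checks again as `bytestream2_get_bytes_left(gb) < 12`; the two constants must stay in sync, so name it once, e.g. `#define VMNC_CHUNK_HDR_SIZE 12 /* dx, dy, w, h, enc — confirm against the loop's reads */` and use it in both places. Moving bytestream2_init and the chunk-count read ahead of ff_reget_buffer is sound as long as nothing between the two points reads from `gb`; that code is outside the hunk.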
@@ -1097,13 +1097,14 @@ static int vorbis_floor0_decode(vorbis_context *vc,
 {
 vorbis_floor0 *vf = &vfu->t0;
 float *lsp = vf->lsp;
- unsigned amplitude, book_idx;
+ unsigned book_idx;
+ uint64_t amplitude;
 unsigned blockflag = vc->modes[vc->mode_number].blockflag;
 if (!vf->amplitude_bits)
 return 1;
- amplitude = get_bits(&vc->gb, vf->amplitude_bits);
+ amplitude = get_bits64(&vc->gb, vf->amplitude_bits);
 if (amplitude > 0) {
 float last = 0;
 unsigned idx, lsp_len = 0;
@@ -1127,8 +1128,10 @@ static int vorbis_floor0_decode(vorbis_context *vc,
 ff_dlog(NULL, "floor0 dec: maximum depth: %d\n", codebook.maxdepth);
 /* read temp vector */
 vec_off = get_vlc2(&vc->gb, codebook.vlc.table,
- codebook.nb_bits, codebook.maxdepth)
- * codebook.dimensions;
+ codebook.nb_bits, codebook.maxdepth);
+ if (vec_off < 0)
+ return AVERROR_INVALIDDATA;
+ vec_off *= codebook.dimensions;
 ff_dlog(NULL, "floor0 dec: vector offset: %d\n", vec_off);
 /* copy each vector component and add last to it */
 for (idx = 0; idx < codebook.dimensions; ++idx)
@@ -1179,9 +1182,12 @@ static int vorbis_floor0_decode(vorbis_context *vc,
 q *= q;
 }
+ if (p + q == 0.0)
+ return AVERROR_INVALIDDATA;
+
 /* calculate linear floor value */
 q = exp((((amplitude*vf->amplitude_offset) /
- (((1 << vf->amplitude_bits) - 1) * sqrt(p + q)))
+ (((1ULL << vf->amplitude_bits) - 1) * sqrt(p + q)))
 - vf->amplitude_offset) * .11512925f);
 /* fill vector */
@@ -1355,8 +1361,12 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
 return AVERROR_INVALIDDATA;
 }
- av_assert0(vr->classifications > 1); //needed for inverse[]
-
+ if (vr->classifications == 1) {
+ for (i = partition_count + c_p_c - 1; i >= partition_count; i--) {
+ if (i < ptns_to_read)
+ vr->classifs[p + i] = 0;
+ }
+ } else {
 for (i = partition_count + c_p_c - 1; i >= partition_count; i--) {
 temp2 = (((uint64_t)temp) * inverse_class) >> 32;
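Review bot: With amplitude widened to uint64_t in vorbis_floor0_decode, the `amplitude*vf->amplitude_offset` product in the third hunk of this function is still an integer multiplication; if amplitude_bits can reach the full width the new `1ULL <<` allows (up to 63, if I recall the Vorbis I floor0 length field correctly), the product can wrap in uint64_t before the floating-point division. Computing it as `((double)amplitude * vf->amplitude_offset)` avoids the wrap and matches the double arithmetic it feeds. vorbis_floor0_decode continues outside these hunks.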
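Review bot: The new `if (p + q == 0.0) return AVERROR_INVALIDDATA;` in vorbis_floor0_decode is undocumented; it stops the `sqrt(p + q)` divisor two lines below from being zero for a degenerate LSP vector, and that should be stated inline, e.g. `/* sqrt(p + q) is the divisor below; a zero sum would give an infinite floor */`. Saying explicitly that the exact comparison is intended will also keep someone from rewriting it as an epsilon test without thinking about the range of the result.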
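Review bot: In setup_classifs the new `else` branch leaves the old `for` loop at its previous indentation, so the nesting introduced by `if (vr->classifications == 1) { ... } else {` is invisible until the closing `}` added in the next hunk; re-indenting the loop body one level (or a clang-format pass over the function) would make the structure readable. The single-class branch also deserves a comment explaining why it bypasses the inverse_class arithmetic, e.g. `/* one class: every partition is class 0, and the multiplicative inverse below is not exact for a divisor of 1 */` (if that is indeed what the removed av_assert0 was guarding). setup_classifs begins before and ends after this hunk.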
@@ -1364,6 +1374,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
 vr->classifs[p + i] = temp - temp2 * vr->classifications;
 temp = temp2;
 }
+ }
 }
 p += ptns_to_read;
 }
@@ -1431,7 +1442,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
 int vqbook = vr->books[vqclass][pass];
 if (vqbook >= 0 && vc->codebooks[vqbook].codevectors) {
- unsigned coffs;
+ int coffs;
 unsigned dim = vc->codebooks[vqbook].dimensions;
 unsigned step = FASTDIV(vr->partition_size << 1, dim << 1);
 vorbis_codebook codebook = vc->codebooks[vqbook];
@@ -1440,14 +1451,20 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
 voffs = voffset+j*vlen;
 for (k = 0; k < step; ++k) {
- coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim;
+ coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
+ if (coffs < 0)
+ return coffs;
+ coffs *= dim;
 for (l = 0; l < dim; ++l)
 vec[voffs + k + l * step] += codebook.codevectors[coffs + l];
 }
 } else if (vr_type == 1) {
 voffs = voffset + j * vlen;
 for (k = 0; k < step; ++k) {
- coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim;
+ coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
+ if (coffs < 0)
+ return coffs;
+ coffs *= dim;
 for (l = 0; l < dim; ++l, ++voffs) {
 vec[voffs]+=codebook.codevectors[coffs+l];
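Review bot: The residue paths now `return coffs;` when get_vlc2() yields a negative value, whereas the floor0 hunk in this same commit maps the identical condition to AVERROR_INVALIDDATA. As far as I recall, an unassigned VLC entry decodes to -1, which is not an AVERROR code, so callers that log or compare the return value get a bare -1 here and a proper error elsewhere; `return AVERROR_INVALIDDATA;` at each of the get_vlc2 checks (this hunk and the three in the next chunk of vorbis_residue_decode_internal) keeps error reporting uniform. The function starts before the first of these hunks and ends after the last.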
@@ -1460,13 +1477,19 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
 if (dim == 2) {
 for (k = 0; k < step; ++k) {
- coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 2;
+ coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
+ if (coffs < 0)
+ return coffs;
+ coffs *= 2;
 vec[voffs + k ] += codebook.codevectors[coffs ];
 vec[voffs + k + vlen] += codebook.codevectors[coffs + 1];
 }
 } else if (dim == 4) {
 for (k = 0; k < step; ++k, voffs += 2) {
- coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 4;
+ coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
+ if (coffs < 0)
+ return coffs;
+ coffs *= 4;
 vec[voffs ] += codebook.codevectors[coffs ];
 vec[voffs + 1 ] += codebook.codevectors[coffs + 2];
 vec[voffs + vlen ] += codebook.codevectors[coffs + 1];
@@ -1474,7 +1497,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
 }
 } else
 for (k = 0; k < step; ++k) {
- coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim;
+ coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
+ if (coffs < 0)
+ return coffs;
+ coffs *= dim;
 for (l = 0; l < dim; l += 2, voffs++) {
 vec[voffs ] += codebook.codevectors[coffs + l ];
 vec[voffs + vlen] += codebook.codevectors[coffs + l + 1];
@@ -1487,11 +1513,14 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
 }
 } else if (vr_type == 2) {
- unsigned voffs_div = FASTDIV(voffset << 1, ch <<1);
+ unsigned voffs_div = ch == 1 ? voffset : FASTDIV(voffset, ch);
 unsigned voffs_mod = voffset - voffs_div * ch;
 for (k = 0; k < step; ++k) {
- coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim;
+ coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
+ if (coffs < 0)
+ return coffs;
+ coffs *= dim;
 for (l = 0; l < dim; ++l) {
 vec[voffs_div + voffs_mod * vlen] += codebook.codevectors[coffs + l];
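Review bot: `ch == 1 ? voffset : FASTDIV(voffset, ch)` in the vr_type == 2 branch special-cases a divisor of 1 without saying why; as I understand FASTDIV, its reciprocal-table form is not exact for divisor 1, and the old `voffset << 1, ch << 1` arrangement could overflow for large offsets. A comment such as `/* FASTDIV is not exact for a divisor of 1; the << 1 form also overflowed for large offsets */` records both reasons so the special case survives future cleanups. vorbis_residue_decode_internal continues outside this hunk.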
diff --git a/lib/ffmpeg/libavcodec/vp3.c b/lib/ffmpeg/libavcodec/vp3.c
index bf56d942e..00b005551 100644
--- a/lib/ffmpeg/libavcodec/vp3.c
+++ b/lib/ffmpeg/libavcodec/vp3.c
@@ -2267,9 +2267,16 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
 int ret;
 AVRational fps, aspect;
+ if (get_bits_left(gb) < 206)
+ return AVERROR_INVALIDDATA;
+
 s->theora_header = 0;
 s->theora = get_bits_long(gb, 24);
 av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora);
+ if (!s->theora) {
+ s->theora = 1;
+ avpriv_request_sample(s->avctx, "theora 0");
+ }
 /* 3.2.0 aka alpha3 has the same frame orientation as original vp3
 * but previous versions have the image flipped relative to vp3 */
diff --git a/lib/ffmpeg/libavcodec/vp5.c b/lib/ffmpeg/libavcodec/vp5.c
index 7100bb455..c57c4a298 100644
--- a/lib/ffmpeg/libavcodec/vp5.c
+++ b/lib/ffmpeg/libavcodec/vp5.c
@@ -49,6 +49,8 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
 ff_vp56_init_dequant(s, vp56_rac_gets(c, 6));
 if (s->frames[VP56_FRAME_CURRENT]->key_frame) {
+ int render_x, render_y;
+
 vp56_rac_gets(c, 8);
 if(vp56_rac_gets(c, 5) > 5)
 return AVERROR_INVALIDDATA;
@@ -64,8 +66,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
 cols << 4, rows << 4);
 return AVERROR_INVALIDDATA;
 }
- vp56_rac_gets(c, 8); /* number of displayed macroblock rows */
- vp56_rac_gets(c, 8); /* number of displayed macroblock cols */
+ render_y = vp56_rac_gets(c, 8); /* number of displayed macroblock rows */
+ render_x = vp56_rac_gets(c, 8); /* number of displayed macroblock cols */
+ if (render_x == 0 || render_x > cols ||
+ render_y == 0 || render_y > rows)
+ return AVERROR_INVALIDDATA;
 vp56_rac_gets(c, 2);
 if (!s->macroblocks || /* first frame */
 16*cols != s->avctx->coded_width ||
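Review bot: `if (get_bits_left(gb) < 206)` in theora_decode_header introduces a bare constant with no indication of what 206 bits correspond to; presumably it is the fixed-size part of the identification header parsed below this hunk, and a comment such as `/* minimum size in bits of the fixed header fields read below */` (or a named constant) would make the bound checkable. The `s->theora = 1` substitution for a zero version also needs its reason recorded: if, as I believe, `s->theora` doubles as the Theora-versus-VP3 flag elsewhere in the file, a version of 0 would silently switch the decoder into VP3 mode, which is the real hazard being avoided. theora_decode_header continues outside this hunk.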
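Review bot: render_x and render_y in vp5_parse_header are now validated against cols/rows but their values are then discarded, so a reader cannot tell whether the intent is only to reject inconsistent headers or to start honouring the display size; a comment on the check, e.g. `/* displayed size must fit inside the coded size; the values are not otherwise used yet */`, would settle that. If they are meant to drive cropping later, storing them on the context is the follow-up. The function starts before and ends after these hunks.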
@@ -184,7 +189,7 @@ static int vp5_parse_coeff(VP56Context *s)
 int b, i, cg, idx, ctx, ctx_last;
 int pt = 0; /* plane type (0 for Y, 1 for U or V) */
- if (c->end <= c->buffer && c->bits >= 0) {
+ if (vpX_rac_is_end(c)) {
 av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n");
 return AVERROR_INVALIDDATA;
 }
diff --git a/lib/ffmpeg/libavcodec/vp56.c b/lib/ffmpeg/libavcodec/vp56.c
index bfc3d3bc7..bf88428f4 100644
--- a/lib/ffmpeg/libavcodec/vp56.c
+++ b/lib/ffmpeg/libavcodec/vp56.c
@@ -548,7 +548,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 VP56Context *s = avctx->priv_data;
 AVFrame *const p = s->frames[VP56_FRAME_CURRENT];
 int remaining_buf_size = avpkt->size;
- int av_uninit(alpha_offset);
+ int alpha_offset = remaining_buf_size;
 int i, res;
 int ret;
@@ -561,7 +561,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 return AVERROR_INVALIDDATA;
 }
- res = s->parse_header(s, buf, remaining_buf_size);
+ res = s->parse_header(s, buf, alpha_offset);
 if (res < 0)
 return res;
diff --git a/lib/ffmpeg/libavcodec/vp56.h b/lib/ffmpeg/libavcodec/vp56.h
index c049399df..2bae30f21 100644
--- a/lib/ffmpeg/libavcodec/vp56.h
+++ b/lib/ffmpeg/libavcodec/vp56.h
@@ -88,6 +88,7 @@ typedef struct VP56RangeCoder {
 const uint8_t *buffer;
 const uint8_t *end;
 unsigned int code_word;
+ int end_reached;
 } VP56RangeCoder;
 typedef struct VP56RefDc {
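Review bot: `int alpha_offset = remaining_buf_size;` together with passing alpha_offset to parse_header() changes how much of the packet the header parser may read, but nothing at the declaration says so; if, as the name suggests, the code between these two hunks lowers alpha_offset to the start of the alpha plane when the stream carries one, then this commit stops the colour-plane header parser from reading into alpha data, and the declaration should carry `/* bytes of colour-plane data; trimmed to the alpha-plane start below when present */`. ff_vp56_decode_frame continues outside both hunks.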
@@ -226,6 +227,16 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 extern const uint8_t ff_vp56_norm_shift[256];
 int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size);
+/**
+ * vp5689 returns 1 if the end of the stream has been reached, 0 otherwise.
+ */
+static av_always_inline int vpX_rac_is_end(VP56RangeCoder *c)
+{
+ if (c->end <= c->buffer && c->bits >= 0)
+ c->end_reached ++;
+ return c->end_reached > 10;
+}
+
 static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c)
 {
 int shift = ff_vp56_norm_shift[c->high];
diff --git a/lib/ffmpeg/libavcodec/vp56rac.c b/lib/ffmpeg/libavcodec/vp56rac.c
index e70302bf8..64fb6a99b 100644
--- a/lib/ffmpeg/libavcodec/vp56rac.c
+++ b/lib/ffmpeg/libavcodec/vp56rac.c
@@ -43,6 +43,7 @@ int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_si
 c->bits = -16;
 c->buffer = buf;
 c->end = buf + buf_size;
+ c->end_reached = 0;
 if (buf_size < 1)
 return AVERROR_INVALIDDATA;
 c->code_word = bytestream_get_be24(&c->buffer);
diff --git a/lib/ffmpeg/libavcodec/vp6.c b/lib/ffmpeg/libavcodec/vp6.c
index 4afd67b3a..ef48b885f 100644
--- a/lib/ffmpeg/libavcodec/vp6.c
+++ b/lib/ffmpeg/libavcodec/vp6.c
@@ -460,7 +460,7 @@ static int vp6_parse_coeff(VP56Context *s)
 int b, i, cg, idx, ctx;
 int pt = 0; /* plane type (0 for Y, 1 for U or V) */
- if (c->end <= c->buffer && c->bits >= 0) {
+ if (vpX_rac_is_end(c)) {
 av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n");
 return AVERROR_INVALIDDATA;
 }
diff --git a/lib/ffmpeg/libavcodec/vp8.c b/lib/ffmpeg/libavcodec/vp8.c
index 3adecba2f..8a3f3e4f1 100644
--- a/lib/ffmpeg/libavcodec/vp8.c
+++ b/lib/ffmpeg/libavcodec/vp8.c
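Review bot: The doc comment on vpX_rac_is_end does not describe what the function does: it mutates `c->end_reached` and returns 1 only once the coder has been observed past the end of its buffer more than ten times, so the first ten observations still report 0. The vp5/vp6/vp8 callers in the surrounding hunks therefore tolerate a short overrun, which is only safe if renormalisation never fetches bytes beyond `c->end` (as vp56_rac_renorm appears to guarantee), and that contract belongs in the comment, e.g. `/** Returns 1 once the coder has been found past the end of its buffer more than 10 times (tolerates slightly truncated streams); updates c->end_reached as a side effect. */`. The stray `vp5689` and the `end_reached ++` spacing should go at the same time.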
@@ -605,7 +605,7 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
 s->fade_present = vp8_rac_get(c);
 }
- if (c->end <= c->buffer && c->bits >= 0)
+ if (vpX_rac_is_end(c))
 return AVERROR_INVALIDDATA;
 /* E. Fading information for previous frame */
 if (s->fade_present && vp8_rac_get(c)) {
@@ -2300,7 +2300,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void
 curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize
 };
- if (c->end <= c->buffer && c->bits >= 0)
+ if (vpX_rac_is_end(c))
 return AVERROR_INVALIDDATA;
 if (mb_y == 0)
@@ -2331,7 +2331,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void
 s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN;
 for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) {
- if (c->end <= c->buffer && c->bits >= 0)
+ if (vpX_rac_is_end(c))
 return AVERROR_INVALIDDATA;
 // Wait for previous thread to read mb_x+2, and reach mb_y-1.
 if (prev_td != td) {
diff --git a/lib/ffmpeg/libavcodec/vp9dsp_template.c b/lib/ffmpeg/libavcodec/vp9dsp_template.c
index 5a8578a89..82e9e33f0 100644
--- a/lib/ffmpeg/libavcodec/vp9dsp_template.c
+++ b/lib/ffmpeg/libavcodec/vp9dsp_template.c
@@ -1138,7 +1138,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \
 for (j = 0; j < sz; j++) \
 dst[j * stride] = av_clip_pixel(dst[j * stride] + \
 (bits ? \
- (t + (1 << (bits - 1))) >> bits : \
+ (int)(t + (1U << (bits - 1))) >> bits : \
 t)); \
 dst++; \
 } \
@@ -1153,7 +1153,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \
 for (j = 0; j < sz; j++) \
 dst[j * stride] = av_clip_pixel(dst[j * stride] + \
 (bits ? \
- (out[j] + (1 << (bits - 1))) >> bits : \
+ (int)(out[j] + (1U << (bits - 1))) >> bits : \
 out[j])); \
 dst++; \
 } \
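Review bot: The `(int)(t + (1U << (bits - 1))) >> bits` form here, and the matching `(dctint)(... * 11585U + (1 << 13)) >> 14` rewrites in iadst8_1d, idct16_1d, iadst16_1d and idct32_1d on the following lines, remove signed-overflow UB by doing the arithmetic unsigned, but the cast back to a signed type and the arithmetic right shift of a negative value are both implementation-defined rather than guaranteed; that is acceptable for the two's-complement gcc/clang behaviour this code relies on, and one comment near the first occurrence would stop a future cleanup from reverting to signed arithmetic, e.g. `/* unsigned wrap-around, then a signed cast: well-defined on the two's-complement targets we build for */`. That note fits best once at the top of the file's idct section rather than per line. All of these functions extend beyond their hunks.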
@@ -1260,25 +1260,25 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride, t6 = (t2a - t6a + (1 << 13)) >> 14; t7 = (t3a - t7a + (1 << 13)) >> 14; - t4a = 15137 * t4 + 6270 * t5; - t5a = 6270 * t4 - 15137 * t5; - t6a = 15137 * t7 - 6270 * t6; - t7a = 6270 * t7 + 15137 * t6; + t4a = 15137U * t4 + 6270U * t5; + t5a = 6270U * t4 - 15137U * t5; + t6a = 15137U * t7 - 6270U * t6; + t7a = 6270U * t7 + 15137U * t6; out[0] = t0 + t2; out[7] = -(t1 + t3); t2 = t0 - t2; t3 = t1 - t3; - out[1] = -((t4a + t6a + (1 << 13)) >> 14); - out[6] = (t5a + t7a + (1 << 13)) >> 14; - t6 = (t4a - t6a + (1 << 13)) >> 14; - t7 = (t5a - t7a + (1 << 13)) >> 14; + out[1] = -((dctint)((1U << 13) + t4a + t6a) >> 14); + out[6] = (dctint)((1U << 13) + t5a + t7a) >> 14; + t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; + t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; - out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14); - out[4] = ((t2 - t3) * 11585 + (1 << 13)) >> 14; - out[2] = ((t6 + t7) * 11585 + (1 << 13)) >> 14; - out[5] = -(((t6 - t7) * 11585 + (1 << 13)) >> 14); + out[3] = -((dctint)((t2 + t3) * 11585U + (1 << 13)) >> 14); + out[4] = (dctint)((t2 - t3) * 11585U + (1 << 13)) >> 14; + out[2] = (dctint)((t6 + t7) * 11585U + (1 << 13)) >> 14; + out[5] = -((dctint)((t6 - t7) * 11585U + (1 << 13)) >> 14); } itxfm_wrap(8, 5) 
@@ -1290,22 +1290,22 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a; dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a; - t0a = ((IN(0) + IN(8)) * 11585 + (1 << 13)) >> 14; - t1a = ((IN(0) - IN(8)) * 11585 + (1 << 13)) >> 14; - t2a = (IN(4) * 6270 - IN(12) * 15137 + (1 << 13)) >> 14; - t3a = (IN(4) * 15137 + IN(12) * 6270 + (1 << 13)) >> 14; - t4a = (IN(2) * 3196 - IN(14) * 16069 + (1 << 13)) >> 14; - t7a = (IN(2) * 16069 + IN(14) * 3196 + (1 << 13)) >> 14; - t5a = (IN(10) * 13623 - IN(6) * 9102 + (1 << 13)) >> 14; - t6a = (IN(10) * 9102 + IN(6) * 13623 + (1 << 13)) >> 14; - t8a = (IN(1) * 1606 - IN(15) * 16305 + (1 << 13)) >> 14; - t15a = (IN(1) * 16305 + IN(15) * 1606 + (1 << 13)) >> 14; - t9a = (IN(9) * 12665 - IN(7) * 10394 + (1 << 13)) >> 14; - t14a = (IN(9) * 10394 + IN(7) * 12665 + (1 << 13)) >> 14; - t10a = (IN(5) * 7723 - IN(11) * 14449 + (1 << 13)) >> 14; - t13a = (IN(5) * 14449 + IN(11) * 7723 + (1 << 13)) >> 14; - t11a = (IN(13) * 15679 - IN(3) * 4756 + (1 << 13)) >> 14; - t12a = (IN(13) * 4756 + IN(3) * 15679 + (1 << 13)) >> 14; + t0a = (dctint)((IN(0) + IN(8)) * 11585U + (1 << 13)) >> 14; + t1a = (dctint)((IN(0) - IN(8)) * 11585U + (1 << 13)) >> 14; + t2a = (dctint)(IN(4) * 6270U - IN(12) * 15137U + (1 << 13)) >> 14; + t3a = (dctint)(IN(4) * 15137U + IN(12) * 6270U + (1 << 13)) >> 14; + t4a = (dctint)(IN(2) * 3196U - IN(14) * 16069U + (1 << 13)) >> 14; + t7a = (dctint)(IN(2) * 16069U + IN(14) * 3196U + (1 << 13)) >> 14; + t5a = (dctint)(IN(10) * 13623U - IN(6) * 9102U + (1 << 13)) >> 14; + t6a = (dctint)(IN(10) * 9102U + IN(6) * 13623U + (1 << 13)) >> 14; + t8a = (dctint)(IN(1) * 1606U - IN(15) * 16305U + (1 << 13)) >> 14; + t15a = (dctint)(IN(1) * 16305U + IN(15) * 1606U + (1 << 13)) >> 14; + t9a = (dctint)(IN(9) * 12665U - IN(7) * 10394U + (1 << 13)) >> 14; + t14a = (dctint)(IN(9) * 10394U + IN(7) * 12665U + (1 << 13)) >> 14; + t10a = (dctint)(IN(5) * 7723U - IN(11) * 
14449U + (1 << 13)) >> 14; + t13a = (dctint)(IN(5) * 14449U + IN(11) * 7723U + (1 << 13)) >> 14; + t11a = (dctint)(IN(13) * 15679U - IN(3) * 4756U + (1 << 13)) >> 14; + t12a = (dctint)(IN(13) * 4756U + IN(3) * 15679U + (1 << 13)) >> 14; t0 = t0a + t3a; t1 = t1a + t2a; @@ -1324,12 +1324,12 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, t14 = t15a - t14a; t15 = t15a + t14a; - t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14; - t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14; - t9a = ( t14 * 6270 - t9 * 15137 + (1 << 13)) >> 14; - t14a = ( t14 * 15137 + t9 * 6270 + (1 << 13)) >> 14; - t10a = (-(t13 * 15137 + t10 * 6270) + (1 << 13)) >> 14; - t13a = ( t13 * 6270 - t10 * 15137 + (1 << 13)) >> 14; + t5a = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14; + t6a = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14; + t9a = (dctint)( t14 * 6270U - t9 * 15137U + (1 << 13)) >> 14; + t14a = (dctint)( t14 * 15137U + t9 * 6270U + (1 << 13)) >> 14; + t10a = (dctint)(-(t13 * 15137U + t10 * 6270U) + (1 << 13)) >> 14; + t13a = (dctint)( t13 * 6270U - t10 * 15137U + (1 << 13)) >> 14; t0a = t0 + t7; t1a = t1 + t6a; @@ -1348,10 +1348,10 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, t14 = t14a + t13a; t15a = t15 + t12; - t10a = ((t13 - t10) * 11585 + (1 << 13)) >> 14; - t13a = ((t13 + t10) * 11585 + (1 << 13)) >> 14; - t11 = ((t12a - t11a) * 11585 + (1 << 13)) >> 14; - t12 = ((t12a + t11a) * 11585 + (1 << 13)) >> 14; + t10a = (dctint)((t13 - t10) * 11585U + (1 << 13)) >> 14; + t13a = (dctint)((t13 + t10) * 11585U + (1 << 13)) >> 14; + t11 = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14; + t12 = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14; out[ 0] = t0a + t15a; out[ 1] = t1a + t14; 
@@ -1378,48 +1378,48 @@ static av_always_inline void iadst16_1d(const dctcoef *in, ptrdiff_t stride, dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a; dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a; - t0 = IN(15) * 16364 + IN(0) * 804; - t1 = IN(15) * 804 - IN(0) * 16364; - t2 = IN(13) * 15893 + IN(2) * 3981; - t3 = IN(13) * 3981 - IN(2) * 15893; - t4 = IN(11) * 14811 + IN(4) * 7005; - t5 = IN(11) * 7005 - IN(4) * 14811; - t6 = IN(9) * 13160 + IN(6) * 9760; - t7 = IN(9) * 9760 - IN(6) * 13160; - t8 = IN(7) * 11003 + IN(8) * 12140; - t9 = IN(7) * 12140 - IN(8) * 11003; - t10 = IN(5) * 8423 + IN(10) * 14053; - t11 = IN(5) * 14053 - IN(10) * 8423; - t12 = IN(3) * 5520 + IN(12) * 15426; - t13 = IN(3) * 15426 - IN(12) * 5520; - t14 = IN(1) * 2404 + IN(14) * 16207; - t15 = IN(1) * 16207 - IN(14) * 2404; - - t0a = (t0 + t8 + (1 << 13)) >> 14; - t1a = (t1 + t9 + (1 << 13)) >> 14; - t2a = (t2 + t10 + (1 << 13)) >> 14; - t3a = (t3 + t11 + (1 << 13)) >> 14; - t4a = (t4 + t12 + (1 << 13)) >> 14; - t5a = (t5 + t13 + (1 << 13)) >> 14; - t6a = (t6 + t14 + (1 << 13)) >> 14; - t7a = (t7 + t15 + (1 << 13)) >> 14; - t8a = (t0 - t8 + (1 << 13)) >> 14; - t9a = (t1 - t9 + (1 << 13)) >> 14; - t10a = (t2 - t10 + (1 << 13)) >> 14; - t11a = (t3 - t11 + (1 << 13)) >> 14; - t12a = (t4 - t12 + (1 << 13)) >> 14; - t13a = (t5 - t13 + (1 << 13)) >> 14; - t14a = (t6 - t14 + (1 << 13)) >> 14; - t15a = (t7 - t15 + (1 << 13)) >> 14; - - t8 = t8a * 16069 + t9a * 3196; - t9 = t8a * 3196 - t9a * 16069; - t10 = t10a * 9102 + t11a * 13623; - t11 = t10a * 13623 - t11a * 9102; - t12 = t13a * 16069 - t12a * 3196; - t13 = t13a * 3196 + t12a * 16069; - t14 = t15a * 9102 - t14a * 13623; - t15 = t15a * 13623 + t14a * 9102; + t0 = IN(15) * 16364U + IN(0) * 804U; + t1 = IN(15) * 804U - IN(0) * 16364U; + t2 = IN(13) * 15893U + IN(2) * 3981U; + t3 = IN(13) * 3981U - IN(2) * 15893U; + t4 = IN(11) * 14811U + IN(4) * 7005U; + t5 = IN(11) * 7005U - IN(4) * 14811U; + t6 = IN(9) * 13160U + IN(6) * 9760U; + t7 = IN(9) * 
9760U - IN(6) * 13160U; + t8 = IN(7) * 11003U + IN(8) * 12140U; + t9 = IN(7) * 12140U - IN(8) * 11003U; + t10 = IN(5) * 8423U + IN(10) * 14053U; + t11 = IN(5) * 14053U - IN(10) * 8423U; + t12 = IN(3) * 5520U + IN(12) * 15426U; + t13 = IN(3) * 15426U - IN(12) * 5520U; + t14 = IN(1) * 2404U + IN(14) * 16207U; + t15 = IN(1) * 16207U - IN(14) * 2404U; + + t0a = (dctint)((1U << 13) + t0 + t8 ) >> 14; + t1a = (dctint)((1U << 13) + t1 + t9 ) >> 14; + t2a = (dctint)((1U << 13) + t2 + t10) >> 14; + t3a = (dctint)((1U << 13) + t3 + t11) >> 14; + t4a = (dctint)((1U << 13) + t4 + t12) >> 14; + t5a = (dctint)((1U << 13) + t5 + t13) >> 14; + t6a = (dctint)((1U << 13) + t6 + t14) >> 14; + t7a = (dctint)((1U << 13) + t7 + t15) >> 14; + t8a = (dctint)((1U << 13) + t0 - t8 ) >> 14; + t9a = (dctint)((1U << 13) + t1 - t9 ) >> 14; + t10a = (dctint)((1U << 13) + t2 - t10) >> 14; + t11a = (dctint)((1U << 13) + t3 - t11) >> 14; + t12a = (dctint)((1U << 13) + t4 - t12) >> 14; + t13a = (dctint)((1U << 13) + t5 - t13) >> 14; + t14a = (dctint)((1U << 13) + t6 - t14) >> 14; + t15a = (dctint)((1U << 13) + t7 - t15) >> 14; + + t8 = t8a * 16069U + t9a * 3196U; + t9 = t8a * 3196U - t9a * 16069U; + t10 = t10a * 9102U + t11a * 13623U; + t11 = t10a * 13623U - t11a * 9102U; + t12 = t13a * 16069U - t12a * 3196U; + t13 = t13a * 3196U + t12a * 16069U; + t14 = t15a * 9102U - t14a * 13623U; + t15 = t15a * 13623U + t14a * 9102U; t0 = t0a + t4a; t1 = t1a + t5a; 
@@ -1429,49 +1429,49 @@ static av_always_inline void iadst16_1d(const dctcoef *in, ptrdiff_t stride, t5 = t1a - t5a; t6 = t2a - t6a; t7 = t3a - t7a; - t8a = (t8 + t12 + (1 << 13)) >> 14; - t9a = (t9 + t13 + (1 << 13)) >> 14; - t10a = (t10 + t14 + (1 << 13)) >> 14; - t11a = (t11 + t15 + (1 << 13)) >> 14; - t12a = (t8 - t12 + (1 << 13)) >> 14; - t13a = (t9 - t13 + (1 << 13)) >> 14; - t14a = (t10 - t14 + (1 << 13)) >> 14; - t15a = (t11 - t15 + (1 << 13)) >> 14; - - t4a = t4 * 15137 + t5 * 6270; - t5a = t4 * 6270 - t5 * 15137; - t6a = t7 * 15137 - t6 * 6270; - t7a = t7 * 6270 + t6 * 15137; - t12 = t12a * 15137 + t13a * 6270; - t13 = t12a * 6270 - t13a * 15137; - t14 = t15a * 15137 - t14a * 6270; - t15 = t15a * 6270 + t14a * 15137; + t8a = (dctint)((1U << 13) + t8 + t12) >> 14; + t9a = (dctint)((1U << 13) + t9 + t13) >> 14; + t10a = (dctint)((1U << 13) + t10 + t14) >> 14; + t11a = (dctint)((1U << 13) + t11 + t15) >> 14; + t12a = (dctint)((1U << 13) + t8 - t12) >> 14; + t13a = (dctint)((1U << 13) + t9 - t13) >> 14; + t14a = (dctint)((1U << 13) + t10 - t14) >> 14; + t15a = (dctint)((1U << 13) + t11 - t15) >> 14; + + t4a = t4 * 15137U + t5 * 6270U; + t5a = t4 * 6270U - t5 * 15137U; + t6a = t7 * 15137U - t6 * 6270U; + t7a = t7 * 6270U + t6 * 15137U; + t12 = t12a * 15137U + t13a * 6270U; + t13 = t12a * 6270U - t13a * 15137U; + t14 = t15a * 15137U - t14a * 6270U; + t15 = t15a * 6270U + t14a * 15137U; out[ 0] = t0 + t2; out[15] = -(t1 + t3); t2a = t0 - t2; t3a = t1 - t3; - out[ 3] = -((t4a + t6a + (1 << 13)) >> 14); - out[12] = (t5a + t7a + (1 << 13)) >> 14; - t6 = (t4a - t6a + (1 << 13)) >> 14; - t7 = (t5a - t7a + (1 << 13)) >> 14; + out[ 3] = -((dctint)((1U << 13) + t4a + t6a) >> 14); + out[12] = (dctint)((1U << 13) + t5a + t7a) >> 14; + t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; + t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; out[ 1] = -(t8a + t10a); out[14] = t9a + t11a; t10 = t8a - t10a; t11 = t9a - t11a; - out[ 2] = (t12 + t14 + (1 << 13)) >> 14; - out[13] = -((t13 + 
t15 + (1 << 13)) >> 14); - t14a = (t12 - t14 + (1 << 13)) >> 14; - t15a = (t13 - t15 + (1 << 13)) >> 14; + out[ 2] = (dctint)((1U << 13) + t12 + t14) >> 14; + out[13] = -((dctint)((1U << 13) + t13 + t15) >> 14); + t14a = (dctint)((1U << 13) + t12 - t14) >> 14; + t15a = (dctint)((1U << 13) + t13 - t15) >> 14; - out[ 7] = ((t2a + t3a) * -11585 + (1 << 13)) >> 14; - out[ 8] = ((t2a - t3a) * 11585 + (1 << 13)) >> 14; - out[ 4] = ((t7 + t6) * 11585 + (1 << 13)) >> 14; - out[11] = ((t7 - t6) * 11585 + (1 << 13)) >> 14; - out[ 6] = ((t11 + t10) * 11585 + (1 << 13)) >> 14; - out[ 9] = ((t11 - t10) * 11585 + (1 << 13)) >> 14; - out[ 5] = ((t14a + t15a) * -11585 + (1 << 13)) >> 14; - out[10] = ((t14a - t15a) * 11585 + (1 << 13)) >> 14; + out[ 7] = (dctint)(-(t2a + t3a) * 11585U + (1 << 13)) >> 14; + out[ 8] = (dctint)( (t2a - t3a) * 11585U + (1 << 13)) >> 14; + out[ 4] = (dctint)( (t7 + t6) * 11585U + (1 << 13)) >> 14; + out[11] = (dctint)( (t7 - t6) * 11585U + (1 << 13)) >> 14; + out[ 6] = (dctint)( (t11 + t10) * 11585U + (1 << 13)) >> 14; + out[ 9] = (dctint)( (t11 - t10) * 11585U + (1 << 13)) >> 14; + out[ 5] = (dctint)(-(t14a + t15a) * 11585U + (1 << 13)) >> 14; + out[10] = (dctint)( (t14a - t15a) * 11585U + (1 << 13)) >> 14; } itxfm_wrap(16, 6) 
@@ -1479,38 +1479,38 @@ itxfm_wrap(16, 6) static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, dctcoef *out, int pass) { - dctint t0a = ((IN(0) + IN(16)) * 11585 + (1 << 13)) >> 14; - dctint t1a = ((IN(0) - IN(16)) * 11585 + (1 << 13)) >> 14; - dctint t2a = (IN( 8) * 6270 - IN(24) * 15137 + (1 << 13)) >> 14; - dctint t3a = (IN( 8) * 15137 + IN(24) * 6270 + (1 << 13)) >> 14; - dctint t4a = (IN( 4) * 3196 - IN(28) * 16069 + (1 << 13)) >> 14; - dctint t7a = (IN( 4) * 16069 + IN(28) * 3196 + (1 << 13)) >> 14; - dctint t5a = (IN(20) * 13623 - IN(12) * 9102 + (1 << 13)) >> 14; - dctint t6a = (IN(20) * 9102 + IN(12) * 13623 + (1 << 13)) >> 14; - dctint t8a = (IN( 2) * 1606 - IN(30) * 16305 + (1 << 13)) >> 14; - dctint t15a = (IN( 2) * 16305 + IN(30) * 1606 + (1 << 13)) >> 14; - dctint t9a = (IN(18) * 12665 - IN(14) * 10394 + (1 << 13)) >> 14; - dctint t14a = (IN(18) * 10394 + IN(14) * 12665 + (1 << 13)) >> 14; - dctint t10a = (IN(10) * 7723 - IN(22) * 14449 + (1 << 13)) >> 14; - dctint t13a = (IN(10) * 14449 + IN(22) * 7723 + (1 << 13)) >> 14; - dctint t11a = (IN(26) * 15679 - IN( 6) * 4756 + (1 << 13)) >> 14; - dctint t12a = (IN(26) * 4756 + IN( 6) * 15679 + (1 << 13)) >> 14; - dctint t16a = (IN( 1) * 804 - IN(31) * 16364 + (1 << 13)) >> 14; - dctint t31a = (IN( 1) * 16364 + IN(31) * 804 + (1 << 13)) >> 14; - dctint t17a = (IN(17) * 12140 - IN(15) * 11003 + (1 << 13)) >> 14; - dctint t30a = (IN(17) * 11003 + IN(15) * 12140 + (1 << 13)) >> 14; - dctint t18a = (IN( 9) * 7005 - IN(23) * 14811 + (1 << 13)) >> 14; - dctint t29a = (IN( 9) * 14811 + IN(23) * 7005 + (1 << 13)) >> 14; - dctint t19a = (IN(25) * 15426 - IN( 7) * 5520 + (1 << 13)) >> 14; - dctint t28a = (IN(25) * 5520 + IN( 7) * 15426 + (1 << 13)) >> 14; - dctint t20a = (IN( 5) * 3981 - IN(27) * 15893 + (1 << 13)) >> 14; - dctint t27a = (IN( 5) * 15893 + IN(27) * 3981 + (1 << 13)) >> 14; - dctint t21a = (IN(21) * 14053 - IN(11) * 8423 + (1 << 13)) >> 14; - dctint t26a = (IN(21) * 8423 + IN(11) 
* 14053 + (1 << 13)) >> 14; - dctint t22a = (IN(13) * 9760 - IN(19) * 13160 + (1 << 13)) >> 14; - dctint t25a = (IN(13) * 13160 + IN(19) * 9760 + (1 << 13)) >> 14; - dctint t23a = (IN(29) * 16207 - IN( 3) * 2404 + (1 << 13)) >> 14; - dctint t24a = (IN(29) * 2404 + IN( 3) * 16207 + (1 << 13)) >> 14; + dctint t0a = (dctint)((IN(0) + IN(16)) * 11585U + (1 << 13)) >> 14; + dctint t1a = (dctint)((IN(0) - IN(16)) * 11585U + (1 << 13)) >> 14; + dctint t2a = (dctint)(IN( 8) * 6270U - IN(24) * 15137U + (1 << 13)) >> 14; + dctint t3a = (dctint)(IN( 8) * 15137U + IN(24) * 6270U + (1 << 13)) >> 14; + dctint t4a = (dctint)(IN( 4) * 3196U - IN(28) * 16069U + (1 << 13)) >> 14; + dctint t7a = (dctint)(IN( 4) * 16069U + IN(28) * 3196U + (1 << 13)) >> 14; + dctint t5a = (dctint)(IN(20) * 13623U - IN(12) * 9102U + (1 << 13)) >> 14; + dctint t6a = (dctint)(IN(20) * 9102U + IN(12) * 13623U + (1 << 13)) >> 14; + dctint t8a = (dctint)(IN( 2) * 1606U - IN(30) * 16305U + (1 << 13)) >> 14; + dctint t15a = (dctint)(IN( 2) * 16305U + IN(30) * 1606U + (1 << 13)) >> 14; + dctint t9a = (dctint)(IN(18) * 12665U - IN(14) * 10394U + (1 << 13)) >> 14; + dctint t14a = (dctint)(IN(18) * 10394U + IN(14) * 12665U + (1 << 13)) >> 14; + dctint t10a = (dctint)(IN(10) * 7723U - IN(22) * 14449U + (1 << 13)) >> 14; + dctint t13a = (dctint)(IN(10) * 14449U + IN(22) * 7723U + (1 << 13)) >> 14; + dctint t11a = (dctint)(IN(26) * 15679U - IN( 6) * 4756U + (1 << 13)) >> 14; + dctint t12a = (dctint)(IN(26) * 4756U + IN( 6) * 15679U + (1 << 13)) >> 14; + dctint t16a = (dctint)(IN( 1) * 804U - IN(31) * 16364U + (1 << 13)) >> 14; + dctint t31a = (dctint)(IN( 1) * 16364U + IN(31) * 804U + (1 << 13)) >> 14; + dctint t17a = (dctint)(IN(17) * 12140U - IN(15) * 11003U + (1 << 13)) >> 14; + dctint t30a = (dctint)(IN(17) * 11003U + IN(15) * 12140U + (1 << 13)) >> 14; + dctint t18a = (dctint)(IN( 9) * 7005U - IN(23) * 14811U + (1 << 13)) >> 14; + dctint t29a = (dctint)(IN( 9) * 14811U + IN(23) * 7005U + (1 << 13)) >> 14; + 
dctint t19a = (dctint)(IN(25) * 15426U - IN( 7) * 5520U + (1 << 13)) >> 14; + dctint t28a = (dctint)(IN(25) * 5520U + IN( 7) * 15426U + (1 << 13)) >> 14; + dctint t20a = (dctint)(IN( 5) * 3981U - IN(27) * 15893U + (1 << 13)) >> 14; + dctint t27a = (dctint)(IN( 5) * 15893U + IN(27) * 3981U + (1 << 13)) >> 14; + dctint t21a = (dctint)(IN(21) * 14053U - IN(11) * 8423U + (1 << 13)) >> 14; + dctint t26a = (dctint)(IN(21) * 8423U + IN(11) * 14053U + (1 << 13)) >> 14; + dctint t22a = (dctint)(IN(13) * 9760U - IN(19) * 13160U + (1 << 13)) >> 14; + dctint t25a = (dctint)(IN(13) * 13160U + IN(19) * 9760U + (1 << 13)) >> 14; + dctint t23a = (dctint)(IN(29) * 16207U - IN( 3) * 2404U + (1 << 13)) >> 14; + dctint t24a = (dctint)(IN(29) * 2404U + IN( 3) * 16207U + (1 << 13)) >> 14; dctint t0 = t0a + t3a; dctint t1 = t1a + t2a; 
@@ -1545,20 +1545,20 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, dctint t30 = t31a - t30a; dctint t31 = t31a + t30a; - t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14; - t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14; - t9a = ( t14 * 6270 - t9 * 15137 + (1 << 13)) >> 14; - t14a = ( t14 * 15137 + t9 * 6270 + (1 << 13)) >> 14; - t10a = (-(t13 * 15137 + t10 * 6270) + (1 << 13)) >> 14; - t13a = ( t13 * 6270 - t10 * 15137 + (1 << 13)) >> 14; - t17a = ( t30 * 3196 - t17 * 16069 + (1 << 13)) >> 14; - t30a = ( t30 * 16069 + t17 * 3196 + (1 << 13)) >> 14; - t18a = (-(t29 * 16069 + t18 * 3196) + (1 << 13)) >> 14; - t29a = ( t29 * 3196 - t18 * 16069 + (1 << 13)) >> 14; - t21a = ( t26 * 13623 - t21 * 9102 + (1 << 13)) >> 14; - t26a = ( t26 * 9102 + t21 * 13623 + (1 << 13)) >> 14; - t22a = (-(t25 * 9102 + t22 * 13623) + (1 << 13)) >> 14; - t25a = ( t25 * 13623 - t22 * 9102 + (1 << 13)) >> 14; + t5a = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14; + t6a = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14; + t9a = (dctint)( t14 * 6270U - t9 * 15137U + (1 << 13)) >> 14; + t14a = (dctint)( t14 * 15137U + t9 * 6270U + (1 << 13)) >> 14; + t10a = (dctint)(-(t13 * 15137U + t10 * 6270U) + (1 << 13)) >> 14; + t13a = (dctint)( t13 * 6270U - t10 * 15137U + (1 << 13)) >> 14; + t17a = (dctint)( t30 * 3196U - t17 * 16069U + (1 << 13)) >> 14; + t30a = (dctint)( t30 * 16069U + t17 * 3196U + (1 << 13)) >> 14; + t18a = (dctint)(-(t29 * 16069U + t18 * 3196U) + (1 << 13)) >> 14; + t29a = (dctint)( t29 * 3196U - t18 * 16069U + (1 << 13)) >> 14; + t21a = (dctint)( t26 * 13623U - t21 * 9102U + (1 << 13)) >> 14; + t26a = (dctint)( t26 * 9102U + t21 * 13623U + (1 << 13)) >> 14; + t22a = (dctint)(-(t25 * 9102U + t22 * 13623U) + (1 << 13)) >> 14; + t25a = (dctint)( t25 * 13623U - t22 * 9102U + (1 << 13)) >> 14; t0a = t0 + t7; t1a = t1 + t6a; 
@@ -1593,18 +1593,18 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, t30 = t30a + t29a; t31a = t31 + t28; - t10a = ((t13 - t10) * 11585 + (1 << 13)) >> 14; - t13a = ((t13 + t10) * 11585 + (1 << 13)) >> 14; - t11 = ((t12a - t11a) * 11585 + (1 << 13)) >> 14; - t12 = ((t12a + t11a) * 11585 + (1 << 13)) >> 14; - t18a = ( t29 * 6270 - t18 * 15137 + (1 << 13)) >> 14; - t29a = ( t29 * 15137 + t18 * 6270 + (1 << 13)) >> 14; - t19 = ( t28a * 6270 - t19a * 15137 + (1 << 13)) >> 14; - t28 = ( t28a * 15137 + t19a * 6270 + (1 << 13)) >> 14; - t20 = (-(t27a * 15137 + t20a * 6270) + (1 << 13)) >> 14; - t27 = ( t27a * 6270 - t20a * 15137 + (1 << 13)) >> 14; - t21a = (-(t26 * 15137 + t21 * 6270) + (1 << 13)) >> 14; - t26a = ( t26 * 6270 - t21 * 15137 + (1 << 13)) >> 14; + t10a = (dctint)((t13 - t10) * 11585U + (1 << 13)) >> 14; + t13a = (dctint)((t13 + t10) * 11585U + (1 << 13)) >> 14; + t11 = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14; + t12 = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14; + t18a = (dctint)( t29 * 6270U - t18 * 15137U + (1 << 13)) >> 14; + t29a = (dctint)( t29 * 15137U + t18 * 6270U + (1 << 13)) >> 14; + t19 = (dctint)( t28a * 6270U - t19a * 15137U + (1 << 13)) >> 14; + t28 = (dctint)( t28a * 15137U + t19a * 6270U + (1 << 13)) >> 14; + t20 = (dctint)(-(t27a * 15137U + t20a * 6270U) + (1 << 13)) >> 14; + t27 = (dctint)( t27a * 6270U - t20a * 15137U + (1 << 13)) >> 14; + t21a = (dctint)(-(t26 * 15137U + t21 * 6270U) + (1 << 13)) >> 14; + t26a = (dctint)( t26 * 6270U - t21 * 15137U + (1 << 13)) >> 14; t0 = t0a + t15a; t1 = t1a + t14; 
@@ -1639,14 +1639,14 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, t30a = t30 + t25; t31 = t31a + t24a; - t20 = ((t27a - t20a) * 11585 + (1 << 13)) >> 14; - t27 = ((t27a + t20a) * 11585 + (1 << 13)) >> 14; - t21a = ((t26 - t21 ) * 11585 + (1 << 13)) >> 14; - t26a = ((t26 + t21 ) * 11585 + (1 << 13)) >> 14; - t22 = ((t25a - t22a) * 11585 + (1 << 13)) >> 14; - t25 = ((t25a + t22a) * 11585 + (1 << 13)) >> 14; - t23a = ((t24 - t23 ) * 11585 + (1 << 13)) >> 14; - t24a = ((t24 + t23 ) * 11585 + (1 << 13)) >> 14; + t20 = (dctint)((t27a - t20a) * 11585U + (1 << 13)) >> 14; + t27 = (dctint)((t27a + t20a) * 11585U + (1 << 13)) >> 14; + t21a = (dctint)((t26 - t21 ) * 11585U + (1 << 13)) >> 14; + t26a = (dctint)((t26 + t21 ) * 11585U + (1 << 13)) >> 14; + t22 = (dctint)((t25a - t22a) * 11585U + (1 << 13)) >> 14; + t25 = (dctint)((t25a + t22a) * 11585U + (1 << 13)) >> 14; + t23a = (dctint)((t24 - t23 ) * 11585U + (1 << 13)) >> 14; + t24a = (dctint)((t24 + t23 ) * 11585U + (1 << 13)) >> 14; out[ 0] = t0 + t31; out[ 1] = t1 + t30a; diff --git a/lib/ffmpeg/libavcodec/vqavideo.c b/lib/ffmpeg/libavcodec/vqavideo.c index 3ed9652d3..0e42cbb25 100644 --- a/lib/ffmpeg/libavcodec/vqavideo.c +++ b/lib/ffmpeg/libavcodec/vqavideo.c @@ -147,7 +147,7 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) } s->width = AV_RL16(&s->avctx->extradata[6]); s->height = AV_RL16(&s->avctx->extradata[8]); - if ((ret = av_image_check_size(s->width, s->height, 0, avctx)) < 0) { + if ((ret = ff_set_dimensions(avctx, s->width, s->height)) < 0) { s->width= s->height= 0; return ret; } diff --git a/lib/ffmpeg/libavcodec/wavpack.c b/lib/ffmpeg/libavcodec/wavpack.c index 50b5db55f..3748ac89c 100644 --- a/lib/ffmpeg/libavcodec/wavpack.c +++ b/lib/ffmpeg/libavcodec/wavpack.c 
@@ -85,7 +85,7 @@ typedef struct WavpackContext { #define LEVEL_DECAY(a) (((a) + 0x80) >> 8) -static av_always_inline int get_tail(GetBitContext *gb, int k) +static av_always_inline unsigned get_tail(GetBitContext *gb, int k) { int p, e, res; diff --git a/lib/ffmpeg/libavcodec/wavpack.h b/lib/ffmpeg/libavcodec/wavpack.h index c71006112..7fd366a73 100644 --- a/lib/ffmpeg/libavcodec/wavpack.h +++ b/lib/ffmpeg/libavcodec/wavpack.h @@ -99,8 +99,8 @@ typedef struct WvChannel { // macros for manipulating median values #define GET_MED(n) ((c->median[n] >> 4) + 1) -#define DEC_MED(n) c->median[n] -= ((c->median[n] + (128 >> (n)) - 2) / (128 >> (n))) * 2 -#define INC_MED(n) c->median[n] += ((c->median[n] + (128 >> (n)) ) / (128 >> (n))) * 5 +#define DEC_MED(n) c->median[n] -= ((int)(c->median[n] + (128U >> (n)) - 2) / (128 >> (n))) * 2U +#define INC_MED(n) c->median[n] += ((int)(c->median[n] + (128U >> (n)) ) / (128 >> (n))) * 5U // macros for applying weight #define UPDATE_WEIGHT_CLIP(weight, delta, samples, in) \ diff --git a/lib/ffmpeg/libavcodec/webp.c b/lib/ffmpeg/libavcodec/webp.c index 1b3b68c12..ead8ef521 100644 --- a/lib/ffmpeg/libavcodec/webp.c +++ b/lib/ffmpeg/libavcodec/webp.c @@ -664,6 +664,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, while (y < img->frame->height) { int v; + if (get_bits_left(&s->gb) < 0) + return AVERROR_INVALIDDATA; + hg = get_huffman_group(s, img, x, y); v = huff_reader_get_symbol(&hg[HUFF_IDX_GREEN], &s->gb); if (v < NUM_LITERAL_CODES) { diff --git a/lib/ffmpeg/libavcodec/wma.h b/lib/ffmpeg/libavcodec/wma.h index 4aad713fa..3126df7eb 100644 --- a/lib/ffmpeg/libavcodec/wma.h +++ b/lib/ffmpeg/libavcodec/wma.h 
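Review bot: The new `get_bits_left(&s->gb) < 0` check in decode_entropy_coded_image only notices an overrun at the top of the next iteration, after the previous iteration's symbol reads have already consumed bits past the end; that is safe only because the bit reader runs on a padded buffer. A comment on the check would make the dependency explicit: `/* negative means the previous iteration read past the end; the reader is bounded by input padding, so reject rather than decode garbage */`. In the wavpack hunk, get_tail's return type is now `unsigned` but `res` is still computed as `int`, so if the overflow being fixed is inside get_tail (its body is outside the hunk) the return-type change alone does not address it. The webp loop body and both functions continue outside the hunk.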
@@ -123,6 +123,7 @@ typedef struct WMACodecContext { uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; /* padding added */ int last_bitoffset; int last_superframe_len; + int exponents_initialized[MAX_CHANNELS]; float noise_table[NOISE_TAB_SIZE]; int noise_index; float noise_mult; /* XXX: suppress that and integrate it in the noise array */ diff --git a/lib/ffmpeg/libavcodec/wmadec.c b/lib/ffmpeg/libavcodec/wmadec.c index e814007ea..745e29b34 100644 --- a/lib/ffmpeg/libavcodec/wmadec.c +++ b/lib/ffmpeg/libavcodec/wmadec.c @@ -584,10 +584,16 @@ static int wma_decode_block(WMACodecContext *s) decode_exp_lsp(s, ch); } s->exponents_bsize[ch] = bsize; + s->exponents_initialized[ch] = 1; } } } + for (ch = 0; ch < s->avctx->channels; ch++) { + if (s->channel_coded[ch] && !s->exponents_initialized[ch]) + return AVERROR_INVALIDDATA; + } + /* parse spectral coefficients : just RLE encoding */ for (ch = 0; ch < s->avctx->channels; ch++) { if (s->channel_coded[ch]) { diff --git a/lib/ffmpeg/libavcodec/wmalosslessdec.c b/lib/ffmpeg/libavcodec/wmalosslessdec.c index 601ea3c93..9243e6dec 100644 --- a/lib/ffmpeg/libavcodec/wmalosslessdec.c +++ b/lib/ffmpeg/libavcodec/wmalosslessdec.c @@ -163,7 +163,7 @@ typedef struct WmallDecodeCtx { int transient_pos[WMALL_MAX_CHANNELS]; int seekable_tile; - int ave_sum[WMALL_MAX_CHANNELS]; + unsigned ave_sum[WMALL_MAX_CHANNELS]; int channel_residues[WMALL_MAX_CHANNELS][WMALL_BLOCK_MAX_SIZE]; 
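Review bot: `exponents_initialized[ch]` is set in wma_decode_block but never cleared, so after the first successfully decoded exponent set a channel passes the new check for the rest of the stream, including across a flush; that is presumably intended (the old exponents are still valid data), but nothing says so. Suggest documenting the field in wma.h: `int exponents_initialized[MAX_CHANNELS]; ///< set once exponents[ch] has held decoded data; never cleared, guards the spectral decode against reading uninitialized exponents`. The check loop indexes by `s->avctx->channels`, which must already be bounded by MAX_CHANNELS at init (outside this hunk) for the array access to be safe. wma_decode_block starts and ends outside the hunk.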
@@ -185,11 +185,21 @@ static av_cold int decode_init(AVCodecContext *avctx) unsigned int channel_mask; int i, log2_max_num_subframes; - if (!avctx->block_align) { - av_log(avctx, AV_LOG_ERROR, "block_align is not set\n"); + if (avctx->block_align <= 0 || avctx->block_align > (1<<21)) { + av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n"); return AVERROR(EINVAL); } + if (avctx->channels < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", + avctx->channels); + return AVERROR_INVALIDDATA; + } else if (avctx->channels > WMALL_MAX_CHANNELS) { + avpriv_request_sample(avctx, + "More than %d channels", WMALL_MAX_CHANNELS); + return AVERROR_PATCHWELCOME; + } + s->avctx = avctx; ff_llauddsp_init(&s->dsp); init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); @@ -263,16 +273,6 @@ static av_cold int decode_init(AVCodecContext *avctx) ++s->lfe_channel; } - if (s->num_channels < 0) { - av_log(avctx, AV_LOG_ERROR, "invalid number of channels %"PRId8"\n", - s->num_channels); - return AVERROR_INVALIDDATA; - } else if (s->num_channels > WMALL_MAX_CHANNELS) { - avpriv_request_sample(avctx, - "More than %d channels", WMALL_MAX_CHANNELS); - return AVERROR_PATCHWELCOME; - } - s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); @@ -625,7 +625,7 @@ static void mclms_update(WmallDecodeCtx *s, int icoef, int *pred) int range = 1 << (s->bits_per_sample - 1); for (ich = 0; ich < num_channels; ich++) { - pred_error = s->channel_residues[ich][icoef] - pred[ich]; + pred_error = s->channel_residues[ich][icoef] - (unsigned)pred[ich]; if (pred_error > 0) { for (i = 0; i < order * num_channels; i++) s->mclms_coeffs[i + ich * order * num_channels] += 
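Review bot: The new channel guard in decode_init rejects `avctx->channels < 0` and `> WMALL_MAX_CHANNELS` but still accepts zero, which the removed `s->num_channels < 0` check did not reject either; unless something later in decode_init (outside the hunk) fails for an empty channel set, a zero-channel stream would reach the per-channel loops with nothing to decode. If that is not already handled, `if (avctx->channels <= 0)` with the same log message closes it. The block_align ceiling `1<<21` is a magic number and deserves a short comment naming where the bound comes from (frame buffer size or a format limit). decode_init continues outside the hunk.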
@@ -675,9 +675,9 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred) for (i = 0; i < ich; i++) pred[ich] += s->channel_residues[i][icoef] * s->mclms_coeffs_cur[i + num_channels * ich]; - pred[ich] += 1 << s->mclms_scaling - 1; + pred[ich] += (1U << s->mclms_scaling) >> 1; pred[ich] >>= s->mclms_scaling; - s->channel_residues[ich][icoef] += pred[ich]; + s->channel_residues[ich][icoef] += (unsigned)pred[ich]; } } @@ -784,8 +784,8 @@ static void revert_inter_ch_decorr(WmallDecodeCtx *s, int tile_size) else if (s->is_channel_coded[0] || s->is_channel_coded[1]) { int icoef; for (icoef = 0; icoef < tile_size; icoef++) { - s->channel_residues[0][icoef] -= s->channel_residues[1][icoef] >> 1; - s->channel_residues[1][icoef] += s->channel_residues[0][icoef]; + s->channel_residues[0][icoef] -= (unsigned)(s->channel_residues[1][icoef] >> 1); + s->channel_residues[1][icoef] += (unsigned) s->channel_residues[0][icoef]; } } } @@ -803,22 +803,25 @@ static void revert_acfilter(WmallDecodeCtx *s, int tile_size) pred = 0; for (j = 0; j < order; j++) { if (i <= j) - pred += filter_coeffs[j] * prevvalues[j - i]; + pred += (uint32_t)filter_coeffs[j] * prevvalues[j - i]; else - pred += s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; + pred += (uint32_t)s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; } pred >>= scaling; - s->channel_residues[ich][i] += pred; + s->channel_residues[ich][i] += (unsigned)pred; } for (i = order; i < tile_size; i++) { pred = 0; for (j = 0; j < order; j++) pred += s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; pred >>= scaling; - s->channel_residues[ich][i] += pred; + s->channel_residues[ich][i] += (unsigned)pred; } - for (j = 0; j < order; j++) - prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; + for (j = order - 1; j >= 0; j--) + if (tile_size <= j) { + prevvalues[j] = prevvalues[j - tile_size]; + }else + prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; } } 
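Review bot: The rewritten prevvalues loop in revert_acfilter now copes with `tile_size < order` by shifting the old history down, but the first prediction loop above it (its header is outside the hunk; only the `i <= j` body is visible) still appears to iterate `i` up to `order` and writes `s->channel_residues[ich][i]`; if its bound is `order` rather than `FFMIN(order, tile_size)` it touches residues beyond the current tile in exactly the short-tile case this hunk handles. Please confirm the bound or clamp it. A comment on the new loop would also help: `/* tile shorter than the filter order: keep the tail of the previous history */`.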
@@ -919,6 +922,8 @@ static int decode_subframe(WmallDecodeCtx *s) s->do_lpc = 0; } + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) padding_zeroes = get_bits(&s->gb, 5); @@ -1129,6 +1134,7 @@ static void save_bits(WmallDecodeCtx *s, GetBitContext* gb, int len, if (len <= 0 || buflen > MAX_FRAMESIZE) { avpriv_request_sample(s->avctx, "Too small input buffer"); s->packet_loss = 1; + s->num_saved_bits = 0; return; } @@ -1237,7 +1243,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, (frame_size = show_bits(gb, s->log2_frame_size)) && frame_size <= remaining_bits(s, gb)) { save_bits(s, gb, frame_size, 0); - s->packet_done = !decode_frame(s); + + if (!s->packet_loss) + s->packet_done = !decode_frame(s); } else if (!s->len_prefix && s->num_saved_bits > get_bits_count(&s->gb)) { /* when the frames do not have a length prefix, we don't know the diff --git a/lib/ffmpeg/libavcodec/wmaprodec.c b/lib/ffmpeg/libavcodec/wmaprodec.c index 6f5a1706e..9f74914b2 100644 --- a/lib/ffmpeg/libavcodec/wmaprodec.c +++ b/lib/ffmpeg/libavcodec/wmaprodec.c @@ -471,7 +471,7 @@ static av_cold int decode_init(AVCodecContext *avctx) for (i = 0; i < WMAPRO_BLOCK_SIZES; i++) ff_mdct_init(&s->mdct_ctx[i], WMAPRO_BLOCK_MIN_BITS+1+i, 1, 1.0 / (1 << (WMAPRO_BLOCK_MIN_BITS + i - 1)) - / (1 << (s->bits_per_sample - 1))); + / (1ll << (s->bits_per_sample - 1))); /** init MDCT windows: simple sine window */ for (i = 0; i < WMAPRO_BLOCK_SIZES; i++) { @@ -1488,9 +1488,9 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, s->frame_offset = get_bits_count(gb) & 7; s->num_saved_bits = s->frame_offset; init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); - } - - buflen = (put_bits_count(&s->pb) + len + 8) >> 3; + buflen = (s->num_saved_bits + len + 7) >> 3; + } else + buflen = (put_bits_count(&s->pb) + len + 7) >> 3; if (len <= 0 || buflen > MAX_FRAMESIZE) { avpriv_request_sample(s->avctx, "Too small input buffer"); 
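Review bot: The added `get_bits_left(&s->gb) < 1` check in decode_subframe protects only the one-bit flag; when that bit is set the following `get_bits(&s->gb, 5)` for padding_zeroes can still run with fewer than five bits left. Moving the guard inside the branch, `if (get_bits1(&s->gb)) { if (get_bits_left(&s->gb) < 5) return AVERROR_INVALIDDATA; padding_zeroes = get_bits(&s->gb, 5); }`, covers the whole read without rejecting streams that legitimately end right after a zero flag. decode_subframe starts and ends outside the hunk.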
@@ -1548,6 +1548,7 @@ static int decode_packet(AVCodecContext *avctx, void *data, if (buf_size < avctx->block_align) { av_log(avctx, AV_LOG_ERROR, "Input packet too small (%d < %d)\n", buf_size, avctx->block_align); + s->packet_loss = 1; return AVERROR_INVALIDDATA; } @@ -1606,6 +1607,12 @@ static int decode_packet(AVCodecContext *avctx, void *data, } else { int frame_size; + + if (avpkt->size < s->next_packet_start) { + s->packet_loss = 1; + return AVERROR_INVALIDDATA; + } + s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3; init_get_bits(gb, avpkt->data, s->buf_bit_size); skip_bits(gb, s->packet_offset); diff --git a/lib/ffmpeg/libavcodec/wmavoice.c b/lib/ffmpeg/libavcodec/wmavoice.c index 029dfdd8b..1ab93bb19 100644 --- a/lib/ffmpeg/libavcodec/wmavoice.c +++ b/lib/ffmpeg/libavcodec/wmavoice.c @@ -405,6 +405,9 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) return AVERROR_INVALIDDATA; } + if (ctx->sample_rate >= INT_MAX / (256 * 37)) + return AVERROR_INVALIDDATA; + s->min_pitch_val = ((ctx->sample_rate << 8) / 400 + 50) >> 8; s->max_pitch_val = ((ctx->sample_rate << 8) * 37 / 2000 + 50) >> 8; pitch_range = s->max_pitch_val - s->min_pitch_val; @@ -604,12 +607,14 @@ static void calc_input_response(WMAVoiceContext *s, float *lpcs, for (n = 0; n <= 64; n++) { float pwr; - idx = FFMAX(0, lrint((max - lpcs[n]) * irange) - 1); + idx = lrint((max - lpcs[n]) * irange - 1); + idx = FFMAX(0, idx); pwr = wmavoice_denoise_power_table[s->denoise_strength][idx]; lpcs[n] = angle_mul * pwr; /* 70.57 =~ 1/log10(1.0331663) */ - idx = (pwr * gain_mul - 0.0295) * 70.570526123; + idx = av_clipf((pwr * gain_mul - 0.0295) * 70.570526123, 0, INT_MAX / 2); + if (idx > 127) { // fall back if index falls outside table range coeffs[n] = wmavoice_energy_table[127] * powf(1.0331663, idx - 127); 
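Review bot: In calc_input_response the `INT_MAX / 2` clamp on `idx` keeps the float-to-int conversion defined but still lets `powf(1.0331663, idx - 127)` overflow to infinity for large idx (the base reaches FLT_MAX at an exponent of a few thousand), and that value lands in `coeffs[n]`; whether a non-finite coefficient is harmless downstream is not visible here. If the fall-back is meant to saturate, a tighter bound or a comment stating that inf is acceptable would make the intent clear, e.g. `/* idx above 127 is outside the table; extrapolate, may saturate to inf */`. The function continues outside the hunk.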
@@ -1494,7 +1499,7 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, /* "pitch-diff-per-sample" for calculation of pitch per sample */ s->pitch_diff_sh16 = - ((cur_pitch_val - s->last_pitch_val) << 16) / MAX_FRAMESIZE; + (cur_pitch_val - s->last_pitch_val) * (1 << 16) / MAX_FRAMESIZE; } /* Global gain (if silence) and pitch-adaptive window coordinates */ @@ -1889,6 +1894,9 @@ static int parse_packet_header(WMAVoiceContext *s) skip_bits(gb, 4); // packet sequence number s->has_residual_lsps = get_bits1(gb); do { + if (get_bits_left(gb) < 6 + s->spillover_bitsize) + return AVERROR_INVALIDDATA; + res = get_bits(gb, 6); // number of superframes per packet // (minus first one if there is spillover) if (get_bits_left(gb) < 6 * (res == 0x3F) + s->spillover_bitsize) diff --git a/lib/ffmpeg/libavcodec/wmv2dec.c b/lib/ffmpeg/libavcodec/wmv2dec.c index 98df38150..22fcd0388 100644 --- a/lib/ffmpeg/libavcodec/wmv2dec.c +++ b/lib/ffmpeg/libavcodec/wmv2dec.c @@ -166,6 +166,14 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) } s->dc_table_index = get_bits1(&s->gb); + + // at minimum one bit per macroblock is required at least in a valid frame, + // we discard frames much smaller than this. Frames smaller than 1/8 of the + // smallest "black/skip" frame generally contain not much recoverable content + // while at the same time they have the highest computational requirements + // per byte + if (get_bits_left(&s->gb) * 8LL < (s->width+15)/16 * ((s->height+15)/16)) + return AVERROR_INVALIDDATA; } s->inter_intra_pred = 0; s->no_rounding = 1; diff --git a/lib/ffmpeg/libavcodec/xvididct.c b/lib/ffmpeg/libavcodec/xvididct.c index 1f96ccc35..54cf548b5 100644 --- a/lib/ffmpeg/libavcodec/xvididct.c +++ b/lib/ffmpeg/libavcodec/xvididct.c 
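Review bot: The comment above the new size check in ff_wmv2_decode_secondary_picture_header is hard to parse ("at minimum one bit per macroblock is required at least in a valid frame") and the check returns AVERROR_INVALIDDATA silently, so a user only sees a dropped frame with no explanation. Suggest tightening it to `// a valid frame needs at least one bit per macroblock; frames with fewer than one bit per 8 macroblocks carry nothing recoverable yet cost the most CPU per byte, so drop them` and emitting an `av_log(s->avctx, AV_LOG_ERROR, ...)` with the bit count and macroblock count before the return. The function starts and ends outside the hunk.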
@@ -115,24 +115,24 @@ static int idct_row(short *in, const int *const tab, int rnd) in[6] = a1; } else { const int k = c4 * in[0] + rnd; - const int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; - const int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; - const int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; - const int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6]; - - const int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7]; - const int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7]; - const int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7]; - const int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7]; - - in[0] = (a0 + b0) >> ROW_SHIFT; - in[1] = (a1 + b1) >> ROW_SHIFT; - in[2] = (a2 + b2) >> ROW_SHIFT; - in[3] = (a3 + b3) >> ROW_SHIFT; - in[4] = (a3 - b3) >> ROW_SHIFT; - in[5] = (a2 - b2) >> ROW_SHIFT; - in[6] = (a1 - b1) >> ROW_SHIFT; - in[7] = (a0 - b0) >> ROW_SHIFT; + const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; + const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; + const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; + const unsigned int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6]; + + const unsigned int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7]; + const unsigned int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7]; + const unsigned int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7]; + const unsigned int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7]; + + in[0] = (int)(a0 + b0) >> ROW_SHIFT; + in[1] = (int)(a1 + b1) >> ROW_SHIFT; + in[2] = (int)(a2 + b2) >> ROW_SHIFT; + in[3] = (int)(a3 + b3) >> ROW_SHIFT; + in[4] = (int)(a3 - b3) >> ROW_SHIFT; + in[5] = (int)(a2 - b2) >> ROW_SHIFT; + in[6] = (int)(a1 - b1) >> ROW_SHIFT; + in[7] = (int)(a0 - b0) >> ROW_SHIFT; } return 1; } 
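Review bot: Changing `a0`..`b3` to `unsigned int` does not remove the overflow this hunk targets: the right-hand sides such as `k + c2 * in[2] + c4 * in[4] + c6 * in[6]` are still evaluated in signed int (`k` is `const int`, `in[]` is short promoted to int, and c1..c7 are presumably int — their declarations are outside the hunk), and only the finished sum is converted; just the later `a0 + b0` additions are actually unsigned. To make the whole chain defined, cast the operands, e.g. `const unsigned int a0 = (unsigned)k + c2 * (unsigned)in[2] + c4 * (unsigned)in[4] + c6 * (unsigned)in[6];`, and likewise for the other seven. idct_row starts and ends outside the hunk.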
@@ -142,7 +142,7 @@ static int idct_row(short *in, const int *const tab, int rnd) #define TAN3 0xAB0E #define SQRT2 0x5A82 -#define MULT(c, x, n) (((c) * (x)) >> (n)) +#define MULT(c, x, n) ((unsigned)((int)((c) * (unsigned)(x)) >> (n))) // 12b version => #define MULT(c,x, n) ((((c) >> 3) * (x)) >> ((n) - 3)) // 12b zero-testing version: diff --git a/lib/ffmpeg/libavcodec/xwddec.c b/lib/ffmpeg/libavcodec/xwddec.c index 8b0845fc0..25c64e0e1 100644 --- a/lib/ffmpeg/libavcodec/xwddec.c +++ b/lib/ffmpeg/libavcodec/xwddec.c @@ -39,6 +39,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, uint32_t pixformat, pixdepth, bunit, bitorder, bpad; uint32_t rgb[3]; uint8_t *ptr; + int width, height; GetByteContext gb; if (buf_size < XWD_HEADER_SIZE) @@ -60,8 +61,8 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, pixformat = bytestream2_get_be32u(&gb); pixdepth = bytestream2_get_be32u(&gb); - avctx->width = bytestream2_get_be32u(&gb); - avctx->height = bytestream2_get_be32u(&gb); + width = bytestream2_get_be32u(&gb); + height = bytestream2_get_be32u(&gb); xoffset = bytestream2_get_be32u(&gb); be = bytestream2_get_be32u(&gb); bunit = bytestream2_get_be32u(&gb); @@ -77,6 +78,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, ncolors = bytestream2_get_be32u(&gb); bytestream2_skipu(&gb, header_size - (XWD_HEADER_SIZE - 20)); + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) + return ret; + av_log(avctx, AV_LOG_DEBUG, "pixformat %"PRIu32", pixdepth %"PRIu32", bunit %"PRIu32", bitorder %"PRIu32", bpad %"PRIu32"\n", pixformat, pixdepth, bunit, bitorder, bpad); diff --git a/lib/ffmpeg/libavcodec/zmbv.c b/lib/ffmpeg/libavcodec/zmbv.c index 39a08db0e..41525cc08 100644 --- a/lib/ffmpeg/libavcodec/zmbv.c +++ b/lib/ffmpeg/libavcodec/zmbv.c 
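Review bot: The rewritten MULT macro casts the unsigned product back to `int` before the `>> (n)`, so it still depends on an arithmetic right shift of a possibly negative value, which is implementation-defined rather than undefined; acceptable for gcc/clang, but worth stating since the point of the change is defined behaviour: `// unsigned multiply avoids signed overflow; the (int) cast then relies on arithmetic >> of negatives (implementation-defined, true on all supported compilers)`. In the xwddec hunk, deferring `ff_set_dimensions` until after the header skip is fine, but a one-line note that the dimensions are validated before any size-dependent allocation would help a reader. idct_row and xwd_decode_frame continue outside the hunks.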
@@ -408,6 +408,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int zret = Z_OK; // Zlib return code int len = buf_size; int hi_ver, lo_ver, ret; + int expected_size; /* parse header */ if (len < 1) @@ -504,6 +505,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8)); c->decode_intra= decode_intra; } + if (c->flags & ZMBV_KEYFRAME) { + expected_size = avctx->width * avctx->height * (c->bpp / 8); + } else { + expected_size = (c->bx * c->by * 2 + 3) & ~3; + } + if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && + (c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME))) + expected_size += 768; if (!c->decode_intra) { av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n"); @@ -519,6 +528,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac return AVERROR_INVALIDDATA; } memcpy(c->decomp_buf, buf, len); + c->decomp_len = len; } else { // ZLIB-compressed data c->zstream.total_in = c->zstream.total_out = 0; c->zstream.next_in = (uint8_t*)buf; @@ -532,6 +542,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } c->decomp_len = c->zstream.total_out; } + if (expected_size > c->decomp_len || + (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) { + av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size); + return AVERROR_INVALIDDATA; + } if (c->flags & ZMBV_KEYFRAME) { frame->key_frame = 1; frame->pict_type = AV_PICTURE_TYPE_I; diff --git a/lib/ffmpeg/libavfilter/af_silenceremove.c b/lib/ffmpeg/libavfilter/af_silenceremove.c index cd1e0384d..edfcd2cc7 100644 --- a/lib/ffmpeg/libavfilter/af_silenceremove.c +++ b/lib/ffmpeg/libavfilter/af_silenceremove.c 
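Review bot: The new size check in decode_frame mixes `||` and `&&` without parentheses, `expected_size > c->decomp_len || (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len`, which compilers flag with -Wparentheses and readers must work out; write it as `expected_size > c->decomp_len || ((c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len)`. The asymmetry also deserves a comment: for keyframes the raw frame plus palette is the exact payload, whereas for inter frames the block table is only a lower bound because motion vectors and deltas follow it. `avctx->width * avctx->height * (c->bpp / 8)` is overflow-safe only because the dimensions were validated at init, outside the hunk.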
@@ -122,8 +122,17 @@ static int config_input(AVFilterLink *inlink) s->start_duration = av_rescale(s->start_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->start_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "start duration must be non-negative\n"); + s->start_duration = -s->start_duration; + } + s->stop_duration = av_rescale(s->stop_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->stop_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "stop duration must be non-negative\n"); + s->stop_duration = -s->stop_duration; + } s->start_holdoff = av_malloc_array(FFMAX(s->start_duration, 1), sizeof(*s->start_holdoff) * diff --git a/lib/ffmpeg/libavfilter/vf_aspect.c b/lib/ffmpeg/libavfilter/vf_aspect.c index bf3082485..81a7e263d 100644 --- a/lib/ffmpeg/libavfilter/vf_aspect.c +++ b/lib/ffmpeg/libavfilter/vf_aspect.c @@ -104,7 +104,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *frame) static inline void compute_dar(AVRational *dar, AVRational sar, int w, int h) { if (sar.num && sar.den) { - av_reduce(&dar->num, &dar->den, sar.num * w, sar.den * h, INT_MAX); + av_reduce(&dar->num, &dar->den, sar.num * (int64_t)w, sar.den * (int64_t)h, INT_MAX); } else { av_reduce(&dar->num, &dar->den, w, h, INT_MAX); } diff --git a/lib/ffmpeg/libavfilter/vf_find_rect.c b/lib/ffmpeg/libavfilter/vf_find_rect.c index cb79f4a4c..236a0428b 100644 --- a/lib/ffmpeg/libavfilter/vf_find_rect.c +++ b/lib/ffmpeg/libavfilter/vf_find_rect.c @@ -22,7 +22,6 @@ * @todo switch to dualinput */ -#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/opt.h" #include "internal.h" 
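Review bot: In config_input the warnings say "start duration must be non-negative" but the code then silently uses the negated value, so the user is told the input is invalid without being told what was substituted. Either make the message describe the action, `"start duration was negative, using its absolute value\n"` (and likewise for stop), or reject the option with AVERROR(EINVAL) if negative values are not meant to be accepted. The open question is why negative values survive option parsing at all; if the AVOption range allows them, tightening its minimum is the cleaner fix. config_input continues outside the hunk.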
@@ -159,7 +158,7 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax, if (pass + 1 <= maxpass) { int sub_x, sub_y; - search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 1.0); + search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 2.0); xmin = FFMAX(xmin, 2*sub_x - 4); xmax = FFMIN(xmax, 2*sub_x + 4); ymin = FFMAX(ymin, 2*sub_y - 4); @@ -169,7 +168,6 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax, for (y = ymin; y <= ymax; y++) { for (x = xmin; x <= xmax; x++) { float score = compare(foc->haystack_frame[pass], foc->needle_frame[pass], x, y); - av_assert0(score != 0); if (score < best_score) { best_score = score; *best_x = x; @@ -198,7 +196,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) FFMIN(foc->xmax, foc->last_x + 8), FFMAX(foc->ymin, foc->last_y - 8), FFMIN(foc->ymax, foc->last_y + 8), - &best_x, &best_y, 1.0); + &best_x, &best_y, 2.0); best_score = search(foc, 0, foc->mipmaps - 1, foc->xmin, foc->xmax, foc->ymin, foc->ymax, &best_x, &best_y, best_score); diff --git a/lib/ffmpeg/libavfilter/vf_geq.c b/lib/ffmpeg/libavfilter/vf_geq.c index 40e71e05d..d647e8eb8 100644 --- a/lib/ffmpeg/libavfilter/vf_geq.c +++ b/lib/ffmpeg/libavfilter/vf_geq.c @@ -81,8 +81,8 @@ static inline double getpix(void *priv, double x, double y, int plane) if (!src) return 0; - xi = x = av_clipf(x, 0, w - 2); - yi = y = av_clipf(y, 0, h - 2); + xi = x = av_clipd(x, 0, w - 2); + yi = y = av_clipd(y, 0, h - 2); x -= xi; y -= yi; diff --git a/lib/ffmpeg/libavfilter/vf_scale.c b/lib/ffmpeg/libavfilter/vf_scale.c index 8780be4ba..1c07c89d0 100644 --- a/lib/ffmpeg/libavfilter/vf_scale.c +++ b/lib/ffmpeg/libavfilter/vf_scale.c 
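Review bot: `av_clipd(x, 0, w - 2)` in getpix still has `amin > amax` when a plane is narrower (or shorter) than two pixels, a precondition av_clipd does not define (some builds assert on it) and which otherwise yields an out-of-range index for the bilinear read that follows; switching from av_clipf only fixes the float precision loss. Guard the degenerate case before clamping, e.g. `if (w < 2 || h < 2) return 0;` next to the existing `if (!src) return 0;`. getpix starts and ends outside the hunk.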
@@ -466,8 +466,8 @@ static int scale_slice(AVFilterLink *link, AVFrame *out_buf, AVFrame *cur_pic, s int vsub= ((i+1)&2) ? scale->vsub : 0; in_stride[i] = cur_pic->linesize[i] * mul; out_stride[i] = out_buf->linesize[i] * mul; - in[i] = cur_pic->data[i] + ((y>>vsub)+field) * cur_pic->linesize[i]; - out[i] = out_buf->data[i] + field * out_buf->linesize[i]; + in[i] = FF_PTR_ADD(cur_pic->data[i], ((y>>vsub)+field) * cur_pic->linesize[i]); + out[i] = FF_PTR_ADD(out_buf->data[i], field * out_buf->linesize[i]); } if(scale->input_is_pal) in[1] = cur_pic->data[1]; diff --git a/lib/ffmpeg/libavfilter/vf_yadif.c b/lib/ffmpeg/libavfilter/vf_yadif.c index b32f38b57..db99914a4 100644 --- a/lib/ffmpeg/libavfilter/vf_yadif.c +++ b/lib/ffmpeg/libavfilter/vf_yadif.c @@ -120,20 +120,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, int x; uint8_t *prev2 = parity ? prev : cur ; uint8_t *next2 = parity ? cur : next; + int offset = FFMAX(w - (MAX_ALIGN-1), 3); /* Only edge pixels need to be processed here. A constant value of false * for is_not_edge should let the compiler ignore the whole branch. */ - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint8_t*)dst1 + w - (MAX_ALIGN-1); - prev = (uint8_t*)prev1 + w - (MAX_ALIGN-1); - cur = (uint8_t*)cur1 + w - (MAX_ALIGN-1); - next = (uint8_t*)next1 + w - (MAX_ALIGN-1); + dst = (uint8_t*)dst1 + offset; + prev = (uint8_t*)prev1 + offset; + cur = (uint8_t*)cur1 + offset; + next = (uint8_t*)next1 + offset; prev2 = (uint8_t*)(parity ? prev : cur); next2 = (uint8_t*)(parity ? cur : next); - FILTER(w - (MAX_ALIGN-1), w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } 
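Review bot: The new `offset` in filter_edges carries the whole small-width fix but is undocumented; a reader has to reconstruct that it is the first column the main loop did not cover, clamped to 3 so the non-edge kernel (which presumably reads up to three neighbouring columns) never starts inside the left edge or at a negative column when w is smaller than MAX_ALIGN. Suggest `/* first column left to this function; clamped to 3 so the is_not_edge kernel never starts before column 3 and w < MAX_ALIGN does not go negative */` above the declaration, and the same note in filter_edges_16bit. The `FFMAX(offset, w - 3)` before the last FILTER is what guarantees no column is filtered twice and also deserves a word. filter_edges begins outside the hunk.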
@@ -165,20 +167,22 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1, int x; uint16_t *prev2 = parity ? prev : cur ; uint16_t *next2 = parity ? cur : next; + int offset = FFMAX(w - (MAX_ALIGN/2-1), 3); mrefs /= 2; prefs /= 2; - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint16_t*)dst1 + w - (MAX_ALIGN/2-1); - prev = (uint16_t*)prev1 + w - (MAX_ALIGN/2-1); - cur = (uint16_t*)cur1 + w - (MAX_ALIGN/2-1); - next = (uint16_t*)next1 + w - (MAX_ALIGN/2-1); + dst = (uint16_t*)dst1 + offset; + prev = (uint16_t*)prev1 + offset; + cur = (uint16_t*)cur1 + offset; + next = (uint16_t*)next1 + offset; prev2 = (uint16_t*)(parity ? prev : cur); next2 = (uint16_t*)(parity ? cur : next); - FILTER(w - (MAX_ALIGN/2-1), w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) diff --git a/lib/ffmpeg/libavformat/4xm.c b/lib/ffmpeg/libavformat/4xm.c index 260e08096..bee5066f5 100644 --- a/lib/ffmpeg/libavformat/4xm.c +++ b/lib/ffmpeg/libavformat/4xm.c @@ -58,8 +58,10 @@ #define GET_LIST_HEADER() \ fourcc_tag = avio_rl32(pb); \ size = avio_rl32(pb); \ - if (fourcc_tag != LIST_TAG) \ - return AVERROR_INVALIDDATA; \ + if (fourcc_tag != LIST_TAG) { \ + ret = AVERROR_INVALIDDATA; \ + goto fail; \ + } \ fourcc_tag = avio_rl32(pb); typedef struct AudioTrack { @@ -201,12 +203,13 @@ static int fourxm_read_header(AVFormatContext *s) unsigned int size; int header_size; FourxmDemuxContext *fourxm = s->priv_data; - unsigned char *header; + unsigned char *header = NULL; int i, ret; fourxm->track_count = 0; fourxm->tracks = NULL; fourxm->fps = (AVRational){1,1}; + fourxm->video_stream_index = -1; /* skip the first 3 32-bit numbers */ avio_skip(pb, 12); 
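Review bot: GET_LIST_HEADER now expands to `ret = AVERROR_INVALIDDATA; goto fail;`, so every function that uses it must declare `int ret` and provide a `fail:` label that frees `header`; that contract is invisible at the use sites and the macro carries no comment. Add one above it: `/* requires a local ret variable and a fail: label in the caller; reads a LIST header and jumps to fail on mismatch */`. Initialising `header = NULL` in fourxm_read_header is what makes the shared fail path safe to free from any point, which merits a short why-comment as well. fourxm_read_header continues outside the hunk.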
@@ -286,7 +289,7 @@ static int fourxm_read_packet(AVFormatContext *s, unsigned int track_number; int packet_read = 0; unsigned char header[8]; - int audio_frame_count; + int64_t audio_frame_count; while (!packet_read) { if ((ret = avio_read(s->pb, header, 8)) < 0) @@ -312,6 +315,8 @@ static int fourxm_read_packet(AVFormatContext *s, case cfr2_TAG: /* allocate 8 more bytes than 'size' to account for fourcc * and size */ + if (fourxm->video_stream_index < 0) + return AVERROR_INVALIDDATA; if (size + 8 < size || av_new_packet(pkt, size + 8)) return AVERROR(EIO); pkt->stream_index = fourxm->video_stream_index; diff --git a/lib/ffmpeg/libavformat/Makefile b/lib/ffmpeg/libavformat/Makefile index 466da516a..f598e9caf 100644 --- a/lib/ffmpeg/libavformat/Makefile +++ b/lib/ffmpeg/libavformat/Makefile @@ -547,11 +547,11 @@ SLIBOBJS-$(HAVE_GNU_WINDRES) += avformatres.o SKIPHEADERS-$(CONFIG_FFRTMPCRYPT_PROTOCOL) += rtmpdh.h SKIPHEADERS-$(CONFIG_NETWORK) += network.h rtsp.h -TESTPROGS = async \ - seek \ +TESTPROGS = seek \ srtp \ url \ +TESTPROGS-$(CONFIG_ASYNC_PROTOCOL) += async TESTPROGS-$(CONFIG_NETWORK) += noproxy TESTPROGS-$(CONFIG_FFRTMPCRYPT_PROTOCOL) += rtmpdh diff --git a/lib/ffmpeg/libavformat/aadec.c b/lib/ffmpeg/libavformat/aadec.c index ba700d516..654fabbf3 100644 --- a/lib/ffmpeg/libavformat/aadec.c +++ b/lib/ffmpeg/libavformat/aadec.c @@ -78,13 +78,14 @@ static int aa_read_header(AVFormatContext *s) AADemuxContext *c = s->priv_data; AVIOContext *pb = s->pb; AVStream *st; + int ret; /* parse .aa header */ avio_skip(pb, 4); // file size avio_skip(pb, 4); // magic string toc_size = avio_rb32(pb); // TOC size avio_skip(pb, 4); // unidentified integer - if (toc_size > MAX_TOC_ENTRIES) + if (toc_size > MAX_TOC_ENTRIES || toc_size < 2) return AVERROR_INVALIDDATA; for (i = 0; i < toc_size; i++) { // read TOC avio_skip(pb, 4); // TOC entry index 
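Review bot: The new lower bound `toc_size < 2` in aa_read_header is a magic number; nothing in the hunk says which TOC entries the rest of the demuxer dereferences, so a reader cannot tell whether 2 is the minimum the later code needs or just a sanity floor. Add the reason inline, e.g. `if (toc_size > MAX_TOC_ENTRIES || toc_size < 2) /* entries [0] and [1] are used unconditionally below */` — adjusted to whatever the code after the hunk actually indexes. The declared `ret` is unused within this hunk and is picked up only by the sscanf check further down. aa_read_header continues outside the hunk.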
@@ -121,7 +122,10 @@ static int aa_read_header(AVFormatContext *s) } if (!strcmp(key, "HeaderKey")) { // this looks like "1234567890 1234567890 1234567890 1234567890" av_log(s, AV_LOG_DEBUG, "HeaderKey is <%s>\n", val); - sscanf(val, "%u%u%u%u", &header_key_part[0], &header_key_part[1], &header_key_part[2], &header_key_part[3]); + ret = sscanf(val, "%u%u%u%u", &header_key_part[0], &header_key_part[1], &header_key_part[2], &header_key_part[3]); + if (ret != 4) + return AVERROR_INVALIDDATA; + for (idx = 0; idx < 4; idx++) { AV_WB32(&header_key[idx * 4], header_key_part[idx]); // convert each part to BE! } diff --git a/lib/ffmpeg/libavformat/adtsenc.c b/lib/ffmpeg/libavformat/adtsenc.c index 7448ec794..42901e234 100644 --- a/lib/ffmpeg/libavformat/adtsenc.c +++ b/lib/ffmpeg/libavformat/adtsenc.c @@ -50,9 +50,11 @@ static int adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, const ui GetBitContext gb; PutBitContext pb; MPEG4AudioConfig m4ac; - int off; + int off, ret; - init_get_bits(&gb, buf, size * 8); + ret = init_get_bits8(&gb, buf, size); + if (ret < 0) + return ret; off = avpriv_mpeg4audio_get_config(&m4ac, buf, size * 8, 1); if (off < 0) return off; diff --git a/lib/ffmpeg/libavformat/aiffdec.c b/lib/ffmpeg/libavformat/aiffdec.c index f26951dcf..d10c4aa58 100644 --- a/lib/ffmpeg/libavformat/aiffdec.c +++ b/lib/ffmpeg/libavformat/aiffdec.c @@ -102,6 +102,9 @@ static int get_aiff_header(AVFormatContext *s, int size, int sample_rate; unsigned int num_frames; + if (size == INT_MAX) + return AVERROR_INVALIDDATA; + if (size & 1) size++; codec->codec_type = AVMEDIA_TYPE_AUDIO; @@ -277,6 +280,8 @@ static int aiff_read_header(AVFormatContext *s) get_meta(s, "comment" , size); break; case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */ + if (size < 8) + return AVERROR_INVALIDDATA; aiff->data_end = avio_tell(pb) + size; offset = avio_rb32(pb); /* Offset of sound data */ avio_rb32(pb); /* BlockSize... don't care */ 
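Review bot: In adts_decode_extradata the switch to `init_get_bits8` guards the bit reader, but the next line still hands `size * 8` to avpriv_mpeg4audio_get_config; this is safe only if init_get_bits8 rejects sizes whose bit count would overflow, which is assumed from the libavcodec implementation and not visible here. Passing the already validated count, `off = avpriv_mpeg4audio_get_config(&m4ac, buf, get_bits_left(&gb), 1);`, removes the duplicated arithmetic and the dependency. In aa_read_header the `%u%u%u%u` parse is now checked for four conversions, but sscanf still silently accepts out-of-range values; strtoul with range checks would be stricter if the header key must be exactly four 32-bit words. Both functions continue outside the hunk.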
diff --git a/lib/ffmpeg/libavformat/amr.c b/lib/ffmpeg/libavformat/amr.c index 8f44de1b3..e07b71c4e 100644 --- a/lib/ffmpeg/libavformat/amr.c +++ b/lib/ffmpeg/libavformat/amr.c @@ -83,13 +83,15 @@ static int amr_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 6); + if (avio_read(pb, header, 6) != 6) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); if (memcmp(header, AMR_header, 6)) { - avio_read(pb, header + 6, 3); + if (avio_read(pb, header + 6, 3) != 3) + return AVERROR_INVALIDDATA; if (memcmp(header, AMRWB_header, 9)) { return -1; } diff --git a/lib/ffmpeg/libavformat/asfdec_f.c b/lib/ffmpeg/libavformat/asfdec_f.c index 8f5f691a7..df6a2b968 100644 --- a/lib/ffmpeg/libavformat/asfdec_f.c +++ b/lib/ffmpeg/libavformat/asfdec_f.c @@ -319,8 +319,7 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int int64_t off = avio_tell(s->pb); #define LEN 22 - if ((unsigned)len >= (UINT_MAX - LEN) / 2) - return; + av_assert0((unsigned)len < (INT_MAX - LEN) / 2); if (!asf->export_xmp && !strncmp(key, "xmp", 3)) goto finish; @@ -423,7 +422,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) if (!(asf->hdr.flags & 0x01)) { // if we aren't streaming... int64_t fsize = avio_size(pb); if (fsize <= 0 || (int64_t)asf->hdr.file_size <= 0 || - 20*FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)) + FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)/20) st->duration = asf->hdr.play_time / (10000000 / 1000) - start_time; } @@ -606,6 +605,8 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size) ff_get_guid(pb, &g); size = avio_rl16(pb); ext_len = avio_rl32(pb); + if (ext_len < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, ext_len); if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) { ASFPayload *p = &asf->streams[stream_num].payload[i]; 
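Review bot: Replacing the early `return` in get_tag with `av_assert0((unsigned)len < (INT_MAX - LEN) / 2)` turns an oversized length from the file into a process abort unless every caller validates first; the asf_read_header call sites get a `len > UINT16_MAX` check in this patch, but get_tag's other callers (content and extended content description, outside this chunk) must be audited too, since an assert on attacker-controlled data is a denial of service rather than a defense. Either keep the assert and state the precondition above get_tag, `/* caller must have bounded len; a large value here is a bug, not bad input */`, or keep the early return and log it. Also, in amr_read_header the bare `return -1;` on a bad AMR-WB magic should be `return AVERROR_INVALIDDATA;` for consistency with the two new checks.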
@@ -710,6 +711,9 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) value_type = avio_rl16(pb); /* value_type */ value_len = avio_rl32(pb); + if (value_len < 0 || value_len > UINT16_MAX) + return AVERROR_INVALIDDATA; + name_len_utf8 = 2*name_len_utf16 + 1; name = av_malloc(name_len_utf8); if (!name) @@ -765,6 +769,8 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) avio_rl32(pb); // send time avio_rl32(pb); // flags name_len = avio_rl32(pb); // name length + if ((unsigned)name_len > INT_MAX / 2) + return AVERROR_INVALIDDATA; if ((ret = avio_get_str16le(pb, name_len * 2, name, sizeof(name))) < name_len) avio_skip(pb, name_len - ret); @@ -855,11 +861,20 @@ static int asf_read_header(AVFormatContext *s) return ret; av_hex_dump_log(s, AV_LOG_DEBUG, pkt.data, pkt.size); av_free_packet(&pkt); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_Protection_Type", -1, len, 32); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_Key_ID", -1, len, 32); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_License_URL", -1, len, 32); } else if (!ff_guidcmp(&g, &ff_asf_ext_content_encryption)) { av_log(s, AV_LOG_WARNING, diff --git a/lib/ffmpeg/libavformat/asfdec_o.c b/lib/ffmpeg/libavformat/asfdec_o.c index d8c4869cc..4755fef5a 100644 --- a/lib/ffmpeg/libavformat/asfdec_o.c +++ b/lib/ffmpeg/libavformat/asfdec_o.c @@ -246,6 +246,9 @@ static int asf_read_marker(AVFormatContext *s, const GUIDParseTable *g) avio_skip(pb, 4); // flags len = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if ((ret = avio_get_str16le(pb, len, name, sizeof(name))) < len) avio_skip(pb, len - ret); 
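Review bot: The three repeats of `len= avio_rl32(pb); if (len > UINT16_MAX) return AVERROR_INVALIDDATA;` in asf_read_header carry no hint of why 64 KiB is the ceiling (get_tag's buffer arithmetic, a format limit, or plain sanity); one comment on the first would do, `/* DRM tags are short strings; bound len before get_tag asserts on it */`, or fold the read-and-check into a small static helper. If `len` is declared signed on this path, a negative value passes `> UINT16_MAX` and reaches get_tag as a huge unsigned; the declaration is outside the hunk, so please confirm it is `unsigned`. asf_read_header continues outside the hunk.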
@@ -1672,6 +1675,9 @@ static int detect_unknown_subobject(AVFormatContext *s, int64_t offset, int64_t ff_asf_guid guid; int ret; + if (offset > INT64_MAX - size) + return AVERROR_INVALIDDATA; + while (avio_tell(pb) <= offset + size) { if (avio_tell(pb) == asf->offset) break; diff --git a/lib/ffmpeg/libavformat/avidec.c b/lib/ffmpeg/libavformat/avidec.c index 223ddd053..a74d90892 100644 --- a/lib/ffmpeg/libavformat/avidec.c +++ b/lib/ffmpeg/libavformat/avidec.c @@ -130,7 +130,7 @@ static inline int get_duration(AVIStream *ast, int len) if (ast->sample_size) return len; else if (ast->dshow_block_align) - return (len + ast->dshow_block_align - 1) / ast->dshow_block_align; + return (len + (int64_t)ast->dshow_block_align - 1) / ast->dshow_block_align; else return 1; } @@ -240,7 +240,7 @@ static int read_braindead_odml_indx(AVFormatContext *s, int frame_num) avio_rl32(pb); /* size */ duration = avio_rl32(pb); - if (avio_feof(pb)) + if (avio_feof(pb) || offset > INT64_MAX - 8) return AVERROR_INVALIDDATA; pos = avio_tell(pb); @@ -442,7 +442,7 @@ static int calculate_bitrate(AVFormatContext *s) maxpos = FFMAX(maxpos, st->index_entries[j-1].pos); lensum += len; } - if (maxpos < avi->io_fsize*9/10) // index does not cover the whole file + if (maxpos < av_rescale(avi->io_fsize, 9, 10)) // index does not cover the whole file return 0; if (lensum*9/10 > maxpos || lensum < maxpos*9/10) // frame sum and filesize mismatch return 0; @@ -665,7 +665,7 @@ static int avi_read_header(AVFormatContext *s) st->start_time = 0; avio_rl32(pb); /* buffer size */ avio_rl32(pb); /* quality */ - if (ast->cum_len*ast->scale/ast->rate > 3600) { + if (ast->cum_len > 3600LL * ast->rate / ast->scale) { av_log(s, AV_LOG_ERROR, "crazy start time, iam scared, giving up\n"); ast->cum_len = 0; } 
@@ -1233,7 +1233,7 @@ static int avi_sync(AVFormatContext *s, int exit_early) AVStream *st1 = s->streams[1]; AVIStream *ast1 = st1->priv_data; // workaround for broken small-file-bug402.avi - if ( d[2] == 'w' && d[3] == 'b' + if (ast1 && d[2] == 'w' && d[3] == 'b' && n == 0 && st ->codec->codec_type == AVMEDIA_TYPE_VIDEO && st1->codec->codec_type == AVMEDIA_TYPE_AUDIO @@ -1395,6 +1395,7 @@ static int avi_read_packet(AVFormatContext *s, AVPacket *pkt) if (avi->stream_index >= 0) { AVStream *st = s->streams[avi->stream_index]; AVIStream *ast = st->priv_data; + int dv_demux = CONFIG_DV_DEMUXER && avi->dv_demux; int size, err; if (get_subtitle_pkt(s, st, pkt)) @@ -1417,7 +1418,7 @@ static int avi_read_packet(AVFormatContext *s, AVPacket *pkt) return err; size = err; - if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2) { + if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2 && !dv_demux) { uint8_t *pal; pal = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, @@ -1431,7 +1432,7 @@ static int avi_read_packet(AVFormatContext *s, AVPacket *pkt) } } - if (CONFIG_DV_DEMUXER && avi->dv_demux) { + if (dv_demux) { AVBufferRef *avbuf = pkt->buf; #if FF_API_DESTRUCT_PACKET FF_DISABLE_DEPRECATION_WARNINGS @@ -1521,11 +1522,12 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!avi->non_interleaved && st->nb_index_entries>1 && avi->index_loaded>1) { int64_t dts= av_rescale_q(pkt->dts, st->time_base, AV_TIME_BASE_Q); - if (avi->dts_max - dts > 2*AV_TIME_BASE) { + if (avi->dts_max < dts) { + avi->dts_max = dts; + } else if (avi->dts_max - (uint64_t)dts > 2*AV_TIME_BASE) { avi->non_interleaved= 1; av_log(s, AV_LOG_INFO, "Switching to NI mode, due to poor interleaving\n"); - }else if (avi->dts_max < dts) - avi->dts_max = dts; + } } return 0; 
@@ -1734,7 +1736,10 @@ static int avi_load_index(AVFormatContext *s) size = avio_rl32(pb); if (avio_feof(pb)) break; - next = avio_tell(pb) + size + (size & 1); + next = avio_tell(pb); + if (next < 0 || next > INT64_MAX - size - (size & 1)) + break; + next += size + (size & 1LL); av_log(s, AV_LOG_TRACE, "tag=%c%c%c%c size=0x%x\n", tag & 0xff, diff --git a/lib/ffmpeg/libavformat/avs.c b/lib/ffmpeg/libavformat/avs.c index b699dbf9b..d1811ab1e 100644 --- a/lib/ffmpeg/libavformat/avs.c +++ b/lib/ffmpeg/libavformat/avs.c @@ -123,7 +123,8 @@ avs_read_video_packet(AVFormatContext * s, AVPacket * pkt, static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt) { AvsFormat *avs = s->priv_data; - int ret, size; + int ret; + int64_t size; size = avio_tell(s->pb); ret = ff_voc_get_packet(s, pkt, avs->st_audio, avs->remaining_audio_size); diff --git a/lib/ffmpeg/libavformat/bethsoftvid.c b/lib/ffmpeg/libavformat/bethsoftvid.c index 40a425271..473939963 100644 --- a/lib/ffmpeg/libavformat/bethsoftvid.c +++ b/lib/ffmpeg/libavformat/bethsoftvid.c @@ -28,6 +28,7 @@ */ #include "libavutil/channel_layout.h" +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "avformat.h" #include "internal.h" @@ -71,6 +72,7 @@ static int vid_read_header(AVFormatContext *s) { BVID_DemuxContext *vid = s->priv_data; AVIOContext *pb = s->pb; + int ret; /* load main header. Contents: * bytes: 'V' 'I' 'D' @@ -83,6 +85,10 @@ static int vid_read_header(AVFormatContext *s) vid->bethsoft_global_delay = avio_rl16(pb); avio_rl16(pb); + ret = av_image_check_size(vid->width, vid->height, 0, s); + if (ret < 0) + return ret; + // wait until the first packet to create each stream vid->video_index = -1; vid->audio_index = -1; diff --git a/lib/ffmpeg/libavformat/bfi.c b/lib/ffmpeg/libavformat/bfi.c index cc7f4948c..0ca10bc89 100644 --- a/lib/ffmpeg/libavformat/bfi.c +++ b/lib/ffmpeg/libavformat/bfi.c 
@@ -69,7 +69,12 @@ static int bfi_read_header(AVFormatContext * s) /* Set the total number of frames. */ avio_skip(pb, 8); chunk_header = avio_rl32(pb); + if (chunk_header < 3) + return AVERROR_INVALIDDATA; + bfi->nframes = avio_rl32(pb); + if (bfi->nframes < 0) + return AVERROR_INVALIDDATA; avio_rl32(pb); avio_rl32(pb); avio_rl32(pb); diff --git a/lib/ffmpeg/libavformat/bintext.c b/lib/ffmpeg/libavformat/bintext.c index 217ea4924..58ff33533 100644 --- a/lib/ffmpeg/libavformat/bintext.c +++ b/lib/ffmpeg/libavformat/bintext.c @@ -242,6 +242,8 @@ static int adf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 1 - 192 - 4096; st->codec->width = 80<<3; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codec->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codec, bin->fsize); avio_seek(pb, 1 + 192 + 4096, SEEK_SET); @@ -293,6 +295,8 @@ static int idf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 12 - 4096 - 48; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codec->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codec, bin->fsize); avio_seek(pb, 12, SEEK_SET); diff --git a/lib/ffmpeg/libavformat/cafdec.c b/lib/ffmpeg/libavformat/cafdec.c index bfbbb0262..68cfc68ce 100644 --- a/lib/ffmpeg/libavformat/cafdec.c +++ b/lib/ffmpeg/libavformat/cafdec.c @@ -79,6 +79,9 @@ static int read_desc_chunk(AVFormatContext *s) st->codec->channels = avio_rb32(pb); st->codec->bits_per_coded_sample = avio_rb32(pb); + if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0) + return AVERROR_INVALIDDATA; + /* calculate bit rate for constant size packets */ if (caf->frames_per_packet > 0 && caf->bytes_per_packet > 0) { st->codec->bit_rate = (uint64_t)st->codec->sample_rate * (uint64_t)caf->bytes_per_packet * 8 
@@ -183,6 +186,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) CafContext *caf = s->priv_data; int64_t pos = 0, ccount, num_packets; int i; + int ret; ccount = avio_tell(pb); @@ -194,11 +198,20 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) st->nb_frames += avio_rb32(pb); /* priming frames */ st->nb_frames += avio_rb32(pb); /* remainder frames */ - st->duration = 0; - for (i = 0; i < num_packets; i++) { - av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); - pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); - st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { + st->duration = caf->frames_per_packet * num_packets; + pos = caf-> bytes_per_packet * num_packets; + } else { + st->duration = 0; + for (i = 0; i < num_packets; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + if (ret < 0) + return ret; + pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); + st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + } } if (avio_tell(pb) - ccount > size) { diff --git a/lib/ffmpeg/libavformat/cdg.c b/lib/ffmpeg/libavformat/cdg.c index baf37d4c6..103ef9984 100644 --- a/lib/ffmpeg/libavformat/cdg.c +++ b/lib/ffmpeg/libavformat/cdg.c @@ -49,7 +49,7 @@ static int read_header(AVFormatContext *s) if (ret < 0) { av_log(s, AV_LOG_WARNING, "Cannot calculate duration as file size cannot be determined\n"); } else - vst->duration = (ret * vst->time_base.den) / (CDG_PACKET_SIZE * 300); + vst->duration = (ret * (int64_t)vst->time_base.den) / (CDG_PACKET_SIZE * 300); return 0; } diff --git a/lib/ffmpeg/libavformat/cdxl.c b/lib/ffmpeg/libavformat/cdxl.c index f198bf50f..807de9e37 100644 --- a/lib/ffmpeg/libavformat/cdxl.c 
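Review bot: The new constant-size fast path in read_pakt_chunk computes `st->duration = caf->frames_per_packet * num_packets` and `pos = caf-> bytes_per_packet * num_packets` without an overflow guard; num_packets is read from the file above the hunk (presumably a 64-bit field), so a large count makes these int64_t products wrap, whereas the per-packet loop it replaces never multiplied. A bound before the multiply, e.g. `if (num_packets > INT64_MAX / FFMAX(caf->frames_per_packet, caf->bytes_per_packet)) return AVERROR_INVALIDDATA;`, would make the fast path as safe as the slow one (both factors are positive in this branch). The stray space in `caf-> bytes_per_packet` should also be dropped. read_pakt_chunk continues outside the hunk.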
+++ b/lib/ffmpeg/libavformat/cdxl.c @@ -130,7 +130,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); - if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + if (cdxl->header[19] == 0 || + FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) return AVERROR_INVALIDDATA; image_size = FFALIGN(width, 16) * height * cdxl->header[19] / 8; video_size = palette_size + image_size; diff --git a/lib/ffmpeg/libavformat/cinedec.c b/lib/ffmpeg/libavformat/cinedec.c index 1497842cf..b00bb55ab 100644 --- a/lib/ffmpeg/libavformat/cinedec.c +++ b/lib/ffmpeg/libavformat/cinedec.c @@ -284,7 +284,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt) AVIOContext *pb = avctx->pb; int n, size, ret; - if (cine->pts >= st->duration) + if (cine->pts >= st->nb_index_entries) return AVERROR_EOF; avio_seek(pb, st->index_entries[cine->pts].pos, SEEK_SET); diff --git a/lib/ffmpeg/libavformat/concatdec.c b/lib/ffmpeg/libavformat/concatdec.c index 2b403f3fa..96b258963 100644 --- a/lib/ffmpeg/libavformat/concatdec.c +++ b/lib/ffmpeg/libavformat/concatdec.c @@ -109,7 +109,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, ConcatFile *file; char *url = NULL; const char *proto; - size_t url_len, proto_len; + const char *ptr; + size_t url_len; int ret; if (cat->safe > 0 && !safe_filename(filename)) { @@ -118,9 +119,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, } proto = avio_find_protocol_name(filename); - proto_len = proto ? strlen(proto) : 0; - if (!memcmp(filename, proto, proto_len) && - (filename[proto_len] == ':' || filename[proto_len] == ',')) { + if (proto && av_strstart(filename, proto, &ptr) && + (*ptr == ':' || *ptr == ',')) { url = filename; filename = NULL; } else { 
diff --git a/lib/ffmpeg/libavformat/dsicin.c b/lib/ffmpeg/libavformat/dsicin.c index 4b5a934ca..25a1d675c 100644 --- a/lib/ffmpeg/libavformat/dsicin.c +++ b/lib/ffmpeg/libavformat/dsicin.c @@ -166,7 +166,8 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) CinDemuxContext *cin = s->priv_data; AVIOContext *pb = s->pb; CinFrameHeader *hdr = &cin->frame_header; - int rc, palette_type, pkt_size; + int rc, palette_type; + int64_t pkt_size; int ret; if (cin->audio_buffer_size == 0) { @@ -182,7 +183,9 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) } /* palette and video packet */ - pkt_size = (palette_type + 3) * hdr->pal_colors_count + hdr->video_frame_size; + pkt_size = (palette_type + 3LL) * hdr->pal_colors_count + hdr->video_frame_size; + if (pkt_size + 4 > INT_MAX) + return AVERROR_INVALIDDATA; pkt_size = ffio_limit(pb, pkt_size); diff --git a/lib/ffmpeg/libavformat/dxa.c b/lib/ffmpeg/libavformat/dxa.c index 228e6fdca..c43bfdee5 100644 --- a/lib/ffmpeg/libavformat/dxa.c +++ b/lib/ffmpeg/libavformat/dxa.c @@ -79,7 +79,7 @@ static int dxa_read_header(AVFormatContext *s) if(fps > 0){ den = 1000; num = fps; - }else if (fps < 0){ + }else if (fps < 0 && fps > INT_MIN){ den = 100000; num = -fps; }else{ @@ -143,7 +143,7 @@ static int dxa_read_header(AVFormatContext *s) c->readvid = !c->has_sound; c->vidpos = avio_tell(pb); s->start_time = 0; - s->duration = (int64_t)c->frames * AV_TIME_BASE * num / den; + s->duration = av_rescale(c->frames, AV_TIME_BASE * (int64_t)num, den); av_log(s, AV_LOG_DEBUG, "%d frame(s)\n",c->frames); return 0; diff --git a/lib/ffmpeg/libavformat/electronicarts.c b/lib/ffmpeg/libavformat/electronicarts.c index 5d21d49c4..7bcbebe1a 100644 --- a/lib/ffmpeg/libavformat/electronicarts.c +++ b/lib/ffmpeg/libavformat/electronicarts.c 
@@ -525,20 +525,17 @@ static int ea_read_header(AVFormatContext *s) if (ea->num_channels <= 0 || ea->num_channels > 2) { av_log(s, AV_LOG_WARNING, "Unsupported number of channels: %d\n", ea->num_channels); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->sample_rate <= 0) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate: %d\n", ea->sample_rate); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->bytes <= 0) { av_log(s, AV_LOG_ERROR, "Invalid number of bytes per sample: %d\n", ea->bytes); - ea->audio_codec = AV_CODEC_ID_NONE; - return 1; + goto no_audio; } /* initialize the audio decoder stream */ @@ -559,8 +556,13 @@ static int ea_read_header(AVFormatContext *s) st->codec->bits_per_coded_sample; ea->audio_stream_index = st->index; st->start_time = 0; + return 1; } +no_audio: + ea->audio_codec = AV_CODEC_ID_NONE; + if (!ea->video.codec) + return AVERROR_INVALIDDATA; return 1; } @@ -695,6 +697,7 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) ret = av_get_packet(pb, pkt, chunk_size); if (ret < 0) { packet_read = 1; + partial_packet = 0; break; } partial_packet = chunk_type == MVIh_TAG; diff --git a/lib/ffmpeg/libavformat/flvdec.c b/lib/ffmpeg/libavformat/flvdec.c index 36a179722..0a5c0e2d0 100644 --- a/lib/ffmpeg/libavformat/flvdec.c +++ b/lib/ffmpeg/libavformat/flvdec.c @@ -39,6 +39,8 @@ #define VALIDATE_INDEX_TS_THRESH 2500 +#define MAX_DEPTH 16 ///< arbitrary limit to prevent unbounded recursion + typedef struct FLVContext { const AVClass *class; ///< Class for private options. int trust_metadata; ///< configure streams according onMetaData 
@@ -285,13 +287,18 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize) { + int ret; int length = avio_rb16(ioc); if (length >= buffsize) { avio_skip(ioc, length); return -1; } - avio_read(ioc, buffer, length); + ret = avio_read(ioc, buffer, length); + if (ret < 0) + return ret; + if (ret < length) + return AVERROR_INVALIDDATA; buffer[length] = '\0'; @@ -348,9 +355,13 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, } for (i = 0; i < arraylen && avio_tell(ioc) < max_pos - 1; i++) { + double d; if (avio_r8(ioc) != AMF_DATA_TYPE_NUMBER) goto invalid; - current_array[0][i] = av_int2double(avio_rb64(ioc)); + d = av_int2double(avio_rb64(ioc)); + if (isnan(d) || d < INT64_MIN || d > INT64_MAX) + goto invalid; + current_array[0][i] = d; } if (times && filepositions) { // All done, exiting at a position allowing amf_parse_object @@ -393,8 +404,13 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, char str_val[1024]; double num_val; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + num_val = 0; ioc = s->pb; + if (avio_feof(ioc)) + return AVERROR_EOF; amf_type = avio_r8(ioc); switch (amf_type) { @@ -678,10 +694,16 @@ static void clear_index_entries(AVFormatContext *s, int64_t pos) } } -static int amf_skip_tag(AVIOContext *pb, AMFDataType type) +static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) { int nb = -1, ret, parse_name = 1; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + + if (avio_feof(pb)) + return AVERROR_EOF; + switch (type) { case AMF_DATA_TYPE_NUMBER: avio_skip(pb, 8); @@ -696,6 +718,8 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type) parse_name = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = avio_rb32(pb); + if (nb < 0) + return AVERROR_INVALIDDATA; case AMF_DATA_TYPE_OBJECT: while(!pb->eof_reached && (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY)) { if (parse_name) { 
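Review bot: The new range check in parse_keyframes_index, `d < INT64_MIN || d > INT64_MAX`, is evaluated in double, where INT64_MAX rounds up to 2^63, so a value of exactly 2^63 passes the check and the following `current_array[0][i] = d` converts it out of range, which is undefined behaviour in C (typically yielding INT64_MIN). Using `d >= (double)INT64_MAX` for the upper bound rejects 2^63 while still admitting every double below it, all of which fit; the lower bound is fine because INT64_MIN converts exactly. The element type of current_array is declared outside the hunk, so this assumes it is an int64_t array, which the check itself implies.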
@@ -706,7 +730,7 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type) } avio_skip(pb, size); } - if ((ret = amf_skip_tag(pb, avio_r8(pb))) < 0) + if ((ret = amf_skip_tag(pb, avio_r8(pb), depth + 1)) < 0) return ret; } break; @@ -750,7 +774,7 @@ static int flv_data_packet(AVFormatContext *s, AVPacket *pkt, else break; } else { - if ((ret = amf_skip_tag(pb, type)) < 0) + if ((ret = amf_skip_tag(pb, type, 0)) < 0) goto skip; } } diff --git a/lib/ffmpeg/libavformat/flvenc.c b/lib/ffmpeg/libavformat/flvenc.c index e217ba8a8..9e732fcf9 100644 --- a/lib/ffmpeg/libavformat/flvenc.c +++ b/lib/ffmpeg/libavformat/flvenc.c @@ -514,6 +514,11 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt) uint8_t *data = NULL; int flags = -1, flags_size, ret; + if (enc->codec_type == AVMEDIA_TYPE_AUDIO && !pkt->size) { + av_log(s, AV_LOG_WARNING, "Empty audio Packet\n"); + return AVERROR(EINVAL); + } + if (enc->codec_id == AV_CODEC_ID_VP6F || enc->codec_id == AV_CODEC_ID_VP6A || enc->codec_id == AV_CODEC_ID_VP6 || enc->codec_id == AV_CODEC_ID_AAC) flags_size = 2; diff --git a/lib/ffmpeg/libavformat/ftp.c b/lib/ffmpeg/libavformat/ftp.c index dcb588dac..55c274352 100644 --- a/lib/ffmpeg/libavformat/ftp.c +++ b/lib/ffmpeg/libavformat/ftp.c @@ -386,7 +386,7 @@ static int ftp_file_size(FTPContext *s) static const int size_codes[] = {213, 0}; snprintf(command, sizeof(command), "SIZE %s\r\n", s->path); - if (ftp_send_command(s, command, size_codes, &res) == 213 && res) { + if (ftp_send_command(s, command, size_codes, &res) == 213 && res && strlen(res) > 4) { s->filesize = strtoll(&res[4], NULL, 10); } else { s->filesize = -1; @@ -941,6 +941,8 @@ static int ftp_parse_entry_mlsd(char *mlsd, AVIODirEntry *next) continue; } fact = av_strtok(fact, "=", &value); + if (!fact) + continue; if (!av_strcasecmp(fact, "type")) { if (!av_strcasecmp(value, "cdir") || !av_strcasecmp(value, "pdir")) return 1; 
diff --git a/lib/ffmpeg/libavformat/gxf.c b/lib/ffmpeg/libavformat/gxf.c index d9b629d7d..60aee01f9 100644 --- a/lib/ffmpeg/libavformat/gxf.c +++ b/lib/ffmpeg/libavformat/gxf.c @@ -285,9 +285,12 @@ static void gxf_track_tags(AVIOContext *pb, int *len, struct gxf_stream_info *si static void gxf_read_index(AVFormatContext *s, int pkt_len) { AVIOContext *pb = s->pb; AVStream *st; - uint32_t fields_per_map = avio_rl32(pb); - uint32_t map_cnt = avio_rl32(pb); + uint32_t fields_per_map, map_cnt; int i; + if (pkt_len < 8) + return; + fields_per_map = avio_rl32(pb); + map_cnt = avio_rl32(pb); pkt_len -= 8; if ((s->flags & AVFMT_FLAG_IGNIDX) || !s->streams) { avio_skip(pb, pkt_len); diff --git a/lib/ffmpeg/libavformat/hevc.c b/lib/ffmpeg/libavformat/hevc.c index 7c294ef8a..4c7ffc331 100644 --- a/lib/ffmpeg/libavformat/hevc.c +++ b/lib/ffmpeg/libavformat/hevc.c @@ -668,6 +668,8 @@ static uint8_t *nal_unit_extract_rbsp(const uint8_t *src, uint32_t src_len, while (i < src_len) dst[len++] = src[i++]; + memset(dst + len, 0, AV_INPUT_BUFFER_PADDING_SIZE); + *dst_len = len; return dst; } diff --git a/lib/ffmpeg/libavformat/hls.c b/lib/ffmpeg/libavformat/hls.c index bccaf67fa..803331eab 100644 --- a/lib/ffmpeg/libavformat/hls.c +++ b/lib/ffmpeg/libavformat/hls.c @@ -806,8 +806,6 @@ static int parse_playlist(HLSContext *c, const char *url, ret = AVERROR(ENOMEM); goto fail; } - seg->duration = duration; - seg->key_type = key_type; if (has_iv) { memcpy(seg->iv, iv, sizeof(iv)); } else { @@ -837,6 +835,11 @@ static int parse_playlist(HLSContext *c, const char *url, goto fail; } + if (duration < 0.001 * AV_TIME_BASE) { + duration = 0.001 * AV_TIME_BASE; + } + seg->duration = duration; + seg->key_type = key_type; dynarray_add(&pls->segments, &pls->n_segments, seg); is_segment = 0; 
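Review bot: The added `memset(dst + len, 0, AV_INPUT_BUFFER_PADDING_SIZE)` in nal_unit_extract_rbsp writes past the extracted payload and is only in bounds if dst was allocated with that padding on top of src_len; the allocation is above the hunk and not visible here, so please confirm it reserves `src_len + AV_INPUT_BUFFER_PADDING_SIZE` bytes. A comment at the memset, `/* dst carries AV_INPUT_BUFFER_PADDING_SIZE extra bytes; zero them so readers may over-read safely */`, would tie the two sites together for the next reader. nal_unit_extract_rbsp begins outside the hunk.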
@@ -1603,6 +1606,7 @@ static int hls_read_header(AVFormatContext *s) for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; AVInputFormat *in_fmt = NULL; + char *url; if (!(pls->ctx = avformat_alloc_context())) { ret = AVERROR(ENOMEM); @@ -1627,8 +1631,9 @@ static int hls_read_header(AVFormatContext *s) ffio_init_context(&pls->pb, pls->read_buffer, INITIAL_BUFFER_SIZE, 0, pls, read_data, NULL, NULL); pls->pb.seekable = 0; - ret = av_probe_input_buffer(&pls->pb, &in_fmt, pls->segments[0]->url, - NULL, 0, 0); + url = av_strdup(pls->segments[0]->url); + ret = av_probe_input_buffer(&pls->pb, &in_fmt, url, NULL, 0, 0); + av_free(url); if (ret < 0) { /* Free the ctx - it isn't initialized properly at this point, * so avformat_close_input shouldn't be called. If diff --git a/lib/ffmpeg/libavformat/http.c b/lib/ffmpeg/libavformat/http.c index 7686c9274..769da5d17 100644 --- a/lib/ffmpeg/libavformat/http.c +++ b/lib/ffmpeg/libavformat/http.c @@ -513,7 +513,11 @@ static int http_accept(URLContext *s, URLContext **c) goto fail; cc->hd = cl; cc->is_multi_client = 1; + return 0; fail: + if (c) { + ffurl_closep(c); + } return ret; } @@ -740,7 +744,7 @@ static int process_line(URLContext *h, char *line, int line_count, while (av_isspace(*p)) p++; resource = p; - while (!av_isspace(*p)) + while (*p && !av_isspace(*p)) p++; *(p++) = '\0'; av_log(h, AV_LOG_TRACE, "Requested resource: %s\n", resource); diff --git a/lib/ffmpeg/libavformat/icodec.c b/lib/ffmpeg/libavformat/icodec.c index 040e454c5..9320862b9 100644 --- a/lib/ffmpeg/libavformat/icodec.c +++ b/lib/ffmpeg/libavformat/icodec.c @@ -58,6 +58,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); ico->nb_images = avio_rl16(pb); + if (!ico->nb_images) + return AVERROR_INVALIDDATA; + ico->images = av_malloc_array(ico->nb_images, sizeof(IcoImage)); if (!ico->images) return AVERROR(ENOMEM); 
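Review bot: `url = av_strdup(pls->segments[0]->url)` in hls_read_header is not checked, so on allocation failure av_probe_input_buffer is called with a NULL filename; whether that is tolerated is not visible here. A guard such as `if (!url) { ret = AVERROR(ENOMEM); goto fail; }` (the label is the one the loop already uses a few lines up) keeps the failure explicit, provided that path is appropriate at this point, which the partially visible cleanup after the probe call should confirm. A short comment on why the copy is needed at all would also help, since the hunk does not say what the probe does with the pointer.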
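Review bot: In process_line the new bound `while (*p && !av_isspace(*p))` stops the scan at the terminator, but the unconditional `*(p++) = '\0';` that follows still steps p one past it when the request line ends right after the resource; the code after the hunk (not visible here) continues parsing from p and would then read beyond the string. Making the write conditional, `if (*p) *(p++) = '\0';`, keeps p on the terminator in that case while behaving as before otherwise. process_line continues outside the hunk.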
@@ -67,7 +70,7 @@ static int read_header(AVFormatContext *s) int tmp; if (avio_seek(pb, 6 + i * 16, SEEK_SET) < 0) - break; + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) @@ -90,7 +93,7 @@ static int read_header(AVFormatContext *s) ico->images[i].offset = avio_rl32(pb); if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0) - break; + return AVERROR_INVALIDDATA; codec = avio_rl32(pb); switch (codec) { @@ -124,12 +127,14 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) IcoDemuxContext *ico = s->priv_data; IcoImage *image; AVIOContext *pb = s->pb; - AVStream *st = s->streams[0]; + AVStream *st; int ret; if (ico->current_image >= ico->nb_images) return AVERROR(EIO); + st = s->streams[0]; + image = &ico->images[ico->current_image]; if ((ret = avio_seek(pb, image->offset, SEEK_SET)) < 0) diff --git a/lib/ffmpeg/libavformat/id3v2.c b/lib/ffmpeg/libavformat/id3v2.c index addf937af..2a0d89214 100644 --- a/lib/ffmpeg/libavformat/id3v2.c +++ b/lib/ffmpeg/libavformat/id3v2.c @@ -547,7 +547,7 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, int isv34) { int enc, pic_type; - char mimetype[64]; + char mimetype[64] = {0}; const CodecMime *mime = ff_id3v2_mime_tags; enum AVCodecID id = AV_CODEC_ID_NONE; ID3v2ExtraMetaAPIC *apic = NULL; @@ -567,9 +567,14 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, /* mimetype */ if (isv34) { - taglen -= avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + int ret = avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + if (ret < 0 || ret >= taglen) + goto fail; + taglen -= ret; } else { - avio_read(pb, mimetype, 3); + if (avio_read(pb, mimetype, 3) < 0) + goto fail; + mimetype[3] = 0; taglen -= 3; } 
@@ -771,7 +776,7 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, int isv34, unsync; unsigned tlen; char tag[5]; - int64_t next, end = avio_tell(pb) + len; + int64_t next, end = avio_tell(pb); int taghdrlen; const char *reason = NULL; AVIOContext pb_local; @@ -782,6 +787,10 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, unsigned char *uncompressed_buffer = NULL; av_unused int uncompressed_buffer_size = 0; + if (end > INT64_MAX - len - 10) + return; + end += len; + av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, flags, len); switch (version) { @@ -945,6 +954,9 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_log(s, AV_LOG_DEBUG, "Compresssed frame %s tlen=%d dlen=%ld\n", tag, tlen, dlen); + if (tlen <= 0) + goto seek; + av_fast_malloc(&uncompressed_buffer, &uncompressed_buffer_size, dlen); if (!uncompressed_buffer) { av_log(s, AV_LOG_ERROR, "Failed to alloc %ld bytes\n", dlen); diff --git a/lib/ffmpeg/libavformat/iff.c b/lib/ffmpeg/libavformat/iff.c index 8ea3b38ac..4f6bc3edd 100644 --- a/lib/ffmpeg/libavformat/iff.c +++ b/lib/ffmpeg/libavformat/iff.c @@ -215,6 +215,9 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t orig_pos = avio_tell(pb); const char * metadata_tag = NULL; + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('D','I','A','R'): metadata_tag = "artist"; break; case MKTAG('D','I','T','I'): metadata_tag = "title"; break; @@ -248,6 +251,9 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('A','B','S','S'): if (size < 8) 
@@ -384,6 +390,9 @@ static int iff_read_header(AVFormatContext *s) data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb); orig_pos = avio_tell(pb); + if (data_size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(chunk_id) { case ID_VHDR: st->codec->codec_type = AVMEDIA_TYPE_AUDIO; diff --git a/lib/ffmpeg/libavformat/isom.h b/lib/ffmpeg/libavformat/isom.h index 61a2b4fec..b1fcf02f6 100644 --- a/lib/ffmpeg/libavformat/isom.h +++ b/lib/ffmpeg/libavformat/isom.h @@ -76,6 +76,7 @@ typedef struct MOVAtom { struct MOVParseTableEntry; typedef struct MOVFragment { + int found_tfhd; unsigned track_id; uint64_t base_data_offset; uint64_t moof_offset; diff --git a/lib/ffmpeg/libavformat/jacosubdec.c b/lib/ffmpeg/libavformat/jacosubdec.c index 63895d7ef..0dd046d21 100644 --- a/lib/ffmpeg/libavformat/jacosubdec.c +++ b/lib/ffmpeg/libavformat/jacosubdec.c @@ -135,22 +135,29 @@ static int get_shift(int timeres, const char *buf) { int sign = 1; int a = 0, b = 0, c = 0, d = 0; + int64_t ret; #define SSEP "%*1[.:]" int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP + if (a == INT_MIN) + return 0; + if (*buf == '-' || a < 0) { sign = -1; a = FFABS(a); } + ret = 0; switch (n) { - case 4: return sign * ((a*3600 + b*60 + c) * timeres + d); - case 3: return sign * (( a*60 + b) * timeres + c); - case 2: return sign * (( a) * timeres + b); + case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); + case 2: ret = sign * (( (int64_t)a) * timeres + b); } + if ((int)ret != ret) + ret = 0; - return 0; + return ret; } static int jacosub_read_header(AVFormatContext *s) diff --git a/lib/ffmpeg/libavformat/lrcdec.c b/lib/ffmpeg/libavformat/lrcdec.c index 33f2cd90e..db7090850 100644 --- a/lib/ffmpeg/libavformat/lrcdec.c +++ b/lib/ffmpeg/libavformat/lrcdec.c 
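Review bot: As shown here, none of the three rewritten `case` labels in get_shift ends with `break`, whereas the lines they replace each returned directly; with that fallthrough an input matching four fields (n == 4) leaves `ret` holding the case-2 value `sign * ((int64_t)a * timeres + b)`, and n == 3 likewise. If the backport really dropped them, each of the three assignments needs a trailing `break;`. The `(int)ret != ret` clamp after the switch is correct once that is fixed.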
@@ -185,6 +185,8 @@ static int lrc_read_header(AVFormatContext *s) sscanf(comma_offset + 1, "%"SCNd64, &lrc->ts_offset) != 1) { av_dict_set(&s->metadata, line.str + 1, comma_offset + 1, 0); } + lrc->ts_offset = av_clip64(lrc->ts_offset, INT64_MIN/4, INT64_MAX/4); + *comma_offset = ':'; *right_bracket_offset = ']'; } @@ -198,6 +200,7 @@ static int lrc_read_header(AVFormatContext *s) while((ts_stroffset_incr = read_ts(line.str + ts_stroffset, &ts_start)) != 0) { + ts_start = av_clip64(ts_start, INT64_MIN/4, INT64_MAX/4); ts_stroffset += ts_stroffset_incr; sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); diff --git a/lib/ffmpeg/libavformat/lvfdec.c b/lib/ffmpeg/libavformat/lvfdec.c index 81aec599b..c5f283b9e 100644 --- a/lib/ffmpeg/libavformat/lvfdec.c +++ b/lib/ffmpeg/libavformat/lvfdec.c @@ -106,6 +106,7 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) unsigned size, flags, timestamp, id; int64_t pos; int ret, is_video = 0; + int stream_index; pos = avio_tell(s->pb); while (!avio_feof(s->pb)) { @@ -121,12 +122,15 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) case MKTAG('0', '1', 'w', 'b'): if (size < 8) return AVERROR_INVALIDDATA; + stream_index = is_video ? 0 : 1; + if (stream_index >= s->nb_streams) + return AVERROR_INVALIDDATA; timestamp = avio_rl32(s->pb); flags = avio_rl32(s->pb); ret = av_get_packet(s->pb, pkt, size - 8); if (flags & (1 << 12)) pkt->flags |= AV_PKT_FLAG_KEY; - pkt->stream_index = is_video ? 0 : 1; + pkt->stream_index = stream_index; pkt->pts = timestamp; pkt->pos = pos; return ret; diff --git a/lib/ffmpeg/libavformat/matroskadec.c b/lib/ffmpeg/libavformat/matroskadec.c index 0ab5caf65..4492e76e8 100644 --- a/lib/ffmpeg/libavformat/matroskadec.c +++ b/lib/ffmpeg/libavformat/matroskadec.c 
@@ -585,7 +585,7 @@ static const EbmlSyntax matroska_segments[] = { }; static const EbmlSyntax matroska_blockmore[] = { - { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id) }, + { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id), { .u = 1 } }, { MATROSKA_ID_BLOCKADDITIONAL, EBML_BIN, 0, offsetof(MatroskaBlock,additional) }, { 0 } }; @@ -1684,6 +1684,15 @@ static int matroska_parse_tracks(AVFormatContext *s) if (!track->codec_id) continue; + if ( track->type == MATROSKA_TRACK_TYPE_AUDIO && track->codec_id[0] != 'A' + || track->type == MATROSKA_TRACK_TYPE_VIDEO && track->codec_id[0] != 'V' + || track->type == MATROSKA_TRACK_TYPE_SUBTITLE && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + || track->type == MATROSKA_TRACK_TYPE_METADATA && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + ) { + av_log(matroska->ctx, AV_LOG_INFO, "Inconsistent track type\n"); + continue; + } + if (track->audio.samplerate < 0 || track->audio.samplerate > INT_MAX || isnan(track->audio.samplerate)) { av_log(matroska->ctx, AV_LOG_WARNING, @@ -2033,8 +2042,9 @@ static int matroska_parse_tracks(AVFormatContext *s) st->need_parsing = AVSTREAM_PARSE_HEADERS; if (track->default_duration) { + int div = track->default_duration <= INT64_MAX ? 1 : 2; av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, - 1000000000, track->default_duration, 30000); + 1000000000 / div, track->default_duration / div, 30000); #if FF_API_R_FRAME_RATE if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000LL && st->avg_frame_rate.num > st->avg_frame_rate.den * 5LL) diff --git a/lib/ffmpeg/libavformat/microdvddec.c b/lib/ffmpeg/libavformat/microdvddec.c index a3839051a..f7d173801 100644 --- a/lib/ffmpeg/libavformat/microdvddec.c +++ b/lib/ffmpeg/libavformat/microdvddec.c 
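Review bot: The new track-type consistency condition in matroska_parse_tracks mixes `&&` and `||` across four lines with no parentheses; it groups as intended because `&&` binds tighter, but compilers warn on it and the subtitle and metadata lines each carry three operands, so a reader has to re-derive the grouping. Wrapping each line in its own parentheses, e.g. `(track->type == MATROSKA_TRACK_TYPE_AUDIO && track->codec_id[0] != 'A')`, keeps the logic and silences the warning. A one-line comment that the first letter of the codec id string is expected to match the track type would also help, since that convention is only implied by the comparisons.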
@@ -65,12 +65,12 @@ static int64_t get_pts(const char *buf) return AV_NOPTS_VALUE; } -static int get_duration(const char *buf) +static int64_t get_duration(const char *buf) { int frame_start, frame_end; if (sscanf(buf, "{%d}{%d}", &frame_start, &frame_end) == 2) - return frame_end - frame_start; + return frame_end - (int64_t)frame_start; return -1; } @@ -94,6 +94,7 @@ static int microdvd_read_header(AVFormatContext *s) int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line_buf, sizeof(line_buf)); char *line = line_buf; + int64_t pts; if (!strncmp(line, bom, 3)) line += 3; @@ -134,11 +135,14 @@ static int microdvd_read_header(AVFormatContext *s) SKIP_FRAME_ID; if (!*p) continue; + pts = get_pts(line); + if (pts == AV_NOPTS_VALUE) + continue; sub = ff_subtitles_queue_insert(µdvd->q, p, strlen(p), 0); if (!sub) return AVERROR(ENOMEM); sub->pos = pos; - sub->pts = get_pts(line); + sub->pts = pts; sub->duration = get_duration(line); } ff_subtitles_queue_finalize(µdvd->q); diff --git a/lib/ffmpeg/libavformat/mlvdec.c b/lib/ffmpeg/libavformat/mlvdec.c index 4b3bdc1ec..0ed0cb11a 100644 --- a/lib/ffmpeg/libavformat/mlvdec.c +++ b/lib/ffmpeg/libavformat/mlvdec.c @@ -76,7 +76,7 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) return 0; } -static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, int size) +static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size) { char * value = av_malloc(size + 1); if (!value) { @@ -384,10 +384,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) { MlvContext *mlv = avctx->priv_data; AVIOContext *pb; - AVStream *st = avctx->streams[mlv->stream_index]; + AVStream *st; int index, ret; unsigned int size, space; + if (!avctx->nb_streams) + return AVERROR_EOF; + + st = avctx->streams[mlv->stream_index]; if (mlv->pts >= st->duration) return AVERROR_EOF; 
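Review bot: The widened int64_t return of get_duration() is stored with `sub->duration = get_duration(line);`, which still truncates if the queued packet's duration field is an `int` in this tree — the cast in `frame_end - (int64_t)frame_start` would then only move the narrowing from the subtraction to the assignment. Worth confirming the field width, and if it is narrower, clamping before the store. The same applies to mpl2dec.c, where read_ts() now writes an `int64_t` duration that mpl2_read_header presumably stores the same way.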
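Review bot: With `size` now `unsigned`, `av_malloc(size + 1)` wraps to `av_malloc(0)` when size == UINT_MAX, and whatever follows the allocation (outside the hunk) would then operate on a buffer of the wrong length; a guard such as `if (size == UINT_MAX) return;` before the allocation closes that case explicitly rather than relying on av_malloc's own size limits. Where the callers' `size` originates is not in view, so this matters only if a file-controlled 32-bit value can reach here unchanged. In read_packet, `mlv->stream_index` is still used unchecked after the new `nb_streams` test, which is fine if it is only ever set by the demuxer itself — a short comment stating that invariant would help.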
diff --git a/lib/ffmpeg/libavformat/mm.c b/lib/ffmpeg/libavformat/mm.c index 81ae1a510..814b9e7f6 100644 --- a/lib/ffmpeg/libavformat/mm.c +++ b/lib/ffmpeg/libavformat/mm.c @@ -174,6 +174,8 @@ static int read_packet(AVFormatContext *s, return 0; case MM_TYPE_AUDIO : + if (s->nb_streams < 2) + return AVERROR_INVALIDDATA; if (av_get_packet(s->pb, pkt, length)<0) return AVERROR(ENOMEM); pkt->stream_index = 1; diff --git a/lib/ffmpeg/libavformat/mms.c b/lib/ffmpeg/libavformat/mms.c index 807aadef0..9f675f2dd 100644 --- a/lib/ffmpeg/libavformat/mms.c +++ b/lib/ffmpeg/libavformat/mms.c 
@@ -94,24 +94,26 @@ int ff_mms_asf_header_parser(MMSContext *mms) } } } else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) { - flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24); - stream_id = flags & 0x7F; - //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size, - //we can calcuate the packet size by stream_num. - //Please see function send_stream_selection_request(). - if (mms->stream_num < MMS_MAX_STREAMS && - 46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) { - mms->streams = av_fast_realloc(mms->streams, - &mms->nb_streams_allocated, - (mms->stream_num + 1) * sizeof(MMSStream)); - if (!mms->streams) - return AVERROR(ENOMEM); - mms->streams[mms->stream_num].id = stream_id; - mms->stream_num++; - } else { - av_log(NULL, AV_LOG_ERROR, - "Corrupt stream (too many A/V streams)\n"); - return AVERROR_INVALIDDATA; + if (end - p >= (sizeof(ff_asf_guid) * 3 + 26)) { + flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24); + stream_id = flags & 0x7F; + //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size, + //we can calcuate the packet size by stream_num. + //Please see function send_stream_selection_request(). + if (mms->stream_num < MMS_MAX_STREAMS && + 46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) { + mms->streams = av_fast_realloc(mms->streams, + &mms->nb_streams_allocated, + (mms->stream_num + 1) * sizeof(MMSStream)); + if (!mms->streams) + return AVERROR(ENOMEM); + mms->streams[mms->stream_num].id = stream_id; + mms->stream_num++; + } else { + av_log(NULL, AV_LOG_ERROR, + "Corrupt stream (too many A/V streams)\n"); + return AVERROR_INVALIDDATA; + } } } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) { if (end - p >= 88) { 
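Review bot: When the stream-header object is shorter than `sizeof(ff_asf_guid) * 3 + 26`, the new guard silently skips the stream and the loop continues, whereas the head1 branch added in the second hunk logs "Corrupt stream" and returns AVERROR_INVALIDDATA; a truncated header inside a size-declared object seems to warrant the same treatment, or at least an av_log so the skipped stream is visible. The constant also deserves a comment, e.g. `/* the 2-byte flags word sits at offset 3*GUID+24 of the stream header */`. Note that `end - p` is ptrdiff_t and the right-hand side is size_t, so the comparison is signed/unsigned; `(size_t)(end - p)` keeps it warning-free, assuming p never passes end.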
@@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms) } } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) { chunksize = 46; // see references [2] section 3.4. This should be set 46. + if (chunksize > end - p) { + av_log(NULL, AV_LOG_ERROR, + "Corrupt stream (header chunksize %"PRId64" is invalid)\n", + chunksize); + return AVERROR_INVALIDDATA; + } } p += chunksize; } diff --git a/lib/ffmpeg/libavformat/mov.c b/lib/ffmpeg/libavformat/mov.c index 5363d4530..52359b055 100644 --- a/lib/ffmpeg/libavformat/mov.c +++ b/lib/ffmpeg/libavformat/mov.c @@ -356,7 +356,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (c->itunes_metadata && atom.size > 8) { int data_size = avio_rb32(pb); int tag = avio_rl32(pb); - if (tag == MKTAG('d','a','t','a') && data_size <= atom.size) { + if (tag == MKTAG('d','a','t','a') && data_size <= atom.size && data_size >= 16) { data_type = avio_rb32(pb); // type avio_rb32(pb); // unknown str_size = data_size - 16; @@ -839,6 +839,7 @@ static int mov_read_adrm(MOVContext *c, AVIOContext *pb, MOVAtom atom) sha = av_sha_alloc(); if (!sha) return AVERROR(ENOMEM); + av_free(c->aes_decrypt); c->aes_decrypt = av_aes_alloc(); if (!c->aes_decrypt) { ret = AVERROR(ENOMEM); @@ -951,7 +952,7 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dict_set_int(&c->fc->metadata, "minor_version", minor_ver, 0); comp_brand_size = atom.size - 8; - if (comp_brand_size < 0) + if (comp_brand_size < 0 || comp_brand_size == INT_MAX) return AVERROR_INVALIDDATA; comp_brands_str = av_malloc(comp_brand_size + 1); /* Add null terminator */ if (!comp_brands_str) 
@@ -990,6 +991,9 @@ static int mov_read_moov(MOVContext *c, AVIOContext *pb, MOVAtom atom) static int mov_read_moof(MOVContext *c, AVIOContext *pb, MOVAtom atom) { + // Set by mov_read_tfhd(). mov_read_trun() will reject files missing tfhd. + c->fragment.found_tfhd = 0; + if (!c->has_looked_for_mfra && c->use_mfra_for > 0) { c->has_looked_for_mfra = 1; if (pb->seekable) { @@ -1587,8 +1591,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->chunk_offsets) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STCO atom\n"); + if (sc->chunk_offsets) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STCO atom\n"); + return 0; + } av_free(sc->chunk_offsets); sc->chunk_count = 0; sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); @@ -2213,8 +2219,10 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->stsc_data) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STSC atom\n"); + if (sc->stsc_data) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STSC atom\n"); + return 0; + } av_free(sc->stsc_data); sc->stsc_count = 0; sc->stsc_data = av_malloc_array(entries, sizeof(*sc->stsc_data)); 
@@ -2228,6 +2236,29 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } sc->stsc_count = i; + for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { + int64_t first_min = i + 1; + if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || + (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || + sc->stsc_data[i].first < first_min || + sc->stsc_data[i].count < 1 || + sc->stsc_data[i].id < 1) { + av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); + if (i+1 >= sc->stsc_count) { + sc->stsc_data[i].first = FFMAX(sc->stsc_data[i].first, first_min); + if (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) + sc->stsc_data[i].first = FFMIN(sc->stsc_data[i-1].first + 1LL, INT_MAX); + sc->stsc_data[i].count = FFMAX(sc->stsc_data[i].count, 1); + sc->stsc_data[i].id = FFMAX(sc->stsc_data[i].id, 1); + continue; + } + av_assert0(sc->stsc_data[i+1].first >= 2); + // We replace this entry by the next valid + sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; + sc->stsc_data[i].count = sc->stsc_data[i+1].count; + sc->stsc_data[i].id = sc->stsc_data[i+1].id; + } + } if (pb->eof_reached) return AVERROR_EOF; @@ -2390,6 +2421,10 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries && !pb->eof_reached; i++) { sc->sample_sizes[i] = get_bits_long(&gb, field_size); + if (sc->sample_sizes[i] < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid sample size %d\n", sc->sample_sizes[i]); + return AVERROR_INVALIDDATA; + } sc->data_size += sc->sample_sizes[i]; } 
@@ -2454,14 +2489,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) && total_sample_count > 100 && sample_duration/10 > duration / total_sample_count) sample_duration = duration / total_sample_count; - duration+=(int64_t)sample_duration*sample_count; + duration+=(int64_t)sample_duration*(uint64_t)sample_count; total_sample_count+=sample_count; } sc->stts_count = i; - sc->duration_for_fps += duration; - sc->nb_frames_for_fps += total_sample_count; + if (duration > 0 && + duration <= INT64_MAX - sc->duration_for_fps && + total_sample_count <= INT64_MAX - sc->nb_frames_for_fps + ) { + sc->duration_for_fps += duration; + sc->nb_frames_for_fps += total_sample_count; + } if (pb->eof_reached) return AVERROR_EOF; @@ -2763,6 +2803,9 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } else { unsigned chunk_samples, total = 0; + if (!sc->chunk_count) + return; + // compute total chunk count for (i = 0; i < sc->stsc_count; i++) { unsigned count, chunk_count; @@ -2988,7 +3031,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = avformat_new_stream(c->fc, NULL); if (!st) return AVERROR(ENOMEM); - st->id = c->fc->nb_streams; + st->id = -1; sc = av_mallocz(sizeof(MOVStreamContext)); if (!sc) return AVERROR(ENOMEM); @@ -3006,6 +3049,11 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } + if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", + st->index); + return AVERROR_INVALIDDATA; + } fix_timescale(c, sc); 
@@ -3229,6 +3277,11 @@ static int mov_read_tkhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data; + // Each stream (trak) should have exactly 1 tkhd. This catches bad files and + // avoids corrupting AVStreams mapped to an earlier tkhd. + if (st->id != -1) + return AVERROR_INVALIDDATA; + version = avio_r8(pb); flags = avio_rb24(pb); st->disposition |= (flags & MOV_TKHD_FLAG_ENABLED) ? AV_DISPOSITION_DEFAULT : 0; @@ -3341,6 +3394,7 @@ static int mov_read_tfhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_ERROR, "could not find corresponding trex\n"); return AVERROR_INVALIDDATA; } + c->fragment.found_tfhd = 1; frag->base_data_offset = flags & MOV_TFHD_BASE_DATA_OFFSET ? avio_rb64(pb) : flags & MOV_TFHD_DEFAULT_BASE_IS_MOOF ? @@ -3459,6 +3513,11 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) unsigned entries, first_sample_flags = frag->flags; int flags, distance, i, found_keyframe = 0, err; + if (!frag->found_tfhd) { + av_log(c->fc, AV_LOG_ERROR, "trun track id unknown, no tfhd was found\n"); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < c->fc->nb_streams; i++) { if (c->fc->streams[i]->id == frag->track_id) { st = c->fc->streams[i]; @@ -3562,8 +3621,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) dts += sample_duration; offset += sample_size; sc->data_size += sample_size; - sc->duration_for_fps += sample_duration; - sc->nb_frames_for_fps ++; + + if (sample_duration <= INT64_MAX - sc->duration_for_fps && + 1 <= INT64_MAX - sc->nb_frames_for_fps + ) { + sc->duration_for_fps += sample_duration; + sc->nb_frames_for_fps ++; + } } if (pb->eof_reached) 
@@ -3991,13 +4055,14 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (a.type == MKTAG('f','r','e','e') && a.size >= 8 && c->moov_retry) { - uint8_t buf[8]; - uint32_t *type = (uint32_t *)buf + 1; - if (avio_read(pb, buf, 8) != 8) - return AVERROR_INVALIDDATA; + uint32_t type; + avio_skip(pb, 4); + type = avio_rl32(pb); + if (avio_feof(pb)) + break; avio_seek(pb, -8, SEEK_CUR); - if (*type == MKTAG('m','v','h','d') || - *type == MKTAG('c','m','o','v')) { + if (type == MKTAG('m','v','h','d') || + type == MKTAG('c','m','o','v')) { av_log(c->fc, AV_LOG_ERROR, "Detected moov in a free atom.\n"); a.type = MKTAG('m','o','o','v'); } @@ -4316,10 +4381,9 @@ static int mov_read_close(AVFormatContext *s) av_freep(&sc->display_matrix); } - if (mov->dv_demux) { - avformat_free_context(mov->dv_fctx); - mov->dv_fctx = NULL; - } + av_freep(&mov->dv_demux); + avformat_free_context(mov->dv_fctx); + mov->dv_fctx = NULL; av_freep(&mov->trex_data); av_freep(&mov->bitrates); @@ -4654,8 +4718,8 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) if (!sample || (!s->pb->seekable && current_sample->pos < sample->pos) || (s->pb->seekable && ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && - ((FFABS(best_dts - dts) <= 4*AV_TIME_BASE && current_sample->pos < sample->pos) || - (FFABS(best_dts - dts) > 4*AV_TIME_BASE && dts < best_dts)))))) { + ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) || + (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) { sample = current_sample; best_dts = dts; *st = avst; 
@@ -4760,6 +4824,19 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) sc->current_sample -= should_retry(sc->pb, ret); return ret; } +#if CONFIG_DV_DEMUXER + if (mov->dv_demux && sc->dv_audio_container) { + AVBufferRef *buf = pkt->buf; + ret = avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); + pkt->buf = buf; + av_packet_unref(pkt); + if (ret < 0) + return ret; + ret = avpriv_dv_get_packet(mov->dv_demux, pkt); + if (ret < 0) + return ret; + } +#endif if (sc->has_palette) { uint8_t *pal; @@ -4771,16 +4848,6 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) sc->has_palette = 0; } } -#if CONFIG_DV_DEMUXER - if (mov->dv_demux && sc->dv_audio_container) { - avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); - av_freep(&pkt->data); - pkt->size = 0; - ret = avpriv_dv_get_packet(mov->dv_demux, pkt); - if (ret < 0) - return ret; - } -#endif } pkt->stream_index = sc->ffindex; @@ -4799,7 +4866,9 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) } else { int64_t next_dts = (sc->current_sample < st->nb_index_entries) ? st->index_entries[sc->current_sample].timestamp : st->duration; - pkt->duration = next_dts - pkt->dts; + + if (next_dts >= pkt->dts) + pkt->duration = next_dts - pkt->dts; pkt->pts = pkt->dts; } if (st->discard == AVDISCARD_ALL) diff --git a/lib/ffmpeg/libavformat/movenc.c b/lib/ffmpeg/libavformat/movenc.c index e4acf5df3..301d3fe4c 100644 --- a/lib/ffmpeg/libavformat/movenc.c +++ b/lib/ffmpeg/libavformat/movenc.c @@ -374,6 +374,11 @@ static int handle_eac3(MOVMuxContext *mov, AVPacket *pkt, MOVTrack *track) info->ec3_done = 1; goto concatenate; } + } else { + if (hdr->substreamid != 0) { + avpriv_request_sample(mov->fc, "Multiple non EAC3 independent substreams"); + return AVERROR_PATCHWELCOME; + } } /* fill the info needed for the "dec3" atom */ 
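Review bot: The `AVBufferRef *buf = pkt->buf; … pkt->buf = buf; av_packet_unref(pkt);` sequence is correct only because avpriv_dv_produce_packet() appears to re-initialise `pkt` and drop its buffer reference, and nothing in the code says so; a comment such as `/* produce_packet() reinitialises pkt; restore the ref so av_packet_unref() frees the original buffer instead of leaking it */` would keep the next maintainer from "simplifying" it away. Moving the block ahead of the palette handling also means the palette path (second hunk) now sees the DV output packet rather than the raw container packet — presumably intended, but worth stating in the commit description.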
@@ -4379,6 +4384,11 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) else samples_in_chunk = 1; + if (samples_in_chunk < 1) { + av_log(s, AV_LOG_ERROR, "fatal error, input packet contains no samples\n"); + return AVERROR_PATCHWELCOME; + } + /* copy extradata if it exists */ if (trk->vos_len == 0 && enc->extradata_size > 0 && !TAG_IS_AVCI(trk->tag) && @@ -4448,11 +4458,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (trk->entry >= trk->cluster_capacity) { unsigned new_capacity = 2 * (trk->entry + MOV_INDEX_CLUSTER_SIZE); - if (av_reallocp_array(&trk->cluster, new_capacity, - sizeof(*trk->cluster))) { + void *cluster = av_realloc_array(trk->cluster, new_capacity, sizeof(*trk->cluster)); + if (!cluster) { ret = AVERROR(ENOMEM); goto err; } + trk->cluster = cluster; trk->cluster_capacity = new_capacity; } diff --git a/lib/ffmpeg/libavformat/mp3enc.c b/lib/ffmpeg/libavformat/mp3enc.c index d4b6af020..0cd1e096d 100644 --- a/lib/ffmpeg/libavformat/mp3enc.c +++ b/lib/ffmpeg/libavformat/mp3enc.c @@ -380,6 +380,7 @@ static void mp3_update_xing(AVFormatContext *s) uint16_t tag_crc; uint8_t *toc; int i, rg_size; + int64_t old_pos = avio_tell(s->pb); /* replace "Xing" identification string with "Info" for CBR files. */ if (!mp3->has_variable_bitrate) @@ -428,7 +429,7 @@ static void mp3_update_xing(AVFormatContext *s) avio_seek(s->pb, mp3->xing_frame_offset, SEEK_SET); avio_write(s->pb, mp3->xing_frame, mp3->xing_frame_size); - avio_seek(s->pb, 0, SEEK_END); + avio_seek(s->pb, old_pos, SEEK_SET); } static int mp3_write_trailer(struct AVFormatContext *s) diff --git a/lib/ffmpeg/libavformat/mpc8.c b/lib/ffmpeg/libavformat/mpc8.c index bf597b88a..2cfde2a61 100644 --- a/lib/ffmpeg/libavformat/mpc8.c +++ b/lib/ffmpeg/libavformat/mpc8.c 
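Review bot: Nothing records why av_realloc_array() replaces av_reallocp_array() here: av_reallocp_array() frees the array and nulls the pointer on ENOMEM while `trk->entry` still counts entries in it, which is exactly the hazard this change removes. A comment like `/* av_realloc_array() keeps trk->cluster valid on failure, unlike av_reallocp_array() */` above the call would preserve that reasoning. In the `samples_in_chunk < 1` hunk, the message says "fatal error" yet the return value is AVERROR_PATCHWELCOME, which signals an unsupported feature; AVERROR_INVALIDDATA (or AVERROR(EINVAL)) describes an empty input packet more accurately.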
@@ -177,6 +177,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) av_add_index_entry(s->streams[0], pos, i, 0, 0, AVINDEX_KEYFRAME); } for(; i < size; i++){ + if (get_bits_left(&gb) < 13) { + av_free(buf); + return; + } t = get_unary(&gb, 1, 33) << 12; t += get_bits(&gb, 12); if(t & 1) @@ -196,8 +200,11 @@ static void mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, in switch(tag){ case TAG_SEEKTBLOFF: - pos = avio_tell(pb) + size; + pos = avio_tell(pb); off = ffio_read_varlen(pb); + if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos) + return; + pos += size; mpc8_parse_seektable(s, chunk_pos + off); avio_seek(pb, pos, SEEK_SET); break; @@ -287,7 +294,7 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR_EOF; mpc8_get_chunk_header(s->pb, &tag, &size); - if (size < 0) + if (size < 0 || size > INT_MAX) return -1; if(tag == TAG_AUDIOPACKET){ if(av_get_packet(s->pb, pkt, size) < 0) diff --git a/lib/ffmpeg/libavformat/mpeg.c b/lib/ffmpeg/libavformat/mpeg.c index fe02af8fe..56b10a32e 100644 --- a/lib/ffmpeg/libavformat/mpeg.c +++ b/lib/ffmpeg/libavformat/mpeg.c @@ -106,7 +106,7 @@ static int mpegps_probe(AVProbeData *p) if (sys > invalid && sys * 9 <= pspack * 10) return (audio > 12 || vid > 3 || pspack > 2) ? AVPROBE_SCORE_EXTENSION + 2 - : AVPROBE_SCORE_EXTENSION / 2 + 1; // 1 more than mp3 + : AVPROBE_SCORE_EXTENSION / 2 + (audio + vid + pspack > 1); // 1 more than mp3 if (pspack > invalid && (priv1 + vid + audio) * 10 >= pspack * 9) return pspack > 2 ? AVPROBE_SCORE_EXTENSION + 2 : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg @@ -159,9 +159,12 @@ static int mpegps_read_header(AVFormatContext *s) static int64_t get_pts(AVIOContext *pb, int c) { uint8_t buf[5]; + int ret; buf[0] = c < 0 ? avio_r8(pb) : c; - avio_read(pb, buf + 1, 4); + ret = avio_read(pb, buf + 1, 4); + if (ret < 4) + return AV_NOPTS_VALUE; return ff_parse_pes_pts(buf); } 
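Review bot: The new `get_bits_left(&gb) < 13` test only guarantees the shortest seek-table entry (a 1-bit unary prefix plus 12 bits); `get_unary(&gb, 1, 33)` may consume up to 33 bits, so a long prefix near the end of the table can still read beyond the payload, depending on how the bit reader pads its buffer. If the reader's overread padding is being relied on, say so in a comment at the check; otherwise derive the bound from the 33+12 worst case or re-check `get_bits_left()` after get_unary() before the `get_bits(&gb, 12)`. mpc8_parse_seektable's body continues outside the hunk, so the later part of the loop may already cover this.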
diff --git a/lib/ffmpeg/libavformat/mpegenc.c b/lib/ffmpeg/libavformat/mpegenc.c index b3ee2a09b..9061a643a 100644 --- a/lib/ffmpeg/libavformat/mpegenc.c +++ b/lib/ffmpeg/libavformat/mpegenc.c @@ -1155,7 +1155,7 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) if (s->is_dvd) { // min VOBU length 0.4 seconds (mpucoder) if (is_iframe && - (s->packet_number == 0 || + (s->packet_number == 0 || pts != AV_NOPTS_VALUE && (pts - stream->vobu_start_pts >= 36000))) { stream->bytes_to_iframe = av_fifo_size(stream->fifo); stream->align_iframe = 1; diff --git a/lib/ffmpeg/libavformat/mpegts.c b/lib/ffmpeg/libavformat/mpegts.c index f3aba949b..a1929cef1 100644 --- a/lib/ffmpeg/libavformat/mpegts.c +++ b/lib/ffmpeg/libavformat/mpegts.c @@ -91,7 +91,6 @@ struct MpegTSFilter { int es_id; int last_cc; /* last cc code (-1 if first packet) */ int64_t last_pcr; - int last_version; /* last version of data on this pid */ enum MpegTSFilterType type; union { MpegTSPESFilter pes_filter; @@ -132,7 +131,7 @@ struct MpegTSContext { int fix_teletext_pts; int64_t cur_pcr; /**< used to estimate the exact PCR */ - int pcr_incr; /**< used to estimate the exact PCR */ + int64_t pcr_incr; /**< used to estimate the exact PCR */ /* data needed to handle file based ts */ /** stop parsing loop */ @@ -460,7 +459,6 @@ static MpegTSFilter *mpegts_open_filter(MpegTSContext *ts, unsigned int pid, filter->es_id = -1; filter->last_cc = -1; filter->last_pcr= -1; - filter->last_version = -1; return filter; } @@ -587,7 +585,6 @@ typedef struct SectionHeader { uint8_t tid; uint16_t id; uint8_t version; - uint8_t current; uint8_t sec_num; uint8_t last_sec_num; } SectionHeader; @@ -670,7 +667,6 @@ static int parse_section_header(SectionHeader *h, val = get8(pp, p_end); if (val < 0) return val; - h->current = val & 0x1; h->version = (val >> 1) & 0x1f; val = get8(pp, p_end); if (val < 0) 
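Review bot: The new condition mixes `||` and `&&` without parentheses, `(s->packet_number == 0 || pts != AV_NOPTS_VALUE && (pts - stream->vobu_start_pts >= 36000))`; it relies on `&&` binding tighter, which is correct, but is the pattern -Wparentheses warns on. Writing it as `(s->packet_number == 0 || (pts != AV_NOPTS_VALUE && pts - stream->vobu_start_pts >= 36000))` makes the intent explicit. `stream->vobu_start_pts` is still used without a NOPTS check; if it can be AV_NOPTS_VALUE on the first I-frame, the subtraction is meaningless — presumably covered by `packet_number == 0`, worth confirming since the rest of the function is outside the hunk.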
@@ -760,8 +756,6 @@ static const StreamType DESC_types[] = { { 0x7b, AVMEDIA_TYPE_AUDIO, AV_CODEC_ID_DTS }, { 0x56, AVMEDIA_TYPE_SUBTITLE, AV_CODEC_ID_DVB_TELETEXT }, { 0x59, AVMEDIA_TYPE_SUBTITLE, AV_CODEC_ID_DVB_SUBTITLE }, /* subtitling descriptor */ - { 0x45, AVMEDIA_TYPE_DATA, AV_CODEC_ID_VBI_DATA }, /* VBI Data descriptor */ - { 0x46, AVMEDIA_TYPE_DATA, AV_CODEC_ID_VBI_TELETEXT }, /* VBI Teletext descriptor */ { 0 }, }; @@ -868,10 +862,6 @@ static void reset_pes_packet_state(PESContext *pes) static void new_pes_packet(PESContext *pes, AVPacket *pkt) { - if(pkt->data) { - av_log(pes->stream, AV_LOG_ERROR, "ignoring previously allocated packet on stream %d\n", pkt->stream_index); - av_free_packet(pkt); - } av_init_packet(pkt); pkt->buf = pes->buffer; @@ -1030,7 +1020,7 @@ static int mpegts_push_data(MpegTSFilter *filter, goto skip; /* stream not present in PMT */ - if (ts->auto_guess && !pes->st) { + if (!pes->st) { if (ts->skip_changes) goto skip; @@ -2031,12 +2021,6 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len return; if (ts->skip_changes) return; - if (!h->current) - return; - if (h->version == filter->last_version) - return; - filter->last_version = h->version; - av_dlog(ts->stream, "version=%d\n", filter->last_version); if (skip_identical(h, tssf)) return; @@ -2180,13 +2164,12 @@ static int parse_pcr(int64_t *ppcr_high, int *ppcr_low, const uint8_t *packet); /* handle one TS packet */ -static int handle_packet(MpegTSContext *ts, const uint8_t *packet) +static int handle_packet(MpegTSContext *ts, const uint8_t *packet, int64_t pos) { MpegTSFilter *tss; int len, pid, cc, expected_cc, cc_ok, afc, is_start, is_discontinuity, has_adaptation, has_payload; const uint8_t *p, *p_end; - int64_t pos; pid = AV_RB16(packet + 1) & 0x1fff; if (pid && discard_pid(ts, pid)) 
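Review bot: handle_packet()'s new `pos` parameter has no documentation, and its two call sites give it different meanings: handle_packets() passes `avio_tell(s->pb)`, a file offset, while avpriv_mpegts_parse_packet() (a later hunk) passes `len1 - len + TS_PACKET_SIZE`, an offset within the caller's buffer. Both satisfy the `av_assert0(pos >= TS_PACKET_SIZE)` that remains in the body, but `ts->pos47_full` then holds a buffer-relative value on the second path; if only `pos47_full % raw_packet_size` is ever consumed that is harmless, but it should be stated. Suggested comment above the definition: `/* pos: byte position just past this packet — a file offset for file-based input, an offset into the caller's buffer for avpriv_mpegts_parse_packet() */`.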
@@ -2243,7 +2226,6 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) if (p >= p_end || !has_payload) return 0; - pos = avio_tell(ts->stream->pb); if (pos >= 0) { av_assert0(pos >= TS_PACKET_SIZE); ts->pos47_full = pos - TS_PACKET_SIZE; @@ -2446,7 +2428,7 @@ static int handle_packets(MpegTSContext *ts, int64_t nb_packets) ret = read_packet(s, packet, ts->raw_packet_size, &data); if (ret != 0) break; - ret = handle_packet(ts, data); + ret = handle_packet(ts, data, avio_tell(s->pb)); finished_reading_packet(s, ts->raw_packet_size); if (ret != 0) break; @@ -2526,44 +2508,6 @@ static void seek_back(AVFormatContext *s, AVIOContext *pb, int64_t pos) { av_log(s, pb->seekable ? AV_LOG_ERROR : AV_LOG_INFO, "Unable to seek back to the start\n"); } -static int parse_timestamp(int64_t *ts, const uint8_t *buf) -{ - int afc, flags; - const uint8_t *p; - - if(!(buf[1] & 0x40)) /* must be a start packet */ - return -1; - - afc = (buf[3] >> 4) & 3; - p = buf + 4; - if (afc == 0 || afc == 2) /* invalid or only adaption field */ - return -1; - if (afc == 3) - p += p[0] + 1; - if (p >= buf + TS_PACKET_SIZE) - return -1; - - if (p[0] != 0x00 || p[1] != 0x00 || p[2] != 0x01) /* packet_start_code_prefix */ - return -1; - - flags = p[3] | 0x100; /* stream type */ - if (!((flags >= 0x1c0 && flags <= 0x1df) || - (flags >= 0x1e0 && flags <= 0x1ef) || - (flags == 0x1bd) || (flags == 0x1fd))) - return -1; - - flags = p[7]; - if ((flags & 0xc0) == 0x80) { - *ts = ff_parse_pes_pts(p+9); - return 0; - } else if ((flags & 0xc0) == 0xc0) { - *ts = ff_parse_pes_pts(p+9+5); - return 0; - } - return -1; -} - - static int mpegts_read_header(AVFormatContext *s) { MpegTSContext *ts = s->priv_data; 
@@ -2666,7 +2610,7 @@ static int mpegts_read_header(AVFormatContext *s) s->bit_rate = TS_PACKET_SIZE * 8 * 27000000LL / ts->pcr_incr; st->codec->bit_rate = s->bit_rate; st->start_time = ts->cur_pcr; - av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%d\n", + av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%"PRId64"\n", st->start_time / 1000000.0, pcrs[0] / 27e6, ts->pcr_incr); } @@ -2694,7 +2638,7 @@ static int mpegts_raw_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; } if (data != pkt->data) - memcpy(pkt->data, data, ts->raw_packet_size); + memcpy(pkt->data, data, TS_PACKET_SIZE); finished_reading_packet(s, ts->raw_packet_size); if (ts->mpeg2ts_compute_pcr) { /* compute exact PCR for each packet */ @@ -2731,8 +2675,6 @@ static int mpegts_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->size = -1; ts->pkt = pkt; - ts->pkt->data = NULL; - ret = handle_packets(ts, 0); if (ret < 0) { av_free_packet(ts->pkt); @@ -2780,7 +2722,6 @@ static av_unused int64_t mpegts_get_pcr(AVFormatContext *s, int stream_index, uint8_t buf[TS_PACKET_SIZE]; int pcr_l, pcr_pid = ((PESContext *)s->streams[stream_index]->priv_data)->pcr_pid; - int pid = ((PESContext*)s->streams[stream_index]->priv_data)->pid; int pos47 = ts->pos47_full % ts->raw_packet_size; pos = ((*ppos + ts->raw_packet_size - 1 - pos47) / ts->raw_packet_size) * @@ -2802,11 +2743,6 @@ static av_unused int64_t mpegts_get_pcr(AVFormatContext *s, int stream_index, *ppos = pos; return timestamp; } - if ((pid < 0 || (AV_RB16(buf + 1) & 0x1fff) == pid) && - parse_timestamp(×tamp, buf) == 0) { - *ppos = pos; - return timestamp; - } pos += ts->raw_packet_size; } @@ -2882,7 +2818,7 @@ int avpriv_mpegts_parse_packet(MpegTSContext *ts, AVPacket *pkt, buf++; len--; } else { - handle_packet(ts, buf); + handle_packet(ts, buf, len1 - len + TS_PACKET_SIZE); buf += TS_PACKET_SIZE; len -= TS_PACKET_SIZE; if (ts->stop_parse == 1) 
@@ -2906,7 +2842,7 @@ AVInputFormat ff_mpegts_demuxer = { .read_header = mpegts_read_header, .read_packet = mpegts_read_packet, .read_close = mpegts_read_close, - .read_timestamp = mpegts_get_pcr, + .read_timestamp = mpegts_get_dts, .flags = AVFMT_SHOW_IDS | AVFMT_TS_DISCONT, .priv_class = &mpegts_class, }; @@ -2918,7 +2854,7 @@ AVInputFormat ff_mpegtsraw_demuxer = { .read_header = mpegts_read_header, .read_packet = mpegts_raw_read_packet, .read_close = mpegts_read_close, - .read_timestamp = mpegts_get_pcr, + .read_timestamp = mpegts_get_dts, .flags = AVFMT_SHOW_IDS | AVFMT_TS_DISCONT, .priv_class = &mpegtsraw_class, }; diff --git a/lib/ffmpeg/libavformat/mpl2dec.c b/lib/ffmpeg/libavformat/mpl2dec.c index 260b7be0e..8805e1e69 100644 --- a/lib/ffmpeg/libavformat/mpl2dec.c +++ b/lib/ffmpeg/libavformat/mpl2dec.c @@ -50,7 +50,7 @@ static int mpl2_probe(AVProbeData *p) return AVPROBE_SCORE_MAX; } -static int read_ts(char **line, int64_t *pts_start, int *duration) +static int read_ts(char **line, int64_t *pts_start, int64_t *duration) { char c; int len; @@ -64,7 +64,10 @@ static int read_ts(char **line, int64_t *pts_start, int *duration) } if (sscanf(*line, "[%"SCNd64"][%"SCNd64"]%c%n", pts_start, &end, &c, &len) >= 3) { - *duration = end - *pts_start; + if (end < *pts_start || end - (uint64_t)*pts_start > INT64_MAX) { + *duration = -1; + } else + *duration = end - *pts_start; *line += len - 1; return 0; } @@ -89,7 +92,7 @@ static int mpl2_read_header(AVFormatContext *s) const int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line, sizeof(line)); int64_t pts_start; - int duration; + int64_t duration; if (!len) break; diff --git a/lib/ffmpeg/libavformat/mpsubdec.c b/lib/ffmpeg/libavformat/mpsubdec.c index 7c26d4f42..ecd85338a 100644 --- a/lib/ffmpeg/libavformat/mpsubdec.c +++ b/lib/ffmpeg/libavformat/mpsubdec.c 
@@ -106,6 +106,9 @@ static int mpsub_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(&mpsub->q); end: + if (res < 0) + ff_subtitles_queue_clean(&mpsub->q); + av_bprint_finalize(&buf, NULL); return res; } diff --git a/lib/ffmpeg/libavformat/mvdec.c b/lib/ffmpeg/libavformat/mvdec.c index e3feda668..3b59f7ee1 100644 --- a/lib/ffmpeg/libavformat/mvdec.c +++ b/lib/ffmpeg/libavformat/mvdec.c @@ -258,6 +258,8 @@ static void read_index(AVIOContext *pb, AVStream *st) uint32_t pos = avio_rb32(pb); uint32_t size = avio_rb32(pb); avio_skip(pb, 8); + if (avio_feof(pb)) + return ; av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME); if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO) { timestamp += size / (st->codec->channels * 2); @@ -351,6 +353,12 @@ static int mv_read_header(AVFormatContext *avctx) if ((ret = read_table(avctx, NULL, parse_global_var)) < 0) return ret; + if (mv->nb_audio_tracks < 0 || mv->nb_video_tracks < 0 || + (mv->nb_audio_tracks == 0 && mv->nb_video_tracks == 0)) { + av_log(avctx, AV_LOG_ERROR, "Stream count is invalid.\n"); + return AVERROR_INVALIDDATA; + } + if (mv->nb_audio_tracks > 1) { avpriv_request_sample(avctx, "Multiple audio streams support"); return AVERROR_PATCHWELCOME; diff --git a/lib/ffmpeg/libavformat/mvi.c b/lib/ffmpeg/libavformat/mvi.c index a7cfcb9a7..ffc6099a3 100644 --- a/lib/ffmpeg/libavformat/mvi.c +++ b/lib/ffmpeg/libavformat/mvi.c 
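Review bot: The new `avio_feof()` check stops the index loop on truncation, but the line two below it, `timestamp += size / (st->codec->channels * 2);`, still divides by a value the hunk does not show being validated; if a header can set `channels` to 0 for an audio stream, this is a division by zero reached from file data. If mv_read_header (outside this hunk) already rejects zero channels, a one-line comment here saying so would save the next reader the search; otherwise guard it before the loop. Style-wise, `return ;` has a stray space before the semicolon.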
@@ -119,9 +119,15 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) mvi->video_frame_size = (mvi->get_int)(pb); if (mvi->audio_size_left == 0) return AVERROR(EIO); + if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size || + mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS) + return AVERROR_INVALIDDATA; + count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left; + if ((int64_t)count << MVI_FRAC_BITS > INT_MAX) + return AVERROR_INVALIDDATA; if ((ret = av_get_packet(pb, pkt, count)) < 0) return ret; pkt->stream_index = MVI_AUDIO_STREAM_INDEX; diff --git a/lib/ffmpeg/libavformat/mxfdec.c b/lib/ffmpeg/libavformat/mxfdec.c index 5abb76d0b..f3e955600 100644 --- a/lib/ffmpeg/libavformat/mxfdec.c +++ b/lib/ffmpeg/libavformat/mxfdec.c @@ -303,9 +303,8 @@ static void mxf_free_metadataset(MXFMetadataSet **ctx, int freectx) MXFIndexTableSegment *seg; switch ((*ctx)->type) { case Descriptor: - av_freep(&((MXFDescriptor *)*ctx)->extradata); - break; case MultipleDescriptor: + av_freep(&((MXFDescriptor *)*ctx)->extradata); av_freep(&((MXFDescriptor *)*ctx)->sub_descriptors_refs); break; case Sequence: @@ -404,6 +403,10 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, data_ptr = pkt->data; end_ptr = pkt->data + length; buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */ + + if (st->codec->channels > 8) + return AVERROR_INVALIDDATA; + for (; end_ptr - buf_ptr >= st->codec->channels * 4; ) { for (i = 0; i < st->codec->channels; i++) { uint32_t sample = bytestream_get_le32(&buf_ptr); 
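Review bot: The two new overflow guards are correct only for specific field widths — `mvi->audio_size_counter + 512` must itself not wrap before the `UINT64_MAX - …` comparison, which holds if the counter is uint64_t but not if it is narrower — and nothing in the hunk shows the types. A short comment would pin the intent, e.g. `/* keep counter+frame+512 representable and (… >> MVI_FRAC_BITS) within int32 before it becomes a packet size */`. The second check after the `audio_size_left` cap could likewise state why it is still needed, since the width of `audio_size_left` is not visible here either.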
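Review bot: The new `channels > 8` rejection leaves `channels <= 0` unhandled; with channels == 0 the loop condition `end_ptr - buf_ptr >= 0` is true and the inner loop never advances `buf_ptr`, so unless something later in the loop body (outside the hunk) moves it, the function spins forever on a zero-channel descriptor. `if (st->codec->channels <= 0 || st->codec->channels > 8) return AVERROR_INVALIDDATA;` covers both ends, and a comment noting where the limit of 8 comes from (SMPTE 331M carrying at most 8 AES3 channels, if that is the rationale) would help. The function continues outside the hunk, so whether the caller unrefs `pkt` on this early return should be confirmed.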
@@ -457,7 +460,7 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv return AVERROR_INVALIDDATA; // enc. code size = klv_decode_ber_length(pb); - if (size < 32 || size - 32 < orig_size) + if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); avio_read(pb, tmpbuf, 16); @@ -2312,8 +2315,11 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF int ret; int tag = avio_rb16(pb); int size = avio_rb16(pb); /* KLV specified by 0x53 */ - uint64_t next = avio_tell(pb) + size; + int64_t next = avio_tell(pb); UID uid = {0}; + if (next < 0 || next > INT64_MAX - size) + return next < 0 ? next : AVERROR_INVALIDDATA; + next += size; av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size); if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */ @@ -3104,6 +3110,7 @@ static int mxf_read_close(AVFormatContext *s) for (i = 0; i < mxf->metadata_sets_count; i++) { mxf_free_metadataset(mxf->metadata_sets + i, 1); } + mxf->metadata_sets_count = 0; av_freep(&mxf->partitions); av_freep(&mxf->metadata_sets); av_freep(&mxf->aesc); diff --git a/lib/ffmpeg/libavformat/nsvdec.c b/lib/ffmpeg/libavformat/nsvdec.c index c6c359234..b427585eb 100644 --- a/lib/ffmpeg/libavformat/nsvdec.c +++ b/lib/ffmpeg/libavformat/nsvdec.c @@ -177,6 +177,7 @@ typedef struct NSVContext { AVRational framerate; uint32_t *nsvs_timestamps; //DVDemuxContext* dv_demux; + int nsvf; } NSVContext; static const AVCodecTag nsv_codec_video_tags[] = { @@ -211,6 +212,7 @@ static const AVCodecTag nsv_codec_audio_tags[] = { //static int nsv_load_index(AVFormatContext *s); static int nsv_read_chunk(AVFormatContext *s, int fill_header); +static int nsv_read_close(AVFormatContext *s); #define print_tag(str, tag, size) \ av_log(NULL, AV_LOG_TRACE, "%s: tag=%c%c%c%c\n", \ 
@@ -280,6 +282,12 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) nsv->state = NSV_UNSYNC; /* in case we fail */ + if (nsv->nsvf) { + av_log(s, AV_LOG_TRACE, "Multiple NSVf\n"); + return 0; + } + nsv->nsvf = 1; + size = avio_rl32(pb); if (size < 28) return -1; @@ -506,25 +514,32 @@ static int nsv_read_header(AVFormatContext *s) nsv->ahead[0].data = nsv->ahead[1].data = NULL; for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) { - if (nsv_resync(s) < 0) - return -1; + err = nsv_resync(s); + if (err < 0) + goto fail; if (nsv->state == NSV_FOUND_NSVF) { err = nsv_parse_NSVf_header(s); if (err < 0) - return err; + goto fail; } /* we need the first NSVs also... */ if (nsv->state == NSV_FOUND_NSVS) { err = nsv_parse_NSVs_header(s); if (err < 0) - return err; + goto fail; break; /* we just want the first one */ } } - if (s->nb_streams < 1) /* no luck so far */ - return -1; + if (s->nb_streams < 1) { /* no luck so far */ + err = AVERROR_INVALIDDATA; + goto fail; + } + /* now read the first chunk, so we can attempt to decode more info */ err = nsv_read_chunk(s, 1); +fail: + if (err < 0) + nsv_read_close(s); av_log(s, AV_LOG_TRACE, "parsed header\n"); return err; diff --git a/lib/ffmpeg/libavformat/nutdec.c b/lib/ffmpeg/libavformat/nutdec.c index bfa2bade2..6f8a9350a 100644 --- a/lib/ffmpeg/libavformat/nutdec.c +++ b/lib/ffmpeg/libavformat/nutdec.c @@ -229,13 +229,13 @@ static int decode_main_header(NUTContext *nut) { AVFormatContext *s = nut->avf; AVIOContext *bc = s->pb; - uint64_t tmp, end; + uint64_t tmp, end, length; unsigned int stream_count; int i, j, count, ret; int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; - end = get_packetheader(nut, bc, 1, MAIN_STARTCODE); - end += avio_tell(bc); + length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); if (nut->version < NUT_MIN_VERSION && 
@@ -255,7 +255,7 @@ static int decode_main_header(NUTContext *nut) nut->max_distance = 65536; } - GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational)); + GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational) && tmp < length/2); nut->time_base = av_malloc_array(nut->time_base_count, sizeof(AVRational)); if (!nut->time_base) return AVERROR(ENOMEM); @@ -294,7 +294,7 @@ static int decode_main_header(NUTContext *nut) if (tmp_fields > 5) count = ffio_read_varlen(bc); else - count = tmp_mul - tmp_size; + count = tmp_mul - (unsigned)tmp_size; if (tmp_fields > 6) get_s(bc); if (tmp_fields > 7) @@ -319,6 +319,11 @@ static int decode_main_header(NUTContext *nut) ret = AVERROR_INVALIDDATA; goto fail; } + if (tmp_size < 0 || tmp_size > INT_MAX - count) { + av_log(s, AV_LOG_ERROR, "illegal size\n"); + ret = AVERROR_INVALIDDATA; + goto fail; + } for (j = 0; j < count; j++, i++) { if (i == 'N') { diff --git a/lib/ffmpeg/libavformat/nutenc.c b/lib/ffmpeg/libavformat/nutenc.c index 49d62bfbe..e5eb82504 100644 --- a/lib/ffmpeg/libavformat/nutenc.c +++ b/lib/ffmpeg/libavformat/nutenc.c @@ -798,11 +798,12 @@ static int get_needed_flags(NUTContext *nut, StreamContext *nus, FrameCode *fc, flags |= FLAG_CHECKSUM; if (FFABS(pkt->pts - nus->last_pts) > nus->max_pts_distance) flags |= FLAG_CHECKSUM; - if (pkt->size < nut->header_len[fc->header_idx] || - (pkt->size > 4096 && fc->header_idx) || - memcmp(pkt->data, nut->header[fc->header_idx], - nut->header_len[fc->header_idx])) - flags |= FLAG_HEADER_IDX; + if (fc->header_idx) + if (pkt->size < nut->header_len[fc->header_idx] || + pkt->size > 4096 || + memcmp(pkt->data, nut->header [fc->header_idx], + nut->header_len[fc->header_idx])) + flags |= FLAG_HEADER_IDX; return flags | (fc->flags & FLAG_CODED); } 
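Review bot: In get_needed_flags the new `if (fc->header_idx)` wraps a second brace-less `if` whose body is the single `flags |= FLAG_HEADER_IDX;`, which is the shape that invites a dangling-else or a mis-placed statement on the next edit and that compilers flag under -Wparentheses/-Wmisleading-indentation. Folding the guard into one condition keeps the behaviour (header index 0 is never compared) and reads the same as the neighbouring checksum checks: `if (fc->header_idx && (pkt->size < nut->header_len[fc->header_idx] || pkt->size > 4096 || memcmp(pkt->data, nut->header[fc->header_idx], nut->header_len[fc->header_idx])))`. A one-line comment such as `/* header_idx 0 means "no shared header", nothing to compare */` would document why the index-zero case is skipped.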
@@ -1181,7 +1182,7 @@ static int nut_write_trailer(AVFormatContext *s) ret = avio_open_dyn_buf(&dyn_bc); if (ret >= 0 && nut->sp_count) { - av_assert1(nut->write_index); + av_assert1(nut->write_index); // sp_count should be 0 if no index is going to be written write_index(nut, dyn_bc); put_packet(nut, bc, dyn_bc, 1, INDEX_STARTCODE); } diff --git a/lib/ffmpeg/libavformat/oggdec.c b/lib/ffmpeg/libavformat/oggdec.c index 18248b772..91357dc92 100644 --- a/lib/ffmpeg/libavformat/oggdec.c +++ b/lib/ffmpeg/libavformat/oggdec.c @@ -196,7 +196,8 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, int nsegs) uint8_t magic[8]; int64_t pos = avio_tell(s->pb); avio_skip(s->pb, nsegs); - avio_read(s->pb, magic, sizeof(magic)); + if (avio_read(s->pb, magic, sizeof(magic)) != sizeof(magic)) + return AVERROR_INVALIDDATA; avio_seek(s->pb, pos, SEEK_SET); codec = ogg_find_codec(magic, sizeof(magic)); if (!codec) { @@ -368,6 +369,9 @@ static int ogg_read_page(AVFormatContext *s, int *sid) avio_skip(bc, 8); /* seq, crc */ nsegs = avio_r8(bc); + if (avio_feof(bc)) + return AVERROR_EOF; + idx = ogg_find_stream(ogg, serial); if (idx < 0) { if (data_packets_seen(ogg)) diff --git a/lib/ffmpeg/libavformat/oggparseogm.c b/lib/ffmpeg/libavformat/oggparseogm.c index ae8c3c850..573fb99dd 100644 --- a/lib/ffmpeg/libavformat/oggparseogm.c +++ b/lib/ffmpeg/libavformat/oggparseogm.c @@ -170,11 +170,14 @@ ogm_packet(AVFormatContext *s, int idx) os->pflags |= AV_PKT_FLAG_KEY; lb = ((*p & 2) << 1) | ((*p >> 6) & 3); + if (os->psize < lb + 1) + return AVERROR_INVALIDDATA; + os->pstart += lb + 1; os->psize -= lb + 1; while (lb--) - os->pduration += p[lb+1] << (lb*8); + os->pduration += (uint64_t)p[lb+1] << (lb*8); return 0; } diff --git a/lib/ffmpeg/libavformat/oggparsetheora.c b/lib/ffmpeg/libavformat/oggparsetheora.c index e92d4c517..9adc19710 100644 --- a/lib/ffmpeg/libavformat/oggparsetheora.c +++ b/lib/ffmpeg/libavformat/oggparsetheora.c 
@@ -181,6 +181,7 @@ static int theora_packet(AVFormatContext *s, int idx) if ((!os->lastpts || os->lastpts == AV_NOPTS_VALUE) && !(os->flags & OGG_FLAG_EOS)) { int seg; + int64_t pts; duration = 1; for (seg = os->segp; seg < os->nsegs; seg++) { @@ -188,7 +189,10 @@ static int theora_packet(AVFormatContext *s, int idx) duration ++; } - os->lastpts = os->lastdts = theora_gptopts(s, idx, os->granule, NULL) - duration; + pts = theora_gptopts(s, idx, os->granule, NULL); + if (pts != AV_NOPTS_VALUE) + pts -= duration; + os->lastpts = os->lastdts = pts; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; if (s->streams[idx]->duration) diff --git a/lib/ffmpeg/libavformat/oggparsevorbis.c b/lib/ffmpeg/libavformat/oggparsevorbis.c index 59e7b7552..5ca3b9eee 100644 --- a/lib/ffmpeg/libavformat/oggparsevorbis.c +++ b/lib/ffmpeg/libavformat/oggparsevorbis.c @@ -228,6 +228,10 @@ static int fixup_vorbis_headers(AVFormatContext *as, len = priv->len[0] + priv->len[1] + priv->len[2]; buf_len = len + len / 255 + 64; + + if (*buf) + return AVERROR_INVALIDDATA; + ptr = *buf = av_realloc(NULL, buf_len); if (!ptr) return AVERROR(ENOMEM); diff --git a/lib/ffmpeg/libavformat/paf.c b/lib/ffmpeg/libavformat/paf.c index 4fc5006f4..8b3e239b8 100644 --- a/lib/ffmpeg/libavformat/paf.c +++ b/lib/ffmpeg/libavformat/paf.c @@ -75,14 +75,18 @@ static int read_close(AVFormatContext *s) return 0; } -static void read_table(AVFormatContext *s, uint32_t *table, uint32_t count) +static int read_table(AVFormatContext *s, uint32_t *table, uint32_t count) { int i; - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; table[i] = avio_rl32(s->pb); + } avio_skip(s->pb, 4 * (FFALIGN(count, 512) - count)); + return 0; } static int read_header(AVFormatContext *s) 
@@ -132,6 +136,10 @@ static int read_header(AVFormatContext *s) p->start_offset = avio_rl32(pb); p->max_video_blks = avio_rl32(pb); p->max_audio_blks = avio_rl32(pb); + + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if (p->buffer_size < 175 || p->max_audio_blks < 2 || p->max_video_blks < 1 || @@ -171,9 +179,15 @@ static int read_header(AVFormatContext *s) avio_seek(pb, p->buffer_size, SEEK_SET); - read_table(s, p->blocks_count_table, p->nb_frames); - read_table(s, p->frames_offset_table, p->nb_frames); - read_table(s, p->blocks_offset_table, p->frame_blks); + ret = read_table(s, p->blocks_count_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->frames_offset_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->blocks_offset_table, p->frame_blks); + if (ret < 0) + goto fail; p->got_audio = 0; p->current_frame = 0; diff --git a/lib/ffmpeg/libavformat/pjsdec.c b/lib/ffmpeg/libavformat/pjsdec.c index 5129b70e5..1c0f75395 100644 --- a/lib/ffmpeg/libavformat/pjsdec.c +++ b/lib/ffmpeg/libavformat/pjsdec.c @@ -55,6 +55,8 @@ static int64_t read_ts(char **line, int *duration) if (sscanf(*line, "%"SCNd64",%"SCNd64, &start, &end) == 2) { *line += strcspn(*line, "\""); *line += !!**line; + if (end < start || end - (uint64_t)start > INT_MAX) + return AV_NOPTS_VALUE; *duration = end - start; return start; } diff --git a/lib/ffmpeg/libavformat/pva.c b/lib/ffmpeg/libavformat/pva.c index 900ad6133..9714fb186 100644 --- a/lib/ffmpeg/libavformat/pva.c +++ b/lib/ffmpeg/libavformat/pva.c @@ -134,6 +134,10 @@ static int read_part_of_packet(AVFormatContext *s, int64_t *pts, pes_flags = avio_rb16(pb); pes_header_data_length = avio_r8(pb); + if (avio_feof(pb)) { + return AVERROR_EOF; + } + if (pes_signal != 1 || pes_header_data_length == 0) { pva_log(s, AV_LOG_WARNING, "expected non empty signaled PES packet, " "trying to recover\n"); diff --git a/lib/ffmpeg/libavformat/qcp.c b/lib/ffmpeg/libavformat/qcp.c index ad4a8ae79..3ffcd24fd 100644 
--- a/lib/ffmpeg/libavformat/qcp.c +++ b/lib/ffmpeg/libavformat/qcp.c @@ -93,7 +93,8 @@ static int qcp_read_header(AVFormatContext *s) QCPContext *c = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); uint8_t buf[16]; - int i, nb_rates; + int i; + unsigned nb_rates; if (!st) return AVERROR(ENOMEM); diff --git a/lib/ffmpeg/libavformat/rawenc.c b/lib/ffmpeg/libavformat/rawenc.c index d65c7c790..d8cdd94e7 100644 --- a/lib/ffmpeg/libavformat/rawenc.c +++ b/lib/ffmpeg/libavformat/rawenc.c @@ -36,6 +36,18 @@ static int force_one_stream(AVFormatContext *s) s->oformat->name); return AVERROR(EINVAL); } + if ( s->oformat->audio_codec != AV_CODEC_ID_NONE + && s->streams[0]->codec->codec_type != AVMEDIA_TYPE_AUDIO) { + av_log(s, AV_LOG_ERROR, "%s files have exactly one audio stream\n", + s->oformat->name); + return AVERROR(EINVAL); + } + if ( s->oformat->video_codec != AV_CODEC_ID_NONE + && s->streams[0]->codec->codec_type != AVMEDIA_TYPE_VIDEO) { + av_log(s, AV_LOG_ERROR, "%s files have exactly one video stream\n", + s->oformat->name); + return AVERROR(EINVAL); + } return 0; } diff --git a/lib/ffmpeg/libavformat/realtextdec.c b/lib/ffmpeg/libavformat/realtextdec.c index fff85d6ba..659956d48 100644 --- a/lib/ffmpeg/libavformat/realtextdec.c +++ b/lib/ffmpeg/libavformat/realtextdec.c @@ -107,10 +107,11 @@ static int realtext_read_header(AVFormatContext *s) if (!merge) { const char *begin = ff_smil_get_attr_ptr(buf.str, "begin"); const char *end = ff_smil_get_attr_ptr(buf.str, "end"); + int64_t endi = end ? read_ts(end) : 0; sub->pos = pos; sub->pts = begin ? read_ts(begin) : 0; - sub->duration = end ? (read_ts(end) - sub->pts) : duration; + sub->duration = (end && endi > sub->pts && endi - (uint64_t)sub->pts <= INT64_MAX) ? endi - sub->pts : duration; } } av_bprint_clear(&buf); @@ -119,6 +120,8 @@ static int realtext_read_header(AVFormatContext *s) end: av_bprint_finalize(&buf, NULL); + if (res < 0) + ff_subtitles_queue_clean(&rt->q); return res; } 
diff --git a/lib/ffmpeg/libavformat/rmdec.c b/lib/ffmpeg/libavformat/rmdec.c index 09889f6ef..5802f0ff0 100644 --- a/lib/ffmpeg/libavformat/rmdec.c +++ b/lib/ffmpeg/libavformat/rmdec.c @@ -167,7 +167,11 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_rb16(pb); /* version2 */ avio_rb32(pb); /* header size */ flavor= avio_rb16(pb); /* add codec info / flavor */ - ast->coded_framesize = coded_framesize = avio_rb32(pb); /* coded frame size */ + coded_framesize = avio_rb32(pb); /* coded frame size */ + if (coded_framesize < 0) + return AVERROR_INVALIDDATA; + ast->coded_framesize = coded_framesize; + avio_rb32(pb); /* ??? */ bytes_per_minute = avio_rb32(pb); if (version == 4) { @@ -220,7 +224,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } @@ -250,7 +254,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } 
@@ -265,9 +269,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } @@ -453,6 +457,8 @@ static int rm_read_index(AVFormatContext *s) } for (n = 0; n < n_pkts; n++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 2); pts = avio_rb32(pb); pos = avio_rb32(pb); @@ -690,21 +696,23 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre state= (state<<8) + avio_r8(pb); if(state == MKBETAG('I', 'N', 'D', 'X')){ - int n_pkts, expected_len; + int n_pkts; + int64_t expected_len; len = avio_rb32(pb); avio_skip(pb, 2); n_pkts = avio_rb32(pb); - expected_len = 20 + n_pkts * 14; - if (len == 20) + expected_len = 20 + n_pkts * 14LL; + + if (len == 20 && expected_len <= INT_MAX) /* some files don't add index entries to chunk size... */ len = expected_len; else if (len != expected_len) av_log(s, AV_LOG_WARNING, - "Index size %d (%d pkts) is wrong, should be %d.\n", + "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); - len -= 14; // we already read part of the index header - if(len<0) + if(len < 14) continue; + len -= 14; // we already read part of the index header goto skip; } else if (state == MKBETAG('D','A','T','A')) { av_log(s, AV_LOG_WARNING, 
@@ -1008,8 +1016,8 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) { RMDemuxContext *rm = s->priv_data; AVStream *st = NULL; // init to silence compiler warning - int i, len, res, seq = 1; - int64_t timestamp, pos; + int i, res, seq = 1; + int64_t timestamp, pos, len; int flags; for (;;) { @@ -1028,7 +1036,9 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) ast = st->priv_data; timestamp = AV_NOPTS_VALUE; len = !ast->audio_framesize ? RAW_PACKET_SIZE : - ast->coded_framesize * ast->sub_packet_h / 2; + ast->coded_framesize * (int64_t)ast->sub_packet_h / 2; + if (len > INT_MAX) + return AVERROR_INVALIDDATA; flags = (seq++ == 1) ? 2 : 0; pos = avio_tell(s->pb); } else { diff --git a/lib/ffmpeg/libavformat/rpl.c b/lib/ffmpeg/libavformat/rpl.c index 04cb917ae..635cd6782 100644 --- a/lib/ffmpeg/libavformat/rpl.c +++ b/lib/ffmpeg/libavformat/rpl.c @@ -103,7 +103,7 @@ static AVRational read_fps(const char* line, int* error) // Truncate any numerator too large to fit into an int64_t if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) break; - num = 10 * num + *line - '0'; + num = 10 * num + (*line - '0'); den *= 10; } if (!num) @@ -230,6 +230,9 @@ static int rpl_read_header(AVFormatContext *s) error |= read_line(pb, line, sizeof(line)); } + if (s->nb_streams == 0) + return AVERROR_INVALIDDATA; + rpl->frames_per_chunk = read_line_and_int(pb, &error); // video frames per chunk if (rpl->frames_per_chunk > 1 && vst->codec->codec_tag != 124) av_log(s, AV_LOG_WARNING, @@ -304,7 +307,7 @@ static int rpl_read_packet(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 4); /* flags */ frame_size = avio_rl32(pb); - if (avio_seek(pb, -8, SEEK_CUR) < 0) + if (avio_feof(pb) || avio_seek(pb, -8, SEEK_CUR) < 0 || !frame_size) return AVERROR(EIO); ret = av_get_packet(pb, pkt, frame_size); diff --git a/lib/ffmpeg/libavformat/rtsp.c b/lib/ffmpeg/libavformat/rtsp.c index 3522783fc..05b026a30 100644 --- a/lib/ffmpeg/libavformat/rtsp.c 
+++ b/lib/ffmpeg/libavformat/rtsp.c @@ -439,7 +439,10 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1, } else if (!strcmp(st_type, "text")) { codec_type = AVMEDIA_TYPE_SUBTITLE; } - if (codec_type == AVMEDIA_TYPE_UNKNOWN || !(rt->media_type_mask & (1 << codec_type))) { + if (codec_type == AVMEDIA_TYPE_UNKNOWN || + !(rt->media_type_mask & (1 << codec_type)) || + rt->nb_rtsp_streams >= s->max_streams + ) { s1->skip_media = 1; return; } @@ -1643,7 +1646,7 @@ int ff_rtsp_connect(AVFormatContext *s) char tcpname[1024], cmd[2048], auth[128]; const char *lower_rtsp_proto = "tcp"; int port, err, tcp_fd; - RTSPMessageHeader reply1 = {0}, *reply = &reply1; + RTSPMessageHeader reply1, *reply = &reply1; int lower_transport_mask = 0; int default_port = RTSP_DEFAULT_PORT; char real_challenge[64] = ""; @@ -1672,6 +1675,7 @@ int ff_rtsp_connect(AVFormatContext *s) rt->lower_transport_mask &= (1 << RTSP_LOWER_TRANSPORT_NB) - 1; redirect: + memset(&reply1, 0, sizeof(reply1)); /* extract hostname and port */ av_url_split(proto, sizeof(proto), auth, sizeof(auth), host, sizeof(host), &port, path, sizeof(path), s->filename); diff --git a/lib/ffmpeg/libavformat/samidec.c b/lib/ffmpeg/libavformat/samidec.c index 948e1ed8b..c4ecbac3e 100644 --- a/lib/ffmpeg/libavformat/samidec.c +++ b/lib/ffmpeg/libavformat/samidec.c @@ -89,6 +89,11 @@ static int sami_read_header(AVFormatContext *s) const char *p = ff_smil_get_attr_ptr(buf.str, "Start"); sub->pos = pos; sub->pts = p ? strtol(p, NULL, 10) : 0; + if (sub->pts <= INT64_MIN/2 || sub->pts >= INT64_MAX/2) { + res = AVERROR_PATCHWELCOME; + goto end; + } + sub->duration = -1; } } diff --git a/lib/ffmpeg/libavformat/sbgdec.c b/lib/ffmpeg/libavformat/sbgdec.c index 659dfc81f..afd89e6a9 100644 --- a/lib/ffmpeg/libavformat/sbgdec.c +++ b/lib/ffmpeg/libavformat/sbgdec.c 
@@ -181,6 +181,7 @@ static int str_to_time(const char *str, int64_t *rtime) char *end; int hours, minutes; double seconds = 0; + int64_t ts = 0; if (*cur < '0' || *cur > '9') return 0; @@ -196,8 +197,9 @@ static int str_to_time(const char *str, int64_t *rtime) seconds = strtod(cur + 1, &end); if (end > cur + 1) cur = end; + ts = av_clipd(seconds * AV_TIME_BASE, INT64_MIN/2, INT64_MAX/2); } - *rtime = (hours * 3600 + minutes * 60 + seconds) * AV_TIME_BASE; + *rtime = (hours * 3600LL + minutes * 60LL) * AV_TIME_BASE + ts; return cur - str; } @@ -1279,6 +1281,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, ev1 = &s->events[i]; ev2 = &s->events[(i + 1) % s->nb_events]; ev1->ts_int = ev1->ts; + + if (!ev1->fade.slide && ev1 >= ev2 && ev2->ts > INT64_MAX - period) + return AVERROR_INVALIDDATA; + ev1->ts_trans = ev1->fade.slide ? ev1->ts : ev2->ts + (ev1 < ev2 ? 0 : period); } @@ -1411,6 +1417,11 @@ static av_cold int sbg_read_header(AVFormatContext *avf) if (r < 0) goto fail; + if (script.end_ts != AV_NOPTS_VALUE && script.end_ts < script.start_ts) { + r = AVERROR_INVALIDDATA; + goto fail; + } + st = avformat_new_stream(avf, NULL); if (!st) return AVERROR(ENOMEM); diff --git a/lib/ffmpeg/libavformat/segafilm.c b/lib/ffmpeg/libavformat/segafilm.c index 44fa683a7..cec384918 100644 --- a/lib/ffmpeg/libavformat/segafilm.c +++ b/lib/ffmpeg/libavformat/segafilm.c @@ -143,6 +143,9 @@ static int film_read_header(AVFormatContext *s) film->video_type = AV_CODEC_ID_NONE; } + if (!film->video_type && !film->audio_type) + return AVERROR_INVALIDDATA; + /* initialize the decoder streams */ if (film->video_type) { st = avformat_new_stream(s, NULL); diff --git a/lib/ffmpeg/libavformat/siff.c b/lib/ffmpeg/libavformat/siff.c index b6ea39059..40eed8d70 100644 --- a/lib/ffmpeg/libavformat/siff.c +++ b/lib/ffmpeg/libavformat/siff.c 
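Review bot: In str_to_time the new `*rtime = (hours * 3600LL + minutes * 60LL) * AV_TIME_BASE + ts;` still has no bound on `hours`/`minutes`; with an `int` hours near INT_MAX the product with AV_TIME_BASE exceeds INT64_MAX by itself, and the headroom that clamping `ts` to INT64_MAX/2 leaves is used up once hours passes roughly 1.28e9, so signed overflow remains reachable from a crafted timestamp unless the strtol parsing above the hunk (not visible) limits them. A range check before the multiplication, such as rejecting magnitudes above INT32_MAX / 3600 for hours and INT32_MAX / 60 for minutes with `return 0;`, would close it. A short comment on the clamp, `/* keep ts within INT64_MAX/2 so the hours/minutes part cannot push the sum past INT64_MAX */`, would also state the invariant the two lines rely on.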
@@ -200,6 +200,8 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->curstrm == -1) { c->pktsize = avio_rl32(s->pb) - 4; c->flags = avio_rl16(s->pb); + if (c->flags & VB_HAS_AUDIO && !c->has_audio) + return AVERROR_INVALIDDATA; c->gmcsize = (c->flags & VB_HAS_GMC) ? 4 : 0; if (c->gmcsize) avio_read(s->pb, c->gmc, c->gmcsize); diff --git a/lib/ffmpeg/libavformat/smjpegdec.c b/lib/ffmpeg/libavformat/smjpegdec.c index 99ca2ff8c..cf8d6e722 100644 --- a/lib/ffmpeg/libavformat/smjpegdec.c +++ b/lib/ffmpeg/libavformat/smjpegdec.c @@ -51,6 +51,9 @@ static int smjpeg_read_header(AVFormatContext *s) uint32_t version, htype, hlength, duration; char *comment; + sc->audio_stream_index = + sc->video_stream_index = -1; + avio_skip(pb, 8); // magic version = avio_rb32(pb); if (version) @@ -147,6 +150,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) dtype = avio_rl32(s->pb); switch (dtype) { case SMJPEG_SNDD: + if (sc->audio_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); @@ -155,6 +160,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->pos = pos; break; case SMJPEG_VIDD: + if (sc->video_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); diff --git a/lib/ffmpeg/libavformat/subtitles.c b/lib/ffmpeg/libavformat/subtitles.c index 5bdbc8dc5..d1a495cbd 100644 --- a/lib/ffmpeg/libavformat/subtitles.c +++ b/lib/ffmpeg/libavformat/subtitles.c @@ -170,6 +170,9 @@ void ff_subtitles_queue_finalize(FFDemuxSubtitlesQueue *q) { int i; + if (!q->nb_subs) + return; + qsort(q->subs, q->nb_subs, sizeof(*q->subs), q->sort == SUB_SORT_TS_POS ? cmp_pkt_sub_ts_pos : cmp_pkt_sub_pos_ts); diff --git a/lib/ffmpeg/libavformat/subviewerdec.c b/lib/ffmpeg/libavformat/subviewerdec.c index f1b0fdf0a..d5dd1aafa 100644 --- a/lib/ffmpeg/libavformat/subviewerdec.c 
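Review bot: The new condition `c->flags & VB_HAS_AUDIO && !c->has_audio` in siff_read_packet relies on `&` binding tighter than `&&`; it evaluates as intended, but gcc and clang warn about it under -Wparentheses and the surrounding code parenthesises the same mask test (`(c->flags & VB_HAS_GMC)`). Writing `if ((c->flags & VB_HAS_AUDIO) && !c->has_audio)` keeps the check consistent and silences the warning. A brief comment, `/* a frame claiming audio in a file that set up no audio stream would be routed to a missing stream */`, would record why this is INVALIDDATA rather than something to ignore; the remainder of the frame parsing runs outside the hunk.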
+++ b/lib/ffmpeg/libavformat/subviewerdec.c @@ -132,6 +132,10 @@ static int subviewer_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); } else if (*line) { + if (pts_start == AV_NOPTS_VALUE) { + res = AVERROR_INVALIDDATA; + goto end; + } if (!new_event) { sub = ff_subtitles_queue_insert(&subviewer->q, "\n", 1, 1); if (!sub) { diff --git a/lib/ffmpeg/libavformat/tcp.c b/lib/ffmpeg/libavformat/tcp.c index da7ef1edf..bee349ecd 100644 --- a/lib/ffmpeg/libavformat/tcp.c +++ b/lib/ffmpeg/libavformat/tcp.c @@ -69,8 +69,6 @@ static int tcp_open(URLContext *h, const char *uri, int flags) int ret; char hostname[1024],proto[1024],path[1024]; char portstr[10]; - size_t len; - char *c; s->open_timeout = 5000000; av_url_split(proto, sizeof(proto), NULL, 0, hostname, sizeof(hostname), @@ -106,17 +104,6 @@ static int tcp_open(URLContext *h, const char *uri, int flags) snprintf(portstr, sizeof(portstr), "%d", port); if (s->listen) hints.ai_flags |= AI_PASSIVE; - len = strlen(hostname); - if (len > 12 && !strcmp(hostname + len - 12, ".plex.direct")) { - for (c = hostname; *c; c++) { - if (*c == '-') { - *c = '.'; - } else if (*c == '.') { - *c = '\0'; - break; - } - } - } if (!hostname[0]) ret = getaddrinfo(NULL, portstr, &hints, &ai); else diff --git a/lib/ffmpeg/libavformat/tedcaptionsdec.c b/lib/ffmpeg/libavformat/tedcaptionsdec.c index d6020d9e3..3a3b23863 100644 --- a/lib/ffmpeg/libavformat/tedcaptionsdec.c +++ b/lib/ffmpeg/libavformat/tedcaptionsdec.c @@ -181,6 +181,8 @@ static int parse_int(AVIOContext *pb, int *cur_byte, int64_t *result) if ((unsigned)*cur_byte - '0' > 9) return AVERROR_INVALIDDATA; while (BETWEEN(*cur_byte, '0', '9')) { + if (val > INT_MAX/10 - (*cur_byte - '0')) + return AVERROR_INVALIDDATA; val = val * 10 + (*cur_byte - '0'); next_byte(pb, cur_byte); } diff --git a/lib/ffmpeg/libavformat/thp.c b/lib/ffmpeg/libavformat/thp.c index 727fb5095..efe88b6f4 100644 --- a/lib/ffmpeg/libavformat/thp.c +++ b/lib/ffmpeg/libavformat/thp.c 
@@ -75,6 +75,8 @@ static int thp_read_header(AVFormatContext *s) avio_rb32(pb); /* Max samples. */ thp->fps = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX); + if (thp->fps.den <= 0 || thp->fps.num < 0) + return AVERROR_INVALIDDATA; thp->framecnt = avio_rb32(pb); thp->first_framesz = avio_rb32(pb); pb->maxsize = avio_rb32(pb); @@ -93,6 +95,9 @@ static int thp_read_header(AVFormatContext *s) avio_seek (pb, thp->compoff, SEEK_SET); thp->compcount = avio_rb32(pb); + if (thp->compcount > FF_ARRAY_ELEMS(thp->components)) + return AVERROR_INVALIDDATA; + /* Read the list of component types. */ avio_read(pb, thp->components, 16); @@ -143,6 +148,9 @@ static int thp_read_header(AVFormatContext *s) } } + if (!thp->vst) + return AVERROR_INVALIDDATA; + return 0; } diff --git a/lib/ffmpeg/libavformat/tls_openssl.c b/lib/ffmpeg/libavformat/tls_openssl.c index 38d42fbd8..636d4ee91 100644 --- a/lib/ffmpeg/libavformat/tls_openssl.c +++ b/lib/ffmpeg/libavformat/tls_openssl.c @@ -208,13 +208,12 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0) goto fail; - p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method()); + p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method()); if (!p->ctx) { av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); ret = AVERROR(EIO); goto fail; } - SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); if (c->ca_file) { if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL)) av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL)); diff --git a/lib/ffmpeg/libavformat/tta.c b/lib/ffmpeg/libavformat/tta.c index 7566939d4..21c098461 100644 --- a/lib/ffmpeg/libavformat/tta.c +++ b/lib/ffmpeg/libavformat/tta.c 
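Review bot: The new side of tls_open builds the context with `TLSv1_server_method()` / `TLSv1_client_method()`, which in OpenSSL are version-locked to TLS 1.0 only, so the context no longer negotiates TLS 1.1 or 1.2 and will fail against peers that require a newer version, while TLS 1.0 itself is deprecated (RFC 8996); dropping the `SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` line is consistent with that lock but also removes the only explicit floor. Keeping the version-flexible method together with the option line, `p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());` followed by `SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, negotiates the highest TLS version both sides support, and on OpenSSL 1.1.0 or newer `TLS_server_method()` / `TLS_client_method()` with `SSL_CTX_set_min_proto_version()` expresses the same intent without the deprecated calls. If a TLS 1.0-only build is deliberate, a comment stating the reason next to the `SSL_CTX_new` call would keep the next reader from treating it as an oversight.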
@@ -124,7 +124,9 @@ static int tta_read_header(AVFormatContext *s) for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; - if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0, + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; + if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, size, 0, AVINDEX_KEYFRAME)) < 0) return r; framepos += size; diff --git a/lib/ffmpeg/libavformat/utils.c b/lib/ffmpeg/libavformat/utils.c index 8873ae0c5..a737f2a4b 100644 --- a/lib/ffmpeg/libavformat/utils.c +++ b/lib/ffmpeg/libavformat/utils.c @@ -181,13 +181,16 @@ int av_format_get_probe_score(const AVFormatContext *s) int ffio_limit(AVIOContext *s, int size) { if (s->maxsize>= 0) { - int64_t remaining= s->maxsize - avio_tell(s); + int64_t pos = avio_tell(s); + int64_t remaining= s->maxsize - pos; if (remaining < size) { int64_t newsize = avio_size(s); if (!s->maxsize || s->maxsizemaxsize = newsize - !newsize; - remaining= s->maxsize - avio_tell(s); - remaining= FFMAX(remaining, 0); + if (pos > s->maxsize && s->maxsize >= 0) + s->maxsize = AVERROR(EIO); + if (s->maxsize >= 0) + remaining = s->maxsize - pos; } if (s->maxsize>= 0 && remaining+1 < size) { @@ -894,6 +897,8 @@ static void update_initial_timestamps(AVFormatContext *s, int stream_index, if (st->first_dts != AV_NOPTS_VALUE || dts == AV_NOPTS_VALUE || st->cur_dts == AV_NOPTS_VALUE || + st->cur_dts < INT_MIN + RELATIVE_TS_BASE || + dts < INT_MIN + (st->cur_dts - RELATIVE_TS_BASE) || is_relative(dts)) return; 
@@ -1040,7 +1045,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, presentation_delayed = 1; if (pkt->pts != AV_NOPTS_VALUE && pkt->dts != AV_NOPTS_VALUE && - st->pts_wrap_bits < 63 && + st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << st->pts_wrap_bits) && pkt->dts - (1LL << (st->pts_wrap_bits - 1)) > pkt->pts) { if (is_relative(st->cur_dts) || pkt->dts - (1LL<<(st->pts_wrap_bits - 1)) > st->cur_dts) { pkt->dts -= 1LL << st->pts_wrap_bits; @@ -1113,7 +1118,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, /* This is tricky: the dts must be incremented by the duration * of the frame we are displaying, i.e. the last I- or P-frame. */ - if (st->last_IP_duration == 0) + if (st->last_IP_duration == 0 && (uint64_t)pkt->duration <= INT32_MAX) st->last_IP_duration = pkt->duration; if (pkt->dts != AV_NOPTS_VALUE) st->cur_dts = pkt->dts + st->last_IP_duration; @@ -1125,7 +1130,8 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, next_pts != AV_NOPTS_VALUE) pkt->pts = next_dts; - st->last_IP_duration = pkt->duration; + if ((uint64_t)pkt->duration <= INT32_MAX) + st->last_IP_duration = pkt->duration; st->last_IP_pts = pkt->pts; /* Cannot compute PTS if not present (we can compute it only * by knowing the future. */ @@ -1330,8 +1336,6 @@ static int read_frame_internal(AVFormatContext *s, AVPacket *pkt) if (ret < 0) { if (ret == AVERROR(EAGAIN)) return ret; - if (ret == AVERROR(EIO)) - return ret; /* flush the parsers */ for (i = 0; i < s->nb_streams; i++) { st = s->streams[i]; 
@@ -1503,10 +1507,10 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; - av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; + av_assert2(wrap_bits <= 64); while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { @@ -1796,6 +1800,8 @@ void ff_configure_buffers_for_index(AVFormatContext *s, int64_t time_tolerance) //We could use URLProtocol flags here but as many user applications do not use URLProtocols this would be unreliable const char *proto = avio_find_protocol_name(s->filename); + av_assert0(time_tolerance >= 0); + if (!proto) { av_log(s, AV_LOG_INFO, "Protocol name not provided, cannot determine if input is local or " @@ -1823,7 +1829,7 @@ void ff_configure_buffers_for_index(AVFormatContext *s, int64_t time_tolerance) for (; i2 < st2->nb_index_entries; i2++) { AVIndexEntry *e2 = &st2->index_entries[i2]; int64_t e2_pts = av_rescale_q(e2->timestamp, st2->time_base, AV_TIME_BASE_Q); - if (e2_pts - e1_pts < time_tolerance) + if (e2_pts < e1_pts || e2_pts - (uint64_t)e1_pts < time_tolerance) continue; pos_delta = FFMAX(pos_delta, e1->pos - e2->pos); break; @@ -2444,7 +2450,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) st = ic->streams[i]; if ( st->time_base.num <= INT64_MAX / ic->bit_rate && st->duration == AV_NOPTS_VALUE) { - duration = av_rescale(8 * filesize, st->time_base.den, + duration = av_rescale(filesize, 8LL * st->time_base.den, ic->bit_rate * (int64_t) st->time_base.num); st->duration = duration; 
@@ -2461,41 +2467,6 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) #define DURATION_MAX_READ_SIZE 250000LL #define DURATION_MAX_RETRY 6 -static void av_estimate_timings_from_pts2(AVFormatContext *ic, int64_t old_offset) -{ - AVStream *st; - int i, step= 1024; - int64_t ts, pos; - - for(i=0;inb_streams;i++) { - st = ic->streams[i]; - - pos = 0; - ts = ic->iformat->read_timestamp(ic, i, &pos, DURATION_MAX_READ_SIZE); - if (ts == AV_NOPTS_VALUE) - continue; - if (st->start_time > ts || st->start_time == AV_NOPTS_VALUE) - st->start_time = ts; - - pos = avio_size(ic->pb) - 1; - do { - pos -= step; - ts = ic->iformat->read_timestamp(ic, i, &pos, pos + step); - step += step; - } while (ts == AV_NOPTS_VALUE && pos >= step && step < DURATION_MAX_READ_SIZE); - - if (ts == AV_NOPTS_VALUE) - continue; - - if (st->duration < ts - st->start_time || st->duration == AV_NOPTS_VALUE) - st->duration = ts - st->start_time; - } - - fill_all_stream_timings(ic); - - avio_seek(ic->pb, old_offset, SEEK_SET); -} - /* only usable for MPEG-PS streams */ static void estimate_timings_from_pts(AVFormatContext *ic, int64_t old_offset) { @@ -2646,10 +2617,6 @@ static void estimate_timings(AVFormatContext *ic, int64_t old_offset) * the components */ fill_all_stream_timings(ic); ic->duration_estimation_method = AVFMT_DURATION_FROM_STREAM; - } else if (ic->iformat->read_timestamp && - file_size && ic->pb->seekable) { - /* get accurate estimate from the PTSes */ - av_estimate_timings_from_pts2(ic, old_offset); } else { /* less precise: use bitrate info */ estimate_timings_from_bit_rate(ic); @@ -3041,8 +3008,10 @@ int ff_rfps_add_frame(AVFormatContext *ic, AVStream *st, int64_t ts) } } } - st->info->duration_count++; - st->info->rfps_duration_sum += duration; + if (st->info->rfps_duration_sum <= INT64_MAX - duration) { + st->info->duration_count++; + st->info->rfps_duration_sum += duration; + } if (st->info->duration_count % 10 == 0) { int n = st->info->duration_count; 
@@ -3366,8 +3335,8 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) * sequence, we treat it as a discontinuity. */ if (st->info->fps_last_dts != AV_NOPTS_VALUE && st->info->fps_last_dts_idx > st->info->fps_first_dts_idx && - (pkt->dts - st->info->fps_last_dts) / 1000 > - (st->info->fps_last_dts - st->info->fps_first_dts) / + (pkt->dts - (uint64_t)st->info->fps_last_dts) / 1000 > + (st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) / (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) { av_log(ic, AV_LOG_WARNING, "DTS discontinuity in stream %d: packet %d with DTS " @@ -3971,8 +3940,11 @@ int av_get_frame_filename(char *buf, int buf_size, const char *path, int number) if (c == '%') { do { nd = 0; - while (av_isdigit(*p)) + while (av_isdigit(*p)) { + if (nd >= INT_MAX / 10 - 255) + goto fail; nd = nd * 10 + *p++ - '0'; + } c = *p++; } while (av_isdigit(c)); diff --git a/lib/ffmpeg/libavformat/vqf.c b/lib/ffmpeg/libavformat/vqf.c index 29c726dae..af9c1e754 100644 --- a/lib/ffmpeg/libavformat/vqf.c +++ b/lib/ffmpeg/libavformat/vqf.c @@ -129,6 +129,9 @@ static int vqf_read_header(AVFormatContext *s) switch(chunk_tag){ case MKTAG('C','O','M','M'): + if (len < 12) + return AVERROR_INVALIDDATA; + avio_read(s->pb, comm_chunk, 12); st->codec->channels = AV_RB32(comm_chunk ) + 1; read_bitrate = AV_RB32(comm_chunk + 4); diff --git a/lib/ffmpeg/libavformat/wavdec.c b/lib/ffmpeg/libavformat/wavdec.c index 443a79c74..44ad00f05 100644 --- a/lib/ffmpeg/libavformat/wavdec.c +++ b/lib/ffmpeg/libavformat/wavdec.c @@ -152,9 +152,9 @@ static inline int wav_parse_bext_string(AVFormatContext *s, const char *key, char temp[257]; int ret; - av_assert0(length <= sizeof(temp)); - if ((ret = avio_read(s->pb, temp, length)) < 0) - return ret; + av_assert0(length < sizeof(temp)); + if ((ret = avio_read(s->pb, temp, length)) != length) + return ret < 0 ? ret : AVERROR_INVALIDDATA; temp[length] = 0; 
@@ -223,8 +223,10 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size) if (!(coding_history = av_malloc(size + 1))) return AVERROR(ENOMEM); - if ((ret = avio_read(s->pb, coding_history, size)) < 0) - return ret; + if ((ret = avio_read(s->pb, coding_history, size)) != size) { + av_free(coding_history); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } coding_history[size] = 0; if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history, @@ -390,6 +392,8 @@ static int wav_read_header(AVFormatContext *s) wav->smv_data_ofs = avio_tell(pb) + (size - 5) * 3; avio_rl24(pb); wav->smv_block_size = avio_rl24(pb); + if (!wav->smv_block_size) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(vst, 32, 1, avio_rl24(pb)); vst->duration = avio_rl24(pb); avio_rl24(pb); @@ -486,7 +490,7 @@ static int64_t find_guid(AVIOContext *pb, const uint8_t guid1[16]) while (!avio_feof(pb)) { avio_read(pb, guid, 16); size = avio_rl64(pb); - if (size <= 24) + if (size <= 24 || size > INT64_MAX - 8) return AVERROR_INVALIDDATA; if (!memcmp(guid, guid1, 16)) return size; @@ -538,7 +542,7 @@ static int wav_read_packet(AVFormatContext *s, AVPacket *pkt) if (wav->smv_last_stream) { uint64_t old_pos = avio_tell(s->pb); uint64_t new_pos = wav->smv_data_ofs + - wav->smv_block * wav->smv_block_size; + wav->smv_block * (int64_t)wav->smv_block_size; if (avio_seek(s->pb, new_pos, SEEK_SET) < 0) { ret = AVERROR_EOF; goto smv_out; @@ -733,6 +737,7 @@ static int w64_read_header(AVFormatContext *s) } else if (!memcmp(guid, ff_w64_guid_summarylist, 16)) { int64_t start, end, cur; uint32_t count, chunk_size, i; + int64_t filesize = avio_size(s->pb); start = avio_tell(pb); end = start + FFALIGN(size, INT64_C(8)) - 24; 
@@ -747,7 +752,7 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); - if (chunk_size == UINT32_MAX) + if (chunk_size == UINT32_MAX || (filesize >= 0 && chunk_size > filesize)) return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); @@ -755,6 +760,10 @@ static int w64_read_header(AVFormatContext *s) return AVERROR(ENOMEM); ret = avio_get_str16le(pb, chunk_size, value, chunk_size); + if (ret < 0) { + av_free(value); + return ret; + } avio_skip(pb, chunk_size - ret); av_dict_set(&s->metadata, chunk_key, value, AV_DICT_DONT_STRDUP_VAL); diff --git a/lib/ffmpeg/libavformat/wc3movie.c b/lib/ffmpeg/libavformat/wc3movie.c index 7bd09e3f1..0e08a541d 100644 --- a/lib/ffmpeg/libavformat/wc3movie.c +++ b/lib/ffmpeg/libavformat/wc3movie.c @@ -73,6 +73,16 @@ typedef struct Wc3DemuxContext { } Wc3DemuxContext; +static int wc3_read_close(AVFormatContext *s) +{ + Wc3DemuxContext *wc3 = s->priv_data; + + if (wc3->vpkt.size > 0) + av_free_packet(&wc3->vpkt); + + return 0; +} + static int wc3_probe(AVProbeData *p) { if (p->buf_size < 12) @@ -290,16 +300,6 @@ static int wc3_read_packet(AVFormatContext *s, return ret; } -static int wc3_read_close(AVFormatContext *s) -{ - Wc3DemuxContext *wc3 = s->priv_data; - - if (wc3->vpkt.size > 0) - av_free_packet(&wc3->vpkt); - - return 0; -} - AVInputFormat ff_wc3_demuxer = { .name = "wc3movie", .long_name = NULL_IF_CONFIG_SMALL("Wing Commander III movie"), diff --git a/lib/ffmpeg/libavformat/webm_chunk.c b/lib/ffmpeg/libavformat/webm_chunk.c index 3dfef4bb0..67db01e19 100644 --- a/lib/ffmpeg/libavformat/webm_chunk.c +++ b/lib/ffmpeg/libavformat/webm_chunk.c 
@@ -82,7 +82,7 @@ static int chunk_mux_init(AVFormatContext *s) return 0; } -static int get_chunk_filename(AVFormatContext *s, int is_header, char *filename) +static int get_chunk_filename(AVFormatContext *s, int is_header, char filename[MAX_FILENAME_SIZE]) { WebMChunkContext *wc = s->priv_data; AVFormatContext *oc = wc->avf; @@ -90,10 +90,15 @@ static int get_chunk_filename(AVFormatContext *s, int is_header, char *filename) return AVERROR(EINVAL); } if (is_header) { + int len; if (!wc->header_filename) { return AVERROR(EINVAL); } - av_strlcpy(filename, wc->header_filename, strlen(wc->header_filename) + 1); + len = av_strlcpy(filename, wc->header_filename, MAX_FILENAME_SIZE); + if (len >= MAX_FILENAME_SIZE) { + av_log(oc, AV_LOG_ERROR, "Header filename too long\n"); + return AVERROR(EINVAL); + } } else { if (av_get_frame_filename(filename, MAX_FILENAME_SIZE, s->filename, wc->chunk_index - 1) < 0) { diff --git a/lib/ffmpeg/libavformat/webmdashenc.c b/lib/ffmpeg/libavformat/webmdashenc.c index 7c7156b35..9832e68a9 100644 --- a/lib/ffmpeg/libavformat/webmdashenc.c +++ b/lib/ffmpeg/libavformat/webmdashenc.c @@ -439,6 +439,7 @@ static int parse_adaptation_sets(AVFormatContext *s) continue; else if (state == new_set && !strncmp(p, "id=", 3)) { void *mem = av_realloc(w->as, sizeof(*w->as) * (w->nb_as + 1)); + const char *comma; if (mem == NULL) return AVERROR(ENOMEM); w->as = mem; @@ -447,6 +448,11 @@ static int parse_adaptation_sets(AVFormatContext *s) w->as[w->nb_as - 1].streams = NULL; p += 3; // consume "id=" q = w->as[w->nb_as - 1].id; + comma = strchr(p, ','); + if (!comma || comma - p >= sizeof(w->as[w->nb_as - 1].id)) { + av_log(s, AV_LOG_ERROR, "'id' in 'adaptation_sets' is malformed.\n"); + return AVERROR(EINVAL); + } while (*p != ',') *q++ = *p++; *q = 0; p++; diff --git a/lib/ffmpeg/libavformat/wtvdec.c b/lib/ffmpeg/libavformat/wtvdec.c index b329b7cc0..fcce54f03 100644 --- a/lib/ffmpeg/libavformat/wtvdec.c +++ b/lib/ffmpeg/libavformat/wtvdec.c 
@@ -151,7 +151,7 @@ static int read_ints(AVIOContext *pb, uint32_t *data, int count) * @param depth File allocation table depth * @return NULL on error */ -static AVIOContext * wtvfile_open_sector(int first_sector, uint64_t length, int depth, AVFormatContext *s) +static AVIOContext * wtvfile_open_sector(unsigned first_sector, uint64_t length, int depth, AVFormatContext *s) { AVIOContext *pb; WtvFile *wf; @@ -276,6 +276,11 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b "bad filename length, remaining directory entries ignored\n"); break; } + if (dir_length == 0) { + av_log(s, AV_LOG_ERROR, + "bad dir length, remaining directory entries ignored\n"); + break; + } if (48 + (int64_t)name_size > buf_end - buf) { av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); break; @@ -660,6 +665,8 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid, avio_skip(pb, size - 32); ff_get_guid(pb, &actual_subtype); ff_get_guid(pb, &actual_formattype); + if (avio_feof(pb)) + return NULL; avio_seek(pb, -size, SEEK_CUR); st = parse_media_type(s, st, sid, mediatype, actual_subtype, actual_formattype, size - 32); @@ -794,7 +801,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p ff_get_guid(pb, &g); len = avio_rl32(pb); - if (len < 32) { + if (len < 32 || len > INT_MAX - 7) { int ret; if (avio_feof(pb)) return AVERROR_EOF; @@ -817,6 +824,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 92 - consumed) + return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size; } 
@@ -831,6 +840,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 76 - consumed) + return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size; } @@ -961,7 +972,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p static int read_header(AVFormatContext *s) { WtvContext *wtv = s->priv_data; - int root_sector, root_size; + unsigned root_sector; + int root_size; uint8_t root[WTV_SECTOR_SIZE]; AVIOContext *pb; int64_t timeline_pos; @@ -1028,23 +1040,21 @@ static int read_header(AVFormatContext *s) pb = wtvfile_open(s, root, root_size, ff_timeline_table_0_entries_Events_le16); if (pb) { int i; - AVIndexEntry *e = wtv->index_entries; - AVIndexEntry *e_end = wtv->index_entries + wtv->nb_index_entries - 1; - uint64_t last_position = 0; while (1) { uint64_t frame_nb = avio_rl64(pb); uint64_t position = avio_rl64(pb); - while (frame_nb > e->size && e <= e_end) { - e->pos = last_position; - e++; - } if (avio_feof(pb)) break; - last_position = position; + for (i = wtv->nb_index_entries - 1; i >= 0; i--) { + AVIndexEntry *e = wtv->index_entries + i; + if (frame_nb > e->size) + break; + if (position > e->pos) + e->pos = position; + } } - e_end->pos = last_position; wtvfile_close(pb); - st->duration = e_end->timestamp; + st->duration = wtv->index_entries[wtv->nb_index_entries - 1].timestamp; } } } diff --git a/lib/ffmpeg/libavformat/wvdec.c b/lib/ffmpeg/libavformat/wvdec.c index 96a631fcf..23caa438c 100644 --- a/lib/ffmpeg/libavformat/wvdec.c +++ b/lib/ffmpeg/libavformat/wvdec.c @@ -40,6 +40,7 @@ enum WV_FLAGS { WV_HBAL = 0x0400, WV_MCINIT = 0x0800, WV_MCEND = 0x1000, + WV_DSD = 0x80000000, }; static const int wv_rates[16] = { 
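Review bot: In the rewritten index loop of read_header, `position` is read from the file as a uint64_t and assigned straight to `e->pos`, an int64_t, so a value above INT64_MAX wraps negative and is later used as a file offset; the guard `position > e->pos` also converts `e->pos` to unsigned, so an entry whose pos is already negative can never be corrected. `if (position <= INT64_MAX && (int64_t)position > e->pos) e->pos = position;` keeps the stored value in range. `st->duration = wtv->index_entries[wtv->nb_index_entries - 1].timestamp` indexes element -1 when nb_index_entries is 0 unless a guard sits above the hunk; read_header's body starts and ends outside it.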
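Review bot: `WV_DSD = 0x80000000` does not fit in an int, and C requires an enumeration constant to be representable as int, so this is accepted only as a compiler extension (-pedantic diagnoses it) and makes the enum's underlying type unsigned. Defining it outside the enum, `#define WV_DSD 0x80000000u`, keeps the `wc->header.flags & WV_DSD` test in the following hunk unchanged while staying within the language.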
@@ -97,6 +98,11 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb) return ret; } + if (wc->header.flags & WV_DSD) { + avpriv_report_missing_feature(ctx, "WV DSD"); + return AVERROR_PATCHWELCOME; + } + if (wc->header.version < 0x402 || wc->header.version > 0x410) { av_log(ctx, AV_LOG_ERROR, "Unsupported version %03X\n", wc->header.version); return AVERROR_PATCHWELCOME; diff --git a/lib/ffmpeg/libavformat/xmv.c b/lib/ffmpeg/libavformat/xmv.c index 14d007a3e..bd5962cb9 100644 --- a/lib/ffmpeg/libavformat/xmv.c +++ b/lib/ffmpeg/libavformat/xmv.c @@ -77,7 +77,7 @@ typedef struct XMVAudioPacket { uint16_t channels; ///< Number of channels. uint32_t sample_rate; ///< Sampling rate. uint16_t bits_per_sample; ///< Bits per compressed sample. - uint32_t bit_rate; ///< Bits of compressed data per second. + uint64_t bit_rate; ///< Bits of compressed data per second. uint16_t flags; ///< Flags unsigned block_align; ///< Bytes per compressed block. uint16_t block_samples; ///< Decompressed samples per compressed block. @@ -198,7 +198,7 @@ static int xmv_read_header(AVFormatContext *s) packet->bits_per_sample = avio_rl16(pb); packet->flags = avio_rl16(pb); - packet->bit_rate = packet->bits_per_sample * + packet->bit_rate = (uint64_t)packet->bits_per_sample * packet->sample_rate * packet->channels; packet->block_align = XMV_BLOCK_ALIGN_SIZE * packet->channels; diff --git a/lib/ffmpeg/libavformat/xwma.c b/lib/ffmpeg/libavformat/xwma.c index 9edad7d75..3e62a805a 100644 --- a/lib/ffmpeg/libavformat/xwma.c +++ b/lib/ffmpeg/libavformat/xwma.c @@ -178,6 +178,10 @@ static int xwma_read_header(AVFormatContext *s) } for (i = 0; i < dpds_table_size; ++i) { + if (avio_feof(pb)) { + ret = AVERROR_INVALIDDATA; + goto fail; + } dpds_table[i] = avio_rl32(pb); size -= 4; } diff --git a/lib/ffmpeg/libavutil/avstring.c b/lib/ffmpeg/libavutil/avstring.c index 24d1bb98e..bd44399cd 100644 --- a/lib/ffmpeg/libavutil/avstring.c +++ b/lib/ffmpeg/libavutil/avstring.c 
@@ -222,12 +222,13 @@ int av_strcasecmp(const char *a, const char *b) int av_strncasecmp(const char *a, const char *b, size_t n) { - const char *end = a + n; uint8_t c1, c2; + if (n <= 0) + return 0; do { c1 = av_tolower(*a++); c2 = av_tolower(*b++); - } while (a < end && c1 && c1 == c2); + } while (--n && c1 && c1 == c2); return c1 - c2; } diff --git a/lib/ffmpeg/libavutil/common.h b/lib/ffmpeg/libavutil/common.h index 81f5fedf2..ed2710681 100644 --- a/lib/ffmpeg/libavutil/common.h +++ b/lib/ffmpeg/libavutil/common.h @@ -232,7 +232,7 @@ static av_always_inline av_const int av_clip_intp2_c(int a, int p) */ static av_always_inline av_const unsigned av_clip_uintp2_c(int a, int p) { - if (a & ~((1<> 31 & ((1<> 31 & ((1<param[0]); double d2 = eval_expr(p, e->param[1]); switch (e->type) { - case e_mod: return e->value * (d - floor((!CONFIG_FTRAPV || d2) ? d / d2 : d * INFINITY) * d2); + case e_mod: return e->value * (d - floor(d2 ? d / d2 : d * INFINITY) * d2); case e_gcd: return e->value * av_gcd(d,d2); case e_max: return e->value * (d > d2 ? d : d2); case e_min: return e->value * (d < d2 ? d : d2); diff --git a/lib/ffmpeg/libavutil/fixed_dsp.c b/lib/ffmpeg/libavutil/fixed_dsp.c index c2f270d45..b4c168177 100644 --- a/lib/ffmpeg/libavutil/fixed_dsp.c +++ b/lib/ffmpeg/libavutil/fixed_dsp.c @@ -134,9 +134,10 @@ static int scalarproduct_fixed_c(const int *v1, const int *v2, int len) return (int)(p >> 31); } -static void butterflies_fixed_c(int *v1, int *v2, int len) +static void butterflies_fixed_c(int *v1s, int *v2, int len) { int i; + unsigned int *v1 = v1s; for (i = 0; i < len; i++){ int t = v1[i] - v2[i]; diff --git a/lib/ffmpeg/libavutil/integer.c b/lib/ffmpeg/libavutil/integer.c index 6d6855fa1..ba4aa778c 100644 --- a/lib/ffmpeg/libavutil/integer.c +++ b/lib/ffmpeg/libavutil/integer.c 
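Review bot: `n` is a size_t, so `if (n <= 0)` in av_strncasecmp is a comparison of an unsigned value against zero whose `<` half can never hold, which compilers flag; `if (!n) return 0;` states the intent. The rewritten loop `while (--n && c1 && c1 == c2)` depends on that early return, since with n == 0 the pre-decrement would wrap to SIZE_MAX and the loop would run off both strings, so a comment such as `/* n == 0 is rejected above, so --n cannot wrap */` would stop someone removing the guard later.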
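Review bot: `unsigned int *v1 = v1s;` in butterflies_fixed_c assigns an `int *` to an `unsigned int *` without a cast; the pointee types are not compatible in C, so this is a constraint violation that gcc reports as a pointer-sign warning and that -pedantic-errors diagnoses as an error. Write `unsigned int *v1 = (unsigned int *)v1s; /* unsigned view so the add/sub below wraps instead of overflowing */` so both the cast and its reason are explicit; the loop body that uses v1 is outside the hunk.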
@@ -74,7 +74,7 @@ AVInteger av_mul_i(AVInteger a, AVInteger b){ if(a.v[i]) for(j=i; j>16) + out.v[j] + a.v[i]*b.v[j-i]; + carry= (carry>>16) + out.v[j] + a.v[i]*(unsigned)b.v[j-i]; out.v[j]= carry; } } diff --git a/lib/ffmpeg/libavutil/internal.h b/lib/ffmpeg/libavutil/internal.h index d84b47366..5ff2e4ca5 100644 --- a/lib/ffmpeg/libavutil/internal.h +++ b/lib/ffmpeg/libavutil/internal.h @@ -165,6 +165,8 @@ }\ } +#define FF_PTR_ADD(ptr, off) ((off) ? (ptr) + (off) : (ptr)) + #include "libm.h" /** diff --git a/lib/ffmpeg/libavutil/lfg.h b/lib/ffmpeg/libavutil/lfg.h index ec90562cf..afd6f4ab8 100644 --- a/lib/ffmpeg/libavutil/lfg.h +++ b/lib/ffmpeg/libavutil/lfg.h @@ -36,8 +36,9 @@ void av_lfg_init(AVLFG *c, unsigned int seed); * it may be good enough and faster for your specific use case. */ static inline unsigned int av_lfg_get(AVLFG *c){ - c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; - return c->state[c->index++ & 63]; + unsigned a = c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; + c->index += 1U; + return a; } /** @@ -48,7 +49,9 @@ static inline unsigned int av_lfg_get(AVLFG *c){ static inline unsigned int av_mlfg_get(AVLFG *c){ unsigned int a= c->state[(c->index-55) & 63]; unsigned int b= c->state[(c->index-24) & 63]; - return c->state[c->index++ & 63] = 2*a*b+a+b; + a = c->state[c->index & 63] = 2*a*b+a+b; + c->index += 1U; + return a; } /** diff --git a/lib/ffmpeg/libavutil/mem.c b/lib/ffmpeg/libavutil/mem.c index 323b18311..4a9bb963d 100644 --- a/lib/ffmpeg/libavutil/mem.c +++ b/lib/ffmpeg/libavutil/mem.c @@ -415,6 +415,18 @@ static void fill32(uint8_t *dst, int len) { uint32_t v = AV_RN32(dst - 4); +#if HAVE_FAST_64BIT + uint64_t v2= v + ((uint64_t)v<<32); + while (len >= 32) { + AV_WN64(dst , v2); + AV_WN64(dst+ 8, v2); + AV_WN64(dst+16, v2); + AV_WN64(dst+24, v2); + dst += 32; + len -= 32; + } +#endif + while (len >= 4) { AV_WN32(dst, v); dst += 4; 
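Review bot: `FF_PTR_ADD` is added to internal.h without any comment, and its shape is only understandable if the reader already knows why `(ptr) + (off)` is not used directly; the conditional appears intended to avoid forming a null pointer plus zero, which is undefined in C, but that should be stated rather than inferred. It also evaluates `off` twice, so callers must not pass an expression with side effects. Propose above the define: `/* Add off to ptr without evaluating (ptr) + 0 on a NULL ptr (undefined in C); off is evaluated twice. */`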
diff --git a/lib/ffmpeg/libavutil/pixfmt.h b/lib/ffmpeg/libavutil/pixfmt.h index 029c911d4..025f96be8 100644 --- a/lib/ffmpeg/libavutil/pixfmt.h +++ b/lib/ffmpeg/libavutil/pixfmt.h @@ -43,6 +43,10 @@ * This is stored as BGRA on little-endian CPU architectures and ARGB on * big-endian CPUs. * + * @note + * If the resolution is not a multiple of the chroma subsampling factor + * then the chroma plane resolution must be rounded up. + * * @par * When the pixel format is palettized RGB32 (AV_PIX_FMT_PAL8), the palettized * image data is stored in AVFrame.data[0]. The palette is transported in diff --git a/lib/ffmpeg/libavutil/timecode.c b/lib/ffmpeg/libavutil/timecode.c index bf463ed51..6efd86ab6 100644 --- a/lib/ffmpeg/libavutil/timecode.c +++ b/lib/ffmpeg/libavutil/timecode.c @@ -49,7 +49,7 @@ int av_timecode_adjust_ntsc_framenum2(int framenum, int fps) d = framenum / frames_per_10mins; m = framenum % frames_per_10mins; - return framenum + 9 * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); + return framenum + 9U * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); } uint32_t av_timecode_get_smpte_from_framenum(const AVTimecode *tc, int framenum) @@ -96,8 +96,8 @@ char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum) } ff = framenum % fps; ss = framenum / fps % 60; - mm = framenum / (fps*60) % 60; - hh = framenum / (fps*3600); + mm = framenum / (fps*60LL) % 60; + hh = framenum / (fps*3600LL); if (tc->flags & AV_TIMECODE_FLAG_24HOURSMAX) hh = hh % 24; snprintf(buf, AV_TIMECODE_STR_SIZE, "%s%02d:%02d:%02d%c%02d", diff --git a/lib/ffmpeg/libpostproc/postprocess_template.c b/lib/ffmpeg/libpostproc/postprocess_template.c index b01be58de..81842806e 100644 --- a/lib/ffmpeg/libpostproc/postprocess_template.c +++ b/lib/ffmpeg/libpostproc/postprocess_template.c 
@@ -1184,10 +1184,10 @@ FIND_MIN_MAX((%0, %1, 8)) #endif "movq %%mm6, %%mm0 \n\t" // max "psubb %%mm7, %%mm6 \n\t" // max - min - "push %4 \n\t" - "movd %%mm6, %k4 \n\t" - "cmpb "MANGLE(deringThreshold)", %b4 \n\t" - "pop %4 \n\t" + "push %%"REG_a" \n\t" + "movd %%mm6, %%eax \n\t" + "cmpb "MANGLE(deringThreshold)", %%al \n\t" + "pop %%"REG_a" \n\t" " jb 1f \n\t" PAVGB(%%mm0, %%mm7) // a=(max + min)/2 "punpcklbw %%mm7, %%mm7 \n\t" diff --git a/lib/ffmpeg/libswresample/arm/audio_convert_neon.S b/lib/ffmpeg/libswresample/arm/audio_convert_neon.S index 1f88316dd..085d50aaf 100644 --- a/lib/ffmpeg/libswresample/arm/audio_convert_neon.S +++ b/lib/ffmpeg/libswresample/arm/audio_convert_neon.S @@ -22,6 +22,7 @@ #include "libavutil/arm/asm.S" function swri_oldapi_conv_flt_to_s16_neon, export=1 +.L_swri_oldapi_conv_flt_to_s16_neon: subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! vcvt.s32.f32 q8, q0, #31 @@ -66,6 +67,7 @@ function swri_oldapi_conv_flt_to_s16_neon, export=1 endfunc function swri_oldapi_conv_fltp_to_s16_2ch_neon, export=1 +.L_swri_oldapi_conv_fltp_to_s16_2ch_neon: ldm r1, {r1, r3} subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! @@ -133,8 +135,8 @@ function swri_oldapi_conv_fltp_to_s16_nch_neon, export=1 cmp r3, #2 itt lt ldrlt r1, [r1] - blt X(swri_oldapi_conv_flt_to_s16_neon) - beq X(swri_oldapi_conv_fltp_to_s16_2ch_neon) + blt .L_swri_oldapi_conv_flt_to_s16_neon + beq .L_swri_oldapi_conv_fltp_to_s16_2ch_neon push {r4-r8, lr} cmp r3, #4 diff --git a/lib/ffmpeg/libswresample/swresample.c b/lib/ffmpeg/libswresample/swresample.c index 8e238998e..54180e220 100644 --- a/lib/ffmpeg/libswresample/swresample.c +++ b/lib/ffmpeg/libswresample/swresample.c 
@@ -316,7 +316,7 @@ av_cold int swr_init(struct SwrContext *s){ av_assert0(s->used_ch_count); av_assert0(s->out.ch_count); - s->resample_first= RSC*s->out.ch_count/s->in.ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0; + s->resample_first= RSC*s->out.ch_count/s->used_ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0; s->in_buffer= s->in; s->silence = s->in; @@ -667,7 +667,7 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co s->mix_2_1_simd(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_simd_one, 0, 0, len1); if(out_count != len1) for(ch=0; chch_count; ch++) - s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off + len1, s->native_one, 0, 0, out_count - len1); + s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off, s->native_one, 0, 0, out_count - len1); } else { for(ch=0; chch_count; ch++) s->mix_2_1_f(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_one, 0, 0, out_count); diff --git a/lib/ffmpeg/libswscale/input.c b/lib/ffmpeg/libswscale/input.c index 11dc24005..a0a2e71d9 100644 --- a/lib/ffmpeg/libswscale/input.c +++ b/lib/ffmpeg/libswscale/input.c 
@@ -286,8 +286,8 @@ static av_always_inline void rgb16_32ToUV_c_template(int16_t *dstU, int gsh, int bsh, int S, int32_t *rgb2yuv) { - const int ru = rgb2yuv[RU_IDX] << rsh, gu = rgb2yuv[GU_IDX] << gsh, bu = rgb2yuv[BU_IDX] << bsh, - rv = rgb2yuv[RV_IDX] << rsh, gv = rgb2yuv[GV_IDX] << gsh, bv = rgb2yuv[BV_IDX] << bsh; + const int ru = rgb2yuv[RU_IDX] * (1 << rsh), gu = rgb2yuv[GU_IDX] * (1 << gsh), bu = rgb2yuv[BU_IDX] * (1 << bsh), + rv = rgb2yuv[RV_IDX] * (1 << rsh), gv = rgb2yuv[GV_IDX] * (1 << gsh), bv = rgb2yuv[BV_IDX] * (1 << bsh); const unsigned rnd = (256u<<((S)-1)) + (1<<(S-7)); int i; @@ -314,8 +314,8 @@ static av_always_inline void rgb16_32ToUV_half_c_template(int16_t *dstU, int gsh, int bsh, int S, int32_t *rgb2yuv) { - const int ru = rgb2yuv[RU_IDX] << rsh, gu = rgb2yuv[GU_IDX] << gsh, bu = rgb2yuv[BU_IDX] << bsh, - rv = rgb2yuv[RV_IDX] << rsh, gv = rgb2yuv[GV_IDX] << gsh, bv = rgb2yuv[BV_IDX] << bsh, + const int ru = rgb2yuv[RU_IDX] * (1 << rsh), gu = rgb2yuv[GU_IDX] * (1 << gsh), bu = rgb2yuv[BU_IDX] * (1 << bsh), + rv = rgb2yuv[RV_IDX] * (1 << rsh), gv = rgb2yuv[GV_IDX] * (1 << gsh), bv = rgb2yuv[BV_IDX] * (1 << bsh), maskgx = ~(maskr | maskb); const unsigned rnd = (256U<<(S)) + (1<<(S-6)); int i; diff --git a/lib/ffmpeg/libswscale/output.c b/lib/ffmpeg/libswscale/output.c index 31e10237d..50eb7c3fe 100644 --- a/lib/ffmpeg/libswscale/output.c +++ b/lib/ffmpeg/libswscale/output.c @@ -1531,9 +1531,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21; - R = Y + V*c->yuv2rgb_v2r_coeff; - G = Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; - B = Y + U*c->yuv2rgb_u2b_coeff; + R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff; + G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; + B = (unsigned)Y + U*c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); G = av_clip_uintp2(G, 30); 
@@ -1771,7 +1771,7 @@ yuv2rgb_full_1_c_template(SwsContext *c, const int16_t *buf0, if (uvalpha < 2048) { int A = 0; //init to silence warning for (i = 0; i < dstW; i++) { - int Y = buf0[i] << 2; + int Y = buf0[i] * 4; int U = (ubuf0[i] - (128<<7)) * 4; int V = (vbuf0[i] - (128<<7)) * 4; @@ -1788,9 +1788,9 @@ yuv2rgb_full_1_c_template(SwsContext *c, const int16_t *buf0, const int16_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0; //init to silence warning for (i = 0; i < dstW; i++) { - int Y = buf0[i] << 2; - int U = (ubuf0[i] + ubuf1[i] - (128<<8)) << 1; - int V = (vbuf0[i] + vbuf1[i] - (128<<8)) << 1; + int Y = buf0[i] * 4; + int U = (ubuf0[i] + ubuf1[i] - (128<<8)) * 2; + int V = (vbuf0[i] + vbuf1[i] - (128<<8)) * 2; if (hasAlpha) { A = (abuf0[i] + 64) >> 7; diff --git a/lib/ffmpeg/libswscale/slice.c b/lib/ffmpeg/libswscale/slice.c index 38e12e33e..7b92eced4 100644 --- a/lib/ffmpeg/libswscale/slice.c +++ b/lib/ffmpeg/libswscale/slice.c @@ -243,7 +243,10 @@ int ff_init_filters(SwsContext * c) if (!c->desc) return AVERROR(ENOMEM); c->slice = av_mallocz_array(sizeof(SwsSlice), c->numSlice); - + if (!c->slice) { + res = AVERROR(ENOMEM); + goto cleanup; + } res = alloc_slice(&c->slice[0], c->srcFormat, c->srcH, c->chrSrcH, c->chrSrcHSubSample, c->chrSrcVSubSample, 0); if (res < 0) goto cleanup; diff --git a/lib/ffmpeg/libswscale/swscale-test.c b/lib/ffmpeg/libswscale/swscale-test.c index 45e25a378..856e5cb34 100644 --- a/lib/ffmpeg/libswscale/swscale-test.c +++ b/lib/ffmpeg/libswscale/swscale-test.c @@ -297,10 +297,10 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp, while (fgets(buf, sizeof(buf), fp)) { struct Results r; enum AVPixelFormat srcFormat; - char srcStr[12]; + char srcStr[13]; int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; - char dstStr[12]; + char dstStr[13]; int dstW = 0, dstH = 0; int flags; int ret; diff --git a/lib/ffmpeg/libswscale/swscale.c b/lib/ffmpeg/libswscale/swscale.c index c766b042f..18974e475 100644 
--- a/lib/ffmpeg/libswscale/swscale.c +++ b/lib/ffmpeg/libswscale/swscale.c @@ -413,8 +413,8 @@ static int swscale(SwsContext *c, const uint8_t *src[], srcStride[2] = srcStride[3] = srcStride[0]; } - srcStride[1] <<= c->vChrDrop; - srcStride[2] <<= c->vChrDrop; + srcStride[1] *= 1 << c->vChrDrop; + srcStride[2] *= 1 << c->vChrDrop; DEBUG_BUFFERS("swscale() %p[%d] %p[%d] %p[%d] %p[%d] -> %p[%d] %p[%d] %p[%d] %p[%d]\n", src[0], srcStride[0], src[1], srcStride[1], diff --git a/lib/ffmpeg/libswscale/yuv2rgb.c b/lib/ffmpeg/libswscale/yuv2rgb.c index e81f3f6f3..ba8fd7b64 100644 --- a/lib/ffmpeg/libswscale/yuv2rgb.c +++ b/lib/ffmpeg/libswscale/yuv2rgb.c @@ -124,10 +124,11 @@ const int *sws_getCoefficients(int colorspace) srcStride[2] *= 2; \ } \ for (y = 0; y < srcSliceH; y += 2) { \ + int yd = y + srcSliceY; \ dst_type *dst_1 = \ - (dst_type *)(dst[0] + (y + srcSliceY) * dstStride[0]); \ + (dst_type *)(dst[0] + (yd) * dstStride[0]); \ dst_type *dst_2 = \ - (dst_type *)(dst[0] + (y + srcSliceY + 1) * dstStride[0]); \ + (dst_type *)(dst[0] + (yd + 1) * dstStride[0]); \ dst_type av_unused *r, *g, *b; \ const uint8_t *py_1 = src[0] + y * srcStride[0]; \ const uint8_t *py_2 = py_1 + srcStride[0]; \ @@ -476,8 +477,8 @@ CLOSEYUV2RGBFUNC(8) // r, g, b, dst_1, dst_2 YUV2RGBFUNC(yuv2rgb_c_8_ordered_dither, uint8_t, 0) - const uint8_t *d32 = ff_dither_8x8_32[y & 7]; - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; + const uint8_t *d32 = ff_dither_8x8_32[yd & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; #define PUTRGB8(dst, src, i, o) \ Y = src[2 * i]; \ @@ -506,8 +507,8 @@ YUV2RGBFUNC(yuv2rgb_c_8_ordered_dither, uint8_t, 0) PUTRGB8(dst_1, py_1, 3, 6); ENDYUV2RGBLINE(8, 0) - const uint8_t *d32 = ff_dither_8x8_32[y & 7]; - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; + const uint8_t *d32 = ff_dither_8x8_32[yd & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; LOADCHROMA(0); PUTRGB8(dst_1, py_1, 0, 0); PUTRGB8(dst_2, py_2, 0, 0 + 8); 
@@ -517,8 +518,8 @@ ENDYUV2RGBLINE(8, 0) PUTRGB8(dst_1, py_1, 1, 2); ENDYUV2RGBLINE(8, 1) - const uint8_t *d32 = ff_dither_8x8_32[y & 7]; - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; + const uint8_t *d32 = ff_dither_8x8_32[yd & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; LOADCHROMA(0); PUTRGB8(dst_1, py_1, 0, 0); PUTRGB8(dst_2, py_2, 0, 0 + 8); @@ -527,8 +528,8 @@ ENDYUV2RGBFUNC() YUV2RGBFUNC(yuv2rgb_c_4_ordered_dither, uint8_t, 0) - const uint8_t * d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t * d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; int acc; #define PUTRGB4D(dst, src, i, o) \ @@ -559,8 +560,8 @@ YUV2RGBFUNC(yuv2rgb_c_4_ordered_dither, uint8_t, 0) PUTRGB4D(dst_1, py_1, 3, 6); ENDYUV2RGBLINE(4, 0) - const uint8_t * d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t * d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; int acc; LOADCHROMA(0); PUTRGB4D(dst_1, py_1, 0, 0); @@ -571,8 +572,8 @@ ENDYUV2RGBLINE(4, 0) PUTRGB4D(dst_1, py_1, 1, 2); ENDYUV2RGBLINE(4, 1) - const uint8_t * d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t * d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; int acc; LOADCHROMA(0); PUTRGB4D(dst_1, py_1, 0, 0); @@ -580,8 +581,8 @@ ENDYUV2RGBLINE(4, 1) ENDYUV2RGBFUNC() YUV2RGBFUNC(yuv2rgb_c_4b_ordered_dither, uint8_t, 0) - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; #define PUTRGB4DB(dst, src, i, o) \ Y = src[2 * i]; \ 
@@ -609,8 +610,8 @@ YUV2RGBFUNC(yuv2rgb_c_4b_ordered_dither, uint8_t, 0) PUTRGB4DB(dst_2, py_2, 3, 6 + 8); PUTRGB4DB(dst_1, py_1, 3, 6); ENDYUV2RGBLINE(8, 0) - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; LOADCHROMA(0); PUTRGB4DB(dst_1, py_1, 0, 0); PUTRGB4DB(dst_2, py_2, 0, 0 + 8); @@ -619,15 +620,15 @@ ENDYUV2RGBLINE(8, 0) PUTRGB4DB(dst_2, py_2, 1, 2 + 8); PUTRGB4DB(dst_1, py_1, 1, 2); ENDYUV2RGBLINE(8, 1) - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; LOADCHROMA(0); PUTRGB4DB(dst_1, py_1, 0, 0); PUTRGB4DB(dst_2, py_2, 0, 0 + 8); ENDYUV2RGBFUNC() YUV2RGBFUNC(yuv2rgb_c_1_ordered_dither, uint8_t, 0) - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; char out_1 = 0, out_2 = 0; g = c->table_gU[128 + YUVRGB_TABLE_HEADROOM] + c->table_gV[128 + YUVRGB_TABLE_HEADROOM]; diff --git a/lib/ffmpeg/tests/ref/fate/vp5 b/lib/ffmpeg/tests/ref/fate/vp5 index f044567fd..1219e6bf8 100644 --- a/lib/ffmpeg/tests/ref/fate/vp5 +++ b/lib/ffmpeg/tests/ref/fate/vp5 @@ -245,4 +245,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xbf73f1b7 +0, 246, 246, 1, 233472, 0x4f3ef38c diff --git a/lib/ffmpeg/tools/cws2fws.c b/lib/ffmpeg/tools/cws2fws.c index 7046b6995..9ce321fe2 100644 --- a/lib/ffmpeg/tools/cws2fws.c +++ b/lib/ffmpeg/tools/cws2fws.c @@ -89,6 +89,12 @@ int main(int argc, char *argv[]) for (i = 0; i < comp_len - 8;) { int ret, len = read(fd_in, &buf_in, 1024); + if (len == -1) { + printf("read failure\n"); + inflateEnd(&zstream); + goto out; + } + dbgprintf("read %d bytes\n", len); last_out = zstream.total_out; 
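Review bot: Only `len == -1` is treated as a failure in the cws2fws read loop; a `read()` that returns 0 on a truncated input is not caught, and if the loop's progress depends on `len` (the increment is outside the hunk) the `for` never terminates. `if (len <= 0)` covers both cases, and the diagnostic should go to stderr rather than mix with normal output: `fprintf(stderr, "read failure\n");`. `len` also stores a ssize_t in an int, which is fine for a 1024-byte read but worth a comment.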
diff --git a/lib/ffmpeg/version.sh b/lib/ffmpeg/version.sh index cc23f805e..f9754eb3c 100755 --- a/lib/ffmpeg/version.sh +++ b/lib/ffmpeg/version.sh @@ -2,32 +2,30 @@ # Usage: version.sh -if [ -d $1/.git ]; then # only check for a git rev, if the src tree is in a git repo # check for git short hash - if ! test "$revision"; then +if ! test "$revision"; then if (cd "$1" && grep git RELEASE 2> /dev/null >/dev/null) ; then revision=$(cd "$1" && git describe --tags --match N 2> /dev/null) else revision=$(cd "$1" && git describe --tags --always 2> /dev/null) fi - fi - - # Shallow Git clones (--depth) do not have the N tag: - # use 'git-YYYY-MM-DD-hhhhhhh'. - test "$revision" || revision=$(cd "$1" && - git log -1 --pretty=format:"git-%cd-%h" --date=short 2> /dev/null) +fi - # Snapshots from gitweb are in a directory called ffmpeg-hhhhhhh or - # ffmpeg-HEAD-hhhhhhh. - if [ -z "$revision" ]; then - srcdir=$(cd "$1" && pwd) - case "$srcdir" in - */ffmpeg-[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) - git_hash="${srcdir##*-}";; - */ffmpeg-HEAD-[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) - git_hash="${srcdir##*-}";; - esac - fi +# Shallow Git clones (--depth) do not have the N tag: +# use 'git-YYYY-MM-DD-hhhhhhh'. +test "$revision" || revision=$(cd "$1" && + git log -1 --pretty=format:"git-%cd-%h" --date=short 2> /dev/null) + +# Snapshots from gitweb are in a directory called ffmpeg-hhhhhhh or +# ffmpeg-HEAD-hhhhhhh. +if [ -z "$revision" ]; then + srcdir=$(cd "$1" && pwd) + case "$srcdir" in + */ffmpeg-[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) + git_hash="${srcdir##*-}";; + */ffmpeg-HEAD-[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) + git_hash="${srcdir##*-}";; + esac fi # no revision number found diff --git a/plex/CMakeModules/FindPLIST.cmake b/plex/CMakeModules/FindPLIST.cmake index d5778bd8f..5c0ec78b6 100644 --- a/plex/CMakeModules/FindPLIST.cmake +++ b/plex/CMakeModules/FindPLIST.cmake 
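Review bot: Removing the `[ -d $1/.git ]` guard lets `git describe` run in any source tree, and git searches parent directories for a repository, so a vendored tree such as lib/ffmpeg inside a larger checkout would report the enclosing repository's tag or hash as FFmpeg's revision, and the fallbacks for shallow clones and gitweb snapshots would then never run. If the guard was dropped to support submodules or worktrees, where .git is a file rather than a directory, `if [ -e "$1/.git" ]; then` with the matching `fi` restored keeps the check while accepting both. Quoting `"$1"` there also fixes the unquoted expansion the old line had.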
@@ -5,7 +5,7 @@ endif(PLIST_INCLUDE_DIR)
 find_package(PkgConfig)
 if (PKG_CONFIG_FOUND)
- pkg_check_modules(_PLIST libplist)
+ pkg_check_modules(_PLIST libplist-2.0 libplist)
 endif (PKG_CONFIG_FOUND)
 Find_Path(PLIST_INCLUDE_DIR
@@ -15,7 +15,7 @@ Find_Path(PLIST_INCLUDE_DIR
 )
 Find_Library(PLIST_LIBRARY
- NAMES plist
+ NAMES plist-2.0 plist
 PATHS /usr/lib usr/local/lib
 HINTS ${_PLIST_LIBDIR}
 )
diff --git a/xbmc/filesystem/MythFile.cpp b/xbmc/filesystem/MythFile.cpp
index 5ebc9d652..3d1730530 100644
--- a/xbmc/filesystem/MythFile.cpp
+++ b/xbmc/filesystem/MythFile.cpp
@@ -518,7 +518,7 @@ bool CMythFile::SkipNext()
 {
 HandleEvents();
 if(m_recorder)
- return m_dll->recorder_is_recording(m_recorder) > 0;
+ return m_dll->recorder_is_recording(m_recorder) > (void *)0;
 return false;
 }
diff --git a/xbmc/guilib/GUIEditControl.cpp b/xbmc/guilib/GUIEditControl.cpp
index 1263c4082..405f19968 100644
--- a/xbmc/guilib/GUIEditControl.cpp
+++ b/xbmc/guilib/GUIEditControl.cpp
@@ -295,7 +295,7 @@ void CGUIEditControl::OnClick()
 dateTime.SetFromDBTime(utf8);
 SYSTEMTIME time;
 dateTime.GetAsSystemTime(time);
- if (CGUIDialogNumeric::ShowAndGetTime(time, heading > 0 ? heading : g_localizeStrings.Get(21420)))
+ if (CGUIDialogNumeric::ShowAndGetTime(time, heading > (void *)0 ? heading : g_localizeStrings.Get(21420)))
 {
 dateTime = CDateTime(time);
 utf8 = dateTime.GetAsLocalizedTime("", false);
@@ -311,7 +311,7 @@ void CGUIEditControl::OnClick()
 dateTime = CDateTime(2000, 1, 1, 0, 0, 0);
 SYSTEMTIME date;
 dateTime.GetAsSystemTime(date);
- if (CGUIDialogNumeric::ShowAndGetDate(date, heading > 0 ? heading : g_localizeStrings.Get(21420)))
+ if (CGUIDialogNumeric::ShowAndGetDate(date, heading > (void *)0 ? heading : g_localizeStrings.Get(21420)))
 {
 dateTime = CDateTime(date);
 utf8 = dateTime.GetAsDBDate();
diff --git a/xbmc/network/WebServer.cpp b/xbmc/network/WebServer.cpp
index 40c8b38de..2b9390f19 100644
--- a/xbmc/network/WebServer.cpp
+++ b/xbmc/network/WebServer.cpp
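Review bot: `> (void *)0` is the wrong idiom for a null check in the MythFile.cpp hunk: a relational comparison between pointers that do not point into the same object has an unspecified result in C++ ([expr.rel]), so it merely happens to work on flat address spaces and reads as a compile-error workaround rather than a statement of intent. The portable form is equality against null, `return m_dll->recorder_is_recording(m_recorder) != NULL;` (assuming the callee returns a pointer, which the cast implies). The same substitution applies to the two `heading > (void *)0` conditions in GUIEditControl.cpp, the `pChild` loop in Settings.cpp and the `itemNode`/`childNode` loops in RssReader.cpp further down this commit, wherever those operands are pointers.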
@@ -87,9 +87,9 @@ static MHD_Response* create_response(size_t size, void* data, int free, int copy
 #endif
 }
-int CWebServer::AskForAuthentication(struct MHD_Connection *connection)
+MHD_Result CWebServer::AskForAuthentication(struct MHD_Connection *connection)
 {
- int ret;
+ MHD_Result ret;
 struct MHD_Response *response;
 response = create_response (0, NULL, MHD_NO, MHD_NO);
@@ -99,8 +99,7 @@ int CWebServer::AskForAuthentication(struct MHD_Connection *connection)
 return MHD_NO;
 }
- ret = MHD_add_response_header(response, MHD_HTTP_HEADER_WWW_AUTHENTICATE, "Basic realm=XBMC");
- ret |= MHD_add_response_header(response, MHD_HTTP_HEADER_CONNECTION, "close");
+ ret = MHD_add_response_header(response, MHD_HTTP_HEADER_CONNECTION, "close");
 if (!ret)
 {
 CLog::Log(LOGERROR, "CWebServer: unable to prepare HTTP Unauthorized response");
@@ -131,17 +130,10 @@ bool CWebServer::IsAuthenticated(CWebServer *server, struct MHD_Connection *conn
 return (server->m_Credentials64Encoded.compare(headervalue + strlen(strbase)) == 0);
 }
-#if (MHD_VERSION >= 0x00040001)
-int CWebServer::AnswerToConnection(void *cls, struct MHD_Connection *connection,
+MHD_Result CWebServer::AnswerToConnection(void *cls, struct MHD_Connection *connection,
 const char *url, const char *method,
 const char *version, const char *upload_data,
 size_t *upload_data_size, void **con_cls)
-#else
-int CWebServer::AnswerToConnection(void *cls, struct MHD_Connection *connection,
- const char *url, const char *method,
- const char *version, const char *upload_data,
- unsigned int *upload_data_size, void **con_cls)
-#endif
 {
 if (cls == NULL || con_cls == NULL)
 {
@@ -254,7 +246,7 @@ int CWebServer::AnswerToConnection(void *cls, struct MHD_Connection *connection,
 MHD_destroy_post_processor(conHandler->postprocessor);
 *con_cls = NULL;
- int ret = HandleRequest(conHandler->requestHandler, request);
+ MHD_Result ret = HandleRequest(conHandler->requestHandler, request);
 delete conHandler;
 return ret;
 }
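Review bot: The rewritten header setup in the second AskForAuthentication hunk drops the `WWW-Authenticate: Basic realm=XBMC` header, so the 401 queued by this function no longer tells the client which authentication scheme to use; browsers will not prompt for credentials, and a 401 without `WWW-Authenticate` is not a valid challenge under RFC 7235 §3.1. The removal looks like a side effect of `ret |=` not being valid on the `MHD_Result` enum rather than an intended behaviour change. Keep both headers and chain the results, `ret = MHD_add_response_header(response, MHD_HTTP_HEADER_WWW_AUTHENTICATE, "Basic realm=XBMC");` / `if (ret == MHD_YES)` / `ret = MHD_add_response_header(response, MHD_HTTP_HEADER_CONNECTION, "close");`, so the existing `if (!ret)` check still covers both calls.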
@@ -277,17 +269,10 @@ int CWebServer::AnswerToConnection(void *cls, struct MHD_Connection *connection,
 return SendErrorResponse(connection, MHD_HTTP_NOT_FOUND, methodType);
 }
-#if (MHD_VERSION >= 0x00040001)
-int CWebServer::HandlePostField(void *cls, enum MHD_ValueKind kind, const char *key,
+MHD_Result CWebServer::HandlePostField(void *cls, enum MHD_ValueKind kind, const char *key,
 const char *filename, const char *content_type,
 const char *transfer_encoding, const char *data, uint64_t off,
 size_t size)
-#else
-int CWebServer::HandlePostField(void *cls, enum MHD_ValueKind kind, const char *key,
- const char *filename, const char *content_type,
- const char *transfer_encoding, const char *data, uint64_t off,
- unsigned int size)
-#endif
 {
 ConnectionHandler *conHandler = (ConnectionHandler *)cls;
@@ -302,7 +287,7 @@ int CWebServer::HandlePostField(void *cls, enum MHD_ValueKind kind, const char *
 return MHD_YES;
 }
-int CWebServer::HandleRequest(IHTTPRequestHandler *handler, const HTTPRequest &request)
+MHD_Result CWebServer::HandleRequest(IHTTPRequestHandler *handler, const HTTPRequest &request)
 {
 if (handler == NULL)
 return SendErrorResponse(request.connection, MHD_HTTP_INTERNAL_SERVER_ERROR, request.method);
@@ -511,7 +496,7 @@ int CWebServer::CreateFileDownloadResponse(struct MHD_Connection *connection, co
 return MHD_YES;
 }
-int CWebServer::CreateErrorResponse(struct MHD_Connection *connection, int responseType, HTTPMethod method, struct MHD_Response *&response)
+MHD_Result CWebServer::CreateErrorResponse(struct MHD_Connection *connection, int responseType, HTTPMethod method, struct MHD_Response *&response)
 {
 size_t payloadSize = 0;
 void *payload = NULL;
@@ -553,10 +538,10 @@ int CWebServer::CreateMemoryDownloadResponse(struct MHD_Connection *connection,
 return MHD_YES;
 }
-int CWebServer::SendErrorResponse(struct MHD_Connection *connection, int errorType, HTTPMethod method)
+MHD_Result CWebServer::SendErrorResponse(struct MHD_Connection *connection, int errorType, HTTPMethod method)
 {
 struct MHD_Response *response = NULL;
- int ret = CreateErrorResponse(connection, errorType, method, response);
+ MHD_Result ret = CreateErrorResponse(connection, errorType, method, response);
 if (ret == MHD_YES)
 {
 ret = MHD_queue_response (connection, errorType, response);
@@ -809,20 +794,20 @@ std::string CWebServer::GetRequestHeaderValue(struct MHD_Connection *connection,
 return value;
 }
-int CWebServer::GetRequestHeaderValues(struct MHD_Connection *connection, enum MHD_ValueKind kind, std::map &headerValues)
+MHD_Result CWebServer::GetRequestHeaderValues(struct MHD_Connection *connection, enum MHD_ValueKind kind, std::map &headerValues)
 {
 if (connection == NULL)
- return -1;
+ return MHD_NO;
- return MHD_get_connection_values(connection, kind, FillArgumentMap, &headerValues);
+ return MHD_YES;
 }
-int CWebServer::GetRequestHeaderValues(struct MHD_Connection *connection, enum MHD_ValueKind kind, std::multimap &headerValues)
+MHD_Result CWebServer::GetRequestHeaderValues(struct MHD_Connection *connection, enum MHD_ValueKind kind, std::multimap &headerValues)
 {
 if (connection == NULL)
- return -1;
+ return MHD_NO;
- return MHD_get_connection_values(connection, kind, FillArgumentMultiMap, &headerValues);
+ return MHD_YES;
 }
 const char *CWebServer::CreateMimeTypeFromExtension(const char *ext)
diff --git a/xbmc/network/WebServer.h b/xbmc/network/WebServer.h
index d307281c7..0a7ee853d 100644
--- a/xbmc/network/WebServer.h
+++ b/xbmc/network/WebServer.h
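Review bot: Both `GetRequestHeaderValues` overloads in the second hunk now return `MHD_YES` without ever calling `MHD_get_connection_values`, so `headerValues` is left empty and every caller sees a request with no headers or arguments (depending on `kind`) behind a success code — a silent functional regression, not a type-only change. The call was presumably dropped because `FillArgumentMap`/`FillArgumentMultiMap` still return `int` (the header hunk below keeps `static int FillArgumentMap(...)`) and no longer match the iterator type newer libmicrohttpd expects. The fix is to change those two callbacks to return `MHD_Result` and restore the iteration, `return MHD_get_connection_values(connection, kind, FillArgumentMap, &headerValues) < 0 ? MHD_NO : MHD_YES;` here and the `FillArgumentMultiMap` equivalent in the second overload.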
@@ -52,11 +52,11 @@ class CWebServer : public JSONRPC::ITransportLayer
 static void UnregisterRequestHandler(IHTTPRequestHandler *handler);
 static std::string GetRequestHeaderValue(struct MHD_Connection *connection, enum MHD_ValueKind kind, const std::string &key);
- static int GetRequestHeaderValues(struct MHD_Connection *connection, enum MHD_ValueKind kind, std::map &headerValues);
- static int GetRequestHeaderValues(struct MHD_Connection *connection, enum MHD_ValueKind kind, std::multimap &headerValues);
+ static MHD_Result GetRequestHeaderValues(struct MHD_Connection *connection, enum MHD_ValueKind kind, std::map &headerValues);
+ static MHD_Result GetRequestHeaderValues(struct MHD_Connection *connection, enum MHD_ValueKind kind, std::multimap &headerValues);
 private:
 struct MHD_Daemon* StartMHD(unsigned int flags, int port);
- static int AskForAuthentication (struct MHD_Connection *connection);
+ static MHD_Result AskForAuthentication (struct MHD_Connection *connection);
 static bool IsAuthenticated (CWebServer *server, struct MHD_Connection *connection);
 static void* UriRequestLogger(void *cls, const char *uri);
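Review bot: `MHD_Result` is now used unconditionally in these declarations, but that enum only exists in recent libmicrohttpd releases (introduced in 0.9.71, if I recall correctly), so building against an older library fails with an unhelpful unknown-type error rather than a clear message. A version check near the includes, e.g. `#if MHD_VERSION < 0x00097100` / `#error "libmicrohttpd >= 0.9.71 is required"` / `#endif`, or a compatibility `typedef int MHD_Result;` under that condition, would make the new minimum explicit, and a one-line comment stating which libmicrohttpd generation the removal of the `#if (MHD_VERSION >= 0x00040001)` branches assumes would help the next maintainer. The class body continues outside this hunk.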
@@ -69,33 +69,23 @@ class CWebServer : public JSONRPC::ITransportLayer
 static int ContentReaderCallback (void *cls, size_t pos, char *buf, int max);
 #endif
-#if (MHD_VERSION >= 0x00040001)
- static int AnswerToConnection (void *cls, struct MHD_Connection *connection,
+ static MHD_Result AnswerToConnection (void *cls, struct MHD_Connection *connection,
 const char *url, const char *method,
 const char *version, const char *upload_data,
 size_t *upload_data_size, void **con_cls);
- static int HandlePostField(void *cls, enum MHD_ValueKind kind, const char *key,
+ static MHD_Result HandlePostField(void *cls, enum MHD_ValueKind kind, const char *key,
 const char *filename, const char *content_type,
 const char *transfer_encoding, const char *data, uint64_t off,
 size_t size);
-#else //libmicrohttpd < 0.4.0
- static int AnswerToConnection (void *cls, struct MHD_Connection *connection,
- const char *url, const char *method,
- const char *version, const char *upload_data,
- unsigned int *upload_data_size, void **con_cls);
- static int HandlePostField(void *cls, enum MHD_ValueKind kind, const char *key,
- const char *filename, const char *content_type,
- const char *transfer_encoding, const char *data, uint64_t off,
- unsigned int size);
-#endif
- static int HandleRequest(IHTTPRequestHandler *handler, const HTTPRequest &request);
+
+ static MHD_Result HandleRequest(IHTTPRequestHandler *handler, const HTTPRequest &request);
 static void ContentReaderFreeCallback (void *cls);
 static int CreateRedirect(struct MHD_Connection *connection, const std::string &strURL, struct MHD_Response *&response);
 static int CreateFileDownloadResponse(struct MHD_Connection *connection, const std::string &strURL, HTTPMethod methodType, struct MHD_Response *&response, int &responseCode);
- static int CreateErrorResponse(struct MHD_Connection *connection, int responseType, HTTPMethod method, struct MHD_Response *&response);
+ static MHD_Result CreateErrorResponse(struct MHD_Connection *connection, int responseType, HTTPMethod method, struct MHD_Response *&response);
 static int CreateMemoryDownloadResponse(struct MHD_Connection *connection, void *data, size_t size, bool free, bool copy, struct MHD_Response *&response);
- static int SendErrorResponse(struct MHD_Connection *connection, int errorType, HTTPMethod method);
+ static MHD_Result SendErrorResponse(struct MHD_Connection *connection, int errorType, HTTPMethod method);
 static HTTPMethod GetMethod(const char *method);
 static int FillArgumentMap(void *cls, enum MHD_ValueKind kind, const char *key, const char *value);
diff --git a/xbmc/settings/Settings.cpp b/xbmc/settings/Settings.cpp
index d97e8f666..0c95f5d8a 100644
--- a/xbmc/settings/Settings.cpp
+++ b/xbmc/settings/Settings.cpp
@@ -227,7 +227,7 @@ void CSettings::GetSources(const TiXmlElement* pRootElement, const CStdString& s
 if (pChild)
 {
 pChild = pChild->FirstChild();
- while (pChild > 0)
+ while (pChild > (void *)0)
 {
 CStdString strValue = pChild->Value();
 if (strValue == "source" || strValue == "bookmark") // "bookmark" left in for backwards compatibility
diff --git a/xbmc/utils/RssReader.cpp b/xbmc/utils/RssReader.cpp
index 10527b776..29c7bb70e 100644
--- a/xbmc/utils/RssReader.cpp
+++ b/xbmc/utils/RssReader.cpp
@@ -261,11 +261,11 @@ void CRssReader::GetNewsItems(TiXmlElement* channelXmlNode, int iFeed)
 if (m_tagSet.empty())
 AddTag("title");
- while (itemNode > 0)
+ while (itemNode > (void *)0)
 {
 TiXmlNode* childNode = itemNode->FirstChild();
 mTagElements.clear();
- while (childNode > 0)
+ while (childNode > (void *)0)
 {
 CStdString strName = childNode->Value();