fftools/ffmpeg_mux_init.c

@@ -845,6 +845,7 @@ static int new_stream_audio(Muxer *mux, const OptionsContext *o,
         int channels = 0;
         char *layout = NULL;
         char *sample_fmt = NULL;
+        const char *apad = NULL;
 
         MATCH_PER_STREAM_OPT(audio_channels, i, channels, oc, st);
         if (channels) {
@@ -882,8 +883,12 @@ static int new_stream_audio(Muxer *mux, const OptionsContext *o,
 
         MATCH_PER_STREAM_OPT(audio_sample_rate, i, audio_enc->sample_rate, oc, st);
 
-        MATCH_PER_STREAM_OPT(apad, str, ost->apad, oc, st);
-        ost->apad = av_strdup(ost->apad);
+        MATCH_PER_STREAM_OPT(apad, str, apad, oc, st);
+        if (apad) {
+            ost->apad = av_strdup(apad);
+            if (!ost->apad)
+                return AVERROR(ENOMEM);
+        }
 
 #if FFMPEG_OPT_MAP_CHANNEL
         /* check for channel mapping for this audio stream */
@@ -1467,7 +1472,7 @@ static int map_auto_video(Muxer *mux, const OptionsContext *o)
 {
     AVFormatContext *oc = mux->fc;
     InputStream *best_ist = NULL;
-    int best_score = 0;
+    int64_t best_score = 0;
     int qcr;
 
     /* video: highest resolution */
@@ -1478,16 +1483,16 @@ static int map_auto_video(Muxer *mux, const OptionsContext *o)
     for (int j = 0; j < nb_input_files; j++) {
         InputFile *ifile = input_files[j];
         InputStream *file_best_ist = NULL;
-        int file_best_score = 0;
+        int64_t file_best_score = 0;
         for (int i = 0; i < ifile->nb_streams; i++) {
             InputStream *ist = ifile->streams[i];
-            int score;
+            int64_t score;
 
             if (ist->user_set_discard == AVDISCARD_ALL ||
                 ist->st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO)
                 continue;
 
-            score = ist->st->codecpar->width * ist->st->codecpar->height
+            score = ist->st->codecpar->width * (int64_t)ist->st->codecpar->height
                        + 100000000 * !!(ist->st->event_flags & AVSTREAM_EVENT_FLAG_NEW_PACKETS)
                        + 5000000*!!(ist->st->disposition & AV_DISPOSITION_DEFAULT);
             if((qcr!=MKTAG('A', 'P', 'I', 'C')) && (ist->st->disposition & AV_DISPOSITION_ATTACHED_PIC))

libavcodec/aacdec_template.c

@@ -454,6 +454,9 @@ static int output_configure(AACContext *ac,
     uint8_t id_map[TYPE_END][MAX_ELEM_ID] = {{ 0 }};
     uint8_t type_counts[TYPE_END] = { 0 };
 
+    if (get_new_frame && !ac->frame)
+        return AVERROR_INVALIDDATA;
+
     if (ac->oc[1].layout_map != layout_map) {
         memcpy(ac->oc[1].layout_map, layout_map, tags * sizeof(layout_map[0]));
         ac->oc[1].layout_map_tags = tags;

libavcodec/aacenc_tns.c

@@ -172,6 +172,7 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
                       sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 : 2;
     const int sfb_len = sfb_end - sfb_start;
     const int coef_len = sce->ics.swb_offset[sfb_end] - sce->ics.swb_offset[sfb_start];
+    const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
 
     if (coef_len <= 0 || sfb_len <= 0) {
         sce->tns.present = 0;
@@ -179,16 +180,30 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
     }
 
     for (w = 0; w < sce->ics.num_windows; w++) {
-        float en[2] = {0.0f, 0.0f};
-        int oc_start = 0, os_start = 0;
+        float en[4] = {0.0f, 0.0f, 0.0f, 0.0f};
+        int oc_start = 0;
         int coef_start = sce->ics.swb_offset[sfb_start];
 
-        for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
-            FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
-            if (g > sfb_start + (sfb_len/2))
-                en[1] += band->energy;
-            else
-                en[0] += band->energy;
+        if (n_filt == 2) {
+            for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+                FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+                    if (g > sfb_start + (sfb_len/2))
+                        en[1] += band->energy; /* End */
+                    else
+                        en[0] += band->energy; /* Start */
+            }
+            en[2] = en[0];
+        } else {
+            for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+                FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+                    if (g > sfb_start + (sfb_len/2) + (sfb_len/4))
+                        en[2] += band->energy; /* End */
+                    else if (g > sfb_start + (sfb_len/2) - (sfb_len/4))
+                        en[1] += band->energy; /* Middle */
+                    else
+                        en[0] += band->energy; /* Start */
+            }
+            en[3] = en[0];
         }
 
         /* LPC */
@@ -198,15 +213,14 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
         if (!order || !isfinite(gain) || gain < TNS_GAIN_THRESHOLD_LOW || gain > TNS_GAIN_THRESHOLD_HIGH)
             continue;
 
-        tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
+        tns->n_filt[w] = n_filt;
         for (g = 0; g < tns->n_filt[w]; g++) {
-            tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
-            tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] : order - oc_start;
-            tns->length[w][g] = g < tns->n_filt[w] ? sfb_len/tns->n_filt[w] : sfb_len - os_start;
+            tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1];
+            tns->order[w][g] = order/tns->n_filt[w];
+            tns->length[w][g] = sfb_len/tns->n_filt[w];
             quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g], tns->coef[w][g],
                             tns->order[w][g], c_bits);
             oc_start += tns->order[w][g];
-            os_start += tns->length[w][g];
         }
         count++;
     }

libavcodec/dxv.c

@@ -1147,6 +1147,8 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame *frame,
         ctx->tex_rat = 1;
         break;
     }
+    if (avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1)
+        return AVERROR_INVALIDDATA;
 
     ctx->slice_count = av_clip(avctx->thread_count, 1,
                                avctx->coded_height / FFMAX(ctx->texture_block_h,

libavcodec/exr.c

@@ -173,6 +173,9 @@ typedef struct EXRContext {
 
     int is_luma;/* 1 if there is an Y plane */
 
+#define M(chr) (1<<chr - 'A')
+    int has_channel; ///< combination of flags representing the channel codes A-Z
+
     GetByteContext gb;
     const uint8_t *buf;
     int buf_size;
@@ -739,12 +742,12 @@ static int pxr24_uncompress(const EXRContext *s, const uint8_t *src,
                 break;
             case EXR_UINT:
                 ptr[0] = in;
-                ptr[1] = ptr[0] + s->xdelta;
-                ptr[2] = ptr[1] + s->xdelta;
-                ptr[3] = ptr[2] + s->xdelta;
-                in     = ptr[3] + s->xdelta;
+                ptr[1] = ptr[0] + td->xsize;
+                ptr[2] = ptr[1] + td->xsize;
+                ptr[3] = ptr[2] + td->xsize;
+                in     = ptr[3] + td->xsize;
 
-                for (j = 0; j < s->xdelta; ++j) {
+                for (j = 0; j < td->xsize; ++j) {
                     uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
                     (*(ptr[1]++) << 16) |
                     (*(ptr[2]++) << 8 ) |
@@ -986,8 +989,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
     int64_t version, lo_usize, lo_size;
     int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;
     int64_t ac_count, dc_count, ac_compression;
-    const int dc_w = td->xsize >> 3;
-    const int dc_h = td->ysize >> 3;
+    const int dc_w = (td->xsize + 7) >> 3;
+    const int dc_h = (td->ysize + 7) >> 3;
     GetByteContext gb, agb;
     int skip, ret;
     int have_rle = 0;
@@ -999,6 +1002,11 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
     if (version != 2)
         return AVERROR_INVALIDDATA;
 
+    if (s->nb_channels < 3) {
+        avpriv_request_sample(s->avctx, "Gray DWA");
+        return AVERROR_PATCHWELCOME;
+    }
+
     lo_usize = AV_RL64(src + 8);
     lo_size = AV_RL64(src + 16);
     ac_size = AV_RL64(src + 24);
@@ -1015,11 +1023,20 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
     )
         return AVERROR_INVALIDDATA;
 
+    if (ac_size <= 0) {
+        avpriv_request_sample(s->avctx, "Zero ac_size");
+        return AVERROR_INVALIDDATA;
+    }
+
     if ((uint64_t)rle_raw_size > INT_MAX) {
         avpriv_request_sample(s->avctx, "Too big rle_raw_size");
         return AVERROR_INVALIDDATA;
     }
 
+    if (td->xsize % 8 || td->ysize % 8) {
+        avpriv_request_sample(s->avctx, "odd dimensions DWA");
+    }
+
     bytestream2_init(&gb, src + 88, compressed_size - 88);
     skip = bytestream2_get_le16(&gb);
     if (skip < 2)
@@ -1580,6 +1597,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
     s->is_tile            = 0;
     s->is_multipart       = 0;
     s->is_luma            = 0;
+    s->has_channel        = 0;
     s->current_part       = 0;
 
     if (bytestream2_get_bytes_left(gb) < 10) {
@@ -1683,23 +1701,26 @@ static int decode_header(EXRContext *s, AVFrame *frame)
                 }
 
                 if (layer_match) { /* only search channel if the layer match is valid */
+                    if (strlen(ch_gb.buffer) == 1) {
+                        int ch_chr = av_toupper(*ch_gb.buffer);
+                        if (ch_chr >= 'A' && ch_chr <= 'Z')
+                            s->has_channel |= M(ch_chr);
+                        av_log(s->avctx, AV_LOG_DEBUG, "%c\n", ch_chr);
+                    }
+
                     if (!av_strcasecmp(ch_gb.buffer, "R") ||
                         !av_strcasecmp(ch_gb.buffer, "X") ||
                         !av_strcasecmp(ch_gb.buffer, "U")) {
                         channel_index = 0;
-                        s->is_luma = 0;
                     } else if (!av_strcasecmp(ch_gb.buffer, "G") ||
                                !av_strcasecmp(ch_gb.buffer, "V")) {
                         channel_index = 1;
-                        s->is_luma = 0;
                     } else if (!av_strcasecmp(ch_gb.buffer, "Y")) {
                         channel_index = 1;
-                        s->is_luma = 1;
                     } else if (!av_strcasecmp(ch_gb.buffer, "B") ||
                                !av_strcasecmp(ch_gb.buffer, "Z") ||
                                !av_strcasecmp(ch_gb.buffer, "W")) {
                         channel_index = 2;
-                        s->is_luma = 0;
                     } else if (!av_strcasecmp(ch_gb.buffer, "A")) {
                         channel_index = 3;
                     } else {
@@ -1775,6 +1796,20 @@ static int decode_header(EXRContext *s, AVFrame *frame)
                     s->current_channel_offset += 4;
                 }
             }
+            if        (!((M('R') + M('G') + M('B')) & ~s->has_channel)) {
+                s->is_luma = 0;
+            } else if (!((M('X') + M('Y') + M('Z')) & ~s->has_channel)) {
+                s->is_luma = 0;
+            } else if (!((M('Y') + M('U') + M('V')) & ~s->has_channel)) {
+                s->is_luma = 0;
+            } else if (!((M('Y')                  ) & ~s->has_channel) &&
+                       !((M('R') + M('G') + M('B') + M('U') + M('V') + M('X') + M('Z')) &  s->has_channel)) {
+                s->is_luma = 1;
+            } else {
+                avpriv_request_sample(s->avctx, "Uncommon channel combination");
+                ret = AVERROR(AVERROR_PATCHWELCOME);
+                goto fail;
+            }
 
             /* Check if all channels are set with an offset or if the channels
              * are causing an overflow  */

libavcodec/g723_1.h

@@ -108,7 +108,7 @@ typedef struct HFParam {
  * Optimized fixed codebook excitation parameters
  */
 typedef struct FCBParam {
-    int min_err;
+    int64_t min_err;
     int amp_index;
     int grid_index;
     int dirac_train;

libavcodec/g723_1enc.c

@@ -1013,7 +1013,7 @@ static void fcb_search(G723_1_ChannelContext *p, int16_t *impulse_resp,
     int pulse_cnt = pulses[index];
     int i;
 
-    optim.min_err = 1 << 30;
+    optim.min_err = 1LL << 31;
     get_fcb_param(&optim, impulse_resp, buf, pulse_cnt, SUBFRAME_LEN);
 
     if (p->pitch_lag[index >> 1] < SUBFRAME_LEN - 2) {

libavcodec/librsvgdec.c

@@ -90,8 +90,6 @@ static int librsvg_decode_frame(AVCodecContext *avctx, AVFrame *frame,
         goto end;
 
     avctx->pix_fmt = AV_PIX_FMT_RGB32;
-    viewport.width = dimensions.width;
-    viewport.height = dimensions.height;
 
     ret = ff_get_buffer(avctx, frame, 0);
     if (ret < 0)
@@ -116,6 +114,8 @@ static int librsvg_decode_frame(AVCodecContext *avctx, AVFrame *frame,
     cairo_restore(crender);
 
 #if LIBRSVG_MAJOR_VERSION > 2 || LIBRSVG_MAJOR_VERSION == 2 && LIBRSVG_MINOR_VERSION >= 52
+    viewport.width = dimensions.width;
+    viewport.height = dimensions.height;
     gret = rsvg_handle_render_document(handle, crender, &viewport, &error);
 #else
     cairo_scale(crender, dimensions.width / (double)unscaled_dimensions.width,

libavcodec/mjpegdec.c

@@ -343,6 +343,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
     av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
     if (av_image_check_size(width, height, 0, s->avctx) < 0)
         return AVERROR_INVALIDDATA;
+
+    // A valid frame requires at least 1 bit for DC + 1 bit for AC for each 8x8 block.
     if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL)
         return AVERROR_INVALIDDATA;
 

libavcodec/osq.c

@@ -389,7 +389,7 @@ static int osq_decode_block(AVCodecContext *avctx, AVFrame *frame)
             int32_t *src = s->decode_buffer[ch] + OFFSET;
 
             for (int n = 0; n < nb_samples; n++)
-                dst[n] = av_clip_uint8(src[n] + 0x80);
+                dst[n] = av_clip_uint8(src[n] + 0x80ll);
         }
         break;
     case AV_SAMPLE_FMT_S16P:

libavcodec/sanm.c

@@ -973,6 +973,11 @@ static int process_frame_obj(SANMVideoContext *ctx)
     }
     bytestream2_skip(&ctx->gb, 4);
 
+    if (w + FFMAX(left, 0) > ctx->avctx->width || h + FFMAX(top, 0) > ctx->avctx->height) {
+        avpriv_request_sample(ctx->avctx, "overly large frame\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
     switch (codec) {
     case 1:
     case 3:

libavcodec/utvideodec.c

@@ -456,7 +456,7 @@ static void restore_median_planar_il(UtvideoContext *c, uint8_t *src, ptrdiff_t
         // second line - first element has top prediction, the rest uses median
         C        = bsrc[-stride2];
         bsrc[0] += C;
-        A        = bsrc[0];
+        A = B    = bsrc[0];
         for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need align 16) */
             B        = bsrc[i - stride2];
             bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C));
@@ -584,7 +584,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
     int buf_size = avpkt->size;
     UtvideoContext *c = avctx->priv_data;
     int i, j;
-    const uint8_t *plane_start[5];
+    const uint8_t *plane_start[5] = {NULL};
     int plane_size, max_slice_size = 0, slice_start, slice_end, slice_size;
     int ret;
     GetByteContext gb;

libavcodec/vlc.c

@@ -456,7 +456,7 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI *multi, int nb_bits, int
     if (ret < 0)
         return ret;
 
-    multi->table = av_malloc(sizeof(*multi->table) << nb_bits);
+    multi->table = av_mallocz(sizeof(*multi->table) << nb_bits);
     if (!multi->table)
         goto fail;
 

libavfilter/vf_drawtext.c

@@ -938,7 +938,7 @@ static av_cold int init(AVFilterContext *ctx)
             av_log(ctx, AV_LOG_WARNING, "Multiple texts provided, will use text_source only\n");
             av_free(s->text);
         }
-        s->text = av_mallocz(AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE *
+        s->text = av_mallocz((AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE + 1) *
                              (AV_NUM_DETECTION_BBOX_CLASSIFY + 1));
         if (!s->text)
             return AVERROR(ENOMEM);
@@ -1669,8 +1669,7 @@ static int measure_text(AVFilterContext *ctx, TextMetrics *metrics)
 {
     DrawTextContext *s = ctx->priv;
     char *text = s->expanded_text.str;
-    char *textdup = NULL, *start = NULL;
-    int num_chars = 0;
+    char *textdup = NULL;
     int width64 = 0, w64 = 0;
     int cur_min_y64 = 0, first_max_y64 = -32000;
     int first_min_x64 = 32000, last_max_x64 = -32000;
@@ -1680,7 +1679,7 @@ static int measure_text(AVFilterContext *ctx, TextMetrics *metrics)
     Glyph *glyph = NULL;
 
     int i, tab_idx = 0, last_tab_idx = 0, line_offset = 0;
-    char* p;
+    uint8_t *start, *p;
     int ret = 0;
 
     // Count the lines and the tab characters
@@ -1733,7 +1732,7 @@ continue_on_failed2:
             TextLine *cur_line = &s->lines[line_count];
             HarfbuzzData *hb = &cur_line->hb_data;
             cur_line->cluster_offset = line_offset;
-            ret = shape_text_hb(s, hb, start, num_chars);
+            ret = shape_text_hb(s, hb, start, p - start);
             if (ret != 0) {
                 goto done;
             }
@@ -1791,14 +1790,12 @@ continue_on_failed2:
             if (w64 > width64) {
                 width64 = w64;
             }
-            num_chars = -1;
             start = p;
             ++line_count;
             line_offset = i + 1;
         }
 
         if (code == 0) break;
-        ++num_chars;
     }
 
     metrics->line_height64 = s->face->size->metrics.height;

libavformat/avidec.c

@@ -1700,7 +1700,7 @@ static int check_stream_max_drift(AVFormatContext *s)
     int *idx = av_calloc(s->nb_streams, sizeof(*idx));
     if (!idx)
         return AVERROR(ENOMEM);
-    for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) {
+    for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) {
         int64_t max_dts = INT64_MIN / 2;
         int64_t min_dts = INT64_MAX / 2;
         int64_t max_buffer = 0;

libavformat/aviobuf.c

@@ -355,7 +355,7 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence)
         ctx->seek_count++;
         if (!s->write_flag)
             s->buf_end = s->buffer;
-        s->buf_ptr = s->buf_ptr_max = s->buffer;
+        s->checksum_ptr = s->buf_ptr = s->buf_ptr_max = s->buffer;
         s->pos = offset;
     }
     s->eof_reached = 0;

libavformat/http.c

@@ -1788,7 +1788,7 @@ static int store_icy(URLContext *h, int size)
             ret = http_read_stream_all(h, data, len);
             if (ret < 0)
                 return ret;
-            data[len + 1] = 0;
+            data[len] = 0;
             if ((ret = av_opt_set(s, "icy_metadata_packet", data, 0)) < 0)
                 return ret;
             update_metadata(h, data);

libavformat/lrcdec.c

@@ -91,7 +91,7 @@ static int64_t read_ts(const char *p, int64_t *start)
     if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) {
         return 0;
     }
-    *start = (mm * 60 + ss) * AV_TIME_BASE;
+    *start = llrint((mm * 60 + ss) * AV_TIME_BASE);
     if (prefix[1] == '-') {
         *start = - *start;
     }

libavformat/rtmpproto.c

@@ -162,6 +162,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket *pkt);
 static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt);
 static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt);
 
+static size_t zstrlen(const char *c)
+{
+    if(c)
+        return strlen(c);
+    return 0;
+}
+
 static int add_tracked_method(RTMPContext *rt, const char *name, int id)
 {
     int err;
@@ -326,7 +333,16 @@ static int gen_connect(URLContext *s, RTMPContext *rt)
     int ret;
 
     if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE,
-                                     0, 4096 + APP_MAX_LENGTH)) < 0)
+                                     0, 4096 + APP_MAX_LENGTH
+                                     + strlen(rt->auth_params) + strlen(rt->flashver)
+                                     + zstrlen(rt->enhanced_codecs)/5*7
+                                     + zstrlen(rt->swfurl)
+                                     + zstrlen(rt->swfverify)
+                                     + zstrlen(rt->tcurl)
+                                     + zstrlen(rt->auth_params)
+                                     + zstrlen(rt->pageurl)
+                                     + zstrlen(rt->conn)*3
+                                     )) < 0)
         return ret;
 
     p = pkt.data;
@@ -1899,7 +1915,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt,
 
     if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL,
                                      RTMP_PT_INVOKE, 0,
-                                     RTMP_PKTDATA_DEFAULT_SIZE)) < 0) {
+                                     RTMP_PKTDATA_DEFAULT_SIZE
+                                     + strlen(status) + strlen(description)
+                                     + zstrlen(details))) < 0) {
         av_log(s, AV_LOG_ERROR, "Unable to create response packet\n");
         return ret;
     }
@@ -2832,6 +2850,12 @@ reconnect:
                     "FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT);
         }
     }
+    if (   strlen(rt->flashver) > FLASHVER_MAX_LENGTH
+        || strlen(rt->tcurl   ) >    TCURL_MAX_LENGTH
+    ) {
+        ret = AVERROR(EINVAL);
+        goto fail;
+    }
 
     rt->receive_report_size = 1048576;
     rt->bytes_read = 0;

libavformat/rtpdec_rfc4175.c

@@ -23,7 +23,9 @@
 
 #include "avio_internal.h"
 #include "rtpdec_formats.h"
+#include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/pixdesc.h"
 #include "libavutil/parseutils.h"
 
@@ -127,7 +129,7 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream *stream,
         data->width = atoi(value);
     else if (!strncmp(attr, "height", 6))
         data->height = atoi(value);
-    else if (!strncmp(attr, "sampling", 8))
+    else if (data->sampling == NULL && !strncmp(attr, "sampling", 8))
         data->sampling = av_strdup(value);
     else if (!strncmp(attr, "depth", 5))
         data->depth = atoi(value);
@@ -171,30 +173,39 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream *stream,
 }
 
 static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
-                                  PayloadContext *data, const char *line)
+                                  PayloadContext *data_arg, const char *line)
 {
     const char *p;
 
     if (st_index < 0)
         return 0;
 
+    av_assert0(!data_arg->sampling);
+
     if (av_strstart(line, "fmtp:", &p)) {
         AVStream *stream = s->streams[st_index];
+        PayloadContext data0 = *data_arg, *data = &data0;
         int ret = ff_parse_fmtp(s, stream, data, p, rfc4175_parse_fmtp);
 
-        if (ret < 0)
-            return ret;
+        if (!data->sampling || !data->depth || !data->width || !data->height)
+            ret =  AVERROR(EINVAL);
 
+        if (ret < 0)
+            goto fail;
 
-        if (!data->sampling || !data->depth || !data->width || !data->height)
-            return AVERROR(EINVAL);
+        ret = av_image_check_size(data->width, data->height, 0, s);
+        if (ret < 0)
+            goto fail;
 
         stream->codecpar->width = data->width;
         stream->codecpar->height = data->height;
 
         ret = rfc4175_parse_format(stream, data);
         av_freep(&data->sampling);
-
+        if (ret >= 0)
+            *data_arg = *data;
+fail:
+        av_freep(&data->sampling);
         return ret;
     }
 
@@ -295,6 +306,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx, PayloadContext *data,
         if (data->interlaced)
             line = 2 * line + field;
 
+        if (line >= data->height)
+            return AVERROR_INVALIDDATA;
+
         /* prevent ill-formed packets to write after buffer's end */
         copy_offset = (line * data->width + offset) * data->pgroup / data->xinc;
         if (copy_offset + length > data->frame_size || !data->frame)

libavformat/rtpenc_h264_hevc.c

@@ -195,6 +195,9 @@ void ff_rtp_send_h264_hevc(AVFormatContext *s1, const uint8_t *buf1, int size)
             r1 = ff_avc_mp4_find_startcode(r, end, s->nal_length_size);
             if (!r1)
                 r1 = end;
+            // Check that the last is not truncated
+            if (r1 - r < s->nal_length_size)
+                break;
             r += s->nal_length_size;
         } else {
             while (!*(r++));

libavformat/sctp.c

@@ -334,6 +334,9 @@ static int sctp_write(URLContext *h, const uint8_t *buf, int size)
     }
 
     if (s->max_streams) {
+        if (size < 2)
+            return AVERROR(EINVAL);
+
         /*StreamId is introduced as a 2byte code into the stream*/
         struct sctp_sndrcvinfo info = { 0 };
         info.sinfo_stream           = AV_RB16(buf);

libavutil/common.h

@@ -468,13 +468,13 @@ static av_always_inline av_const int av_parity_c(uint32_t v)
  * to prevent undefined results.
  */
 #define GET_UTF8(val, GET_BYTE, ERROR)\
-    val= (GET_BYTE);\
+    val= (uint8_t)(GET_BYTE);\
     {\
         uint32_t top = (val & 128) >> 1;\
         if ((val & 0xc0) == 0x80 || val >= 0xFE)\
             {ERROR}\
         while (val & top) {\
-            unsigned int tmp = (GET_BYTE) - 128;\
+            unsigned int tmp = (uint8_t)(GET_BYTE) - 128;\
             if(tmp>>6)\
                 {ERROR}\
             val= (val<<6) + tmp;\
@@ -493,11 +493,11 @@ static av_always_inline av_const int av_parity_c(uint32_t v)
  *                  typically a goto statement.
  */
 #define GET_UTF16(val, GET_16BIT, ERROR)\
-    val = (GET_16BIT);\
+    val = (uint16_t)(GET_16BIT);\
     {\
         unsigned int hi = val - 0xD800;\
         if (hi < 0x800) {\
-            val = (GET_16BIT) - 0xDC00;\
+            val = (uint16_t)(GET_16BIT) - 0xDC00;\
             if (val > 0x3FFU || hi > 0x3FFU)\
                 {ERROR}\
             val += (hi<<10) + 0x10000;\

libswscale/output.c

@@ -965,7 +965,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t *lumFilter,
         int A = 0xffff;
 
         for (j = 0; j < lumFilterSize; j++)
-            Y += lumSrc[j][i] * lumFilter[j];
+            Y += lumSrc[j][i] * (unsigned)lumFilter[j];
 
         Y >>= 15;
         Y += (1<<3) + 0x8000;
@@ -974,7 +974,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t *lumFilter,
         if (hasAlpha) {
             A = -0x40000000 + (1<<14);
             for (j = 0; j < lumFilterSize; j++)
-                A += alpSrc[j][i] * lumFilter[j];
+                A += alpSrc[j][i] * (unsigned)lumFilter[j];
 
             A >>= 15;
             A += 0x8000;