Merge remote-tracking branch 'qatar/release/0.7' into release/0.8

* qatar/release/0.7: (96 commits)
  intfloat_readwrite: fix signed addition overflows
  smacker: validate channels and sample format.
  smacker: check buffer size before reading output size
  smacker: validate number of channels
  sipr: fix get_bits(0) calls
  motion_est: make MotionExtContext.map_generation unsigned
  4xm: prevent NULL dereference with invalid huffman table
  4xmdemux: prevent use of uninitialized memory
  4xm: clear FF_INPUT_BUFFER_PADDING_SIZE bytes in temporary buffers
  ptx: check for out of bound reads
  tiffdec: fix out of bound reads/writes
  eacmv: check for out of bound reads
  eacmv: fix potential pointer arithmetic overflows
  adpcm: fix out of bound reads due to integer overflow
  anm: prevent infinite loop
  avsdemux: check for out of bound writes
  avs: check for out of bound reads
  avsdemux: check for corrupted data
  mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions.
  vaapi: Fix VC-1 decoding (reconstruct bitstream TTFRM correctly).
  ...

Conflicts:
	libavcodec/adpcm.c
	libavcodec/bink.c
	libavcodec/h264.c
	libavcodec/h264.h
	libavcodec/h264_cabac.c
	libavcodec/h264_cavlc.c
	libavcodec/motion_est_template.c
	libavcodec/mpegvideo.c
	libavcodec/nellymoserdec.c
	libavcodec/ptx.c
	libavcodec/svq3.c
	libavcodec/vaapi_vc1.c
	libavcodec/xan.c
	libavfilter/vf_scale.c
	libavformat/4xm.c
	libavformat/flvdec.c
	libavformat/mpeg.c
	tests/ref/fate/motionpixels

Merged-by: Michael Niedermayer <michaelni@gmx.at>

16 files changed, 78 insertions, 79 deletions

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index de7bc7a45b..8fa6d91082 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1360,11 +1360,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
         }
         break;
     case CODEC_ID_ADPCM_EA:
-        if (buf_size < 12 || AV_RL32(src) > (buf_size - 12)/30*28) {
-            src += buf_size;
-            break;
+        /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces,
+           each coding 28 stereo samples. */
+        if (buf_size < 12) {
+            av_log(avctx, AV_LOG_ERROR, "frame too small\n");
+            return AVERROR(EINVAL);
         }
         samples_in_chunk = AV_RL32(src);
+        if (samples_in_chunk / 28 > (buf_size - 12) / 30) {
+            av_log(avctx, AV_LOG_ERROR, "invalid frame\n");
+            return AVERROR(EINVAL);
+        }
         src += 4;
         current_left_sample   = (int16_t)bytestream_get_le16(&src);
         previous_left_sample  = (int16_t)bytestream_get_le16(&src);
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index 63f17eb577..1508173a5d 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -457,8 +457,8 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
                     int start_bits, int has_sign)
 {
     int i, j, len, len2, bsize, sign, v, v2;
-    int16_t *dst = (int16_t*)b->cur_dec;
-    int16_t *dst_end =( int16_t*)b->data_end;
+    int16_t *dst     = (int16_t*)b->cur_dec;
+    int16_t *dst_end = (int16_t*)b->data_end;
 
     CHECK_READ_VAL(gb, b, len);
     v = get_bits(gb, start_bits - has_sign);
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index c93c0ecec2..8e4b44a584 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -108,7 +108,10 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){
     return 0;
 } //FIXME cleanup like check_intra_pred_mode
 
-static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
+/**
+ * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
+ */
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
     MpegEncContext * const s = &h->s;
     static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
     static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
@@ -140,23 +143,6 @@ static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
     return mode;
 }
 
-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode)
-{
-    return check_intra_pred_mode(h, mode, 0);
-}
-
-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode)
-{
-    return check_intra_pred_mode(h, mode, 1);
-}
-
-
 const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_length, int *consumed, int length){
     int i, si, di;
     uint8_t *dst;
@@ -2231,7 +2217,11 @@ static void implicit_weight_table(H264Context *h, int field){
     }
 
     if(field < 0){
-        cur_poc = s->current_picture_ptr->poc;
+        if (s->picture_structure == PICT_FRAME) {
+            cur_poc = s->current_picture_ptr->poc;
+        } else {
+            cur_poc = s->current_picture_ptr->field_poc[s->picture_structure - 1];
+        }
     if(   h->ref_count[0] == 1 && h->ref_count[1] == 1 && !FRAME_MBAFF
        && h->ref_list[0][0].poc + h->ref_list[1][0].poc == 2*cur_poc){
         h->use_weight= 0;
@@ -3761,7 +3751,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
                 case NAL_IDR_SLICE:
                 case NAL_SLICE:
                     init_get_bits(&hx->s.gb, ptr, bit_length);
-                    if(!get_ue_golomb(&hx->s.gb))
+                    if (!get_ue_golomb(&hx->s.gb))
                         nals_needed = nal_index;
             }
             continue;
diff --git a/libavcodec/h264.h b/libavcodec/h264.h
index f7948a5a5a..62a4ae2ad0 100644
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -658,12 +658,7 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h);
 /**
  * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
  */
-int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode);
-
-/**
- * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode);
+int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma);
 
 void ff_h264_write_back_intra_pred_mode(H264Context *h);
 void ff_h264_hl_decode_mb(H264Context *h);
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index 7aaecf3c2e..55152d772d 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -2003,14 +2003,14 @@ decode_intra_mb:
             ff_h264_write_back_intra_pred_mode(h);
             if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1;
         } else {
-            h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode( h, h->intra16x16_pred_mode );
+            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode, 0 );
             if( h->intra16x16_pred_mode < 0 ) return -1;
         }
         if(decode_chroma){
             h->chroma_pred_mode_table[mb_xy] =
             pred_mode                        = decode_cabac_mb_chroma_pre_mode( h );
 
-            pred_mode= ff_h264_check_intra_chroma_pred_mode( h, pred_mode );
+            pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode, 1 );
             if( pred_mode < 0 ) return -1;
             h->chroma_pred_mode= pred_mode;
         } else {
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 92cae7fa93..0d076c3575 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -238,17 +238,18 @@ static inline int pred_non_zero_count(H264Context *h, int n){
 }
 
 static av_cold void init_cavlc_level_tab(void){
-    int suffix_length, mask;
+    int suffix_length;
     unsigned int i;
 
     for(suffix_length=0; suffix_length<7; suffix_length++){
         for(i=0; i<(1<<LEVEL_TAB_BITS); i++){
             int prefix= LEVEL_TAB_BITS - av_log2(2*i);
-            int level_code= (prefix<<suffix_length) + (i>>(LEVEL_TAB_BITS-prefix-1-suffix_length)) - (1<<suffix_length);
 
-            mask= -(level_code&1);
-            level_code= (((2+level_code)>>1) ^ mask) - mask;
             if(prefix + 1 + suffix_length <= LEVEL_TAB_BITS){
+                int level_code = (prefix << suffix_length) +
+                    (i >> (av_log2(i) - suffix_length)) - (1 << suffix_length);
+                int mask = -(level_code&1);
+                level_code = (((2 + level_code) >> 1) ^ mask) - mask;
                 cavlc_level_tab[suffix_length][i][0]= level_code;
                 cavlc_level_tab[suffix_length][i][1]= prefix + 1 + suffix_length;
             }else if(prefix + 1 <= LEVEL_TAB_BITS){
@@ -735,12 +736,12 @@ decode_intra_mb:
             if( ff_h264_check_intra4x4_pred_mode(h) < 0)
                 return -1;
         }else{
-            h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode(h, h->intra16x16_pred_mode);
+            h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode, 0);
             if(h->intra16x16_pred_mode < 0)
                 return -1;
         }
         if(decode_chroma){
-            pred_mode= ff_h264_check_intra_chroma_pred_mode(h, get_ue_golomb_31(&s->gb));
+            pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb), 1);
             if(pred_mode < 0)
                 return -1;
             h->chroma_pred_mode= pred_mode;
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 680db1e5a6..65d856a98a 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -485,6 +485,7 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
     unsigned int pps_id= get_ue_golomb(&s->gb);
     PPS *pps;
     const int qp_bd_offset = 6*(h->sps.bit_depth_luma-8);
+    int bits_left;
 
     if(pps_id >= MAX_PPS_COUNT) {
         av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id);
@@ -561,7 +562,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
     memcpy(pps->scaling_matrix4, h->sps_buffers[pps->sps_id]->scaling_matrix4, sizeof(pps->scaling_matrix4));
     memcpy(pps->scaling_matrix8, h->sps_buffers[pps->sps_id]->scaling_matrix8, sizeof(pps->scaling_matrix8));
 
-    if(get_bits_count(&s->gb) < bit_length){
+    bits_left = bit_length - get_bits_count(&s->gb);
+    if (bits_left && (bits_left > 8 ||
+                      show_bits(&s->gb, bits_left) != 1 << (bits_left - 1))) {
         pps->transform_8x8_mode= get_bits1(&s->gb);
         decode_scaling_matrices(h, h->sps_buffers[pps->sps_id], pps, 0, pps->scaling_matrix4, pps->scaling_matrix8);
         pps->chroma_qp_index_offset[1]= get_se_golomb(&s->gb); //second_chroma_qp_index_offset
diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c
index 02e804d88f..82979a540c 100644
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -52,7 +52,7 @@ static inline int sad_hpel_motion_search(MpegEncContext * s,
                                   int src_index, int ref_index,
                                   int size, int h);
 
-static inline int update_map_generation(MotionEstContext *c)
+static inline unsigned update_map_generation(MotionEstContext *c)
 {
     c->map_generation+= 1<<(ME_MAP_MV_BITS*2);
     if(c->map_generation==0){
diff --git a/libavcodec/motion_est_template.c b/libavcodec/motion_est_template.c
index 3ff001bc82..dd1a6de1b3 100644
--- a/libavcodec/motion_est_template.c
+++ b/libavcodec/motion_est_template.c
@@ -158,9 +158,8 @@ static int hpel_motion_search(MpegEncContext * s,
         const int b= score_map[(index+(1<<ME_MAP_SHIFT))&(ME_MAP_SIZE-1)]
                      + (mv_penalty[bx   - pred_x] + mv_penalty[by+2 - pred_y])*c->penalty_factor;
 
-#if 1
-        int key;
-        int map_generation= c->map_generation;
+        unsigned key;
+        unsigned map_generation= c->map_generation;
 #ifndef NDEBUG
         uint32_t *map= c->map;
 #endif
@@ -172,7 +171,6 @@ static int hpel_motion_search(MpegEncContext * s,
         assert(map[(index+1)&(ME_MAP_SIZE-1)] == key);
         key= ((my)<<ME_MAP_MV_BITS) + (mx-1) + map_generation;
         assert(map[(index-1)&(ME_MAP_SIZE-1)] == key);
-#endif
         if(t<=b){
             CHECK_HALF_MV(0, 1, mx  ,my-1)
             if(l<=r){
@@ -280,7 +278,7 @@ static int qpel_motion_search(MpegEncContext * s,
     const int mx = *mx_ptr;
     const int my = *my_ptr;
     const int penalty_factor= c->sub_penalty_factor;
-    const int map_generation= c->map_generation;
+    const unsigned map_generation = c->map_generation;
     const int subpel_quality= c->avctx->me_subpel_quality;
     uint32_t *map= c->map;
     me_cmp_func cmpf, chroma_cmpf;
@@ -497,7 +495,7 @@ static int qpel_motion_search(MpegEncContext * s,
 
 #define CHECK_MV(x,y)\
 {\
-    const int key= ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
+    const unsigned key = ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
     const int index= (((y)<<ME_MAP_SHIFT) + (x))&(ME_MAP_SIZE-1);\
     assert((x) >= xmin);\
     assert((x) <= xmax);\
@@ -525,7 +523,7 @@ static int qpel_motion_search(MpegEncContext * s,
 
 #define CHECK_MV_DIR(x,y,new_dir)\
 {\
-    const int key= ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
+    const unsigned key = ((y)<<ME_MAP_MV_BITS) + (x) + map_generation;\
     const int index= (((y)<<ME_MAP_SHIFT) + (x))&(ME_MAP_SIZE-1);\
 /*printf("check_mv_dir %d %d %d\n", x, y, new_dir);*/\
     if(map[index]!=key){\
@@ -563,13 +561,13 @@ static av_always_inline int small_diamond_search(MpegEncContext * s, int *best,
     int next_dir=-1;
     LOAD_COMMON
     LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
 
     cmpf= s->dsp.me_cmp[size];
     chroma_cmpf= s->dsp.me_cmp[size+1];
 
     { /* ensure that the best point is in the MAP as h/qpel refinement needs it */
-        const int key= (best[1]<<ME_MAP_MV_BITS) + best[0] + map_generation;
+        const unsigned key = (best[1]<<ME_MAP_MV_BITS) + best[0] + map_generation;
         const int index= ((best[1]<<ME_MAP_SHIFT) + best[0])&(ME_MAP_SIZE-1);
         if(map[index]!=key){ //this will be executed only very rarey
             score_map[index]= cmp(s, best[0], best[1], 0, 0, size, h, ref_index, src_index, cmpf, chroma_cmpf, flags);
@@ -605,7 +603,7 @@ static int funny_diamond_search(MpegEncContext * s, int *best, int dmin,
     int dia_size;
     LOAD_COMMON
     LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
 
     cmpf= s->dsp.me_cmp[size];
     chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -646,7 +644,7 @@ static int hex_search(MpegEncContext * s, int *best, int dmin,
     me_cmp_func cmpf, chroma_cmpf;
     LOAD_COMMON
     LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
     int x,y,d;
     const int dec= dia_size & (dia_size-1);
 
@@ -680,7 +678,7 @@ static int l2s_dia_search(MpegEncContext * s, int *best, int dmin,
     me_cmp_func cmpf, chroma_cmpf;
     LOAD_COMMON
     LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
     int x,y,i,d;
     int dia_size= c->dia_size&0xFF;
     const int dec= dia_size & (dia_size-1);
@@ -718,7 +716,7 @@ static int umh_search(MpegEncContext * s, int *best, int dmin,
     me_cmp_func cmpf, chroma_cmpf;
     LOAD_COMMON
     LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
     int x,y,x2,y2, i, j, d;
     const int dia_size= c->dia_size&0xFE;
     static const int hex[16][2]={{-4,-2}, {-4,-1}, {-4, 0}, {-4, 1}, {-4, 2},
@@ -765,7 +763,7 @@ static int full_search(MpegEncContext * s, int *best, int dmin,
     me_cmp_func cmpf, chroma_cmpf;
     LOAD_COMMON
     LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
     int x,y, d;
     const int dia_size= c->dia_size&0xFF;
 
@@ -794,7 +792,7 @@ static int full_search(MpegEncContext * s, int *best, int dmin,
 
 #define SAB_CHECK_MV(ax,ay)\
 {\
-    const int key= ((ay)<<ME_MAP_MV_BITS) + (ax) + map_generation;\
+    const unsigned key = ((ay)<<ME_MAP_MV_BITS) + (ax) + map_generation;\
     const int index= (((ay)<<ME_MAP_SHIFT) + (ax))&(ME_MAP_SIZE-1);\
 /*printf("sab check %d %d\n", ax, ay);*/\
     if(map[index]!=key){\
@@ -833,7 +831,7 @@ static int sab_diamond_search(MpegEncContext * s, int *best, int dmin,
     int i, j;
     LOAD_COMMON
     LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
 
     cmpf= s->dsp.me_cmp[size];
     chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -918,7 +916,7 @@ static int var_diamond_search(MpegEncContext * s, int *best, int dmin,
     int dia_size;
     LOAD_COMMON
     LOAD_COMMON2
-    int map_generation= c->map_generation;
+    unsigned map_generation = c->map_generation;
 
     cmpf= s->dsp.me_cmp[size];
     chroma_cmpf= s->dsp.me_cmp[size+1];
@@ -1010,7 +1008,7 @@ static av_always_inline int epzs_motion_search_internal(MpegEncContext * s, int
     int d;                   ///< the score (cmp + penalty) of any given mv
     int dmin;                /*!< the best value of d, i.e. the score
                                corresponding to the mv stored in best[]. */
-    int map_generation;
+    unsigned map_generation;
     int penalty_factor;
     const int ref_mv_stride= s->mb_stride; //pass as arg  FIXME
     const int ref_mv_xy= s->mb_x + s->mb_y*ref_mv_stride; //add to last_mv beforepassing FIXME
@@ -1138,7 +1136,7 @@ static int epzs_motion_search4(MpegEncContext * s,
     MotionEstContext * const c= &s->me;
     int best[2]={0, 0};
     int d, dmin;
-    int map_generation;
+    unsigned map_generation;
     const int penalty_factor= c->penalty_factor;
     const int size=1;
     const int h=8;
@@ -1198,7 +1196,7 @@ static int epzs_motion_search2(MpegEncContext * s,
     MotionEstContext * const c= &s->me;
     int best[2]={0, 0};
     int d, dmin;
-    int map_generation;
+    unsigned map_generation;
     const int penalty_factor= c->penalty_factor;
     const int size=0; //FIXME pass as arg
     const int h=8;
diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c
index 41344562b2..3c8229575a 100644
--- a/libavcodec/mpeg12enc.c
+++ b/libavcodec/mpeg12enc.c
@@ -27,6 +27,7 @@
 
 #include "avcodec.h"
 #include "dsputil.h"
+#include "mathops.h"
 #include "mpegvideo.h"
 
 #include "mpeg12.h"
@@ -681,8 +682,7 @@ static void mpeg1_encode_motion(MpegEncContext *s, int val, int f_or_b_code)
         int bit_size = f_or_b_code - 1;
         int range = 1 << bit_size;
         /* modulo encoding */
-        int l= INT_BIT - 5 - bit_size;
-        val= (val<<l)>>l;
+        val = sign_extend(val, 5 + bit_size);
 
         if (val >= 0) {
             val--;
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index 9c47c15a51..016d8ca58f 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -366,8 +366,8 @@ static int init_duplicate_context(MpegEncContext *s, MpegEncContext *base){
     int i;
 
     // edge emu needs blocksize + filter length - 1 (=17x17 for halfpel / 21x21 for h264)
-    FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
-    s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21*2;
+    FF_ALLOCZ_OR_GOTO(s->avctx, s->edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
+
 
      //FIXME should be linesize instead of s->width*2 but that is not known before get_buffer()
     FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad,  (s->width+64)*4*16*2*sizeof(uint8_t), fail)
@@ -405,7 +405,7 @@ fail:
 static void free_duplicate_context(MpegEncContext *s){
     if(s==NULL) return;
 
-    av_freep(&s->allocated_edge_emu_buffer); s->edge_emu_buffer= NULL;
+    av_freep(&s->edge_emu_buffer);
     av_freep(&s->me.scratchpad);
     s->me.temp=
     s->rd_scratchpad=
@@ -422,7 +422,6 @@ static void free_duplicate_context(MpegEncContext *s){
 
 static void backup_duplicate_context(MpegEncContext *bak, MpegEncContext *src){
 #define COPY(a) bak->a= src->a
-    COPY(allocated_edge_emu_buffer);
     COPY(edge_emu_buffer);
     COPY(me.scratchpad);
     COPY(me.temp);
diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h
index 1b8483f9d5..b7205fa968 100644
--- a/libavcodec/mpegvideo.h
+++ b/libavcodec/mpegvideo.h
@@ -153,7 +153,7 @@ typedef struct MotionEstContext{
     int best_bits;
     uint32_t *map;                     ///< map to avoid duplicate evaluations
     uint32_t *score_map;               ///< map to store the scores
-    int map_generation;
+    unsigned map_generation;
     int pre_penalty_factor;
     int penalty_factor;                /*!< an estimate of the bits required to
                                         code a given mv value, e.g. (1,0) takes
@@ -317,8 +317,7 @@ typedef struct MpegEncContext {
     uint8_t *mbintra_table;       ///< used to avoid setting {ac, dc, cbp}-pred stuff to zero on inter MB decoding
     uint8_t *cbp_table;           ///< used to store cbp, ac_pred for partitioned decoding
     uint8_t *pred_dir_table;      ///< used to store pred_dir for partitioned decoding
-    uint8_t *allocated_edge_emu_buffer;
-    uint8_t *edge_emu_buffer;     ///< points into the middle of allocated_edge_emu_buffer
+    uint8_t *edge_emu_buffer;     ///< temporary buffer for if MVs point to out-of-frame data
     uint8_t *rd_scratchpad;       ///< scratchpad for rate distortion mb decision
     uint8_t *obmc_scratchpad;
     uint8_t *b_scratchpad;        ///< scratchpad used for writing into write only buffers
diff --git a/libavcodec/nellymoserdec.c b/libavcodec/nellymoserdec.c
index d85483dbf4..387a6cf465 100644
--- a/libavcodec/nellymoserdec.c
+++ b/libavcodec/nellymoserdec.c
@@ -157,19 +157,26 @@ static int decode_tag(AVCodecContext * avctx,
     int buf_size = avpkt->size;
     NellyMoserDecodeContext *s = avctx->priv_data;
     int data_max = *data_size;
-    int blocks, i;
+    int blocks, i, block_size;
     int16_t* samples;
-    *data_size = 0;
     samples = (int16_t*)data;
 
-    if (buf_size < avctx->block_align)
+    if (buf_size < avctx->block_align) {
+        *data_size = 0;
         return buf_size;
+    }
 
     if (buf_size % 64) {
         av_log(avctx, AV_LOG_ERROR, "Tag size %d.\n", buf_size);
+        *data_size = 0;
         return buf_size;
     }
-    blocks = buf_size / 64;
+    block_size = NELLY_SAMPLES * av_get_bytes_per_sample(avctx->sample_fmt);
+    blocks     = FFMIN(buf_size / 64, *data_size / block_size);
+    if (blocks <= 0) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
     /* Normal numbers of blocks for sample rates:
      *  8000 Hz - 1
      * 11025 Hz - 2
@@ -183,8 +190,8 @@ static int decode_tag(AVCodecContext * avctx,
             return i > 0 ? i * NELLY_BLOCK_LEN : -1;
         nelly_decode_block(s, &buf[i*NELLY_BLOCK_LEN], s->float_buf);
         s->fmt_conv.float_to_int16(&samples[i*NELLY_SAMPLES], s->float_buf, NELLY_SAMPLES);
-        *data_size += NELLY_SAMPLES*sizeof(int16_t);
     }
+    *data_size = blocks * block_size;
 
     return buf_size;
 }
diff --git a/libavcodec/ptx.c b/libavcodec/ptx.c
index 756dbcd58b..14a4972a7a 100644
--- a/libavcodec/ptx.c
+++ b/libavcodec/ptx.c
@@ -60,7 +60,6 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
 
     avctx->pix_fmt = PIX_FMT_RGB555;
 
-
     if (buf_end - buf < offset)
         return AVERROR_INVALIDDATA;
     if (offset != 0x2c)
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 812ac962f2..2deb16ad3c 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -612,7 +612,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
         dir = i_mb_type_info[mb_type - 8].pred_mode;
         dir = (dir >> 1) ^ 3*(dir & 1) ^ 1;
 
-        if ((h->intra16x16_pred_mode = ff_h264_check_intra16x16_pred_mode(h, dir)) == -1){
+        if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1){
             av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n");
             return -1;
         }
@@ -711,7 +711,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
     s->current_picture.mb_type[mb_xy] = mb_type;
 
     if (IS_INTRA(mb_type)) {
-        h->chroma_pred_mode = ff_h264_check_intra_chroma_pred_mode(h, DC_PRED8x8);
+        h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8, 1);
     }
 
     return 0;
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index fe9eece61a..17b994bd81 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -555,8 +555,10 @@ static int xan_decode_frame(AVCodecContext *avctx,
         }
         buf_size = buf_end - buf;
     }
-    if (s->palettes_count <= 0)
+    if (s->palettes_count <= 0) {
+        av_log(s->avctx, AV_LOG_ERROR, "No palette found\n");
         return AVERROR_INVALIDDATA;
+    }
 
     if ((ret = avctx->get_buffer(avctx, &s->current_frame))) {
         av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n");