The following issues were found
libavcodec/vp9dsp_template.c
10 issues
Line: 816
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
v[size - 2] = (top[size - 2] + top[size - 1] * 3 + 2) >> 2; \
\
for (j = 0; j < size; j++) { \
memcpy(dst + j*stride, v + j, (size - 1 - j) * sizeof(pixel)); \
memset_bpc(dst + j*stride + size - 1 - j, top[size - 1], j + 1); \
} \
}
def_diag_downleft(8)
Reported by FlawFinder.
Line: 864
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
v[size ] = (top[-1] + top[0] * 2 + top[ 1] + 2) >> 2; \
\
for (j = 0; j < size; j++) \
memcpy(dst + j*stride, v + size - 1 - j, size * sizeof(pixel)); \
}
def_diag_downright(8)
def_diag_downright(16)
def_diag_downright(32)
Reported by FlawFinder.
Line: 919
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} \
\
for (j = 0; j < size / 2; j++) { \
memcpy(dst + j*2 *stride, ve + size/2 - 1 - j, size * sizeof(pixel)); \
memcpy(dst + (j*2 + 1)*stride, vo + size/2 - 1 - j, size * sizeof(pixel)); \
} \
}
def_vert_right(8)
Reported by FlawFinder.
Line: 920
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
\
for (j = 0; j < size / 2; j++) { \
memcpy(dst + j*2 *stride, ve + size/2 - 1 - j, size * sizeof(pixel)); \
memcpy(dst + (j*2 + 1)*stride, vo + size/2 - 1 - j, size * sizeof(pixel)); \
} \
}
def_vert_right(8)
def_vert_right(16)
Reported by FlawFinder.
Line: 972
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
v[size*2 - 3] = (top[-1] + left[size - 1] * 2 + left[size - 2] + 2) >> 2; \
\
for (j = 0; j < size; j++) \
memcpy(dst + j*stride, v + size*2 - 2 - j*2, size * sizeof(pixel)); \
}
def_hor_down(8)
def_hor_down(16)
def_hor_down(32)
Reported by FlawFinder.
Line: 1018
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vo[size - 2] = (top[size - 2] + top[size - 1] * 3 + 2) >> 2; \
\
for (j = 0; j < size / 2; j++) { \
memcpy(dst + j*2 * stride, ve + j, (size - j - 1) * sizeof(pixel)); \
memset_bpc(dst + j*2 * stride + size - j - 1, top[size - 1], j + 1); \
memcpy(dst + (j*2 + 1) * stride, vo + j, (size - j - 1) * sizeof(pixel)); \
memset_bpc(dst + (j*2 + 1) * stride + size - j - 1, top[size - 1], j + 1); \
} \
}
Reported by FlawFinder.
Line: 1020
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (j = 0; j < size / 2; j++) { \
memcpy(dst + j*2 * stride, ve + j, (size - j - 1) * sizeof(pixel)); \
memset_bpc(dst + j*2 * stride + size - j - 1, top[size - 1], j + 1); \
memcpy(dst + (j*2 + 1) * stride, vo + j, (size - j - 1) * sizeof(pixel)); \
memset_bpc(dst + (j*2 + 1) * stride + size - j - 1, top[size - 1], j + 1); \
} \
}
def_vert_left(8)
Reported by FlawFinder.
Line: 1064
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
v[size*2 - 3] = (left[size - 2] + left[size - 1] * 3 + 2) >> 2; \
\
for (j = 0; j < size / 2; j++) \
memcpy(dst + j*stride, v + j*2, size * sizeof(pixel)); \
for (j = size / 2; j < size; j++) { \
memcpy(dst + j*stride, v + j*2, (size*2 - 2 - j*2) * sizeof(pixel)); \
memset_bpc(dst + j*stride + size*2 - 2 - j*2, left[size - 1], \
2 + j*2 - size); \
} \
Reported by FlawFinder.
Line: 1066
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (j = 0; j < size / 2; j++) \
memcpy(dst + j*stride, v + j*2, size * sizeof(pixel)); \
for (j = size / 2; j < size; j++) { \
memcpy(dst + j*stride, v + j*2, (size*2 - 2 - j*2) * sizeof(pixel)); \
memset_bpc(dst + j*stride + size*2 - 2 - j*2, left[size - 1], \
2 + j*2 - size); \
} \
}
Reported by FlawFinder.
Line: 1944
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int w, int h)
{
do {
memcpy(dst, src, w * sizeof(pixel));
dst += dst_stride;
src += src_stride;
} while (--h);
}
Reported by FlawFinder.
libavcodec/videotoolboxenc.c
10 issues
Line: 1638
CWE codes:
682
int zeros = 0;
int wrote_bytes;
uint8_t* dst_start;
uint8_t* dst_end = dst + dst_size;
const uint8_t* src_end = src + src_size;
int start_at = dst_offset > 2 ? dst_offset - 2 : 0;
int i;
for (i = start_at; i < dst_offset && i < dst_size; i++) {
if (!dst[i])
Reported by Cppcheck.
Line: 1643
CWE codes:
476
int start_at = dst_offset > 2 ? dst_offset - 2 : 0;
int i;
for (i = start_at; i < dst_offset && i < dst_size; i++) {
if (!dst[i])
zeros++;
else
zeros = 0;
}
Reported by Cppcheck.
Line: 534
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR_BUFFER_TOO_SMALL;
}
memcpy(dst + offset, start_code, sizeof(start_code));
offset += sizeof(start_code);
memcpy(dst + offset, ps, ps_size);
offset = next_offset;
}
Reported by FlawFinder.
Line: 537
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst + offset, start_code, sizeof(start_code));
offset += sizeof(start_code);
memcpy(dst + offset, ps, ps_size);
offset = next_offset;
}
if (status) {
av_log(avctx, AV_LOG_ERROR, "Error getting parameter set data: %d\n", status);
Reported by FlawFinder.
Line: 1813
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
//No SEI NAL unit - insert.
int wrote_bytes;
memcpy(dst_data, start_code, sizeof(start_code));
dst_data += sizeof(start_code);
remaining_dst_size -= sizeof(start_code);
*dst_data = H264_NAL_SEI;
dst_data++;
Reported by FlawFinder.
Line: 1856
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst_box = dst_data + sizeof(start_code);
memcpy(dst_data, start_code, sizeof(start_code));
status = CMBlockBufferCopyDataBytes(block,
src_offset + length_code_size,
box_len,
dst_box);
Reported by FlawFinder.
Line: 2197
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rows = plane_rows[i];
if (dst_stride == src_stride) {
memcpy(dst_addr, src_addr, src_stride * rows);
} else {
copy_bytes = dst_stride < src_stride ? dst_stride : src_stride;
for (j = 0; j < rows; j++) {
memcpy(dst_addr + j * dst_stride, src_addr + j * src_stride, copy_bytes);
Reported by FlawFinder.
Line: 2202
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
copy_bytes = dst_stride < src_stride ? dst_stride : src_stride;
for (j = 0; j < rows; j++) {
memcpy(dst_addr + j * dst_stride, src_addr + j * src_stride, copy_bytes);
}
}
}
} else {
if (frame->data[1]) {
Reported by FlawFinder.
Line: 2224
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rows = plane_rows[0];
if (dst_stride == src_stride) {
memcpy(dst_addr, src_addr, src_stride * rows);
} else {
copy_bytes = dst_stride < src_stride ? dst_stride : src_stride;
for (j = 0; j < rows; j++) {
memcpy(dst_addr + j * dst_stride, src_addr + j * src_stride, copy_bytes);
Reported by FlawFinder.
Line: 2229
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
copy_bytes = dst_stride < src_stride ? dst_stride : src_stride;
for (j = 0; j < rows; j++) {
memcpy(dst_addr + j * dst_stride, src_addr + j * src_stride, copy_bytes);
}
}
}
status = CVPixelBufferUnlockBaseAddress(cv_img, 0);
Reported by FlawFinder.
libavcodec/flashsv2enc.c
10 issues
Line: 270
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static int new_key_frame(FlashSV2Context * s)
{
int i;
memcpy(s->key_blocks, s->frame_blocks, s->blocks_size);
memcpy(s->key_frame, s->current_frame, s->frame_size);
for (i = 0; i < s->rows * s->cols; i++) {
s->key_blocks[i].enc += (s->keybuffer - s->encbuffer);
s->key_blocks[i].sl_begin = 0;
Reported by FlawFinder.
Line: 271
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
int i;
memcpy(s->key_blocks, s->frame_blocks, s->blocks_size);
memcpy(s->key_frame, s->current_frame, s->frame_size);
for (i = 0; i < s->rows * s->cols; i++) {
s->key_blocks[i].enc += (s->keybuffer - s->encbuffer);
s->key_blocks[i].sl_begin = 0;
s->key_blocks[i].sl_end = 0;
Reported by FlawFinder.
Line: 279
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s->key_blocks[i].sl_end = 0;
s->key_blocks[i].data = 0;
}
memcpy(s->keybuffer, s->encbuffer, s->frame_size);
return 0;
}
static int write_palette(FlashSV2Context * s, uint8_t * buf, int buf_size)
Reported by FlawFinder.
Line: 353
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[buf_pos++] = (b->row);
}
memcpy(buf + buf_pos, b->data, b->data_size);
buf_pos += b->data_size;
return buf_pos;
}
Reported by FlawFinder.
Line: 405
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int i;
uint8_t *ptr = b->enc;
for (i = 0; i < b->start; i++)
memcpy(ptr + i * b->width * 3, src + i * stride, b->width * 3);
b->sl_begin = ptr + i * b->width * 3;
for (; i < b->start + b->len; i++)
memcpy(ptr + i * b->width * 3, src + i * stride, b->width * 3);
b->sl_end = ptr + i * b->width * 3;
for (; i < b->height; i++)
Reported by FlawFinder.
Line: 408
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ptr + i * b->width * 3, src + i * stride, b->width * 3);
b->sl_begin = ptr + i * b->width * 3;
for (; i < b->start + b->len; i++)
memcpy(ptr + i * b->width * 3, src + i * stride, b->width * 3);
b->sl_end = ptr + i * b->width * 3;
for (; i < b->height; i++)
memcpy(ptr + i * b->width * 3, src + i * stride, b->width * 3);
b->enc_size = ptr + i * b->width * 3 - b->enc;
return b->enc_size;
Reported by FlawFinder.
Line: 411
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ptr + i * b->width * 3, src + i * stride, b->width * 3);
b->sl_end = ptr + i * b->width * 3;
for (; i < b->height; i++)
memcpy(ptr + i * b->width * 3, src + i * stride, b->width * 3);
b->enc_size = ptr + i * b->width * 3 - b->enc;
return b->enc_size;
}
static inline unsigned pixel_color15(const uint8_t * src)
Reported by FlawFinder.
Line: 521
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static int generate_default_palette(Palette * palette)
{
memcpy(palette->colors, default_screen_video_v2_palette,
sizeof(default_screen_video_v2_palette));
return update_palette_index(palette);
}
Reported by FlawFinder.
Line: 588
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf_size < b->data_size) {
b->data_size = buf_size;
memcpy(b->data, buf, buf_size);
b->flags |= ZLIB_PRIME_COMPRESS_PREVIOUS;
}
}
} else {
b->data_size = 0;
Reported by FlawFinder.
Line: 603
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (memcmp(src, frame, b->width * 3) != 0) {
b->dirty = 1;
memcpy(frame, src, b->width * 3);
#ifndef FLASHSV2_DUMB
s->diff_lines++;
#endif
}
if (memcmp(src, key, b->width * 3) != 0) {
Reported by FlawFinder.
libavformat/udp.c
10 issues
Line: 204
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (addr->sa_family == AF_INET6) {
struct ipv6_mreq mreq6;
memcpy(&mreq6.ipv6mr_multiaddr, &(((struct sockaddr_in6 *)addr)->sin6_addr), sizeof(struct in6_addr));
//TODO: Interface index should be looked up from local_addr
mreq6.ipv6mr_interface = 0;
if (setsockopt(sockfd, IPPROTO_IPV6, IPV6_ADD_MEMBERSHIP, &mreq6, sizeof(mreq6)) < 0) {
ff_log_net_error(NULL, AV_LOG_ERROR, "setsockopt(IPV6_ADD_MEMBERSHIP)");
return ff_neterrno();
Reported by FlawFinder.
Line: 237
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (addr->sa_family == AF_INET6) {
struct ipv6_mreq mreq6;
memcpy(&mreq6.ipv6mr_multiaddr, &(((struct sockaddr_in6 *)addr)->sin6_addr), sizeof(struct in6_addr));
//TODO: Interface index should be looked up from local_addr
mreq6.ipv6mr_interface = 0;
if (setsockopt(sockfd, IPPROTO_IPV6, IPV6_DROP_MEMBERSHIP, &mreq6, sizeof(mreq6)) < 0) {
ff_log_net_error(NULL, AV_LOG_ERROR, "setsockopt(IPV6_DROP_MEMBERSHIP)");
return -1;
Reported by FlawFinder.
Line: 268
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
//TODO: Interface index should be looked up from local_addr
mreqs.gsr_interface = 0;
memcpy(&mreqs.gsr_group, addr, addr_len);
memcpy(&mreqs.gsr_source, &sources[i], sizeof(*sources));
if (setsockopt(sockfd, level,
include ? MCAST_JOIN_SOURCE_GROUP : MCAST_BLOCK_SOURCE,
(const void *)&mreqs, sizeof(mreqs)) < 0) {
Reported by FlawFinder.
Line: 269
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
//TODO: Interface index should be looked up from local_addr
mreqs.gsr_interface = 0;
memcpy(&mreqs.gsr_group, addr, addr_len);
memcpy(&mreqs.gsr_source, &sources[i], sizeof(*sources));
if (setsockopt(sockfd, level,
include ? MCAST_JOIN_SOURCE_GROUP : MCAST_BLOCK_SOURCE,
(const void *)&mreqs, sizeof(mreqs)) < 0) {
if (include)
Reported by FlawFinder.
Line: 327
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
res0 = ff_ip_resolve_host(h, hostname, port, SOCK_DGRAM, AF_UNSPEC, 0);
if (!res0) return AVERROR(EIO);
memcpy(addr, res0->ai_addr, res0->ai_addrlen);
addr_len = res0->ai_addrlen;
freeaddrinfo(res0);
return addr_len;
}
Reported by FlawFinder.
Line: 361
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (udp_fd < 0)
goto fail;
memcpy(addr, res->ai_addr, res->ai_addrlen);
*addr_len = res->ai_addrlen;
freeaddrinfo(res0);
return udp_fd;
Reported by FlawFinder.
Line: 378
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int udp_port(struct sockaddr_storage *addr, int addr_len)
{
char sbuf[sizeof(int)*3+1];
int error;
if ((error = getnameinfo((struct sockaddr *)addr, addr_len, NULL, 0, sbuf, sizeof(sbuf), NI_NUMERICSERV)) != 0) {
av_log(NULL, AV_LOG_ERROR, "getnameinfo: %s\n", gai_strerror(error));
return -1;
Reported by FlawFinder.
Line: 409
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ff_udp_set_remote_url(URLContext *h, const char *uri)
{
UDPContext *s = h->priv_data;
char hostname[256], buf[10];
int port;
const char *p;
av_url_split(NULL, 0, NULL, 0, hostname, sizeof(hostname), &port, NULL, 0, uri);
Reported by FlawFinder.
Line: 626
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* return non zero if error */
static int udp_open(URLContext *h, const char *uri, int flags)
{
char hostname[1024], localaddr[1024] = "";
int port, udp_fd = -1, tmp, bind_ret = -1, dscp = -1;
UDPContext *s = h->priv_data;
int is_output;
const char *p;
char buf[256];
Reported by FlawFinder.
Line: 631
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
UDPContext *s = h->priv_data;
int is_output;
const char *p;
char buf[256];
struct sockaddr_storage my_addr;
socklen_t len;
int ret;
h->is_streamed = 1;
Reported by FlawFinder.
libavcodec/mpegaudioenc_template.c
10 issues
Line: 60
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
short samples_buf[MPA_MAX_CHANNELS][SAMPLES_BUF_SIZE]; /* buffer for filter */
int samples_offset[MPA_MAX_CHANNELS]; /* offset in samples_buf */
int sb_samples[MPA_MAX_CHANNELS][3][12][SBLIMIT];
unsigned char scale_factors[MPA_MAX_CHANNELS][SBLIMIT][3]; /* scale factors */
/* code to group 3 scale factors */
unsigned char scale_code[MPA_MAX_CHANNELS][SBLIMIT];
int sblimit; /* number of used subbands */
const unsigned char *alloc_table;
int16_t filter_bank[512];
Reported by FlawFinder.
Line: 62
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int sb_samples[MPA_MAX_CHANNELS][3][12][SBLIMIT];
unsigned char scale_factors[MPA_MAX_CHANNELS][SBLIMIT][3]; /* scale factors */
/* code to group 3 scale factors */
unsigned char scale_code[MPA_MAX_CHANNELS][SBLIMIT];
int sblimit; /* number of used subbands */
const unsigned char *alloc_table;
int16_t filter_bank[512];
int scale_factor_table[64];
unsigned char scale_diff_table[128];
Reported by FlawFinder.
Line: 67
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const unsigned char *alloc_table;
int16_t filter_bank[512];
int scale_factor_table[64];
unsigned char scale_diff_table[128];
#if USE_FLOATS
float scale_factor_inv_table[64];
#else
int8_t scale_factor_shift[64];
unsigned short scale_factor_mult[64];
Reported by FlawFinder.
Line: 378
Column: 44
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static void compute_scale_factors(MpegAudioContext *s,
unsigned char scale_code[SBLIMIT],
unsigned char scale_factors[SBLIMIT][3],
int sb_samples[3][12][SBLIMIT],
int sblimit)
{
int *p, vmax, v, n, i, j, k, code;
Reported by FlawFinder.
Line: 379
Column: 44
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void compute_scale_factors(MpegAudioContext *s,
unsigned char scale_code[SBLIMIT],
unsigned char scale_factors[SBLIMIT][3],
int sb_samples[3][12][SBLIMIT],
int sblimit)
{
int *p, vmax, v, n, i, j, k, code;
int index, d1, d2;
Reported by FlawFinder.
Line: 512
Column: 45
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
smaller than other encoders :-) */
static void compute_bit_allocation(MpegAudioContext *s,
short smr1[MPA_MAX_CHANNELS][SBLIMIT],
unsigned char bit_alloc[MPA_MAX_CHANNELS][SBLIMIT],
int *padding)
{
int i, ch, b, max_smr, max_ch, max_sb, current_frame_size, max_frame_size;
int incr;
short smr[MPA_MAX_CHANNELS][SBLIMIT];
Reported by FlawFinder.
Line: 518
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i, ch, b, max_smr, max_ch, max_sb, current_frame_size, max_frame_size;
int incr;
short smr[MPA_MAX_CHANNELS][SBLIMIT];
unsigned char subband_status[MPA_MAX_CHANNELS][SBLIMIT];
const unsigned char *alloc;
memcpy(smr, smr1, s->nb_channels * sizeof(short) * SBLIMIT);
memset(subband_status, SB_NOTALLOCATED, s->nb_channels * SBLIMIT);
memset(bit_alloc, 0, s->nb_channels * SBLIMIT);
Reported by FlawFinder.
Line: 521
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned char subband_status[MPA_MAX_CHANNELS][SBLIMIT];
const unsigned char *alloc;
memcpy(smr, smr1, s->nb_channels * sizeof(short) * SBLIMIT);
memset(subband_status, SB_NOTALLOCATED, s->nb_channels * SBLIMIT);
memset(bit_alloc, 0, s->nb_channels * SBLIMIT);
/* compute frame size and padding */
max_frame_size = s->frame_size;
Reported by FlawFinder.
Line: 607
Column: 35
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* compared to other encoders :-)
*/
static void encode_frame(MpegAudioContext *s,
unsigned char bit_alloc[MPA_MAX_CHANNELS][SBLIMIT],
int padding)
{
int i, j, k, l, bit_alloc_bits, b, ch;
unsigned char *sf;
int q[3];
Reported by FlawFinder.
Line: 748
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MpegAudioContext *s = avctx->priv_data;
const int16_t *samples = (const int16_t *)frame->data[0];
short smr[MPA_MAX_CHANNELS][SBLIMIT];
unsigned char bit_alloc[MPA_MAX_CHANNELS][SBLIMIT];
int padding, i, ret;
for(i=0;i<s->nb_channels;i++) {
filter(s, i, samples + i, s->nb_channels);
}
Reported by FlawFinder.
libavformat/tests/seek.c
10 issues
Line: 32
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "libavformat/avformat.h"
static char buffer[20];
static const char *ret_str(int v)
{
switch (v) {
case AVERROR_EOF: return "-EOF";
Reported by FlawFinder.
Line: 47
Column: 20
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
}
static void ts_str(char buffer[60], int64_t ts, AVRational base)
{
if (ts == AV_NOPTS_VALUE) {
strcpy(buffer, " NOPTS ");
return;
}
Reported by FlawFinder.
Line: 50
Column: 9
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
static void ts_str(char buffer[60], int64_t ts, AVRational base)
{
if (ts == AV_NOPTS_VALUE) {
strcpy(buffer, " NOPTS ");
return;
}
ts= av_rescale_q(ts, base, (AVRational){1, 1000000});
snprintf(buffer, 60, "%c%"PRId64".%06"PRId64"", ts<0 ? '-' : ' ', FFABS(ts)/1000000, FFABS(ts)%1000000);
}
Reported by FlawFinder.
Line: 72
Column: 25
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
for(i=2; i<argc; i+=2){
if (!strcmp(argv[i], "-seekforw")){
seekfirst = atoi(argv[i+1]);
} else if(!strcmp(argv[i], "-seekback")){
seekfirst = atoi(argv[i+1]);
firstback = 1;
} else if(!strcmp(argv[i], "-frames")){
frame_count = atoi(argv[i+1]);
Reported by FlawFinder.
Line: 74
Column: 25
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (!strcmp(argv[i], "-seekforw")){
seekfirst = atoi(argv[i+1]);
} else if(!strcmp(argv[i], "-seekback")){
seekfirst = atoi(argv[i+1]);
firstback = 1;
} else if(!strcmp(argv[i], "-frames")){
frame_count = atoi(argv[i+1]);
} else if(!strcmp(argv[i], "-duration")){
duration = atoi(argv[i+1]);
Reported by FlawFinder.
Line: 77
Column: 27
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
seekfirst = atoi(argv[i+1]);
firstback = 1;
} else if(!strcmp(argv[i], "-frames")){
frame_count = atoi(argv[i+1]);
} else if(!strcmp(argv[i], "-duration")){
duration = atoi(argv[i+1]);
} else if(!strcmp(argv[i], "-fastseek")) {
if (atoi(argv[i+1])) {
ic->flags |= AVFMT_FLAG_FAST_SEEK;
Reported by FlawFinder.
Line: 79
Column: 24
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
} else if(!strcmp(argv[i], "-frames")){
frame_count = atoi(argv[i+1]);
} else if(!strcmp(argv[i], "-duration")){
duration = atoi(argv[i+1]);
} else if(!strcmp(argv[i], "-fastseek")) {
if (atoi(argv[i+1])) {
ic->flags |= AVFMT_FLAG_FAST_SEEK;
}
} else if(argv[i][0] == '-' && argv[i+1]) {
Reported by FlawFinder.
Line: 81
Column: 17
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
} else if(!strcmp(argv[i], "-duration")){
duration = atoi(argv[i+1]);
} else if(!strcmp(argv[i], "-fastseek")) {
if (atoi(argv[i+1])) {
ic->flags |= AVFMT_FLAG_FAST_SEEK;
}
} else if(argv[i][0] == '-' && argv[i+1]) {
av_dict_set(&format_opts, argv[i] + 1, argv[i+1], 0);
} else {
Reported by FlawFinder.
Line: 122
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for(i=0; ; i++){
AVPacket pkt = { 0 };
AVStream *av_uninit(st);
char ts_buf[60];
if(ret>=0){
for(j=0; j<frame_count; j++) {
ret= av_read_frame(ic, &pkt);
if(ret>=0){
Reported by FlawFinder.
Line: 128
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for(j=0; j<frame_count; j++) {
ret= av_read_frame(ic, &pkt);
if(ret>=0){
char dts_buf[60];
st= ic->streams[pkt.stream_index];
ts_str(dts_buf, pkt.dts, st->time_base);
ts_str(ts_buf, pkt.pts, st->time_base);
printf("ret:%-10s st:%2d flags:%d dts:%s pts:%s pos:%7" PRId64 " size:%6d", ret_str(ret), pkt.stream_index, pkt.flags, dts_buf, ts_buf, pkt.pos, pkt.size);
av_packet_unref(&pkt);
Reported by FlawFinder.
tests/checkasm/aacpsdsp.c
10 issues
Line: 60
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
randomize((INTFLOAT *)src, BUF_SIZE * 2);
randomize(dst0, BUF_SIZE);
memcpy(dst1, dst0, BUF_SIZE * sizeof(INTFLOAT));
call_ref(dst0, src, BUF_SIZE);
call_new(dst1, src, BUF_SIZE);
if (!float_near_abs_eps_array(dst0, dst1, EPS, BUF_SIZE))
fail();
bench_new(dst1, src, BUF_SIZE);
Reported by FlawFinder.
Line: 102
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
randomize((INTFLOAT *)filter, N * 8 * 2);
randomize((INTFLOAT *)dst0, BUF_SIZE * 2);
memcpy(dst1, dst0, BUF_SIZE * 2 * sizeof(INTFLOAT));
call_ref(dst0, in, filter, STRIDE, N);
call_new(dst1, in, filter, STRIDE, N);
if (!float_near_abs_eps_array((float *)dst0, (float *)dst1, EPS, BUF_SIZE * 2))
Reported by FlawFinder.
Line: 123
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
randomize((INTFLOAT *)out0, 91 * 32 * 2);
randomize((INTFLOAT *)in, 2 * 38 * 64);
memcpy(out1, out0, 91 * 32 * 2 * sizeof(INTFLOAT));
/* len is hardcoded to 32 as that's the only value used in
libavcodec. asm functions are likely to be optimized
hardcoding this value in their loops and could fail with
anything else.
Reported by FlawFinder.
Line: 160
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
randomize((INTFLOAT *)in, 91 * 32 * 2);
randomize((INTFLOAT *)out0, 2 * 38 * 64);
memcpy(out1, out0, 2 * 38 * 64 * sizeof(INTFLOAT));
/* len is hardcoded to 32 as that's the only value used in
libavcodec. asm functions are likely to be optimized
hardcoding this value in their loops and could fail with
anything else.
Reported by FlawFinder.
Line: 206
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < 2; i++) {
if (check_func(psdsp->stereo_interpolate[i], "ps_stereo_interpolate%s", i ? "_ipdopd" : "")) {
memcpy(l0, l, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(l1, l, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(r0, r, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(r1, r, BUF_SIZE * 2 * sizeof(INTFLOAT));
randomize((INTFLOAT *)h, 2 * 4);
Reported by FlawFinder.
Line: 207
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < 2; i++) {
if (check_func(psdsp->stereo_interpolate[i], "ps_stereo_interpolate%s", i ? "_ipdopd" : "")) {
memcpy(l0, l, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(l1, l, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(r0, r, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(r1, r, BUF_SIZE * 2 * sizeof(INTFLOAT));
randomize((INTFLOAT *)h, 2 * 4);
randomize((INTFLOAT *)h_step, 2 * 4);
Reported by FlawFinder.
Line: 208
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (check_func(psdsp->stereo_interpolate[i], "ps_stereo_interpolate%s", i ? "_ipdopd" : "")) {
memcpy(l0, l, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(l1, l, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(r0, r, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(r1, r, BUF_SIZE * 2 * sizeof(INTFLOAT));
randomize((INTFLOAT *)h, 2 * 4);
randomize((INTFLOAT *)h_step, 2 * 4);
// Clear the least significant 14 bits of h_step, to avoid
Reported by FlawFinder.
Line: 209
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(l0, l, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(l1, l, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(r0, r, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(r1, r, BUF_SIZE * 2 * sizeof(INTFLOAT));
randomize((INTFLOAT *)h, 2 * 4);
randomize((INTFLOAT *)h_step, 2 * 4);
// Clear the least significant 14 bits of h_step, to avoid
// divergence when accumulating h_step BUF_SIZE times into
Reported by FlawFinder.
Line: 227
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
!float_near_abs_eps_array((float *)r0, (float *)r1, EPS, BUF_SIZE * 2))
fail();
memcpy(l1, l, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(r1, r, BUF_SIZE * 2 * sizeof(INTFLOAT));
bench_new(l1, r1, h, h_step, BUF_SIZE);
}
}
}
Reported by FlawFinder.
Line: 228
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fail();
memcpy(l1, l, BUF_SIZE * 2 * sizeof(INTFLOAT));
memcpy(r1, r, BUF_SIZE * 2 * sizeof(INTFLOAT));
bench_new(l1, r1, h, h_step, BUF_SIZE);
}
}
}
Reported by FlawFinder.
libavformat/avienc.c
9 issues
Line: 47
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
typedef struct AVIIentry {
char tag[4];
unsigned int flags;
unsigned int pos;
unsigned int len;
} AVIIentry;
Reported by FlawFinder.
Line: 132
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (tag)
memcpy(idx->cluster[cl][id].tag, tag, 4);
else
memset(idx->cluster[cl][id].tag, 0, 4);
idx->cluster[cl][id].flags = flags;
idx->cluster[cl][id].pos = avio_tell(pb) - avi->movi_list;
idx->cluster[cl][id].len = size;
Reported by FlawFinder.
Line: 239
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVStream *st = s->streams[stream_index];
AVCodecParameters *par = st->codecpar;
AVIStream *avist = st->priv_data;
unsigned char tag[5];
int j;
/* Starting to lay out AVI OpenDML master index.
* We want to make it JUNK entry for now, since we'd
* like to get away without making AVI an OpenDML one
Reported by FlawFinder.
Line: 636
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
AVIOContext *pb = s->pb;
AVIContext *avi = s->priv_data;
char tag[5];
char ix_tag[] = "ix00";
int i, j;
av_assert0(pb->seekable & AVIO_SEEKABLE_NORMAL);
Reported by FlawFinder.
Line: 696
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVIContext *avi = s->priv_data;
int64_t idx_chunk;
int i;
char tag[5];
if (pb->seekable & AVIO_SEEKABLE_NORMAL) {
AVIStream *avist;
AVIIentry *ie = 0, *tie;
int empty, stream_id = -1;
Reported by FlawFinder.
Line: 817
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
avio_wl32(pb, v & 0xffffff);
}
avio_seek(pb, cur_offset, SEEK_SET);
memcpy(avist->old_palette, avist->palette, pal_size * 4);
avist->pal_offset = 0;
}
if (memcmp(avist->palette, avist->old_palette, pal_size * 4)) {
unsigned char tag[5];
avi_stream2fourcc(tag, stream_index, par->codec_type);
Reported by FlawFinder.
Line: 821
Column: 30
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
avist->pal_offset = 0;
}
if (memcmp(avist->palette, avist->old_palette, pal_size * 4)) {
unsigned char tag[5];
avi_stream2fourcc(tag, stream_index, par->codec_type);
tag[2] = 'p'; tag[3] = 'c';
if (s->pb->seekable & AVIO_SEEKABLE_NORMAL) {
if (avist->strh_flags_offset) {
int64_t cur_offset = avio_tell(pb);
Reported by FlawFinder.
Line: 846
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
avio_wb32(pb, v<<8);
}
ff_end_tag(pb, pc_tag);
memcpy(avist->old_palette, avist->palette, pal_size * 4);
}
}
}
if (reshuffle_ret) {
ret = avi_write_packet_internal(s, pkt);
Reported by FlawFinder.
Line: 865
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int avi_write_packet_internal(AVFormatContext *s, AVPacket *pkt)
{
unsigned char tag[5];
unsigned int flags = 0;
const int stream_index = pkt->stream_index;
int size = pkt->size;
AVIContext *avi = s->priv_data;
AVIOContext *pb = s->pb;
Reported by FlawFinder.
libavcodec/dxva2_hevc.c
9 issues
Line: 276
CWE codes:
908
}
#endif
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
static const uint8_t start_code[] = { 0, 0, 1 };
Reported by Cppcheck.
Line: 277
CWE codes:
908
#endif
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
static const uint8_t start_code[] = { 0, 0, 1 };
static const unsigned start_code_size = sizeof(start_code);
Reported by Cppcheck.
Line: 278
CWE codes:
908
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
static const uint8_t start_code[] = { 0, 0, 1 };
static const unsigned start_code_size = sizeof(start_code);
unsigned position, size;
Reported by Cppcheck.
Line: 278
CWE codes:
908
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
static const uint8_t start_code[] = { 0, 0, 1 };
static const unsigned start_code_size = sizeof(start_code);
unsigned position, size;
Reported by Cppcheck.
Line: 294
CWE codes:
908
break;
}
slice->BSNALunitDataLocation = current - dxva_data;
slice->SliceBytesInBuffer = start_code_size + size;
memcpy(current, start_code, start_code_size);
current += start_code_size;
Reported by Cppcheck.
Line: 303
CWE codes:
908
memcpy(current, &ctx_pic->bitstream[position], size);
current += size;
}
padding = FFMIN(128 - ((current - dxva_data) & 127), end - current);
if (slice && padding > 0) {
memset(current, 0, padding);
current += padding;
slice->SliceBytesInBuffer += padding;
Reported by Cppcheck.
Line: 351
CWE codes:
908
av_assert0(((current - dxva_data) & 127) == 0);
return ff_dxva2_commit_buffer(avctx, ctx, sc,
type,
slice_data, slice_size, 0);
}
static int dxva2_hevc_start_frame(AVCodecContext *avctx,
Reported by Cppcheck.
Line: 297
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
slice->BSNALunitDataLocation = current - dxva_data;
slice->SliceBytesInBuffer = start_code_size + size;
memcpy(current, start_code, start_code_size);
current += start_code_size;
memcpy(current, &ctx_pic->bitstream[position], size);
current += size;
}
Reported by FlawFinder.
Line: 300
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(current, start_code, start_code_size);
current += start_code_size;
memcpy(current, &ctx_pic->bitstream[position], size);
current += size;
}
padding = FFMIN(128 - ((current - dxva_data) & 127), end - current);
if (slice && padding > 0) {
memset(current, 0, padding);
Reported by FlawFinder.
libavcodec/cbs_vp9.c
9 issues
Line: 49
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
value = sign ? -(int32_t)magnitude : magnitude;
if (ctx->trace_enable) {
char bits[33];
int i;
for (i = 0; i < width; i++)
bits[i] = magnitude >> (width - i - 1) & 1 ? '1' : '0';
bits[i] = sign ? '1' : '0';
bits[i + 1] = 0;
Reported by FlawFinder.
Line: 78
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
magnitude = sign ? -value : value;
if (ctx->trace_enable) {
char bits[33];
int i;
for (i = 0; i < width; i++)
bits[i] = magnitude >> (width - i - 1) & 1 ? '1' : '0';
bits[i] = sign ? '1' : '0';
bits[i + 1] = 0;
Reported by FlawFinder.
Line: 101
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
uint32_t value;
int position, i;
char bits[8];
av_assert0(range_min <= range_max && range_max - range_min < sizeof(bits) - 1);
if (ctx->trace_enable)
position = get_bits_count(gbc);
Reported by FlawFinder.
Line: 153
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return AVERROR(ENOSPC);
if (ctx->trace_enable) {
char bits[8];
int i;
for (i = 0; i < len; i++) {
if (range_min + i == value)
bits[i] = '0';
else
Reported by FlawFinder.
Line: 195
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
value |= get_bits(gbc, 8) << b;
if (ctx->trace_enable) {
char bits[33];
int i;
for (b = 0; b < width; b += 8)
for (i = 0; i < 8; i++)
bits[b + i] = value >> (b + i) & 1 ? '1' : '0';
bits[b] = 0;
Reported by FlawFinder.
Line: 222
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return AVERROR(ENOSPC);
if (ctx->trace_enable) {
char bits[33];
int i;
for (b = 0; b < width; b += 8)
for (i = 0; i < 8; i++)
bits[b + i] = value >> (b + i) & 1 ? '1' : '0';
bits[b] = 0;
Reported by FlawFinder.
Line: 540
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR(ENOSPC);
flush_put_bits(pbc);
memcpy(put_bits_ptr(pbc), frame->data, frame->data_size);
skip_put_bytes(pbc, frame->data_size);
}
return 0;
}
Reported by FlawFinder.
Line: 610
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pos = 0;
for (i = 0; i < frag->nb_units; i++) {
av_assert0(size - pos > frag->units[i].data_size);
memcpy(data + pos, frag->units[i].data,
frag->units[i].data_size);
pos += frag->units[i].data_size;
}
av_assert0(size - pos == 2 + frag->nb_units * size_len);
Reported by FlawFinder.
Line: 265
Column: 19
CWE codes:
120
20
xs(width, name, current->name, subs, __VA_ARGS__)
#define READ
#define READWRITE read
#define RWContext GetBitContext
#define xf(width, name, var, subs, ...) do { \
uint32_t value; \
CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \
Reported by FlawFinder.