The following issues were found
libavcodec/lcldec.c
9 issues
Line: 86
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (srcptr < srcptr_end && destptr < destptr_end) {
if (!(mask & maskbit)) {
memcpy(destptr, srcptr, 4);
destptr += 4;
srcptr += 4;
} else {
unsigned ofs = bytestream_get_le16(&srcptr);
unsigned cnt = (ofs >> 11) + 1;
Reported by FlawFinder.
Line: 110
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mask = *srcptr++;
while (!mask) {
if (destptr_end - destptr < 32 || srcptr_end - srcptr < 32) break;
memcpy(destptr, srcptr, 32);
destptr += 32;
srcptr += 32;
mask = *srcptr++;
}
maskbit = 0x80;
Reported by FlawFinder.
Line: 261
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (c->compression == COMP_ZLIB_NORMAL && c->imgtype == IMGTYPE_RGB24 &&
len == width * height * 3) {
if (c->flags & FLAG_PNGFILTER) {
memcpy(c->decomp_buf, buf, len);
encoded = c->decomp_buf;
} else {
break;
}
} else if (c->flags & FLAG_MULTITHREAD) {
Reported by FlawFinder.
Line: 396
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case IMGTYPE_YUV422:
for (row = 0; row < height; row++) {
for (col = 0; col < width - 3; col += 4) {
memcpy(y_out + col, encoded, 4);
encoded += 4;
u_out[ col >> 1 ] = *encoded++ + 128;
u_out[(col >> 1) + 1] = *encoded++ + 128;
v_out[ col >> 1 ] = *encoded++ + 128;
v_out[(col >> 1) + 1] = *encoded++ + 128;
Reported by FlawFinder.
Line: 412
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
linesize = len < FFALIGN(3 * width, 4) * height ? 3 * width : FFALIGN(3 * width, 4);
for (row = height - 1; row >= 0; row--) {
pixel_ptr = row * frame->linesize[0];
memcpy(outptr + pixel_ptr, encoded, 3 * width);
encoded += linesize;
}
break;
case IMGTYPE_YUV411:
for (row = 0; row < height; row++) {
Reported by FlawFinder.
Line: 419
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case IMGTYPE_YUV411:
for (row = 0; row < height; row++) {
for (col = 0; col < width - 3; col += 4) {
memcpy(y_out + col, encoded, 4);
encoded += 4;
u_out[col >> 2] = *encoded++ + 128;
v_out[col >> 2] = *encoded++ + 128;
}
y_out -= frame->linesize[0];
Reported by FlawFinder.
Line: 432
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case IMGTYPE_YUV211:
for (row = 0; row < height; row++) {
for (col = 0; col < width - 1; col += 2) {
memcpy(y_out + col, encoded, 2);
encoded += 2;
u_out[col >> 1] = *encoded++ + 128;
v_out[col >> 1] = *encoded++ + 128;
}
y_out -= frame->linesize[0];
Reported by FlawFinder.
Line: 447
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
v_out = frame->data[2] + ((height >> 1) - 1) * frame->linesize[2];
for (row = 0; row < height - 1; row += 2) {
for (col = 0; col < width - 1; col += 2) {
memcpy(y_out + col, encoded, 2);
encoded += 2;
memcpy(y_out + col - frame->linesize[0], encoded, 2);
encoded += 2;
u_out[col >> 1] = *encoded++ + 128;
v_out[col >> 1] = *encoded++ + 128;
Reported by FlawFinder.
Line: 449
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (col = 0; col < width - 1; col += 2) {
memcpy(y_out + col, encoded, 2);
encoded += 2;
memcpy(y_out + col - frame->linesize[0], encoded, 2);
encoded += 2;
u_out[col >> 1] = *encoded++ + 128;
v_out[col >> 1] = *encoded++ + 128;
}
y_out -= frame->linesize[0] << 1;
Reported by FlawFinder.
libavcodec/vaapi_encode.c
9 issues
Line: 128
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t buffer_size = sizeof(header) + len;
av_assert0(buffer_size <= sizeof(buffer));
memcpy(buffer, &header, sizeof(header));
memcpy(buffer + sizeof(header), data, len);
return vaapi_encode_make_param_buffer(avctx, pic,
VAEncMiscParameterBufferType,
buffer, buffer_size);
Reported by FlawFinder.
Line: 129
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_assert0(buffer_size <= sizeof(buffer));
memcpy(buffer, &header, sizeof(header));
memcpy(buffer + sizeof(header), data, len);
return vaapi_encode_make_param_buffer(avctx, pic,
VAEncMiscParameterBufferType,
buffer, buffer_size);
}
Reported by FlawFinder.
Line: 256
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
VAAPIEncodeSlice *slice;
VAStatus vas;
int err, i;
char data[MAX_PARAM_BUFFER_SIZE];
size_t bit_len;
av_unused AVFrameSideData *sd;
av_log(avctx, AV_LOG_DEBUG, "Issuing encode for pic %"PRId64"/%"PRId64" "
"as type %s.\n", pic->display_order, pic->encode_order,
Reported by FlawFinder.
Line: 309
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pic->codec_picture_params = av_malloc(ctx->codec->picture_params_size);
if (!pic->codec_picture_params)
goto fail;
memcpy(pic->codec_picture_params, ctx->codec_picture_params,
ctx->codec->picture_params_size);
} else {
av_assert0(!ctx->codec_picture_params);
}
Reported by FlawFinder.
Line: 663
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_log(avctx, AV_LOG_DEBUG, "Output buffer: %u bytes "
"(status %08x).\n", buf->size, buf->status);
memcpy(ptr, buf->buf, buf->size);
ptr += buf->size;
}
if (pic->type == PICTURE_TYPE_IDR)
pkt->flags |= AV_PKT_FLAG_KEY;
Reported by FlawFinder.
Line: 1508
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int fr_num, fr_den;
VAConfigAttrib rc_attr = { VAConfigAttribRateControl };
VAStatus vas;
char supported_rc_modes_string[64];
vas = vaGetConfigAttributes(ctx->hwctx->display,
ctx->va_profile, ctx->va_entrypoint,
&rc_attr, 1);
if (vas != VA_STATUS_SUCCESS) {
Reported by FlawFinder.
Line: 1522
Column: 9
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
av_log(avctx, AV_LOG_VERBOSE, "Driver does not report any "
"supported rate control modes: assuming CQP only.\n");
supported_va_rc_modes = VA_RC_CQP;
strcpy(supported_rc_modes_string, "unknown");
} else {
char *str = supported_rc_modes_string;
size_t len = sizeof(supported_rc_modes_string);
int i, first = 1, res;
Reported by FlawFinder.
Line: 2503
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (ctx->va_packed_headers & VA_ENC_PACKED_HEADER_SEQUENCE &&
ctx->codec->write_sequence_header &&
avctx->flags & AV_CODEC_FLAG_GLOBAL_HEADER) {
char data[MAX_PARAM_BUFFER_SIZE];
size_t bit_len = 8 * sizeof(data);
err = ctx->codec->write_sequence_header(avctx, data, &bit_len);
if (err < 0) {
av_log(avctx, AV_LOG_ERROR, "Failed to write sequence header "
Reported by FlawFinder.
Line: 2519
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = AVERROR(ENOMEM);
goto fail;
}
memcpy(avctx->extradata, data, avctx->extradata_size);
}
}
return 0;
Reported by FlawFinder.
libavformat/rtpdec_hevc.c
9 issues
Line: 57
Column: 33
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
/* profile-space: 0-3 */
/* profile-id: 0-31 */
if (!strcmp(attr, "profile-id")) {
hevc_data->profile_id = atoi(value);
av_log(s, AV_LOG_TRACE, "SDP: found profile-id: %d\n", hevc_data->profile_id);
}
/* tier-flag: 0-1 */
/* level-id: 0-255 */
Reported by FlawFinder.
Line: 107
Column: 13
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
value MUST be greater than 0.
*/
if (!strcmp(attr, "sprop-max-don-diff")) {
if (atoi(value) > 0)
hevc_data->using_donl_field = 1;
av_log(s, AV_LOG_TRACE, "Found sprop-max-don-diff in SDP, DON field usage is: %d\n",
hevc_data->using_donl_field);
}
Reported by FlawFinder.
Line: 115
Column: 13
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
/* sprop-depack-buf-nalus: 0-32767 */
if (!strcmp(attr, "sprop-depack-buf-nalus")) {
if (atoi(value) > 0)
hevc_data->using_donl_field = 1;
av_log(s, AV_LOG_TRACE, "Found sprop-depack-buf-nalus in SDP, DON field usage is: %d\n",
hevc_data->using_donl_field);
}
Reported by FlawFinder.
Line: 155
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hevc_data->pps_size + hevc_data->sei_size;
if ((ret = ff_alloc_extradata(par, par->extradata_size)) >= 0) {
int pos = 0;
memcpy(par->extradata + pos, hevc_data->vps, hevc_data->vps_size);
pos += hevc_data->vps_size;
memcpy(par->extradata + pos, hevc_data->sps, hevc_data->sps_size);
pos += hevc_data->sps_size;
memcpy(par->extradata + pos, hevc_data->pps, hevc_data->pps_size);
pos += hevc_data->pps_size;
Reported by FlawFinder.
Line: 157
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int pos = 0;
memcpy(par->extradata + pos, hevc_data->vps, hevc_data->vps_size);
pos += hevc_data->vps_size;
memcpy(par->extradata + pos, hevc_data->sps, hevc_data->sps_size);
pos += hevc_data->sps_size;
memcpy(par->extradata + pos, hevc_data->pps, hevc_data->pps_size);
pos += hevc_data->pps_size;
memcpy(par->extradata + pos, hevc_data->sei, hevc_data->sei_size);
}
Reported by FlawFinder.
Line: 159
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pos += hevc_data->vps_size;
memcpy(par->extradata + pos, hevc_data->sps, hevc_data->sps_size);
pos += hevc_data->sps_size;
memcpy(par->extradata + pos, hevc_data->pps, hevc_data->pps_size);
pos += hevc_data->pps_size;
memcpy(par->extradata + pos, hevc_data->sei, hevc_data->sei_size);
}
av_freep(&hevc_data->vps);
Reported by FlawFinder.
Line: 161
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pos += hevc_data->sps_size;
memcpy(par->extradata + pos, hevc_data->pps, hevc_data->pps_size);
pos += hevc_data->pps_size;
memcpy(par->extradata + pos, hevc_data->sei, hevc_data->sei_size);
}
av_freep(&hevc_data->vps);
av_freep(&hevc_data->sps);
av_freep(&hevc_data->pps);
Reported by FlawFinder.
Line: 248
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((res = av_new_packet(pkt, sizeof(start_sequence) + len)) < 0)
return res;
/* A/V packet: copy start sequence */
memcpy(pkt->data, start_sequence, sizeof(start_sequence));
/* A/V packet: copy NAL unit data */
memcpy(pkt->data + sizeof(start_sequence), buf, len);
break;
/* aggregated packet (AP) - with two or more NAL units */
Reported by FlawFinder.
Line: 250
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* A/V packet: copy start sequence */
memcpy(pkt->data, start_sequence, sizeof(start_sequence));
/* A/V packet: copy NAL unit data */
memcpy(pkt->data + sizeof(start_sequence), buf, len);
break;
/* aggregated packet (AP) - with two or more NAL units */
case 48:
/* pass the HEVC payload header */
Reported by FlawFinder.
libavcodec/dxva2_vc1.c
9 issues
Line: 222
CWE codes:
908
}
#endif
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
unsigned position, size;
Reported by Cppcheck.
Line: 223
CWE codes:
908
#endif
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
unsigned position, size;
slice = &ctx_pic->slice[i];
Reported by Cppcheck.
Line: 224
CWE codes:
908
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
unsigned position, size;
slice = &ctx_pic->slice[i];
position = slice->dwSliceDataLocation;
Reported by Cppcheck.
Line: 224
CWE codes:
908
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
unsigned position, size;
slice = &ctx_pic->slice[i];
position = slice->dwSliceDataLocation;
Reported by Cppcheck.
Line: 235
CWE codes:
908
av_log(avctx, AV_LOG_ERROR, "Failed to build bitstream");
break;
}
slice->dwSliceDataLocation = current - dxva_data;
if (i < ctx_pic->slice_count - 1)
slice->wNumberMBsInSlice =
slice[1].wNumberMBsInSlice - slice[0].wNumberMBsInSlice;
else
Reported by Cppcheck.
Line: 259
CWE codes:
908
memcpy(current, &ctx_pic->bitstream[position], size);
current += size;
}
padding = FFMIN(128 - ((current - dxva_data) & 127), end - current);
if (slice && padding > 0) {
memset(current, 0, padding);
current += padding;
slice->dwSliceBitsInBuffer += padding * 8;
}
Reported by Cppcheck.
Line: 303
CWE codes:
908
#endif
return ff_dxva2_commit_buffer(avctx, ctx, sc,
type,
ctx_pic->slice,
ctx_pic->slice_count * sizeof(*ctx_pic->slice),
mb_count);
}
Reported by Cppcheck.
Line: 246
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* write the appropriate frame, field or slice start code */
if (start_code_size) {
memcpy(current, start_code, start_code_size);
if (i == 0 && v->second_field)
current[3] = 0x0c;
else if (i > 0)
current[3] = 0x0b;
Reported by FlawFinder.
Line: 256
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
slice->dwSliceBitsInBuffer += start_code_size * 8;
}
memcpy(current, &ctx_pic->bitstream[position], size);
current += size;
}
padding = FFMIN(128 - ((current - dxva_data) & 127), end - current);
if (slice && padding > 0) {
memset(current, 0, padding);
Reported by FlawFinder.
libavcodec/dxva2_hevc.c
9 issues
Line: 276
CWE codes:
908
}
#endif
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
static const uint8_t start_code[] = { 0, 0, 1 };
Reported by Cppcheck.
Line: 277
CWE codes:
908
#endif
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
static const uint8_t start_code[] = { 0, 0, 1 };
static const unsigned start_code_size = sizeof(start_code);
Reported by Cppcheck.
Line: 278
CWE codes:
908
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
static const uint8_t start_code[] = { 0, 0, 1 };
static const unsigned start_code_size = sizeof(start_code);
unsigned position, size;
Reported by Cppcheck.
Line: 278
CWE codes:
908
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
static const uint8_t start_code[] = { 0, 0, 1 };
static const unsigned start_code_size = sizeof(start_code);
unsigned position, size;
Reported by Cppcheck.
Line: 294
CWE codes:
908
break;
}
slice->BSNALunitDataLocation = current - dxva_data;
slice->SliceBytesInBuffer = start_code_size + size;
memcpy(current, start_code, start_code_size);
current += start_code_size;
Reported by Cppcheck.
Line: 303
CWE codes:
908
memcpy(current, &ctx_pic->bitstream[position], size);
current += size;
}
padding = FFMIN(128 - ((current - dxva_data) & 127), end - current);
if (slice && padding > 0) {
memset(current, 0, padding);
current += padding;
slice->SliceBytesInBuffer += padding;
Reported by Cppcheck.
Line: 351
CWE codes:
908
av_assert0(((current - dxva_data) & 127) == 0);
return ff_dxva2_commit_buffer(avctx, ctx, sc,
type,
slice_data, slice_size, 0);
}
static int dxva2_hevc_start_frame(AVCodecContext *avctx,
Reported by Cppcheck.
Line: 297
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
slice->BSNALunitDataLocation = current - dxva_data;
slice->SliceBytesInBuffer = start_code_size + size;
memcpy(current, start_code, start_code_size);
current += start_code_size;
memcpy(current, &ctx_pic->bitstream[position], size);
current += size;
}
Reported by FlawFinder.
Line: 300
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(current, start_code, start_code_size);
current += start_code_size;
memcpy(current, &ctx_pic->bitstream[position], size);
current += size;
}
padding = FFMIN(128 - ((current - dxva_data) & 127), end - current);
if (slice && padding > 0) {
memset(current, 0, padding);
Reported by FlawFinder.
libavutil/log.c
9 issues
Line: 385
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
fprintf(stderr, " Last message repeated %d times\n", count);
count = 0;
}
strcpy(prev, line);
sanitize(part[0].str);
colored_fputs(type[0], 0, part[0].str);
sanitize(part[1].str);
colored_fputs(type[1], 0, part[1].str);
sanitize(part[2].str);
Reported by FlawFinder.
Line: 150
Column: 18
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
static void check_color_terminal(void)
{
char *term = getenv("TERM");
#if defined(_WIN32) && HAVE_SETCONSOLETEXTATTRIBUTE && HAVE_GETSTDHANDLE
CONSOLE_SCREEN_BUFFER_INFO con_info;
DWORD dummy;
con = GetStdHandle(STD_ERROR_HANDLE);
Reported by FlawFinder.
Line: 165
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
}
#endif
if (getenv("AV_LOG_FORCE_NOCOLOR")) {
use_color = 0;
} else if (getenv("AV_LOG_FORCE_COLOR")) {
use_color = 1;
} else {
#if defined(_WIN32) && HAVE_SETCONSOLETEXTATTRIBUTE && HAVE_GETSTDHANDLE
Reported by FlawFinder.
Line: 167
Column: 16
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if (getenv("AV_LOG_FORCE_NOCOLOR")) {
use_color = 0;
} else if (getenv("AV_LOG_FORCE_COLOR")) {
use_color = 1;
} else {
#if defined(_WIN32) && HAVE_SETCONSOLETEXTATTRIBUTE && HAVE_GETSTDHANDLE
use_color = (con != INVALID_HANDLE_VALUE);
#elif HAVE_ISATTY
Reported by FlawFinder.
Line: 179
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
#endif
}
if (getenv("AV_LOG_FORCE_256COLOR") || term && strstr(term, "256color"))
use_color *= 256;
}
static void ansi_fputs(int level, int tint, const char *str, int local_use_color)
{
Reported by FlawFinder.
Line: 292
Column: 54
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
}
static void format_line(void *avcl, int level, const char *fmt, va_list vl,
AVBPrint part[4], int *print_prefix, int type[2])
{
AVClass* avc = avcl ? *(AVClass **) avcl : NULL;
av_bprint_init(part+0, 0, AV_BPRINT_SIZE_AUTOMATIC);
av_bprint_init(part+1, 0, AV_BPRINT_SIZE_AUTOMATIC);
Reported by FlawFinder.
Line: 350
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
static int print_prefix = 1;
static int count;
static char prev[LINE_SZ];
AVBPrint part[4];
char line[LINE_SZ];
static int is_atty;
int type[2];
unsigned tint = 0;
Reported by FlawFinder.
Line: 352
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int count;
static char prev[LINE_SZ];
AVBPrint part[4];
char line[LINE_SZ];
static int is_atty;
int type[2];
unsigned tint = 0;
if (level >= 0) {
Reported by FlawFinder.
Line: 375
Column: 23
CWE codes:
126
#endif
if (print_prefix && (flags & AV_LOG_SKIP_REPEATED) && !strcmp(line, prev) &&
*line && line[strlen(line) - 1] != '\r'){
count++;
if (is_atty == 1)
fprintf(stderr, " Last message repeated %d times\r", count);
goto end;
}
Reported by FlawFinder.
libavcodec/avpacket.c
9 issues
Line: 157
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!pkt->buf)
return AVERROR(ENOMEM);
if (pkt->size > 0)
memcpy(pkt->buf->data, pkt->data, pkt->size);
pkt->data = pkt->buf->data;
}
pkt->size += grow_by;
memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
Reported by FlawFinder.
Line: 320
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const size_t len = strlen(str) + 1;
if (pass)
memcpy(data + total_length, str, len);
else if (len > SIZE_MAX - total_length)
return NULL;
total_length += len;
}
}
Reported by FlawFinder.
Line: 411
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_packet_free_side_data(dst);
return AVERROR(ENOMEM);
}
memcpy(dst_data, src_data, size);
}
return 0;
}
Reported by FlawFinder.
Line: 441
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto fail;
av_assert1(!src->size || src->data);
if (src->size)
memcpy(dst->buf->data, src->data, src->size);
dst->data = dst->buf->data;
} else {
dst->buf = av_buffer_ref(src->buf);
if (!dst->buf) {
Reported by FlawFinder.
Line: 492
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
av_assert1(!pkt->size || pkt->data);
if (pkt->size)
memcpy(pkt->buf->data, pkt->data, pkt->size);
pkt->data = pkt->buf->data;
return 0;
}
Reported by FlawFinder.
Line: 512
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
av_assert1(!pkt->size || pkt->data);
if (pkt->size)
memcpy(buf->data, pkt->data, pkt->size);
av_buffer_unref(&pkt->buf);
pkt->buf = buf;
pkt->data = buf->data;
Reported by FlawFinder.
Line: 317
Column: 36
CWE codes:
126
while ((t = av_dict_get(dict, "", t, AV_DICT_IGNORE_SUFFIX))) {
for (int i = 0; i < 2; i++) {
const char *str = i ? t->value : t->key;
const size_t len = strlen(str) + 1;
if (pass)
memcpy(data + total_length, str, len);
else if (len > SIZE_MAX - total_length)
return NULL;
Reported by FlawFinder.
Line: 350
Column: 37
CWE codes:
126
return AVERROR_INVALIDDATA;
while (data < end) {
const uint8_t *key = data;
const uint8_t *val = data + strlen(key) + 1;
if (val >= end || !*key)
return AVERROR_INVALIDDATA;
ret = av_dict_set(dict, key, val, 0);
Reported by FlawFinder.
Line: 358
Column: 22
CWE codes:
126
ret = av_dict_set(dict, key, val, 0);
if (ret < 0)
return ret;
data = val + strlen(val) + 1;
}
return 0;
}
Reported by FlawFinder.
libavformat/file.c
9 issues
Line: 145
Column: 9
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
{
#if HAVE_ACCESS && defined(R_OK)
if (access(filename, F_OK) < 0)
return AVERROR(errno);
if (mask&AVIO_FLAG_READ)
if (access(filename, R_OK) >= 0)
ret |= AVIO_FLAG_READ;
if (mask&AVIO_FLAG_WRITE)
Reported by FlawFinder.
Line: 148
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (access(filename, F_OK) < 0)
return AVERROR(errno);
if (mask&AVIO_FLAG_READ)
if (access(filename, R_OK) >= 0)
ret |= AVIO_FLAG_READ;
if (mask&AVIO_FLAG_WRITE)
if (access(filename, W_OK) >= 0)
ret |= AVIO_FLAG_WRITE;
#else
Reported by FlawFinder.
Line: 151
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (access(filename, R_OK) >= 0)
ret |= AVIO_FLAG_READ;
if (mask&AVIO_FLAG_WRITE)
if (access(filename, W_OK) >= 0)
ret |= AVIO_FLAG_WRITE;
#else
struct stat st;
# ifndef _WIN32
ret = stat(filename, &st);
Reported by FlawFinder.
Line: 211
Column: 9
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
static int file_open(URLContext *h, const char *filename, int flags)
{
FileContext *c = h->priv_data;
int access;
int fd;
struct stat st;
av_strstart(filename, "file:", &filename);
Reported by FlawFinder.
Line: 220
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (flags & AVIO_FLAG_WRITE && flags & AVIO_FLAG_READ) {
access = O_CREAT | O_RDWR;
if (c->trunc)
access |= O_TRUNC;
} else if (flags & AVIO_FLAG_WRITE) {
access = O_CREAT | O_WRONLY;
if (c->trunc)
access |= O_TRUNC;
} else {
Reported by FlawFinder.
Line: 224
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
} else if (flags & AVIO_FLAG_WRITE) {
access = O_CREAT | O_WRONLY;
if (c->trunc)
access |= O_TRUNC;
} else {
access = O_RDONLY;
}
#ifdef O_BINARY
access |= O_BINARY;
Reported by FlawFinder.
Line: 229
Column: 5
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
access = O_RDONLY;
}
#ifdef O_BINARY
access |= O_BINARY;
#endif
fd = avpriv_open(filename, access, 0666);
if (fd == -1)
return AVERROR(errno);
c->fd = fd;
Reported by FlawFinder.
Line: 231
Column: 32
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
#ifdef O_BINARY
access |= O_BINARY;
#endif
fd = avpriv_open(filename, access, 0666);
if (fd == -1)
return AVERROR(errno);
c->fd = fd;
h->is_streamed = !fstat(fd, &st) && S_ISFIFO(st.st_mode);
Reported by FlawFinder.
Line: 114
Column: 11
CWE codes:
120
20
FileContext *c = h->priv_data;
int ret;
size = FFMIN(size, c->blocksize);
ret = read(c->fd, buf, size);
if (ret == 0 && c->follow)
return AVERROR(EAGAIN);
if (ret == 0)
return AVERROR_EOF;
return (ret == -1) ? AVERROR(errno) : ret;
Reported by FlawFinder.
libavformat/ty.c
9 issues
Line: 414
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ty->cur_chunk_pos += VIDEO_PES_LENGTH + es_offset1;
if ((ret = av_new_packet(pkt, size)) < 0)
return ret;
memcpy(pkt->data, ty->chunk + ty->cur_chunk_pos, size);
ty->cur_chunk_pos += size;
pkt->stream_index = 0;
got_packet = 1;
} else {
ff_dlog(s, "video rec type 0x%02x has short PES"
Reported by FlawFinder.
Line: 438
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!got_packet) {
if ((ret = av_new_packet(pkt, rec_size)) < 0)
return ret;
memcpy(pkt->data, ty->chunk + ty->cur_chunk_pos, rec_size);
ty->cur_chunk_pos += rec_size;
pkt->stream_index = 0;
got_packet = 1;
}
Reported by FlawFinder.
Line: 491
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
}
/* copy the partial pes header we found */
memcpy(ty->pes_buffer, pkt->data + offset, rec_len - offset);
ty->pes_buf_cnt = rec_len - offset;
if (offset > 0) {
/* PES Header was found, but not complete, so trim the end of this record */
pkt->size -= rec_len - offset;
Reported by FlawFinder.
Line: 532
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* do we have enough data to complete? */
if (need >= rec_size) {
/* don't have complete PES hdr; save what we have and return */
memcpy(ty->pes_buffer + ty->pes_buf_cnt, ty->chunk + ty->cur_chunk_pos, rec_size);
ty->cur_chunk_pos += rec_size;
ty->pes_buf_cnt += rec_size;
return 0;
}
Reported by FlawFinder.
Line: 539
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* we have enough; reconstruct this frame with the new hdr */
memcpy(ty->pes_buffer + ty->pes_buf_cnt, ty->chunk + ty->cur_chunk_pos, need);
ty->cur_chunk_pos += need;
/* get the PTS out of this PES header (MPEG or AC3) */
if (ty->audio_type == TIVO_AUDIO_MPEG) {
es_offset1 = find_es_header(ty_MPEGAudioPacket,
ty->pes_buffer, 5);
Reported by FlawFinder.
Line: 561
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if ((ret = av_new_packet(pkt, rec_size - need)) < 0)
return ret;
memcpy(pkt->data, ty->chunk + ty->cur_chunk_pos, rec_size - need);
ty->cur_chunk_pos += rec_size - need;
pkt->stream_index = 1;
/* S2 DTivo has AC3 packets with 2 padding bytes at end. This is
* not allowed in the AC3 spec and will cause problems. So here
Reported by FlawFinder.
Line: 583
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (subrec_type == 0x03) {
if ((ret = av_new_packet(pkt, rec_size)) < 0)
return ret;
memcpy(pkt->data, ty->chunk + ty->cur_chunk_pos, rec_size);
ty->cur_chunk_pos += rec_size;
pkt->stream_index = 1;
/* MPEG Audio with PES Header, either SA or DTiVo */
/* ================================================ */
es_offset1 = find_es_header(ty_MPEGAudioPacket, pkt->data, 5);
Reported by FlawFinder.
Line: 614
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* ================================================ */
if ((ret = av_new_packet(pkt, rec_size)) < 0)
return ret;
memcpy(pkt->data, ty->chunk + ty->cur_chunk_pos, rec_size);
ty->cur_chunk_pos += rec_size;
pkt->stream_index = 1;
pkt->pts = ty->last_audio_pts;
} else if (subrec_type == 0x09) {
if ((ret = av_new_packet(pkt, rec_size)) < 0)
Reported by FlawFinder.
Line: 621
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (subrec_type == 0x09) {
if ((ret = av_new_packet(pkt, rec_size)) < 0)
return ret;
memcpy(pkt->data, ty->chunk + ty->cur_chunk_pos, rec_size);
ty->cur_chunk_pos += rec_size ;
pkt->stream_index = 1;
/* DTiVo AC3 Audio Data with PES Header */
/* ================================================ */
Reported by FlawFinder.
libavformat/ffmetadec.c
9 issues
Line: 110
Column: 11
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
if (sscanf(line, "TIMEBASE=%d/%d", &tb.num, &tb.den))
get_line(s->pb, line, sizeof(line));
ret = sscanf(line, "START=%"SCNd64, &start);
if (ret <= 0) {
av_log(s, AV_LOG_ERROR, "Expected chapter start timestamp, found %s.\n", line);
start = (s->nb_chapters && s->chapters[s->nb_chapters - 1]->end != AV_NOPTS_VALUE) ?
s->chapters[s->nb_chapters - 1]->end : 0;
} else
Reported by FlawFinder.
Line: 118
Column: 11
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
} else
get_line(s->pb, line, sizeof(line));
ret = sscanf(line, "END=%"SCNd64, &end);
if (ret <= 0) {
av_log(s, AV_LOG_ERROR, "Expected chapter end timestamp, found %s.\n", line);
end = AV_NOPTS_VALUE;
}
Reported by FlawFinder.
Line: 40
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int len, end;
int64_t read = 0;
char tmp[1024];
char c;
char prev = ' ';
do {
len = 0;
Reported by FlawFinder.
Line: 31
Column: 35
CWE codes:
126
static int probe(const AVProbeData *p)
{
if(!memcmp(p->buf, ID_STRING, strlen(ID_STRING)))
return AVPROBE_SCORE_MAX;
return 0;
}
static int64_t read_line_to_bprint_escaped(AVIOContext *s, AVBPrint *bp)
Reported by FlawFinder.
Line: 165
Column: 35
CWE codes:
126
if (!(key = unescape(line, p - line)))
return AVERROR(ENOMEM);
if (!(value = unescape(p + 1, strlen(p + 1)))) {
av_free(key);
return AVERROR(ENOMEM);
}
av_dict_set(m, key, value, AV_DICT_DONT_STRDUP_KEY | AV_DICT_DONT_STRDUP_VAL);
Reported by FlawFinder.
Line: 184
Column: 40
CWE codes:
126
while(!avio_feof(s->pb)) {
get_bprint_line(s->pb, &bp);
if (!memcmp(bp.str, ID_STREAM, strlen(ID_STREAM))) {
AVStream *st = avformat_new_stream(s, NULL);
if (!st)
goto nomem;
Reported by FlawFinder.
Line: 194
Column: 48
CWE codes:
126
st->codecpar->codec_id = AV_CODEC_ID_FFMETADATA;
m = &st->metadata;
} else if (!memcmp(bp.str, ID_CHAPTER, strlen(ID_CHAPTER))) {
AVChapter *ch = read_chapter(s);
if (!ch)
goto nomem;
Reported by FlawFinder.