The following issues were found
libavcodec/zmbv.c
7 issues
Line: 126
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (my + j < 0 || my + j >= c->height) {
memset(out, 0, bw2);
} else if (mx >= 0 && mx + bw2 <= c->width){
memcpy(out, tprev, sizeof(*out) * bw2);
} else {
for (i = 0; i < bw2; i++) {
if (mx + i < 0 || mx + i >= c->width)
out[i] = 0;
else
Reported by FlawFinder.
Line: 200
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (my + j < 0 || my + j >= c->height) {
memset(out, 0, bw2 * 2);
} else if (mx >= 0 && mx + bw2 <= c->width){
memcpy(out, tprev, sizeof(*out) * bw2);
} else {
for (i = 0; i < bw2; i++) {
if (mx + i < 0 || mx + i >= c->width)
out[i] = 0;
else
Reported by FlawFinder.
Line: 279
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (my + j < 0 || my + j >= c->height) {
memset(out, 0, bw2 * 3);
} else if (mx >= 0 && mx + bw2 <= c->width){
memcpy(out, tprev, 3 * bw2);
} else {
for (i = 0; i < bw2; i++){
if (mx + i < 0 || mx + i >= c->width) {
out[i * 3 + 0] = 0;
out[i * 3 + 1] = 0;
Reported by FlawFinder.
Line: 362
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (my + j < 0 || my + j >= c->height) {
memset(out, 0, bw2 * 4);
} else if (mx >= 0 && mx + bw2 <= c->width){
memcpy(out, tprev, sizeof(*out) * bw2);
} else {
for (i = 0; i < bw2; i++){
if (mx + i < 0 || mx + i >= c->width)
out[i] = 0;
else
Reported by FlawFinder.
Line: 404
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* make the palette available on the way out */
if (c->fmt == ZMBV_FMT_8BPP) {
memcpy(c->pal, src, 768);
src += 768;
}
memcpy(c->cur, src, c->width * c->height * (c->bpp / 8));
return 0;
Reported by FlawFinder.
Line: 408
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src += 768;
}
memcpy(c->cur, src, c->width * c->height * (c->bpp / 8));
return 0;
}
static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt)
{
Reported by FlawFinder.
Line: 536
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_log(avctx, AV_LOG_ERROR, "Buffer too small\n");
return AVERROR_INVALIDDATA;
}
memcpy(c->decomp_buf, buf, len);
c->decomp_len = len;
} else { // ZLIB-compressed data
c->zstream.total_in = c->zstream.total_out = 0;
c->zstream.next_in = buf;
c->zstream.avail_in = len;
Reported by FlawFinder.
libavformat/nistspheredec.c
7 issues
Line: 50
Column: 5
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
ff_get_line(s->pb, buffer, sizeof(buffer));
ff_get_line(s->pb, buffer, sizeof(buffer));
sscanf(buffer, "%"SCNd32, &header_size);
if (header_size <= 0)
return AVERROR_INVALIDDATA;
while (!avio_feof(s->pb)) {
ff_get_line(s->pb, buffer, sizeof(buffer));
Reported by FlawFinder.
Line: 111
Column: 13
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
} else if (!memcmp(buffer, "sample_coding", 13)) {
sscanf(buffer, "%*s %*s %31s", coding);
} else if (!memcmp(buffer, "sample_count", 12)) {
sscanf(buffer, "%*s %*s %"SCNd64, &st->duration);
} else if (!memcmp(buffer, "sample_n_bytes", 14)) {
sscanf(buffer, "%*s %*s %d", &bps);
if (bps > INT16_MAX/8U)
return AVERROR_INVALIDDATA;
} else if (!memcmp(buffer, "sample_rate", 11)) {
Reported by FlawFinder.
Line: 37
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int nist_read_header(AVFormatContext *s)
{
char buffer[256], coding[32] = "pcm", format[32] = "01";
int bps = 0, be = 0;
int32_t header_size = -1;
AVStream *st;
st = avformat_new_stream(s, NULL);
Reported by FlawFinder.
Line: 123
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (st->codecpar->bits_per_coded_sample <= 0 || st->codecpar->bits_per_coded_sample > INT16_MAX)
return AVERROR_INVALIDDATA;
} else {
char key[32], value[32];
if (sscanf(buffer, "%31s %*s %31s", key, value) == 2) {
av_dict_set(&s->metadata, key, value, AV_DICT_APPEND);
} else {
av_log(s, AV_LOG_ERROR, "Failed to parse '%s' as metadata\n", buffer);
}
Reported by FlawFinder.
Line: 96
Column: 13
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
if (st->codecpar->channels <= 0 || st->codecpar->channels > INT16_MAX)
return AVERROR_INVALIDDATA;
} else if (!memcmp(buffer, "sample_byte_format", 18)) {
sscanf(buffer, "%*s %*s %31s", format);
if (!av_strcasecmp(format, "01")) {
be = 0;
} else if (!av_strcasecmp(format, "10")) {
be = 1;
Reported by FlawFinder.
Line: 109
Column: 13
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
return AVERROR_PATCHWELCOME;
}
} else if (!memcmp(buffer, "sample_coding", 13)) {
sscanf(buffer, "%*s %*s %31s", coding);
} else if (!memcmp(buffer, "sample_count", 12)) {
sscanf(buffer, "%*s %*s %"SCNd64, &st->duration);
} else if (!memcmp(buffer, "sample_n_bytes", 14)) {
sscanf(buffer, "%*s %*s %d", &bps);
if (bps > INT16_MAX/8U)
Reported by FlawFinder.
Line: 124
Column: 17
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
return AVERROR_INVALIDDATA;
} else {
char key[32], value[32];
if (sscanf(buffer, "%31s %*s %31s", key, value) == 2) {
av_dict_set(&s->metadata, key, value, AV_DICT_APPEND);
} else {
av_log(s, AV_LOG_ERROR, "Failed to parse '%s' as metadata\n", buffer);
}
}
Reported by FlawFinder.
libavcodec/jpeg2000dec.c
7 issues
Line: 588
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tmp.init = 1;
for (compno = 0; compno < s->ncomponents; compno++)
if (!(properties[compno] & HAD_COC))
memcpy(c + compno, &tmp, sizeof(tmp));
return 0;
}
/* Get coding parameters for a component in the whole image or a
* particular tile. */
Reported by FlawFinder.
Line: 719
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
for (compno = 0; compno < s->ncomponents; compno++)
if (!(properties[compno] & HAD_QCC))
memcpy(q + compno, &tmp, sizeof(tmp));
return 0;
}
/* Get quantization parameters for a component in the whole image
* on in a particular tile. */
Reported by FlawFinder.
Line: 797
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_log(s->avctx, AV_LOG_ERROR, "Insufficient space for POC\n");
return AVERROR_INVALIDDATA;
}
memcpy(p->poc + p->nb_poc, tmp.poc, tmp.nb_poc * sizeof(tmp.poc[0]));
p->nb_poc += tmp.nb_poc;
}
p->is_default = 0;
Reported by FlawFinder.
Line: 852
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
Jpeg2000Tile *tile = s->tile + s->curtileno;
/* copy defaults */
memcpy(tile->codsty, s->codsty, s->ncomponents * sizeof(Jpeg2000CodingStyle));
memcpy(tile->qntsty, s->qntsty, s->ncomponents * sizeof(Jpeg2000QuantStyle));
memcpy(&tile->poc , &s->poc , sizeof(tile->poc));
tile->poc.is_default = 1;
}
Reported by FlawFinder.
Line: 853
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy defaults */
memcpy(tile->codsty, s->codsty, s->ncomponents * sizeof(Jpeg2000CodingStyle));
memcpy(tile->qntsty, s->qntsty, s->ncomponents * sizeof(Jpeg2000QuantStyle));
memcpy(&tile->poc , &s->poc , sizeof(tile->poc));
tile->poc.is_default = 1;
}
return 0;
Reported by FlawFinder.
Line: 990
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else
return AVERROR(ENOMEM);
memset(&tile->packed_headers_stream, 0, sizeof(tile->packed_headers_stream));
memcpy(tile->packed_headers + tile->packed_headers_size,
s->g.buffer, n - 3);
tile->packed_headers_size += n - 3;
bytestream2_skip(&s->g, n - 3);
return 0;
Reported by FlawFinder.
Line: 2545
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*got_frame = 1;
if (s->avctx->pix_fmt == AV_PIX_FMT_PAL8)
memcpy(picture->data[1], s->palette, 256 * sizeof(uint32_t));
if (s->sar.num && s->sar.den)
avctx->sample_aspect_ratio = s->sar;
s->sar.num = s->sar.den = 0;
return bytestream2_tell(&s->g);
Reported by FlawFinder.
libavutil/parseutils.c
7 issues
Line: 143
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{ "ntsc-film", { 24000, 1001 } },
};
static const char *months[12] = {
"january", "february", "march", "april", "may", "june", "july", "august",
"september", "october", "november", "december"
};
int av_parse_video_size(int *width_ptr, int *height_ptr, const char *str)
Reported by FlawFinder.
Line: 357
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int av_parse_color(uint8_t *rgba_color, const char *color_string, int slen,
void *log_ctx)
{
char *tail, color_string2[128];
const ColorEntry *entry;
int len, hex_offset = 0;
if (color_string[0] == '#') {
hex_offset = 1;
Reported by FlawFinder.
Line: 407
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_log(log_ctx, AV_LOG_ERROR, "Cannot find color '%s'\n", color_string2);
return AVERROR(EINVAL);
}
memcpy(rgba_color, entry->rgb_color, 3);
}
if (tail) {
double alpha;
const char *alpha_string = tail;
Reported by FlawFinder.
Line: 754
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int av_find_info_tag(char *arg, int arg_size, const char *tag1, const char *info)
{
const char *p;
char tag[128], *q;
p = info;
if (*p == '?')
p++;
for(;;) {
Reported by FlawFinder.
Line: 367
Column: 16
CWE codes:
126
hex_offset = 2;
if (slen < 0)
slen = strlen(color_string);
av_strlcpy(color_string2, color_string + hex_offset,
FFMIN(slen-hex_offset+1, sizeof(color_string2)));
if ((tail = strchr(color_string2, ALPHA_SEP)))
*tail++ = 0;
len = strlen(color_string2);
Reported by FlawFinder.
Line: 372
Column: 11
CWE codes:
126
FFMIN(slen-hex_offset+1, sizeof(color_string2)));
if ((tail = strchr(color_string2, ALPHA_SEP)))
*tail++ = 0;
len = strlen(color_string2);
rgba_color[3] = 255;
if (!av_strcasecmp(color_string2, "random") || !av_strcasecmp(color_string2, "bikeshed")) {
int rgba = av_get_random_seed();
rgba_color[0] = rgba >> 24;
Reported by FlawFinder.
Line: 479
Column: 23
CWE codes:
126
for (; i < 12; i++) {
if (!av_strncasecmp(*pp, months[i], 3)) {
const char *mo_full = months[i] + 3;
int len = strlen(mo_full);
*pp += 3;
if (len > 0 && !av_strncasecmp(*pp, mo_full, len))
*pp += len;
return i;
}
Reported by FlawFinder.
libavformat/wtvdec.c
7 issues
Line: 483
Column: 9
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return;
}
} else if (type == 3 && length == 4) {
strcpy(buf, avio_rl32(pb) ? "true" : "false");
} else if (type == 4 && length == 8) {
int64_t num = avio_rl64(pb);
if (!strcmp(key, "WM/EncodingTime") ||
!strcmp(key, "WM/MediaOriginalBroadcastDateTime")) {
if (filetime_to_iso8601(buf, buf_size, num) < 0) {
Reported by FlawFinder.
Line: 506
Column: 13
CWE codes:
134
Suggestion:
Use a constant for the format specification
} else if (!strcmp(key, "WM/WMRVBitrate"))
snprintf(buf, buf_size, "%f", av_int2double(num));
else
snprintf(buf, buf_size, "%"PRIi64, num);
} else if (type == 5 && length == 2) {
snprintf(buf, buf_size, "%u", avio_rl16(pb));
} else if (type == 6 && length == 16) {
ff_asf_guid guid;
avio_read(pb, guid, 16);
Reported by FlawFinder.
Line: 512
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
} else if (type == 6 && length == 16) {
ff_asf_guid guid;
avio_read(pb, guid, 16);
snprintf(buf, buf_size, PRI_PRETTY_GUID, ARG_PRETTY_GUID(guid));
} else if (type == 2 && !strcmp(key, "WM/Picture")) {
get_attachment(s, pb, length);
av_freep(&buf);
return;
} else {
Reported by FlawFinder.
Line: 433
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void get_attachment(AVFormatContext *s, AVIOContext *pb, int length)
{
char mime[1024];
char description[1024];
unsigned int filesize;
AVStream *st;
int64_t pos = avio_tell(pb);
Reported by FlawFinder.
Line: 434
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void get_attachment(AVFormatContext *s, AVIOContext *pb, int length)
{
char mime[1024];
char description[1024];
unsigned int filesize;
AVStream *st;
int64_t pos = avio_tell(pb);
avio_get_str16le(pb, INT_MAX, mime, sizeof(mime));
Reported by FlawFinder.
Line: 536
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ff_asf_guid guid;
int length, type;
while(!avio_feof(pb)) {
char key[1024];
ff_get_guid(pb, &guid);
type = avio_rl32(pb);
length = avio_rl32(pb);
if (!length)
break;
Reported by FlawFinder.
Line: 478
Column: 14
CWE codes:
126
snprintf(buf, buf_size, "%u", avio_rl32(pb));
} else if (type == 1) {
avio_get_str16le(pb, length, buf, buf_size);
if (!strlen(buf)) {
av_free(buf);
return;
}
} else if (type == 3 && length == 4) {
strcpy(buf, avio_rl32(pb) ? "true" : "false");
Reported by FlawFinder.
libavformat/yuv4mpegdec.c
7 issues
Line: 35
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int yuv4_read_header(AVFormatContext *s)
{
char header[MAX_YUV4_HEADER + 10]; // Include headroom for
// the longest option
char *tokstart, *tokend, *header_end;
int i;
AVIOContext *pb = s->pb;
int width = -1, height = -1, raten = 0,
Reported by FlawFinder.
Line: 84
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
static const struct {
#define MAX_PIX_FMT_LENGTH 8
char name[MAX_PIX_FMT_LENGTH + 1];
#undef MAX_PIX_FMT_LENGTH
enum AVPixelFormat pix_fmt;
enum AVChromaLocation chroma_loc;
} pix_fmt_array[] = {
{ "420jpeg", AV_PIX_FMT_YUV420P, AVCHROMA_LOC_CENTER },
Reported by FlawFinder.
Line: 171
Column: 21
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (strncmp("YSCSS=", tokstart, 6) == 0) {
static const struct {
#define MAX_PIX_FMT_LENGTH 8
char name[MAX_PIX_FMT_LENGTH + 1];
#undef MAX_PIX_FMT_LENGTH
enum AVPixelFormat pix_fmt;
} pix_fmt_array[] = {
{ "420JPEG", AV_PIX_FMT_YUV420P },
{ "420MPEG2", AV_PIX_FMT_YUV420P },
Reported by FlawFinder.
Line: 267
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int yuv4_read_packet(AVFormatContext *s, AVPacket *pkt)
{
int i;
char header[MAX_FRAME_HEADER+1];
int ret;
int64_t off = avio_tell(s->pb);
for (i = 0; i < MAX_FRAME_HEADER; i++) {
header[i] = avio_r8(s->pb);
Reported by FlawFinder.
Line: 61
Column: 36
CWE codes:
126
av_log(s, AV_LOG_ERROR, "Header too large.\n");
return AVERROR(EINVAL);
}
if (strncmp(header, Y4M_MAGIC, strlen(Y4M_MAGIC))) {
av_log(s, AV_LOG_ERROR, "Invalid magic number for yuv4mpeg.\n");
return AVERROR(EINVAL);
}
header_end = &header[i + 1]; // Include space
Reported by FlawFinder.
Line: 67
Column: 29
CWE codes:
126
}
header_end = &header[i + 1]; // Include space
for (tokstart = &header[strlen(Y4M_MAGIC) + 1];
tokstart < header_end; tokstart++) {
if (*tokstart == 0x20)
continue;
switch (*tokstart++) {
case 'W': // Width. Required.
Reported by FlawFinder.
Line: 285
Column: 42
CWE codes:
126
else if (i == MAX_FRAME_HEADER)
return AVERROR_INVALIDDATA;
if (strncmp(header, Y4M_FRAME_MAGIC, strlen(Y4M_FRAME_MAGIC)))
return AVERROR_INVALIDDATA;
ret = av_get_packet(s->pb, pkt, s->packet_size - Y4M_FRAME_MAGIC_LEN);
if (ret < 0)
return ret;
Reported by FlawFinder.
libavformat/sierravmd.c
7 issues
Line: 44
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int frame_size;
int64_t frame_offset;
int64_t pts;
unsigned char frame_record[BYTES_PER_FRAME_RECORD];
} vmd_frame;
typedef struct VmdDemuxContext {
int video_stream_index;
int audio_stream_index;
Reported by FlawFinder.
Line: 61
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int64_t audio_sample_counter;
int skiphdr;
unsigned char vmd_header[VMD_HEADER_SIZE];
} VmdDemuxContext;
static int vmd_probe(const AVProbeData *p)
{
int w, h, sample_rate;
Reported by FlawFinder.
Line: 97
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int width, height;
unsigned int total_frames;
int64_t current_audio_pts = 0;
unsigned char chunk[BYTES_PER_FRAME_RECORD];
int num, den;
int sound_buffers;
/* fetch the main header, including the 2 header length bytes */
avio_seek(pb, 0, SEEK_SET);
Reported by FlawFinder.
Line: 131
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if ((ret = ff_alloc_extradata(vst->codecpar, VMD_HEADER_SIZE)) < 0)
return ret;
memcpy(vst->codecpar->extradata, vmd->vmd_header, VMD_HEADER_SIZE);
}
/* if sample rate is 0, assume no audio */
vmd->sample_rate = AV_RL16(&vmd->vmd_header[804]);
if (vmd->sample_rate) {
Reported by FlawFinder.
Line: 232
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vmd->frame_table[total_frames].frame_offset = current_offset;
vmd->frame_table[total_frames].stream_index = vmd->audio_stream_index;
vmd->frame_table[total_frames].frame_size = size;
memcpy(vmd->frame_table[total_frames].frame_record, chunk, BYTES_PER_FRAME_RECORD);
vmd->frame_table[total_frames].pts = current_audio_pts;
total_frames++;
if(!current_audio_pts)
current_audio_pts += sound_buffers - 1;
else
Reported by FlawFinder.
Line: 246
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vmd->frame_table[total_frames].frame_offset = current_offset;
vmd->frame_table[total_frames].stream_index = vmd->video_stream_index;
vmd->frame_table[total_frames].frame_size = size;
memcpy(vmd->frame_table[total_frames].frame_record, chunk, BYTES_PER_FRAME_RECORD);
vmd->frame_table[total_frames].pts = i;
total_frames++;
break;
}
current_offset += size;
Reported by FlawFinder.
Line: 286
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret < 0)
return ret;
pkt->pos= avio_tell(pb);
memcpy(pkt->data, frame->frame_record, BYTES_PER_FRAME_RECORD);
if(vmd->is_indeo3 && frame->frame_record[0] == 0x02)
ret = avio_read(pb, pkt->data, frame->frame_size);
else
ret = avio_read(pb, pkt->data + BYTES_PER_FRAME_RECORD,
frame->frame_size);
Reported by FlawFinder.
libavformat/smoothstreamingenc.c
7 issues
Line: 43
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "libavutil/intreadwrite.h"
typedef struct Fragment {
char file[1024];
char infofile[1024];
int64_t start_time, duration;
int n;
int64_t start_pos, size;
} Fragment;
Reported by FlawFinder.
Line: 44
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct Fragment {
char file[1024];
char infofile[1024];
int64_t start_time, duration;
int n;
int64_t start_pos, size;
} Fragment;
Reported by FlawFinder.
Line: 52
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct OutputStream {
AVFormatContext *ctx;
char dirname[1024];
uint8_t iobuf[32768];
URLContext *out; // Current output stream where all output is written
URLContext *out2; // Auxiliary output stream where all output is also written
URLContext *tail_out; // The actual main output stream, if we're currently seeked back to write elsewhere
int64_t tail_pos, cur_pos, cur_start_pos;
Reported by FlawFinder.
Line: 210
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
SmoothStreamingContext *c = s->priv_data;
AVIOContext *out;
char filename[1024], temp_filename[1024];
int ret, i, video_chunks = 0, audio_chunks = 0, video_streams = 0, audio_streams = 0;
int64_t duration = 0;
snprintf(filename, sizeof(filename), "%s/Manifest", s->url);
snprintf(temp_filename, sizeof(temp_filename), "%s/Manifest.tmp", s->url);
Reported by FlawFinder.
Line: 504
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (i = 0; i < s->nb_streams; i++) {
OutputStream *os = &c->streams[i];
char filename[1024], target_filename[1024], header_filename[1024], curr_dirname[1024];
int64_t size;
int64_t start_ts, duration, moof_size;
if (!os->packets_written)
continue;
Reported by FlawFinder.
Line: 536
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_log(s, AV_LOG_DEBUG, "calculated bitrate: %"PRId64"\n", bitrate);
s->streams[i]->codecpar->bit_rate = bitrate;
memcpy(curr_dirname, os->dirname, sizeof(os->dirname));
snprintf(os->dirname, sizeof(os->dirname), "%s/QualityLevels(%"PRId64")", s->url, s->streams[i]->codecpar->bit_rate);
snprintf(filename, sizeof(filename), "%s/temp", os->dirname);
// rename the tmp folder back to the correct name since we now have the bitrate
if ((ret = ff_rename((const char*)curr_dirname, os->dirname, s)) < 0)
Reported by FlawFinder.
Line: 612
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ism_flush(s, 1);
if (c->remove_at_exit) {
char filename[1024];
snprintf(filename, sizeof(filename), "%s/Manifest", s->url);
unlink(filename);
rmdir(s->url);
}
Reported by FlawFinder.
libavfilter/dnn/dnn_backend_native_layer_pad.c
7 issues
Line: 134
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
+ (h + params->paddings[1][0]) * new_wc_stride
+ (w + params->paddings[2][0]) * new_c_stride
+ params->paddings[3][0];
memcpy(dst, src, channel * sizeof(float));
}
}
}
// handle the first dimension
Reported by FlawFinder.
Line: 152
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else {
int buddy = before_get_buddy(n, before_paddings, params->mode);
float *src = output + buddy * new_hwc_stride;
memcpy(dst, src, new_hwc_stride * sizeof(float));
}
}
for (int n = 0; n < after_paddings; n++) {
int given = number + before_paddings + n;
float *dst = output + given * new_hwc_stride;
Reported by FlawFinder.
Line: 165
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
int buddy = after_get_buddy(given, number + before_paddings, params->mode);
float *src = output + buddy * new_hwc_stride;
memcpy(dst, src, new_hwc_stride * sizeof(float));
}
}
// handle the second dimension
before_paddings = params->paddings[1][0];
Reported by FlawFinder.
Line: 183
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
int buddy = before_get_buddy(h, before_paddings, params->mode);
float *src = start + buddy * new_wc_stride;
memcpy(dst, src, new_wc_stride * sizeof(float));
}
}
for (int h = 0; h < after_paddings; h++) {
int given = height + before_paddings + h;
float *dst = start + given * new_wc_stride;
Reported by FlawFinder.
Line: 196
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
int buddy = after_get_buddy(given, height + before_paddings, params->mode);
float *src = start + buddy * new_wc_stride;
memcpy(dst, src, new_wc_stride * sizeof(float));
}
}
}
// handle the third dimension
Reported by FlawFinder.
Line: 216
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
int buddy = before_get_buddy(w, before_paddings, params->mode);
float *src = start + buddy * new_c_stride;
memcpy(dst, src, new_c_stride * sizeof(float));
}
}
for (int w = 0; w < after_paddings; w++) {
int given = width + before_paddings + w;
float *dst = start + given * new_c_stride;
Reported by FlawFinder.
Line: 229
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
int buddy = after_get_buddy(given, width + before_paddings, params->mode);
float *src = start + buddy * new_c_stride;
memcpy(dst, src, new_c_stride * sizeof(float));
}
}
}
}
Reported by FlawFinder.
libavformat/sctp.c
7 issues
Line: 80
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int recvb;
struct iovec iov;
char incmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
struct msghdr inmsg = { 0 };
struct cmsghdr *cmsg = NULL;
iov.iov_base = msg;
iov.iov_len = len;
Reported by FlawFinder.
Line: 111
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy sinfo. */
if (cmsg)
memcpy(sinfo, CMSG_DATA(cmsg), sizeof(struct sctp_sndrcvinfo));
return recvb;
}
static int ff_sctp_send(int s, const void *msg, size_t len,
Reported by FlawFinder.
Line: 131
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
outmsg.msg_controllen = 0;
if (sinfo) {
char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
struct cmsghdr *cmsg;
outmsg.msg_control = outcmsg;
outmsg.msg_controllen = sizeof(outcmsg);
outmsg.msg_flags = 0;
Reported by FlawFinder.
Line: 144
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmsg->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndrcvinfo));
outmsg.msg_controllen = cmsg->cmsg_len;
memcpy(CMSG_DATA(cmsg), sinfo, sizeof(struct sctp_sndrcvinfo));
}
return sendmsg(s, &outmsg, flags | MSG_NOSIGNAL);
}
Reported by FlawFinder.
Line: 188
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int fd = -1;
SCTPContext *s = h->priv_data;
const char *p;
char buf[256];
int ret;
char hostname[1024], proto[1024], path[1024];
char portstr[10];
av_url_split(proto, sizeof(proto), NULL, 0, hostname, sizeof(hostname),
Reported by FlawFinder.
Line: 190
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *p;
char buf[256];
int ret;
char hostname[1024], proto[1024], path[1024];
char portstr[10];
av_url_split(proto, sizeof(proto), NULL, 0, hostname, sizeof(hostname),
&port, path, sizeof(path), uri);
if (strcmp(proto, "sctp"))
Reported by FlawFinder.
Line: 191
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char buf[256];
int ret;
char hostname[1024], proto[1024], path[1024];
char portstr[10];
av_url_split(proto, sizeof(proto), NULL, 0, hostname, sizeof(hostname),
&port, path, sizeof(path), uri);
if (strcmp(proto, "sctp"))
return AVERROR(EINVAL);
Reported by FlawFinder.