The following issues were found
libswresample/resample.c
7 issues
Line: 357
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error;
if (build_filter(c, (void*)c->filter_bank, factor, c->filter_length, c->filter_alloc, phase_count, 1<<c->filter_shift, filter_type, kaiser_beta))
goto error;
memcpy(c->filter_bank + (c->filter_alloc*phase_count+1)*c->felem_size, c->filter_bank, (c->filter_alloc-1)*c->felem_size);
memcpy(c->filter_bank + (c->filter_alloc*phase_count )*c->felem_size, c->filter_bank + (c->filter_alloc - 1)*c->felem_size, c->felem_size);
}
c->compensation_distance= 0;
if(!av_reduce(&c->src_incr, &c->dst_incr, out_rate, in_rate * (int64_t)phase_count, INT32_MAX/2))
Reported by FlawFinder.
Line: 358
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (build_filter(c, (void*)c->filter_bank, factor, c->filter_length, c->filter_alloc, phase_count, 1<<c->filter_shift, filter_type, kaiser_beta))
goto error;
memcpy(c->filter_bank + (c->filter_alloc*phase_count+1)*c->felem_size, c->filter_bank, (c->filter_alloc-1)*c->felem_size);
memcpy(c->filter_bank + (c->filter_alloc*phase_count )*c->felem_size, c->filter_bank + (c->filter_alloc - 1)*c->felem_size, c->felem_size);
}
c->compensation_distance= 0;
if(!av_reduce(&c->src_incr, &c->dst_incr, out_rate, in_rate * (int64_t)phase_count, INT32_MAX/2))
goto error;
Reported by FlawFinder.
Line: 406
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_freep(&new_filter_bank);
return ret;
}
memcpy(new_filter_bank + (c->filter_alloc*phase_count+1)*c->felem_size, new_filter_bank, (c->filter_alloc-1)*c->felem_size);
memcpy(new_filter_bank + (c->filter_alloc*phase_count )*c->felem_size, new_filter_bank + (c->filter_alloc - 1)*c->felem_size, c->felem_size);
if (!av_reduce(&new_src_incr, &new_dst_incr, c->src_incr,
c->dst_incr * (int64_t)(phase_count/c->phase_count), INT32_MAX/2))
{
Reported by FlawFinder.
Line: 407
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
}
memcpy(new_filter_bank + (c->filter_alloc*phase_count+1)*c->felem_size, new_filter_bank, (c->filter_alloc-1)*c->felem_size);
memcpy(new_filter_bank + (c->filter_alloc*phase_count )*c->felem_size, new_filter_bank + (c->filter_alloc - 1)*c->felem_size, c->felem_size);
if (!av_reduce(&new_src_incr, &new_dst_incr, c->src_incr,
c->dst_incr * (int64_t)(phase_count/c->phase_count), INT32_MAX/2))
{
av_freep(&new_filter_bank);
Reported by FlawFinder.
Line: 558
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_assert0(a->planar);
for(i=0; i<a->ch_count; i++){
for(j=0; j<reflection; j++){
memcpy(a->ch[i] + (s->in_buffer_index+s->in_buffer_count+j )*a->bps,
a->ch[i] + (s->in_buffer_index+s->in_buffer_count-j-1)*a->bps, a->bps);
}
}
s->in_buffer_count += reflection;
return 0;
Reported by FlawFinder.
Line: 581
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
// copy
for (n = *out_sz; n < num; n++) {
for (ch = 0; ch < src->ch_count; ch++) {
memcpy(dst->ch[ch] + ((c->filter_length + n) * c->felem_size),
src->ch[ch] + ((n - *out_sz) * c->felem_size), c->felem_size);
}
}
// if not enough data is in, return and wait for more
Reported by FlawFinder.
Line: 596
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
// else invert
for (n = 1; n <= c->filter_length; n++) {
for (ch = 0; ch < src->ch_count; ch++) {
memcpy(dst->ch[ch] + ((c->filter_length - n) * c->felem_size),
dst->ch[ch] + ((c->filter_length + n) * c->felem_size),
c->felem_size);
}
}
Reported by FlawFinder.
libavformat/wtvdec.c
7 issues
Line: 483
Column: 9
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return;
}
} else if (type == 3 && length == 4) {
strcpy(buf, avio_rl32(pb) ? "true" : "false");
} else if (type == 4 && length == 8) {
int64_t num = avio_rl64(pb);
if (!strcmp(key, "WM/EncodingTime") ||
!strcmp(key, "WM/MediaOriginalBroadcastDateTime")) {
if (filetime_to_iso8601(buf, buf_size, num) < 0) {
Reported by FlawFinder.
Line: 506
Column: 13
CWE codes:
134
Suggestion:
Use a constant for the format specification
} else if (!strcmp(key, "WM/WMRVBitrate"))
snprintf(buf, buf_size, "%f", av_int2double(num));
else
snprintf(buf, buf_size, "%"PRIi64, num);
} else if (type == 5 && length == 2) {
snprintf(buf, buf_size, "%u", avio_rl16(pb));
} else if (type == 6 && length == 16) {
ff_asf_guid guid;
avio_read(pb, guid, 16);
Reported by FlawFinder.
Line: 512
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
} else if (type == 6 && length == 16) {
ff_asf_guid guid;
avio_read(pb, guid, 16);
snprintf(buf, buf_size, PRI_PRETTY_GUID, ARG_PRETTY_GUID(guid));
} else if (type == 2 && !strcmp(key, "WM/Picture")) {
get_attachment(s, pb, length);
av_freep(&buf);
return;
} else {
Reported by FlawFinder.
Line: 433
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void get_attachment(AVFormatContext *s, AVIOContext *pb, int length)
{
char mime[1024];
char description[1024];
unsigned int filesize;
AVStream *st;
int64_t pos = avio_tell(pb);
Reported by FlawFinder.
Line: 434
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void get_attachment(AVFormatContext *s, AVIOContext *pb, int length)
{
char mime[1024];
char description[1024];
unsigned int filesize;
AVStream *st;
int64_t pos = avio_tell(pb);
avio_get_str16le(pb, INT_MAX, mime, sizeof(mime));
Reported by FlawFinder.
Line: 536
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ff_asf_guid guid;
int length, type;
while(!avio_feof(pb)) {
char key[1024];
ff_get_guid(pb, &guid);
type = avio_rl32(pb);
length = avio_rl32(pb);
if (!length)
break;
Reported by FlawFinder.
Line: 478
Column: 14
CWE codes:
126
snprintf(buf, buf_size, "%u", avio_rl32(pb));
} else if (type == 1) {
avio_get_str16le(pb, length, buf, buf_size);
if (!strlen(buf)) {
av_free(buf);
return;
}
} else if (type == 3 && length == 4) {
strcpy(buf, avio_rl32(pb) ? "true" : "false");
Reported by FlawFinder.
libavformat/yuv4mpegdec.c
7 issues
Line: 35
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int yuv4_read_header(AVFormatContext *s)
{
char header[MAX_YUV4_HEADER + 10]; // Include headroom for
// the longest option
char *tokstart, *tokend, *header_end;
int i;
AVIOContext *pb = s->pb;
int width = -1, height = -1, raten = 0,
Reported by FlawFinder.
Line: 84
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
static const struct {
#define MAX_PIX_FMT_LENGTH 8
char name[MAX_PIX_FMT_LENGTH + 1];
#undef MAX_PIX_FMT_LENGTH
enum AVPixelFormat pix_fmt;
enum AVChromaLocation chroma_loc;
} pix_fmt_array[] = {
{ "420jpeg", AV_PIX_FMT_YUV420P, AVCHROMA_LOC_CENTER },
Reported by FlawFinder.
Line: 171
Column: 21
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (strncmp("YSCSS=", tokstart, 6) == 0) {
static const struct {
#define MAX_PIX_FMT_LENGTH 8
char name[MAX_PIX_FMT_LENGTH + 1];
#undef MAX_PIX_FMT_LENGTH
enum AVPixelFormat pix_fmt;
} pix_fmt_array[] = {
{ "420JPEG", AV_PIX_FMT_YUV420P },
{ "420MPEG2", AV_PIX_FMT_YUV420P },
Reported by FlawFinder.
Line: 267
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int yuv4_read_packet(AVFormatContext *s, AVPacket *pkt)
{
int i;
char header[MAX_FRAME_HEADER+1];
int ret;
int64_t off = avio_tell(s->pb);
for (i = 0; i < MAX_FRAME_HEADER; i++) {
header[i] = avio_r8(s->pb);
Reported by FlawFinder.
Line: 61
Column: 36
CWE codes:
126
av_log(s, AV_LOG_ERROR, "Header too large.\n");
return AVERROR(EINVAL);
}
if (strncmp(header, Y4M_MAGIC, strlen(Y4M_MAGIC))) {
av_log(s, AV_LOG_ERROR, "Invalid magic number for yuv4mpeg.\n");
return AVERROR(EINVAL);
}
header_end = &header[i + 1]; // Include space
Reported by FlawFinder.
Line: 67
Column: 29
CWE codes:
126
}
header_end = &header[i + 1]; // Include space
for (tokstart = &header[strlen(Y4M_MAGIC) + 1];
tokstart < header_end; tokstart++) {
if (*tokstart == 0x20)
continue;
switch (*tokstart++) {
case 'W': // Width. Required.
Reported by FlawFinder.
Line: 285
Column: 42
CWE codes:
126
else if (i == MAX_FRAME_HEADER)
return AVERROR_INVALIDDATA;
if (strncmp(header, Y4M_FRAME_MAGIC, strlen(Y4M_FRAME_MAGIC)))
return AVERROR_INVALIDDATA;
ret = av_get_packet(s->pb, pkt, s->packet_size - Y4M_FRAME_MAGIC_LEN);
if (ret < 0)
return ret;
Reported by FlawFinder.
libavcodec/ffv1dec.c
7 issues
Line: 137
CWE codes:
786
sample[0] = sample[1];
sample[1] = temp;
sample[1][-1] = sample[0][0];
sample[0][w] = sample[0][w - 1];
if (s->avctx->bits_per_raw_sample <= 8) {
int ret = decode_line(s, w, sample, plane_index, 8);
if (ret < 0)
Reported by Cppcheck.
Line: 273
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_free(pdst->state);
av_free(pdst->vlc_state);
memcpy(pdst, psrc, sizeof(*pdst));
pdst->state = NULL;
pdst->vlc_state = NULL;
if (fssrc->ac) {
pdst->state = av_malloc_array(CONTEXT_SIZE, psrc->context_count);
Reported by FlawFinder.
Line: 279
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (fssrc->ac) {
pdst->state = av_malloc_array(CONTEXT_SIZE, psrc->context_count);
memcpy(pdst->state, psrc->state, CONTEXT_SIZE * psrc->context_count);
} else {
pdst->vlc_state = av_malloc_array(sizeof(*pdst->vlc_state), psrc->context_count);
memcpy(pdst->vlc_state, psrc->vlc_state, sizeof(*pdst->vlc_state) * psrc->context_count);
}
}
Reported by FlawFinder.
Line: 282
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(pdst->state, psrc->state, CONTEXT_SIZE * psrc->context_count);
} else {
pdst->vlc_state = av_malloc_array(sizeof(*pdst->vlc_state), psrc->context_count);
memcpy(pdst->vlc_state, psrc->vlc_state, sizeof(*pdst->vlc_state) * psrc->context_count);
}
}
}
fs->slice_rct_by_coef = 1;
Reported by FlawFinder.
Line: 1023
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ThreadFrame picture = fdst->picture, last_picture = fdst->last_picture;
uint8_t (*initial_states[MAX_QUANT_TABLES])[32];
struct FFV1Context *slice_context[MAX_SLICES];
memcpy(initial_states, fdst->initial_states, sizeof(fdst->initial_states));
memcpy(slice_context, fdst->slice_context , sizeof(fdst->slice_context));
memcpy(fdst, fsrc, sizeof(*fdst));
memcpy(fdst->initial_states, initial_states, sizeof(fdst->initial_states));
memcpy(fdst->slice_context, slice_context , sizeof(fdst->slice_context));
Reported by FlawFinder.
Line: 1024
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
uint8_t (*initial_states[MAX_QUANT_TABLES])[32];
struct FFV1Context *slice_context[MAX_SLICES];
memcpy(initial_states, fdst->initial_states, sizeof(fdst->initial_states));
memcpy(slice_context, fdst->slice_context , sizeof(fdst->slice_context));
memcpy(fdst, fsrc, sizeof(*fdst));
memcpy(fdst->initial_states, initial_states, sizeof(fdst->initial_states));
memcpy(fdst->slice_context, slice_context , sizeof(fdst->slice_context));
fdst->picture = picture;
Reported by FlawFinder.
Line: 1026
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(initial_states, fdst->initial_states, sizeof(fdst->initial_states));
memcpy(slice_context, fdst->slice_context , sizeof(fdst->slice_context));
memcpy(fdst, fsrc, sizeof(*fdst));
memcpy(fdst->initial_states, initial_states, sizeof(fdst->initial_states));
memcpy(fdst->slice_context, slice_context , sizeof(fdst->slice_context));
fdst->picture = picture;
fdst->last_picture = last_picture;
for (i = 0; i<fdst->num_h_slices * fdst->num_v_slices; i++) {
Reported by FlawFinder.
libavcodec/exr.c
7 issues
Line: 667
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#if HAVE_BIGENDIAN
s->bbdsp.bswap16_buf(out, in, td->xsize * pixel_half_size);
#else
memcpy(out, in, td->xsize * 2 * pixel_half_size);
#endif
out += td->xsize * pixel_half_size;
}
}
Reported by FlawFinder.
Line: 876
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (y = 0; y < td->ysize; y++) {
index_out = target_channel_offset * td->xsize + y * td->channel_line_size;
memcpy(&td->uncompressed_data[index_out], sr, td->xsize * 4);
sr += td->xsize * 4;
}
target_channel_offset += 4;
stay_to_uncompress -= td->ysize * td->xsize * 4;
Reported by FlawFinder.
Line: 1524
Column: 23
CWE codes:
126
if (bytestream2_get_bytes_left(gb) >= minimum_length &&
!strcmp(gb->buffer, value_name)) {
// found value_name, jump to value_type (null terminated strings)
gb->buffer += strlen(value_name) + 1;
if (!strcmp(gb->buffer, value_type)) {
gb->buffer += strlen(value_type) + 1;
var_size = bytestream2_get_le32(gb);
// don't go read past boundaries
if (var_size > bytestream2_get_bytes_left(gb))
Reported by FlawFinder.
Line: 1526
Column: 27
CWE codes:
126
// found value_name, jump to value_type (null terminated strings)
gb->buffer += strlen(value_name) + 1;
if (!strcmp(gb->buffer, value_type)) {
gb->buffer += strlen(value_type) + 1;
var_size = bytestream2_get_le32(gb);
// don't go read past boundaries
if (var_size > bytestream2_get_bytes_left(gb))
var_size = 0;
} else {
Reported by FlawFinder.
Line: 1533
Column: 27
CWE codes:
126
var_size = 0;
} else {
// value_type not found, reset the buffer
gb->buffer -= strlen(value_name) + 1;
av_log(s->avctx, AV_LOG_WARNING,
"Unknown data type %s for header variable %s.\n",
value_type, value_name);
}
}
Reported by FlawFinder.
Line: 1659
Column: 57
CWE codes:
126
int xsub, ysub;
if (strcmp(s->layer, "") != 0) {
if (strncmp(ch_gb.buffer, s->layer, strlen(s->layer)) == 0) {
layer_match = 1;
av_log(s->avctx, AV_LOG_INFO,
"Channel match layer : %s.\n", ch_gb.buffer);
ch_gb.buffer += strlen(s->layer);
if (*ch_gb.buffer == '.')
Reported by FlawFinder.
Line: 1663
Column: 41
CWE codes:
126
layer_match = 1;
av_log(s->avctx, AV_LOG_INFO,
"Channel match layer : %s.\n", ch_gb.buffer);
ch_gb.buffer += strlen(s->layer);
if (*ch_gb.buffer == '.')
ch_gb.buffer++; /* skip dot if not given */
} else {
layer_match = 0;
av_log(s->avctx, AV_LOG_INFO,
Reported by FlawFinder.
libavformat/sierravmd.c
7 issues
Line: 44
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int frame_size;
int64_t frame_offset;
int64_t pts;
unsigned char frame_record[BYTES_PER_FRAME_RECORD];
} vmd_frame;
typedef struct VmdDemuxContext {
int video_stream_index;
int audio_stream_index;
Reported by FlawFinder.
Line: 61
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int64_t audio_sample_counter;
int skiphdr;
unsigned char vmd_header[VMD_HEADER_SIZE];
} VmdDemuxContext;
static int vmd_probe(const AVProbeData *p)
{
int w, h, sample_rate;
Reported by FlawFinder.
Line: 97
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int width, height;
unsigned int total_frames;
int64_t current_audio_pts = 0;
unsigned char chunk[BYTES_PER_FRAME_RECORD];
int num, den;
int sound_buffers;
/* fetch the main header, including the 2 header length bytes */
avio_seek(pb, 0, SEEK_SET);
Reported by FlawFinder.
Line: 131
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if ((ret = ff_alloc_extradata(vst->codecpar, VMD_HEADER_SIZE)) < 0)
return ret;
memcpy(vst->codecpar->extradata, vmd->vmd_header, VMD_HEADER_SIZE);
}
/* if sample rate is 0, assume no audio */
vmd->sample_rate = AV_RL16(&vmd->vmd_header[804]);
if (vmd->sample_rate) {
Reported by FlawFinder.
Line: 232
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vmd->frame_table[total_frames].frame_offset = current_offset;
vmd->frame_table[total_frames].stream_index = vmd->audio_stream_index;
vmd->frame_table[total_frames].frame_size = size;
memcpy(vmd->frame_table[total_frames].frame_record, chunk, BYTES_PER_FRAME_RECORD);
vmd->frame_table[total_frames].pts = current_audio_pts;
total_frames++;
if(!current_audio_pts)
current_audio_pts += sound_buffers - 1;
else
Reported by FlawFinder.
Line: 246
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vmd->frame_table[total_frames].frame_offset = current_offset;
vmd->frame_table[total_frames].stream_index = vmd->video_stream_index;
vmd->frame_table[total_frames].frame_size = size;
memcpy(vmd->frame_table[total_frames].frame_record, chunk, BYTES_PER_FRAME_RECORD);
vmd->frame_table[total_frames].pts = i;
total_frames++;
break;
}
current_offset += size;
Reported by FlawFinder.
Line: 286
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret < 0)
return ret;
pkt->pos= avio_tell(pb);
memcpy(pkt->data, frame->frame_record, BYTES_PER_FRAME_RECORD);
if(vmd->is_indeo3 && frame->frame_record[0] == 0x02)
ret = avio_read(pb, pkt->data, frame->frame_size);
else
ret = avio_read(pb, pkt->data + BYTES_PER_FRAME_RECORD,
frame->frame_size);
Reported by FlawFinder.
libavformat/smoothstreamingenc.c
7 issues
Line: 43
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "libavutil/intreadwrite.h"
typedef struct Fragment {
char file[1024];
char infofile[1024];
int64_t start_time, duration;
int n;
int64_t start_pos, size;
} Fragment;
Reported by FlawFinder.
Line: 44
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct Fragment {
char file[1024];
char infofile[1024];
int64_t start_time, duration;
int n;
int64_t start_pos, size;
} Fragment;
Reported by FlawFinder.
Line: 52
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct OutputStream {
AVFormatContext *ctx;
char dirname[1024];
uint8_t iobuf[32768];
URLContext *out; // Current output stream where all output is written
URLContext *out2; // Auxiliary output stream where all output is also written
URLContext *tail_out; // The actual main output stream, if we're currently seeked back to write elsewhere
int64_t tail_pos, cur_pos, cur_start_pos;
Reported by FlawFinder.
Line: 210
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
SmoothStreamingContext *c = s->priv_data;
AVIOContext *out;
char filename[1024], temp_filename[1024];
int ret, i, video_chunks = 0, audio_chunks = 0, video_streams = 0, audio_streams = 0;
int64_t duration = 0;
snprintf(filename, sizeof(filename), "%s/Manifest", s->url);
snprintf(temp_filename, sizeof(temp_filename), "%s/Manifest.tmp", s->url);
Reported by FlawFinder.
Line: 504
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (i = 0; i < s->nb_streams; i++) {
OutputStream *os = &c->streams[i];
char filename[1024], target_filename[1024], header_filename[1024], curr_dirname[1024];
int64_t size;
int64_t start_ts, duration, moof_size;
if (!os->packets_written)
continue;
Reported by FlawFinder.
Line: 536
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_log(s, AV_LOG_DEBUG, "calculated bitrate: %"PRId64"\n", bitrate);
s->streams[i]->codecpar->bit_rate = bitrate;
memcpy(curr_dirname, os->dirname, sizeof(os->dirname));
snprintf(os->dirname, sizeof(os->dirname), "%s/QualityLevels(%"PRId64")", s->url, s->streams[i]->codecpar->bit_rate);
snprintf(filename, sizeof(filename), "%s/temp", os->dirname);
// rename the tmp folder back to the correct name since we now have the bitrate
if ((ret = ff_rename((const char*)curr_dirname, os->dirname, s)) < 0)
Reported by FlawFinder.
Line: 612
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ism_flush(s, 1);
if (c->remove_at_exit) {
char filename[1024];
snprintf(filename, sizeof(filename), "%s/Manifest", s->url);
unlink(filename);
rmdir(s->url);
}
Reported by FlawFinder.
libavcodec/dxva2_mpeg2.c
7 issues
Line: 186
CWE codes:
908
}
#endif
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
DXVA_SliceInfo *slice = &ctx_pic->slice[i];
Reported by Cppcheck.
Line: 187
CWE codes:
908
#endif
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
DXVA_SliceInfo *slice = &ctx_pic->slice[i];
unsigned position = slice->dwSliceDataLocation;
Reported by Cppcheck.
Line: 188
CWE codes:
908
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
DXVA_SliceInfo *slice = &ctx_pic->slice[i];
unsigned position = slice->dwSliceDataLocation;
unsigned size = slice->dwSliceBitsInBuffer / 8;
Reported by Cppcheck.
Line: 188
CWE codes:
908
dxva_data = dxva_data_ptr;
current = dxva_data;
end = dxva_data + dxva_size;
for (i = 0; i < ctx_pic->slice_count; i++) {
DXVA_SliceInfo *slice = &ctx_pic->slice[i];
unsigned position = slice->dwSliceDataLocation;
unsigned size = slice->dwSliceBitsInBuffer / 8;
Reported by Cppcheck.
Line: 198
CWE codes:
908
av_log(avctx, AV_LOG_ERROR, "Failed to build bitstream");
break;
}
slice->dwSliceDataLocation = current - dxva_data;
if (i < ctx_pic->slice_count - 1)
slice->wNumberMBsInSlice =
slice[1].wNumberMBsInSlice - slice[0].wNumberMBsInSlice;
else
Reported by Cppcheck.
Line: 247
CWE codes:
908
#endif
return ff_dxva2_commit_buffer(avctx, ctx, sc,
type,
ctx_pic->slice,
ctx_pic->slice_count * sizeof(*ctx_pic->slice),
mb_count);
}
Reported by Cppcheck.
Line: 207
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
slice->wNumberMBsInSlice =
mb_count - slice[0].wNumberMBsInSlice;
memcpy(current, &ctx_pic->bitstream[position], size);
current += size;
}
#if CONFIG_D3D11VA
if (ff_dxva2_is_d3d11(avctx))
if (FAILED(ID3D11VideoContext_ReleaseDecoderBuffer(D3D11VA_CONTEXT(ctx)->video_context, D3D11VA_CONTEXT(ctx)->decoder, type)))
Reported by FlawFinder.
libavformat/sctp.c
7 issues
Line: 80
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int recvb;
struct iovec iov;
char incmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
struct msghdr inmsg = { 0 };
struct cmsghdr *cmsg = NULL;
iov.iov_base = msg;
iov.iov_len = len;
Reported by FlawFinder.
Line: 111
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy sinfo. */
if (cmsg)
memcpy(sinfo, CMSG_DATA(cmsg), sizeof(struct sctp_sndrcvinfo));
return recvb;
}
static int ff_sctp_send(int s, const void *msg, size_t len,
Reported by FlawFinder.
Line: 131
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
outmsg.msg_controllen = 0;
if (sinfo) {
char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
struct cmsghdr *cmsg;
outmsg.msg_control = outcmsg;
outmsg.msg_controllen = sizeof(outcmsg);
outmsg.msg_flags = 0;
Reported by FlawFinder.
Line: 144
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmsg->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndrcvinfo));
outmsg.msg_controllen = cmsg->cmsg_len;
memcpy(CMSG_DATA(cmsg), sinfo, sizeof(struct sctp_sndrcvinfo));
}
return sendmsg(s, &outmsg, flags | MSG_NOSIGNAL);
}
Reported by FlawFinder.
Line: 188
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int fd = -1;
SCTPContext *s = h->priv_data;
const char *p;
char buf[256];
int ret;
char hostname[1024], proto[1024], path[1024];
char portstr[10];
av_url_split(proto, sizeof(proto), NULL, 0, hostname, sizeof(hostname),
Reported by FlawFinder.
Line: 190
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *p;
char buf[256];
int ret;
char hostname[1024], proto[1024], path[1024];
char portstr[10];
av_url_split(proto, sizeof(proto), NULL, 0, hostname, sizeof(hostname),
&port, path, sizeof(path), uri);
if (strcmp(proto, "sctp"))
Reported by FlawFinder.
Line: 191
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char buf[256];
int ret;
char hostname[1024], proto[1024], path[1024];
char portstr[10];
av_url_split(proto, sizeof(proto), NULL, 0, hostname, sizeof(hostname),
&port, path, sizeof(path), uri);
if (strcmp(proto, "sctp"))
return AVERROR(EINVAL);
Reported by FlawFinder.
libavcodec/dvdsubdec.c
7 issues
Line: 488
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!bitmap)
return 1;
for(y = 0; y < h; y++) {
memcpy(bitmap + w * y, s->rects[0]->data[0] + x1 + (y1 + y) * s->rects[0]->linesize[0], w);
}
av_freep(&s->rects[0]->data[0]);
s->rects[0]->data[0] = bitmap;
s->rects[0]->linesize[0] = w;
s->rects[0]->w = w;
Reported by FlawFinder.
Line: 511
Column: 9
CWE codes:
362
int back[3] = {0, 255, 0}; /* green background */
FILE *f;
f = fopen(filename, "w");
if (!f) {
perror(filename);
return;
}
fprintf(f, "P6\n"
Reported by FlawFinder.
Line: 545
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->buf_size = 0;
return AVERROR_INVALIDDATA;
}
memcpy(ctx->buf + ctx->buf_size, buf, buf_size);
ctx->buf_size += buf_size;
return 0;
}
static int dvdsub_decode(AVCodecContext *avctx,
Reported by FlawFinder.
Line: 594
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#if defined(DEBUG)
{
char ppm_name[32];
snprintf(ppm_name, sizeof(ppm_name), "/tmp/%05d.ppm", ctx->sub_id++);
ff_dlog(NULL, "start=%d ms end =%d ms\n",
sub->start_display_time,
sub->end_display_time);
Reported by FlawFinder.
Line: 613
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int parse_ifo_palette(DVDSubContext *ctx, char *p)
{
FILE *ifo;
char ifostr[12];
uint32_t sp_pgci, pgci, off_pgc, pgc;
uint8_t r, g, b, yuv[65], *buf;
int i, y, cb, cr, r_add, g_add, b_add;
int ret = 0;
const uint8_t *cm = ff_crop_tab + MAX_NEG_CROP;
Reported by FlawFinder.
Line: 621
Column: 16
CWE codes:
362
const uint8_t *cm = ff_crop_tab + MAX_NEG_CROP;
ctx->has_palette = 0;
if ((ifo = fopen(p, "r")) == NULL) {
av_log(ctx, AV_LOG_WARNING, "Unable to open IFO file \"%s\": %s\n", p, av_err2str(AVERROR(errno)));
return AVERROR_EOF;
}
if (fread(ifostr, 12, 1, ifo) != 1 || memcmp(ifostr, "DVDVIDEO-VTS", 12)) {
av_log(ctx, AV_LOG_WARNING, "\"%s\" is not a proper IFO file\n", p);
Reported by FlawFinder.
Line: 682
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dataorig = data = av_malloc(avctx->extradata_size+1);
if (!data)
return AVERROR(ENOMEM);
memcpy(data, avctx->extradata, avctx->extradata_size);
data[avctx->extradata_size] = '\0';
for(;;) {
int pos = strcspn(data, "\n\r");
if (pos==0 && *data==0)
Reported by FlawFinder.