The following issues were found
libavcodec/proresenc_kostya.c
5 issues
Line: 303
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bh = FFMIN(h - y, 16);
for (j = 0; j < bh; j++) {
memcpy(emu_buf + j * 16,
(const uint8_t*)src + j * linesize,
bw * sizeof(*src));
pix = emu_buf[j * 16 + bw - 1];
for (k = bw; k < mb_width; k++)
emu_buf[j * 16 + k] = pix;
Reported by FlawFinder.
Line: 311
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
emu_buf[j * 16 + k] = pix;
}
for (; j < 16; j++)
memcpy(emu_buf + j * 16,
emu_buf + (bh - 1) * 16,
mb_width * sizeof(*emu_buf));
}
if (!is_chroma) {
ctx->fdct(&ctx->fdsp, esrc, elinesize, blocks);
Reported by FlawFinder.
Line: 355
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
copy_w = FFMIN(w - x, slice_width);
copy_h = FFMIN(h - y, 16);
for (i = 0; i < copy_h; i++) {
memcpy(blocks, src, copy_w * sizeof(*src));
if (abits == 8)
for (j = 0; j < copy_w; j++)
blocks[j] >>= 2;
else
for (j = 0; j < copy_w; j++)
Reported by FlawFinder.
Line: 368
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src += linesize >> 1;
}
for (; i < 16; i++) {
memcpy(blocks, blocks - slice_width, slice_width * sizeof(*blocks));
blocks += slice_width;
}
}
/**
Reported by FlawFinder.
Line: 1248
Column: 9
CWE codes:
126
ctx->quant_chroma_mat = prores_quant_matrices[ctx->quant_sel];
}
if (strlen(ctx->vendor) != 4) {
av_log(avctx, AV_LOG_ERROR, "vendor ID should be 4 bytes\n");
return AVERROR_INVALIDDATA;
}
ctx->force_quant = avctx->global_quality / FF_QP2LAMBDA;
Reported by FlawFinder.
libavcodec/h264_ps.c
5 issues
Line: 259
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int i, last = 8, next = 8;
const uint8_t *scan = size == 16 ? ff_zigzag_scan : ff_zigzag_direct;
if (!get_bits1(gb)) /* matrix not written, we use the predicted one */
memcpy(factors, fallback_list, size * sizeof(uint8_t));
else
for (i = 0; i < size; i++) {
if (next) {
int v = get_se_golomb(gb);
if (v < -128 || v > 127) {
Reported by FlawFinder.
Line: 271
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
next = (last + v) & 0xff;
}
if (!i && !next) { /* matrix not written, we use the preset one */
memcpy(factors, jvt_list, size * sizeof(uint8_t));
break;
}
last = factors[scan[i]] = next ? next : last;
}
return 0;
Reported by FlawFinder.
Line: 353
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_log(avctx, AV_LOG_DEBUG, "Truncating likely oversized SPS\n");
sps->data_size = sizeof(sps->data);
}
memcpy(sps->data, gb->buffer, sps->data_size);
profile_idc = get_bits(gb, 8);
constraint_set_flags |= get_bits1(gb) << 0; // constraint_set0_flag
constraint_set_flags |= get_bits1(gb) << 1; // constraint_set1_flag
constraint_set_flags |= get_bits1(gb) << 2; // constraint_set2_flag
Reported by FlawFinder.
Line: 607
Column: 22
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
sps->sar.den = 1;
if (avctx->debug & FF_DEBUG_PICT_INFO) {
static const char csp[4][5] = { "Gray", "420", "422", "444" };
av_log(avctx, AV_LOG_DEBUG,
"sps:%u profile:%d/%d poc:%d ref:%d %dx%d %s %s crop:%u/%u/%u/%u %s %s %"PRId32"/%"PRId32" b%d reo:%d\n",
sps_id, sps->profile_idc, sps->level_idc,
sps->poc_type,
sps->ref_frame_count,
Reported by FlawFinder.
Line: 782
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pps->data_size, sizeof(pps->data));
pps->data_size = sizeof(pps->data);
}
memcpy(pps->data, gb->buffer, pps->data_size);
pps->sps_id = get_ue_golomb_31(gb);
if ((unsigned)pps->sps_id >= MAX_SPS_COUNT ||
!ps->sps_list[pps->sps_id]) {
av_log(avctx, AV_LOG_ERROR, "sps_id %u out of range\n", pps->sps_id);
Reported by FlawFinder.
libavfilter/af_aiir.c
5 issues
Line: 857
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
biquad_process(impulse, resp, length - 1,
1., 0., 0., biquad->a[1], biquad->a[2]);
memcpy(M + n * 2 * (length - 1), resp, sizeof(*resp) * (length - 1));
memcpy(M + n * 2 * (length - 1) + length, resp, sizeof(*resp) * (length - 2));
memset(resp, 0, length * sizeof(*resp));
}
solve(M, &y[1], length - 1, &impulse[1], resp, W);
Reported by FlawFinder.
Line: 858
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
1., 0., 0., biquad->a[1], biquad->a[2]);
memcpy(M + n * 2 * (length - 1), resp, sizeof(*resp) * (length - 1));
memcpy(M + n * 2 * (length - 1) + length, resp, sizeof(*resp) * (length - 2));
memset(resp, 0, length * sizeof(*resp));
}
solve(M, &y[1], length - 1, &impulse[1], resp, W);
Reported by FlawFinder.
Line: 980
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!temp0 || !temp1)
goto next;
memcpy(temp0, iir->ab[0], iir->nb_ab[0] * sizeof(*temp0));
memcpy(temp1, iir->ab[1], iir->nb_ab[1] * sizeof(*temp1));
for (int n = 0; n < iir->nb_ab[0]; n++)
iir->ab[0][n] = coef_sf2zf(temp0, iir->nb_ab[0] - 1, n);
Reported by FlawFinder.
Line: 981
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto next;
memcpy(temp0, iir->ab[0], iir->nb_ab[0] * sizeof(*temp0));
memcpy(temp1, iir->ab[1], iir->nb_ab[1] * sizeof(*temp1));
for (int n = 0; n < iir->nb_ab[0]; n++)
iir->ab[0][n] = coef_sf2zf(temp0, iir->nb_ab[0] - 1, n);
for (int n = 0; n < iir->nb_ab[1]; n++)
Reported by FlawFinder.
Line: 1148
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
double *mag, *phase, *temp, *delay, min = DBL_MAX, max = -DBL_MAX;
double min_delay = DBL_MAX, max_delay = -DBL_MAX, min_phase, max_phase;
int prev_ymag = -1, prev_yphase = -1, prev_ydelay = -1;
char text[32];
int ch, i;
memset(out->data[0], 0, s->h * out->linesize[0]);
phase = av_malloc_array(s->w, sizeof(*phase));
Reported by FlawFinder.
libavfilter/af_atempo.c
5 issues
Line: 454
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (na) {
uint8_t *a = atempo->buffer + atempo->tail * atempo->stride;
memcpy(a, src, na * atempo->stride);
src += na * atempo->stride;
atempo->position[0] += na;
atempo->size = FFMIN(atempo->size + na, atempo->ring);
Reported by FlawFinder.
Line: 469
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nb) {
uint8_t *b = atempo->buffer;
memcpy(b, src, nb * atempo->stride);
src += nb * atempo->stride;
atempo->position[0] += nb;
atempo->size = FFMIN(atempo->size + nb, atempo->ring);
Reported by FlawFinder.
Line: 565
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
n1 = nsamples - zeros - n0;
if (n0) {
memcpy(dst, a + i0 * atempo->stride, n0 * atempo->stride);
dst += n0 * atempo->stride;
}
if (n1) {
memcpy(dst, b + i1 * atempo->stride, n1 * atempo->stride);
Reported by FlawFinder.
Line: 570
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (n1) {
memcpy(dst, b + i1 * atempo->stride, n1 * atempo->stride);
}
return 0;
}
Reported by FlawFinder.
Line: 971
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst_size = dst_end - dst;
nbytes = FFMIN(src_size, dst_size);
memcpy(dst, src, nbytes);
dst += nbytes;
atempo->position[1] += (nbytes / atempo->stride);
// pass-back the updated destination buffer pointer:
Reported by FlawFinder.
libavfilter/af_channelmap.c
5 issues
Line: 125
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ChannelMapContext *s = ctx->priv;
char *mapping, separator = '|';
int map_entries = 0;
char buf[256];
enum MappingMode mode;
uint64_t out_ch_mask = 0;
int i;
mapping = s->mapping_str;
Reported by FlawFinder.
Line: 307
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ch;
uint8_t *source_planes[MAX_CH];
memcpy(source_planes, buf->extended_data,
nch_in * sizeof(source_planes[0]));
if (nch_out > nch_in) {
if (nch_out > FF_ARRAY_ELEMS(buf->data)) {
uint8_t **new_extended_data =
Reported by FlawFinder.
Line: 336
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (buf->data != buf->extended_data)
memcpy(buf->data, buf->extended_data,
FFMIN(FF_ARRAY_ELEMS(buf->data), nch_out) * sizeof(buf->data[0]));
buf->channel_layout = outlink->channel_layout;
buf->channels = outlink->channels;
Reported by FlawFinder.
Line: 352
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int nb_channels = inlink->channels;
int i, err = 0;
const char *channel_name;
char layout_name[256];
for (i = 0; i < s->nch; i++) {
struct ChannelMap *m = &s->map[i];
if (s->mode == MAP_PAIR_STR_INT || s->mode == MAP_PAIR_STR_STR) {
Reported by FlawFinder.
Line: 98
Column: 11
CWE codes:
126
next = split(*map, delim);
if (!next && delim == '-')
return AVERROR(EINVAL);
len = strlen(*map);
sscanf(*map, "%d%n", ch, &n);
if (n != len)
return AVERROR(EINVAL);
if (*ch < 0 || *ch > max_ch)
return AVERROR(EINVAL);
Reported by FlawFinder.
libavfilter/af_afir.c
5 issues
Line: 141
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
block = (float *)seg->block->extended_data[ch] + seg->part_index[ch] * seg->block_size;
memset(block + seg->part_size, 0, sizeof(*block) * (seg->fft_length - seg->part_size));
memcpy(block, src, sizeof(*src) * seg->part_size);
av_rdft_calc(seg->rdft[ch], block);
block[2 * seg->part_size] = block[1];
block[1] = 0;
Reported by FlawFinder.
Line: 167
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf = (float *)seg->buffer->extended_data[ch];
fir_fadd(s, buf, sum, seg->part_size);
memcpy(dst, buf, seg->part_size * sizeof(*dst));
buf = (float *)seg->buffer->extended_data[ch];
memcpy(buf, sum + seg->part_size, seg->part_size * sizeof(*buf));
seg->part_index[ch] = (seg->part_index[ch] + 1) % seg->nb_partitions;
Reported by FlawFinder.
Line: 170
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst, buf, seg->part_size * sizeof(*dst));
buf = (float *)seg->buffer->extended_data[ch];
memcpy(buf, sum + seg->part_size, seg->part_size * sizeof(*buf));
seg->part_index[ch] = (seg->part_index[ch] + 1) % seg->nb_partitions;
memmove(src, src + s->min_part_size, (seg->input_size - s->min_part_size) * sizeof(*src));
Reported by FlawFinder.
Line: 296
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
float *mag, *phase, *delay, min = FLT_MAX, max = FLT_MIN;
float min_delay = FLT_MAX, max_delay = FLT_MIN;
int prev_ymag = -1, prev_yphase = -1, prev_ydelay = -1;
char text[32];
int channel, i, x;
memset(out->data[0], 0, s->h * out->linesize[0]);
phase = av_malloc_array(s->w, sizeof(*phase));
Reported by FlawFinder.
Line: 581
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memset(block, 0, sizeof(*block) * seg->fft_length);
memcpy(block, time + toffset, size * sizeof(*block));
av_rdft_calc(seg->rdft[0], block);
coeff[coffset].re = block[0] * scale;
coeff[coffset].im = 0;
Reported by FlawFinder.
libavcodec/opusenc_psy.c
5 issues
Line: 42
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
float *Y_orig = f->block[1].coeffs + (ff_celt_freq_bands[band] << f->size);
OPUS_RC_CHECKPOINT_SPAWN(rc);
memcpy(X, X_orig, band_size*sizeof(float));
if (Y)
memcpy(Y, Y_orig, band_size*sizeof(float));
f->remaining2 = ((f->framebits << 3) - f->anticollapse_needed) - opus_rc_tell_frac(rc) - 1;
if (band <= f->coded_bands - 1) {
Reported by FlawFinder.
Line: 44
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(X, X_orig, band_size*sizeof(float));
if (Y)
memcpy(Y, Y_orig, band_size*sizeof(float));
f->remaining2 = ((f->framebits << 3) - f->anticollapse_needed) - opus_rc_tell_frac(rc) - 1;
if (band <= f->coded_bands - 1) {
int curr_balance = f->remaining / FFMIN(3, f->coded_bands - band);
b = av_clip_uintp2(FFMIN(f->remaining2 + 1, f->pulses[band] + curr_balance), 14);
Reported by FlawFinder.
Line: 91
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 1; i <= FFMIN(lap_size, index); i++) {
const int offset = i*120;
AVFrame *cur = ff_bufqueue_peek(s->bufqueue, index - i);
memcpy(&s->scratch[offset], cur->extended_data[ch], cur->nb_samples*sizeof(float));
}
for (i = 0; i < lap_size; i++) {
const int offset = i*120 + lap_size;
AVFrame *cur = ff_bufqueue_peek(s->bufqueue, index + i);
memcpy(&s->scratch[offset], cur->extended_data[ch], cur->nb_samples*sizeof(float));
Reported by FlawFinder.
Line: 96
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < lap_size; i++) {
const int offset = i*120 + lap_size;
AVFrame *cur = ff_bufqueue_peek(s->bufqueue, index + i);
memcpy(&s->scratch[offset], cur->extended_data[ch], cur->nb_samples*sizeof(float));
}
s->dsp->vector_fmul(s->scratch, s->scratch, s->window[s->bsize_analysis],
(OPUS_BLOCK_SIZE(s->bsize_analysis) << 1));
Reported by FlawFinder.
Line: 450
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
f->tf_select = score[0] < score[1];
memcpy(f->tf_change, config[f->tf_select], sizeof(int)*CELT_MAX_BANDS);
return 0;
}
int ff_opus_psy_celt_frame_process(OpusPsyContext *s, CeltFrame *f, int index)
Reported by FlawFinder.
libavcodec/gdv.c
5 issues
Line: 152
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int y = h - j - 1;
uint8_t *dst1 = dst + PREAMBLE_SIZE + y * w;
uint8_t *src1 = dst + PREAMBLE_SIZE + (y>>1) * w;
memcpy(dst1, src1, w);
}
}
if (scale_h && scale_v) {
for (y = 0; y < (h>>1); y++) {
Reported by FlawFinder.
Line: 166
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (y = 0; y < (h>>1); y++) {
uint8_t *dst1 = dst + PREAMBLE_SIZE + y * w;
uint8_t *src1 = dst + PREAMBLE_SIZE + y*2 * w;
memcpy(dst1, src1, w);
}
} else if (scale_v) {
for (y = 0; y < h; y++) {
uint8_t *dst1 = dst + PREAMBLE_SIZE + y * w;
scaledown(dst1, dst1, w>>1);
Reported by FlawFinder.
Line: 519
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret < 0)
return ret;
memcpy(frame->data[1], gdv->pal, AVPALETTE_SIZE);
dst = frame->data[0];
if (!gdv->scale_v && !gdv->scale_h) {
int sidx = PREAMBLE_SIZE, didx = 0;
int y;
Reported by FlawFinder.
Line: 527
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int y;
for (y = 0; y < avctx->height; y++) {
memcpy(dst + didx, gdv->frame + sidx, avctx->width);
sidx += avctx->width;
didx += frame->linesize[0];
}
} else {
int sidx = PREAMBLE_SIZE, didx = 0;
Reported by FlawFinder.
Line: 537
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (y = 0; y < avctx->height; y++) {
if (!gdv->scale_v) {
memcpy(dst + didx, gdv->frame + sidx, avctx->width);
} else {
uint8_t *dst2 = dst + didx;
uint8_t *src2 = gdv->frame + sidx;
scaleup(dst2, src2, avctx->width);
Reported by FlawFinder.
libavdevice/vfwcap.c
5 issues
Line: 204
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
pktl_next->pkt.pts = vdhdr->dwTimeCaptured;
memcpy(pktl_next->pkt.data, vdhdr->lpData, vdhdr->dwBytesUsed);
for(ppktl = &ctx->pktl ; *ppktl ; ppktl = &(*ppktl)->next);
*ppktl = pktl_next;
ctx->curbufsize += vdhdr->dwBytesUsed;
Reported by FlawFinder.
Line: 262
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!strcmp(s->url, "list")) {
for (devnum = 0; devnum <= 9; devnum++) {
char driver_name[256];
char driver_ver[256];
ret = capGetDriverDescription(devnum,
driver_name, sizeof(driver_name),
driver_ver, sizeof(driver_ver));
if (ret) {
Reported by FlawFinder.
Line: 263
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!strcmp(s->url, "list")) {
for (devnum = 0; devnum <= 9; devnum++) {
char driver_name[256];
char driver_ver[256];
ret = capGetDriverDescription(devnum,
driver_name, sizeof(driver_name),
driver_ver, sizeof(driver_ver));
if (ret) {
av_log(s, AV_LOG_INFO, "Driver %d\n", devnum);
Reported by FlawFinder.
Line: 283
Column: 14
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
}
/* If atoi fails, devnum==0 and the default device is used */
devnum = atoi(s->url);
ret = SendMessage(ctx->hwnd, WM_CAP_DRIVER_CONNECT, devnum, 0);
if(!ret) {
av_log(s, AV_LOG_ERROR, "Could not connect to device.\n");
DestroyWindow(ctx->hwnd);
Reported by FlawFinder.
Line: 406
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
par->extradata = av_malloc(9 + AV_INPUT_BUFFER_PADDING_SIZE);
if (par->extradata) {
par->extradata_size = 9;
memcpy(par->extradata, "BottomUp", 9);
}
}
}
av_freep(&bi);
Reported by FlawFinder.
libavfilter/vf_identity.c
5 issues
Line: 46
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int is_msad;
uint8_t rgba_map[4];
int max[4];
char comps[4];
int nb_components;
int nb_threads;
int planewidth[4];
int planeheight[4];
uint64_t **scores;
Reported by FlawFinder.
Line: 155
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void set_meta(AVFilterContext *ctx,
AVDictionary **metadata, const char *key, char comp, float d)
{
char value[128];
snprintf(value, sizeof(value), "%f", d);
if (comp) {
char key2[128];
snprintf(key2, sizeof(key2), "lavfi.%s.%s%s%c",
ctx->filter->name, ctx->filter->name, key, comp);
Reported by FlawFinder.
Line: 158
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char value[128];
snprintf(value, sizeof(value), "%f", d);
if (comp) {
char key2[128];
snprintf(key2, sizeof(key2), "lavfi.%s.%s%s%c",
ctx->filter->name, ctx->filter->name, key, comp);
av_dict_set(metadata, key2, value, 0);
} else {
char key2[128];
Reported by FlawFinder.
Line: 163
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ctx->filter->name, ctx->filter->name, key, comp);
av_dict_set(metadata, key2, value, 0);
} else {
char key2[128];
snprintf(key2, sizeof(key2), "lavfi.%s.%s%s",
ctx->filter->name, ctx->filter->name, key);
av_dict_set(metadata, key2, value, 0);
}
}
Reported by FlawFinder.
Line: 362
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
IdentityContext *s = ctx->priv;
if (s->nb_frames > 0) {
char buf[256];
buf[0] = 0;
for (int j = 0; j < s->nb_components; j++) {
int c = s->is_rgb ? s->rgba_map[j] : j;
av_strlcatf(buf, sizeof(buf), " %c:%f", s->comps[j], s->score_comp[c] / s->nb_frames);
Reported by FlawFinder.