The following issues were found
libavcodec/g729dec.c
5 issues
Line: 380
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->lsp[0] = ctx->lsp_buf[0];
ctx->lsp[1] = ctx->lsp_buf[1];
memcpy(ctx->lsp[0], lsp_init, 10 * sizeof(int16_t));
ctx->exc = &ctx->exc_base[PITCH_DELAY_MAX+INTERPOL_LEN];
ctx->pitch_delay_int_prev = PITCH_DELAY_MIN;
Reported by FlawFinder.
Line: 640
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
( ctx->was_periodic && frame_erasure) ? 0 : ctx->past_gain_code[0],
1 << 13, 14, SUBFRAME_SIZE);
memcpy(synth, ctx->syn_filter_data, 10 * sizeof(int16_t));
if (ff_celp_lp_synthesis_filter(
synth+10,
&lp[i][1],
ctx->exc + i * SUBFRAME_SIZE,
Reported by FlawFinder.
Line: 685
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
0x800);
}
/* Save data (without postfilter) for use in next subframe. */
memcpy(ctx->syn_filter_data, synth+SUBFRAME_SIZE, 10 * sizeof(int16_t));
/* Calculate gain of unfiltered signal for use in AGC. */
gain_before = 0;
for (j = 0; j < SUBFRAME_SIZE; j++)
gain_before += FFABS(synth[j+10]);
Reported by FlawFinder.
Line: 723
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->pitch_delay_int_prev = pitch_delay_int[i];
}
memcpy(synth+8, ctx->hpf_z, 2*sizeof(int16_t));
ff_acelp_high_pass_filter(
out_frame + i*SUBFRAME_SIZE,
ctx->hpf_f,
synth+10,
SUBFRAME_SIZE);
Reported by FlawFinder.
Line: 729
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->hpf_f,
synth+10,
SUBFRAME_SIZE);
memcpy(ctx->hpf_z, synth+8+SUBFRAME_SIZE, 2*sizeof(int16_t));
}
ctx->was_periodic = is_periodic;
/* Save signal for use in next frame. */
Reported by FlawFinder.
libavfilter/af_atempo.c
5 issues
Line: 454
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (na) {
uint8_t *a = atempo->buffer + atempo->tail * atempo->stride;
memcpy(a, src, na * atempo->stride);
src += na * atempo->stride;
atempo->position[0] += na;
atempo->size = FFMIN(atempo->size + na, atempo->ring);
Reported by FlawFinder.
Line: 469
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nb) {
uint8_t *b = atempo->buffer;
memcpy(b, src, nb * atempo->stride);
src += nb * atempo->stride;
atempo->position[0] += nb;
atempo->size = FFMIN(atempo->size + nb, atempo->ring);
Reported by FlawFinder.
Line: 565
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
n1 = nsamples - zeros - n0;
if (n0) {
memcpy(dst, a + i0 * atempo->stride, n0 * atempo->stride);
dst += n0 * atempo->stride;
}
if (n1) {
memcpy(dst, b + i1 * atempo->stride, n1 * atempo->stride);
Reported by FlawFinder.
Line: 570
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (n1) {
memcpy(dst, b + i1 * atempo->stride, n1 * atempo->stride);
}
return 0;
}
Reported by FlawFinder.
Line: 971
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst_size = dst_end - dst;
nbytes = FFMIN(src_size, dst_size);
memcpy(dst, src, nbytes);
dst += nbytes;
atempo->position[1] += (nbytes / atempo->stride);
// pass-back the updated destination buffer pointer:
Reported by FlawFinder.
libavfilter/af_afir.c
5 issues
Line: 141
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
block = (float *)seg->block->extended_data[ch] + seg->part_index[ch] * seg->block_size;
memset(block + seg->part_size, 0, sizeof(*block) * (seg->fft_length - seg->part_size));
memcpy(block, src, sizeof(*src) * seg->part_size);
av_rdft_calc(seg->rdft[ch], block);
block[2 * seg->part_size] = block[1];
block[1] = 0;
Reported by FlawFinder.
Line: 167
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf = (float *)seg->buffer->extended_data[ch];
fir_fadd(s, buf, sum, seg->part_size);
memcpy(dst, buf, seg->part_size * sizeof(*dst));
buf = (float *)seg->buffer->extended_data[ch];
memcpy(buf, sum + seg->part_size, seg->part_size * sizeof(*buf));
seg->part_index[ch] = (seg->part_index[ch] + 1) % seg->nb_partitions;
Reported by FlawFinder.
Line: 170
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst, buf, seg->part_size * sizeof(*dst));
buf = (float *)seg->buffer->extended_data[ch];
memcpy(buf, sum + seg->part_size, seg->part_size * sizeof(*buf));
seg->part_index[ch] = (seg->part_index[ch] + 1) % seg->nb_partitions;
memmove(src, src + s->min_part_size, (seg->input_size - s->min_part_size) * sizeof(*src));
Reported by FlawFinder.
Line: 296
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
float *mag, *phase, *delay, min = FLT_MAX, max = FLT_MIN;
float min_delay = FLT_MAX, max_delay = FLT_MIN;
int prev_ymag = -1, prev_yphase = -1, prev_ydelay = -1;
char text[32];
int channel, i, x;
memset(out->data[0], 0, s->h * out->linesize[0]);
phase = av_malloc_array(s->w, sizeof(*phase));
Reported by FlawFinder.
Line: 581
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memset(block, 0, sizeof(*block) * seg->fft_length);
memcpy(block, time + toffset, size * sizeof(*block));
av_rdft_calc(seg->rdft[0], block);
coeff[coffset].re = block[0] * scale;
coeff[coffset].im = 0;
Reported by FlawFinder.
libavfilter/af_channelmap.c
5 issues
Line: 125
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ChannelMapContext *s = ctx->priv;
char *mapping, separator = '|';
int map_entries = 0;
char buf[256];
enum MappingMode mode;
uint64_t out_ch_mask = 0;
int i;
mapping = s->mapping_str;
Reported by FlawFinder.
Line: 307
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ch;
uint8_t *source_planes[MAX_CH];
memcpy(source_planes, buf->extended_data,
nch_in * sizeof(source_planes[0]));
if (nch_out > nch_in) {
if (nch_out > FF_ARRAY_ELEMS(buf->data)) {
uint8_t **new_extended_data =
Reported by FlawFinder.
Line: 336
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (buf->data != buf->extended_data)
memcpy(buf->data, buf->extended_data,
FFMIN(FF_ARRAY_ELEMS(buf->data), nch_out) * sizeof(buf->data[0]));
buf->channel_layout = outlink->channel_layout;
buf->channels = outlink->channels;
Reported by FlawFinder.
Line: 352
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int nb_channels = inlink->channels;
int i, err = 0;
const char *channel_name;
char layout_name[256];
for (i = 0; i < s->nch; i++) {
struct ChannelMap *m = &s->map[i];
if (s->mode == MAP_PAIR_STR_INT || s->mode == MAP_PAIR_STR_STR) {
Reported by FlawFinder.
Line: 98
Column: 11
CWE codes:
126
next = split(*map, delim);
if (!next && delim == '-')
return AVERROR(EINVAL);
len = strlen(*map);
sscanf(*map, "%d%n", ch, &n);
if (n != len)
return AVERROR(EINVAL);
if (*ch < 0 || *ch > max_ch)
return AVERROR(EINVAL);
Reported by FlawFinder.
libavcodec/opusenc_psy.c
5 issues
Line: 42
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
float *Y_orig = f->block[1].coeffs + (ff_celt_freq_bands[band] << f->size);
OPUS_RC_CHECKPOINT_SPAWN(rc);
memcpy(X, X_orig, band_size*sizeof(float));
if (Y)
memcpy(Y, Y_orig, band_size*sizeof(float));
f->remaining2 = ((f->framebits << 3) - f->anticollapse_needed) - opus_rc_tell_frac(rc) - 1;
if (band <= f->coded_bands - 1) {
Reported by FlawFinder.
Line: 44
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(X, X_orig, band_size*sizeof(float));
if (Y)
memcpy(Y, Y_orig, band_size*sizeof(float));
f->remaining2 = ((f->framebits << 3) - f->anticollapse_needed) - opus_rc_tell_frac(rc) - 1;
if (band <= f->coded_bands - 1) {
int curr_balance = f->remaining / FFMIN(3, f->coded_bands - band);
b = av_clip_uintp2(FFMIN(f->remaining2 + 1, f->pulses[band] + curr_balance), 14);
Reported by FlawFinder.
Line: 91
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 1; i <= FFMIN(lap_size, index); i++) {
const int offset = i*120;
AVFrame *cur = ff_bufqueue_peek(s->bufqueue, index - i);
memcpy(&s->scratch[offset], cur->extended_data[ch], cur->nb_samples*sizeof(float));
}
for (i = 0; i < lap_size; i++) {
const int offset = i*120 + lap_size;
AVFrame *cur = ff_bufqueue_peek(s->bufqueue, index + i);
memcpy(&s->scratch[offset], cur->extended_data[ch], cur->nb_samples*sizeof(float));
Reported by FlawFinder.
Line: 96
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < lap_size; i++) {
const int offset = i*120 + lap_size;
AVFrame *cur = ff_bufqueue_peek(s->bufqueue, index + i);
memcpy(&s->scratch[offset], cur->extended_data[ch], cur->nb_samples*sizeof(float));
}
s->dsp->vector_fmul(s->scratch, s->scratch, s->window[s->bsize_analysis],
(OPUS_BLOCK_SIZE(s->bsize_analysis) << 1));
Reported by FlawFinder.
Line: 450
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
f->tf_select = score[0] < score[1];
memcpy(f->tf_change, config[f->tf_select], sizeof(int)*CELT_MAX_BANDS);
return 0;
}
int ff_opus_psy_celt_frame_process(OpusPsyContext *s, CeltFrame *f, int index)
Reported by FlawFinder.
libavcodec/opusenc.c
5 issues
Line: 131
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CeltBlock *b = &f->block[ch];
const void *input = cur->extended_data[ch];
size_t bps = av_get_bytes_per_sample(cur->format);
memcpy(b->overlap, input, bps*cur->nb_samples);
}
av_frame_free(&cur);
for (int sf = 0; sf < subframes; sf++) {
Reported by FlawFinder.
Line: 148
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const size_t bps = av_get_bytes_per_sample(cur->format);
const size_t left = (subframesize - cur->nb_samples)*bps;
const size_t len = FFMIN(subframesize, cur->nb_samples)*bps;
memcpy(&b->samples[sf*subframesize], input, len);
memset(&b->samples[cur->nb_samples], 0, left);
}
/* Last frame isn't popped off and freed yet - we need it for overlap */
if (sf != (subframes - 1))
Reported by FlawFinder.
Line: 219
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Overlap */
s->dsp->vector_fmul(temp, b->overlap, ff_celt_window, 128);
memcpy(win + lap_dst, temp, CELT_OVERLAP*sizeof(float));
/* Samples, flat top window */
memcpy(&win[lap_dst + CELT_OVERLAP], b->samples, rwin*sizeof(float));
/* Samples, windowed */
Reported by FlawFinder.
Line: 222
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(win + lap_dst, temp, CELT_OVERLAP*sizeof(float));
/* Samples, flat top window */
memcpy(&win[lap_dst + CELT_OVERLAP], b->samples, rwin*sizeof(float));
/* Samples, windowed */
s->dsp->vector_fmul_reverse(temp, b->samples + rwin,
ff_celt_window - 8, 128);
memcpy(win + lap_dst + blk_len, temp, CELT_OVERLAP*sizeof(float));
Reported by FlawFinder.
Line: 227
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Samples, windowed */
s->dsp->vector_fmul_reverse(temp, b->samples + rwin,
ff_celt_window - 8, 128);
memcpy(win + lap_dst + blk_len, temp, CELT_OVERLAP*sizeof(float));
s->mdct[f->size]->mdct(s->mdct[f->size], b->coeffs, win, 1);
}
}
Reported by FlawFinder.
libavdevice/vfwcap.c
5 issues
Line: 204
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
pktl_next->pkt.pts = vdhdr->dwTimeCaptured;
memcpy(pktl_next->pkt.data, vdhdr->lpData, vdhdr->dwBytesUsed);
for(ppktl = &ctx->pktl ; *ppktl ; ppktl = &(*ppktl)->next);
*ppktl = pktl_next;
ctx->curbufsize += vdhdr->dwBytesUsed;
Reported by FlawFinder.
Line: 262
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!strcmp(s->url, "list")) {
for (devnum = 0; devnum <= 9; devnum++) {
char driver_name[256];
char driver_ver[256];
ret = capGetDriverDescription(devnum,
driver_name, sizeof(driver_name),
driver_ver, sizeof(driver_ver));
if (ret) {
Reported by FlawFinder.
Line: 263
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!strcmp(s->url, "list")) {
for (devnum = 0; devnum <= 9; devnum++) {
char driver_name[256];
char driver_ver[256];
ret = capGetDriverDescription(devnum,
driver_name, sizeof(driver_name),
driver_ver, sizeof(driver_ver));
if (ret) {
av_log(s, AV_LOG_INFO, "Driver %d\n", devnum);
Reported by FlawFinder.
Line: 283
Column: 14
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
}
/* If atoi fails, devnum==0 and the default device is used */
devnum = atoi(s->url);
ret = SendMessage(ctx->hwnd, WM_CAP_DRIVER_CONNECT, devnum, 0);
if(!ret) {
av_log(s, AV_LOG_ERROR, "Could not connect to device.\n");
DestroyWindow(ctx->hwnd);
Reported by FlawFinder.
Line: 406
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
par->extradata = av_malloc(9 + AV_INPUT_BUFFER_PADDING_SIZE);
if (par->extradata) {
par->extradata_size = 9;
memcpy(par->extradata, "BottomUp", 9);
}
}
}
av_freep(&bi);
Reported by FlawFinder.
libavfilter/af_aiir.c
5 issues
Line: 857
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
biquad_process(impulse, resp, length - 1,
1., 0., 0., biquad->a[1], biquad->a[2]);
memcpy(M + n * 2 * (length - 1), resp, sizeof(*resp) * (length - 1));
memcpy(M + n * 2 * (length - 1) + length, resp, sizeof(*resp) * (length - 2));
memset(resp, 0, length * sizeof(*resp));
}
solve(M, &y[1], length - 1, &impulse[1], resp, W);
Reported by FlawFinder.
Line: 858
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
1., 0., 0., biquad->a[1], biquad->a[2]);
memcpy(M + n * 2 * (length - 1), resp, sizeof(*resp) * (length - 1));
memcpy(M + n * 2 * (length - 1) + length, resp, sizeof(*resp) * (length - 2));
memset(resp, 0, length * sizeof(*resp));
}
solve(M, &y[1], length - 1, &impulse[1], resp, W);
Reported by FlawFinder.
Line: 980
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!temp0 || !temp1)
goto next;
memcpy(temp0, iir->ab[0], iir->nb_ab[0] * sizeof(*temp0));
memcpy(temp1, iir->ab[1], iir->nb_ab[1] * sizeof(*temp1));
for (int n = 0; n < iir->nb_ab[0]; n++)
iir->ab[0][n] = coef_sf2zf(temp0, iir->nb_ab[0] - 1, n);
Reported by FlawFinder.
Line: 981
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto next;
memcpy(temp0, iir->ab[0], iir->nb_ab[0] * sizeof(*temp0));
memcpy(temp1, iir->ab[1], iir->nb_ab[1] * sizeof(*temp1));
for (int n = 0; n < iir->nb_ab[0]; n++)
iir->ab[0][n] = coef_sf2zf(temp0, iir->nb_ab[0] - 1, n);
for (int n = 0; n < iir->nb_ab[1]; n++)
Reported by FlawFinder.
Line: 1148
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
double *mag, *phase, *temp, *delay, min = DBL_MAX, max = -DBL_MAX;
double min_delay = DBL_MAX, max_delay = -DBL_MAX, min_phase, max_phase;
int prev_ymag = -1, prev_yphase = -1, prev_ydelay = -1;
char text[32];
int ch, i;
memset(out->data[0], 0, s->h * out->linesize[0]);
phase = av_malloc_array(s->w, sizeof(*phase));
Reported by FlawFinder.
libavcodec/opus_celt.c
5 issues
Line: 213
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
celt_postfilter_apply_transition(block, block->buf + 1024);
block->pf_period_old = block->pf_period;
memcpy(block->pf_gains_old, block->pf_gains, sizeof(block->pf_gains));
block->pf_period = block->pf_period_new;
memcpy(block->pf_gains, block->pf_gains_new, sizeof(block->pf_gains));
if (len > CELT_OVERLAP) {
Reported by FlawFinder.
Line: 227
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
filter_len);
block->pf_period_old = block->pf_period;
memcpy(block->pf_gains_old, block->pf_gains, sizeof(block->pf_gains));
}
memmove(block->buf, block->buf + len, (1024 + CELT_OVERLAP / 2) * sizeof(float));
}
Reported by FlawFinder.
Line: 422
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
f->dsp->vector_fmac_scalar(f->block[0].coeffs, f->block[1].coeffs, 1.0, FFALIGN(frame_size, 16));
downmix = 1;
} else if (f->output_channels > f->channels)
memcpy(f->block[1].coeffs, f->block[0].coeffs, frame_size * sizeof(float));
if (f->silence) {
for (i = 0; i < 2; i++) {
CeltBlock *block = &f->block[i];
Reported by FlawFinder.
Line: 462
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (channels == 1)
memcpy(f->block[1].energy, f->block[0].energy, sizeof(f->block[0].energy));
for (i = 0; i < 2; i++ ) {
CeltBlock *block = &f->block[i];
if (!f->transient) {
Reported by FlawFinder.
Line: 468
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CeltBlock *block = &f->block[i];
if (!f->transient) {
memcpy(block->prev_energy[1], block->prev_energy[0], sizeof(block->prev_energy[0]));
memcpy(block->prev_energy[0], block->energy, sizeof(block->prev_energy[0]));
} else {
for (j = 0; j < CELT_MAX_BANDS; j++)
block->prev_energy[0][j] = FFMIN(block->prev_energy[0][j], block->energy[j]);
}
Reported by FlawFinder.
libavcodec/bink.c
5 issues
Line: 280
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
merge(gb, out + t, in + t, size);
FFSWAP(uint8_t*, in, out);
}
memcpy(tree->syms, in, 16);
}
return 0;
}
/**
Reported by FlawFinder.
Line: 847
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
uint8_t tmp[64];
int i;
for (i = 0; i < 8; i++)
memcpy(tmp + i*8, src + i*stride, 8);
for (i = 0; i < 8; i++)
memcpy(dst + i*stride, tmp + i*8, 8);
}
static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
Reported by FlawFinder.
Line: 849
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < 8; i++)
memcpy(tmp + i*8, src + i*stride, 8);
for (i = 0; i < 8; i++)
memcpy(dst + i*stride, tmp + i*8, 8);
}
static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
int plane_idx, int is_key, int is_chroma)
{
Reported by FlawFinder.
Line: 987
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 8:
for (i = 0; i < 8; i++)
memcpy(dst + i*stride, c->bundle[BINKB_SRC_COLORS].cur_ptr + i*8, 8);
c->bundle[BINKB_SRC_COLORS].cur_ptr += 64;
break;
default:
av_log(c->avctx, AV_LOG_ERROR, "Unknown block type %d\n", blk);
return AVERROR_INVALIDDATA;
Reported by FlawFinder.
Line: 1238
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case RAW_BLOCK:
for (i = 0; i < 8; i++)
memcpy(dst + i*stride, c->bundle[BINK_SRC_COLORS].cur_ptr + i*8, 8);
c->bundle[BINK_SRC_COLORS].cur_ptr += 64;
break;
default:
av_log(c->avctx, AV_LOG_ERROR, "Unknown block type %d\n", blk);
return AVERROR_INVALIDDATA;
Reported by FlawFinder.