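The following issues were found by FlawFinder. FlawFinder matches risky function names and declarations lexically, so each entry is a candidate to confirm against the buffer sizes at the call site, not a confirmed overflow.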
libavcodec/bink.c
5 issues
Line: 280
Column: 9
CWE codes:
120
Suggestion:
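Make sure destination can always hold the source data
Reviewer note: the flagged copy is memcpy(tree->syms, in, 16) with a constant length, so triage reduces to confirming that tree->syms and the buffer behind in are each at least 16 bytes; neither declaration is shown in this excerpt.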
merge(gb, out + t, in + t, size);
FFSWAP(uint8_t*, in, out);
}
memcpy(tree->syms, in, 16);
}
return 0;
}
/**
Reported by FlawFinder.
Line: 847
Column: 9
CWE codes:
120
Suggestion:
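Make sure destination can always hold the source data
Reviewer note: the write into tmp is bounded by the visible code: eight iterations at offsets i*8 copy 8 bytes each into uint8_t tmp[64], filling it exactly. The read from src + i*stride depends on the buffer and stride supplied by the caller, which the excerpt does not show.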
uint8_t tmp[64];
int i;
for (i = 0; i < 8; i++)
memcpy(tmp + i*8, src + i*stride, 8);
for (i = 0; i < 8; i++)
memcpy(dst + i*stride, tmp + i*8, 8);
}
static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
Reported by FlawFinder.
Line: 849
Column: 9
CWE codes:
120
Suggestion:
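Make sure destination can always hold the source data
Reviewer note: the flagged copy writes 8 bytes to dst + i*stride for i from 0 to 7; whether those rows lie inside the destination buffer depends on the caller's dst and stride, which this excerpt does not show.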
for (i = 0; i < 8; i++)
memcpy(tmp + i*8, src + i*stride, 8);
for (i = 0; i < 8; i++)
memcpy(dst + i*stride, tmp + i*8, 8);
}
static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
int plane_idx, int is_key, int is_chroma)
{
Reported by FlawFinder.
Line: 987
Column: 21
CWE codes:
120
Suggestion:
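Make sure destination can always hold the source data
Reviewer note: besides the write to dst, this loop reads 64 bytes from c->bundle[BINKB_SRC_COLORS].cur_ptr and then advances it by 64; confirm that the bundle is guaranteed to hold at least 64 unread bytes here, since no such check is visible in the excerpt.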
break;
case 8:
for (i = 0; i < 8; i++)
memcpy(dst + i*stride, c->bundle[BINKB_SRC_COLORS].cur_ptr + i*8, 8);
c->bundle[BINKB_SRC_COLORS].cur_ptr += 64;
break;
default:
av_log(c->avctx, AV_LOG_ERROR, "Unknown block type %d\n", blk);
return AVERROR_INVALIDDATA;
Reported by FlawFinder.
Line: 1238
Column: 21
CWE codes:
120
Suggestion:
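Make sure destination can always hold the source data
Reviewer note: besides the write to dst, this loop reads 64 bytes from c->bundle[BINK_SRC_COLORS].cur_ptr and then advances it by 64; confirm that the bundle is guaranteed to hold at least 64 unread bytes here, since no such check is visible in the excerpt.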
break;
case RAW_BLOCK:
for (i = 0; i < 8; i++)
memcpy(dst + i*stride, c->bundle[BINK_SRC_COLORS].cur_ptr + i*8, 8);
c->bundle[BINK_SRC_COLORS].cur_ptr += 64;
break;
default:
av_log(c->avctx, AV_LOG_ERROR, "Unknown block type %d\n", blk);
return AVERROR_INVALIDDATA;
Reported by FlawFinder.
libavfilter/af_atempo.c
5 issues
Line: 454
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (na) {
uint8_t *a = atempo->buffer + atempo->tail * atempo->stride;
memcpy(a, src, na * atempo->stride);
src += na * atempo->stride;
atempo->position[0] += na;
atempo->size = FFMIN(atempo->size + na, atempo->ring);
Reported by FlawFinder.
Line: 469
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nb) {
uint8_t *b = atempo->buffer;
memcpy(b, src, nb * atempo->stride);
src += nb * atempo->stride;
atempo->position[0] += nb;
atempo->size = FFMIN(atempo->size + nb, atempo->ring);
Reported by FlawFinder.
Line: 565
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
n1 = nsamples - zeros - n0;
if (n0) {
memcpy(dst, a + i0 * atempo->stride, n0 * atempo->stride);
dst += n0 * atempo->stride;
}
if (n1) {
memcpy(dst, b + i1 * atempo->stride, n1 * atempo->stride);
Reported by FlawFinder.
Line: 570
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (n1) {
memcpy(dst, b + i1 * atempo->stride, n1 * atempo->stride);
}
return 0;
}
Reported by FlawFinder.
Line: 971
Column: 5
CWE codes:
120
Suggestion:
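Make sure destination can always hold the source data
Reviewer note: nbytes is computed as FFMIN(src_size, dst_size), with dst_size = dst_end - dst, on the lines just above the copy, so the length is clamped to the remaining destination space; the copy is bounded provided dst_end correctly marks the end of the buffer.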
dst_size = dst_end - dst;
nbytes = FFMIN(src_size, dst_size);
memcpy(dst, src, nbytes);
dst += nbytes;
atempo->position[1] += (nbytes / atempo->stride);
// pass-back the updated destination buffer pointer:
Reported by FlawFinder.
libavformat/srtp.c
5 issues
Line: 58
Column: 5
CWE codes:
120
Suggestion:
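Make sure destination can always hold the source data
Reviewer note: the destination is the local uint8_t input[16] and the length is the constant 14, so the write fits; what remains to confirm is that every caller passes a salt of at least 14 bytes.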
uint8_t *out, int outlen)
{
uint8_t input[16] = { 0 };
memcpy(input, salt, 14);
// Key derivation rate assumed to be zero
input[14 - 7] ^= label;
memset(out, 0, outlen);
encrypt_counter(aes, input, out, outlen);
}
Reported by FlawFinder.
Line: 96
Column: 5
CWE codes:
120
Suggestion:
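Make sure destination can always hold the source data
Reviewer note: this copy and the one on the next line read 16 bytes from buf and 14 bytes from buf + 16, 30 bytes of key material in total; confirm that the code before this excerpt rejects input that yields fewer than 30 bytes in buf, and that s->master_key and s->master_salt are declared with at least 16 and 14 bytes.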
s->hmac = av_hmac_alloc(AV_HMAC_SHA1);
if (!s->aes || !s->hmac)
return AVERROR(ENOMEM);
memcpy(s->master_key, buf, 16);
memcpy(s->master_salt, buf + 16, 14);
// RFC 3711
av_aes_init(s->aes, s->master_key, 128, 0);
Reported by FlawFinder.
Line: 97
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!s->aes || !s->hmac)
return AVERROR(ENOMEM);
memcpy(s->master_key, buf, 16);
memcpy(s->master_salt, buf + 16, 14);
// RFC 3711
av_aes_init(s->aes, s->master_key, 128, 0);
derive_key(s->aes, s->master_salt, 0x00, s->rtp_key, sizeof(s->rtp_key));
Reported by FlawFinder.
Line: 259
Column: 5
CWE codes:
120
Suggestion:
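Make sure destination can always hold the source data
Reviewer note: the excerpt shows the guard if (len + padding > outlen) return 0; immediately before memcpy(out, in, len), so the copy is bounded as long as len and padding are non-negative and their sum cannot overflow; their types and origin are not shown here.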
if (len + padding > outlen)
return 0;
memcpy(out, in, len);
buf = out;
if (rtcp) {
ssrc = AV_RB32(buf + 4);
index = s->rtcp_index++;
Reported by FlawFinder.
Line: 322
Column: 5
CWE codes:
120
Suggestion:
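Make sure destination can always hold the source data
Reviewer note: the copy appends hmac_size bytes at buf + len; confirm that an earlier length check reserved room for the authentication tag in the output buffer and that hmac_size cannot exceed sizeof(hmac), since neither is visible in this excerpt.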
}
av_hmac_final(s->hmac, hmac, sizeof(hmac));
memcpy(buf + len, hmac, hmac_size);
len += hmac_size;
return buf + len - out;
}
Reported by FlawFinder.
libavformat/id3v2enc.c
5 issues
Line: 172
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVDictionaryEntry *mtag = NULL;
AVDictionary *dst = NULL;
const char *key, *value;
char year[5] = {0}, day_month[5] = {0};
int i;
while ((mtag = av_dict_get(*pm, "", mtag, AV_DICT_IGNORE_SUFFIX))) {
key = mtag->key;
if (!av_strcasecmp(key, "date")) {
Reported by FlawFinder.
Line: 262
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
uint8_t *dyn_buf;
AVIOContext *dyn_bc;
char name[123];
int len, ret;
if (s->nb_chapters == 0)
return 0;
Reported by FlawFinder.
Line: 297
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVChapter *ch = s->chapters[id];
uint8_t *dyn_buf;
AVIOContext *dyn_bc;
char name[123];
int len, start, end, ret;
if ((ret = avio_open_dyn_buf(&dyn_bc)) < 0)
return ret;
Reported by FlawFinder.
Line: 118
Column: 30
CWE codes:
126
return ret;
// owner + null byte.
avio_write(dyn_buf, key, strlen(key) + 1);
while (*data) {
if (av_strstart(data, "\\x", &data)) {
if (data[0] && data[1] && av_isxdigit(data[0]) && av_isxdigit(data[1])) {
char digits[] = {data[0], data[1], 0};
Reported by FlawFinder.
Line: 158
Column: 29
CWE codes:
126
uint32_t tag;
int i;
if (t->key[0] != 'T' || strlen(t->key) != 4)
return -1;
tag = AV_RB32(t->key);
for (i = 0; *table[i]; i++)
if (tag == AV_RB32(table[i]))
return id3v2_put_ttag(id3, pb, t->value, NULL, tag, enc);
Reported by FlawFinder.
libavcodec/opusenc_psy.c
5 issues
Line: 42
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
float *Y_orig = f->block[1].coeffs + (ff_celt_freq_bands[band] << f->size);
OPUS_RC_CHECKPOINT_SPAWN(rc);
memcpy(X, X_orig, band_size*sizeof(float));
if (Y)
memcpy(Y, Y_orig, band_size*sizeof(float));
f->remaining2 = ((f->framebits << 3) - f->anticollapse_needed) - opus_rc_tell_frac(rc) - 1;
if (band <= f->coded_bands - 1) {
Reported by FlawFinder.
Line: 44
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(X, X_orig, band_size*sizeof(float));
if (Y)
memcpy(Y, Y_orig, band_size*sizeof(float));
f->remaining2 = ((f->framebits << 3) - f->anticollapse_needed) - opus_rc_tell_frac(rc) - 1;
if (band <= f->coded_bands - 1) {
int curr_balance = f->remaining / FFMIN(3, f->coded_bands - band);
b = av_clip_uintp2(FFMIN(f->remaining2 + 1, f->pulses[band] + curr_balance), 14);
Reported by FlawFinder.
Line: 91
Column: 13
CWE codes:
120
Suggestion:
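Make sure destination can always hold the source data
Reviewer note: each copy lands at a fixed spacing of 120 floats in s->scratch (offset = i*120), but its length is cur->nb_samples floats; confirm that queued frames cannot carry more than 120 samples and that s->scratch is sized for the largest offset plus one frame, since neither bound is visible in the excerpt.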
for (i = 1; i <= FFMIN(lap_size, index); i++) {
const int offset = i*120;
AVFrame *cur = ff_bufqueue_peek(s->bufqueue, index - i);
memcpy(&s->scratch[offset], cur->extended_data[ch], cur->nb_samples*sizeof(float));
}
for (i = 0; i < lap_size; i++) {
const int offset = i*120 + lap_size;
AVFrame *cur = ff_bufqueue_peek(s->bufqueue, index + i);
memcpy(&s->scratch[offset], cur->extended_data[ch], cur->nb_samples*sizeof(float));
Reported by FlawFinder.
Line: 96
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < lap_size; i++) {
const int offset = i*120 + lap_size;
AVFrame *cur = ff_bufqueue_peek(s->bufqueue, index + i);
memcpy(&s->scratch[offset], cur->extended_data[ch], cur->nb_samples*sizeof(float));
}
s->dsp->vector_fmul(s->scratch, s->scratch, s->window[s->bsize_analysis],
(OPUS_BLOCK_SIZE(s->bsize_analysis) << 1));
Reported by FlawFinder.
Line: 450
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
f->tf_select = score[0] < score[1];
memcpy(f->tf_change, config[f->tf_select], sizeof(int)*CELT_MAX_BANDS);
return 0;
}
int ff_opus_psy_celt_frame_process(OpusPsyContext *s, CeltFrame *f, int index)
Reported by FlawFinder.
libavfilter/af_aiir.c
5 issues
Line: 857
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
biquad_process(impulse, resp, length - 1,
1., 0., 0., biquad->a[1], biquad->a[2]);
memcpy(M + n * 2 * (length - 1), resp, sizeof(*resp) * (length - 1));
memcpy(M + n * 2 * (length - 1) + length, resp, sizeof(*resp) * (length - 2));
memset(resp, 0, length * sizeof(*resp));
}
solve(M, &y[1], length - 1, &impulse[1], resp, W);
Reported by FlawFinder.
Line: 858
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
1., 0., 0., biquad->a[1], biquad->a[2]);
memcpy(M + n * 2 * (length - 1), resp, sizeof(*resp) * (length - 1));
memcpy(M + n * 2 * (length - 1) + length, resp, sizeof(*resp) * (length - 2));
memset(resp, 0, length * sizeof(*resp));
}
solve(M, &y[1], length - 1, &impulse[1], resp, W);
Reported by FlawFinder.
Line: 980
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!temp0 || !temp1)
goto next;
memcpy(temp0, iir->ab[0], iir->nb_ab[0] * sizeof(*temp0));
memcpy(temp1, iir->ab[1], iir->nb_ab[1] * sizeof(*temp1));
for (int n = 0; n < iir->nb_ab[0]; n++)
iir->ab[0][n] = coef_sf2zf(temp0, iir->nb_ab[0] - 1, n);
Reported by FlawFinder.
Line: 981
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto next;
memcpy(temp0, iir->ab[0], iir->nb_ab[0] * sizeof(*temp0));
memcpy(temp1, iir->ab[1], iir->nb_ab[1] * sizeof(*temp1));
for (int n = 0; n < iir->nb_ab[0]; n++)
iir->ab[0][n] = coef_sf2zf(temp0, iir->nb_ab[0] - 1, n);
for (int n = 0; n < iir->nb_ab[1]; n++)
Reported by FlawFinder.
Line: 1148
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
double *mag, *phase, *temp, *delay, min = DBL_MAX, max = -DBL_MAX;
double min_delay = DBL_MAX, max_delay = -DBL_MAX, min_phase, max_phase;
int prev_ymag = -1, prev_yphase = -1, prev_ydelay = -1;
char text[32];
int ch, i;
memset(out->data[0], 0, s->h * out->linesize[0]);
phase = av_malloc_array(s->w, sizeof(*phase));
Reported by FlawFinder.
libavdevice/vfwcap.c
5 issues
Line: 204
Column: 5
CWE codes:
120
Suggestion:
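Make sure destination can always hold the source data
Reviewer note: the length vdhdr->dwBytesUsed comes from the capture buffer header; confirm that pktl_next->pkt.data was allocated with at least dwBytesUsed bytes, since the allocation is outside this excerpt.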
}
pktl_next->pkt.pts = vdhdr->dwTimeCaptured;
memcpy(pktl_next->pkt.data, vdhdr->lpData, vdhdr->dwBytesUsed);
for(ppktl = &ctx->pktl ; *ppktl ; ppktl = &(*ppktl)->next);
*ppktl = pktl_next;
ctx->curbufsize += vdhdr->dwBytesUsed;
Reported by FlawFinder.
Line: 262
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!strcmp(s->url, "list")) {
for (devnum = 0; devnum <= 9; devnum++) {
char driver_name[256];
char driver_ver[256];
ret = capGetDriverDescription(devnum,
driver_name, sizeof(driver_name),
driver_ver, sizeof(driver_ver));
if (ret) {
Reported by FlawFinder.
Line: 263
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!strcmp(s->url, "list")) {
for (devnum = 0; devnum <= 9; devnum++) {
char driver_name[256];
char driver_ver[256];
ret = capGetDriverDescription(devnum,
driver_name, sizeof(driver_name),
driver_ver, sizeof(driver_ver));
if (ret) {
av_log(s, AV_LOG_INFO, "Driver %d\n", devnum);
Reported by FlawFinder.
Line: 283
Column: 14
CWE codes:
190
Suggestion:
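If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
Reviewer note: the result of atoi(s->url) is passed directly to SendMessage as the device index, and atoi reports no errors; parsing with strtol and range-checking the value would let the code tell an unparsable or out-of-range device name apart from device 0.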
}
/* If atoi fails, devnum==0 and the default device is used */
devnum = atoi(s->url);
ret = SendMessage(ctx->hwnd, WM_CAP_DRIVER_CONNECT, devnum, 0);
if(!ret) {
av_log(s, AV_LOG_ERROR, "Could not connect to device.\n");
DestroyWindow(ctx->hwnd);
Reported by FlawFinder.
Line: 406
Column: 17
CWE codes:
120
Suggestion:
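Make sure destination can always hold the source data
Reviewer note: the excerpt allocates 9 + AV_INPUT_BUFFER_PADDING_SIZE bytes and checks the result for NULL before copying the 9-byte literal "BottomUp" (8 characters plus the terminator), so this copy fits its destination.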
par->extradata = av_malloc(9 + AV_INPUT_BUFFER_PADDING_SIZE);
if (par->extradata) {
par->extradata_size = 9;
memcpy(par->extradata, "BottomUp", 9);
}
}
}
av_freep(&bi);
Reported by FlawFinder.
libavfilter/af_afir.c
5 issues
Line: 141
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
block = (float *)seg->block->extended_data[ch] + seg->part_index[ch] * seg->block_size;
memset(block + seg->part_size, 0, sizeof(*block) * (seg->fft_length - seg->part_size));
memcpy(block, src, sizeof(*src) * seg->part_size);
av_rdft_calc(seg->rdft[ch], block);
block[2 * seg->part_size] = block[1];
block[1] = 0;
Reported by FlawFinder.
Line: 167
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf = (float *)seg->buffer->extended_data[ch];
fir_fadd(s, buf, sum, seg->part_size);
memcpy(dst, buf, seg->part_size * sizeof(*dst));
buf = (float *)seg->buffer->extended_data[ch];
memcpy(buf, sum + seg->part_size, seg->part_size * sizeof(*buf));
seg->part_index[ch] = (seg->part_index[ch] + 1) % seg->nb_partitions;
Reported by FlawFinder.
Line: 170
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst, buf, seg->part_size * sizeof(*dst));
buf = (float *)seg->buffer->extended_data[ch];
memcpy(buf, sum + seg->part_size, seg->part_size * sizeof(*buf));
seg->part_index[ch] = (seg->part_index[ch] + 1) % seg->nb_partitions;
memmove(src, src + s->min_part_size, (seg->input_size - s->min_part_size) * sizeof(*src));
Reported by FlawFinder.
Line: 296
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
float *mag, *phase, *delay, min = FLT_MAX, max = FLT_MIN;
float min_delay = FLT_MAX, max_delay = FLT_MIN;
int prev_ymag = -1, prev_yphase = -1, prev_ydelay = -1;
char text[32];
int channel, i, x;
memset(out->data[0], 0, s->h * out->linesize[0]);
phase = av_malloc_array(s->w, sizeof(*phase));
Reported by FlawFinder.
Line: 581
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memset(block, 0, sizeof(*block) * seg->fft_length);
memcpy(block, time + toffset, size * sizeof(*block));
av_rdft_calc(seg->rdft[0], block);
coeff[coffset].re = block[0] * scale;
coeff[coffset].im = 0;
Reported by FlawFinder.
libavcodec/av1dec.c
5 issues
Line: 262
Column: 9
CWE codes:
120
Suggestion:
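Make sure destination can always hold the source data
Reviewer note: the length is sizeof(*dst), so the write cannot exceed the destination object; what remains to confirm is that film_grain points to an object of at least that size.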
return;
if (film_grain->update_grain) {
memcpy(dst, film_grain, sizeof(*dst));
return;
}
src = &s->ref[film_grain->film_grain_params_ref_idx].film_grain;
Reported by FlawFinder.
Line: 268
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src = &s->ref[film_grain->film_grain_params_ref_idx].film_grain;
memcpy(dst, src, sizeof(*dst));
dst->grain_seed = film_grain->grain_seed;
}
static int init_tile_data(AV1DecContext *s)
Reported by FlawFinder.
Line: 512
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst->spatial_id = src->spatial_id;
dst->temporal_id = src->temporal_id;
memcpy(dst->gm_type,
src->gm_type,
AV1_NUM_REF_FRAMES * sizeof(uint8_t));
memcpy(dst->gm_params,
src->gm_params,
AV1_NUM_REF_FRAMES * 6 * sizeof(int32_t));
Reported by FlawFinder.
Line: 515
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst->gm_type,
src->gm_type,
AV1_NUM_REF_FRAMES * sizeof(uint8_t));
memcpy(dst->gm_params,
src->gm_params,
AV1_NUM_REF_FRAMES * 6 * sizeof(int32_t));
memcpy(dst->skip_mode_frame_idx,
src->skip_mode_frame_idx,
2 * sizeof(uint8_t));
Reported by FlawFinder.
Line: 518
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst->gm_params,
src->gm_params,
AV1_NUM_REF_FRAMES * 6 * sizeof(int32_t));
memcpy(dst->skip_mode_frame_idx,
src->skip_mode_frame_idx,
2 * sizeof(uint8_t));
memcpy(&dst->film_grain,
&src->film_grain,
sizeof(dst->film_grain));
Reported by FlawFinder.
libavcodec/opus_celt.c
5 issues
Line: 213
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
celt_postfilter_apply_transition(block, block->buf + 1024);
block->pf_period_old = block->pf_period;
memcpy(block->pf_gains_old, block->pf_gains, sizeof(block->pf_gains));
block->pf_period = block->pf_period_new;
memcpy(block->pf_gains, block->pf_gains_new, sizeof(block->pf_gains));
if (len > CELT_OVERLAP) {
Reported by FlawFinder.
Line: 227
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
filter_len);
block->pf_period_old = block->pf_period;
memcpy(block->pf_gains_old, block->pf_gains, sizeof(block->pf_gains));
}
memmove(block->buf, block->buf + len, (1024 + CELT_OVERLAP / 2) * sizeof(float));
}
Reported by FlawFinder.
Line: 422
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
f->dsp->vector_fmac_scalar(f->block[0].coeffs, f->block[1].coeffs, 1.0, FFALIGN(frame_size, 16));
downmix = 1;
} else if (f->output_channels > f->channels)
memcpy(f->block[1].coeffs, f->block[0].coeffs, frame_size * sizeof(float));
if (f->silence) {
for (i = 0; i < 2; i++) {
CeltBlock *block = &f->block[i];
Reported by FlawFinder.
Line: 462
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (channels == 1)
memcpy(f->block[1].energy, f->block[0].energy, sizeof(f->block[0].energy));
for (i = 0; i < 2; i++ ) {
CeltBlock *block = &f->block[i];
if (!f->transient) {
Reported by FlawFinder.
Line: 468
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CeltBlock *block = &f->block[i];
if (!f->transient) {
memcpy(block->prev_energy[1], block->prev_energy[0], sizeof(block->prev_energy[0]));
memcpy(block->prev_energy[0], block->energy, sizeof(block->prev_energy[0]));
} else {
for (j = 0; j < CELT_MAX_BANDS; j++)
block->prev_energy[0][j] = FFMIN(block->prev_energy[0][j], block->energy[j]);
}
Reported by FlawFinder.