The following issues were found
libavformat/rtspdec.c
25 issues
Line: 100
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *extracontent, uint16_t seq)
{
RTSPState *rt = s->priv_data;
char message[MAX_URL_SIZE];
int index = 0;
while (status_messages[index].code) {
if (status_messages[index].code == code) {
snprintf(message, sizeof(message), "RTSP/1.0 %d %s\r\n",
code, status_messages[index].message);
Reported by FlawFinder.
Line: 146
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *method)
{
RTSPState *rt = s->priv_data;
char rbuf[MAX_URL_SIZE];
int rbuflen, ret;
do {
ret = read_line(s, rbuf, sizeof(rbuf), &rbuflen);
if (ret)
return ret;
Reported by FlawFinder.
Line: 175
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
RTSPState *rt = s->priv_data;
RTSPMessageHeader request = { 0 };
char sdp[SDP_MAX_SIZE];
int ret;
ret = rtsp_read_request(s, &request, "ANNOUNCE");
if (ret)
return ret;
Reported by FlawFinder.
Line: 235
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
RTSPState *rt = s->priv_data;
RTSPMessageHeader request = { 0 };
int ret = 0;
char url[MAX_URL_SIZE];
RTSPStream *rtsp_st;
char responseheaders[MAX_URL_SIZE];
int localport = -1;
int transportidx = 0;
int streamid = 0;
Reported by FlawFinder.
Line: 237
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret = 0;
char url[MAX_URL_SIZE];
RTSPStream *rtsp_st;
char responseheaders[MAX_URL_SIZE];
int localport = -1;
int transportidx = 0;
int streamid = 0;
ret = rtsp_read_request(s, &request, "SETUP");
Reported by FlawFinder.
Line: 354
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
RTSPState *rt = s->priv_data;
RTSPMessageHeader request = { 0 };
int ret = 0;
char responseheaders[MAX_URL_SIZE];
ret = rtsp_read_request(s, &request, "RECORD");
if (ret)
return ret;
ret = check_sessionid(s, &request);
Reported by FlawFinder.
Line: 389
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_log(s, AV_LOG_ERROR, "Method string too long\n");
return AVERROR(EIO);
}
memcpy(method, line, linept - line);
method[linept - line] = '\0';
linept++;
if (!strcmp(method, "ANNOUNCE"))
*methodcode = ANNOUNCE;
else if (!strcmp(method, "OPTIONS"))
Reported by FlawFinder.
Line: 441
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_log(s, AV_LOG_ERROR, "uri string length exceeded buffer size\n");
return AVERROR(EIO);
}
memcpy(uri, linept, searchlinept - linept);
uri[searchlinept - linept] = '\0';
if (strcmp(rt->control_uri, uri)) {
char host[128], path[512], auth[128];
int port;
char ctl_host[128], ctl_path[512], ctl_auth[128];
Reported by FlawFinder.
Line: 444
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
memcpy(uri, linept, searchlinept - linept);
uri[searchlinept - linept] = '\0';
if (strcmp(rt->control_uri, uri)) {
char host[128], path[512], auth[128];
int port;
char ctl_host[128], ctl_path[512], ctl_auth[128];
int ctl_port;
av_url_split(NULL, 0, auth, sizeof(auth), host, sizeof(host), &port,
path, sizeof(path), uri);
Reported by FlawFinder.
Line: 446
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (strcmp(rt->control_uri, uri)) {
char host[128], path[512], auth[128];
int port;
char ctl_host[128], ctl_path[512], ctl_auth[128];
int ctl_port;
av_url_split(NULL, 0, auth, sizeof(auth), host, sizeof(host), &port,
path, sizeof(path), uri);
av_url_split(NULL, 0, ctl_auth, sizeof(ctl_auth), ctl_host,
sizeof(ctl_host), &ctl_port, ctl_path, sizeof(ctl_path),
Reported by FlawFinder.
libavformat/mpegtsenc.c
25 issues
Line: 140
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void mpegts_write_section(MpegTSSection *s, uint8_t *buf, int len)
{
unsigned int crc;
unsigned char packet[TS_PACKET_SIZE];
const unsigned char *buf_ptr;
unsigned char *q;
int first, b, len1, left;
crc = av_bswap32(av_crc(av_crc_get_table(AV_CRC_32_IEEE),
Reported by FlawFinder.
Line: 177
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len1 = TS_PACKET_SIZE - (q - packet);
if (len1 > len)
len1 = len;
memcpy(q, buf_ptr, len1);
q += len1;
/* add known padding data */
left = TS_PACKET_SIZE - (q - packet);
if (left > 0)
memset(q, 0xff, left);
Reported by FlawFinder.
Line: 221
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*q++ = 0xc1 | (version << 1); /* current_next_indicator = 1 */
*q++ = sec_num;
*q++ = last_sec_num;
memcpy(q, buf, len);
mpegts_write_section(s, section, tot_len);
return 0;
}
Reported by FlawFinder.
Line: 286
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void putbuf(uint8_t **q_ptr, const uint8_t *buf, size_t len)
{
memcpy(*q_ptr, buf, len);
*q_ptr += len;
}
static int put_arib_caption_descriptor(AVFormatContext *s, uint8_t **q_ptr,
AVCodecParameters *codecpar)
Reported by FlawFinder.
Line: 722
Column: 24
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (st->codecpar->extradata_size - extradata_copied >= 5) {
*q++ = st->codecpar->extradata[extradata_copied + 4]; /* subtitling_type */
memcpy(q, st->codecpar->extradata + extradata_copied, 4); /* composition_page_id and ancillary_page_id */
extradata_copied += 5;
q += 4;
} else {
/* subtitling_type:
* 0x10 - normal with no monitor aspect ratio criticality
Reported by FlawFinder.
Line: 732
Column: 28
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*q++ = (st->disposition & AV_DISPOSITION_HEARING_IMPAIRED) ? 0x20 : 0x10;
if ((st->codecpar->extradata_size == 4) && (extradata_copied == 0)) {
/* support of old 4-byte extradata format */
memcpy(q, st->codecpar->extradata, 4); /* composition_page_id and ancillary_page_id */
extradata_copied += 4;
q += 4;
} else {
put16(&q, 1); /* composition_page_id */
put16(&q, 1); /* ancillary_page_id */
Reported by FlawFinder.
Line: 760
Column: 24
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
language++;
if (st->codecpar->extradata_size - 1 > extradata_copied) {
memcpy(q, st->codecpar->extradata + extradata_copied, 2);
extradata_copied += 2;
q += 2;
} else {
/* The Teletext descriptor:
* teletext_type: This 5-bit field indicates the type of Teletext page indicated. (0x01 Initial Teletext page)
Reported by FlawFinder.
Line: 923
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR(EINVAL);
buf[0] = str_len + 1;
buf[1] = 0x15;
memcpy(&buf[2], str, str_len);
return 0;
}
}
invalid:
/* Otherwise let's just encode the string as is! */
Reported by FlawFinder.
Line: 932
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (str_len > 255)
return AVERROR(EINVAL);
buf[0] = str_len;
memcpy(&buf[1], str, str_len);
return 0;
}
static int64_t get_pcr(const MpegTSWrite *ts)
{
Reported by FlawFinder.
Line: 969
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MpegTSWrite *ts = s->priv_data;
MpegTSService *service;
AVDictionaryEntry *title, *provider;
char default_service_name[32];
const char *service_name;
const char *provider_name;
title = av_dict_get(metadata, "service_name", NULL, 0);
if (!title)
Reported by FlawFinder.
libavformat/ftp.c
24 issues
Line: 149
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ftp_status(FTPContext *s, char **line, const int response_codes[])
{
int err, i, dash = 0, result = 0, code_found = 0, linesize;
char buf[CONTROL_BUFFER_SIZE];
AVBPrint line_buffer;
if (line)
av_bprint_init(&line_buffer, 0, AV_BPRINT_SIZE_AUTOMATIC);
Reported by FlawFinder.
Line: 246
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ftp_auth(FTPContext *s)
{
char buf[CONTROL_BUFFER_SIZE];
int err;
static const int user_codes[] = {331, 230, 0};
static const int pass_codes[] = {230, 0};
if (strpbrk(s->user, "\r\n"))
Reported by FlawFinder.
Line: 300
Column: 27
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
start += 3;
end[-1] = '\0';
s->server_data_port = atoi(start);
ff_dlog(s, "Server data port: %d\n", s->server_data_port);
av_free(res);
return 0;
Reported by FlawFinder.
Line: 343
Column: 27
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
/* parse port number */
start = av_strtok(NULL, ",", &end);
if (!start) goto fail;
s->server_data_port = atoi(start) * 256;
start = av_strtok(NULL, ",", &end);
if (!start) goto fail;
s->server_data_port += atoi(start);
ff_dlog(s, "Server data port: %d\n", s->server_data_port);
Reported by FlawFinder.
Line: 346
Column: 28
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
s->server_data_port = atoi(start) * 256;
start = av_strtok(NULL, ",", &end);
if (!start) goto fail;
s->server_data_port += atoi(start);
ff_dlog(s, "Server data port: %d\n", s->server_data_port);
av_free(res);
return 0;
Reported by FlawFinder.
Line: 398
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ftp_file_size(FTPContext *s)
{
char command[CONTROL_BUFFER_SIZE];
char *res = NULL;
static const int size_codes[] = {213, 0};
snprintf(command, sizeof(command), "SIZE %s\r\n", s->path);
if (ftp_send_command(s, command, size_codes, &res) == 213 && res && strlen(res) > 4) {
Reported by FlawFinder.
Line: 417
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ftp_retrieve(FTPContext *s)
{
char command[CONTROL_BUFFER_SIZE];
static const int retr_codes[] = {150, 125, 0};
int resp_code;
snprintf(command, sizeof(command), "RETR %s\r\n", s->path);
resp_code = ftp_send_command(s, command, retr_codes, NULL);
Reported by FlawFinder.
Line: 433
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ftp_store(FTPContext *s)
{
char command[CONTROL_BUFFER_SIZE];
static const int stor_codes[] = {150, 125, 0};
int resp_code;
snprintf(command, sizeof(command), "STOR %s\r\n", s->path);
resp_code = ftp_send_command(s, command, stor_codes, NULL);
Reported by FlawFinder.
Line: 460
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ftp_restart(FTPContext *s, int64_t pos)
{
char command[CONTROL_BUFFER_SIZE];
static const int rest_codes[] = {350, 0};
snprintf(command, sizeof(command), "REST %"PRId64"\r\n", pos);
if (ftp_send_command(s, command, rest_codes, NULL) != 350)
return AVERROR(EIO);
Reported by FlawFinder.
Line: 473
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ftp_set_dir(FTPContext *s)
{
static const int cwd_codes[] = {250, 550, 0}; /* 550 is incorrect code */
char command[MAX_URL_SIZE];
snprintf(command, sizeof(command), "CWD %s\r\n", s->path);
if (ftp_send_command(s, command, cwd_codes, NULL) != 250)
return AVERROR(EIO);
return 0;
Reported by FlawFinder.
libavcodec/mathops.h
23 issues
Line: 141
CWE codes:
758
#ifndef zero_extend
static inline av_const unsigned zero_extend(unsigned val, unsigned bits)
{
return (val << ((8 * sizeof(int)) - bits)) >> ((8 * sizeof(int)) - bits);
}
#endif
#ifndef COPY3_IF_LT
#define COPY3_IF_LT(x, y, a, b, c, d)\
Reported by Cppcheck.
Line: 141
CWE codes:
758
#ifndef zero_extend
static inline av_const unsigned zero_extend(unsigned val, unsigned bits)
{
return (val << ((8 * sizeof(int)) - bits)) >> ((8 * sizeof(int)) - bits);
}
#endif
#ifndef COPY3_IF_LT
#define COPY3_IF_LT(x, y, a, b, c, d)\
Reported by Cppcheck.
Line: 141
CWE codes:
758
#ifndef zero_extend
static inline av_const unsigned zero_extend(unsigned val, unsigned bits)
{
return (val << ((8 * sizeof(int)) - bits)) >> ((8 * sizeof(int)) - bits);
}
#endif
#ifndef COPY3_IF_LT
#define COPY3_IF_LT(x, y, a, b, c, d)\
Reported by Cppcheck.
Line: 141
CWE codes:
758
#ifndef zero_extend
static inline av_const unsigned zero_extend(unsigned val, unsigned bits)
{
return (val << ((8 * sizeof(int)) - bits)) >> ((8 * sizeof(int)) - bits);
}
#endif
#ifndef COPY3_IF_LT
#define COPY3_IF_LT(x, y, a, b, c, d)\
Reported by Cppcheck.
Line: 141
CWE codes:
758
#ifndef zero_extend
static inline av_const unsigned zero_extend(unsigned val, unsigned bits)
{
return (val << ((8 * sizeof(int)) - bits)) >> ((8 * sizeof(int)) - bits);
}
#endif
#ifndef COPY3_IF_LT
#define COPY3_IF_LT(x, y, a, b, c, d)\
Reported by Cppcheck.
Line: 141
CWE codes:
758
#ifndef zero_extend
static inline av_const unsigned zero_extend(unsigned val, unsigned bits)
{
return (val << ((8 * sizeof(int)) - bits)) >> ((8 * sizeof(int)) - bits);
}
#endif
#ifndef COPY3_IF_LT
#define COPY3_IF_LT(x, y, a, b, c, d)\
Reported by Cppcheck.
Line: 141
CWE codes:
758
#ifndef zero_extend
static inline av_const unsigned zero_extend(unsigned val, unsigned bits)
{
return (val << ((8 * sizeof(int)) - bits)) >> ((8 * sizeof(int)) - bits);
}
#endif
#ifndef COPY3_IF_LT
#define COPY3_IF_LT(x, y, a, b, c, d)\
Reported by Cppcheck.
Line: 141
CWE codes:
758
#ifndef zero_extend
static inline av_const unsigned zero_extend(unsigned val, unsigned bits)
{
return (val << ((8 * sizeof(int)) - bits)) >> ((8 * sizeof(int)) - bits);
}
#endif
#ifndef COPY3_IF_LT
#define COPY3_IF_LT(x, y, a, b, c, d)\
Reported by Cppcheck.
Line: 141
CWE codes:
758
#ifndef zero_extend
static inline av_const unsigned zero_extend(unsigned val, unsigned bits)
{
return (val << ((8 * sizeof(int)) - bits)) >> ((8 * sizeof(int)) - bits);
}
#endif
#ifndef COPY3_IF_LT
#define COPY3_IF_LT(x, y, a, b, c, d)\
Reported by Cppcheck.
Line: 141
CWE codes:
758
#ifndef zero_extend
static inline av_const unsigned zero_extend(unsigned val, unsigned bits)
{
return (val << ((8 * sizeof(int)) - bits)) >> ((8 * sizeof(int)) - bits);
}
#endif
#ifndef COPY3_IF_LT
#define COPY3_IF_LT(x, y, a, b, c, d)\
Reported by Cppcheck.
libavcodec/on2avc.c
23 issues
Line: 99
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
for (w = 0; w < c->num_windows; w++) {
if (!c->grouping[w]) {
memcpy(c->ms_info + band_off,
c->ms_info + band_off - c->num_bands,
c->num_bands * sizeof(*c->ms_info));
band_off += c->num_bands;
continue;
}
Reported by FlawFinder.
Line: 148
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (w = 0; w < c->num_windows; w++) {
if (!c->grouping[w]) {
memcpy(c->band_scales + band_off,
c->band_scales + band_off - c->num_bands,
c->num_bands * sizeof(*c->band_scales));
band_off += c->num_bands;
continue;
}
Reported by FlawFinder.
Line: 467
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void wtf_end_512(On2AVCContext *c, float *out, float *src,
float *tmp0, float *tmp1)
{
memcpy(src, tmp0, 384 * sizeof(*tmp0));
memcpy(tmp0 + 384, src + 384, 128 * sizeof(*tmp0));
zero_head_and_tail(src, 128, 16, 4);
zero_head_and_tail(src + 128, 128, 16, 4);
zero_head_and_tail(src + 256, 128, 13, 7);
Reported by FlawFinder.
Line: 468
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
float *tmp0, float *tmp1)
{
memcpy(src, tmp0, 384 * sizeof(*tmp0));
memcpy(tmp0 + 384, src + 384, 128 * sizeof(*tmp0));
zero_head_and_tail(src, 128, 16, 4);
zero_head_and_tail(src + 128, 128, 16, 4);
zero_head_and_tail(src + 256, 128, 13, 7);
zero_head_and_tail(src + 384, 128, 15, 5);
Reported by FlawFinder.
Line: 494
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pretwiddle(&tmp0[256], tmp1, 512, 84, 4, 13, 7, ff_on2avc_tabs_20_84_3);
pretwiddle(&tmp0[384], tmp1, 512, 84, 4, 15, 5, ff_on2avc_tabs_20_84_4);
memcpy(src, tmp1, 512 * sizeof(float));
}
static void wtf_end_1024(On2AVCContext *c, float *out, float *src,
float *tmp0, float *tmp1)
{
Reported by FlawFinder.
Line: 500
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void wtf_end_1024(On2AVCContext *c, float *out, float *src,
float *tmp0, float *tmp1)
{
memcpy(src, tmp0, 768 * sizeof(*tmp0));
memcpy(tmp0 + 768, src + 768, 256 * sizeof(*tmp0));
zero_head_and_tail(src, 256, 16, 4);
zero_head_and_tail(src + 256, 256, 16, 4);
zero_head_and_tail(src + 512, 256, 13, 7);
Reported by FlawFinder.
Line: 501
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
float *tmp0, float *tmp1)
{
memcpy(src, tmp0, 768 * sizeof(*tmp0));
memcpy(tmp0 + 768, src + 768, 256 * sizeof(*tmp0));
zero_head_and_tail(src, 256, 16, 4);
zero_head_and_tail(src + 256, 256, 16, 4);
zero_head_and_tail(src + 512, 256, 13, 7);
zero_head_and_tail(src + 768, 256, 15, 5);
Reported by FlawFinder.
Line: 527
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pretwiddle(&tmp0[512], tmp1, 1024, 84, 4, 13, 7, ff_on2avc_tabs_20_84_3);
pretwiddle(&tmp0[768], tmp1, 1024, 84, 4, 15, 5, ff_on2avc_tabs_20_84_4);
memcpy(src, tmp1, 1024 * sizeof(float));
}
static void wtf_40(On2AVCContext *c, float *out, float *src, int size)
{
float *tmp0 = c->temp, *tmp1 = c->temp + 1024;
Reported by FlawFinder.
Line: 724
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(out, saved, 448 * sizeof(float));
c->fdsp->vector_fmul_window(wout, saved + 448, buf, c->short_win, 64);
memcpy(wout + 128, buf + 64, 448 * sizeof(float));
memcpy(saved, buf + 512, 448 * sizeof(float));
memcpy(saved + 448, buf + 7*128 + 64, 64 * sizeof(float));
}
Reported by FlawFinder.
Line: 726
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(out, saved, 448 * sizeof(float));
c->fdsp->vector_fmul_window(wout, saved + 448, buf, c->short_win, 64);
memcpy(wout + 128, buf + 64, 448 * sizeof(float));
memcpy(saved, buf + 512, 448 * sizeof(float));
memcpy(saved + 448, buf + 7*128 + 64, 64 * sizeof(float));
}
return 0;
Reported by FlawFinder.
libavcodec/ilbcdec.c
23 issues
Line: 450
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (s->mode == 30) {
lsp_interpolate2polydec(lp, (*s).lsfdeqold, lsfdeq, lsf_weight_30ms[0], length);
memcpy(syntdenum, lp, lp_length * 2);
bw_expand(weightdenum, lp, kLpcChirpSyntDenum, lp_length);
pos = lp_length;
for (i = 1; i < 6; i++) {
lsp_interpolate2polydec(lp, lsfdeq, lsfdeq2,
Reported by FlawFinder.
Line: 458
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lsp_interpolate2polydec(lp, lsfdeq, lsfdeq2,
lsf_weight_30ms[i],
length);
memcpy(syntdenum + pos, lp, lp_length * 2);
bw_expand(weightdenum + pos, lp, kLpcChirpSyntDenum, lp_length);
pos += lp_length;
}
} else {
pos = 0;
Reported by FlawFinder.
Line: 467
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < s->nsub; i++) {
lsp_interpolate2polydec(lp, s->lsfdeqold, lsfdeq,
lsf_weight_20ms[i], length);
memcpy(syntdenum + pos, lp, lp_length * 2);
bw_expand(weightdenum + pos, lp, kLpcChirpSyntDenum, lp_length);
pos += lp_length;
}
}
Reported by FlawFinder.
Line: 474
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (s->mode == 30) {
memcpy(s->lsfdeqold, lsfdeq2, length * 2);
} else {
memcpy(s->lsfdeqold, lsfdeq, length * 2);
}
}
Reported by FlawFinder.
Line: 476
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (s->mode == 30) {
memcpy(s->lsfdeqold, lsfdeq2, length * 2);
} else {
memcpy(s->lsfdeqold, lsfdeq, length * 2);
}
}
static void filter_mafq12(int16_t *in_ptr, int16_t *out_ptr,
int16_t *B, int16_t B_length,
Reported by FlawFinder.
Line: 638
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int interpolation_length = FFMIN(4, index);
int16_t ilow = index - interpolation_length;
memcpy(cbVec, buffer - index, index * 2);
vector_multiplication(&cbVec[ilow], buffer - index - interpolation_length, alpha, interpolation_length, 15);
vector_rmultiplication(cbVecTmp, buffer - interpolation_length, &alpha[interpolation_length - 1], interpolation_length, 15);
add_vector_and_shift(&cbVec[ilow], &cbVec[ilow], cbVecTmp, interpolation_length, 0);
Reported by FlawFinder.
Line: 644
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vector_rmultiplication(cbVecTmp, buffer - interpolation_length, &alpha[interpolation_length - 1], interpolation_length, 15);
add_vector_and_shift(&cbVec[ilow], &cbVec[ilow], cbVecTmp, interpolation_length, 0);
memcpy(cbVec + index, buffer - index, FFMIN(SUBL - index, index) * sizeof(*cbVec));
}
static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector */
int16_t * mem, /* (i) Codebook buffer */
int16_t index, /* (i) Codebook index */
Reported by FlawFinder.
Line: 672
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
k = index + cbveclen;
/* get vector */
memcpy(cbvec, mem + lMem - k, cbveclen * 2);
} else if (index < base_size) {
/* Calculate lag */
k = (int16_t) SPL_MUL_16_16(2, (index - (lMem - cbveclen + 1))) + cbveclen;
Reported by FlawFinder.
Line: 791
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (encbits->state_first) { /* put adaptive part in the end */
/* setup memory */
memset(mem, 0, (int16_t) (CB_MEML - s->state_short_len) * 2);
memcpy(mem + CB_MEML - s->state_short_len, decresidual + start_pos, s->state_short_len * 2);
/* construct decoded vector */
construct_vector(&decresidual[start_pos + s->state_short_len], encbits->cb_index, encbits->gain_index, mem + CB_MEML - ST_MEM_L_TBL, ST_MEM_L_TBL, (int16_t) diff);
Reported by FlawFinder.
Line: 819
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (Nfor > 0) {
/* setup memory */
memset(mem, 0, (CB_MEML - STATE_LEN) * 2);
memcpy(mem + CB_MEML - STATE_LEN, decresidual + (encbits->start - 1) * SUBL, STATE_LEN * 2);
/* loop over subframes to encode */
for (subframe = 0; subframe < Nfor; subframe++) {
/* construct decoded vector */
construct_vector(&decresidual[(encbits->start + 1 + subframe) * SUBL], encbits->cb_index + subcount * CB_NSTAGES, encbits->gain_index + subcount * CB_NSTAGES, mem, MEM_LF_TBL, SUBL);
Reported by FlawFinder.
libavfilter/vf_fillborders.c
21 issues
Line: 102
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (y = 0; y < s->borders[p].top; y++) {
memcpy(ptr + y * linesize,
ptr + s->borders[p].top * linesize, s->planewidth[p]);
}
for (y = s->planeheight[p] - s->borders[p].bottom; y < s->planeheight[p]; y++) {
memcpy(ptr + y * linesize,
Reported by FlawFinder.
Line: 107
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (y = s->planeheight[p] - s->borders[p].bottom; y < s->planeheight[p]; y++) {
memcpy(ptr + y * linesize,
ptr + (s->planeheight[p] - s->borders[p].bottom - 1) * linesize,
s->planewidth[p]);
}
}
}
Reported by FlawFinder.
Line: 134
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (y = 0; y < s->borders[p].top; y++) {
memcpy(ptr + y * linesize,
ptr + s->borders[p].top * linesize, s->planewidth[p] * 2);
}
for (y = s->planeheight[p] - s->borders[p].bottom; y < s->planeheight[p]; y++) {
memcpy(ptr + y * linesize,
Reported by FlawFinder.
Line: 139
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (y = s->planeheight[p] - s->borders[p].bottom; y < s->planeheight[p]; y++) {
memcpy(ptr + y * linesize,
ptr + (s->planeheight[p] - s->borders[p].bottom - 1) * linesize,
s->planewidth[p] * 2);
}
}
}
Reported by FlawFinder.
Line: 166
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (y = 0; y < s->borders[p].top; y++) {
memcpy(ptr + y * linesize,
ptr + (s->borders[p].top * 2 - 1 - y) * linesize,
s->planewidth[p]);
}
for (y = 0; y < s->borders[p].bottom; y++) {
Reported by FlawFinder.
Line: 172
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (y = 0; y < s->borders[p].bottom; y++) {
memcpy(ptr + (s->planeheight[p] - s->borders[p].bottom + y) * linesize,
ptr + (s->planeheight[p] - s->borders[p].bottom - 1 - y) * linesize,
s->planewidth[p]);
}
}
}
Reported by FlawFinder.
Line: 199
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (y = 0; y < s->borders[p].top; y++) {
memcpy(ptr + y * linesize,
ptr + (s->borders[p].top * 2 - 1 - y) * linesize,
s->planewidth[p] * 2);
}
for (y = 0; y < s->borders[p].bottom; y++) {
Reported by FlawFinder.
Line: 205
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (y = 0; y < s->borders[p].bottom; y++) {
memcpy(ptr + (s->planeheight[p] - s->borders[p].bottom + y) * linesize,
ptr + (s->planeheight[p] - s->borders[p].bottom - 1 - y) * linesize,
s->planewidth[p] * 2);
}
}
}
Reported by FlawFinder.
Line: 290
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (y = 0; y < s->borders[p].top; y++) {
memcpy(ptr + y * linesize,
ptr + (s->borders[p].top * 2 - y) * linesize,
s->planewidth[p]);
}
for (y = 0; y < s->borders[p].bottom; y++) {
Reported by FlawFinder.
Line: 296
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (y = 0; y < s->borders[p].bottom; y++) {
memcpy(ptr + (s->planeheight[p] - s->borders[p].bottom + y) * linesize,
ptr + (s->planeheight[p] - s->borders[p].bottom - 2 - y) * linesize,
s->planewidth[p]);
}
}
}
Reported by FlawFinder.
libavcodec/snowenc.c
21 issues
Line: 361
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pc= s->c;
pc.bytestream_start=
pc.bytestream= p_buffer; //FIXME end/start? and at the other stoo
memcpy(p_state, s->block_state, sizeof(s->block_state));
if(level!=s->block_max_depth)
put_rac(&pc, &p_state[4 + s_context], 1);
put_rac(&pc, &p_state[1 + left->type + top->type], 0);
if(s->ref_frames > 1)
Reported by FlawFinder.
Line: 393
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ic= s->c;
ic.bytestream_start=
ic.bytestream= i_buffer; //FIXME end/start? and at the other stoo
memcpy(i_state, s->block_state, sizeof(s->block_state));
if(level!=s->block_max_depth)
put_rac(&ic, &i_state[4 + s_context], 1);
put_rac(&ic, &i_state[1 + left->type + top->type], 1);
put_symbol(&ic, &i_state[32], l-pl , 1);
if (s->nb_planes > 2) {
Reported by FlawFinder.
Line: 433
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(iscore < score){
pred_mv(s, &pmx, &pmy, 0, left, top, tr);
memcpy(pbbak, i_buffer, i_len);
s->c= ic;
s->c.bytestream_start= pbbak_start;
s->c.bytestream= pbbak + i_len;
set_blocks(s, level, x, y, l, cb, cr, pmx, pmy, 0, BLOCK_INTRA);
memcpy(s->block_state, i_state, sizeof(s->block_state));
Reported by FlawFinder.
Line: 441
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(s->block_state, i_state, sizeof(s->block_state));
return iscore;
}else{
memcpy(pbbak, p_buffer, p_len);
s->c= pc;
s->c.bytestream_start= pbbak_start;
s->c.bytestream= pbbak + p_len;
set_blocks(s, level, x, y, pl, pcb, pcr, mx, my, best_ref, 0);
memcpy(s->block_state, p_state, sizeof(s->block_state));
Reported by FlawFinder.
Line: 664
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
y0 = block_h;
for(y=y0; y<y1; y++)
memcpy(dst + sx+x0 + (sy+y)*ref_stride, cur + x0 + y*ref_stride, x1-x0);
}
if(block_w==16){
/* FIXME rearrange dsputil to fit 32x32 cmp functions */
/* FIXME check alignment of the cmp wavelet vs the encoding wavelet */
Reported by FlawFinder.
Line: 738
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
//FIXME find a cleaner/simpler way to skip the outside stuff
for(y2= y; y2<0; y2++)
memcpy(dst + x + y2*ref_stride, src + x + y2*ref_stride, block_w);
for(y2= h; y2<y+block_h; y2++)
memcpy(dst + x + y2*ref_stride, src + x + y2*ref_stride, block_w);
if(x<0){
for(y2= y; y2<y+block_h; y2++)
memcpy(dst + x + y2*ref_stride, src + x + y2*ref_stride, -x);
Reported by FlawFinder.
Line: 740
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for(y2= y; y2<0; y2++)
memcpy(dst + x + y2*ref_stride, src + x + y2*ref_stride, block_w);
for(y2= h; y2<y+block_h; y2++)
memcpy(dst + x + y2*ref_stride, src + x + y2*ref_stride, block_w);
if(x<0){
for(y2= y; y2<y+block_h; y2++)
memcpy(dst + x + y2*ref_stride, src + x + y2*ref_stride, -x);
}
if(x+block_w > w){
Reported by FlawFinder.
Line: 743
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst + x + y2*ref_stride, src + x + y2*ref_stride, block_w);
if(x<0){
for(y2= y; y2<y+block_h; y2++)
memcpy(dst + x + y2*ref_stride, src + x + y2*ref_stride, -x);
}
if(x+block_w > w){
for(y2= y; y2<y+block_h; y2++)
memcpy(dst + w + y2*ref_stride, src + w + y2*ref_stride, x+block_w - w);
}
Reported by FlawFinder.
Line: 747
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if(x+block_w > w){
for(y2= y; y2<y+block_h; y2++)
memcpy(dst + w + y2*ref_stride, src + w + y2*ref_stride, x+block_w - w);
}
av_assert1(block_w== 8 || block_w==16);
distortion += s->mecc.me_cmp[block_w==8](&s->m, src + x + y*ref_stride, dst + x + y*ref_stride, ref_stride, block_h);
}
Reported by FlawFinder.
Line: 1002
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
RangeCoder r = s->c;
uint8_t state[sizeof(s->block_state)];
memcpy(state, s->block_state, sizeof(s->block_state));
for(mb_y= 0; mb_y<s->b_height; mb_y++)
for(mb_x= 0; mb_x<s->b_width; mb_x++)
encode_q_branch(s, 0, mb_x, mb_y);
s->c = r;
memcpy(s->block_state, state, sizeof(s->block_state));
Reported by FlawFinder.
fftools/ffmpeg.c
20 issues
Line: 708
Column: 13
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (fmt) {
va_start(va, fmt);
vsnprintf(buf, sizeof(buf), fmt, va);
va_end(va);
av_log(NULL, AV_LOG_INFO,
"bench: %8" PRIu64 " user %8" PRIu64 " sys %8" PRIu64 " real %s \n",
t.user_usec - current_time.user_usec,
t.sys_usec - current_time.sys_usec,
Reported by FlawFinder.
Line: 275
CWE codes:
476
dst = frame->data [0];
dst_linesize = frame->linesize[0];
for (i = 0; i < num_rects; i++)
sub2video_copy_rect(dst, dst_linesize, frame->width, frame->height, sub->rects[i]);
sub2video_push_ref(ist, pts);
ist->sub2video.end_pts = end_pts;
ist->sub2video.initialize = 0;
}
Reported by Cppcheck.
Line: 704
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (do_benchmark_all) {
BenchmarkTimeStamps t = get_benchmark_time_stamps();
va_list va;
char buf[1024];
if (fmt) {
va_start(va, fmt);
vsnprintf(buf, sizeof(buf), fmt, va);
va_end(va);
Reported by FlawFinder.
Line: 987
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int fatal)
{
int ret = AVERROR_BUG;
char error[1024] = {0};
if (ost->initialized)
return 0;
ret = init_output_stream(ost, frame, error, sizeof(error));
Reported by FlawFinder.
Line: 1454
Column: 23
CWE codes:
362
/* this is executed just the first time do_video_stats is called */
if (!vstats_file) {
vstats_file = fopen(vstats_filename, "w");
if (!vstats_file) {
perror("fopen");
exit_program(1);
}
}
Reported by FlawFinder.
Line: 1791
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
double error, error_sum = 0;
double scale, scale_sum = 0;
double p;
char type[3] = { 'Y','U','V' };
av_bprintf(&buf, "PSNR=");
for (j = 0; j < 3; j++) {
if (is_last_report) {
error = enc->error[j];
scale = enc->width * enc->height * 255.0 * 255.0 * frame_number;
Reported by FlawFinder.
Line: 2137
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVCodecContext *dec = ist->dec_ctx;
if (!dec->channel_layout) {
char layout_name[256];
if (dec->channels > ist->guess_layout_max)
return 0;
dec->channel_layout = av_get_default_channel_layout(dec->channels);
if (!dec->channel_layout)
Reported by FlawFinder.
Line: 2817
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void print_sdp(void)
{
char sdp[16384];
int i;
int j;
AVIOContext *sdp_pb;
AVFormatContext **avc;
Reported by FlawFinder.
Line: 3192
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst_data = av_stream_new_side_data(ost->st, sd_src->type, sd_src->size);
if (!dst_data)
return AVERROR(ENOMEM);
memcpy(dst_data, sd_src->data, sd_src->size);
}
}
if (ost->rotate_overridden) {
uint8_t *sd = av_stream_new_side_data(ost->st, AV_PKT_DATA_DISPLAYMATRIX,
Reported by FlawFinder.
Line: 3569
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ost->enc_ctx->subtitle_header = av_mallocz(dec->subtitle_header_size + 1);
if (!ost->enc_ctx->subtitle_header)
return AVERROR(ENOMEM);
memcpy(ost->enc_ctx->subtitle_header, dec->subtitle_header, dec->subtitle_header_size);
ost->enc_ctx->subtitle_header_size = dec->subtitle_header_size;
}
if (!av_dict_get(ost->encoder_opts, "threads", NULL, 0))
av_dict_set(&ost->encoder_opts, "threads", "auto", 0);
if (ost->enc->type == AVMEDIA_TYPE_AUDIO &&
Reported by FlawFinder.
libavformat/dashdec.c
20 issues
Line: 1057
Column: 42
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (rep->fragment_duration > 0 && !rep->fragment_timescale)
rep->fragment_timescale = 1;
rep->bandwidth = rep_bandwidth_val ? atoi(rep_bandwidth_val) : 0;
rep->framerate = av_make_q(0, 0);
if (type == AVMEDIA_TYPE_VIDEO) {
char *rep_framerate_val = xmlGetProp(representation_node, "frameRate");
if (rep_framerate_val) {
ret = av_parse_video_rate(&rep->framerate, rep_framerate_val);
Reported by FlawFinder.
Line: 1808
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (v->init_sec_buf_read_offset < v->init_sec_data_len) {
/* Push init section out first before first actual fragment */
int copy_size = FFMIN(v->init_sec_data_len - v->init_sec_buf_read_offset, buf_size);
memcpy(buf, v->init_sec_buf, copy_size);
v->init_sec_buf_read_offset += copy_size;
ret = copy_size;
goto end;
}
Reported by FlawFinder.
Line: 1990
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst_data = av_stream_new_side_data(st, sd_src->type, sd_src->size);
if (!dst_data)
return AVERROR(ENOMEM);
memcpy(dst_data, sd_src->data, sd_src->size);
}
}
return 0;
fail:
Reported by FlawFinder.
Line: 2033
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_log(rep_dest->ctx, AV_LOG_WARNING, "Cannot alloc memory for init_sec_buf\n");
return AVERROR(ENOMEM);
}
memcpy(rep_dest->init_sec_buf, rep_src->init_sec_buf, rep_src->init_sec_data_len);
rep_dest->init_sec_buf_size = rep_src->init_sec_buf_size;
rep_dest->init_sec_data_len = rep_src->init_sec_data_len;
rep_dest->cur_timestamp = rep_src->cur_timestamp;
return 0;
Reported by FlawFinder.
Line: 435
Column: 62
CWE codes:
126
} else
return AVERROR_INVALIDDATA;
if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':')
;
else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':')
;
else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5))
return AVERROR_INVALIDDATA;
Reported by FlawFinder.
Line: 435
Column: 35
CWE codes:
126
} else
return AVERROR_INVALIDDATA;
if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':')
;
else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':')
;
else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5))
return AVERROR_INVALIDDATA;
Reported by FlawFinder.
Line: 437
Column: 80
CWE codes:
126
if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':')
;
else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':')
;
else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5))
return AVERROR_INVALIDDATA;
av_freep(pb);
Reported by FlawFinder.
Line: 437
Column: 111
CWE codes:
126
if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':')
;
else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':')
;
else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5))
return AVERROR_INVALIDDATA;
av_freep(pb);
Reported by FlawFinder.
Line: 719
Column: 28
CWE codes:
126
int updated = 0;
int size = 0;
int i;
int tmp_max_url_size = strlen(url);
for (i = n_baseurl_nodes-1; i >= 0 ; i--) {
text = xmlNodeGetContent(baseurl_nodes[i]);
if (!text)
continue;
Reported by FlawFinder.
Line: 725
Column: 29
CWE codes:
126
text = xmlNodeGetContent(baseurl_nodes[i]);
if (!text)
continue;
tmp_max_url_size += strlen(text);
if (ishttp(text)) {
xmlFree(text);
break;
}
xmlFree(text);
Reported by FlawFinder.