The following issues were found
libavfilter/af_aiir.c
5 issues
Line: 857
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
biquad_process(impulse, resp, length - 1,
1., 0., 0., biquad->a[1], biquad->a[2]);
memcpy(M + n * 2 * (length - 1), resp, sizeof(*resp) * (length - 1));
memcpy(M + n * 2 * (length - 1) + length, resp, sizeof(*resp) * (length - 2));
memset(resp, 0, length * sizeof(*resp));
}
solve(M, &y[1], length - 1, &impulse[1], resp, W);
Reported by FlawFinder.
Line: 858
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
1., 0., 0., biquad->a[1], biquad->a[2]);
memcpy(M + n * 2 * (length - 1), resp, sizeof(*resp) * (length - 1));
memcpy(M + n * 2 * (length - 1) + length, resp, sizeof(*resp) * (length - 2));
memset(resp, 0, length * sizeof(*resp));
}
solve(M, &y[1], length - 1, &impulse[1], resp, W);
Reported by FlawFinder.
Line: 980
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!temp0 || !temp1)
goto next;
memcpy(temp0, iir->ab[0], iir->nb_ab[0] * sizeof(*temp0));
memcpy(temp1, iir->ab[1], iir->nb_ab[1] * sizeof(*temp1));
for (int n = 0; n < iir->nb_ab[0]; n++)
iir->ab[0][n] = coef_sf2zf(temp0, iir->nb_ab[0] - 1, n);
Reported by FlawFinder.
Line: 981
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto next;
memcpy(temp0, iir->ab[0], iir->nb_ab[0] * sizeof(*temp0));
memcpy(temp1, iir->ab[1], iir->nb_ab[1] * sizeof(*temp1));
for (int n = 0; n < iir->nb_ab[0]; n++)
iir->ab[0][n] = coef_sf2zf(temp0, iir->nb_ab[0] - 1, n);
for (int n = 0; n < iir->nb_ab[1]; n++)
Reported by FlawFinder.
Line: 1148
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
double *mag, *phase, *temp, *delay, min = DBL_MAX, max = -DBL_MAX;
double min_delay = DBL_MAX, max_delay = -DBL_MAX, min_phase, max_phase;
int prev_ymag = -1, prev_yphase = -1, prev_ydelay = -1;
char text[32];
int ch, i;
memset(out->data[0], 0, s->h * out->linesize[0]);
phase = av_malloc_array(s->w, sizeof(*phase));
Reported by FlawFinder.
libavformat/tls.c
5 issues
Line: 92
Column: 50
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if (!c->host && !(c->host = av_strdup(c->underlying_host)))
return AVERROR(ENOMEM);
proxy_path = c->http_proxy ? c->http_proxy : getenv("http_proxy");
use_proxy = !ff_http_match_no_proxy(getenv("no_proxy"), c->underlying_host) &&
proxy_path && av_strstart(proxy_path, "http://", NULL);
if (use_proxy) {
char proxy_host[200], proxy_auth[200], dest[200];
Reported by FlawFinder.
Line: 93
Column: 41
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
return AVERROR(ENOMEM);
proxy_path = c->http_proxy ? c->http_proxy : getenv("http_proxy");
use_proxy = !ff_http_match_no_proxy(getenv("no_proxy"), c->underlying_host) &&
proxy_path && av_strstart(proxy_path, "http://", NULL);
if (use_proxy) {
char proxy_host[200], proxy_auth[200], dest[200];
int proxy_port;
Reported by FlawFinder.
Line: 34
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void set_options(TLSShared *c, const char *uri)
{
char buf[1024];
const char *p = strchr(uri, '?');
if (!p)
return;
if (!c->ca_file && av_find_info_tag(buf, sizeof(buf), "cafile", p))
Reported by FlawFinder.
Line: 60
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int port;
const char *p;
char buf[200], opts[50] = "";
struct addrinfo hints = { 0 }, *ai = NULL;
const char *proxy_path;
int use_proxy;
set_options(c, uri);
Reported by FlawFinder.
Line: 97
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
proxy_path && av_strstart(proxy_path, "http://", NULL);
if (use_proxy) {
char proxy_host[200], proxy_auth[200], dest[200];
int proxy_port;
av_url_split(NULL, 0, proxy_auth, sizeof(proxy_auth),
proxy_host, sizeof(proxy_host), &proxy_port, NULL, 0,
proxy_path);
ff_url_join(dest, sizeof(dest), NULL, NULL, c->underlying_host, port, NULL);
Reported by FlawFinder.
libavcodec/libtheoraenc.c
5 issues
Line: 85
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
avc_context->extradata_size = newsize;
AV_WB16(avc_context->extradata + (*offset), packet->bytes);
*offset += 2;
memcpy(avc_context->extradata + (*offset), packet->packet, packet->bytes);
(*offset) += packet->bytes;
return 0;
}
static int get_stats(AVCodecContext *avctx, int eos)
Reported by FlawFinder.
Line: 108
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!tmp)
return AVERROR(ENOMEM);
h->stats = tmp;
memcpy(h->stats + h->stats_offset, buf, bytes);
h->stats_offset += bytes;
} else {
int b64_size = AV_BASE64_SIZE(h->stats_offset);
// libtheora generates a summary header at the end
memcpy(h->stats, buf, bytes);
Reported by FlawFinder.
Line: 113
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
int b64_size = AV_BASE64_SIZE(h->stats_offset);
// libtheora generates a summary header at the end
memcpy(h->stats, buf, bytes);
avctx->stats_out = av_malloc(b64_size);
if (!avctx->stats_out)
return AVERROR(ENOMEM);
av_base64_encode(avctx->stats_out, b64_size, h->stats, h->stats_offset);
}
Reported by FlawFinder.
Line: 345
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy ogg_packet content out to buffer */
if ((ret = ff_get_encode_buffer(avc_context, pkt, o_packet.bytes, 0)) < 0)
return ret;
memcpy(pkt->data, o_packet.packet, o_packet.bytes);
// HACK: assumes no encoder delay, this is true until libtheora becomes
// multithreaded (which will be disabled unless explicitly requested)
pkt->pts = pkt->dts = frame->pts;
if (!(o_packet.granulepos & h->keyframe_mask))
Reported by FlawFinder.
Line: 138
Column: 25
CWE codes:
126
av_log(avctx, AV_LOG_ERROR, "No statsfile for second pass\n");
return AVERROR(EINVAL);
}
h->stats_size = strlen(avctx->stats_in) * 3/4;
h->stats = av_malloc(h->stats_size);
if (!h->stats) {
h->stats_size = 0;
return AVERROR(ENOMEM);
}
Reported by FlawFinder.
libavcodec/omx.c
5 issues
Line: 91
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static av_cold void *dlsym_prefixed(void *handle, const char *symbol, const char *prefix)
{
char buf[50];
snprintf(buf, sizeof(buf), "%s%s", prefix ? prefix : "", symbol);
return dlsym(handle, buf);
}
static av_cold int omx_try_load(OMXContext *s, void *logctx,
Reported by FlawFinder.
Line: 197
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVCodecContext *avctx;
char component_name[OMX_MAX_STRINGNAME_SIZE];
OMX_VERSIONTYPE version;
OMX_HANDLETYPE handle;
int in_port, out_port;
OMX_COLOR_FORMATTYPE color_format;
int stride, plane_size;
Reported by FlawFinder.
Line: 690
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
avctx->extradata_size = 0;
goto fail;
}
memcpy(avctx->extradata + avctx->extradata_size, buffer->pBuffer + buffer->nOffset, buffer->nFilledLen);
avctx->extradata_size += buffer->nFilledLen;
memset(avctx->extradata + avctx->extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
}
err = OMX_FillThisBuffer(s->handle, buffer);
if (err != OMX_ErrorNone) {
Reported by FlawFinder.
Line: 862
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
avctx->extradata_size = 0;
goto end;
}
memcpy(avctx->extradata + avctx->extradata_size, buffer->pBuffer + buffer->nOffset, buffer->nFilledLen);
avctx->extradata_size += buffer->nFilledLen;
memset(avctx->extradata + avctx->extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
} else {
int newsize = s->output_buf_size + buffer->nFilledLen + AV_INPUT_BUFFER_PADDING_SIZE;
if ((ret = av_reallocp(&s->output_buf, newsize)) < 0) {
Reported by FlawFinder.
Line: 871
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s->output_buf_size = 0;
goto end;
}
memcpy(s->output_buf + s->output_buf_size, buffer->pBuffer + buffer->nOffset, buffer->nFilledLen);
s->output_buf_size += buffer->nFilledLen;
if (buffer->nFlags & OMX_BUFFERFLAG_ENDOFFRAME) {
memset(s->output_buf + s->output_buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
if ((ret = av_packet_from_data(pkt, s->output_buf, s->output_buf_size)) < 0) {
av_freep(&s->output_buf);
Reported by FlawFinder.
libavformat/ipmovie.c
5 issues
Line: 173
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pal = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE,
AVPALETTE_SIZE);
if (pal) {
memcpy(pal, s->palette, AVPALETTE_SIZE);
s->has_palette = 0;
}
}
if (s->changed) {
Reported by FlawFinder.
Line: 276
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int process_ipmovie_chunk(IPMVEContext *s, AVIOContext *pb,
AVPacket *pkt)
{
unsigned char chunk_preamble[CHUNK_PREAMBLE_SIZE];
int chunk_type;
int chunk_size;
unsigned char opcode_preamble[OPCODE_PREAMBLE_SIZE];
unsigned char opcode_type;
unsigned char opcode_version;
Reported by FlawFinder.
Line: 279
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char chunk_preamble[CHUNK_PREAMBLE_SIZE];
int chunk_type;
int chunk_size;
unsigned char opcode_preamble[OPCODE_PREAMBLE_SIZE];
unsigned char opcode_type;
unsigned char opcode_version;
int opcode_size;
unsigned char scratch[1024];
int i, j;
Reported by FlawFinder.
Line: 283
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char opcode_type;
unsigned char opcode_version;
int opcode_size;
unsigned char scratch[1024];
int i, j;
int first_color, last_color;
int audio_flags;
unsigned char r, g, b;
unsigned int width, height;
Reported by FlawFinder.
Line: 612
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
IPMVEContext *ipmovie = s->priv_data;
AVIOContext *pb = s->pb;
AVStream *st;
unsigned char chunk_preamble[CHUNK_PREAMBLE_SIZE];
int chunk_type, i;
uint8_t signature_buffer[sizeof(signature)];
ipmovie->avf = s;
Reported by FlawFinder.
libavformat/flacenc.c
4 issues
Line: 252
Column: 13
CWE codes:
134
Suggestion:
Use a constant for the format specification
"already present, this muxer will not overwrite it.\n");
} else {
uint8_t buf[32];
snprintf(buf, sizeof(buf), "0x%"PRIx64, par->channel_layout);
av_dict_set(&s->metadata, "WAVEFORMATEXTENSIBLE_CHANNEL_MASK", buf, 0);
}
}
return 0;
Reported by FlawFinder.
Line: 290
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
streaminfo = av_packet_get_side_data(pkt, AV_PKT_DATA_NEW_EXTRADATA,
&streaminfo_size);
if (streaminfo && streaminfo_size == FLAC_STREAMINFO_SIZE) {
memcpy(c->streaminfo, streaminfo, FLAC_STREAMINFO_SIZE);
c->updated_streaminfo = 1;
}
if (pkt->size)
avio_write(s->pb, pkt->data, pkt->size);
Reported by FlawFinder.
Line: 106
Column: 15
CWE codes:
126
"write an attached picture.\n", st->index);
return AVERROR(EINVAL);
}
mimelen = strlen(mimetype);
/* get the picture type */
e = av_dict_get(st->metadata, "comment", NULL, 0);
for (i = 0; e && i < FF_ARRAY_ELEMS(ff_id3v2_picture_types); i++) {
if (!av_strcasecmp(e->value, ff_id3v2_picture_types[i])) {
Reported by FlawFinder.
Line: 134
Column: 15
CWE codes:
126
/* get the description */
if ((e = av_dict_get(st->metadata, "title", NULL, 0)))
desc = e->value;
desclen = strlen(desc);
blocklen = 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + pkt->size;
if (blocklen >= 1<<24) {
av_log(s, AV_LOG_ERROR, "Picture block too big %d >= %d\n", blocklen, 1<<24);
return AVERROR(EINVAL);
Reported by FlawFinder.
libavcodec/wmadec.c
4 issues
Line: 408
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s->fdsp->vector_fmul_add(out + n, in + n, s->windows[bsize],
out + n, block_len);
memcpy(out + n + block_len, in + n + block_len, n * sizeof(float));
}
out += s->block_len;
in += s->block_len;
Reported by FlawFinder.
Line: 425
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
n = (s->block_len - block_len) / 2;
bsize = s->frame_len_bits - s->next_block_len_bits;
memcpy(out, in, n * sizeof(float));
s->fdsp->vector_fmul_reverse(out + n, in + n, s->windows[bsize],
block_len);
memset(out + n + block_len, 0, n * sizeof(float));
Reported by FlawFinder.
Line: 799
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (ch = 0; ch < s->avctx->channels; ch++) {
/* copy current block to output */
memcpy(samples[ch] + samples_offset, s->frame_out[ch],
s->frame_len * sizeof(*s->frame_out[ch]));
/* prepare for next block */
memmove(&s->frame_out[ch][0], &s->frame_out[ch][s->frame_len],
s->frame_len * sizeof(*s->frame_out[ch]));
Reported by FlawFinder.
Line: 947
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto fail;
}
s->last_superframe_len = len;
memcpy(s->last_superframe, buf + pos, len);
} else {
/* single frame decode */
if (wma_decode_frame(s, samples, samples_offset) < 0)
goto fail;
samples_offset += s->frame_len;
Reported by FlawFinder.
libavcodec/wmalosslessdec.c
4 issues
Line: 654
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (s->mclms_recent == 0) {
memcpy(&s->mclms_prevvalues[order * num_channels],
s->mclms_prevvalues,
sizeof(int32_t) * order * num_channels);
memcpy(&s->mclms_updates[order * num_channels],
s->mclms_updates,
sizeof(int32_t) * order * num_channels);
Reported by FlawFinder.
Line: 657
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&s->mclms_prevvalues[order * num_channels],
s->mclms_prevvalues,
sizeof(int32_t) * order * num_channels);
memcpy(&s->mclms_updates[order * num_channels],
s->mclms_updates,
sizeof(int32_t) * order * num_channels);
s->mclms_recent = num_channels * order;
}
}
Reported by FlawFinder.
Line: 741
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (recent) \
recent--; \
else { \
memcpy(prev + order, prev, (bits/8) * order); \
memcpy(s->cdlms[ich][ilms].lms_updates + order, \
s->cdlms[ich][ilms].lms_updates, \
sizeof(*s->cdlms[ich][ilms].lms_updates) * order); \
recent = order - 1; \
} \
Reported by FlawFinder.
Line: 742
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
recent--; \
else { \
memcpy(prev + order, prev, (bits/8) * order); \
memcpy(s->cdlms[ich][ilms].lms_updates + order, \
s->cdlms[ich][ilms].lms_updates, \
sizeof(*s->cdlms[ich][ilms].lms_updates) * order); \
recent = order - 1; \
} \
\
Reported by FlawFinder.
libavcodec/wavpack.c
4 issues
Line: 574
CWE codes:
476
memset(dst_left, 0x69, s->samples * 4);
if (dst_r)
memset(dst_right, 0x69, s->samples * 4);
}
return 0;
}
Reported by Cppcheck.
Line: 735
CWE codes:
476
memset(dst_left, 0x69, s->samples * 4);
if (dst_r)
memset(dst_right, 0x69, s->samples * 4);
}
return 0;
}
Reported by Cppcheck.
Line: 767
CWE codes:
476
memset(dst_left, 0x69, s->samples * 4);
if (dst_r)
memset(dst_right, 0x69, s->samples * 4);
}
return 0;
}
Reported by Cppcheck.
Line: 1602
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
if (s->stereo)
memcpy(samples_r, samples_l, bpp * s->samples);
}
return 0;
}
Reported by FlawFinder.
libavformat/subtitles.c
4 issues
Line: 123
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
old_len = sub->size;
if (av_grow_packet(sub, len) < 0)
return NULL;
memcpy(sub->data + old_len, event, len);
} else {
/* new event */
if (q->nb_subs >= INT_MAX/sizeof(*q->subs) - 1)
return NULL;
Reported by FlawFinder.
Line: 144
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
subs[q->nb_subs++] = sub;
sub->flags |= AV_PKT_FLAG_KEY;
sub->pts = sub->dts = 0;
memcpy(sub->data, event, len);
}
return sub;
}
static int cmp_pkt_sub_ts_pos(const void *a, const void *b)
Reported by FlawFinder.
Line: 387
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ff_subtitles_read_text_chunk(FFTextReader *tr, AVBPrint *buf)
{
char eol_buf[5], last_was_cr = 0;
int n = 0, i = 0, nb_eol = 0;
av_bprint_clear(buf);
for (;;) {
Reported by FlawFinder.
Line: 363
Column: 24
CWE codes:
126
const char *ff_smil_get_attr_ptr(const char *s, const char *attr)
{
int in_quotes = 0;
const size_t len = strlen(attr);
while (*s) {
while (*s) {
if (!in_quotes && av_isspace(*s))
break;
Reported by FlawFinder.