The following issues were found
libavcodec/vp3.c
4 issues
Line: 1695
Column: 27
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* from other INTRA blocks. There are 2 golden frame coding types;
* blocks encoding in these modes can only predict from other blocks
* that were encoded with these 1 of these 2 modes. */
static const unsigned char compatible_frame[9] = {
1, /* MODE_INTER_NO_MV */
0, /* MODE_INTRA */
1, /* MODE_INTER_PLUS_MV */
1, /* MODE_INTER_LAST_MV */
1, /* MODE_INTER_PRIOR_MV */
Reported by FlawFinder.
Line: 2058
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (i = 0; i < 9; i++)
memcpy(temp + i*stride, loop + (i + 1) * loop_stride + 1, 9);
return 1;
}
#endif
Reported by FlawFinder.
Line: 3041
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
plj = (plane + 2) % 3;
}
s->qr_count[inter][plane] = s->qr_count[qtj][plj];
memcpy(s->qr_size[inter][plane], s->qr_size[qtj][plj],
sizeof(s->qr_size[0][0]));
memcpy(s->qr_base[inter][plane], s->qr_base[qtj][plj],
sizeof(s->qr_base[0][0]));
} else {
int qri = 0;
Reported by FlawFinder.
Line: 3043
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s->qr_count[inter][plane] = s->qr_count[qtj][plj];
memcpy(s->qr_size[inter][plane], s->qr_size[qtj][plj],
sizeof(s->qr_size[0][0]));
memcpy(s->qr_base[inter][plane], s->qr_base[qtj][plj],
sizeof(s->qr_base[0][0]));
} else {
int qri = 0;
int qi = 0;
Reported by FlawFinder.
libavformat/tls_schannel.c
4 issues
Line: 203
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto fail;
}
memcpy(inbuf[0].pvBuffer, c->enc_buf, c->enc_buf_offset);
/* output buffers */
init_sec_buffer(&outbuf[0], SECBUFFER_TOKEN, NULL, 0);
init_sec_buffer(&outbuf[1], SECBUFFER_ALERT, NULL, 0);
init_sec_buffer(&outbuf[2], SECBUFFER_EMPTY, NULL, 0);
Reported by FlawFinder.
Line: 463
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy decrypted data to buffer */
size = inbuf[1].cbBuffer;
if (size) {
memcpy(c->dec_buf + c->dec_buf_offset, inbuf[1].pvBuffer, size);
c->dec_buf_offset += size;
}
}
if (inbuf[3].BufferType == SECBUFFER_EXTRA && inbuf[3].cbBuffer > 0) {
if (c->enc_buf_offset > inbuf[3].cbBuffer) {
Reported by FlawFinder.
Line: 514
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cleanup:
size = FFMIN(len, c->dec_buf_offset);
if (size) {
memcpy(buf, c->dec_buf, size);
memmove(c->dec_buf, c->dec_buf + size, c->dec_buf_offset - size);
c->dec_buf_offset -= size;
return size;
}
Reported by FlawFinder.
Line: 561
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
init_sec_buffer(&outbuf[3], SECBUFFER_EMPTY, NULL, 0);
init_sec_buffer_desc(&outbuf_desc, outbuf, 4);
memcpy(outbuf[1].pvBuffer, buf, len);
sspi_ret = EncryptMessage(&c->ctxt_handle, 0, &outbuf_desc, 0);
if (sspi_ret == SEC_E_OK) {
len = outbuf[0].cbBuffer + outbuf[1].cbBuffer + outbuf[2].cbBuffer;
ret = ffurl_write(s->tcp, data, len);
Reported by FlawFinder.
libavformat/srtdec.c
4 issues
Line: 80
Column: 9
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
ei->x1 = ei->x2 = ei->y1 = ei->y2 = ei->duration = -1;
ei->pts = AV_NOPTS_VALUE;
ei->pos = -1;
if (sscanf(line, "%d:%d:%d%*1[,.]%d --> %d:%d:%d%*1[,.]%d"
"%*[ ]X1:%"PRId32" X2:%"PRId32" Y1:%"PRId32" Y2:%"PRId32,
&hh1, &mm1, &ss1, &ms1,
&hh2, &mm2, &ss2, &ms2,
&ei->x1, &ei->x2, &ei->y1, &ei->y2) >= 8) {
const int64_t start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1;
Reported by FlawFinder.
Line: 179
Column: 17
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (strtol(line, &pline, 10) < 0 || line == pline)
av_bprintf(&buf, "%s\n", line);
else
strcpy(line_cache, line);
} else {
if (has_event_info) {
/* We have the information of previous event, append it to the
* queue. We insert the cached line if and only if the payload
* is empty and the cached line is not a standalone number. */
Reported by FlawFinder.
Line: 36
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int srt_probe(const AVProbeData *p)
{
int v;
char buf[64], *pbuf;
FFTextReader tr;
ff_text_init_buf(&tr, p->buf, p->buf_size);
while (ff_text_peek_r8(&tr) == '\r' || ff_text_peek_r8(&tr) == '\n')
Reported by FlawFinder.
Line: 132
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVBPrint buf;
AVStream *st = avformat_new_stream(s, NULL);
int res = 0;
char line[4096], line_cache[4096];
int has_event_info = 0;
struct event_info ei;
FFTextReader tr;
ff_text_init_avio(s, &tr, s->pb);
Reported by FlawFinder.
libavformat/subtitles.c
4 issues
Line: 123
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
old_len = sub->size;
if (av_grow_packet(sub, len) < 0)
return NULL;
memcpy(sub->data + old_len, event, len);
} else {
/* new event */
if (q->nb_subs >= INT_MAX/sizeof(*q->subs) - 1)
return NULL;
Reported by FlawFinder.
Line: 144
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
subs[q->nb_subs++] = sub;
sub->flags |= AV_PKT_FLAG_KEY;
sub->pts = sub->dts = 0;
memcpy(sub->data, event, len);
}
return sub;
}
static int cmp_pkt_sub_ts_pos(const void *a, const void *b)
Reported by FlawFinder.
Line: 387
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ff_subtitles_read_text_chunk(FFTextReader *tr, AVBPrint *buf)
{
char eol_buf[5], last_was_cr = 0;
int n = 0, i = 0, nb_eol = 0;
av_bprint_clear(buf);
for (;;) {
Reported by FlawFinder.
Line: 363
Column: 24
CWE codes:
126
const char *ff_smil_get_attr_ptr(const char *s, const char *attr)
{
int in_quotes = 0;
const size_t len = strlen(attr);
while (*s) {
while (*s) {
if (!in_quotes && av_isspace(*s))
break;
Reported by FlawFinder.
libavcodec/bmvvideo.c
4 issues
Line: 171
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (forward) {
if (source + src_len - src < len)
return AVERROR_INVALIDDATA;
memcpy(dst, src, len);
dst += len;
src += len;
} else {
if (src - source < len)
return AVERROR_INVALIDDATA;
Reported by FlawFinder.
Line: 179
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR_INVALIDDATA;
dst -= len;
src -= len;
memcpy(dst, src, len);
}
break;
case 3:
val = forward ? dst[-1] : dst[1];
if (forward) {
Reported by FlawFinder.
Line: 253
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR_INVALIDDATA;
}
memcpy(frame->data[1], c->pal, AVPALETTE_SIZE);
frame->palette_has_changed = type & BMV_PALETTE;
outptr = frame->data[0];
srcptr = c->frame;
Reported by FlawFinder.
Line: 260
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
srcptr = c->frame;
for (i = 0; i < avctx->height; i++) {
memcpy(outptr, srcptr, avctx->width);
srcptr += avctx->width;
outptr += frame->linesize[0];
}
*got_frame = 1;
Reported by FlawFinder.
libavcodec/flashsv.c
4 issues
Line: 228
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Flash Screen Video stores the image upside down, so copy
* lines to destination in reverse order. */
for (k = 1; k <= s->diff_height; k++) {
memcpy(s->frame->data[0] + x_pos * 3 +
(s->image_height - y_pos - k) * s->frame->linesize[0],
line, width * 3);
/* advance source pointer to next line */
line += width * 3;
}
Reported by FlawFinder.
Line: 361
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int err;
if ((err = av_reallocp(&s->keyframedata, avpkt->size)) < 0)
return err;
memcpy(s->keyframedata, avpkt->data, avpkt->size);
}
if(s->ver == 2 && !s->blocks)
s->blocks = av_mallocz((v_blocks + !!v_part) * (h_blocks + !!h_part) *
sizeof(s->blocks[0]));
Reported by FlawFinder.
Line: 468
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (k = 0; k < cur_blk_height; k++) {
int x = off - k * s->frame->linesize[0] + x_pos * 3;
memcpy(s->frame->data[0] + x, s->keyframe + x,
cur_blk_width * 3);
}
}
/* skip unchanged blocks, which have size 0 */
Reported by FlawFinder.
Line: 492
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR(ENOMEM);
}
}
memcpy(s->keyframe, s->frame->data[0],
s->frame->linesize[0] * avctx->height);
}
if ((ret = av_frame_ref(data, s->frame)) < 0)
return ret;
Reported by FlawFinder.
libavcodec/flacenc.c
4 issues
Line: 156
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
put_bits(&pb, 24, (s->sample_count & 0xFFFFFF000LL) >> 12);
put_bits(&pb, 12, s->sample_count & 0x000000FFFLL);
flush_put_bits(&pb);
memcpy(&header[18], s->md5sum, 16);
}
/**
* Set blocksize based on samplerate.
Reported by FlawFinder.
Line: 817
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* VERBATIM */
if (frame->verbatim_only || n < 5) {
sub->type = sub->type_code = FLAC_SUBFRAME_VERBATIM;
memcpy(res, smp, n * sizeof(int32_t));
return subframe_count_exact(s, sub, 0);
}
min_order = s->options.min_prediction_order;
max_order = s->options.max_prediction_order;
Reported by FlawFinder.
Line: 962
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
score = find_subframe_rice_params(s, sub, opt_order);
if (score < best_score) {
best_score = score;
memcpy(coefs[opt_order-1], lpc_try, sizeof(*coefs));
improved=1;
}
}
} while(improved);
}
Reported by FlawFinder.
Line: 1344
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
avctx->extradata_size);
if (!side_data)
return AVERROR(ENOMEM);
memcpy(side_data, avctx->extradata, avctx->extradata_size);
avpkt->pts = s->next_pts;
*got_packet_ptr = 1;
s->flushed = 1;
Reported by FlawFinder.
libavcodec/vb.c
4 issues
Line: 120
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 0x00: //skip
for (y = 0; y < 4; y++)
if (check_line(prev + y*width, pstart, pend))
memcpy(cur + y*width, prev + y*width, 4);
else
memset(cur + y*width, 0, 4);
break;
case 0x40:
t = bytestream2_get_byte(&g);
Reported by FlawFinder.
Line: 139
Column: 25
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
t = x + y*width;
for (y = 0; y < 4; y++)
if (check_line(prev + t + y*width, pstart, pend))
memcpy(cur + y*width, prev + t + y*width, 4);
else
memset(cur + y*width, 0, 4);
}
break;
case 0x80: // fill
Reported by FlawFinder.
Line: 235
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vb_decode_palette(c, size);
}
memcpy(frame->data[1], c->pal, AVPALETTE_SIZE);
frame->palette_has_changed = flags & VB_HAS_PALETTE;
outptr = frame->data[0];
srcptr = c->frame;
Reported by FlawFinder.
Line: 242
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
srcptr = c->frame;
for (i = 0; i < avctx->height; i++) {
memcpy(outptr, srcptr, avctx->width);
srcptr += avctx->width;
outptr += frame->linesize[0];
}
FFSWAP(uint8_t*, c->frame, c->prev_frame);
Reported by FlawFinder.
libavformat/cafdec.c
4 issues
Line: 162
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
avio_skip(pb, size - ALAC_PREAMBLE - ALAC_HEADER);
} else {
AV_WB32(st->codecpar->extradata, 36);
memcpy(&st->codecpar->extradata[4], "alac", 4);
AV_WB32(&st->codecpar->extradata[8], 0);
memcpy(&st->codecpar->extradata[12], preamble, 12);
if (avio_read(pb, &st->codecpar->extradata[24], ALAC_NEW_KUKI - 12) != ALAC_NEW_KUKI - 12) {
av_log(s, AV_LOG_ERROR, "failed to read new kuki header\n");
av_freep(&st->codecpar->extradata);
Reported by FlawFinder.
Line: 164
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
AV_WB32(st->codecpar->extradata, 36);
memcpy(&st->codecpar->extradata[4], "alac", 4);
AV_WB32(&st->codecpar->extradata[8], 0);
memcpy(&st->codecpar->extradata[12], preamble, 12);
if (avio_read(pb, &st->codecpar->extradata[24], ALAC_NEW_KUKI - 12) != ALAC_NEW_KUKI - 12) {
av_log(s, AV_LOG_ERROR, "failed to read new kuki header\n");
av_freep(&st->codecpar->extradata);
return AVERROR_INVALIDDATA;
}
Reported by FlawFinder.
Line: 240
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int i;
unsigned int nb_entries = avio_rb32(pb);
for (i = 0; i < nb_entries && !avio_feof(pb); i++) {
char key[32];
char value[1024];
avio_get_str(pb, INT_MAX, key, sizeof(key));
avio_get_str(pb, INT_MAX, value, sizeof(value));
av_dict_set(&s->metadata, key, value, 0);
}
Reported by FlawFinder.
Line: 241
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int nb_entries = avio_rb32(pb);
for (i = 0; i < nb_entries && !avio_feof(pb); i++) {
char key[32];
char value[1024];
avio_get_str(pb, INT_MAX, key, sizeof(key));
avio_get_str(pb, INT_MAX, value, sizeof(value));
av_dict_set(&s->metadata, key, value, 0);
}
}
Reported by FlawFinder.
ffbuild/bin2c.c
4 issues
Line: 42
CWE codes:
775
output = fopen(argv[2], "wb");
if (!output)
return -1;
if (argc == 4) {
name = argv[3];
} else {
size_t arglen = strlen(argv[1]);
Reported by Cppcheck.
Line: 36
Column: 13
CWE codes:
362
if (argc < 3 || argc > 4)
return 1;
input = fopen(argv[1], "rb");
if (!input)
return -1;
output = fopen(argv[2], "wb");
if (!output)
Reported by FlawFinder.
Line: 40
Column: 14
CWE codes:
362
if (!input)
return -1;
output = fopen(argv[2], "wb");
if (!output)
return -1;
if (argc == 4) {
name = argv[3];
Reported by FlawFinder.
Line: 47
Column: 25
CWE codes:
126
if (argc == 4) {
name = argv[3];
} else {
size_t arglen = strlen(argv[1]);
name = argv[1];
for (int i = 0; i < arglen; i++) {
if (argv[1][i] == '.')
argv[1][i] = '_';
Reported by FlawFinder.