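The following issues were found by FlawFinder, which matches risky function names and fixed-size `char` array declarations lexically and does not track buffer sizes or data flow. Each entry is therefore a candidate for manual review, not a confirmed defect. CWE codes used below: 20 (improper input validation), 119 (operations outside the bounds of a memory buffer), 120 (buffer copy without checking the size of the input), 126 (buffer over-read).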
libavcodec/msvideo1.c
4 issues
Line: 74
Column: 13
CWE codes:
120
Suggestion:
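Make sure destination can always hold the source data. In this excerpt the copy length is the constant `AVPALETTE_SIZE`, and the `extradata_size >= AVPALETTE_SIZE` test bounds the read from `avctx->extradata`. What remains to confirm is that `s->pal` is declared with at least `AVPALETTE_SIZE` bytes, which the excerpt does not show.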
s->mode_8bit = 1;
avctx->pix_fmt = AV_PIX_FMT_PAL8;
if (avctx->extradata_size >= AVPALETTE_SIZE)
memcpy(s->pal, avctx->extradata, AVPALETTE_SIZE);
} else {
s->mode_8bit = 0;
avctx->pix_fmt = AV_PIX_FMT_RGB555;
}
Reported by FlawFinder.
Line: 102
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char byte_a, byte_b;
unsigned short flags;
int skip_blocks;
unsigned char colors[8];
unsigned char *pixels = s->frame->data[0];
int stride = s->frame->linesize[0];
stream_ptr = 0;
skip_blocks = 0;
Reported by FlawFinder.
Line: 156
Column: 17
CWE codes:
120
Suggestion:
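Make sure destination can always hold the source data. The line-102 excerpt for this file declares `unsigned char colors[8]`, which matches the 8-byte copy if that is the array in scope here. `CHECK_STREAM_PTR(8)` precedes the read from `s->buf`, but the macro's definition is not shown, so confirm that it rejects input shorter than `stream_ptr + 8`.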
flags = (byte_b << 8) | byte_a;
CHECK_STREAM_PTR(8);
memcpy(colors, &s->buf[stream_ptr], 8);
stream_ptr += 8;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
for (pixel_x = 0; pixel_x < 4; pixel_x++, flags >>= 1)
pixels[pixel_ptr++] =
Reported by FlawFinder.
Line: 184
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* make the palette available on the way out */
if (s->avctx->pix_fmt == AV_PIX_FMT_PAL8)
memcpy(s->frame->data[1], s->pal, AVPALETTE_SIZE);
}
static void msvideo1_decode_16bit(Msvideo1Context *s)
{
int block_ptr, pixel_ptr;
Reported by FlawFinder.
libavcodec/avuienc.c
4 issues
Line: 37
Column: 5
CWE codes:
120
Suggestion:
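Make sure destination can always hold the source data. This copy writes a constant 16 bytes at offset 0 of the 144-byte (plus padding) `extradata` allocation made in the same excerpt. The copies reported at lines 43 and 46 write 20 bytes at offset 24 and 12 bytes at offset 52, also inside that allocation.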
if (!(avctx->extradata = av_mallocz(144 + AV_INPUT_BUFFER_PADDING_SIZE)))
return AVERROR(ENOMEM);
avctx->extradata_size = 144;
memcpy(avctx->extradata, "\0\0\0\x18""APRGAPRG0001", 16);
if (avctx->field_order > AV_FIELD_PROGRESSIVE) {
avctx->extradata[19] = 2;
} else {
avctx->extradata[19] = 1;
}
Reported by FlawFinder.
Line: 43
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
avctx->extradata[19] = 1;
}
memcpy(avctx->extradata + 24, "\0\0\0\x78""ARESARES0001""\0\0\0\x98", 20);
AV_WB32(avctx->extradata + 44, avctx->width);
AV_WB32(avctx->extradata + 48, avctx->height);
memcpy(avctx->extradata + 52, "\0\0\0\x1\0\0\0\x20\0\0\0\x2", 12);
Reported by FlawFinder.
Line: 46
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(avctx->extradata + 24, "\0\0\0\x78""ARESARES0001""\0\0\0\x98", 20);
AV_WB32(avctx->extradata + 44, avctx->width);
AV_WB32(avctx->extradata + 48, avctx->height);
memcpy(avctx->extradata + 52, "\0\0\0\x1\0\0\0\x20\0\0\0\x2", 12);
return 0;
}
Reported by FlawFinder.
Line: 84
Column: 13
CWE codes:
120
Suggestion:
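Make sure destination can always hold the source data. The copy length is `avctx->width * 2` per row and `dst` advances by the same amount, after a zeroed prefix of `avctx->width * skip + 4 * i` bytes. The excerpt does not show how the output buffer behind `dst` was sized, so check that its allocation covers both terms for every row copied.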
memset(dst, 0, avctx->width * skip + 4 * i);
dst += avctx->width * skip + 4 * i;
for (j = 0; j < avctx->height; j += interlaced + 1) {
memcpy(dst, src, avctx->width * 2);
src += (interlaced + 1) * pic->linesize[0];
dst += avctx->width * 2;
}
}
Reported by FlawFinder.
libavformat/amr.c
4 issues
Line: 119
Column: 9
CWE codes:
120
20
static int amr_read_packet(AVFormatContext *s, AVPacket *pkt)
{
AVCodecParameters *par = s->streams[0]->codecpar;
int read, size = 0, toc, mode;
int64_t pos = avio_tell(s->pb);
AMRContext *amr = s->priv_data;
if (avio_feof(s->pb)) {
return AVERROR_EOF;
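Reported by FlawFinder. The reported column appears to fall on the local variable `read` in `int read, size = 0, toc, mode;`, not on a call to `read()`. The line-152 entry for this file looks like the same name match: there `read` holds the `avio_read()` return value, which is compared with `size - 1` and checked for a negative result.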
Line: 152
Column: 9
CWE codes:
120
20
pkt->duration = par->codec_id == AV_CODEC_ID_AMR_NB ? 160 : 320;
read = avio_read(s->pb, pkt->data + 1, size - 1);
if (read != size - 1) {
if (read < 0)
return read;
return AVERROR(EIO);
}
Reported by FlawFinder.
libavformat/srtdec.c
4 issues
Line: 80
Column: 9
CWE codes:
120
20
Suggestion:
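Specify a limit to %s, or use a different input function. The format string shown contains no `%s`: its only string-like conversions are `%*1[,.]` and `%*[ ]`, which are assignment-suppressed and store nothing. Every stored conversion is an integer, so the point left to review is out-of-range numeric fields, because the C standard leaves the result of `%d` undefined when the parsed value does not fit the target type.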
ei->x1 = ei->x2 = ei->y1 = ei->y2 = ei->duration = -1;
ei->pts = AV_NOPTS_VALUE;
ei->pos = -1;
if (sscanf(line, "%d:%d:%d%*1[,.]%d --> %d:%d:%d%*1[,.]%d"
"%*[ ]X1:%"PRId32" X2:%"PRId32" Y1:%"PRId32" Y2:%"PRId32,
&hh1, &mm1, &ss1, &ms1,
&hh2, &mm2, &ss2, &ms2,
&ei->x1, &ei->x2, &ei->y1, &ei->y2) >= 8) {
const int64_t start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1;
Reported by FlawFinder.
Line: 179
Column: 17
CWE codes:
120
Suggestion:
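Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The line-132 entry for this file declares `char line[4096], line_cache[4096];`. If those are the buffers in scope here, source and destination have equal capacity, and the copy fits provided the reader that filled `line` always NUL-terminates it.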
if (strtol(line, &pline, 10) < 0 || line == pline)
av_bprintf(&buf, "%s\n", line);
else
strcpy(line_cache, line);
} else {
if (has_event_info) {
/* We have the information of previous event, append it to the
* queue. We insert the cached line if and only if the payload
* is empty and the cached line is not a standalone number. */
Reported by FlawFinder.
Line: 36
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int srt_probe(const AVProbeData *p)
{
int v;
char buf[64], *pbuf;
FFTextReader tr;
ff_text_init_buf(&tr, p->buf, p->buf_size);
while (ff_text_peek_r8(&tr) == '\r' || ff_text_peek_r8(&tr) == '\n')
Reported by FlawFinder.
Line: 132
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVBPrint buf;
AVStream *st = avformat_new_stream(s, NULL);
int res = 0;
char line[4096], line_cache[4096];
int has_event_info = 0;
struct event_info ei;
FFTextReader tr;
ff_text_init_avio(s, &tr, s->pb);
Reported by FlawFinder.
libavcodec/encode.c
4 issues
Line: 434
Column: 13
CWE codes:
119
120
Suggestion:
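Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt the only write to `buf` is `snprintf(buf, sizeof(buf), "%d", ...)`, which is length-limited. The entries at lines 446, 482 and 492 likewise pass `sizeof(buf)` to the function that fills the array.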
}
}
if (avctx->codec->sample_fmts[i] == AV_SAMPLE_FMT_NONE) {
char buf[128];
snprintf(buf, sizeof(buf), "%d", avctx->sample_fmt);
av_log(avctx, AV_LOG_ERROR, "Specified sample format %s is invalid or not supported\n",
(char *)av_x_if_null(av_get_sample_fmt_name(avctx->sample_fmt), buf));
return AVERROR(EINVAL);
}
Reported by FlawFinder.
Line: 446
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (avctx->pix_fmt == avctx->codec->pix_fmts[i])
break;
if (avctx->codec->pix_fmts[i] == AV_PIX_FMT_NONE) {
char buf[128];
snprintf(buf, sizeof(buf), "%d", avctx->pix_fmt);
av_log(avctx, AV_LOG_ERROR, "Specified pixel format %s is invalid or not supported\n",
(char *)av_x_if_null(av_get_pix_fmt_name(avctx->pix_fmt), buf));
return AVERROR(EINVAL);
}
Reported by FlawFinder.
Line: 482
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (avctx->channel_layout == avctx->codec->channel_layouts[i])
break;
if (avctx->codec->channel_layouts[i] == 0) {
char buf[512];
av_get_channel_layout_string(buf, sizeof(buf), -1, avctx->channel_layout);
av_log(avctx, AV_LOG_ERROR, "Specified channel layout '%s' is not supported\n", buf);
return AVERROR(EINVAL);
}
}
Reported by FlawFinder.
Line: 492
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (avctx->channel_layout && avctx->channels) {
int channels = av_get_channel_layout_nb_channels(avctx->channel_layout);
if (channels != avctx->channels) {
char buf[512];
av_get_channel_layout_string(buf, sizeof(buf), -1, avctx->channel_layout);
av_log(avctx, AV_LOG_ERROR,
"Channel layout '%s' with %d channels does not match number of specified channels %d\n",
buf, channels, avctx->channels);
return AVERROR(EINVAL);
Reported by FlawFinder.
libavcodec/vp3.c
4 issues
Line: 1695
Column: 27
CWE codes:
119
120
Suggestion:
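Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged declaration is a `static const` lookup table with an initializer, so it is not a copy destination. The check that applies is that every index used to read `compatible_frame` is below 9.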
* from other INTRA blocks. There are 2 golden frame coding types;
* blocks encoding in these modes can only predict from other blocks
* that were encoded with these 1 of these 2 modes. */
static const unsigned char compatible_frame[9] = {
1, /* MODE_INTER_NO_MV */
0, /* MODE_INTRA */
1, /* MODE_INTER_PLUS_MV */
1, /* MODE_INTER_LAST_MV */
1, /* MODE_INTER_PRIOR_MV */
Reported by FlawFinder.
Line: 2058
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (i = 0; i < 9; i++)
memcpy(temp + i*stride, loop + (i + 1) * loop_stride + 1, 9);
return 1;
}
#endif
Reported by FlawFinder.
Line: 3041
Column: 17
CWE codes:
120
Suggestion:
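Make sure destination can always hold the source data. Both copies here (this one and the line-3043 entry) take their length from `sizeof(s->qr_size[0][0])` or `sizeof(s->qr_base[0][0])`, one row of the same array that supplies source and destination, so the size matches the destination row by construction. The part to verify is that `inter`, `plane`, `qtj` and `plj` stay within the array dimensions.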
plj = (plane + 2) % 3;
}
s->qr_count[inter][plane] = s->qr_count[qtj][plj];
memcpy(s->qr_size[inter][plane], s->qr_size[qtj][plj],
sizeof(s->qr_size[0][0]));
memcpy(s->qr_base[inter][plane], s->qr_base[qtj][plj],
sizeof(s->qr_base[0][0]));
} else {
int qri = 0;
Reported by FlawFinder.
Line: 3043
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s->qr_count[inter][plane] = s->qr_count[qtj][plj];
memcpy(s->qr_size[inter][plane], s->qr_size[qtj][plj],
sizeof(s->qr_size[0][0]));
memcpy(s->qr_base[inter][plane], s->qr_base[qtj][plj],
sizeof(s->qr_base[0][0]));
} else {
int qri = 0;
int qi = 0;
Reported by FlawFinder.
libavformat/subtitles.c
4 issues
Line: 123
Column: 9
CWE codes:
120
Suggestion:
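Make sure destination can always hold the source data. The copy runs only after `av_grow_packet(sub, len)` has succeeded, and it writes `len` bytes starting at the previous size `old_len`, which is the region the grow call added.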
old_len = sub->size;
if (av_grow_packet(sub, len) < 0)
return NULL;
memcpy(sub->data + old_len, event, len);
} else {
/* new event */
if (q->nb_subs >= INT_MAX/sizeof(*q->subs) - 1)
return NULL;
Reported by FlawFinder.
Line: 144
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
subs[q->nb_subs++] = sub;
sub->flags |= AV_PKT_FLAG_KEY;
sub->pts = sub->dts = 0;
memcpy(sub->data, event, len);
}
return sub;
}
static int cmp_pkt_sub_ts_pos(const void *a, const void *b)
Reported by FlawFinder.
Line: 387
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ff_subtitles_read_text_chunk(FFTextReader *tr, AVBPrint *buf)
{
char eol_buf[5], last_was_cr = 0;
int n = 0, i = 0, nb_eol = 0;
av_bprint_clear(buf);
for (;;) {
Reported by FlawFinder.
Line: 363
Column: 24
CWE codes:
126
const char *ff_smil_get_attr_ptr(const char *s, const char *attr)
{
int in_quotes = 0;
const size_t len = strlen(attr);
while (*s) {
while (*s) {
if (!in_quotes && av_isspace(*s))
break;
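Reported by FlawFinder. The flagged call is `strlen(attr)`. An over-read is possible only if a caller passes an `attr` that is not NUL-terminated, and the callers are not shown in this excerpt.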
libavformat/tls_schannel.c
4 issues
Line: 203
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto fail;
}
memcpy(inbuf[0].pvBuffer, c->enc_buf, c->enc_buf_offset);
/* output buffers */
init_sec_buffer(&outbuf[0], SECBUFFER_TOKEN, NULL, 0);
init_sec_buffer(&outbuf[1], SECBUFFER_ALERT, NULL, 0);
init_sec_buffer(&outbuf[2], SECBUFFER_EMPTY, NULL, 0);
Reported by FlawFinder.
Line: 463
Column: 21
CWE codes:
120
Suggestion:
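Make sure destination can always hold the source data. Here `size` is taken from `inbuf[1].cbBuffer` and copied to `c->dec_buf + c->dec_buf_offset`. The excerpt does not show the check or reallocation that guarantees `dec_buf` holds `dec_buf_offset + size` bytes, so that is the step to verify in the full source.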
/* copy decrypted data to buffer */
size = inbuf[1].cbBuffer;
if (size) {
memcpy(c->dec_buf + c->dec_buf_offset, inbuf[1].pvBuffer, size);
c->dec_buf_offset += size;
}
}
if (inbuf[3].BufferType == SECBUFFER_EXTRA && inbuf[3].cbBuffer > 0) {
if (c->enc_buf_offset > inbuf[3].cbBuffer) {
Reported by FlawFinder.
Line: 514
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cleanup:
size = FFMIN(len, c->dec_buf_offset);
if (size) {
memcpy(buf, c->dec_buf, size);
memmove(c->dec_buf, c->dec_buf + size, c->dec_buf_offset - size);
c->dec_buf_offset -= size;
return size;
}
Reported by FlawFinder.
Line: 561
Column: 5
CWE codes:
120
Suggestion:
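Make sure destination can always hold the source data. The buffer behind `outbuf[1].pvBuffer` is set up before this excerpt. Confirm in the full source that `len` is limited to the space reserved for that data buffer before the copy.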
init_sec_buffer(&outbuf[3], SECBUFFER_EMPTY, NULL, 0);
init_sec_buffer_desc(&outbuf_desc, outbuf, 4);
memcpy(outbuf[1].pvBuffer, buf, len);
sspi_ret = EncryptMessage(&c->ctxt_handle, 0, &outbuf_desc, 0);
if (sspi_ret == SEC_E_OK) {
len = outbuf[0].cbBuffer + outbuf[1].cbBuffer + outbuf[2].cbBuffer;
ret = ffurl_write(s->tcp, data, len);
Reported by FlawFinder.
libavcodec/tiffenc.c
4 issues
Line: 190
Column: 9
CWE codes:
120
Suggestion:
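Make sure destination can always hold the source data. `check_size(s, n)` runs immediately before the copy and the function returns an error when it fails. Its definition is not shown, so confirm that it compares `n` with the space remaining in the output buffer.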
case TIFF_RAW:
if (check_size(s, n))
return AVERROR(EINVAL);
memcpy(dst, src, n);
return n;
case TIFF_PACKBITS:
return ff_rle_encode(dst, s->buf_size - (*s->buf - s->buf_start),
src, 1, n, 2, 0xff, -1, 0);
case TIFF_LZW:
Reported by FlawFinder.
Line: 395
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (j = 0; j < s->rps; j++) {
if (is_yuv) {
pack_yuv(s, p, s->yuv_line, j);
memcpy(zbuf + zn, s->yuv_line, bytes_per_row);
j += s->subsampling[1] - 1;
} else
memcpy(zbuf + j * bytes_per_row,
p->data[0] + j * p->linesize[0], bytes_per_row);
zn += bytes_per_row;
Reported by FlawFinder.
Line: 398
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(zbuf + zn, s->yuv_line, bytes_per_row);
j += s->subsampling[1] - 1;
} else
memcpy(zbuf + j * bytes_per_row,
p->data[0] + j * p->linesize[0], bytes_per_row);
zn += bytes_per_row;
}
ret = encode_strip(s, zbuf, ptr, zn, s->compr);
av_free(zbuf);
Reported by FlawFinder.
Line: 484
Column: 19
CWE codes:
126
if (!(avctx->flags & AV_CODEC_FLAG_BITEXACT))
ADD_ENTRY(s, TIFF_SOFTWARE_NAME, TIFF_STRING,
strlen(LIBAVCODEC_IDENT) + 1, LIBAVCODEC_IDENT);
if (avctx->pix_fmt == AV_PIX_FMT_PAL8) {
uint16_t pal[256 * 3];
for (i = 0; i < 256; i++) {
uint32_t rgb = *(uint32_t *) (p->data[1] + i * 4);
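Reported by FlawFinder. The flagged call is `strlen(LIBAVCODEC_IDENT)`. If that macro expands to a string literal, as its use as the entry's data suggests, the argument is always NUL-terminated and no over-read can occur.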
libavcodec/truemotion1.c
4 issues
Line: 155
Column: 5
CWE codes:
120
Suggestion:
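Make sure destination can always hold the source data. Each of the four copies (this entry and those at lines 156–158) is a fixed `8 * sizeof(int16_t)` bytes, and the function returns early when `delta_table_index > 3`. The excerpt shows neither the declarations of `s->ydt`, `s->cdt`, `s->fat_ydt` and `s->fat_cdt` nor the type of `delta_table_index`. Check that each destination holds at least 8 `int16_t` values, and that the index cannot be negative if its type is signed.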
if (delta_table_index > 3)
return;
memcpy(s->ydt, ydts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->cdt, cdts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->fat_ydt, fat_ydts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->fat_cdt, fat_cdts[delta_table_index], 8 * sizeof(int16_t));
/* Y skinny deltas need to be halved for some reason; maybe the
Reported by FlawFinder.
Line: 156
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
memcpy(s->ydt, ydts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->cdt, cdts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->fat_ydt, fat_ydts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->fat_cdt, fat_cdts[delta_table_index], 8 * sizeof(int16_t));
/* Y skinny deltas need to be halved for some reason; maybe the
* skinny Y deltas should be modified */
Reported by FlawFinder.
Line: 157
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(s->ydt, ydts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->cdt, cdts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->fat_ydt, fat_ydts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->fat_cdt, fat_cdts[delta_table_index], 8 * sizeof(int16_t));
/* Y skinny deltas need to be halved for some reason; maybe the
* skinny Y deltas should be modified */
for (i = 0; i < 8; i++)
Reported by FlawFinder.
Line: 158
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(s->ydt, ydts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->cdt, cdts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->fat_ydt, fat_ydts[delta_table_index], 8 * sizeof(int16_t));
memcpy(s->fat_cdt, fat_cdts[delta_table_index], 8 * sizeof(int16_t));
/* Y skinny deltas need to be halved for some reason; maybe the
* skinny Y deltas should be modified */
for (i = 0; i < 8; i++)
{
Reported by FlawFinder.