The following issues were found
libavformat/srtdec.c
4 issues
Line: 80
Column: 9
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
ei->x1 = ei->x2 = ei->y1 = ei->y2 = ei->duration = -1;
ei->pts = AV_NOPTS_VALUE;
ei->pos = -1;
if (sscanf(line, "%d:%d:%d%*1[,.]%d --> %d:%d:%d%*1[,.]%d"
"%*[ ]X1:%"PRId32" X2:%"PRId32" Y1:%"PRId32" Y2:%"PRId32,
&hh1, &mm1, &ss1, &ms1,
&hh2, &mm2, &ss2, &ms2,
&ei->x1, &ei->x2, &ei->y1, &ei->y2) >= 8) {
const int64_t start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1;
Reported by FlawFinder.
Line: 179
Column: 17
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (strtol(line, &pline, 10) < 0 || line == pline)
av_bprintf(&buf, "%s\n", line);
else
strcpy(line_cache, line);
} else {
if (has_event_info) {
/* We have the information of previous event, append it to the
* queue. We insert the cached line if and only if the payload
* is empty and the cached line is not a standalone number. */
Reported by FlawFinder.
Line: 36
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int srt_probe(const AVProbeData *p)
{
int v;
char buf[64], *pbuf;
FFTextReader tr;
ff_text_init_buf(&tr, p->buf, p->buf_size);
while (ff_text_peek_r8(&tr) == '\r' || ff_text_peek_r8(&tr) == '\n')
Reported by FlawFinder.
Line: 132
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVBPrint buf;
AVStream *st = avformat_new_stream(s, NULL);
int res = 0;
char line[4096], line_cache[4096];
int has_event_info = 0;
struct event_info ei;
FFTextReader tr;
ff_text_init_avio(s, &tr, s->pb);
Reported by FlawFinder.
libavfilter/vf_scale_vulkan.c
4 issues
Line: 346
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
memcpy(&barriers[barrier_count++], &bar, sizeof(VkImageMemoryBarrier));
in->layout[i] = bar.newLayout;
in->access[i] = bar.dstAccessMask;
}
for (int i = 0; i < av_pix_fmt_count_planes(s->vkctx.output_format); i++) {
VkImageMemoryBarrier bar = {
.sType = VK_STRUCTURE_TYPE_IMAGE_MEMORY_BARRIER,
Reported by FlawFinder.
Line: 367
Column: 14
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
memcpy(&barriers[barrier_count++], &bar, sizeof(VkImageMemoryBarrier));
out->layout[i] = bar.newLayout;
out->access[i] = bar.dstAccessMask;
}
vkCmdPipelineBarrier(cmd_buf, VK_PIPELINE_STAGE_TOP_OF_PIPE_BIT,
VK_PIPELINE_STAGE_COMPUTE_SHADER_BIT, 0,
0, NULL, 0, NULL, barrier_count, barriers);
Reported by FlawFinder.
Line: 343
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
.subresourceRange.layerCount = 1,
};
memcpy(&barriers[barrier_count++], &bar, sizeof(VkImageMemoryBarrier));
in->layout[i] = bar.newLayout;
in->access[i] = bar.dstAccessMask;
}
Reported by FlawFinder.
Line: 364
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
.subresourceRange.layerCount = 1,
};
memcpy(&barriers[barrier_count++], &bar, sizeof(VkImageMemoryBarrier));
out->layout[i] = bar.newLayout;
out->access[i] = bar.dstAccessMask;
}
Reported by FlawFinder.
libavcodec/tableprint.h
4 issues
Line: 54
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
printf(" {\n");\
for (i = 0; i < len; i++) {\
write_##type##_array(data + i * len2, len2);\
printf(i == len - 1 ? " }\n" : " }, {\n");\
}\
}
/**
* @name Predefined functions for printing tables
Reported by FlawFinder.
Line: 88
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define WRITE_ARRAY_ALIGNED(prefix, align, type, name) \
do { \
const size_t array_size = FF_ARRAY_ELEMS(name); \
printf(prefix" DECLARE_ALIGNED("#align", " \
#type", "#name")[%"FMT"] = {\n", \
array_size); \
write_##type##_array(name, array_size); \
printf("};\n"); \
} while(0)
Reported by FlawFinder.
Line: 98
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define WRITE_ARRAY(prefix, type, name) \
do { \
const size_t array_size = FF_ARRAY_ELEMS(name); \
printf(prefix" "#type" "#name"[%"FMT"] = {\n", \
array_size); \
write_##type##_array(name, array_size); \
printf("};\n"); \
} while(0)
Reported by FlawFinder.
Line: 108
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
do { \
const size_t array_size1 = FF_ARRAY_ELEMS(name); \
const size_t array_size2 = FF_ARRAY_ELEMS(name[0]); \
printf(prefix" "#type" "#name"[%"FMT"][%"FMT"] = {\n", \
array_size1, array_size2 ); \
write_##type##_2d_array(name, array_size1, array_size2); \
printf("};\n"); \
} while(0)
Reported by FlawFinder.
libavfilter/vf_tonemap_opencl.c
4 issues
Line: 73
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
cl_mem util_mem;
} TonemapOpenCLContext;
static const char *const linearize_funcs[AVCOL_TRC_NB] = {
[AVCOL_TRC_SMPTE2084] = "eotf_st2084",
[AVCOL_TRC_ARIB_STD_B67] = "inverse_oetf_hlg",
};
static const char *const delinearize_funcs[AVCOL_TRC_NB] = {
Reported by FlawFinder.
Line: 78
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[AVCOL_TRC_ARIB_STD_B67] = "inverse_oetf_hlg",
};
static const char *const delinearize_funcs[AVCOL_TRC_NB] = {
[AVCOL_TRC_BT709] = "inverse_eotf_bt1886",
[AVCOL_TRC_BT2020_10] = "inverse_eotf_bt1886",
};
static const struct PrimaryCoefficients primaries_table[AVCOL_PRI_NB] = {
Reported by FlawFinder.
Line: 93
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[AVCOL_PRI_BT2020] = { 0.3127, 0.3290 },
};
static const char *const tonemap_func[TONEMAP_MAX] = {
[TONEMAP_NONE] = "direct",
[TONEMAP_LINEAR] = "linear",
[TONEMAP_GAMMA] = "gamma",
[TONEMAP_CLIP] = "clip",
[TONEMAP_REINHARD] = "reinhard",
Reported by FlawFinder.
Line: 127
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
cl_int cle;
int err;
AVBPrint header;
const char *opencl_sources[OPENCL_SOURCE_NB];
av_bprint_init(&header, 1024, AV_BPRINT_SIZE_AUTOMATIC);
switch(ctx->tonemap) {
case TONEMAP_GAMMA:
Reported by FlawFinder.
libavformat/amr.c
4 issues
Line: 119
Column: 9
CWE codes:
120
20
static int amr_read_packet(AVFormatContext *s, AVPacket *pkt)
{
AVCodecParameters *par = s->streams[0]->codecpar;
int read, size = 0, toc, mode;
int64_t pos = avio_tell(s->pb);
AMRContext *amr = s->priv_data;
if (avio_feof(s->pb)) {
return AVERROR_EOF;
Reported by FlawFinder.
Line: 152
Column: 9
CWE codes:
120
20
pkt->duration = par->codec_id == AV_CODEC_ID_AMR_NB ? 160 : 320;
read = avio_read(s->pb, pkt->data + 1, size - 1);
if (read != size - 1) {
if (read < 0)
return read;
return AVERROR(EIO);
}
Reported by FlawFinder.
libavcodec/mips/aacsbr_mips.c
4 issues
Line: 342
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sbr->reset) {
for (i = 0; i < h_SL; i++) {
memcpy(g_temp[i + 2*ch_data->t_env[0]], sbr->gain[0], m_max * sizeof(sbr->gain[0][0]));
memcpy(q_temp[i + 2*ch_data->t_env[0]], sbr->q_m[0], m_max * sizeof(sbr->q_m[0][0]));
}
} else if (h_SL) {
memcpy(g_temp[2*ch_data->t_env[0]], g_temp[2*ch_data->t_env_num_env_old], 4*sizeof(g_temp[0]));
memcpy(q_temp[2*ch_data->t_env[0]], q_temp[2*ch_data->t_env_num_env_old], 4*sizeof(q_temp[0]));
Reported by FlawFinder.
Line: 343
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sbr->reset) {
for (i = 0; i < h_SL; i++) {
memcpy(g_temp[i + 2*ch_data->t_env[0]], sbr->gain[0], m_max * sizeof(sbr->gain[0][0]));
memcpy(q_temp[i + 2*ch_data->t_env[0]], sbr->q_m[0], m_max * sizeof(sbr->q_m[0][0]));
}
} else if (h_SL) {
memcpy(g_temp[2*ch_data->t_env[0]], g_temp[2*ch_data->t_env_num_env_old], 4*sizeof(g_temp[0]));
memcpy(q_temp[2*ch_data->t_env[0]], q_temp[2*ch_data->t_env_num_env_old], 4*sizeof(q_temp[0]));
}
Reported by FlawFinder.
Line: 346
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(q_temp[i + 2*ch_data->t_env[0]], sbr->q_m[0], m_max * sizeof(sbr->q_m[0][0]));
}
} else if (h_SL) {
memcpy(g_temp[2*ch_data->t_env[0]], g_temp[2*ch_data->t_env_num_env_old], 4*sizeof(g_temp[0]));
memcpy(q_temp[2*ch_data->t_env[0]], q_temp[2*ch_data->t_env_num_env_old], 4*sizeof(q_temp[0]));
}
for (e = 0; e < ch_data->bs_num_env; e++) {
for (i = 2 * ch_data->t_env[e]; i < 2 * ch_data->t_env[e + 1]; i++) {
Reported by FlawFinder.
Line: 347
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
} else if (h_SL) {
memcpy(g_temp[2*ch_data->t_env[0]], g_temp[2*ch_data->t_env_num_env_old], 4*sizeof(g_temp[0]));
memcpy(q_temp[2*ch_data->t_env[0]], q_temp[2*ch_data->t_env_num_env_old], 4*sizeof(q_temp[0]));
}
for (e = 0; e < ch_data->bs_num_env; e++) {
for (i = 2 * ch_data->t_env[e]; i < 2 * ch_data->t_env[e + 1]; i++) {
g_temp1 = g_temp[h_SL + i];
Reported by FlawFinder.
libavfilter/vf_removegrain.c
4 issues
Line: 545
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst = out->data[i] + y * out->linesize[i];
if (s->skip_even && !(y & 1)) {
memcpy(dst, src, s->planewidth[i]);
continue;
}
if (s->skip_odd && y & 1) {
memcpy(dst, src, s->planewidth[i]);
continue;
Reported by FlawFinder.
Line: 549
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
}
if (s->skip_odd && y & 1) {
memcpy(dst, src, s->planewidth[i]);
continue;
}
*dst++ = *src++;
Reported by FlawFinder.
Line: 615
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
}
memcpy(dst, src, s->planewidth[i]);
td.in = in; td.out = out; td.plane = i;
ff_filter_execute(ctx, filter_slice, &td, NULL,
FFMIN(s->planeheight[i], ff_filter_get_nb_threads(ctx)));
Reported by FlawFinder.
Line: 623
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src = in->data[i] + (s->planeheight[i] - 1) * in->linesize[i];
dst = out->data[i] + (s->planeheight[i] - 1) * out->linesize[i];
memcpy(dst, src, s->planewidth[i]);
}
av_frame_free(&in);
return ff_filter_frame(outlink, out);
}
Reported by FlawFinder.
libavformat/smjpegenc.c
4 issues
Line: 52
Column: 23
CWE codes:
126
ff_standardize_creation_time(s);
while ((t = av_dict_get(s->metadata, "", t, AV_DICT_IGNORE_SUFFIX))) {
avio_wl32(pb, SMJPEG_TXT);
avio_wb32(pb, strlen(t->key) + strlen(t->value) + 3);
avio_write(pb, t->key, strlen(t->key));
avio_write(pb, " = ", 3);
avio_write(pb, t->value, strlen(t->value));
}
Reported by FlawFinder.
Line: 52
Column: 40
CWE codes:
126
ff_standardize_creation_time(s);
while ((t = av_dict_get(s->metadata, "", t, AV_DICT_IGNORE_SUFFIX))) {
avio_wl32(pb, SMJPEG_TXT);
avio_wb32(pb, strlen(t->key) + strlen(t->value) + 3);
avio_write(pb, t->key, strlen(t->key));
avio_write(pb, " = ", 3);
avio_write(pb, t->value, strlen(t->value));
}
Reported by FlawFinder.
Line: 53
Column: 32
CWE codes:
126
while ((t = av_dict_get(s->metadata, "", t, AV_DICT_IGNORE_SUFFIX))) {
avio_wl32(pb, SMJPEG_TXT);
avio_wb32(pb, strlen(t->key) + strlen(t->value) + 3);
avio_write(pb, t->key, strlen(t->key));
avio_write(pb, " = ", 3);
avio_write(pb, t->value, strlen(t->value));
}
for (n = 0; n < s->nb_streams; n++) {
Reported by FlawFinder.
Line: 55
Column: 34
CWE codes:
126
avio_wb32(pb, strlen(t->key) + strlen(t->value) + 3);
avio_write(pb, t->key, strlen(t->key));
avio_write(pb, " = ", 3);
avio_write(pb, t->value, strlen(t->value));
}
for (n = 0; n < s->nb_streams; n++) {
AVStream *st = s->streams[n];
AVCodecParameters *par = st->codecpar;
Reported by FlawFinder.
libavformat/subtitles.c
4 issues
Line: 123
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
old_len = sub->size;
if (av_grow_packet(sub, len) < 0)
return NULL;
memcpy(sub->data + old_len, event, len);
} else {
/* new event */
if (q->nb_subs >= INT_MAX/sizeof(*q->subs) - 1)
return NULL;
Reported by FlawFinder.
Line: 144
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
subs[q->nb_subs++] = sub;
sub->flags |= AV_PKT_FLAG_KEY;
sub->pts = sub->dts = 0;
memcpy(sub->data, event, len);
}
return sub;
}
static int cmp_pkt_sub_ts_pos(const void *a, const void *b)
Reported by FlawFinder.
Line: 387
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ff_subtitles_read_text_chunk(FFTextReader *tr, AVBPrint *buf)
{
char eol_buf[5], last_was_cr = 0;
int n = 0, i = 0, nb_eol = 0;
av_bprint_clear(buf);
for (;;) {
Reported by FlawFinder.
Line: 363
Column: 24
CWE codes:
126
const char *ff_smil_get_attr_ptr(const char *s, const char *attr)
{
int in_quotes = 0;
const size_t len = strlen(attr);
while (*s) {
while (*s) {
if (!in_quotes && av_isspace(*s))
break;
Reported by FlawFinder.
libavcodec/libxavs2.c
4 issues
Line: 31
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "libavutil/avstring.h"
#define xavs2_opt_set2(name, format, ...) do{ \
char opt_str[16] = {0}; \
int err; \
av_strlcatf(opt_str, sizeof(opt_str), format, __VA_ARGS__); \
err = cae->api->opt_set2(cae->param, name, opt_str); \
if (err < 0) {\
av_log(avctx, AV_LOG_WARNING, "Invalid value for %s: %s\n", name, opt_str);\
Reported by FlawFinder.
Line: 161
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p_buffer = frame->data[plane];
stride = pic->img.i_width[plane] * pic->img.in_sample_size;
for (hIdx = 0; hIdx < pic->img.i_lines[plane]; hIdx++) {
memcpy(p_plane, p_buffer, stride);
p_plane += pic->img.i_stride[plane];
p_buffer += frame->linesize[plane];
}
}
}
Reported by FlawFinder.
Line: 187
Column: 38
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (pic.img.in_sample_size == pic.img.enc_sample_size) {
xavs2_copy_frame(&pic, frame);
} else {
const int shift_in = atoi(cae->api->opt_get(cae->param, "SampleShift"));
xavs2_copy_frame_with_shift(&pic, frame, shift_in);
}
break;
case AV_PIX_FMT_YUV420P10:
if (pic.img.in_sample_size == pic.img.enc_sample_size) {
Reported by FlawFinder.
Line: 232
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pkt->flags |= AV_PKT_FLAG_KEY;
}
memcpy(pkt->data, cae->packet.stream, cae->packet.len);
cae->api->encoder_packet_unref(cae->encoder, &cae->packet);
*got_packet = 1;
} else {
Reported by FlawFinder.