The following issues were found
libavcodec/tiffenc.c
4 issues
Line: 190
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case TIFF_RAW:
if (check_size(s, n))
return AVERROR(EINVAL);
memcpy(dst, src, n);
return n;
case TIFF_PACKBITS:
return ff_rle_encode(dst, s->buf_size - (*s->buf - s->buf_start),
src, 1, n, 2, 0xff, -1, 0);
case TIFF_LZW:
Reported by FlawFinder.
Line: 395
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (j = 0; j < s->rps; j++) {
if (is_yuv) {
pack_yuv(s, p, s->yuv_line, j);
memcpy(zbuf + zn, s->yuv_line, bytes_per_row);
j += s->subsampling[1] - 1;
} else
memcpy(zbuf + j * bytes_per_row,
p->data[0] + j * p->linesize[0], bytes_per_row);
zn += bytes_per_row;
Reported by FlawFinder.
Line: 398
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(zbuf + zn, s->yuv_line, bytes_per_row);
j += s->subsampling[1] - 1;
} else
memcpy(zbuf + j * bytes_per_row,
p->data[0] + j * p->linesize[0], bytes_per_row);
zn += bytes_per_row;
}
ret = encode_strip(s, zbuf, ptr, zn, s->compr);
av_free(zbuf);
Reported by FlawFinder.
Line: 484
Column: 19
CWE codes:
126
if (!(avctx->flags & AV_CODEC_FLAG_BITEXACT))
ADD_ENTRY(s, TIFF_SOFTWARE_NAME, TIFF_STRING,
strlen(LIBAVCODEC_IDENT) + 1, LIBAVCODEC_IDENT);
if (avctx->pix_fmt == AV_PIX_FMT_PAL8) {
uint16_t pal[256 * 3];
for (i = 0; i < 256; i++) {
uint32_t rgb = *(uint32_t *) (p->data[1] + i * 4);
Reported by FlawFinder.
libavfilter/vf_vectorscope.c
4 issues
Line: 965
Column: 79
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
}
static void draw_ihtext(AVFrame *out, int x, int y, float o1, float o2, const char *txt, const uint8_t color[4])
{
const uint8_t *font;
int font_height;
int i, plane;
Reported by FlawFinder.
Line: 990
Column: 81
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
}
static void draw_ihtext16(AVFrame *out, int x, int y, float o1, float o2, const char *txt, const uint16_t color[4])
{
const uint8_t *font;
int font_height;
int i, plane;
Reported by FlawFinder.
Line: 1016
Column: 78
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
}
static void draw_htext(AVFrame *out, int x, int y, float o1, float o2, const char *txt, const uint8_t color[4])
{
const uint8_t *font;
int font_height;
int i, plane;
Reported by FlawFinder.
Line: 1042
Column: 80
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
}
static void draw_htext16(AVFrame *out, int x, int y, float o1, float o2, const char *txt, const uint16_t color[4])
{
const uint8_t *font;
int font_height;
int i, plane;
Reported by FlawFinder.
libavcodec/mips/aacsbr_mips.c
4 issues
Line: 342
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sbr->reset) {
for (i = 0; i < h_SL; i++) {
memcpy(g_temp[i + 2*ch_data->t_env[0]], sbr->gain[0], m_max * sizeof(sbr->gain[0][0]));
memcpy(q_temp[i + 2*ch_data->t_env[0]], sbr->q_m[0], m_max * sizeof(sbr->q_m[0][0]));
}
} else if (h_SL) {
memcpy(g_temp[2*ch_data->t_env[0]], g_temp[2*ch_data->t_env_num_env_old], 4*sizeof(g_temp[0]));
memcpy(q_temp[2*ch_data->t_env[0]], q_temp[2*ch_data->t_env_num_env_old], 4*sizeof(q_temp[0]));
Reported by FlawFinder.
Line: 343
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sbr->reset) {
for (i = 0; i < h_SL; i++) {
memcpy(g_temp[i + 2*ch_data->t_env[0]], sbr->gain[0], m_max * sizeof(sbr->gain[0][0]));
memcpy(q_temp[i + 2*ch_data->t_env[0]], sbr->q_m[0], m_max * sizeof(sbr->q_m[0][0]));
}
} else if (h_SL) {
memcpy(g_temp[2*ch_data->t_env[0]], g_temp[2*ch_data->t_env_num_env_old], 4*sizeof(g_temp[0]));
memcpy(q_temp[2*ch_data->t_env[0]], q_temp[2*ch_data->t_env_num_env_old], 4*sizeof(q_temp[0]));
}
Reported by FlawFinder.
Line: 346
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(q_temp[i + 2*ch_data->t_env[0]], sbr->q_m[0], m_max * sizeof(sbr->q_m[0][0]));
}
} else if (h_SL) {
memcpy(g_temp[2*ch_data->t_env[0]], g_temp[2*ch_data->t_env_num_env_old], 4*sizeof(g_temp[0]));
memcpy(q_temp[2*ch_data->t_env[0]], q_temp[2*ch_data->t_env_num_env_old], 4*sizeof(q_temp[0]));
}
for (e = 0; e < ch_data->bs_num_env; e++) {
for (i = 2 * ch_data->t_env[e]; i < 2 * ch_data->t_env[e + 1]; i++) {
Reported by FlawFinder.
Line: 347
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
} else if (h_SL) {
memcpy(g_temp[2*ch_data->t_env[0]], g_temp[2*ch_data->t_env_num_env_old], 4*sizeof(g_temp[0]));
memcpy(q_temp[2*ch_data->t_env[0]], q_temp[2*ch_data->t_env_num_env_old], 4*sizeof(q_temp[0]));
}
for (e = 0; e < ch_data->bs_num_env; e++) {
for (i = 2 * ch_data->t_env[e]; i < 2 * ch_data->t_env[e + 1]; i++) {
g_temp1 = g_temp[h_SL + i];
Reported by FlawFinder.
libavformat/subtitles.c
4 issues
Line: 123
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
old_len = sub->size;
if (av_grow_packet(sub, len) < 0)
return NULL;
memcpy(sub->data + old_len, event, len);
} else {
/* new event */
if (q->nb_subs >= INT_MAX/sizeof(*q->subs) - 1)
return NULL;
Reported by FlawFinder.
Line: 144
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
subs[q->nb_subs++] = sub;
sub->flags |= AV_PKT_FLAG_KEY;
sub->pts = sub->dts = 0;
memcpy(sub->data, event, len);
}
return sub;
}
static int cmp_pkt_sub_ts_pos(const void *a, const void *b)
Reported by FlawFinder.
Line: 387
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ff_subtitles_read_text_chunk(FFTextReader *tr, AVBPrint *buf)
{
char eol_buf[5], last_was_cr = 0;
int n = 0, i = 0, nb_eol = 0;
av_bprint_clear(buf);
for (;;) {
Reported by FlawFinder.
Line: 363
Column: 24
CWE codes:
126
const char *ff_smil_get_attr_ptr(const char *s, const char *attr)
{
int in_quotes = 0;
const size_t len = strlen(attr);
while (*s) {
while (*s) {
if (!in_quotes && av_isspace(*s))
break;
Reported by FlawFinder.
libavcodec/tableprint.h
4 issues
Line: 54
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
printf(" {\n");\
for (i = 0; i < len; i++) {\
write_##type##_array(data + i * len2, len2);\
printf(i == len - 1 ? " }\n" : " }, {\n");\
}\
}
/**
* @name Predefined functions for printing tables
Reported by FlawFinder.
Line: 88
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define WRITE_ARRAY_ALIGNED(prefix, align, type, name) \
do { \
const size_t array_size = FF_ARRAY_ELEMS(name); \
printf(prefix" DECLARE_ALIGNED("#align", " \
#type", "#name")[%"FMT"] = {\n", \
array_size); \
write_##type##_array(name, array_size); \
printf("};\n"); \
} while(0)
Reported by FlawFinder.
Line: 98
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define WRITE_ARRAY(prefix, type, name) \
do { \
const size_t array_size = FF_ARRAY_ELEMS(name); \
printf(prefix" "#type" "#name"[%"FMT"] = {\n", \
array_size); \
write_##type##_array(name, array_size); \
printf("};\n"); \
} while(0)
Reported by FlawFinder.
Line: 108
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
do { \
const size_t array_size1 = FF_ARRAY_ELEMS(name); \
const size_t array_size2 = FF_ARRAY_ELEMS(name[0]); \
printf(prefix" "#type" "#name"[%"FMT"][%"FMT"] = {\n", \
array_size1, array_size2 ); \
write_##type##_2d_array(name, array_size1, array_size2); \
printf("};\n"); \
} while(0)
Reported by FlawFinder.
libavfilter/vf_removegrain.c
4 issues
Line: 545
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst = out->data[i] + y * out->linesize[i];
if (s->skip_even && !(y & 1)) {
memcpy(dst, src, s->planewidth[i]);
continue;
}
if (s->skip_odd && y & 1) {
memcpy(dst, src, s->planewidth[i]);
continue;
Reported by FlawFinder.
Line: 549
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
}
if (s->skip_odd && y & 1) {
memcpy(dst, src, s->planewidth[i]);
continue;
}
*dst++ = *src++;
Reported by FlawFinder.
Line: 615
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
}
memcpy(dst, src, s->planewidth[i]);
td.in = in; td.out = out; td.plane = i;
ff_filter_execute(ctx, filter_slice, &td, NULL,
FFMIN(s->planeheight[i], ff_filter_get_nb_threads(ctx)));
Reported by FlawFinder.
Line: 623
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src = in->data[i] + (s->planeheight[i] - 1) * in->linesize[i];
dst = out->data[i] + (s->planeheight[i] - 1) * out->linesize[i];
memcpy(dst, src, s->planewidth[i]);
}
av_frame_free(&in);
return ff_filter_frame(outlink, out);
}
Reported by FlawFinder.
libavformat/smjpegenc.c
4 issues
Line: 52
Column: 23
CWE codes:
126
ff_standardize_creation_time(s);
while ((t = av_dict_get(s->metadata, "", t, AV_DICT_IGNORE_SUFFIX))) {
avio_wl32(pb, SMJPEG_TXT);
avio_wb32(pb, strlen(t->key) + strlen(t->value) + 3);
avio_write(pb, t->key, strlen(t->key));
avio_write(pb, " = ", 3);
avio_write(pb, t->value, strlen(t->value));
}
Reported by FlawFinder.
Line: 52
Column: 40
CWE codes:
126
ff_standardize_creation_time(s);
while ((t = av_dict_get(s->metadata, "", t, AV_DICT_IGNORE_SUFFIX))) {
avio_wl32(pb, SMJPEG_TXT);
avio_wb32(pb, strlen(t->key) + strlen(t->value) + 3);
avio_write(pb, t->key, strlen(t->key));
avio_write(pb, " = ", 3);
avio_write(pb, t->value, strlen(t->value));
}
Reported by FlawFinder.
Line: 53
Column: 32
CWE codes:
126
while ((t = av_dict_get(s->metadata, "", t, AV_DICT_IGNORE_SUFFIX))) {
avio_wl32(pb, SMJPEG_TXT);
avio_wb32(pb, strlen(t->key) + strlen(t->value) + 3);
avio_write(pb, t->key, strlen(t->key));
avio_write(pb, " = ", 3);
avio_write(pb, t->value, strlen(t->value));
}
for (n = 0; n < s->nb_streams; n++) {
Reported by FlawFinder.
Line: 55
Column: 34
CWE codes:
126
avio_wb32(pb, strlen(t->key) + strlen(t->value) + 3);
avio_write(pb, t->key, strlen(t->key));
avio_write(pb, " = ", 3);
avio_write(pb, t->value, strlen(t->value));
}
for (n = 0; n < s->nb_streams; n++) {
AVStream *st = s->streams[n];
AVCodecParameters *par = st->codecpar;
Reported by FlawFinder.
libavcodec/libxavs2.c
4 issues
Line: 31
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "libavutil/avstring.h"
#define xavs2_opt_set2(name, format, ...) do{ \
char opt_str[16] = {0}; \
int err; \
av_strlcatf(opt_str, sizeof(opt_str), format, __VA_ARGS__); \
err = cae->api->opt_set2(cae->param, name, opt_str); \
if (err < 0) {\
av_log(avctx, AV_LOG_WARNING, "Invalid value for %s: %s\n", name, opt_str);\
Reported by FlawFinder.
Line: 161
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p_buffer = frame->data[plane];
stride = pic->img.i_width[plane] * pic->img.in_sample_size;
for (hIdx = 0; hIdx < pic->img.i_lines[plane]; hIdx++) {
memcpy(p_plane, p_buffer, stride);
p_plane += pic->img.i_stride[plane];
p_buffer += frame->linesize[plane];
}
}
}
Reported by FlawFinder.
Line: 187
Column: 38
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (pic.img.in_sample_size == pic.img.enc_sample_size) {
xavs2_copy_frame(&pic, frame);
} else {
const int shift_in = atoi(cae->api->opt_get(cae->param, "SampleShift"));
xavs2_copy_frame_with_shift(&pic, frame, shift_in);
}
break;
case AV_PIX_FMT_YUV420P10:
if (pic.img.in_sample_size == pic.img.enc_sample_size) {
Reported by FlawFinder.
Line: 232
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pkt->flags |= AV_PKT_FLAG_KEY;
}
memcpy(pkt->data, cae->packet.stream, cae->packet.len);
cae->api->encoder_packet_unref(cae->encoder, &cae->packet);
*got_packet = 1;
} else {
Reported by FlawFinder.
libavformat/srtdec.c
4 issues
Line: 80
Column: 9
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
ei->x1 = ei->x2 = ei->y1 = ei->y2 = ei->duration = -1;
ei->pts = AV_NOPTS_VALUE;
ei->pos = -1;
if (sscanf(line, "%d:%d:%d%*1[,.]%d --> %d:%d:%d%*1[,.]%d"
"%*[ ]X1:%"PRId32" X2:%"PRId32" Y1:%"PRId32" Y2:%"PRId32,
&hh1, &mm1, &ss1, &ms1,
&hh2, &mm2, &ss2, &ms2,
&ei->x1, &ei->x2, &ei->y1, &ei->y2) >= 8) {
const int64_t start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1;
Reported by FlawFinder.
Line: 179
Column: 17
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (strtol(line, &pline, 10) < 0 || line == pline)
av_bprintf(&buf, "%s\n", line);
else
strcpy(line_cache, line);
} else {
if (has_event_info) {
/* We have the information of previous event, append it to the
* queue. We insert the cached line if and only if the payload
* is empty and the cached line is not a standalone number. */
Reported by FlawFinder.
Line: 36
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int srt_probe(const AVProbeData *p)
{
int v;
char buf[64], *pbuf;
FFTextReader tr;
ff_text_init_buf(&tr, p->buf, p->buf_size);
while (ff_text_peek_r8(&tr) == '\r' || ff_text_peek_r8(&tr) == '\n')
Reported by FlawFinder.
Line: 132
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVBPrint buf;
AVStream *st = avformat_new_stream(s, NULL);
int res = 0;
char line[4096], line_cache[4096];
int has_event_info = 0;
struct event_info ei;
FFTextReader tr;
ff_text_init_avio(s, &tr, s->pb);
Reported by FlawFinder.
libavfilter/vf_fieldorder.c
4 issues
Line: 122
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* penultimate line from that field. */
for (line = 0; line < h; line++) {
if (1 + line < frame->height) {
memcpy(dst, src + src_line_step, line_size);
} else {
memcpy(dst, src - 2 * src_line_step, line_size);
}
dst += dst_line_step;
src += src_line_step;
Reported by FlawFinder.
Line: 124
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (1 + line < frame->height) {
memcpy(dst, src + src_line_step, line_size);
} else {
memcpy(dst, src - 2 * src_line_step, line_size);
}
dst += dst_line_step;
src += src_line_step;
}
} else {
Reported by FlawFinder.
Line: 139
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src += (h - 1) * src_line_step;
for (line = h - 1; line >= 0 ; line--) {
if (line > 0) {
memcpy(dst, src - src_line_step, line_size);
} else {
memcpy(dst, src + 2 * src_line_step, line_size);
}
dst -= dst_line_step;
src -= src_line_step;
Reported by FlawFinder.
Line: 141
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (line > 0) {
memcpy(dst, src - src_line_step, line_size);
} else {
memcpy(dst, src + 2 * src_line_step, line_size);
}
dst -= dst_line_step;
src -= src_line_step;
}
}
Reported by FlawFinder.