The following issues were found
fftools/ffprobe.c
19 issues
Line: 313
Column: 5
CWE codes:
119
120
Suggestion:
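Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. FlawFinder raises this on the declaration of a fixed-size array (here `char line[1024]`), not on a write to it; triage means checking every write into the buffer, which this excerpt does not show.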
{
AVClass* avc = ptr ? *(AVClass **) ptr : NULL;
va_list vl2;
char line[1024];
static int print_prefix = 1;
void *new_log_buffer;
va_copy(vl2, vl);
av_log_default_callback(ptr, level, fmt, vl);
Reported by FlawFinder.
Line: 798
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void writer_print_time(WriterContext *wctx, const char *key,
int64_t ts, const AVRational *time_base, int is_duration)
{
char buf[128];
if ((!is_duration && ts == AV_NOPTS_VALUE) || (is_duration && ts == 0)) {
writer_print_string(wctx, key, "N/A", PRINT_STRING_OPT);
} else {
double d = ts * av_q2d(*time_base);
Reported by FlawFinder.
Line: 852
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void writer_print_data_hash(WriterContext *wctx, const char *name,
uint8_t *data, int size)
{
char *p, buf[AV_HASH_MAX_SIZE * 2 + 64] = { 0 };
if (!hash)
return;
av_hash_init(hash);
av_hash_update(hash, data, size);
Reported by FlawFinder.
Line: 965
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void default_print_section_header(WriterContext *wctx)
{
DefaultContext *def = wctx->priv;
char buf[32];
const struct section *section = wctx->section[wctx->level];
const struct section *parent_section = wctx->level ?
wctx->section[wctx->level-1] : NULL;
av_bprint_clear(&wctx->section_pbuf[wctx->level]);
Reported by FlawFinder.
Line: 991
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
DefaultContext *def = wctx->priv;
const struct section *section = wctx->section[wctx->level];
char buf[32];
if (def->noprint_wrappers || def->nested_section[wctx->level])
return;
if (!(section->flags & (SECTION_FLAG_IS_WRAPPER|SECTION_FLAG_IS_ARRAY)))
Reported by FlawFinder.
Line: 2160
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int packet_idx)
{
char val_str[128];
AVStream *st = ifile->streams[pkt->stream_index].st;
AVBPrint pbuf;
const char *s;
av_bprint_init(&pbuf, 1, AV_BPRINT_SIZE_UNLIMITED);
Reported by FlawFinder.
Line: 2238
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVFormatContext *fmt_ctx)
{
AVBPrint pbuf;
char val_str[128];
const char *s;
int i;
av_bprint_init(&pbuf, 1, AV_BPRINT_SIZE_UNLIMITED);
Reported by FlawFinder.
Line: 2325
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
writer_print_integers(w, "displaymatrix", sd->data, 9, " %11d", 3, 4, 1);
print_int("rotation", av_display_rotation_get((int32_t *)sd->data));
} else if (sd->type == AV_FRAME_DATA_GOP_TIMECODE && sd->size >= 8) {
char tcbuf[AV_TIMECODE_STR_SIZE];
av_timecode_make_mpeg_tc_string(tcbuf, *(int64_t *)(sd->data));
print_str("timecode", tcbuf);
} else if (sd->type == AV_FRAME_DATA_S12M_TIMECODE && sd->size == 16) {
uint32_t *tc = (uint32_t*)sd->data;
int m = FFMIN(tc[0],3);
Reported by FlawFinder.
Line: 2333
Column: 21
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int m = FFMIN(tc[0],3);
writer_print_section_header(w, SECTION_ID_FRAME_SIDE_DATA_TIMECODE_LIST);
for (int j = 1; j <= m ; j++) {
char tcbuf[AV_TIMECODE_STR_SIZE];
av_timecode_make_smpte_tc_string2(tcbuf, stream->avg_frame_rate, tc[j], 0, 0);
writer_print_section_header(w, SECTION_ID_FRAME_SIDE_DATA_TIMECODE);
print_str("value", tcbuf);
writer_print_section_footer(w);
}
Reported by FlawFinder.
Line: 2603
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVStream *stream = ist->st;
AVCodecParameters *par;
AVCodecContext *dec_ctx;
char val_str[128];
const char *s;
AVRational sar, dar;
AVBPrint pbuf;
const AVCodecDescriptor *cd;
int ret = 0;
Reported by FlawFinder.
libavformat/rtsp.h
19 issues
Line: 118
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int mode_record;
struct sockaddr_storage destination; /**< destination IP address */
char source[INET6_ADDRSTRLEN + 1]; /**< source IP address */
/** data/packet transport protocol; e.g. RTP or RDT */
enum RTSPTransport transport;
/** network layer transport protocol; e.g. TCP or UDP uni-/multicast */
Reported by FlawFinder.
Line: 151
Column: 5
CWE codes:
119
120
Suggestion:
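Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. These fields hold header values sent by the RTSP server (see the field comments), so the length limit has to be enforced in the parsing code that fills them; the declarations in this header cannot show whether it is.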
/** the "Session:" field. This value is initially set by the server and
* should be re-transmitted by the client in every RTSP command. */
char session_id[512];
/** the "Location:" field. This value is used to handle redirection.
*/
char location[4096];
Reported by FlawFinder.
Line: 155
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/** the "Location:" field. This value is used to handle redirection.
*/
char location[4096];
/** the "RealChallenge1:" field from the server */
char real_challenge[64];
/** the "Server: field, which can be used to identify some special-case
Reported by FlawFinder.
Line: 158
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char location[4096];
/** the "RealChallenge1:" field from the server */
char real_challenge[64];
/** the "Server: field, which can be used to identify some special-case
* servers that are not 100% standards-compliant. We use this to identify
* Windows Media Server, which has a value "WMServer/v.e.r.sion", where
* version is a sequence of digits (e.g. 9.0.0.3372). Helix/Real servers
Reported by FlawFinder.
Line: 167
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* use something like "Helix [..] Server Version v.e.r.sion (platform)
* (RealServer compatible)" or "RealServer Version v.e.r.sion (platform)",
* where platform is the output of $uname -msr | sed 's/ /-/g'. */
char server[64];
/** The "timeout" comes as part of the server response to the "SETUP"
* command, in the "Session: <xyz>[;timeout=<value>]" line. It is the
* time, in seconds, that the server will go without traffic over the
* RTSP/TCP connection before it closes the connection. To prevent
Reported by FlawFinder.
Line: 185
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/** The "reason" is meant to specify better the meaning of the error code
* returned
*/
char reason[256];
/**
* Content type header
*/
char content_type[64];
Reported by FlawFinder.
Line: 190
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/**
* Content type header
*/
char content_type[64];
/**
* SAT>IP com.ses.streamID header
*/
char stream_id[64];
Reported by FlawFinder.
Line: 195
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/**
* SAT>IP com.ses.streamID header
*/
char stream_id[64];
} RTSPMessageHeader;
/**
* Client state, i.e. whether we are currently receiving data (PLAYING) or
* setup-but-not-receiving (PAUSED). State can be changed in applications
Reported by FlawFinder.
Line: 254
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/** copy of RTSPMessageHeader->session_id, i.e. the server-provided session
* identifier that the client should re-transmit in each RTSP command */
char session_id[512];
/** copy of RTSPMessageHeader->timeout, i.e. the time (in seconds) that
* the server will go without traffic on the RTSP/TCP line before it
* closes the connection. */
int timeout;
Reported by FlawFinder.
Line: 279
Column: 5
CWE codes:
119
120
Suggestion:
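Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Per its comment, `auth` holds the username:password line in plaintext, so besides the length bound, the lifetime of this buffer and any logging of the structure are worth reviewing.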
enum RTSPServerType server_type;
/** the "RealChallenge1:" field from the server */
char real_challenge[64];
/** plaintext authorization line (username:password) */
char auth[128];
/** authentication state */
Reported by FlawFinder.
fftools/ffmpeg_opt.c
19 issues
Line: 3217
Column: 5
CWE codes:
134
Suggestion:
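Use a constant for the format specification. In this excerpt the format passed to snprintf is `"%"PRIu64` (a string literal concatenated with the standard `PRIu64` macro) and the av_log format is also a literal, so neither call takes a caller-controlled format; the finding appears to come from the scanner not recognising the macro concatenation.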
av_log(NULL, AV_LOG_ERROR, "Unknown channel layout: %s\n", arg);
return AVERROR(EINVAL);
}
snprintf(layout_str, sizeof(layout_str), "%"PRIu64, layout);
ret = opt_default_new(o, opt, layout_str);
if (ret < 0)
return ret;
/* set 'ac' option based on channel layout */
Reported by FlawFinder.
Line: 1405
Column: 29
CWE codes:
807
20
Suggestion:
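Check environment variables carefully before using them. Here `AVCONV_DATADIR` and `HOME` appear to be used as base directories for a file lookup, so their values should be treated as untrusted input whenever the process can be started with an environment chosen by someone else; how the path in `filename[1000]` is then built is outside this excerpt.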
{
int i, ret = -1;
char filename[1000];
const char *base[3] = { getenv("AVCONV_DATADIR"),
getenv("HOME"),
AVCONV_DATADIR,
};
for (i = 0; i < FF_ARRAY_ELEMS(base) && ret < 0; i++) {
Reported by FlawFinder.
Line: 1406
Column: 29
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
int i, ret = -1;
char filename[1000];
const char *base[3] = { getenv("AVCONV_DATADIR"),
getenv("HOME"),
AVCONV_DATADIR,
};
for (i = 0; i < FF_ARRAY_ELEMS(base) && ret < 0; i++) {
if (!base[i])
Reported by FlawFinder.
Line: 102
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define WARN_MULTIPLE_OPT_USAGE(name, type, so, st)\
{\
char namestr[128] = "";\
const char *spec = so->specifier && so->specifier[0] ? so->specifier : "";\
for (i = 0; opt_name_##name[i]; i++)\
av_strlcatf(namestr, sizeof(namestr), "-%s%s", opt_name_##name[i], opt_name_##name[i+1] ? (opt_name_##name[i+2] ? ", " : " or ") : "");\
av_log(NULL, AV_LOG_WARNING, "Multiple %s options specified for stream %d, only the last option '-%s%s%s "SPECIFIER_OPT_FMT_##type"' will be used.\n",\
namestr, st->index, opt_name_##name[0], spec[0] ? ":" : "", spec, so->u.type);\
Reported by FlawFinder.
Line: 744
Column: 5
CWE codes:
119
120
Suggestion:
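Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In the lines shown, `buf` is written only by `strftime`, bounded by `sizeof(buf)`. The lines that merit review are the unchecked dereference of the `gmtime()` result, which is NULL when the time cannot be represented, and the cast of an `int64_t *` to `time_t *`, which reads the wrong width where `time_t` is not 64 bits.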
static int opt_recording_timestamp(void *optctx, const char *opt, const char *arg)
{
OptionsContext *o = optctx;
char buf[128];
int64_t recording_timestamp = parse_time_or_die(opt, arg, 0) / 1E6;
struct tm time = *gmtime((time_t*)&recording_timestamp);
if (!strftime(buf, sizeof(buf), "creation_time=%Y-%m-%dT%H:%M:%S%z", &time))
return -1;
parse_option(o, "metadata", buf, options);
Reported by FlawFinder.
Line: 1404
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int get_preset_file_2(const char *preset_name, const char *codec_name, AVIOContext **s)
{
int i, ret = -1;
char filename[1000];
const char *base[3] = { getenv("AVCONV_DATADIR"),
getenv("HOME"),
AVCONV_DATADIR,
};
Reported by FlawFinder.
Line: 1405
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i, ret = -1;
char filename[1000];
const char *base[3] = { getenv("AVCONV_DATADIR"),
getenv("HOME"),
AVCONV_DATADIR,
};
for (i = 0; i < FF_ARRAY_ELEMS(base) && ret < 0; i++) {
Reported by FlawFinder.
Line: 1653
Column: 19
CWE codes:
190
Suggestion:
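If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). In this excerpt the index is bounded (the loop breaks at `i == 63`), but `atoi` cannot report a parse failure or an out-of-range value, so each coefficient is stored without a range check in the lines shown; `strtol` with an explicit range check is the usual replacement.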
int i;
const char *p = str;
for (i = 0;; i++) {
dest[i] = atoi(p);
if (i == 63)
break;
p = strchr(p, ',');
if (!p) {
av_log(NULL, AV_LOG_FATAL, "Syntax error in matrix \"%s\" at coeff %d\n", str, i);
Reported by FlawFinder.
Line: 1883
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
exit_program(1);
if (do_pass) {
char logfilename[1024];
FILE *f;
snprintf(logfilename, sizeof(logfilename), "%s-%d.log",
ost->logfile_prefix ? ost->logfile_prefix :
DEFAULT_PASS_LOGFILENAME_PREFIX,
Reported by FlawFinder.
Line: 2079
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
OptionsContext *o = optctx;
int idx;
char *p;
char idx_str[16];
av_strlcpy(idx_str, arg, sizeof(idx_str));
p = strchr(idx_str, ':');
if (!p) {
av_log(NULL, AV_LOG_FATAL,
Reported by FlawFinder.
libavutil/opt.c
19 issues
Line: 1565
CWE codes:
908
{
int ret, count = 0;
const char *dummy_shorthand = NULL;
char *av_uninit(parsed_key), *av_uninit(value);
const char *key;
if (!opts)
return 0;
if (!shorthand)
Reported by Cppcheck.
Line: 1565
CWE codes:
908
{
int ret, count = 0;
const char *dummy_shorthand = NULL;
char *av_uninit(parsed_key), *av_uninit(value);
const char *key;
if (!opts)
return 0;
if (!shorthand)
Reported by Cppcheck.
Line: 807
Column: 15
CWE codes:
134
Suggestion:
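Use a constant for the format specification. Every snprintf call in this excerpt passes a string literal (`"%d"`, `"%"PRId64`, `"%"PRIu64`) as its format and `sizeof(buf)` as the size; the findings at lines 807, 810 and 874 look like false positives caused by the `PRI*64` macro concatenation.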
ret = snprintf(buf, sizeof(buf), "%d", *(int *)dst);
break;
case AV_OPT_TYPE_INT64:
ret = snprintf(buf, sizeof(buf), "%"PRId64, *(int64_t *)dst);
break;
case AV_OPT_TYPE_UINT64:
ret = snprintf(buf, sizeof(buf), "%"PRIu64, *(uint64_t *)dst);
break;
case AV_OPT_TYPE_FLOAT:
Reported by FlawFinder.
Line: 810
Column: 15
CWE codes:
134
Suggestion:
Use a constant for the format specification
ret = snprintf(buf, sizeof(buf), "%"PRId64, *(int64_t *)dst);
break;
case AV_OPT_TYPE_UINT64:
ret = snprintf(buf, sizeof(buf), "%"PRIu64, *(uint64_t *)dst);
break;
case AV_OPT_TYPE_FLOAT:
ret = snprintf(buf, sizeof(buf), "%f", *(float *)dst);
break;
case AV_OPT_TYPE_DOUBLE:
Reported by FlawFinder.
Line: 874
Column: 15
CWE codes:
134
Suggestion:
Use a constant for the format specification
break;
case AV_OPT_TYPE_CHANNEL_LAYOUT:
i64 = *(int64_t *)dst;
ret = snprintf(buf, sizeof(buf), "0x%"PRIx64, i64);
break;
case AV_OPT_TYPE_DICT:
if (!*(AVDictionary **)dst && (search_flags & AV_OPT_ALLOW_NULL)) {
*out_val = NULL;
return 0;
Reported by FlawFinder.
Line: 245
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (;;) {
int i = 0;
char buf[256];
int cmd = 0;
double d;
int64_t intnum = 1;
if (o->type == AV_OPT_TYPE_FLAGS) {
Reported by FlawFinder.
Line: 262
Column: 19
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int res;
int ci = 0;
double const_values[64];
const char * const_names[64];
int search_flags = (o->flags & AV_OPT_FLAG_CHILD_CONSTS) ? AV_OPT_SEARCH_CHILDREN : 0;
const AVOption *o_named = av_opt_find(target_obj, i ? buf : val, o->unit, 0, search_flags);
if (o_named && o_named->type == AV_OPT_TYPE_CONST)
d = DEFAULT_NUMVAL(o_named);
else {
Reported by FlawFinder.
Line: 626
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*dst = ptr;
*lendst = len;
if (len)
memcpy(ptr, val, len);
return 0;
}
int av_opt_set_image_size(void *obj, const char *name, int w, int h, int search_flags)
Reported by FlawFinder.
Line: 1127
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char *get_opt_flags_string(void *obj, const char *unit, int64_t value)
{
const AVOption *opt = NULL;
char flags[512];
flags[0] = 0;
if (!unit)
return NULL;
while ((opt = av_opt_next(obj, opt))) {
Reported by FlawFinder.
Line: 1297
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
break;
}
case AV_OPT_TYPE_DURATION: {
char buf[25];
format_duration(buf, sizeof(buf), opt->default_val.i64);
av_log(av_log_obj, AV_LOG_INFO, "%s", buf);
break;
}
case AV_OPT_TYPE_INT:
Reported by FlawFinder.
libavformat/aviobuf.c
18 issues
Line: 880
return ret;\
}\
GET_STR16(le, avio_rl16)
GET_STR16(be, avio_rb16)
#undef GET_STR16
uint64_t avio_rb64(AVIOContext *s)
Reported by Cppcheck.
Line: 224
Column: 9
CWE codes:
120
Suggestion:
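Make sure destination can always hold the source data. In this excerpt the copy length is clamped to the space left in the destination (`FFMIN(s->buf_end - s->buf_ptr, size)`) on the line before the `memcpy`; what remains to verify is that the caller's `buf` holds at least `size` bytes.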
}
while (size > 0) {
int len = FFMIN(s->buf_end - s->buf_ptr, size);
memcpy(s->buf_ptr, buf, len);
s->buf_ptr += len;
if (s->buf_ptr >= s->buf_end)
flush_buffer(s);
Reported by FlawFinder.
Line: 652
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
} else {
memcpy(buf, s->buf_ptr, len);
buf += len;
s->buf_ptr += len;
size -= len;
}
}
Reported by FlawFinder.
Line: 708
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (len > size)
len = size;
memcpy(buf, s->buf_ptr, len);
s->buf_ptr += len;
if (!len) {
if (s->error) return s->error;
if (avio_feof(s)) return AVERROR_EOF;
}
Reported by FlawFinder.
Line: 801
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int len, end;
int64_t read = 0;
char tmp[1024];
char c;
do {
len = 0;
do {
Reported by FlawFinder.
Line: 1005
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!buffer)
return AVERROR(ENOMEM);
update_checksum(s);
memcpy(buffer, s->buf_ptr, filled);
av_free(s->buffer);
s->buffer = buffer;
s->buffer_size = buf_size;
}
s->buf_ptr = s->buffer;
Reported by FlawFinder.
Line: 1049
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data_size = s->write_flag ? (s->buf_ptr - s->buffer) : (s->buf_end - s->buf_ptr);
if (data_size > 0)
memcpy(buffer, s->write_flag ? s->buffer : s->buf_ptr, data_size);
av_free(s->buffer);
s->buffer = buffer;
s->orig_buffer_size = buf_size;
s->buffer_size = buf_size;
s->buf_ptr = s->write_flag ? (s->buffer + data_size) : s->buffer;
Reported by FlawFinder.
Line: 1106
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR(ENOMEM);
if (new_size > buf_size) {
memcpy(buf + buf_size, s->buffer + overlap, buffer_size - overlap);
buf_size = new_size;
}
av_free(s->buffer);
s->buf_ptr = s->buffer = buf;
Reported by FlawFinder.
Line: 1236
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int avio_read_to_bprint(AVIOContext *h, AVBPrint *pb, size_t max_size)
{
int ret;
char buf[1024];
while (max_size) {
ret = avio_read(h, buf, FFMIN(max_size, sizeof(buf)));
if (ret == AVERROR_EOF)
return 0;
if (ret <= 0)
Reported by FlawFinder.
Line: 1302
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
d->allocated_size = new_allocated_size;
}
memcpy(d->buffer + d->pos, buf, buf_size);
d->pos = new_size;
if (d->pos > d->size)
d->size = d->pos;
return buf_size;
}
Reported by FlawFinder.
libavfilter/vf_datascope.c
18 issues
Line: 213
Column: 17
CWE codes:
134
Suggestion:
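Use a constant for the format specification. The format here is `format[D]`, selected from a local array of four string literals (shown in the excerpt for line 192), so the format text itself is fixed; the property to verify is that `D`, computed from `s->chars` and `s->dformat`, always falls in 0..3. The same applies to the findings at lines 256 and 298.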
if (!(s->components & (1 << p)))
continue;
snprintf(text, sizeof(text), format[D], value[p]);
draw_text(&s->draw, out, &reverse, xoff + x * C * 10 + 2, yoff + y * PP * 12 + pp * 10 + 2, text, 0);
pp++;
}
}
}
Reported by FlawFinder.
Line: 256
Column: 17
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (!(s->components & (1 << p)))
continue;
snprintf(text, sizeof(text), format[D], value[p]);
draw_text(&s->draw, out, &color, xoff + x * C * 10 + 2, yoff + y * PP * 12 + pp * 10 + 2, text, 0);
pp++;
}
}
}
Reported by FlawFinder.
Line: 298
Column: 17
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (!(s->components & (1 << p)))
continue;
snprintf(text, sizeof(text), format[D], value[p]);
draw_text(&s->draw, out, &s->white, xoff + x * C * 10 + 2, yoff + y * PP * 12 + pp * 10 + 2, text, 0);
pp++;
}
}
}
Reported by FlawFinder.
Line: 192
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const int D = ((s->chars - s->dformat) >> 2) + s->dformat * 2;
const int W = (outlink->w - xoff) / (C * 10);
const int H = (outlink->h - yoff) / (PP * 12);
const char *format[4] = {"%02X\n", "%04X\n", "%03d\n", "%05d\n"};
const int slice_start = (W * jobnr) / nb_jobs;
const int slice_end = (W * (jobnr+1)) / nb_jobs;
int x, y, p;
for (y = 0; y < H && (y + s->y < inlink->h); y++) {
Reported by FlawFinder.
Line: 209
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
xoff + x * C * 10, yoff + y * PP * 12, C * 10, PP * 12);
for (p = 0; p < P; p++) {
char text[256];
if (!(s->components & (1 << p)))
continue;
snprintf(text, sizeof(text), format[D], value[p]);
draw_text(&s->draw, out, &reverse, xoff + x * C * 10 + 2, yoff + y * PP * 12 + pp * 10 + 2, text, 0);
Reported by FlawFinder.
Line: 239
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const int D = ((s->chars - s->dformat) >> 2) + s->dformat * 2;
const int W = (outlink->w - xoff) / (C * 10);
const int H = (outlink->h - yoff) / (PP * 12);
const char *format[4] = {"%02X\n", "%04X\n", "%03d\n", "%05d\n"};
const int slice_start = (W * jobnr) / nb_jobs;
const int slice_end = (W * (jobnr+1)) / nb_jobs;
int x, y, p;
for (y = 0; y < H && (y + s->y < inlink->h); y++) {
Reported by FlawFinder.
Line: 252
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
s->pick_color(&s->draw, &color, in, x + s->x, y + s->y, value);
for (p = 0; p < P; p++) {
char text[256];
if (!(s->components & (1 << p)))
continue;
snprintf(text, sizeof(text), format[D], value[p]);
draw_text(&s->draw, out, &color, xoff + x * C * 10 + 2, yoff + y * PP * 12 + pp * 10 + 2, text, 0);
Reported by FlawFinder.
Line: 282
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const int D = ((s->chars - s->dformat) >> 2) + s->dformat * 2;
const int W = (outlink->w - xoff) / (C * 10);
const int H = (outlink->h - yoff) / (PP * 12);
const char *format[4] = {"%02X\n", "%04X\n", "%03d\n", "%05d\n"};
const int slice_start = (W * jobnr) / nb_jobs;
const int slice_end = (W * (jobnr+1)) / nb_jobs;
int x, y, p;
for (y = 0; y < H && (y + s->y < inlink->h); y++) {
Reported by FlawFinder.
Line: 294
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
s->pick_color(&s->draw, &color, in, x + s->x, y + s->y, value);
for (p = 0; p < P; p++) {
char text[256];
if (!(s->components & (1 << p)))
continue;
snprintf(text, sizeof(text), format[D], value[p]);
draw_text(&s->draw, out, &s->white, xoff + x * C * 10 + 2, yoff + y * PP * 12 + pp * 10 + 2, text, 0);
Reported by FlawFinder.
Line: 340
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const int C = s->chars;
int Y = outlink->h / (PP * 12);
int X = outlink->w / (C * 10);
char text[256] = { 0 };
int x, y;
snprintf(text, sizeof(text), "%d", s->y + Y);
ymaxlen = strlen(text);
ymaxlen *= 10;
Reported by FlawFinder.
libavformat/httpauth.c
18 issues
Line: 144
Column: 5
CWE codes:
119
120
Suggestion:
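Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The sizes shown appear chosen for fixed-length hex strings: `cnonce[17]` for the 8 bytes of `cnonce_buf`, and `A1hash`/`A2hash`/`response[33]` for the 16-byte `hash`, each plus a terminator; the writes that fill them are outside the excerpt.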
DigestParams *digest = &state->digest_params;
int len;
uint32_t cnonce_buf[2];
char cnonce[17];
char nc[9];
int i;
char A1hash[33], A2hash[33], response[33];
struct AVMD5 *md5ctx;
uint8_t hash[16];
Reported by FlawFinder.
Line: 145
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int len;
uint32_t cnonce_buf[2];
char cnonce[17];
char nc[9];
int i;
char A1hash[33], A2hash[33], response[33];
struct AVMD5 *md5ctx;
uint8_t hash[16];
char *authstr;
Reported by FlawFinder.
Line: 147
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char cnonce[17];
char nc[9];
int i;
char A1hash[33], A2hash[33], response[33];
struct AVMD5 *md5ctx;
uint8_t hash[16];
char *authstr;
digest->nc++;
Reported by FlawFinder.
Line: 80
Column: 23
CWE codes:
126
static void choose_qop(char *qop, int size)
{
char *ptr = strstr(qop, "auth");
char *end = ptr + strlen("auth");
if (ptr && (!*end || av_isspace(*end) || *end == ',') &&
(ptr == qop || av_isspace(ptr[-1]) || ptr[-1] == ',')) {
av_strlcpy(qop, "auth", size);
} else {
Reported by FlawFinder.
Line: 131
Column: 36
CWE codes:
126
const char* str = va_arg(vl, const char*);
if (!str)
break;
av_md5_update(md5ctx, str, strlen(str));
}
va_end(vl);
}
/* Generate a digest reply, according to RFC 2617. */
Reported by FlawFinder.
Line: 211
Column: 53
CWE codes:
126
return NULL;
}
len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
strlen(uri) + strlen(response) + strlen(digest->algorithm) +
strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
strlen(nc) + 150;
authstr = av_malloc(len);
Reported by FlawFinder.
Line: 211
Column: 30
CWE codes:
126
return NULL;
}
len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
strlen(uri) + strlen(response) + strlen(digest->algorithm) +
strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
strlen(nc) + 150;
authstr = av_malloc(len);
Reported by FlawFinder.
Line: 211
Column: 11
CWE codes:
126
return NULL;
}
len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
strlen(uri) + strlen(response) + strlen(digest->algorithm) +
strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
strlen(nc) + 150;
authstr = av_malloc(len);
Reported by FlawFinder.
Line: 212
Column: 15
CWE codes:
126
}
len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
strlen(uri) + strlen(response) + strlen(digest->algorithm) +
strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
strlen(nc) + 150;
authstr = av_malloc(len);
if (!authstr)
Reported by FlawFinder.
Line: 212
Column: 48
CWE codes:
126
}
len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
strlen(uri) + strlen(response) + strlen(digest->algorithm) +
strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
strlen(nc) + 150;
authstr = av_malloc(len);
if (!authstr)
Reported by FlawFinder.
libavformat/rtpdec_h264.c
18 issues
Line: 71
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
PayloadContext *h264_data,
const char *value)
{
char buffer[3];
// 6 characters=3 bytes, in hex.
uint8_t profile_idc;
uint8_t profile_iop;
uint8_t level_idc;
Reported by FlawFinder.
Line: 100
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint8_t **data_ptr, int *size_ptr,
const char *value)
{
char base64packet[1024];
uint8_t decoded_packet[1024];
int packet_size;
while (*value) {
char *dst = base64packet;
Reported by FlawFinder.
Line: 130
Column: 13
CWE codes:
120
Suggestion:
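Make sure destination can always hold the source data. The lines shown write `sizeof(start_sequence) + packet_size + AV_INPUT_BUFFER_PADDING_SIZE` bytes starting at `dest + *size_ptr`; the allocation of `dest` is not shown in the excerpt and must cover that total.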
}
*data_ptr = dest;
memcpy(dest + *size_ptr, start_sequence,
sizeof(start_sequence));
memcpy(dest + *size_ptr + sizeof(start_sequence),
decoded_packet, packet_size);
memset(dest + *size_ptr + sizeof(start_sequence) +
packet_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
Reported by FlawFinder.
Line: 132
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dest + *size_ptr, start_sequence,
sizeof(start_sequence));
memcpy(dest + *size_ptr + sizeof(start_sequence),
decoded_packet, packet_size);
memset(dest + *size_ptr + sizeof(start_sequence) +
packet_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
*size_ptr += sizeof(start_sequence) + packet_size;
Reported by FlawFinder.
Line: 152
Column: 65
CWE codes:
190
Suggestion:
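If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). The value belongs to the `packetization-mode` attribute, presumably parsed from a session description supplied by the remote peer, and `atoi` stores it without a range check in the lines shown; the comment that follows lists 0, 1 and 2 as the defined modes.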
AVCodecParameters *par = stream->codecpar;
if (!strcmp(attr, "packetization-mode")) {
av_log(s, AV_LOG_DEBUG, "RTP Packetization Mode: %d\n", atoi(value));
h264_data->packetization_mode = atoi(value);
/*
* Packetization Mode:
* 0 or not present: Single NAL mode (Only nals from 1-23 are allowed)
* 1: Non-interleaved Mode: 1-23, 24 (STAP-A), 28 (FU-A) are allowed.
Reported by FlawFinder.
Line: 153
Column: 41
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (!strcmp(attr, "packetization-mode")) {
av_log(s, AV_LOG_DEBUG, "RTP Packetization Mode: %d\n", atoi(value));
h264_data->packetization_mode = atoi(value);
/*
* Packetization Mode:
* 0 or not present: Single NAL mode (Only nals from 1-23 are allowed)
* 1: Non-interleaved Mode: 1-23, 24 (STAP-A), 28 (FU-A) are allowed.
* 2: Interleaved Mode: 25 (STAP-B), 26 (MTAP16), 27 (MTAP24), 28 (FU-A),
Reported by FlawFinder.
Line: 186
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ff_h264_parse_framesize(AVCodecParameters *par, const char *p)
{
char buf1[50];
char *dst = buf1;
// remove the protocol identifier
while (*p && *p == ' ')
p++; // strip spaces.
Reported by FlawFinder.
Line: 202
Column: 20
CWE codes:
190
Suggestion:
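If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). `par->width` and `par->height` are taken with `atoi` from the `framesize` attribute text, so negative, zero or very large dimensions are accepted unless they are validated elsewhere; a `strtol` parse with explicit limits would make the check local.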
// a='framesize:96 320-240'
// set our parameters
par->width = atoi(buf1);
par->height = atoi(p + 1); // skip the -
}
int ff_h264_handle_aggregated_packet(AVFormatContext *ctx, PayloadContext *data, AVPacket *pkt,
const uint8_t *buf, int len,
Reported by FlawFinder.
Line: 203
Column: 20
CWE codes:
190
Suggestion:
If the source is untrusted, check both the minimum and the maximum, even if the input had no minus sign (large numbers can roll over into a negative number; consider saving to an unsigned value if that is intended)
// a='framesize:96 320-240'
// set our parameters
par->width = atoi(buf1);
par->height = atoi(p + 1); // skip the -
}
int ff_h264_handle_aggregated_packet(AVFormatContext *ctx, PayloadContext *data, AVPacket *pkt,
const uint8_t *buf, int len,
int skip_between, int *nal_counters,
Reported by FlawFinder.
Line: 234
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
total_length += sizeof(start_sequence) + nal_size;
} else {
// copying
memcpy(dst, start_sequence, sizeof(start_sequence));
dst += sizeof(start_sequence);
memcpy(dst, src, nal_size);
if (nal_counters)
nal_counters[(*src) & nal_mask]++;
dst += nal_size;
Reported by FlawFinder.
libavutil/mem.c
18 issues
Line: 202
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR(ENOMEM);
}
memcpy(ptr, &val, sizeof(val));
return 0;
}
void *av_malloc_array(size_t nmemb, size_t size)
{
Reported by FlawFinder.
Line: 236
Column: 5
CWE codes:
120
Suggestion:
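Make sure the destination can always hold the source data. In this excerpt both copies move exactly sizeof(val) bytes to or from the local val, so the check reduces to confirming that ptr addresses an object at least that large.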
memcpy(&val, ptr, sizeof(val));
val = av_realloc_f(val, nmemb, size);
memcpy(ptr, &val, sizeof(val));
if (!val && nmemb && size)
return AVERROR(ENOMEM);
return 0;
}
Reported by FlawFinder.
Line: 257
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *val;
memcpy(&val, arg, sizeof(val));
memcpy(arg, &(void *){ NULL }, sizeof(val));
av_free(val);
}
void *av_mallocz(size_t size)
{
Reported by FlawFinder.
Line: 284
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t len = strlen(s) + 1;
ptr = av_realloc(NULL, len);
if (ptr)
memcpy(ptr, s, len);
}
return ptr;
}
char *av_strndup(const char *s, size_t len)
Reported by FlawFinder.
Line: 304
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ret)
return NULL;
memcpy(ret, s, len);
ret[len] = 0;
return ret;
}
void *av_memdup(const void *p, size_t size)
Reported by FlawFinder.
Line: 315
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (p) {
ptr = av_malloc(size);
if (ptr)
memcpy(ptr, p, size);
}
return ptr;
}
int av_dynarray_add_nofree(void *tab_ptr, int *nb_ptr, void *elem)
Reported by FlawFinder.
Line: 327
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
FF_DYNARRAY_ADD(INT_MAX, sizeof(*tab), tab, *nb_ptr, {
tab[*nb_ptr] = elem;
memcpy(tab_ptr, &tab, sizeof(tab));
}, {
return AVERROR(ENOMEM);
});
return 0;
}
Reported by FlawFinder.
Line: 341
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
FF_DYNARRAY_ADD(INT_MAX, sizeof(*tab), tab, *nb_ptr, {
tab[*nb_ptr] = elem;
memcpy(tab_ptr, &tab, sizeof(tab));
}, {
*nb_ptr = 0;
av_freep(tab_ptr);
});
}
Reported by FlawFinder.
Line: 356
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
FF_DYNARRAY_ADD(INT_MAX, elem_size, *tab_ptr, *nb_ptr, {
tab_elem_data = (uint8_t *)*tab_ptr + (*nb_ptr) * elem_size;
if (elem_data)
memcpy(tab_elem_data, elem_data, elem_size);
else if (CONFIG_MEMORY_POISONING)
memset(tab_elem_data, FF_MEMORY_POISON, elem_size);
}, {
av_freep(tab_ptr);
*nb_ptr = 0;
Reported by FlawFinder.
Line: 470
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cnt >= 16) {
int blocklen = back;
while (cnt > blocklen) {
memcpy(dst, src, blocklen);
dst += blocklen;
cnt -= blocklen;
blocklen <<= 1;
}
memcpy(dst, src, cnt);
Reported by FlawFinder.
libavformat/rtmppkt.c
17 issues
Line: 596
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const uint8_t *data_end)
{
unsigned int size, nb = -1;
char buf[1024];
AMFDataType type;
int parse_key = 1;
if (data >= data_end)
return;
Reported by FlawFinder.
Line: 617
Column: 9
CWE codes:
120
Suggestion:
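Make sure the destination can always hold the source data. In this excerpt the destination is bounded by the FFMIN clamp on the line before the memcpy; whether size is also bounded by the remaining input (data_end - data) is not visible here.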
size = bytestream_get_be32(&data);
}
size = FFMIN(size, sizeof(buf) - 1);
memcpy(buf, data, size);
buf[size] = 0;
av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf);
return;
case AMF_DATA_TYPE_NULL:
av_log(ctx, AV_LOG_DEBUG, " NULL\n");
Reported by FlawFinder.
Line: 640
Column: 17
CWE codes:
120
Suggestion:
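Make sure the destination can always hold the source data. In this excerpt the comparison of size with data_end - data comes after the memcpy, so it does not bound the read from data; whether size was clamped to the size of buf earlier is not visible here.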
data++;
break;
}
memcpy(buf, data, size);
buf[size] = 0;
if (size >= data_end - data)
return;
data += size;
av_log(ctx, AV_LOG_DEBUG, " %s: ", buf);
Reported by FlawFinder.
Line: 46
Column: 30
CWE codes:
126
/*
 * Write str to *dst as an AMF string: the AMF_DATA_TYPE_STRING type byte,
 * then strlen(str) via bytestream_put_be16(), then the string bytes via
 * bytestream_put_buffer().
 *
 * str must be a valid NUL-terminated string: it is passed to strlen()
 * twice, which is the CWE-126 (buffer over-read) concern reported here.
 * NOTE(review): the length goes through bytestream_put_be16(), presumably
 * a 16-bit field, while bytestream_put_buffer() is given the full
 * strlen(str); confirm that callers never pass a string longer than 0xFFFF.
 * No bound on the space behind *dst is visible in this function, so the
 * caller has to guarantee room for the bytes written.
 */
void ff_amf_write_string(uint8_t **dst, const char *str)
{
bytestream_put_byte(dst, AMF_DATA_TYPE_STRING);
bytestream_put_be16(dst, strlen(str));
bytestream_put_buffer(dst, str, strlen(str));
}
void ff_amf_write_string2(uint8_t **dst, const char *str1, const char *str2)
{
Reported by FlawFinder.
Line: 47
Column: 37
CWE codes:
126
{
bytestream_put_byte(dst, AMF_DATA_TYPE_STRING);
bytestream_put_be16(dst, strlen(str));
bytestream_put_buffer(dst, str, strlen(str));
}
void ff_amf_write_string2(uint8_t **dst, const char *str1, const char *str2)
{
int len1 = 0, len2 = 0;
Reported by FlawFinder.
Line: 54
Column: 16
CWE codes:
126
{
int len1 = 0, len2 = 0;
if (str1)
len1 = strlen(str1);
if (str2)
len2 = strlen(str2);
bytestream_put_byte(dst, AMF_DATA_TYPE_STRING);
bytestream_put_be16(dst, len1 + len2);
bytestream_put_buffer(dst, str1, len1);
Reported by FlawFinder.
Line: 56
Column: 16
CWE codes:
126
if (str1)
len1 = strlen(str1);
if (str2)
len2 = strlen(str2);
bytestream_put_byte(dst, AMF_DATA_TYPE_STRING);
bytestream_put_be16(dst, len1 + len2);
bytestream_put_buffer(dst, str1, len1);
bytestream_put_buffer(dst, str2, len2);
}
Reported by FlawFinder.
Line: 75
Column: 30
CWE codes:
126
/*
 * Write str to *dst as a length-prefixed field name: strlen(str) via
 * bytestream_put_be16(), then the string bytes via bytestream_put_buffer().
 * No type byte is written here.
 *
 * str must be a valid NUL-terminated string: it is passed to strlen()
 * twice, which is the CWE-126 (buffer over-read) concern reported here.
 * NOTE(review): the length prefix is presumably 16 bits wide while the
 * payload uses the full strlen(str); confirm that callers never pass a name
 * longer than 0xFFFF. No bound on the space behind *dst is visible in this
 * function, so the caller has to guarantee room for the bytes written.
 */
void ff_amf_write_field_name(uint8_t **dst, const char *str)
{
bytestream_put_be16(dst, strlen(str));
bytestream_put_buffer(dst, str, strlen(str));
}
void ff_amf_write_object_end(uint8_t **dst)
{
Reported by FlawFinder.
Line: 76
Column: 37
CWE codes:
126
/*
 * Write str to *dst as a length-prefixed field name: strlen(str) via
 * bytestream_put_be16(), then the string bytes via bytestream_put_buffer().
 * No type byte is written here.
 *
 * str must be a valid NUL-terminated string: it is passed to strlen()
 * twice, which is the CWE-126 (buffer over-read) concern reported here.
 * NOTE(review): the length prefix is presumably 16 bits wide while the
 * payload uses the full strlen(str); confirm that callers never pass a name
 * longer than 0xFFFF. No bound on the space behind *dst is visible in this
 * function, so the caller has to guarantee room for the bytes written.
 */
void ff_amf_write_field_name(uint8_t **dst, const char *str)
{
bytestream_put_be16(dst, strlen(str));
bytestream_put_buffer(dst, str, strlen(str));
}
void ff_amf_write_object_end(uint8_t **dst)
{
/* first two bytes are field name length = 0,
Reported by FlawFinder.
Line: 89
Column: 14
CWE codes:
120
20
int ff_amf_read_number(GetByteContext *bc, double *val)
{
uint64_t read;
if (bytestream2_get_byte(bc) != AMF_DATA_TYPE_NUMBER)
return AVERROR_INVALIDDATA;
read = bytestream2_get_be64(bc);
*val = av_int2double(read);
return 0;
Reported by FlawFinder.