The following issues were found
libavformat/sbgdec.c
3 issues
Line: 136
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int nb_block_tseq;
int nb_def_max, nb_synth_max, nb_tseq_max, nb_block_tseq_max;
int line_no;
char err_msg[128];
};
enum ws_interval_type {
WS_SINE = MKTAG('S','I','N','E'),
WS_NOISE = MKTAG('N','O','I','S'),
Reported by FlawFinder.
Line: 408
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tptr = av_malloc(oarg.e - oarg.s + 1);
if (!tptr)
return AVERROR(ENOMEM);
memcpy(tptr, oarg.s, oarg.e - oarg.s);
tptr[oarg.e - oarg.s] = 0;
av_free(p->scs.opt_mix);
p->scs.opt_mix = tptr;
break;
case 'q':
Reported by FlawFinder.
Line: 853
Column: 20
CWE codes:
126
lctx--;
if (lctx == 0) {
ctx = "the end of line";
lctx = strlen(ctx);
quote = "";
}
av_log(log, AV_LOG_ERROR, "Error line %d: %s near %s%.*s%s.\n",
sp.line_no, sp.err_msg, quote, lctx, ctx, quote);
}
Reported by FlawFinder.
libavcodec/imm5.c
3 issues
Line: 124
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
avpkt->data += 24 - offset;
avpkt->size = new_size + offset;
memcpy(avpkt->data, IMM5_units[index].bits, IMM5_units[index].len);
if (codec_type == 2) {
memcpy(avpkt->data + off, IMM5_units[12].bits, IMM5_units[12].len);
} else {
memcpy(avpkt->data + off, IMM5_units[13].bits, IMM5_units[13].len);
}
Reported by FlawFinder.
Line: 126
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(avpkt->data, IMM5_units[index].bits, IMM5_units[index].len);
if (codec_type == 2) {
memcpy(avpkt->data + off, IMM5_units[12].bits, IMM5_units[12].len);
} else {
memcpy(avpkt->data + off, IMM5_units[13].bits, IMM5_units[13].len);
}
} else {
avpkt->data += 24;
Reported by FlawFinder.
Line: 128
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (codec_type == 2) {
memcpy(avpkt->data + off, IMM5_units[12].bits, IMM5_units[12].len);
} else {
memcpy(avpkt->data + off, IMM5_units[13].bits, IMM5_units[13].len);
}
} else {
avpkt->data += 24;
avpkt->size -= 24;
}
Reported by FlawFinder.
libavfilter/vf_deshake.c
3 issues
Line: 356
Column: 23
CWE codes:
362
}
if (deshake->filename)
deshake->fp = fopen(deshake->filename, "w");
if (deshake->fp)
fwrite("Ori x, Avg x, Fin x, Ori y, Avg y, Fin y, Ori angle, Avg angle, Fin angle, Ori zoom, Avg zoom, Fin zoom\n", 1, 104, deshake->fp);
// Quadword align left edge of box for MMX code, adjust width if necessary
// to keep right margin
Reported by FlawFinder.
Line: 416
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Transform t = {{0},0}, orig = {{0},0};
float matrix_y[9], matrix_uv[9];
float alpha = 2.0 / deshake->refcount;
char tmp[256];
int ret = 0;
const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(link->format);
const int chroma_width = AV_CEIL_RSHIFT(link->w, desc->log2_chroma_w);
const int chroma_height = AV_CEIL_RSHIFT(link->h, desc->log2_chroma_h);
int aligned;
Reported by FlawFinder.
Line: 486
Column: 24
CWE codes:
126
// Write statistics to file
if (deshake->fp) {
snprintf(tmp, 256, "%f, %f, %f, %f, %f, %f, %f, %f, %f, %f, %f, %f\n", orig.vec.x, deshake->avg.vec.x, t.vec.x, orig.vec.y, deshake->avg.vec.y, t.vec.y, orig.angle, deshake->avg.angle, t.angle, orig.zoom, deshake->avg.zoom, t.zoom);
fwrite(tmp, 1, strlen(tmp), deshake->fp);
}
// Turn relative current frame motion into absolute by adding it to the
// last absolute motion
t.vec.x += deshake->last.vec.x;
Reported by FlawFinder.
libavformat/rtspenc.c
3 issues
Line: 52
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i;
char *sdp;
AVFormatContext sdp_ctx, *ctx_array[1];
char url[MAX_URL_SIZE];
if (s->start_time_realtime == 0 || s->start_time_realtime == AV_NOPTS_VALUE)
s->start_time_realtime = av_gettime();
/* Announce the stream */
Reported by FlawFinder.
Line: 114
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
RTSPState *rt = s->priv_data;
RTSPMessageHeader reply1, *reply = &reply1;
char cmd[MAX_URL_SIZE];
snprintf(cmd, sizeof(cmd),
"Range: npt=0.000-\r\n");
ff_rtsp_send_cmd(s, "RECORD", rt->control_uri, cmd, reply, NULL);
if (reply->status_code != RTSP_STATUS_OK)
Reported by FlawFinder.
Line: 85
Column: 53
CWE codes:
126
av_log(s, AV_LOG_VERBOSE, "SDP:\n%s\n", sdp);
ff_rtsp_send_cmd_with_content(s, "ANNOUNCE", rt->control_uri,
"Content-Type: application/sdp\r\n",
reply, NULL, sdp, strlen(sdp));
av_free(sdp);
if (reply->status_code != RTSP_STATUS_OK)
return ff_rtsp_averror(reply->status_code, AVERROR_INVALIDDATA);
/* Set up the RTSPStreams for each AVStream */
Reported by FlawFinder.
libavformat/sapdec.c
3 issues
Line: 65
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int sap_read_header(AVFormatContext *s)
{
struct SAPState *sap = s->priv_data;
char host[1024], path[1024], url[1024];
uint8_t recvbuf[RTP_MAX_PACKET_LENGTH];
const AVInputFormat *infmt;
int port;
int ret, i;
Reported by FlawFinder.
Line: 133
Column: 20
CWE codes:
126
}
#define MIME "application/sdp"
if (strcmp(&recvbuf[pos], MIME) == 0) {
pos += strlen(MIME) + 1;
} else if (strncmp(&recvbuf[pos], "v=0\r\n", 5) == 0) {
// Direct SDP without a mime type
} else {
av_log(s, AV_LOG_WARNING, "Unsupported mime type %s\n",
&recvbuf[pos]);
Reported by FlawFinder.
Line: 151
Column: 47
CWE codes:
126
}
av_log(s, AV_LOG_VERBOSE, "SDP:\n%s\n", sap->sdp);
ffio_init_context(&sap->sdp_pb, sap->sdp, strlen(sap->sdp), 0, NULL, NULL,
NULL, NULL);
infmt = av_find_input_format("sdp");
if (!infmt)
goto fail;
Reported by FlawFinder.
libavcodec/cdgraphics.c
3 issues
Line: 178
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
in += in_tl_x + in_tl_y * stride;
out += out_tl_x + out_tl_y * stride;
for (y = 0; y < h; y++)
memcpy(out + y * stride, in + y * stride, w);
}
static void cdg_fill_rect_preset(int tl_x, int tl_y, uint8_t *out,
int color, int w, int h, int stride)
{
Reported by FlawFinder.
Line: 237
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!hinc && !vinc)
return;
memcpy(new_frame->data[1], cc->frame->data[1], CDG_PALETTE_SIZE * 4);
for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++)
memcpy(out + FFMAX(0, hinc) + stride * y,
in + FFMAX(0, hinc) - hinc + (y - vinc) * stride,
FFMIN(stride + hinc, stride));
Reported by FlawFinder.
Line: 240
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(new_frame->data[1], cc->frame->data[1], CDG_PALETTE_SIZE * 4);
for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++)
memcpy(out + FFMAX(0, hinc) + stride * y,
in + FFMAX(0, hinc) - hinc + (y - vinc) * stride,
FFMIN(stride + hinc, stride));
if (vinc > 0)
cdg_fill_wrapper(0, 0, out,
Reported by FlawFinder.
libavformat/rtpenc_h264_hevc.c
3 issues
Line: 94
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
AV_WB16(s->buf_ptr, size);
s->buf_ptr += 2;
memcpy(s->buf_ptr, buf, size);
s->buf_ptr += size;
s->buffered_nals++;
} else {
flush_buffered(s1, 0);
ff_rtp_send_data(s1, buf, size, last);
Reported by FlawFinder.
Line: 168
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
while (size + header_size > s->max_payload_size) {
memcpy(&s->buf[header_size], buf, s->max_payload_size - header_size);
ff_rtp_send_data(s1, s->buf, s->max_payload_size, 0);
buf += s->max_payload_size - header_size;
size -= s->max_payload_size - header_size;
s->buf[flag_byte] &= ~(1 << 7);
}
Reported by FlawFinder.
Line: 175
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s->buf[flag_byte] &= ~(1 << 7);
}
s->buf[flag_byte] |= 1 << 6;
memcpy(&s->buf[header_size], buf, size);
ff_rtp_send_data(s1, s->buf, size + header_size, last);
}
}
void ff_rtp_send_h264_hevc(AVFormatContext *s1, const uint8_t *buf1, int size)
Reported by FlawFinder.
libavcodec/hevcdec.c
3 issues
Line: 2646
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
res = AVERROR(ENOMEM);
goto error;
}
memcpy(s->sList[i], s, sizeof(HEVCContext));
s->sList[i]->HEVClc = s->HEVClcList[i];
}
offset = (lc->gb.index >> 3);
Reported by FlawFinder.
Line: 2688
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 1; i < s->threads_number; i++) {
s->sList[i]->HEVClc->first_qp_group = 1;
s->sList[i]->HEVClc->qp_y = s->sList[0]->HEVClc->qp_y;
memcpy(s->sList[i], s, sizeof(HEVCContext));
s->sList[i]->HEVClc = s->HEVClcList[i];
}
atomic_store(&s->wpp_err, 0);
ff_reset_entries(s->avctx);
Reported by FlawFinder.
Line: 2860
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (s->sei.timecode.present) {
uint32_t *tc_sd;
char tcbuf[AV_TIMECODE_STR_SIZE];
AVFrameSideData *tcside = av_frame_new_side_data(out, AV_FRAME_DATA_S12M_TIMECODE,
sizeof(uint32_t) * 4);
if (!tcside)
return AVERROR(ENOMEM);
Reported by FlawFinder.
libavformat/rtpdec_mpa_robust.c
3 issues
Line: 99
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
pkt->stream_index = st->index;
memcpy(pkt->data, buf, adu_size);
data->split_pos += header_size + adu_size;
if (data->split_pos == data->split_buf_size) {
av_freep(&data->split_buf);
Reported by FlawFinder.
Line: 129
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
pkt->stream_index = st->index;
memcpy(pkt->data, buf, adu_size);
buf += adu_size;
len -= adu_size;
if (len) {
data->split_buf_size = len;
Reported by FlawFinder.
Line: 142
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av_packet_unref(pkt);
return AVERROR(ENOMEM);
}
memcpy(data->split_buf, buf, data->split_buf_size);
return 1;
}
return 0;
} else if (!continuation) { /* && adu_size > len */
/* First fragment */
Reported by FlawFinder.
libavcodec/cbs_mpeg2.c
3 issues
Line: 329
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
// memcpy can be used to improve performance.
// This is the normal case.
flush_put_bits(pbc);
memcpy(put_bits_ptr(pbc), pos, rest);
skip_put_bytes(pbc, rest);
} else {
// If not, we have to copy manually:
for (; rest > 3; rest -= 4, pos += 4)
put_bits32(pbc, AV_RB32(pos));
Reported by FlawFinder.
Line: 381
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data[dp++] = 0;
data[dp++] = 1;
memcpy(data + dp, unit->data, unit->data_size);
dp += unit->data_size;
}
av_assert0(dp == size);
Reported by FlawFinder.
Line: 65
Column: 19
CWE codes:
120
20
#define READ
#define READWRITE read
#define RWContext GetBitContext
#define xuia(width, string, var, range_min, range_max, subs, ...) do { \
uint32_t value; \
CHECK(ff_cbs_read_unsigned(ctx, rw, width, string, \
Reported by FlawFinder.