The following issues were found
libavcodec/sga.c
3 issues
Line: 150
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
uint8_t *dst = frame->data[0] + y * 8 * frame->linesize[0] + x * 8;
if (!flip_x && !flip_y) {
memcpy(tile, tt, 64);
} else if (flip_x && flip_y) {
for (int i = 0; i < 8; i++) {
for (int j = 0; j < 8; j++)
tile[i * 8 + j] = tt[(7 - i) * 8 + 7 - j];
}
Reported by FlawFinder.
Line: 407
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sizeof(s->uncompressed) - offset < size)
return AVERROR_INVALIDDATA;
memcpy(s->uncompressed + offset, gb->buffer, size);
bytestream2_skip(gb, size);
} else {
GetByteContext gb2;
if (bytestream2_get_bytes_left(gb) < size)
Reported by FlawFinder.
Line: 499
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR_INVALIDDATA;
}
memcpy(frame->data[1], s->pal, AVPALETTE_SIZE);
frame->palette_has_changed = 1;
frame->pict_type = AV_PICTURE_TYPE_I;
frame->key_frame = 1;
*got_frame = 1;
Reported by FlawFinder.
libavcodec/h2645_parse.c
3 issues
Line: 98
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nal->rbsp_buffer = &rbsp->rbsp_buffer[rbsp->rbsp_buffer_size];
dst = nal->rbsp_buffer;
memcpy(dst, src, i);
si = di = i;
while (si + 2 < length) {
// remove escapes (very rare 1:2^22)
if (src[si + 2] > 3) {
dst[di++] = src[si++];
Reported by FlawFinder.
Line: 149
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return si;
}
static const char *const hevc_nal_type_name[64] = {
"TRAIL_N", // HEVC_NAL_TRAIL_N
"TRAIL_R", // HEVC_NAL_TRAIL_R
"TSA_N", // HEVC_NAL_TSA_N
"TSA_R", // HEVC_NAL_TSA_R
"STSA_N", // HEVC_NAL_STSA_N
Reported by FlawFinder.
Line: 222
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return hevc_nal_type_name[nal_type];
}
static const char *const h264_nal_type_name[32] = {
"Unspecified 0", //H264_NAL_UNSPECIFIED
"Coded slice of a non-IDR picture", // H264_NAL_SLICE
"Coded slice data partition A", // H264_NAL_DPA
"Coded slice data partition B", // H264_NAL_DPB
"Coded slice data partition C", // H264_NAL_DPC
Reported by FlawFinder.
libavfilter/f_zmq.c
3 issues
Line: 142
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = AVERROR(ENOMEM);
goto end;
}
memcpy(*buf, zmq_msg_data(&msg), *buf_size - 1);
(*buf)[*buf_size-1] = 0;
end:
zmq_msg_close(&msg);
return ret;
Reported by FlawFinder.
Line: 156
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ZMQContext *zmq = ctx->priv;
while (1) {
char cmd_buf[1024];
char *recv_buf, *send_buf;
int recv_buf_size;
Command cmd = {0};
int ret;
Reported by FlawFinder.
Line: 190
Column: 48
CWE codes:
126
av_log(ctx, AV_LOG_VERBOSE,
"Sending command reply for command #%d:\n%s\n",
zmq->command_count, send_buf);
if (zmq_send(zmq->responder, send_buf, strlen(send_buf), 0) == -1)
av_log(ctx, AV_LOG_ERROR, "Failed to send reply for command #%d: %s\n",
zmq->command_count, zmq_strerror(ret));
end:
av_freep(&send_buf);
Reported by FlawFinder.
libavfilter/formats.c
3 issues
Line: 617
CWE codes:
476
void ff_channel_layouts_changeref(AVFilterChannelLayouts **oldref,
AVFilterChannelLayouts **newref)
{
FORMATS_CHANGEREF(oldref, newref);
}
void ff_formats_changeref(AVFilterFormats **oldref, AVFilterFormats **newref)
{
FORMATS_CHANGEREF(oldref, newref);
Reported by Cppcheck.
Line: 622
CWE codes:
476
void ff_formats_changeref(AVFilterFormats **oldref, AVFilterFormats **newref)
{
FORMATS_CHANGEREF(oldref, newref);
}
#define SET_COMMON_FORMATS(ctx, fmts, ref_fn, unref_fn) \
int count = 0, i; \
\
Reported by Cppcheck.
Line: 395
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MAKE_FORMAT_LIST(AVFilterChannelLayouts,
channel_layouts, nb_channel_layouts);
if (count)
memcpy(formats->channel_layouts, fmts,
sizeof(*formats->channel_layouts) * count);
return formats;
}
Reported by FlawFinder.
libavcodec/cbrt_tablegen.h
3 issues
Line: 43
av_cold void AAC_RENAME(ff_cbrt_tableinit)(void)
{
static double cbrt_tab_dbl[1 << 13];
if (!AAC_RENAME(ff_cbrt_tab)[(1<<13) - 1]) {
int i, j, k;
double cbrt_val;
for (i = 1; i < 1<<13; i++)
cbrt_tab_dbl[i] = 1;
Reported by Cppcheck.
Line: 43
av_cold void AAC_RENAME(ff_cbrt_tableinit)(void)
{
static double cbrt_tab_dbl[1 << 13];
if (!AAC_RENAME(ff_cbrt_tab)[(1<<13) - 1]) {
int i, j, k;
double cbrt_val;
for (i = 1; i < 1<<13; i++)
cbrt_tab_dbl[i] = 1;
Reported by Cppcheck.
Line: 43
av_cold void AAC_RENAME(ff_cbrt_tableinit)(void)
{
static double cbrt_tab_dbl[1 << 13];
if (!AAC_RENAME(ff_cbrt_tab)[(1<<13) - 1]) {
int i, j, k;
double cbrt_val;
for (i = 1; i < 1<<13; i++)
cbrt_tab_dbl[i] = 1;
Reported by Cppcheck.
libavcodec/rl.c
3 issues
Line: 62
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
max_run[level] = run;
}
rl->max_level[last] = static_store[last];
memcpy(rl->max_level[last], max_level, MAX_RUN + 1);
rl->max_run[last] = static_store[last] + MAX_RUN + 1;
memcpy(rl->max_run[last], max_run, MAX_LEVEL + 1);
rl->index_run[last] = static_store[last] + MAX_RUN + MAX_LEVEL + 2;
memcpy(rl->index_run[last], index_run, MAX_RUN + 1);
}
Reported by FlawFinder.
Line: 64
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rl->max_level[last] = static_store[last];
memcpy(rl->max_level[last], max_level, MAX_RUN + 1);
rl->max_run[last] = static_store[last] + MAX_RUN + 1;
memcpy(rl->max_run[last], max_run, MAX_LEVEL + 1);
rl->index_run[last] = static_store[last] + MAX_RUN + MAX_LEVEL + 2;
memcpy(rl->index_run[last], index_run, MAX_RUN + 1);
}
}
Reported by FlawFinder.
Line: 66
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rl->max_run[last] = static_store[last] + MAX_RUN + 1;
memcpy(rl->max_run[last], max_run, MAX_LEVEL + 1);
rl->index_run[last] = static_store[last] + MAX_RUN + MAX_LEVEL + 2;
memcpy(rl->index_run[last], index_run, MAX_RUN + 1);
}
}
av_cold void ff_rl_init_vlc(RLTable *rl, unsigned static_size)
{
Reported by FlawFinder.
libavcodec/rl2.c
3 issues
Line: 75
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/** copy start of the background frame */
for (i = 0; i <= base_y; i++) {
if (s->back_frame)
memcpy(out, back_frame, s->avctx->width);
out += stride;
back_frame += s->avctx->width;
}
back_frame += base_x - s->avctx->width;
line_end = out - stride_adj;
Reported by FlawFinder.
Line: 118
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/** copy the rest from the background frame */
if (s->back_frame) {
while (out < out_end) {
memcpy(out, back_frame, line_end - out);
back_frame += line_end - out;
out = line_end + stride_adj;
line_end += stride;
}
}
Reported by FlawFinder.
Line: 197
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s->video_base);
/** make the palette available on the way out */
memcpy(frame->data[1], s->palette, AVPALETTE_SIZE);
*got_frame = 1;
/** report that the buffer was completely consumed */
return buf_size;
Reported by FlawFinder.
libavfilter/vf_libopencv.c
3 issues
Line: 95
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
OCVContext *s = ctx->priv;
SmoothContext *smooth = s->priv;
char type_str[128] = "gaussian";
smooth->param1 = 3;
smooth->param2 = 0;
smooth->param3 = 0.0;
smooth->param4 = 0.0;
Reported by FlawFinder.
Line: 216
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int parse_iplconvkernel(IplConvKernel **kernel, char *buf, void *log_ctx)
{
char shape_filename[128] = "", shape_str[32] = "rect";
int cols = 0, rows = 0, anchor_x = 0, anchor_y = 0, shape = CV_SHAPE_RECT;
int *values = NULL, ret = 0;
sscanf(buf, "%dx%d+%dx%d/%32[^=]=%127s", &cols, &rows, &anchor_x, &anchor_y, shape_str, shape_filename);
Reported by FlawFinder.
Line: 220
Column: 5
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
int cols = 0, rows = 0, anchor_x = 0, anchor_y = 0, shape = CV_SHAPE_RECT;
int *values = NULL, ret = 0;
sscanf(buf, "%dx%d+%dx%d/%32[^=]=%127s", &cols, &rows, &anchor_x, &anchor_y, shape_str, shape_filename);
if (!strcmp(shape_str, "rect" )) shape = CV_SHAPE_RECT;
else if (!strcmp(shape_str, "cross" )) shape = CV_SHAPE_CROSS;
else if (!strcmp(shape_str, "ellipse")) shape = CV_SHAPE_ELLIPSE;
else if (!strcmp(shape_str, "custom" )) {
Reported by FlawFinder.
libavformat/rtspenc.c
3 issues
Line: 52
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i;
char *sdp;
AVFormatContext sdp_ctx, *ctx_array[1];
char url[MAX_URL_SIZE];
if (s->start_time_realtime == 0 || s->start_time_realtime == AV_NOPTS_VALUE)
s->start_time_realtime = av_gettime();
/* Announce the stream */
Reported by FlawFinder.
Line: 114
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
RTSPState *rt = s->priv_data;
RTSPMessageHeader reply1, *reply = &reply1;
char cmd[MAX_URL_SIZE];
snprintf(cmd, sizeof(cmd),
"Range: npt=0.000-\r\n");
ff_rtsp_send_cmd(s, "RECORD", rt->control_uri, cmd, reply, NULL);
if (reply->status_code != RTSP_STATUS_OK)
Reported by FlawFinder.
Line: 85
Column: 53
CWE codes:
126
av_log(s, AV_LOG_VERBOSE, "SDP:\n%s\n", sdp);
ff_rtsp_send_cmd_with_content(s, "ANNOUNCE", rt->control_uri,
"Content-Type: application/sdp\r\n",
reply, NULL, sdp, strlen(sdp));
av_free(sdp);
if (reply->status_code != RTSP_STATUS_OK)
return ff_rtsp_averror(reply->status_code, AVERROR_INVALIDDATA);
/* Set up the RTSPStreams for each AVStream */
Reported by FlawFinder.
libavutil/detection_bbox.h
3 issues
Line: 41
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/**
* Detect result with confidence
*/
char detect_label[AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE];
AVRational detect_confidence;
/**
* At most 4 classifications based on the detected bounding box.
* For example, we can get max 4 different attributes with 4 different
Reported by FlawFinder.
Line: 52
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
#define AV_NUM_DETECTION_BBOX_CLASSIFY 4
uint32_t classify_count;
char classify_labels[AV_NUM_DETECTION_BBOX_CLASSIFY][AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE];
AVRational classify_confidences[AV_NUM_DETECTION_BBOX_CLASSIFY];
} AVDetectionBBox;
typedef struct AVDetectionBBoxHeader {
/**
Reported by FlawFinder.
Line: 61
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Information about how the bounding box is generated.
* for example, the DNN model name.
*/
char source[256];
/**
* Number of bounding boxes in the array.
*/
uint32_t nb_bboxes;
Reported by FlawFinder.