The following issues were found
libavfilter/f_zmq.c
3 issues
Line: 142
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = AVERROR(ENOMEM);
goto end;
}
memcpy(*buf, zmq_msg_data(&msg), *buf_size - 1);
(*buf)[*buf_size-1] = 0;
end:
zmq_msg_close(&msg);
return ret;
Reported by FlawFinder.
Line: 156
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ZMQContext *zmq = ctx->priv;
while (1) {
char cmd_buf[1024];
char *recv_buf, *send_buf;
int recv_buf_size;
Command cmd = {0};
int ret;
Reported by FlawFinder.
Line: 190
Column: 48
CWE codes:
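126
Note: CWE-126 is buffer over-read, raised here for strlen(send_buf). strlen() reads up to the first NUL byte, so the call is bounded only if the code that fills send_buf terminates it, and that code is outside this excerpt. Separately, the failure branch logs zmq_strerror(ret), but the result of zmq_send() is not stored in ret in the lines shown, so the logged text may not describe this failure.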
av_log(ctx, AV_LOG_VERBOSE,
"Sending command reply for command #%d:\n%s\n",
zmq->command_count, send_buf);
if (zmq_send(zmq->responder, send_buf, strlen(send_buf), 0) == -1)
av_log(ctx, AV_LOG_ERROR, "Failed to send reply for command #%d: %s\n",
zmq->command_count, zmq_strerror(ret));
end:
av_freep(&send_buf);
Reported by FlawFinder.
libavformat/pcmdec.c
3 issues
Line: 134
#define PCMDEF(name, long_name, ext, uppercase) \
PCMDEF_EXT(name, long_name, ext, uppercase, )
PCMDEF(f64be, "PCM 64-bit floating-point big-endian", NULL, F64BE)
PCMDEF(f64le, "PCM 64-bit floating-point little-endian", NULL, F64LE)
PCMDEF(f32be, "PCM 32-bit floating-point big-endian", NULL, F32BE)
PCMDEF(f32le, "PCM 32-bit floating-point little-endian", NULL, F32LE)
PCMDEF(s32be, "PCM signed 32-bit big-endian", NULL, S32BE)
PCMDEF(s32le, "PCM signed 32-bit little-endian", NULL, S32LE)
Reported by Cppcheck.
Line: 65
Column: 22
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!channels)
sscanf(options, " channels=%d", &channels);
if (!little_endian) {
char val[sizeof("little-endian")];
if (sscanf(options, " endianness=%13s", val) == 1) {
little_endian = strcmp(val, "little-endian") == 0;
}
}
}
Reported by FlawFinder.
Line: 66
Column: 26
CWE codes:
120
Suggestion:
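Check that the limit is sufficiently small, or use a different input function. Here the destination is declared as char val[sizeof("little-endian")], i.e. 14 bytes, and %13s stores at most 13 characters plus the terminating NUL, so the limit matches the buffer.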
sscanf(options, " channels=%d", &channels);
if (!little_endian) {
char val[sizeof("little-endian")];
if (sscanf(options, " endianness=%13s", val) == 1) {
little_endian = strcmp(val, "little-endian") == 0;
}
}
}
if (rate <= 0) {
Reported by FlawFinder.
libavformat/pjsdec.c
3 issues
Line: 55
Column: 9
CWE codes:
120
20
Suggestion:
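Specify a limit to %s, or use a different input function. The flagged sscanf() format contains only two SCNd64 integer conversions and no %s, so there is no string destination to bound here. The visible code also checks that both fields were converted (== 2) and range-checks end against start before using them.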
{
int64_t start, end;
if (sscanf(*line, "%"SCNd64",%"SCNd64, &start, &end) == 2) {
*line += strcspn(*line, "\"");
*line += !!**line;
if (end < start || end - (uint64_t)start > INT_MAX)
return AV_NOPTS_VALUE;
*duration = end - start;
Reported by FlawFinder.
Line: 78
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
st->codecpar->codec_id = AV_CODEC_ID_PJS;
while (!avio_feof(s->pb)) {
char line[4096];
char *p = line;
const int64_t pos = avio_tell(s->pb);
int len = ff_get_line(s->pb, line, sizeof(line));
int64_t pts_start;
int duration;
Reported by FlawFinder.
Line: 95
Column: 57
CWE codes:
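126
Note: CWE-126 is buffer over-read, raised here for strlen(p). The line before it writes a NUL at the offset strcspn() returned, so strlen(p) ends at that offset. Both calls rely on the buffer p points into already being NUL-terminated, which this excerpt does not show.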
AVPacket *sub;
p[strcspn(p, "\"")] = 0;
sub = ff_subtitles_queue_insert(&pjs->q, p, strlen(p), 0);
if (!sub)
return AVERROR(ENOMEM);
sub->pos = pos;
sub->pts = pts_start;
sub->duration = duration;
Reported by FlawFinder.
libavcodec/pgssubdec.c
3 issues
Line: 267
Column: 9
CWE codes:
120
Suggestion:
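Make sure destination can always hold the source data. The excerpt shows buf_size rejected when it exceeds object->rle_remaining_len before the copy. That check is sufficient only if the object->rle allocation is at least rle_data_len + rle_remaining_len bytes, which is established outside the lines shown.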
if (buf_size > object->rle_remaining_len)
return AVERROR_INVALIDDATA;
memcpy(object->rle + object->rle_data_len, buf, buf_size);
object->rle_data_len += buf_size;
object->rle_remaining_len -= buf_size;
return 0;
}
Reported by FlawFinder.
Line: 309
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR(ENOMEM);
}
memcpy(object->rle, buf, buf_size);
object->rle_data_len = buf_size;
object->rle_remaining_len = rle_bitmap_len - buf_size;
return 0;
}
Reported by FlawFinder.
Line: 598
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (!ctx->forced_subs_only || ctx->presentation.objects[i].composition_flag & 0x40)
memcpy(sub->rects[i]->data[1], palette->clut, sub->rects[i]->nb_colors * sizeof(uint32_t));
}
return 1;
}
static int decode(AVCodecContext *avctx, void *data, int *got_sub_ptr,
Reported by FlawFinder.
libavcodec/pcm-dvd.c
3 issues
Line: 261
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (s->extra_sample_count) {
int missing_samples = s->block_size - s->extra_sample_count;
if (buf_size >= missing_samples) {
memcpy(s->extra_samples + s->extra_sample_count, src,
missing_samples);
dst = pcm_dvd_decode_samples(avctx, s->extra_samples, dst, 1);
src += missing_samples;
buf_size -= missing_samples;
s->extra_sample_count = 0;
Reported by FlawFinder.
Line: 270
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
blocks--;
} else {
/* new packet still doesn't have enough samples */
memcpy(s->extra_samples + s->extra_sample_count, src, buf_size);
s->extra_sample_count += buf_size;
return avpkt->size;
}
}
Reported by FlawFinder.
Line: 285
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* store leftover samples */
if (buf_size) {
src += blocks * s->block_size;
memcpy(s->extra_samples, src, buf_size);
s->extra_sample_count = buf_size;
}
*got_frame_ptr = 1;
Reported by FlawFinder.
libavcodec/pamenc.c
3 issues
Line: 33
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i, h, w, n, linesize, depth, maxval, ret, header_size;
uint8_t *bytestream, *ptr;
const char *tuple_type;
char header[100];
h = avctx->height;
w = avctx->width;
switch (avctx->pix_fmt) {
case AV_PIX_FMT_MONOBLACK:
Reported by FlawFinder.
Line: 105
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
bytestream = pkt->data;
memcpy(bytestream, header, header_size);
bytestream += header_size;
ptr = p->data[0];
linesize = p->linesize[0];
Reported by FlawFinder.
Line: 120
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
} else {
for (i = 0; i < h; i++) {
memcpy(bytestream, ptr, n);
bytestream += n;
ptr += linesize;
}
}
Reported by FlawFinder.
libavfilter/drawutils.c
3 issues
Line: 215
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wp = AV_CEIL_RSHIFT(w, draw->hsub[plane]) * draw->pixelstep[plane];
hp = AV_CEIL_RSHIFT(h, draw->vsub[plane]);
for (y = 0; y < hp; y++) {
memcpy(q, p, wp);
p += src_linesize[plane];
q += dst_linesize[plane];
}
}
}
Reported by FlawFinder.
Line: 245
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy first line from color */
for (x = 0; x < wp; x++) {
memcpy(p, color_tmp.comp[plane].u8, draw->pixelstep[plane]);
p += draw->pixelstep[plane];
}
wp *= draw->pixelstep[plane];
/* copy next lines from first line */
p = p0 + dst_linesize[plane];
Reported by FlawFinder.
Line: 252
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy next lines from first line */
p = p0 + dst_linesize[plane];
for (y = 1; y < hp; y++) {
memcpy(p, p0, wp);
p += dst_linesize[plane];
}
}
}
Reported by FlawFinder.
libavcodec/ffv1enc.c
3 issues
Line: 288
CWE codes:
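786
Note: CWE-786 is access of memory before the start of a buffer, raised here for sample[0][-1]. In the excerpt each sample[i] is set to an address 3 elements past the start of a (w + 6)-element row of s->sample_buffer, so index -1 lands inside that row provided (h + i - y) % ring_size is not negative.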
for (i = 0; i < ring_size; i++)
sample[i] = s->sample_buffer + (w + 6) * ((h + i - y) % ring_size) + 3;
sample[0][-1]= sample[1][0 ];
sample[1][ w]= sample[1][w-1];
if (s->bits_per_raw_sample <= 8) {
for (x = 0; x < w; x++)
sample[0][x] = src[x * pixel_stride + stride * y];
if((ret = encode_line(s, w, sample, plane_index, 8)) < 0)
Reported by Cppcheck.
Line: 1138
Column: 22
CWE codes:
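126
Note: CWE-126 is buffer over-read, raised here for p += strlen(p). snprintf(p, end - p, ...) stores at most end - p - 1 characters plus a NUL when end - p is at least 1, so the following strlen(p) is bounded and p stays below end. This holds as long as p starts below end, which is set up outside the excerpt.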
for (j = 0; j < 256; j++) {
snprintf(p, end - p, "%" PRIu64 " %" PRIu64 " ",
f->rc_stat[j][0], f->rc_stat[j][1]);
p += strlen(p);
}
snprintf(p, end - p, "\n");
for (i = 0; i < f->quant_table_count; i++) {
for (j = 0; j < f->context_count[i]; j++)
Reported by FlawFinder.
Line: 1147
Column: 30
CWE codes:
126
for (m = 0; m < 32; m++) {
snprintf(p, end - p, "%" PRIu64 " %" PRIu64 " ",
f->rc_stat2[i][j][m][0], f->rc_stat2[i][j][m][1]);
p += strlen(p);
}
}
snprintf(p, end - p, "%d\n", f->gob_count);
}
return 0;
Reported by FlawFinder.
libavformat/mxg.c
3 issues
Line: 176
Column: 17
CWE codes:
120
Suggestion:
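Make sure destination can always hold the source data. Here pkt->data has just been allocated by av_new_packet(pkt, size) with the same size and the call's result is checked, so the destination side is covered. What the excerpt does not show is whether size bytes are readable from mxg->soi_ptr.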
ret = av_new_packet(pkt, size);
if (ret < 0)
return ret;
memcpy(pkt->data, mxg->soi_ptr, size);
pkt->pts = pkt->dts = mxg->dts;
pkt->stream_index = 0;
if (mxg->soi_ptr - mxg->buffer > mxg->cache_size) {
Reported by FlawFinder.
Line: 215
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = av_new_packet(pkt, size - 14);
if (ret < 0)
return ret;
memcpy(pkt->data, startmarker_ptr + 16, size - 14);
/* time (GMT) of first sample in usec since 1970, little-endian */
pkt->pts = pkt->dts = AV_RL64(startmarker_ptr + 8);
pkt->stream_index = 1;
Reported by FlawFinder.
Line: 223
Column: 29
CWE codes:
120
Suggestion:
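Make sure destination can always hold the source data. Source and destination here both appear to lie in mxg->buffer (buffer_ptr is reset to buffer right after the copy), so besides the size, memcpy()'s requirement that the regions do not overlap matters. The excerpt does not show how buffer_ptr relates to the guard on startmarker_ptr; confirm that relation, or note that memmove() is the overlap-safe call.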
if (startmarker_ptr - mxg->buffer > mxg->cache_size) {
if (mxg->cache_size > 0) {
memcpy(mxg->buffer, mxg->buffer_ptr, mxg->cache_size);
}
mxg->buffer_ptr = mxg->buffer;
}
return pkt->size;
Reported by FlawFinder.
libavformat/mmsh.c
3 issues
Line: 216
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mmsh_open_internal(URLContext *h, const char *uri, int flags, int timestamp, int64_t pos)
{
int i, port, err;
char httpname[256], path[256], host[128];
char *stream_selection = NULL;
char headers[1024];
MMSHContext *mmsh = h->priv_data;
MMSContext *mms;
Reported by FlawFinder.
Line: 218
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i, port, err;
char httpname[256], path[256], host[128];
char *stream_selection = NULL;
char headers[1024];
MMSHContext *mmsh = h->priv_data;
MMSContext *mms;
mmsh->request_seq = h->is_streamed = 1;
mms = &mmsh->mms;
Reported by FlawFinder.
Line: 277
Column: 9
CWE codes:
119
120
Suggestion:
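Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt the write into tmp goes through snprintf(tmp, sizeof(tmp), ...), and "ffff:%d:0 " expands to at most 19 characters for a 32-bit int, which fits tmp[20] with its terminator. The av_strlcat() bound of mms->stream_num * 19 + 1 has to match the stream_selection allocation, which is outside the lines shown.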
if (!stream_selection)
return AVERROR(ENOMEM);
for (i = 0; i < mms->stream_num; i++) {
char tmp[20];
err = snprintf(tmp, sizeof(tmp), "ffff:%d:0 ", mms->streams[i].id);
if (err < 0)
goto fail;
av_strlcat(stream_selection, tmp, mms->stream_num * 19 + 1);
}
Reported by FlawFinder.