The following issues were found
libavformat/pjsdec.c
3 issues
Line: 55
Column: 9
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
{
int64_t start, end;
if (sscanf(*line, "%"SCNd64",%"SCNd64, &start, &end) == 2) {
*line += strcspn(*line, "\"");
*line += !!**line;
if (end < start || end - (uint64_t)start > INT_MAX)
return AV_NOPTS_VALUE;
*duration = end - start;
Reported by FlawFinder.
Line: 78
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
st->codecpar->codec_id = AV_CODEC_ID_PJS;
while (!avio_feof(s->pb)) {
char line[4096];
char *p = line;
const int64_t pos = avio_tell(s->pb);
int len = ff_get_line(s->pb, line, sizeof(line));
int64_t pts_start;
int duration;
Reported by FlawFinder.
Line: 95
Column: 57
CWE codes:
126
AVPacket *sub;
p[strcspn(p, "\"")] = 0;
sub = ff_subtitles_queue_insert(&pjs->q, p, strlen(p), 0);
if (!sub)
return AVERROR(ENOMEM);
sub->pos = pos;
sub->pts = pts_start;
sub->duration = duration;
Reported by FlawFinder.
libavfilter/drawutils.c
3 issues
Line: 215
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wp = AV_CEIL_RSHIFT(w, draw->hsub[plane]) * draw->pixelstep[plane];
hp = AV_CEIL_RSHIFT(h, draw->vsub[plane]);
for (y = 0; y < hp; y++) {
memcpy(q, p, wp);
p += src_linesize[plane];
q += dst_linesize[plane];
}
}
}
Reported by FlawFinder.
Line: 245
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy first line from color */
for (x = 0; x < wp; x++) {
memcpy(p, color_tmp.comp[plane].u8, draw->pixelstep[plane]);
p += draw->pixelstep[plane];
}
wp *= draw->pixelstep[plane];
/* copy next lines from first line */
p = p0 + dst_linesize[plane];
Reported by FlawFinder.
Line: 252
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy next lines from first line */
p = p0 + dst_linesize[plane];
for (y = 1; y < hp; y++) {
memcpy(p, p0, wp);
p += dst_linesize[plane];
}
}
}
Reported by FlawFinder.
libavcodec/mss12.c
3 issues
Line: 174
CWE codes:
476
idx = 0;
for (i = 0; i < pctx->cache_size; i++) {
for (j = 0; j < num_ngb; j++)
if (pctx->cache[i] == ngb[j])
break;
if (j == num_ngb) {
if (idx == val)
break;
idx++;
Reported by Cppcheck.
Line: 333
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (c->last_rgb_pic)
for (j = y; j < y + height; j++) {
memcpy(c->rgb_pic + j * c->rgb_stride + x * 3,
c->last_rgb_pic + j * c->rgb_stride + x * 3,
width * 3);
memcpy(c->pal_pic + j * c->pal_stride + x,
c->last_pal_pic + j * c->pal_stride + x,
width);
Reported by FlawFinder.
Line: 336
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(c->rgb_pic + j * c->rgb_stride + x * 3,
c->last_rgb_pic + j * c->rgb_stride + x * 3,
width * 3);
memcpy(c->pal_pic + j * c->pal_stride + x,
c->last_pal_pic + j * c->pal_stride + x,
width);
}
}
Reported by FlawFinder.
libavcodec/avrndec.c
3 issues
Line: 76
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(a->interlace) {
buf += (true_height - avctx->height)*avctx->width;
for(y = 0; y < avctx->height-1; y+=2) {
memcpy(p->data[0] + (y+ a->tff)*p->linesize[0], buf , 2*avctx->width);
memcpy(p->data[0] + (y+!a->tff)*p->linesize[0], buf + avctx->width*true_height+4, 2*avctx->width);
buf += 2*avctx->width;
}
} else {
buf += (true_height - avctx->height)*avctx->width*2;
Reported by FlawFinder.
Line: 77
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf += (true_height - avctx->height)*avctx->width;
for(y = 0; y < avctx->height-1; y+=2) {
memcpy(p->data[0] + (y+ a->tff)*p->linesize[0], buf , 2*avctx->width);
memcpy(p->data[0] + (y+!a->tff)*p->linesize[0], buf + avctx->width*true_height+4, 2*avctx->width);
buf += 2*avctx->width;
}
} else {
buf += (true_height - avctx->height)*avctx->width*2;
for(y = 0; y < avctx->height; y++) {
Reported by FlawFinder.
Line: 83
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
buf += (true_height - avctx->height)*avctx->width*2;
for(y = 0; y < avctx->height; y++) {
memcpy(p->data[0] + y*p->linesize[0], buf, 2*avctx->width);
buf += 2*avctx->width;
}
}
*got_frame = 1;
Reported by FlawFinder.
libavcodec/elbg.c
3 issues
Line: 79
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i=0; i<dim; i++)
res[i] = ROUNDED_DIV(vect[i],div);
else if (res != vect)
memcpy(res, vect, dim*sizeof(int));
}
static int eval_error_cell(elbg_data *elbg, int *centroid, cell *cells)
{
Reported by FlawFinder.
Line: 350
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR(ENOMEM);
for (i=0; i<numpoints/8; i++) {
k = (i*BIG_PRIME) % numpoints;
memcpy(temp_points + i*dim, points + k*dim, dim*sizeof(int));
}
ret = avpriv_init_elbg(temp_points, dim, numpoints / 8, codebook,
numCB, 2 * max_steps, closest_cb, rand_state);
if (ret < 0) {
Reported by FlawFinder.
Line: 365
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else // If not, initialize the codebook with random positions
for (i=0; i < numCB; i++)
memcpy(codebook + i*dim, points + ((i*BIG_PRIME)%numpoints)*dim,
dim*sizeof(int));
return ret;
}
int avpriv_do_elbg(int *points, int dim, int numpoints, int *codebook,
Reported by FlawFinder.
libavcodec/vp9recon.c
3 issues
Line: 125
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
if (have_top) {
if (n_px_need <= n_px_have) {
memcpy(*a, top, n_px_need * bytesperpixel);
} else {
#define memset_bpp(c, i1, v, i2, num) do { \
if (bytesperpixel == 1) { \
memset(&(c)[(i1)], (v)[(i2)], (num)); \
} else { \
Reported by FlawFinder.
Line: 137
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} \
} \
} while (0)
memcpy(*a, top, n_px_have * bytesperpixel);
memset_bpp(*a, n_px_have, (*a), n_px_have - 1, n_px_need - n_px_have);
}
} else {
#define memset_val(c, val, num) do { \
if (bytesperpixel == 1) { \
Reported by FlawFinder.
Line: 177
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tx == TX_4X4 && edges[mode].needs_topright) {
if (have_top && have_right &&
n_px_need + n_px_need_tr <= n_px_have) {
memcpy(&(*a)[4 * bytesperpixel], &top[4 * bytesperpixel], 4 * bytesperpixel);
} else {
memset_bpp(*a, 4, *a, 3, 4);
}
}
}
Reported by FlawFinder.
libavformat/mxg.c
3 issues
Line: 176
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = av_new_packet(pkt, size);
if (ret < 0)
return ret;
memcpy(pkt->data, mxg->soi_ptr, size);
pkt->pts = pkt->dts = mxg->dts;
pkt->stream_index = 0;
if (mxg->soi_ptr - mxg->buffer > mxg->cache_size) {
Reported by FlawFinder.
Line: 215
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = av_new_packet(pkt, size - 14);
if (ret < 0)
return ret;
memcpy(pkt->data, startmarker_ptr + 16, size - 14);
/* time (GMT) of first sample in usec since 1970, little-endian */
pkt->pts = pkt->dts = AV_RL64(startmarker_ptr + 8);
pkt->stream_index = 1;
Reported by FlawFinder.
Line: 223
Column: 29
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (startmarker_ptr - mxg->buffer > mxg->cache_size) {
if (mxg->cache_size > 0) {
memcpy(mxg->buffer, mxg->buffer_ptr, mxg->cache_size);
}
mxg->buffer_ptr = mxg->buffer;
}
return pkt->size;
Reported by FlawFinder.
libavfilter/af_lv2.c
3 issues
Line: 142
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tmp = av_calloc(table->n_uris + 1, sizeof(char*));
if (!tmp)
return table->n_uris;
memcpy(tmp, table->uris, table->n_uris * sizeof(char**));
av_free(table->uris);
table->uris = tmp;
table->uris[table->n_uris] = av_malloc(len + 1);
if (!table->uris[table->n_uris])
Reported by FlawFinder.
Line: 150
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!table->uris[table->n_uris])
return table->n_uris;
memcpy(table->uris[table->n_uris], uri, len + 1);
table->n_uris++;
return table->n_uris;
}
Reported by FlawFinder.
Line: 129
Column: 24
CWE codes:
126
static LV2_URID uri_table_map(LV2_URID_Map_Handle handle, const char *uri)
{
URITable *table = (URITable*)handle;
const size_t len = strlen(uri);
size_t i;
char **tmp;
for (i = 0; i < table->n_uris; i++) {
if (!strcmp(table->uris[i], uri)) {
Reported by FlawFinder.
libavcodec/eatgv.c
3 issues
Line: 126
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (size1 > 0) {
size -= size1;
run = FFMIN(size1, dst_end - dst);
memcpy(dst, src, run);
dst += run;
src += run;
}
if (size2 > 0) {
Reported by FlawFinder.
Line: 311
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
return ret;
memcpy(frame->data[1], s->palette, AVPALETTE_SIZE);
if (chunk_type == kVGT_TAG) {
int y;
frame->key_frame = 1;
frame->pict_type = AV_PICTURE_TYPE_I;
Reported by FlawFinder.
Line: 327
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AVERROR_INVALIDDATA;
}
for (y = 0; y < s->height; y++)
memcpy(frame->data[0] + y * frame->linesize[0],
s->frame_buffer + y * s->width,
s->width);
} else {
if (!s->last_frame->data[0]) {
av_log(avctx, AV_LOG_WARNING, "inter frame without corresponding intra frame\n");
Reported by FlawFinder.
libavformat/mmsh.c
3 issues
Line: 216
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mmsh_open_internal(URLContext *h, const char *uri, int flags, int timestamp, int64_t pos)
{
int i, port, err;
char httpname[256], path[256], host[128];
char *stream_selection = NULL;
char headers[1024];
MMSHContext *mmsh = h->priv_data;
MMSContext *mms;
Reported by FlawFinder.
Line: 218
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i, port, err;
char httpname[256], path[256], host[128];
char *stream_selection = NULL;
char headers[1024];
MMSHContext *mmsh = h->priv_data;
MMSContext *mms;
mmsh->request_seq = h->is_streamed = 1;
mms = &mmsh->mms;
Reported by FlawFinder.
Line: 277
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!stream_selection)
return AVERROR(ENOMEM);
for (i = 0; i < mms->stream_num; i++) {
char tmp[20];
err = snprintf(tmp, sizeof(tmp), "ffff:%d:0 ", mms->streams[i].id);
if (err < 0)
goto fail;
av_strlcat(stream_selection, tmp, mms->stream_num * 19 + 1);
}
Reported by FlawFinder.