The following issues were found
libavcodec/nvdec_av1.c
2 issues
Line: 54
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
NVDECFrame *cf;
AVFrame *cur_frame = s->cur_frame.tf.f;
unsigned char remap_lr_type[4] = { AV1_RESTORE_NONE, AV1_RESTORE_SWITCHABLE, AV1_RESTORE_WIENER, AV1_RESTORE_SGRPROJ };
int apply_grain = !(avctx->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN) && film_grain->apply_grain;
int ret, i, j;
ret = ff_nvdec_start_frame_sep_ref(avctx, cur_frame, apply_grain);
Reported by FlawFinder.
Line: 323
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ctx->bitstream = ctx->bitstream_internal = tmp;
memcpy(ctx->bitstream + ctx->bitstream_len, buffer, size);
for (uint32_t tile_num = s->tg_start; tile_num <= s->tg_end; ++tile_num) {
ctx->slice_offsets[tile_num*2 ] = ctx->bitstream_len + s->tile_group_info[tile_num].tile_offset;
ctx->slice_offsets[tile_num*2 + 1] = ctx->slice_offsets[tile_num*2] + s->tile_group_info[tile_num].tile_size;
}
Reported by FlawFinder.
libavcodec/nvdec_h264.c
2 issues
Line: 115
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ppc->WeightScale4x4, pps->scaling_matrix4, sizeof(ppc->WeightScale4x4));
memcpy(ppc->WeightScale8x8[0], pps->scaling_matrix8[0], sizeof(ppc->WeightScale8x8[0]));
memcpy(ppc->WeightScale8x8[1], pps->scaling_matrix8[3], sizeof(ppc->WeightScale8x8[0]));
dpb_size = 0;
for (i = 0; i < h->short_ref_count; i++)
dpb_add(h, &ppc->dpb[dpb_size++], h->short_ref[i], h->short_ref[i]->frame_num);
for (i = 0; i < 16; i++) {
Reported by FlawFinder.
Line: 153
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->slice_offsets = tmp;
AV_WB24(ctx->bitstream + ctx->bitstream_len, 1);
memcpy(ctx->bitstream + ctx->bitstream_len + 3, buffer, size);
ctx->slice_offsets[ctx->nb_slices] = ctx->bitstream_len ;
ctx->bitstream_len += size + 3;
ctx->nb_slices++;
if (sl->slice_type != AV_PICTURE_TYPE_I && sl->slice_type != AV_PICTURE_TYPE_SI)
Reported by FlawFinder.
libavformat/stldec.c
2 issues
Line: 84
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
st->codecpar->codec_id = AV_CODEC_ID_STL;
while (!avio_feof(s->pb)) {
char line[4096];
char *p = line;
const int64_t pos = avio_tell(s->pb);
int len = ff_get_line(s->pb, line, sizeof(line));
int64_t pts_start;
int duration;
Reported by FlawFinder.
Line: 99
Column: 57
CWE codes:
126
if (pts_start != AV_NOPTS_VALUE) {
AVPacket *sub;
sub = ff_subtitles_queue_insert(&stl->q, p, strlen(p), 0);
if (!sub)
return AVERROR(ENOMEM);
sub->pos = pos;
sub->pts = pts_start;
sub->duration = duration;
Reported by FlawFinder.
libavformat/swfdec.c
2 issues
Line: 448
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
res = AVERROR(ENOMEM);
goto bitmap_end;
}
memcpy(pal, colormap, AVPALETTE_SIZE);
break;
case 4:
pix_fmt = AV_PIX_FMT_RGB555;
break;
case 5:
Reported by FlawFinder.
Line: 464
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else
st->codecpar->format = pix_fmt;
memcpy(pkt->data, buf + colormapsize*colormapbpp, linesize * height);
res = pkt->size;
bitmap_end:
av_freep(&zbuf);
Reported by FlawFinder.
libavformat/tests/fifo_muxer.c
2 issues
Line: 46
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ret = av_new_packet(pkt, sizeof(*pkt_data));
if (ret < 0)
return ret;
memcpy(pkt->data, pkt_data, sizeof(*pkt_data));
pkt->pts = pkt->dts = pts;
pkt->duration = 1;
return 0;
Reported by FlawFinder.
Line: 202
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
AVDictionary *opts = NULL;
AVFormatContext *oc = NULL;
AVPacket *pkt = NULL;
char buffer[BUFFER_SIZE];
int ret, ret1;
ret = initialize_fifo_tst_muxer_chain(&oc, &pkt);
if (ret < 0) {
fprintf(stderr, "Muxer initialization failed: %s\n", av_err2str(ret));
Reported by FlawFinder.
libavformat/tests/srtp.c
2 issues
Line: 106
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static int test_decrypt(struct SRTPContext *srtp, const uint8_t *in, int len,
uint8_t *out)
{
memcpy(out, in, len);
if (!ff_srtp_decrypt(srtp, out, &len)) {
print_data(out, len);
return len;
} else
return -1;
Reported by FlawFinder.
Line: 119
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct SRTPContext enc = { 0 }, dec = { 0 };
int len;
char buf[RTP_MAX_PACKET_LENGTH];
ff_srtp_set_crypto(&enc, suite, key);
ff_srtp_set_crypto(&dec, suite, key);
len = ff_srtp_encrypt(&enc, data, in_len, buf, sizeof(buf));
if (!ff_srtp_decrypt(&dec, buf, &len)) {
if (len == in_len && !memcmp(buf, data, len))
Reported by FlawFinder.
libavcodec/opus.c
2 issues
Line: 490
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
the second to ensure the second band never has to use the LCG. */
int count = (ff_celt_freq_range[i] - ff_celt_freq_range[i-1]) << f->size;
memcpy(&norm1[band_offset], &norm1[band_offset - count], count * sizeof(float));
if (f->channels == 2)
memcpy(&norm2[band_offset], &norm2[band_offset - count], count * sizeof(float));
}
Reported by FlawFinder.
Line: 493
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&norm1[band_offset], &norm1[band_offset - count], count * sizeof(float));
if (f->channels == 2)
memcpy(&norm2[band_offset], &norm2[band_offset - count], count * sizeof(float));
}
/* Get a conservative estimate of the collapse_mask's for the bands we're
going to be folding from. */
if (lowband_offset != 0 && (f->spread != CELT_SPREAD_AGGRESSIVE ||
Reported by FlawFinder.
libavcodec/opus_pvq.c
2 issues
Line: 209
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (j = 0; j < N0; j++)
tmp[j*stride+i] = X[order[i]*N0+j];
memcpy(X, tmp, N*sizeof(float));
}
static void celt_deinterleave_hadamard(float *tmp, float *X, int N0,
int stride, int hadamard)
{
Reported by FlawFinder.
Line: 222
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (j = 0; j < N0; j++)
tmp[order[i]*N0+j] = X[j*stride+i];
memcpy(X, tmp, N*sizeof(float));
}
static void celt_haar1(float *X, int N0, int stride)
{
int i, j;
Reported by FlawFinder.
libavcodec/opus_rc.c
2 issues
Line: 384
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
opus_rc_enc_carryout(rc, 0);
rng_bytes = rc->rng_cur - rc->buf;
memcpy(dst, rc->buf, rng_bytes);
rc->waste = size*8 - (rc->rb.bytes*8 + rc->rb.cachelen) - rng_bytes*8;
/* Put the rawbits part, if any */
if (rc->rb.bytes || rc->rb.cachelen) {
Reported by FlawFinder.
Line: 398
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lap = &dst[rng_bytes] - rb_dst;
for (i = 0; i < lap; i++)
rb_dst[i] |= rb_src[i];
memcpy(&rb_dst[lap], &rb_src[lap], FFMAX(rc->rb.bytes - lap, 0));
}
}
void ff_opus_rc_enc_init(OpusRangeCoder *rc)
{
Reported by FlawFinder.
libavcodec/dcaadpcm.c
2 issues
Line: 193
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int32_t dequant_delta;
int32_t work_bufer[16 + DCA_ADPCM_COEFFS];
memcpy(work_bufer, prev_hist, sizeof(int32_t) * DCA_ADPCM_COEFFS);
for (i = 0; i < len; i++) {
work_bufer[DCA_ADPCM_COEFFS + i] = ff_dcaadpcm_predict(pred_vq_index, &work_bufer[i]);
delta = (int64_t)in[i] - ((int64_t)work_bufer[DCA_ADPCM_COEFFS + i] << 7);
Reported by FlawFinder.
Line: 207
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
work_bufer[DCA_ADPCM_COEFFS+i] += dequant_delta;
}
memcpy(next_hist, &work_bufer[len], sizeof(int32_t) * DCA_ADPCM_COEFFS);
return 0;
}
av_cold int ff_dcaadpcm_init(DCAADPCMEncContext *s)
Reported by FlawFinder.