Codekhana

libavutil/tests/camellia.c

2 issues

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 63 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                      }
    }
    av_camellia_init(cs, Key[0], 128);
    memcpy(iv, "HALLO123HALLO123", 16);
    av_camellia_crypt(cs, temp, rpt, 2, iv, 0);
    memcpy(iv, "HALLO123HALLO123", 16);
    av_camellia_crypt(cs, temp, temp, 2, iv, 1);
    for (i = 0; i < 32; i++) {
        if (rpt[i] != temp[i]) {

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 65 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                  av_camellia_init(cs, Key[0], 128);
    memcpy(iv, "HALLO123HALLO123", 16);
    av_camellia_crypt(cs, temp, rpt, 2, iv, 0);
    memcpy(iv, "HALLO123HALLO123", 16);
    av_camellia_crypt(cs, temp, temp, 2, iv, 1);
    for (i = 0; i < 32; i++) {
        if (rpt[i] != temp[i]) {
            av_log(NULL, AV_LOG_ERROR, "%d %02x %02x\n", i, rpt[i], temp[i]);
            err = 1;

Reported by FlawFinder.

libavutil/tests/cpu.c

2 issues

getopt - Some older implementations do not protect against internal buffer overflows

Security

Line: 117 Column: 17 CWE codes: 120 20
Suggestion: Check implementation on installation, or limit the size of all string inputs

                      return 1;

    for (;;) {
        int c = getopt(argc, argv, "c:t:");
        if (c == -1)
            break;
        switch (c) {
        case 'c':
        {

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues

Security

Line: 102 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

                  int cpu_flags_raw = av_get_cpu_flags();
    int cpu_flags_eff;
    int cpu_count = av_cpu_count();
    char threads[5] = "auto";
    int i;

    for(i = 0; cpu_flag_tab[i].flag; i++) {
        unsigned tmp = 0;
        if (av_parse_cpu_caps(&tmp, cpu_flag_tab[i].name) < 0) {

Reported by FlawFinder.

libavutil/tests/des.c

2 issues

printf - If format strings can be influenced by an attacker, they can be exploited

Security

Line: 126 Column: 13 CWE codes: 134
Suggestion: Use a constant for the format specification

                          v   = j & 1 ? v >> 4 : v & 0xf;
            v <<= 28 - 4 * i;
            v   = shuffle(v, P_shuffle, sizeof(P_shuffle));
            printf((j & 7) == 0 ? "\n    " : " ");
            printf("0x%08X,", v);
        }
        printf("\n    },\n");
    }
    printf("};\n");

Reported by FlawFinder.

srand - This function is not sufficiently random for security-related functions such as key and nonce creation

Security

Line: 84 Column: 5 CWE codes: 327
Suggestion: Use a more secure technique for acquiring random values

                  int i;
    union word_byte key[3], data, ct;
    uint64_t roundkeys[16];
    srand(av_gettime());
    key[0].word = AV_RB64(test_key);
    data.word   = AV_RB64(plain);
    gen_roundkeys(roundkeys, key[0].word);
    if (des_encdec(data.word, roundkeys, 0) != AV_RB64(crypt_ref)) {
        printf("Test 1 failed\n");

Reported by FlawFinder.

libavutil/tests/lzo.c

2 issues

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?

Security

Line: 36 Column: 16 CWE codes: 362

              #define BENCHMARK_LIBLZO_UNSAFE 0

int main(int argc, char *argv[]) {
    FILE *in = fopen(argv[1], "rb");
    int comp_level = argc > 2 ? atoi(argv[2]) : 0;
    uint8_t *orig = av_malloc(MAXSZ + 16);
    uint8_t *comp = av_malloc(2*MAXSZ + 16);
    uint8_t *decomp = av_malloc(MAXSZ + 16);
    size_t s = fread(orig, 1, MAXSZ, in);

Reported by FlawFinder.

atoi - Unless checked, the resulting number can exceed the expected range

Security

Line: 37 Column: 33 CWE codes: 190
Suggestion: If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)

              
int main(int argc, char *argv[]) {
    FILE *in = fopen(argv[1], "rb");
    int comp_level = argc > 2 ? atoi(argv[2]) : 0;
    uint8_t *orig = av_malloc(MAXSZ + 16);
    uint8_t *comp = av_malloc(2*MAXSZ + 16);
    uint8_t *decomp = av_malloc(MAXSZ + 16);
    size_t s = fread(orig, 1, MAXSZ, in);
    lzo_uint clen = 0;

Reported by FlawFinder.

libavcodec/proresdec2.c

2 issues

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 294 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                      }
        permute(ctx->qmat_chroma, ctx->prodsp.idct_permutation, ptr);
    } else {
        memcpy(ctx->qmat_chroma, ctx->qmat_luma, 64);
    }

    return hdr_size;
}

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 612 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                  block = blocks;

    for (i = 0; i < 16; i++) {
        memcpy(dst, block, 16 * blocks_per_slice * sizeof(*dst));
        dst   += dst_stride >> 1;
        block += 16 * blocks_per_slice;
    }
}

Reported by FlawFinder.

libavcodec/psymodel.c

2 issues

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 49 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                      return AVERROR(ENOMEM);
    }

    memcpy(ctx->bands,     bands,     sizeof(ctx->bands[0])     *  num_lens);
    memcpy(ctx->num_bands, num_bands, sizeof(ctx->num_bands[0]) *  num_lens);

    /* assign channels to groups (with virtual channels for coupling) */
    for (i = 0; i < num_groups; i++) {
        /* NOTE: Add 1 to handle the AAC chan_config without modification.

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 50 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                  }

    memcpy(ctx->bands,     bands,     sizeof(ctx->bands[0])     *  num_lens);
    memcpy(ctx->num_bands, num_bands, sizeof(ctx->num_bands[0]) *  num_lens);

    /* assign channels to groups (with virtual channels for coupling) */
    for (i = 0; i < num_groups; i++) {
        /* NOTE: Add 1 to handle the AAC chan_config without modification.
         *       This has the side effect of allowing an array of 0s to map

Reported by FlawFinder.

libavcodec/pthread_frame.c

2 issues

There is an unknown macro here somewhere. Configuration is required. If FF_ENABLE_DEPRECATION_WARNINGS is a macro then please configure it.

Error

Line: 987

                       )) {
        return 0;
    }
FF_ENABLE_DEPRECATION_WARNINGS
    return 1;
}

static int thread_get_buffer_internal(AVCodecContext *avctx, ThreadFrame *f, int flags)
{

Reported by Cppcheck.

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 374 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                          if (err < 0)
                return err;
        }
        memcpy(dst->slice_offset, src->slice_offset,
               src->slice_count * sizeof(*dst->slice_offset));
    }
    dst->slice_count = src->slice_count;
    return 0;
}

Reported by FlawFinder.

libavcodec/qpeg.c

2 issues

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 141 Column: 13 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                  if (refdata) {
        /* copy prev frame */
        for (i = 0; i < height; i++)
            memcpy(dst + (i * stride), refdata + (i * stride), width);
    } else {
        refdata = dst;
    }

    orig_height = height;

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 303 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              
    /* make the palette available on the way out */
    p->palette_has_changed = ff_copy_palette(a->pal, avpkt, avctx);
    memcpy(p->data[1], a->pal, AVPALETTE_SIZE);

    av_frame_unref(ref);
    if ((ret = av_frame_ref(ref, p)) < 0)
        return ret;

Reported by FlawFinder.

libavcodec/qsv.c

2 issues

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues

Security

Line: 318 Column: 13 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
        ret = MFXVideoUSER_Load(session, &uid, 1);
        if (ret < 0) {
            char errorbuf[128];
            snprintf(errorbuf, sizeof(errorbuf),
                     "Could not load the requested plugin '%s'", plugin);
            err = ff_qsv_print_error(logctx, ret, errorbuf);
            goto load_plugin_fail;
        }

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)

Security

Line: 300 Column: 13 CWE codes: 126

                      char *plugin = av_get_token(&load_plugins, ":");
        if (!plugin)
            return AVERROR(ENOMEM);
        if (strlen(plugin) != 2 * sizeof(uid.Data)) {
            av_log(logctx, AV_LOG_ERROR, "Invalid plugin UID length\n");
            err = AVERROR(EINVAL);
            goto load_plugin_fail;
        }

Reported by FlawFinder.

libavcodec/qsvenc_hevc.c

2 issues

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 154 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                  new_extradata = av_mallocz(vps_size + avctx->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
    if (!new_extradata)
        return AVERROR(ENOMEM);
    memcpy(new_extradata, vps_buf, vps_size);
    memcpy(new_extradata + vps_size, avctx->extradata, avctx->extradata_size);

    av_freep(&avctx->extradata);
    avctx->extradata       = new_extradata;
    avctx->extradata_size += vps_size;

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 155 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                  if (!new_extradata)
        return AVERROR(ENOMEM);
    memcpy(new_extradata, vps_buf, vps_size);
    memcpy(new_extradata + vps_size, avctx->extradata, avctx->extradata_size);

    av_freep(&avctx->extradata);
    avctx->extradata       = new_extradata;
    avctx->extradata_size += vps_size;

Reported by FlawFinder.

Modal title

The following issues were found

libavutil/tests/camellia.c

2 issues

libavutil/tests/cpu.c

2 issues

libavutil/tests/des.c

2 issues

libavutil/tests/lzo.c

2 issues

libavcodec/proresdec2.c

2 issues

libavcodec/psymodel.c

2 issues

libavcodec/pthread_frame.c

2 issues

libavcodec/qpeg.c

2 issues

libavcodec/qsv.c

2 issues

libavcodec/qsvenc_hevc.c

2 issues