The following issues were found

deps/w32-pthreads/ptw32_OLL_lock.c
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 125 Column: 8 CWE codes: 362

              struct ptw32_oll_queryResult_t_
{
  /*
   * Pair of BOOL flags. Presumably the result type of ptw32_oll_Query(),
   * going by the name; that function's declaration is not in this
   * excerpt, so confirm against the full file.
   */
  BOOL	nonZero;
  /*
   * NOTE(review): `open` is a data member here, not a call to open().
   * This declaration opens no file, so a file-open race check (CWE-362)
   * that matched on the identifier has nothing to examine on this line.
   */
  BOOL	open;
};

union ptw32_oll_snziNodeOrRoot_t_
{
  ptw32_oll_snziRoot_t* rootPtr;

            

Reported by FlawFinder.

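open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? Triage note: the only `open` token in the excerpt below is the `.open` member read from the value returned by ptw32_oll_Query(), not a call to open(). No file is opened there, so this looks like an identifier match rather than a CWE-362 file race.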
Security

Line: 587 Column: 49 CWE codes: 362

                  else
    {
      /* Wait until node is properly recycled */
      while (ptw32_oll_Query(oldTailPtr->csnzi).open);
      /*
       * Close C-SNZI of previous reader node.
       * If there are no readers to signal us, spin on
       * previous node and free it before entering
       * critical section.

            

Reported by FlawFinder.

plugins/obs-outputs/ftl-stream.c
2 issues
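strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) Triage note: both strlen() calls in the excerpt take FTL_URL_PROTOCOL, whose definition is not shown; if it expands to a string literal, the argument is always NUL-terminated and the over-read described here cannot occur. The pointer worth checking instead is ingest_url, which reaches strncmp() with no NULL check visible in the excerpt (whether obs_service_get_url() can return NULL is not shown).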
Security

Line: 1052 Column: 44 CWE codes: 126

              	obs_data_t *video_settings = obs_encoder_get_settings(video_encoder);

	ingest_url = obs_service_get_url(service);
	if (strncmp(ingest_url, FTL_URL_PROTOCOL, strlen(FTL_URL_PROTOCOL)) ==
	    0) {
		dstr_copy(&stream->path, ingest_url + strlen(FTL_URL_PROTOCOL));
	} else {
		dstr_copy(&stream->path, ingest_url);
	}

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 1054 Column: 41 CWE codes: 126

              	ingest_url = obs_service_get_url(service);
	if (strncmp(ingest_url, FTL_URL_PROTOCOL, strlen(FTL_URL_PROTOCOL)) ==
	    0) {
		dstr_copy(&stream->path, ingest_url + strlen(FTL_URL_PROTOCOL));
	} else {
		dstr_copy(&stream->path, ingest_url);
	}

	key = obs_service_get_key(service);

            

Reported by FlawFinder.

plugins/obs-filters/nvafx-load.h
2 issues
LoadLibrary - Ensure that the full path to the library is specified, or current directory may be used
Security

Line: 145 Column: 15 CWE codes: 829 20
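Suggestion: Use LoadLibraryEx with one of the search flags, or call SetSearchPathMode to use a safe search path, or pass a full path to the library. Triage note: the excerpt brackets the call with SetDllDirectoryA(path) / SetDllDirectoryA(NULL), which changes the DLL search path for the whole process while it is set, and the DLL is still requested by bare name. Joining `path` and the file name into a full path and loading that with LoadLibraryEx (LOAD_WITH_ALTERED_SEARCH_PATH or the LOAD_LIBRARY_SEARCH_* flags) avoids both the name search and the process-wide side effect.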

              		return false;

	SetDllDirectoryA(path);
	nv_audiofx = LoadLibrary(L"NVAudioEffects.dll");
	SetDllDirectoryA(NULL);

	return !!nv_audiofx;
}
#endif

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 140 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
static bool load_lib(void)
{
	char path[MAX_PATH];
	if (!nvafx_get_sdk_path(path, sizeof(path)))
		return false;

	SetDllDirectoryA(path);
	nv_audiofx = LoadLibrary(L"NVAudioEffects.dll");

            

Reported by FlawFinder.

UI/importers/classic.cpp
2 issues
atoi - Unless checked, the resulting number can exceed the expected range
Security

Line: 362 Column: 10 CWE codes: 190
Suggestion: If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)

              static void create_int(const string &name, Json::object &out,
		       const string &data)
{
	// Converts `data` to an int with atoi() and stores it in `out`
	// under the key `name`.
	//
	// NOTE(review): atoi() cannot report failure. It returns 0 when no
	// digits are found, and a value outside the range of int is undefined
	// behaviour. Where `data` comes from is not visible in this excerpt;
	// if it is read from an imported file, strtol() with an end-pointer
	// check, an ERANGE check and explicit minimum/maximum bounds would
	// make bad input detectable before it is stored.
	int i = atoi(data.c_str());
	out[name] = i;
}

static void create_data_item(Json::object &out, const string &line)
{

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 556 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	OBSImporterFiles res;

#ifdef _WIN32
	char dst[512];
	int found = os_get_config_path(dst, 512, "OBS\\sceneCollection\\");
	if (found == -1)
		return res;

	os_dir_t *dir = os_opendir(dst);

            

Reported by FlawFinder.

plugins/obs-filters/rnnoise/src/rnn.c
2 issues
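Null pointer dereference: (int*)0 Triage note: in the excerpts for this file the write sits in the final else after the activation-type checks, so it appears to be a deliberate crash for an unsupported activation rather than a stray pointer. A store through a null pointer is undefined behaviour and the compiler may drop it; abort() or an assert states the same intent with defined behaviour.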
Error

Line: 105 CWE codes: 476

                    for (i=0;i<N;i++)
         output[i] = relu(output[i]);
   } else {
     *(int*)0=0;
   }
}

static void compute_gru(const GRULayer *gru, float *state, const float *input)
{

            

Reported by Cppcheck.

Null pointer dereference: (int*)0
Error

Line: 151 CWE codes: 476

                    if (gru->activation == ACTIVATION_SIGMOID) sum = sigmoid_approx(WEIGHTS_SCALE*sum);
      else if (gru->activation == ACTIVATION_TANH) sum = tansig_approx(WEIGHTS_SCALE*sum);
      else if (gru->activation == ACTIVATION_RELU) sum = relu(WEIGHTS_SCALE*sum);
      else *(int*)0=0;
      h[i] = z[i]*state[i] + (1-z[i])*sum;
   }
   for (i=0;i<N;i++)
      state[i] = h[i];
}

            

Reported by Cppcheck.

deps/obs-scripting/obs-scripting-logging.c
2 issues
vsnprintf - If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate
Security

Line: 50 Column: 2 CWE codes: 134
Suggestion: Use a constant for the format specification

              		start_len = snprintf(msg, sizeof(msg), "[Unknown Script] ");
	}

	vsnprintf(msg + start_len, sizeof(msg) - start_len, format, args);

	if (callback)
		callback(param, script, level, msg + start_len);
	blog(level, "%s", msg);
}

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 27 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              void script_log_va(obs_script_t *script, int level, const char *format,
		   va_list args)
{
	char msg[2048];
	const char *lang = "(Unknown)";
	size_t start_len;

	if (script) {
		switch (script->type) {

            

Reported by FlawFinder.

deps/lzma/liblzma/simple/simple_coder.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 119 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              		// coder->pos and coder->size yet. This way the coder can be
		// restarted if the next filter in the chain returns e.g.
		// LZMA_MEM_ERROR.
		memcpy(out + *out_pos, coder->buffer + coder->pos, buf_avail);
		*out_pos += buf_avail;

		// Copy/Encode/Decode more data to out[].
		{
			const lzma_ret ret = copy_or_code(coder, allocator,

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 154 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              			// There is unfiltered data left in out[]. Copy it to
			// coder->buffer[] and rewind *out_pos appropriately.
			*out_pos -= unfiltered;
			memcpy(coder->buffer, out + *out_pos, unfiltered);
		}
	} else if (coder->pos > 0) {
		memmove(coder->buffer, coder->buffer + coder->pos, buf_avail);
		coder->size -= coder->pos;
		coder->pos = 0;

            

Reported by FlawFinder.

UI/frontend-plugins/decklink-output-ui/decklink-ui-main.cpp
2 issues
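There is an unknown macro here somewhere. Configuration is required. If OBS_DECLARE_MODULE is a macro then please configure it. Triage note: this is a Cppcheck configuration message, not a defect in the code. Until OBS_DECLARE_MODULE is defined for the analysis run (for example with Cppcheck's -D option or a --library configuration), the analysis of this file may be incomplete.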
Error

Line: 12

              #include "DecklinkOutputUI.h"
#include "../../../plugins/decklink/const.h"

OBS_DECLARE_MODULE()
OBS_MODULE_USE_DEFAULT_LOCALE("decklink-output-ui", "en-US")

DecklinkOutputUI *doUI;

bool shutting_down = false;

            

Reported by Cppcheck.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 286 Column: 6 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              					uint32_t dst_offset = linesize * i;
					uint32_t src_offset =
						ctx->video_linesize * i;
					memcpy(output_frame.data[0] +
						       dst_offset,
					       ctx->video_data + src_offset,
					       linesize);
				}


            

Reported by FlawFinder.

plugins/obs-qsv11/common_directx9.cpp
2 issues
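Memory leak: dxMidPtrs Triage note: both excerpts for this file show early `return MFX_ERR_MEMORY_ALLOC` paths that call MSDK_SAFE_FREE(dxMids) only; nothing visible releases dxMidPtrs on those paths. Its allocation is outside the excerpts, so confirm how it is allocated before adding the matching release.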
Error

Line: 405 CWE codes: 401

              			new IDirect3DSurface9 *[request->NumFrameSuggested]);
		if (!dxSrf.get()) {
			MSDK_SAFE_FREE(dxMids);
			return MFX_ERR_MEMORY_ALLOC;
		}
		hr = videoService->CreateSurface(
			request->Info.Width, request->Info.Height,
			request->NumFrameSuggested - 1, format, D3DPOOL_DEFAULT,
			m_surfaceUsage, target, dxSrf.get(), NULL);

            

Reported by Cppcheck.

Memory leak: dxMidPtrs
Error

Line: 413 CWE codes: 401

              			m_surfaceUsage, target, dxSrf.get(), NULL);
		if (FAILED(hr)) {
			MSDK_SAFE_FREE(dxMids);
			return MFX_ERR_MEMORY_ALLOC;
		}

		for (int i = 0; i < request->NumFrameSuggested; i++) {
			dxMids[i].first = dxSrf.get()[i];
			dxMidPtrs[i] = &dxMids[i];

            

Reported by Cppcheck.

deps/lzma/liblzma/lz/lz_decoder.h
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 148 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              
	} else if (distance < dict->pos) {
		// The easiest and fastest case
		memcpy(dict->buf + dict->pos,
				dict->buf + dict->pos - distance - 1,
				left);
		dict->pos += left;

	} else {

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 167 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              					copy_size);
			dict->pos += copy_size;
			copy_size = left - copy_size;
			memcpy(dict->buf + dict->pos, dict->buf, copy_size);
			dict->pos += copy_size;
		} else {
			memmove(dict->buf + dict->pos, dict->buf + copy_pos,
					left);
			dict->pos += left;

            

Reported by FlawFinder.