From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [WIP] False positives on Coverity
Date: Sat, 8 Jun 2024 18:01:43 +0200
Message-ID: <20240608160143.GW2821752@pb2>
In-Reply-To: <20240513233816.GL6420@pb2>
On Tue, May 14, 2024 at 01:38:16AM +0200, Michael Niedermayer wrote:
> Hi all
>
> To keep people updated (and as this is not visible on the ML)
> here's my current list of issues marked as false positives / intentional in May & April 2024
> (in case anyone wants to review, I presume no one wants to, but just in case)
updated list as of today:
1409917 Unintentional integer overflow No overflow happens as dimensions and sprite accuracy are too limited
1409920 Unintentional integer overflow The involved variables are too restricted for overflow
1416963 Unintentional integer overflow No overflow happens as bytes of an image are addressable by int
1417663 Uninitialized scalar variable par_m_source is 0..3 and mid is initialized
1419522 Unintentional integer overflow No overflow can happen, the values are too restricted
1419833 Untrusted loop bound The loop bound is limited to 65535
I also submit a patch to check the 2nd case better
1500345 Uninitialized scalar variable Not a bug strictly but bad practice and fix submitted
1503083 Uninitialized pointer read nb_channels is non negative, coverity assumes it could be negative
1452594 Free of array-typed value passed flags are 0 but assumed by coverity to be non 0
1452451 Use after free coverity assumes FLAGS has values it does not
1452474 Use after free coverity assumes FLAGS has values it does not
1452532 Use after free coverity assumes FLAGS has values it does not
1524728 Free of array-typed value coverity assumes 0 (flags) is not 0
1591440 Free of array-typed value coverity assumes 0 (flags) is not 0
1452617 Free of array-typed value coverity assumes AV_DICT_DONT_STRDUP_KEY but that is not set
1520670 Dereference after null check either frame or pkt is NULL
1524701 Free of array-typed value coverity assumes flags to be non 0 while it is 0
1538859 Dereference after null check frame is always non-NULL for audio and video
1596536 Dereference null return value There should be a descriptor for every type that is used
1518989 Missing break in switch no break is intentional
1559177 Resource leak av_fifo_write() either succeeds or the frame is freed
1559181 Resource leak av_fifo_write() either succeeds or the frame is freed
1596530 Free of array-typed value coverity assumes flags to be non 0 while it is 0
1516444 Free of array-typed value coverity assumes flags to be non 0 while it is 0
1524729 Free of array-typed value coverity assumes flags to be non 0 while it is 0
1596628 Free of array-typed value coverity assumes flags to be non 0 while it is 0
1452412 Free of array-typed value coverity assumes flags to be non 0 while it is 0
1452415 Free of array-typed value coverity assumes flags to be non 0 while it is 0
1452551 Free of array-typed value coverity assumes flags to be a value it is not
1559186 Resource leak The value is stored by av_fifo_write() and thus not lost
1452419 Free of array-typed value coverity assumes flags to be non 0 while it is 0
1452457 Missing break in switch this looks intentional
1500328 Resource leak packet_queue_put_private() either stores pkt1 or it fails and its freed
1452606 Free of array-typed value coverity assumes AV_DICT_DONT_STRDUP_VAL is set while it is not
1551681 Data race condition The mutex is in the caller
1475938 Uninitialized array index read all of dither seems to be initialized
1465483 Unintentional integer overflow the clip limits len
1473539 Explicit null dereferenced new_rematrixing_strategy is always set for block 0
1596532 Copy of overlapping memory num_blocks is positive so the loop does at least one iteration
1500322 Out-of-bounds read the mode is simply not possible
1473499 Uninitialized scalar variable the default case seems unreachable
1595709 Uninitialized scalar variable num_uv_points cannot be set when predict_uv_scaling is uninitialized
1595705 Uninitialized scalar variable the parts of scaling used and initialized
1595706 Uninitialized scalar variable the parts of scaling used and initialized
1595707 Unintended sign extension the array is not gb sized, the shift is not nearly that large
1467648 Untrusted loop bound loop bound is 16bit and thus bound by 65535, it's also bound by the data length
1504415 Untrusted value as argument av_grow_packet() will allocate a buffer matching the value or it will fail
1545117 Division or modulo by zero coverity assumes the loop never executes but that's not currently possible
1473510 Untrusted loop bound the read values are checked when they are read
1507875 Untrusted array index read seq_parameter_set_id is checked when read (also coverity seems to have a lot of problems with the multiple layers of macros and functions in the CBS system)
1452623 Free of address-of expression coverity fails to keep track of data_ref/data_buf
1458177 Free of address-of expression coverity assumes data_ref is NULL
1465491 Unintentional integer overflow 8 is smaller than 32
1465864 Out-of-bounds read coverity assumes planes can be more than 4
1543204 Logically dead code Lynne prefers to keep this code
1500292 Unintentional integer overflow the error is too small for an overflow to happen
1443722 Unintentional integer overflow image dimensions do not overflow 32bit
1467656 Out-of-bounds access There is enough space allocated for what is accessed
1427586 Out-of-bounds read coverity assumes (x&511) >= 512
1465486 Unintentional integer overflow 16bit + 8bit doesn't need 64bit
1496852 Macro compares unsigned to 0 macro tests the valid range, one side is 0
1596606 Unintentional integer overflow valid width * height must fit in int
1452461 Free of array-typed value coverity 0 != 0 flags issue
1473505 Untrusted loop bound The loop is checking the upper bound
1466634 Missing break in switch fallthrough initializes [0]
1516445 Out-of-bounds read a j=0; j<1; j++ loop does not execute twice
1473591 Untrusted loop bound The loop checks if more data remains
1496615 Explicit null dereferenced code is not reachable with frame = NULL
1532404 Untrusted loop bound the loop tests if data is remaining
1452436 Free of array-typed value 0 is really 0
1485002 Unintentional integer overflow dc_w and dc_h (xsize * ysize) is tested by av_image_check_size2()
1500327 Unintentional integer overflow width *planes does not overflow
1452485 Free of array-typed value flags 0 is really 0
1500307 Unintentional integer overflow The arguments to the multiplication are small numbers
1500324 Unintentional integer overflow The arguments to the multiplication are small numbers
1500335 Unintentional integer overflow The arguments to the multiplication are small numbers
1500337 Unintentional integer overflow The arguments to the multiplication are small numbers
1551680 Check of thread-shared field evades lock acquisition thread1 and thread2 are the same and the main thread so they don't need a mutex between each other
1551686 Data race condition task index is not changed by another thread
1551692 Data race condition the return code is not changed once the task has returned a code
1452477 Untrusted value as argument zsize is positive and its maximum is checked
1500326 Unintentional integer overflow no overflow
1500323 Unintentional integer overflow ccr_bur*cb_tbl cannot overflow here atm
1500348 Unintentional integer overflow f*ff_g723_1_cos_tab will not overflow here atm
1500352 Unintentional integer overflow 16bit * 16384 will not overflow
1515882 Unintentional integer overflow
1515883 Unintentional integer overflow
1515884 Unintentional integer overflow
1473559 Uninitialized scalar variable coverity hallucinates different sub_mb_type values each time it looks
1465261 Free of array-typed value and 0 is still 0
1413314 Untrusted pointer read The code seems ok, just ugly
1430928 Untrusted loop bound The values are checked against size
1430929 Untrusted value as argument The values are checked against side_data_size
1452417 Free of array-typed value coverity still fails to consider the flag value
1452423 Free of array-typed value 0 is REALLY 0
1452553 Free of array-typed value 0 AV_DICT_DONT_OVERWRITE is not AV_DICT_DONT_STRDUP_VAL
1452575 Free of array-typed value 0 is REALLY 0
1466602 Free of array-typed value if flags 0 is passed then the flags argument is 0
1473502 Untrusted loop bound seeking to an "untrusted value" is fine
1473502 Untrusted loop bound avio_seek() checks the offset
1473544 Untrusted loop bound allocate then store
1473561 Untrusted pointer write a non negative variable only needs an upper bound check, I will suggest adding an assert though. This code does have a feeling of fragility to it
1473589 Untrusted value as argument mode_blocksize is 0 or 1
1477411 Free of array-typed value another 0 is not 0 in coverity
1477412 Untrusted divisor the pcrs are checked so they are not equal
1477435 Untrusted loop bound inside the loop there are checks
1477437 Untrusted loop bound the code just skips over the chunk size with avio_skip()
1500301 String not null terminated the profile_string is const and 0 terminated. p is initialized to all 0, there is remaining space after the memcpy thus p is 0 terminated
1500302 Uninitialized scalar variable is_pipe and ts_from_file are contradicting
1452430 Free of array-typed value 0 != 0 again
1442565 Untrusted loop bound dict_entries is checked against extradata_size
1596608 Dereference after null check a new frame is allocated by ff_progress_frame_get_buffer
1455684 Unintentional integer overflow w*h doesn't overflow w*h/256*100 also won't
1361959 Untrusted loop bound cnt is checked against bytestream2_get_bytes_left(&dgb
1473503 Untrusted loop bound the loop checks if there is input data remaining
1473551 Untrusted loop bound the loop is checked by height and linesize
1473573 Untrusted loop bound the loop checks if there is input data remaining
1473506 Missing break in switch intentional
1466603 Uninitialized scalar variable good_thresh is given inconsistent values by coverity
1528149 Unintended sign extension width * height < 4096
1547074 Missing break in switch intentional fallthrough
1547075 Missing break in switch intentional fallthrough
1477413 Missing break in switch intentional fallthrough
1512411 Dereference after null check pkt_out is NULL for alpha, the dereference is under !ctx->is_alpha
1530136 Operands don't affect result LONG may be the same as uint64_t but it doesn't have to be
1465488 Unintentional integer overflow with 1U this is now a false positive
1500294 Unintentional integer overflow the shift is limited to 7+15
1465264 Free of array-typed value 0 & x == 0
1521983 Unintentional integer overflow
1465484 Unintentional integer overflow the dc chroma vlcs don't overflow 32bit
1465485 Unintentional integer overflow the dc luma vlcs don't overflow 32bit
1473497 Uninitialized scalar variable switch case default is impossible
1473517 Uninitialized scalar variable switch case default is impossible
1500291 Unintentional integer overflow Straight above the use it's checked
1500295 Unintentional integer overflow Straight above the use it's checked
1465480 Unintentional integer overflow mb num doesn't overflow
1465490 Unintentional integer overflow ESC3 should not overflow
1473567 Result is not floating-point yes that's how the mp3 dequant works
1503079 Division or modulo by zero coverity assumes frames = 0 but this is impossible
1465482 Unintentional integer overflow the number of bits written is max 10 so no overflow is possible
1596736 Untrusted loop bound the flags are 0, coverity assumes they are not and taking an impossible branch / The 2 of 3 case is unrelated, and simply checks strcasecmps the given filename
1596737 Free of array-typed value the flags are 0, coverity assumes they are not and taking an impossible branch
1441937 Unintentional integer overflow MB num doesn't overflow
1500279 Unintentional integer overflow libopus uses 16bit so 32 will suffice
1452479 Out-of-bounds access coverity disregards that the nlsf[] access is after a i != order check
1452618 Out-of-bounds access coverity assumes impossible subframes, this begins with the assumption of duration_ms=60 and nb_frames = 1, which is already not possible at the same time
1447467 Free of address-of expression the flags are 0, coverity assumes they are not and taking an impossible branch
1521984 Free of array-typed value the flags are 0, coverity assumes they are not and taking an impossible branch
1465489 Unintentional integer overflow put_bits() already asserts a limit in k of 30 indirectly
1500333 Uninitialized scalar variable lpc should be initialized in all cases in subframe 0, other subframes follow and thus have it initialized from subframe 0
1505357 Unintentional integer overflow w*h*4 doesn't overflow
1495853 Missing break in switch Looks like intended fallthrough
1465487 Unintentional integer overflow Check is above
1548380 Uninitialized scalar variable This is possible if size is 0 but it is never 0
1429858 Unintended sign extension 8bit * 1 is not overflowing
1473496 Unchecked return value With a fixed size, a failure is not expected
1473581 Missing break in switch
1515890 Out-of-bounds access width is not a negative value
1500282 Uninitialized scalar variable Either vlc table is set or value is, coverity assumes an invalid state
1473508 Untrusted array index read The indexes are limited to the array sizes
1500353 Unintentional integer overflow The line above checks for this
1500293 Unintentional integer overflow the product of 2 8 bit numbers does not overflow 32bit
1469450 Unintentional integer overflow dc vlc should fit in 32bit
1469451 Unintentional integer overflow dc vlc should fit in 32bit
1473582 Uninitialized scalar variable frame and block need to be intra OR inter they cannot be neither
1500311 Uninitialized scalar variable frame and block need to be intra OR inter they cannot be neither
1452495 Uninitialized scalar variable 3bits are within 0..7
1452628 Uninitialized scalar variable 3bits are within 0..7
1518967 Unchecked return value buf can't be NULL and 157 isn't 0 nor is it overflowing
1518968 Unchecked return value buf can't be NULL and 157 isn't 0 nor is it overflowing
1429859 Unintentional integer overflow The range of hscale and delta_size is too limited and w h are checked
1465479 Unintentional integer overflow unary is 31 or lower here
1427156 Uninitialized pointer read the implied pix fmts and pack are incompatible, thus the execution path is impossible
1591438 Division or modulo by zero I don't think widest_tile_sb can be 0 here
DUP 1441935 Unchecked return value The buffer used is a fixed size buffer from the context, it cannot be too large nor can it be NULL
1544628 Unintentional integer overflow no len is all checked
1544629 Unintentional integer overflow no len is all checked
1473569 Untrusted array index read mode_blocksize is 0 or 1, header_len is checked < 7 and not negative
1452622 Logically dead code coverity treats an unsigned check as if it was signed
1516089 Negative array index write unsigned values are not negative
1560038 Negative array index read The invalid case implies CHROMA_FORMAT_444 while the array index is under CHROMA_FORMAT_422
1560043 Uninitialized scalar variable pred_flag should not magically change
1560045 Unintended comparison to logical negation looks intentional to me
1593172 Unintended sign extension 16bit shifted by v/hshift will not overflow
1593173 Unintended sign extension 16bit shifted by v/hshift will not overflow
1593174 Unintended sign extension 16bit shifted by v/hshift will not overflow
1593175 Unintended sign extension 16bit shifted by v/hshift will not overflow
1507877 Unintentional integer overflow w*h doesn't overflow
1560039 Logically dead code ; Work in progress, see review on ML
1458126 Result is not floating-point The exact value doesn't matter as it becomes infinite anyway
1441930 Unintentional integer overflow w*h doesn't overflow
1473557 Uninitialized scalar variable coverity doesn't understand the inline asm
1473585 Uninitialized scalar variable coverity doesn't understand the inline asm
1591975 Explicit null dereferenced u.map is set by av_channel_layout_custom_init()
1458153 Structurally dead code coverity seems to not test CONFIG_VULKAN
1583741 Resource leak the leak is inconsistent with the checks on fd
1593009 Dereference after null check if it's NULL, then len is 0
1593010 Out-of-bounds read out_len may be large but that doesn't imply out still points to buf
1583742 Unchecked return value "We're not checking for errors here because the kernel may not support the ioctl, in which case its okay to carry on"
1516764 Dereference null return value the value that has just been stored will not fail to be found
1500313 Out-of-bounds read the sample formats input are valid
1509371 Use of 32-bit time_t the exact value of time doesn't matter
1473549 Untrusted divisor It's a float and it is checked "Value inf for parameter 'flags' is not a valid set of 32bit integer flags"
1500289 Unintentional integer overflow squaring 8bit will not overflow 32bit
1500296 Unintentional integer overflow w*h will not overflow 32bit
1592142 Unintentional integer overflow squaring 8bit (9bit signed) will not overflow 32bit
1497114 Missing break in switch
1473525 Untrusted loop bound we check the user provided name against a list
1506707 Uninitialized scalar variable FFmpeg does not ship an avisynth_c.h anymore
1529991 Arguments in wrong order num/den are exchanged as framerate vs timebase have them exchanged
1482088 Missing break in switch
1507242 Untrusted pointer read The data is checked, the code is ugly though
1473538 Untrusted loop bound reading till EOF if there is nothing better
1497470 Operands don't affect result
1500278 Uninitialized scalar variable uninitialized implies len = 0
1512404 Use after free 0 flags is 0
1464083 Use after free 0 flags are still 0 in the function
1500310 Uninitialized scalar variable data_end would be 0 if data_start had not been initialized
1532406 Untrusted loop bound this simply iterates over NALs
1538299 Untrusted loop bound this simply iterates over NALs
1500346 Uninitialized scalar variable uninitialized implies len = 0
1485969 Result is not floating-point it's just a limit
1452541 Use after free 0 flags are 0 even inside av_dict_set()
1598551 Unintentional integer overflow the vertical coordinate fits in int
1598560 Unintentional integer overflow the vertical coordinate fits in int
1591879 Explicit null dereferenced inconsistent avctx->pix_fmt
1591921 Unchecked return value A check is not needed here as it's not in a loop
1591895 Unintentional integer overflow mb width *4 doesn't overflow
1591893 Unintentional integer overflow height * linesize should not overflow
1591900 Unintentional integer overflow height * linesize should not overflow
1591904 Unintentional integer overflow height * linesize should not overflow
1591907 Unintentional integer overflow height * linesize should not overflow
1591920 Unintentional integer overflow height * linesize should not overflow
1591934 Unintentional integer overflow height * linesize should not overflow
1591940 Unintentional integer overflow height * linesize should not overflow
1591945 Unintentional integer overflow height * linesize should not overflow
1591950 Unintentional integer overflow height * linesize should not overflow
1591922 Unintentional integer overflow pixel shift won't exceed 32bit
1591943 Unintentional integer overflow pixel shift won't exceed 32bit
1591873 Unintentional integer overflow pixel 80 << pixel shift will not exceed 32bit
1591917 Unintentional integer overflow w and h are checked to be within 16bit
1591883 Unintentional integer overflow height * linesize should not overflow
1591860 Unintentional integer overflow multiplying linesize by 1 or 2 doesn't overflow
1591865 Unintentional integer overflow multiplying linesize by 1 or 2 doesn't overflow
1591871 Unintentional integer overflow linesize *2 does not overflow
1591869 Unintentional integer overflow linesize *2 does not overflow
1591936 Unintentional integer overflow linesize *2 does not overflow
1505358 Untrusted loop bound w,h,channels are checked
1591890 Unintentional integer overflow linesize will fit in int
1598554 Unchecked return value the return does not need to be checked here
1591863 Unintentional integer overflow should not be able to overflow
1591908 Unintentional integer overflow should not be able to overflow
1591949 Unintentional integer overflow 8 * sb_cols should not overflow
1591872 Unintentional integer overflow offset_v << ps should not overflow
1591905 Unintentional integer overflow w << ps should not overflow
1591910 Unintentional integer overflow the pixel size will not overflow 32bit
1591912 Unintentional integer overflow border << pixel_shift should not overflow
1591927 Unintentional integer overflow w << ps should not overflow
1591947 Unintentional integer overflow 1<< ps, w << ps should not overflow
1591882 Unintentional integer overflow the edge buffer stride doesn't overflow
1591919 Unintentional integer overflow the edge buffer stride doesn't overflow
1591941 Unintentional integer overflow the edge buffer stride doesn't overflow
1530245 Out-of-bounds read If the list has 1 element then this element is NULL
1598565 Uninitialized pointer write (see ML)
1598561 Uninitialized pointer write (see ML)
1551690 Check of thread-shared field evades lock acquisition ; async_seek() is not called from 2 threads at the same time
1457610 Use after free ; 0 = 0
1473574 Untrusted loop bound ; i is in a permissible range if it's within the buffer, the loop checks this
1591946 Structurally dead code ; It is only dead on some platforms
1492156 Unintentional integer overflow ; nb_index_entries is 16bit here
1452604 Use after free ; 0 flags is 0
1473558 Untrusted loop bound ; header_len is bound by the extradata size
1515516 Use after free ; another form of the eternal 0 becomes non 0 coverity bug
1596702 Explicit null dereferenced ; coverity ignores av_channel_layout_custom_init()
1595708 Explicit null dereferenced ; 1595708 Explicit null dereferenced
1591902 Operands don't affect result ; platform dependent
1477409 Use after free ; The eternal 0 flags bug from coverity, 0 has no flags set the codepath is impossible
1594483 Explicit null dereferenced ; coverity ignores av_channel_layout_custom_init()
1490845 Use after free ; AV_DICT_APPEND is also not the right flag to free the argument
1473547 Untrusted pointer read ; The values are tested a few lines before use
1591794 Out-of-bounds read ; The end check resets the index
1530185 Missing break in switch ; intentional
1530298 Missing break in switch ; intentional
1530313 Untrusted loop bound ; The loop is bounded by bytestream2_get_bytes_left()
1530166 Free of array-typed value ; a flags of 1 also doesn't trigger the free() code
1530258 Copy of overlapping memory ; username and auth_params are separate fields they do not overlap
1530312 Untrusted loop bound ; we read size, we allocate and process the data, coverity points to no issue
1494441 Untrusted value as argument ; length is checked one line above the coverity warning
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact