Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#3466 closed defect (fixed)

PVS-Studio static code analysis

Reported by: Andrey Karpov Owned by:
Priority: normal Component: undetermined
Version: unspecified Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description (last modified by Carl Eugen Hoyos)

The PVS-Studio analyzer (http://www.viva64.com/) is slowly learning to check Linux projects. Currently it cannot do so very well. However, the tool was able to find some suspicious code. I checked the FFmpeg project. Maybe some of these are errors:

V501 There are identical sub-expressions '!srcSlice' to the left and to the right of the '||' operator. swscale.c 924

int attribute_align_arg sws_scale(struct SwsContext *c,
                                  const uint8_t * const srcSlice[],
                                  const int srcStride[], int srcSliceY,
                                  int srcSliceH, uint8_t *const dst[],
                                  const int dstStride[])
{
    int i, ret;
    const uint8_t *src2[4];
    uint8_t *dst2[4];
    uint8_t *rgb0_tmp = NULL;

    if (!srcSlice || !dstStride || !dst || !srcSlice) {
        av_log(c, AV_LOG_ERROR, "One of the input parameters to sws_scale() is NULL, please check the calling code\n");
        return 0;
    }
  ....
}

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'frame->data'. vf_shuffleplanes.c 98

typedef struct AVFrame {
  uint8_t *data[8];
  ....
};

static int shuffleplanes_filter_frame(AVFilterLink *inlink, AVFrame *frame)
{
  ....
  uint8_t *shuffled_data[4] = { NULL };
  ....
  memcpy(frame->data, shuffled_data, sizeof(shuffled_data));
  ....
}

V557 Array overrun is possible. The '8' index is pointing beyond array bound. mjpegenc.c 497
V557 Array overrun is possible. The '9' index is pointing beyond array bound. mjpegenc.c 499

void ff_mjpeg_encode_mb(MpegEncContext *s, int16_t block[6][64])
{
    int i;
    if (s->chroma_format == CHROMA_444) {
        encode_block(s, block[0], 0);
        encode_block(s, block[2], 2);
        encode_block(s, block[4], 4);
        encode_block(s, block[8], 8);
        encode_block(s, block[5], 5);
        encode_block(s, block[9], 9);
  ....
}

#add
V557 Array overrun is possible. The '6' index is pointing beyond array bound. mjpegenc.c 504
V557 Array overrun is possible. The '10' index is pointing beyond array bound. mjpegenc.c 505
V557 Array overrun is possible. The '7' index is pointing beyond array bound. mjpegenc.c 506
V557 Array overrun is possible. The '11' index is pointing beyond array bound. mjpegenc.c 507
V557 Array overrun is possible. The '6' index is pointing beyond array bound. mjpegenc.c 516
V557 Array overrun is possible. The '7' index is pointing beyond array bound. mjpegenc.c 518
V564 The '&' operator is applied to bool type value. You've probably forgotten to include parentheses or intended to use the '&&' operator. dcadec.c 1373

static int dca_subsubframe(DCAContext *s, int base_channel, int block_index)
{
  ....
  if (!s->debug_flag & 0x01) {
    av_log(s->avctx, AV_LOG_DEBUG,
      "Stream with high frequencies VQ coding\n");
    s->debug_flag |= 0x01;
  }
  ....
}

V564 The '&' operator is applied to bool type value. You've probably forgotten to include parentheses or intended to use the '&&' operator. vc1dec.c 3675

static int vc1_decode_p_mb(VC1Context *v)
{
  ....
  int is_intra[6], is_coded[6];
  ....
  if (!coded_inter)
    coded_inter = !is_intra[i] & is_coded[i];
  ....
}

V593 Consider reviewing the expression of the 'A = B < C' kind. The expression is calculated as following: 'A = (B < C)'. fic.c 245

static int fic_decode_frame(....)
{
  ....
  if (ret = avctx->execute(avctx, fic_decode_slice, ctx->slice_data,
                           NULL, nslices, sizeof(ctx->slice_data[0])) < 0)
    return ret;
  ....
}

V595 The 'ts->pids[pid]' pointer was utilized before it was verified against nullptr. Check lines: 1377, 1379. mpegts.c 1377

static void m4sl_cb(....)
{
  ....
  if (ts->pids[pid]->es_id != mp4_descr[i].es_id)
    continue;
  if (!(ts->pids[pid] && ts->pids[pid]->type == MPEGTS_PES)) {
  ....
}

V610 Undefined behavior. Check the shift operator '<<. The left operand '-1' is negative. diracdec.c 1358

static int mc_subpel(....)
{
  ....
  mx = motion_x & ~(-1 << s->mv_precision);
  ....  
}

#add
V610 Undefined behavior. Check the shift operator '<<. The left operand '-1' is negative. apedec.c 1297
V610 Undefined behavior. Check the shift operator '<<. The left operand '-1' is negative. diracdec.c 1359
V610 Undefined behavior. Check the shift operator '<<. The left operand '-1' is negative. g723_1.c 2145
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 162
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 166
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 171
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 174
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 180
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 184
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 188
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 208
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 210
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 212
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 214
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 220
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 224
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 226
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 233
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 242
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 246
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. hevcpred_template.c 250
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- (2))' is negative. indeo3data.h 257
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. mlpdec.c 600
V610 Undefined behavior. Check the shift operator '<<. The left operand '(- 1)' is negative. motion_est_template.c 704
V610 Unspecified behavior. Check the shift operator '>>. The left operand '(- 1)' is negative. motion_est.c 431
V610 Unspecified behavior. Check the shift operator '>>. The left operand '(- 1)' is negative. motion_est.c 437
V610 Unspecified behavior. Check the shift operator '>>. The left operand '(- 1)' is negative. motion_est.c 439
V610 Unspecified behavior. Check the shift operator '>>. The left operand '(- 1)' is negative. motion_est.c 443
V610 Unspecified behavior. Check the shift operator '>>. The left operand '(- 1)' is negative. motion_est.c 454
V610 Unspecified behavior. Check the shift operator '>>. The left operand '(- 1)' is negative. motion_est.c 460
V610 Unspecified behavior. Check the shift operator '>>. The left operand '(- 1)' is negative. motion_est.c 461
V610 Unspecified behavior. Check the shift operator '>>. The left operand '(- 1)' is negative. motion_est.c 468
V610 Unspecified behavior. Check the shift operator '>>. The left operand '(- 32)' is negative. motion_est.c 1423
V610 Undefined behavior. Check the shift operator '<<. The left operand '-1' is negative. mpegaudiodec_template.c 219
V610 Undefined behavior. Check the shift operator '<<. The left operand '-1LL' is negative. wavpack.c 671
V610 Undefined behavior. Check the shift operator '<<. The left operand '-1' is negative. wmadec.c 702
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 690
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 691
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 770
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 771
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 819
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 820
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 858
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 859
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 908
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 909
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 970
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 971
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 1008
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 1009
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 1036
V610 Undefined behavior. Check the shift operator '<<. The left operand '-128' is negative. output.c 1037
V614 Potentially uninitialized variable 'info_bits' used. g723_1.c 2335

static int pack_bitstream(G723_1_Context *p, unsigned char *frame, int size)
{
  ....
  int info_bits;
  ....
  if (p->cur_rate == RATE_6300) {
    info_bits = 0;
    put_bits(&pb, 2, info_bits);
  }
  ....
  return frame_size[info_bits];
}

V636 The 'i / 4' expression was implicitly casted from 'int' type to 'double' type. Consider utilizing an explicit type cast to avoid the loss of a fractional part. An example: double A = (double)(X) / Y;. mpegaudio_tablegen.h 48

static void mpegaudio_tableinit(void)
{
  int i, value, exponent;
  for (i = 1; i < TABLE_4_3_SIZE; i++) {
    double value = i / 4;
  ....
}

#add
V636 The 'sad / nb_sad' expression was implicitly casted from 'long' type to 'double' type. Consider utilizing an explicit type cast to avoid the loss of a fractional part. An example: double A = (double)(X) / Y;. f_select.c 282
V636 The 'width / 2' expression was implicitly casted from 'int' type to 'double' type. Consider utilizing an explicit type cast to avoid the loss of a fractional part. An example: double A = (double)(X) / Y;. vf_deshake.c 309
V636 The 'height / 2' expression was implicitly casted from 'int' type to 'double' type. Consider utilizing an explicit type cast to avoid the loss of a fractional part. An example: double A = (double)(X) / Y;. vf_deshake.c 310
V636 The 'mb->h / 2' expression was implicitly casted from 'int' type to 'double' type. Consider utilizing an explicit type cast to avoid the loss of a fractional part. An example: double A = (double)(X) / Y;. vsrc_mandelbrot.c 258
V636 The 'mb->w / 2' expression was implicitly casted from 'int' type to 'double' type. Consider utilizing an explicit type cast to avoid the loss of a fractional part. An example: double A = (double)(X) / Y;. vsrc_mandelbrot.c 267
V636 The 's->avctx->rc_buffer_size * 3 / 4' expression was implicitly casted from 'int' type to 'double' type. Consider utilizing an explicit type cast to avoid the loss of a fractional part. An example: double A = (double)(X) / Y;. ratecontrol.c 163
V636 The 's->avctx->rc_buffer_size / 2' expression was implicitly casted from 'int' type to 'double' type. Consider utilizing an explicit type cast to avoid the loss of a fractional part. An example: double A = (double)(X) / Y;. ratecontrol.c 961
V636 The '1 * s->out.ch_count / s->in.ch_count' expression was implicitly casted from 'int' type to 'double' type. Consider utilizing an explicit type cast to avoid the loss of a fractional part. An example: double A = (double)(X) / Y;. swresample.c 386
V640 The code's operational logic does not correspond with its formatting. The statement is indented to the right, but it is always executed. It is possible that curly brackets are missing. vc1dec.c 1917

static void vc1_interp_mc(VC1Context *v)
{
  ....
  if (v->field_mode) {
      if (v->cur_field_type != v->ref_field_type[1])
          my   = my   - 2 + 4 * v->cur_field_type;
          uvmy = uvmy - 2 + 4 * v->cur_field_type;
  }
  ....
}

P.S. Error descriptions: http://www.viva64.com/en/d/
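
Editor's note on the V564 and V593 findings above: both are operator-precedence mistakes, and it is worth seeing what they actually do at runtime. The following is an added example written for this page, not FFmpeg code; demo_execute(), DEMO_EINVAL and the sample flag values are constructed stand-ins for avctx->execute(), the AVERROR codes and the decoder state in fic.c, dcadec.c and vc1dec.c.

```c
/* Added example for this ticket page, not FFmpeg code: it shows why the
 * V564 and V593 findings above matter.  All names and values are
 * constructed for the demonstration. */
#include <stdio.h>

#define DEMO_EINVAL (-22)   /* stands in for an AVERROR-style negative code */

/* Stand-in for a failing avctx->execute() call. */
static int demo_execute(void)
{
    return DEMO_EINVAL;
}

/* V593, as in fic.c: '<' binds tighter than '=', so ret receives the
 * result of the comparison (0 or 1), not the error code.  The failure is
 * still detected, but the caller gets 1 instead of the negative code,
 * which most FFmpeg callers would take for success. */
static int execute_check_buggy(void)
{
    int ret;
    if (ret = demo_execute() < 0)   /* intentionally unparenthesised */
        return ret;
    return 0;
}

/* Corrected form: parenthesise the assignment. */
static int execute_check_fixed(void)
{
    int ret;
    if ((ret = demo_execute()) < 0)
        return ret;
    return 0;
}

/* V564, as in dcadec.c: '!' binds tighter than '&', so this tests
 * "debug_flag is zero" (then ANDs with 1), not "bit 0 of debug_flag is
 * clear".  With bit 1 set and bit 0 clear the buggy form yields 0, the
 * intended test yields 1, so the one-time log message is never emitted. */
static int bit0_clear_buggy(int debug_flag)
{
    return !debug_flag & 0x01;
}

static int bit0_clear_fixed(int debug_flag)
{
    return !(debug_flag & 0x01);
}

/* V564, as in vc1dec.c: !a & b is only equivalent to !a && b while b is
 * strictly 0 or 1.  Any other non-zero b silently turns the result into 0. */
static int coded_inter_buggy(int is_intra, int is_coded)
{
    return !is_intra & is_coded;
}

static int coded_inter_fixed(int is_intra, int is_coded)
{
    return !is_intra && is_coded;
}

int main(void)
{
    printf("V593 fic.c:    buggy=%d fixed=%d\n",
           execute_check_buggy(), execute_check_fixed());
    printf("V564 dcadec.c: flag=0x02 buggy=%d fixed=%d\n",
           bit0_clear_buggy(0x02), bit0_clear_fixed(0x02));
    printf("V564 vc1dec.c: is_coded=2 buggy=%d fixed=%d\n",
           coded_inter_buggy(0, 2), coded_inter_fixed(0, 2));
    return 0;
}
```

Compile with -Wall: gcc and clang already warn about the first two forms ("suggest parentheses"), so the cheapest check for this class of finding is treating -Wparentheses as an error in CI rather than waiting for an external analyzer.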

Change History (2)

comment:1 by Carl Eugen Hoyos, 10 years ago

Component: ffmpeg → undetermined
Description: modified (diff)
Summary: PVS-Studio → PVS-Studio static code analysis

comment:2 by Michael Niedermayer, 10 years ago

Resolution: fixed
Status: new → closed

All issues fixed (except the signed shift, for which a patch is welcome).
I ignored false positives, though.

Last edited 10 years ago by Michael Niedermayer
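
Editor's note on the signed shifts left open in comment 2: the V610 hits in the description are of three shapes, ~(-1 << s->mv_precision) in diracdec.c, -128 << n in output.c, and (-1) >> n in motion_est.c. The block below is an added example written for this page; it is not FFmpeg code and not a submitted patch. It shows well-defined equivalents for each shape; the helper names (low_bits_mask, subpel_fraction, scaled_negative, arith_shr) and the sample values are this example's own assumptions.

```c
/* Added example, not FFmpeg code and not a patch for the project:
 * well-defined replacements for the negative-left-operand shifts reported
 * as V610 above.  Helper names and sample values are this example's own. */
#include <stdio.h>

/* diracdec.c builds a low-bit mask as ~(-1 << prec).  Left-shifting a
 * negative int is undefined behaviour (C99/C11 6.5.7p4).  Shifting an
 * unsigned all-ones value instead is fully defined and yields the same
 * bit pattern.  Assumes prec < 32, as the original does. */
static unsigned low_bits_mask(unsigned prec)
{
    return ~(~0u << prec);
}

/* The mc_subpel() use: keep only the sub-pixel fraction of a motion vector.
 * The result equals the original's on every two's-complement target,
 * without the undefined shift. */
static int subpel_fraction(int motion_x, unsigned prec)
{
    return motion_x & (int)low_bits_mask(prec);
}

/* output.c shifts a negative constant: -128 << n.  Shift the magnitude and
 * negate afterwards; defined as long as magnitude << n fits in int, which
 * for 128 means n <= 23. */
static int scaled_negative(int magnitude, unsigned n)
{
    return -(magnitude << n);
}

/* motion_est.c right-shifts negative values.  That is implementation-
 * defined rather than undefined, but whether the shift is arithmetic or
 * logical is up to the compiler.  This forces floor semantics on any
 * conforming implementation: for negative x, ~x is non-negative, so
 * ~x >> n is defined, and ~(~x >> n) equals floor(x / 2^n). */
static int arith_shr(int x, unsigned n)
{
    return x < 0 ? ~(~x >> n) : x >> n;
}

int main(void)
{
    printf("low_bits_mask(3)=%u subpel_fraction(-5,3)=%d\n",
           low_bits_mask(3), subpel_fraction(-5, 3));
    printf("scaled_negative(128,19)=%d arith_shr(-33,3)=%d\n",
           scaled_negative(128, 19), arith_shr(-33, 3));
    return 0;
}
```

The same unsigned-mask idiom covers the -1LL << n case in wavpack.c with ~0ull in place of ~0u. Because every current FFmpeg target is two's-complement, none of these rewrites changes emitted values; what they remove is the compiler's licence to assume the shift never happens, which is what turns a warning like this into miscompiled code under aggressive optimisation or a sanitizer abort under -fsanitize=undefined.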