FFMpeg XTU Analysis

FFMpeg without XTU versus FFMpeg with XTU

(Tested with Clang 4.0)

Summary

Analyzed project	All Non-CTU Findings (baseline)	All CTU Findings	New CTU findings	Disappeared findings	Successfully analyzed	Failed to analyze	Analysis Time (baseline)[s]	Analysis Time XTU (1st Phase + 2nd Phase)[s]	Median of bug path length (BPL) in baseline	Median of BPL CTU	Median of BPL of new findings	Median of BPL of disappeared findings
FFMpeg	394	527	143	36	1559 files	4 files	403	60+963	8	11	17	14

Checker ID	Number of new findings
core.CallAndMessage	5
core.DivideZero	5
core.NonNullParamChecker	36
core.NullDereference	20
core.UndefinedBinaryOperatorResult	26
core.uninitialized.Assign	12
core.uninitialized.Branch	9
unix.Malloc	30

✅ Most important true positives found with XTU

1. Called function pointer is null (core.callAndMessage) http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17582
2. Memory leak (unix.malloc): http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17754
3. Memory Leak (unix.malloc): http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17714
4. core.DivideZero http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17697
5. core.DivideZero http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17616
6. unix.malloc use of memory after freed http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17486
7. core.NullDereference http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17971

• If oformat->priv_data_size is 0, we deref. a proper nullptr at the assignment. ✔️

10. core.uninitialized.Branch -- multiple occurrences of the same error

• http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17493
• http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17539
• http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17827
• The end: "destructor" path does not differentiate on how much "init" steps were successful and always call every "destructor", thus in this case, if no codec is found, the garbage &(AVFrame*) is passed.

❎ False positives

1. core.NullDereference http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17592

• Unlikely to happen, as BugPath involves FFMpeg getting used with an unknown protocol.

2. core.DivisionByZero http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17767

• Analyser didn't enter av_mul_q

3. core.uninitialized.Branch http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17679

• Human code analysis reveals that the documentation indicates that the library user MUST set a certain variable to a certain value, after which the bug isn't relevant anymore, as threaded frames will properly be allocated.

4. core.uninitialized.Branch http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17781 ❎

• In line 2466, pb is initialised, after which this pb is contained in the ptr s->pb. avio_read() is called with this s->pb in line 2293 (which still exists and points to valid memory), though the checker says it (s in the function, which got s->pb as argument) is garbage.

5. core.DivisionByZero http://cc.inf.elte.hu:8080/#baseline=177&newcheck=178&report=17781

• Assuming gcd is 0 is pretty much impossible for rational numbers.
• NOTE! av_gcd() has undefined behaviour if we query gcd( [<= 0], [<= 0]) but in this context, these are positive integers... (sampling ratios, frame-per-sec, etc.)