[FFmpeg-devel] [PATCH] avutil: add av_memcpy() to avoid undefined behavior with NULL, NULL, 0

Sun Jul 7 19:19:00 EEST 2019

On Sat, Jul 06, 2019 at 11:22:59PM +0200, Tomas Härdin wrote:
> lör 2019-07-06 klockan 18:34 +0200 skrev Michael Niedermayer:
> > On Sat, Jul 06, 2019 at 02:34:34PM +0200, Tomas Härdin wrote:
> > > lör 2019-07-06 klockan 00:08 +0200 skrev Michael Niedermayer:
> > > > As we are already off topic, heres an example to test static
> > > > analysis, does this trigger undefined behavior by executing the
> > > > memcpy
> > > > for some user input ?
> > > > 
> > > > void f(unsigned bigint a) {
> > > >     bigint i;
> > > >     for (i = 2; (((bigint)1 << a) + 1) % i; i++)
> > > >         ;
> > > >     if (a > 20 && i > ((bigint)1 << a))
> > > >         memcpy(NULL, NULL, 0);
> > > > }
> > > > 
> > > > i know its a lame example but just to remind that static analysis
> > > > has
> > > > limitations. (your mail sounds a bit like static analysis could
> > > > replace
> > > > everything ...)
> > > 
> > > That is acually perfectly legal since the intersection between
> > > [NULL,NULL) and [NULL,NULL) is empty and thus they do not overlap.
> > > Here's an example that validates:
> > > 
> > > #include <stdint.h>
> > > #include <string.h>
> > > 
> > > /*@ axiomatic Foo {
> > >     axiom Bar: \forall integer a;
> > >       0 <= a <= 62 ==>
> > >         1 <= (1<<a) <= (1<<62);
> > >     }
> > >  */
> > > 
> > > /*@ requires 0 <= a <= 62;
> > >     assigns ((char*)NULL)[0..-1];
> > >  */
> > > void f(uint64_t a) {
> > >     int64_t i = 2;
> > >     int64_t a2 = (1LL << a) + 1;
> > >     /*@ loop invariant 2 <= i <= a2;
> > >         loop assigns i;
> > >      */
> > >     for (; a2 % i; i++)
> > >         ;
> > >     //@ assert a2 % i == 0;
> > >     if (a > 20 && i > ((int64_t)1 << a))
> > >         memcpy(NULL, NULL, 0);
> > > }
> > 
> > this code is wrong.
> > Imagine this was real code, and to make it fit in the static
> > analyzer one changes it like this
> > 
> > why is it worng ?
> > the range should not have a upper bound of 62 in fact there is no
> > reason to run this function with input below 1LL<<33 that is not
> > 33 that is 1LL<<33
> 
> All bignum implementations I've seen have upper bounds. 

How can this help ?

assume we proof avutil is free of UB, then we update some external lib
or change to a platform with a larger INT_MAX and boom, the proof is
no longer valid 
(this could happen if such implementation limits are used in a proof)

Thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

You can kill me, but you cannot change the truth.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20190707/d32dc769/attachment.sig>