Our website uses cookies to enhance your browsing experience.
Accept
to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
* Difference between Team and Enterprise
Didn't get our email?
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
Why do we ask to use Business Email?
New License
License Renewal
--Select currency--
USD
EUR
Didn't get our email?
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
Why do we ask to use Business Email?
Didn't get our email?
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
Didn't get our email?
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
Why do we ask to use Business Email?
Didn't get our email?
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam

Webinar: Evaluation - 05.12

Registration
Home
>
Posts
>
Examples of errors
>
Examples of errors detected by the V512…

Examples of errors detected by the V512 diagnostic

V512. Call of the 'Foo' function will lead to buffer overflow.

Game_Music_Emu library

V512 A call of the 'memcpy' function will lead to a buffer overflow. game-music-emu nsfe_emu.cpp 162


struct header_t
{
  ....
  byte load_addr [2];
  byte init_addr [2];
  byte play_addr [2];
  ....
}

blargg_err_t Nsfe_Info::load( Data_Reader& in,
                              Nsf_Emu* nsf_emu )
{
  ....
  memcpy( info.load_addr, finfo.load_addr, 2 * 3 );
  ....
}

There's no error, but this code is dangerous.

UCSniff

V512 A call of the 'memcpy' function will lead to the '"sip"' buffer becoming out of range. targets.c 566


struct targets{
  char ip[MAX_ASCII_ADDR_LEN];
  u_char mac[MAX_ASCII_ADDR_LEN];
  char extension[64];
  char dirname[64];
  char protocol[11];
  char ua[48];
  char misc[64];
};

void sip_targetlookup(sipDB* currentSipCall)
{
  ....
  memcpy(targettab[targetcount].protocol,
         "sip",
         sizeof(targettab[targetcount].protocol));
  ....
}

Similar errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to the '"sip"' buffer becoming out of range. targets.c 631

MAME

V512 A call of the 'memcpy' function will lead to the '& rawheader[100]' buffer becoming out of range. chd.c 1870


#define CHD_SHA1_BYTES    20
#define CHD_V4_HEADER_SIZE   108
#define CHD_MAX_HEADER_SIZE   CHD_V4_HEADER_SIZE

static chd_error header_read(...., chd_header *header)
{
  UINT8 rawheader[CHD_MAX_HEADER_SIZE];
  ....
  memcpy(header->parentsha1, &rawheader[100],
         CHD_SHA1_BYTES);
  ....
}

OpenCV

V512 A call of the 'memset' function will lead to overflow of the buffer 'latestCounts'. calibfilter.cpp 238


class CV_EXPORTS CvCalibFilter
{
  ....
  enum { MAX_CAMERAS = 3 };
  int latestCounts[MAX_CAMERAS];
  CvPoint2D32f* latestPoints[MAX_CAMERAS];
  ....
};

void CvCalibFilter::SetCameraCount( int count )
{
  ....
  memset( latestCounts, 0, sizeof(latestPoints) );
  ....
}

Micro-Manager

V512 A call of the 'memcpy' function will lead to overflow of the buffer '& stat.lPosition'. MotorStage.cpp 247


typedef struct _DCMOTSTATUS
{
  unsigned short wChannel;   // Channel ident.
  unsigned int lPosition;    // Position in encoder counts.
  unsigned short wVelocity;  // Velocity in encoder counts/sec.
  unsigned short wReserved;  // Controller specific use
  unsigned int dwStatusBits; // Status bits (see #defines below).
} DCMOTSTATUS;

int MotorStage::ParseStatus(const unsigned char* buf, int bufLen,
  DCMOTSTATUS& stat)
{
  ....
  memcpy(&stat.lPosition, buf + bufPtr, sizeof(long));  // <= (1)
  bufPtr += sizeof(long);

  memcpy(&stat.wVelocity, buf + bufPtr, sizeof(unsigned short));
  bufPtr += sizeof(unsigned short);

  memcpy(&stat.wReserved, buf + bufPtr, sizeof(unsigned short));
  bufPtr += sizeof(unsigned short);

  memcpy(&stat.dwStatusBits,
         buf + bufPtr, sizeof(unsigned long));          // <= (2)
  return DEVICE_OK;
}

(1) - Not critical. (2) - Critical.

Similar errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to overflow of the buffer '& stat.dwStatusBits'. MotorStage.cpp 256

FCEUX

V512 A call of the 'strcpy' function will lead to overflow of the buffer '(char *) & bdata[13]'. bworld.cpp 64


static uint8 bdata[20];

static void Update(void *data, int arg)
{
 if(*(uint8 *)data)
 {
  *(uint8 *)data=0;
  seq=ptr=0;
  have=1;
  strcpy((char*)bdata,(char *)data+1);
  strcpy((char*)&bdata[13],"SUNSOFT");
 }
}

OGRE

V512 A call of the 'memcpy' function will lead to a buffer overflow. OgreMain ogrequaternion.h 87


Real w, x, y, z;
....

inline Quaternion(Real* valptr)
{
  memcpy(&w, valptr, sizeof(Real)*4);
}

There's no error, but this code is dangerous.

Miranda NG

V512 A call of the 'strcat' function will lead to overflow of the buffer 'fn'. NimContact files.cpp 290


INT_PTR CALLBACK DlgProcFiles(....)
{
  ....
  char fn[6], tmp[MAX_PATH];
  ....
  SetDlgItemTextA(hwnd, IDC_WWW_TIMER,
    _itoa(db_get_w(NULL, MODNAME, strcat(fn, "_timer"), 60),
    tmp, 10));
  ....
}

Miranda NG

V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG main.cpp 2246


typedef struct
{
  int cbSize;
  char caps[0x10];
  HANDLE hIcon;
  char name[MAX_CAPNAME];
} ICQ_CUSTOMCAP;

void InitCheck()
{
  ....
  strcpy(cap.caps, "GPG AutoExchange");
  ....
}

Similar errors can be found in some other places:

  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG main.cpp 2261
  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG messages.cpp 541
  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG messages.cpp 849
  • And 1 additional diagnostic messages.

LibreOffice

V512 A call of the 'wcsncpy' function will lead to overflow of the buffer 'psci->wszTitle'. columninfo.cxx 129


typedef struct {
  ....
  WCHAR wszTitle[MAX_COLUMN_NAME_LEN];
  WCHAR wszDescription[MAX_COLUMN_DESC_LEN];
} SHCOLUMNINFO, *LPSHCOLUMNINFO;

HRESULT STDMETHODCALLTYPE CColumnInfo::GetColumnInfo(
  DWORD dwIndex, SHCOLUMNINFO *psci)
{
  ....
  wcsncpy(psci->wszTitle,
          ColumnInfoTable[dwIndex].wszTitle,
          (sizeof(psci->wszTitle) - 1));
  return S_OK;
}

FreeBSD Kernel

V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->vendor'. aacraid_cam.c 571


#define  SID_VENDOR_SIZE   8
  char   vendor[SID_VENDOR_SIZE];
#define  SID_PRODUCT_SIZE  16
  char   product[SID_PRODUCT_SIZE];
#define  SID_REVISION_SIZE 4
  char   revision[SID_REVISION_SIZE];

static void
aac_container_special_command(struct cam_sim *sim,union ccb *ccb,
  u_int8_t *cmdp)
{
  ....
  /* OEM Vendor defines */
  strcpy(p->vendor,"Adaptec ");          // <=
  strcpy(p->product,"Array           "); // <=
  strcpy(p->revision,"V1.0");            // <=
  ....
}

Similar errors can be found in some other places:

  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->product'. aacraid_cam.c 572
  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->revision'. aacraid_cam.c 573

Stickies

V512 A call of the 'sprintf' function will lead to overflow of the buffer 'errTxt'. stickyinstaller.cpp 162


BOOL DDE_InitClient (void)
{
  UINT errCode = DdeInitialize(....);
  if (errCode != 0)
  {
    char errTxt[32];
    sprintf (errTxt, "DDE Server Failed, error code = %d",
             errCode);
    ....
}

Similar errors can be found in some other places:

  • V512 A call of the 'sprintf' function will lead to overflow of the buffer 'errTxt'. ddemlfuncs.cpp 151

FreeBSD Kernel

V512 A call of the 'memcpy' function will lead to the '"MPI Coredump"' buffer becoming out of range. qls_dump.c 1615


typedef struct qls_mpid_glbl_hdr
{
  ....
  uint8_t   id[16];
  ....
} qls_mpid_glbl_hdr_t;

struct qls_mpi_coredump {
  qls_mpid_glbl_hdr_t  mpi_global_header;
  ....
};

typedef struct qls_mpi_coredump qls_mpi_coredump_t;

int
qls_mpi_core_dump(qla_host_t *ha)
{
  ....
  qls_mpi_coredump_t *mpi_dump = &ql_mpi_coredump;
  ....
  memcpy(mpi_dump->mpi_global_header.id, "MPI Coredump",
         sizeof(mpi_dump->mpi_global_header.id));
  ....
}

FreeBSD Kernel

V512 A call of the 'sprintf' function will lead to overflow of the buffer 'lldev->mtx_name_tx[qindex]'. if_nxge.c 511


#define XGE_HAL_MIN_FIFO_NUM  1
#define XGE_FIFO_COUNT  XGE_HAL_MIN_FIFO_NUM

typedef struct xge_lldev_t {
  ....
  char                 mtx_name_tx[16][XGE_FIFO_COUNT];
  struct callout       timer;
  struct ifmedia       media;
  xge_hal_channel_h    fifo_channel[XGE_FIFO_COUNT];
  ....
}

void
xge_mutex_init(xge_lldev_t *lldev)
{
  int qindex;
  ....
  for(qindex = 0; qindex < XGE_FIFO_COUNT; qindex++) {
    sprintf(lldev->mtx_name_tx[qindex], "%s_tx_%d",
      device_get_nameunit(lldev->device), qindex);
  ....
}

Tizen

V512 A call of the 'memset' function will lead to overflow of the buffer 'device_list.addresses[i].addr'. bt-service-dpm.c 226


#define BT_ADDRESS_STRING_SIZE 18

typedef struct {
 unsigned char addr[6];
} bluetooth_device_address_t;

typedef struct {
 int count;
 bluetooth_device_address_t addresses[20];
} bt_dpm_device_list_t;

dpm_result_t _bt_dpm_get_bluetooth_devices_from_whitelist(
  GArray **out_param1)
{
  dpm_result_t ret = DPM_RESULT_FAIL;
  bt_dpm_device_list_t device_list;
  ....
  for (; list; list = list->next, i++) {
    memset(device_list.addresses[i].addr, 0,
           BT_ADDRESS_STRING_SIZE);
  ....
}

Similar errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to overflow of the buffer 'device_list.addresses[i].addr'. bt-service-dpm.c 176

Tizen

V512 A call of the 'snprintf' function will lead to overflow of the buffer 'buf + strlen(buf)'. app_tracker.c 450


static void _on_atspi_event_cb(const AtspiEvent * event)
{
  ....
  char buf[256] = "\0";
  ....
  snprintf(buf, sizeof(buf), "%s, %s, ",
           name, _("IDS_BR_BODY_IMAGE_T_TTS"));
  ....
  snprintf(buf + strlen(buf), sizeof(buf),
           "%s, ", _("IDS_ACCS_BODY_SELECTED_TTS"));
  ....
}

Tizen

V512 A call of the 'snprintf' function will lead to overflow of the buffer 'trait + strlen(trait)'. navigator.c 514


#define HOVERSEL_TRAIT_SIZE 200

void add_slider_description(....)
{
  ....
  char trait[HOVERSEL_TRAIT_SIZE] = "";
  ....
  snprintf(trait, HOVERSEL_TRAIT_SIZE,
           _("IDS_GCTS_OPT_P1SS_PERCENT_TTS"), buf_percent);
  ....
  snprintf(trait + strlen(trait), HOVERSEL_TRAIT_SIZE,     // <=
           ", %s", _IGNORE_ON_TV("IDS_......."));
  ....
}

Tizen

V512 A call of the 'snprintf' function will lead to overflow of the buffer 'ret + strlen(ret)'. navigator.c 677


#define TTS_MAX_TEXT_SIZE  2000

char *generate_description_trait(AtspiAccessible * obj) {
  ....
  char ret[TTS_MAX_TEXT_SIZE] = { [TTS_MAX_TEXT_SIZE - 1] = 0 };
  ....
  snprintf(ret, sizeof(ret),
           _("IDS_ACCS_BODY_TAB_P1SD_OF_P2SD"),
           index + 1, children_count);
  if (!is_selected)
    snprintf(ret + strlen(ret), sizeof(ret),               // <=
             ", %s",
             _IGNORE_ON_TV("IDS_......."));
  ....
}

EFL Core Libraries

V512 A call of the 'memcpy' function will lead to the 'array' buffer becoming out of range. eina_array.c 186


typedef struct _Eina_Array Eina_Array;
struct _Eina_Array
{
   int version;
   void **data;
   unsigned int total;
   unsigned int count;
   unsigned int step;
   Eina_Magic __magic;
};

typedef struct _Eina_Accessor_Array Eina_Accessor_Array;
struct _Eina_Accessor_Array
{
   Eina_Accessor accessor;
   const Eina_Array *array;
   Eina_Magic __magic;
};

static Eina_Accessor *
eina_array_accessor_clone(const Eina_Array *array)
{
   Eina_Accessor_Array *ac;
   EINA_SAFETY_ON_NULL_RETURN_VAL(array, NULL);
   EINA_MAGIC_CHECK_ARRAY(array);
   ac = calloc(1, sizeof (Eina_Accessor_Array));
   if (!ac) return NULL;
   memcpy(ac, array, sizeof(Eina_Accessor_Array));
   return &ac->accessor;
}

EFL Core Libraries

V512 A call of the 'memcpy' function will lead to overflow of the buffer 'bgra + k * 16'. draw_convert.c 318


static Eina_Bool _convert_etc2_rgb8_to_argb8888(....)
{
   const uint8_t *in = src;
   uint32_t *out = dst;
   int out_step, x, y, k;
   unsigned int bgra[16];
   ....
   for (k = 0; k < 4; k++)
     memcpy(out + x + k * out_step, bgra + k * 16, 16);
   ....
}

Similar errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to overflow of the buffer 'bgra + k * 16'. draw_convert.c 350

XNU kernel

V512 CWE-119 A call of the 'snprintf' function will lead to overflow of the buffer 'interface_names[index]'. necp.c 4376


#define  IFNAMSIZ   16
#define  IFXNAMSIZ  (IFNAMSIZ + 8)

#define MAX_ROUTE_RULE_INTERFACES 10

static inline const char *
necp_get_result_description(....)
{
  ....
  char interface_names[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES];
  ....
  for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
    if (route_rule->exception_if_indices[index] != 0) {
      ifnet_t interface = ifindex2ifnet[....];
      snprintf(interface_names[index],
               IFXNAMSIZ, "%s%d", ifnet_name(interface),
               ifnet_unit(interface));
    } else {
      memset(interface_names[index], 0, IFXNAMSIZ);
    }
  }
  ....
}

Most likely, the array was declared incorrectly and it should be written as follows: char interface_names[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ];

Similar errors can be found in some other places:

  • V512 CWE-119 A call of the 'memset' function will lead to overflow of the buffer 'interface_names[index]'. necp.c 4378

XNU kernel

V512 CWE-119 A call of the '__builtin___memcpy_chk' function will lead to a buffer overflow. necp_client.c 1459


#define  IFNAMSIZ   16
#define  IFXNAMSIZ  (IFNAMSIZ + 8)

#define NECP_MAX_PARSED_PARAMETERS 16

struct necp_client_parsed_parameters {
  ....
  char prohibited_interfaces[IFXNAMSIZ]
                                  [NECP_MAX_PARSED_PARAMETERS];
  ....
};

static int
necp_client_parse_parameters(....,
  struct necp_client_parsed_parameters *parsed_parameters)
{
  ....
  u_int32_t length = ....;
  ....
  if (length <= IFXNAMSIZ && length > 0) {
    memcpy(parsed_parameters->prohibited_interfaces[
                                     num_prohibited_interfaces],
           value, length);
    parsed_parameters->prohibited_interfaces[
                    num_prohibited_interfaces][length - 1] = 0;
  ....
}

Most likely, the array was declared incorrectly and it should be written as follows: char prohibited_interfaces[NECP_MAX_PARSED_PARAMETERS][IFXNAMSIZ];

rdesktop

V512 A call of the 'sprintf' function will lead to overflow of the buffer 'fullpath'. disk.c 1257


RD_NTSTATUS
disk_query_directory(....)
{
  ....
  char *dirname, fullpath[PATH_MAX];
  ....
  /* Get information for directory entry */
  sprintf(fullpath, "%s/%s", dirname, pdirent->d_name);
  ....
}

VVVVVV

V512 A call of the 'sprintf' function will lead to overflow of the buffer 'fileSearch'. FileSystemUtils.cpp 307


#define MAX_PATH          260

....

void PLATFORM_migrateSaveData(char *output)
{
  char oldLocation[MAX_PATH];
  char newLocation[MAX_PATH];
  char oldDirectory[MAX_PATH];
  char fileSearch[MAX_PATH];

  ....

  /* Same place, different layout. */
  strcpy(oldDirectory, output);

  sprintf(fileSearch, "%s\\*.vvvvvv", oldDirectory);

  ....
}

If the length of the oldDirectory string is more than 251, the resulting string will be longer than fileSearch could contain, which will lead to violating of the array bounds.

Zephyr

V512 [CWE-119] A call of the 'memcpy' function will lead to the 'net_hostname_get()' buffer becoming out of range. log_backend_net.c 114


#if defined(CONFIG_NET_HOSTNAME_ENABLE)
const char *net_hostname_get(void);
#else
static inline const char *net_hostname_get(void)
{
  return "zephyr";
}
#endif

#define NET_IPV6_ADDR_LEN sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx")
#define MAX_HOSTNAME_LEN NET_IPV6_ADDR_LEN

static int do_net_init(void)
{
  ....
  (void)memcpy(hostname, net_hostname_get(), MAX_HOSTNAME_LEN);
  ....
}

Zephyr

V512 [CWE-119] A call of the 'snprintf' function will lead to overflow of the buffer 'full_name'. lwm2m_rw_json.c 826


int do_write_op_json(struct lwm2m_message *msg)
{
  u8_t value[TOKEN_BUF_LEN];         // TOKEN_BUF_LEN = 64
  u8_t base_name[MAX_RESOURCE_LEN];  // MAX_RESOURCE_LEN = 20
  u8_t full_name[MAX_RESOURCE_LEN];  // MAX_RESOURCE_LEN = 20
  ....
  /* combine base_name + name */
  snprintf(full_name, TOKEN_BUF_LEN, "%s%s", base_name, value);
  ....
}

Command & Conquer

V512 A call of the 'sprintf' function will lead to overflow of the buffer '(char *) ptr'. SOUNDDLG.CPP 250


void SoundControlsClass::Process(void)
{
  ....
  void * ptr = new char [sizeof(100)];                                // <=

  if (ptr) {
    sprintf((char *)ptr, "%cTrack %d\t%d:%02d\t%s",                   // <=
      index, listbox.Count()+1, length / 60, length % 60, fullname);
    listbox.Add_Item((char const *)ptr);
  }
  ....
}

GPCS4

V512 [CWE-119] A call of the 'memset' function will lead to overflow of the buffer 'param->reserved'. sce_gnm_draw.cpp 420


struct GnmCmdPSShader
{
  ....
  uint32_t reserved[27];
};

int PS4API sceGnmSetPsShader350(....)
{
  ....
  memset(param->reserved, 0, sizeof(param->reserved) * sizeof(uint32_t));
  return SCE_OK;
}

GPCS4

V512 [CWE-119] A call of the 'memset' function will lead to overflow of the buffer 'initParam->reserved'. sce_gnm_dispatch.cpp 16


uint32_t PS4API sceGnmDispatchInitDefaultHardwareState(....)
{
  ....
  memset(initParam->reserved, 0,
         sizeof(initParam->reserved) * sizeof(uint32_t));
  return initCmdSize;
}