Examples of errors detected by the V512 diagnostic
V512. Call of the 'Foo' function will lead to buffer overflow or underflow.
SMTP Client
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. CSmtp md5.cpp 212
void MD5::finalize () {
....
uint1 buffer[64];
....
// Zeroize sensitive information
memset (buffer, 0, sizeof(*buffer));
....
}
Most likely this is what should be written here: memset (buffer, 0, sizeof(buffer));
Fennec Media
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. base windows.c 150
#define uinput_size 1024
typedef wchar_t letter;
letter uinput_text[uinput_size];
string basewindows_getuserinput(const string title,
const string cap, const string dtxt)
{
memset(uinput_text, 0, uinput_size);
....
}
At first sight, everything seems fine with "memset(uinput_text, 0, uinput_size);". Perhaps it even was fine while the 'letter' type was 'char'. But now it is 'wchar_t', so the call zeroes only half of the buffer.
Fennec Media
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. base windows.c 2892
typedef wchar_t letter;
letter name[30];
int Conv_EqualizerProc(HWND hwnd,UINT uMsg,
WPARAM wParam,LPARAM lParam)
{
....
memset(eqp.name, 0, 30);
....
}
This is what should have been written here: sizeof(letter) * 30
Notepad++
V512 A call of the memset function will lead to a buffer overflow or underflow. dockingmanager.cpp 78
#define CONT_MAP_MAX 50
int _iContMap[CONT_MAP_MAX];
....
DockingManager::DockingManager()
{
....
memset(_iContMap, -1, CONT_MAP_MAX);
....
}
This is what should have been written here: memset(_iContMap, -1, CONT_MAP_MAX * sizeof(int));
Game_Music_Emu library
V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. game-music-emu nsfe_emu.cpp 162
struct header_t
{
....
byte load_addr [2];
byte init_addr [2];
byte play_addr [2];
....
}
blargg_err_t Nsfe_Info::load( Data_Reader& in,
Nsf_Emu* nsf_emu )
{
....
memcpy( info.load_addr, finfo.load_addr, 2 * 3 );
....
}
There is no error here, but the code is dangerous: it relies on the three 2-byte arrays being laid out contiguously with no padding between them.
Wolfenstein 3D
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. cgame bg_animation.c 999
typedef struct
{
short int bodyPart[2];
short int animIndex[2];
short int animDuration[2];
short int soundIndex;
short int accShowBits;
short int accHideBits;
} animScriptCommand_t;
void BG_ParseCommands(....) {
....
animScriptCommand_t *command = NULL;
....
memset( command, 0, sizeof( command ) );
....
}
This is what should have been written here: sizeof(*command)
Wolfenstein 3D
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. wolf cvar.c 764
typedef struct cvar_s {
char *name;
....
struct cvar_s *hashNext;
} cvar_t;
void Cvar_Restart_f( void ) {
cvar_t *var;
....
memset( var, 0, sizeof( var ) );
....
}
This is what should have been written here: memset( var, 0, sizeof( *var ) );
Newton Game Dynamics
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. physics dgcollisioncompoundbreakable.cpp 702
dgCollisionCompoundBreakable::dgCollisionCompoundBreakable (....)
{
....
dgInt32 faceOffsetHitogram[256];
dgSubMesh* mainSegmenst[256];
....
memset(faceOffsetHitogram, 0, sizeof(faceOffsetHitogram));
memset(mainSegmenst, 0, sizeof(faceOffsetHitogram));
....
}
A 64-bit error, and a consequence of Copy-Paste. In a 64-bit program the pointer size is no longer equal to the dgInt32 size, so only part of the mainSegmenst array is cleared.
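The three faults that recur through these reports (the size of a pointer instead of the object it points to, an element count instead of a byte count, and a sizeof copy-pasted from a differently typed array) can be measured directly. The following C program is an added example, not code from any of the projects listed; 'struct record', the array names and the sizes are made up for it. Each function reports how many bytes or elements a wrong call actually clears, and two macros at the end take the byte count from the object itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define FILL 0xAA   /* non-zero fill, so bytes a clearing call missed stay visible */

/* Count leading zero bytes: how much a memset/ZeroMemory call really cleared. */
static size_t leading_zero_bytes(const void *p, size_t len)
{
    const unsigned char *b = (const unsigned char *)p;
    size_t n = 0;
    while (n < len && b[n] == 0)
        n++;
    return n;
}

/* Pattern 1: sizeof(pointer) where sizeof(*pointer) was meant (cvar_t, SHA256_CTX,
 * Exploded, pfloghdr on this page). 'struct record' is made up for the example.
 * Returns the number of bytes actually zeroed. */
struct record { char name[16]; int flags; double value; struct record *next; };

size_t clear_record_buggy(void)
{
    struct record rec;
    struct record *var = &rec;
    memset(&rec, FILL, sizeof rec);
    memset(var, 0, sizeof(var));   /* BUG: pointer size; GCC/Clang warn (-Wsizeof-pointer-memaccess) */
    return leading_zero_bytes(&rec, sizeof rec);   /* sizeof(void *), not sizeof(struct record) */
}

/* Pattern 2: an element count passed as a byte count (the wchar_t and int arrays,
 * and MAME's ARRAY_LENGTH). Returns the number of wide characters fully zeroed. */
#define UINPUT_SIZE 64

size_t clear_wide_buggy(void)
{
    wchar_t text[UINPUT_SIZE];
    memset(text, FILL, sizeof text);
    memset(text, 0, UINPUT_SIZE);  /* BUG: 64 bytes, not 64 wide characters */
    return leading_zero_bytes(text, sizeof text) / sizeof(wchar_t);  /* UINPUT_SIZE / sizeof(wchar_t) */
}

/* Pattern 3: the Newton copy-paste: sizeof(an int32 array) used to clear an array of
 * pointers. Correct where pointers are 4 bytes, clears half the slots on 64-bit.
 * Returns the number of pointer slots zeroed. */
#define SEGMENTS 256

size_t clear_pointer_array_buggy(void)
{
    int32_t histogram[SEGMENTS];
    void *segments[SEGMENTS];
    memset(segments, FILL, sizeof segments);
    memset(histogram, 0, sizeof(histogram));
    memset(segments, 0, sizeof(histogram)); /* BUG: size copy-pasted from the line above */
    return leading_zero_bytes(segments, sizeof segments) / sizeof(void *);
}

/* Hardened idioms: take the byte count from the object itself, never from a hand-typed
 * constant. ZERO_ARRAY refuses to compile when handed a pointer instead of an array
 * (GCC/Clang extension; other compilers fall back to plain sizeof). */
#if defined(__GNUC__)
#define ZERO_ARRAY(a) \
    memset((a), 0, sizeof(a) + 0 * sizeof(char[1 - 2 * \
        __builtin_types_compatible_p(__typeof__(a), __typeof__(&(a)[0]))]))
#else
#define ZERO_ARRAY(a) memset((a), 0, sizeof(a))
#endif
#define ZERO_OBJECT(p) memset((p), 0, sizeof(*(p)))

size_t clear_with_idioms(void)
{
    struct record rec;
    struct record *var = &rec;
    wchar_t text[UINPUT_SIZE];
    memset(&rec, FILL, sizeof rec);
    memset(text, FILL, sizeof text);
    ZERO_OBJECT(var);   /* sizeof(*var): the whole struct */
    ZERO_ARRAY(text);   /* sizeof(text): UINPUT_SIZE * sizeof(wchar_t) bytes */
    return leading_zero_bytes(&rec, sizeof rec) + leading_zero_bytes(text, sizeof text);
}

int main(void)
{
    printf("sizeof(var): cleared %zu of %zu bytes\n", clear_record_buggy(), sizeof(struct record));
    printf("element count: cleared %zu of %d wchar_t\n", clear_wide_buggy(), UINPUT_SIZE);
    printf("copy-pasted sizeof: cleared %zu of %d pointers\n", clear_pointer_array_buggy(), SEGMENTS);
    printf("idioms: cleared %zu bytes\n", clear_with_idioms());
    return 0;
}
```

The results depend on the platform: on a 64-bit Linux build the first call clears 8 of 40 bytes, the second 16 of 64 wide characters, the third 128 of 256 pointers, while the idioms clear everything.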
Miranda IM
V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. tabsrmm utils.cpp 1080
typedef struct _textrangew
{
CHARRANGE chrg;
LPWSTR lpstrText;
} TEXTRANGEW;
const wchar_t* Utils::extractURLFromRichEdit(....)
{
....
::CopyMemory(tr.lpstrText, L"mailto:", 7);
....
}
This is what should have been written here: sizeof(wchar_t) * 7
Chromium
V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. base time_win.cc 227
void Time::Explode(bool is_local, Exploded* exploded) const
{
....
ZeroMemory(exploded, sizeof(exploded));
....
}
This is what should have been written here: sizeof(*exploded)
Chromium
V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. platform time_win.cc 116
void NaCl::Time::Explode(bool is_local,
Exploded* exploded) const
{
....
ZeroMemory(exploded, sizeof(exploded));
....
}
This is what should have been written here: sizeof(*exploded)
Qt
V512 A call of the 'memset' function will lead to underflow of the buffer 's_attr_table'. qt3to4 cpplexer.cpp 77
int s_attr_table[256];
void CppLexer::setupScanTable()
{
....
memset(s_attr_table, 0, 256);
....
}
This is what should have been written here: sizeof(int) * 256
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer 's_attr_table'. qt3to4 rpplexer.cpp 60
Apache HTTP Server
V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 560
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
void apr__SHA256_Final(sha2_byte digest[],
SHA256_CTX* context) {
....
MEMSET_BZERO(context, sizeof(context));
....
}
This is what should have been written here: sizeof(*context)
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 581
- V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 892
- V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 912
- And 2 additional diagnostic messages.
Energy Checker SDK
V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 683
#define PL_MAX_PATH 255
typedef WCHAR TCHAR, *PTCHAR;
TCHAR pl_cvt_buffer[PL_MAX_PATH] = { '\0' };
int plh_read_pl_config_ini_file(....)
{
....
ZeroMemory(
pl_cvt_buffer,
PL_MAX_PATH
);
....
}
This is what should have been written here: PL_MAX_PATH * sizeof(TCHAR)
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 714
- V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 745
- V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 789
- And 5 additional diagnostic messages.
Energy Checker SDK
V512 A call of the 'memset' function will lead to underflow of the buffer 'pconfig'. pl_csv_logger productivity_link_helper.c 1806
typedef struct _plh_dynamic_pl_folder_info {
....
} PLH_DYNAMIC_PL_FOLDER_INFO, *PPLH_DYNAMIC_PL_FOLDER_INFO;
int plh_dynamic_read_pl_folder(
PPLH_DYNAMIC_PL_FOLDER_INFO pconfig)
{
....
memset(
pconfig,
0,
sizeof(pconfig)
);
....
}
This is what should have been written here: sizeof(*pconfig)
Energy Checker SDK
V512 A call of the 'memset' function will lead to underflow of the buffer 'temp'. core_api_unit_tests unit_tests_tools.c 379
void plt_tools_get_pl_config_full_file_name(char *buffer) {
....
char temp[PL_MAX_PATH] = { '\0' };
....
memset(
temp,
0,
sizeof(buffer)
);
....
}
This is what should have been written here: sizeof(temp)
Far Manager
V512 A call of the 'memset' function will lead to underflow of the buffer 'PInfo'. far filelist.cpp 672
__int64 FileList::VMProcess(int OpCode,void *vParam,
__int64 iParam)
{
....
PluginInfo *PInfo=(PluginInfo *)vParam;
memset(PInfo,0,sizeof(PInfo));
PInfo->StructSize=sizeof(PInfo);
....
}
This is what should have been written here: memset(PInfo, 0, sizeof(PluginInfo));
ReactOS
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'buffer'. user32 dllmain.c 162
VOID
UnloadAppInitDlls()
{
....
WCHAR buffer[KEY_LENGTH];
....
RtlCopyMemory(buffer, szAppInit, KEY_LENGTH);
....
}
Multiplication by sizeof(WCHAR) is missing, which causes copying only half of the data. This is what the code should look like: RtlCopyMemory(buffer, szAppInit, KEY_LENGTH * sizeof(WCHAR)).
ReactOS
V512 A call of the 'memset' function will lead to underflow of the buffer '((file_path))'. sndrec32 sndrec32.cpp 769
typedef WCHAR TCHAR,*PTCHAR;
TCHAR file_path[MAX_PATH];
#define MAX_PATH 260
LRESULT CALLBACK
WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam )
{
....
ZeroMemory( file_path, MAX_PATH );
....
}
This is what should have been written here: ZeroMemory( file_path, MAX_PATH * sizeof(TCHAR));
Similar errors can be found in some other places:
- V512 A call of the 'memcpy' function will lead to a buffer underflow. smss client.c 442
ReactOS
V512 A call of the 'memset' function will lead to underflow of the buffer '((pfd))'. shell32 pidl.c 1160
HRESULT WINAPI SHGetDataFromIDListW(....)
{
....
WIN32_FIND_DATAW * pfd = dest;
....
ZeroMemory(pfd, sizeof (WIN32_FIND_DATAA));
}
This is what should have been written here: sizeof(WIN32_FIND_DATAW)
ReactOS
V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 991
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
char *SHA384_End(SHA384_CTX* context, char buffer[]) {
....
MEMSET_BZERO(context, sizeof(context));
....
}
This is what should have been written here: sizeof(*context).
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 566
- V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 587
- V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 896
- And 2 additional diagnostic messages.
ReactOS
V512 A call of the 'memcmp' function will lead to underflow of the buffer 'guidentry'. oleaut32 typelib2.c 320
#define IsEqualGUID(rguid1, rguid2) \
(!memcmp(&(rguid1), &(rguid2), sizeof(GUID)))
static int ctl2_find_guid(....)
{
MSFT_GuidEntry *guidentry;
....
if (IsEqualGUID(guidentry, guid)) return offset;
....
}
Macros are evil! They can hide errors very well. The error is this: guidentry is a pointer, and the macro takes the address of its argument, so memcmp compares the pointer variable itself rather than the GUID it points to. This is what should have been written here: if (IsEqualGUID(*guidentry, guid)) return offset;
Similar errors can be found in some other places:
- V512 A call of the 'memcmp' function will lead to overflow of the buffer '& (pguidCmdGroup)'. browseui bandsite.cpp 722
IPP Samples
V512 A call of the 'memset' function will lead to underflow of the buffer 'MEParams'. vc1_enc umc_vc1_enc_adv.cpp 1767
UMC::Status
VC1EncoderADV::SetMEParams_I_Field(UMC::MeParams* MEParams)
{
UMC::Status umcSts = UMC::UMC_OK;
memset(MEParams,0,sizeof(MEParams));
....
}
This is what should have been written here: memset(MEParams,0,sizeof(*MEParams));
Doom 3
V512 A call of the 'memset' function will lead to underflow of the buffer 'ase.currentMesh'. DoomDLL model_ase.cpp 731
aseMesh_t *currentMesh;
static void ASE_KeyGEOMOBJECT( const char *token )
{
....
ase.currentMesh = &ase.currentObject->mesh;
memset( ase.currentMesh, 0, sizeof( ase.currentMesh ) );
....
}
This is what should have been written here: memset( ase.currentMesh, 0, sizeof( *ase.currentMesh ) );
Doom 3
V512 A call of the 'memset' function will lead to underflow of the buffer '& cluster'. DoomDLL aasfile.cpp 1312
void idAASFileLocal::DeleteClusters( void ) {
....
memset( &portal, 0, sizeof( portal ) );
portals.Append( portal );
// first cluster is a dummy
memset( &cluster, 0, sizeof( portal ) );
clusters.Append( cluster );
}
This is what should have been written here: memset( &cluster, 0, sizeof( cluster ) );
Mozilla Firefox
V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. time_win.cc 198
void Time::Explode(bool is_local, Exploded* exploded) const {
....
ZeroMemory(exploded, sizeof(exploded));
....
}
This is what should have been written here: ZeroMemory(exploded, sizeof(*exploded));
ADAPTIVE Communication Environment (ACE)
V512 A call of the 'memcmp' function will lead to underflow of the buffer 'expected_msg.payload'. Send_Msg_Receiver receiver.cpp 109
struct Message
{
unsigned int sn;
unsigned short payload[payload_size];
};
int
ACE_TMAIN (int argc, ACE_TCHAR* argv[])
{
....
if (ACE_OS::memcmp (expected_msg.payload,
msg.payload,
payload_size) != 0)
{
damaged[msg.sn] = 1;
}
....
}
Most likely this is what should be written here: payload_size * sizeof(short)
Similar errors can be found in some other places:
- V512 A call of the 'memcmp' function will lead to underflow of the buffer 'expected_msg.payload'. RMCast_Receiver receiver.cpp 102
ADAPTIVE Communication Environment (ACE)
V512 A call of the 'memset' function will lead to underflow of the buffer 'old_state'. thread.inl 172
ACE_INLINE int
ACE_Thread::disablecancel (struct cancel_state *old_state)
{
....
ACE_OS::memset (old_state,
0,
sizeof (old_state));
....
}
UCSniff
V512 A call of the 'memcpy' function will lead to the '"sip"' buffer becoming out of range. targets.c 566
struct targets{
char ip[MAX_ASCII_ADDR_LEN];
u_char mac[MAX_ASCII_ADDR_LEN];
char extension[64];
char dirname[64];
char protocol[11];
char ua[48];
char misc[64];
};
void sip_targetlookup(sipDB* currentSipCall)
{
....
memcpy(targettab[targetcount].protocol,
"sip",
sizeof(targettab[targetcount].protocol));
....
}
Similar errors can be found in some other places:
- V512 A call of the 'memcpy' function will lead to the '"sip"' buffer becoming out of range. targets.c 631
DeSmuME
V512 A call of the 'memset' function will lead to underflow of the buffer 'MapView'. DeSmuME_VS2005 mapview.cpp 204
mapview_struct *MapView = NULL;
BOOL CALLBACK ViewMapsProc (HWND hwnd, UINT message,
WPARAM wParam, LPARAM lParam)
{
....
MapView = new mapview_struct;
memset(MapView, 0, sizeof(MapView));
....
}
This is what should have been written here: memset(MapView, 0, sizeof(*MapView));
MAME
V512 A call of the 'memcpy' function will lead to the '& rawheader[100]' buffer becoming out of range. chd.c 1870
#define CHD_SHA1_BYTES 20
#define CHD_V4_HEADER_SIZE 108
#define CHD_MAX_HEADER_SIZE CHD_V4_HEADER_SIZE
static chd_error header_read(...., chd_header *header)
{
UINT8 rawheader[CHD_MAX_HEADER_SIZE];
....
memcpy(header->parentsha1, &rawheader[100],
CHD_SHA1_BYTES);
....
}
MAME
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'state->m_spriteram16_buffered'. deco32.c 706
UINT16 m_spriteram16[0x1000];
UINT16 m_spriteram16_buffered[0x1000];
static WRITE32_HANDLER( deco32_buffer_spriteram_w )
{
deco32_state *state =
space->machine().driver_data<deco32_state>();
memcpy(state->m_spriteram16_buffered,
state->m_spriteram16, 0x1000);
}
This is what should have been written here: 0x1000 * sizeof(UINT16).
MAME
V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_rotate_ctrl'. wgp.c 949
UINT16 m_rotate_ctrl[8];
static MACHINE_RESET( wgp )
{
wgp_state *state = machine.driver_data<wgp_state>();
int i;
state->m_banknum = 0;
state->m_cpua_ctrl = 0xff;
state->m_port_sel = 0;
state->m_piv_ctrl_reg = 0;
for (i = 0; i < 3; i++)
{
state->m_piv_zoom[i] = 0;
state->m_piv_scrollx[i] = 0;
state->m_piv_scrolly[i] = 0;
}
memset(state->m_rotate_ctrl, 0, 8);
}
Similar errors can be found in some other places:
- V512 A call of the 'memcpy' function will lead to underflow of the buffer 'state->m_spriteram16_2_buffered'. deco32.c 726
- V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_playfield_code'. malzak.c 392
MAME
V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_control_0'. tumbleb.c 2065
UINT16 m_control_0[8];
#define ARRAY_LENGTH(x) (sizeof(x) / sizeof(x[0]))
static MACHINE_RESET( tumbleb )
{
....
memset(state->m_control_0, 0,
ARRAY_LENGTH(state->m_control_0));
}
Most likely this is what should be written here: memset(state->m_control_0, 0, sizeof(state->m_control_0));
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pmac_read'. megadriv.c 7156
- V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pmac_write'. megadriv.c 7157
- V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_cart_is_genesis'. megatech.c 426
- And 3 additional diagnostic messages.
MAME
V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pstars_regs'. pgm.c 4458
UINT32 m_pstars_regs[16];
static DRIVER_INIT( pstar )
{
....
memset(state->m_pstars_regs, 0, 16);
....
}
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 4975
- V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 4996
- V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 5056
- And 4 additional diagnostic messages.
Samba
V512 A call of the 'memset' function will lead to underflow of the buffer 'rt'. perf_writer.c 80
void initialize(PERF_DATA_BLOCK *data,
RuntimeSettings *rt, int argc, char **argv)
{
memset(data, 0, sizeof(*data));
memset(rt, 0, sizeof(*data));
....
}
Most likely this is what should be written here: memset(rt, 0, sizeof(*rt));
Samba
V512 A call of the 'memcmp' function will lead to underflow of the buffer 'u0'. netuser.c 247
static NET_API_STATUS test_netusermodals(
struct libnetapi_ctx *ctx,
const char *hostname)
{
....
struct USER_MODALS_INFO_0 *u0 = NULL;
struct USER_MODALS_INFO_0 *_u0 = NULL;
....
if (memcmp(u0, _u0, sizeof(u0) != 0)) {
printf("USER_MODALS_INFO_0 struct has changed!!!!\n");
return -1;
}
....
}
Most likely this is what should be written here: sizeof(*u0).
libevent
V512 A call of the 'memset' function will lead to underflow of the buffer 'win32op'. win32select.c 374
void
win32_dealloc(struct event_base *_base)
{
struct win32op *win32op = _base->evbase;
....
memset(win32op, 0, sizeof(win32op));
....
}
OpenCV
V512 A call of the 'memset' function will lead to overflow of the buffer 'latestCounts'. calibfilter.cpp 238
class CV_EXPORTS CvCalibFilter
{
....
enum { MAX_CAMERAS = 3 };
int latestCounts[MAX_CAMERAS];
CvPoint2D32f* latestPoints[MAX_CAMERAS];
....
};
void CvCalibFilter::SetCameraCount( int count )
{
....
memset( latestCounts, 0, sizeof(latestPoints) );
....
}
Windows 8 Driver Samples
V512 A call of the 'memset' function will lead to underflow of the buffer 'wbuf'. ihvsampleextui.cpp 288
HRESULT
CDot11SampleExtUI::CreateSecurityProperties(....)
{
....
WCHAR wbuf[128];
....
ZeroMemory(wbuf, 128);
....
}
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer 'wbuf'. ihvsampleextui.cpp 369
Windows 8 Driver Samples
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'deviceInfo->UnicodeSourceIp'. testapp.c 729
typedef struct _DEVICE_INFO
{
....
WCHAR UnicodeSourceIp[MAX_LEN];
WCHAR UnicodeDestIp[MAX_LEN];
....
} DEVICE_INFO, *PDEVICE_INFO;
PDEVICE_INFO FindDeviceInfo(....)
{
....
PDEVICE_INFO deviceInfo = NULL;
....
memcpy(deviceInfo->UnicodeSourceIp,
InputInfo->SourceIp, MAX_LEN);
memcpy(deviceInfo->UnicodeDestIp,
InputInfo->DestIp, MAX_LEN);
....
}
Similar errors can be found in some other places:
- V512 A call of the 'memcpy' function will lead to underflow of the buffer 'deviceInfo->UnicodeDestIp'. testapp.c 730
NetXMS
V512 A call of the 'memset' function will lead to underflow of the buffer 'commandLine'. procinfo.cpp 278
typedef WCHAR TCHAR, *PTCHAR;
static BOOL MatchProcess(....)
{
....
TCHAR commandLine[MAX_PATH];
....
memset(commandLine, 0, MAX_PATH);
....
}
NetXMS
V512 A call of the 'memset' function will lead to underflow of the buffer 'm_szTitle'. toolbox.cpp 28
typedef WCHAR TCHAR, *PTCHAR;
#define MAX_TOOLBOX_TITLE 64
TCHAR m_szTitle[MAX_TOOLBOX_TITLE];
CToolBox::CToolBox()
{
memset(m_szTitle, 0, MAX_TOOLBOX_TITLE);
}
Multi Theft Auto
V512 A call of the 'memset' function will lead to underflow of the buffer 'm_buffer'. sharedutil.hash.hpp 216
unsigned char m_buffer[64];
void CMD5Hasher::Finalize ( void )
{
....
// Zeroize sensitive information
memset ( m_buffer, 0, sizeof (*m_buffer) );
....
}
Snes9x
V512 A call of the 'memset' function will lead to underflow of the buffer '& cht'. ramwatch.cpp 1199
struct ICheat
{
uint32 address;
uint32 new_val;
uint32 saved_val;
int size;
bool8 enabled;
bool8 saved;
char name [22];
int format;
};
struct SCheat
{
uint32 address;
uint8 byte;
uint8 saved_byte;
bool8 saved;
};
void RamWatchEnableCommand(....)
{
....
struct ICheat cht;
....
ZeroMemory(&cht, sizeof(struct SCheat));
....
}
Most likely this is what should be written here: ZeroMemory(&cht, sizeof(struct ICheat));
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer '& cht'. ram_search.cpp 1789
- V512 A call of the 'memset' function will lead to underflow of the buffer 'new_cheat'. wsnes9x.cpp 9924
VirtualDub
V512 A call of the 'memcmp' function will lead to underflow of the buffer '"GL_EXT_blend_subtract"'. Riza opengl.cpp 393
bool VDOpenGLBinding::Attach(....) {
....
if (!memcmp(start, "GL_EXT_blend_subtract", 20))
....
}
The string is 21 characters long (strlen("GL_EXT_blend_subtract") == 21), but only 20 of them are compared.
FlightGear
V512 A call of the 'memset' function will lead to underflow of the buffer 'ctx'. md5.c 180
void MD5Final(uint8_t digest[16], struct MD5Context *ctx)
{
....
memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
....
}
Micro-Manager
V512 A call of the 'memcpy' function will lead to overflow of the buffer '& stat.lPosition'. MotorStage.cpp 247
typedef struct _DCMOTSTATUS
{
unsigned short wChannel; // Channel ident.
unsigned int lPosition; // Position in encoder counts.
unsigned short wVelocity; // Velocity in encoder counts/sec.
unsigned short wReserved; // Controller specific use
unsigned int dwStatusBits; // Status bits (see #defines below).
} DCMOTSTATUS;
int MotorStage::ParseStatus(const unsigned char* buf, int bufLen,
DCMOTSTATUS& stat)
{
....
memcpy(&stat.lPosition, buf + bufPtr, sizeof(long)); // <= (1)
bufPtr += sizeof(long);
memcpy(&stat.wVelocity, buf + bufPtr, sizeof(unsigned short));
bufPtr += sizeof(unsigned short);
memcpy(&stat.wReserved, buf + bufPtr, sizeof(unsigned short));
bufPtr += sizeof(unsigned short);
memcpy(&stat.dwStatusBits,
buf + bufPtr, sizeof(unsigned long)); // <= (2)
return DEVICE_OK;
}
(1) - Not critical: where 'long' is 8 bytes, the copy into the 4-byte lPosition spills into the following fields, but those are overwritten by the next memcpy calls anyway. (2) - Critical: dwStatusBits is the last field, so the spill goes past the end of the structure.
Similar errors can be found in some other places:
- V512 A call of the 'memcpy' function will lead to overflow of the buffer '& stat.dwStatusBits'. MotorStage.cpp 256
FCEUX
V512 A call of the 'strcpy' function will lead to overflow of the buffer '(char *) & bdata[13]'. bworld.cpp 64
static uint8 bdata[20];
static void Update(void *data, int arg)
{
if(*(uint8 *)data)
{
*(uint8 *)data=0;
seq=ptr=0;
have=1;
strcpy((char*)bdata,(char *)data+1);
strcpy((char*)&bdata[13],"SUNSOFT");
}
}
OGRE
V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. OgreMain ogrequaternion.h 87
Real w, x, y, z;
....
inline Quaternion(Real* valptr)
{
memcpy(&w, valptr, sizeof(Real)*4);
}
There is no error here, but the code is dangerous: it relies on w, x, y and z being laid out contiguously without padding.
Gifticlib
V512 A call of the 'memset' function will lead to underflow of the buffer 'gim'. gifti_io.c 4097
int gifti_clear_gifti_image(gifti_image * gim)
{
if(!gim) {
fprintf(stderr,"** NULL in clear_gifti_image\n"); return 1;
}
if( G.verb > 5 )
fprintf(stderr,"-- clearing gifti_image\n");
/* set the version and clear all pointers */
memset(gim, 0, sizeof(gim));
....
}
Miranda NG
V512 A call of the 'memset' function will lead to underflow of the buffer 'logfonts'. TabSRMM msglog.cpp 134
#define MSGDLGFONTCOUNT 22
LOGFONTA logfonts[MSGDLGFONTCOUNT + 2];
void TSAPI CacheLogFonts()
{
int i;
HDC hdc = GetDC(NULL);
logPixelSY = GetDeviceCaps(hdc, LOGPIXELSY);
ReleaseDC(NULL, hdc);
ZeroMemory(logfonts, sizeof(LOGFONTA) * MSGDLGFONTCOUNT + 2);
....
}
Most likely this is what should be written here: ZeroMemory(logfonts, sizeof(LOGFONTA) * (MSGDLGFONTCOUNT + 2));
Miranda NG
V512 A call of the 'memcpy' function will lead to underflow of the buffer 's_list'. Sessions utils.cpp 288
#define SIZEOF(X) (sizeof(X)/sizeof(X[0]))
int CheckForDuplicate(MCONTACT contact_list[], MCONTACT lparam)
{
MCONTACT s_list[255] = { 0 };
memcpy(s_list, contact_list, SIZEOF(s_list));
for (int i = 0;; i++) {
if (s_list[i] == lparam)
return i;
if (s_list[i] == 0)
return -1;
}
return 0;
}
Similar errors can be found in some other places:
- V512 A call of the 'memcpy' function will lead to underflow of the buffer 'session_list'. Sessions main.cpp 143
- V512 A call of the 'memcpy' function will lead to underflow of the buffer 'user_session_list'. Sessions main.cpp 143
- V512 A call of the 'memcpy' function will lead to underflow of the buffer 'session_list_temp'. Sessions main.cpp 216
- And 5 additional diagnostic messages.
Miranda NG
V512 A call of the 'memset' function will lead to underflow of the buffer 'Data'. Weather weather_ini.cpp 250
void LoadStationData(...., WIDATA *Data)
{
....
ZeroMemory(Data, sizeof(Data));
....
}
Miranda NG
V512 A call of the 'strcat' function will lead to overflow of the buffer 'fn'. NimContact files.cpp 290
INT_PTR CALLBACK DlgProcFiles(....)
{
....
char fn[6], tmp[MAX_PATH];
....
SetDlgItemTextA(hwnd, IDC_WWW_TIMER,
_itoa(db_get_w(NULL, MODNAME, strcat(fn, "_timer"), 60),
tmp, 10));
....
}
Miranda NG
V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG main.cpp 2246
typedef struct
{
int cbSize;
char caps[0x10];
HANDLE hIcon;
char name[MAX_CAPNAME];
} ICQ_CUSTOMCAP;
void InitCheck()
{
....
strcpy(cap.caps, "GPG AutoExchange");
....
}
Similar errors can be found in some other places:
- V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG main.cpp 2261
- V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG messages.cpp 541
- V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG messages.cpp 849
- And 1 additional diagnostic message.
Miranda NG
V512 A call of the 'memset' function will lead to underflow of the buffer 'msgFrom'. LotusNotify lotusnotify.cpp 760
void checkthread(void*)
{
....
WCHAR msgFrom[512];
WCHAR msgSubject[512];
ZeroMemory(msgFrom,512);
ZeroMemory(msgSubject,512);
....
}
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer 'msgSubject'. LotusNotify lotusnotify.cpp 761
- V512 A call of the 'memset' function will lead to underflow of the buffer 'nd->dd_dir.d_name'. glib dirent.c 138
Miranda NG
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'L"mailto:"'. TabSRMM msgdialog.cpp 2085
INT_PTR CALLBACK DlgProcMessage(....)
{
....
CopyMemory(tr.lpstrText, _T("mailto:"), 7);
....
}
Similar errors can be found in some other places:
- V512 A call of the 'memcpy' function will lead to underflow of the buffer 'lfFont.lfFaceName'. Xfire userdetails.cpp 206
- V512 A call of the 'memcpy' function will lead to underflow of the buffer 'L"%20"'. Weather weather_conv.cpp 476
Spring Engine
V512 A call of the 'memset' function will lead to underflow of the buffer 'area'. RAI gterrainmap.h 84
#define MAP_AREA_LIST_SIZE 50
struct TerrainMapMobileType
{
TerrainMapMobileType()
{
....
memset(area,0,MAP_AREA_LIST_SIZE); // <=
};
TerrainMapArea *area[MAP_AREA_LIST_SIZE]; // <=
....
};
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer 'BQ'. RAI builder.cpp 67
- V512 A call of the 'memset' function will lead to underflow of the buffer 'SL'. RAI unitmanager.cpp 28
- V512 A call of the 'memset' function will lead to underflow of the buffer 'Group'. RAI unitmanager.cpp 29
- And 1 additional diagnostic messages.
LibreOffice
V512 A call of the 'wcsncpy' function will lead to overflow of the buffer 'psci->wszTitle'. columninfo.cxx 129
typedef struct {
....
WCHAR wszTitle[MAX_COLUMN_NAME_LEN];
WCHAR wszDescription[MAX_COLUMN_DESC_LEN];
} SHCOLUMNINFO, *LPSHCOLUMNINFO;
HRESULT STDMETHODCALLTYPE CColumnInfo::GetColumnInfo(
DWORD dwIndex, SHCOLUMNINFO *psci)
{
....
wcsncpy(psci->wszTitle,
ColumnInfoTable[dwIndex].wszTitle,
(sizeof(psci->wszTitle) - 1));
return S_OK;
}
.NET CoreCLR
V512 A call of the 'memset' function will lead to underflow of the buffer 'pAddExpression'. sos strike.cpp 11973
DECLARE_API(Watch)
{
....
if(addExpression.data != NULL || aExpression.data != NULL)
{
WCHAR pAddExpression[MAX_EXPRESSION];
memset(pAddExpression, 0, MAX_EXPRESSION);
swprintf_s(pAddExpression, MAX_EXPRESSION, L"%S", ....);
Status = g_watchCmd.Add(pAddExpression);
}
....
}
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer 'pSaveName'. sos strike.cpp 11997
- V512 A call of the 'memset' function will lead to underflow of the buffer 'pOldName'. sos strike.cpp 12013
- V512 A call of the 'memset' function will lead to underflow of the buffer 'pNewName'. sos strike.cpp 12016
- And 2 additional diagnostic messages.
Haiku Operating System
V512 A call of the 'memcmp' function will lead to underflow of the buffer '"Private-key-format: v"'. dst_api.c 858
dst_s_read_private_key_file(....)
{
....
if (memcmp(in_buff, "Private-key-format: v", 20) != 0)
goto fail;
....
}
Haiku Operating System
V512 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 623
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
void solv_SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
....
/* Clean up state data: */
MEMSET_BZERO(context, sizeof(context));
usedspace = 0;
}
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 644
- V512 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 953
- V512 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 973
- And 2 additional diagnostic messages.
Unreal Engine 4
V512 A call of the 'memset' function will lead to underflow of the buffer 'StartTimestampListHandles'. d3d12query.cpp 493
class FD3D12BufferedGPUTiming
{
....
FD3D12CLSyncPoint* StartTimestampListHandles;
FD3D12CLSyncPoint* EndTimestampListHandles;
....
};
void FD3D12BufferedGPUTiming::InitDynamicRHI()
{
....
StartTimestampListHandles = new FD3D12CLSyncPoint[BufferSize];
ZeroMemory(StartTimestampListHandles,
sizeof(StartTimestampListHandles));
EndTimestampListHandles = new FD3D12CLSyncPoint[BufferSize];
ZeroMemory(EndTimestampListHandles,
sizeof(EndTimestampListHandles));
....
}
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to underflow of the buffer 'EndTimestampListHandles'. d3d12query.cpp 495
FreeBSD Kernel
V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->vendor'. aacraid_cam.c 571
#define SID_VENDOR_SIZE 8
char vendor[SID_VENDOR_SIZE];
#define SID_PRODUCT_SIZE 16
char product[SID_PRODUCT_SIZE];
#define SID_REVISION_SIZE 4
char revision[SID_REVISION_SIZE];
static void
aac_container_special_command(struct cam_sim *sim,union ccb *ccb,
u_int8_t *cmdp)
{
....
/* OEM Vendor defines */
strcpy(p->vendor,"Adaptec "); // <=
strcpy(p->product,"Array "); // <=
strcpy(p->revision,"V1.0"); // <=
....
}
Similar errors can be found in some other places:
- V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->product'. aacraid_cam.c 572
- V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->revision'. aacraid_cam.c 573
Stickies
V512 A call of the 'sprintf' function will lead to overflow of the buffer 'errTxt'. stickyinstaller.cpp 162
BOOL DDE_InitClient (void)
{
UINT errCode = DdeInitialize(....);
if (errCode != 0)
{
char errTxt[32];
sprintf (errTxt, "DDE Server Failed, error code = %d",
errCode);
....
}
The fixed part of the format string, "DDE Server Failed, error code = ", is already 32 characters, so it fills errTxt on its own; the digits of errCode and the terminating NUL are always written past the end of the 32-byte array.
Similar errors can be found in some other places:
- V512 A call of the 'sprintf' function will lead to overflow of the buffer 'errTxt'. ddemlfuncs.cpp 151
CodeLite
V512 A call of the 'memset' function will lead to underflow of the buffer 'buffer'. md5.cpp 243
class MD5
{
....
typedef unsigned char uint1;
....
uint1 buffer[64]; // input buffer
....
static void memset(uint1 *start, uint1 val, uint4 length);
....
};
void MD5::finalize ()
{
....
// Zeroize sensitive information
memset (buffer, 0, sizeof(*buffer)); // <=
finalized=1;
}
FreeBSD Kernel
V512 A call of the 'memset' function will lead to underflow of the buffer 'plog'. nat64lsn.c 218
struct pfloghdr {
u_int8_t length;
sa_family_t af;
u_int8_t action;
u_int8_t reason;
char ifname[IFNAMSIZ];
char ruleset[PFLOG_RULESET_NAME_SIZE];
u_int32_t rulenr;
u_int32_t subrulenr;
uid_t uid;
pid_t pid;
uid_t rule_uid;
pid_t rule_pid;
u_int8_t dir;
u_int8_t pad[3];
};
static void
nat64lsn_log(struct pfloghdr *plog, ....)
{
memset(plog, 0, sizeof(plog)); // <=
plog->length = PFLOG_REAL_HDRLEN;
plog->af = family;
plog->action = PF_NAT;
plog->dir = PF_IN;
plog->rulenr = htonl(n);
plog->subrulenr = htonl(sn);
plog->ruleset[0] = '\0';
strlcpy(plog->ifname, "NAT64LSN", sizeof(plog->ifname));
ipfw_bpf_mtap2(plog, PFLOG_HDRLEN, m);
}
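The three entries above (InitDynamicRHI, MD5::finalize and nat64lsn_log) are the two halves of one mistake: sizeof applied to a pointer gives the pointer's size, and sizeof applied to *array gives one element. The following added example (not code from Unreal Engine, CodeLite or FreeBSD) makes the effect measurable: each buffer is filled with a sentinel byte, zeroed the way the flagged code does it and the way the fix does it, and the bytes still carrying the sentinel are counted. struct log_hdr is a hypothetical stand-in for the kernel's struct pfloghdr; only its size matters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct pfloghdr: the exact fields do not
 * matter, only that the object is much larger than a pointer. */
struct log_hdr {
    uint8_t  length, af, action, reason;
    char     ifname[16];
    char     ruleset[16];
    uint32_t rulenr, subrulenr;
    uint8_t  dir;
    uint8_t  pad[3];
};

/* Bytes of 'obj' still equal to the sentinel after a zeroing call, i.e.
 * the part of the object the caller failed to clear. */
static size_t bytes_left(const void *obj, size_t len, uint8_t sentinel)
{
    const uint8_t *p = obj;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (p[i] == sentinel);
    return n;
}

/* The nat64lsn_log() pattern: 'plog' is a pointer, so sizeof(plog) is
 * the pointer size, not the size of the header it points to. */
size_t untouched_after_buggy_struct_zero(void)
{
    struct log_hdr hdr, *plog = &hdr;
    memset(plog, 0xAA, sizeof hdr);
    size_t bad_len = sizeof(plog);      /* BUG: sizeof a pointer */
    memset(plog, 0, bad_len);
    return bytes_left(plog, sizeof hdr, 0xAA);
}

size_t untouched_after_fixed_struct_zero(void)
{
    struct log_hdr hdr, *plog = &hdr;
    memset(plog, 0xAA, sizeof hdr);
    memset(plog, 0, sizeof(*plog));     /* FIX: size of the pointed-to object */
    return bytes_left(plog, sizeof hdr, 0xAA);
}

/* The MD5::finalize() pattern is the mirror image: 'buffer' is an array,
 * so sizeof(*buffer) is one element while sizeof(buffer) is all 64. */
size_t untouched_after_buggy_array_zero(void)
{
    uint8_t buffer[64];
    memset(buffer, 0xAA, sizeof buffer);
    memset(buffer, 0, sizeof(*buffer)); /* BUG: clears exactly one byte */
    return bytes_left(buffer, sizeof buffer, 0xAA);
}

/* Arrays from new[]/malloc have no sizeof to fall back on; the only
 * correct byte count is element count times element size. */
size_t untouched_after_heap_zero(size_t n, int use_fix)
{
    uint64_t *p = malloc(n * sizeof *p);
    if (!p) return (size_t)-1;
    memset(p, 0xAA, n * sizeof *p);
    if (use_fix) {
        memset(p, 0, n * sizeof *p);    /* FIX */
    } else {
        size_t bad_len = sizeof(p);     /* BUG: as in InitDynamicRHI() */
        memset(p, 0, bad_len);
    }
    size_t left = bytes_left(p, n * sizeof *p, 0xAA);
    free(p);
    return left;
}
```

The sentinel technique is also a cheap unit test for any "zeroize sensitive data" routine: fill, clear, then assert that no sentinel byte survives.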
CryEngine V
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'hashableData'. GeomCacheRenderNode.cpp 285
void CGeomCacheRenderNode::Render(....)
{
....
CREGeomCache* pCREGeomCache = iter->second.m_pRenderElement;
....
uint8 hashableData[] =
{
0, 0, 0, 0, 0, 0, 0, 0,
(uint8)std::distance(pCREGeomCache->....->begin(), &meshData),
(uint8)std::distance(meshData....->....begin(), &chunk),
(uint8)std::distance(meshData.m_instances.begin(), &instance)
};
memcpy(hashableData,pCREGeomCache,sizeof(pCREGeomCache)); // <=
....
}
FreeBSD Kernel
V512 A call of the 'memcpy' function will lead to the '"MPI Coredump"' buffer becoming out of range. qls_dump.c 1615
typedef struct qls_mpid_glbl_hdr
{
....
uint8_t id[16];
....
} qls_mpid_glbl_hdr_t;
struct qls_mpi_coredump {
qls_mpid_glbl_hdr_t mpi_global_header;
....
};
typedef struct qls_mpi_coredump qls_mpi_coredump_t;
int
qls_mpi_core_dump(qla_host_t *ha)
{
....
qls_mpi_coredump_t *mpi_dump = &ql_mpi_coredump;
....
memcpy(mpi_dump->mpi_global_header.id, "MPI Coredump",
sizeof(mpi_dump->mpi_global_header.id));
....
}
FreeBSD Kernel
V512 A call of the 'sprintf' function will lead to overflow of the buffer 'lldev->mtx_name_tx[qindex]'. if_nxge.c 511
#define XGE_HAL_MIN_FIFO_NUM 1
#define XGE_FIFO_COUNT XGE_HAL_MIN_FIFO_NUM
typedef struct xge_lldev_t {
....
char mtx_name_tx[16][XGE_FIFO_COUNT];
struct callout timer;
struct ifmedia media;
xge_hal_channel_h fifo_channel[XGE_FIFO_COUNT];
....
}
void
xge_mutex_init(xge_lldev_t *lldev)
{
int qindex;
....
for(qindex = 0; qindex < XGE_FIFO_COUNT; qindex++) {
sprintf(lldev->mtx_name_tx[qindex], "%s_tx_%d",
device_get_nameunit(lldev->device), qindex);
....
}
Tizen
V512 A call of the 'memset' function will lead to underflow of the buffer 'req_id_used'. bt-service-util.c 38
typedef int gint;
typedef gint gboolean;
#define BT_REQUEST_ID_RANGE_MAX 245
static gboolean req_id_used[BT_REQUEST_ID_RANGE_MAX];
void _bt_init_request_id(void)
{
assigned_id = 0;
memset(req_id_used, 0x00, BT_REQUEST_ID_RANGE_MAX);
}
Tizen
V512 A call of the 'memset' function will lead to overflow of the buffer 'device_list.addresses[i].addr'. bt-service-dpm.c 226
#define BT_ADDRESS_STRING_SIZE 18
typedef struct {
unsigned char addr[6];
} bluetooth_device_address_t;
typedef struct {
int count;
bluetooth_device_address_t addresses[20];
} bt_dpm_device_list_t;
dpm_result_t _bt_dpm_get_bluetooth_devices_from_whitelist(
GArray **out_param1)
{
dpm_result_t ret = DPM_RESULT_FAIL;
bt_dpm_device_list_t device_list;
....
for (; list; list = list->next, i++) {
memset(device_list.addresses[i].addr, 0,
BT_ADDRESS_STRING_SIZE);
....
}
Similar errors can be found in some other places:
- V512 A call of the 'memset' function will lead to overflow of the buffer 'device_list.addresses[i].addr'. bt-service-dpm.c 176
Tizen
V512 A call of the 'memset' function will lead to underflow of the buffer 'formatted_number'. i18ninfo.c 544
typedef short unsigned int i18n_uchar;
#define BUF_SIZE 1000
static int __get_number_format(char *input_number)
{
....
i18n_uchar formatted_number[BUF_SIZE];
....
memset(formatted_number, 0, BUF_SIZE);
....
}
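Both Tizen memset calls above (req_id_used and formatted_number) pass an element count where memset expects a byte count, which clears a quarter or a half of the array. The added example below (not Tizen code) shows the effect on a 2-byte and a 4-byte element type, and a compile-time guard that makes the byte count derive from the array declaration itself. ARRAY_LEN/ARRAY_BYTES and MUST_BE_ARRAY are assumed helpers; MUST_BE_ARRAY relies on the GCC/Clang builtins __typeof__ and __builtin_types_compatible_p and refuses to compile when given a pointer, so it can never silently degrade into sizeof(pointer).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 0 for a genuine array; a compile error (negative array size) for a pointer. */
#define MUST_BE_ARRAY(a) \
    (sizeof(char[1 - 2 * __builtin_types_compatible_p(__typeof__(a), __typeof__(&(a)[0]))]) - 1)
#define ARRAY_LEN(a)   (sizeof(a) / sizeof((a)[0]) + MUST_BE_ARRAY(a))
#define ARRAY_BYTES(a) (sizeof(a) + MUST_BE_ARRAY(a))

#define BUF_SIZE 1000
#define BT_REQUEST_ID_RANGE_MAX 245
typedef uint16_t i18n_uchar;   /* 2-byte code unit, as in i18ninfo.c */
typedef int gboolean;          /* 4-byte flag, as in bt-service-util.c */

static size_t count_nonzero_u16(const i18n_uchar *p, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) k += (p[i] != 0);
    return k;
}

/* memset(buf, 0, BUF_SIZE) clears BUF_SIZE bytes, i.e. half of a
 * BUF_SIZE-element uint16_t array. Returns the elements left dirty. */
size_t dirty_units_after_memset(int use_fix)
{
    i18n_uchar formatted_number[BUF_SIZE];
    for (size_t i = 0; i < ARRAY_LEN(formatted_number); i++)
        formatted_number[i] = 0xFFFF;
    if (use_fix)
        memset(formatted_number, 0, ARRAY_BYTES(formatted_number)); /* FIX */
    else
        memset(formatted_number, 0, BUF_SIZE);           /* BUG: elements, not bytes */
    return count_nonzero_u16(formatted_number, ARRAY_LEN(formatted_number));
}

/* Same bug on a 4-byte type: 245 bytes cover only the first 61 flags and
 * one byte of the 62nd. The fill pattern has every byte non-zero so a
 * partially cleared flag still counts as dirty regardless of endianness. */
size_t dirty_flags_after_memset(int use_fix)
{
    gboolean req_id_used[BT_REQUEST_ID_RANGE_MAX];
    for (size_t i = 0; i < ARRAY_LEN(req_id_used); i++)
        req_id_used[i] = 0x01010101;
    if (use_fix)
        memset(req_id_used, 0x00, ARRAY_BYTES(req_id_used));          /* FIX */
    else
        memset(req_id_used, 0x00, BT_REQUEST_ID_RANGE_MAX);           /* BUG */
    size_t k = 0;
    for (size_t i = 0; i < ARRAY_LEN(req_id_used); i++)
        k += (req_id_used[i] != 0);
    return k;
}
```

The same arithmetic applies to the wchar_t, int and int64_t buffers elsewhere on this page: whenever the element is wider than a byte, the length argument must be element count times sizeof(element), or simply sizeof(array) when the array is in scope.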
Tizen
V512 A call of the 'snprintf' function will lead to overflow of the buffer 'buf + strlen(buf)'. app_tracker.c 450
static void _on_atspi_event_cb(const AtspiEvent * event)
{
....
char buf[256] = "\0";
....
snprintf(buf, sizeof(buf), "%s, %s, ",
name, _("IDS_BR_BODY_IMAGE_T_TTS"));
....
snprintf(buf + strlen(buf), sizeof(buf),
"%s, ", _("IDS_ACCS_BODY_SELECTED_TTS"));
....
}
Tizen
V512 A call of the 'snprintf' function will lead to overflow of the buffer 'trait + strlen(trait)'. navigator.c 514
#define HOVERSEL_TRAIT_SIZE 200
void add_slider_description(....)
{
....
char trait[HOVERSEL_TRAIT_SIZE] = "";
....
snprintf(trait, HOVERSEL_TRAIT_SIZE,
_("IDS_GCTS_OPT_P1SS_PERCENT_TTS"), buf_percent);
....
snprintf(trait + strlen(trait), HOVERSEL_TRAIT_SIZE, // <=
", %s", _IGNORE_ON_TV("IDS_......."));
....
}
Tizen
V512 A call of the 'snprintf' function will lead to overflow of the buffer 'ret + strlen(ret)'. navigator.c 677
#define TTS_MAX_TEXT_SIZE 2000
char *generate_description_trait(AtspiAccessible * obj) {
....
char ret[TTS_MAX_TEXT_SIZE] = { [TTS_MAX_TEXT_SIZE - 1] = 0 };
....
snprintf(ret, sizeof(ret),
_("IDS_ACCS_BODY_TAB_P1SD_OF_P2SD"),
index + 1, children_count);
if (!is_selected)
snprintf(ret + strlen(ret), sizeof(ret), // <=
", %s",
_IGNORE_ON_TV("IDS_......."));
....
}
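The three Tizen snprintf entries above share one shape: the destination is advanced to buf + strlen(buf), but the size limit is still the full buffer, so snprintf may legitimately write up to strlen(buf) bytes past the end. The limit must shrink with the offset. The added example below (not Tizen code) is a small append helper that computes the remaining space from the current length, keeps the buffer terminated, and reports truncation; build_tts_string is a constructed driver mirroring the name/label/"selected" sequence in _on_atspi_event_cb, with its parts chosen here as sample input.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text to a NUL-terminated buffer of 'cap' bytes.
 * Returns 0 on success, -1 if the output was truncated or the buffer was
 * not terminated. The buffer is always NUL-terminated on return. */
int append_fmt(char *buf, size_t cap, const char *fmt, ...)
{
    const char *end = memchr(buf, '\0', cap);
    if (end == NULL)                    /* no terminator inside cap: refuse */
        return -1;
    size_t len = (size_t)(end - buf);

    va_list ap;
    va_start(ap, fmt);
    /* FIX: the limit is the space that remains, not sizeof(buf). */
    int n = vsnprintf(buf + len, cap - len, fmt, ap);
    va_end(ap);

    if (n < 0) {                        /* encoding error: leave buffer as it was */
        buf[len] = '\0';
        return -1;
    }
    return (size_t)n < cap - len ? 0 : -1;   /* n >= remaining means truncated */
}

/* Constructed driver: join 'parts' as "a, b, c, " the way the TTS code
 * does, reporting whether any piece was cut. Returns the final length. */
size_t build_tts_string(char *out, size_t cap, const char *const *parts,
                        size_t nparts, int *truncated)
{
    out[0] = '\0';
    *truncated = 0;
    for (size_t i = 0; i < nparts; i++)
        if (append_fmt(out, cap, "%s, ", parts[i]) != 0)
            *truncated = 1;
    return strlen(out);
}
```

Checking the return value matters as much as the size: snprintf returns the length the output would have had, so a result of remaining or more is the signal that the text was cut and the caller should stop appending.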
EFL Core Libraries
V512 A call of the 'memcpy' function will lead to the 'array' buffer becoming out of range. eina_array.c 186
typedef struct _Eina_Array Eina_Array;
struct _Eina_Array
{
int version;
void **data;
unsigned int total;
unsigned int count;
unsigned int step;
Eina_Magic __magic;
};
typedef struct _Eina_Accessor_Array Eina_Accessor_Array;
struct _Eina_Accessor_Array
{
Eina_Accessor accessor;
const Eina_Array *array;
Eina_Magic __magic;
};
static Eina_Accessor *
eina_array_accessor_clone(const Eina_Array *array)
{
Eina_Accessor_Array *ac;
EINA_SAFETY_ON_NULL_RETURN_VAL(array, NULL);
EINA_MAGIC_CHECK_ARRAY(array);
ac = calloc(1, sizeof (Eina_Accessor_Array));
if (!ac) return NULL;
memcpy(ac, array, sizeof(Eina_Accessor_Array));
return &ac->accessor;
}
EFL Core Libraries
V512 A call of the 'memcpy' function will lead to overflow of the buffer 'bgra + k * 16'. draw_convert.c 318
static Eina_Bool _convert_etc2_rgb8_to_argb8888(....)
{
const uint8_t *in = src;
uint32_t *out = dst;
int out_step, x, y, k;
unsigned int bgra[16];
....
for (k = 0; k < 4; k++)
memcpy(out + x + k * out_step, bgra + k * 16, 16);
....
}
Similar errors can be found in some other places:
- V512 A call of the 'memcpy' function will lead to overflow of the buffer 'bgra + k * 16'. draw_convert.c 350
Ardour
V512 A call of the 'memset' function will lead to underflow of the buffer 'error_buffer'. ardour_http.cc 142
class HttpGet {
....
char error_buffer[CURL_ERROR_SIZE];
....
};
HttpGet::HttpGet (bool p, bool ssl)
: persist (p)
, _status (-1)
, _result (-1)
{
memset (error_buffer, 0, sizeof (*error_buffer));
....
}
Chromium
V512 CWE-682 A call of the 'memset' function will lead to underflow of the buffer 'key_event->text'. event_conversion.cc 435
#if defined(WIN32)
typedef wchar_t WebUChar;
#else
typedef unsigned short WebUChar;
#endif
static const size_t kTextLengthCap = 4;
class WebKeyboardEvent : public WebInputEvent {
....
WebUChar text[kTextLengthCap];
WebUChar unmodified_text[kTextLengthCap];
....
};
WebKeyboardEvent* BuildCharEvent(const InputEventData& event)
{
WebKeyboardEvent* key_event = new WebKeyboardEvent(....);
....
memset(key_event->text, 0, text_length_cap);
memset(key_event->unmodified_text, 0, text_length_cap);
....
}
Confusion between the number of elements in the array and the size of the buffer in bytes.
Similar errors can be found in some other places:
- V512 CWE-682 A call of the 'memset' function will lead to underflow of the buffer 'key_event->unmodified_text'. event_conversion.cc 436
WebRTC
V512 CWE-682 A call of the 'memset' function will lead to underflow of the buffer '_jumpBuf'. rtt_filter.cc 52
class VCMRttFilter {
....
enum { kMaxDriftJumpCount = 5 };
....
int64_t _jumpBuf[kMaxDriftJumpCount];
int64_t _driftBuf[kMaxDriftJumpCount];
....
};
void VCMRttFilter::Reset() {
_gotNonZeroUpdate = false;
_avgRtt = 0;
_varRtt = 0;
_maxRtt = 0;
_filtFactCount = 1;
_jumpCount = 0;
_driftCount = 0;
memset(_jumpBuf, 0, kMaxDriftJumpCount);
memset(_driftBuf, 0, kMaxDriftJumpCount);
}
Confusion between the number of elements in the array and the size of the buffer in bytes.
XNU kernel
V512 CWE-119 A call of the 'snprintf' function will lead to overflow of the buffer 'interface_names[index]'. necp.c 4376
#define IFNAMSIZ 16
#define IFXNAMSIZ (IFNAMSIZ + 8)
#define MAX_ROUTE_RULE_INTERFACES 10
static inline const char *
necp_get_result_description(....)
{
....
char interface_names[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES];
....
for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
if (route_rule->exception_if_indices[index] != 0) {
ifnet_t interface = ifindex2ifnet[....];
snprintf(interface_names[index],
IFXNAMSIZ, "%s%d", ifnet_name(interface),
ifnet_unit(interface));
} else {
memset(interface_names[index], 0, IFXNAMSIZ);
}
}
....
}
Most likely, the array was declared incorrectly and it should be written as follows: char interface_names[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ];
Similar errors can be found in some other places:
- V512 CWE-119 A call of the 'memset' function will lead to overflow of the buffer 'interface_names[index]'. necp.c 4378
XNU kernel
V512 CWE-119 A call of the '__builtin___memcpy_chk' function will lead to a buffer overflow. necp_client.c 1459
#define IFNAMSIZ 16
#define IFXNAMSIZ (IFNAMSIZ + 8)
#define NECP_MAX_PARSED_PARAMETERS 16
struct necp_client_parsed_parameters {
....
char prohibited_interfaces[IFXNAMSIZ]
[NECP_MAX_PARSED_PARAMETERS];
....
};
static int
necp_client_parse_parameters(....,
struct necp_client_parsed_parameters *parsed_parameters)
{
....
u_int32_t length = ....;
....
if (length <= IFXNAMSIZ && length > 0) {
memcpy(parsed_parameters->prohibited_interfaces[
num_prohibited_interfaces],
value, length);
parsed_parameters->prohibited_interfaces[
num_prohibited_interfaces][length - 1] = 0;
....
}
Most likely, the array was declared incorrectly and it should be written as follows: char prohibited_interfaces[NECP_MAX_PARSED_PARAMETERS][IFXNAMSIZ];
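The two XNU declarations above (and the mtx_name_tx table in if_nxge.c) have their dimensions swapped, so each row is 10 or 16 bytes wide while every write assumes IFXNAMSIZ. The added example below (not XNU or FreeBSD code) shows the check that catches the swap at compile time, a _Static_assert on the size of one row, and a fill routine that takes its snprintf limit from the row type itself so the limit cannot disagree with the declaration. ifname_table_t, swapped_table_t and fill_interface_names are assumed names for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16
#define IFXNAMSIZ (IFNAMSIZ + 8)
#define MAX_ROUTE_RULE_INTERFACES 10

/* Correct order: one row per interface, each row IFXNAMSIZ bytes. */
typedef char ifname_table_t[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ];
/* The order the flagged declarations use: rows are only 10 bytes. */
typedef char swapped_table_t[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES];

/* Compile-time check: a row must hold a full extended interface name.
 * Apply this to the real table; it passes for ifname_table_t and fails
 * (as the commented line would) for swapped_table_t. */
_Static_assert(sizeof(((ifname_table_t *)0)[0][0]) == IFXNAMSIZ,
               "interface name rows must be IFXNAMSIZ bytes");
/* _Static_assert(sizeof(((swapped_table_t *)0)[0][0]) == IFXNAMSIZ, ""); */

size_t correct_row_bytes(void) { return sizeof(((ifname_table_t *)0)[0][0]); }
size_t swapped_row_bytes(void) { return sizeof(((swapped_table_t *)0)[0][0]); }

/* Fill rows from (base name, unit) pairs, zeroing unused rows, the way
 * necp_get_result_description() does. The limit is sizeof names[i], so it
 * follows the declaration automatically. Returns -1 on truncation. */
int fill_interface_names(ifname_table_t names, const char *const *base,
                         const int *unit, size_t n)
{
    if (n > MAX_ROUTE_RULE_INTERFACES)
        return -1;
    for (size_t i = 0; i < MAX_ROUTE_RULE_INTERFACES; i++) {
        if (i < n && base[i] != NULL) {
            int k = snprintf(names[i], sizeof names[i], "%s%d", base[i], unit[i]);
            if (k < 0 || (size_t)k >= sizeof names[i])
                return -1;              /* name did not fit: do not continue silently */
        } else {
            memset(names[i], 0, sizeof names[i]);
        }
    }
    return 0;
}
```

Had the original code written sizeof(interface_names[index]) instead of the IFXNAMSIZ constant, the analyzer's warning would have disappeared, but so would the names: they would have been truncated to 9 characters. The _Static_assert is what turns the swapped declaration into a build failure rather than a silent truncation or overflow.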
rdesktop
V512 A call of the 'sprintf' function will lead to overflow of the buffer 'fullpath'. disk.c 1257
RD_NTSTATUS
disk_query_directory(....)
{
....
char *dirname, fullpath[PATH_MAX];
....
/* Get information for directory entry */
sprintf(fullpath, "%s/%s", dirname, pdirent->d_name);
....
}
VVVVVV
V512 A call of the 'sprintf' function will lead to overflow of the buffer 'fileSearch'. FileSystemUtils.cpp 307
#define MAX_PATH 260
....
void PLATFORM_migrateSaveData(char *output)
{
char oldLocation[MAX_PATH];
char newLocation[MAX_PATH];
char oldDirectory[MAX_PATH];
char fileSearch[MAX_PATH];
....
/* Same place, different layout. */
strcpy(oldDirectory, output);
sprintf(fileSearch, "%s\\*.vvvvvv", oldDirectory);
....
}
The format adds a backslash, "*.vvvvvv" and the terminating NUL (ten bytes) to oldDirectory, so once oldDirectory holds 251 or more characters the result no longer fits in the 260-byte fileSearch and sprintf writes past the end of the array. The preceding strcpy(oldDirectory, output) is just as unbounded: nothing in this function limits output to MAX_PATH either.
Zephyr
V512 [CWE-119] A call of the 'memcpy' function will lead to the 'net_hostname_get()' buffer becoming out of range. log_backend_net.c 114
#if defined(CONFIG_NET_HOSTNAME_ENABLE)
const char *net_hostname_get(void);
#else
static inline const char *net_hostname_get(void)
{
return "zephyr";
}
#endif
#define NET_IPV6_ADDR_LEN sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx")
#define MAX_HOSTNAME_LEN NET_IPV6_ADDR_LEN
static int do_net_init(void)
{
....
(void)memcpy(hostname, net_hostname_get(), MAX_HOSTNAME_LEN);
....
}
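Three entries on this page mishandle fixed-width string fields: aac_container_special_command uses strcpy, which writes the terminator one byte past an 8-byte vendor field; qls_mpi_core_dump passes sizeof(id) to memcpy and so reads four bytes beyond the 13-byte literal "MPI Coredump"; and do_net_init above copies MAX_HOSTNAME_LEN (40) bytes from a hostname that, in the CONFIG_NET_HOSTNAME_ENABLE-disabled build, is the 7-byte literal "zephyr". The added example below (not FreeBSD or Zephyr code) shows the two safe shapes: a space-padded field with no terminator, as SCSI-style vendor/product/revision fields are, and a NUL-terminated field. Both copy at most the field width, never read past the source's own terminator, and report how much of the source did not fit. struct inquiry_ids and the helper names are assumptions for this illustration.

```c
#include <stddef.h>
#include <string.h>

#define SID_VENDOR_SIZE 8
#define SID_PRODUCT_SIZE 16
#define SID_REVISION_SIZE 4

/* Hypothetical stand-in for the driver's inquiry data fields. */
struct inquiry_ids {
    char vendor[SID_VENDOR_SIZE];
    char product[SID_PRODUCT_SIZE];
    char revision[SID_REVISION_SIZE];
};

/* Fill a fixed-width, space-padded field (no NUL) from a C string.
 * Copies min(strlen(src), width) bytes, so it neither writes a terminator
 * past the field (the strcpy overflow) nor reads past the end of 'src'
 * (the over-read of a short literal). Returns the bytes that did not fit. */
size_t set_padded_field(char *dst, size_t width, const char *src)
{
    size_t n = strlen(src);
    size_t copied = n < width ? n : width;
    memcpy(dst, src, copied);
    memset(dst + copied, ' ', width - copied);
    return n - copied;
}

/* Same for a field that must remain NUL-terminated (the coredump id):
 * at most width - 1 bytes of text, the rest zeroed. */
size_t set_terminated_field(char *dst, size_t width, const char *src)
{
    size_t n = strlen(src);
    size_t copied = n < width ? n : width - 1;
    memcpy(dst, src, copied);
    memset(dst + copied, 0, width - copied);
    return n - copied;
}

/* The three assignments from aac_container_special_command, done safely.
 * Returns -1 if any value was too long for its field. */
int fill_inquiry_ids(struct inquiry_ids *p)
{
    size_t lost = 0;
    lost += set_padded_field(p->vendor,   sizeof p->vendor,   "Adaptec");
    lost += set_padded_field(p->product,  sizeof p->product,  "Array");
    lost += set_padded_field(p->revision, sizeof p->revision, "V1.0");
    return lost == 0 ? 0 : -1;
}
```

Note that strncpy(dst, src, width) would also have stopped the overflow for the padded fields, but it zero-fills rather than space-fills and, for the terminated case, leaves no NUL when the source is at least width bytes long; an explicit helper makes the intended field layout visible at the call site.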
Zephyr
V512 [CWE-119] A call of the 'snprintf' function will lead to overflow of the buffer 'full_name'. lwm2m_rw_json.c 826
int do_write_op_json(struct lwm2m_message *msg)
{
u8_t value[TOKEN_BUF_LEN]; // TOKEN_BUF_LEN = 64
u8_t base_name[MAX_RESOURCE_LEN]; // MAX_RESOURCE_LEN = 20
u8_t full_name[MAX_RESOURCE_LEN]; // MAX_RESOURCE_LEN = 20
....
/* combine base_name + name */
snprintf(full_name, TOKEN_BUF_LEN, "%s%s", base_name, value);
....
}
Command & Conquer
V512 A call of the 'sprintf' function will lead to overflow of the buffer '(char *) ptr'. SOUNDDLG.CPP 250
void SoundControlsClass::Process(void)
{
....
void * ptr = new char [sizeof(100)]; // <=
if (ptr) {
sprintf((char *)ptr, "%cTrack %d\t%d:%02d\t%s", // <=
index, listbox.Count()+1, length / 60, length % 60, fullname);
listbox.Add_Item((char const *)ptr);
}
....
}
sizeof(100) is sizeof(int), i.e. four bytes on common platforms, so the allocation is far smaller than the string sprintf then writes into it; most likely new char[100] was intended.
Command & Conquer
V512 A call of the 'memset' function will lead to underflow of the buffer 'Buffer'. KEYBOARD.CPP 96
unsigned short Buffer[256];
WWKeyboardClass::WWKeyboardClass(void)
{
....
memset(Buffer, 0, 256);
....
}
Qt
V512 [CWE-682] A call of the 'memset' function will lead to underflow of the buffer 'm_keys'. qv4estable.cpp 57
ESTable::ESTable()
: m_capacity(8)
{
m_keys = (Value*)malloc(m_capacity * sizeof(Value));
m_values = (Value*)malloc(m_capacity * sizeof(Value));
memset(m_keys, 0, m_capacity);
memset(m_values, 0, m_capacity);
}
GPCS4
V512 [CWE-119] A call of the 'memset' function will lead to overflow of the buffer 'param->reserved'. sce_gnm_draw.cpp 420
struct GnmCmdPSShader
{
....
uint32_t reserved[27];
};
int PS4API sceGnmSetPsShader350(....)
{
....
memset(param->reserved, 0, sizeof(param->reserved) * sizeof(uint32_t));
return SCE_OK;
}
sizeof(param->reserved) is already the size of the array in bytes (27 * 4 = 108); multiplying it by sizeof(uint32_t) again asks memset to clear four times as much memory as the array occupies. The correct length is simply sizeof(param->reserved).
GPCS4
V512 [CWE-119] A call of the 'memset' function will lead to overflow of the buffer 'initParam->reserved'. sce_gnm_dispatch.cpp 16
uint32_t PS4API sceGnmDispatchInitDefaultHardwareState(....)
{
....
memset(initParam->reserved, 0,
sizeof(initParam->reserved) * sizeof(uint32_t));
return initCmdSize;
}