Our website uses cookies to enhance your browsing experience.
Accept
to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam

Webinar: Evaluation - 05.12

>
>
>
Examples of errors detected by the V557…

Examples of errors detected by the V557 diagnostic

V557. Possible array overrun.


VirtualDub

V557 Array overrun is possible. The '9' index is pointing beyond array bound. VirtualDub f_convolute.cpp 73


struct ConvoluteFilterData {
 long m[9];
 long bias;
 void *dyna_func;
 DWORD dyna_size;
 DWORD dyna_old_protect;
 BOOL fClip;
};

static unsigned long __fastcall do_conv(
  unsigned long *data,
  const ConvoluteFilterData *cfd,
  long sflags, long pit)
{
  long rt0=cfd->m[9], gt0=cfd->m[9], bt0=cfd->m[9];
  ....
}

Dynamic Universal Music Bibliotheque

V557 Array overrun is possible. The '14' index is pointing beyond array bound. dumb_static readdsmf.c 34


struct IT_SAMPLE
{
  ....
  unsigned char filename[14];
  ....
};

static int it_riff_dsmf_process_sample(
  IT_SAMPLE * sample, const unsigned char * data, int len)
{
  int flags;
  memcpy( sample->filename, data, 13 );
  sample->filename[ 14 ] = 0;
  ....
}

This is what should have been written here: sample->filename[ 13 ] = 0;


CAMEL

V557 Array overrun is possible. The '64' index is pointing beyond array bound. stickies stickies.cpp 7947


#define FINDBUFFLEN 64  // Max buffer find/replace size

int WINAPI Sticky (HWND hwnd, UINT message,
  WPARAM wParam, LPARAM lParam)
{
  ....
  static char  findWhat[FINDBUFFLEN] = {'\0'};
  ....
  findWhat[FINDBUFFLEN] = '\0';
  ....
}

Wolfenstein 3D

V557 Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_cmd.c 1069


typedef struct bot_state_s
{
  ....
  char teamleader[32]; //netname of the team leader
  ....
}  bot_state_t;

void BotMatch_StartTeamLeaderShip(
  bot_state_t *bs, bot_match_t *match)
{
  ....
  bs->teamleader[sizeof( bs->teamleader )] = '\0';
  ....
}

-1 is missing. The same error can be found in Quake 3.

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_team.c 548

Wolfenstein 3D

V557 Array overrun is possible. The '3' index is pointing beyond array bound. renderer tr_shade_calc.c 679


void RB_CalcColorFromOneMinusEntity(unsigned char *dstColors) {
  ....
  unsigned char invModulate[3];
  ....
  invModulate[0] = 255 - backEnd.currentEntity->e.shaderRGBA[0];
  invModulate[1] = 255 - backEnd.currentEntity->e.shaderRGBA[1];
  invModulate[2] = 255 - backEnd.currentEntity->e.shaderRGBA[2];
  // this trashes alpha, but the AGEN block fixes it
  invModulate[3] = 255 - backEnd.currentEntity->e.shaderRGBA[3];
  ....
}

The same error can be found in Quake 3.


IPP Samples

V557 Array overrun is possible. The '30' index is pointing beyond array bound. avs_enc umc_avs_enc_compressor_enc_b.cpp 495


struct AVS_MB_INFO
{
  ....
  Ipp8u refIdx[AVS_DIRECTIONS][4];
  ....
};

void AVSCompressor::GetRefIndiciesBSlice(void){
  ....
  if (m_pMbInfo->predType[0] & predType)
  {
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][0];
    iRefNum += 1;
  }
  if (m_pMbInfo->predType[1] & predType)
  {
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][1];
    iRefNum += 1;
  }
  if (m_pMbInfo->predType[2] & predType)
  {
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][2];
    iRefNum += 1;
  }
  if (m_pMbInfo->predType[3] & predType)
  {
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][30];
    iRefNum += 1;
  }
  ....
}

The programmer's hand faltered and now we have 30 instead of 3.


IPP Samples

V557 Array overrun is possible. The '3' index is pointing beyond array bound. mp3_enc mp3enc_psychoacoustic_fp.c 726


typedef struct
{
  ....
  VM_ALIGN16_DECL(Ipp32f)
    nb_short[2][3][__ALIGNED(MAX_PPT_SHORT)];
  ....
} mpaPsychoacousticBlock;

static void mp3encPsy_short_window(....)
{
  ....
  if (win_counter == 0) {
    nb_s = pBlock->nb_short[0][3];
  }
  ....
}

This is what should have been written here: 2.


LAME

V557 Array overrun is possible. The value of 'r0 + r1 + 2' index could reach 24. libmp3lame takehiro.c 895


....
#define SBMAX_l       22
....
int l[1+SBMAX_l];
....

inline static void
recalc_divide_init(const lame_internal_flags * const gfc, ...)
{
  int r0, r1;
  ....

  for (r0 = 0; r0 < 16; r0++) {
    ....
    for (r1 = 0; r1 < 8; r1++) {
      int a2 = gfc->scalefac_band.l[r0 + r1 + 2];
  ....
}

Irrlicht Engine

V557 Array overrun is possible. The value of 'i * 3 + 0' index could reach 765. Irrlicht cimageloaderpcx.cpp 113


struct SPCXHeader {
  ....
  u8   Palette[48];
  u8   Reserved;
  u8   Planes;
  u16  BytesPerLine;
  ....
}

IImage* CImageLoaderPCX::loadImage(io::IReadFile* file) const
{
  ....
  for( s32 i=0; i<256; i++ )
  {
    paletteData[i] = (header.Palette[i*3+0] << 16) |
     (header.Palette[i*3+1] << 8) |
     (header.Palette[i*3+2]);
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i * 3 + 1' index could reach 766. Irrlicht cimageloaderpcx.cpp 114
  • V557 Array overrun is possible. The value of 'i * 3 + 2' index could reach 767. Irrlicht cimageloaderpcx.cpp 115

SAGA GIS

V557 Array overrun is possible. The value of 'i + 1' index could reach 7. pj_geotrans datum.c 367


#define DATUM_CODE_LENGTH           7

typedef struct Datum_Table_Row
{
  ....
  char Code[DATUM_CODE_LENGTH];
  ....
} Datum_Row;

long Initialize_Datums_File(const char *File_7Parms,
                            const char *File_3Parms)
{
  ....
  for (i = 0; i < DATUM_CODE_LENGTH; i++)
    Datum_Table_3Param[index].Code[i] =
      Datum_Table_3Param[index].Code[i+1];
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i + 1' index could reach 7. pj_geotrans datum.c 630
  • V557 Array overrun is possible. The value of 'i + 1' index could reach 30. pj_geotrans ellipse.c 209
  • V557 Array overrun is possible. The value of 'i + 1' index could reach 30. pj_geotrans ellipse.c 326

CMake

V557 Array overrun is possible. The value of 'i' index could reach 367. cmlibarchive archive_windows.c 1140


static const struct {
    DWORD       winerr;
    int     doserr;
} doserrors[] =
{
  ....
};

static void
la_dosmaperr(unsigned long e)
{
  ....
  for (i = 0; i < sizeof(doserrors); i++)
  {
    if (doserrors[i].winerr == e)
    {
      errno = doserrors[i].doserr;
      return;
    }
  }
  ....
}

This is what should have been written here: sizeof(doserrors) / sizeof(*doserrors)

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 367. cmlibarchive archive_windows.c 1142

Energy Checker SDK

V557 Array overrun is possible. The '255' index is pointing beyond array bound. pl2ganglia pl2ganglia.c 1114


#define PL_MAX_PATH 255
#define PL2GANFLIA_COUNTER_MAX_LENGTH PL_MAX_PATH

char name[PL_MAX_PATH];

int main(int argc, char *argv[]) {
  ....
  p->pl_counters_data[i].name[
    PL2GANFLIA_COUNTER_MAX_LENGTH
  ] = '\0';
  ....
}

This is what should have been written here: PL2GANFLIA_COUNTER_MAX_LENGTH - 1

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '255' index is pointing beyond array bound. pl2ganglia pl2ganglia.c 1134

ReactOS

V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1482


static void move_dir_to_dir(....)
{
  ....
  szFrom[lstrlenW(szFrom) + 1] = '\0';
  ....
}

Very suspicious code. Something different must have been intended.

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'lstrlenW (szTo) + 1' index could reach 260. shell32 shlfileop.c 1192
  • V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1196
  • V557 Array overrun is possible. The value of 'lstrlenW (curdir) + 1' index could reach 261. shell32 shlfileop.c 1274

IPP Samples

V557 Array overrun is possible. The value of 'j' index could reach 2. mp3_enc mp3enc_psychoacoustic_fp.c 361


Ipp32f pa_nb_long[NUM_CHANNELS][2][MAX_PPT_LONG];

MP3Status mp3enc_psychoacousticInit(....)
{
  ....
  for (ch = 0; ch < NUM_CHANNELS; ch++)
    for (i = 0; i < MAX_PPT_LONG; i++) {
      for (j = 0; j < 3; j++)
        state->pa_nb_long[ch][j][i] = (Ipp32f)1.0e30;
    }
  ....
}

This is what should have been written here: for (j = 0; j < 2; j++)


IPP Samples

V557 Array overrun is possible. The value of 't * 12 + j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 275


typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];

static void mp3enc_scale_factor_calc_l2(MP3Enc *state)
{
  ....
  for (ch = 0; ch < stereo + state->com.mc_channel; ch++) {
    for (t = 0; t < 3; t++) {
      for (sb = 0; sb < sblimit_real; sb++){
        for (j = 0; j < 12; j++)
          fbout[j] = state->fbout_data[ch][0][t * 12 + j][sb];
  ....
}

If it can be possible that t == 2, while j == 11, an array overrun will occur.

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 's * 12 + j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 580

IPP Samples

V557 Array overrun is possible. The value of 'j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 639


typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];

static void mp3enc_join_LR_l2(MP3Enc *state)
{
  Ipp32s sb, j;
  Ipp32s sblimit_real = state->com.sblimit_real;

  for (sb = 0; sb < sblimit_real; sb++)
    for (j = 0; j < 36; j++)
      state->fbout_data[2][0][j][sb] =
        0.5f * (state->fbout_data[0][0][j][sb] +
        state->fbout_data[1][0][j][sb]);
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 640

Chromium

V557 Array overrun is possible. The value of 'n' index could reach 479. iSAC encode.c 1307


#define FRAMESAMPLES_HALF      240
#define FRAMESAMPLES           480

typedef struct {
  ....
  WebRtc_Word16 realFFT[FRAMESAMPLES_HALF];
  WebRtc_Word16 imagFFT[FRAMESAMPLES_HALF];
} ISACUBSaveEncDataStruct;

int WebRtcIsac_EncodeStoredDataUb12(....)
{
  ....
  for(n = 0; n < FRAMESAMPLES; n++)
  {
    realFFT[n] = (WebRtc_Word16)
      (scale * (float)ISACSavedEnc_obj->realFFT[n] + 0.5f);
    imagFFT[n] = (WebRtc_Word16)
      (scale * (float)ISACSavedEnc_obj->imagFFT[n] + 0.5f);
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'n' index could reach 479. iSAC encode.c 1308

Doom 3

V557 Array overrun is possible. The value of 'j' index could reach 5. DoomDLL tr_stencilshadow.cpp 551


static bool R_ClipLineToLight(..., const idPlane frustum[4], ...)
{
  ....
  for ( j = 0 ; j < 6 ; j++ ) {
    d1 = frustum[j].Distance( p1 );
    d2 = frustum[j].Distance( p2 );
    ....
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'j' index could reach 5. DoomDLL tr_stencilshadow.cpp 552

Mozilla Firefox

V557 Array overrun is possible. The value of 'i' index could reach 19. detectcharset.cpp 89


class nsBaseStatis : public nsStatis {
public:
  ....
  PRUint32 mLWordLen[10];
  ....
  nsBaseStatis::nsBaseStatis(
    unsigned char aL, unsigned char aH, float aR)
  {
    ....
    for(PRUint32 i = 0; i < 20; i++)
       mLWordLen[i] = 0;
    ....
  }
}

  ....
};

This is what should have been written here: for(PRUint32 i = 0; i < 10; i++) or: for(PRUint32 i = 0; i < sizeof(mLWordLen)/sizeof(mLWordLen[0]); i++)


Quake-III-Arena

V557 Array overrun is possible. The value of 'i' index could reach 3. game g_main.c 776


int   numteamVotingClients[2];

void CalculateRanks( void ) {
  ....
  for ( i = 0; i < TEAM_NUM_TEAMS; i++ ) {
    level.numteamVotingClients[i] = 0;
  }
  ....
}

Notepad++

V557 Array overrun is possible. The value of 'i' index could reach 46. Notepad++ preferencedlg.cpp 984


int encodings[] = {
  1250,
  1251,
  1252,
  ....
};


BOOL CALLBACK DefaultNewDocDlg::run_dlgProc(
  UINT Message, WPARAM wParam, LPARAM)
{
  ....
  for (int i = 0 ; i <= sizeof(encodings)/sizeof(int) ; i++)
  {
    int cmdID = em->getIndexFromEncoding(encodings[i]);
  ....
}

This is what should have been written here: i < sizeof(encodings)/sizeof(int)


Trinity Core

V557 Array overrun is possible. The value of 'i' index could reach 39. libmysql ctype-czech.c 260


static struct wordvalue doubles[] = {
 { "ch", (uchar*) "\014\031\057\057" },
 { "Ch", (uchar*) "\014\031\060\060" },
 { "CH", (uchar*) "\014\031\061\061" },
 { "c",  (uchar*) "\005\012\021\021" },
 { "C",  (uchar*) "\005\012\022\022" },
 };

#define NEXT_CMP_VALUE(src, p, store, pass, value, len) \
while (1)                                      \
{                                              \
  ......                                       \
  for (i = 0; i < (int) sizeof(doubles); i++)  \
  {                                            \
    const char * pattern = doubles[i].word;    \
    ...                                        \
    }                                          \
  }                                            \
  ......                                       \
}

An incorrect macro NEXT_CMP_VALUE.


Blender

V557 Array overrun is possible. The '9' index is pointing beyond array bound. ge_phys_bullet ccdphysicscontroller.cpp 867


void CcdPhysicsController::RelativeRotate(
  const float rotval[9], bool local)
{
  ....
  btMatrix3x3 drotmat(
    rotval[0],rotval[4],rotval[8],
    rotval[1],rotval[5],rotval[9],
    rotval[2],rotval[6],rotval[10]);
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '10' index is pointing beyond array bound. ge_phys_bullet ccdphysicscontroller.cpp 868

Blender

V557 Array overrun is possible. The '7' index is pointing beyond array bound. vfont.cc 612


typedef struct BezTriple
{
  float vec[3][3];
  ....
}

void BKE_vfont_build_char(....)
{
  ....
  BezTriple *bezt2 = (BezTriple *)MEM_malloc_arrayN(u,
                                                    sizeof(BezTriple),
                                                    "duplichar_bezt2" );
  ....
  for (int i = nu2->pntsu; i > 0; i--)
  {
    float *fp = bezt2->vec[0];
    fp[0] = (fp[0] + ofsx) * fsize;
    fp[1] = (fp[1] + ofsy) * fsize;
    fp[3] = (fp[3] + ofsx) * fsize;
    fp[4] = (fp[4] + ofsy) * fsize;
    fp[6] = (fp[6] + ofsx) * fsize;
    fp[7] = (fp[7] + ofsy) * fsize;
    bezt2++;
  }
  ....
}

Trans-Proteomic Pipeline

V557 Array overrun is possible. The '3' index is pointing beyond array bound. crypt crypt.cxx 567


int main(int argc, char **argv) {
  ....
  char salt[3];
  ....
  salt[0] = (argc>2)?(argv[1][0]):rndChar[rand() % 64];
  salt[1] = (argc>2)?(argv[1][1]):rndChar[rand() % 64];
  salt[3] = 0;
  ....
}

This is what should have been written here: salt[2] = 0;


Visualization Toolkit (VTK)

V557 Array overrun is possible. The '6' index is pointing beyond array bound. vtkGraphics vtkcursor2d.cxx 313


void vtkCursor2D::SetModelBounds(double bounds[6])
{
  this->SetModelBounds(bounds[0], bounds[1], bounds[2],
                       bounds[3], bounds[6], bounds[5]);
}

This is what should have been written here: bounds[4].


ffdshow

V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 39


static uint crc_tables[8][256];

void InitCRC()
{
  ....
  // Build additional lookup tables.
  for (uint I=0;I<=256;I++)
  {
    uint C=crc_tables[0][I];
    for (uint J=1;J<8;J++)
    {
      C=crc_tables[0][(byte)C]^(C>>8);
      crc_tables[J][I]=C;
    }
  }
}

Skia Graphics Engine

V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1480


static void p3d_interp(const SkScalar src[3],
                       SkScalar dst[3], SkScalar t) {
    SkScalar ab = SkScalarInterp(src[0], src[3], t);
    SkScalar bc = SkScalarInterp(src[3], src[6], t);
    dst[0] = ab;
    dst[3] = SkScalarInterp(ab, bc, t);
    dst[6] = bc;
}

void SkConic::chopAt(SkScalar t, SkConic dst[2]) const {
  SkP3D tmp[3], tmp2[3];

  ratquad_mapTo3D(fPts, fW, tmp);

  p3d_interp(&tmp[0].fX, &tmp2[0].fX, t);
  p3d_interp(&tmp[0].fY, &tmp2[0].fY, t);
  p3d_interp(&tmp[0].fZ, &tmp2[0].fZ, t);
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1481
  • V557 Array overrun is possible. The '6' index is pointing beyond array bound. skgeometry.cpp 1481
  • V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1483
  • And 1 additional diagnostic messages.

Chromium

V557 Array overrun is possible. The value of 'i' index could reach 2. shader_bench.cc 152


static const int kNumPainters = 3;

static const struct {
  const char* name;
  GPUPainter* painter;
} painters[] = {
  { "CPU CSC + GPU Render", new CPUColorPainter() },
  { "GPU CSC/Render", new GPUColorWithLuminancePainter() },
};

int main(int argc, char** argv) {
  ....
  // Run GPU painter tests.
  for (int i = 0; i < kNumPainters; i++) {
    scoped_ptr<GPUPainter> painter(painters[i].painter);
  ....
}

Multi Theft Auto

V557 Array overrun is possible. The '7' index is pointing beyond array bound. cjoystickmanager.cpp 1003


struct
{
  bool    bEnabled;
  long    lMax;
  long    lMin;
  DWORD   dwType;
} axis[7];

bool CJoystickManager::IsXInputDeviceAttached ( void )
{
  ....
  m_DevInfo.axis[6].bEnabled = 0;
  m_DevInfo.axis[7].bEnabled = 0;
  ....
}

Multi Theft Auto

V557 Array overrun is possible. The '3' index is pointing beyond array bound. cwatermanagersa.cpp 595


class CWaterPolySAInterface
{
public:
    WORD m_wVertexIDs[3];
};

CWaterPoly* CWaterManagerSA::CreateQuad (....)
{
  ....
  pInterface->m_wVertexIDs [ 0 ] = pV1->GetID ();
  pInterface->m_wVertexIDs [ 1 ] = pV2->GetID ();
  pInterface->m_wVertexIDs [ 2 ] = pV3->GetID ();
  pInterface->m_wVertexIDs [ 3 ] = pV4->GetID ();
  ....
}

Multi Theft Auto

V557 Array overrun is possible. The value of 'i' index could reach 3. cmainmenu.cpp 1062


#define CORE_MTA_NEWS_ITEMS 3

CGUILabel* m_pNewsItemLabels[CORE_MTA_NEWS_ITEMS];
CGUILabel* m_pNewsItemShadowLabels[CORE_MTA_NEWS_ITEMS];

void CMainMenu::SetNewsHeadline (....)
{
  ....
  for ( char i=0; i <= CORE_MTA_NEWS_ITEMS; i++ )
  {
    m_pNewsItemLabels[ i ]->SetFont ( szFontName );
    m_pNewsItemShadowLabels[ i ]->SetFont ( szFontName );
    ....
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 3. cmainmenu.cpp 1063

Portable UnRAR

V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 35


static uint crc_tables[8][256]; // Tables for Slicing-by-8.

void InitCRC()
{
  ....
  for (uint I=0;I<=256;I++)
  {
    uint C=crc_tables[0][I];
    for (uint J=1;J<8;J++)
    {
      C=crc_tables[0][(byte)C]^(C>>8);
      crc_tables[J][I]=C;
    }
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 39

Multi Theft Auto

V557 Array overrun is possible. The value of 'i' index could reach 19. cpoolssa.cpp 1036


enum ePools {
    BUILDING_POOL = 0,
    PED_POOL,
    OBJECT_POOL,
    DUMMY_POOL,
    VEHICLE_POOL,
    COL_MODEL_POOL,
    TASK_POOL,
    EVENT_POOL,
    TASK_ALLOCATOR_POOL,
    PED_INTELLIGENCE_POOL,
    PED_ATTRACTOR_POOL,
    ENTRY_INFO_NODE_POOL,
    NODE_ROUTE_POOL,
    PATROL_ROUTE_POOL,
    POINT_ROUTE_POOL,
    POINTER_DOUBLE_LINK_POOL,
    POINTER_SINGLE_LINK_POOL,
    ENV_MAP_MATERIAL_POOL,
    ENV_MAP_ATOMIC_POOL,
    SPEC_MAP_MATERIAL_POOL,
    MAX_POOLS
};

void CPoolsSA::DumpPoolsStatus ()
{
  char*  poolNames[] = {
    "Buildings", "Peds", "Objects", "Dummies", "Vehicles",
    "ColModels", "Tasks", "Events", "TaskAllocators",
    "PedIntelligences", "PedAttractors", "EntryInfoNodes",
    "NodeRoutes", "PatrolRoutes", "PointRoutes",
    "PointerNodeDoubleLinks", "PointerNodeSingleLinks" };

    int poolSizes[] = {
      13000,140,350,2500,110,10150,500,200,16,140,64,500,
      64,32,64,3200,70000 };

    int iPosition = 0;
    char percent = '%';
    iPosition += snprintf ( szOutput, 1024,
                            "-----------------\n" );
    for ( int i = 0; i < MAX_POOLS; i++ )
    {
      int usedSpaces = GetNumberOfUsedSpaces ( (ePools)i );
      iPosition +=
        snprintf ( szOutput + iPosition, 1024 - iPosition,
                   "%s: %d (%d) (%.2f%c)\n", poolNames[i],
                   usedSpaces, poolSizes[i],
                   ((float)usedSpaces/(float)poolSizes[i]*100),
                   percent  );
    }
    #ifdef MTA_DEBUG
    OutputDebugString ( szOutput );
    #endif
}

OpenMS

V557 Array overrun is possible. The value of 'i' index could reach 7. itraqanalyzer.c 232


static const Int CHANNELS_FOURPLEX[4][1];
static const Int CHANNELS_EIGHTPLEX[8][1];

ExitCodes main_(int, const char **)
{
  ....
  if (itraq_type == ItraqQuantifier::FOURPLEX)
  {
    for (Size i = 0; i < 4; ++i)
    {
      std::vector<std::pair<String, DoubleReal> > one_label;
      one_label.push_back(std::make_pair<String, DoubleReal>(
        String("Channel ") +
          String(ItraqConstants::CHANNELS_FOURPLEX[i][0]),
        DoubleReal(ItraqConstants::CHANNELS_FOURPLEX[i][0])));
      labels.push_back(one_label);
    }
  }
  else //ItraqQuantifier::EIGHTPLEX
  {
    for (Size i = 0; i < 8; ++i)
    {
      std::vector<std::pair<String, DoubleReal> > one_label;
      one_label.push_back(std::make_pair<String, DoubleReal>(
        String("Channel ") +
          String(ItraqConstants::CHANNELS_FOURPLEX[i][0]),
        DoubleReal(ItraqConstants::CHANNELS_FOURPLEX[i][0])));
      labels.push_back(one_label);
    }
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 7. tmtanalyzer.c 225

OpenMS

V557 Array overrun is possible. The value of 'i' index could reach 255. edwardslippertiterator.c 134


DoubleReal masse_[255]; // <= mass table

EdwardsLippertIterator::EdwardsLippertIterator(
    const EdwardsLippertIterator & source) :
  PepIterator(source),
  f_file_(source.f_file_),
  actual_pep_(source.actual_pep_),
  spec_(source.spec_),
  tol_(source.tol_),
  is_at_end_(source.is_at_end_),
  f_iterator_(source.f_iterator_),
  f_entry_(source.f_entry_),
  b_(source.b_),
  e_(source.e_),
  m_(source.m_),
  massMax_(source.massMax_)
{
  for (Size i = 0; i < 256; i++)
  {
    masse_[i] = source.masse_[i];
  }
}

OpenCOLLADA

V557 Array overrun is possible. The '2' index is pointing beyond array bound. mayadmtypes.h 48


struct short2
{
  short values[2];
  short2(short s1, short s2)
  {
    values[0] = s1;
    values[2] = s2;
  }
  ....
};

QuantLib

V557 Array overrun is possible. The value of 'i' index could reach 64. markovfunctional.cpp 176


Handle<YieldTermStructure> md0Yts() {
  ....
  double q6mh[] = {
    0.0001,0.0001,0.0001,0.0003,0.00055,0.0009,0.0014,0.0019,
    0.0025,0.0031,0.00325,0.00313,0.0031,0.00307,0.00309,
    0.00339,0.00316,0.00326,0.00335,0.00343,0.00358,0.00351,
    0.00388,0.00404,0.00425,0.00442,0.00462,0.00386,0.00491,
    0.00647,0.00837,0.01033,0.01218,0.01382,0.01527,0.01654,
    0.0177,0.01872,0.01959,0.0203,0.02088,0.02132,0.02164,
    0.02186,0.02202,0.02213,0.02222,0.02229,0.02234,0.02238,
    0.02241,0.02243,0.02244,0.02245,0.02247,0.0225,0.02284,
    0.02336,0.02407,0.0245 };
  ....
  for(int i=0;i<10+18+37;i++) {
    q6m.push_back(
      boost::shared_ptr<Quote>(new SimpleQuote(q6mh[i])));
  }
  ....
}

Geant4 software

V557 Array overrun is possible. The value of 'i' index could reach 179. g4lepp.cc 62


enum { NENERGY=22, NANGLE=180 };

class G4LEpp : public G4HadronicInteraction
{
  ....
  G4float * sig[NANGLE];
  static G4float SigCoul[NENERGY][NANGLE];
  ....
};

G4LEpp::SetCoulombEffects(G4int State)
{
  if (State) {
    for(G4int i=0; i<NANGLE; i++)
    {
      sig[i] = SigCoul[i];
    }
    elab = ElabCoul;
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 179. g4lepp.cc 69

Geant4 software

V557 Array overrun is possible. The value of 'j' index could reach 7. g4heinelastic.cc 4682


void
G4HEInelastic::MediumEnergyClusterProduction(....)
{
  ....
  G4double alem[] = {1.40, 2.30, 2.70, 3.00, 3.40, 4.60, 7.00};
  ....
  for (j = 1; j < 8; j++) {
    if (alekw < alem[j]) {
      jmax = j;
      break;
    }
  }
  ....
}

Source Engine SDK

V557 Array overrun is possible. The value of 'i' index could reach 5. Client (HL2) hud_weaponselection.cpp 632


#define MAX_WEAPON_SLOTS    6  // hud item selection slots

void CHudWeaponSelection::Paint()
{
  ....
  int xModifiers[] = { 0, 1, 0, -1 };
  int yModifiers[] = { -1, 0, 1, 0 };

  for ( int i = 0; i < MAX_WEAPON_SLOTS; ++i )
  {
    ....
    xPos += ( m_flMediumBoxWide + 5 ) * xModifiers[ i ];
    yPos += ( m_flMediumBoxTall + 5 ) * yModifiers[ i ];
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 5. Client (HL2) hud_weaponselection.cpp 633

Miranda IM

V557 Array underrun is possible. The value of 'index' index could reach -1. controls.cpp 491


const int idToIndex(const int id) const
{
  for(int i = 0; i < NR_BUTTONS; i++) {
    if(m_TbButtons[i].idCommand == id )
      return(i);
  }
  return(-1);
}

TBBUTTON CMenuBar::m_TbButtons[8] = {0};

void CMenuBar::invoke(const int id)
{
  const int index = idToIndex(id);
  ....
  if(index == 3 && hContact != 0) {
    ....
  } else if(index == 0) {
    ....
  } else
    hMenu = reinterpret_cast<HMENU>(m_TbButtons[index].dwData);
  ....
}

Coin3D

V557 Array overrun is possible. The '3' index is pointing beyond array bound. somfcolorrgba.cpp 220


void
SoMFColorRGBA::set1HSVValue(int idx, const float hsva[3])
{
  this->set1HSVValue(idx, hsva[0], hsva[1], hsva[2], hsva[3]);
}

Wild Magic 5

V557 Array overrun is possible. The value of 'curr' index could reach 2. wm5triangles.cpp 365


void Triangles::UpdateModelTangentsUseTCoords(....)
{
  ....
  Float2 locTCoord[2];
  int curr;
  for (curr = 0; curr < 3; ++curr)
  {
    ....
    locTCoord[curr] = vba.TCoord<Float2>(0, k);
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'curr' index could reach 2. wm5triangles.cpp 382

FlightGear

V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1717


enum {
  ALL_EJECTION_SEATS = -1,
  MAX_EJECTION_SEATS = 10
};

int eseat_status[MAX_EJECTION_SEATS];

void
FGControls::set_ejection_seat( int which_seat, bool val )
{
  ....
  if ((which_seat >= 0) && (which_seat <= MAX_EJECTION_SEATS))
  {
    if ( eseat_status[which_seat] == SEAT_SAFED ||
         eseat_status[which_seat] == SEAT_FAIL )
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1718
  • V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1724
  • V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1738

FFmpeg

V557 Array overrun is possible. The '8' index is pointing beyond array bound. mjpegenc.c 497


void ff_mjpeg_encode_mb(MpegEncContext *s,
                        int16_t block[6][64])
{
    int i;
    if (s->chroma_format == CHROMA_444) {
        encode_block(s, block[0], 0);
        encode_block(s, block[2], 2);
        encode_block(s, block[4], 4);
        encode_block(s, block[8], 8);
        encode_block(s, block[5], 5);
        encode_block(s, block[9], 9);
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '9' index is pointing beyond array bound. mjpegenc.c 499
  • V557 Array overrun is possible. The '6' index is pointing beyond array bound. mjpegenc.c 504
  • V557 Array overrun is possible. The '10' index is pointing beyond array bound. mjpegenc.c 505
  • And 4 additional diagnostic messages.

Word for Windows 1.1a

V557 Array overrun is possible. The '5' index is pointing beyond array bound. dnatfile.c 444


uns rgwSpare0 [5];

DumpHeader()
{
  ....
  printUns ("rgwSpare0[0]   = ", Fib.rgwSpare0[5], 0, 0, fTrue);
  printUns ("rgwSpare0[1]   = ", Fib.rgwSpare0[1], 1, 1, fTrue);
  printUns ("rgwSpare0[2]   = ", Fib.rgwSpare0[2], 0, 0, fTrue);
  printUns ("rgwSpare0[3]   = ", Fib.rgwSpare0[3], 1, 1, fTrue);
  printUns ("rgwSpare0[4]   = ", Fib.rgwSpare0[4], 2, 2, fTrue);
  ....
}

This is what should have been written here: printUns ("rgwSpare0[0] = ", Fib.rgwSpare0[0], 0, 0, fTrue);


Qt

V557 Array overrun is possible. The value of 'j' index could reach 4. harfbuzz-arabic.c 516


static const JoiningPair joining_table[5][4] = { .... };

typedef enum {
    JNone,
    JCausing,
    JDual,
    JRight,
    JTransparent
} Joining;

static Joining getNkoJoining(unsigned short uc)
{
    if (uc < 0x7ca)
        return JNone;
    if (uc <= 0x7ea)
        return JDual;
    if (uc <= 0x7f3)
        return JTransparent;
    if (uc <= 0x7f9)
        return JNone;
    if (uc == 0x7fa)
        return JCausing;
    return JNone;
}

static void getNkoProperties(....)
{
  ....
  Joining j = getNkoJoining(chars[0]);
  ArabicShape shape = joining_table[XIsolated][j].form2;
  ....
}

TortoiseGit

V557 Array underrun is possible. The value of 'idx' index could reach -1. diff_file.c 1052


static int
datasource_to_index(svn_diff_datasource_e datasource)
{
  switch (datasource)
  {
    ....
  }
  return -1;
}

static svn_error_t *
token_compare(....)
{
  ....
  int idx = datasource_to_index(file_token[i]->datasource);
  file[i] = &file_baton->files[idx];
  ....
}

OpenMW

V557 Array overrun is possible. The value of 'idx' index could reach 3. esmtool labels.cpp 502


std::string rangeTypeLabel(int idx)
{
  const char* rangeTypeLabels [] = {
    "Self",
    "Touch",
    "Target"
  };
  if (idx >= 0 && idx <= 3)
    return rangeTypeLabels[idx];
  else
    return "Invalid";
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'idx' index could reach 143. esmtool labels.cpp 391
  • V557 Array overrun is possible. The value of 'idx' index could reach 27. esmtool labels.cpp 475

LibLog

V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 153


typedef struct LogState {
  int     fakeFd;
  char   *debugName;
  int     isBinary;
  ....
} LogState;

#define MAX_OPEN_LOGS 16

static LogState *openLogTable[MAX_OPEN_LOGS];

static LogState *createLogState()
{
  size_t i;

  for (i = 0; i < sizeof(openLogTable); i++) {
    if (openLogTable[i] == NULL) {
      openLogTable[i] = calloc(1, sizeof(LogState));
      openLogTable[i]->fakeFd = FAKE_FD_BASE + i;
      return openLogTable[i];
    }
  }
  return NULL;
}

This is what should have been written here: sizeof(openLogTable) / sizeof(openLogTable[0]).

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 154
  • V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 155
  • V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 156

WebRTC

V557 Array overrun is possible. The value of 'btn' index could reach 52. ccapi_snapshot.c 38


cc_string_t lineLabels[MAX_CONFIG_LINES+1] = {0};

void ccsnap_set_line_label(int btn, cc_string_t label) {
  ....
  if ( btn > 0 && btn <= MAX_CONFIG_LINES+1 ) {
    ....
    if ( lineLabels[btn] == NULL ) {
    ....
  }
  ....
}

WebRTC

V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 357


#define MAX_CCMS 4

ccm_cfg_t   ccm[MAX_CCMS];

var_t prot_cfg_table[CFGID_PROTOCOL_MAX+1] = {
  ....
  {"ccmSrstIpAddr",   CFGVAR(ccm[4].address), PA_STR, PR_STR, 0},
  {"ccmSrst_sipPort", CFGVAR(ccm[4].sip_port),PA_INT, PR_INT, 0},
  {"ccmSrst_isValid", CFGVAR(ccm[4].is_valid),PA_INT, PR_INT, 0},
  {"ccmSrst_securityLevel",
                    CFGVAR(ccm[4].sec_level), PA_INT, PR_INT, 0},
  ....
};

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 358
  • V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 359
  • V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 360

ITK

V557 Array overrun is possible. The value of '_vType' index could reach 29. metautils.cxx 239


#define MET_NUM_VALUE_TYPES 29

const char MET_ValueTypeName[MET_NUM_VALUE_TYPES][21] = { ... };

bool MET_TypeToString(MET_ValueEnumType _vType, char *_s)
{
  if(_vType>=0 && _vType<=MET_NUM_VALUE_TYPES)
    {
    strcpy(_s, MET_ValueTypeName[_vType]);
    return true;
    }

  return false;
}

Haiku Operation System

V557 Array overrun is possible. The '8' index is pointing beyond array bound. floppy_ctrl.c 637


typedef struct floppy {
  ....
  uint8 result[8]; /* status of the last finished command */
  ....
};

void
floppy_dump_reg(floppy_t *flp) {
  ....
  //uint8 result[10];           // <= This was correct!
  uint8 *result = flp->result;  // <= Bad fix! :)
  ....
  dprintf(FLO "gap=%d wg=%d eis=%d fifo=%d "
              "poll=%d thresh=%d pretrk=%d\n",
    (result[7] & 0x02) >> 1, result[7] & 0x01,
    (result[8] & 0x40) >> 6,
    (result[8] & 0x20) >> 5, (result[8] & 0x10) >> 4,
     result[8] & 0x0f, result[9]);
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '9' index is pointing beyond array bound. floppy_ctrl.c 638

Godot Engine

V557 Array overrun is possible. The 'Physics2DServer::SHAPE_CONVEX_POLYGON' index is pointing beyond array bound. test_physics_2d.cpp 194


enum ShapeType {
  SHAPE_LINE,
  SHAPE_RAY,
  SHAPE_SEGMENT,
  SHAPE_CIRCLE,
  SHAPE_RECTANGLE,
  SHAPE_CAPSULE,
  SHAPE_CONVEX_POLYGON,
  SHAPE_CONCAVE_POLYGON,
  SHAPE_CUSTOM,
};

BodyShapeData body_shape_data[6];
void _create_body_shape_data()
{
  ....
  body_shape_data[Physics2DServer::SHAPE_CONVEX_POLYGON].image
    =vs->texture_create_from_image(image);
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The 'Physics2DServer::SHAPE_CONVEX_POLYGON' index is pointing beyond array bound. test_physics_2d.cpp 209

Wine Is Not an Emulator

V557 Array overrun is possible. The '16' index is pointing beyond array bound. winaspi32.c 232


/* SCSI Miscellaneous Stuff */
#define SENSE_LEN      14

typedef struct tagSRB32_ExecSCSICmd {
  ....
  BYTE        SenseArea[SENSE_LEN+2];
} SRB_ExecSCSICmd, *PSRB_ExecSCSICmd;

static void
ASPI_PrintSenseArea(SRB_ExecSCSICmd *prb)
{
  BYTE  *rqbuf = prb->SenseArea;
  ....
  if (rqbuf[15]&0x8) {
    TRACE("Pointer at %d, bit %d\n",
          rqbuf[16]*256+rqbuf[17],rqbuf[15]&0x7);      // <=
  }
  ....
}

Unreal Engine 4

V557 Array overrun is possible. The 'NumOutUAVs ++' index is pointing beyond array bound. distancefieldlightingshared.h 388


template<typename TParamRef>
void UnsetParameters(
  FRHICommandList& RHICmdList, const TParamRef& ShaderRHI,
  const FDistanceFieldCulledObjectBuffers& ObjectBuffers)
{
  ....
  int32 NumOutUAVs = 0;
  FUnorderedAccessViewRHIParamRef OutUAVs[3];
  OutUAVs[NumOutUAVs++] = ObjectBuffers......;
  OutUAVs[NumOutUAVs++] = ObjectBuffers.Bounds.UAV;
  OutUAVs[NumOutUAVs++] = ObjectBuffers.Data.UAV;

  if (CulledObjectBoxBounds.IsBound())
  {
    OutUAVs[NumOutUAVs++] = ObjectBuffers.BoxBounds.UAV;
  }
  ....
}

ffdshow

V557 Array overrun is possible. The value of 'len' index could reach 16384. cavisynth.cpp 129


#define MAX_AVISYNTH_SCRIPT_LENGTH 16384

void TavisynthPage::onLoad(void)
{
  char_t scriptflnm[MAX_PATH] = _l("");
  if (dlgGetFile(....) {
    FILE *f = fopen(scriptflnm, _l("rb"));
    if (f) {
      char script[MAX_AVISYNTH_SCRIPT_LENGTH];
      size_t len =
        fread(script, 1, MAX_AVISYNTH_SCRIPT_LENGTH, f);
      fclose(f);
      script[len] = '\0';
      setDlgItemText(m_hwnd, IDC_ED_AVISYNTH,
                     text<char_t>(script));
    }
    parent->setChange();
  }
}

ChakraCore

V557 Array overrun is possible. The value of 'i' index could reach 8. rl.cpp 2375


enum TestInfoKind::_TIK_COUNT = 9

const char * const TestInfoEnvLstFmt[] =
{
   " TESTFILE=\"%s\"",
   " BASELINE=\"%s\"",
   " CFLAGS=\"%s\"",
   " LFLAGS=\"%s\"",
   NULL,
   NULL,
   NULL,
   NULL    // <= TestInfoEnvLstFmt[7]
};

void
WriteEnvLst
(
   Test * pDir, TestList * pTestList
)
{
  ....
  // print the other TIK_*
  for(int i=0;i < _TIK_COUNT; i++) {
    if (variants->testInfo.data[i] && TestInfoEnvLstFmt[i]){// <=
       LstFilesOut->Add(TestInfoEnvLstFmt[i],               // <=
                        variants->testInfo.data[i]);
    }
    ....
  }
  ....
}

FreeBSD Kernel

V557 Array overrun is possible. The '2' index is pointing beyond array bound. if_spppsubr.c 4348


#define AUTHKEYLEN  16

struct sauth {
  u_short  proto;
  u_short  flags;
#define AUTHFLAG_NOCALLOUT  1
#define AUTHFLAG_NORECHALLENGE  2
  u_char  name[AUTHNAMELEN];
  u_char  secret[AUTHKEYLEN];
  u_char  challenge[AUTHKEYLEN];
};

static void
sppp_chap_scr(struct sppp *sp)
{
  u_long *ch, seed;
  u_char clen;

  /* Compute random challenge. */
  ch = (u_long *)sp->myauth.challenge;
  read_random(&seed, sizeof seed);
  ch[0] = seed ^ random();
  ch[1] = seed ^ random();
  ch[2] = seed ^ random(); // <=
  ch[3] = seed ^ random(); // <=
  clen = AUTHKEYLEN;
  ....
}

If compile the 64-bit kernel, then when accessing ch[2] and ch[3] we'll have array index out of bounds. Details: http://www.viva64.com/en/b/0377/

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '3' index is pointing beyond array bound. if_spppsubr.c 4349

The GTK+ Project

V557 Array overrun is possible. The value of 'i + 1' index could reach 21. gtkcssselector.c 1219


#define G_N_ELEMENTS(arr)   (sizeof (arr) / sizeof ((arr)[0]))

static GtkCssSelector *
parse_selector_pseudo_class (....)
{
  static const struct {
    ....
  } pseudo_classes[] = {
    { "first-child",   0, 0,  POSITION_FORWARD,  0, 1 },
    ....
    { "drop(active)",  0, GTK_STATE_FLAG_DROP_ACTIVE, }
  };
  guint i;
  ....
  for (i = 0; i < G_N_ELEMENTS (pseudo_classes); i++)
    {
      ....
      {
        if (pseudo_classes[i + 1].state_flag ==
            pseudo_classes[i].state_flag)
          _gtk_css_parser_error_full (parser,
          GTK_CSS_PROVIDER_ERROR_DEPRECATED,
          "The :%s pseudo-class is deprecated. Use :%s instead.",
          pseudo_classes[i].name,
          pseudo_classes[i + 1].name);
        ....
      }
       ....
    }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i + 1' index could reach 21. gtkcssselector.c 1224

OpenToonz

V557 Array overrun is possible. The '9' index is pointing beyond array bound. tconvolve.cpp 123


template <class PIXOUT>
void doConvolve_cm32_row_9_i(....)
{
  TPixel32 val[9];                                  // <=
  ....
  for (int i = 0; i < 9; ++i) {                     // <= OK
    ....
    else if (tone == 0)
      val[i] = inks[ink];
    else
      val[i] = blend(....);
  }

  pixout->r = (typename PIXOUT::Channel)((
    val[1].r * w1 + val[2].r * w2 + val[3].r * w3 +
    val[4].r * w4 + val[5].r * w5 + val[6].r * w6 +
    val[7].r * w7 + val[8].r * w8 + val[9].r * w9 + // <= ERR
    (1 << 15)) >> 16);
  pixout->g = (typename PIXOUT::Channel)((
    val[1].g * w1 + val[2].g * w2 + val[3].g * w3 +
    val[4].g * w4 + val[5].g * w5 + val[6].g * w6 +
    val[7].g * w7 + val[8].g * w8 + val[9].g * w9 + // <= ERR
    (1 << 15)) >> 16);
  pixout->b = (typename PIXOUT::Channel)((
    val[1].b * w1 + val[2].b * w2 + val[3].b * w3 +
    val[4].b * w4 + val[5].b * w5 + val[6].b * w6 +
    val[7].b * w7 + val[8].b * w8 + val[9].b * w9 + // <= ERR
    (1 << 15)) >> 16);
  pixout->m = (typename PIXOUT::Channel)((
    val[1].m * w1 + val[2].m * w2 + val[3].m * w3 +
    val[4].m * w4 + val[5].m * w5 + val[6].m * w6 +
    val[7].m * w7 + val[8].m * w8 + val[9].m * w9 + // <= ERR
    (1 << 15)) >> 16);
  ....
}

Firebird

V557 Array overrun is possible. The value of 'prefixLen ++' index could reach 124. restore.cpp 10040


const int GDS_NAME_LEN = 32;
....
bool get_function(BurpGlobals* tdgbl)
{
  ....
  struct isc_844_struct {
    ....
    short isc_870; /* gds__null_flag */
    ....
    char  isc_874 [125]; /* RDB$PACKAGE_NAME */
    ....
  } isc_844;

  att_type attribute;
  TEXT    temp[GDS_NAME_LEN * 2];
  ....
  SSHORT prefixLen = 0;
  if (!/*X.RDB$PACKAGE_NAME.NULL*/
       isc_844.isc_870)
  {
    prefixLen = static_cast<SSHORT>(strlen(/*X.RDB$PACKAGE_NAME*/
                                           isc_844.isc_874));
    memcpy(temp, /*X.RDB$PACKAGE_NAME*/
                 isc_844.isc_874, prefixLen);
    temp[prefixLen++] = '.';
  }
  ....

}

.NET CoreCLR

V557 Array overrun is possible. The value of 'dwCode - 1' index could reach 8. cordbdi rsmain.cpp 67


const char * GetDebugCodeName(DWORD dwCode)
{
  if (dwCode < 1 || dwCode > 9)
  {
    return "!Invalid Debug Event Code!";
  }

  static const char * const szNames[] = {
    "(1) EXCEPTION_DEBUG_EVENT",
    "(2) CREATE_THREAD_DEBUG_EVENT",
    ....
    "(8) OUTPUT_DEBUG_STRING_EVENT"         // <=
    "(9) RIP_EVENT",// only on Win9X
  };

  return szNames[dwCode - 1];
}

FreeBSD Kernel

V557 Array overrun is possible. The value of 'ridx' index could reach 27. r88e_chan.c 115


#define R88E_GROUP_2G    6
#define RTWN_RIDX_OFDM6  4
#define RTWN_RIDX_COUNT  28

struct rtwn_r88e_txagc {
  uint8_t pwr[R88E_GROUP_2G][20];  /* RTWN_RIDX_MCS(7) + 1 */
};

void
r88e_get_txpower(struct rtwn_softc *sc, int chain,
    struct ieee80211_channel *c, uint16_t power[RTWN_RIDX_COUNT])
{
  const struct rtwn_r88e_txagc *base = rs->rs_txagc;
  ....
  for (ridx = RTWN_RIDX_OFDM6; ridx < RTWN_RIDX_COUNT; ridx++) {
    if (rs->regulatory == 3)
      power[ridx] = base->pwr[0][ridx];
    else if (rs->regulatory == 1) {
      if (!IEEE80211_IS_CHAN_HT40(c))
        power[ridx] = base->pwr[group][ridx];
    } else if (rs->regulatory != 2)
      power[ridx] = base->pwr[0][ridx];
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'ridx' index could reach 27. r88e_chan.c 118
  • V557 Array overrun is possible. The value of 'ridx' index could reach 27. r88e_chan.c 120

MuseScore

V557 Array overrun is possible. The value of 'cidx' index could reach 4. staff.cpp 1029


ClefTypeList clefTypes[MAX_STAVES];
int staffLines[MAX_STAVES];
BracketType bracket[MAX_STAVES];
int bracketSpan[MAX_STAVES];
int barlineSpan[MAX_STAVES];
bool smallStaff[MAX_STAVES];

void Staff::init(...., const StaffType* staffType, int cidx)
{
  if (cidx > MAX_STAVES) { // <=
    setSmall(0, false);
  }
  else {
    setSmall(0,       t->smallStaff[cidx]);
    setBracketType(0, t->bracket[cidx]);
    setBracketSpan(0, t->bracketSpan[cidx]);
    setBarLineSpan(t->barlineSpan[cidx]);
  }
  ....
}

MuseScore

V557 Array overrun is possible. The value of 'i' index could reach 59. inspectorAmbitus.cpp 70


class NoteHead : public Symbol {
  ....
public:
  enum class Group : signed char {
    HEAD_NORMAL = 0,
    HEAD_CROSS,
    HEAD_PLUS,
    ....
    HEAD_GROUPS,              // <= 59
    HEAD_INVALID = -1
    };
  ....
}

InspectorAmbitus::InspectorAmbitus(QWidget* parent)
   : InspectorElementBase(parent)
{
  r.setupUi(addWidget());
  s.setupUi(addWidget());

  static const NoteHead::Group heads[] = {
    NoteHead::Group::HEAD_NORMAL,
    NoteHead::Group::HEAD_CROSS,
    NoteHead::Group::HEAD_DIAMOND,
    NoteHead::Group::HEAD_TRIANGLE_DOWN,
    NoteHead::Group::HEAD_SLASH,
    NoteHead::Group::HEAD_XCIRCLE,
    NoteHead::Group::HEAD_DO,
    NoteHead::Group::HEAD_RE,
    NoteHead::Group::HEAD_MI,
    NoteHead::Group::HEAD_FA,
    NoteHead::Group::HEAD_SOL,
    NoteHead::Group::HEAD_LA,
    NoteHead::Group::HEAD_TI,
    NoteHead::Group::HEAD_BREVIS_ALT
    };
  ....
  for (int i = 0; i < int(NoteHead::Group::HEAD_GROUPS); ++i)
    r.noteHeadGroup->setItemData(i, int(heads[i]));//out of bound
  ....
}

Rosegarden

V557 Array overrun is possible. The value of 'submaster' index could reach 64. SequencerDataBlock.cpp 325


#define SEQUENCER_DATABLOCK_MAX_NB_SUBMASTERS 64

class SequencerDataBlock
{
  ....
protected:
  int m_submasterLevelUpdateIndices[64];
  ....
}

bool
SequencerDataBlock::getSubmasterLevel(int submaster, ....) const
{
 ....int lastUpdateIndex[SEQUENCER_DATABLOCK_MAX_NB_SUBMASTERS];

 if (submaster < 0 ||
     submaster > SEQUENCER_DATABLOCK_MAX_NB_SUBMASTERS) {
   info.level = info.levelRight = 0;
   return false;
 }

 int currentUpdateIndex=m_submasterLevelUpdateIndices[submaster];
 info = m_submasterLevels[submaster];

 if (lastUpdateIndex[submaster] != currentUpdateIndex) {
   lastUpdateIndex[submaster] = currentUpdateIndex;
   return true;
 } else {
   return false; // no change
 }
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'submaster' index could reach 64. SequencerDataBlock.cpp 343
  • V557 Array overrun is possible. The value of 'submaster' index could reach 64. SequencerDataBlock.cpp 344

libvpx

V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 931


#define VP9_LEVELS 14

extern const Vp9LevelSpec vp9_level_defs[VP9_LEVELS];

typedef enum {
  ....
  LEVEL_MAX = 255
} VP9_LEVEL;

static INLINE int log_tile_cols_from_picsize_level(
  uint32_t width, uint32_t height)
{
  int i;
  const uint32_t pic_size = width * height;
  const uint32_t pic_breadth = VPXMAX(width, height);
  for (i = LEVEL_1; i < LEVEL_MAX; ++i) {
   if (vp9_level_defs[i].max_luma_picture_size >= pic_size &&
       vp9_level_defs[i].max_luma_picture_breadth >= pic_breadth)
   {
     return get_msb(vp9_level_defs[i].max_col_tiles);
   }
  }
  return INT_MAX;
}

Apparently, a wrong constant is used. In an array of 14 elements the cycle index reaches a value of 254. Probably, the cycle was supposed to be as follows: for (i = LEVEL_1; i < VP9_LEVELS; ++i) {

Similar errors can be found in some other places:

  • V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 932
  • V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 933

SQLite

V557 CWE-125 Array overrun is possible. The value of 'stateno' index could reach 992. sqlite3.c 138802


static const short yy_shift_ofst[] = {
  /*   0 */ 355, 888, 1021, 909, 1063, 1063, 1063, 1063, 20, -19,
  ....
  /* 450 */ 1440, 1443, 1538, 1542, 1562,
}

#define YY_SHIFT_COUNT    (454)
#define YY_MIN_REDUCE     993

static unsigned int yy_find_shift_action(....)
{
  int i;
  int stateno = pParser->yytos->stateno;

  if( stateno>=YY_MIN_REDUCE ) return stateno;      // <=

  assert( stateno <= YY_SHIFT_COUNT );

  do {
    i = yy_shift_ofst[stateno];                     // <=
  ....
}

An array yy_shift_ofst consists of 455 items. In this case, the protection in function is made in the way that when accessing to this array the index must not be greater than 993. Something is clearly wrong here. Below there is a correct assert, but it will not help in the Release-version.


XNU kernel

V557 CWE-787 Array overrun is possible. The value of 'length - 1' index could reach 23. necp_client.c 1460


#define  IFNAMSIZ   16
#define  IFXNAMSIZ  (IFNAMSIZ + 8)

#define NECP_MAX_PARSED_PARAMETERS 16

struct necp_client_parsed_parameters {
  ....
  char prohibited_interfaces[IFXNAMSIZ]
                                  [NECP_MAX_PARSED_PARAMETERS];
  ....
};

static int
necp_client_parse_parameters(....,
  struct necp_client_parsed_parameters *parsed_parameters)
{
  ....
  u_int32_t length = ....;
  ....
  if (length <= IFXNAMSIZ && length > 0) {
    memcpy(parsed_parameters->prohibited_interfaces[
                                     num_prohibited_interfaces],
           value, length);
    parsed_parameters->prohibited_interfaces[
                    num_prohibited_interfaces][length - 1] = 0;
  ....
}

Most likely, the array was declared incorrectly and it should be written as follows: char prohibited_interfaces[NECP_MAX_PARSED_PARAMETERS][IFXNAMSIZ];


Android

V557 CWE-119 Array overrun is possible. The value of 'idx' index could reach 6. btif_hf.cc 277


static btif_hf_cb_t btif_hf_cb[BTA_AG_MAX_NUM_CLIENTS];

static bool IsSlcConnected(RawAddress* bd_addr) {
  if (!bd_addr) {
    LOG(WARNING) << __func__ << ": bd_addr is null";
    return false;
  }
  int idx = btif_hf_idx_by_bdaddr(bd_addr);
  if (idx < 0 || idx > BTA_AG_MAX_NUM_CLIENTS) {
    LOG(WARNING) << __func__ << ": invalid index "
                 << idx << " for " << *bd_addr;
    return false;
  }
  return btif_hf_cb[idx].state ==
           BTHF_CONNECTION_STATE_SLC_CONNECTED;
}

Similar errors can be found in some other places:

  • V557 CWE-119 Array overrun is possible. The value of 'idx' index could reach 6. btif_hf.cc 869
  • V557 CWE-119 Array overrun is possible. The value of 'index' index could reach 6. btif_rc.cc 374

Amazon Lumberyard

V557 CWE-119 Array overrun is possible. The 'id' index is pointing beyond array bound. gameobjectsystem.cpp 113


uint32 CGameObjectSystem::GetExtensionSerializationPriority(....)
{
  if (id > m_extensionInfo.size())
  {
    return 0xffffffff; // minimum possible priority
  }
  else
  {
    return m_extensionInfo[id].serializationPriority;
  }
}

Amazon Lumberyard

V557 CWE-119 Array overrun is possible. The 'index' index is pointing beyond array bound. vehicleseatgroup.cpp 73


CVehicleSeat* CVehicleSeatGroup::GetSeatByIndex(unsigned index)
{
  if (index >= 0 && index <= m_seats.size())
  {
    return m_seats[index];
  }

  return NULL;
}

Similar errors can be found in some other places:

  • V557 CWE-119 Array overrun is possible. The 'id' index is pointing beyond array bound. gameobjectsystem.cpp 195
  • V557 CWE-119 Array overrun is possible. The 'id' index is pointing beyond array bound. gameobjectsystem.cpp 290
  • V557 CWE-119 Array overrun is possible. The 'stateId' index is pointing beyond array bound. vehicleanimation.cpp 311
  • And 1 additional diagnostic messages.

Godot Engine

V557 CWE-125 Array overrun is possible. The value of 'i' index could reach 9. input_default.cpp 1119


enum JoystickList {
  ....
  JOY_AXIS_MAX = 10,
  ....
};

static const char *_axes[] = {
  "Left Stick X",
  "Left Stick Y",
  "Right Stick X",
  "Right Stick Y",
  "",
  "",
  "L2",
  "R2"
};

int InputDefault::get_joy_axis_index_from_string(String p_axis) {
  for (int i = 0; i < JOY_AXIS_MAX; i++) {
    if (p_axis == _axes[i]) {
      return i;
    }
  }
  ERR_FAIL_V(-1);
}

NCBI Genome Workbench

V557 Array overrun is possible. The 'row' index is pointing beyond array bound. aln_reader.cpp 412


bool CAlnReader::x_IsGap(TNumrow row, TSeqPos pos, const string& residue)
{
  if (m_MiddleSections.size() == 0) {
    x_CalculateMiddleSections();
  }

  if (row > m_MiddleSections.size()) {
      return false;
  }
  if (pos < m_MiddleSections[row].first) {
    ....
  }
  ....
}
if (row >= m_MiddleSections.size()) {
  return false;
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The 'i' index is pointing beyond array bound. resource_pool.hpp 388
  • V557 Array overrun is possible. The 'row' index is pointing beyond array bound. aln_reader.cpp 418
  • V557 Array overrun is possible. The 'fmt_idx' index is pointing beyond array bound. seq_writer.cpp 384
  • And 2 additional diagnostic messages.

LibreOffice

V557 Array overrun is possible. The 'nPageNum' index is pointing beyond array bound. pptx-epptooxml.cxx 1168


void PowerPointExport::ImplWriteNotes(sal_uInt32 nPageNum)
{
  ....
  // add slide implicit relation to notes
  if (mpSlidesFSArray.size() >= nPageNum)
      addRelation(mpSlidesFSArray[ nPageNum ]->getOutputStream(),
                  oox::getRelationship(Relationship::NOTESSLIDE),
                  OUStringBuffer()
                  .append("../notesSlides/notesSlide")
                  .append(static_cast<sal_Int32>(nPageNum) + 1)
                  .append(".xml")
                  .makeStringAndClear());
  ....
}

LibreOffice

V557 Array overrun is possible. The 'mnSelectedMenu' index is pointing beyond array bound. checklistmenu.cxx 826


void ScMenuFloatingWindow::ensureSubMenuNotVisible()
{
  if (mnSelectedMenu <= maMenuItems.size() &&
      maMenuItems[mnSelectedMenu].mpSubMenuWin &&
      maMenuItems[mnSelectedMenu].mpSubMenuWin->IsVisible())
  {
      maMenuItems[mnSelectedMenu].mpSubMenuWin->ensureSubMenuNotVisible();
  }

  EndPopupMode();
}

LibreOffice

V557 Array overrun is possible. The 'nXFIndex' index is pointing beyond array bound. xestyle.cxx 2613


sal_Int32 XclExpXFBuffer::GetXmlStyleIndex( sal_uInt32 nXFIndex ) const
{
    OSL_ENSURE( nXFIndex < maStyleIndexes.size(), "...." );
    if( nXFIndex > maStyleIndexes.size() )
        return 0;   // should be caught/debugged via above assert;
    return maStyleIndexes[ nXFIndex ];
}

FreeRDP

V557 Array overrun is possible. The value of 'event->EventHandlerCount' index could reach 32. PubSub.c 117


#define MAX_EVENT_HANDLERS  32

struct _wEventType
{
  ....
  int EventHandlerCount;
  pEventHandler EventHandlers[MAX_EVENT_HANDLERS];
};

int PubSub_Subscribe(wPubSub* pubSub, const char* EventName,
      pEventHandler EventHandler)
{
  ....
  if (event->EventHandlerCount <= MAX_EVENT_HANDLERS)
  {
    event->EventHandlers[event->EventHandlerCount] = EventHandler;
    event->EventHandlerCount++;
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'iBitmapFormat' index could reach 8. orders.c 2623

rdesktop

V557 Array underrun is possible. The value of 'n' index could reach -1. rdesktop.c 1872


RD_BOOL
subprocess(char *const argv[], str_handle_lines_t linehandler, void *data)
{
  int n = 1;
  char output[256];
  ....
  while (n > 0)
  {
    n = read(fd[0], output, 255);
    output[n] = '\0'; // <=
    str_handle_lines(output, &rest, linehandler, data);
  }
  ....
}

xrdp

V557 Array overrun is possible. The value of 'i - 8' index could reach 129. genkeymap.c 142


// evdev-map.c
int xfree86_to_evdev[137-8+1] = {
  ....
};

// genkeymap.c
extern int xfree86_to_evdev[137-8];

int main(int argc, char **argv)
{
  ....
  for (i = 8; i <= 137; i++) /* Keycodes */
  {
    if (is_evdev)
        e.keycode = xfree86_to_evdev[i-8];
    ....
  }
  ....
}

Haiku Operation System

V557 Array overrun is possible. The 'BT_SCO' index is pointing beyond array bound. h2upper.cpp 75


struct bt_usb_dev {
  ....
  struct list nbuffersTx[(1 + 1 + 0 + 0)];         // <= [0..1]
  ....
}

typedef enum {
    BT_COMMAND = 0,
    BT_EVENT,
    BT_ACL,
    BT_SCO,                                        // <= 3
    BT_ESCO,

    HCI_NUM_PACKET_TYPES
} bt_packet_t;

void
sched_tx_processing(bt_usb_dev* bdev)
{
  ....
  if (!list_is_empty(&bdev->nbuffersTx[BT_SCO])) { // <= fail
    // TODO to be implemented
  }
  ....
}

Haiku Operation System

V557 Array overrun is possible. The 'ieee80211_send_setup' function processes value '16'. Inspect the fourth argument. Check lines: 842, 911. ieee80211_output.c 842


struct ieee80211_node {
  ....
  struct ieee80211_tx_ampdu ni_tx_ampdu[16];              // <= [0..15]
  ....
};

#define IEEE80211_NONQOS_TID 16

int
ieee80211_mgmt_output(....)
{
  ....
  ieee80211_send_setup(ni, m,
     IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID, // <= 16
     vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid);
  ....
}

void
ieee80211_send_setup(
  struct ieee80211_node *ni,
  struct mbuf *m,
  int type,
  int tid,                                                // <= 16
  ....)
{
  ....
  tap = &ni->ni_tx_ampdu[tid];                            // <= 16
  ....
}

EAStdC

V557 Array overrun is possible. The value of 'nFormatLength' index could reach 16. EASprintfOrdered.cpp 246


static const int kSpanFormatCapacity = 16;

struct Span8
{
  ....
  char mFormat[kSpanFormatCapacity];
  ....
};

static int OVprintfCore(....)
{
  ....
  EA_ASSERT(nFormatLength < kSpanFormatCapacity);
  if(nFormatLength < kSpanFormatCapacity)
    spans[spanIndex].mFormat[nFormatLength++] = *p;                        // <=
  else
    return -1;

  switch(*p)
  {
    case 'b': case 'd': case 'i': case 'u': case 'o': case 'x': case 'X':
    case 'g': case 'G': case 'e': case 'E': case 'f': case 'F': case 'a':
    case 'A': case 'p': case 'c': case 'C': case 's': case 'S': case 'n':
    {
      // Finalize the current span.
      spans[spanIndex].mpEnd = p + 1;
      spans[spanIndex].mFormat[nFormatLength] = 0;                         // <=
      spans[spanIndex].mFormatChar = *p;
      if(++spanIndex == kSpanCapacity)
        break;
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'nFormatLength' index could reach 16. EASprintfOrdered.cpp 614
  • V557 Array overrun is possible. The value of 'nFormatLength' index could reach 16. EASprintfOrdered.cpp 977

Bullet Physics SDK

V557 Array overrun is possible. The value of 'dofIndex + dof' index could reach 130. PhysicsClientC_API.cpp 968


#define MAX_DEGREE_OF_FREEDOM 128
double m_desiredState[MAX_DEGREE_OF_FREEDOM];

B3_SHARED_API int b3JointControl(int dofIndex,
                                 double* forces,
                                 int dofCount, ....)
{
  ....
  if (   (dofIndex >= 0)
      && (dofIndex < MAX_DEGREE_OF_FREEDOM )
      && dofCount >= 0
      && dofCount <= 4)
  {
    for (int dof = 0; dof < dofCount; dof++)
    {
      command->m_sendState.m_desiredState[dofIndex+dof] = forces[dof];
      ....
    }
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'len' index could reach 1024. PhysicsClientC_API.cpp 5223

libarchive

V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2749


static int64_t
expand(struct archive_read *a, int64_t end)
{
  ....
  if ((lensymbol = read_next_symbol(a, &rar->lengthcode)) < 0)
    goto bad_data;
  if (lensymbol > (int)(sizeof(lengthbases)/sizeof(lengthbases[0])))
    goto bad_data;
  if (lensymbol > (int)(sizeof(lengthbits)/sizeof(lengthbits[0])))
    goto bad_data;
  len = lengthbases[lensymbol] + 2;
  if (lengthbits[lensymbol] > 0) {
    if (!rar_br_read_ahead(a, br, lengthbits[lensymbol]))
      goto truncated_data;
    len += rar_br_bits(br, lengthbits[lensymbol]);
    rar_br_consume(br, lengthbits[lensymbol]);
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2750
  • V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2751
  • V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2753
  • And 2 additional diagnostic messages.

Doom 1

V557 [CWE-119] Array overrun is possible. The value of 'i' index could reach 49. p_switch.c 123


#define MAXSWITCHES 50
void P_InitSwitchList(void)
{
  ....
  for (int index = 0, i = 0; i < MAXSWITCHES; i++)
  {
    if (!alphSwitchList[i].episode)
    {
      ....
      break;
    }
    if (alphSwitchList[i].episode <= episode)
    {
      .... = R_TextureNumForName(alphSwitchList[i].name1);
      .... = R_TextureNumForName(alphSwitchList[i].name2);
    }
  }
  ....
}

switchlist_t alphSwitchList[] =
{
  {"SW1BRCOM",   "SW2BRCOM", 1},
  ....
  {"\0", "\0", 0}
};

Doom 1

V557 [CWE-628] Array overrun is possible. The 'F_DrawPatchCol' function processes value '[0..319]'. Inspect the third argument. Check lines: 621, 668. f_finale.c 621


#define SCREENWIDTH 320
void F_BunnyScroll (void)
{
  int scrolled;
  ....
  scrolled = ....;
  if (scrolled > 320)
    scrolled = 320;
  if (scrolled < 0)
    scrolled = 0;

  for (x=0; x<SCREENWIDTH; x++)
  {
    if (x+scrolled < 320)
      F_DrawPatchCol (...., x+scrolled);
    else
      F_DrawPatchCol (...., x+scrolled - 320);
  }
  ....
}

void F_DrawPatchCol (...., int col)
{
  column_t *column;
  ....
  column = .... + LONG(patch->columnofs[col]));
  ....
}

typedef struct
{
  ....
  int columnofs[8];
} patch_t;

Similar errors can be found in some other places:

  • V557 [CWE-628] Array overrun is possible. The 'F_DrawPatchCol' function processes value '[0..319]'. Inspect the third argument. Check lines: 621, 670. f_finale.c 621

Kodi

V557 Array overrun is possible. The 'idx' index is pointing beyond array bound. PlayerCoreFactory.cpp:240


std::vector<CPlayerCoreConfig *> m_vecPlayerConfigs;
bool CPlayerCoreFactory::PlaysVideo(const std::string& player) const
{
  CSingleLock lock(m_section);
  size_t idx = GetPlayerIndex(player);
  if (m_vecPlayerConfigs.empty() || idx > m_vecPlayerConfigs.size())
    return false;
  return m_vecPlayerConfigs[idx]->m_bPlaysVideo;
}

ROOT

V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 130


bool BasicMinimizer::SetVariableValue(unsigned int ivar, double val) {
  if (ivar > fValues.size() ) return false;
  fValues[ivar] = val;
  return true;
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 186
  • V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 194
  • V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 209
  • And 2 additional diagnostic messages.

Command & Conquer

V557 Array overrun is possible. The '9' index is pointing beyond array bound. FOOT.CPP 232


#define  CONQUER_PATH_MAX 9 // Number of cells to look ahead for movement.

FacingType Path[CONQUER_PATH_MAX];

void FootClass::Debug_Dump(MonoClass *mono) const
{
  ....
  if (What_Am_I() != RTTI_AIRCRAFT) {
    mono->Set_Cursor(50, 3);
    mono->Printf("%s%s%s%s%s%s%s%s%s%s%s%s",
      Path_To_String(Path[0]),
      Path_To_String(Path[1]),
      Path_To_String(Path[2]),
      Path_To_String(Path[3]),
      Path_To_String(Path[4]),
      Path_To_String(Path[5]),
      Path_To_String(Path[6]),
      Path_To_String(Path[7]),
      Path_To_String(Path[8]),
      Path_To_String(Path[9]),
      Path_To_String(Path[10]),
      Path_To_String(Path[11]),
      Path_To_String(Path[12]));
    ....
  }
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '10' index is pointing beyond array bound. FOOT.CPP 233
  • V557 Array overrun is possible. The '11' index is pointing beyond array bound. FOOT.CPP 234
  • V557 Array overrun is possible. The '12' index is pointing beyond array bound. FOOT.CPP 235

Command & Conquer

V557 Array underrun is possible. The value of '_SpillTable[index]' index could reach -1. COORD.CPP 149


typedef enum FacingType : char {
  ....
  FACING_COUNT,  // 8
  FACING_FIRST=0
} FacingType;

short const * Coord_Spillage_List(COORDINATE coord, int maxsize)
{
  static short const _MoveSpillage[(int)FACING_COUNT+1][5] = {
    ....
  };

  static char const _SpillTable[16]  = {8,6,2,-1,0,7,1,-1,4,5,3,-1,-1,-1,-1,-1};

  ....
  return(&_MoveSpillage[_SpillTable[index]][0]);
  ....
}

Command & Conquer

V557 Array overrun is possible. The 'QuantityB' function processes value '[0..86]'. Inspect the first argument. Check lines: 'HOUSE.H:928', 'CELL.CPP:2337'. HOUSE.H 928


typedef enum StructType : char {
  STRUCT_NONE=-1,
  ....
  STRUCT_COUNT,                                       // <= 87
  STRUCT_FIRST=0
} StructType;

int BQuantity[STRUCT_COUNT-3];                        // <= [0..83]

int QuantityB(int index) {return(BQuantity[index]);}  // <= [0..86]

bool CellClass::Goodie_Check(FootClass * object)
{
  ....
  int bcount = 0;
  for( j=0; j < STRUCT_COUNT; j++) {
    bcount += hptr->QuantityB(j);                     // <= [0..86]
  }
  ....
}

Qemu

V557 Array overrun is possible. The 'dwc2_glbreg_read' function processes value '[0..63]'. Inspect the third argument. Check lines: 667, 1040. hcd-dwc2.c 667


#define HSOTG_REG(x) (x)
....
struct DWC2State {
  ....
#define DWC2_GLBREG_SIZE    0x70
  uint32_t glbreg[DWC2_GLBREG_SIZE / sizeof(uint32_t)];
  ....
}
....
static uint64_t dwc2_glbreg_read(void *ptr, hwaddr addr, int index,
                                 unsigned size)
{
  ....
  val = s->glbreg[index];
  ....
}
static uint64_t dwc2_hsotg_read(void *ptr, hwaddr addr, unsigned size)
{
  ....
  switch (addr) {
    case HSOTG_REG(0x000) ... HSOTG_REG(0x0fc):
        val = dwc2_glbreg_read(ptr, addr,
                              (addr - HSOTG_REG(0x000)) >> 2, size);
    ....
  }
  ....
}

LLVM/Clang

V557 Array overrun is possible. The 'Index' index is pointing beyond array bound. ASTReader.cpp 7318


std::vector<Decl *> DeclsLoaded;

SourceLocation ASTReader::getSourceLocationForDeclID(GlobalDeclID ID) {
  ....
  unsigned Index = ID - NUM_PREDEF_DECL_IDS;

  if (Index > DeclsLoaded.size()) {
    Error("declaration ID out-of-range for AST file");
    return SourceLocation();
  }

  if (Decl *D = DeclsLoaded[Index])
    return D->getLocation();
  ....
}

Espressif IoT Development Framework

V557 Array overrun is possible. The value of 'other_if' index could reach 3. mdns.c 2206


typedef enum mdns_if_internal {
    MDNS_IF_STA = 0,
    MDNS_IF_AP = 1,
    MDNS_IF_ETH = 2,
    MDNS_IF_MAX
} mdns_if_t;

typedef struct mdns_server_s {
    struct {
        mdns_pcb_t pcbs[MDNS_IP_PROTOCOL_MAX];
    } interfaces[MDNS_IF_MAX];
    const char * hostname;
    const char * instance;
    mdns_srv_item_t * services;
    SemaphoreHandle_t lock;
    QueueHandle_t action_queue;
    mdns_tx_packet_t * tx_queue_head;
    mdns_search_once_t * search_once;
    esp_timer_handle_t timer_handle;
} mdns_server_t;

mdns_server_t * _mdns_server = NULL;

static mdns_if_t _mdns_get_other_if (mdns_if_t tcpip_if)
{
  if (tcpip_if == MDNS_IF_STA) {
    return MDNS_IF_ETH;
  } else if (tcpip_if == MDNS_IF_ETH) {
     return MDNS_IF_STA;
  }
  return MDNS_IF_MAX;
}

static void _mdns_dup_interface(mdns_if_t tcpip_if)
{
  uint8_t i;
  mdns_if_t other_if = _mdns_get_other_if (tcpip_if);
  for (i=0; i<MDNS_IP_PROTOCOL_MAX; i++) {
      if (_mdns_server->interfaces[other_if].pcbs[i].pcb) {
        ....
      }
  }
}

Espressif IoT Development Framework

V557 Array overrun is possible. The '_mdns_announce_pcb' function processes value '[0..3]'. Inspect the first argument. Check lines: 1674, 2213. mdns.c 1674


typedef enum mdns_if_internal {
    MDNS_IF_STA = 0,
    MDNS_IF_AP = 1,
    MDNS_IF_ETH = 2,
    MDNS_IF_MAX
} mdns_if_t;

typedef struct mdns_server_s {
    struct {
        mdns_pcb_t pcbs[MDNS_IP_PROTOCOL_MAX];
    } interfaces[MDNS_IF_MAX];
    const char * hostname;
    const char * instance;
    mdns_srv_item_t * services;
    SemaphoreHandle_t lock;
    QueueHandle_t action_queue;
    mdns_tx_packet_t * tx_queue_head;
    mdns_search_once_t * search_once;
    esp_timer_handle_t timer_handle;
} mdns_server_t;

mdns_server_t * _mdns_server = NULL;

static void _mdns_announce_pcb(mdns_if_t tcpip_if,
                               mdns_ip_protocol_t ip_protocol,
                               mdns_srv_item_t ** services,
                               size_t len, bool include_ip)
{
  mdns_pcb_t * _pcb = &_mdns_server->interfaces[tcpip_if].pcbs[ip_protocol];
  ....
}

static mdns_if_t _mdns_get_other_if (mdns_if_t tcpip_if)
{
    if (tcpip_if == MDNS_IF_STA) {
        return MDNS_IF_ETH;
    } else if (tcpip_if == MDNS_IF_ETH) {
        return MDNS_IF_STA;
    }
    return MDNS_IF_MAX;
}

static void _mdns_dup_interface(mdns_if_t tcpip_if)
{
    uint8_t i;
    mdns_if_t other_if = _mdns_get_other_if (tcpip_if);
    for (i=0; i<MDNS_IP_PROTOCOL_MAX; i++) {
        if (_mdns_server->interfaces[other_if].pcbs[i].pcb) {
            //stop this interface and mark as dup
            if (_mdns_server->interfaces[tcpip_if].pcbs[i].pcb) {
                _mdns_clear_pcb_tx_queue_head(tcpip_if, i);
                _mdns_pcb_deinit(tcpip_if, i);
            }
            _mdns_server->interfaces[tcpip_if].pcbs[i].state = PCB_DUP;
            _mdns_announce_pcb(other_if, i, NULL, 0, true);               // <=
        }
    }
}

Espressif IoT Development Framework

V557 Array overrun is possible. The value of 'frame->exccause' index could reach 16. gdbstub_xtensa.c 132


int esp_gdbstub_get_signal(const esp_gdbstub_frame_t *frame)
{
  const char exccause_to_signal[] =
    {4, 31, 11, 11, 2, 6, 8, 0, 6, 7, 0, 0, 7, 7, 7, 7};
  if (frame->exccause > sizeof(exccause_to_signal)) {
    return 11;
  }
  return (int) exccause_to_signal[frame->exccause];
}

Storm Engine

V557 Array overrun is possible. The value of 'TempLong2 - TempLong1 + 1' index could reach 520. internal_functions.cpp 1131


DATA *COMPILER::BC_CallIntFunction(....)
{
  if (TempLong2 - TempLong1 >= sizeof(Message_string))
  {
    SetError("internal: buffer too small");
    pV = SStack.Push();
    pV->Set("");
    pVResult = pV;
    return pV;
  }
  memcpy(Message_string, pChar + TempLong1,
         TempLong2 - TempLong1 + 1);
  Message_string[TempLong2 - TempLong1 + 1] = 0;
  pV = SStack.Push();
}

LLVM/Clang

V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'Kind' index could reach 19. InstrumentationMap.cpp 196


enum class FunctionKinds { ENTRY, EXIT, TAIL, LOG_ARGS_ENTER, CUSTOM_EVENT };
....
static Error loadObj(....) {
  ....
  auto Kind = Extractor.getU8(&OffsetPtr);
  static constexpr SledEntry::FunctionKinds Kinds[] = {
      SledEntry::FunctionKinds::ENTRY, SledEntry::FunctionKinds::EXIT,
      SledEntry::FunctionKinds::TAIL,
      SledEntry::FunctionKinds::LOG_ARGS_ENTER,
      SledEntry::FunctionKinds::CUSTOM_EVENT};
  if (Kind >= sizeof(Kinds))
    return errorCodeToError(
        std::make_error_code(std::errc::executable_format_error));
  Entry.Kind = Kinds[Kind];
  ....
}

RPCS3

V557 Array underrun is possible. The value of 'month + - 1' index could reach -1. cellRtc.cpp 1470


error_code cellRtcGetDaysInMonth(s32 year, s32 month)
{
  cellRtc.todo("cellRtcGetDaysInMonth(year=%d, month=%d)", year, month);

  if ((year < 0) || (month < 0) || (month > 12))
  {
    return CELL_RTC_ERROR_INVALID_ARG;
  }

  if (is_leap_year(year))
  {
    return not_an_error(DAYS_IN_MONTH[month + 11]);
  }

  return not_an_error(DAYS_IN_MONTH[month + -1]); // <=
}

RPCS3

V557 Array overrun is possible. The 'pad' index is pointing beyond array bound. pad_thread.cpp 191


void pad_thread::SetRumble(const u32 pad, u8 largeMotor, bool smallMotor)
{
  if (pad > m_pads.size())
    return;

  if (m_pads[pad]->m_vibrateMotors.size() >= 2)
  {
    m_pads[pad]->m_vibrateMotors[0].m_value = largeMotor;
    m_pads[pad]->m_vibrateMotors[1].m_value = smallMotor ? 255 : 0;
  }
}

Blend2D

V557 Array overrun is possible. The '3' index is pointing beyond array bound. geometry_p.h 552


static BL_INLINE bool blIsCubicFlat(const BLPoint p[3], double f) {
  if (p[3] == p[0]) {
    // ....
  }
  // ....
}

Ogre3D

V557 Array overrun is possible. The 'j' index is pointing beyond array bound. OgreAnimationTrack.cpp 219


void AnimationTrack::_buildKeyFrameIndexMap(
  const std::vector<Real>& keyFrameTimes)
{

  // ....

  size_t i = 0, j = 0;
  while (j <= keyFrameTimes.size())                    // <=
  {
    mKeyFrameIndexMap[j] = static_cast<ushort>(i);
    while (i < mKeyFrames.size()
      && mKeyFrames[i]->getTime() <= keyFrameTimes[j]) // <=
      ++i;
    ++j;
  }
}

The j index that gives us access to the elements of the keyFrameTimes container is incremented to a value equal to the container size


GPCS4

V557 [CWE-787] Array overrun is possible. The 'dynamicStateCount ++' index is pointing beyond array bound. VltGraphics.cpp 157


VkPipeline VltGraphicsPipeline::createPipeline(....) const
{
  ....
  std::array<VkDynamicState, 6> dynamicStates;
  uint32_t dynamicStateCount = 0;
  dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_VIEWPORT;
  dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_SCISSOR;
  if (state.useDynamicDepthBias())
    dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_DEPTH_BIAS;
  if (state.useDynamicDepthBounds())
  {
    dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_DEPTH_BOUNDS;
    dynamicStates[dynamicStateCount++] =
                             VK_DYNAMIC_STATE_DEPTH_BOUNDS_TEST_ENABLE;
  }
  if (state.useDynamicBlendConstants())
    dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_BLEND_CONSTANTS;
  if (state.useDynamicStencilRef())
    dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_STENCIL_REFERENCE;
  ....
}

#info if all 7 assignes happen, the 'dynamiStates' array will overrun

GCC

V557 Array overrun is possible. The value of 'i' index could reach 256. c-format.cc 1994


char m_flag_chars[256];

void
flag_chars_t::add_char (char ch)
{
  int i = strlen (m_flag_chars);
  m_flag_chars[i++] = ch;
  m_flag_chars[i] = 0;
}

FreeCAD

V557 [CWE-119, CERT-ARR30-C] Array overrun is possible. The 'iTarget' index is pointing beyond array bound. DrawViewPart.cpp 809


/*static*/ int DrawUtil::getIndexFromName(const std::string& geomName)
{
  ....
  if (boost::regex_search(begin, end, what, re, flags)) {
    return int(std::stoi(what.str()));
  } else {
    ErrorMsg << "getIndexFromName: malformed geometry name - " << geomName;
    throw Base::ValueError(ErrorMsg.str());
  }
}

TechDraw::VertexPtr DrawViewPart::getVertex(std::string vertexName) const
{
  const std::vector<TechDraw::VertexPtr>
    allVertex(DrawViewPart::getVertexGeometry());

  size_t iTarget = DrawUtil::getIndexFromName(vertexName);
  if (allVertex.empty()) {
    //should not happen
    throw Base::IndexError("DVP::getVertex - No vertices found.");
  }
  if (iTarget > allVertex.size()) {                                // <=
    //should not happen
    throw Base::IndexError("DVP::getVertex - Vertex not found.");
  }

  return allVertex.at(iTarget);                                    // <=
}

GTK

V557 [CWE-119, CERT-ARR30-C] Array overrun is possible. The value of 'format' index could reach 27. testupload.c 13


typedef enum {
  GDK_MEMORY_B8G8R8A8_PREMULTIPLIED,
  GDK_MEMORY_A8R8G8B8_PREMULTIPLIED,
  GDK_MEMORY_R8G8B8A8_PREMULTIPLIED,
  GDK_MEMORY_B8G8R8A8,
  GDK_MEMORY_A8R8G8B8,
  GDK_MEMORY_R8G8B8A8,
  GDK_MEMORY_A8B8G8R8,
  GDK_MEMORY_R8G8B8,
  GDK_MEMORY_B8G8R8,
  GDK_MEMORY_R16G16B16,
  GDK_MEMORY_R16G16B16A16_PREMULTIPLIED,
  GDK_MEMORY_R16G16B16A16,
  GDK_MEMORY_R16G16B16_FLOAT,
  GDK_MEMORY_R16G16B16A16_FLOAT_PREMULTIPLIED,
  GDK_MEMORY_R16G16B16A16_FLOAT,
  GDK_MEMORY_R32G32B32_FLOAT,
  GDK_MEMORY_R32G32B32A32_FLOAT_PREMULTIPLIED,
  GDK_MEMORY_R32G32B32A32_FLOAT,
  GDK_MEMORY_G8A8_PREMULTIPLIED GDK_AVAILABLE_ENUMERATOR_IN_4_12,
  GDK_MEMORY_G8A8 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
  GDK_MEMORY_G8 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
  GDK_MEMORY_G16A16_PREMULTIPLIED GDK_AVAILABLE_ENUMERATOR_IN_4_12,
  GDK_MEMORY_G16A16 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
  GDK_MEMORY_G16 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
  GDK_MEMORY_A8 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
  GDK_MEMORY_A16 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
  GDK_MEMORY_A16_FLOAT GDK_AVAILABLE_ENUMERATOR_IN_4_12,
  GDK_MEMORY_A32_FLOAT GDK_AVAILABLE_ENUMERATOR_IN_4_12,

  GDK_MEMORY_N_FORMATS
} GdkMemoryFormat;

static const char *format_name[] = {
  "BGRAp", "ARGBp", "RGBAp",
  "BGRA", "ARGB", "RGBA", "ABGR",
  "RGB", "BGR", NULL
};

static const char *
format_to_string (GdkMemoryFormat format)
{
  if (format < GDK_MEMORY_N_FORMATS)
    return format_name[format];
  else
    return "ERROR";
}

Qt Creator

V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4682


using Flag = GenerateGetterSetterOp::GenerateFlag;

constexpr static Flag ColumnFlag[] = {
  Flag::Invalid,                    // 0
  Flag::GenerateGetter,             // 1
  Flag::GenerateSetter,             // 2
  Flag::GenerateSignal,             // 3
  Flag::GenerateReset,              // 4
  Flag::GenerateProperty,           // 5
  Flag::GenerateConstantProperty,   // 6
};
QVariant data(int column, int role) const override
{
  if (role == Qt::DisplayRole && column == NameColumn)
    return m_memberInfo->data.memberVariableName;
  if (   role == Qt::CheckStateRole && column > 0
      && column <= static_cast<int>(std::size(ColumnFlag)))
  {
    return m_memberInfo->requestedFlags & ColumnFlag[column] ? Qt::Checked :
                                                               Qt::Unchecked;
  }

  return {};
}

Similar errors can be found in some other places:

  • V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4693
  • V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4697
  • V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4699
  • And 1 additional diagnostic messages.

LLVM/Clang

V557 Array overrun is possible. The 'index' index is pointing beyond array bound. AppleObjCRuntimeV2.cpp 3308


bool AppleObjCRuntimeV2::NonPointerISACache::EvaluateNonPointerISA(
    ObjCISA isa, ObjCISA &ret_isa) {
  ....
  if (index > m_indexed_isa_cache.size())
    return false;

  LLDB_LOGF(log, "AOCRT::NPI Evaluate(ret_isa = 0x%" PRIx64 ")",
          (uint64_t)m_indexed_isa_cache[index]);
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The 'index' index is pointing beyond array bound. AppleObjCRuntimeV2.cpp 3311

OpenVINO

V557 [CERT-ARR30-C] Array overrun is possible. The 'portNum' index is pointing beyond array bound. node.cpp 402


std::vector<PortConfig> inConfs;
....
MemoryDescPtr Node::getBaseMemDescAtInputPort(size_t portNum) const
{
  if (auto primDesc = getSelectedPrimitiveDescriptor())
  {
    const auto& inConfs = primDesc->getConfig().inConfs;
    if (inConfs.size() < portNum)
    {
      OPENVINO_THROW("Can't get input memory desc at port: ",
                      portNum, ", incorrect port number"     );
    }
    return inConfs[portNum].getMemDesc();
  }
  OPENVINO_THROW("Can't get input memory desc,
                         primitive descriptor is not selected");
}
....
std::vector<PortConfig> outConfs;
....
MemoryDescPtr Node::getBaseMemDescAtOutputPort(size_t portNum) const
{
  if (auto primDesc = getSelectedPrimitiveDescriptor())
  {
    const auto& outConfs = primDesc->getConfig().outConfs;
    if (outConfs.size() < portNum)
    {
      OPENVINO_THROW("Can't get output memory desc at port: ",
                      portNum, ", incorrect port number"      );
    }
    return outConfs[portNum].getMemDesc();
  }
  OPENVINO_THROW("Can't get output memory desc,
                      primitive descriptor is not selected");
}

Similar errors can be found in some other places:

  • V557 [CERT-ARR30-C] Array overrun is possible. The 'portNum' index is pointing beyond array bound. node.cpp 413

DPDK

V557 Array overrun is possible. The value of 'n_bus_type_id' index could reach 9. nthw_fpga_model.c 32


static const char *const sa_nthw_fpga_bus_type_str[] = {
  "ERR",  /* NTHW_FPGA_BUS_TYPE_UNKNOWN, */
  "BAR",  /* NTHW_FPGA_BUS_TYPE_BAR, */
  "PCI",  /* NTHW_FPGA_BUS_TYPE_PCI, */
  "CCIP",  /* NTHW_FPGA_BUS_TYPE_CCIP, */
  "RAB0",  /* NTHW_FPGA_BUS_TYPE_RAB0, */
  "RAB1",  /* NTHW_FPGA_BUS_TYPE_RAB1, */
  "RAB2",  /* NTHW_FPGA_BUS_TYPE_RAB2, */
  "NMB",  /* NTHW_FPGA_BUS_TYPE_NMB, */
  "NDM",  /* NTHW_FPGA_BUS_TYPE_NDM, */
};

static const char *get_bus_name(int n_bus_type_id)
{
  if (n_bus_type_id >= 1 &&
      n_bus_type_id <= (int)ARRAY_SIZE(sa_nthw_fpga_bus_type_str))
    return sa_nthw_fpga_bus_type_str[n_bus_type_id];
  else
    return "ERR";
}

DPDK

V557 Array overrun is possible. The value of 'nblayer' index could reach 3. eal_common_devargs.c 95


/** Number of elements in the array. */
#define  RTE_DIM(a)  (sizeof (a) / sizeof ((a)[0]))

int
rte_devargs_layers_parse(struct rte_devargs *devargs,
       const char *devstr)
{
    struct {
    const char *key;
    const char *str;
    struct rte_kvargs *kvlist;
  } layers[] = {
    { RTE_DEVARGS_KEY_BUS "=",    NULL, NULL, },
    { RTE_DEVARGS_KEY_CLASS "=",  NULL, NULL, },
    { RTE_DEVARGS_KEY_DRIVER "=", NULL, NULL, },
  };
  ....
  if (nblayer > RTE_DIM(layers)) {
    ret = -E2BIG;
    goto get_out;
  }
  layers[nblayer].str = s;
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'nblayer' index could reach 3. eal_common_devargs.c 114
  • V557 Array overrun is possible. The value of 'nblayer' index could reach 3. eal_common_devargs.c 116

DPDK

V557 Array overrun is possible. The value of 'status' index could reach 58. qede_debug.c 7149


enum dbg_status {
  DBG_STATUS_OK,
  DBG_STATUS_APP_VERSION_NOT_SET,
  ....
  DBG_STATUS_INVALID_FILTER_TRIGGER_DWORDS,
  DBG_STATUS_NO_MATCHING_FRAMING_MODE,
  DBG_STATUS_VFC_READ_ERROR,
  ....
  DBG_STATUS_MISSING_TRIGGER_STATE_STORM,
  MAX_DBG_STATUS
};

static const char * const s_status_str[] = {
  /* DBG_STATUS_OK */
  "Operation completed successfully",

  /* DBG_STATUS_APP_VERSION_NOT_SET */
  "Debug application version wasn't set",

  ....

  /* DBG_STATUS_INVALID_FILTER_TRIGGER_DWORDS */
  "The filter/trigger constraint dword offsets are not enabled for recording",


  /* DBG_STATUS_VFC_READ_ERROR */
  "Error reading from VFC",

  ....

  /* DBG_STATUS_MISSING_TRIGGER_STATE_STORM */
  "When triggering on Storm data, the Storm to trigger on must be specified"
};

const char *qed_dbg_get_status_str(enum dbg_status status)
{
  return (status <
    MAX_DBG_STATUS) ? s_status_str[status] : "Invalid debug status";
}

LLVM/Clang

V557 Array overrun is possible. The 'index' index is pointing beyond array bound. AppleObjCRuntimeV2.cpp 3284


std::vector<lldb::addr_t> m_indexed_isa_cache;

bool AppleObjCRuntimeV2::NonPointerISACache::EvaluateNonPointerISA(
    ObjCISA isa, ObjCISA &ret_isa) {
  ....
  uintptr_t index = (isa & m_objc_debug_indexed_isa_index_mask) >>
                     m_objc_debug_indexed_isa_index_shift;
  ....
  // If the index is still out of range then this isn't a pointer.
  if (index > m_indexed_isa_cache.size())
    return false;

  LLDB_LOGF(log, "AOCRT::NPI Evaluate(ret_isa = 0x%" PRIx64 ")",
            (uint64_t)m_indexed_isa_cache[index]);

  ret_isa = m_indexed_isa_cache[index];
  ....
}

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The 'index' index is pointing beyond array bound. AppleObjCRuntimeV2.cpp 3287

x64dbg

V557 Array overrun is possible. The value of 'registerName - ZYDIS_REGISTER_XMM0' index could reach 47. TraceInfoBox.cpp 310


typedef enum ZydisRegister_
{
  ....
  ZYDIS_REGISTER_XMM0,  // 88
  ....
  ZYDIS_REGISTER_YMM0,  // 120
  ....
  ZYDIS_REGISTER_YMM15, // 135
}

typedef struct
{
    ....
#ifdef _WIN64
    XMMREGISTER XmmRegisters[16];
    YMMREGISTER YmmRegisters[16];
#else // x86
    XMMREGISTER XmmRegisters[8];
    YMMREGISTER YmmRegisters[8];
#endif
} REGISTERCONTEXT;

#ifdef _WIN64
#define ArchValue(x32value, x64value) x64value
#else
#define ArchValue(x32value, x64value) x32value
#endif //_WIN64

void TraceInfoBox::update(unsigned long long selection,
              TraceFileReader* traceFile,
              const REGDUMP & registers)
{
  ....
  else if(   registerName >= ZYDIS_REGISTER_YMM0
          && registerName <= ArchValue(ZYDIS_REGISTER_YMM7,
                                       ZYDIS_REGISTER_YMM15))
  {
    registerLine += CPUInfoBox::formatSSEOperand(
      QByteArray((const char*)®isters.regcontext
        .YmmRegisters[registerName - ZYDIS_REGISTER_XMM0], 32),           // <=
      zydis.getVectorElementType(opindex)
    );
  }
  ....
}