Examples of errors detected by the V557 diagnostic
V557. Possible array overrun.
VirtualDub
V557 Array overrun is possible. The '9' index is pointing beyond array bound. VirtualDub f_convolute.cpp 73
struct ConvoluteFilterData {
long m[9];
long bias;
void *dyna_func;
DWORD dyna_size;
DWORD dyna_old_protect;
BOOL fClip;
};
static unsigned long __fastcall do_conv(
unsigned long *data,
const ConvoluteFilterData *cfd,
long sflags, long pit)
{
long rt0=cfd->m[9], gt0=cfd->m[9], bt0=cfd->m[9];
....
}
Dynamic Universal Music Bibliotheque
V557 Array overrun is possible. The '14' index is pointing beyond array bound. dumb_static readdsmf.c 34
struct IT_SAMPLE
{
....
unsigned char filename[14];
....
};
static int it_riff_dsmf_process_sample(
IT_SAMPLE * sample, const unsigned char * data, int len)
{
int flags;
memcpy( sample->filename, data, 13 );
sample->filename[ 14 ] = 0;
....
}
This is what should have been written here: sample->filename[ 13 ] = 0;
CAMEL
V557 Array overrun is possible. The '64' index is pointing beyond array bound. stickies stickies.cpp 7947
#define FINDBUFFLEN 64 // Max buffer find/replace size
int WINAPI Sticky (HWND hwnd, UINT message,
WPARAM wParam, LPARAM lParam)
{
....
static char findWhat[FINDBUFFLEN] = {'\0'};
....
findWhat[FINDBUFFLEN] = '\0';
....
}
Wolfenstein 3D
V557 Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_cmd.c 1069
typedef struct bot_state_s
{
....
char teamleader[32]; //netname of the team leader
....
} bot_state_t;
void BotMatch_StartTeamLeaderShip(
bot_state_t *bs, bot_match_t *match)
{
....
bs->teamleader[sizeof( bs->teamleader )] = '\0';
....
}
-1 is missing. The same error can be found in Quake 3.
Similar errors can be found in some other places:
- V557 Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_team.c 548
Wolfenstein 3D
V557 Array overrun is possible. The '3' index is pointing beyond array bound. renderer tr_shade_calc.c 679
void RB_CalcColorFromOneMinusEntity(unsigned char *dstColors) {
....
unsigned char invModulate[3];
....
invModulate[0] = 255 - backEnd.currentEntity->e.shaderRGBA[0];
invModulate[1] = 255 - backEnd.currentEntity->e.shaderRGBA[1];
invModulate[2] = 255 - backEnd.currentEntity->e.shaderRGBA[2];
// this trashes alpha, but the AGEN block fixes it
invModulate[3] = 255 - backEnd.currentEntity->e.shaderRGBA[3];
....
}
The same error can be found in Quake 3.
IPP Samples
V557 Array overrun is possible. The '30' index is pointing beyond array bound. avs_enc umc_avs_enc_compressor_enc_b.cpp 495
struct AVS_MB_INFO
{
....
Ipp8u refIdx[AVS_DIRECTIONS][4];
....
};
void AVSCompressor::GetRefIndiciesBSlice(void){
....
if (m_pMbInfo->predType[0] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][0];
iRefNum += 1;
}
if (m_pMbInfo->predType[1] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][1];
iRefNum += 1;
}
if (m_pMbInfo->predType[2] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][2];
iRefNum += 1;
}
if (m_pMbInfo->predType[3] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][30];
iRefNum += 1;
}
....
}
The programmer's hand faltered and now we have 30 instead of 3.
IPP Samples
V557 Array overrun is possible. The '3' index is pointing beyond array bound. mp3_enc mp3enc_psychoacoustic_fp.c 726
typedef struct
{
....
VM_ALIGN16_DECL(Ipp32f)
nb_short[2][3][__ALIGNED(MAX_PPT_SHORT)];
....
} mpaPsychoacousticBlock;
static void mp3encPsy_short_window(....)
{
....
if (win_counter == 0) {
nb_s = pBlock->nb_short[0][3];
}
....
}
This is what should have been written here: 2.
LAME
V557 Array overrun is possible. The value of 'r0 + r1 + 2' index could reach 24. libmp3lame takehiro.c 895
....
#define SBMAX_l 22
....
int l[1+SBMAX_l];
....
inline static void
recalc_divide_init(const lame_internal_flags * const gfc, ...)
{
int r0, r1;
....
for (r0 = 0; r0 < 16; r0++) {
....
for (r1 = 0; r1 < 8; r1++) {
int a2 = gfc->scalefac_band.l[r0 + r1 + 2];
....
}
Irrlicht Engine
V557 Array overrun is possible. The value of 'i * 3 + 0' index could reach 765. Irrlicht cimageloaderpcx.cpp 113
struct SPCXHeader {
....
u8 Palette[48];
u8 Reserved;
u8 Planes;
u16 BytesPerLine;
....
}
IImage* CImageLoaderPCX::loadImage(io::IReadFile* file) const
{
....
for( s32 i=0; i<256; i++ )
{
paletteData[i] = (header.Palette[i*3+0] << 16) |
(header.Palette[i*3+1] << 8) |
(header.Palette[i*3+2]);
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'i * 3 + 1' index could reach 766. Irrlicht cimageloaderpcx.cpp 114
- V557 Array overrun is possible. The value of 'i * 3 + 2' index could reach 767. Irrlicht cimageloaderpcx.cpp 115
SAGA GIS
V557 Array overrun is possible. The value of 'i + 1' index could reach 7. pj_geotrans datum.c 367
#define DATUM_CODE_LENGTH 7
typedef struct Datum_Table_Row
{
....
char Code[DATUM_CODE_LENGTH];
....
} Datum_Row;
long Initialize_Datums_File(const char *File_7Parms,
const char *File_3Parms)
{
....
for (i = 0; i < DATUM_CODE_LENGTH; i++)
Datum_Table_3Param[index].Code[i] =
Datum_Table_3Param[index].Code[i+1];
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'i + 1' index could reach 7. pj_geotrans datum.c 630
- V557 Array overrun is possible. The value of 'i + 1' index could reach 30. pj_geotrans ellipse.c 209
- V557 Array overrun is possible. The value of 'i + 1' index could reach 30. pj_geotrans ellipse.c 326
CMake
V557 Array overrun is possible. The value of 'i' index could reach 367. cmlibarchive archive_windows.c 1140
static const struct {
DWORD winerr;
int doserr;
} doserrors[] =
{
....
};
static void
la_dosmaperr(unsigned long e)
{
....
for (i = 0; i < sizeof(doserrors); i++)
{
if (doserrors[i].winerr == e)
{
errno = doserrors[i].doserr;
return;
}
}
....
}
This is what should have been written here: sizeof(doserrors) / sizeof(*doserrors)
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'i' index could reach 367. cmlibarchive archive_windows.c 1142
Energy Checker SDK
V557 Array overrun is possible. The '255' index is pointing beyond array bound. pl2ganglia pl2ganglia.c 1114
#define PL_MAX_PATH 255
#define PL2GANFLIA_COUNTER_MAX_LENGTH PL_MAX_PATH
char name[PL_MAX_PATH];
int main(int argc, char *argv[]) {
....
p->pl_counters_data[i].name[
PL2GANFLIA_COUNTER_MAX_LENGTH
] = '\0';
....
}
This is what should have been written here: PL2GANFLIA_COUNTER_MAX_LENGTH - 1
Similar errors can be found in some other places:
- V557 Array overrun is possible. The '255' index is pointing beyond array bound. pl2ganglia pl2ganglia.c 1134
ReactOS
V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1482
static void move_dir_to_dir(....)
{
....
szFrom[lstrlenW(szFrom) + 1] = '\0';
....
}
Very suspicious code. Something different must have been intended.
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'lstrlenW (szTo) + 1' index could reach 260. shell32 shlfileop.c 1192
- V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1196
- V557 Array overrun is possible. The value of 'lstrlenW (curdir) + 1' index could reach 261. shell32 shlfileop.c 1274
IPP Samples
V557 Array overrun is possible. The value of 'j' index could reach 2. mp3_enc mp3enc_psychoacoustic_fp.c 361
Ipp32f pa_nb_long[NUM_CHANNELS][2][MAX_PPT_LONG];
MP3Status mp3enc_psychoacousticInit(....)
{
....
for (ch = 0; ch < NUM_CHANNELS; ch++)
for (i = 0; i < MAX_PPT_LONG; i++) {
for (j = 0; j < 3; j++)
state->pa_nb_long[ch][j][i] = (Ipp32f)1.0e30;
}
....
}
This is what should have been written here: for (j = 0; j < 2; j++)
IPP Samples
V557 Array overrun is possible. The value of 't * 12 + j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 275
typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];
static void mp3enc_scale_factor_calc_l2(MP3Enc *state)
{
....
for (ch = 0; ch < stereo + state->com.mc_channel; ch++) {
for (t = 0; t < 3; t++) {
for (sb = 0; sb < sblimit_real; sb++){
for (j = 0; j < 12; j++)
fbout[j] = state->fbout_data[ch][0][t * 12 + j][sb];
....
}
If it can be possible that t == 2, while j == 11, an array overrun will occur.
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 's * 12 + j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 580
IPP Samples
V557 Array overrun is possible. The value of 'j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 639
typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];
static void mp3enc_join_LR_l2(MP3Enc *state)
{
Ipp32s sb, j;
Ipp32s sblimit_real = state->com.sblimit_real;
for (sb = 0; sb < sblimit_real; sb++)
for (j = 0; j < 36; j++)
state->fbout_data[2][0][j][sb] =
0.5f * (state->fbout_data[0][0][j][sb] +
state->fbout_data[1][0][j][sb]);
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 640
Chromium
V557 Array overrun is possible. The value of 'n' index could reach 479. iSAC encode.c 1307
#define FRAMESAMPLES_HALF 240
#define FRAMESAMPLES 480
typedef struct {
....
WebRtc_Word16 realFFT[FRAMESAMPLES_HALF];
WebRtc_Word16 imagFFT[FRAMESAMPLES_HALF];
} ISACUBSaveEncDataStruct;
int WebRtcIsac_EncodeStoredDataUb12(....)
{
....
for(n = 0; n < FRAMESAMPLES; n++)
{
realFFT[n] = (WebRtc_Word16)
(scale * (float)ISACSavedEnc_obj->realFFT[n] + 0.5f);
imagFFT[n] = (WebRtc_Word16)
(scale * (float)ISACSavedEnc_obj->imagFFT[n] + 0.5f);
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'n' index could reach 479. iSAC encode.c 1308
Doom 3
V557 Array overrun is possible. The value of 'j' index could reach 5. DoomDLL tr_stencilshadow.cpp 551
static bool R_ClipLineToLight(..., const idPlane frustum[4], ...)
{
....
for ( j = 0 ; j < 6 ; j++ ) {
d1 = frustum[j].Distance( p1 );
d2 = frustum[j].Distance( p2 );
....
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'j' index could reach 5. DoomDLL tr_stencilshadow.cpp 552
Mozilla Firefox
V557 Array overrun is possible. The value of 'i' index could reach 19. detectcharset.cpp 89
class nsBaseStatis : public nsStatis {
public:
....
PRUint32 mLWordLen[10];
....
nsBaseStatis::nsBaseStatis(
unsigned char aL, unsigned char aH, float aR)
{
....
for(PRUint32 i = 0; i < 20; i++)
mLWordLen[i] = 0;
....
}
}
....
};
This is what should have been written here: for(PRUint32 i = 0; i < 10; i++) or: for(PRUint32 i = 0; i < sizeof(mLWordLen)/sizeof(mLWordLen[0]); i++)
Quake-III-Arena
V557 Array overrun is possible. The value of 'i' index could reach 3. game g_main.c 776
int numteamVotingClients[2];
void CalculateRanks( void ) {
....
for ( i = 0; i < TEAM_NUM_TEAMS; i++ ) {
level.numteamVotingClients[i] = 0;
}
....
}
Notepad++
V557 Array overrun is possible. The value of 'i' index could reach 46. Notepad++ preferencedlg.cpp 984
int encodings[] = {
1250,
1251,
1252,
....
};
BOOL CALLBACK DefaultNewDocDlg::run_dlgProc(
UINT Message, WPARAM wParam, LPARAM)
{
....
for (int i = 0 ; i <= sizeof(encodings)/sizeof(int) ; i++)
{
int cmdID = em->getIndexFromEncoding(encodings[i]);
....
}
This is what should have been written here: i < sizeof(encodings)/sizeof(int)
Trinity Core
V557 Array overrun is possible. The value of 'i' index could reach 39. libmysql ctype-czech.c 260
static struct wordvalue doubles[] = {
{ "ch", (uchar*) "\014\031\057\057" },
{ "Ch", (uchar*) "\014\031\060\060" },
{ "CH", (uchar*) "\014\031\061\061" },
{ "c", (uchar*) "\005\012\021\021" },
{ "C", (uchar*) "\005\012\022\022" },
};
#define NEXT_CMP_VALUE(src, p, store, pass, value, len) \
while (1) \
{ \
...... \
for (i = 0; i < (int) sizeof(doubles); i++) \
{ \
const char * pattern = doubles[i].word; \
... \
} \
} \
...... \
}
An incorrect macro NEXT_CMP_VALUE.
Blender
V557 Array overrun is possible. The '9' index is pointing beyond array bound. ge_phys_bullet ccdphysicscontroller.cpp 867
void CcdPhysicsController::RelativeRotate(
const float rotval[9], bool local)
{
....
btMatrix3x3 drotmat(
rotval[0],rotval[4],rotval[8],
rotval[1],rotval[5],rotval[9],
rotval[2],rotval[6],rotval[10]);
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The '10' index is pointing beyond array bound. ge_phys_bullet ccdphysicscontroller.cpp 868
Blender
V557 Array overrun is possible. The '7' index is pointing beyond array bound. vfont.cc 612
typedef struct BezTriple
{
float vec[3][3];
....
}
void BKE_vfont_build_char(....)
{
....
BezTriple *bezt2 = (BezTriple *)MEM_malloc_arrayN(u,
sizeof(BezTriple),
"duplichar_bezt2" );
....
for (int i = nu2->pntsu; i > 0; i--)
{
float *fp = bezt2->vec[0];
fp[0] = (fp[0] + ofsx) * fsize;
fp[1] = (fp[1] + ofsy) * fsize;
fp[3] = (fp[3] + ofsx) * fsize;
fp[4] = (fp[4] + ofsy) * fsize;
fp[6] = (fp[6] + ofsx) * fsize;
fp[7] = (fp[7] + ofsy) * fsize;
bezt2++;
}
....
}
Trans-Proteomic Pipeline
V557 Array overrun is possible. The '3' index is pointing beyond array bound. crypt crypt.cxx 567
int main(int argc, char **argv) {
....
char salt[3];
....
salt[0] = (argc>2)?(argv[1][0]):rndChar[rand() % 64];
salt[1] = (argc>2)?(argv[1][1]):rndChar[rand() % 64];
salt[3] = 0;
....
}
This is what should have been written here: salt[2] = 0;
Visualization Toolkit (VTK)
V557 Array overrun is possible. The '6' index is pointing beyond array bound. vtkGraphics vtkcursor2d.cxx 313
void vtkCursor2D::SetModelBounds(double bounds[6])
{
this->SetModelBounds(bounds[0], bounds[1], bounds[2],
bounds[3], bounds[6], bounds[5]);
}
This is what should have been written here: bounds[4].
ffdshow
V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 39
static uint crc_tables[8][256];
void InitCRC()
{
....
// Build additional lookup tables.
for (uint I=0;I<=256;I++)
{
uint C=crc_tables[0][I];
for (uint J=1;J<8;J++)
{
C=crc_tables[0][(byte)C]^(C>>8);
crc_tables[J][I]=C;
}
}
}
Skia Graphics Engine
V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1480
static void p3d_interp(const SkScalar src[3],
SkScalar dst[3], SkScalar t) {
SkScalar ab = SkScalarInterp(src[0], src[3], t);
SkScalar bc = SkScalarInterp(src[3], src[6], t);
dst[0] = ab;
dst[3] = SkScalarInterp(ab, bc, t);
dst[6] = bc;
}
void SkConic::chopAt(SkScalar t, SkConic dst[2]) const {
SkP3D tmp[3], tmp2[3];
ratquad_mapTo3D(fPts, fW, tmp);
p3d_interp(&tmp[0].fX, &tmp2[0].fX, t);
p3d_interp(&tmp[0].fY, &tmp2[0].fY, t);
p3d_interp(&tmp[0].fZ, &tmp2[0].fZ, t);
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1481
- V557 Array overrun is possible. The '6' index is pointing beyond array bound. skgeometry.cpp 1481
- V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1483
- And 1 additional diagnostic messages.
Chromium
V557 Array overrun is possible. The value of 'i' index could reach 2. shader_bench.cc 152
static const int kNumPainters = 3;
static const struct {
const char* name;
GPUPainter* painter;
} painters[] = {
{ "CPU CSC + GPU Render", new CPUColorPainter() },
{ "GPU CSC/Render", new GPUColorWithLuminancePainter() },
};
int main(int argc, char** argv) {
....
// Run GPU painter tests.
for (int i = 0; i < kNumPainters; i++) {
scoped_ptr<GPUPainter> painter(painters[i].painter);
....
}
Multi Theft Auto
V557 Array overrun is possible. The '7' index is pointing beyond array bound. cjoystickmanager.cpp 1003
struct
{
bool bEnabled;
long lMax;
long lMin;
DWORD dwType;
} axis[7];
bool CJoystickManager::IsXInputDeviceAttached ( void )
{
....
m_DevInfo.axis[6].bEnabled = 0;
m_DevInfo.axis[7].bEnabled = 0;
....
}
Multi Theft Auto
V557 Array overrun is possible. The '3' index is pointing beyond array bound. cwatermanagersa.cpp 595
class CWaterPolySAInterface
{
public:
WORD m_wVertexIDs[3];
};
CWaterPoly* CWaterManagerSA::CreateQuad (....)
{
....
pInterface->m_wVertexIDs [ 0 ] = pV1->GetID ();
pInterface->m_wVertexIDs [ 1 ] = pV2->GetID ();
pInterface->m_wVertexIDs [ 2 ] = pV3->GetID ();
pInterface->m_wVertexIDs [ 3 ] = pV4->GetID ();
....
}
Multi Theft Auto
V557 Array overrun is possible. The value of 'i' index could reach 3. cmainmenu.cpp 1062
#define CORE_MTA_NEWS_ITEMS 3
CGUILabel* m_pNewsItemLabels[CORE_MTA_NEWS_ITEMS];
CGUILabel* m_pNewsItemShadowLabels[CORE_MTA_NEWS_ITEMS];
void CMainMenu::SetNewsHeadline (....)
{
....
for ( char i=0; i <= CORE_MTA_NEWS_ITEMS; i++ )
{
m_pNewsItemLabels[ i ]->SetFont ( szFontName );
m_pNewsItemShadowLabels[ i ]->SetFont ( szFontName );
....
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'i' index could reach 3. cmainmenu.cpp 1063
Portable UnRAR
V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 35
static uint crc_tables[8][256]; // Tables for Slicing-by-8.
void InitCRC()
{
....
for (uint I=0;I<=256;I++)
{
uint C=crc_tables[0][I];
for (uint J=1;J<8;J++)
{
C=crc_tables[0][(byte)C]^(C>>8);
crc_tables[J][I]=C;
}
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 39
Multi Theft Auto
V557 Array overrun is possible. The value of 'i' index could reach 19. cpoolssa.cpp 1036
enum ePools {
BUILDING_POOL = 0,
PED_POOL,
OBJECT_POOL,
DUMMY_POOL,
VEHICLE_POOL,
COL_MODEL_POOL,
TASK_POOL,
EVENT_POOL,
TASK_ALLOCATOR_POOL,
PED_INTELLIGENCE_POOL,
PED_ATTRACTOR_POOL,
ENTRY_INFO_NODE_POOL,
NODE_ROUTE_POOL,
PATROL_ROUTE_POOL,
POINT_ROUTE_POOL,
POINTER_DOUBLE_LINK_POOL,
POINTER_SINGLE_LINK_POOL,
ENV_MAP_MATERIAL_POOL,
ENV_MAP_ATOMIC_POOL,
SPEC_MAP_MATERIAL_POOL,
MAX_POOLS
};
void CPoolsSA::DumpPoolsStatus ()
{
char* poolNames[] = {
"Buildings", "Peds", "Objects", "Dummies", "Vehicles",
"ColModels", "Tasks", "Events", "TaskAllocators",
"PedIntelligences", "PedAttractors", "EntryInfoNodes",
"NodeRoutes", "PatrolRoutes", "PointRoutes",
"PointerNodeDoubleLinks", "PointerNodeSingleLinks" };
int poolSizes[] = {
13000,140,350,2500,110,10150,500,200,16,140,64,500,
64,32,64,3200,70000 };
int iPosition = 0;
char percent = '%';
iPosition += snprintf ( szOutput, 1024,
"-----------------\n" );
for ( int i = 0; i < MAX_POOLS; i++ )
{
int usedSpaces = GetNumberOfUsedSpaces ( (ePools)i );
iPosition +=
snprintf ( szOutput + iPosition, 1024 - iPosition,
"%s: %d (%d) (%.2f%c)\n", poolNames[i],
usedSpaces, poolSizes[i],
((float)usedSpaces/(float)poolSizes[i]*100),
percent );
}
#ifdef MTA_DEBUG
OutputDebugString ( szOutput );
#endif
}
OpenMS
V557 Array overrun is possible. The value of 'i' index could reach 7. itraqanalyzer.c 232
static const Int CHANNELS_FOURPLEX[4][1];
static const Int CHANNELS_EIGHTPLEX[8][1];
ExitCodes main_(int, const char **)
{
....
if (itraq_type == ItraqQuantifier::FOURPLEX)
{
for (Size i = 0; i < 4; ++i)
{
std::vector<std::pair<String, DoubleReal> > one_label;
one_label.push_back(std::make_pair<String, DoubleReal>(
String("Channel ") +
String(ItraqConstants::CHANNELS_FOURPLEX[i][0]),
DoubleReal(ItraqConstants::CHANNELS_FOURPLEX[i][0])));
labels.push_back(one_label);
}
}
else //ItraqQuantifier::EIGHTPLEX
{
for (Size i = 0; i < 8; ++i)
{
std::vector<std::pair<String, DoubleReal> > one_label;
one_label.push_back(std::make_pair<String, DoubleReal>(
String("Channel ") +
String(ItraqConstants::CHANNELS_FOURPLEX[i][0]),
DoubleReal(ItraqConstants::CHANNELS_FOURPLEX[i][0])));
labels.push_back(one_label);
}
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'i' index could reach 7. tmtanalyzer.c 225
OpenMS
V557 Array overrun is possible. The value of 'i' index could reach 255. edwardslippertiterator.c 134
DoubleReal masse_[255]; // <= mass table
EdwardsLippertIterator::EdwardsLippertIterator(
const EdwardsLippertIterator & source) :
PepIterator(source),
f_file_(source.f_file_),
actual_pep_(source.actual_pep_),
spec_(source.spec_),
tol_(source.tol_),
is_at_end_(source.is_at_end_),
f_iterator_(source.f_iterator_),
f_entry_(source.f_entry_),
b_(source.b_),
e_(source.e_),
m_(source.m_),
massMax_(source.massMax_)
{
for (Size i = 0; i < 256; i++)
{
masse_[i] = source.masse_[i];
}
}
OpenCOLLADA
V557 Array overrun is possible. The '2' index is pointing beyond array bound. mayadmtypes.h 48
struct short2
{
short values[2];
short2(short s1, short s2)
{
values[0] = s1;
values[2] = s2;
}
....
};
QuantLib
V557 Array overrun is possible. The value of 'i' index could reach 64. markovfunctional.cpp 176
Handle<YieldTermStructure> md0Yts() {
....
double q6mh[] = {
0.0001,0.0001,0.0001,0.0003,0.00055,0.0009,0.0014,0.0019,
0.0025,0.0031,0.00325,0.00313,0.0031,0.00307,0.00309,
0.00339,0.00316,0.00326,0.00335,0.00343,0.00358,0.00351,
0.00388,0.00404,0.00425,0.00442,0.00462,0.00386,0.00491,
0.00647,0.00837,0.01033,0.01218,0.01382,0.01527,0.01654,
0.0177,0.01872,0.01959,0.0203,0.02088,0.02132,0.02164,
0.02186,0.02202,0.02213,0.02222,0.02229,0.02234,0.02238,
0.02241,0.02243,0.02244,0.02245,0.02247,0.0225,0.02284,
0.02336,0.02407,0.0245 };
....
for(int i=0;i<10+18+37;i++) {
q6m.push_back(
boost::shared_ptr<Quote>(new SimpleQuote(q6mh[i])));
}
....
}
Geant4 software
V557 Array overrun is possible. The value of 'i' index could reach 179. g4lepp.cc 62
enum { NENERGY=22, NANGLE=180 };
class G4LEpp : public G4HadronicInteraction
{
....
G4float * sig[NANGLE];
static G4float SigCoul[NENERGY][NANGLE];
....
};
G4LEpp::SetCoulombEffects(G4int State)
{
if (State) {
for(G4int i=0; i<NANGLE; i++)
{
sig[i] = SigCoul[i];
}
elab = ElabCoul;
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'i' index could reach 179. g4lepp.cc 69
Geant4 software
V557 Array overrun is possible. The value of 'j' index could reach 7. g4heinelastic.cc 4682
void
G4HEInelastic::MediumEnergyClusterProduction(....)
{
....
G4double alem[] = {1.40, 2.30, 2.70, 3.00, 3.40, 4.60, 7.00};
....
for (j = 1; j < 8; j++) {
if (alekw < alem[j]) {
jmax = j;
break;
}
}
....
}
Source Engine SDK
V557 Array overrun is possible. The value of 'i' index could reach 5. Client (HL2) hud_weaponselection.cpp 632
#define MAX_WEAPON_SLOTS 6 // hud item selection slots
void CHudWeaponSelection::Paint()
{
....
int xModifiers[] = { 0, 1, 0, -1 };
int yModifiers[] = { -1, 0, 1, 0 };
for ( int i = 0; i < MAX_WEAPON_SLOTS; ++i )
{
....
xPos += ( m_flMediumBoxWide + 5 ) * xModifiers[ i ];
yPos += ( m_flMediumBoxTall + 5 ) * yModifiers[ i ];
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'i' index could reach 5. Client (HL2) hud_weaponselection.cpp 633
Miranda IM
V557 Array underrun is possible. The value of 'index' index could reach -1. controls.cpp 491
const int idToIndex(const int id) const
{
for(int i = 0; i < NR_BUTTONS; i++) {
if(m_TbButtons[i].idCommand == id )
return(i);
}
return(-1);
}
TBBUTTON CMenuBar::m_TbButtons[8] = {0};
void CMenuBar::invoke(const int id)
{
const int index = idToIndex(id);
....
if(index == 3 && hContact != 0) {
....
} else if(index == 0) {
....
} else
hMenu = reinterpret_cast<HMENU>(m_TbButtons[index].dwData);
....
}
Coin3D
V557 Array overrun is possible. The '3' index is pointing beyond array bound. somfcolorrgba.cpp 220
void
SoMFColorRGBA::set1HSVValue(int idx, const float hsva[3])
{
this->set1HSVValue(idx, hsva[0], hsva[1], hsva[2], hsva[3]);
}
Wild Magic 5
V557 Array overrun is possible. The value of 'curr' index could reach 2. wm5triangles.cpp 365
void Triangles::UpdateModelTangentsUseTCoords(....)
{
....
Float2 locTCoord[2];
int curr;
for (curr = 0; curr < 3; ++curr)
{
....
locTCoord[curr] = vba.TCoord<Float2>(0, k);
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'curr' index could reach 2. wm5triangles.cpp 382
FlightGear
V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1717
enum {
ALL_EJECTION_SEATS = -1,
MAX_EJECTION_SEATS = 10
};
int eseat_status[MAX_EJECTION_SEATS];
void
FGControls::set_ejection_seat( int which_seat, bool val )
{
....
if ((which_seat >= 0) && (which_seat <= MAX_EJECTION_SEATS))
{
if ( eseat_status[which_seat] == SEAT_SAFED ||
eseat_status[which_seat] == SEAT_FAIL )
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1718
- V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1724
- V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1738
FFmpeg
V557 Array overrun is possible. The '8' index is pointing beyond array bound. mjpegenc.c 497
void ff_mjpeg_encode_mb(MpegEncContext *s,
int16_t block[6][64])
{
int i;
if (s->chroma_format == CHROMA_444) {
encode_block(s, block[0], 0);
encode_block(s, block[2], 2);
encode_block(s, block[4], 4);
encode_block(s, block[8], 8);
encode_block(s, block[5], 5);
encode_block(s, block[9], 9);
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The '9' index is pointing beyond array bound. mjpegenc.c 499
- V557 Array overrun is possible. The '6' index is pointing beyond array bound. mjpegenc.c 504
- V557 Array overrun is possible. The '10' index is pointing beyond array bound. mjpegenc.c 505
- And 4 additional diagnostic messages.
Word for Windows 1.1a
V557 Array overrun is possible. The '5' index is pointing beyond array bound. dnatfile.c 444
uns rgwSpare0 [5];
DumpHeader()
{
....
printUns ("rgwSpare0[0] = ", Fib.rgwSpare0[5], 0, 0, fTrue);
printUns ("rgwSpare0[1] = ", Fib.rgwSpare0[1], 1, 1, fTrue);
printUns ("rgwSpare0[2] = ", Fib.rgwSpare0[2], 0, 0, fTrue);
printUns ("rgwSpare0[3] = ", Fib.rgwSpare0[3], 1, 1, fTrue);
printUns ("rgwSpare0[4] = ", Fib.rgwSpare0[4], 2, 2, fTrue);
....
}
This is what should have been written here: printUns ("rgwSpare0[0] = ", Fib.rgwSpare0[0], 0, 0, fTrue);
Qt
V557 Array overrun is possible. The value of 'j' index could reach 4. harfbuzz-arabic.c 516
static const JoiningPair joining_table[5][4] = { .... };
typedef enum {
JNone,
JCausing,
JDual,
JRight,
JTransparent
} Joining;
static Joining getNkoJoining(unsigned short uc)
{
if (uc < 0x7ca)
return JNone;
if (uc <= 0x7ea)
return JDual;
if (uc <= 0x7f3)
return JTransparent;
if (uc <= 0x7f9)
return JNone;
if (uc == 0x7fa)
return JCausing;
return JNone;
}
static void getNkoProperties(....)
{
....
Joining j = getNkoJoining(chars[0]);
ArabicShape shape = joining_table[XIsolated][j].form2;
....
}
TortoiseGit
V557 Array underrun is possible. The value of 'idx' index could reach -1. diff_file.c 1052
static int
datasource_to_index(svn_diff_datasource_e datasource)
{
switch (datasource)
{
....
}
return -1;
}
static svn_error_t *
token_compare(....)
{
....
int idx = datasource_to_index(file_token[i]->datasource);
file[i] = &file_baton->files[idx];
....
}
OpenMW
V557 Array overrun is possible. The value of 'idx' index could reach 3. esmtool labels.cpp 502
std::string rangeTypeLabel(int idx)
{
const char* rangeTypeLabels [] = {
"Self",
"Touch",
"Target"
};
if (idx >= 0 && idx <= 3)
return rangeTypeLabels[idx];
else
return "Invalid";
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'idx' index could reach 143. esmtool labels.cpp 391
- V557 Array overrun is possible. The value of 'idx' index could reach 27. esmtool labels.cpp 475
LibLog
V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 153
typedef struct LogState {
int fakeFd;
char *debugName;
int isBinary;
....
} LogState;
#define MAX_OPEN_LOGS 16
static LogState *openLogTable[MAX_OPEN_LOGS];
static LogState *createLogState()
{
size_t i;
for (i = 0; i < sizeof(openLogTable); i++) {
if (openLogTable[i] == NULL) {
openLogTable[i] = calloc(1, sizeof(LogState));
openLogTable[i]->fakeFd = FAKE_FD_BASE + i;
return openLogTable[i];
}
}
return NULL;
}
This is what should have been written here: sizeof(openLogTable) / sizeof(openLogTable[0]).
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 154
- V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 155
- V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 156
WebRTC
V557 Array overrun is possible. The value of 'btn' index could reach 52. ccapi_snapshot.c 38
cc_string_t lineLabels[MAX_CONFIG_LINES+1] = {0};
void ccsnap_set_line_label(int btn, cc_string_t label) {
....
if ( btn > 0 && btn <= MAX_CONFIG_LINES+1 ) {
....
if ( lineLabels[btn] == NULL ) {
....
}
....
}
WebRTC
V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 357
#define MAX_CCMS 4
ccm_cfg_t ccm[MAX_CCMS];
var_t prot_cfg_table[CFGID_PROTOCOL_MAX+1] = {
....
{"ccmSrstIpAddr", CFGVAR(ccm[4].address), PA_STR, PR_STR, 0},
{"ccmSrst_sipPort", CFGVAR(ccm[4].sip_port),PA_INT, PR_INT, 0},
{"ccmSrst_isValid", CFGVAR(ccm[4].is_valid),PA_INT, PR_INT, 0},
{"ccmSrst_securityLevel",
CFGVAR(ccm[4].sec_level), PA_INT, PR_INT, 0},
....
};
Similar errors can be found in some other places:
- V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 358
- V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 359
- V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 360
ITK
V557 Array overrun is possible. The value of '_vType' index could reach 29. metautils.cxx 239
#define MET_NUM_VALUE_TYPES 29
const char MET_ValueTypeName[MET_NUM_VALUE_TYPES][21] = { ... };
bool MET_TypeToString(MET_ValueEnumType _vType, char *_s)
{
if(_vType>=0 && _vType<=MET_NUM_VALUE_TYPES)
{
strcpy(_s, MET_ValueTypeName[_vType]);
return true;
}
return false;
}
Haiku Operation System
V557 Array overrun is possible. The '8' index is pointing beyond array bound. floppy_ctrl.c 637
typedef struct floppy {
....
uint8 result[8]; /* status of the last finished command */
....
};
void
floppy_dump_reg(floppy_t *flp) {
....
//uint8 result[10]; // <= This was correct!
uint8 *result = flp->result; // <= Bad fix! :)
....
dprintf(FLO "gap=%d wg=%d eis=%d fifo=%d "
"poll=%d thresh=%d pretrk=%d\n",
(result[7] & 0x02) >> 1, result[7] & 0x01,
(result[8] & 0x40) >> 6,
(result[8] & 0x20) >> 5, (result[8] & 0x10) >> 4,
result[8] & 0x0f, result[9]);
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The '9' index is pointing beyond array bound. floppy_ctrl.c 638
Godot Engine
V557 Array overrun is possible. The 'Physics2DServer::SHAPE_CONVEX_POLYGON' index is pointing beyond array bound. test_physics_2d.cpp 194
enum ShapeType {
SHAPE_LINE,
SHAPE_RAY,
SHAPE_SEGMENT,
SHAPE_CIRCLE,
SHAPE_RECTANGLE,
SHAPE_CAPSULE,
SHAPE_CONVEX_POLYGON,
SHAPE_CONCAVE_POLYGON,
SHAPE_CUSTOM,
};
BodyShapeData body_shape_data[6];
void _create_body_shape_data()
{
....
body_shape_data[Physics2DServer::SHAPE_CONVEX_POLYGON].image
=vs->texture_create_from_image(image);
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The 'Physics2DServer::SHAPE_CONVEX_POLYGON' index is pointing beyond array bound. test_physics_2d.cpp 209
Wine Is Not an Emulator
V557 Array overrun is possible. The '16' index is pointing beyond array bound. winaspi32.c 232
/* SCSI Miscellaneous Stuff */
#define SENSE_LEN 14
typedef struct tagSRB32_ExecSCSICmd {
....
BYTE SenseArea[SENSE_LEN+2];
} SRB_ExecSCSICmd, *PSRB_ExecSCSICmd;
static void
ASPI_PrintSenseArea(SRB_ExecSCSICmd *prb)
{
BYTE *rqbuf = prb->SenseArea;
....
if (rqbuf[15]&0x8) {
TRACE("Pointer at %d, bit %d\n",
rqbuf[16]*256+rqbuf[17],rqbuf[15]&0x7); // <=
}
....
}
Unreal Engine 4
V557 Array overrun is possible. The 'NumOutUAVs ++' index is pointing beyond array bound. distancefieldlightingshared.h 388
template<typename TParamRef>
void UnsetParameters(
FRHICommandList& RHICmdList, const TParamRef& ShaderRHI,
const FDistanceFieldCulledObjectBuffers& ObjectBuffers)
{
....
int32 NumOutUAVs = 0;
FUnorderedAccessViewRHIParamRef OutUAVs[3];
OutUAVs[NumOutUAVs++] = ObjectBuffers......;
OutUAVs[NumOutUAVs++] = ObjectBuffers.Bounds.UAV;
OutUAVs[NumOutUAVs++] = ObjectBuffers.Data.UAV;
if (CulledObjectBoxBounds.IsBound())
{
OutUAVs[NumOutUAVs++] = ObjectBuffers.BoxBounds.UAV;
}
....
}
ffdshow
V557 Array overrun is possible. The value of 'len' index could reach 16384. cavisynth.cpp 129
#define MAX_AVISYNTH_SCRIPT_LENGTH 16384
void TavisynthPage::onLoad(void)
{
char_t scriptflnm[MAX_PATH] = _l("");
if (dlgGetFile(....) {
FILE *f = fopen(scriptflnm, _l("rb"));
if (f) {
char script[MAX_AVISYNTH_SCRIPT_LENGTH];
size_t len =
fread(script, 1, MAX_AVISYNTH_SCRIPT_LENGTH, f);
fclose(f);
script[len] = '\0';
setDlgItemText(m_hwnd, IDC_ED_AVISYNTH,
text<char_t>(script));
}
parent->setChange();
}
}
ChakraCore
V557 Array overrun is possible. The value of 'i' index could reach 8. rl.cpp 2375
enum TestInfoKind::_TIK_COUNT = 9
const char * const TestInfoEnvLstFmt[] =
{
" TESTFILE=\"%s\"",
" BASELINE=\"%s\"",
" CFLAGS=\"%s\"",
" LFLAGS=\"%s\"",
NULL,
NULL,
NULL,
NULL // <= TestInfoEnvLstFmt[7]
};
void
WriteEnvLst
(
Test * pDir, TestList * pTestList
)
{
....
// print the other TIK_*
for(int i=0;i < _TIK_COUNT; i++) {
if (variants->testInfo.data[i] && TestInfoEnvLstFmt[i]){// <=
LstFilesOut->Add(TestInfoEnvLstFmt[i], // <=
variants->testInfo.data[i]);
}
....
}
....
}
FreeBSD Kernel
V557 Array overrun is possible. The '2' index is pointing beyond array bound. if_spppsubr.c 4348
#define AUTHKEYLEN 16
struct sauth {
u_short proto;
u_short flags;
#define AUTHFLAG_NOCALLOUT 1
#define AUTHFLAG_NORECHALLENGE 2
u_char name[AUTHNAMELEN];
u_char secret[AUTHKEYLEN];
u_char challenge[AUTHKEYLEN];
};
static void
sppp_chap_scr(struct sppp *sp)
{
u_long *ch, seed;
u_char clen;
/* Compute random challenge. */
ch = (u_long *)sp->myauth.challenge;
read_random(&seed, sizeof seed);
ch[0] = seed ^ random();
ch[1] = seed ^ random();
ch[2] = seed ^ random(); // <=
ch[3] = seed ^ random(); // <=
clen = AUTHKEYLEN;
....
}
If compile the 64-bit kernel, then when accessing ch[2] and ch[3] we'll have array index out of bounds. Details: http://www.viva64.com/en/b/0377/
Similar errors can be found in some other places:
- V557 Array overrun is possible. The '3' index is pointing beyond array bound. if_spppsubr.c 4349
The GTK+ Project
V557 Array overrun is possible. The value of 'i + 1' index could reach 21. gtkcssselector.c 1219
#define G_N_ELEMENTS(arr) (sizeof (arr) / sizeof ((arr)[0]))
static GtkCssSelector *
parse_selector_pseudo_class (....)
{
static const struct {
....
} pseudo_classes[] = {
{ "first-child", 0, 0, POSITION_FORWARD, 0, 1 },
....
{ "drop(active)", 0, GTK_STATE_FLAG_DROP_ACTIVE, }
};
guint i;
....
for (i = 0; i < G_N_ELEMENTS (pseudo_classes); i++)
{
....
{
if (pseudo_classes[i + 1].state_flag ==
pseudo_classes[i].state_flag)
_gtk_css_parser_error_full (parser,
GTK_CSS_PROVIDER_ERROR_DEPRECATED,
"The :%s pseudo-class is deprecated. Use :%s instead.",
pseudo_classes[i].name,
pseudo_classes[i + 1].name);
....
}
....
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'i + 1' index could reach 21. gtkcssselector.c 1224
OpenToonz
V557 Array overrun is possible. The '9' index is pointing beyond array bound. tconvolve.cpp 123
template <class PIXOUT>
void doConvolve_cm32_row_9_i(....)
{
TPixel32 val[9]; // <=
....
for (int i = 0; i < 9; ++i) { // <= OK
....
else if (tone == 0)
val[i] = inks[ink];
else
val[i] = blend(....);
}
pixout->r = (typename PIXOUT::Channel)((
val[1].r * w1 + val[2].r * w2 + val[3].r * w3 +
val[4].r * w4 + val[5].r * w5 + val[6].r * w6 +
val[7].r * w7 + val[8].r * w8 + val[9].r * w9 + // <= ERR
(1 << 15)) >> 16);
pixout->g = (typename PIXOUT::Channel)((
val[1].g * w1 + val[2].g * w2 + val[3].g * w3 +
val[4].g * w4 + val[5].g * w5 + val[6].g * w6 +
val[7].g * w7 + val[8].g * w8 + val[9].g * w9 + // <= ERR
(1 << 15)) >> 16);
pixout->b = (typename PIXOUT::Channel)((
val[1].b * w1 + val[2].b * w2 + val[3].b * w3 +
val[4].b * w4 + val[5].b * w5 + val[6].b * w6 +
val[7].b * w7 + val[8].b * w8 + val[9].b * w9 + // <= ERR
(1 << 15)) >> 16);
pixout->m = (typename PIXOUT::Channel)((
val[1].m * w1 + val[2].m * w2 + val[3].m * w3 +
val[4].m * w4 + val[5].m * w5 + val[6].m * w6 +
val[7].m * w7 + val[8].m * w8 + val[9].m * w9 + // <= ERR
(1 << 15)) >> 16);
....
}
Firebird
V557 Array overrun is possible. The value of 'prefixLen ++' index could reach 124. restore.cpp 10040
const int GDS_NAME_LEN = 32;
....
bool get_function(BurpGlobals* tdgbl)
{
....
struct isc_844_struct {
....
short isc_870; /* gds__null_flag */
....
char isc_874 [125]; /* RDB$PACKAGE_NAME */
....
} isc_844;
att_type attribute;
TEXT temp[GDS_NAME_LEN * 2];
....
SSHORT prefixLen = 0;
if (!/*X.RDB$PACKAGE_NAME.NULL*/
isc_844.isc_870)
{
prefixLen = static_cast<SSHORT>(strlen(/*X.RDB$PACKAGE_NAME*/
isc_844.isc_874));
memcpy(temp, /*X.RDB$PACKAGE_NAME*/
isc_844.isc_874, prefixLen);
temp[prefixLen++] = '.';
}
....
}
.NET CoreCLR
V557 Array overrun is possible. The value of 'dwCode - 1' index could reach 8. cordbdi rsmain.cpp 67
const char * GetDebugCodeName(DWORD dwCode)
{
if (dwCode < 1 || dwCode > 9)
{
return "!Invalid Debug Event Code!";
}
static const char * const szNames[] = {
"(1) EXCEPTION_DEBUG_EVENT",
"(2) CREATE_THREAD_DEBUG_EVENT",
....
"(8) OUTPUT_DEBUG_STRING_EVENT" // <=
"(9) RIP_EVENT",// only on Win9X
};
return szNames[dwCode - 1];
}
FreeBSD Kernel
V557 Array overrun is possible. The value of 'ridx' index could reach 27. r88e_chan.c 115
#define R88E_GROUP_2G 6
#define RTWN_RIDX_OFDM6 4
#define RTWN_RIDX_COUNT 28
struct rtwn_r88e_txagc {
uint8_t pwr[R88E_GROUP_2G][20]; /* RTWN_RIDX_MCS(7) + 1 */
};
void
r88e_get_txpower(struct rtwn_softc *sc, int chain,
struct ieee80211_channel *c, uint16_t power[RTWN_RIDX_COUNT])
{
const struct rtwn_r88e_txagc *base = rs->rs_txagc;
....
for (ridx = RTWN_RIDX_OFDM6; ridx < RTWN_RIDX_COUNT; ridx++) {
if (rs->regulatory == 3)
power[ridx] = base->pwr[0][ridx];
else if (rs->regulatory == 1) {
if (!IEEE80211_IS_CHAN_HT40(c))
power[ridx] = base->pwr[group][ridx];
} else if (rs->regulatory != 2)
power[ridx] = base->pwr[0][ridx];
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'ridx' index could reach 27. r88e_chan.c 118
- V557 Array overrun is possible. The value of 'ridx' index could reach 27. r88e_chan.c 120
MuseScore
V557 Array overrun is possible. The value of 'cidx' index could reach 4. staff.cpp 1029
ClefTypeList clefTypes[MAX_STAVES];
int staffLines[MAX_STAVES];
BracketType bracket[MAX_STAVES];
int bracketSpan[MAX_STAVES];
int barlineSpan[MAX_STAVES];
bool smallStaff[MAX_STAVES];
void Staff::init(...., const StaffType* staffType, int cidx)
{
if (cidx > MAX_STAVES) { // <=
setSmall(0, false);
}
else {
setSmall(0, t->smallStaff[cidx]);
setBracketType(0, t->bracket[cidx]);
setBracketSpan(0, t->bracketSpan[cidx]);
setBarLineSpan(t->barlineSpan[cidx]);
}
....
}
MuseScore
V557 Array overrun is possible. The value of 'i' index could reach 59. inspectorAmbitus.cpp 70
class NoteHead : public Symbol {
....
public:
enum class Group : signed char {
HEAD_NORMAL = 0,
HEAD_CROSS,
HEAD_PLUS,
....
HEAD_GROUPS, // <= 59
HEAD_INVALID = -1
};
....
}
InspectorAmbitus::InspectorAmbitus(QWidget* parent)
: InspectorElementBase(parent)
{
r.setupUi(addWidget());
s.setupUi(addWidget());
static const NoteHead::Group heads[] = {
NoteHead::Group::HEAD_NORMAL,
NoteHead::Group::HEAD_CROSS,
NoteHead::Group::HEAD_DIAMOND,
NoteHead::Group::HEAD_TRIANGLE_DOWN,
NoteHead::Group::HEAD_SLASH,
NoteHead::Group::HEAD_XCIRCLE,
NoteHead::Group::HEAD_DO,
NoteHead::Group::HEAD_RE,
NoteHead::Group::HEAD_MI,
NoteHead::Group::HEAD_FA,
NoteHead::Group::HEAD_SOL,
NoteHead::Group::HEAD_LA,
NoteHead::Group::HEAD_TI,
NoteHead::Group::HEAD_BREVIS_ALT
};
....
for (int i = 0; i < int(NoteHead::Group::HEAD_GROUPS); ++i)
r.noteHeadGroup->setItemData(i, int(heads[i]));//out of bound
....
}
Rosegarden
V557 Array overrun is possible. The value of 'submaster' index could reach 64. SequencerDataBlock.cpp 325
#define SEQUENCER_DATABLOCK_MAX_NB_SUBMASTERS 64
class SequencerDataBlock
{
....
protected:
int m_submasterLevelUpdateIndices[64];
....
}
bool
SequencerDataBlock::getSubmasterLevel(int submaster, ....) const
{
....int lastUpdateIndex[SEQUENCER_DATABLOCK_MAX_NB_SUBMASTERS];
if (submaster < 0 ||
submaster > SEQUENCER_DATABLOCK_MAX_NB_SUBMASTERS) {
info.level = info.levelRight = 0;
return false;
}
int currentUpdateIndex=m_submasterLevelUpdateIndices[submaster];
info = m_submasterLevels[submaster];
if (lastUpdateIndex[submaster] != currentUpdateIndex) {
lastUpdateIndex[submaster] = currentUpdateIndex;
return true;
} else {
return false; // no change
}
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'submaster' index could reach 64. SequencerDataBlock.cpp 343
- V557 Array overrun is possible. The value of 'submaster' index could reach 64. SequencerDataBlock.cpp 344
libvpx
V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 931
#define VP9_LEVELS 14
extern const Vp9LevelSpec vp9_level_defs[VP9_LEVELS];
typedef enum {
....
LEVEL_MAX = 255
} VP9_LEVEL;
static INLINE int log_tile_cols_from_picsize_level(
uint32_t width, uint32_t height)
{
int i;
const uint32_t pic_size = width * height;
const uint32_t pic_breadth = VPXMAX(width, height);
for (i = LEVEL_1; i < LEVEL_MAX; ++i) {
if (vp9_level_defs[i].max_luma_picture_size >= pic_size &&
vp9_level_defs[i].max_luma_picture_breadth >= pic_breadth)
{
return get_msb(vp9_level_defs[i].max_col_tiles);
}
}
return INT_MAX;
}
Apparently, a wrong constant is used. In an array of 14 elements the cycle index reaches a value of 254. Probably, the cycle was supposed to be as follows: for (i = LEVEL_1; i < VP9_LEVELS; ++i) {
Similar errors can be found in some other places:
- V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 932
- V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 933
SQLite
V557 CWE-125 Array overrun is possible. The value of 'stateno' index could reach 992. sqlite3.c 138802
static const short yy_shift_ofst[] = {
/* 0 */ 355, 888, 1021, 909, 1063, 1063, 1063, 1063, 20, -19,
....
/* 450 */ 1440, 1443, 1538, 1542, 1562,
}
#define YY_SHIFT_COUNT (454)
#define YY_MIN_REDUCE 993
static unsigned int yy_find_shift_action(....)
{
int i;
int stateno = pParser->yytos->stateno;
if( stateno>=YY_MIN_REDUCE ) return stateno; // <=
assert( stateno <= YY_SHIFT_COUNT );
do {
i = yy_shift_ofst[stateno]; // <=
....
}
An array yy_shift_ofst consists of 455 items. In this case, the protection in function is made in the way that when accessing to this array the index must not be greater than 993. Something is clearly wrong here. Below there is a correct assert, but it will not help in the Release-version.
XNU kernel
V557 CWE-787 Array overrun is possible. The value of 'length - 1' index could reach 23. necp_client.c 1460
#define IFNAMSIZ 16
#define IFXNAMSIZ (IFNAMSIZ + 8)
#define NECP_MAX_PARSED_PARAMETERS 16
struct necp_client_parsed_parameters {
....
char prohibited_interfaces[IFXNAMSIZ]
[NECP_MAX_PARSED_PARAMETERS];
....
};
static int
necp_client_parse_parameters(....,
struct necp_client_parsed_parameters *parsed_parameters)
{
....
u_int32_t length = ....;
....
if (length <= IFXNAMSIZ && length > 0) {
memcpy(parsed_parameters->prohibited_interfaces[
num_prohibited_interfaces],
value, length);
parsed_parameters->prohibited_interfaces[
num_prohibited_interfaces][length - 1] = 0;
....
}
Most likely, the array was declared incorrectly and it should be written as follows: char prohibited_interfaces[NECP_MAX_PARSED_PARAMETERS][IFXNAMSIZ];
Android
V557 CWE-119 Array overrun is possible. The value of 'idx' index could reach 6. btif_hf.cc 277
static btif_hf_cb_t btif_hf_cb[BTA_AG_MAX_NUM_CLIENTS];
static bool IsSlcConnected(RawAddress* bd_addr) {
if (!bd_addr) {
LOG(WARNING) << __func__ << ": bd_addr is null";
return false;
}
int idx = btif_hf_idx_by_bdaddr(bd_addr);
if (idx < 0 || idx > BTA_AG_MAX_NUM_CLIENTS) {
LOG(WARNING) << __func__ << ": invalid index "
<< idx << " for " << *bd_addr;
return false;
}
return btif_hf_cb[idx].state ==
BTHF_CONNECTION_STATE_SLC_CONNECTED;
}
Similar errors can be found in some other places:
- V557 CWE-119 Array overrun is possible. The value of 'idx' index could reach 6. btif_hf.cc 869
- V557 CWE-119 Array overrun is possible. The value of 'index' index could reach 6. btif_rc.cc 374
Amazon Lumberyard
V557 CWE-119 Array overrun is possible. The 'id' index is pointing beyond array bound. gameobjectsystem.cpp 113
uint32 CGameObjectSystem::GetExtensionSerializationPriority(....)
{
if (id > m_extensionInfo.size())
{
return 0xffffffff; // minimum possible priority
}
else
{
return m_extensionInfo[id].serializationPriority;
}
}
Amazon Lumberyard
V557 CWE-119 Array overrun is possible. The 'index' index is pointing beyond array bound. vehicleseatgroup.cpp 73
CVehicleSeat* CVehicleSeatGroup::GetSeatByIndex(unsigned index)
{
if (index >= 0 && index <= m_seats.size())
{
return m_seats[index];
}
return NULL;
}
Similar errors can be found in some other places:
- V557 CWE-119 Array overrun is possible. The 'id' index is pointing beyond array bound. gameobjectsystem.cpp 195
- V557 CWE-119 Array overrun is possible. The 'id' index is pointing beyond array bound. gameobjectsystem.cpp 290
- V557 CWE-119 Array overrun is possible. The 'stateId' index is pointing beyond array bound. vehicleanimation.cpp 311
- And 1 additional diagnostic messages.
Godot Engine
V557 CWE-125 Array overrun is possible. The value of 'i' index could reach 9. input_default.cpp 1119
enum JoystickList {
....
JOY_AXIS_MAX = 10,
....
};
static const char *_axes[] = {
"Left Stick X",
"Left Stick Y",
"Right Stick X",
"Right Stick Y",
"",
"",
"L2",
"R2"
};
int InputDefault::get_joy_axis_index_from_string(String p_axis) {
for (int i = 0; i < JOY_AXIS_MAX; i++) {
if (p_axis == _axes[i]) {
return i;
}
}
ERR_FAIL_V(-1);
}
NCBI Genome Workbench
V557 Array overrun is possible. The 'row' index is pointing beyond array bound. aln_reader.cpp 412
bool CAlnReader::x_IsGap(TNumrow row, TSeqPos pos, const string& residue)
{
if (m_MiddleSections.size() == 0) {
x_CalculateMiddleSections();
}
if (row > m_MiddleSections.size()) {
return false;
}
if (pos < m_MiddleSections[row].first) {
....
}
....
}
if (row >= m_MiddleSections.size()) {
return false;
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The 'i' index is pointing beyond array bound. resource_pool.hpp 388
- V557 Array overrun is possible. The 'row' index is pointing beyond array bound. aln_reader.cpp 418
- V557 Array overrun is possible. The 'fmt_idx' index is pointing beyond array bound. seq_writer.cpp 384
- And 2 additional diagnostic messages.
LibreOffice
V557 Array overrun is possible. The 'nPageNum' index is pointing beyond array bound. pptx-epptooxml.cxx 1168
void PowerPointExport::ImplWriteNotes(sal_uInt32 nPageNum)
{
....
// add slide implicit relation to notes
if (mpSlidesFSArray.size() >= nPageNum)
addRelation(mpSlidesFSArray[ nPageNum ]->getOutputStream(),
oox::getRelationship(Relationship::NOTESSLIDE),
OUStringBuffer()
.append("../notesSlides/notesSlide")
.append(static_cast<sal_Int32>(nPageNum) + 1)
.append(".xml")
.makeStringAndClear());
....
}
LibreOffice
V557 Array overrun is possible. The 'mnSelectedMenu' index is pointing beyond array bound. checklistmenu.cxx 826
void ScMenuFloatingWindow::ensureSubMenuNotVisible()
{
if (mnSelectedMenu <= maMenuItems.size() &&
maMenuItems[mnSelectedMenu].mpSubMenuWin &&
maMenuItems[mnSelectedMenu].mpSubMenuWin->IsVisible())
{
maMenuItems[mnSelectedMenu].mpSubMenuWin->ensureSubMenuNotVisible();
}
EndPopupMode();
}
LibreOffice
V557 Array overrun is possible. The 'nXFIndex' index is pointing beyond array bound. xestyle.cxx 2613
sal_Int32 XclExpXFBuffer::GetXmlStyleIndex( sal_uInt32 nXFIndex ) const
{
OSL_ENSURE( nXFIndex < maStyleIndexes.size(), "...." );
if( nXFIndex > maStyleIndexes.size() )
return 0; // should be caught/debugged via above assert;
return maStyleIndexes[ nXFIndex ];
}
FreeRDP
V557 Array overrun is possible. The value of 'event->EventHandlerCount' index could reach 32. PubSub.c 117
#define MAX_EVENT_HANDLERS 32
struct _wEventType
{
....
int EventHandlerCount;
pEventHandler EventHandlers[MAX_EVENT_HANDLERS];
};
int PubSub_Subscribe(wPubSub* pubSub, const char* EventName,
pEventHandler EventHandler)
{
....
if (event->EventHandlerCount <= MAX_EVENT_HANDLERS)
{
event->EventHandlers[event->EventHandlerCount] = EventHandler;
event->EventHandlerCount++;
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'iBitmapFormat' index could reach 8. orders.c 2623
rdesktop
V557 Array underrun is possible. The value of 'n' index could reach -1. rdesktop.c 1872
RD_BOOL
subprocess(char *const argv[], str_handle_lines_t linehandler, void *data)
{
int n = 1;
char output[256];
....
while (n > 0)
{
n = read(fd[0], output, 255);
output[n] = '\0'; // <=
str_handle_lines(output, &rest, linehandler, data);
}
....
}
xrdp
V557 Array overrun is possible. The value of 'i - 8' index could reach 129. genkeymap.c 142
// evdev-map.c
int xfree86_to_evdev[137-8+1] = {
....
};
// genkeymap.c
extern int xfree86_to_evdev[137-8];
int main(int argc, char **argv)
{
....
for (i = 8; i <= 137; i++) /* Keycodes */
{
if (is_evdev)
e.keycode = xfree86_to_evdev[i-8];
....
}
....
}
Haiku Operation System
V557 Array overrun is possible. The 'BT_SCO' index is pointing beyond array bound. h2upper.cpp 75
struct bt_usb_dev {
....
struct list nbuffersTx[(1 + 1 + 0 + 0)]; // <= [0..1]
....
}
typedef enum {
BT_COMMAND = 0,
BT_EVENT,
BT_ACL,
BT_SCO, // <= 3
BT_ESCO,
HCI_NUM_PACKET_TYPES
} bt_packet_t;
void
sched_tx_processing(bt_usb_dev* bdev)
{
....
if (!list_is_empty(&bdev->nbuffersTx[BT_SCO])) { // <= fail
// TODO to be implemented
}
....
}
Haiku Operation System
V557 Array overrun is possible. The 'ieee80211_send_setup' function processes value '16'. Inspect the fourth argument. Check lines: 842, 911. ieee80211_output.c 842
struct ieee80211_node {
....
struct ieee80211_tx_ampdu ni_tx_ampdu[16]; // <= [0..15]
....
};
#define IEEE80211_NONQOS_TID 16
int
ieee80211_mgmt_output(....)
{
....
ieee80211_send_setup(ni, m,
IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID, // <= 16
vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid);
....
}
void
ieee80211_send_setup(
struct ieee80211_node *ni,
struct mbuf *m,
int type,
int tid, // <= 16
....)
{
....
tap = &ni->ni_tx_ampdu[tid]; // <= 16
....
}
EAStdC
V557 Array overrun is possible. The value of 'nFormatLength' index could reach 16. EASprintfOrdered.cpp 246
static const int kSpanFormatCapacity = 16;
struct Span8
{
....
char mFormat[kSpanFormatCapacity];
....
};
static int OVprintfCore(....)
{
....
EA_ASSERT(nFormatLength < kSpanFormatCapacity);
if(nFormatLength < kSpanFormatCapacity)
spans[spanIndex].mFormat[nFormatLength++] = *p; // <=
else
return -1;
switch(*p)
{
case 'b': case 'd': case 'i': case 'u': case 'o': case 'x': case 'X':
case 'g': case 'G': case 'e': case 'E': case 'f': case 'F': case 'a':
case 'A': case 'p': case 'c': case 'C': case 's': case 'S': case 'n':
{
// Finalize the current span.
spans[spanIndex].mpEnd = p + 1;
spans[spanIndex].mFormat[nFormatLength] = 0; // <=
spans[spanIndex].mFormatChar = *p;
if(++spanIndex == kSpanCapacity)
break;
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'nFormatLength' index could reach 16. EASprintfOrdered.cpp 614
- V557 Array overrun is possible. The value of 'nFormatLength' index could reach 16. EASprintfOrdered.cpp 977
Bullet Physics SDK
V557 Array overrun is possible. The value of 'dofIndex + dof' index could reach 130. PhysicsClientC_API.cpp 968
#define MAX_DEGREE_OF_FREEDOM 128
double m_desiredState[MAX_DEGREE_OF_FREEDOM];
B3_SHARED_API int b3JointControl(int dofIndex,
double* forces,
int dofCount, ....)
{
....
if ( (dofIndex >= 0)
&& (dofIndex < MAX_DEGREE_OF_FREEDOM )
&& dofCount >= 0
&& dofCount <= 4)
{
for (int dof = 0; dof < dofCount; dof++)
{
command->m_sendState.m_desiredState[dofIndex+dof] = forces[dof];
....
}
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'len' index could reach 1024. PhysicsClientC_API.cpp 5223
libarchive
V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2749
static int64_t
expand(struct archive_read *a, int64_t end)
{
....
if ((lensymbol = read_next_symbol(a, &rar->lengthcode)) < 0)
goto bad_data;
if (lensymbol > (int)(sizeof(lengthbases)/sizeof(lengthbases[0])))
goto bad_data;
if (lensymbol > (int)(sizeof(lengthbits)/sizeof(lengthbits[0])))
goto bad_data;
len = lengthbases[lensymbol] + 2;
if (lengthbits[lensymbol] > 0) {
if (!rar_br_read_ahead(a, br, lengthbits[lensymbol]))
goto truncated_data;
len += rar_br_bits(br, lengthbits[lensymbol]);
rar_br_consume(br, lengthbits[lensymbol]);
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2750
- V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2751
- V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2753
- And 2 additional diagnostic messages.
Doom 1
V557 [CWE-119] Array overrun is possible. The value of 'i' index could reach 49. p_switch.c 123
#define MAXSWITCHES 50
void P_InitSwitchList(void)
{
....
for (int index = 0, i = 0; i < MAXSWITCHES; i++)
{
if (!alphSwitchList[i].episode)
{
....
break;
}
if (alphSwitchList[i].episode <= episode)
{
.... = R_TextureNumForName(alphSwitchList[i].name1);
.... = R_TextureNumForName(alphSwitchList[i].name2);
}
}
....
}
switchlist_t alphSwitchList[] =
{
{"SW1BRCOM", "SW2BRCOM", 1},
....
{"\0", "\0", 0}
};
Doom 1
V557 [CWE-628] Array overrun is possible. The 'F_DrawPatchCol' function processes value '[0..319]'. Inspect the third argument. Check lines: 621, 668. f_finale.c 621
#define SCREENWIDTH 320
void F_BunnyScroll (void)
{
int scrolled;
....
scrolled = ....;
if (scrolled > 320)
scrolled = 320;
if (scrolled < 0)
scrolled = 0;
for (x=0; x<SCREENWIDTH; x++)
{
if (x+scrolled < 320)
F_DrawPatchCol (...., x+scrolled);
else
F_DrawPatchCol (...., x+scrolled - 320);
}
....
}
void F_DrawPatchCol (...., int col)
{
column_t *column;
....
column = .... + LONG(patch->columnofs[col]));
....
}
typedef struct
{
....
int columnofs[8];
} patch_t;
Similar errors can be found in some other places:
- V557 [CWE-628] Array overrun is possible. The 'F_DrawPatchCol' function processes value '[0..319]'. Inspect the third argument. Check lines: 621, 670. f_finale.c 621
Kodi
V557 Array overrun is possible. The 'idx' index is pointing beyond array bound. PlayerCoreFactory.cpp:240
std::vector<CPlayerCoreConfig *> m_vecPlayerConfigs;
bool CPlayerCoreFactory::PlaysVideo(const std::string& player) const
{
CSingleLock lock(m_section);
size_t idx = GetPlayerIndex(player);
if (m_vecPlayerConfigs.empty() || idx > m_vecPlayerConfigs.size())
return false;
return m_vecPlayerConfigs[idx]->m_bPlaysVideo;
}
ROOT
V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 130
bool BasicMinimizer::SetVariableValue(unsigned int ivar, double val) {
if (ivar > fValues.size() ) return false;
fValues[ivar] = val;
return true;
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 186
- V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 194
- V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 209
- And 2 additional diagnostic messages.
Command & Conquer
V557 Array overrun is possible. The '9' index is pointing beyond array bound. FOOT.CPP 232
#define CONQUER_PATH_MAX 9 // Number of cells to look ahead for movement.
FacingType Path[CONQUER_PATH_MAX];
void FootClass::Debug_Dump(MonoClass *mono) const
{
....
if (What_Am_I() != RTTI_AIRCRAFT) {
mono->Set_Cursor(50, 3);
mono->Printf("%s%s%s%s%s%s%s%s%s%s%s%s",
Path_To_String(Path[0]),
Path_To_String(Path[1]),
Path_To_String(Path[2]),
Path_To_String(Path[3]),
Path_To_String(Path[4]),
Path_To_String(Path[5]),
Path_To_String(Path[6]),
Path_To_String(Path[7]),
Path_To_String(Path[8]),
Path_To_String(Path[9]),
Path_To_String(Path[10]),
Path_To_String(Path[11]),
Path_To_String(Path[12]));
....
}
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The '10' index is pointing beyond array bound. FOOT.CPP 233
- V557 Array overrun is possible. The '11' index is pointing beyond array bound. FOOT.CPP 234
- V557 Array overrun is possible. The '12' index is pointing beyond array bound. FOOT.CPP 235
Command & Conquer
V557 Array underrun is possible. The value of '_SpillTable[index]' index could reach -1. COORD.CPP 149
typedef enum FacingType : char {
....
FACING_COUNT, // 8
FACING_FIRST=0
} FacingType;
short const * Coord_Spillage_List(COORDINATE coord, int maxsize)
{
static short const _MoveSpillage[(int)FACING_COUNT+1][5] = {
....
};
static char const _SpillTable[16] = {8,6,2,-1,0,7,1,-1,4,5,3,-1,-1,-1,-1,-1};
....
return(&_MoveSpillage[_SpillTable[index]][0]);
....
}
Command & Conquer
V557 Array overrun is possible. The 'QuantityB' function processes value '[0..86]'. Inspect the first argument. Check lines: 'HOUSE.H:928', 'CELL.CPP:2337'. HOUSE.H 928
typedef enum StructType : char {
STRUCT_NONE=-1,
....
STRUCT_COUNT, // <= 87
STRUCT_FIRST=0
} StructType;
int BQuantity[STRUCT_COUNT-3]; // <= [0..83]
int QuantityB(int index) {return(BQuantity[index]);} // <= [0..86]
bool CellClass::Goodie_Check(FootClass * object)
{
....
int bcount = 0;
for( j=0; j < STRUCT_COUNT; j++) {
bcount += hptr->QuantityB(j); // <= [0..86]
}
....
}
Qemu
V557 Array overrun is possible. The 'dwc2_glbreg_read' function processes value '[0..63]'. Inspect the third argument. Check lines: 667, 1040. hcd-dwc2.c 667
#define HSOTG_REG(x) (x)
....
struct DWC2State {
....
#define DWC2_GLBREG_SIZE 0x70
uint32_t glbreg[DWC2_GLBREG_SIZE / sizeof(uint32_t)];
....
}
....
static uint64_t dwc2_glbreg_read(void *ptr, hwaddr addr, int index,
unsigned size)
{
....
val = s->glbreg[index];
....
}
static uint64_t dwc2_hsotg_read(void *ptr, hwaddr addr, unsigned size)
{
....
switch (addr) {
case HSOTG_REG(0x000) ... HSOTG_REG(0x0fc):
val = dwc2_glbreg_read(ptr, addr,
(addr - HSOTG_REG(0x000)) >> 2, size);
....
}
....
}
LLVM/Clang
V557 Array overrun is possible. The 'Index' index is pointing beyond array bound. ASTReader.cpp 7318
std::vector<Decl *> DeclsLoaded;
SourceLocation ASTReader::getSourceLocationForDeclID(GlobalDeclID ID) {
....
unsigned Index = ID - NUM_PREDEF_DECL_IDS;
if (Index > DeclsLoaded.size()) {
Error("declaration ID out-of-range for AST file");
return SourceLocation();
}
if (Decl *D = DeclsLoaded[Index])
return D->getLocation();
....
}
Espressif IoT Development Framework
V557 Array overrun is possible. The value of 'other_if' index could reach 3. mdns.c 2206
typedef enum mdns_if_internal {
MDNS_IF_STA = 0,
MDNS_IF_AP = 1,
MDNS_IF_ETH = 2,
MDNS_IF_MAX
} mdns_if_t;
typedef struct mdns_server_s {
struct {
mdns_pcb_t pcbs[MDNS_IP_PROTOCOL_MAX];
} interfaces[MDNS_IF_MAX];
const char * hostname;
const char * instance;
mdns_srv_item_t * services;
SemaphoreHandle_t lock;
QueueHandle_t action_queue;
mdns_tx_packet_t * tx_queue_head;
mdns_search_once_t * search_once;
esp_timer_handle_t timer_handle;
} mdns_server_t;
mdns_server_t * _mdns_server = NULL;
static mdns_if_t _mdns_get_other_if (mdns_if_t tcpip_if)
{
if (tcpip_if == MDNS_IF_STA) {
return MDNS_IF_ETH;
} else if (tcpip_if == MDNS_IF_ETH) {
return MDNS_IF_STA;
}
return MDNS_IF_MAX;
}
static void _mdns_dup_interface(mdns_if_t tcpip_if)
{
uint8_t i;
mdns_if_t other_if = _mdns_get_other_if (tcpip_if);
for (i=0; i<MDNS_IP_PROTOCOL_MAX; i++) {
if (_mdns_server->interfaces[other_if].pcbs[i].pcb) {
....
}
}
}
Espressif IoT Development Framework
V557 Array overrun is possible. The '_mdns_announce_pcb' function processes value '[0..3]'. Inspect the first argument. Check lines: 1674, 2213. mdns.c 1674
typedef enum mdns_if_internal {
MDNS_IF_STA = 0,
MDNS_IF_AP = 1,
MDNS_IF_ETH = 2,
MDNS_IF_MAX
} mdns_if_t;
typedef struct mdns_server_s {
struct {
mdns_pcb_t pcbs[MDNS_IP_PROTOCOL_MAX];
} interfaces[MDNS_IF_MAX];
const char * hostname;
const char * instance;
mdns_srv_item_t * services;
SemaphoreHandle_t lock;
QueueHandle_t action_queue;
mdns_tx_packet_t * tx_queue_head;
mdns_search_once_t * search_once;
esp_timer_handle_t timer_handle;
} mdns_server_t;
mdns_server_t * _mdns_server = NULL;
static void _mdns_announce_pcb(mdns_if_t tcpip_if,
mdns_ip_protocol_t ip_protocol,
mdns_srv_item_t ** services,
size_t len, bool include_ip)
{
mdns_pcb_t * _pcb = &_mdns_server->interfaces[tcpip_if].pcbs[ip_protocol];
....
}
static mdns_if_t _mdns_get_other_if (mdns_if_t tcpip_if)
{
if (tcpip_if == MDNS_IF_STA) {
return MDNS_IF_ETH;
} else if (tcpip_if == MDNS_IF_ETH) {
return MDNS_IF_STA;
}
return MDNS_IF_MAX;
}
static void _mdns_dup_interface(mdns_if_t tcpip_if)
{
uint8_t i;
mdns_if_t other_if = _mdns_get_other_if (tcpip_if);
for (i=0; i<MDNS_IP_PROTOCOL_MAX; i++) {
if (_mdns_server->interfaces[other_if].pcbs[i].pcb) {
//stop this interface and mark as dup
if (_mdns_server->interfaces[tcpip_if].pcbs[i].pcb) {
_mdns_clear_pcb_tx_queue_head(tcpip_if, i);
_mdns_pcb_deinit(tcpip_if, i);
}
_mdns_server->interfaces[tcpip_if].pcbs[i].state = PCB_DUP;
_mdns_announce_pcb(other_if, i, NULL, 0, true); // <=
}
}
}
Espressif IoT Development Framework
V557 Array overrun is possible. The value of 'frame->exccause' index could reach 16. gdbstub_xtensa.c 132
int esp_gdbstub_get_signal(const esp_gdbstub_frame_t *frame)
{
const char exccause_to_signal[] =
{4, 31, 11, 11, 2, 6, 8, 0, 6, 7, 0, 0, 7, 7, 7, 7};
if (frame->exccause > sizeof(exccause_to_signal)) {
return 11;
}
return (int) exccause_to_signal[frame->exccause];
}
Storm Engine
V557 Array overrun is possible. The value of 'TempLong2 - TempLong1 + 1' index could reach 520. internal_functions.cpp 1131
DATA *COMPILER::BC_CallIntFunction(....)
{
if (TempLong2 - TempLong1 >= sizeof(Message_string))
{
SetError("internal: buffer too small");
pV = SStack.Push();
pV->Set("");
pVResult = pV;
return pV;
}
memcpy(Message_string, pChar + TempLong1,
TempLong2 - TempLong1 + 1);
Message_string[TempLong2 - TempLong1 + 1] = 0;
pV = SStack.Push();
}
LLVM/Clang
V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'Kind' index could reach 19. InstrumentationMap.cpp 196
enum class FunctionKinds { ENTRY, EXIT, TAIL, LOG_ARGS_ENTER, CUSTOM_EVENT };
....
static Error loadObj(....) {
....
auto Kind = Extractor.getU8(&OffsetPtr);
static constexpr SledEntry::FunctionKinds Kinds[] = {
SledEntry::FunctionKinds::ENTRY, SledEntry::FunctionKinds::EXIT,
SledEntry::FunctionKinds::TAIL,
SledEntry::FunctionKinds::LOG_ARGS_ENTER,
SledEntry::FunctionKinds::CUSTOM_EVENT};
if (Kind >= sizeof(Kinds))
return errorCodeToError(
std::make_error_code(std::errc::executable_format_error));
Entry.Kind = Kinds[Kind];
....
}
RPCS3
V557 Array underrun is possible. The value of 'month + - 1' index could reach -1. cellRtc.cpp 1470
error_code cellRtcGetDaysInMonth(s32 year, s32 month)
{
cellRtc.todo("cellRtcGetDaysInMonth(year=%d, month=%d)", year, month);
if ((year < 0) || (month < 0) || (month > 12))
{
return CELL_RTC_ERROR_INVALID_ARG;
}
if (is_leap_year(year))
{
return not_an_error(DAYS_IN_MONTH[month + 11]);
}
return not_an_error(DAYS_IN_MONTH[month + -1]); // <=
}
RPCS3
V557 Array overrun is possible. The 'pad' index is pointing beyond array bound. pad_thread.cpp 191
void pad_thread::SetRumble(const u32 pad, u8 largeMotor, bool smallMotor)
{
if (pad > m_pads.size())
return;
if (m_pads[pad]->m_vibrateMotors.size() >= 2)
{
m_pads[pad]->m_vibrateMotors[0].m_value = largeMotor;
m_pads[pad]->m_vibrateMotors[1].m_value = smallMotor ? 255 : 0;
}
}
Blend2D
V557 Array overrun is possible. The '3' index is pointing beyond array bound. geometry_p.h 552
static BL_INLINE bool blIsCubicFlat(const BLPoint p[3], double f) {
if (p[3] == p[0]) {
// ....
}
// ....
}
Ogre3D
V557 Array overrun is possible. The 'j' index is pointing beyond array bound. OgreAnimationTrack.cpp 219
void AnimationTrack::_buildKeyFrameIndexMap(
const std::vector<Real>& keyFrameTimes)
{
// ....
size_t i = 0, j = 0;
while (j <= keyFrameTimes.size()) // <=
{
mKeyFrameIndexMap[j] = static_cast<ushort>(i);
while (i < mKeyFrames.size()
&& mKeyFrames[i]->getTime() <= keyFrameTimes[j]) // <=
++i;
++j;
}
}
The j index that gives us access to the elements of the keyFrameTimes container is incremented to a value equal to the container size
GPCS4
V557 [CWE-787] Array overrun is possible. The 'dynamicStateCount ++' index is pointing beyond array bound. VltGraphics.cpp 157
VkPipeline VltGraphicsPipeline::createPipeline(....) const
{
....
std::array<VkDynamicState, 6> dynamicStates;
uint32_t dynamicStateCount = 0;
dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_VIEWPORT;
dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_SCISSOR;
if (state.useDynamicDepthBias())
dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_DEPTH_BIAS;
if (state.useDynamicDepthBounds())
{
dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_DEPTH_BOUNDS;
dynamicStates[dynamicStateCount++] =
VK_DYNAMIC_STATE_DEPTH_BOUNDS_TEST_ENABLE;
}
if (state.useDynamicBlendConstants())
dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_BLEND_CONSTANTS;
if (state.useDynamicStencilRef())
dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_STENCIL_REFERENCE;
....
}
#info if all 7 assignes happen, the 'dynamiStates' array will overrun
GCC
V557 Array overrun is possible. The value of 'i' index could reach 256. c-format.cc 1994
char m_flag_chars[256];
void
flag_chars_t::add_char (char ch)
{
int i = strlen (m_flag_chars);
m_flag_chars[i++] = ch;
m_flag_chars[i] = 0;
}
FreeCAD
V557 [CWE-119, CERT-ARR30-C] Array overrun is possible. The 'iTarget' index is pointing beyond array bound. DrawViewPart.cpp 809
/*static*/ int DrawUtil::getIndexFromName(const std::string& geomName)
{
....
if (boost::regex_search(begin, end, what, re, flags)) {
return int(std::stoi(what.str()));
} else {
ErrorMsg << "getIndexFromName: malformed geometry name - " << geomName;
throw Base::ValueError(ErrorMsg.str());
}
}
TechDraw::VertexPtr DrawViewPart::getVertex(std::string vertexName) const
{
const std::vector<TechDraw::VertexPtr>
allVertex(DrawViewPart::getVertexGeometry());
size_t iTarget = DrawUtil::getIndexFromName(vertexName);
if (allVertex.empty()) {
//should not happen
throw Base::IndexError("DVP::getVertex - No vertices found.");
}
if (iTarget > allVertex.size()) { // <=
//should not happen
throw Base::IndexError("DVP::getVertex - Vertex not found.");
}
return allVertex.at(iTarget); // <=
}
GTK
V557 [CWE-119, CERT-ARR30-C] Array overrun is possible. The value of 'format' index could reach 27. testupload.c 13
typedef enum {
GDK_MEMORY_B8G8R8A8_PREMULTIPLIED,
GDK_MEMORY_A8R8G8B8_PREMULTIPLIED,
GDK_MEMORY_R8G8B8A8_PREMULTIPLIED,
GDK_MEMORY_B8G8R8A8,
GDK_MEMORY_A8R8G8B8,
GDK_MEMORY_R8G8B8A8,
GDK_MEMORY_A8B8G8R8,
GDK_MEMORY_R8G8B8,
GDK_MEMORY_B8G8R8,
GDK_MEMORY_R16G16B16,
GDK_MEMORY_R16G16B16A16_PREMULTIPLIED,
GDK_MEMORY_R16G16B16A16,
GDK_MEMORY_R16G16B16_FLOAT,
GDK_MEMORY_R16G16B16A16_FLOAT_PREMULTIPLIED,
GDK_MEMORY_R16G16B16A16_FLOAT,
GDK_MEMORY_R32G32B32_FLOAT,
GDK_MEMORY_R32G32B32A32_FLOAT_PREMULTIPLIED,
GDK_MEMORY_R32G32B32A32_FLOAT,
GDK_MEMORY_G8A8_PREMULTIPLIED GDK_AVAILABLE_ENUMERATOR_IN_4_12,
GDK_MEMORY_G8A8 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
GDK_MEMORY_G8 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
GDK_MEMORY_G16A16_PREMULTIPLIED GDK_AVAILABLE_ENUMERATOR_IN_4_12,
GDK_MEMORY_G16A16 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
GDK_MEMORY_G16 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
GDK_MEMORY_A8 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
GDK_MEMORY_A16 GDK_AVAILABLE_ENUMERATOR_IN_4_12,
GDK_MEMORY_A16_FLOAT GDK_AVAILABLE_ENUMERATOR_IN_4_12,
GDK_MEMORY_A32_FLOAT GDK_AVAILABLE_ENUMERATOR_IN_4_12,
GDK_MEMORY_N_FORMATS
} GdkMemoryFormat;
static const char *format_name[] = {
"BGRAp", "ARGBp", "RGBAp",
"BGRA", "ARGB", "RGBA", "ABGR",
"RGB", "BGR", NULL
};
static const char *
format_to_string (GdkMemoryFormat format)
{
if (format < GDK_MEMORY_N_FORMATS)
return format_name[format];
else
return "ERROR";
}
Qt Creator
V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4682
using Flag = GenerateGetterSetterOp::GenerateFlag;
constexpr static Flag ColumnFlag[] = {
Flag::Invalid, // 0
Flag::GenerateGetter, // 1
Flag::GenerateSetter, // 2
Flag::GenerateSignal, // 3
Flag::GenerateReset, // 4
Flag::GenerateProperty, // 5
Flag::GenerateConstantProperty, // 6
};
QVariant data(int column, int role) const override
{
if (role == Qt::DisplayRole && column == NameColumn)
return m_memberInfo->data.memberVariableName;
if ( role == Qt::CheckStateRole && column > 0
&& column <= static_cast<int>(std::size(ColumnFlag)))
{
return m_memberInfo->requestedFlags & ColumnFlag[column] ? Qt::Checked :
Qt::Unchecked;
}
return {};
}
Similar errors can be found in some other places:
- V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4693
- V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4697
- V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4699
- And 1 additional diagnostic messages.
LLVM/Clang
V557 Array overrun is possible. The 'index' index is pointing beyond array bound. AppleObjCRuntimeV2.cpp 3308
bool AppleObjCRuntimeV2::NonPointerISACache::EvaluateNonPointerISA(
ObjCISA isa, ObjCISA &ret_isa) {
....
if (index > m_indexed_isa_cache.size())
return false;
LLDB_LOGF(log, "AOCRT::NPI Evaluate(ret_isa = 0x%" PRIx64 ")",
(uint64_t)m_indexed_isa_cache[index]);
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The 'index' index is pointing beyond array bound. AppleObjCRuntimeV2.cpp 3311
OpenVINO
V557 [CERT-ARR30-C] Array overrun is possible. The 'portNum' index is pointing beyond array bound. node.cpp 402
std::vector<PortConfig> inConfs;
....
MemoryDescPtr Node::getBaseMemDescAtInputPort(size_t portNum) const
{
if (auto primDesc = getSelectedPrimitiveDescriptor())
{
const auto& inConfs = primDesc->getConfig().inConfs;
if (inConfs.size() < portNum)
{
OPENVINO_THROW("Can't get input memory desc at port: ",
portNum, ", incorrect port number" );
}
return inConfs[portNum].getMemDesc();
}
OPENVINO_THROW("Can't get input memory desc,
primitive descriptor is not selected");
}
....
std::vector<PortConfig> outConfs;
....
MemoryDescPtr Node::getBaseMemDescAtOutputPort(size_t portNum) const
{
if (auto primDesc = getSelectedPrimitiveDescriptor())
{
const auto& outConfs = primDesc->getConfig().outConfs;
if (outConfs.size() < portNum)
{
OPENVINO_THROW("Can't get output memory desc at port: ",
portNum, ", incorrect port number" );
}
return outConfs[portNum].getMemDesc();
}
OPENVINO_THROW("Can't get output memory desc,
primitive descriptor is not selected");
}
Similar errors can be found in some other places:
- V557 [CERT-ARR30-C] Array overrun is possible. The 'portNum' index is pointing beyond array bound. node.cpp 413
DPDK
V557 Array overrun is possible. The value of 'n_bus_type_id' index could reach 9. nthw_fpga_model.c 32
static const char *const sa_nthw_fpga_bus_type_str[] = {
"ERR", /* NTHW_FPGA_BUS_TYPE_UNKNOWN, */
"BAR", /* NTHW_FPGA_BUS_TYPE_BAR, */
"PCI", /* NTHW_FPGA_BUS_TYPE_PCI, */
"CCIP", /* NTHW_FPGA_BUS_TYPE_CCIP, */
"RAB0", /* NTHW_FPGA_BUS_TYPE_RAB0, */
"RAB1", /* NTHW_FPGA_BUS_TYPE_RAB1, */
"RAB2", /* NTHW_FPGA_BUS_TYPE_RAB2, */
"NMB", /* NTHW_FPGA_BUS_TYPE_NMB, */
"NDM", /* NTHW_FPGA_BUS_TYPE_NDM, */
};
static const char *get_bus_name(int n_bus_type_id)
{
if (n_bus_type_id >= 1 &&
n_bus_type_id <= (int)ARRAY_SIZE(sa_nthw_fpga_bus_type_str))
return sa_nthw_fpga_bus_type_str[n_bus_type_id];
else
return "ERR";
}
DPDK
V557 Array overrun is possible. The value of 'nblayer' index could reach 3. eal_common_devargs.c 95
/** Number of elements in the array. */
#define RTE_DIM(a) (sizeof (a) / sizeof ((a)[0]))
int
rte_devargs_layers_parse(struct rte_devargs *devargs,
const char *devstr)
{
struct {
const char *key;
const char *str;
struct rte_kvargs *kvlist;
} layers[] = {
{ RTE_DEVARGS_KEY_BUS "=", NULL, NULL, },
{ RTE_DEVARGS_KEY_CLASS "=", NULL, NULL, },
{ RTE_DEVARGS_KEY_DRIVER "=", NULL, NULL, },
};
....
if (nblayer > RTE_DIM(layers)) {
ret = -E2BIG;
goto get_out;
}
layers[nblayer].str = s;
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The value of 'nblayer' index could reach 3. eal_common_devargs.c 114
- V557 Array overrun is possible. The value of 'nblayer' index could reach 3. eal_common_devargs.c 116
DPDK
V557 Array overrun is possible. The value of 'status' index could reach 58. qede_debug.c 7149
enum dbg_status {
DBG_STATUS_OK,
DBG_STATUS_APP_VERSION_NOT_SET,
....
DBG_STATUS_INVALID_FILTER_TRIGGER_DWORDS,
DBG_STATUS_NO_MATCHING_FRAMING_MODE,
DBG_STATUS_VFC_READ_ERROR,
....
DBG_STATUS_MISSING_TRIGGER_STATE_STORM,
MAX_DBG_STATUS
};
static const char * const s_status_str[] = {
/* DBG_STATUS_OK */
"Operation completed successfully",
/* DBG_STATUS_APP_VERSION_NOT_SET */
"Debug application version wasn't set",
....
/* DBG_STATUS_INVALID_FILTER_TRIGGER_DWORDS */
"The filter/trigger constraint dword offsets are not enabled for recording",
/* DBG_STATUS_VFC_READ_ERROR */
"Error reading from VFC",
....
/* DBG_STATUS_MISSING_TRIGGER_STATE_STORM */
"When triggering on Storm data, the Storm to trigger on must be specified"
};
const char *qed_dbg_get_status_str(enum dbg_status status)
{
return (status <
MAX_DBG_STATUS) ? s_status_str[status] : "Invalid debug status";
}
LLVM/Clang
V557 Array overrun is possible. The 'index' index is pointing beyond array bound. AppleObjCRuntimeV2.cpp 3284
std::vector<lldb::addr_t> m_indexed_isa_cache;
bool AppleObjCRuntimeV2::NonPointerISACache::EvaluateNonPointerISA(
ObjCISA isa, ObjCISA &ret_isa) {
....
uintptr_t index = (isa & m_objc_debug_indexed_isa_index_mask) >>
m_objc_debug_indexed_isa_index_shift;
....
// If the index is still out of range then this isn't a pointer.
if (index > m_indexed_isa_cache.size())
return false;
LLDB_LOGF(log, "AOCRT::NPI Evaluate(ret_isa = 0x%" PRIx64 ")",
(uint64_t)m_indexed_isa_cache[index]);
ret_isa = m_indexed_isa_cache[index];
....
}
Similar errors can be found in some other places:
- V557 Array overrun is possible. The 'index' index is pointing beyond array bound. AppleObjCRuntimeV2.cpp 3287
x64dbg
V557 Array overrun is possible. The value of 'registerName - ZYDIS_REGISTER_XMM0' index could reach 47. TraceInfoBox.cpp 310
typedef enum ZydisRegister_
{
....
ZYDIS_REGISTER_XMM0, // 88
....
ZYDIS_REGISTER_YMM0, // 120
....
ZYDIS_REGISTER_YMM15, // 135
}
typedef struct
{
....
#ifdef _WIN64
XMMREGISTER XmmRegisters[16];
YMMREGISTER YmmRegisters[16];
#else // x86
XMMREGISTER XmmRegisters[8];
YMMREGISTER YmmRegisters[8];
#endif
} REGISTERCONTEXT;
#ifdef _WIN64
#define ArchValue(x32value, x64value) x64value
#else
#define ArchValue(x32value, x64value) x32value
#endif //_WIN64
void TraceInfoBox::update(unsigned long long selection,
TraceFileReader* traceFile,
const REGDUMP & registers)
{
....
else if( registerName >= ZYDIS_REGISTER_YMM0
&& registerName <= ArchValue(ZYDIS_REGISTER_YMM7,
ZYDIS_REGISTER_YMM15))
{
registerLine += CPUInfoBox::formatSSEOperand(
QByteArray((const char*)®isters.regcontext
.YmmRegisters[registerName - ZYDIS_REGISTER_XMM0], 32), // <=
zydis.getVectorElementType(opindex)
);
}
....
}