Examples of errors detected by the V575 diagnostic
V575. Function receives suspicious argument.
G3D Content Pak
V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. graphics3D matrix4.cpp 269
bool Matrix4::operator==(const Matrix4& other) const {
// The closing parenthesis is misplaced: the length argument is the boolean
// `sizeof(Matrix4) == 0`, i.e. 0, so memcmp() compares nothing and returns 0.
// The condition is therefore false and this branch never reports equality.
if (memcmp(this, &other, sizeof(Matrix4) == 0)) {
return true;
}
....
}
The closing parenthesis is in the wrong place, so the result of the comparison is passed as the length. This is how it should be: if (memcmp(this, &other, sizeof(Matrix4)) == 0) {
Miranda IM
V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. clist_modern modern_image_array.cpp 59
static BOOL ImageArray_Alloc(LP_IMAGE_ARRAY_DATA iad, int size)
{
....
// memset() takes (dest, value, count). Here the byte count is passed as the
// fill value and 0 as the count, so no bytes are written and the region
// starting at nodes[nodes_allocated_size] keeps its previous contents.
memset(&iad->nodes[iad->nodes_allocated_size],
(size_grow - iad->nodes_allocated_size) *
sizeof(IMAGE_ARRAY_DATA_NODE),
0);
....
}
Arguments are mixed up. This is what should have been written here: memset(&iad->nodes[iad->nodes_allocated_size], 0, (size_grow - iad->nodes_allocated_size) * sizeof(IMAGE_ARRAY_DATA_NODE));
ReactOS
V575 The 'memset' function processes value '8196'. Inspect the second argument. hal bios.c 427
// RtlFillMemory takes (Destination, Length, Fill); the macro reorders them
// into memset's (dest, value, count).
#define RtlFillMemory(Destination, Length, Fill) \
memset(Destination, Fill, Length)
#define IOPM_FULL_SIZE 8196
HalpRestoreIopm(VOID)
{
....
// Length and Fill are swapped: 0xFF lands in Length and 8196 in Fill, so only
// 255 bytes are written, each with 8196 converted to unsigned char.
// NOTE(review): the rest of HalpSavedIoMap is left unchanged; if the intent
// is to set the whole map to 0xFF, most of it is not - confirm.
RtlFillMemory(HalpSavedIoMap, 0xFF, IOPM_FULL_SIZE);
....
}
Arguments are mixed up. This is what should have been written here: RtlFillMemory(HalpSavedIoMap, IOPM_FULL_SIZE, 0xFF);
Doom 3
V575 The 'memset' function processes '0' elements. Inspect the third argument. DoomDLL win_shared.cpp 177
void Sys_GetCurrentMemoryStatus( sysMemoryStats_t &stats ) {
....
// Value and count are swapped: the count is 0, so statex is not cleared and
// any field not set afterwards keeps indeterminate contents.
memset( &statex, sizeof( statex ), 0 );
....
}
This is what should have been written here: memset( &statex, 0, sizeof( statex ) );
Mozilla Firefox
V575 The 'memcmp' function processes '0' elements. Inspect the third argument. pixman-image.c 520
pixman_bool_t
pixman_image_set_transform (....)
{
// The length argument is the boolean `sizeof (pixman_transform_t) == 0`,
// i.e. 0: memcmp() compares nothing and always returns 0, so the two
// transforms are never actually compared.
memcmp (common->transform, transform,
sizeof (pixman_transform_t) == 0))
}
This is what should have been written here: memcmp (common->transform, transform, sizeof (pixman_transform_t)) == 0)
Fennec Media
V575 The null pointer is passed into 'free' function. Inspect the first argument. settings interface.c 3096
int settings_proc_language_packs(....)
{
....
case WM_DESTROY:
if(mem_files)
{
// The pointer is cleared before it is released: sys_mem_free() receives 0
// and the original allocation is leaked. The two statements are in the
// wrong order.
mem_files = 0;
sys_mem_free(mem_files);
}
EndDialog(hwnd,0);
break;
....
}
ReactOS
V575 The null pointer is passed into 'wcscpy' function. Inspect the second argument. eventvwr.c 270
BOOL GetEventCategory(....)
{
....
if (lpMsgBuf)
{
....
}
else
{
// This branch runs only when lpMsgBuf is NULL, so wcscpy() is given a null
// source pointer and dereferences it.
wcscpy(CategoryName, (LPCWSTR)lpMsgBuf);
}
....
}
ReactOS
V575 The null pointer is passed into 'strstr' function. Inspect the first argument. headless.c 263
VOID WinLdrSetupEms(IN PCHAR BootOptions)
{
PCHAR RedirectPort;
....
// NOTE(review): unless the elided code assigns RedirectPort, it is searched
// here without having been initialized - confirm what the haystack should be.
RedirectPort = strstr(RedirectPort, "com");
if (RedirectPort)
{
....
}
else
{
// This branch runs only when the previous strstr() returned NULL, so the
// null pointer itself is passed as the string to search.
RedirectPort = strstr(RedirectPort, "usebiossettings");
....
}
ReactOS
V575 The null pointer is passed into '_wcsicmp' function. Inspect the first argument. misc.c 150
DWORD ParseReasonCode(LPCWSTR code)
{
LPWSTR tmpPrefix = NULL;
....
for (reasonptr = shutdownReason ;
reasonptr->prefix ; reasonptr++)
{
// Per the diagnostic, tmpPrefix is still NULL when it reaches _wcsicmp(),
// which would dereference a null pointer.
// NOTE(review): `!= 0` selects entries whose prefix differs from tmpPrefix;
// confirm whether a match (`== 0`) was intended.
if ((majorCode == reasonptr->major) &&
(minorCode == reasonptr->minor) &&
(_wcsicmp(tmpPrefix, reasonptr->prefix) != 0))
{
return reasonptr->flag;
}
}
....
}
Multi Theft Auto
V575 The null pointer is passed into 'memcpy' function. Inspect the second argument. cdirect3ddata.cpp 80
void CDirect3DData::GetTransform (
D3DTRANSFORMSTATETYPE dwRequestedMatrix,
D3DMATRIX * pMatrixOut)
{
switch ( dwRequestedMatrix )
{
case D3DTS_VIEW:
memcpy (pMatrixOut, &m_mViewMatrix, sizeof(D3DMATRIX));
break;
case D3DTS_PROJECTION:
memcpy (pMatrixOut, &m_mProjMatrix, sizeof(D3DMATRIX));
break;
case D3DTS_WORLD:
memcpy (pMatrixOut, &m_mWorldMatrix, sizeof(D3DMATRIX));
break;
default:
// Zero out the structure for the user.
// memcpy() with a source of 0 reads sizeof(D3DMATRIX) bytes from a null
// pointer instead of zeroing the output; any unrecognized
// dwRequestedMatrix value reaches this line.
memcpy (pMatrixOut, 0, sizeof(D3DMATRIX)); // <=
break;
}
....
}
A copy-paste error. Most likely this is what should be written here: memset(pMatrixOut, 0, sizeof(D3DMATRIX));
Multi Theft Auto
V575 The 'memset' function processes value '512'. Inspect the second argument. crashhandler.cpp 499
// RtlFillMemory/FillMemory take (Destination, Length, Fill), which is not
// memset's (dest, value, count) order.
#define RtlFillMemory(Destination,Length,Fill) \
memset((Destination),(Fill),(Length))
#define FillMemory RtlFillMemory
LPCTSTR __stdcall GetFaultReason ( EXCEPTION_POINTERS * pExPtrs )
{
....
PIMAGEHLP_SYMBOL pSym = (PIMAGEHLP_SYMBOL)&g_stSymbol ;
// NULL is passed as Length and SYM_BUFF_SIZE as Fill, so zero bytes are
// written and the symbol buffer is not cleared before use.
FillMemory ( pSym , NULL , SYM_BUFF_SIZE ) ;
....
}
Most likely this is what should be written here: FillMemory ( pSym , SYM_BUFF_SIZE, 0 ) ;
Similar errors can be found in some other places:
- V575 The 'memset' function processes '0' elements. Inspect the third argument. crashhandler.cpp 499
- V575 The 'memset' function processes value '512'. Inspect the second argument. ccrashhandlerapi.cpp 503
- V575 The 'memset' function processes '0' elements. Inspect the third argument. ccrashhandlerapi.cpp 503
Firebird
V575 The 'memset' function processes '0' elements. Inspect the third argument. perf.cpp 487
void FB_CARG Why::UtlInterface::getPerfCounters(
...., ISC_INT64* counters)
{
unsigned n = 0;
....
// Per the diagnostic, n is still 0 at this point, so the byte count is 0 and
// the caller's counters array is not cleared.
memset(counters, 0, n * sizeof(ISC_INT64));
....
}
Scilab
V575 The null pointer is passed into 'strlen' function. Inspect the first argument. splitline.c 107
char **splitLineCSV(....)
{
....
if (retstr[curr_str] == NULL)
{
*toks = 0;
FREE(substitutedstring);
substitutedstring = NULL;
// substitutedstring was freed and set to NULL just above, so strlen()
// dereferences a null pointer on this error path. The length has to be
// taken before the buffer is released.
freeArrayOfString(retstr, strlen(substitutedstring));
return NULL;
}
....
}
WinSCP
V575 The 'memset' function processes '0' elements. Inspect the third argument. messagedlg.cpp 786
TForm * __fastcall TMessageForm::Create(....)
{
....
LOGFONT AFont;
....
// Value and count are swapped: the count is 0, so AFont is not zeroed and
// fields that are not assigned later keep indeterminate stack contents.
memset(&AFont, sizeof(AFont), 0);
....
}
Similar errors can be found in some other places:
- V575 The 'memset' function processes '0' elements. Inspect the third argument. messagedlg.cpp 796
Miranda NG
V575 The 'strrchr' function processes value '10875'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 177
// Null-tolerant wrapper: returns 0 instead of calling strrchr() on a null s.
#define mir_strrchr(s,c) (((s)!=0)?strrchr((s),(c)):0)
BYTE CExImContactBase::fromIni(LPSTR& row)
{
....
// '*{' and '}*' are multi-character constants (ints with implementation-
// defined values), not strings. strrchr()/strchr() convert the argument to
// char, so only a single character is searched for, not the two-character
// delimiter. A substring search (e.g. strstr with "*{") is needed for that.
if (cchBuf > 10 && (p1 = mir_strrchr(pszBuf, '*{')) &&
(p2 = mir_strchr(p1, '}*')) && p1 + 2 < p2) {
....
}
Similar errors can be found in some other places:
- V575 The 'strchr' function processes value '32042'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 177
- V575 The 'strrchr' function processes value '10812'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 182
- V575 The 'strchr' function processes value '15914'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 182
- And 8 additional diagnostic messages.
Miranda NG
V575 The 'memset' function processes '0' elements. Inspect the third argument. PluginUpdater dlgupdate.cpp 652
static int ScanFolder(....)
{
....
__except (EXCEPTION_EXECUTE_HANDLER)
{
// A length of 0 clears nothing: szMyHash keeps whatever was written before
// the exception. NOTE(review): the buffer's size was presumably intended.
ZeroMemory(szMyHash, 0);
// smth went wrong, reload a file from scratch
}
....
}
Similar errors can be found in some other places:
- V575 The 'memset' function processes '0' elements. Inspect the third argument. ShlExt shlipc.cpp 68
Miranda NG
V575 The null pointer is passed into 'fclose' function. Inspect the first argument. NimContact files.cpp 97
int savehtml(char* outFile)
{
FILE* file = fopen(outFile, "w");
if (!file)
{
// fopen() failed, so `file` is NULL here; passing NULL to fclose() is
// undefined behavior. There is nothing to close on this path.
fclose(file);
return 0;
}
fprintf(file, "%s", szInfo);
fclose(file);
return 1;
}
Haiku Operating System
V575 The 'strchr' function processes value '2112800'. Inspect the second argument. CommandActuators.cpp 1517
// strchr() searches for a single character, passed as an int.
extern char *strchr(const char *string, int character);
SendMessageCommandActuator::
SendMessageCommandActuator(int32 argc, char** argv)
:
CommandActuator(argc, argv),
fSignature((argc > 1) ? argv[1] : "")
{
....
const char* arg = argv[i];
BString argString(arg);
// ' = ' is a three-character multi-character constant, not a string. Its int
// value is converted to char inside strchr(), so only one character is
// searched for, not the " = " separator.
const char* equals = strchr(arg, ' = '); // <=
....
}
ReactOS
V575 Buffer's size in bytes should be passed to the 'memset' function as the third argument instead of the number of processed elements. solitaire.cpp 153
void UpdateStatusBar(void)
{
TCHAR szStatusText[128];
....
// ZeroMemory() expects a size in bytes, but this passes the element count
// (128). When TCHAR is wider than one byte only part of the buffer is
// cleared; sizeof(szStatusText) alone is the byte size.
ZeroMemory(szStatusText,
sizeof(szStatusText) / sizeof(TCHAR)); // <=
....
}
Open X-Ray Engine
V575 The null pointer is passed into 'fclose' function. Inspect the first argument. ogg_enc.cpp 47
ETOOLS_API int __stdcall ogg_enc(....)
{
....
FILE *in, *out = NULL;
....
input_format *format;
....
in = fopen(in_fn, "rb");
if(in == NULL) return 0;
format = open_audio_file(in, &enc_opts);
if(!format){
fclose(in);
return 0;
};
out = fopen(out_fn, "wb");
if(out == NULL){
// `out` is NULL on this path, so fclose(out) is undefined behavior. The
// stream that is still open here is `in`, and it is not closed before
// returning.
fclose(out);
return 0;
}
....
}
Open X-Ray Engine
V575 The 'memset' function processes '0' elements. Inspect the third argument. xrdebug.cpp 104
size_t xrDebug::BuildStackTrace(EXCEPTION_POINTERS* exPtrs,
char *buffer,
size_t capacity,
size_t lineCapacity)
{
// Value and count are swapped: the count is 0, so the caller's buffer is not
// cleared and keeps its previous contents.
memset(buffer, capacity*lineCapacity, 0);
....
}
CryEngine V
V575 The 'memset' function processes '0' elements. Inspect the third argument. crythreadutil_win32.h 294
void EnableFloatExceptions(....)
{
....
CONTEXT ctx;
// Value and count are swapped: the count is 0, so ctx is left uninitialized.
memset(&ctx, sizeof(ctx), 0);
....
}
GNU GRUB
V575 The null pointer is passed into 'fclose' function. Inspect the first argument. grub-mkpasswd-pbkdf2.c 184
// NOTE(review): the capital `Int` looks like a transcription artifact of
// this listing.
Int main (int argc, char *argv[])
{
....
{
FILE *f;
size_t rd;
f = fopen ("/dev/urandom", "rb");
if (!f)
{
// Error path: the password buffer is wiped and the allocations are released
// before the tool gives up.
memset (pass1, 0, sizeof (pass1));
free (buf);
free (bufhex);
free (salthex);
free (salt);
// f is NULL in this branch (fopen failed); fclose(NULL) is undefined
// behavior and there is no stream to close.
fclose (f); // <=
....
}
....
fclose (f);
}
....
}
Similar errors can be found in some other places:
- V575 The null pointer is passed into 'free' function. Inspect the first argument. grub-setup.c 1187
Linux Kernel
V575 The 'strncasecmp' function processes '0' elements. Inspect the third argument. linux_wlan.c 1121
static int mac_ioctl(struct net_device *ndev,
struct ifreq *req,
int cmd)
{
u8 *buff = NULL;
s8 rssi;
u32 size = 0, length = 0;
struct wilc_vif *vif;
s32 ret = 0;
struct wilc *wilc;
vif = netdev_priv(ndev);
wilc = vif->wilc;
if (!wilc->initialized)
return 0;
switch (cmd) {
case SIOCSIWPRIV:
{
struct iwreq *wrq = (struct iwreq *)req;
// The user-supplied length is stored in `size`; `length` stays 0.
size = wrq->u.data.length;
if (size && wrq->u.data.pointer) {
// Copies the user buffer into kernel memory; released at `done`.
buff = memdup_user(wrq->u.data.pointer,
wrq->u.data.length);
if (IS_ERR(buff))
return PTR_ERR(buff);
// `length` is still 0, so strncasecmp() compares zero characters and
// returns 0: the "RSSI" branch is taken for any non-empty user buffer,
// whatever it contains.
if (strncasecmp(buff, "RSSI", length) == 0) { // <=
....
}
}
}
....
}
done:
kfree(buff);
return ret;
}
CryEngine V
V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. SystemInit.cpp 4045
class CLvlRes_finalstep : public CLvlRes_base
{
....
for (;; )
{
if (*p == '/' || *p == '\\' || *p == 0)
{
char cOldChar = *p;
*p = 0; // create zero termination
_finddata_t fd;
bool bOk = FindFile(szFilePath, szFile, fd);
// The equal-length requirement is checked only by assert(), which is
// compiled out when NDEBUG is defined.
if (bOk)
assert(strlen(szFile) == strlen(fd.name));
*p = cOldChar; // get back the old separator
if (!bOk)
return;
// Overwrites the path component in place with strlen(fd.name) bytes and no
// terminating null.
// NOTE(review): without the assert, a longer fd.name would write past the
// component - confirm the lengths are guaranteed equal.
memcpy((void*)szFile, fd.name, strlen(fd.name)); // <=
if (*p == 0)
break;
++p;
szFile = p;
}
else ++p;
}
....
}
Tizen
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. wayland_panel_agent_module.cpp 1060
static char *
insert_text (const char *text, uint32_t offset,
const char *insert)
{
uint32_t tlen = strlen (text), ilen = strlen (insert);
// malloc() may return NULL; the result is used by memcpy() below without a
// check. NOTE(review): tlen + ilen + 1 is computed in 32-bit unsigned
// arithmetic and could wrap for very long inputs - confirm callers bound it.
char *new_text = (char*)malloc (tlen + ilen + 1);
if ((unsigned int) tlen < offset)
offset = tlen;
memcpy (new_text, text, offset);
....
}
Scilab
V575 The 'memset' function processes '0' elements. Inspect the third argument. win_mem_alloc.c 91
void *MyHeapAlloc(size_t dwSize, char *file, int line)
{
LPVOID NewPointer = NULL;
if (dwSize > 0)
{
_try
{
// malloc() result is passed to memset() without a NULL check; a failure is
// left to the exception handler, which does nothing.
NewPointer = malloc(dwSize);
NewPointer = memset (NewPointer, 0, dwSize);
}
_except (EXCEPTION_EXECUTE_HANDLER)
{
}
....
}
else
{
_try
{
// dwSize is 0 in this branch (it is unsigned and not > 0): this is
// malloc(0) followed by a memset() of zero bytes, a copy of the branch
// above that does no useful work.
NewPointer = malloc(dwSize);
NewPointer = memset (NewPointer, 0, dwSize);
}
_except (EXCEPTION_EXECUTE_HANDLER)
{
}
}
return NewPointer;
}
EFL Core Libraries
V575 The 'memcmp' function processes '0' elements. Inspect the third argument. eina_simple_xml_parser.c 355
EAPI Eina_Bool
eina_simple_xml_parse(....)
{
....
// sizeof("") - 1 is 0, so memcmp() compares nothing and returns 0: the
// second operand is always true and only the length check decides whether
// the input is classified as a DOCTYPE child.
else if ((itr + sizeof("<!>") - 1 < itr_end) &&
(!memcmp(itr + 2, "", sizeof("") - 1)))
{
type = EINA_SIMPLE_XML_DOCTYPE_CHILD;
toff = sizeof("!") - 1;
}
....
}
EFL Core Libraries
V575 The 'munmap' function processes '0' elements. Inspect the second argument. eina_evlog.c 117
static void
free_buf(Eina_Evlog_Buf *b)
{
if (!b->buf) return;
// size is reset before it is used as the munmap() length below.
b->size = 0;
b->top = 0;
# ifdef HAVE_MMAP
// b->size is already 0 here. munmap() with a zero length fails, so the
// mapping is not released and is then lost when buf is set to NULL.
munmap(b->buf, b->size);
# else
free(b->buf);
# endif
b->buf = NULL;
}
EFL Core Libraries
V575 The null pointer is passed into 'free' function. Inspect the first argument. edje_entry.c 2306
static void
_edje_key_down_cb(....)
{
....
char *compres = NULL, *string = (char *)ev->string;
....
if (compres)
{
string = compres;
free_string = EINA_TRUE;
}
// The else branch runs only when compres is NULL, so free() is a no-op here.
// Harmless, but it suggests the ownership logic is not what was intended.
else free(compres);
....
}
Similar errors can be found in some other places:
- V575 The null pointer is passed into 'free' function. Inspect the first argument. efl_ui_internal_text_interactive.c 1022
- V575 The null pointer is passed into 'free' function. Inspect the first argument. edje_cc_handlers.c 15962
EFL Core Libraries
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. edje_pick.c 595
static void
_edje_pick_header_alias_parent_add(....)
{
Edje_Part_Collection_Directory_Entry *ce_cor, *ce_new, *ce_f;
....
// malloc() may return NULL; memcpy() then writes through a null pointer.
ce_new = malloc(sizeof(*ce_new));
memcpy(ce_new, ce_cor, sizeof(*ce_new));
....
}
Similar errors can be found in some other places:
- V575 The potential null pointer is passed into 'strrchr' function. Inspect the first argument. types_generator.c 40
- V575 The potential null pointer is passed into 'strchr' function. Inspect the first argument. docs_generator.c 243
- V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. eina_unicode.c 119
- And 54 additional diagnostic messages.
Aspell
V575 The potential null pointer is passed into 'memmove' function. Inspect the first argument. string.hpp 54
void assign_only_nonnull(const char * b, unsigned size)
{
// malloc() may return NULL; memmove() then writes through a null pointer and
// end_/storage_end_ are derived from it.
begin_ = (char *)malloc(size + 1);
memmove(begin_, b, size);
end_ = begin_ + size;
storage_end_ = end_ + 1;
}
Similar errors can be found in some other places:
- V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. error.cpp 28
- V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. error.cpp 40
- V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. new_filter.cpp 300
- And 2 additional diagnostic messages.
Enlightenment
V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. e_info_server.c 3165
static E_Info_Transform*
_e_info_transform_new(....)
{
E_Info_Transform *result = NULL;
result = _e_info_transform_find(ec, id);
if (!result)
{
// malloc() may return NULL; memset() then writes through a null pointer.
result = (E_Info_Transform*)malloc(sizeof(E_Info_Transform));
memset(result, 0, sizeof(E_Info_Transform));
....
}
Tizen
V575 The potential null pointer is passed into 'strlen' function. Inspect the first argument. image_util_decode_encode_testsuite.c 207
int main(int argc, char *argv[])
{
....
// strstr() returns NULL when the file name contains no "-" or no ".";
// neither result is checked before strlen() is applied to it below.
char *temp1 = strstr(dp->d_name, "-");
char *temp2 = strstr(dp->d_name, ".");
// With a count equal to the source length, strncpy() writes no terminating
// null, so both destinations rely on having been zeroed beforehand.
strncpy(temp_filename, dp->d_name, strlen(dp->d_name) -
strlen(temp1));
strncpy(file_format, temp2, strlen(temp2));
....
}
Similar errors can be found in some other places:
- V575 The potential null pointer is passed into 'strlen' function. Inspect the first argument. image_util_decode_encode_testsuite.c 208
- V575 The null pointer is passed into 'free' function. Inspect the first argument. edit.c 2823
- V575 The null pointer is passed into 'free' function. Inspect the first argument. apps_data_db.c 300
- And 10 additional diagnostic messages.
Ardour
V575 The 'substr' function processes '-1' elements. Inspect the second argument. meter_strip.cc 491
void
MeterStrip::set_tick_bar (int m)
{
std::string n;
_tick_bar = m;
if (_tick_bar & 1) {
n = meter_ticks1_area.get_name();
if (n.substr(0,3) != "Bar") {
meter_ticks1_area.set_name("Bar" + n);
}
} else {
n = meter_ticks1_area.get_name();
if (n.substr(0,3) == "Bar") {
// The length parameter is size_t, so -1 converts to the largest size_t
// value, which equals npos ("to the end of the string"). n.substr(3)
// expresses the same thing without the signed-to-unsigned conversion.
meter_ticks1_area.set_name(n.substr(3,-1)); // <=
}
}
if (_tick_bar & 2) {
n = meter_ticks2_area.get_name();
if (n.substr(0,3) != "Bar") {
meter_ticks2_area.set_name("Bar" + n);
}
} else {
n = meter_ticks2_area.get_name();
if (n.substr(0,3) == "Bar") {
// Same implicit -1 to size_t conversion as above.
meter_ticks2_area.set_name(n.substr(3,-1)); // <=
}
}
}
// Declaration shown for reference: the second parameter is an unsigned
// length that defaults to npos.
string substr (size_t pos = 0, size_t len = npos) const;
Firebird
V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1106, 1105. iscguard.cpp 1106
static void write_log(int log_action, const char* buff)
{
....
// malloc() may return NULL; memset() then writes through a null pointer.
log_info* tmp =
static_cast<log_info*>(malloc(sizeof(log_info)));
memset(tmp, 0, sizeof(log_info));
....
}
MySQL
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 43, 42. gcs_xcom_state_exchange.cc 43
Xcom_member_state::Xcom_member_state(....)
{
....
m_data_size= data_size;
// malloc() may return NULL; memcpy() then writes m_data_size bytes through a
// null pointer.
m_data=
static_cast<uchar *>(malloc(sizeof(uchar) * m_data_size));
memcpy(m_data, data, m_data_size);
....
}
MySQL
V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. control_events.cpp 830
View_change_event::View_change_event(char* raw_view_id)
: Binary_log_event(VIEW_CHANGE_EVENT),
view_id(), seq_number(0), certification_info()
{
// Copies strlen(raw_view_id) bytes: the terminating null is not copied and
// the length is not checked against the capacity of view_id.
// NOTE(review): confirm view_id's size and that callers bound raw_view_id.
memcpy(view_id, raw_view_id, strlen(raw_view_id));
}
PostgreSQL Database Management System
V575 The potential null pointer is passed into 'strncpy' function. Inspect the first argument. Check lines: 66, 65. pg_regress_ecpg.c 66
static void
ecpg_filter(const char *sourcefile, const char *outfile)
{
....
// malloc() may return NULL; StrNCpy() then writes through a null pointer.
n = (char *) malloc(plen);
StrNCpy(n, p + 1, plen);
....
}
PostgreSQL Database Management System
V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. informix.c 677
int
intoasc(interval * i, char *str)
{
char *tmp;
errno = 0;
tmp = PGTYPESinterval_to_asc(i);
if (!tmp)
return -errno;
// Copies strlen(tmp) bytes, so the terminating null is not written: str is
// a valid string only if the caller zeroed it beforehand. The size of str is
// not known here, so the copy is also unbounded.
memcpy(str, tmp, strlen(tmp));
free(tmp);
return 0;
}
Chromium
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. dns_config_service_win.cc 134
std::unique_ptr<IP_ADAPTER_ADDRESSES, base::FreeDeleter>
ReadIpHelper(ULONG flags) {
....
std::unique_ptr<IP_ADAPTER_ADDRESSES, base::FreeDeleter> out;
....
// malloc() may return NULL; out.get() is passed to memset() without a check.
out.reset(static_cast<PIP_ADAPTER_ADDRESSES>(malloc(len)));
memset(out.get(), 0, len);
....
}
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 129, 127. nacl_validation_query.cc 129
V8 JavaScript Engine
V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 327
void i::V8::FatalProcessOutOfMemory(const char* location,
bool is_heap_oom) {
....
// memset() converts its second argument to unsigned char, so these buffers
// are filled with the single byte 0xDE, not with the 32-bit 0x0BADC0DE
// marker.
memset(last_few_messages, 0x0BADC0DE,
Heap::kTraceRingBufferSize + 1);
memset(js_stacktrace, 0x0BADC0DE,
Heap::kStacktraceBufferSize + 1);
memset(&heap_stats, 0xBADC0DE, sizeof(heap_stats));
....
}
Memory will not be filled with the 0xBADC0DE constant: memset converts its second argument to unsigned char, so every byte is set to 0xDE.
Similar errors can be found in some other places:
- V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 328
- V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 329
OpenVR
V575 CWE-628 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 35, 34. dirtools_public.cpp 35
bool BCreateDirectoryRecursive( const char *pchPath )
{
....
int len = (int)strlen( pchPath );
// malloc() may return NULL; strcpy() then writes through a null pointer.
char *path = (char *)malloc( len + 1 );
strcpy( path, pchPath );
....
}
There is no protection if the malloc function returns a null pointer.
SwiftShader
V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 102, 101. bitvector.h 102
BitVector(const BitVector &RHS) : Size(RHS.size()) {
....
// std::malloc() may return NULL; std::memcpy() then writes through a null
// pointer.
Bits = (BitWord *)std::malloc(Capacity * sizeof(BitWord));
std::memcpy(Bits, RHS.Bits, Capacity * sizeof(BitWord));
}
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 440, 439. bitvector.h 440
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 31, 28. smallvector.cpp 31
Yasm
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 134, 129. dfa.c 134
DFA *
DFA_new(Ins *ins, unsigned int ni, unsigned int lb,
unsigned int ub, Char *rep)
{
// None of the four malloc() results is checked before use.
DFA *d = malloc(sizeof(DFA));
Ins **work = malloc(sizeof(Ins*)*(ni+1));
unsigned int nc = ub - lb;
GoTo *goTo = malloc(sizeof(GoTo)*nc); // <=
Span *span = malloc(sizeof(Span)*nc);
// d is dereferenced here and goTo is written by memset() below; either may
// be NULL if the allocation failed.
d->lbChar = lb;
d->ubChar = ub;
memset((char*) goTo, 0, nc*sizeof(GoTo)); // <=
....
}
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 81, 80. genmodule.c 81
- V575 CWE-628 The potential null pointer is passed into 'fgets' function. Inspect the first argument. Check lines: 76, 59. genmacro.c 76
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 83, 82. main.c 83
- And 8 additional diagnostic messages.
WebRTC
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 154, 153. resampler.cc 154
int Resampler::Reset(int inFreq, int outFreq,
size_t num_channels) {
....
// malloc() may return NULL; memset() then writes through a null pointer.
state1_ = malloc(8 * sizeof(int32_t));
memset(state1_, 0, 8 * sizeof(int32_t));
....
}
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 167, 166. resampler.cc 167
- V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 237, 236. resampler.cc 237
Android
V575 CWE-628 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 47, 46. libxt_tcp.c 47
static void
parse_tcp_ports(const char *portstring, uint16_t *ports)
{
char *buffer;
char *cp;
// strdup() allocates and returns NULL on failure; the result is searched by
// strchr() without a check.
buffer = strdup(portstring);
if ((cp = strchr(buffer, ':')) == NULL)
....
}
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 74, 72. libxt_sctp.c 74
- V575 CWE-628 The potential null pointer is passed into 'strcasecmp' function. Inspect the first argument. Check lines: 171, 166. libxt_sctp.c 171
- V575 CWE-628 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 111, 110. libip6t_mh.c 111
- And 79 additional diagnostic messages.
Vangers: One For The Road
V575 CWE-628 The potential null pointer is passed into 'strdup' function. Inspect the first argument. ivmap.cpp 309
// Returns a strdup()-allocated copy: the result is NULL if the allocation
// fails, and the caller owns the buffer.
char* iGetMergedName(char *name, char *path)
{
....
return strdup(out.c_str());
}
void ivrtMap::fileLoad(void)
{
analyzeINI(iniName);
iYSetup();
XBuffer buf;
buf < fileName < (isCompressed ? ".vmc" : ".vmp");
// iGetMergedName() returns a strdup() result that may be NULL; it is passed
// straight into a second strdup(). std::string copies the text, so both
// strdup() buffers are never freed.
std::string sbuf = strdup(iGetMergedName(buf.GetBuf(), iniName)), sbuf2;
// NOTE(review): find() returns npos when "reso" is absent; stored in an int
// and passed to substr(), that position is out of range - confirm the name
// always contains it.
int startR = sbuf.find("reso");
sbuf2 = sbuf.substr(startR, sbuf.size() - startR);
fname = strdup(sbuf2.c_str());
}
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'strlen' function. Inspect the first argument. Check lines: 2156, 2155. road.cpp 2156
- V575 CWE-628 The potential null pointer is passed into 'strlen' function. Inspect the first argument. Check lines: 810, 809. vmap.cpp 810
- V575 CWE-628 The potential null pointer is passed into 'strlen' function. Inspect the first argument. Check lines: 813, 812. vmap.cpp 813
Qt
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 406, 405. harfbuzz-thai.c 406
static void HB_ThaiAssignAttributes(....)
{
....
int *break_positions = 0;
....
// malloc() may return NULL; memset() then writes through a null pointer.
break_positions = (int*) malloc (sizeof(int) * len);
memset (break_positions, 0, sizeof(int) * len);
....
}
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 2432, 2430. qbytearray.cpp 2432
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 2438, 2436. qbytearray.cpp 2438
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 2553, 2551. qstring.cpp 2553
- And 9 additional diagnostic messages.
FreeRDP
V575 The null pointer is passed into 'free' function. Inspect the first argument. smartcard_pcsc.c 875
WINSCARDAPI LONG WINAPI PCSC_SCardListReadersW(
SCARDCONTEXT hContext,
LPCWSTR mszGroups,
LPWSTR mszReaders,
LPDWORD pcchReaders)
{
LPSTR mszGroupsA = NULL;
....
// mszGroups is forced to NULL, so the conversion below never runs and
// mszGroupsA stays NULL for the rest of the function.
mszGroups = NULL; /* mszGroups is not supported by pcsc-lite */
if (mszGroups)
ConvertFromUnicode(CP_UTF8,0, mszGroups, -1,
(char**) &mszGroupsA, 0,
NULL, NULL);
status = PCSC_SCardListReaders_Internal(hContext, mszGroupsA,
(LPSTR) &mszReadersA,
pcchReaders);
if (status == SCARD_S_SUCCESS)
{
....
}
// Always free(NULL) given the assignment above: a harmless no-op, but the
// conversion and this call are dead code.
free(mszGroupsA);
....
}
Similar errors can be found in some other places:
- V575 The null pointer is passed into 'free' function. Inspect the first argument. license.c 790
- V575 The null pointer is passed into 'free' function. Inspect the first argument. rdpsnd_alsa.c 575
Haiku Operating System
V575 The null pointer is passed into 'free' function. Inspect the first argument. setmime.cpp 727
void
MimeType::_PurgeProperties()
{
fShort.Truncate(0);
fLong.Truncate(0);
fPrefApp.Truncate(0);
fPrefAppSig.Truncate(0);
fSniffRule.Truncate(0);
delete fSmallIcon;
fSmallIcon = NULL;
delete fBigIcon;
fBigIcon = NULL;
// The pointer is cleared before it is released: free() receives NULL and the
// vector icon buffer is leaked. The two statements are in the wrong order
// (compare the delete-then-NULL pattern used for the other icons above).
fVectorIcon = NULL;
free(fVectorIcon);
fExtensions.clear();
fAttributes.clear();
}
Haiku Operating System
V575 The null pointer is passed into 'free' function. Inspect the first argument. driver_settings.cpp 461
static settings_handle *
load_driver_settings_from_file(int file, const char *driverName)
{
....
handle = new_settings(text, driverName);
if (handle != NULL) {
// everything went fine!
return handle;
}
// Reached only when handle is NULL, so this free() is a no-op.
// NOTE(review): another buffer (possibly `text`) may have been meant here;
// if so it is leaked on this failure path - confirm.
free(handle);
....
}
Similar errors can be found in some other places:
- V575 The null pointer is passed into 'free' function. Inspect the first argument. driver_settings.cpp 427
Haiku Operating System
V575 The null pointer is passed into 'free' function. Inspect the first argument. PackageFileHeapWriter.cpp 166
void* _GetBuffer()
{
....
void* buffer = malloc(fBufferSize);
// With `&&`, AddItem() is evaluated only when buffer is NULL. A successful
// allocation is never added to fBuffers, and a failed one is returned as
// NULL if AddItem(NULL) succeeds. The free() inside the branch always
// receives NULL. NOTE(review): `||` looks intended - confirm.
if (buffer == NULL && !fBuffers.AddItem(buffer)) {
free(buffer);
throw std::bad_alloc();
}
return buffer;
}
Celestia
V575 The 'memset' function processes '0' elements. Inspect the third argument. winmain.cpp 2235
static void BuildScriptsMenu(HMENU menuBar, const fs::path& scriptsDir)
{
....
MENUITEMINFO info;
// Value and count are swapped: the count is 0, so info is not zeroed and
// every field other than the ones assigned below keeps indeterminate stack
// contents.
memset(&info, sizeof(info), 0);
info.cbSize = sizeof(info);
info.fMask = MIIM_SUBMENU;
....
}
Kodi
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 39, 38. DVDOverlayImage.h:39
CDVDOverlayImage(const CDVDOverlayImage& src)
: CDVDOverlay(src)
{
// malloc() may return NULL; the memcpy() on the next line then writes
// through a null pointer.
// NOTE(review): `Data` vs `data` looks like a transcription artifact of this
// listing.
Data = (uint8_t*)malloc(src.linesize * src.height);
memcpy(data, src.data, src.linesize * src.height); // <=
if(src.palette)
{
// Same unchecked allocation for the palette copy.
palette = (uint32_t*)malloc(src.palette_colors * 4);
memcpy(palette, src.palette, src.palette_colors * 4); // <=
}
....
}
Similar errors can be found in some other places:
- V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 44, 43. DVDOverlayImage.h:44
Zephyr
V575 [CWE-628] The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. shell.c 427
static char *mntpt_prepare(char *mntpt)
{
char *cpy_mntpt;
// Room for the string plus its terminating null.
cpy_mntpt = k_malloc(strlen(mntpt) + 1);
if (cpy_mntpt) {
// Writes '\0' over the terminator that is already at mntpt[strlen(mntpt)],
// so this has no effect on the source string.
((u8_t *)mntpt)[strlen(mntpt)] = '\0';
// Copies strlen(mntpt) bytes only: the terminating null is not copied, so
// the last byte of cpy_mntpt is never written and the copy is not
// guaranteed to be a terminated string.
memcpy(cpy_mntpt, mntpt, strlen(mntpt));
}
return cpy_mntpt;
}
Command & Conquer
V575 The 'memset' function processes '0' elements. Inspect the third argument. DLLInterface.cpp 1103
// Declaration shown for reference: the order is (destination, value, size).
void* __cdecl memset(
_Out_writes_bytes_all_(_Size) void* _Dst,
_In_ int _Val,
_In_ size_t _Size
);
extern "C" __declspec(dllexport) bool __cdecl CNC_Read_INI(....)
{
....
// Value and size are swapped: the size is 0, so ini_buffer is not cleared
// and keeps its previous contents.
memset(ini_buffer, _ini_buffer_size, 0);
....
}
Similar errors can be found in some other places:
- V575 The 'memset' function processes '0' elements. Inspect the third argument. DLLInterface.cpp 1404
PMDK
V575 [CWE-628] The 'memmove' function processes '0' elements. Inspect the third argument. memmove_common.c 82
void
do_memmove(char *dst, char *src, const char *file_name,
size_t dest_off, size_t src_off, size_t bytes,
memmove_fn fn, unsigned flags, persist_fn persist)
{
....
/* do the same using regular memmove and verify that buffers match */
// The length is 0, so the shadow buffers are not modified and the
// verification below compares against an unchanged reference.
// NOTE(review): `bytes` was presumably intended as the length - confirm.
memmove(dstshadow + dest_off, srcshadow + src_off, 0);
verify_contents(file_name, 2, dstshadow, dst, bytes);
verify_contents(file_name, 3, srcshadow, src, bytes);
....
}
PMDK
V575 [CWE-628] The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. writer.c 41
#define MAX_BUF_LEN 10
struct my_root {
char buf[MAX_BUF_LEN];
};
int
main(int argc, char *argv[])
{
....
struct my_root *rootp = pmemobj_direct(root);
char buf[MAX_BUF_LEN] = {0};
....
TX_BEGIN(pop) {
pmemobj_tx_add_range(root, 0, sizeof(struct my_root));
// Copies strlen(buf) bytes, so the terminating null is not written:
// rootp->buf is a valid string only if the bytes after the copy are
// already zero, e.g. a shorter string written over a longer one leaves
// the old tail in place.
memcpy(rootp->buf, buf, strlen(buf));
} TX_END
....
}
PMDK
V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 340, 338. rtree_map.c 340
static void
remove_extra_node(TOID(struct tree_map_node) *node)
{
....
unsigned char *new_key = (unsigned char *)malloc(new_key_size);
// assert() is compiled out when NDEBUG is defined, so in such builds the
// allocation result reaches memcpy() unchecked.
assert(new_key != NULL);
memcpy(new_key, D_RO(tmp)->key, D_RO(tmp)->key_size);
....
}
Similar errors can be found in some other places:
- V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 133, 127. clo_vec.cpp 133
- V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 187, 184. clo_vec.cpp 187
- V575 [CWE-628] The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 446, 439. clo.cpp 446
- And 2 additional diagnostic messages.
Qemu
V575 The 'strerror_s' function processes '0' elements. Inspect the second argument. commands-win32.c 1642
void qmp_guest_set_time(bool has_time, int64_t time_ns,
Error **errp)
{
....
if (GetLastError() != 0) {
// The second argument is the buffer size; 0 leaves no room for any text, so
// msg_buffer is not filled with a message.
// NOTE(review): the condition tests GetLastError() but the message is
// formatted from errno - confirm which error source is intended.
strerror_s((LPTSTR) & msg_buffer, 0, errno);
....
}
}
DeepSpeech
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 73, 68. modelstate.cc 73
Metadata*
ModelState::decode_metadata(const DecoderState& state,
size_t num_results)
{
....
// malloc() may return NULL; memcpy() below then writes through a null
// pointer.
Metadata* ret = (Metadata*)malloc(sizeof(Metadata));
....
memcpy(ret, &metadata, sizeof(Metadata));
return ret;
}
Espressif IoT Development Framework
V575 The null pointer is passed into 'free' function. Inspect the first argument. sae.c 1185
static int sae_parse_password_identifier(struct sae_data *sae,
const u8 *pos, const u8 *end)
{
wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame",
pos, end - pos);
if (!sae_is_password_id_elem(pos, end)) {
if (sae->tmp->pw_id) {
wpa_printf(MSG_DEBUG,
"SAE: No Password Identifier included, but expected one (%s)",
sae->tmp->pw_id);
return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
}
// The non-NULL case returned above, so pw_id is always NULL here: the
// os_free() and the assignment that follow have no effect.
os_free(sae->tmp->pw_id);
sae->tmp->pw_id = NULL;
return WLAN_STATUS_SUCCESS; /* No Password Identifier */
}
....
}
Qt
V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 277, 276. qqmlprofilerevent_p.h 277
// Excerpt flagged by V575: copies the payload of `other`; for externally
// stored data a new buffer is allocated and filled without a NULL check.
void assignData(const QQmlProfilerEvent &other)
{
if (m_dataType & External) {
uint length = m_dataLength * (other.m_dataType / 8);
// malloc may return NULL; the memcpy on the next line then writes through a
// null pointer (undefined behaviour). Check the result before copying.
m_data.external = malloc(length); // <=
memcpy(m_data.external, other.m_data.external, length); // <=
} else {
// Inline payload: the whole m_data member is copied as raw bytes.
memcpy(&m_data, &other.m_data, sizeof(m_data));
}
}
Similar errors can be found in some other places:
- V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 290, 287. qobject_p.h 290
- V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 3104, 3103. qmetaobject.cpp 3104
- V575 [CWE-628] The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1486, 1485. qmetaobjectbuilder.cpp 1486
- And 21 additional diagnostic messages.
SystemC
V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 487, 486. sc_report_handler.cpp 487
// Excerpt flagged by V575: stores a heap copy of msg_type_, but the buffer
// returned by malloc is used without being checked.
sc_msg_def * sc_report_handler::add_msg_type(const char * msg_type_)
{
....
// msg_type_len is computed in the elided lines (presumably strlen(msg_type_)
// -- TODO confirm). malloc may return NULL here.
items->md->msg_type_data = (char*) malloc(msg_type_len+1);
// With a NULL destination this strcpy is undefined behaviour; test the
// allocation result first and fail the registration cleanly.
strcpy( items->md->msg_type_data, msg_type_ );
....
}
Similar errors can be found in some other places:
- V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 683, 682. sc_report_handler.cpp 683
Snort
V575 The null pointer is passed into 'free' function. Inspect the first argument. sdf_us_ssn.c 202
/*
 * Excerpt flagged by V575: the allocation-failure path calls free() on the
 * pointer it has just found to be NULL.
 */
int ParseSSNGroups(....)
{
FILE *ssn_file;
char *contents;
....
contents = (char *)malloc(length + 1);
if (contents == NULL)
{
_dpd.logMsg("Sensitive Data preprocessor: Failed to allocate memory "
"for SSN groups.\n");
fclose(ssn_file);
/* contents is NULL in this branch, so this free() is a no-op and can go. */
free(contents);
return -1;
}
....
/* Normal path: the buffer is released before returning success. */
free(contents);
return 0;
}
Transmission
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 1142, 1139. jsonsl.c:1142
/*
 * Excerpt flagged by V575: allocates the JPR array and the jump table, then
 * writes to both without checking either allocation.
 */
void jsonsl_jpr_match_state_init(jsonsl_t jsn,
jsonsl_jpr_t *jprs,
size_t njprs)
{
size_t ii, *firstjmp;
....
/* Either allocation below may return NULL; the function returns void, so a
 * failure cannot currently be reported to the caller. */
jsn->jprs = (jsonsl_jpr_t *)malloc(sizeof(jsonsl_jpr_t) * njprs);
jsn->jpr_count = njprs;
/* NOTE(review): the size is a product of three values; confirm it cannot
 * wrap for the njprs / levels_max values callers pass. */
jsn->jpr_root = (size_t*)calloc(1, sizeof(size_t) * njprs * jsn->levels_max);
/* Undefined behaviour if jsn->jprs is NULL. */
memcpy(jsn->jprs, jprs, sizeof(jsonsl_jpr_t) * njprs);
/* Set the initial jump table values */
/* firstjmp aliases jpr_root, so the loop also writes through NULL if the
 * calloc above failed. */
firstjmp = jsn->jpr_root;
for (ii = 0; ii < njprs; ii++) {
firstjmp[ii] = ii+1;
}
}
LLVM/Clang
V575 [CWE-628, CERT-EXP37-C] The 'memset' function processes the pointer to enum type. Inspect the first argument. TargetLoweringBase.cpp 662
enum CondCode {
// Opcode N U L G E Intuitive operation
SETFALSE, // 0 0 0 0 Always false (always folded)
SETOEQ, // 0 0 0 1 True if ordered and equal
....
SETCC_INVALID // Marker value.
};
// Excerpt flagged by V575: tries to mark every entry of CCs as
// SETCC_INVALID by running memset over an array of enum values.
static void InitCmpLibcallCCs(ISD::CondCode *CCs) {
// memset stores its value argument into every *byte*. If CondCode is wider
// than one byte (its underlying type is not shown), each element ends up as
// that byte repeated, which is not SETCC_INVALID. An element-wise fill
// (a loop or std::fill) assigns the intended enumerator.
memset(CCs, ISD::SETCC_INVALID, sizeof(ISD::CondCode)*RTLIB::UNKNOWN_LIBCALL);
....
}
FlipperZero
V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. subghz_scene_save_name.c 22
/*
 * Excerpt flagged by V575: copies file_name into file_name_tmp with memcpy,
 * using strlen() as the length.
 */
void subghz_scene_save_name_on_enter(void* context) {
SubGhz* subghz = context;
....
/*
 * strlen() excludes the terminating '\0', so the terminator is not copied;
 * unless file_name_tmp was zeroed beforehand, later string reads can run
 * past the copied bytes. The length is also not compared with the capacity
 * of file_name_tmp (its declaration is not shown). Prefer a bounded string
 * copy that writes the terminator.
 */
memcpy(subghz->file_name_tmp, subghz->file_name, strlen(subghz->file_name));
....
}
Blender
V575 [CWE-628, CERT-EXP37-C] The 'memset' function processes '0' elements. Inspect the third argument. space_buttons.c 868
/*
 * Excerpt flagged by V575: truncates path at index i and tries to clear the
 * dropped tail, but the byte count is always 0.
 */
static void buttons_id_remap(....)
{
....
for (int i = 0; i < path->len; i++) {
switch (BKE_id_remapper_apply(....)) {
case ID_REMAP_RESULT_SOURCE_UNASSIGNED: {
/* len is overwritten with i before the tail length is computed ... */
path->len = i;
if (i != 0) {
/* ... so (path->len - i) is 0 and nothing is cleared; the old entries
 * stay in memory. Compute the count from the previous len, or move the
 * assignment after the memset. */
memset(&path->ptr[i], 0, sizeof(path->ptr[i]) * (path->len - i));
....
}
Blender
V575 [CWE-628, CERT-EXP37-C] The 'memmove' function processes '0' elements. Inspect the third argument. text_draw.cc 673
// Excerpt flagged by V575: the memmove length is drawcache->valid_tail, which
// was reset to 0 a few lines earlier.
static void space_text_update_drawcache(SpaceText *st,
const ARegion *region)
{
....
if (st->wordwrap)
{
....
if (drawcache->update)
{
// Both counters are cleared here.
drawcache->valid_tail = drawcache->valid_head = 0;
....
// Unless the elided lines assign valid_tail again, the length is 0 and no
// bytes are moved. Save the old tail length before the reset if the tail
// is meant to be preserved.
memmove(new_tail, old_tail, drawcache->valid_tail);
....
}
....
}
....
}
Blender
V575 [CWE-628, CERT-EXP37-C] The 'realloc' function processes '0' elements. Inspect the second argument. rigidbody.cc 1696
// Excerpt flagged by V575: when the world has no group, the object array is
// "emptied" with realloc(ptr, 0).
static void rigidbody_update_ob_array(RigidBodyWorld *rbw)
{
if (rbw->group == nullptr)
{
rbw->numbodies = 0;
// realloc with size 0 is implementation-defined (it may free the block and
// return NULL, or return a pointer that must not be dereferenced) and is
// undefined in C23. free() followed by an explicit nullptr assignment states
// the intent portably.
rbw->objects = static_cast<Object **>(realloc(rbw->objects, 0));
return;
}
....
}
LLVM/Clang
V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'memset' function. Inspect the first argument. MemRefUtils.h 194
// Excerpt flagged by V575: move-style assignment that takes over freeFunc and
// descriptor from `other`, then tries to clear other's descriptor.
// NOTE(review): as shown, `other` is declared const yet is assigned to, and
// the function has no return statement; confirm against the full header.
OwningMemRef &operator=(const OwningMemRef &&other) {
freeFunc = other.freeFunc;
descriptor = other.descriptor;
other.freeFunc = nullptr;
// Arguments are in the wrong order: the destination is a null pointer and
// the fill value is the descriptor's address. The intended call is
// memset(&other.descriptor, 0, sizeof(other.descriptor)).
memset(0, &other.descriptor, sizeof(other.descriptor));
}
GTK
V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'g_free' function. Inspect the first argument. gtkcssparser.c 189
/*
 * Excerpt flagged by V575: resolves url to a GFile; a URL with a scheme is
 * used as is, otherwise it is resolved relative to self->directory.
 */
gtk_css_parser_resolve_url (GtkCssParser *self,
const char *url)
{
char *scheme;
scheme = g_uri_parse_scheme (url);
if (scheme != NULL)
{
GFile *file = g_file_new_for_uri (url);
g_free (scheme);
return file;
}
/* scheme is NULL here (the non-NULL case returned above), so this call
 * releases nothing and can be removed. */
g_free (scheme); // <=
if (self->directory == NULL)
return NULL;
return g_file_resolve_relative_path (self->directory, url);
}
GZDoom
V575 The 'memset' function processes '0' elements. Inspect the third argument. info.cpp 518
// Excerpt flagged by V575: the else branch clears MetaSize bytes, but it is
// only reached when `MetaSize > 0` is false.
void PClassActor::InitializeDefaults()
{
....
// The guard tests this class's MetaSize while the copy length is
// ParentClass->MetaSize. NOTE(review): the guard presumably meant to test
// ParentClass->MetaSize; as written the copy length is also not bounded by
// MetaSize -- confirm against the allocation of Meta in the elided lines.
if (MetaSize > 0)
memcpy(Meta, ParentClass->Meta, ParentClass->MetaSize);
else
// MetaSize is not positive on this path, so no bytes are cleared.
memset(Meta, 0, MetaSize);
....
}
Dagor Engine
V575 The null pointer is passed into 'operator delete'. Inspect the argument. DagorEngine/prog/engine/scene/sh3LtMgr.cpp 435
// Builds an SH3LightingData from the stream `crd` and returns it. The object
// is constructed with placement new in storage obtained from memalloc().
SH3LightingData *SH3LightingData::loadBinary(IGenLoad &crd)
{
....
// NOTE(review): storage comes from memalloc(sz, midmem); whether a plain
// `delete` is the matching release for it is not visible here -- confirm.
SH3LightingData *data =
new (memalloc(sz, midmem), _NEW_INPLACE) SH3LightingData;
....
return data;
}
// Excerpt flagged by V575: loads lighting data and registers it under `id`;
// returns -1 when loading yields a null pointer.
int SH3LightingManager::loadLtDataBinary(IGenLoad &crd, unsigned id)
{
SH3LightingData *ltData = SH3LightingData::loadBinary(crd);
if (!ltData)
{
// ltData is null in this branch, so the delete does nothing; the failure
// path only needs the return.
delete ltData;
return -1;
}
return addLtData(ltData, id);
}
Dagor Engine
V575 The 'munmap' function processes '0' elements. Inspect the second argument. DagorEngine/prog/1stPartyLibs/daScript/src/builtin/module_builtin_fio.cpp 214
// Excerpt flagged by V575: the mapping created in the elided lines is released
// with a length of 0.
void builtin_map_file(const FILE* f,
const TBlock<void, TTemporary<TArray<uint8_t>>>& blk,
Context* context, LineInfoArg * at) {
....
// A length of 0 does not release the mapping (POSIX lets munmap fail with
// EINVAL in that case) and the return value is ignored, so the mapping stays
// in the address space. Pass the length used when the mapping was created.
munmap(data, 0);
}
iSulad
V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'free' function. Inspect the first argument. oci_import.c 75
/*
 * Excerpt flagged by V575: releases every owned member of desc and then desc
 * itself. A NULL desc is accepted and ignored.
 */
static void free_import_desc(import_desc *desc)
{
if (desc == NULL) {
return;
}
free(desc->manifest);
desc->manifest = NULL;
free(desc->manifest_digest);
desc->manifest_digest = NULL;
free(desc->config);
desc->config = NULL;
free(desc->config_digest);
desc->config_digest = NULL;
free(desc->uncompressed_digest); // <=
desc->uncompressed_digest = NULL; // <=
free(desc->compressed_digest);
desc->compressed_digest = NULL;
free(desc->tag);
desc->tag = NULL;
/*
 * uncompressed_digest was already freed and set to NULL above, so this pair
 * is a no-op. NOTE(review): a repeated pair in a list like this often stands
 * in for a different member; check the struct for a field that is never
 * freed.
 */
free(desc->uncompressed_digest); // <=
desc->uncompressed_digest = NULL; // <=
free(desc->layer_file);
desc->layer_file = NULL;
free(desc->layer_of_hold_refs);
desc->layer_of_hold_refs = NULL;
free(desc);
return;
}
iSulad
V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'free' function. Inspect the first argument. image.c 605
/*
 * Excerpt flagged by V575: releases every owned member of request and then
 * request itself. A NULL request is accepted and ignored.
 */
void free_im_prepare_request(im_prepare_request *request)
{
if (request == NULL) {
return;
}
free(request->image_name);
request->image_name = NULL;
free(request->container_id);
request->container_id = NULL;
free(request->rootfs);
request->rootfs = NULL;
free(request->image_type);
request->image_type = NULL;
free(request->mount_label); // <=
request->mount_label = NULL; // <=
/*
 * mount_label was freed and set to NULL on the two lines above, so this
 * second pair is a no-op. NOTE(review): check the struct for a member that
 * should have been freed here instead.
 */
free(request->mount_label); // <=
request->mount_label = NULL; // <=
free_json_map_string_string(request->storage_opt);
request->storage_opt = NULL;
free(request);
}
OpenVINO
V575 [CERT-EXP37-C] The null pointer is passed into 'move' function. Inspect the first argument. xml_parse_utils.hpp 249
// Excerpt flagged by V575: loads an XML document and returns it together with
// an error message; exceptions are turned into a result with no document.
inline ParseResult parse_xml(const char* file_path)
{
....
try
{
auto xml = std::unique_ptr<pugi::
xml_document>{new pugi::xml_document{}};
const auto error_msg = [&]() -> std::string {....}();
....
return {std::move(xml), error_msg};
}
catch (std::exception& e)
{
// std::move on the nullptr literal has nothing to move; a plain nullptr
// initialises the first member the same way and reads more clearly.
return {std::move(nullptr),std::string(
"Error loading XML file: ") + e.what()};
}
}
OpenVINO
V575 [CERT-EXP37-C] The null pointer is passed into 'operator delete'. Inspect the argument. w_dirent.h 94
// Excerpt flagged by V575: the destructor releases `next` and closes the
// find handle.
~DIR()
{
// The condition is inverted: delete runs only when next is null (a no-op),
// so a non-null next is never released. delete already accepts nullptr, so
// the check can simply be dropped.
if (!next)
delete next;
next = nullptr;
FindClose(hFind);
}
DPDK
V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2622
/*
 * Excerpt flagged by V575: in the plain SHA3 cases the state area is cleared
 * with memset before state1_size has been given its real value.
 */
int qat_sym_cd_auth_set(....)
{
....
/* state1_size starts at 0. */
uint16_t state1_size = 0, state2_size = 0, cd_extra_size = 0;
....
switch (cdesc->qat_hash_alg) {
....
case ICP_QAT_HW_AUTH_ALGO_SHA3_224:
/* Plain SHA3-224 */
/*
 * Unless the elided lines assign it earlier, state1_size is still 0 here,
 * so no bytes at cd_cur_ptr are cleared and the hash state keeps whatever
 * the buffer held before. Query the size first, then clear.
 */
memset(cdesc->cd_cur_ptr, 0, state1_size); // <= BUG N1
state1_size = qat_hash_get_state1_size(
cdesc->qat_hash_alg);
break;
case ICP_QAT_HW_AUTH_ALGO_SHA3_256:
/* Plain SHA3-256 */
/* Same ordering problem as the SHA3-224 case. */
memset(cdesc->cd_cur_ptr, 0, state1_size); // <= BUG N2
state1_size = qat_hash_get_state1_size(
cdesc->qat_hash_alg);
break;
case ICP_QAT_HW_AUTH_ALGO_SHA3_384:
/* Plain SHA3-384 */
/* Same ordering problem as the SHA3-224 case. */
memset(cdesc->cd_cur_ptr, 0, state1_size); // <= BUG N3
state1_size = qat_hash_get_state1_size(
cdesc->qat_hash_alg);
break;
case ICP_QAT_HW_AUTH_ALGO_SHA3_512:
/* Plain SHA3-512 */
/* Same ordering problem as the SHA3-224 case. */
memset(cdesc->cd_cur_ptr, 0, state1_size); // <= BUG N4
state1_size = qat_hash_get_state1_size(
cdesc->qat_hash_alg);
break;
....
}
....
}
Similar errors can be found in some other places:
- V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2628
- V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2634
- V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2640