Our website uses cookies to enhance your browsing experience.
Accept
to the top
>
>
>
Examples of errors detected by the V575…

Examples of errors detected by the V575 diagnostic

V575. Function receives suspicious argument.


G3D Content Pak

V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. graphics3D matrix4.cpp 269


bool Matrix4::operator==(const Matrix4& other) const {
  if (memcmp(this, &other, sizeof(Matrix4) == 0)) {
    return true;
  }
  ....
}

A parenthesis put in a wrong place. This is how it should be: if (memcmp(this, &other, sizeof(Matrix4)) == 0) {


Miranda IM

V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. clist_modern modern_image_array.cpp 59


static BOOL ImageArray_Alloc(LP_IMAGE_ARRAY_DATA iad, int size)
{
  ....
  memset(&iad->nodes[iad->nodes_allocated_size],
    (size_grow - iad->nodes_allocated_size) *
       sizeof(IMAGE_ARRAY_DATA_NODE),
    0);
  ....
}

Arguments are mixed up. This is what should have been written here: memset(&iad->nodes[iad->nodes_allocated_size], 0, (size_grow - iad->nodes_allocated_size) * sizeof(IMAGE_ARRAY_DATA_NODE));


ReactOS

V575 The 'memset' function processes value '8196'. Inspect the second argument. hal bios.c 427


#define RtlFillMemory(Destination, Length, Fill) \
  memset(Destination, Fill, Length)

#define IOPM_FULL_SIZE          8196

HalpRestoreIopm(VOID)
{
  ....
  RtlFillMemory(HalpSavedIoMap, 0xFF, IOPM_FULL_SIZE);
  ....
}

Arguments are mixed up. This is what should have been written here: RtlFillMemory(HalpSavedIoMap, IOPM_FULL_SIZE, 0xFF);


Doom 3

V575 The 'memset' function processes '0' elements. Inspect the third argument. DoomDLL win_shared.cpp 177


void Sys_GetCurrentMemoryStatus( sysMemoryStats_t &stats ) {
  ....
  memset( &statex, sizeof( statex ), 0 );
  ....
}

This is what should have been written here: memset( &statex, 0, sizeof( statex ) );


Mozilla Firefox

V575 The 'memcmp' function processes '0' elements. Inspect the third argument. pixman-image.c 520


pixman_bool_t
pixman_image_set_transform (....)
{
  memcmp (common->transform, transform,
          sizeof (pixman_transform_t) == 0))
}

This is what should have been written here: memcmp (common->transform, transform, sizeof (pixman_transform_t)) == 0)


Fennec Media

V575 The null pointer is passed into 'free' function. Inspect the first argument. settings interface.c 3096


int settings_proc_language_packs(....)
{
  ....
  case WM_DESTROY:
    if(mem_files)
    {
      mem_files = 0;
      sys_mem_free(mem_files);
    }
    EndDialog(hwnd,0);
    break;
  ....
}

ReactOS

V575 The null pointer is passed into 'wcscpy' function. Inspect the second argument. eventvwr.c 270


BOOL GetEventCategory(....)
{
  ....
  if (lpMsgBuf)
  {
    ....
  }
  else
  {
    wcscpy(CategoryName, (LPCWSTR)lpMsgBuf);
  }
  ....
}

ReactOS

V575 The null pointer is passed into 'strstr' function. Inspect the first argument. headless.c 263


VOID WinLdrSetupEms(IN PCHAR BootOptions)
{
  PCHAR RedirectPort;
  ....
  RedirectPort = strstr(RedirectPort, "com");
  if (RedirectPort)
  {
    ....
  }
  else
  {
    RedirectPort = strstr(RedirectPort, "usebiossettings");
  ....
}

ReactOS

V575 The null pointer is passed into '_wcsicmp' function. Inspect the first argument. misc.c 150


DWORD ParseReasonCode(LPCWSTR code)
{
  LPWSTR tmpPrefix = NULL;
  ....
  for (reasonptr = shutdownReason ;
       reasonptr->prefix ; reasonptr++)
  {
    if ((majorCode == reasonptr->major) &&
        (minorCode == reasonptr->minor) &&
        (_wcsicmp(tmpPrefix, reasonptr->prefix) != 0))
    {
      return reasonptr->flag;
    }
  }
  ....
}

Multi Theft Auto

V575 The null pointer is passed into 'memcpy' function. Inspect the second argument. cdirect3ddata.cpp 80


void CDirect3DData::GetTransform (
  D3DTRANSFORMSTATETYPE dwRequestedMatrix,
  D3DMATRIX * pMatrixOut)
{
  switch ( dwRequestedMatrix )
  {
    case D3DTS_VIEW:
      memcpy (pMatrixOut, &m_mViewMatrix, sizeof(D3DMATRIX));
      break;
    case D3DTS_PROJECTION:
      memcpy (pMatrixOut, &m_mProjMatrix, sizeof(D3DMATRIX));
      break;
    case D3DTS_WORLD:
      memcpy (pMatrixOut, &m_mWorldMatrix, sizeof(D3DMATRIX));
      break;
    default:
      // Zero out the structure for the user.
      memcpy (pMatrixOut, 0, sizeof(D3DMATRIX));   // <=
      break;
  }
  ....
}

A Copy-Paste error. Most likely this is what should be written here: memset(pMatrixOut, 0, sizeof(D3DMATRIX));.


Multi Theft Auto

V575 The 'memset' function processes value '512'. Inspect the second argument. crashhandler.cpp 499


#define RtlFillMemory(Destination,Length,Fill) \
  memset((Destination),(Fill),(Length))

#define FillMemory RtlFillMemory

LPCTSTR __stdcall GetFaultReason ( EXCEPTION_POINTERS * pExPtrs )
{
  ....
  PIMAGEHLP_SYMBOL pSym = (PIMAGEHLP_SYMBOL)&g_stSymbol ;
  FillMemory ( pSym , NULL , SYM_BUFF_SIZE ) ;
  ....
}

Most likely this is what should be written here: FillMemory ( pSym , SYM_BUFF_SIZE, 0 ) ;

Similar errors can be found in some other places:

  • V575 The 'memset' function processes '0' elements. Inspect the third argument. crashhandler.cpp 499
  • V575 The 'memset' function processes value '512'. Inspect the second argument. ccrashhandlerapi.cpp 503
  • V575 The 'memset' function processes '0' elements. Inspect the third argument. ccrashhandlerapi.cpp 503

Firebird

V575 The 'memset' function processes '0' elements. Inspect the third argument. perf.cpp 487


void FB_CARG Why::UtlInterface::getPerfCounters(
  ...., ISC_INT64* counters)
{
  unsigned n = 0;
  ....
  memset(counters, 0, n * sizeof(ISC_INT64));
  ....
}

Scilab

V575 The null pointer is passed into 'strlen' function. Inspect the first argument. splitline.c 107


char **splitLineCSV(....)
{
  ....
  if (retstr[curr_str] == NULL)
  {
    *toks = 0;
    FREE(substitutedstring);
    substitutedstring = NULL;
    freeArrayOfString(retstr, strlen(substitutedstring));
    return NULL;
  }
  ....
}

WinSCP

V575 The 'memset' function processes '0' elements. Inspect the third argument. messagedlg.cpp 786


TForm * __fastcall TMessageForm::Create(....)
{
  ....
  LOGFONT AFont;
  ....
  memset(&AFont, sizeof(AFont), 0);
  ....
}

Similar errors can be found in some other places:

  • V575 The 'memset' function processes '0' elements. Inspect the third argument. messagedlg.cpp 796

Miranda NG

V575 The 'strrchr' function processes value '10875'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 177


#define mir_strrchr(s,c) (((s)!=0)?strrchr((s),(c)):0)

BYTE CExImContactBase::fromIni(LPSTR& row)
{
  ....
  if (cchBuf > 10 && (p1 = mir_strrchr(pszBuf, '*{')) &&
      (p2 = mir_strchr(p1, '}*')) && p1 + 2 < p2) {
  ....
}

Similar errors can be found in some other places:

  • V575 The 'strchr' function processes value '32042'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 177
  • V575 The 'strrchr' function processes value '10812'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 182
  • V575 The 'strchr' function processes value '15914'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 182
  • And 8 additional diagnostic messages.

Miranda NG

V575 The 'memset' function processes '0' elements. Inspect the third argument. PluginUpdater dlgupdate.cpp 652


static int ScanFolder(....)
{
  ....
  __except (EXCEPTION_EXECUTE_HANDLER)
  {
    ZeroMemory(szMyHash, 0);
    // smth went wrong, reload a file from scratch
  }
  ....
}

Similar errors can be found in some other places:

  • V575 The 'memset' function processes '0' elements. Inspect the third argument. ShlExt shlipc.cpp 68

Miranda NG

V575 The null pointer is passed into 'fclose' function. Inspect the first argument. NimContact files.cpp 97


int savehtml(char* outFile)
{
  FILE* file = fopen(outFile, "w");
  if (!file)
  {
    fclose(file);
    return 0;
  }
  fprintf(file, "%s", szInfo);
  fclose(file);
  return 1;
}

Haiku Operation System

V575 The 'strchr' function processes value '2112800'. Inspect the second argument. CommandActuators.cpp 1517


extern char    *strchr(const char *string, int character);

SendMessageCommandActuator::
SendMessageCommandActuator(int32 argc, char** argv)
  :
  CommandActuator(argc, argv),
  fSignature((argc > 1) ? argv[1] : "")
{
  ....
  const char* arg = argv[i];
  BString argString(arg);
  const char* equals = strchr(arg, ' = ');  // <=
  ....
}

ReactOS

V575 Buffer's size in bytes should be passed to the 'memset' function as the third argument instead of the number of processed elements. solitaire.cpp 153


void UpdateStatusBar(void)
{
  TCHAR szStatusText[128];
  ....
  ZeroMemory(szStatusText,
             sizeof(szStatusText) / sizeof(TCHAR)); // <=
  ....
}

Open X-Ray Engine

V575 The null pointer is passed into 'fclose' function. Inspect the first argument. ogg_enc.cpp 47


ETOOLS_API int __stdcall ogg_enc(....)
{
  ....
  FILE *in, *out    = NULL;
  ....
  input_format    *format;
  ....
  in = fopen(in_fn, "rb");

  if(in == NULL)  return 0;

  format = open_audio_file(in, &enc_opts);
  if(!format){
    fclose(in);
    return 0;
  };

  out = fopen(out_fn, "wb");
  if(out == NULL){
    fclose(out);
    return 0;
  }
  ....
}

Open X-Ray Engine

V575 The 'memset' function processes '0' elements. Inspect the third argument. xrdebug.cpp 104


size_t xrDebug::BuildStackTrace(EXCEPTION_POINTERS* exPtrs,
                                char *buffer,
                                size_t capacity,
                                size_t lineCapacity)
{
  memset(buffer, capacity*lineCapacity, 0);
  ....
}

CryEngine V

V575 The 'memset' function processes '0' elements. Inspect the third argument. crythreadutil_win32.h 294


void EnableFloatExceptions(....)
{
  ....
  CONTEXT ctx;
  memset(&ctx, sizeof(ctx), 0);
  ....
}

GNU GRUB

V575 The null pointer is passed into 'fclose' function. Inspect the first argument. grub-mkpasswd-pbkdf2.c 184


Int main (int argc, char *argv[])
{
  ....
  {
    FILE *f;
    size_t rd;
    f = fopen ("/dev/urandom", "rb");
    if (!f)
    {
      memset (pass1, 0, sizeof (pass1));
      free (buf);
      free (bufhex);
      free (salthex);
      free (salt);
      fclose (f);                     // <=
      ....
    }
    ....
    fclose (f);
  }
  ....
}

Similar errors can be found in some other places:

  • V575 The null pointer is passed into 'free' function. Inspect the first argument. grub-setup.c 1187

Linux Kernel

V575 The 'strncasecmp' function processes '0' elements. Inspect the third argument. linux_wlan.c 1121


static int mac_ioctl(struct net_device *ndev,
                     struct ifreq *req,
                     int cmd)
{
  u8 *buff = NULL;
  s8 rssi;
  u32 size = 0, length = 0;
  struct wilc_vif *vif;
  s32 ret = 0;
  struct wilc *wilc;

  vif = netdev_priv(ndev);
  wilc = vif->wilc;

  if (!wilc->initialized)
    return 0;

  switch (cmd) {
  case SIOCSIWPRIV:
  {
    struct iwreq *wrq = (struct iwreq *)req;

    size = wrq->u.data.length;

    if (size && wrq->u.data.pointer) {
      buff = memdup_user(wrq->u.data.pointer,
                         wrq->u.data.length);
      if (IS_ERR(buff))
        return PTR_ERR(buff);

      if (strncasecmp(buff, "RSSI", length) == 0) {   // <=
        ....
      }
    }
  }
  ....
  }

done:

  kfree(buff);

  return ret;
}

CryEngine V

V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. SystemInit.cpp 4045


class CLvlRes_finalstep : public CLvlRes_base
{
  ....
  for (;; )
  {
    if (*p == '/' || *p == '\\' || *p == 0)
    {
      char cOldChar = *p;
      *p = 0; // create zero termination
      _finddata_t fd;

      bool bOk = FindFile(szFilePath, szFile, fd);

      if (bOk)
        assert(strlen(szFile) == strlen(fd.name));

      *p = cOldChar; // get back the old separator

      if (!bOk)
        return;

      memcpy((void*)szFile, fd.name, strlen(fd.name)); // <=

      if (*p == 0)
        break;

      ++p;
      szFile = p;
    }
    else ++p;
  }
  ....
}

Tizen

V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. wayland_panel_agent_module.cpp 1060


static char *
insert_text (const char *text, uint32_t offset,
             const char *insert)
{
  uint32_t tlen = strlen (text), ilen = strlen (insert);
  char *new_text = (char*)malloc (tlen + ilen + 1);
  if ((unsigned int) tlen < offset)
      offset = tlen;
  memcpy (new_text, text, offset);
  ....
}

Scilab

V575 The 'memset' function processes '0' elements. Inspect the third argument. win_mem_alloc.c 91


void *MyHeapAlloc(size_t dwSize, char *file, int line)
{
  LPVOID NewPointer = NULL;

  if (dwSize > 0)
  {
    _try
    {
      NewPointer = malloc(dwSize);
      NewPointer = memset (NewPointer, 0, dwSize);
    }
    _except (EXCEPTION_EXECUTE_HANDLER)
    {
    }
    ....
  }
  else
  {
    _try
    {
      NewPointer = malloc(dwSize);
      NewPointer = memset (NewPointer, 0, dwSize);
    }
    _except (EXCEPTION_EXECUTE_HANDLER)
    {
    }
  }
  return NewPointer;
}

EFL Core Libraries

V575 The 'memcmp' function processes '0' elements. Inspect the third argument. eina_simple_xml_parser.c 355


EAPI Eina_Bool
eina_simple_xml_parse(....)
{
  ....
  else if ((itr + sizeof("<!>") - 1 < itr_end) &&
            (!memcmp(itr + 2, "", sizeof("") - 1)))
  {
    type = EINA_SIMPLE_XML_DOCTYPE_CHILD;
    toff = sizeof("!") - 1;
  }
  ....
}

EFL Core Libraries

V575 The 'munmap' function processes '0' elements. Inspect the second argument. eina_evlog.c 117


static void
free_buf(Eina_Evlog_Buf *b)
{
   if (!b->buf) return;
   b->size = 0;
   b->top = 0;
# ifdef HAVE_MMAP
   munmap(b->buf, b->size);
# else
   free(b->buf);
# endif
   b->buf = NULL;
}

EFL Core Libraries

V575 The null pointer is passed into 'free' function. Inspect the first argument. edje_entry.c 2306


static void
_edje_key_down_cb(....)
{
  ....
  char *compres = NULL, *string = (char *)ev->string;
  ....
  if (compres)
  {
    string = compres;
    free_string = EINA_TRUE;
  }
  else free(compres);
  ....
}

Similar errors can be found in some other places:

  • V575 The null pointer is passed into 'free' function. Inspect the first argument. efl_ui_internal_text_interactive.c 1022
  • V575 The null pointer is passed into 'free' function. Inspect the first argument. edje_cc_handlers.c 15962

EFL Core Libraries

V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. edje_pick.c 595


static void
_edje_pick_header_alias_parent_add(....)
{
  Edje_Part_Collection_Directory_Entry *ce_cor, *ce_new, *ce_f;
  ....
  ce_new = malloc(sizeof(*ce_new));
  memcpy(ce_new, ce_cor, sizeof(*ce_new));
  ....
}

Similar errors can be found in some other places:

  • V575 The potential null pointer is passed into 'strrchr' function. Inspect the first argument. types_generator.c 40
  • V575 The potential null pointer is passed into 'strchr' function. Inspect the first argument. docs_generator.c 243
  • V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. eina_unicode.c 119
  • And 54 additional diagnostic messages.

Aspell

V575 The potential null pointer is passed into 'memmove' function. Inspect the first argument. string.hpp 54


void assign_only_nonnull(const char * b, unsigned size)
{
  begin_ = (char *)malloc(size + 1);
  memmove(begin_, b, size);
  end_   = begin_ + size;
  storage_end_ = end_ + 1;
}

Similar errors can be found in some other places:

  • V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. error.cpp 28
  • V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. error.cpp 40
  • V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. new_filter.cpp 300
  • And 2 additional diagnostic messages.

Enlightenment

V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. e_info_server.c 3165


static E_Info_Transform*
_e_info_transform_new(....)
{
  E_Info_Transform *result = NULL;
  result = _e_info_transform_find(ec, id);

  if (!result)
  {
    result = (E_Info_Transform*)malloc(sizeof(E_Info_Transform));
    memset(result, 0, sizeof(E_Info_Transform));
  ....
}

Tizen

V575 The potential null pointer is passed into 'strlen' function. Inspect the first argument. image_util_decode_encode_testsuite.c 207


int main(int argc, char *argv[])
{
  ....
  char *temp1 = strstr(dp->d_name, "-");
  char *temp2 = strstr(dp->d_name, ".");

  strncpy(temp_filename, dp->d_name, strlen(dp->d_name) -
                                     strlen(temp1));
  strncpy(file_format, temp2, strlen(temp2));
  ....
}

Similar errors can be found in some other places:

  • V575 The potential null pointer is passed into 'strlen' function. Inspect the first argument. image_util_decode_encode_testsuite.c 208
  • V575 The null pointer is passed into 'free' function. Inspect the first argument. edit.c 2823
  • V575 The null pointer is passed into 'free' function. Inspect the first argument. apps_data_db.c 300
  • And 10 additional diagnostic messages.

Ardour

V575 The 'substr' function processes '-1' elements. Inspect the second argument. meter_strip.cc 491


void
MeterStrip::set_tick_bar (int m)
{
  std::string n;
  _tick_bar = m;
  if (_tick_bar & 1) {
    n = meter_ticks1_area.get_name();
    if (n.substr(0,3) != "Bar") {
      meter_ticks1_area.set_name("Bar" + n);
    }
  } else {
    n = meter_ticks1_area.get_name();
    if (n.substr(0,3) == "Bar") {
      meter_ticks1_area.set_name(n.substr(3,-1)); // <=
    }
  }
  if (_tick_bar & 2) {
    n = meter_ticks2_area.get_name();
    if (n.substr(0,3) != "Bar") {
      meter_ticks2_area.set_name("Bar" + n);
    }
  } else {
    n = meter_ticks2_area.get_name();
    if (n.substr(0,3) == "Bar") {
      meter_ticks2_area.set_name(n.substr(3,-1)); // <=
    }
  }
}

string substr (size_t pos = 0, size_t len = npos) const;


Firebird

V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1106, 1105. iscguard.cpp 1106


static void write_log(int log_action, const char* buff)
{
  ....
  log_info* tmp =
    static_cast<log_info*>(malloc(sizeof(log_info)));
  memset(tmp, 0, sizeof(log_info));
  ....
}

MySQL

V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 43, 42. gcs_xcom_state_exchange.cc 43


Xcom_member_state::Xcom_member_state(....)
{
  ....
  m_data_size= data_size;
  m_data=
    static_cast<uchar *>(malloc(sizeof(uchar) * m_data_size));
  memcpy(m_data, data, m_data_size);
  ....
}

MySQL

V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. control_events.cpp 830


View_change_event::View_change_event(char* raw_view_id)
  : Binary_log_event(VIEW_CHANGE_EVENT),
    view_id(), seq_number(0), certification_info()
{
  memcpy(view_id, raw_view_id, strlen(raw_view_id));
}

PostgreSQL Database Management System

V575 The potential null pointer is passed into 'strncpy' function. Inspect the first argument. Check lines: 66, 65. pg_regress_ecpg.c 66


static void
ecpg_filter(const char *sourcefile, const char *outfile)
{
  ....
  n = (char *) malloc(plen);
  StrNCpy(n, p + 1, plen);
  ....
}

PostgreSQL Database Management System

V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. informix.c 677


int
intoasc(interval * i, char *str)
{
  char  *tmp;

  errno = 0;
  tmp = PGTYPESinterval_to_asc(i);

  if (!tmp)
    return -errno;

  memcpy(str, tmp, strlen(tmp));
  free(tmp);
  return 0;
}

Chromium

V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. dns_config_service_win.cc 134


std::unique_ptr<IP_ADAPTER_ADDRESSES, base::FreeDeleter>
ReadIpHelper(ULONG flags) {
  ....
  std::unique_ptr<IP_ADAPTER_ADDRESSES, base::FreeDeleter> out;
  ....
  out.reset(static_cast<PIP_ADAPTER_ADDRESSES>(malloc(len)));
  memset(out.get(), 0, len);
  ....
}

There is no protection if the malloc function returns a null pointer.

Similar errors can be found in some other places:

  • V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 129, 127. nacl_validation_query.cc 129

V8 JavaScript Engine

V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 327


void i::V8::FatalProcessOutOfMemory(const char* location,
                                    bool is_heap_oom) {
  ....
  memset(last_few_messages, 0x0BADC0DE,
         Heap::kTraceRingBufferSize + 1);
  memset(js_stacktrace, 0x0BADC0DE,
         Heap::kStacktraceBufferSize + 1);
  memset(&heap_stats, 0xBADC0DE, sizeof(heap_stats));
  ....
}

Memory will not be filled with 0xBADC0DE constant but with the value 0xDE.

Similar errors can be found in some other places:

  • V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 328
  • V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 329

OpenVR

V575 CWE-628 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 35, 34. dirtools_public.cpp 35


bool BCreateDirectoryRecursive( const char *pchPath )
{
  ....
  int len = (int)strlen( pchPath );
  char *path = (char *)malloc( len + 1 );
  strcpy( path, pchPath );
  ....
}

There is no protection if the malloc function returns a null pointer.


SwiftShader

V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 102, 101. bitvector.h 102


BitVector(const BitVector &RHS) : Size(RHS.size()) {
  ....
  Bits = (BitWord *)std::malloc(Capacity * sizeof(BitWord));
  std::memcpy(Bits, RHS.Bits, Capacity * sizeof(BitWord));
}

There is no protection if the malloc function returns a null pointer.

Similar errors can be found in some other places:

  • V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 440, 439. bitvector.h 440
  • V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 31, 28. smallvector.cpp 31

Yasm

V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 134, 129. dfa.c 134


DFA *
DFA_new(Ins *ins, unsigned int ni, unsigned int lb,
        unsigned int ub, Char *rep)
{
  DFA *d = malloc(sizeof(DFA));
  Ins **work = malloc(sizeof(Ins*)*(ni+1));
  unsigned int nc = ub - lb;
  GoTo *goTo = malloc(sizeof(GoTo)*nc);          // <=
  Span *span = malloc(sizeof(Span)*nc);

  d->lbChar = lb;
  d->ubChar = ub;
  memset((char*) goTo, 0, nc*sizeof(GoTo));      // <=
  ....
}

There is no protection if the malloc function returns a null pointer.

Similar errors can be found in some other places:

  • V575 CWE-628 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 81, 80. genmodule.c 81
  • V575 CWE-628 The potential null pointer is passed into 'fgets' function. Inspect the first argument. Check lines: 76, 59. genmacro.c 76
  • V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 83, 82. main.c 83
  • And 8 additional diagnostic messages.

WebRTC

V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 154, 153. resampler.cc 154


int Resampler::Reset(int inFreq, int outFreq,
                     size_t num_channels) {
  ....
  state1_ = malloc(8 * sizeof(int32_t));
  memset(state1_, 0, 8 * sizeof(int32_t));
  ....
}

There is no protection if the malloc function returns a null pointer.

Similar errors can be found in some other places:

  • V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 167, 166. resampler.cc 167
  • V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 237, 236. resampler.cc 237

Android

V575 CWE-628 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 47, 46. libxt_tcp.c 47


static void
parse_tcp_ports(const char *portstring, uint16_t *ports)
{
  char *buffer;
  char *cp;

  buffer = strdup(portstring);
  if ((cp = strchr(buffer, ':')) == NULL)
  ....
}

Similar errors can be found in some other places:

  • V575 CWE-628 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 74, 72. libxt_sctp.c 74
  • V575 CWE-628 The potential null pointer is passed into 'strcasecmp' function. Inspect the first argument. Check lines: 171, 166. libxt_sctp.c 171
  • V575 CWE-628 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 111, 110. libip6t_mh.c 111
  • And 79 additional diagnostic messages.

Vangers: One For The Road

V575 CWE-628 The potential null pointer is passed into 'strdup' function. Inspect the first argument. ivmap.cpp 309


char* iGetMergedName(char *name, char *path)
{
  ....
  return strdup(out.c_str());
}

void ivrtMap::fileLoad(void)
{
  analyzeINI(iniName);
  iYSetup();

  XBuffer buf;
  buf < fileName < (isCompressed ? ".vmc" : ".vmp");
  std::string sbuf = strdup(iGetMergedName(buf.GetBuf(), iniName)), sbuf2;
  int startR = sbuf.find("reso");
  sbuf2 = sbuf.substr(startR, sbuf.size() - startR);
  fname = strdup(sbuf2.c_str());
}

Similar errors can be found in some other places:

  • V575 CWE-628 The potential null pointer is passed into 'strlen' function. Inspect the first argument. Check lines: 2156, 2155. road.cpp 2156
  • V575 CWE-628 The potential null pointer is passed into 'strlen' function. Inspect the first argument. Check lines: 810, 809. vmap.cpp 810
  • V575 CWE-628 The potential null pointer is passed into 'strlen' function. Inspect the first argument. Check lines: 813, 812. vmap.cpp 813

Qt

V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 406, 405. harfbuzz-thai.c 406


static void HB_ThaiAssignAttributes(....)
{
  ....
  int *break_positions = 0;
  ....
  break_positions = (int*) malloc (sizeof(int) * len);
  memset (break_positions, 0, sizeof(int) * len);
  ....
}

Similar errors can be found in some other places:

  • V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 2432, 2430. qbytearray.cpp 2432
  • V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 2438, 2436. qbytearray.cpp 2438
  • V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 2553, 2551. qstring.cpp 2553
  • And 9 additional diagnostic messages.

FreeRDP

V575 The null pointer is passed into 'free' function. Inspect the first argument. smartcard_pcsc.c 875


WINSCARDAPI LONG WINAPI PCSC_SCardListReadersW(
  SCARDCONTEXT hContext,
  LPCWSTR mszGroups,
  LPWSTR mszReaders,
  LPDWORD pcchReaders)
{
  LPSTR mszGroupsA = NULL;
  ....
  mszGroups = NULL; /* mszGroups is not supported by pcsc-lite */

  if (mszGroups)
    ConvertFromUnicode(CP_UTF8,0, mszGroups, -1,
                       (char**) &mszGroupsA, 0,
                       NULL, NULL);

  status = PCSC_SCardListReaders_Internal(hContext, mszGroupsA,
                                          (LPSTR) &mszReadersA,
                                          pcchReaders);

  if (status == SCARD_S_SUCCESS)
  {
    ....
  }

  free(mszGroupsA);
  ....
}

Similar errors can be found in some other places:

  • V575 The null pointer is passed into 'free' function. Inspect the first argument. license.c 790
  • V575 The null pointer is passed into 'free' function. Inspect the first argument. rdpsnd_alsa.c 575

Haiku Operation System

V575 The null pointer is passed into 'free' function. Inspect the first argument. setmime.cpp 727


void
MimeType::_PurgeProperties()
{
  fShort.Truncate(0);
  fLong.Truncate(0);
  fPrefApp.Truncate(0);
  fPrefAppSig.Truncate(0);
  fSniffRule.Truncate(0);

  delete fSmallIcon;
  fSmallIcon = NULL;

  delete fBigIcon;
  fBigIcon = NULL;

  fVectorIcon = NULL;
  free(fVectorIcon);

  fExtensions.clear();
  fAttributes.clear();
}

Haiku Operation System

V575 The null pointer is passed into 'free' function. Inspect the first argument. driver_settings.cpp 461


static settings_handle *
load_driver_settings_from_file(int file, const char *driverName)
{
  ....
  handle = new_settings(text, driverName);
  if (handle != NULL) {
    // everything went fine!
    return handle;
  }

  free(handle);
  ....
}

Similar errors can be found in some other places:

  • V575 The null pointer is passed into 'free' function. Inspect the first argument. driver_settings.cpp 427

Haiku Operation System

V575 The null pointer is passed into 'free' function. Inspect the first argument. PackageFileHeapWriter.cpp 166


void* _GetBuffer()
{
  ....
  void* buffer = malloc(fBufferSize);
  if (buffer == NULL && !fBuffers.AddItem(buffer)) {
    free(buffer);
    throw std::bad_alloc();
  }
  return buffer;
}

Celestia

V575 The 'memset' function processes '0' elements. Inspect the third argument. winmain.cpp 2235


static void BuildScriptsMenu(HMENU menuBar, const fs::path& scriptsDir)
{
  ....
  MENUITEMINFO info;
  memset(&info, sizeof(info), 0);
  info.cbSize = sizeof(info);
  info.fMask = MIIM_SUBMENU;
  ....
}

Kodi

V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 39, 38. DVDOverlayImage.h:39


CDVDOverlayImage(const CDVDOverlayImage& src)
    : CDVDOverlay(src)
{
  Data = (uint8_t*)malloc(src.linesize * src.height);
  memcpy(data, src.data, src.linesize * src.height); // <=
  if(src.palette)
  {
    palette = (uint32_t*)malloc(src.palette_colors * 4);
    memcpy(palette, src.palette, src.palette_colors * 4); // <=
  }
  ....
}

Similar errors can be found in some other places:

  • V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 44, 43. DVDOverlayImage.h:44

Zephyr

V575 [CWE-628] The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. shell.c 427


static char *mntpt_prepare(char *mntpt)
{
  char *cpy_mntpt;

  cpy_mntpt = k_malloc(strlen(mntpt) + 1);
  if (cpy_mntpt) {
    ((u8_t *)mntpt)[strlen(mntpt)] = '\0';
    memcpy(cpy_mntpt, mntpt, strlen(mntpt));
  }
  return cpy_mntpt;
}

Command & Conquer

V575 The 'memset' function processes '0' elements. Inspect the third argument. DLLInterface.cpp 1103


void* __cdecl memset(
  _Out_writes_bytes_all_(_Size) void*  _Dst,
  _In_                          int    _Val,
  _In_                          size_t _Size
);

extern "C" __declspec(dllexport) bool __cdecl CNC_Read_INI(....)
{
  ....
  memset(ini_buffer, _ini_buffer_size, 0);
  ....
}

Similar errors can be found in some other places:

  • V575 The 'memset' function processes '0' elements. Inspect the third argument. DLLInterface.cpp 1404

PMDK

V575 [CWE-628] The 'memmove' function processes '0' elements. Inspect the third argument. memmove_common.c 82


void
do_memmove(char *dst, char *src, const char *file_name,
    size_t dest_off, size_t src_off, size_t bytes,
    memmove_fn fn, unsigned flags, persist_fn persist)
{
  ....
  /* do the same using regular memmove and verify that buffers match */
  memmove(dstshadow + dest_off, srcshadow + src_off, 0);
  verify_contents(file_name, 2, dstshadow, dst, bytes);
  verify_contents(file_name, 3, srcshadow, src, bytes);
  ....
}

PMDK

V575 [CWE-628] The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. writer.c 41


#define MAX_BUF_LEN 10

struct my_root {
  char buf[MAX_BUF_LEN];
};

int
main(int argc, char *argv[])
{
  ....
  struct my_root *rootp = pmemobj_direct(root);
  char buf[MAX_BUF_LEN] = {0};
  ....
  TX_BEGIN(pop) {
    pmemobj_tx_add_range(root, 0, sizeof(struct my_root));
    memcpy(rootp->buf, buf, strlen(buf));
  } TX_END
  ....
}

PMDK

V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 340, 338. rtree_map.c 340


static void
remove_extra_node(TOID(struct tree_map_node) *node)
{
  ....
  unsigned char *new_key = (unsigned char *)malloc(new_key_size);
  assert(new_key != NULL);
  memcpy(new_key, D_RO(tmp)->key, D_RO(tmp)->key_size);
  ....
}

Similar errors can be found in some other places:

  • V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 133, 127. clo_vec.cpp 133
  • V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 187, 184. clo_vec.cpp 187
  • V575 [CWE-628] The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 446, 439. clo.cpp 446
  • And 2 additional diagnostic messages.

Qemu

V575 The 'strerror_s' function processes '0' elements. Inspect the second argument. commands-win32.c 1642


void qmp_guest_set_time(bool has_time, int64_t time_ns,
                        Error **errp)
{
  ....
  if (GetLastError() != 0) {
    strerror_s((LPTSTR) & msg_buffer, 0, errno);
    ....
  }
}

DeepSpeech

V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 73, 68. modelstate.cc 73


Metadata*
ModelState::decode_metadata(const DecoderState& state,
                            size_t num_results)
{
  ....
  Metadata* ret = (Metadata*)malloc(sizeof(Metadata));
  ....
  memcpy(ret, &metadata, sizeof(Metadata));
  return ret;
}

Espressif IoT Development Framework

V575 The null pointer is passed into 'free' function. Inspect the first argument. sae.c 1185


static int sae_parse_password_identifier(struct sae_data *sae,
           const u8 *pos, const u8 *end)
{
  wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame",
        pos, end - pos);
  if (!sae_is_password_id_elem(pos, end)) {
    if (sae->tmp->pw_id) {
      wpa_printf(MSG_DEBUG,
           "SAE: No Password Identifier included, but expected one (%s)",
           sae->tmp->pw_id);
      return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
    }
    os_free(sae->tmp->pw_id);
    sae->tmp->pw_id = NULL;
    return WLAN_STATUS_SUCCESS; /* No Password Identifier */
  }
  ....
}

Qt

V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 277, 276. qqmlprofilerevent_p.h 277


void assignData(const QQmlProfilerEvent &other)
{
  if (m_dataType & External) {
    uint length = m_dataLength * (other.m_dataType / 8);
    m_data.external = malloc(length);                          // <=
    memcpy(m_data.external, other.m_data.external, length);    // <=
  } else {
    memcpy(&m_data, &other.m_data, sizeof(m_data));
  }
}

Similar errors can be found in some other places:

  • V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 290, 287. qobject_p.h 290
  • V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 3104, 3103. qmetaobject.cpp 3104
  • V575 [CWE-628] The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1486, 1485. qmetaobjectbuilder.cpp 1486
  • And 21 additional diagnostic messages.

SystemC

V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 487, 486. sc_report_handler.cpp 487


sc_msg_def * sc_report_handler::add_msg_type(const char * msg_type_)
{
  ....
  items->md->msg_type_data = (char*) malloc(msg_type_len+1);
  strcpy( items->md->msg_type_data, msg_type_ );
  ....
}

Similar errors can be found in some other places:

  • V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 683, 682. sc_report_handler.cpp 683

Snort

V575 The null pointer is passed into 'free' function. Inspect the first argument. sdf_us_ssn.c 202


int ParseSSNGroups(....)
{
  FILE *ssn_file;
  char *contents;
  ....
  contents = (char *)malloc(length + 1);
  if (contents == NULL)
  {
    _dpd.logMsg("Sensitive Data preprocessor: Failed to allocate memory "
      "for SSN groups.\n");

    fclose(ssn_file);
    free(contents);
    return -1;
  }
  ....
  free(contents);
  return 0;
}

Transmission

V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 1142, 1139. jsonsl.c:1142


void jsonsl_jpr_match_state_init(jsonsl_t jsn,
                                 jsonsl_jpr_t *jprs,
                                 size_t njprs)
{
  size_t ii, *firstjmp;
  ....
  jsn->jprs = (jsonsl_jpr_t *)malloc(sizeof(jsonsl_jpr_t) * njprs);
  jsn->jpr_count = njprs;
  jsn->jpr_root = (size_t*)calloc(1, sizeof(size_t) * njprs * jsn->levels_max);
  memcpy(jsn->jprs, jprs, sizeof(jsonsl_jpr_t) * njprs);

  /* Set the initial jump table values */
  firstjmp = jsn->jpr_root;
  for (ii = 0; ii < njprs; ii++) {
    firstjmp[ii] = ii+1;
  }
}

LLVM/Clang

V575 [CWE-628, CERT-EXP37-C] The 'memset' function processes the pointer to enum type. Inspect the first argument. TargetLoweringBase.cpp 662


enum CondCode {
  // Opcode       N U L G E       Intuitive operation
  SETFALSE, //      0 0 0 0       Always false (always folded)
  SETOEQ,   //      0 0 0 1       True if ordered and equal
  ....
  SETCC_INVALID // Marker value.
};

static void InitCmpLibcallCCs(ISD::CondCode *CCs) {
  memset(CCs, ISD::SETCC_INVALID, sizeof(ISD::CondCode)*RTLIB::UNKNOWN_LIBCALL);
  ....
}

FlipperZero

V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. subghz_scene_save_name.c 22


void subghz_scene_save_name_on_enter(void* context) {
  SubGhz* subghz = context;
  ....
  memcpy(subghz->file_name_tmp, subghz->file_name, strlen(subghz->file_name));
  ....
}

Blender

V575 [CWE-628, CERT-EXP37-C] The 'memset' function processes '0' elements. Inspect the third argument. space_buttons.c 868


static void buttons_id_remap(....)
{
  ....
  for (int i = 0; i < path->len; i++) {
    switch (BKE_id_remapper_apply(....)) {
      case ID_REMAP_RESULT_SOURCE_UNASSIGNED: {
        path->len = i;
        if (i != 0) {
          memset(&path->ptr[i], 0, sizeof(path->ptr[i]) * (path->len - i));
  ....
}

Blender

V575 [CWE-628, CERT-EXP37-C] The 'memmove' function processes '0' elements. Inspect the third argument. text_draw.cc 673


static void space_text_update_drawcache(SpaceText *st,
                                        const ARegion *region)
{
  ....
  if (st->wordwrap)
  {
    ....
    if (drawcache->update)
    {
      drawcache->valid_tail = drawcache->valid_head = 0;
      ....
      memmove(new_tail, old_tail, drawcache->valid_tail);
      ....
    }
    ....
  }
  ....
}

Blender

V575 [CWE-628, CERT-EXP37-C] The 'realloc' function processes '0' elements. Inspect the second argument. rigidbody.cc 1696


static void rigidbody_update_ob_array(RigidBodyWorld *rbw)
{
  if (rbw->group == nullptr)
  {
    rbw->numbodies = 0;
    rbw->objects = static_cast<Object **>(realloc(rbw->objects, 0));
    return;
  }
  ....
}

LLVM/Clang

V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'memset' function. Inspect the first argument. MemRefUtils.h 194


OwningMemRef &operator=(const OwningMemRef &&other) {
  freeFunc = other.freeFunc;
  descriptor = other.descriptor;
  other.freeFunc = nullptr;
  memset(0, &other.descriptor, sizeof(other.descriptor));
}

GTK

V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'g_free' function. Inspect the first argument. gtkcssparser.c 189


gtk_css_parser_resolve_url (GtkCssParser *self,
                            const char   *url)
{
  char *scheme;

  scheme = g_uri_parse_scheme (url);
  if (scheme != NULL)
    {
      GFile *file = g_file_new_for_uri (url);
      g_free (scheme);
      return file;
    }
  g_free (scheme);                               // <=

  if (self->directory == NULL)
    return NULL;

  return g_file_resolve_relative_path (self->directory, url);
}

GZDoom

V575 The 'memset' function processes '0' elements. Inspect the third argument. info.cpp 518


void PClassActor::InitializeDefaults()
{
  ....
  if (MetaSize > 0)
   memcpy(Meta, ParentClass->Meta, ParentClass->MetaSize);
  else
   memset(Meta, 0, MetaSize);
  ....
}

Dagor Engine

V575 The null pointer is passed into 'operator delete'. Inspect the argument. DagorEngine/prog/engine/scene/sh3LtMgr.cpp 435


SH3LightingData *SH3LightingData::loadBinary(IGenLoad &crd)
{
  ....
  SH3LightingData *data =
      new (memalloc(sz, midmem), _NEW_INPLACE) SH3LightingData;
  ....
  return data;
}

int SH3LightingManager::loadLtDataBinary(IGenLoad &crd, unsigned id)
{
  SH3LightingData *ltData = SH3LightingData::loadBinary(crd);
  if (!ltData)
  {
    delete ltData;
    return -1;
  }
  return addLtData(ltData, id);
}

Dagor Engine

V575 The 'munmap' function processes '0' elements. Inspect the second argument. DagorEngine/prog/1stPartyLibs/daScript/src/builtin/module_builtin_fio.cpp 214


void builtin_map_file(const FILE* f,
                      const TBlock<void, TTemporary<TArray<uint8_t>>>& blk,
                      Context* context, LineInfoArg * at) {
  ....
  munmap(data, 0);
}

iSulad

V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'free' function. Inspect the first argument. oci_import.c 75


static void free_import_desc(import_desc *desc)
{
    if (desc == NULL) {
        return;
    }

    free(desc->manifest);
    desc->manifest = NULL;
    free(desc->manifest_digest);
    desc->manifest_digest = NULL;
    free(desc->config);
    desc->config = NULL;
    free(desc->config_digest);
    desc->config_digest = NULL;
    free(desc->uncompressed_digest);      // <=
    desc->uncompressed_digest = NULL;     // <=
    free(desc->compressed_digest);
    desc->compressed_digest = NULL;
    free(desc->tag);
    desc->tag = NULL;
    free(desc->uncompressed_digest);      // <=
    desc->uncompressed_digest = NULL;     // <=
    free(desc->layer_file);
    desc->layer_file = NULL;
    free(desc->layer_of_hold_refs);
    desc->layer_of_hold_refs = NULL;

    free(desc);

    return;
}

iSulad

V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'free' function. Inspect the first argument. image.c 605


void free_im_prepare_request(im_prepare_request *request)
{
    if (request == NULL) {
        return;
    }

    free(request->image_name);
    request->image_name = NULL;
    free(request->container_id);
    request->container_id = NULL;
    free(request->rootfs);
    request->rootfs = NULL;
    free(request->image_type);
    request->image_type = NULL;
    free(request->mount_label);      // <=
    request->mount_label = NULL;     // <=

    free(request->mount_label);      // <=
    request->mount_label = NULL;     // <=

    free_json_map_string_string(request->storage_opt);
    request->storage_opt = NULL;

    free(request);
}

OpenVINO

V575 [CERT-EXP37-C] The null pointer is passed into 'move' function. Inspect the first argument. xml_parse_utils.hpp 249


inline ParseResult parse_xml(const char* file_path)
{
  ....
  try
  {
    auto xml = std::unique_ptr<pugi::
                       xml_document>{new pugi::xml_document{}};
    const auto error_msg = [&]() -> std::string {....}();
    ....
    return {std::move(xml), error_msg};
  }
  catch (std::exception& e)
  {
    return {std::move(nullptr),std::string(
                       "Error loading XML file: ") + e.what()};
  }
}

OpenVINO

V575 [CERT-EXP37-C] The null pointer is passed into 'operator delete'. Inspect the argument. w_dirent.h 94


~DIR()
{
  if (!next)
    delete next;
  next = nullptr;
  FindClose(hFind);
}

DPDK

V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2622


int qat_sym_cd_auth_set(....)
{
  ....
  uint16_t state1_size = 0, state2_size = 0, cd_extra_size = 0;
  ....
  switch (cdesc->qat_hash_alg) {
  ....
  case ICP_QAT_HW_AUTH_ALGO_SHA3_224:
    /* Plain SHA3-224 */
    memset(cdesc->cd_cur_ptr, 0, state1_size);  // <= BUG N1
    state1_size = qat_hash_get_state1_size(
        cdesc->qat_hash_alg);
    break;
  case ICP_QAT_HW_AUTH_ALGO_SHA3_256:
    /* Plain SHA3-256 */
    memset(cdesc->cd_cur_ptr, 0, state1_size);  // <= BUG N2
    state1_size = qat_hash_get_state1_size(
        cdesc->qat_hash_alg);
    break;
  case ICP_QAT_HW_AUTH_ALGO_SHA3_384:
    /* Plain SHA3-384 */
    memset(cdesc->cd_cur_ptr, 0, state1_size);  // <= BUG N3
    state1_size = qat_hash_get_state1_size(
        cdesc->qat_hash_alg);
    break;
  case ICP_QAT_HW_AUTH_ALGO_SHA3_512:
    /* Plain SHA3-512 */
    memset(cdesc->cd_cur_ptr, 0, state1_size);  // <= BUG N4
    state1_size = qat_hash_get_state1_size(
        cdesc->qat_hash_alg);
    break;
  ....
  }
  ....
}

Similar errors can be found in some other places:

  • V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2628
  • V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2634
  • V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2640

close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam