Our website uses cookies to enhance your browsing experience.
Accept
to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam

Webinar: Evaluation - 05.12

>
>
>
Examples of errors detected by the V769…

Examples of errors detected by the V769 diagnostic

V769. The pointer in the expression equals nullptr. The resulting value is meaningless and should not be used.


Tor

V769 The 'strchr(cp, ':')' pointer in the 'strchr(cp, ':') + 2' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. dns.c 163


static void
evdns_log_cb(int warn, const char *msg)
{
  ....
  const char *err = strchr(cp, ':')+2;
  tor_assert(err);
  ....
}

Aspell

V769 The 'strchr(s, ':')' pointer in the 'strchr(s, ':') + 1' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. posib_err.cpp 52


PosibErrBase & PosibErrBase::set(....)
{
  ....
  s = strchr(s, ':') + 1;
  unsigned int ip = *s - '0' - 1;
  ....
}

Similar errors can be found in some other places:

  • V769 The 'begin_' pointer in the 'begin_ + old_size' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. string.cpp 36
  • V769 The 'w->data' pointer in the 'w->data + cc' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. typo_editdist.cpp 166
  • V769 The '(cur)->str' pointer in the '(cur)->str + pos' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. prezip.c 103
  • And 1 additional diagnostic messages.

EFL Core Libraries

V769 The 'ed->file->sound_dir->samples' pointer in the expression could be nullptr. In such case, resulting value of arithmetic operations on this pointer will be senseless and it should not be used. edje_edit.c 1271


EAPI Eina_Bool
edje_edit_sound_sample_add(Evas_Object *obj, const char *name,
                           const char *snd_src)
{
   ....
   ed->file->sound_dir->samples =
     realloc(ed->file->sound_dir->samples,
             sizeof(Edje_Sound_Sample) *
             ed->file->sound_dir->samples_count);

   sound_sample = ed->file->sound_dir->samples +
     ed->file->sound_dir->samples_count - 1;
   sound_sample->name = (char *)eina_stringshare_add(name);
   ....
}

Similar errors can be found in some other places:

  • V769 The 'new_txt' pointer in the 'new_txt + outlen' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. eina_str.c 539
  • V769 The 'new_txt' pointer in the 'new_txt + outlen' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. eina_str.c 611
  • V769 The 'tmp' pointer in the 'tmp ++' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. evas_object_textblock.c 11131
  • And 7 additional diagnostic messages.

MySQL

V769 The 'new_buffer' pointer in the 'new_buffer + fixed_header_len' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 74, 73. gcs_message_stage_lz4.cc 74


bool
Gcs_message_stage_lz4::apply(Gcs_packet &packet)
{
  ....
  unsigned char *new_buffer =
    (unsigned char*) malloc(new_capacity);
  unsigned char *new_payload_ptr =
    new_buffer + fixed_header_len + hd_len;

  // compress payload
  compressed_len=
    LZ4_compress_default((const char*)packet.get_payload(),
                         (char*)new_payload_ptr,
                         static_cast<int>(old_payload_len),
                         compress_bound);
  ....
}

V8 JavaScript Engine

V769 CWE-119 The 'copy' pointer in the 'copy + prefix_len' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 394, 393. code-assembler.cc 394


void CodeAssembler::Comment(const char* format, ...) {
  ....
  const int prefix_len = 2;
  int length = builder.position() + 1;
  char* copy = reinterpret_cast<char*>(malloc(length +
                                              prefix_len));
  MemCopy(copy + prefix_len, builder.Finalize(), length);
  copy[0] = ';';
  copy[1] = ' ';
  raw_assembler()->Comment(copy);
}

There is no protection if the malloc function returns a null pointer.


LLVM/Clang

V769 CWE-119 The 'NewTableArray' pointer in the 'NewTableArray + NewSize' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 218, 216. stringmap.cpp 218


unsigned StringMapImpl::RehashTable(unsigned BucketNo) {
  ....
  StringMapEntryBase **NewTableArray =
    (StringMapEntryBase **)calloc(NewSize+1,
      sizeof(StringMapEntryBase *) + sizeof(unsigned));
  unsigned *NewHashArray =
    (unsigned *)(NewTableArray + NewSize + 1);
  NewTableArray[NewSize] = (StringMapEntryBase*)2;
  ....
}

The bug is interesting because if calloc returns NULL, then the program will not necessarily immediately fall. A record occurs not by a null pointer, but by a shift equal to NewSize.


Hunspell

V769 CWE-119 The 'candidate' pointer in the 'candidate + 1' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 864, 863. suggestmgr.cxx 864


int SuggestMgr::twowords(....)
{
  ....
  char* candidate = (char*)malloc(wl + 2);
  strcpy(candidate + 1, word);
  ....
}

There is no protection if the malloc function returns a null pointer.


Android

V769 CWE-119 The '(uint32_t *) metadata' pointer in the '(uint32_t *) metadata + new_size_int' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 91, 89. radio_metadata.c 91


int check_size(radio_metadata_buffer_t **metadata_ptr, const uint32_t size_int)
{
  ....
  metadata = realloc(metadata,
                     new_size_int * sizeof(uint32_t));
  memmove(
   (uint32_t *)metadata + new_size_int - (metadata->count + 1),
   (uint32_t *)metadata + metadata->size_int -
                           (metadata->count + 1),
   (metadata->count + 1) * sizeof(uint32_t));
  ....
}

Qt

V769 CWE-119 The 'ptr' pointer in the expression equals nullptr. The resulting value of arithmetic operations on this pointer is senseless and it should not be used. qdbusdemarshaller.cpp 299


QVariant QDBusDemarshaller::toVariantInternal()
{
  ....
  default:
    char *ptr = 0;
    ptr += q_dbus_message_iter_get_arg_type(&iterator);
    q_dbus_message_iter_next(&iterator);

    // I hope you never dereference this pointer!
    return QVariant::fromValue<void *>(ptr);
  };
}

FreeRDP

V769 The 'data' pointer in the expression equals nullptr. The resulting value of arithmetic operations on this pointer is senseless and it should not be used. nsc_encode.c 124


static BOOL nsc_encode_argb_to_aycocg(NSC_CONTEXT* context,
                                      const BYTE* data,
                                      UINT32 scanline)
{
  ....
  if (!context || data || (scanline == 0))
    return FALSE;
  ....
  src = data + (context->height - 1 - y) * scanline;
  ....
}

Newton Game Dynamics

V769 The 'result' pointer in the 'result + i' expression equals nullptr. The resulting value is senseless and it should not be used. win32_monitor.c 286


GLFWvidmode* _glfwPlatformGetVideoModes(_GLFWmonitor* monitor, int* count)
{
  GLFWvidmode* result = NULL;
  ....
  for (i = 0;  i < *count;  i++)
    {
    if (_glfwCompareVideoModes(result + i, &mode) == 0)
      break;
    }
}

CSV Parser

V769 The 'buffer.get()' pointer in the 'line_buffer - buffer.get()' expression equals nullptr. The resulting value is senseless and it should not be used. csv.hpp 4957


CSV_INLINE void CSVReader::read_csv(const size_t& bytes) {
  const size_t BUFFER_UPPER_LIMIT = std::min(bytes, (size_t)1000000);
  std::unique_ptr<char[]> buffer(new char[BUFFER_UPPER_LIMIT]);
  auto * HEDLEY_RESTRICT line_buffer = buffer.get();
  line_buffer[0] = '\0';
  ....
  this->feed_state->feed_buffer.push_back(
    std::make_pair<>(std::move(buffer), line_buffer - buffer.get())); // <=
  ....
}

DeepSpeech

V769 The 'middle_begin_' pointer in the 'middle_begin_ + (counts.size() - 2)' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 553, 552. search_trie.cc 553


template <class Quant, class Bhiksha> class TrieSearch {
....
private:
  ....
  Middle *middle_begin_, *middle_end_;
  ....
};

template <class Quant, class Bhiksha>
uint8_t *TrieSearch<Quant, Bhiksha>::SetupMemory(....)
{
  ....
  middle_begin_
    = static_cast<Middle*>(malloc(sizeof(Middle) * (counts.size() - 2)));
  middle_end_ = middle_begin_ + (counts.size() - 2);
  ....
}

Overgrowth

V769 [CERT-EXP08-C] The 'idx_buffer_offset' pointer in the 'idx_buffer_offset += pcmd->ElemCount' expression equals nullptr. The resulting value is senseless and it should not be used. imgui_impl_sdl_gl3.cpp 138


void ImGui_ImplSdlGL3_RenderDrawLists(ImDrawData* draw_data)
{
  const ImDrawIdx* idx_buffer_offset = 0;
  ....
  idx_buffer_offset += pcmd->ElemCount;
  ....
}

Similar errors can be found in some other places:

  • V769 [CERT-EXP08-C] The 'cp' pointer in the 'cp ++' expression equals nullptr. The resulting value is senseless and it should not be used. crn_file_utils.cpp 547

GTK

V769 [CWE-119, CERT-EXP08-C] The 'end' pointer in the 'end += strlen(beg)' expression equals nullptr. The resulting value is senseless and it should not be used. position.cpp 36


Offset Offset::init(const char* beg, const char* end)
{
  Offset offset(0, 0);
  if (end == 0) {
    end += strlen(beg);
  }
  offset.add(beg, end);
  return offset;
}

Most likely this is what should be written here: end = beg + strlen(beg);


GZDoom

V769 The 'pp' pointer in the 'pp += 3' expression equals nullptr. The resulting value is senseless and it should not be used. models_voxel.cpp 145


PalettedPixels FVoxelTexture::CreatePalettedPixels(int conversion, int frame)
{
  uint8_t *pp = SourceVox->Palette.Data();

  if (pp != nullptr)
  {
    ....
  }
  else
  {
    for (int i = 0; i < 256; i++, pp+=3)
    {
      bitmap[i] = (uint8_t)i;
      pe[i] = GPalette.BaseColors[i];
      pe[i].a = 255;
    }
  }
}