V512. A call of the 'Foo' function will lead to a buffer overflow or underflow.
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. CSmtp md5.cpp 212
void MD5::finalize () {
....
uint1 buffer[64];
....
// Zeroize sensitive information
memset (buffer, 0, sizeof(*buffer));
....
}
sizeof(*buffer) is the size of a single uint1 element, i.e. 1, so only the first byte of the 64-byte buffer is cleared and the rest of the "sensitive information" stays in memory. Most likely this is what should be written here: memset (buffer, 0, sizeof(buffer)); Note that even with the right size an ordinary memset on a buffer that is never read again may be dropped by the optimizer as a dead store; code that genuinely needs to scrub secrets should use a routine the compiler is not allowed to elide (memset_s, explicit_bzero, SecureZeroMemory or an equivalent).
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. base windows.c 150
#define uinput_size 1024
typedef wchar_t letter;
letter uinput_text[uinput_size];
string basewindows_getuserinput(const string title,
const string cap, const string dtxt)
{
memset(uinput_text, 0, uinput_size);
....
}
At first sight everything is fine with "memset(uinput_text, 0, uinput_size);". Perhaps it even was fine when the 'letter' type was 'char'. But now it is 'wchar_t', which is 2 bytes on Windows, so passing uinput_size as the byte count zeroes only half of the buffer. The size should be sizeof(uinput_text) (or uinput_size * sizeof(letter)), which stays correct if 'letter' changes again.
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. base windows.c 2892
typedef wchar_t letter;
letter name[30];
int Conv_EqualizerProc(HWND hwnd,UINT uMsg,
WPARAM wParam,LPARAM lParam)
{
....
memset(eqp.name, 0, 30);
....
}
This is what should have been written here: sizeof(letter) * 30 — or, better, sizeof(eqp.name), which stays correct if either the element type or the element count changes.
V512 A call of the memset function will lead to a buffer overflow or underflow. dockingmanager.cpp 78
#define CONT_MAP_MAX 50
int _iContMap[CONT_MAP_MAX];
....
DockingManager::DockingManager()
{
....
memset(_iContMap, -1, CONT_MAP_MAX);
....
}
This is what should have been written here: memset(_iContMap, -1, CONT_MAP_MAX * sizeof(int));
V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. game-music-emu nsfe_emu.cpp 162
struct header_t
{
....
byte load_addr [2];
byte init_addr [2];
byte play_addr [2];
....
}
blargg_err_t Nsfe_Info::load( Data_Reader& in,
Nsf_Emu* nsf_emu )
{
....
memcpy( info.load_addr, finfo.load_addr, 2 * 3 );
....
}
There is no overflow as long as the three 2-byte arrays are laid out back to back, but the code is fragile: it deliberately writes past the end of 'load_addr' and relies on the struct layout to land in 'init_addr' and 'play_addr', so reordering the members or inserting one between them silently turns this into a real overflow. Copying the three fields separately (or declaring them as one byte[6] with named offsets) makes the intent explicit.
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. cgame bg_animation.c 999
typedef struct
{
short int bodyPart[2];
short int animIndex[2];
short int animDuration[2];
short int soundIndex;
short int accShowBits;
short int accHideBits;
} animScriptCommand_t;
void BG_ParseCommands(....) {
....
animScriptCommand_t *command = NULL;
....
memset( command, 0, sizeof( command ) );
....
}
This is what should have been written here: sizeof(*command)
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. wolf cvar.c 764
typedef struct cvar_s {
char *name;
....
struct cvar_s *hashNext;
} cvar_t;
void Cvar_Restart_f( void ) {
cvar_t *var;
....
memset( var, 0, sizeof( var ) );
....
}
This is what should have been written here: memset( var, 0, sizeof( *var ) );
V512 A call of the 'memset' function will lead to a buffer overflow or underflow. physics dgcollisioncompoundbreakable.cpp 702
dgCollisionCompoundBreakable::dgCollisionCompoundBreakable (....)
{
....
dgInt32 faceOffsetHitogram[256];
dgSubMesh* mainSegmenst[256];
....
memset(faceOffsetHitogram, 0, sizeof(faceOffsetHitogram));
memset(mainSegmenst, 0, sizeof(faceOffsetHitogram));
....
}
A 64-bit error, and a consequence of copy-paste. In a 64-bit program the size of a pointer (8 bytes) is no longer equal to the size of dgInt32 (4 bytes), so the second memset clears only the first half of the mainSegmenst array and the remaining pointers keep whatever garbage was in memory. Using sizeof(mainSegmenst) in the second call fixes it.
V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. tabsrmm utils.cpp 1080
typedef struct _textrangew
{
CHARRANGE chrg;
LPWSTR lpstrText;
} TEXTRANGEW;
const wchar_t* Utils::extractURLFromRichEdit(....)
{
....
::CopyMemory(tr.lpstrText, L"mailto:", 7);
....
}
This is what should have been written here: sizeof(wchar_t) * 7
V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. base time_win.cc 227
void Time::Explode(bool is_local, Exploded* exploded) const
{
....
ZeroMemory(exploded, sizeof(exploded));
....
}
This is what should have been written here: sizeof(*exploded)
V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. platform time_win.cc 116
void NaCl::Time::Explode(bool is_local,
Exploded* exploded) const
{
....
ZeroMemory(exploded, sizeof(exploded));
....
}
This is what should have been written here: sizeof(*exploded)
V512 A call of the 'memset' function will lead to underflow of the buffer 's_attr_table'. qt3to4 cpplexer.cpp 77
int s_attr_table[256];
void CppLexer::setupScanTable()
{
....
memset(s_attr_table, 0, 256);
....
}
This is what should have been written here: sizeof(int) * 256
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 560
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
void apr__SHA256_Final(sha2_byte digest[],
SHA256_CTX* context) {
....
MEMSET_BZERO(context, sizeof(context));
....
}
sizeof(context) is the size of the pointer, so only the first 4 or 8 bytes of the SHA-256 state are wiped and the rest of the hash state stays in memory after the digest is produced. This is what should have been written here: sizeof(*context)
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 683
#define PL_MAX_PATH 255
typedef WCHAR TCHAR, *PTCHAR;
TCHAR pl_cvt_buffer[PL_MAX_PATH] = { '\0' };
int plh_read_pl_config_ini_file(....)
{
....
ZeroMemory(
pl_cvt_buffer,
PL_MAX_PATH
);
....
}
This is what should have been written here: PL_MAX_PATH * sizeof(TCHAR)
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'pconfig'. pl_csv_logger productivity_link_helper.c 1806
typedef struct _plh_dynamic_pl_folder_info {
....
} PLH_DYNAMIC_PL_FOLDER_INFO, *PPLH_DYNAMIC_PL_FOLDER_INFO;
int plh_dynamic_read_pl_folder(
PPLH_DYNAMIC_PL_FOLDER_INFO pconfig)
{
....
memset(
pconfig,
0,
sizeof(pconfig)
);
....
}
This is what should have been written here: sizeof(*pconfig)
V512 A call of the 'memset' function will lead to underflow of the buffer 'temp'. core_api_unit_tests unit_tests_tools.c 379
void plt_tools_get_pl_config_full_file_name(char *buffer) {
....
char temp[PL_MAX_PATH] = { '\0' };
....
memset(
temp,
0,
sizeof(buffer)
);
....
}
This is what should have been written here: sizeof(temp)
V512 A call of the 'memset' function will lead to underflow of the buffer 'PInfo'. far filelist.cpp 672
__int64 FileList::VMProcess(int OpCode,void *vParam,
__int64 iParam)
{
....
PluginInfo *PInfo=(PluginInfo *)vParam;
memset(PInfo,0,sizeof(PInfo));
PInfo->StructSize=sizeof(PInfo);
....
}
This is what should have been written here: memset(PInfo, 0, sizeof(PluginInfo)); The next line repeats the same mistake — PInfo->StructSize is set to the size of a pointer, so it should read sizeof(PluginInfo) as well.
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'buffer'. user32 dllmain.c 162
VOID
UnloadAppInitDlls()
{
....
WCHAR buffer[KEY_LENGTH];
....
RtlCopyMemory(buffer, szAppInit, KEY_LENGTH);
....
}
Multiplication by sizeof(WCHAR) is missing, which causes copying only half of the data. This is what the code should look like: RtlCopyMemory(buffer, szAppInit, KEY_LENGTH * sizeof(WCHAR)).
V512 A call of the 'memset' function will lead to underflow of the buffer '((file_path))'. sndrec32 sndrec32.cpp 769
typedef WCHAR TCHAR,*PTCHAR;
TCHAR file_path[MAX_PATH];
#define MAX_PATH 260
LRESULT CALLBACK
WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam )
{
....
ZeroMemory( file_path, MAX_PATH );
....
}
This is what should have been written here: ZeroMemory( file_path, MAX_PATH * sizeof(TCHAR));
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer '((pfd))'. shell32 pidl.c 1160
HRESULT WINAPI SHGetDataFromIDListW(....)
{
....
WIN32_FIND_DATAW * pfd = dest;
....
ZeroMemory(pfd, sizeof (WIN32_FIND_DATAA));
}
This is what should have been written here: sizeof(WIN32_FIND_DATAW)
V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 991
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
char *SHA384_End(SHA384_CTX* context, char buffer[]) {
....
MEMSET_BZERO(context, sizeof(context));
....
}
This is what should have been written here: sizeof(*context).
Similar errors can be found in some other places:
V512 A call of the 'memcmp' function will lead to underflow of the buffer 'guidentry'. oleaut32 typelib2.c 320
#define IsEqualGUID(rguid1, rguid2) \
(!memcmp(&(rguid1), &(rguid2), sizeof(GUID)))
static int ctl2_find_guid(....)
{
MSFT_GuidEntry *guidentry;
....
if (IsEqualGUID(guidentry, guid)) return offset;
....
}
Macros are evil! They can hide errors very well. The error is this: guidentry is a pointer, so the macro takes the address of the pointer variable itself and memcmp compares sizeof(GUID) bytes starting there — it reads past the end of the 4- or 8-byte pointer and never looks at the GUID it points to. This is what should have been written here: if (IsEqualGUID(*guidentry, guid)) return offset;
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'MEParams'. vc1_enc umc_vc1_enc_adv.cpp 1767
UMC::Status
VC1EncoderADV::SetMEParams_I_Field(UMC::MeParams* MEParams)
{
UMC::Status umcSts UMC::UMC_OK;
memset(MEParams,0,sizeof(MEParams));
....
}
This is what should have been written here: memset(MEParams,0,sizeof(*MEParams));
V512 A call of the 'memset' function will lead to underflow of the buffer 'ase.currentMesh'. DoomDLL model_ase.cpp 731
aseMesh_t *currentMesh;
static void ASE_KeyGEOMOBJECT( const char *token )
{
....
ase.currentMesh = &ase.currentObject->mesh;
memset( ase.currentMesh, 0, sizeof( ase.currentMesh ) );
....
}
This is what should have been written here: memset( ase.currentMesh, 0, sizeof( *ase.currentMesh ) );
V512 A call of the 'memset' function will lead to underflow of the buffer '& cluster'. DoomDLL aasfile.cpp 1312
void idAASFileLocal::DeleteClusters( void ) {
....
memset( &portal, 0, sizeof( portal ) );
portals.Append( portal );
// first cluster is a dummy
memset( &cluster, 0, sizeof( portal ) );
clusters.Append( cluster );
}
This is what should have been written here: memset( &cluster, 0, sizeof( cluster ) );
V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. time_win.cc 198
void Time::Explode(bool is_local, Exploded* exploded) const {
....
ZeroMemory(exploded, sizeof(exploded));
....
}
This is what should have been written here: ZeroMemory(exploded, sizeof(*exploded));
V512 A call of the 'memcmp' function will lead to underflow of the buffer 'expected_msg.payload'. Send_Msg_Receiver receiver.cpp 109
struct Message
{
unsigned int sn;
unsigned short payload[payload_size];
};
int
ACE_TMAIN (int argc, ACE_TCHAR* argv[])
{
....
if (ACE_OS::memcmp (expected_msg.payload,
msg.payload,
payload_size) != 0)
{
damaged[msg.sn] = 1;
}
....
}
As written only the first half of the payload is compared, so corruption in the second half is never flagged as damaged. Most likely this is what should be written here: payload_size * sizeof(unsigned short) — or simply sizeof(expected_msg.payload).
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'old_state'. thread.inl 172
ACE_INLINE int
ACE_Thread::disablecancel (struct cancel_state *old_state)
{
....
ACE_OS::memset (old_state,
0,
sizeof (old_state));
....
}
V512 A call of the 'memcpy' function will lead to the '"sip"' buffer becoming out of range. targets.c 566
struct targets{
char ip[MAX_ASCII_ADDR_LEN];
u_char mac[MAX_ASCII_ADDR_LEN];
char extension[64];
char dirname[64];
char protocol[11];
char ua[48];
char misc[64];
};
void sip_targetlookup(sipDB* currentSipCall)
{
....
memcpy(targettab[targetcount].protocol,
"sip",
sizeof(targettab[targetcount].protocol));
....
}
The size argument describes the destination (protocol is 11 bytes), but the source "sip" is a 4-byte string literal, so memcpy reads 7 bytes past the end of the literal. A string copy bounded by the destination size (strlcpy/strncpy with sizeof(...protocol)) is what was wanted.
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'MapView'. DeSmuME_VS2005 mapview.cpp 204
mapview_struct *MapView = NULL;
BOOL CALLBACK ViewMapsProc (HWND hwnd, UINT message,
WPARAM wParam, LPARAM lParam)
{
....
MapView = new mapview_struct;
memset(MapView, 0, sizeof(MapView));
....
}
This is what should have been written here: memset(MapView, 0, sizeof(*MapView));
V512 A call of the 'memcpy' function will lead to the '& rawheader[100]' buffer becoming out of range. chd.c 1870
#define CHD_SHA1_BYTES 20
#define CHD_V4_HEADER_SIZE 108
#define CHD_MAX_HEADER_SIZE CHD_V4_HEADER_SIZE
static chd_error header_read(...., chd_header *header)
{
UINT8 rawheader[CHD_MAX_HEADER_SIZE];
....
memcpy(header->parentsha1, &rawheader[100],
CHD_SHA1_BYTES);
....
}
rawheader is CHD_MAX_HEADER_SIZE == 108 bytes, so reading CHD_SHA1_BYTES (20) bytes from offset 100 runs 12 bytes past the end of the stack buffer. Either the header-size constant is too small for a header that carries a parent SHA-1 at offset 100, or the offset belongs to a different header version — the constants need to be checked against the format description.
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'state->m_spriteram16_buffered'. deco32.c 706
UINT16 m_spriteram16[0x1000];
UINT16 m_spriteram16_buffered[0x1000];
static WRITE32_HANDLER( deco32_buffer_spriteram_w )
{
deco32_state *state =
space->machine().driver_data<deco32_state>();
memcpy(state->m_spriteram16_buffered,
state->m_spriteram16, 0x1000);
}
This is what should have been written here: 0x1000 * sizeof(UINT16).
V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_rotate_ctrl'. wgp.c 949
UINT16 m_rotate_ctrl[8];
static MACHINE_RESET( wgp )
{
wgp_state *state = machine.driver_data<wgp_state>();
int i;
state->m_banknum = 0;
state->m_cpua_ctrl = 0xff;
state->m_port_sel = 0;
state->m_piv_ctrl_reg = 0;
for (i = 0; i < 3; i++)
{
state->m_piv_zoom[i] = 0;
state->m_piv_scrollx[i] = 0;
state->m_piv_scrolly[i] = 0;
}
memset(state->m_rotate_ctrl, 0, 8);
}
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_control_0'. tumbleb.c 2065
UINT16 m_control_0[8];
#define ARRAY_LENGTH(x) (sizeof(x) / sizeof(x[0]))
static MACHINE_RESET( tumbleb )
{
....
memset(state->m_control_0, 0,
ARRAY_LENGTH(state->m_control_0));
}
Most likely this is what should be written here: memset(state->m_control_0, 0, sizeof(state->m_control_0));
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pstars_regs'. pgm.c 4458
UINT32 m_pstars_regs[16];
static DRIVER_INIT( pstar )
{
....
memset(state->m_pstars_regs, 0, 16);
....
}
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'rt'. perf_writer.c 80
void initialize(PERF_DATA_BLOCK *data,
RuntimeSettings *rt, int argc, char **argv)
{
memset(data, 0, sizeof(*data));
memset(rt, 0, sizeof(*data));
....
}
Most likely this is what should be written here: memset(rt, 0, sizeof(*rt));.
V512 A call of the 'memcmp' function will lead to underflow of the buffer 'u0'. netuser.c 247
static NET_API_STATUS test_netusermodals(
struct libnetapi_ctx *ctx,
const char *hostname)
{
....
struct USER_MODALS_INFO_0 *u0 = NULL;
struct USER_MODALS_INFO_0 *_u0 = NULL;
....
if (memcmp(u0, _u0, sizeof(u0) != 0)) {
printf("USER_MODALS_INFO_0 struct has changed!!!!\n");
return -1;
}
....
}
There are two mistakes here: sizeof(u0) is the size of a pointer, and the closing parenthesis is misplaced, so the expression 'sizeof(u0) != 0' (which is 1) is passed as the length and the if tests the raw memcmp result. Most likely this is what should be written here: if (memcmp(u0, _u0, sizeof(*u0)) != 0).
V512 A call of the 'memset' function will lead to underflow of the buffer 'win32op'. win32select.c 374
void
win32_dealloc(struct event_base *_base)
{
struct win32op *win32op = _base->evbase;
....
memset(win32op, 0, sizeof(win32op));
....
}
V512 A call of the 'memset' function will lead to overflow of the buffer 'latestCounts'. calibfilter.cpp 238
class CV_EXPORTS CvCalibFilter
{
....
enum { MAX_CAMERAS = 3 };
int latestCounts[MAX_CAMERAS];
CvPoint2D32f* latestPoints[MAX_CAMERAS];
....
};
void CvCalibFilter::SetCameraCount( int count )
{
....
memset( latestCounts, 0, sizeof(latestPoints) );
....
}
On a 64-bit build sizeof(latestPoints) is 24 bytes while latestCounts is only 12, so the memset overwrites the 12 bytes that follow latestCounts — going by the declaration order, the start of latestPoints. On a 32-bit build the two sizes coincide, which is how this goes unnoticed. sizeof(latestCounts) was meant.
V512 A call of the 'memset' function will lead to underflow of the buffer 'wbuf'. ihvsampleextui.cpp 288
HRESULT
CDot11SampleExtUI::CreateSecurityProperties(....)
{
....
WCHAR wbuf[128];
....
ZeroMemory(wbuf, 128);
....
}
Similar errors can be found in some other places:
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'deviceInfo->UnicodeSourceIp'. testapp.c 729
typedef struct _DEVICE_INFO
{
....
WCHAR UnicodeSourceIp[MAX_LEN];
WCHAR UnicodeDestIp[MAX_LEN];
....
} DEVICE_INFO, *PDEVICE_INFO;
PDEVICE_INFO FindDeviceInfo(....)
{
....
PDEVICE_INFO deviceInfo = NULL;
....
memcpy(deviceInfo->UnicodeSourceIp,
InputInfo->SourceIp, MAX_LEN);
memcpy(deviceInfo->UnicodeDestIp,
InputInfo->DestIp, MAX_LEN);
....
}
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'commandLine'. procinfo.cpp 278
typedef WCHAR TCHAR, *PTCHAR;
static BOOL MatchProcess(....)
{
....
TCHAR commandLine[MAX_PATH];
....
memset(commandLine, 0, MAX_PATH);
....
}
V512 A call of the 'memset' function will lead to underflow of the buffer 'm_szTitle'. toolbox.cpp 28
typedef WCHAR TCHAR, *PTCHAR;
#define MAX_TOOLBOX_TITLE 64
TCHAR m_szTitle[MAX_TOOLBOX_TITLE];
CToolBox::CToolBox()
{
memset(m_szTitle, 0, MAX_TOOLBOX_TITLE);
}
V512 A call of the 'memset' function will lead to underflow of the buffer 'm_buffer'. sharedutil.hash.hpp 216
unsigned char m_buffer[64];
void CMD5Hasher::Finalize ( void )
{
....
// Zeroize sensitive information
memset ( m_buffer, 0, sizeof (*m_buffer) );
....
}
V512 A call of the 'memset' function will lead to underflow of the buffer '& cht'. ramwatch.cpp 1199
struct ICheat
{
uint32 address;
uint32 new_val;
uint32 saved_val;
int size;
bool8 enabled;
bool8 saved;
char name [22];
int format;
};
struct SCheat
{
uint32 address;
uint8 byte;
uint8 saved_byte;
bool8 saved;
};
void RamWatchEnableCommand(....)
{
....
struct ICheat cht;
....
ZeroMemory(&cht, sizeof(struct SCheat));
....
}
Most likely this is what should be written here: ZeroMemory(&cht, sizeof(struct ICheat));
Similar errors can be found in some other places:
V512 A call of the 'memcmp' function will lead to underflow of the buffer '"GL_EXT_blend_subtract"'. Riza opengl.cpp 393
bool VDOpenGLBinding::Attach(....) {
....
if (!memcmp(start, "GL_EXT_blend_subtract", 20))
....
}
strlen("GL_EXT_blend_subtract") == 21, but only 20 bytes are compared, so the last character is never checked and any extension name sharing the first 20 characters would be accepted. Using sizeof("GL_EXT_blend_subtract") - 1 instead of a hand-counted number avoids this class of mistake.
V512 A call of the 'memset' function will lead to underflow of the buffer 'ctx'. md5.c 180
void MD5Final(uint8_t digest[16], struct MD5Context *ctx)
{
....
memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
....
}
sizeof(ctx) is the size of the pointer, so only the first 4 or 8 bytes of the MD5 context are cleared and the rest of the state the comment calls "sensitive" is left in memory; sizeof(*ctx) was meant. Even then, an ordinary memset on memory that is never read again may be optimized away, so a dedicated secure-zeroing routine is the safer choice here.
V512 A call of the 'memcpy' function will lead to overflow of the buffer '& stat.lPosition'. MotorStage.cpp 247
typedef struct _DCMOTSTATUS
{
unsigned short wChannel; // Channel ident.
unsigned int lPosition; // Position in encoder counts.
unsigned short wVelocity; // Velocity in encoder counts/sec.
unsigned short wReserved; // Controller specific use
unsigned int dwStatusBits; // Status bits (see #defines below).
} DCMOTSTATUS;
int MotorStage::ParseStatus(const unsigned char* buf, int bufLen,
DCMOTSTATUS& stat)
{
....
memcpy(&stat.lPosition, buf + bufPtr, sizeof(long)); // <= (1)
bufPtr += sizeof(long);
memcpy(&stat.wVelocity, buf + bufPtr, sizeof(unsigned short));
bufPtr += sizeof(unsigned short);
memcpy(&stat.wReserved, buf + bufPtr, sizeof(unsigned short));
bufPtr += sizeof(unsigned short);
memcpy(&stat.dwStatusBits,
buf + bufPtr, sizeof(unsigned long)); // <= (2)
return DEVICE_OK;
}
Both fields are 4-byte unsigned ints, but the copies use sizeof(long) / sizeof(unsigned long), which is 8 on LP64 platforms (64-bit Linux, macOS). (1) is not critical: the extra 4 bytes spill into wVelocity and wReserved, which the next two memcpy calls overwrite anyway. (2) is critical: dwStatusBits is the last member, so the extra 4 bytes are written past the end of the DCMOTSTATUS object the caller passed in. On Windows, where long is 4 bytes, neither call overflows, which is why the bug can go unnoticed. sizeof(stat.lPosition) and sizeof(stat.dwStatusBits) are what was meant.
Similar errors can be found in some other places:
V512 A call of the 'strcpy' function will lead to overflow of the buffer '(char *) & bdata[13]'. bworld.cpp 64
static uint8 bdata[20];
static void Update(void *data, int arg)
{
if(*(uint8 *)data)
{
*(uint8 *)data=0;
seq=ptr=0;
have=1;
strcpy((char*)bdata,(char *)data+1);
strcpy((char*)&bdata[13],"SUNSOFT");
}
}
V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. OgreMain ogrequaternion.h 87
Real w, x, y, z;
....
inline Quaternion(Real* valptr)
{
memcpy(&w, valptr, sizeof(Real)*4);
}
There is no overflow in practice because w, x, y and z are declared consecutively, but writing sizeof(Real)*4 bytes through &w relies on that layout (formally it is an out-of-bounds write for the single member w), and reordering the members would break it silently. Assigning the four members explicitly, or storing them as a Real[4], avoids the dependency.
V512 A call of the 'memset' function will lead to underflow of the buffer 'gim'. gifti_io.c 4097
int gifti_clear_gifti_image(gifti_image * gim)
{
if(!gim) {
fprintf(stderr,"** NULL in clear_gifti_image\n"); return 1;
}
if( G.verb > 5 )
fprintf(stderr,"-- clearing gifti_image\n");
/* set the version and clear all pointers */
memset(gim, 0, sizeof(gim));
....
}
V512 A call of the 'memset' function will lead to underflow of the buffer 'logfonts'. TabSRMM msglog.cpp 134
#define MSGDLGFONTCOUNT 22
LOGFONTA logfonts[MSGDLGFONTCOUNT + 2];
void TSAPI CacheLogFonts()
{
int i;
HDC hdc = GetDC(NULL);
logPixelSY = GetDeviceCaps(hdc, LOGPIXELSY);
ReleaseDC(NULL, hdc);
ZeroMemory(logfonts, sizeof(LOGFONTA) * MSGDLGFONTCOUNT + 2);
....
}
Most likely this is what should be written here: ZeroMemory(logfonts, sizeof(LOGFONTA) * (MSGDLGFONTCOUNT + 2));
V512 A call of the 'memcpy' function will lead to underflow of the buffer 's_list'. Sessions utils.cpp 288
#define SIZEOF(X) (sizeof(X)/sizeof(X[0]))
int CheckForDuplicate(MCONTACT contact_list[], MCONTACT lparam)
{
MCONTACT s_list[255] = { 0 };
memcpy(s_list, contact_list, SIZEOF(s_list));
for (int i = 0;; i++) {
if (s_list[i] == lparam)
return i;
if (s_list[i] == 0)
return -1;
}
return 0;
}
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'Data'. Weather weather_ini.cpp 250
void LoadStationData(...., WIDATA *Data)
{
....
ZeroMemory(Data, sizeof(Data));
....
}
V512 A call of the 'strcat' function will lead to overflow of the buffer 'fn'. NimContact files.cpp 290
INT_PTR CALLBACK DlgProcFiles(....)
{
....
char fn[6], tmp[MAX_PATH];
....
SetDlgItemTextA(hwnd, IDC_WWW_TIMER,
_itoa(db_get_w(NULL, MODNAME, strcat(fn, "_timer"), 60),
tmp, 10));
....
}
fn is only 6 bytes, and "_timer" with its terminator is already 7, so strcat overruns the array regardless of what fn holds; if the elided code does not initialize fn first, strcat also starts appending after whatever garbage is on the stack. A larger, initialized buffer and a bounded copy are needed here.
V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG main.cpp 2246
typedef struct
{
int cbSize;
char caps[0x10];
HANDLE hIcon;
char name[MAX_CAPNAME];
} ICQ_CUSTOMCAP;
void InitCheck()
{
....
strcpy(cap.caps, "GPG AutoExchange");
....
}
"GPG AutoExchange" is exactly 16 characters, so with the terminating NUL strcpy writes 17 bytes into the 16-byte caps field and clobbers the first byte of hIcon. If caps is meant to be an unterminated 16-byte capability blob, memcpy(cap.caps, "GPG AutoExchange", 0x10) is the right call.
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'msgFrom'. LotusNotify lotusnotify.cpp 760
void checkthread(void*)
{
....
WCHAR msgFrom[512];
WCHAR msgSubject[512];
ZeroMemory(msgFrom,512);
ZeroMemory(msgSubject,512);
....
}
Similar errors can be found in some other places:
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'L"mailto:"'. TabSRMM msgdialog.cpp 2085
INT_PTR CALLBACK DlgProcMessage(....)
{
....
CopyMemory(tr.lpstrText, _T("mailto:"), 7);
....
}
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'area'. RAI gterrainmap.h 84
#define MAP_AREA_LIST_SIZE 50
struct TerrainMapMobileType
{
TerrainMapMobileType()
{
....
memset(area,0,MAP_AREA_LIST_SIZE); // <=
};
TerrainMapArea *area[MAP_AREA_LIST_SIZE]; // <=
....
};
area is an array of 50 pointers, so clearing MAP_AREA_LIST_SIZE bytes leaves most of the pointers uninitialized; sizeof(area) was meant.
Similar errors can be found in some other places:
V512 A call of the 'wcsncpy' function will lead to overflow of the buffer 'psci->wszTitle'. columninfo.cxx 129
typedef struct {
....
WCHAR wszTitle[MAX_COLUMN_NAME_LEN];
WCHAR wszDescription[MAX_COLUMN_DESC_LEN];
} SHCOLUMNINFO, *LPSHCOLUMNINFO;
HRESULT STDMETHODCALLTYPE CColumnInfo::GetColumnInfo(
DWORD dwIndex, SHCOLUMNINFO *psci)
{
....
wcsncpy(psci->wszTitle,
ColumnInfoTable[dwIndex].wszTitle,
(sizeof(psci->wszTitle) - 1));
return S_OK;
}
wcsncpy counts wide characters, but sizeof(psci->wszTitle) - 1 is a byte count — roughly twice the number of elements. Because wcsncpy zero-pads up to the count when the source is shorter, it writes past wszTitle into wszDescription (and beyond) even for short titles. The count should be sizeof(psci->wszTitle) / sizeof(psci->wszTitle[0]) - 1, with the final element terminated explicitly.
V512 A call of the 'memset' function will lead to underflow of the buffer 'pAddExpression'. sos strike.cpp 11973
DECLARE_API(Watch)
{
....
if(addExpression.data != NULL || aExpression.data != NULL)
{
WCHAR pAddExpression[MAX_EXPRESSION];
memset(pAddExpression, 0, MAX_EXPRESSION);
swprintf_s(pAddExpression, MAX_EXPRESSION, L"%S", ....);
Status = g_watchCmd.Add(pAddExpression);
}
....
}
pAddExpression is a WCHAR array, so MAX_EXPRESSION bytes is only half of it. It happens to be harmless here because swprintf_s immediately overwrites and terminates the buffer, but the size should still be sizeof(pAddExpression) so the clearing does what it claims.
Similar errors can be found in some other places:
V512 A call of the 'memcmp' function will lead to underflow of the buffer '"Private-key-format: v"'. dst_api.c 858
dst_s_read_private_key_file(....)
{
....
if (memcmp(in_buff, "Private-key-format: v", 20) != 0)
goto fail;
....
}
The literal "Private-key-format: v" is 21 characters, so comparing 20 bytes silently drops the trailing 'v' and only checks the "Private-key-format: " prefix. The length should be 21 — better written as sizeof("Private-key-format: v") - 1 so it cannot drift from the literal.
V512 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 623
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
void solv_SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
....
/* Clean up state data: */
MEMSET_BZERO(context, sizeof(context));
usedspace = 0;
}
sizeof(context) is the pointer size, so the "Clean up state data" comment is not honored: only the first 4 or 8 bytes of the SHA-256 state are cleared. sizeof(*context) was meant.
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'StartTimestampListHandles'. d3d12query.cpp 493
class FD3D12BufferedGPUTiming
{
....
FD3D12CLSyncPoint* StartTimestampListHandles;
FD3D12CLSyncPoint* EndTimestampListHandles;
....
};
void FD3D12BufferedGPUTiming::InitDynamicRHI()
{
....
StartTimestampListHandles = new FD3D12CLSyncPoint[BufferSize];
ZeroMemory(StartTimestampListHandles,
sizeof(StartTimestampListHandles));
EndTimestampListHandles = new FD3D12CLSyncPoint[BufferSize];
ZeroMemory(EndTimestampListHandles,
sizeof(EndTimestampListHandles));
....
}
Similar errors can be found in some other places:
V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->vendor'. aacraid_cam.c 571
#define SID_VENDOR_SIZE 8
char vendor[SID_VENDOR_SIZE];
#define SID_PRODUCT_SIZE 16
char product[SID_PRODUCT_SIZE];
#define SID_REVISION_SIZE 4
char revision[SID_REVISION_SIZE];
static void
aac_container_special_command(struct cam_sim *sim,union ccb *ccb,
u_int8_t *cmdp)
{
....
/* OEM Vendor defines */
strcpy(p->vendor,"Adaptec "); // <=
strcpy(p->product,"Array "); // <=
strcpy(p->revision,"V1.0"); // <=
....
}
Each field is exactly as wide as its string, so the NUL that strcpy appends lands one byte past the end: "Adaptec " is 8 characters into vendor[8] and "V1.0" is 4 characters into revision[4] (whether product overflows depends on how long the padded literal really is). These look like fixed-width, space-padded inquiry fields that are not meant to be NUL-terminated, so memcpy (or strncpy) with the field size is what was wanted.
Similar errors can be found in some other places:
V512 A call of the 'sprintf' function will lead to overflow of the buffer 'errTxt'. stickyinstaller.cpp 162
BOOL DDE_InitClient (void)
{
UINT errCode = DdeInitialize(....);
if (errCode != 0)
{
char errTxt[32];
sprintf (errTxt, "DDE Server Failed, error code = %d",
errCode);
....
}
The format string is already 32 characters before the error code is printed, so the output plus the digits and the terminator can never fit in the 32-byte errTxt. A larger buffer together with snprintf/_snprintf_s bounded by sizeof(errTxt) is needed.
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'buffer'. md5.cpp 243
class MD5
{
....
typedef unsigned char uint1;
....
uint1 buffer[64]; // input buffer
....
static void memset(uint1 *start, uint1 val, uint4 length);
....
};
void MD5::finalize ()
{
....
// Zeroize sensitive information
memset (buffer, 0, sizeof(*buffer)); // <=
finalized=1;
}
V512 A call of the 'memset' function will lead to underflow of the buffer 'plog'. nat64lsn.c 218
struct pfloghdr {
u_int8_t length;
sa_family_t af;
u_int8_t action;
u_int8_t reason;
char ifname[IFNAMSIZ];
char ruleset[PFLOG_RULESET_NAME_SIZE];
u_int32_t rulenr;
u_int32_t subrulenr;
uid_t uid;
pid_t pid;
uid_t rule_uid;
pid_t rule_pid;
u_int8_t dir;
u_int8_t pad[3];
};
static void
nat64lsn_log(struct pfloghdr *plog, ....)
{
memset(plog, 0, sizeof(plog)); // <=
plog->length = PFLOG_REAL_HDRLEN;
plog->af = family;
plog->action = PF_NAT;
plog->dir = PF_IN;
plog->rulenr = htonl(n);
plog->subrulenr = htonl(sn);
plog->ruleset[0] = '\0';
strlcpy(plog->ifname, "NAT64LSN", sizeof(plog->ifname));
ipfw_bpf_mtap2(plog, PFLOG_HDRLEN, m);
}
sizeof(plog) is the pointer size, so only the first 4 or 8 bytes of the pfloghdr are cleared. The fields that are never assigned afterwards — reason, the rest of ifname after "NAT64LSN", ruleset beyond its first byte, uid/pid, rule_uid/rule_pid and pad — keep whatever the caller's memory held, and ipfw_bpf_mtap2 then hands PFLOG_HDRLEN bytes of that header to BPF listeners. That makes this an uninitialized-memory disclosure rather than a cosmetic bug; sizeof(*plog) fixes it.
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'hashableData'. GeomCacheRenderNode.cpp 285
void CGeomCacheRenderNode::Render(....)
{
....
CREGeomCache* pCREGeomCache = iter->second.m_pRenderElement;
....
uint8 hashableData[] =
{
0, 0, 0, 0, 0, 0, 0, 0,
(uint8)std::distance(pCREGeomCache->....->begin(), &meshData),
(uint8)std::distance(meshData....->....begin(), &chunk),
(uint8)std::distance(meshData.m_instances.begin(), &instance)
};
memcpy(hashableData,pCREGeomCache,sizeof(pCREGeomCache)); // <=
....
}
sizeof(pCREGeomCache) is the size of the pointer, so 4 or 8 bytes of the object it points to are copied over the start of hashableData. The eight leading zero bytes look like a slot reserved for the pointer value itself, so presumably &pCREGeomCache was meant as the source (hashing the object's identity, not its first bytes) — confirm against how hashableData is consumed.
V512 A call of the 'memcpy' function will lead to the '"MPI Coredump"' buffer becoming out of range. qls_dump.c 1615
typedef struct qls_mpid_glbl_hdr
{
....
uint8_t id[16];
....
} qls_mpid_glbl_hdr_t;
struct qls_mpi_coredump {
qls_mpid_glbl_hdr_t mpi_global_header;
....
};
typedef struct qls_mpi_coredump qls_mpi_coredump_t;
int
qls_mpi_core_dump(qla_host_t *ha)
{
....
qls_mpi_coredump_t *mpi_dump = &ql_mpi_coredump;
....
memcpy(mpi_dump->mpi_global_header.id, "MPI Coredump",
sizeof(mpi_dump->mpi_global_header.id));
....
}
"MPI Coredump" occupies 13 bytes including its terminator, but sizeof(id) is 16, so memcpy reads 3 bytes past the end of the string literal. Copying sizeof("MPI Coredump") bytes, or zero-filling id and copying strlen of the literal, avoids the overread.
V512 A call of the 'sprintf' function will lead to overflow of the buffer 'lldev->mtx_name_tx[qindex]'. if_nxge.c 511
#define XGE_HAL_MIN_FIFO_NUM 1
#define XGE_FIFO_COUNT XGE_HAL_MIN_FIFO_NUM
typedef struct xge_lldev_t {
....
char mtx_name_tx[16][XGE_FIFO_COUNT];
struct callout timer;
struct ifmedia media;
xge_hal_channel_h fifo_channel[XGE_FIFO_COUNT];
....
}
void
xge_mutex_init(xge_lldev_t *lldev)
{
int qindex;
....
for(qindex = 0; qindex < XGE_FIFO_COUNT; qindex++) {
sprintf(lldev->mtx_name_tx[qindex], "%s_tx_%d",
device_get_nameunit(lldev->device), qindex);
....
}
The array dimensions are reversed: with XGE_FIFO_COUNT == 1, mtx_name_tx[qindex] is a 1-byte array, and sprintf writes the whole "<name>_tx_<n>" string into it, running through the rest of the 16 bytes and into the timer member that follows. The declaration was presumably meant to be char mtx_name_tx[XGE_FIFO_COUNT][16], and snprintf with sizeof(lldev->mtx_name_tx[qindex]) would bound the write.
V512 A call of the 'memset' function will lead to underflow of the buffer 'req_id_used'. bt-service-util.c 38
typedef int gint;
typedef gint gboolean;
#define BT_REQUEST_ID_RANGE_MAX 245
static gboolean req_id_used[BT_REQUEST_ID_RANGE_MAX];
void _bt_init_request_id(void)
{
assigned_id = 0;
memset(req_id_used, 0x00, BT_REQUEST_ID_RANGE_MAX);
}
gboolean is a typedef of int, so req_id_used is 245 * sizeof(int) bytes and the memset clears only roughly the first quarter of it; the remaining "free" flags keep their old values. sizeof(req_id_used) was meant.
V512 A call of the 'memset' function will lead to overflow of the buffer 'device_list.addresses[i].addr'. bt-service-dpm.c 226
#define BT_ADDRESS_STRING_SIZE 18
typedef struct {
unsigned char addr[6];
} bluetooth_device_address_t;
typedef struct {
int count;
bluetooth_device_address_t addresses[20];
} bt_dpm_device_list_t;
dpm_result_t _bt_dpm_get_bluetooth_devices_from_whitelist(
GArray **out_param1)
{
dpm_result_t ret = DPM_RESULT_FAIL;
bt_dpm_device_list_t device_list;
....
for (; list; list = list->next, i++) {
memset(device_list.addresses[i].addr, 0,
BT_ADDRESS_STRING_SIZE);
....
}
BT_ADDRESS_STRING_SIZE (18) is the length of the textual "xx:xx:xx:xx:xx:xx" form, but addr holds the 6 raw bytes, so each memset writes 12 bytes past addr into the following element and, for the last element, past the end of the device_list local on the stack. sizeof(device_list.addresses[i].addr) is the right size.
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'formatted_number'. i18ninfo.c 544
typedef short unsigned int i18n_uchar;
#define BUF_SIZE 1000
static int __get_number_format(char *input_number)
{
....
i18n_uchar formatted_number[BUF_SIZE];
....
memset(formatted_number, 0, BUF_SIZE);
....
}
V512 A call of the 'snprintf' function will lead to overflow of the buffer 'buf + strlen(buf)'. app_tracker.c 450
static void _on_atspi_event_cb(const AtspiEvent * event)
{
....
char buf[256] = "\0";
....
snprintf(buf, sizeof(buf), "%s, %s, ",
name, _("IDS_BR_BODY_IMAGE_T_TTS"));
....
snprintf(buf + strlen(buf), sizeof(buf),
"%s, ", _("IDS_ACCS_BODY_SELECTED_TTS"));
....
}
When appending at buf + strlen(buf), the size argument must be the space that is left, sizeof(buf) - strlen(buf); passing the full sizeof(buf) lets snprintf write up to strlen(buf) bytes past the end of the array. The same append pattern appears in the next two warnings.
V512 A call of the 'snprintf' function will lead to overflow of the buffer 'trait + strlen(trait)'. navigator.c 514
#define HOVERSEL_TRAIT_SIZE 200
void add_slider_description(....)
{
....
char trait[HOVERSEL_TRAIT_SIZE] = "";
....
snprintf(trait, HOVERSEL_TRAIT_SIZE,
_("IDS_GCTS_OPT_P1SS_PERCENT_TTS"), buf_percent);
....
snprintf(trait + strlen(trait), HOVERSEL_TRAIT_SIZE, // <=
", %s", _IGNORE_ON_TV("IDS_......."));
....
}
V512 A call of the 'snprintf' function will lead to overflow of the buffer 'ret + strlen(ret)'. navigator.c 677
#define TTS_MAX_TEXT_SIZE 2000
char *generate_description_trait(AtspiAccessible * obj) {
....
char ret[TTS_MAX_TEXT_SIZE] = { [TTS_MAX_TEXT_SIZE - 1] = 0 };
....
snprintf(ret, sizeof(ret),
_("IDS_ACCS_BODY_TAB_P1SD_OF_P2SD"),
index + 1, children_count);
if (!is_selected)
snprintf(ret + strlen(ret), sizeof(ret), // <=
", %s",
_IGNORE_ON_TV("IDS_......."));
....
}
V512 A call of the 'memcpy' function will lead to the 'array' buffer becoming out of range. eina_array.c 186
typedef struct _Eina_Array Eina_Array;
struct _Eina_Array
{
int version;
void **data;
unsigned int total;
unsigned int count;
unsigned int step;
Eina_Magic __magic;
};
typedef struct _Eina_Accessor_Array Eina_Accessor_Array;
struct _Eina_Accessor_Array
{
Eina_Accessor accessor;
const Eina_Array *array;
Eina_Magic __magic;
};
static Eina_Accessor *
eina_array_accessor_clone(const Eina_Array *array)
{
Eina_Accessor_Array *ac;
EINA_SAFETY_ON_NULL_RETURN_VAL(array, NULL);
EINA_MAGIC_CHECK_ARRAY(array);
ac = calloc(1, sizeof (Eina_Accessor_Array));
if (!ac) return NULL;
memcpy(ac, array, sizeof(Eina_Accessor_Array));
return &ac->accessor;
}
V512 A call of the 'memcpy' function will lead to overflow of the buffer 'bgra + k * 16'. draw_convert.c 318
static Eina_Bool _convert_etc2_rgb8_to_argb8888(....)
{
const uint8_t *in = src;
uint32_t *out = dst;
int out_step, x, y, k;
unsigned int bgra[16];
....
for (k = 0; k < 4; k++)
memcpy(out + x + k * out_step, bgra + k * 16, 16);
....
}
bgra has 16 elements, so bgra + k * 16 is already one past the end for k == 1 and the 16-byte memcpy reads beyond the array. 16 bytes is four unsigned ints — one row of a 4x4 block — so most likely bgra + k * 4 was intended.
Similar errors can be found in some other places:
V512 A call of the 'memset' function will lead to underflow of the buffer 'error_buffer'. ardour_http.cc 142
class HttpGet {
....
// Plain char array of CURL_ERROR_SIZE bytes (a libcurl constant, defined
// elsewhere); sizeof(error_buffer) is its full size.
char error_buffer[CURL_ERROR_SIZE];
....
};
// V512 example: sizeof applied to the dereferenced array instead of the array.
HttpGet::HttpGet (bool p, bool ssl)
: persist (p)
, _status (-1)
, _result (-1)
{
// BUG: sizeof (*error_buffer) is sizeof (char) == 1, so only the first byte
// is zeroed and the remaining CURL_ERROR_SIZE - 1 bytes stay uninitialized.
// The leading NUL makes it an empty C string, but any code that relies on
// the whole buffer being cleared gets stale stack/heap contents.  The size
// argument should be sizeof (error_buffer).
memset (error_buffer, 0, sizeof (*error_buffer));
....
}
V512 CWE-682 A call of the 'memset' function will lead to underflow of the buffer 'key_event->text'. event_conversion.cc 435
// WebUChar is a two-byte unit on both branches (wchar_t is 16-bit on
// Windows; unsigned short elsewhere), so element count != byte count.
#if defined(WIN32)
typedef wchar_t WebUChar;
#else
typedef unsigned short WebUChar;
#endif
// Number of WebUChar ELEMENTS in the text arrays below, not bytes.
static const size_t kTextLengthCap = 4;
class WebKeyboardEvent : public WebInputEvent {
....
// Each array holds kTextLengthCap (4) two-byte elements, i.e. 8 bytes.
WebUChar text[kTextLengthCap];
WebUChar unmodified_text[kTextLengthCap];
....
};
// V512 (CWE-682) example: memset() given an element count as a byte count.
WebKeyboardEvent* BuildCharEvent(const InputEventData& event)
{
WebKeyboardEvent* key_event = new WebKeyboardEvent(....);
....
// BUG: text_length_cap (not shown here; presumably the same value as
// kTextLengthCap, 4) is a number of WebUChar elements, but memset() counts
// bytes.  Only the first half of each 8-byte array is cleared; the tail keeps
// whatever the constructor left there.  Use sizeof(key_event->text) and
// sizeof(key_event->unmodified_text).
memset(key_event->text, 0, text_length_cap);
memset(key_event->unmodified_text, 0, text_length_cap);
....
}
Confusion between the number of elements in the array and the size of the buffer in bytes: memset() receives the element count, but WebUChar is a two-byte type, so only the first half of each array is zeroed. The size argument should be sizeof(key_event->text) and sizeof(key_event->unmodified_text).
Similar errors can be found in some other places:
V512 CWE-682 A call of the 'memset' function will lead to underflow of the buffer '_jumpBuf'. rtt_filter.cc 52
class VCMRttFilter {
....
// Element count of the sample buffers below, not their size in bytes.
enum { kMaxDriftJumpCount = 5 };
....
// 5 x int64_t = 40 bytes each.
int64_t _jumpBuf[kMaxDriftJumpCount];
int64_t _driftBuf[kMaxDriftJumpCount];
....
};
// V512 (CWE-682) example: clearing an int64_t array with its element count.
void VCMRttFilter::Reset() {
_gotNonZeroUpdate = false;
_avgRtt = 0;
_varRtt = 0;
_maxRtt = 0;
_filtFactCount = 1;
_jumpCount = 0;
_driftCount = 0;
// BUG: kMaxDriftJumpCount is 5, so only 5 of the 40 bytes in each buffer are
// zeroed - not even the first int64_t is fully cleared.  Stale samples from
// before the reset survive in the rest of the array; whether they are ever
// read depends on the counters above, which this file does not show.  The
// size should be sizeof(_jumpBuf) and sizeof(_driftBuf).
memset(_jumpBuf, 0, kMaxDriftJumpCount);
memset(_driftBuf, 0, kMaxDriftJumpCount);
}
Confusion between the number of elements in the array and the size of the buffer in bytes: kMaxDriftJumpCount is 5, but each buffer holds five int64_t values (40 bytes), so only 5 of the 40 bytes are cleared. The size argument should be sizeof(_jumpBuf) and sizeof(_driftBuf).
V512 CWE-119 A call of the 'snprintf' function will lead to overflow of the buffer 'interface_names[index]'. necp.c 4376
#define IFNAMSIZ 16
#define IFXNAMSIZ (IFNAMSIZ + 8)
#define MAX_ROUTE_RULE_INTERFACES 10
// V512 (CWE-119) example: a 2-D array declared with its dimensions swapped.
static inline const char *
necp_get_result_description(....)
{
....
// BUG: declared as 24 rows of 10 bytes.  The code below treats it as
// MAX_ROUTE_RULE_INTERFACES rows of IFXNAMSIZ (24) bytes, so every
// interface_names[index] is a 10-byte row being written with up to 24 bytes.
// Should be: char interface_names[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ];
char interface_names[IFXNAMSIZ][MAX_ROUTE_RULE_INTERFACES];
....
for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
if (route_rule->exception_if_indices[index] != 0) {
ifnet_t interface = ifindex2ifnet[....];
// Writes up to IFXNAMSIZ bytes into a 10-byte row: the tail spills into the
// next two rows.  With index < 10 and 24 rows the writes stay inside the
// 240-byte array, but rows overwrite each other, so names get truncated,
// clobbered, or left without a NUL terminator inside their own row.
snprintf(interface_names[index],
IFXNAMSIZ, "%s%d", ifnet_name(interface),
ifnet_unit(interface));
} else {
// Same row-size confusion: zeroes 24 bytes starting at a 10-byte row.
memset(interface_names[index], 0, IFXNAMSIZ);
}
}
....
}
Most likely, the array was declared incorrectly and it should be written as follows: char interface_names[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ];
Similar errors can be found in some other places:
V512 CWE-119 A call of the '__builtin___memcpy_chk' function will lead to a buffer overflow. necp_client.c 1459
#define IFNAMSIZ 16
#define IFXNAMSIZ (IFNAMSIZ + 8)
#define NECP_MAX_PARSED_PARAMETERS 16
struct necp_client_parsed_parameters {
....
// BUG: dimensions swapped - 24 rows of 16 bytes, while the parser below
// writes up to IFXNAMSIZ (24) bytes into each row.  Should be:
// char prohibited_interfaces[NECP_MAX_PARSED_PARAMETERS][IFXNAMSIZ];
char prohibited_interfaces[IFXNAMSIZ]
[NECP_MAX_PARSED_PARAMETERS];
....
};
// V512 (CWE-119) example: length check validated against the wrong
// dimension of a 2-D array.  (The function body continues past this excerpt.)
static int
necp_client_parse_parameters(....,
struct necp_client_parsed_parameters *parsed_parameters)
{
....
// Length of an attacker-supplied parameter value (parsing client input).
u_int32_t length = ....;
....
// The check allows length up to IFXNAMSIZ (24), but each
// prohibited_interfaces[...] row is only NECP_MAX_PARSED_PARAMETERS (16)
// bytes wide, so memcpy() can overrun the row by 8 bytes into the next one,
// and [length - 1] can index past the row as well.  On the last row the
// spill leaves the member entirely; this excerpt does not show how
// num_prohibited_interfaces is bounded - TODO confirm.
if (length <= IFXNAMSIZ && length > 0) {
memcpy(parsed_parameters->prohibited_interfaces[
num_prohibited_interfaces],
value, length);
parsed_parameters->prohibited_interfaces[
num_prohibited_interfaces][length - 1] = 0;
....
}
Most likely, the array was declared incorrectly and it should be written as follows: char prohibited_interfaces[NECP_MAX_PARSED_PARAMETERS][IFXNAMSIZ];
V512 A call of the 'sprintf' function will lead to overflow of the buffer 'fullpath'. disk.c 1257
// V512 example: unbounded sprintf() of two strings into a fixed buffer.
RD_NTSTATUS
disk_query_directory(....)
{
....
// fullpath is PATH_MAX bytes; nothing below limits what goes into it.
char *dirname, fullpath[PATH_MAX];
....
/* Get information for directory entry */
// BUG: neither strlen(dirname) nor strlen(pdirent->d_name) is checked, and
// the entry name comes from the directory being enumerated, so a long
// directory path plus a long entry name overflows 'fullpath' on the stack.
// Use snprintf(fullpath, sizeof(fullpath), ...) and treat a return value
// >= sizeof(fullpath) (truncation) as an error for this entry.
sprintf(fullpath, "%s/%s", dirname, pdirent->d_name);
....
}
V512 A call of the 'sprintf' function will lead to overflow of the buffer 'fileSearch'. FileSystemUtils.cpp 307
#define MAX_PATH 260
....
// V512 example: path built with sprintf() into a MAX_PATH buffer with no
// length check.
void PLATFORM_migrateSaveData(char *output)
{
char oldLocation[MAX_PATH];
char newLocation[MAX_PATH];
char oldDirectory[MAX_PATH];
char fileSearch[MAX_PATH];
....
/* Same place, different layout. */
// Also unbounded: nothing here limits strlen(output) to MAX_PATH - 1.
strcpy(oldDirectory, output);
// BUG: the suffix "\*.vvvvvv" is 9 characters plus the terminating NUL, so
// any oldDirectory longer than 250 characters no longer fits in the 260-byte
// fileSearch and sprintf() writes past the end of the array.  Use
// snprintf(fileSearch, sizeof(fileSearch), ...) and check for truncation.
sprintf(fileSearch, "%s\\*.vvvvvv", oldDirectory);
....
}
If the length of the oldDirectory string is more than 250 characters, the formatted string (the path, the 9-character suffix "\*.vvvvvv" and the terminating null) no longer fits in the 260-byte fileSearch buffer, and sprintf writes past the end of the array. The preceding strcpy into oldDirectory is just as unbounded, since nothing limits the length of output.
V512 [CWE-119] A call of the 'memcpy' function will lead to the 'net_hostname_get()' buffer becoming out of range. log_backend_net.c 114
#if defined(CONFIG_NET_HOSTNAME_ENABLE)
const char *net_hostname_get(void);
#else
// Fallback: a 7-byte string literal (6 characters plus NUL).  Nothing about
// the function promises MAX_HOSTNAME_LEN bytes of readable storage.
static inline const char *net_hostname_get(void)
{
return "zephyr";
}
#endif
// sizeof of the literal, i.e. 39 characters + NUL = 40 bytes.
#define NET_IPV6_ADDR_LEN sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx")
#define MAX_HOSTNAME_LEN NET_IPV6_ADDR_LEN
// V512 (CWE-119) example: copying a fixed byte count out of a C string.
static int do_net_init(void)
{
....
// BUG: memcpy() copies MAX_HOSTNAME_LEN (40) bytes regardless of the string's
// actual length.  With the "zephyr" fallback this reads 33 bytes past the end
// of the literal (out-of-bounds read); with a real hostname it reads whatever
// follows its NUL.  Copy strlen()-bounded instead, e.g. clamp the length to
// MAX_HOSTNAME_LEN - 1 and NUL-terminate 'hostname' (whose size this excerpt
// does not show - TODO confirm it is at least MAX_HOSTNAME_LEN).
(void)memcpy(hostname, net_hostname_get(), MAX_HOSTNAME_LEN);
....
}
V512 [CWE-119] A call of the 'snprintf' function will lead to overflow of the buffer 'full_name'. lwm2m_rw_json.c 826
// V512 (CWE-119) example: snprintf() bounded by the size of a different
// buffer than the one it writes to.
int do_write_op_json(struct lwm2m_message *msg)
{
u8_t value[TOKEN_BUF_LEN]; // TOKEN_BUF_LEN = 64
u8_t base_name[MAX_RESOURCE_LEN]; // MAX_RESOURCE_LEN = 20
u8_t full_name[MAX_RESOURCE_LEN]; // MAX_RESOURCE_LEN = 20
....
/* combine base_name + name */
// BUG: the limit is TOKEN_BUF_LEN (64) but full_name holds only 20 bytes, so
// a base_name/value pair longer than 19 characters (value alone may be up to
// 63, and it is parsed from the incoming message) writes up to 44 bytes past
// the end of full_name on the stack.  The limit must be sizeof(full_name),
// and the result checked for truncation.
snprintf(full_name, TOKEN_BUF_LEN, "%s%s", base_name, value);
....
}
V512 A call of the 'sprintf' function will lead to overflow of the buffer '(char *) ptr'. SOUNDDLG.CPP 250
// V512 example: allocation size is sizeof of a literal, not the literal.
void SoundControlsClass::Process(void)
{
....
// BUG: sizeof(100) is sizeof(int) - 4 bytes - not 100.  'new char[100]' was
// evidently intended.
void * ptr = new char [sizeof(100)]; // <=
if (ptr) {
// BUG: the formatted text ("Track", two numbers, a time and 'fullname')
// cannot fit in 4 bytes, so this is a heap buffer overflow on every call.
// Allocate the real size and use snprintf() with that size.
sprintf((char *)ptr, "%cTrack %d\t%d:%02d\t%s", // <=
index, listbox.Count()+1, length / 60, length % 60, fullname);
listbox.Add_Item((char const *)ptr);
}
....
}
V512 A call of the 'memset' function will lead to underflow of the buffer 'Buffer'. KEYBOARD.CPP 96
// 256 two-byte elements = 512 bytes.
unsigned short Buffer[256];
// V512 example: element count used as the memset() byte count.
WWKeyboardClass::WWKeyboardClass(void)
{
....
// BUG: clears 256 bytes, i.e. only the first half of Buffer; the upper 128
// entries keep their previous contents.  Use sizeof(Buffer).
memset(Buffer, 0, 256);
....
}
V512 [CWE-682] A call of the 'memset' function will lead to underflow of the buffer 'm_keys'. qv4estable.cpp 57
// V512 (CWE-682) example: buffers allocated in bytes but cleared in elements.
ESTable::ESTable()
: m_capacity(8)
{
// Both allocations are m_capacity * sizeof(Value) bytes; neither result is
// checked for NULL before being passed to memset() below.
m_keys = (Value*)malloc(m_capacity * sizeof(Value));
m_values = (Value*)malloc(m_capacity * sizeof(Value));
// BUG: only m_capacity (8) bytes are zeroed, not m_capacity * sizeof(Value),
// so unless sizeof(Value) == 1 most of each table is left uninitialized.
// The size argument should be m_capacity * sizeof(Value).
memset(m_keys, 0, m_capacity);
memset(m_values, 0, m_capacity);
}