V557. Array overrun is possible.
V557 Array overrun is possible. The '9' index is pointing beyond array bound. VirtualDub f_convolute.cpp 73
// Convolution filter parameters. m holds exactly nine coefficients, so the
// only valid indices into it are 0..8.
struct ConvoluteFilterData {
long m[9];
long bias;
void *dyna_func;
DWORD dyna_size;
DWORD dyna_old_protect;
BOOL fClip;
};
// Loads kernel coefficients into rt0, gt0 and bt0 before the (elided) loop.
// cfd->m has nine elements, so m[9] reads one past the end; which index was
// intended cannot be recovered from this fragment.
static unsigned long __fastcall do_conv(
unsigned long *data,
const ConvoluteFilterData *cfd,
long sflags, long pit)
{
long rt0=cfd->m[9], gt0=cfd->m[9], bt0=cfd->m[9]; // out of bounds: valid indices are 0..8
....
}
V557 Array overrun is possible. The '14' index is pointing beyond array bound. dumb_static readdsmf.c 34
/* filename has 14 bytes; the highest writable index is 13. */
struct IT_SAMPLE
{
....
unsigned char filename[14];
....
};
/*
 * Copies 13 bytes of the sample name and NUL-terminates it. The terminator
 * belongs at index 13 (the 14th byte of filename[14]); index 14 is one past
 * the end of the array.
 */
static int it_riff_dsmf_process_sample(
IT_SAMPLE * sample, const unsigned char * data, int len)
{
int flags;
memcpy( sample->filename, data, 13 );
sample->filename[ 14 ] = 0; /* off by one: should be index 13 */
....
}
This is what should have been written here: sample->filename[ 13 ] = 0;
V557 Array overrun is possible. The '64' index is pointing beyond array bound. stickies stickies.cpp 7947
#define FINDBUFFLEN 64 // Max buffer find/replace size
// findWhat has FINDBUFFLEN (64) elements, so FINDBUFFLEN itself is one past
// the end; the terminating write below belongs at FINDBUFFLEN - 1.
int WINAPI Sticky (HWND hwnd, UINT message,
WPARAM wParam, LPARAM lParam)
{
....
static char findWhat[FINDBUFFLEN] = {'\0'};
....
findWhat[FINDBUFFLEN] = '\0'; // out of bounds
....
}
V557 Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_cmd.c 1069
/* teamleader is 32 bytes, so its last index is 31. */
typedef struct bot_state_s
{
....
char teamleader[32]; //netname of the team leader
....
} bot_state_t;
/*
 * sizeof(bs->teamleader) is 32, which is one past the last element; the
 * terminator should be written at sizeof(bs->teamleader) - 1.
 */
void BotMatch_StartTeamLeaderShip(
bot_state_t *bs, bot_match_t *match)
{
....
bs->teamleader[sizeof( bs->teamleader )] = '\0'; /* index 32 of a 32-byte array */
....
}
-1 is missing. The same error can be found in Quake 3.
Similar errors can be found in some other places:
V557 Array overrun is possible. The '3' index is pointing beyond array bound. renderer tr_shade_calc.c 679
/*
 * invModulate is declared with three elements but a fourth (alpha) value is
 * written at index 3. The existing comment shows the alpha write is
 * deliberate, so the array should be four elements, not three.
 */
void RB_CalcColorFromOneMinusEntity(unsigned char *dstColors) {
....
unsigned char invModulate[3];
....
invModulate[0] = 255 - backEnd.currentEntity->e.shaderRGBA[0];
invModulate[1] = 255 - backEnd.currentEntity->e.shaderRGBA[1];
invModulate[2] = 255 - backEnd.currentEntity->e.shaderRGBA[2];
// this trashes alpha, but the AGEN block fixes it
invModulate[3] = 255 - backEnd.currentEntity->e.shaderRGBA[3]; /* one past the end of invModulate[3] */
....
}
The same error can be found in Quake 3.
V557 Array overrun is possible. The '30' index is pointing beyond array bound. avs_enc umc_avs_enc_compressor_enc_b.cpp 495
// refIdx has four entries per direction (second index 0..3).
struct AVS_MB_INFO
{
....
Ipp8u refIdx[AVS_DIRECTIONS][4];
....
};
// Collects the reference indices whose predType bit is set. Each branch
// reads refIdx[dir][k] for k = 0..3; the last one reads index 30, which is
// a typo for 3 and lies far past the four-element row.
void AVSCompressor::GetRefIndiciesBSlice(void){
....
if (m_pMbInfo->predType[0] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][0];
iRefNum += 1;
}
if (m_pMbInfo->predType[1] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][1];
iRefNum += 1;
}
if (m_pMbInfo->predType[2] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][2];
iRefNum += 1;
}
if (m_pMbInfo->predType[3] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][30]; // typo: should be [dir][3]
iRefNum += 1;
}
....
}
The programmer's hand faltered and now we have 30 instead of 3.
V557 Array overrun is possible. The '3' index is pointing beyond array bound. mp3_enc mp3enc_psychoacoustic_fp.c 726
/* nb_short's second dimension has three entries (indices 0..2). */
typedef struct
{
....
VM_ALIGN16_DECL(Ipp32f)
nb_short[2][3][__ALIGNED(MAX_PPT_SHORT)];
....
} mpaPsychoacousticBlock;
/*
 * nb_short[0][3] indexes one past the three-entry second dimension of
 * nb_short[2][3][...]; the last valid row is nb_short[0][2].
 */
static void mp3encPsy_short_window(....)
{
....
if (win_counter == 0) {
nb_s = pBlock->nb_short[0][3]; /* out of bounds: should be [0][2] */
}
....
}
This is what should have been written here: 2.
V557 Array overrun is possible. The value of 'r0 + r1 + 2' index could reach 24. libmp3lame takehiro.c 895
....
#define SBMAX_l 22
....
/* 1 + SBMAX_l = 23 entries, so the highest valid index is 22. */
int l[1+SBMAX_l];
....
/*
 * With r0 < 16 and r1 < 8, r0 + r1 + 2 reaches 24, beyond the 23-entry
 * scalefac_band.l array (highest index 22). The loops continue outside
 * this fragment.
 */
inline static void
recalc_divide_init(const lame_internal_flags * const gfc, ...)
{
int r0, r1;
....
for (r0 = 0; r0 < 16; r0++) {
....
for (r1 = 0; r1 < 8; r1++) {
int a2 = gfc->scalefac_band.l[r0 + r1 + 2]; /* index can reach 24 */
....
}
V557 Array overrun is possible. The value of 'i * 3 + 0' index could reach 765. Irrlicht cimageloaderpcx.cpp 113
// Palette holds 48 bytes (indices 0..47).
struct SPCXHeader {
....
u8 Palette[48];
u8 Reserved;
u8 Planes;
u16 BytesPerLine;
....
}
// Expands palette entries into packed RGB values. The loop runs i up to 255,
// so Palette[i*3+2] reaches index 767 while header.Palette has only 48
// bytes; the 256-entry palette must come from somewhere other than the
// header (presumably a separate palette buffer — not visible here).
IImage* CImageLoaderPCX::loadImage(io::IReadFile* file) const
{
....
for( s32 i=0; i<256; i++ )
{
paletteData[i] = (header.Palette[i*3+0] << 16) | // reads past Palette[48] once i >= 16
(header.Palette[i*3+1] << 8) |
(header.Palette[i*3+2]);
}
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'i + 1' index could reach 7. pj_geotrans datum.c 367
#define DATUM_CODE_LENGTH 7
/* Code has DATUM_CODE_LENGTH (7) bytes; the highest valid index is 6. */
typedef struct Datum_Table_Row
{
....
char Code[DATUM_CODE_LENGTH];
....
} Datum_Row;
/*
 * Shifts Code left by one character. On the last iteration i + 1 equals
 * DATUM_CODE_LENGTH (7), one past the end of Code[7]; the loop should stop
 * at DATUM_CODE_LENGTH - 1.
 */
long Initialize_Datums_File(const char *File_7Parms,
const char *File_3Parms)
{
....
for (i = 0; i < DATUM_CODE_LENGTH; i++)
Datum_Table_3Param[index].Code[i] =
Datum_Table_3Param[index].Code[i+1]; /* i + 1 reaches 7 */
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'i' index could reach 367. cmlibarchive archive_windows.c 1140
/* Win32 -> errno mapping table; element count is sizeof(doserrors) / sizeof(*doserrors). */
static const struct {
DWORD winerr;
int doserr;
} doserrors[] =
{
....
};
/*
 * Maps a Win32 error code to errno. sizeof(doserrors) is the table's size
 * in bytes, not its element count, so the loop walks past the end; the
 * bound should be sizeof(doserrors) / sizeof(*doserrors).
 */
static void
la_dosmaperr(unsigned long e)
{
....
for (i = 0; i < sizeof(doserrors); i++) /* byte count used as element count */
{
if (doserrors[i].winerr == e)
{
errno = doserrors[i].doserr;
return;
}
}
....
}
This is what should have been written here: sizeof(doserrors) / sizeof(*doserrors)
Similar errors can be found in some other places:
V557 Array overrun is possible. The '255' index is pointing beyond array bound. pl2ganglia pl2ganglia.c 1114
#define PL_MAX_PATH 255
#define PL2GANFLIA_COUNTER_MAX_LENGTH PL_MAX_PATH
/* name has PL_MAX_PATH (255) bytes; the last valid index is 254. */
char name[PL_MAX_PATH];
/*
 * Terminates a counter name. PL2GANFLIA_COUNTER_MAX_LENGTH (255) is the
 * array size, so the terminator lands one past the end; it belongs at
 * PL2GANFLIA_COUNTER_MAX_LENGTH - 1.
 */
int main(int argc, char *argv[]) {
....
p->pl_counters_data[i].name[
PL2GANFLIA_COUNTER_MAX_LENGTH
] = '\0'; /* index 255 of a 255-byte array */
....
}
This is what should have been written here: PL2GANFLIA_COUNTER_MAX_LENGTH - 1
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1482
/*
 * Writes a second terminator one past the existing one. When szFrom is
 * full, lstrlenW(szFrom) + 1 is the array bound itself (reported as 260),
 * so the store lands outside the buffer; the intent is unclear from this
 * fragment.
 */
static void move_dir_to_dir(....)
{
....
szFrom[lstrlenW(szFrom) + 1] = '\0'; /* index can equal the array size */
....
}
Very suspicious code. Something different must have been intended.
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'j' index could reach 2. mp3_enc mp3enc_psychoacoustic_fp.c 361
/* Second dimension has two entries (indices 0..1). */
Ipp32f pa_nb_long[NUM_CHANNELS][2][MAX_PPT_LONG];
/*
 * Fills pa_nb_long with a large sentinel. The j loop runs to 3 while the
 * middle dimension of pa_nb_long[..][2][..] has only two entries, so
 * j == 2 writes past the row; the bound should be j < 2.
 */
MP3Status mp3enc_psychoacousticInit(....)
{
....
for (ch = 0; ch < NUM_CHANNELS; ch++)
for (i = 0; i < MAX_PPT_LONG; i++) {
for (j = 0; j < 3; j++) /* should be j < 2 */
state->pa_nb_long[ch][j][i] = (Ipp32f)1.0e30;
}
....
}
This is what should have been written here: for (j = 0; j < 2; j++)
V557 Array overrun is possible. The value of 't * 12 + j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 275
/* samplefbout is [2][18][32]: the middle index runs 0..17 only. */
typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];
/*
 * Gathers 12 samples per (t, sb). With t < 3 and j < 12 the middle index
 * t * 12 + j reaches 35, but fbout_data[ch][0] has only 18 rows (0..17).
 * The loops close outside this fragment.
 */
static void mp3enc_scale_factor_calc_l2(MP3Enc *state)
{
....
for (ch = 0; ch < stereo + state->com.mc_channel; ch++) {
for (t = 0; t < 3; t++) {
for (sb = 0; sb < sblimit_real; sb++){
for (j = 0; j < 12; j++)
fbout[j] = state->fbout_data[ch][0][t * 12 + j][sb]; /* middle index can reach 35 */
....
}
If t can be 2 while j is 11, an array overrun will occur.
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 639
/* samplefbout is [2][18][32]: the middle index runs 0..17 only. */
typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];
/*
 * Averages the left and right channels into channel 2. j runs to 36, but
 * the middle dimension of fbout_data[..][0][j] has 18 entries, so j >= 18
 * reads and writes past the row. Whether the intended range is j < 18 or
 * the index should be split across the first two dimensions (2 * 18 == 36)
 * cannot be decided from this fragment.
 */
static void mp3enc_join_LR_l2(MP3Enc *state)
{
Ipp32s sb, j;
Ipp32s sblimit_real = state->com.sblimit_real;
for (sb = 0; sb < sblimit_real; sb++)
for (j = 0; j < 36; j++) /* middle dimension is 18 */
state->fbout_data[2][0][j][sb] =
0.5f * (state->fbout_data[0][0][j][sb] +
state->fbout_data[1][0][j][sb]);
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'n' index could reach 479. iSAC encode.c 1307
#define FRAMESAMPLES_HALF 240
#define FRAMESAMPLES 480
/* realFFT and imagFFT each hold FRAMESAMPLES_HALF (240) samples. */
typedef struct {
....
WebRtc_Word16 realFFT[FRAMESAMPLES_HALF];
WebRtc_Word16 imagFFT[FRAMESAMPLES_HALF];
} ISACUBSaveEncDataStruct;
/*
 * Rescales the saved FFT data. The loop runs n up to FRAMESAMPLES (480)
 * while ISACSavedEnc_obj->realFFT / imagFFT hold FRAMESAMPLES_HALF (240)
 * entries, so the second half of the loop reads past both arrays.
 */
int WebRtcIsac_EncodeStoredDataUb12(....)
{
....
for(n = 0; n < FRAMESAMPLES; n++) /* source arrays hold FRAMESAMPLES_HALF */
{
realFFT[n] = (WebRtc_Word16)
(scale * (float)ISACSavedEnc_obj->realFFT[n] + 0.5f);
imagFFT[n] = (WebRtc_Word16)
(scale * (float)ISACSavedEnc_obj->imagFFT[n] + 0.5f);
}
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'j' index could reach 5. DoomDLL tr_stencilshadow.cpp 551
// frustum is declared with four planes but the loop visits six, so
// frustum[4] and frustum[5] are outside the declared extent.
static bool R_ClipLineToLight(..., const idPlane frustum[4], ...)
{
....
for ( j = 0 ; j < 6 ; j++ ) { // declared extent is 4
d1 = frustum[j].Distance( p1 );
d2 = frustum[j].Distance( p2 );
....
}
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'i' index could reach 19. detectcharset.cpp 89
// mLWordLen has ten counters, but the constructor zeroes twenty; the loop
// bound should be 10 (or derived from sizeof(mLWordLen)/sizeof(mLWordLen[0])).
class nsBaseStatis : public nsStatis {
public:
....
PRUint32 mLWordLen[10];
....
nsBaseStatis::nsBaseStatis(
unsigned char aL, unsigned char aH, float aR)
{
....
for(PRUint32 i = 0; i < 20; i++) // array has 10 elements
mLWordLen[i] = 0;
....
}
}
....
};
This is what should have been written here: for(PRUint32 i = 0; i < 10; i++) or: for(PRUint32 i = 0; i < sizeof(mLWordLen)/sizeof(mLWordLen[0]); i++)
V557 Array overrun is possible. The value of 'i' index could reach 3. game g_main.c 776
/* Two entries (indices 0..1). */
int numteamVotingClients[2];
/*
 * Resets the per-team vote counters. numteamVotingClients has two entries,
 * but the loop runs to TEAM_NUM_TEAMS (the index reaches 3), so the last
 * iterations write past the array.
 */
void CalculateRanks( void ) {
....
for ( i = 0; i < TEAM_NUM_TEAMS; i++ ) { /* array has 2 entries */
level.numteamVotingClients[i] = 0;
}
....
}
V557 Array overrun is possible. The value of 'i' index could reach 46. Notepad++ preferencedlg.cpp 984
// Code-page table; its element count is sizeof(encodings)/sizeof(int).
int encodings[] = {
1250,
1251,
1252,
....
};
// The loop condition uses <= against the element count, so the final
// iteration reads encodings[count], one past the end; it should be <.
// The loop closes outside this fragment.
BOOL CALLBACK DefaultNewDocDlg::run_dlgProc(
UINT Message, WPARAM wParam, LPARAM)
{
....
for (int i = 0 ; i <= sizeof(encodings)/sizeof(int) ; i++) // should be <
{
int cmdID = em->getIndexFromEncoding(encodings[i]);
....
}
This is what should have been written here: i < sizeof(encodings)/sizeof(int)
V557 Array overrun is possible. The value of 'i' index could reach 39. libmysql ctype-czech.c 260
/* Five entries; sizeof(doubles) is the byte size, not this count. */
static struct wordvalue doubles[] = {
{ "ch", (uchar*) "\014\031\057\057" },
{ "Ch", (uchar*) "\014\031\060\060" },
{ "CH", (uchar*) "\014\031\061\061" },
{ "c", (uchar*) "\005\012\021\021" },
{ "C", (uchar*) "\005\012\022\022" },
};
/*
 * The inner loop bounds i by sizeof(doubles), the table's size in bytes,
 * so i runs well past the five entries (reported as reaching 39). The
 * bound should be sizeof(doubles) / sizeof(doubles[0]).
 */
#define NEXT_CMP_VALUE(src, p, store, pass, value, len) \
while (1) \
{ \
...... \
for (i = 0; i < (int) sizeof(doubles); i++) \
{ \
const char * pattern = doubles[i].word; \
... \
} \
} \
...... \
}
The NEXT_CMP_VALUE macro is incorrect.
V557 Array overrun is possible. The '9' index is pointing beyond array bound. ge_phys_bullet ccdphysicscontroller.cpp 867
// Builds a 3x3 matrix from rotval. The parameter is declared with nine
// elements (0..8), but indices 9 and 10 are read, so either the declared
// extent or the index pattern is wrong; the fragment does not say which.
void CcdPhysicsController::RelativeRotate(
const float rotval[9], bool local)
{
....
btMatrix3x3 drotmat(
rotval[0],rotval[4],rotval[8],
rotval[1],rotval[5],rotval[9], // rotval[9] is past the declared extent
rotval[2],rotval[6],rotval[10]); // so is rotval[10]
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The '3' index is pointing beyond array bound. crypt crypt.cxx 567
// Builds a two-character salt plus terminator. salt has three bytes, so
// the terminator belongs at salt[2]; salt[3] is one past the end.
// NOTE(review): the fallback draws salt characters from rand(), which is
// not a cryptographically strong source — confirm that is acceptable here.
int main(int argc, char **argv) {
....
char salt[3];
....
salt[0] = (argc>2)?(argv[1][0]):rndChar[rand() % 64];
salt[1] = (argc>2)?(argv[1][1]):rndChar[rand() % 64];
salt[3] = 0; // should be salt[2]
....
}
This is what should have been written here: salt[2] = 0;
V557 Array overrun is possible. The '6' index is pointing beyond array bound. vtkGraphics vtkcursor2d.cxx 313
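/// Forwards a six-element bounds array to the scalar overload.
///
/// @param bounds  six values, indices 0..5, passed through in order
///
/// The fifth argument must be bounds[4]: the original passed bounds[6],
/// which is one past the end of a six-element array.
void vtkCursor2D::SetModelBounds(double bounds[6])
{
  this->SetModelBounds(bounds[0], bounds[1], bounds[2],
                       bounds[3], bounds[4], bounds[5]);
}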
This is what should have been written here: bounds[4].
V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 39
// Eight tables of 256 entries each (second index 0..255).
static uint crc_tables[8][256];
// Derives crc_tables[1..7] from crc_tables[0]. The outer loop uses I<=256,
// so the last iteration reads and writes column 256 of 256-entry rows;
// the condition should be I<256.
void InitCRC()
{
....
// Build additional lookup tables.
for (uint I=0;I<=256;I++) // should be I<256
{
uint C=crc_tables[0][I];
for (uint J=1;J<8;J++)
{
C=crc_tables[0][(byte)C]^(C>>8);
crc_tables[J][I]=C;
}
}
}
V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1480
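// Interpolates one coordinate of three control-point values that sit three
// SkScalars apart in memory (chopAt passes &tmp[0].fX of an SkP3D[3]).
// Indices 0, 3 and 6 are read from src and written to dst, so both arrays
// must extend to seven elements; the original [3] declarations understated
// the extent the function actually touches.
// NOTE(review): this relies on SkP3D laying out fX, fY, fZ as three
// contiguous SkScalars — confirm against the SkP3D definition.
static void p3d_interp(const SkScalar src[7],
                       SkScalar dst[7], SkScalar t) {
    // ab and bc interpolate the two adjacent pairs; their interpolation is
    // the shared middle point of the two halves.
    const SkScalar ab = SkScalarInterp(src[0], src[3], t);
    const SkScalar bc = SkScalarInterp(src[3], src[6], t);
    dst[0] = ab;
    dst[3] = SkScalarInterp(ab, bc, t);
    dst[6] = bc;
}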
// Splits the conic at t. Each p3d_interp call is handed the address of one
// component of tmp[0] and walks three SkScalars per control point, i.e.
// across all three SkP3D entries of tmp / tmp2.
void SkConic::chopAt(SkScalar t, SkConic dst[2]) const {
SkP3D tmp[3], tmp2[3];
ratquad_mapTo3D(fPts, fW, tmp);
p3d_interp(&tmp[0].fX, &tmp2[0].fX, t);
p3d_interp(&tmp[0].fY, &tmp2[0].fY, t);
p3d_interp(&tmp[0].fZ, &tmp2[0].fZ, t);
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'i' index could reach 2. shader_bench.cc 152
// kNumPainters says 3, but painters lists only two entries; a loop bounded
// by kNumPainters reads painters[2] past the end.
static const int kNumPainters = 3;
static const struct {
const char* name;
GPUPainter* painter;
} painters[] = {
{ "CPU CSC + GPU Render", new CPUColorPainter() },
{ "GPU CSC/Render", new GPUColorWithLuminancePainter() },
};
// Runs each painter. painters has two entries while kNumPainters is 3, so
// the third iteration reads past the table. The loop closes outside this
// fragment.
int main(int argc, char** argv) {
....
// Run GPU painter tests.
for (int i = 0; i < kNumPainters; i++) { // painters[] has 2 entries
scoped_ptr<GPUPainter> painter(painters[i].painter);
....
}
V557 Array overrun is possible. The '7' index is pointing beyond array bound. cjoystickmanager.cpp 1003
// Seven axes (indices 0..6).
struct
{
bool bEnabled;
long lMax;
long lMin;
DWORD dwType;
} axis[7];
// axis has seven entries, so axis[7] is one past the end.
bool CJoystickManager::IsXInputDeviceAttached ( void )
{
....
m_DevInfo.axis[6].bEnabled = 0;
m_DevInfo.axis[7].bEnabled = 0; // out of bounds
....
}
V557 Array overrun is possible. The '3' index is pointing beyond array bound. cwatermanagersa.cpp 595
// Three vertex ids (indices 0..2).
class CWaterPolySAInterface
{
public:
WORD m_wVertexIDs[3];
};
// Stores four vertex ids into a three-element array; the fourth write is
// past the end. A quad needs four ids, so m_wVertexIDs is presumably the
// wrong size for this use — confirm against the interface.
CWaterPoly* CWaterManagerSA::CreateQuad (....)
{
....
pInterface->m_wVertexIDs [ 0 ] = pV1->GetID ();
pInterface->m_wVertexIDs [ 1 ] = pV2->GetID ();
pInterface->m_wVertexIDs [ 2 ] = pV3->GetID ();
pInterface->m_wVertexIDs [ 3 ] = pV4->GetID (); // out of bounds
....
}
V557 Array overrun is possible. The value of 'i' index could reach 3. cmainmenu.cpp 1062
#define CORE_MTA_NEWS_ITEMS 3
// Three labels each (indices 0..2).
CGUILabel* m_pNewsItemLabels[CORE_MTA_NEWS_ITEMS];
CGUILabel* m_pNewsItemShadowLabels[CORE_MTA_NEWS_ITEMS];
// The loop uses <= CORE_MTA_NEWS_ITEMS, so the last iteration dereferences
// element 3 of three-element arrays; the condition should be <.
void CMainMenu::SetNewsHeadline (....)
{
....
for ( char i=0; i <= CORE_MTA_NEWS_ITEMS; i++ ) // should be <
{
m_pNewsItemLabels[ i ]->SetFont ( szFontName );
m_pNewsItemShadowLabels[ i ]->SetFont ( szFontName );
....
}
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 35
// Eight tables of 256 entries each (second index 0..255).
static uint crc_tables[8][256]; // Tables for Slicing-by-8.
// Derives crc_tables[1..7] from crc_tables[0]. I<=256 lets the last
// iteration touch column 256 of 256-entry rows; it should be I<256.
void InitCRC()
{
....
for (uint I=0;I<=256;I++) // should be I<256
{
uint C=crc_tables[0][I];
for (uint J=1;J<8;J++)
{
C=crc_tables[0][(byte)C]^(C>>8);
crc_tables[J][I]=C;
}
}
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'i' index could reach 19. cpoolssa.cpp 1036
// Pool identifiers; MAX_POOLS (20) is the count of real pools. Any table
// indexed by ePools must have MAX_POOLS entries.
enum ePools {
BUILDING_POOL = 0,
PED_POOL,
OBJECT_POOL,
DUMMY_POOL,
VEHICLE_POOL,
COL_MODEL_POOL,
TASK_POOL,
EVENT_POOL,
TASK_ALLOCATOR_POOL,
PED_INTELLIGENCE_POOL,
PED_ATTRACTOR_POOL,
ENTRY_INFO_NODE_POOL,
NODE_ROUTE_POOL,
PATROL_ROUTE_POOL,
POINT_ROUTE_POOL,
POINTER_DOUBLE_LINK_POOL,
POINTER_SINGLE_LINK_POOL,
ENV_MAP_MATERIAL_POOL,
ENV_MAP_ATOMIC_POOL,
SPEC_MAP_MATERIAL_POOL,
MAX_POOLS
};
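/// Writes one line per named pool ("name: used (capacity) (percent%)")
/// into szOutput (1024 bytes) and, in MTA_DEBUG builds, hands the text to
/// OutputDebugString.
void CPoolsSA::DumpPoolsStatus ()
{
    // ePools defines MAX_POOLS (20) pools, but only 17 have a name and a
    // size below. The loop bound is therefore derived from the tables
    // rather than from MAX_POOLS: the original loop read poolNames[17..19]
    // and poolSizes[17..19] past the end. The three unnamed pools are not
    // reported until entries are added for them.
    static const char* const poolNames[] = {
        "Buildings", "Peds", "Objects", "Dummies", "Vehicles",
        "ColModels", "Tasks", "Events", "TaskAllocators",
        "PedIntelligences", "PedAttractors", "EntryInfoNodes",
        "NodeRoutes", "PatrolRoutes", "PointRoutes",
        "PointerNodeDoubleLinks", "PointerNodeSingleLinks" };
    static const int poolSizes[] = {
        13000,140,350,2500,110,10150,500,200,16,140,64,500,
        64,32,64,3200,70000 };
    const size_t numNames = sizeof(poolNames) / sizeof(poolNames[0]);
    const size_t numSizes = sizeof(poolSizes) / sizeof(poolSizes[0]);
    const int numNamed = static_cast<int>(numNames < numSizes ? numNames : numSizes);
    const int outputSize = 1024;
    int iPosition = 0;
    const char percent = '%';
    iPosition += snprintf ( szOutput, outputSize, "-----------------\n" );
    for ( int i = 0; i < numNamed && i < MAX_POOLS; i++ )
    {
        // snprintf returns the length it wanted to write, not what fit, so
        // stop once the buffer is full; otherwise szOutput + iPosition and
        // the remaining size would both run past the 1024-byte buffer.
        if ( iPosition < 0 || iPosition >= outputSize )
            break;
        int usedSpaces = GetNumberOfUsedSpaces ( (ePools)i );
        iPosition +=
            snprintf ( szOutput + iPosition, outputSize - iPosition,
                       "%s: %d (%d) (%.2f%c)\n", poolNames[i],
                       usedSpaces, poolSizes[i],
                       ((float)usedSpaces/(float)poolSizes[i]*100),
                       percent );
    }
#ifdef MTA_DEBUG
    OutputDebugString ( szOutput );
#endif
}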
V557 Array overrun is possible. The value of 'i' index could reach 7. itraqanalyzer.c 232
// Four-plex has four channel rows (0..3); eight-plex has eight (0..7).
static const Int CHANNELS_FOURPLEX[4][1];
static const Int CHANNELS_EIGHTPLEX[8][1];
// Builds the channel labels for the selected iTRAQ type. The EIGHTPLEX
// branch iterates i < 8 but indexes CHANNELS_FOURPLEX, which has only four
// rows; it presumably should use CHANNELS_EIGHTPLEX (copy-paste of the
// FOURPLEX branch).
ExitCodes main_(int, const char **)
{
....
if (itraq_type == ItraqQuantifier::FOURPLEX)
{
for (Size i = 0; i < 4; ++i)
{
std::vector<std::pair<String, DoubleReal> > one_label;
one_label.push_back(std::make_pair<String, DoubleReal>(
String("Channel ") +
String(ItraqConstants::CHANNELS_FOURPLEX[i][0]),
DoubleReal(ItraqConstants::CHANNELS_FOURPLEX[i][0])));
labels.push_back(one_label);
}
}
else //ItraqQuantifier::EIGHTPLEX
{
for (Size i = 0; i < 8; ++i)
{
std::vector<std::pair<String, DoubleReal> > one_label;
one_label.push_back(std::make_pair<String, DoubleReal>(
String("Channel ") +
String(ItraqConstants::CHANNELS_FOURPLEX[i][0]), // FOURPLEX table has 4 rows; i reaches 7
DoubleReal(ItraqConstants::CHANNELS_FOURPLEX[i][0]))); // same
labels.push_back(one_label);
}
}
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'i' index could reach 255. edwardslippertiterator.c 134
// 255 entries (indices 0..254).
DoubleReal masse_[255]; // <= mass table
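/// Copy constructor: copies every member from source, including the mass
/// table, element by element.
///
/// @param source  iterator to copy from
EdwardsLippertIterator::EdwardsLippertIterator(
const EdwardsLippertIterator & source) :
PepIterator(source),
f_file_(source.f_file_),
actual_pep_(source.actual_pep_),
spec_(source.spec_),
tol_(source.tol_),
is_at_end_(source.is_at_end_),
f_iterator_(source.f_iterator_),
f_entry_(source.f_entry_),
b_(source.b_),
e_(source.e_),
m_(source.m_),
massMax_(source.massMax_)
{
  // The bound is taken from the array itself (255 entries); the original
  // literal 256 copied one element past the end of both tables.
  const Size count = sizeof(masse_) / sizeof(masse_[0]);
  for (Size i = 0; i < count; i++)
  {
    masse_[i] = source.masse_[i];
  }
}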
V557 Array overrun is possible. The '2' index is pointing beyond array bound. mayadmtypes.h 48
// Pair of shorts. The constructor should fill values[0] and values[1];
// values[2] is one past the end of the two-element array.
struct short2
{
short values[2];
short2(short s1, short s2)
{
values[0] = s1;
values[2] = s2; // should be values[1]
}
....
};
V557 Array overrun is possible. The value of 'i' index could reach 64. markovfunctional.cpp 176
// q6mh lists 60 quotes, but the loop runs 10+18+37 = 65 times, so the last
// five iterations read past the array.
Handle<YieldTermStructure> md0Yts() {
....
double q6mh[] = {
0.0001,0.0001,0.0001,0.0003,0.00055,0.0009,0.0014,0.0019,
0.0025,0.0031,0.00325,0.00313,0.0031,0.00307,0.00309,
0.00339,0.00316,0.00326,0.00335,0.00343,0.00358,0.00351,
0.00388,0.00404,0.00425,0.00442,0.00462,0.00386,0.00491,
0.00647,0.00837,0.01033,0.01218,0.01382,0.01527,0.01654,
0.0177,0.01872,0.01959,0.0203,0.02088,0.02132,0.02164,
0.02186,0.02202,0.02213,0.02222,0.02229,0.02234,0.02238,
0.02241,0.02243,0.02244,0.02245,0.02247,0.0225,0.02284,
0.02336,0.02407,0.0245 };
....
for(int i=0;i<10+18+37;i++) { // 65 iterations over a 60-entry array
q6m.push_back(
boost::shared_ptr<Quote>(new SimpleQuote(q6mh[i])));
}
....
}
V557 Array overrun is possible. The value of 'i' index could reach 179. g4lepp.cc 62
enum { NENERGY=22, NANGLE=180 };
// sig has NANGLE (180) pointers; SigCoul has only NENERGY (22) rows.
class G4LEpp : public G4HadronicInteraction
{
....
G4float * sig[NANGLE];
static G4float SigCoul[NENERGY][NANGLE];
....
};
// Points sig[i] at row i of SigCoul. The loop runs i < NANGLE (180), but
// SigCoul has only NENERGY (22) rows, so rows 22..179 lie past the table.
G4LEpp::SetCoulombEffects(G4int State)
{
if (State) {
for(G4int i=0; i<NANGLE; i++) // SigCoul has NENERGY rows
{
sig[i] = SigCoul[i];
}
elab = ElabCoul;
}
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'j' index could reach 7. g4heinelastic.cc 4682
// Finds the first alem threshold above alekw. alem has seven entries
// (0..6) but j runs to 7, so the last comparison reads past the array.
void
G4HEInelastic::MediumEnergyClusterProduction(....)
{
....
G4double alem[] = {1.40, 2.30, 2.70, 3.00, 3.40, 4.60, 7.00};
....
for (j = 1; j < 8; j++) { // alem has 7 entries
if (alekw < alem[j]) {
jmax = j;
break;
}
}
....
}
V557 Array overrun is possible. The value of 'i' index could reach 5. Client (HL2) hud_weaponselection.cpp 632
// Six slots; any per-slot table indexed up to this must have six entries.
#define MAX_WEAPON_SLOTS 6 // hud item selection slots
// xModifiers / yModifiers have four entries, but the loop indexes them
// with i up to MAX_WEAPON_SLOTS - 1 (5). The loop closes outside this
// fragment.
void CHudWeaponSelection::Paint()
{
....
int xModifiers[] = { 0, 1, 0, -1 };
int yModifiers[] = { -1, 0, 1, 0 };
for ( int i = 0; i < MAX_WEAPON_SLOTS; ++i ) // modifier tables have 4 entries
{
....
xPos += ( m_flMediumBoxWide + 5 ) * xModifiers[ i ];
yPos += ( m_flMediumBoxTall + 5 ) * yModifiers[ i ];
....
}
Similar errors can be found in some other places:
V557 Array underrun is possible. The value of 'index' index could reach -1. controls.cpp 491
// Returns the slot in m_TbButtons whose idCommand equals id, or -1 when no
// button carries that command id. Callers must check for -1 before using
// the result as an index.
const int idToIndex(const int id) const
{
    int slot = 0;
    while (slot < NR_BUTTONS) {
        if (m_TbButtons[slot].idCommand == id)
            return slot;
        ++slot;
    }
    return -1;
}
// Eight buttons (indices 0..7); -1 from idToIndex is not a valid index.
TBBUTTON CMenuBar::m_TbButtons[8] = {0};
// idToIndex returns -1 for an unknown id, and only index 3 and index 0 are
// handled before the final else, so m_TbButtons[index] can be read with
// index == -1. A check for index < 0 is needed before the array access.
void CMenuBar::invoke(const int id)
{
const int index = idToIndex(id);
....
if(index == 3 && hContact != 0) {
....
} else if(index == 0) {
....
} else
hMenu = reinterpret_cast<HMENU>(m_TbButtons[index].dwData); // index may be -1
....
}
V557 Array overrun is possible. The '3' index is pointing beyond array bound. somfcolorrgba.cpp 220
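/// Sets element idx from an HSVA tuple by forwarding its four components
/// to the scalar overload.
///
/// @param idx   index of the element to set
/// @param hsva  hue, saturation, value and alpha (four elements)
///
/// Four components are read, so the parameter is declared with four
/// elements; the original [3] declaration made hsva[3] an out-of-bounds
/// access.
void
SoMFColorRGBA::set1HSVValue(int idx, const float hsva[4])
{
  this->set1HSVValue(idx, hsva[0], hsva[1], hsva[2], hsva[3]);
}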
V557 Array overrun is possible. The value of 'curr' index could reach 2. wm5triangles.cpp 365
// locTCoord holds two entries, but curr runs 0..2, so the third iteration
// writes past the array.
void Triangles::UpdateModelTangentsUseTCoords(....)
{
....
Float2 locTCoord[2];
int curr;
for (curr = 0; curr < 3; ++curr) // locTCoord has 2 entries
{
....
locTCoord[curr] = vba.TCoord<Float2>(0, k);
}
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1717
// MAX_EJECTION_SEATS is a count: valid seat indices are 0..9.
enum {
ALL_EJECTION_SEATS = -1,
MAX_EJECTION_SEATS = 10
};
int eseat_status[MAX_EJECTION_SEATS];
// The range check admits which_seat == MAX_EJECTION_SEATS (10), which is
// one past the end of eseat_status; the comparison should be <. The
// function continues outside this fragment.
void
FGControls::set_ejection_seat( int which_seat, bool val )
{
....
if ((which_seat >= 0) && (which_seat <= MAX_EJECTION_SEATS)) // should be <
{
if ( eseat_status[which_seat] == SEAT_SAFED ||
eseat_status[which_seat] == SEAT_FAIL )
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The '8' index is pointing beyond array bound. mjpegenc.c 497
/*
 * Encodes the blocks of one macroblock. In the 4:4:4 path block[8] and
 * block[9] are passed, but block is declared as [6][64], so those two
 * rows lie past the declared extent. The function continues outside this
 * fragment.
 */
void ff_mjpeg_encode_mb(MpegEncContext *s,
int16_t block[6][64])
{
int i;
if (s->chroma_format == CHROMA_444) {
encode_block(s, block[0], 0);
encode_block(s, block[2], 2);
encode_block(s, block[4], 4);
encode_block(s, block[8], 8); /* past the declared 6 rows */
encode_block(s, block[5], 5);
encode_block(s, block[9], 9); /* past the declared 6 rows */
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The '5' index is pointing beyond array bound. dnatfile.c 444
/* Five entries (indices 0..4). */
uns rgwSpare0 [5];
/*
 * Prints the spare words. The first line labels itself "rgwSpare0[0]" but
 * reads rgwSpare0[5], one past the five-element array; it should read
 * rgwSpare0[0].
 */
DumpHeader()
{
....
printUns ("rgwSpare0[0] = ", Fib.rgwSpare0[5], 0, 0, fTrue); /* should be rgwSpare0[0] */
printUns ("rgwSpare0[1] = ", Fib.rgwSpare0[1], 1, 1, fTrue);
printUns ("rgwSpare0[2] = ", Fib.rgwSpare0[2], 0, 0, fTrue);
printUns ("rgwSpare0[3] = ", Fib.rgwSpare0[3], 1, 1, fTrue);
printUns ("rgwSpare0[4] = ", Fib.rgwSpare0[4], 2, 2, fTrue);
....
}
This is what should have been written here: printUns ("rgwSpare0[0] = ", Fib.rgwSpare0[0], 0, 0, fTrue);
V557 Array overrun is possible. The value of 'j' index could reach 4. harfbuzz-arabic.c 516
/* joining_table's second dimension has four entries (0..3). */
static const JoiningPair joining_table[5][4] = { .... };
/* Five values, 0..4; JTransparent (4) is outside joining_table's second dimension. */
typedef enum {
JNone,
JCausing,
JDual,
JRight,
JTransparent
} Joining;
/*
 * Maps an N'Ko code point to its joining class. Code points below the
 * block, and those the ranges below do not assign, are JNone.
 */
static Joining getNkoJoining(unsigned short uc)
{
    Joining result = JNone;

    if (uc < 0x7ca)
        return result;

    if (uc <= 0x7ea)
        result = JDual;
    else if (uc <= 0x7f3)
        result = JTransparent;
    else if (uc == 0x7fa)
        result = JCausing;

    return result;
}
/*
 * getNkoJoining can return JTransparent (4), but joining_table is [5][4],
 * so joining_table[XIsolated][j] reads past the row for transparent
 * characters.
 */
static void getNkoProperties(....)
{
....
Joining j = getNkoJoining(chars[0]);
ArabicShape shape = joining_table[XIsolated][j].form2; /* j may be 4 */
....
}
V557 Array underrun is possible. The value of 'idx' index could reach -1. diff_file.c 1052
/*
 * Maps a datasource to a file index; returns -1 for a datasource the
 * switch does not handle. Callers must check for -1 before indexing.
 */
static int
datasource_to_index(svn_diff_datasource_e datasource)
{
switch (datasource)
{
....
}
return -1;
}
/*
 * idx comes straight from datasource_to_index, which can return -1, and
 * is used to index files without a check; &files[-1] is outside the array.
 */
static svn_error_t *
token_compare(....)
{
....
int idx = datasource_to_index(file_token[i]->datasource);
file[i] = &file_baton->files[idx]; /* idx may be -1 */
....
}
V557 Array overrun is possible. The value of 'idx' index could reach 3. esmtool labels.cpp 502
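/// Returns the human-readable label for a range type index.
///
/// @param idx  zero-based range type (0 = "Self", 1 = "Touch", 2 = "Target")
/// @return the label, or "Invalid" for any index outside the table
std::string rangeTypeLabel(int idx)
{
    static const char* const rangeTypeLabels[] = {
        "Self",
        "Touch",
        "Target"
    };
    // The bound is derived from the table itself; the original `idx <= 3`
    // admitted index 3, one past the end of the three-entry array.
    const int count = static_cast<int>(sizeof(rangeTypeLabels) / sizeof(rangeTypeLabels[0]));
    if (idx >= 0 && idx < count)
        return rangeTypeLabels[idx];
    return "Invalid";
}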
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 153
/* Per-log state stored in openLogTable slots. */
typedef struct LogState {
int fakeFd;
char *debugName;
int isBinary;
....
} LogState;
#define MAX_OPEN_LOGS 16
/* MAX_OPEN_LOGS pointers; sizeof(openLogTable) is the byte size, not 16. */
static LogState *openLogTable[MAX_OPEN_LOGS];
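/*
 * Allocates a LogState in the first free slot of openLogTable.
 * Returns the new entry, or NULL when the table is full or the allocation
 * fails (in which case the slot is left free).
 */
static LogState *createLogState()
{
    size_t i;
    /* sizeof(openLogTable) is the table's size in bytes, not its element
     * count; dividing by the element size keeps i within MAX_OPEN_LOGS. */
    const size_t numSlots = sizeof(openLogTable) / sizeof(openLogTable[0]);
    for (i = 0; i < numSlots; i++) {
        if (openLogTable[i] == NULL) {
            LogState *state = calloc(1, sizeof(LogState));
            if (state == NULL)
                return NULL;
            state->fakeFd = FAKE_FD_BASE + i;
            openLogTable[i] = state;
            return state;
        }
    }
    return NULL;
}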
This is what should have been written here: sizeof(openLogTable) / sizeof(openLogTable[0]).
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'btn' index could reach 52. ccapi_snapshot.c 38
/* MAX_CONFIG_LINES+1 entries; the highest valid index is MAX_CONFIG_LINES. */
cc_string_t lineLabels[MAX_CONFIG_LINES+1] = {0};
/*
 * The range check admits btn == MAX_CONFIG_LINES+1, which is one past the
 * end of lineLabels[MAX_CONFIG_LINES+1]; the upper comparison should be <.
 */
void ccsnap_set_line_label(int btn, cc_string_t label) {
....
if ( btn > 0 && btn <= MAX_CONFIG_LINES+1 ) { /* should be < */
....
if ( lineLabels[btn] == NULL ) {
....
}
....
}
V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 357
#define MAX_CCMS 4
/* Four entries (indices 0..3); ccm[4] below is one past the end. */
ccm_cfg_t ccm[MAX_CCMS];
var_t prot_cfg_table[CFGID_PROTOCOL_MAX+1] = {
....
{"ccmSrstIpAddr", CFGVAR(ccm[4].address), PA_STR, PR_STR, 0}, /* ccm[4] is out of bounds */
{"ccmSrst_sipPort", CFGVAR(ccm[4].sip_port),PA_INT, PR_INT, 0},
{"ccmSrst_isValid", CFGVAR(ccm[4].is_valid),PA_INT, PR_INT, 0},
{"ccmSrst_securityLevel",
CFGVAR(ccm[4].sec_level), PA_INT, PR_INT, 0},
....
};
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of '_vType' index could reach 29. metautils.cxx 239
#define MET_NUM_VALUE_TYPES 29
// 29 rows of 21 characters; valid row indices are 0..28.
const char MET_ValueTypeName[MET_NUM_VALUE_TYPES][21] = { ... };
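/// Copies the textual name of a MET value type into _s.
///
/// @param _vType  value type to name; must be in [0, MET_NUM_VALUE_TYPES)
/// @param _s      destination buffer; rows of MET_ValueTypeName are 21
///                characters, so the caller must provide at least 21 bytes
/// @return true when _vType was valid and the name was copied, else false
bool MET_TypeToString(MET_ValueEnumType _vType, char *_s)
{
  // `<` rather than `<=`: the table has MET_NUM_VALUE_TYPES rows, so the
  // original check let _vType == MET_NUM_VALUE_TYPES read one past the end.
  if(_vType>=0 && _vType<MET_NUM_VALUE_TYPES)
  {
    strcpy(_s, MET_ValueTypeName[_vType]);
    return true;
  }
  return false;
}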
V557 Array overrun is possible. The '8' index is pointing beyond array bound. floppy_ctrl.c 637
/* result holds eight status bytes (indices 0..7). */
typedef struct floppy {
....
uint8 result[8]; /* status of the last finished command */
....
};
/*
 * Dumps the controller result bytes. result now aliases flp->result, which
 * has eight entries, yet result[8] and result[9] are read; the commented
 * out local result[10] was the version that had room for them.
 */
void
floppy_dump_reg(floppy_t *flp) {
....
//uint8 result[10]; // <= This was correct!
uint8 *result = flp->result; // <= Bad fix! :)
....
dprintf(FLO "gap=%d wg=%d eis=%d fifo=%d "
"poll=%d thresh=%d pretrk=%d\n",
(result[7] & 0x02) >> 1, result[7] & 0x01,
(result[8] & 0x40) >> 6, /* result[8] and result[9] are past flp->result[8] */
(result[8] & 0x20) >> 5, (result[8] & 0x10) >> 4,
result[8] & 0x0f, result[9]);
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The 'Physics2DServer::SHAPE_CONVEX_POLYGON' index is pointing beyond array bound. test_physics_2d.cpp 194
// Nine shape types (0..8). SHAPE_CONVEX_POLYGON is 6, which is already
// past the six-element body_shape_data below.
enum ShapeType {
SHAPE_LINE,
SHAPE_RAY,
SHAPE_SEGMENT,
SHAPE_CIRCLE,
SHAPE_RECTANGLE,
SHAPE_CAPSULE,
SHAPE_CONVEX_POLYGON,
SHAPE_CONCAVE_POLYGON,
SHAPE_CUSTOM,
};
BodyShapeData body_shape_data[6]; // indices 0..5 only
// body_shape_data has six entries, so indexing it with
// SHAPE_CONVEX_POLYGON (6) writes one past the end.
void _create_body_shape_data()
{
....
body_shape_data[Physics2DServer::SHAPE_CONVEX_POLYGON].image // index 6 of a 6-element array
=vs->texture_create_from_image(image);
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The '16' index is pointing beyond array bound. winaspi32.c 232
/* SCSI Miscellaneous Stuff */
#define SENSE_LEN 14
/* SenseArea has SENSE_LEN+2 = 16 bytes (indices 0..15). */
typedef struct tagSRB32_ExecSCSICmd {
....
BYTE SenseArea[SENSE_LEN+2];
} SRB_ExecSCSICmd, *PSRB_ExecSCSICmd;
/*
 * Traces the sense data. rqbuf points at the 16-byte SenseArea, so
 * rqbuf[16] and rqbuf[17] are past its end.
 */
static void
ASPI_PrintSenseArea(SRB_ExecSCSICmd *prb)
{
BYTE *rqbuf = prb->SenseArea;
....
if (rqbuf[15]&0x8) {
TRACE("Pointer at %d, bit %d\n",
rqbuf[16]*256+rqbuf[17],rqbuf[15]&0x7); // <= rqbuf[16], rqbuf[17] are past the 16-byte area
}
....
}
V557 Array overrun is possible. The 'NumOutUAVs ++' index is pointing beyond array bound. distancefieldlightingshared.h 388
// Collects up to four UAVs into OutUAVs, which holds only three: when
// CulledObjectBoxBounds is bound the fourth store lands past the end.
template<typename TParamRef>
void UnsetParameters(
FRHICommandList& RHICmdList, const TParamRef& ShaderRHI,
const FDistanceFieldCulledObjectBuffers& ObjectBuffers)
{
....
int32 NumOutUAVs = 0;
FUnorderedAccessViewRHIParamRef OutUAVs[3];
OutUAVs[NumOutUAVs++] = ObjectBuffers......;
OutUAVs[NumOutUAVs++] = ObjectBuffers.Bounds.UAV;
OutUAVs[NumOutUAVs++] = ObjectBuffers.Data.UAV;
if (CulledObjectBoxBounds.IsBound())
{
OutUAVs[NumOutUAVs++] = ObjectBuffers.BoxBounds.UAV; // fourth element of a 3-element array
}
....
}
V557 Array overrun is possible. The value of 'len' index could reach 16384. cavisynth.cpp 129
#define MAX_AVISYNTH_SCRIPT_LENGTH 16384
// Loads a script file into the edit control. fread may return the full
// MAX_AVISYNTH_SCRIPT_LENGTH, and script[len] then writes one past the
// buffer; reading at most MAX_AVISYNTH_SCRIPT_LENGTH - 1 bytes leaves room
// for the terminator.
void TavisynthPage::onLoad(void)
{
char_t scriptflnm[MAX_PATH] = _l("");
if (dlgGetFile(....) {
FILE *f = fopen(scriptflnm, _l("rb"));
if (f) {
char script[MAX_AVISYNTH_SCRIPT_LENGTH];
size_t len =
fread(script, 1, MAX_AVISYNTH_SCRIPT_LENGTH, f); // can fill the whole buffer
fclose(f);
script[len] = '\0'; // len == 16384 writes past script
setDlgItemText(m_hwnd, IDC_ED_AVISYNTH,
text<char_t>(script));
}
parent->setChange();
}
}
V557 Array overrun is possible. The value of 'i' index could reach 8. rl.cpp 2375
enum TestInfoKind::_TIK_COUNT = 9
// Eight entries (indices 0..7) although _TIK_COUNT is 9; a loop bounded
// by _TIK_COUNT reads TestInfoEnvLstFmt[8] past the end.
const char * const TestInfoEnvLstFmt[] =
{
" TESTFILE=\"%s\"",
" BASELINE=\"%s\"",
" CFLAGS=\"%s\"",
" LFLAGS=\"%s\"",
NULL,
NULL,
NULL,
NULL // <= TestInfoEnvLstFmt[7]
};
// Emits the per-kind environment lines. The loop runs i < _TIK_COUNT (9),
// but TestInfoEnvLstFmt has eight entries, so the last iteration reads
// past the table.
void
WriteEnvLst
(
Test * pDir, TestList * pTestList
)
{
....
// print the other TIK_*
for(int i=0;i < _TIK_COUNT; i++) { // table has 8 entries
if (variants->testInfo.data[i] && TestInfoEnvLstFmt[i]){// <=
LstFilesOut->Add(TestInfoEnvLstFmt[i], // <=
variants->testInfo.data[i]);
}
....
}
....
}
V557 Array overrun is possible. The '2' index is pointing beyond array bound. if_spppsubr.c 4348
#define AUTHKEYLEN 16
/* challenge is AUTHKEYLEN (16) bytes: four 32-bit words or two 64-bit ones. */
struct sauth {
u_short proto;
u_short flags;
#define AUTHFLAG_NOCALLOUT 1
#define AUTHFLAG_NORECHALLENGE 2
u_char name[AUTHNAMELEN];
u_char secret[AUTHKEYLEN];
u_char challenge[AUTHKEYLEN];
};
/*
 * Fills the 16-byte CHAP challenge through a u_long view. The four stores
 * assume a 4-byte u_long; where u_long is 8 bytes (64-bit kernel) ch[2]
 * and ch[3] write past the 16-byte challenge. A fixed-width type sized
 * from AUTHKEYLEN would remove the dependency on u_long's width.
 * NOTE(review): the challenge mixes read_random() output with random();
 * confirm random() gives the unpredictability a CHAP challenge needs.
 */
static void
sppp_chap_scr(struct sppp *sp)
{
u_long *ch, seed;
u_char clen;
/* Compute random challenge. */
ch = (u_long *)sp->myauth.challenge;
read_random(&seed, sizeof seed);
ch[0] = seed ^ random();
ch[1] = seed ^ random();
ch[2] = seed ^ random(); // <= past the 16 bytes when sizeof(u_long) == 8
ch[3] = seed ^ random(); // <= same
clen = AUTHKEYLEN;
....
}
If the 64-bit kernel is compiled, accessing ch[2] and ch[3] goes beyond the array bounds. Details: http://www.viva64.com/en/b/0377/
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'i + 1' index could reach 21. gtkcssselector.c 1219
/* Element count of a fixed-size array. */
#define G_N_ELEMENTS(arr) (sizeof (arr) / sizeof ((arr)[0]))
/*
 * Looks up a pseudo-class by name. Inside the loop pseudo_classes[i + 1]
 * is read; on the last iteration (i == G_N_ELEMENTS - 1) that is one past
 * the end of the table. The access needs an i + 1 < G_N_ELEMENTS guard.
 */
static GtkCssSelector *
parse_selector_pseudo_class (....)
{
static const struct {
....
} pseudo_classes[] = {
{ "first-child", 0, 0, POSITION_FORWARD, 0, 1 },
....
{ "drop(active)", 0, GTK_STATE_FLAG_DROP_ACTIVE, }
};
guint i;
....
for (i = 0; i < G_N_ELEMENTS (pseudo_classes); i++)
{
....
{
if (pseudo_classes[i + 1].state_flag == /* i + 1 is past the end on the last iteration */
pseudo_classes[i].state_flag)
_gtk_css_parser_error_full (parser,
GTK_CSS_PROVIDER_ERROR_DEPRECATED,
"The :%s pseudo-class is deprecated. Use :%s instead.",
pseudo_classes[i].name,
pseudo_classes[i + 1].name);
....
}
....
}
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The '9' index is pointing beyond array bound. tconvolve.cpp 123
// Applies nine weights to nine sampled pixels. val is filled at indices
// 0..8, but the weighted sums read val[1]..val[9], so val[9] is past the
// end and val[0] is never used; either the sums should use val[0]..val[8]
// with the matching weights or val needs a tenth element — the fragment
// does not settle which.
template <class PIXOUT>
void doConvolve_cm32_row_9_i(....)
{
TPixel32 val[9]; // <=
....
for (int i = 0; i < 9; ++i) { // <= OK
....
else if (tone == 0)
val[i] = inks[ink];
else
val[i] = blend(....);
}
pixout->r = (typename PIXOUT::Channel)((
val[1].r * w1 + val[2].r * w2 + val[3].r * w3 +
val[4].r * w4 + val[5].r * w5 + val[6].r * w6 +
val[7].r * w7 + val[8].r * w8 + val[9].r * w9 + // <= ERR
(1 << 15)) >> 16);
pixout->g = (typename PIXOUT::Channel)((
val[1].g * w1 + val[2].g * w2 + val[3].g * w3 +
val[4].g * w4 + val[5].g * w5 + val[6].g * w6 +
val[7].g * w7 + val[8].g * w8 + val[9].g * w9 + // <= ERR
(1 << 15)) >> 16);
pixout->b = (typename PIXOUT::Channel)((
val[1].b * w1 + val[2].b * w2 + val[3].b * w3 +
val[4].b * w4 + val[5].b * w5 + val[6].b * w6 +
val[7].b * w7 + val[8].b * w8 + val[9].b * w9 + // <= ERR
(1 << 15)) >> 16);
pixout->m = (typename PIXOUT::Channel)((
val[1].m * w1 + val[2].m * w2 + val[3].m * w3 +
val[4].m * w4 + val[5].m * w5 + val[6].m * w6 +
val[7].m * w7 + val[8].m * w8 + val[9].m * w9 + // <= ERR
(1 << 15)) >> 16);
....
}
V557 Array overrun is possible. The value of 'prefixLen ++' index could reach 124. restore.cpp 10040
// Name length; temp below is sized at GDS_NAME_LEN * 2 = 64 bytes.
const int GDS_NAME_LEN = 32;
....
// Builds "<package>." into temp. temp has GDS_NAME_LEN * 2 = 64 bytes, but
// the package name field isc_874 is 125 bytes, so prefixLen can reach 124:
// the memcpy then overflows temp and temp[prefixLen++] writes past it too.
// The copy length must be bounded by sizeof(temp) (leaving room for the
// '.' and any terminator), or temp sized to the field.
bool get_function(BurpGlobals* tdgbl)
{
....
struct isc_844_struct {
....
short isc_870; /* gds__null_flag */
....
char isc_874 [125]; /* RDB$PACKAGE_NAME */
....
} isc_844;
att_type attribute;
TEXT temp[GDS_NAME_LEN * 2];
....
SSHORT prefixLen = 0;
if (!/*X.RDB$PACKAGE_NAME.NULL*/
isc_844.isc_870)
{
prefixLen = static_cast<SSHORT>(strlen(/*X.RDB$PACKAGE_NAME*/
isc_844.isc_874)); // up to 124
memcpy(temp, /*X.RDB$PACKAGE_NAME*/
isc_844.isc_874, prefixLen); // temp holds 64 bytes
temp[prefixLen++] = '.'; // index can reach 124
}
....
}
V557 Array overrun is possible. The value of 'dwCode - 1' index could reach 8. cordbdi rsmain.cpp 67
// Names a debug event code in 1..9. The entry for code 8 is missing its
// trailing comma, so it and the "(9)" literal concatenate into one string:
// the table has eight entries, and dwCode == 9 reads szNames[8] past the
// end. Restoring the comma after the "(8) ..." literal fixes both.
const char * GetDebugCodeName(DWORD dwCode)
{
if (dwCode < 1 || dwCode > 9)
{
return "!Invalid Debug Event Code!";
}
static const char * const szNames[] = {
"(1) EXCEPTION_DEBUG_EVENT",
"(2) CREATE_THREAD_DEBUG_EVENT",
....
"(8) OUTPUT_DEBUG_STRING_EVENT" // <= missing comma: merges with the next literal
"(9) RIP_EVENT",// only on Win9X
};
return szNames[dwCode - 1]; // dwCode == 9 indexes past the 8-entry table
}
V557 Array overrun is possible. The value of 'ridx' index could reach 27. r88e_chan.c 115
#define R88E_GROUP_2G 6
#define RTWN_RIDX_OFDM6 4
#define RTWN_RIDX_COUNT 28
/* pwr rows hold 20 entries (indices 0..19), fewer than RTWN_RIDX_COUNT. */
struct rtwn_r88e_txagc {
uint8_t pwr[R88E_GROUP_2G][20]; /* RTWN_RIDX_MCS(7) + 1 */
};
void
r88e_get_txpower(struct rtwn_softc *sc, int chain,
struct ieee80211_channel *c, uint16_t power[RTWN_RIDX_COUNT])
{
const struct rtwn_r88e_txagc *base = rs->rs_txagc;
....
for (ridx = RTWN_RIDX_OFDM6; ridx < RTWN_RIDX_COUNT; ridx++) {
if (rs->regulatory == 3)
power[ridx] = base->pwr[0][ridx];
else if (rs->regulatory == 1) {
if (!IEEE80211_IS_CHAN_HT40(c))
power[ridx] = base->pwr[group][ridx];
} else if (rs->regulatory != 2)
power[ridx] = base->pwr[0][ridx];
}
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'cidx' index could reach 4. staff.cpp 1029
ClefTypeList clefTypes[MAX_STAVES];
int staffLines[MAX_STAVES];
BracketType bracket[MAX_STAVES];
int bracketSpan[MAX_STAVES];
int barlineSpan[MAX_STAVES];
bool smallStaff[MAX_STAVES];
void Staff::init(...., const StaffType* staffType, int cidx)
{
if (cidx > MAX_STAVES) { // <=
setSmall(0, false);
}
else {
setSmall(0, t->smallStaff[cidx]);
setBracketType(0, t->bracket[cidx]);
setBracketSpan(0, t->bracketSpan[cidx]);
setBarLineSpan(t->barlineSpan[cidx]);
}
....
}
V557 Array overrun is possible. The value of 'i' index could reach 59. inspectorAmbitus.cpp 70
class NoteHead : public Symbol {
....
public:
enum class Group : signed char {
HEAD_NORMAL = 0,
HEAD_CROSS,
HEAD_PLUS,
....
HEAD_GROUPS, // <= 59
HEAD_INVALID = -1
};
....
}
InspectorAmbitus::InspectorAmbitus(QWidget* parent)
: InspectorElementBase(parent)
{
r.setupUi(addWidget());
s.setupUi(addWidget());
static const NoteHead::Group heads[] = {
NoteHead::Group::HEAD_NORMAL,
NoteHead::Group::HEAD_CROSS,
NoteHead::Group::HEAD_DIAMOND,
NoteHead::Group::HEAD_TRIANGLE_DOWN,
NoteHead::Group::HEAD_SLASH,
NoteHead::Group::HEAD_XCIRCLE,
NoteHead::Group::HEAD_DO,
NoteHead::Group::HEAD_RE,
NoteHead::Group::HEAD_MI,
NoteHead::Group::HEAD_FA,
NoteHead::Group::HEAD_SOL,
NoteHead::Group::HEAD_LA,
NoteHead::Group::HEAD_TI,
NoteHead::Group::HEAD_BREVIS_ALT
};
....
for (int i = 0; i < int(NoteHead::Group::HEAD_GROUPS); ++i)
r.noteHeadGroup->setItemData(i, int(heads[i]));//out of bound
....
}
V557 Array overrun is possible. The value of 'submaster' index could reach 64. SequencerDataBlock.cpp 325
#define SEQUENCER_DATABLOCK_MAX_NB_SUBMASTERS 64
class SequencerDataBlock
{
....
protected:
int m_submasterLevelUpdateIndices[64];
....
}
bool
SequencerDataBlock::getSubmasterLevel(int submaster, ....) const
{
....int lastUpdateIndex[SEQUENCER_DATABLOCK_MAX_NB_SUBMASTERS];
if (submaster < 0 ||
submaster > SEQUENCER_DATABLOCK_MAX_NB_SUBMASTERS) {
info.level = info.levelRight = 0;
return false;
}
int currentUpdateIndex=m_submasterLevelUpdateIndices[submaster];
info = m_submasterLevels[submaster];
if (lastUpdateIndex[submaster] != currentUpdateIndex) {
lastUpdateIndex[submaster] = currentUpdateIndex;
return true;
} else {
return false; // no change
}
}
Similar errors can be found in some other places:
V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 931
#define VP9_LEVELS 14
extern const Vp9LevelSpec vp9_level_defs[VP9_LEVELS];
typedef enum {
....
LEVEL_MAX = 255
} VP9_LEVEL;
static INLINE int log_tile_cols_from_picsize_level(
uint32_t width, uint32_t height)
{
int i;
const uint32_t pic_size = width * height;
const uint32_t pic_breadth = VPXMAX(width, height);
for (i = LEVEL_1; i < LEVEL_MAX; ++i) {
if (vp9_level_defs[i].max_luma_picture_size >= pic_size &&
vp9_level_defs[i].max_luma_picture_breadth >= pic_breadth)
{
return get_msb(vp9_level_defs[i].max_col_tiles);
}
}
return INT_MAX;
}
Apparently, the wrong constant is used: the array has 14 elements, but the loop index can reach 254. The loop was probably meant to be: for (i = LEVEL_1; i < VP9_LEVELS; ++i) {
Similar errors can be found in some other places:
V557 CWE-125 Array overrun is possible. The value of 'stateno' index could reach 992. sqlite3.c 138802
static const short yy_shift_ofst[] = {
/* 0 */ 355, 888, 1021, 909, 1063, 1063, 1063, 1063, 20, -19,
....
/* 450 */ 1440, 1443, 1538, 1542, 1562,
}
#define YY_SHIFT_COUNT (454)
#define YY_MIN_REDUCE 993
static unsigned int yy_find_shift_action(....)
{
int i;
int stateno = pParser->yytos->stateno;
if( stateno>=YY_MIN_REDUCE ) return stateno; // <=
assert( stateno <= YY_SHIFT_COUNT );
do {
i = yy_shift_ofst[stateno]; // <=
....
}
The yy_shift_ofst array has 455 elements, but the only protection in the function is the early return for stateno >= YY_MIN_REDUCE (993); every smaller stateno is used as an index into the array. Something is clearly wrong here. The assert below is correct, but it is compiled out in the Release build and will not help there.
V557 CWE-787 Array overrun is possible. The value of 'length - 1' index could reach 23. necp_client.c 1460
#define IFNAMSIZ 16
#define IFXNAMSIZ (IFNAMSIZ + 8)
#define NECP_MAX_PARSED_PARAMETERS 16
struct necp_client_parsed_parameters {
....
char prohibited_interfaces[IFXNAMSIZ]
[NECP_MAX_PARSED_PARAMETERS];
....
};
static int
necp_client_parse_parameters(....,
struct necp_client_parsed_parameters *parsed_parameters)
{
....
u_int32_t length = ....;
....
if (length <= IFXNAMSIZ && length > 0) {
memcpy(parsed_parameters->prohibited_interfaces[
num_prohibited_interfaces],
value, length);
parsed_parameters->prohibited_interfaces[
num_prohibited_interfaces][length - 1] = 0;
....
}
Most likely, the array was declared incorrectly and it should be written as follows: char prohibited_interfaces[NECP_MAX_PARSED_PARAMETERS][IFXNAMSIZ];
V557 CWE-119 Array overrun is possible. The value of 'idx' index could reach 6. btif_hf.cc 277
static btif_hf_cb_t btif_hf_cb[BTA_AG_MAX_NUM_CLIENTS];
// Returns true when the client slot for bd_addr is in the SLC-connected state.
// Returns false for a null address or for an index outside the btif_hf_cb table.
static bool IsSlcConnected(RawAddress* bd_addr) {
if (!bd_addr) {
LOG(WARNING) << __func__ << ": bd_addr is null";
return false;
}
int idx = btif_hf_idx_by_bdaddr(bd_addr);
// BUG: btif_hf_cb has BTA_AG_MAX_NUM_CLIENTS elements, so the valid indices
// are 0 .. BTA_AG_MAX_NUM_CLIENTS-1. The '>' comparison lets
// idx == BTA_AG_MAX_NUM_CLIENTS through, and the read below then touches the
// element one past the end. The guard should be 'idx >= BTA_AG_MAX_NUM_CLIENTS'.
if (idx < 0 || idx > BTA_AG_MAX_NUM_CLIENTS) {
LOG(WARNING) << __func__ << ": invalid index "
<< idx << " for " << *bd_addr;
return false;
}
return btif_hf_cb[idx].state ==
BTHF_CONNECTION_STATE_SLC_CONNECTED;
}
Similar errors can be found in some other places:
V557 CWE-119 Array overrun is possible. The 'id' index is pointing beyond array bound. gameobjectsystem.cpp 113
// Returns the serialization priority of extension 'id', or 0xffffffff (the
// lowest priority) when the id is out of range.
uint32 CGameObjectSystem::GetExtensionSerializationPriority(....)
{
// BUG: '>' admits id == m_extensionInfo.size(), but the last valid index is
// size()-1, so the subscript in the else branch reads one past the end.
// The check should be 'id >= m_extensionInfo.size()'.
if (id > m_extensionInfo.size())
{
return 0xffffffff; // minimum possible priority
}
else
{
return m_extensionInfo[id].serializationPriority;
}
}
V557 CWE-119 Array overrun is possible. The 'index' index is pointing beyond array bound. vehicleseatgroup.cpp 73
// Returns the seat at 'index', or NULL when the index is out of range.
CVehicleSeat* CVehicleSeatGroup::GetSeatByIndex(unsigned index)
{
// BUG: 'index >= 0' is always true for an unsigned parameter, and '<='
// admits index == m_seats.size(), one past the last valid element.
// The condition should simply be 'index < m_seats.size()'.
if (index >= 0 && index <= m_seats.size())
{
return m_seats[index];
}
return NULL;
}
Similar errors can be found in some other places:
V557 CWE-125 Array overrun is possible. The value of 'i' index could reach 9. input_default.cpp 1119
enum JoystickList {
....
JOY_AXIS_MAX = 10,
....
};
static const char *_axes[] = {
"Left Stick X",
"Left Stick Y",
"Right Stick X",
"Right Stick Y",
"",
"",
"L2",
"R2"
};
// Looks up the joystick axis index whose name equals p_axis; fails with -1
// when no name matches.
int InputDefault::get_joy_axis_index_from_string(String p_axis) {
// BUG: _axes above has 8 initializers, but the loop runs up to
// JOY_AXIS_MAX (10). When nothing matches, i == 8 and i == 9 read past the
// end of _axes. Either bound the loop by the table's own length
// (sizeof(_axes) / sizeof(_axes[0])) or extend the table to JOY_AXIS_MAX entries.
for (int i = 0; i < JOY_AXIS_MAX; i++) {
if (p_axis == _axes[i]) {
return i;
}
}
ERR_FAIL_V(-1);
}
V557 Array overrun is possible. The 'row' index is pointing beyond array bound. aln_reader.cpp 412
bool CAlnReader::x_IsGap(TNumrow row, TSeqPos pos, const string& residue)
{
if (m_MiddleSections.size() == 0) {
x_CalculateMiddleSections();
}
if (row > m_MiddleSections.size()) {
return false;
}
if (pos < m_MiddleSections[row].first) {
....
}
....
}
if (row >= m_MiddleSections.size()) {
return false;
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The 'nPageNum' index is pointing beyond array bound. pptx-epptooxml.cxx 1168
void PowerPointExport::ImplWriteNotes(sal_uInt32 nPageNum)
{
....
// add slide implicit relation to notes
if (mpSlidesFSArray.size() >= nPageNum)
addRelation(mpSlidesFSArray[ nPageNum ]->getOutputStream(),
oox::getRelationship(Relationship::NOTESSLIDE),
OUStringBuffer()
.append("../notesSlides/notesSlide")
.append(static_cast<sal_Int32>(nPageNum) + 1)
.append(".xml")
.makeStringAndClear());
....
}
V557 Array overrun is possible. The 'mnSelectedMenu' index is pointing beyond array bound. checklistmenu.cxx 826
// Hides the submenu of the selected item (if any is visible) and ends popup mode.
void ScMenuFloatingWindow::ensureSubMenuNotVisible()
{
// BUG: '<=' admits mnSelectedMenu == maMenuItems.size(), so the subscripts
// in the same condition read one past the end. The comparison should be
// 'mnSelectedMenu < maMenuItems.size()'.
if (mnSelectedMenu <= maMenuItems.size() &&
maMenuItems[mnSelectedMenu].mpSubMenuWin &&
maMenuItems[mnSelectedMenu].mpSubMenuWin->IsVisible())
{
maMenuItems[mnSelectedMenu].mpSubMenuWin->ensureSubMenuNotVisible();
}
EndPopupMode();
}
V557 Array overrun is possible. The 'nXFIndex' index is pointing beyond array bound. xestyle.cxx 2613
// Returns the XML style index stored for XF record nXFIndex, or 0 when the
// index is out of range.
sal_Int32 XclExpXFBuffer::GetXmlStyleIndex( sal_uInt32 nXFIndex ) const
{
// BUG: the assertion says '<' but the runtime guard says '>'; they disagree
// exactly at nXFIndex == maStyleIndexes.size(), which the guard lets through
// and which OSL_ENSURE does not catch in non-debug builds. The guard should
// be 'nXFIndex >= maStyleIndexes.size()' to match the assertion.
OSL_ENSURE( nXFIndex < maStyleIndexes.size(), "...." );
if( nXFIndex > maStyleIndexes.size() )
return 0; // should be caught/debugged via above assert;
return maStyleIndexes[ nXFIndex ];
}
V557 Array overrun is possible. The value of 'event->EventHandlerCount' index could reach 32. PubSub.c 117
#define MAX_EVENT_HANDLERS 32
struct _wEventType
{
....
int EventHandlerCount;
pEventHandler EventHandlers[MAX_EVENT_HANDLERS];
};
int PubSub_Subscribe(wPubSub* pubSub, const char* EventName,
pEventHandler EventHandler)
{
....
if (event->EventHandlerCount <= MAX_EVENT_HANDLERS)
{
event->EventHandlers[event->EventHandlerCount] = EventHandler;
event->EventHandlerCount++;
}
....
}
Similar errors can be found in some other places:
V557 Array underrun is possible. The value of 'n' index could reach -1. rdesktop.c 1872
RD_BOOL
subprocess(char *const argv[], str_handle_lines_t linehandler, void *data)
{
int n = 1;
char output[256];
....
while (n > 0)
{
n = read(fd[0], output, 255);
output[n] = '\0'; // <=
str_handle_lines(output, &rest, linehandler, data);
}
....
}
V557 Array overrun is possible. The value of 'i - 8' index could reach 129. genkeymap.c 142
// evdev-map.c
int xfree86_to_evdev[137-8+1] = {
....
};
// genkeymap.c
extern int xfree86_to_evdev[137-8];
int main(int argc, char **argv)
{
....
for (i = 8; i <= 137; i++) /* Keycodes */
{
if (is_evdev)
e.keycode = xfree86_to_evdev[i-8];
....
}
....
}
V557 Array overrun is possible. The 'BT_SCO' index is pointing beyond array bound. h2upper.cpp 75
struct bt_usb_dev {
....
struct list nbuffersTx[(1 + 1 + 0 + 0)]; // <= [0..1]
....
}
typedef enum {
BT_COMMAND = 0,
BT_EVENT,
BT_ACL,
BT_SCO, // <= 3
BT_ESCO,
HCI_NUM_PACKET_TYPES
} bt_packet_t;
void
sched_tx_processing(bt_usb_dev* bdev)
{
....
if (!list_is_empty(&bdev->nbuffersTx[BT_SCO])) { // <= fail
// TODO to be implemented
}
....
}
V557 Array overrun is possible. The 'ieee80211_send_setup' function processes value '16'. Inspect the fourth argument. Check lines: 842, 911. ieee80211_output.c 842
struct ieee80211_node {
....
struct ieee80211_tx_ampdu ni_tx_ampdu[16]; // <= [0..15]
....
};
#define IEEE80211_NONQOS_TID 16
int
ieee80211_mgmt_output(....)
{
....
ieee80211_send_setup(ni, m,
IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID, // <= 16
vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid);
....
}
void
ieee80211_send_setup(
struct ieee80211_node *ni,
struct mbuf *m,
int type,
int tid, // <= 16
....)
{
....
tap = &ni->ni_tx_ampdu[tid]; // <= 16
....
}
V557 Array overrun is possible. The value of 'nFormatLength' index could reach 16. EASprintfOrdered.cpp 246
static const int kSpanFormatCapacity = 16;
struct Span8
{
....
char mFormat[kSpanFormatCapacity];
....
};
static int OVprintfCore(....)
{
....
EA_ASSERT(nFormatLength < kSpanFormatCapacity);
if(nFormatLength < kSpanFormatCapacity)
spans[spanIndex].mFormat[nFormatLength++] = *p; // <=
else
return -1;
switch(*p)
{
case 'b': case 'd': case 'i': case 'u': case 'o': case 'x': case 'X':
case 'g': case 'G': case 'e': case 'E': case 'f': case 'F': case 'a':
case 'A': case 'p': case 'c': case 'C': case 's': case 'S': case 'n':
{
// Finalize the current span.
spans[spanIndex].mpEnd = p + 1;
spans[spanIndex].mFormat[nFormatLength] = 0; // <=
spans[spanIndex].mFormatChar = *p;
if(++spanIndex == kSpanCapacity)
break;
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'dofIndex + dof' index could reach 130. PhysicsClientC_API.cpp 968
#define MAX_DEGREE_OF_FREEDOM 128
double m_desiredState[MAX_DEGREE_OF_FREEDOM];
B3_SHARED_API int b3JointControl(int dofIndex,
double* forces,
int dofCount, ....)
{
....
if ( (dofIndex >= 0)
&& (dofIndex < MAX_DEGREE_OF_FREEDOM )
&& dofCount >= 0
&& dofCount <= 4)
{
for (int dof = 0; dof < dofCount; dof++)
{
command->m_sendState.m_desiredState[dofIndex+dof] = forces[dof];
....
}
}
....
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2749
static int64_t
expand(struct archive_read *a, int64_t end)
{
....
if ((lensymbol = read_next_symbol(a, &rar->lengthcode)) < 0)
goto bad_data;
if (lensymbol > (int)(sizeof(lengthbases)/sizeof(lengthbases[0])))
goto bad_data;
if (lensymbol > (int)(sizeof(lengthbits)/sizeof(lengthbits[0])))
goto bad_data;
len = lengthbases[lensymbol] + 2;
if (lengthbits[lensymbol] > 0) {
if (!rar_br_read_ahead(a, br, lengthbits[lensymbol]))
goto truncated_data;
len += rar_br_bits(br, lengthbits[lensymbol]);
rar_br_consume(br, lengthbits[lensymbol]);
}
....
}
Similar errors can be found in some other places:
V557 [CWE-119] Array overrun is possible. The value of 'i' index could reach 49. p_switch.c 123
#define MAXSWITCHES 50
void P_InitSwitchList(void)
{
....
for (int index = 0, i = 0; i < MAXSWITCHES; i++)
{
if (!alphSwitchList[i].episode)
{
....
break;
}
if (alphSwitchList[i].episode <= episode)
{
.... = R_TextureNumForName(alphSwitchList[i].name1);
.... = R_TextureNumForName(alphSwitchList[i].name2);
}
}
....
}
switchlist_t alphSwitchList[] =
{
{"SW1BRCOM", "SW2BRCOM", 1},
....
{"\0", "\0", 0}
};
V557 [CWE-628] Array overrun is possible. The 'F_DrawPatchCol' function processes value '[0..319]'. Inspect the third argument. Check lines: 621, 668. f_finale.c 621
#define SCREENWIDTH 320
void F_BunnyScroll (void)
{
int scrolled;
....
scrolled = ....;
if (scrolled > 320)
scrolled = 320;
if (scrolled < 0)
scrolled = 0;
for (x=0; x<SCREENWIDTH; x++)
{
if (x+scrolled < 320)
F_DrawPatchCol (...., x+scrolled);
else
F_DrawPatchCol (...., x+scrolled - 320);
}
....
}
void F_DrawPatchCol (...., int col)
{
column_t *column;
....
column = .... + LONG(patch->columnofs[col]));
....
}
typedef struct
{
....
int columnofs[8];
} patch_t;
Similar errors can be found in some other places:
V557 Array overrun is possible. The 'idx' index is pointing beyond array bound. PlayerCoreFactory.cpp:240
std::vector<CPlayerCoreConfig *> m_vecPlayerConfigs;
// Reports whether the named player core is configured to play video.
// Returns false when no configs are registered or the name is unknown.
bool CPlayerCoreFactory::PlaysVideo(const std::string& player) const
{
CSingleLock lock(m_section);
size_t idx = GetPlayerIndex(player);
// BUG: '>' admits idx == m_vecPlayerConfigs.size(), one past the last
// element, and the dereference below then follows a pointer read out of
// bounds. The guard should be 'idx >= m_vecPlayerConfigs.size()' (which also
// covers the empty() case on its own).
if (m_vecPlayerConfigs.empty() || idx > m_vecPlayerConfigs.size())
return false;
return m_vecPlayerConfigs[idx]->m_bPlaysVideo;
}
V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 130
// Sets the value of variable 'ivar'; returns false when the index is out of range.
bool BasicMinimizer::SetVariableValue(unsigned int ivar, double val) {
// BUG: '>' admits ivar == fValues.size(), so the assignment below is an
// out-of-bounds *write*. The check should be 'ivar >= fValues.size()'.
if (ivar > fValues.size() ) return false;
fValues[ivar] = val;
return true;
}
Similar errors can be found in some other places:
V557 Array overrun is possible. The '9' index is pointing beyond array bound. FOOT.CPP 232
#define CONQUER_PATH_MAX 9 // Number of cells to look ahead for movement.
FacingType Path[CONQUER_PATH_MAX];
void FootClass::Debug_Dump(MonoClass *mono) const
{
....
if (What_Am_I() != RTTI_AIRCRAFT) {
mono->Set_Cursor(50, 3);
mono->Printf("%s%s%s%s%s%s%s%s%s%s%s%s",
Path_To_String(Path[0]),
Path_To_String(Path[1]),
Path_To_String(Path[2]),
Path_To_String(Path[3]),
Path_To_String(Path[4]),
Path_To_String(Path[5]),
Path_To_String(Path[6]),
Path_To_String(Path[7]),
Path_To_String(Path[8]),
Path_To_String(Path[9]),
Path_To_String(Path[10]),
Path_To_String(Path[11]),
Path_To_String(Path[12]));
....
}
....
}
Similar errors can be found in some other places:
V557 Array underrun is possible. The value of '_SpillTable[index]' index could reach -1. COORD.CPP 149
typedef enum FacingType : char {
....
FACING_COUNT, // 8
FACING_FIRST=0
} FacingType;
short const * Coord_Spillage_List(COORDINATE coord, int maxsize)
{
static short const _MoveSpillage[(int)FACING_COUNT+1][5] = {
....
};
static char const _SpillTable[16] = {8,6,2,-1,0,7,1,-1,4,5,3,-1,-1,-1,-1,-1};
....
return(&_MoveSpillage[_SpillTable[index]][0]);
....
}
V557 Array overrun is possible. The 'QuantityB' function processes value '[0..86]'. Inspect the first argument. Check lines: 'HOUSE.H:928', 'CELL.CPP:2337'. HOUSE.H 928
typedef enum StructType : char {
STRUCT_NONE=-1,
....
STRUCT_COUNT, // <= 87
STRUCT_FIRST=0
} StructType;
int BQuantity[STRUCT_COUNT-3]; // <= [0..83]
int QuantityB(int index) {return(BQuantity[index]);} // <= [0..86]
bool CellClass::Goodie_Check(FootClass * object)
{
....
int bcount = 0;
for( j=0; j < STRUCT_COUNT; j++) {
bcount += hptr->QuantityB(j); // <= [0..86]
}
....
}
V557 Array overrun is possible. The 'dwc2_glbreg_read' function processes value '[0..63]'. Inspect the third argument. Check lines: 667, 1040. hcd-dwc2.c 667
#define HSOTG_REG(x) (x)
....
struct DWC2State {
....
#define DWC2_GLBREG_SIZE 0x70
uint32_t glbreg[DWC2_GLBREG_SIZE / sizeof(uint32_t)];
....
}
....
static uint64_t dwc2_glbreg_read(void *ptr, hwaddr addr, int index,
unsigned size)
{
....
val = s->glbreg[index];
....
}
static uint64_t dwc2_hsotg_read(void *ptr, hwaddr addr, unsigned size)
{
....
switch (addr) {
case HSOTG_REG(0x000) ... HSOTG_REG(0x0fc):
val = dwc2_glbreg_read(ptr, addr,
(addr - HSOTG_REG(0x000)) >> 2, size);
....
}
....
}
V557 Array overrun is possible. The 'Index' index is pointing beyond array bound. ASTReader.cpp 7318
std::vector<Decl *> DeclsLoaded;
SourceLocation ASTReader::getSourceLocationForDeclID(GlobalDeclID ID) {
....
unsigned Index = ID - NUM_PREDEF_DECL_IDS;
if (Index > DeclsLoaded.size()) {
Error("declaration ID out-of-range for AST file");
return SourceLocation();
}
if (Decl *D = DeclsLoaded[Index])
return D->getLocation();
....
}
V557 Array overrun is possible. The value of 'other_if' index could reach 3. mdns.c 2206
typedef enum mdns_if_internal {
MDNS_IF_STA = 0,
MDNS_IF_AP = 1,
MDNS_IF_ETH = 2,
MDNS_IF_MAX
} mdns_if_t;
typedef struct mdns_server_s {
struct {
mdns_pcb_t pcbs[MDNS_IP_PROTOCOL_MAX];
} interfaces[MDNS_IF_MAX];
const char * hostname;
const char * instance;
mdns_srv_item_t * services;
SemaphoreHandle_t lock;
QueueHandle_t action_queue;
mdns_tx_packet_t * tx_queue_head;
mdns_search_once_t * search_once;
esp_timer_handle_t timer_handle;
} mdns_server_t;
mdns_server_t * _mdns_server = NULL;
/* Returns the interface paired with tcpip_if (STA <-> ETH). For any other
 * input, including MDNS_IF_AP, it returns MDNS_IF_MAX as a "none" sentinel.
 * MDNS_IF_MAX is one past the last valid index of interfaces[], so callers
 * must test for it before using the result as an index. */
static mdns_if_t _mdns_get_other_if (mdns_if_t tcpip_if)
{
if (tcpip_if == MDNS_IF_STA) {
return MDNS_IF_ETH;
} else if (tcpip_if == MDNS_IF_ETH) {
return MDNS_IF_STA;
}
return MDNS_IF_MAX;
}
static void _mdns_dup_interface(mdns_if_t tcpip_if)
{
uint8_t i;
mdns_if_t other_if = _mdns_get_other_if (tcpip_if);
for (i=0; i<MDNS_IP_PROTOCOL_MAX; i++) {
if (_mdns_server->interfaces[other_if].pcbs[i].pcb) {
....
}
}
}
V557 Array overrun is possible. The '_mdns_announce_pcb' function processes value '[0..3]'. Inspect the first argument. Check lines: 1674, 2213. mdns.c 1674
typedef enum mdns_if_internal {
MDNS_IF_STA = 0,
MDNS_IF_AP = 1,
MDNS_IF_ETH = 2,
MDNS_IF_MAX
} mdns_if_t;
typedef struct mdns_server_s {
struct {
mdns_pcb_t pcbs[MDNS_IP_PROTOCOL_MAX];
} interfaces[MDNS_IF_MAX];
const char * hostname;
const char * instance;
mdns_srv_item_t * services;
SemaphoreHandle_t lock;
QueueHandle_t action_queue;
mdns_tx_packet_t * tx_queue_head;
mdns_search_once_t * search_once;
esp_timer_handle_t timer_handle;
} mdns_server_t;
mdns_server_t * _mdns_server = NULL;
static void _mdns_announce_pcb(mdns_if_t tcpip_if,
mdns_ip_protocol_t ip_protocol,
mdns_srv_item_t ** services,
size_t len, bool include_ip)
{
mdns_pcb_t * _pcb = &_mdns_server->interfaces[tcpip_if].pcbs[ip_protocol];
....
}
/* Returns the interface paired with tcpip_if (STA <-> ETH). For any other
 * input, including MDNS_IF_AP, it returns MDNS_IF_MAX as a "none" sentinel.
 * MDNS_IF_MAX is one past the last valid index of interfaces[], so callers
 * must test for it before using the result as an index. */
static mdns_if_t _mdns_get_other_if (mdns_if_t tcpip_if)
{
if (tcpip_if == MDNS_IF_STA) {
return MDNS_IF_ETH;
} else if (tcpip_if == MDNS_IF_ETH) {
return MDNS_IF_STA;
}
return MDNS_IF_MAX;
}
/* For every IP protocol that the "other" interface already serves, stops the
 * matching PCB on tcpip_if, marks it PCB_DUP and re-announces on the other
 * interface. */
static void _mdns_dup_interface(mdns_if_t tcpip_if)
{
uint8_t i;
/* BUG: _mdns_get_other_if() returns MDNS_IF_MAX (3) when tcpip_if is
 * MDNS_IF_AP, while interfaces[] has only MDNS_IF_MAX elements (indices
 * 0..2). other_if is used as an index below without checking for that
 * sentinel, so for the AP interface both interfaces[other_if] here and the
 * _mdns_announce_pcb(other_if, ...) call index one element past the end.
 * An early 'if (other_if == MDNS_IF_MAX) return;' would close this. */
mdns_if_t other_if = _mdns_get_other_if (tcpip_if);
for (i=0; i<MDNS_IP_PROTOCOL_MAX; i++) {
if (_mdns_server->interfaces[other_if].pcbs[i].pcb) {
//stop this interface and mark as dup
if (_mdns_server->interfaces[tcpip_if].pcbs[i].pcb) {
_mdns_clear_pcb_tx_queue_head(tcpip_if, i);
_mdns_pcb_deinit(tcpip_if, i);
}
_mdns_server->interfaces[tcpip_if].pcbs[i].state = PCB_DUP;
_mdns_announce_pcb(other_if, i, NULL, 0, true); // <= other_if may be MDNS_IF_MAX here
}
}
}
V557 Array overrun is possible. The value of 'frame->exccause' index could reach 16. gdbstub_xtensa.c 132
/* Translates the exception cause in the saved frame into a GDB signal number;
 * unknown causes map to 11 (SIGSEGV). */
int esp_gdbstub_get_signal(const esp_gdbstub_frame_t *frame)
{
const char exccause_to_signal[] =
{4, 31, 11, 11, 2, 6, 8, 0, 6, 7, 0, 0, 7, 7, 7, 7};
/* BUG: the table has 16 entries (indices 0..15) and sizeof() is 16, so '>'
 * lets exccause == 16 through and the read below is one past the end.
 * The check should be 'frame->exccause >= sizeof(exccause_to_signal)'. */
if (frame->exccause > sizeof(exccause_to_signal)) {
return 11;
}
return (int) exccause_to_signal[frame->exccause];
}