Examples of errors detected by the V512…

Examples of errors detected by the V512 diagnostic

V512. Call of the 'Foo' function will lead to buffer overflow.

Game_Music_Emu library

V512 A call of the 'memcpy' function will lead to a buffer overflow. game-music-emu nsfe_emu.cpp 162

struct header_t
  byte load_addr [2];
  byte init_addr [2];
  byte play_addr [2];

blargg_err_t Nsfe_Info::load( Data_Reader& in,
                              Nsf_Emu* nsf_emu )
  memcpy( info.load_addr, finfo.load_addr, 2 * 3 );

There is no actual error here: load_addr, init_addr and play_addr are three adjacent 2-byte arrays, so copying 6 bytes starting at load_addr covers exactly those three fields. The code is still fragile, though — it reads and writes past the declared bounds of a 2-byte member and silently depends on the field order and on there being no padding between the fields, so reordering the struct or inserting a member would corrupt data without any warning. Copying the three fields individually (or the enclosing struct as a whole) removes that hidden dependency.


V512 A call of the 'memcpy' function will lead to the '"sip"' buffer becoming out of range. targets.c 566

struct targets{
  char ip[MAX_ASCII_ADDR_LEN];
  u_char mac[MAX_ASCII_ADDR_LEN];
  char extension[64];
  char dirname[64];
  char protocol[11];
  char ua[48];
  char misc[64];

void sip_targetlookup(sipDB* currentSipCall)

Similar errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to the '"sip"' buffer becoming out of range. targets.c 631


V512 A call of the 'memcpy' function will lead to the '& rawheader[100]' buffer becoming out of range. chd.c 1870

The copy length is cut off in this excerpt, but parentsha1 is presumably CHD_SHA1_BYTES (20) bytes long, and 100 + 20 = 120 exceeds CHD_V4_HEADER_SIZE (108): the copy reads 12 bytes past the end of rawheader. Because rawheader is parsed from a file, the offset and length of every field should be validated against the header size that was actually read before it is copied out.

#define CHD_SHA1_BYTES    20
#define CHD_V4_HEADER_SIZE   108

static chd_error header_read(...., chd_header *header)
  memcpy(header->parentsha1, &rawheader[100],


V512 A call of the 'memset' function will lead to overflow of the buffer 'latestCounts'. calibfilter.cpp 238

The size is taken from the wrong member: latestCounts holds MAX_CAMERAS ints, while latestPoints holds MAX_CAMERAS pointers. On any target where a pointer is wider than an int (every 64-bit build) sizeof(latestPoints) is twice sizeof(latestCounts), so the memset runs past latestCounts into whatever follows it in the object (here the latestPoints array itself). The fix is memset( latestCounts, 0, sizeof(latestCounts) ).

class CV_EXPORTS CvCalibFilter
  enum { MAX_CAMERAS = 3 };
  int latestCounts[MAX_CAMERAS];
  CvPoint2D32f* latestPoints[MAX_CAMERAS];

void CvCalibFilter::SetCameraCount( int count )
  memset( latestCounts, 0, sizeof(latestPoints) );


V512 A call of the 'memcpy' function will lead to overflow of the buffer '& stat.lPosition'. MotorStage.cpp 247

typedef struct _DCMOTSTATUS
  unsigned short wChannel;   // Channel ident.
  unsigned int lPosition;    // Position in encoder counts.
  unsigned short wVelocity;  // Velocity in encoder counts/sec.
  unsigned short wReserved;  // Controller specific use
  unsigned int dwStatusBits; // Status bits (see #defines below).

int MotorStage::ParseStatus(const unsigned char* buf, int bufLen,
  memcpy(&stat.lPosition, buf + bufPtr, sizeof(long));  // <= (1)
  bufPtr += sizeof(long);

  memcpy(&stat.wVelocity, buf + bufPtr, sizeof(unsigned short));
  bufPtr += sizeof(unsigned short);

  memcpy(&stat.wReserved, buf + bufPtr, sizeof(unsigned short));
  bufPtr += sizeof(unsigned short);

         buf + bufPtr, sizeof(unsigned long));          // <= (2)
  return DEVICE_OK;

(1) - Not critical: sizeof(long) is used although lPosition is an unsigned int. On targets where long is wider than int (LP64, i.e. most 64-bit Unix builds) this writes 8 bytes into a 4-byte field and spills into wVelocity and wReserved — but those are overwritten by the following memcpy calls, which is why the damage is limited. Note that bufPtr also advances by sizeof(long), so on such targets the subsequent fields are read from the wrong offset in buf. (2) - Critical: dwStatusBits is the last member of the struct, so the extra bytes of an 8-byte copy land past the end of stat. In both places the copy length (and the bufPtr increment) should be derived from the destination, i.e. sizeof(stat.lPosition) and sizeof(stat.dwStatusBits). buf comes from the device and bufLen is passed in but not checked anywhere in the visible code, so each read should also be bounded against bufLen.

Similar errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to overflow of the buffer '& stat.dwStatusBits'. MotorStage.cpp 256


V512 A call of the 'strcpy' function will lead to overflow of the buffer '(char *) & bdata[13]'. bworld.cpp 64

static uint8 bdata[20];

static void Update(void *data, int arg)
 if(*(uint8 *)data)
  *(uint8 *)data=0;
  strcpy((char*)bdata,(char *)data+1);


V512 A call of the 'memcpy' function will lead to a buffer overflow. OgreMain ogrequaternion.h 87

Real w, x, y, z;

inline Quaternion(Real* valptr)
  memcpy(&w, valptr, sizeof(Real)*4);

There is no actual error: w, x, y and z are declared consecutively, so the four-Real copy fills exactly those members. The code nevertheless writes past the declared bounds of w and relies on the members being laid out in declaration order with no padding between them — nothing in the declaration enforces that, and a reordered or added member would silently break it. Copying into a Real[4] member, or assigning the four values individually, would make the intent explicit and remove the layout assumption.

Miranda NG

V512 A call of the 'strcat' function will lead to overflow of the buffer 'fn'. NimContact files.cpp 290

fn is a 6-byte local that is never initialised before strcat is called on it, so strcat first scans uninitialised stack memory for a terminator and then appends "_timer" — seven bytes including the terminator — which cannot fit in fn even if it happened to start out empty. The buffer must be initialised and sized for the full setting name, or the name should be built with snprintf into a sufficiently large array.

INT_PTR CALLBACK DlgProcFiles(....)
  char fn[6], tmp[MAX_PATH];
  SetDlgItemTextA(hwnd, IDC_WWW_TIMER,
    _itoa(db_get_w(NULL, MODNAME, strcat(fn, "_timer"), 60),
    tmp, 10));

Miranda NG

V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG main.cpp 2246

The string "GPG AutoExchange" is exactly 16 characters — the full size of caps — so strcpy places the terminating NUL one byte past the array, into the padding or the first byte of hIcon. Either enlarge caps or use a bounded copy that keeps the terminator inside the field.

typedef struct
  int cbSize;
  char caps[0x10];
  HANDLE hIcon;
  char name[MAX_CAPNAME];

void InitCheck()
  strcpy(cap.caps, "GPG AutoExchange");

Similar errors can be found in some other places:

  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG main.cpp 2261
  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG messages.cpp 541
  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG messages.cpp 849
  • And 1 additional diagnostic messages.


V512 A call of the 'wcsncpy' function will lead to overflow of the buffer 'psci->wszTitle'. columninfo.cxx 129

wcsncpy counts in wide characters, but sizeof(psci->wszTitle) yields bytes (the declaration of wszTitle is cut off here, but the "- 1" idiom shows it is being treated as an element count), so the limit passed is about twice the number of WCHARs the destination holds and the call may write up to twice the buffer. The usual form is sizeof(x) / sizeof(x[0]) - 1 (or _countof/ARRAYSIZE), followed by explicitly zeroing the last element, since wcsncpy does not guarantee a terminator.

typedef struct {
  WCHAR wszDescription[MAX_COLUMN_DESC_LEN];

  DWORD dwIndex, SHCOLUMNINFO *psci)
          (sizeof(psci->wszTitle) - 1));
  return S_OK;

FreeBSD Kernel

V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->vendor'. aacraid_cam.c 571

These are fixed-width, space-padded fields with no terminator (the SID_* names and the padding suggest SCSI INQUIRY data): "Adaptec " fills all SID_VENDOR_SIZE (8) bytes and "Array" plus its padding fills all SID_PRODUCT_SIZE (16), so each strcpy writes its terminating NUL one byte past the field, into the start of the next one. The first two stray NULs happen to be overwritten by the following strcpy, but the last one (after "V1.0") lands past revision if SID_REVISION_SIZE is 4 — its value is not shown here. Fill such fields with memcpy(p->vendor, "Adaptec ", SID_VENDOR_SIZE) (or strncpy with the field size), which copies no terminator.

#define  SID_VENDOR_SIZE   8
  char   vendor[SID_VENDOR_SIZE];
#define  SID_PRODUCT_SIZE  16
  char   product[SID_PRODUCT_SIZE];
  char   revision[SID_REVISION_SIZE];

static void
aac_container_special_command(struct cam_sim *sim,union ccb *ccb,
  u_int8_t *cmdp)
  /* OEM Vendor defines */
  strcpy(p->vendor,"Adaptec ");          // <=
  strcpy(p->product,"Array           "); // <=
  strcpy(p->revision,"V1.0");            // <=

Similar errors can be found in some other places:

  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->product'. aacraid_cam.c 572
  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->revision'. aacraid_cam.c 573


V512 A call of the 'sprintf' function will lead to overflow of the buffer 'errTxt'. stickyinstaller.cpp 162

The literal prefix "DDE Server Failed, error code = " is already 32 characters — the entire size of errTxt — so the digits of errCode and the terminator always land past the end of the array; this overflows on every path, not only for large error codes. Size the buffer for the longest possible output (a UINT needs up to 10 digits) and use snprintf with sizeof(errTxt).

BOOL DDE_InitClient (void)
  UINT errCode = DdeInitialize(....);
  if (errCode != 0)
    char errTxt[32];
    sprintf (errTxt, "DDE Server Failed, error code = %d",

Similar errors can be found in some other places:

  • V512 A call of the 'sprintf' function will lead to overflow of the buffer 'errTxt'. ddemlfuncs.cpp 151

FreeBSD Kernel

V512 A call of the 'memcpy' function will lead to the '"MPI Coredump"' buffer becoming out of range. qls_dump.c 1615

The copy length is cut off in this excerpt, but the literal "MPI Coredump" is only 13 bytes including its terminator, so any length above that — for instance sizeof(mpi_dump->mpi_global_header.id), which is 16 — reads past the end of the string constant. For a fixed-width identifier field either pad the literal to the field width, or copy strlen(...) + 1 bytes and zero the remainder of id.

typedef struct qls_mpid_glbl_hdr
  uint8_t   id[16];
} qls_mpid_glbl_hdr_t;

struct qls_mpi_coredump {
  qls_mpid_glbl_hdr_t  mpi_global_header;

typedef struct qls_mpi_coredump qls_mpi_coredump_t;

qls_mpi_core_dump(qla_host_t *ha)
  qls_mpi_coredump_t *mpi_dump = &ql_mpi_coredump;
  memcpy(mpi_dump->mpi_global_header.id, "MPI Coredump",

FreeBSD Kernel

V512 A call of the 'sprintf' function will lead to overflow of the buffer 'lldev->mtx_name_tx[qindex]'. if_nxge.c 511

The two dimensions appear to be swapped: mtx_name_tx[16][XGE_FIFO_COUNT] declares 16 rows of XGE_FIFO_COUNT bytes, while the loop uses it as XGE_FIFO_COUNT rows of 16 bytes. Whether a row overflows or a non-existent row is indexed depends on the value of XGE_FIFO_COUNT (not shown), but in either case the writes disagree with the declaration. The declaration should presumably read char mtx_name_tx[XGE_FIFO_COUNT][16], and the name should be formatted with snprintf bounded by the row size, since device_get_nameunit() plus "_tx_" and a queue index is not guaranteed to fit in 16 bytes.


typedef struct xge_lldev_t {
  char                 mtx_name_tx[16][XGE_FIFO_COUNT];
  struct callout       timer;
  struct ifmedia       media;
  xge_hal_channel_h    fifo_channel[XGE_FIFO_COUNT];

xge_mutex_init(xge_lldev_t *lldev)
  int qindex;
  for(qindex = 0; qindex < XGE_FIFO_COUNT; qindex++) {
    sprintf(lldev->mtx_name_tx[qindex], "%s_tx_%d",
      device_get_nameunit(lldev->device), qindex);


V512 A call of the 'memset' function will lead to overflow of the buffer 'device_list.addresses[i].addr'. bt-service-dpm.c 226

Independently of the memset size (cut off here), the loop advances i for every element of list with no check against the 20 entries of device_list.addresses, so a whitelist holding more than 20 devices indexes past the array and the memset (and whatever copy follows it) writes beyond device_list on the stack. The loop should stop at 20 entries (the array bound) or the list length should be validated first.


typedef struct {
 unsigned char addr[6];
} bluetooth_device_address_t;

typedef struct {
 int count;
 bluetooth_device_address_t addresses[20];
} bt_dpm_device_list_t;

dpm_result_t _bt_dpm_get_bluetooth_devices_from_whitelist(
  GArray **out_param1)
  dpm_result_t ret = DPM_RESULT_FAIL;
  bt_dpm_device_list_t device_list;
  for (; list; list = list->next, i++) {
    memset(device_list.addresses[i].addr, 0,

Similar errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to overflow of the buffer 'device_list.addresses[i].addr'. bt-service-dpm.c 176


V512 A call of the 'snprintf' function will lead to overflow of the buffer 'buf + strlen(buf)'. app_tracker.c 450

The size argument of the second snprintf must be the space remaining after the first, sizeof(buf) - strlen(buf), not sizeof(buf): the destination pointer has already been advanced by strlen(buf), so a limit of sizeof(buf) permits writing that many bytes from the new start — up to strlen(buf) bytes beyond the end of buf. The same mistake is repeated in navigator.c at lines 514 and 677 below; a helper that appends with the remaining size would fix all three.

static void _on_atspi_event_cb(const AtspiEvent * event)
  char buf[256] = "\0";
  snprintf(buf, sizeof(buf), "%s, %s, ",
           name, _("IDS_BR_BODY_IMAGE_T_TTS"));
  snprintf(buf + strlen(buf), sizeof(buf),
           "%s, ", _("IDS_ACCS_BODY_SELECTED_TTS"));


V512 A call of the 'snprintf' function will lead to overflow of the buffer 'trait + strlen(trait)'. navigator.c 514


void add_slider_description(....)
  char trait[HOVERSEL_TRAIT_SIZE] = "";
  snprintf(trait, HOVERSEL_TRAIT_SIZE,
           _("IDS_GCTS_OPT_P1SS_PERCENT_TTS"), buf_percent);
  snprintf(trait + strlen(trait), HOVERSEL_TRAIT_SIZE,     // <=
           ", %s", _IGNORE_ON_TV("IDS_......."));


V512 A call of the 'snprintf' function will lead to overflow of the buffer 'ret + strlen(ret)'. navigator.c 677

#define TTS_MAX_TEXT_SIZE  2000

char *generate_description_trait(AtspiAccessible * obj) {
  char ret[TTS_MAX_TEXT_SIZE] = { [TTS_MAX_TEXT_SIZE - 1] = 0 };
  snprintf(ret, sizeof(ret),
           index + 1, children_count);
  if (!is_selected)
    snprintf(ret + strlen(ret), sizeof(ret),               // <=
             ", %s",

EFL Core Libraries

V512 A call of the 'memcpy' function will lead to the 'array' buffer becoming out of range. eina_array.c 186

Besides the size, the source type is wrong: array is an Eina_Array, yet the call copies sizeof(Eina_Accessor_Array) bytes from it into the newly allocated accessor. That reads past the Eina_Array object wherever the accessor struct is the larger of the two (the size of Eina_Accessor is not shown here) and, in any case, fills ac with Eina_Array bytes rather than accessor state. A clone should copy from an existing Eina_Accessor_Array, or — if this function is meant to build a fresh accessor over array — initialise ac's fields explicitly instead of using memcpy.

typedef struct _Eina_Array Eina_Array;
struct _Eina_Array
   int version;
   void **data;
   unsigned int total;
   unsigned int count;
   unsigned int step;
   Eina_Magic __magic;

typedef struct _Eina_Accessor_Array Eina_Accessor_Array;
struct _Eina_Accessor_Array
   Eina_Accessor accessor;
   const Eina_Array *array;
   Eina_Magic __magic;

static Eina_Accessor *
eina_array_accessor_clone(const Eina_Array *array)
   Eina_Accessor_Array *ac;
   ac = calloc(1, sizeof (Eina_Accessor_Array));
   if (!ac) return NULL;
   memcpy(ac, array, sizeof(Eina_Accessor_Array));
   return &ac->accessor;

EFL Core Libraries

V512 A call of the 'memcpy' function will lead to overflow of the buffer 'bgra + k * 16'. draw_convert.c 318

bgra has 16 unsigned int elements (64 bytes) and pointer arithmetic counts elements, so bgra + k * 16 starts at byte 64, 128 and 192 for k = 1, 2, 3 — entirely outside the array, making three of the four copies read stale stack data into the output image. Each copy moves 16 bytes, i.e. four 32-bit pixels, so the intended expression is presumably bgra + k * 4 (the k-th row of a 4x4 block).

static Eina_Bool _convert_etc2_rgb8_to_argb8888(....)
   const uint8_t *in = src;
   uint32_t *out = dst;
   int out_step, x, y, k;
   unsigned int bgra[16];
   for (k = 0; k < 4; k++)
     memcpy(out + x + k * out_step, bgra + k * 16, 16);

Similar errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to overflow of the buffer 'bgra + k * 16'. draw_convert.c 350

XNU kernel

V512 CWE-119 A call of the 'snprintf' function will lead to overflow of the buffer 'interface_names[index]'. necp.c 4376

#define  IFNAMSIZ   16
#define  IFXNAMSIZ  (IFNAMSIZ + 8)


static inline const char *
  for (index = 0; index < MAX_ROUTE_RULE_INTERFACES; index++) {
    if (route_rule->exception_if_indices[index] != 0) {
      ifnet_t interface = ifindex2ifnet[....];
               IFXNAMSIZ, "%s%d", ifnet_name(interface),
    } else {
      memset(interface_names[index], 0, IFXNAMSIZ);

The snprintf writes up to IFXNAMSIZ bytes, and the memset exactly IFXNAMSIZ bytes, into interface_names[index]; that is only valid if every row of the array is IFXNAMSIZ bytes wide. Most likely the two dimensions were swapped in the declaration and it should be written as follows: char interface_names[MAX_ROUTE_RULE_INTERFACES][IFXNAMSIZ]; Since this is kernel code, each over-long row write corrupts adjacent kernel memory, so the declaration should be corrected rather than the write size reduced.

Similar errors can be found in some other places:

  • V512 CWE-119 A call of the 'memset' function will lead to overflow of the buffer 'interface_names[index]'. necp.c 4378

XNU kernel

V512 CWE-119 A call of the '__builtin___memcpy_chk' function will lead to a buffer overflow. necp_client.c 1459

#define  IFNAMSIZ   16
#define  IFXNAMSIZ  (IFNAMSIZ + 8)


struct necp_client_parsed_parameters {
  char prohibited_interfaces[IFXNAMSIZ]

static int
  struct necp_client_parsed_parameters *parsed_parameters)
  u_int32_t length = ....;
  if (length <= IFXNAMSIZ && length > 0) {
           value, length);
                    num_prohibited_interfaces][length - 1] = 0;

The range check length <= IFXNAMSIZ, the copy of length bytes and the terminator written at index [length - 1] all assume that each row of prohibited_interfaces is IFXNAMSIZ bytes wide. The check itself is fine — most likely the two dimensions were swapped in the declaration and it should be written as follows: char prohibited_interfaces[NECP_MAX_PARSED_PARAMETERS][IFXNAMSIZ]; With the declaration as it stands, rows are NECP_MAX_PARSED_PARAMETERS bytes wide and the copy lands in kernel memory past the row.


V512 A call of the 'sprintf' function will lead to overflow of the buffer 'fullpath'. disk.c 1257

sprintf into a PATH_MAX buffer is unbounded: dirname is a pointer to a string of unknown length and d_name may itself be up to NAME_MAX bytes, so a long directory path plus a long entry name exceeds PATH_MAX. Use snprintf(fullpath, sizeof(fullpath), "%s/%s", dirname, pdirent->d_name) and treat a return value >= sizeof(fullpath) as an error (skip the entry) rather than silently truncating — a truncated path would refer to a different file.

  char *dirname, fullpath[PATH_MAX];
  /* Get information for directory entry */
  sprintf(fullpath, "%s/%s", dirname, pdirent->d_name);


V512 A call of the 'sprintf' function will lead to overflow of the buffer 'fileSearch'. FileSystemUtils.cpp 307

#define MAX_PATH          260


void PLATFORM_migrateSaveData(char *output)
  char oldLocation[MAX_PATH];
  char newLocation[MAX_PATH];
  char oldDirectory[MAX_PATH];
  char fileSearch[MAX_PATH];


  /* Same place, different layout. */
  strcpy(oldDirectory, output);

  sprintf(fileSearch, "%s\\*.vvvvvv", oldDirectory);


If oldDirectory is 251 characters or longer, the formatted string no longer fits: the suffix "\*.vvvvvv" is 9 characters and the terminator takes one more, leaving room for only 250 characters of oldDirectory in the 260-byte fileSearch, so sprintf writes past the end of the array. The preceding strcpy(oldDirectory, output) is unbounded in the same way; whether either is reachable with hostile input depends on where output comes from, which is not shown here. Both should be length-checked — snprintf(fileSearch, sizeof(fileSearch), ...) with its return value compared against sizeof(fileSearch), and an explicit length check (or strlcpy) for the strcpy.


V512 [CWE-119] A call of the 'memcpy' function will lead to the 'net_hostname_get()' buffer becoming out of range. log_backend_net.c 114

The length passed to memcpy is presumably the destination size, but the source is a string constant: in the configuration shown net_hostname_get() returns "zephyr", seven bytes including its terminator, so copying MAX_HOSTNAME_LEN bytes reads past the end of the literal whenever MAX_HOSTNAME_LEN is larger than that (its definition is not shown here). Copy the string by its own length bounded by the destination, e.g. strncpy(hostname, net_hostname_get(), MAX_HOSTNAME_LEN - 1); hostname[MAX_HOSTNAME_LEN - 1] = 0;

const char *net_hostname_get(void);
static inline const char *net_hostname_get(void)
  return "zephyr";

#define NET_IPV6_ADDR_LEN sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx")

static int do_net_init(void)
  (void)memcpy(hostname, net_hostname_get(), MAX_HOSTNAME_LEN);


V512 [CWE-119] A call of the 'snprintf' function will lead to overflow of the buffer 'full_name'. lwm2m_rw_json.c 826

The limit passed to snprintf must be the size of its destination; here full_name is MAX_RESOURCE_LEN (20) bytes but the limit is TOKEN_BUF_LEN (64), so the bound protects nothing. base_name and value together can be up to 82 characters — and both are presumably filled from the incoming message — so anything beyond 19 characters is written past full_name. Use snprintf(full_name, sizeof(full_name), ...) and check the return value so an over-long name is rejected rather than truncated.

int do_write_op_json(struct lwm2m_message *msg)
  u8_t value[TOKEN_BUF_LEN];         // TOKEN_BUF_LEN = 64
  u8_t base_name[MAX_RESOURCE_LEN];  // MAX_RESOURCE_LEN = 20
  u8_t full_name[MAX_RESOURCE_LEN];  // MAX_RESOURCE_LEN = 20
  /* combine base_name + name */
  snprintf(full_name, TOKEN_BUF_LEN, "%s%s", base_name, value);

Command & Conquer

V512 A call of the 'sprintf' function will lead to overflow of the buffer '(char *) ptr'. SOUNDDLG.CPP 250

sizeof(100) is the size of an int literal — 4 bytes — not 100, so the allocation is 4 bytes and the sprintf, which produces a marker character, "Track", a number, a time and a file name, writes well past it on every call. The intent was new char[100]; better still, size the buffer from the inputs (or from snprintf's return value) so a long fullname cannot overflow it either.

void SoundControlsClass::Process(void)
  void * ptr = new char [sizeof(100)];                                // <=

  if (ptr) {
    sprintf((char *)ptr, "%cTrack %d\t%d:%02d\t%s",                   // <=
      index, listbox.Count()+1, length / 60, length % 60, fullname);
    listbox.Add_Item((char const *)ptr);


V512 [CWE-119] A call of the 'memset' function will lead to overflow of the buffer 'param->reserved'. sce_gnm_draw.cpp 420

sizeof(param->reserved) is already the size of the whole array in bytes (27 * 4 = 108); multiplying it by sizeof(uint32_t) again asks memset to clear 432 bytes, 324 of them past the end of reserved and into whatever follows it in the command structure. The size should simply be sizeof(param->reserved). The same mistake is repeated in sce_gnm_dispatch.cpp below.

struct GnmCmdPSShader
  uint32_t reserved[27];

int PS4API sceGnmSetPsShader350(....)
  memset(param->reserved, 0, sizeof(param->reserved) * sizeof(uint32_t));
  return SCE_OK;


V512 [CWE-119] A call of the 'memset' function will lead to overflow of the buffer 'initParam->reserved'. sce_gnm_dispatch.cpp 16

uint32_t PS4API sceGnmDispatchInitDefaultHardwareState(....)
  memset(initParam->reserved, 0,
         sizeof(initParam->reserved) * sizeof(uint32_t));
  return initCmdSize;


V512 A call of the 'memcpy' function will lead to the '& ix' buffer becoming out of range. math_util.h 23

typedef unsigned short float16;
inline float Float16ToFloat(float16 ix)
    float x;
    memcpy(&x, &ix, sizeof(float));
    return x;

If `float` is 32 bits (4 bytes) and `unsigned short` is 16 bits (2 bytes) — the case on essentially every current platform — the memcpy reads 4 bytes from a 2-byte object, i.e. two bytes past `ix`. That is an out-of-bounds read of adjacent stack memory, so the returned float is garbage rather than a converted value. Note that copying only sizeof(ix) bytes would not fix the function either: reinterpreting a 16-bit pattern as the low half of a 32-bit float is not a half-to-single conversion, so the function presumably needs a real IEEE 754 half-precision conversion.


V512 A call of the 'rocksdb_iter_value' function will lead to overflow of the buffer '& vlen'. streamBackendRocksdb.c 4390

vlen is a 32-bit int32_t, but rocksdb_iter_value stores a size_t through the pointer; on 64-bit targets that is an 8-byte store into a 4-byte local, clobbering whatever the compiler placed next to vlen on the stack — and the (size_t*) cast is exactly what hides the mismatch from the compiler. Declare vlen as size_t; no cast should be needed.

const char* rocksdb_iter_value(const rocksdb_iterator_t* iter, size_t* vlen) {
  Slice s = iter->rep->value();
  *vlen = s.size();
  return s.data();

int32_t streamDefaultIterGet_rocksdb(....) {
  while (rocksdb_iter_valid(pIter)) {
    const char* key = rocksdb_iter_key(pIter, &klen);
    int32_t     vlen = 0;
    const char* vval = rocksdb_iter_value(pIter, (size_t*)&vlen);


V512 A call of the 'memcpy' function will lead to overflow of the buffer 'value'. simExec.c 786

value points into a 1024-byte slot of script->data, but length[i] — a column length returned by taos_fetch_lengths — is only checked against 1 << 20, so a BINARY/NCHAR value longer than 1023 bytes makes the memcpy overflow the slot (and the terminator write at value[length[i]] goes with it), overwriting neighbouring rows and columns. The check should be against the destination: length[i] < 0 || length[i] >= MAX_QUERY_VALUE_LEN.

#define MAX_QUERY_VALUE_LEN       1024

typedef struct _script_t {
  char              data[100][100][1024];
} SScript;

bool simExecuteNativeSqlCommand(SScript *script, char *rest, bool isSlow) {
  char *value = NULL;
  if (i < MAX_QUERY_COL_NUM) {
    value = script->data[numOfRows][i];
  if (value == NULL) {
  int32_t    *length = taos_fetch_lengths(pSql);
  if (length[i] < 0 || length[i] > 1 << 20) {
    fprintf(stderr, "Invalid length(%d) of BINARY or NCHAR\n", length[i]);
  memset(value, 0, MAX_QUERY_VALUE_LEN);
  memcpy(value, row[i], length[i]);
  value[length[i]] = 0;

