Examples of errors detected by the V575 diagnostic
V575. Function receives suspicious argument.
G3D Content Pak
V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. graphics3D matrix4.cpp 269
bool Matrix4::operator==(const Matrix4& other) const {
if (memcmp(this, &other, sizeof(Matrix4) == 0)) {
return true;
A parenthesis is in the wrong place. This is how it should be: if (memcmp(this, &other, sizeof(Matrix4)) == 0) {
Miranda IM
V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. clist_modern modern_image_array.cpp 59
static BOOL ImageArray_Alloc(LP_IMAGE_ARRAY_DATA iad, int size)
(size_grow - iad->nodes_allocated_size) *
Arguments are mixed up. This is what should have been written here: memset(&iad->nodes[iad->nodes_allocated_size], 0, (size_grow - iad->nodes_allocated_size) * sizeof(IMAGE_ARRAY_DATA_NODE));
V575 The 'memset' function processes value '8196'. Inspect the second argument. hal bios.c 427
#define RtlFillMemory(Destination, Length, Fill) \
memset(Destination, Fill, Length)
#define IOPM_FULL_SIZE 8196
RtlFillMemory(HalpSavedIoMap, 0xFF, IOPM_FULL_SIZE);
Arguments are mixed up. This is what should have been written here: RtlFillMemory(HalpSavedIoMap, IOPM_FULL_SIZE, 0xFF);
Doom 3
V575 The 'memset' function processes '0' elements. Inspect the third argument. DoomDLL win_shared.cpp 177
void Sys_GetCurrentMemoryStatus( sysMemoryStats_t &stats ) {
memset( &statex, sizeof( statex ), 0 );
This is what should have been written here: memset( &statex, 0, sizeof( statex ) );
Mozilla Firefox
V575 The 'memcmp' function processes '0' elements. Inspect the third argument. pixman-image.c 520
pixman_image_set_transform (....)
memcmp (common->transform, transform,
sizeof (pixman_transform_t) == 0))
This is what should have been written here: memcmp (common->transform, transform, sizeof (pixman_transform_t)) == 0)
Fennec Media
V575 The null pointer is passed into 'free' function. Inspect the first argument. settings interface.c 3096
int settings_proc_language_packs(....)
mem_files = 0;
V575 The null pointer is passed into 'wcscpy' function. Inspect the second argument. eventvwr.c 270
BOOL GetEventCategory(....)
if (lpMsgBuf)
wcscpy(CategoryName, (LPCWSTR)lpMsgBuf);
V575 The null pointer is passed into 'strstr' function. Inspect the first argument. headless.c 263
VOID WinLdrSetupEms(IN PCHAR BootOptions)
PCHAR RedirectPort;
RedirectPort = strstr(RedirectPort, "com");
if (RedirectPort)
RedirectPort = strstr(RedirectPort, "usebiossettings");
V575 The null pointer is passed into '_wcsicmp' function. Inspect the first argument. misc.c 150
DWORD ParseReasonCode(LPCWSTR code)
LPWSTR tmpPrefix = NULL;
for (reasonptr = shutdownReason ;
reasonptr->prefix ; reasonptr++)
if ((majorCode == reasonptr->major) &&
(minorCode == reasonptr->minor) &&
(_wcsicmp(tmpPrefix, reasonptr->prefix) != 0))
return reasonptr->flag;
Multi Theft Auto
V575 The null pointer is passed into 'memcpy' function. Inspect the second argument. cdirect3ddata.cpp 80
void CDirect3DData::GetTransform (
D3DMATRIX * pMatrixOut)
switch ( dwRequestedMatrix )
case D3DTS_VIEW:
memcpy (pMatrixOut, &m_mViewMatrix, sizeof(D3DMATRIX));
memcpy (pMatrixOut, &m_mProjMatrix, sizeof(D3DMATRIX));
memcpy (pMatrixOut, &m_mWorldMatrix, sizeof(D3DMATRIX));
// Zero out the structure for the user.
memcpy (pMatrixOut, 0, sizeof(D3DMATRIX)); // <=
A copy-paste error. Most likely this is what should be written here: memset(pMatrixOut, 0, sizeof(D3DMATRIX));
Multi Theft Auto
V575 The 'memset' function processes value '512'. Inspect the second argument. crashhandler.cpp 499
#define RtlFillMemory(Destination,Length,Fill) \
#define FillMemory RtlFillMemory
LPCTSTR __stdcall GetFaultReason ( EXCEPTION_POINTERS * pExPtrs )
FillMemory ( pSym , NULL , SYM_BUFF_SIZE ) ;
Most likely this is what should be written here: FillMemory ( pSym , SYM_BUFF_SIZE, 0 ) ;
Similar errors can be found in some other places:
- V575 The 'memset' function processes '0' elements. Inspect the third argument. crashhandler.cpp 499
- V575 The 'memset' function processes value '512'. Inspect the second argument. ccrashhandlerapi.cpp 503
- V575 The 'memset' function processes '0' elements. Inspect the third argument. ccrashhandlerapi.cpp 503
V575 The 'memset' function processes '0' elements. Inspect the third argument. perf.cpp 487
void FB_CARG Why::UtlInterface::getPerfCounters(
...., ISC_INT64* counters)
unsigned n = 0;
memset(counters, 0, n * sizeof(ISC_INT64));
V575 The null pointer is passed into 'strlen' function. Inspect the first argument. splitline.c 107
char **splitLineCSV(....)
if (retstr[curr_str] == NULL)
*toks = 0;
substitutedstring = NULL;
freeArrayOfString(retstr, strlen(substitutedstring));
return NULL;
V575 The 'memset' function processes '0' elements. Inspect the third argument. messagedlg.cpp 786
TForm * __fastcall TMessageForm::Create(....)
memset(&AFont, sizeof(AFont), 0);
Similar errors can be found in some other places:
- V575 The 'memset' function processes '0' elements. Inspect the third argument. messagedlg.cpp 796
Miranda NG
V575 The 'strrchr' function processes value '10875'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 177
#define mir_strrchr(s,c) (((s)!=0)?strrchr((s),(c)):0)
BYTE CExImContactBase::fromIni(LPSTR& row)
if (cchBuf > 10 && (p1 = mir_strrchr(pszBuf, '*{')) &&
(p2 = mir_strchr(p1, '}*')) && p1 + 2 < p2) {
Similar errors can be found in some other places:
- V575 The 'strchr' function processes value '32042'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 177
- V575 The 'strrchr' function processes value '10812'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 182
- V575 The 'strchr' function processes value '15914'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 182
- And 8 additional diagnostic messages.
Miranda NG
V575 The 'memset' function processes '0' elements. Inspect the third argument. PluginUpdater dlgupdate.cpp 652
static int ScanFolder(....)
ZeroMemory(szMyHash, 0);
// smth went wrong, reload a file from scratch
Similar errors can be found in some other places:
- V575 The 'memset' function processes '0' elements. Inspect the third argument. ShlExt shlipc.cpp 68
Miranda NG
V575 The null pointer is passed into 'fclose' function. Inspect the first argument. NimContact files.cpp 97
int savehtml(char* outFile)
FILE* file = fopen(outFile, "w");
if (!file)
return 0;
fprintf(file, "%s", szInfo);
return 1;
Haiku Operating System
V575 The 'strchr' function processes value '2112800'. Inspect the second argument. CommandActuators.cpp 1517
extern char *strchr(const char *string, int character);
SendMessageCommandActuator(int32 argc, char** argv)
CommandActuator(argc, argv),
fSignature((argc > 1) ? argv[1] : "")
const char* arg = argv[i];
BString argString(arg);
const char* equals = strchr(arg, ' = '); // <=
V575 Buffer's size in bytes should be passed to the 'memset' function as the third argument instead of the number of processed elements. solitaire.cpp 153
void UpdateStatusBar(void)
TCHAR szStatusText[128];
sizeof(szStatusText) / sizeof(TCHAR)); // <=
Open X-Ray Engine
V575 The null pointer is passed into 'fclose' function. Inspect the first argument. ogg_enc.cpp 47
ETOOLS_API int __stdcall ogg_enc(....)
FILE *in, *out = NULL;
input_format *format;
in = fopen(in_fn, "rb");
if(in == NULL) return 0;
format = open_audio_file(in, &enc_opts);
return 0;
out = fopen(out_fn, "wb");
if(out == NULL){
return 0;
Open X-Ray Engine
V575 The 'memset' function processes '0' elements. Inspect the third argument. xrdebug.cpp 104
size_t xrDebug::BuildStackTrace(EXCEPTION_POINTERS* exPtrs,
char *buffer,
size_t capacity,
size_t lineCapacity)
memset(buffer, capacity*lineCapacity, 0);
CryEngine V
V575 The 'memset' function processes '0' elements. Inspect the third argument. crythreadutil_win32.h 294
void EnableFloatExceptions(....)
memset(&ctx, sizeof(ctx), 0);
V575 The null pointer is passed into 'fclose' function. Inspect the first argument. grub-mkpasswd-pbkdf2.c 184
int main (int argc, char *argv[])
FILE *f;
size_t rd;
f = fopen ("/dev/urandom", "rb");
if (!f)
memset (pass1, 0, sizeof (pass1));
free (buf);
free (bufhex);
free (salthex);
free (salt);
fclose (f); // <=
fclose (f);
Similar errors can be found in some other places:
- V575 The null pointer is passed into 'free' function. Inspect the first argument. grub-setup.c 1187
Linux Kernel
V575 The 'strncasecmp' function processes '0' elements. Inspect the third argument. linux_wlan.c 1121
static int mac_ioctl(struct net_device *ndev,
struct ifreq *req,
int cmd)
u8 *buff = NULL;
s8 rssi;
u32 size = 0, length = 0;
struct wilc_vif *vif;
s32 ret = 0;
struct wilc *wilc;
vif = netdev_priv(ndev);
wilc = vif->wilc;
if (!wilc->initialized)
return 0;
switch (cmd) {
struct iwreq *wrq = (struct iwreq *)req;
size = wrq->u.data.length;
if (size && wrq->u.data.pointer) {
buff = memdup_user(wrq->u.data.pointer,
if (IS_ERR(buff))
return PTR_ERR(buff);
if (strncasecmp(buff, "RSSI", length) == 0) { // <=
return ret;
CryEngine V
V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. SystemInit.cpp 4045
class CLvlRes_finalstep : public CLvlRes_base
for (;; )
if (*p == '/' || *p == '\\' || *p == 0)
char cOldChar = *p;
*p = 0; // create zero termination
_finddata_t fd;
bool bOk = FindFile(szFilePath, szFile, fd);
if (bOk)
assert(strlen(szFile) == strlen(fd.name));
*p = cOldChar; // get back the old separator
if (!bOk)
memcpy((void*)szFile, fd.name, strlen(fd.name)); // <=
if (*p == 0)
szFile = p;
else ++p;
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. wayland_panel_agent_module.cpp 1060
static char *
insert_text (const char *text, uint32_t offset,
const char *insert)
uint32_t tlen = strlen (text), ilen = strlen (insert);
char *new_text = (char*)malloc (tlen + ilen + 1);
if ((unsigned int) tlen < offset)
offset = tlen;
memcpy (new_text, text, offset);
V575 The 'memset' function processes '0' elements. Inspect the third argument. win_mem_alloc.c 91
void *MyHeapAlloc(size_t dwSize, char *file, int line)
LPVOID NewPointer = NULL;
if (dwSize > 0)
NewPointer = malloc(dwSize);
NewPointer = memset (NewPointer, 0, dwSize);
NewPointer = malloc(dwSize);
NewPointer = memset (NewPointer, 0, dwSize);
return NewPointer;
EFL Core Libraries
V575 The 'memcmp' function processes '0' elements. Inspect the third argument. eina_simple_xml_parser.c 355
EAPI Eina_Bool
else if ((itr + sizeof("<!>") - 1 < itr_end) &&
(!memcmp(itr + 2, "", sizeof("") - 1)))
toff = sizeof("!") - 1;
EFL Core Libraries
V575 The 'munmap' function processes '0' elements. Inspect the second argument. eina_evlog.c 117
static void
free_buf(Eina_Evlog_Buf *b)
if (!b->buf) return;
b->size = 0;
b->top = 0;
# ifdef HAVE_MMAP
munmap(b->buf, b->size);
# else
# endif
b->buf = NULL;
EFL Core Libraries
V575 The null pointer is passed into 'free' function. Inspect the first argument. edje_entry.c 2306
static void
char *compres = NULL, *string = (char *)ev->string;
if (compres)
string = compres;
free_string = EINA_TRUE;
else free(compres);
Similar errors can be found in some other places:
- V575 The null pointer is passed into 'free' function. Inspect the first argument. efl_ui_internal_text_interactive.c 1022
- V575 The null pointer is passed into 'free' function. Inspect the first argument. edje_cc_handlers.c 15962
EFL Core Libraries
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. edje_pick.c 595
static void
Edje_Part_Collection_Directory_Entry *ce_cor, *ce_new, *ce_f;
ce_new = malloc(sizeof(*ce_new));
memcpy(ce_new, ce_cor, sizeof(*ce_new));
Similar errors can be found in some other places:
- V575 The potential null pointer is passed into 'strrchr' function. Inspect the first argument. types_generator.c 40
- V575 The potential null pointer is passed into 'strchr' function. Inspect the first argument. docs_generator.c 243
- V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. eina_unicode.c 119
- And 54 additional diagnostic messages.
V575 The potential null pointer is passed into 'memmove' function. Inspect the first argument. string.hpp 54
void assign_only_nonnull(const char * b, unsigned size)
begin_ = (char *)malloc(size + 1);
memmove(begin_, b, size);
end_ = begin_ + size;
storage_end_ = end_ + 1;
Similar errors can be found in some other places:
- V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. error.cpp 28
- V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. error.cpp 40
- V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. new_filter.cpp 300
- And 2 additional diagnostic messages.
V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. e_info_server.c 3165
static E_Info_Transform*
E_Info_Transform *result = NULL;
result = _e_info_transform_find(ec, id);
if (!result)
result = (E_Info_Transform*)malloc(sizeof(E_Info_Transform));
memset(result, 0, sizeof(E_Info_Transform));
V575 The potential null pointer is passed into 'strlen' function. Inspect the first argument. image_util_decode_encode_testsuite.c 207
int main(int argc, char *argv[])
char *temp1 = strstr(dp->d_name, "-");
char *temp2 = strstr(dp->d_name, ".");
strncpy(temp_filename, dp->d_name, strlen(dp->d_name) -
strncpy(file_format, temp2, strlen(temp2));
Similar errors can be found in some other places:
- V575 The potential null pointer is passed into 'strlen' function. Inspect the first argument. image_util_decode_encode_testsuite.c 208
- V575 The null pointer is passed into 'free' function. Inspect the first argument. edit.c 2823
- V575 The null pointer is passed into 'free' function. Inspect the first argument. apps_data_db.c 300
- And 10 additional diagnostic messages.
V575 The 'substr' function processes '-1' elements. Inspect the second argument. meter_strip.cc 491
MeterStrip::set_tick_bar (int m)
std::string n;
_tick_bar = m;
if (_tick_bar & 1) {
n = meter_ticks1_area.get_name();
if (n.substr(0,3) != "Bar") {
meter_ticks1_area.set_name("Bar" + n);
} else {
n = meter_ticks1_area.get_name();
if (n.substr(0,3) == "Bar") {
meter_ticks1_area.set_name(n.substr(3,-1)); // <=
if (_tick_bar & 2) {
n = meter_ticks2_area.get_name();
if (n.substr(0,3) != "Bar") {
meter_ticks2_area.set_name("Bar" + n);
} else {
n = meter_ticks2_area.get_name();
if (n.substr(0,3) == "Bar") {
meter_ticks2_area.set_name(n.substr(3,-1)); // <=
string substr (size_t pos = 0, size_t len = npos) const;
V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1106, 1105. iscguard.cpp 1106
static void write_log(int log_action, const char* buff)
log_info* tmp =
memset(tmp, 0, sizeof(log_info));
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 43, 42. gcs_xcom_state_exchange.cc 43
m_data_size= data_size;
static_cast<uchar *>(malloc(sizeof(uchar) * m_data_size));
memcpy(m_data, data, m_data_size);
V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. control_events.cpp 830
View_change_event::View_change_event(char* raw_view_id)
: Binary_log_event(VIEW_CHANGE_EVENT),
view_id(), seq_number(0), certification_info()
memcpy(view_id, raw_view_id, strlen(raw_view_id));
PostgreSQL Database Management System
V575 The potential null pointer is passed into 'strncpy' function. Inspect the first argument. Check lines: 66, 65. pg_regress_ecpg.c 66
static void
ecpg_filter(const char *sourcefile, const char *outfile)
n = (char *) malloc(plen);
StrNCpy(n, p + 1, plen);
PostgreSQL Database Management System
V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. informix.c 677
intoasc(interval * i, char *str)
char *tmp;
errno = 0;
tmp = PGTYPESinterval_to_asc(i);
if (!tmp)
return -errno;
memcpy(str, tmp, strlen(tmp));
return 0;
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. dns_config_service_win.cc 134
std::unique_ptr<IP_ADAPTER_ADDRESSES, base::FreeDeleter>
ReadIpHelper(ULONG flags) {
std::unique_ptr<IP_ADAPTER_ADDRESSES, base::FreeDeleter> out;
memset(out.get(), 0, len);
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 129, 127. nacl_validation_query.cc 129
V8 JavaScript Engine
V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 327
void i::V8::FatalProcessOutOfMemory(const char* location,
bool is_heap_oom) {
memset(last_few_messages, 0x0BADC0DE,
Heap::kTraceRingBufferSize + 1);
memset(js_stacktrace, 0x0BADC0DE,
Heap::kStacktraceBufferSize + 1);
memset(&heap_stats, 0xBADC0DE, sizeof(heap_stats));
Memory will be filled not with the constant 0xBADC0DE but with the byte value 0xDE, because memset converts its second argument to unsigned char.
Similar errors can be found in some other places:
- V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 328
- V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 329
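The recurring patterns in the entries above (swapped memset arguments, a fill value wider than one byte, and memcpy sized with strlen) can be measured directly. The following is an added example, not code from any of the listed projects; probe_memset, copy_is_terminated, CAP and POISON are hypothetical names, and the buffer contents are constructed.

```c
#include <stdio.h>
#include <string.h>

#define CAP    8196   /* same size as IOPM_FULL_SIZE in the hal bios.c entry */
#define POISON 0xAA   /* constructed marker: "memset never touched this byte" */

struct fill_result {
    size_t written;       /* bytes that no longer hold POISON */
    unsigned char first;  /* value stored in the first byte */
};

/* Poison a buffer, run memset(buf, value, length), report what changed. */
struct fill_result probe_memset(int value, size_t length)
{
    static unsigned char buf[CAP];
    struct fill_result r = {0, 0};
    size_t i;

    memset(buf, POISON, sizeof buf);
    if (length > sizeof buf)
        length = sizeof buf;   /* keep the probe itself in bounds */
    memset(buf, value, length);

    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != POISON)
            r.written++;
    r.first = buf[0];
    return r;
}

/*
 * memcpy(dst, src, strlen(src)) copies the characters but not the
 * terminating null. Returns 1 if dst ends up terminated right after
 * the copied text, 0 if stale data follows it.
 */
int copy_is_terminated(int include_nul)
{
    char dst[8];
    const char *src = "abc";          /* constructed sample string */
    size_t n = strlen(src);

    memset(dst, 'X', sizeof dst);     /* stale, non-zero destination */
    memcpy(dst, src, include_nul ? n + 1 : n);
    return dst[n] == '\0';
}

int main(void)
{
    struct fill_result r;

    /* Doom 3 pattern: memset(&statex, sizeof(statex), 0) */
    r = probe_memset(64, 0);
    printf("swapped (size, 0):     %lu bytes written\n",
           (unsigned long)r.written);

    /* Corrected order: memset(&statex, 0, sizeof(statex)) */
    r = probe_memset(0, 64);
    printf("correct (0, size):     %lu bytes written\n",
           (unsigned long)r.written);

    /* hal bios.c pattern: memset(map, IOPM_FULL_SIZE, 0xFF) */
    r = probe_memset(8196, 0xFF);
    printf("swapped (8196, 0xFF):  %lu bytes of 0x%02X\n",
           (unsigned long)r.written, (unsigned)r.first);

    /* V8 pattern: the fill value is truncated to unsigned char */
    r = probe_memset(0x0BADC0DE, 32);
    printf("fill 0x0BADC0DE:       bytes hold 0x%02X\n", (unsigned)r.first);

    printf("memcpy strlen(src):    terminated=%d\n", copy_is_terminated(0));
    printf("memcpy strlen(src)+1:  terminated=%d\n", copy_is_terminated(1));
    return 0;
}
```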
V575 CWE-628 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 35, 34. dirtools_public.cpp 35
bool BCreateDirectoryRecursive( const char *pchPath )
int len = (int)strlen( pchPath );
char *path = (char *)malloc( len + 1 );
strcpy( path, pchPath );
There is no protection if the malloc function returns a null pointer.
V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 102, 101. bitvector.h 102
BitVector(const BitVector &RHS) : Size(RHS.size()) {
Bits = (BitWord *)std::malloc(Capacity * sizeof(BitWord));
std::memcpy(Bits, RHS.Bits, Capacity * sizeof(BitWord));
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 440, 439. bitvector.h 440
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 31, 28. smallvector.cpp 31
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 134, 129. dfa.c 134
DFA_new(Ins *ins, unsigned int ni, unsigned int lb,
unsigned int ub, Char *rep)
DFA *d = malloc(sizeof(DFA));
Ins **work = malloc(sizeof(Ins*)*(ni+1));
unsigned int nc = ub - lb;
GoTo *goTo = malloc(sizeof(GoTo)*nc); // <=
Span *span = malloc(sizeof(Span)*nc);
d->lbChar = lb;
d->ubChar = ub;
memset((char*) goTo, 0, nc*sizeof(GoTo)); // <=
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 81, 80. genmodule.c 81
- V575 CWE-628 The potential null pointer is passed into 'fgets' function. Inspect the first argument. Check lines: 76, 59. genmacro.c 76
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 83, 82. main.c 83
- And 8 additional diagnostic messages.
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 154, 153. resampler.cc 154
int Resampler::Reset(int inFreq, int outFreq,
size_t num_channels) {
state1_ = malloc(8 * sizeof(int32_t));
memset(state1_, 0, 8 * sizeof(int32_t));
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 167, 166. resampler.cc 167
- V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 237, 236. resampler.cc 237
V575 CWE-628 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 47, 46. libxt_tcp.c 47
static void
parse_tcp_ports(const char *portstring, uint16_t *ports)
char *buffer;
char *cp;
buffer = strdup(portstring);
if ((cp = strchr(buffer, ':')) == NULL)
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 74, 72. libxt_sctp.c 74
- V575 CWE-628 The potential null pointer is passed into 'strcasecmp' function. Inspect the first argument. Check lines: 171, 166. libxt_sctp.c 171
- V575 CWE-628 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 111, 110. libip6t_mh.c 111
- And 79 additional diagnostic messages.
Vangers: One For The Road
V575 CWE-628 The potential null pointer is passed into 'strdup' function. Inspect the first argument. ivmap.cpp 309
char* iGetMergedName(char *name, char *path)
return strdup(out.c_str());
void ivrtMap::fileLoad(void)
XBuffer buf;
buf < fileName < (isCompressed ? ".vmc" : ".vmp");
std::string sbuf = strdup(iGetMergedName(buf.GetBuf(), iniName)), sbuf2;
int startR = sbuf.find("reso");
sbuf2 = sbuf.substr(startR, sbuf.size() - startR);
fname = strdup(sbuf2.c_str());
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'strlen' function. Inspect the first argument. Check lines: 2156, 2155. road.cpp 2156
- V575 CWE-628 The potential null pointer is passed into 'strlen' function. Inspect the first argument. Check lines: 810, 809. vmap.cpp 810
- V575 CWE-628 The potential null pointer is passed into 'strlen' function. Inspect the first argument. Check lines: 813, 812. vmap.cpp 813
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 406, 405. harfbuzz-thai.c 406
static void HB_ThaiAssignAttributes(....)
int *break_positions = 0;
break_positions = (int*) malloc (sizeof(int) * len);
memset (break_positions, 0, sizeof(int) * len);
Similar errors can be found in some other places:
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 2432, 2430. qbytearray.cpp 2432
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 2438, 2436. qbytearray.cpp 2438
- V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 2553, 2551. qstring.cpp 2553
- And 9 additional diagnostic messages.
V575 The null pointer is passed into 'free' function. Inspect the first argument. smartcard_pcsc.c 875
LPCWSTR mszGroups,
LPWSTR mszReaders,
LPDWORD pcchReaders)
LPSTR mszGroupsA = NULL;
mszGroups = NULL; /* mszGroups is not supported by pcsc-lite */
if (mszGroups)
ConvertFromUnicode(CP_UTF8,0, mszGroups, -1,
(char**) &mszGroupsA, 0,
status = PCSC_SCardListReaders_Internal(hContext, mszGroupsA,
(LPSTR) &mszReadersA,
if (status == SCARD_S_SUCCESS)
Similar errors can be found in some other places:
- V575 The null pointer is passed into 'free' function. Inspect the first argument. license.c 790
- V575 The null pointer is passed into 'free' function. Inspect the first argument. rdpsnd_alsa.c 575
Haiku Operating System
V575 The null pointer is passed into 'free' function. Inspect the first argument. setmime.cpp 727
delete fSmallIcon;
fSmallIcon = NULL;
delete fBigIcon;
fBigIcon = NULL;
fVectorIcon = NULL;
Haiku Operating System
V575 The null pointer is passed into 'free' function. Inspect the first argument. driver_settings.cpp 461
static settings_handle *
load_driver_settings_from_file(int file, const char *driverName)
handle = new_settings(text, driverName);
if (handle != NULL) {
// everything went fine!
return handle;
Similar errors can be found in some other places:
- V575 The null pointer is passed into 'free' function. Inspect the first argument. driver_settings.cpp 427
Haiku Operating System
V575 The null pointer is passed into 'free' function. Inspect the first argument. PackageFileHeapWriter.cpp 166
void* _GetBuffer()
void* buffer = malloc(fBufferSize);
if (buffer == NULL && !fBuffers.AddItem(buffer)) {
throw std::bad_alloc();
return buffer;
V575 The 'memset' function processes '0' elements. Inspect the third argument. winmain.cpp 2235
static void BuildScriptsMenu(HMENU menuBar, const fs::path& scriptsDir)
memset(&info, sizeof(info), 0);
info.cbSize = sizeof(info);
info.fMask = MIIM_SUBMENU;
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 39, 38. DVDOverlayImage.h:39
CDVDOverlayImage(const CDVDOverlayImage& src)
: CDVDOverlay(src)
data = (uint8_t*)malloc(src.linesize * src.height);
memcpy(data, src.data, src.linesize * src.height); // <=
palette = (uint32_t*)malloc(src.palette_colors * 4);
memcpy(palette, src.palette, src.palette_colors * 4); // <=
Similar errors can be found in some other places:
- V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 44, 43. DVDOverlayImage.h:44
V575 [CWE-628] The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. shell.c 427
static char *mntpt_prepare(char *mntpt)
char *cpy_mntpt;
cpy_mntpt = k_malloc(strlen(mntpt) + 1);
if (cpy_mntpt) {
((u8_t *)mntpt)[strlen(mntpt)] = '\0';
memcpy(cpy_mntpt, mntpt, strlen(mntpt));
return cpy_mntpt;
Command & Conquer
V575 The 'memset' function processes '0' elements. Inspect the third argument. DLLInterface.cpp 1103
void* __cdecl memset(
_Out_writes_bytes_all_(_Size) void* _Dst,
_In_ int _Val,
_In_ size_t _Size
extern "C" __declspec(dllexport) bool __cdecl CNC_Read_INI(....)
memset(ini_buffer, _ini_buffer_size, 0);
Similar errors can be found in some other places:
- V575 The 'memset' function processes '0' elements. Inspect the third argument. DLLInterface.cpp 1404
V575 [CWE-628] The 'memmove' function processes '0' elements. Inspect the third argument. memmove_common.c 82
do_memmove(char *dst, char *src, const char *file_name,
size_t dest_off, size_t src_off, size_t bytes,
memmove_fn fn, unsigned flags, persist_fn persist)
/* do the same using regular memmove and verify that buffers match */
memmove(dstshadow + dest_off, srcshadow + src_off, 0);
verify_contents(file_name, 2, dstshadow, dst, bytes);
verify_contents(file_name, 3, srcshadow, src, bytes);
V575 [CWE-628] The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. writer.c 41
#define MAX_BUF_LEN 10
struct my_root {
char buf[MAX_BUF_LEN];
main(int argc, char *argv[])
struct my_root *rootp = pmemobj_direct(root);
char buf[MAX_BUF_LEN] = {0};
TX_BEGIN(pop) {
pmemobj_tx_add_range(root, 0, sizeof(struct my_root));
memcpy(rootp->buf, buf, strlen(buf));
V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 340, 338. rtree_map.c 340
static void
remove_extra_node(TOID(struct tree_map_node) *node)
unsigned char *new_key = (unsigned char *)malloc(new_key_size);
assert(new_key != NULL);
memcpy(new_key, D_RO(tmp)->key, D_RO(tmp)->key_size);
Similar errors can be found in some other places:
- V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 133, 127. clo_vec.cpp 133
- V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 187, 184. clo_vec.cpp 187
- V575 [CWE-628] The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 446, 439. clo.cpp 446
- And 2 additional diagnostic messages.
V575 The 'strerror_s' function processes '0' elements. Inspect the second argument. commands-win32.c 1642
void qmp_guest_set_time(bool has_time, int64_t time_ns,
Error **errp)
if (GetLastError() != 0) {
strerror_s((LPTSTR) & msg_buffer, 0, errno);
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 73, 68. modelstate.cc 73
ModelState::decode_metadata(const DecoderState& state,
size_t num_results)
Metadata* ret = (Metadata*)malloc(sizeof(Metadata));
memcpy(ret, &metadata, sizeof(Metadata));
return ret;
Espressif IoT Development Framework
V575 The null pointer is passed into 'free' function. Inspect the first argument. sae.c 1185
static int sae_parse_password_identifier(struct sae_data *sae,
const u8 *pos, const u8 *end)
wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame",
pos, end - pos);
if (!sae_is_password_id_elem(pos, end)) {
if (sae->tmp->pw_id) {
"SAE: No Password Identifier included, but expected one (%s)",
sae->tmp->pw_id = NULL;
return WLAN_STATUS_SUCCESS; /* No Password Identifier */
V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 277, 276. qqmlprofilerevent_p.h 277
void assignData(const QQmlProfilerEvent &other)
if (m_dataType & External) {
uint length = m_dataLength * (other.m_dataType / 8);
m_data.external = malloc(length); // <=
memcpy(m_data.external, other.m_data.external, length); // <=
} else {
memcpy(&m_data, &other.m_data, sizeof(m_data));
Similar errors can be found in some other places:
- V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 290, 287. qobject_p.h 290
- V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 3104, 3103. qmetaobject.cpp 3104
- V575 [CWE-628] The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1486, 1485. qmetaobjectbuilder.cpp 1486
- And 21 additional diagnostic messages.
V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 487, 486. sc_report_handler.cpp 487
sc_msg_def * sc_report_handler::add_msg_type(const char * msg_type_)
items->md->msg_type_data = (char*) malloc(msg_type_len+1);
strcpy( items->md->msg_type_data, msg_type_ );
Similar errors can be found in some other places:
- V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 683, 682. sc_report_handler.cpp 683
V575 The null pointer is passed into 'free' function. Inspect the first argument. sdf_us_ssn.c 202
int ParseSSNGroups(....)
FILE *ssn_file;
char *contents;
contents = (char *)malloc(length + 1);
if (contents == NULL)
_dpd.logMsg("Sensitive Data preprocessor: Failed to allocate memory "
"for SSN groups.\n");
return -1;
return 0;
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 1142, 1139. jsonsl.c:1142
void jsonsl_jpr_match_state_init(jsonsl_t jsn,
jsonsl_jpr_t *jprs,
size_t njprs)
size_t ii, *firstjmp;
jsn->jprs = (jsonsl_jpr_t *)malloc(sizeof(jsonsl_jpr_t) * njprs);
jsn->jpr_count = njprs;
jsn->jpr_root = (size_t*)calloc(1, sizeof(size_t) * njprs * jsn->levels_max);
memcpy(jsn->jprs, jprs, sizeof(jsonsl_jpr_t) * njprs);
/* Set the initial jump table values */
firstjmp = jsn->jpr_root;
for (ii = 0; ii < njprs; ii++) {
firstjmp[ii] = ii+1;
V575 [CWE-628, CERT-EXP37-C] The 'memset' function processes the pointer to enum type. Inspect the first argument. TargetLoweringBase.cpp 662
enum CondCode {
// Opcode N U L G E Intuitive operation
SETFALSE, // 0 0 0 0 Always false (always folded)
SETOEQ, // 0 0 0 1 True if ordered and equal
SETCC_INVALID // Marker value.
static void InitCmpLibcallCCs(ISD::CondCode *CCs) {
V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. subghz_scene_save_name.c 22
void subghz_scene_save_name_on_enter(void* context) {
SubGhz* subghz = context;
memcpy(subghz->file_name_tmp, subghz->file_name, strlen(subghz->file_name));
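The effect of the flagged call when the destination buffer is reused, next to a bounded copy that always writes the terminator. This is an added example, not code from the project; the buffer size, function names and file names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16 /* assumed buffer size for this example */

/* Flagged pattern: strlen() bytes are copied, the terminating '\0' is not. */
static void save_name_flagged(char *dst, const char *src)
{
    memcpy(dst, src, strlen(src));
}

/* Bounded copy that always terminates dst.
 * Returns 0 on success, -1 on bad arguments or if src had to be truncated. */
static int save_name_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1); /* n + 1 includes the terminator */
    return 0;
}

/* Constructed scenario: the buffer still holds an earlier, longer name. */
static const char *reuse_buffer(int use_checked, const char *name)
{
    static char tmp[NAME_BUF];
    strcpy(tmp, "garage_door");
    if (use_checked)
        (void)save_name_checked(tmp, sizeof tmp, name);
    else
        save_name_flagged(tmp, name);
    return tmp;
}

int main(void)
{
    printf("flagged: %s\n", reuse_buffer(0, "gate"));
    printf("checked: %s\n", reuse_buffer(1, "gate"));
    printf("too long: %s\n", reuse_buffer(1, "a_name_longer_than_the_buffer"));
    return 0;
}
```

With the flagged variant the tail of the earlier name stays in the buffer; if the buffer had never been initialised, later string functions would read past the copied bytes until they happened to find a zero.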
V575 [CWE-628, CERT-EXP37-C] The 'memset' function processes '0' elements. Inspect the third argument. space_buttons.c 868
static void buttons_id_remap(....)
for (int i = 0; i < path->len; i++) {
switch (BKE_id_remapper_apply(....)) {
path->len = i;
if (i != 0) {
memset(&path->ptr[i], 0, sizeof(path->ptr[i]) * (path->len - i));
V575 [CWE-628, CERT-EXP37-C] The 'memmove' function processes '0' elements. Inspect the third argument. text_draw.cc 673
static void space_text_update_drawcache(SpaceText *st,
const ARegion *region)
if (st->wordwrap)
if (drawcache->update)
drawcache->valid_tail = drawcache->valid_head = 0;
memmove(new_tail, old_tail, drawcache->valid_tail);
V575 [CWE-628, CERT-EXP37-C] The 'realloc' function processes '0' elements. Inspect the second argument. rigidbody.cc 1696
static void rigidbody_update_ob_array(RigidBodyWorld *rbw)
if (rbw->group == nullptr)
rbw->numbodies = 0;
rbw->objects = static_cast<Object **>(realloc(rbw->objects, 0));
V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'memset' function. Inspect the first argument. MemRefUtils.h 194
OwningMemRef &operator=(const OwningMemRef &&other) {
freeFunc = other.freeFunc;
descriptor = other.descriptor;
other.freeFunc = nullptr;
memset(0, &other.descriptor, sizeof(other.descriptor));
V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'g_free' function. Inspect the first argument. gtkcssparser.c 189
gtk_css_parser_resolve_url (GtkCssParser *self,
const char *url)
char *scheme;
scheme = g_uri_parse_scheme (url);
if (scheme != NULL)
GFile *file = g_file_new_for_uri (url);
g_free (scheme);
return file;
g_free (scheme); // <=
if (self->directory == NULL)
return NULL;
return g_file_resolve_relative_path (self->directory, url);
V575 The 'memset' function processes '0' elements. Inspect the third argument. info.cpp 518
void PClassActor::InitializeDefaults()
if (MetaSize > 0)
memcpy(Meta, ParentClass->Meta, ParentClass->MetaSize);
memset(Meta, 0, MetaSize);
Dagor Engine
V575 The null pointer is passed into 'operator delete'. Inspect the argument. DagorEngine/prog/engine/scene/sh3LtMgr.cpp 435
SH3LightingData *SH3LightingData::loadBinary(IGenLoad &crd)
SH3LightingData *data =
new (memalloc(sz, midmem), _NEW_INPLACE) SH3LightingData;
return data;
int SH3LightingManager::loadLtDataBinary(IGenLoad &crd, unsigned id)
SH3LightingData *ltData = SH3LightingData::loadBinary(crd);
if (!ltData)
delete ltData;
return -1;
return addLtData(ltData, id);
Dagor Engine
V575 The 'munmap' function processes '0' elements. Inspect the second argument. DagorEngine/prog/1stPartyLibs/daScript/src/builtin/module_builtin_fio.cpp 214
void builtin_map_file(const FILE* f,
const TBlock<void, TTemporary<TArray<uint8_t>>>& blk,
Context* context, LineInfoArg * at) {
munmap(data, 0);
V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'free' function. Inspect the first argument. oci_import.c 75
static void free_import_desc(import_desc *desc)
if (desc == NULL) {
desc->manifest = NULL;
desc->manifest_digest = NULL;
desc->config = NULL;
desc->config_digest = NULL;
free(desc->uncompressed_digest); // <=
desc->uncompressed_digest = NULL; // <=
desc->compressed_digest = NULL;
desc->tag = NULL;
free(desc->uncompressed_digest); // <=
desc->uncompressed_digest = NULL; // <=
desc->layer_file = NULL;
desc->layer_of_hold_refs = NULL;
V575 [CWE-628, CERT-EXP37-C] The null pointer is passed into 'free' function. Inspect the first argument. image.c 605
void free_im_prepare_request(im_prepare_request *request)
if (request == NULL) {
request->image_name = NULL;
request->container_id = NULL;
request->rootfs = NULL;
request->image_type = NULL;
free(request->mount_label); // <=
request->mount_label = NULL; // <=
free(request->mount_label); // <=
request->mount_label = NULL; // <=
request->storage_opt = NULL;
V575 [CERT-EXP37-C] The null pointer is passed into 'move' function. Inspect the first argument. xml_parse_utils.hpp 249
inline ParseResult parse_xml(const char* file_path)
auto xml = std::unique_ptr<pugi::
xml_document>{new pugi::xml_document{}};
const auto error_msg = [&]() -> std::string {....}();
return {std::move(xml), error_msg};
catch (std::exception& e)
return {std::move(nullptr),std::string(
"Error loading XML file: ") + e.what()};
V575 [CERT-EXP37-C] The null pointer is passed into 'operator delete'. Inspect the argument. w_dirent.h 94
if (!next)
delete next;
next = nullptr;
V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2622
int qat_sym_cd_auth_set(....)
uint16_t state1_size = 0, state2_size = 0, cd_extra_size = 0;
switch (cdesc->qat_hash_alg) {
/* Plain SHA3-224 */
memset(cdesc->cd_cur_ptr, 0, state1_size); // <= BUG N1
state1_size = qat_hash_get_state1_size(
/* Plain SHA3-256 */
memset(cdesc->cd_cur_ptr, 0, state1_size); // <= BUG N2
state1_size = qat_hash_get_state1_size(
/* Plain SHA3-384 */
memset(cdesc->cd_cur_ptr, 0, state1_size); // <= BUG N3
state1_size = qat_hash_get_state1_size(
/* Plain SHA3-512 */
memset(cdesc->cd_cur_ptr, 0, state1_size); // <= BUG N4
state1_size = qat_hash_get_state1_size(
Similar errors can be found in some other places:
- V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2628
- V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2634
- V575 The 'memset' function processes '0' elements. Inspect the third argument. qat_sym_session.c 2640
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 28, 27. sz_double.c 28
unsigned char*
SZ_skip_compress_double(double* data, size_t dataLength, size_t* outSize)
*outSize = dataLength*sizeof(double);
unsigned char* out = (unsigned char*)malloc(dataLength*sizeof(double));
memcpy(out, data, dataLength*sizeof(double));
return out;
Similar errors can be found in some other places:
- V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 51, 50. sz_double.c 51
- V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 273, 272. sz_double.c 273
- V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 380, 379. sz_double.c 380
- And 45 additional diagnostic messages.
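A checked form of the allocate-then-copy pattern behind the "potential null pointer" warnings above (the 'strcpy', 'memcpy' and 'memset' cases), using the same argument shape as SZ_skip_compress_double. This is an added example, not code from any of the listed projects; the function names are hypothetical, and the wrap-around guard on the byte count is an extra defensive step that goes beyond what V575 reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy dataLength doubles into a new heap buffer as raw bytes.
 * On any failure returns NULL and leaves *outSize at 0, so a caller never
 * sees a size that is not backed by a valid buffer. */
static unsigned char *copy_doubles_checked(const double *data,
                                           size_t dataLength, size_t *outSize)
{
    unsigned char *out;
    size_t bytes;
    if (outSize == NULL)
        return NULL;
    *outSize = 0;
    if (data == NULL || dataLength == 0)
        return NULL;
    if (dataLength > SIZE_MAX / sizeof(double))
        return NULL;          /* byte count would wrap around */
    bytes = dataLength * sizeof(double);
    out = malloc(bytes);
    if (out == NULL)          /* the check the warning asks for */
        return NULL;
    memcpy(out, data, bytes);
    *outSize = bytes;
    return out;
}

/* Constructed input: returns 1 if the copy matches the source bytes. */
static int roundtrip_ok(void)
{
    const double sample[3] = { 1.5, -2.25, 1e9 };
    size_t n = 0;
    unsigned char *out = copy_doubles_checked(sample, 3, &n);
    int ok = out != NULL && n == sizeof sample && memcmp(out, sample, n) == 0;
    free(out);
    return ok;
}

/* Size reported for a request whose byte count cannot be represented. */
static size_t size_after_rejected_request(void)
{
    const double one = 0.0;
    size_t n = 123;
    unsigned char *out = copy_doubles_checked(&one, SIZE_MAX / 2, &n);
    if (out != NULL) { free(out); return (size_t)-1; }
    return n;
}

int main(void)
{
    printf("roundtrip_ok=%d rejected_size=%zu\n",
           roundtrip_ok(), size_after_rejected_request());
    return 0;
}
```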