Examples of errors detected by the V512 diagnostic


V512. A call of the 'Foo' function will lead to a buffer overflow or underflow.


OGRE

V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. OgreMain ogrequaternion.h 87


Real w, x, y, z;
...

inline Quaternion(Real* valptr)
{
  memcpy(&w, valptr, sizeof(Real)*4);
}

There is no error here, but the code is fragile: copying sizeof(Real)*4 bytes into &w only works while w, x, y, z remain adjacent members of the same type with nothing between them. Assigning the four members from valptr[0..3] explicitly does not depend on the layout.


SMTP Client

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. CSmtp md5.cpp 212


void MD5::finalize () {
  ...
  uint1 buffer[64];
  ...
  // Zeroize sensitive information
  memset (buffer, 0, sizeof(*buffer));
  ...
}

sizeof(*buffer) is the size of one element, i.e. one byte, so only the first byte of the scratch buffer is zeroed and the remaining 63 bytes of hash state stay in memory. Most likely this is what should be written here: memset (buffer, 0, sizeof(buffer)); Note that even with the correct size, a plain memset on a buffer that is never read again is a dead store the optimizer may remove; for sensitive data use a wipe the compiler cannot discard (memset_s, explicit_bzero, or stores through a volatile pointer).
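
As an added example (not code from the CSmtp project), the same wipe done with the full buffer size and through a routine the optimizer cannot drop. The two functions return how many bytes still hold data after each variant; the 0xA5 fill stands in for the hash state and is constructed for the demo.

```c
/* Added example: zeroizing a sensitive buffer with the right size and in a
 * way the compiler may not elide. Not code from the CSmtp project. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Plain memset() on a buffer that is never read again is a dead store the
 * optimizer may remove. Writing through a volatile pointer forces every
 * store to be emitted (the approach used by explicit_bzero() ports). */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* Count the bytes of a buffer that still hold non-zero data. */
static size_t nonzero_bytes(const uint8_t *p, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (p[i] != 0);
    return count;
}

/* The CSmtp pattern: sizeof(*buffer) is the size of one element, 1 byte. */
size_t leftover_after_wrong_wipe(void)
{
    uint8_t buffer[64];
    memset(buffer, 0xA5, sizeof(buffer));        /* constructed "sensitive" data */
    memset(buffer, 0, sizeof(*buffer));          /* wipes exactly one byte */
    return nonzero_bytes(buffer, sizeof(buffer)); /* 63 bytes survive */
}

/* sizeof(buffer) is the whole array, and secure_zero() survives optimization. */
size_t leftover_after_right_wipe(void)
{
    uint8_t buffer[64];
    memset(buffer, 0xA5, sizeof(buffer));
    secure_zero(buffer, sizeof(buffer));
    return nonzero_bytes(buffer, sizeof(buffer)); /* 0 */
}
```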


Fennec Media

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. base windows.c 150


#define uinput_size       1024
typedef wchar_t letter;

letter  uinput_text[uinput_size];

string basewindows_getuserinput(const string title,
  const string cap, const string dtxt)
{
  memset(uinput_text, 0, uinput_size);
  ...
}

At first sight everything is fine with "memset(uinput_text, 0, uinput_size);". Perhaps it even was fine when the 'letter' type was 'char'. But now it is 'wchar_t', so uinput_size is a count of characters, not bytes, and only half of the buffer is zeroed (sizeof(wchar_t) is 2 on Windows).


Fennec Media

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. base windows.c 2892


typedef wchar_t letter;

letter name[30];

int Conv_EqualizerProc(HWND hwnd,UINT uMsg,
  WPARAM wParam,LPARAM lParam)
{
  ...
  memset(eqp.name, 0, 30);
  ...
}

This is what should have been written here: sizeof(letter) * 30, or simply sizeof(eqp.name) if the field is the array itself.


Notepad++

V512 A call of the memset function will lead to a buffer overflow or underflow


#define CONT_MAP_MAX 50
int _iContMap[CONT_MAP_MAX];
...
DockingManager::DockingManager()
{
  ...
  memset(_iContMap, -1, CONT_MAP_MAX);
  ...
}

This is what should have been written here: memset(_iContMap, -1, CONT_MAP_MAX * sizeof(int));
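
As an added example covering the Fennec Media (wchar_t) and Notepad++ (int) cases above, not code from either project: a byte-count helper that refuses to compile when handed a pointer instead of an array, and two functions that report how much of each buffer the element-count memset actually touched. The buffers and their contents are constructed for the demo; ARRAY_BYTES relies on the GCC/Clang extensions __builtin_types_compatible_p and __typeof__.

```c
/* Added example: element counts are not byte counts. Not code from Fennec
 * Media or Notepad++; the buffers and their contents are constructed. */
#include <stddef.h>
#include <string.h>

/* Byte size of a real array. If a pointer is passed, sizeof would silently
 * become sizeof(void *); the char[-1] makes that a compile error instead.
 * __builtin_types_compatible_p and __typeof__ are GCC/Clang extensions. */
#define ARRAY_BYTES(a) \
    (sizeof(a) + 0 * sizeof(char[__builtin_types_compatible_p( \
        __typeof__(a), __typeof__(&(a)[0])) ? -1 : 1]))

#define uinput_size  1024
#define CONT_MAP_MAX 50

typedef wchar_t letter;

/* Count the wide characters that still hold the fill value after a wipe. */
static size_t wide_chars_left(int use_array_bytes)
{
    letter uinput_text[uinput_size];
    for (size_t i = 0; i < uinput_size; i++)
        uinput_text[i] = L'A';                      /* constructed content */

    /* Fennec pattern: uinput_size counts letters, memset wants bytes */
    size_t wipe = use_array_bytes ? ARRAY_BYTES(uinput_text) : uinput_size;
    memset(uinput_text, 0, wipe);

    size_t left = 0;
    for (size_t i = 0; i < uinput_size; i++)
        left += (uinput_text[i] != 0);
    return left;
}

size_t wide_chars_left_after_wrong_memset(void) { return wide_chars_left(0); }
size_t wide_chars_left_after_right_memset(void) { return wide_chars_left(1); }

/* Notepad++ pattern: memset(map, -1, CONT_MAP_MAX) fills CONT_MAP_MAX bytes,
 * so only CONT_MAP_MAX / sizeof(int) entries read back as -1; the next entry
 * is partially filled and the rest are untouched. */
size_t entries_set_to_minus_one(int use_array_bytes)
{
    int iContMap[CONT_MAP_MAX] = { 0 };
    size_t wipe = use_array_bytes ? ARRAY_BYTES(iContMap) : CONT_MAP_MAX;
    memset(iContMap, -1, wipe);

    size_t n = 0;
    for (size_t i = 0; i < CONT_MAP_MAX; i++)
        n += (iContMap[i] == -1);
    return n;
}
```

The expected values depend on the platform's sizeof(wchar_t) and sizeof(int), which is exactly why a hard-coded element count is the wrong unit for memset.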


Game_Music_Emu library

V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. game-music-emu nsfe_emu.cpp 162


struct header_t
{
  ...
  byte load_addr [2];
  byte init_addr [2];
  byte play_addr [2];
  ...
}

blargg_err_t Nsfe_Info::load( Data_Reader& in,
                              Nsf_Emu* nsf_emu )
{
  ...
  memcpy( info.load_addr, finfo.load_addr, 2 * 3 );
  ...
}

There is no error here, but the code is fragile: copying 2 * 3 bytes from load_addr assumes that load_addr, init_addr and play_addr are laid out contiguously in the structure. Three separate copies, or a single array of three addresses, would not depend on the layout.


Wolfenstein 3D

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. cgame bg_animation.c 999


typedef struct
{
  short int bodyPart[2];
  short int animIndex[2];
  short int animDuration[2];
  short int soundIndex;
  short int accShowBits;
  short int accHideBits;
} animScriptCommand_t;

void BG_ParseCommands(....) {
  ...
  animScriptCommand_t *command = NULL;
  ...
  memset( command, 0, sizeof( command ) );
  ...
}

sizeof(command) is the size of the pointer, not of the structure. This is what should have been written here: sizeof(*command)


Wolfenstein 3D

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. wolf cvar.c 764


typedef struct cvar_s {
  char        *name;
  ...
  struct cvar_s *hashNext;
} cvar_t;

void Cvar_Restart_f( void ) {
  cvar_t  *var;
  ...
  memset( var, 0, sizeof( var ) );
  ...
}

This is what should have been written here: memset( var, 0, sizeof( *var ) );
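
As an added example for the two Wolfenstein 3D cases above (not code from the project): a ZERO_OBJECT macro that always takes the size of the pointed-to object, and two functions that return how many bytes of a structure survive a memset sized by the pointer versus by the object. The cvar_s layout is constructed for the demo and only stands in for the real one.

```c
/* Added example: sizeof(pointer) versus sizeof(*pointer). Not code from
 * Wolfenstein 3D; the cvar_s layout below is constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Clear the object a pointer points to, never the pointer itself. */
#define ZERO_OBJECT(p) memset((p), 0, sizeof(*(p)))

typedef struct cvar_s {
    char *name;
    char *string;
    int   flags;
    float value;
    int   integer;
    struct cvar_s *hashNext;
} cvar_t;

/* Count the bytes of the structure that still carry the 0xCC marker. */
static size_t marker_bytes_left(const cvar_t *var)
{
    const uint8_t *p = (const uint8_t *)var;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*var); i++)
        n += (p[i] == 0xCC);
    return n;
}

/* The bug as written in cvar.c: sizeof(var) is the size of a pointer. */
size_t left_after_sizeof_pointer(void)
{
    cvar_t v;
    cvar_t *var = &v;
    memset(var, 0xCC, sizeof(*var));          /* constructed marker fill */
    const size_t wrong = sizeof(var);         /* 4 or 8 bytes, not the struct */
    memset(var, 0, wrong);
    return marker_bytes_left(var);            /* sizeof(cvar_t) - sizeof(void *) */
}

/* The fix: size taken from the object. */
size_t left_after_zero_object(void)
{
    cvar_t v;
    cvar_t *var = &v;
    memset(var, 0xCC, sizeof(*var));
    ZERO_OBJECT(var);
    return marker_bytes_left(var);            /* 0 */
}
```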


Newton Game Dynamics

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. physics dgcollisioncompoundbreakable.cpp 702


dgCollisionCompoundBreakable::dgCollisionCompoundBreakable (....)
{
  ...
  dgInt32 faceOffsetHitogram[256];
  dgSubMesh* mainSegmenst[256];
  ...
  memset(faceOffsetHitogram, 0, sizeof(faceOffsetHitogram));
  memset(mainSegmenst, 0, sizeof(faceOffsetHitogram));
  ...
}

A 64-bit error, and a consequence of copy-paste. In a 64-bit build a pointer is 8 bytes while dgInt32 stays 4, so sizeof(faceOffsetHitogram) is half of sizeof(mainSegmenst) and only the first half of the mainSegmenst array is cleared. The second call should use sizeof(mainSegmenst).


Miranda IM

V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. tabsrmm utils.cpp 1080


typedef struct _textrangew
{
  CHARRANGE chrg;
  LPWSTR lpstrText;
} TEXTRANGEW;

const wchar_t* Utils::extractURLFromRichEdit(....)
{
  ...
  ::CopyMemory(tr.lpstrText, L"mailto:", 7);
  ...
}

This is what should have been written here: sizeof(wchar_t) * 7


Chromium

V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. base time_win.cc 227


void Time::Explode(bool is_local, Exploded* exploded) const
{
  ...
  ZeroMemory(exploded, sizeof(exploded));
  ...
}

This is what should have been written here: sizeof(*exploded)


Chromium

V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. platform time_win.cc 116


void NaCl::Time::Explode(bool is_local,
                         Exploded* exploded) const
{
  ...
  ZeroMemory(exploded, sizeof(exploded));
  ...
}

This is what should have been written here: sizeof(*exploded)


QT

V512 A call of the 'memset' function will lead to underflow of the buffer 's_attr_table'. qt3to4 cpplexer.cpp 77


int s_attr_table[256];

void CppLexer::setupScanTable()
{
  ...
  memset(s_attr_table, 0, 256);
  ...
}

This is what should have been written here: sizeof(int) * 256

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer 's_attr_table'. qt3to4 rpplexer.cpp 60

Apache HTTP Server

V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 560


#define MEMSET_BZERO(p,l)       memset((p), 0, (l))

void apr__SHA256_Final(sha2_byte digest[],
                       SHA256_CTX* context) {
  ...
  MEMSET_BZERO(context, sizeof(context));
  ...
}

This is what should have been written here: sizeof(*context)

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 581
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 892
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 912
  • And 2 additional diagnostic messages.

Energy Checker SDK

V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 683


#define PL_MAX_PATH 255
typedef WCHAR TCHAR, *PTCHAR;
TCHAR pl_cvt_buffer[PL_MAX_PATH] = { '\0' };

int plh_read_pl_config_ini_file(....)
{
  ...
  ZeroMemory(
    pl_cvt_buffer,
    PL_MAX_PATH
  );
  ...
}

This is what should have been written here: PL_MAX_PATH * sizeof(TCHAR)

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 714
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 745
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 789
  • And 5 additional diagnostic messages.

Energy Checker SDK

V512 A call of the 'memset' function will lead to underflow of the buffer 'pconfig'. pl_csv_logger productivity_link_helper.c 1806


typedef struct _plh_dynamic_pl_folder_info {
...
} PLH_DYNAMIC_PL_FOLDER_INFO, *PPLH_DYNAMIC_PL_FOLDER_INFO;

int plh_dynamic_read_pl_folder(
  PPLH_DYNAMIC_PL_FOLDER_INFO pconfig)
{
  ...
  memset(
    pconfig,
    0,
    sizeof(pconfig)
  );
  ...
}

This is what should have been written here: sizeof(*pconfig)


Energy Checker SDK

V512 A call of the 'memset' function will lead to underflow of the buffer 'temp'. core_api_unit_tests unit_tests_tools.c 379


void plt_tools_get_pl_config_full_file_name(char *buffer) {
  ...
  char temp[PL_MAX_PATH] = { '\0' };
  ...
  memset(
    temp,
    0,
    sizeof(buffer)
  );
  ...
}

This is what should have been written here: sizeof(temp)


Far Manager

V512 A call of the 'memset' function will lead to underflow of the buffer 'PInfo'. far filelist.cpp 672


__int64 FileList::VMProcess(int OpCode,void *vParam,
                            __int64 iParam)
{
  ...
  PluginInfo *PInfo=(PluginInfo *)vParam;
  memset(PInfo,0,sizeof(PInfo));
  PInfo->StructSize=sizeof(PInfo);
  ...
}

Both lines use the size of the pointer: the memset clears only 4 or 8 bytes, and StructSize, which the plugin API uses to tell structure versions apart, is set to the pointer size as well. This is what should have been written here: memset(PInfo, 0, sizeof(PluginInfo)); PInfo->StructSize = sizeof(PluginInfo);


ReactOS

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'buffer'. user32 dllmain.c 162


VOID
UnloadAppInitDlls()
{
  ...
  WCHAR buffer[KEY_LENGTH];
  ...
  RtlCopyMemory(buffer, szAppInit, KEY_LENGTH);
  ...
}

Multiplication by sizeof(WCHAR) is missing, which causes copying only half of the data. This is what the code should look like: RtlCopyMemory(buffer, szAppInit, KEY_LENGTH * sizeof(WCHAR)).


ReactOS

V512 A call of the 'memset' function will lead to underflow of the buffer '((file_path))'. sndrec32 sndrec32.cpp 769


typedef WCHAR TCHAR,*PTCHAR;
TCHAR file_path[MAX_PATH];

#define MAX_PATH 260

LRESULT CALLBACK
WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam )
{
  ...
  ZeroMemory( file_path, MAX_PATH );
  ...
}

This is what should have been written here: ZeroMemory( file_path, MAX_PATH * sizeof(TCHAR));

Identical errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to a buffer underflow. smss client.c 442

ReactOS

V512 A call of the 'memset' function will lead to underflow of the buffer '((pfd))'. shell32 pidl.c 1160


HRESULT WINAPI SHGetDataFromIDListW(....)
{
  ...
  WIN32_FIND_DATAW * pfd = dest;
  ...
  ZeroMemory(pfd, sizeof (WIN32_FIND_DATAA));
}

The size is taken from the ANSI variant of the structure, which is smaller than the wide one. This is what should have been written here: sizeof(WIN32_FIND_DATAW)

ReactOS

V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 991


#define MEMSET_BZERO(p,l) memset((p), 0, (l))

char *SHA384_End(SHA384_CTX* context, char buffer[]) {
  ...
  MEMSET_BZERO(context, sizeof(context));
  ...
}

This is what should have been written here: sizeof(*context).

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 566
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 587
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 896
  • And 2 additional diagnostic messages.

ReactOS

V512 A call of the 'memcmp' function will lead to underflow of the buffer 'guidentry'. oleaut32 typelib2.c 320


#define IsEqualGUID(rguid1, rguid2) \
  (!memcmp(&(rguid1), &(rguid2), sizeof(GUID)))

static int ctl2_find_guid(....)
{
  MSFT_GuidEntry *guidentry;
  ...
  if (IsEqualGUID(guidentry, guid)) return offset;
  ...
}

Macros are evil! They can hide errors very well. The error is this: guidentry is a pointer, so the macro takes the address of the pointer variable and compares the bytes of the pointer itself (and whatever lies beyond it) instead of the GUID it points to. This is what should have been written here: if (IsEqualGUID(*guidentry, guid)) return offset;

Identical errors can be found in some other places:

  • V512 A call of the 'memcmp' function will lead to overflow of the buffer '& (pguidCmdGroup)'. browseui bandsite.cpp 722

IPP Samples

V512 A call of the 'memset' function will lead to underflow of the buffer 'MEParams'. vc1_enc umc_vc1_enc_adv.cpp 1767


UMC::Status
VC1EncoderADV::SetMEParams_I_Field(UMC::MeParams* MEParams)
{
  UMC::Status umcSts = UMC::UMC_OK;
  memset(MEParams,0,sizeof(MEParams));
  ...
}

This is what should have been written here: memset(MEParams,0,sizeof(*MEParams));


Doom 3

V512 A call of the 'memset' function will lead to underflow of the buffer 'ase.currentMesh'. DoomDLL model_ase.cpp 731


aseMesh_t *currentMesh;

static void ASE_KeyGEOMOBJECT( const char *token )
{
  ...
  ase.currentMesh = &ase.currentObject->mesh;
  memset( ase.currentMesh, 0, sizeof( ase.currentMesh ) );
  ...
}

This is what should have been written here: memset( ase.currentMesh, 0, sizeof( *ase.currentMesh ) );


Doom 3

V512 A call of the 'memset' function will lead to underflow of the buffer '& cluster'. DoomDLL aasfile.cpp 1312


void idAASFileLocal::DeleteClusters( void ) {
  ...
  memset( &portal, 0, sizeof( portal ) );
  portals.Append( portal );

  // first cluster is a dummy
  memset( &cluster, 0, sizeof( portal ) );
  clusters.Append( cluster );
}

This is what should have been written here: memset( &cluster, 0, sizeof( cluster ) );


Mozilla Firefox

V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. time_win.cc 198


void Time::Explode(bool is_local, Exploded* exploded) const {
  ...
  ZeroMemory(exploded, sizeof(exploded));
  ...
}

This is what should have been written here: ZeroMemory(exploded, sizeof(*exploded));


ADAPTIVE Communication Environment (ACE)

V512 A call of the 'memcmp' function will lead to underflow of the buffer 'expected_msg.payload'. Send_Msg_Receiver receiver.cpp 109


struct Message
{
  unsigned int sn;
  unsigned short payload[payload_size];
};

int
ACE_TMAIN (int argc, ACE_TCHAR* argv[])
{
  ...
  if (ACE_OS::memcmp (expected_msg.payload,
                      msg.payload,
                      payload_size) != 0)
  {
    damaged[msg.sn] = 1;
  }
  ...
}

Most likely this is what should be written here: payload_size * sizeof(unsigned short), or simply sizeof(expected_msg.payload). As written, only the first half of the payload is compared and damage in the second half goes unnoticed.

Identical errors can be found in some other places:

  • V512 A call of the 'memcmp' function will lead to underflow of the buffer 'expected_msg.payload'. RMCast_Receiver receiver.cpp 102

UCSniff

V512 A call of the 'memcpy' function will lead to the '"sip"' buffer becoming out of range. targets.c 566


struct targets{
  char ip[MAX_ASCII_ADDR_LEN];
  u_char mac[MAX_ASCII_ADDR_LEN];
  char extension[64];
  char dirname[64];
  char protocol[11];
  char ua[48];
  char misc[64];
};

void sip_targetlookup(sipDB* currentSipCall)
{
  ...
  memcpy(targettab[targetcount].protocol,
         "sip",
         sizeof(targettab[targetcount].protocol));
  ...
}

The size is taken from the destination field, so 11 bytes are read from the 4-byte string literal "sip"; the bytes past its terminator are read out of bounds. The copy has to be bounded by the source, for example memcpy with sizeof("sip"), or a string copy that stops at the terminator and zero-fills the field.

Identical errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to the '"sip"' buffer becoming out of range. targets.c 631

DeSmuME

V512 A call of the 'memset' function will lead to underflow of the buffer 'MapView'. DeSmuME_VS2005 mapview.cpp 204


mapview_struct *MapView = NULL;

BOOL CALLBACK ViewMapsProc (HWND hwnd, UINT message,
                            WPARAM wParam, LPARAM lParam)
{
  ...
  MapView = new mapview_struct;
  memset(MapView, 0, sizeof(MapView));
  ...
}

This is what should have been written here: memset(MapView, 0, sizeof(*MapView));


MAME

V512 A call of the 'memcpy' function will lead to the '& rawheader[100]' buffer becoming out of range. chd.c 1870


#define CHD_SHA1_BYTES    20
#define CHD_V4_HEADER_SIZE   108
#define CHD_MAX_HEADER_SIZE   CHD_V4_HEADER_SIZE

static chd_error header_read(...., chd_header *header)
{
  UINT8 rawheader[CHD_MAX_HEADER_SIZE];
  ...
  memcpy(header->parentsha1, &rawheader[100],
         CHD_SHA1_BYTES);
  ...
}

rawheader holds CHD_MAX_HEADER_SIZE == 108 bytes, so copying CHD_SHA1_BYTES == 20 bytes from offset 100 reads 12 bytes past the end of the array. Either the header buffer is too small for the field or the offset is wrong; the read needs to be checked against the buffer size.

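As an added example for the UCSniff and MAME cases above (not code from either project): a bounds-checked field read and a string copy that is bounded by the source as well as the destination. read_field() and copy_field() are names chosen for this demo; the 108-byte header and the strings are constructed.

```c
/* Added example: bound a copy by the source as well as the destination.
 * Not code from UCSniff or MAME; read_field() and copy_field() are names
 * chosen for this demo and the header bytes are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHD_SHA1_BYTES      20
#define CHD_V4_HEADER_SIZE  108

/* Copy n bytes starting at offset off out of a buf_len-byte buffer.
 * The check is written as n > buf_len - off so that off + n cannot wrap. */
bool read_field(const uint8_t *buf, size_t buf_len, size_t off,
                void *out, size_t n)
{
    if (off > buf_len || n > buf_len - off)
        return false;
    memcpy(out, buf + off, n);
    return true;
}

/* Length of s, never looking further than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Copy a C string into a fixed-size char field. Reads no further than the
 * source's terminator, always NUL-terminates, and zero-fills the remainder
 * so no stale bytes leak if the structure is later written out.
 * Returns true when the whole string fit. */
bool copy_field(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    size_t len  = bounded_len(src, dst_size);
    bool   fits = len < dst_size;
    size_t copy = fits ? len : dst_size - 1;
    memcpy(dst, src, copy);
    memset(dst + copy, 0, dst_size - copy);
    return fits;
}

/* MAME case: a 108-byte header, 20 bytes wanted at a given offset. */
bool parent_sha1_read_accepted(size_t offset)
{
    uint8_t rawheader[CHD_V4_HEADER_SIZE];
    uint8_t parentsha1[CHD_SHA1_BYTES];
    memset(rawheader, 0x11, sizeof(rawheader));     /* constructed header */
    return read_field(rawheader, sizeof(rawheader), offset,
                      parentsha1, sizeof(parentsha1));
}

/* UCSniff case: "sip" into an 11-byte protocol field. */
bool sip_protocol_field_ok(void)
{
    char protocol[11];
    memset(protocol, 0x7f, sizeof(protocol));        /* stale bytes to be cleared */
    bool fits = copy_field(protocol, sizeof(protocol), "sip");
    bool tail_zeroed = true;
    for (size_t i = 3; i < sizeof(protocol); i++)
        tail_zeroed = tail_zeroed && protocol[i] == 0;
    return fits && strcmp(protocol, "sip") == 0 && tail_zeroed;
}

/* An over-long name is truncated to 10 characters plus the terminator. */
size_t protocol_field_len_after_truncation(void)
{
    char protocol[11];
    copy_field(protocol, sizeof(protocol), "a-very-long-protocol-name");
    return strlen(protocol);
}
```

Offset 100 is rejected because 100 + 20 exceeds 108; offset 88 is the last one that fits. copy_field() reports truncation instead of hiding it, so a caller can log or reject an over-long value rather than silently storing a cut-off one.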
MAME

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'state->m_spriteram16_buffered'. deco32.c 706


UINT16 m_spriteram16[0x1000];
UINT16 m_spriteram16_buffered[0x1000];

static WRITE32_HANDLER( deco32_buffer_spriteram_w )
{
  deco32_state *state =
    space->machine().driver_data<deco32_state>();
  memcpy(state->m_spriteram16_buffered,
         state->m_spriteram16, 0x1000);
}

This is what should have been written here: 0x1000 * sizeof(UINT16).


MAME

V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_rotate_ctrl'. wgp.c 949


UINT16      m_rotate_ctrl[8];

static MACHINE_RESET( wgp )
{
  wgp_state *state = machine.driver_data<wgp_state>();
  int i;

  state->m_banknum = 0;
  state->m_cpua_ctrl = 0xff;
  state->m_port_sel = 0;
  state->m_piv_ctrl_reg = 0;

  for (i = 0; i < 3; i++)
  {
    state->m_piv_zoom[i] = 0;
    state->m_piv_scrollx[i] = 0;
    state->m_piv_scrolly[i] = 0;
  }

  memset(state->m_rotate_ctrl, 0, 8);
}

m_rotate_ctrl holds 8 UINT16 values, 16 bytes, so memset with 8 clears only half of it. This is what should have been written here: sizeof(state->m_rotate_ctrl)

Identical errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to underflow of the buffer 'state->m_spriteram16_2_buffered'. deco32.c 726
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_playfield_code'. malzak.c 392

MAME

V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_control_0'. tumbleb.c 2065


UINT16 m_control_0[8];
#define ARRAY_LENGTH(x)  (sizeof(x) / sizeof(x[0]))

static MACHINE_RESET( tumbleb )
{
  ...
  memset(state->m_control_0, 0,
         ARRAY_LENGTH(state->m_control_0));
}

Most likely this is what should be written here: memset(state->m_control_0, 0, sizeof(state->m_control_0));

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pmac_read'. megadriv.c 7156
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pmac_write'. megadriv.c 7157
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_cart_is_genesis'. megatech.c 426
  • And 3 additional diagnostic messages.

MAME

V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pstars_regs'. pgm.c 4458


UINT32 m_pstars_regs[16];

static DRIVER_INIT( pstar )
{
  ...
  memset(state->m_pstars_regs, 0, 16);
  ...
}

m_pstars_regs holds 16 UINT32 values, 64 bytes, so memset with 16 clears only a quarter of it. This is what should have been written here: sizeof(state->m_pstars_regs)

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 4975
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 4996
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 5056
  • And 4 additional diagnostic messages.

Samba

V512 A call of the 'memset' function will lead to underflow of the buffer 'rt'. perf_writer.c 80


void initialize(PERF_DATA_BLOCK *data,
  RuntimeSettings *rt, int argc, char **argv)
{
    memset(data, 0, sizeof(*data));
    memset(rt, 0, sizeof(*data));
  ....
}

A copy-paste slip: the second call takes its size from 'data' rather than 'rt'. Most likely this is what should be written here: memset(rt, 0, sizeof(*rt));


Samba

V512 A call of the 'memcmp' function will lead to underflow of the buffer 'u0'. netuser.c 247


static NET_API_STATUS test_netusermodals(
  struct libnetapi_ctx *ctx,
  const char *hostname)
{
  ....
  struct USER_MODALS_INFO_0 *u0 = NULL;
  struct USER_MODALS_INFO_0 *_u0 = NULL;
  ....
  if (memcmp(u0, _u0, sizeof(u0) != 0)) {
    printf("USER_MODALS_INFO_0 struct has changed!!!!\n");
    return -1;
  }
  ....
}

Most likely this is what should be written here: sizeof(*u0). Note that the closing parenthesis is misplaced as well: as written, "!= 0" is applied to sizeof(u0), which yields 1, so memcmp compares a single byte and its raw result is used as the condition. The intended form is if (memcmp(u0, _u0, sizeof(*u0)) != 0).


libevent

V512 A call of the 'memset' function will lead to underflow of the buffer 'win32op'. win32select.c 374


void
win32_dealloc(struct event_base *_base)
{
  struct win32op *win32op = _base->evbase;
  ....
  memset(win32op, 0, sizeof(win32op));
  ....
}

sizeof(win32op) is the size of the pointer, so only the first 4 or 8 bytes of the structure are cleared. This is what should have been written here: memset(win32op, 0, sizeof(*win32op));

OpenCV

V512 A call of the 'memset' function will lead to overflow of the buffer 'latestCounts'. calibfilter.cpp 238


class CV_EXPORTS CvCalibFilter
{
  ....
  enum { MAX_CAMERAS = 3 };
  int latestCounts[MAX_CAMERAS];
  CvPoint2D32f* latestPoints[MAX_CAMERAS];
  ....
};

void CvCalibFilter::SetCameraCount( int count )
{
  ....
  memset( latestCounts, 0, sizeof(latestPoints) );
  ....
}

The size is taken from the neighbouring array of pointers. In a 32-bit build the two arrays happen to be the same size, but in a 64-bit build sizeof(latestPoints) is twice sizeof(latestCounts) and the memset writes past the end of latestCounts. This is what should have been written here: memset( latestCounts, 0, sizeof(latestCounts) );