V557. Array overrun is possible.
VirtualDub
V557 Array overrun is possible. The '9' index is pointing beyond array bound. VirtualDub f_convolute.cpp 73
struct ConvoluteFilterData {
long m[9];
long bias;
void *dyna_func;
DWORD dyna_size;
DWORD dyna_old_protect;
BOOL fClip;
};
static unsigned long __fastcall do_conv(
unsigned long *data,
const ConvoluteFilterData *cfd,
long sflags, long pit)
{
long rt0=cfd->m[9], gt0=cfd->m[9], bt0=cfd->m[9];
...
}
Dynamic Universal Music Bibliotheque
V557 Array overrun is possible. The '14' index is pointing beyond array bound. dumb_static readdsmf.c 34
struct IT_SAMPLE
{
...
unsigned char filename[14];
...
};
static int it_riff_dsmf_process_sample(
IT_SAMPLE * sample, const unsigned char * data, int len)
{
int flags;
memcpy( sample->filename, data, 13 );
sample->filename[ 14 ] = 0;
...
}
This is what should have been written here: sample->filename[ 13 ] = 0; (memcpy copies 13 bytes, so the terminator belongs at index 13, the last element of the 14-byte array).
CAMEL
V557 Array overrun is possible. The '64' index is pointing beyond array bound. stickies stickies.cpp 7947
#define FINDBUFFLEN 64 // Max buffer find/replace size
int WINAPI Sticky (HWND hwnd, UINT message,
WPARAM wParam, LPARAM lParam)
{
...
static char findWhat[FINDBUFFLEN] = {'\0'};
...
findWhat[FINDBUFFLEN] = '\0';
...
}
Wolfenstein 3D
V557 Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_cmd.c 1069
typedef struct bot_state_s
{
...
char teamleader[32]; //netname of the team leader
...
} bot_state_t;
void BotMatch_StartTeamLeaderShip(
bot_state_t *bs, bot_match_t *match)
{
...
bs->teamleader[sizeof( bs->teamleader )] = '\0';
...
}
The "- 1" is missing: the last valid index is sizeof(bs->teamleader) - 1, so the write lands one byte past the end of the array. The same error can be found in Quake 3.
Identical errors can be found in some other places:
- V557 Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_team.c 548
Wolfenstein 3D
V557 Array overrun is possible. The '3' index is pointing beyond array bound. renderer tr_shade_calc.c 679
void RB_CalcColorFromOneMinusEntity(unsigned char *dstColors) {
...
unsigned char invModulate[3];
...
invModulate[0] = 255 - backEnd.currentEntity->e.shaderRGBA[0];
invModulate[1] = 255 - backEnd.currentEntity->e.shaderRGBA[1];
invModulate[2] = 255 - backEnd.currentEntity->e.shaderRGBA[2];
// this trashes alpha, but the AGEN block fixes it
invModulate[3] = 255 - backEnd.currentEntity->e.shaderRGBA[3];
...
}
The same error can be found in Quake 3.
IPP Samples
V557 Array overrun is possible. The '30' index is pointing beyond array bound. avs_enc umc_avs_enc_compressor_enc_b.cpp 495
struct AVS_MB_INFO
{
...
Ipp8u refIdx[AVS_DIRECTIONS][4];
...
};
void AVSCompressor::GetRefIndiciesBSlice(void){
...
if (m_pMbInfo->predType[0] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][0];
iRefNum += 1;
}
if (m_pMbInfo->predType[1] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][1];
iRefNum += 1;
}
if (m_pMbInfo->predType[2] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][2];
iRefNum += 1;
}
if (m_pMbInfo->predType[3] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][30];
iRefNum += 1;
}
...
}
The programmer's hand slipped, and the index became 30 instead of 3.
IPP Samples
V557 Array overrun is possible. The '3' index is pointing beyond array bound. mp3_enc mp3enc_psychoacoustic_fp.c 726
typedef struct
{
...
VM_ALIGN16_DECL(Ipp32f)
nb_short[2][3][__ALIGNED(MAX_PPT_SHORT)];
...
} mpaPsychoacousticBlock;
static void mp3encPsy_short_window(....)
{
...
if (win_counter == 0) {
nb_s = pBlock->nb_short[0][3];
}
...
}
This is what should have been written here: 2.
LAME
V557 Array overrun is possible. The value of 'r0 + r1 + 2' index could reach 24. libmp3lame takehiro.c 895
...
#define SBMAX_l 22
...
int l[1+SBMAX_l];
...
inline static void
recalc_divide_init(const lame_internal_flags * const gfc, ...)
{
int r0, r1;
...
for (r0 = 0; r0 < 16; r0++) {
...
for (r1 = 0; r1 < 8; r1++) {
int a2 = gfc->scalefac_band.l[r0 + r1 + 2];
...
}
Irrlicht Engine
V557 Array overrun is possible. The value of 'i * 3 + 0' index could reach 765. Irrlicht cimageloaderpcx.cpp 113
struct SPCXHeader {
...
u8 Palette[48];
u8 Reserved;
u8 Planes;
u16 BytesPerLine;
...
}
IImage* CImageLoaderPCX::loadImage(io::IReadFile* file) const
{
...
for( s32 i=0; i<256; i++ )
{
paletteData[i] = (header.Palette[i*3+0] << 16) |
(header.Palette[i*3+1] << 8) |
(header.Palette[i*3+2]);
}
...
}
Identical errors can be found in some other places:
- V557 Array overrun is possible. The value of 'i * 3 + 1' index could reach 766. Irrlicht cimageloaderpcx.cpp 114
- V557 Array overrun is possible. The value of 'i * 3 + 2' index could reach 767. Irrlicht cimageloaderpcx.cpp 115
SAGA GIS
V557 Array overrun is possible. The value of 'i + 1' index could reach 7. pj_geotrans datum.c 367
#define DATUM_CODE_LENGTH 7
typedef struct Datum_Table_Row
{
...
char Code[DATUM_CODE_LENGTH];
...
} Datum_Row;
long Initialize_Datums_File(const char *File_7Parms,
const char *File_3Parms)
{
...
for (i = 0; i < DATUM_CODE_LENGTH; i++)
Datum_Table_3Param[index].Code[i] =
Datum_Table_3Param[index].Code[i+1];
...
}
Identical errors can be found in some other places:
- V557 Array overrun is possible. The value of 'i + 1' index could reach 7. pj_geotrans datum.c 630
- V557 Array overrun is possible. The value of 'i + 1' index could reach 30. pj_geotrans ellipse.c 209
- V557 Array overrun is possible. The value of 'i + 1' index could reach 30. pj_geotrans ellipse.c 326
CMake
V557 Array overrun is possible. The value of 'i' index could reach 367. cmlibarchive archive_windows.c 1140
V557 Array overrun is possible. The value of 'i' index could reach 367. cmlibarchive archive_windows.c 1142
static const struct {
DWORD winerr;
int doserr;
} doserrors[] =
{
...
};
static void
la_dosmaperr(unsigned long e)
{
...
for (i = 0; i < sizeof(doserrors); i++)
{
if (doserrors[i].winerr == e)
{
errno = doserrors[i].doserr;
return;
}
}
...
}
sizeof(doserrors) yields the size of the array in bytes, not the number of elements. This is what should have been written here: sizeof(doserrors) / sizeof(*doserrors)
Energy Checker SDK
V557 Array overrun is possible. The '255' index is pointing beyond array bound. pl2ganglia pl2ganglia.c 1114
#define PL_MAX_PATH 255
#define PL2GANFLIA_COUNTER_MAX_LENGTH PL_MAX_PATH
char name[PL_MAX_PATH];
int main(int argc, char *argv[]) {
...
p->pl_counters_data[i].name[
PL2GANFLIA_COUNTER_MAX_LENGTH
] = '\0';
...
}
This is what should have been written here: PL2GANFLIA_COUNTER_MAX_LENGTH - 1
Identical errors can be found in some other places:
- V557 Array overrun is possible. The '255' index is pointing beyond array bound. pl2ganglia pl2ganglia.c 1134
ReactOS
V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1482
static void move_dir_to_dir(....)
{
...
szFrom[lstrlenW(szFrom) + 1] = '\0';
...
}
Very suspicious code: lstrlenW(szFrom) is already the index of the existing terminator, so writing at lstrlenW(szFrom) + 1 skips past it and can step beyond the buffer. Something different must have been intended.
Identical errors can be found in some other places:
- V557 Array overrun is possible. The value of 'lstrlenW (szTo) + 1' index could reach 260. shell32 shlfileop.c 1192
- V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1196
- V557 Array overrun is possible. The value of 'lstrlenW (curdir) + 1' index could reach 261. shell32 shlfileop.c 1274
IPP Samples
V557 Array overrun is possible. The value of 'j' index could reach 2. mp3_enc mp3enc_psychoacoustic_fp.c 361
Ipp32f pa_nb_long[NUM_CHANNELS][2][MAX_PPT_LONG];
MP3Status mp3enc_psychoacousticInit(....)
{
...
for (ch = 0; ch < NUM_CHANNELS; ch++)
for (i = 0; i < MAX_PPT_LONG; i++) {
for (j = 0; j < 3; j++)
state->pa_nb_long[ch][j][i] = (Ipp32f)1.0e30;
}
...
}
This is what should have been written here: for (j = 0; j < 2; j++)
IPP Samples
V557 Array overrun is possible. The value of 't * 12 + j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 275
typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];
static void mp3enc_scale_factor_calc_l2(MP3Enc *state)
{
...
for (ch = 0; ch < stereo + state->com.mc_channel; ch++) {
for (t = 0; t < 3; t++) {
for (sb = 0; sb < sblimit_real; sb++){
for (j = 0; j < 12; j++)
fbout[j] = state->fbout_data[ch][0][t * 12 + j][sb];
...
}
If t == 2 and j == 11 can occur at the same time, the index t * 12 + j reaches 35 and an array overrun will occur.
Identical errors can be found in some other places:
- V557 Array overrun is possible. The value of 's * 12 + j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 580
IPP Samples
V557 Array overrun is possible. The value of 'j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 639
V557 Array overrun is possible. The value of 'j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 640
typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];
static void mp3enc_join_LR_l2(MP3Enc *state)
{
Ipp32s sb, j;
Ipp32s sblimit_real = state->com.sblimit_real;
for (sb = 0; sb < sblimit_real; sb++)
for (j = 0; j < 36; j++)
state->fbout_data[2][0][j][sb] =
0.5f * (state->fbout_data[0][0][j][sb] +
state->fbout_data[1][0][j][sb]);
}
Chromium
V557 Array overrun is possible. The value of 'n' index could reach 479. iSAC encode.c 1307
V557 Array overrun is possible. The value of 'n' index could reach 479. iSAC encode.c 1308
#define FRAMESAMPLES_HALF 240
#define FRAMESAMPLES 480
typedef struct {
...
WebRtc_Word16 realFFT[FRAMESAMPLES_HALF];
WebRtc_Word16 imagFFT[FRAMESAMPLES_HALF];
} ISACUBSaveEncDataStruct;
int WebRtcIsac_EncodeStoredDataUb12(....)
{
...
for(n = 0; n < FRAMESAMPLES; n++)
{
realFFT[n] = (WebRtc_Word16)
(scale * (float)ISACSavedEnc_obj->realFFT[n] + 0.5f);
imagFFT[n] = (WebRtc_Word16)
(scale * (float)ISACSavedEnc_obj->imagFFT[n] + 0.5f);
}
...
}
Doom 3
V557 Array overrun is possible. The value of 'j' index could reach 5. DoomDLL tr_stencilshadow.cpp 551
V557 Array overrun is possible. The value of 'j' index could reach 5. DoomDLL tr_stencilshadow.cpp 552
static bool R_ClipLineToLight(..., const idPlane frustum[4], ...)
{
...
for ( j = 0 ; j < 6 ; j++ ) {
d1 = frustum[j].Distance( p1 );
d2 = frustum[j].Distance( p2 );
...
}
...
}
Mozilla Firefox
V557 Array overrun is possible. The value of 'i' index could reach 19. detectcharset.cpp 89
class nsBaseStatis : public nsStatis {
public:
...
PRUint32 mLWordLen[10];
...
nsBaseStatis::nsBaseStatis(
unsigned char aL, unsigned char aH, float aR)
{
...
for(PRUint32 i = 0; i < 20; i++)
mLWordLen[i] = 0;
...
}
}
...
};
This is what should have been written here: for(PRUint32 i = 0; i < 10; i++) or: for(PRUint32 i = 0; i < sizeof(mLWordLen)/sizeof(mLWordLen[0]); i++)
Quake-III-Arena
V557 Array overrun is possible. The value of 'i' index could reach 3. game g_main.c 776
int numteamVotingClients[2];
void CalculateRanks( void ) {
...
for ( i = 0; i < TEAM_NUM_TEAMS; i++ ) {
level.numteamVotingClients[i] = 0;
}
...
}
Notepad++
V557 Array overrun is possible. The value of 'i' index could reach 46. Notepad++ preferencedlg.cpp 984
int encodings[] = {
1250,
1251,
1252,
....
};
BOOL CALLBACK DefaultNewDocDlg::run_dlgProc(
UINT Message, WPARAM wParam, LPARAM)
{
...
for (int i = 0 ; i <= sizeof(encodings)/sizeof(int) ; i++)
{
int cmdID = em->getIndexFromEncoding(encodings[i]);
...
}
This is what should have been written here: i < sizeof(encodings)/sizeof(int)
Trinity Core
V557 Array overrun is possible. The value of 'i' index could reach 39. libmysql ctype-czech.c 260
static struct wordvalue doubles[] = {
{ "ch", (uchar*) "\014\031\057\057" },
{ "Ch", (uchar*) "\014\031\060\060" },
{ "CH", (uchar*) "\014\031\061\061" },
{ "c", (uchar*) "\005\012\021\021" },
{ "C", (uchar*) "\005\012\022\022" },
};
#define NEXT_CMP_VALUE(src, p, store, pass, value, len) \
while (1) \
{ \
...... \
for (i = 0; i < (int) sizeof(doubles); i++) \
{ \
const char * pattern = doubles[i].word; \
... \
} \
} \
...... \
}
The NEXT_CMP_VALUE macro is incorrect: sizeof(doubles) is the size of the array in bytes, not its element count, so the loop runs past the end of doubles.
IPP Samples
V205 Explicit conversion of pointer type to 32-bit integer type: (unsigned long)(img) ipprsample ippr_sample.cpp 480
void write_output_image(...., const Ipp32f *img,
...., const Ipp32s iStep) {
...
img = (Ipp32f*)((unsigned long)(img) + iStep);
...
}
IPP Samples
V205 Explicit conversion of pointer type to 32-bit integer type: (long)(current) ipprsample ippr_sample.cpp 175
IppStatus kDTreeBuild_th(IpprKDTreeNode **pDstKDTree,
const Ipp32f * const pSrcVert,
const Ipp32s * const pSrcTriInx,
Ipp32s SrcVertSize, Ipp32s SrcTriSize,
Ipp32s *pDstKDTreeSize,
const void * const pBldContext,
int threadCnt, bool *aType)
{
IpprKDTreeNode *current;
...
left = (IpprKDTreeNode *)((long)(current) +
(current->flag_k_ofs)&(~0x3));
...
}
Identical errors can be found in some other places:
- V205 Explicit conversion of pointer type to 32-bit integer type: (unsigned long)(image->imageDataOrigin) ipl iplalloc.c 228
- V205 Explicit conversion of pointer type to 32-bit integer type: (unsigned long)(image->imageDataOrigin) ipl iplalloc.c 297
- V205 Explicit conversion of pointer type to 32-bit integer type: (long) pSrc mpeg4_mux umc_mp4_mux_atoms.cpp 780
- And 8 additional diagnostic messages.
Blender
V557 Array overrun is possible. The '9' index is pointing beyond array bound. ge_phys_bullet ccdphysicscontroller.cpp 867
V557 Array overrun is possible. The '10' index is pointing beyond array bound. ge_phys_bullet ccdphysicscontroller.cpp 868
void CcdPhysicsController::RelativeRotate(
const float rotval[9], bool local)
{
...
btMatrix3x3 drotmat(
rotval[0],rotval[4],rotval[8],
rotval[1],rotval[5],rotval[9],
rotval[2],rotval[6],rotval[10]);
...
}
Trans-Proteomic Pipeline
V557 Array overrun is possible. The '3' index is pointing beyond array bound. crypt crypt.cxx 567
int main(int argc, char **argv) {
...
char salt[3];
...
salt[0] = (argc>2)?(argv[1][0]):rndChar[rand() % 64];
salt[1] = (argc>2)?(argv[1][1]):rndChar[rand() % 64];
salt[3] = 0;
...
}
This is what should have been written here: salt[2] = 0;
Visualization Toolkit (VTK)
V557 Array overrun is possible. The '6' index is pointing beyond array bound. vtkGraphics vtkcursor2d.cxx 313
void vtkCursor2D::SetModelBounds(double bounds[6])
{
this->SetModelBounds(bounds[0], bounds[1], bounds[2],
bounds[3], bounds[6], bounds[5]);
}
This is what should have been written here: bounds[4].
ffdshow
V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 39
static uint crc_tables[8][256];
void InitCRC()
{
....
// Build additional lookup tables.
for (uint I=0;I<=256;I++)
{
uint C=crc_tables[0][I];
for (uint J=1;J<8;J++)
{
C=crc_tables[0][(byte)C]^(C>>8);
crc_tables[J][I]=C;
}
}
}