Examples of errors detected by the V557 diagnostic

V557. Array overrun is possible.


VirtualDub

V557 Array overrun is possible. The '9' index is pointing beyond array bound. VirtualDub f_convolute.cpp 73


// Parameters of the convolution filter. The coefficient array holds nine
// entries, so its valid indices are 0..8; do_conv below reads m[9].
struct ConvoluteFilterData {
 long m[9];               // nine coefficients: valid indices 0..8
 long bias;
 void *dyna_func;
 DWORD dyna_size;
 DWORD dyna_old_protect;
 BOOL fClip;
};

static unsigned long __fastcall do_conv(
  unsigned long *data,
  const ConvoluteFilterData *cfd,
  long sflags, long pit)
{
  long rt0=cfd->m[9], gt0=cfd->m[9], bt0=cfd->m[9];
  ...
}

Dynamic Universal Music Bibliotheque

V557 Array overrun is possible. The '14' index is pointing beyond array bound. dumb_static readdsmf.c 34


struct IT_SAMPLE
{
  ...
  unsigned char filename[14];
  ...
};

static int it_riff_dsmf_process_sample(
  IT_SAMPLE * sample, const unsigned char * data, int len)
{
  int flags;
  memcpy( sample->filename, data, 13 );
  sample->filename[ 14 ] = 0;
  ...
}

This is what should have been written here: sample->filename[ 13 ] = 0;


CAMEL

V557 Array overrun is possible. The '64' index is pointing beyond array bound. stickies stickies.cpp 7947


#define FINDBUFFLEN 64  // Max buffer find/replace size

int WINAPI Sticky (HWND hwnd, UINT message,
  WPARAM wParam, LPARAM lParam)
{
  ...
  static char  findWhat[FINDBUFFLEN] = {'\0'};
  ...
  findWhat[FINDBUFFLEN] = '\0';
  ...
}

Wolfenstein 3D

V557 Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_cmd.c 1069


typedef struct bot_state_s
{
  ...
  char teamleader[32]; //netname of the team leader
  ...
}  bot_state_t;

void BotMatch_StartTeamLeaderShip(
  bot_state_t *bs, bot_match_t *match)
{
  ...
  bs->teamleader[sizeof( bs->teamleader )] = '\0';
  ...
}

The `- 1` is missing: `sizeof(bs->teamleader)` is 32, so the terminator is written one element past the end of the array. The same error can be found in Quake 3.

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_team.c 548

Wolfenstein 3D

V557 Array overrun is possible. The '3' index is pointing beyond array bound. renderer tr_shade_calc.c 679


void RB_CalcColorFromOneMinusEntity(unsigned char *dstColors) {
  ...
  unsigned char invModulate[3];
  ...
  invModulate[0] = 255 - backEnd.currentEntity->e.shaderRGBA[0];
  invModulate[1] = 255 - backEnd.currentEntity->e.shaderRGBA[1];
  invModulate[2] = 255 - backEnd.currentEntity->e.shaderRGBA[2];
  // this trashes alpha, but the AGEN block fixes it
  invModulate[3] = 255 - backEnd.currentEntity->e.shaderRGBA[3];
  ...
}

The same error can be found in Quake 3.


IPP Samples

V557 Array overrun is possible. The '30' index is pointing beyond array bound. avs_enc umc_avs_enc_compressor_enc_b.cpp 495


struct AVS_MB_INFO
{
  ...
  Ipp8u refIdx[AVS_DIRECTIONS][4];
  ...
};

void AVSCompressor::GetRefIndiciesBSlice(void){
  ...
  if (m_pMbInfo->predType[0] & predType)
  {
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][0];
    iRefNum += 1;
  }
  if (m_pMbInfo->predType[1] & predType)
  {
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][1];
    iRefNum += 1;
  }
  if (m_pMbInfo->predType[2] & predType)
  {
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][2];
    iRefNum += 1;
  }
  if (m_pMbInfo->predType[3] & predType)
  {
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][30];
    iRefNum += 1;
  }
  ...
}

The programmer's hand slipped, and 30 was typed instead of 3.


IPP Samples

V557 Array overrun is possible. The '3' index is pointing beyond array bound. mp3_enc mp3enc_psychoacoustic_fp.c 726


typedef struct
{
  ...
  VM_ALIGN16_DECL(Ipp32f)
    nb_short[2][3][__ALIGNED(MAX_PPT_SHORT)];
  ...
} mpaPsychoacousticBlock;

static void mp3encPsy_short_window(....)
{
  ...
  if (win_counter == 0) {
    nb_s = pBlock->nb_short[0][3];
  }
  ...
}

This is what should have been written here: 2.


LAME

V557 Array overrun is possible. The value of 'r0 + r1 + 2' index could reach 24. libmp3lame takehiro.c 895


...
#define SBMAX_l       22
...
int l[1+SBMAX_l];
...

inline static void
recalc_divide_init(const lame_internal_flags * const gfc, ...)
{
  int r0, r1;
  ...

  for (r0 = 0; r0 < 16; r0++) {
    ...
    for (r1 = 0; r1 < 8; r1++) {
      int a2 = gfc->scalefac_band.l[r0 + r1 + 2];
  ...
}

Irrlicht Engine

V557 Array overrun is possible. The value of 'i * 3 + 0' index could reach 765. Irrlicht cimageloaderpcx.cpp 113


struct SPCXHeader {
  ...
  u8   Palette[48];
  u8   Reserved;
  u8   Planes;
  u16  BytesPerLine;
  ...
}

IImage* CImageLoaderPCX::loadImage(io::IReadFile* file) const
{
  ...
  for( s32 i=0; i<256; i++ )
  {
    paletteData[i] = (header.Palette[i*3+0] << 16) |
     (header.Palette[i*3+1] << 8) |
     (header.Palette[i*3+2]);
  }
  ...
}

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i * 3 + 1' index could reach 766. Irrlicht cimageloaderpcx.cpp 114
  • V557 Array overrun is possible. The value of 'i * 3 + 2' index could reach 767. Irrlicht cimageloaderpcx.cpp 115

SAGA GIS

V557 Array overrun is possible. The value of 'i + 1' index could reach 7. pj_geotrans datum.c 367


#define DATUM_CODE_LENGTH           7

typedef struct Datum_Table_Row
{
  ...
  char Code[DATUM_CODE_LENGTH];
  ...
} Datum_Row;

long Initialize_Datums_File(const char *File_7Parms,
                            const char *File_3Parms)
{
  ...
  for (i = 0; i < DATUM_CODE_LENGTH; i++)
    Datum_Table_3Param[index].Code[i] =
      Datum_Table_3Param[index].Code[i+1];
  ...
}

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i + 1' index could reach 7. pj_geotrans datum.c 630
  • V557 Array overrun is possible. The value of 'i + 1' index could reach 30. pj_geotrans ellipse.c 209
  • V557 Array overrun is possible. The value of 'i + 1' index could reach 30. pj_geotrans ellipse.c 326

CMake

V557 Array overrun is possible. The value of 'i' index could reach 367. cmlibarchive archive_windows.c 1140

V557 Array overrun is possible. The value of 'i' index could reach 367. cmlibarchive archive_windows.c 1142


static const struct {
    DWORD       winerr;
    int     doserr;
} doserrors[] =
{
  ...
};

static void
la_dosmaperr(unsigned long e)
{
  ...
  for (i = 0; i < sizeof(doserrors); i++)
  {
    if (doserrors[i].winerr == e)
    {
      errno = doserrors[i].doserr;
      return;
    }
  }
  ...
}

This is what should have been written here: sizeof(doserrors) / sizeof(*doserrors)


Energy Checker SDK

V557 Array overrun is possible. The '255' index is pointing beyond array bound. pl2ganglia pl2ganglia.c 1114


#define PL_MAX_PATH 255
#define PL2GANFLIA_COUNTER_MAX_LENGTH PL_MAX_PATH

char name[PL_MAX_PATH];

int main(int argc, char *argv[]) {
  ...
  p->pl_counters_data[i].name[
    PL2GANFLIA_COUNTER_MAX_LENGTH
  ] = '\0';
  ...
}

This is what should have been written here: PL2GANFLIA_COUNTER_MAX_LENGTH - 1

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The '255' index is pointing beyond array bound. pl2ganglia pl2ganglia.c 1134

ReactOS

V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1482


static void move_dir_to_dir(....)
{
  ...
  szFrom[lstrlenW(szFrom) + 1] = '\0';
  ...
}

Very suspicious code: the terminator is written at `lstrlenW(szFrom) + 1`, one position past the terminator that lstrlenW has just found, and for a full-length string that position lies beyond the buffer. Something different must have been intended.

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'lstrlenW (szTo) + 1' index could reach 260. shell32 shlfileop.c 1192
  • V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1196
  • V557 Array overrun is possible. The value of 'lstrlenW (curdir) + 1' index could reach 261. shell32 shlfileop.c 1274

IPP Samples

V557 Array overrun is possible. The value of 'j' index could reach 2. mp3_enc mp3enc_psychoacoustic_fp.c 361


Ipp32f pa_nb_long[NUM_CHANNELS][2][MAX_PPT_LONG];

MP3Status mp3enc_psychoacousticInit(....)
{
  ...
  for (ch = 0; ch < NUM_CHANNELS; ch++)
    for (i = 0; i < MAX_PPT_LONG; i++) {
      for (j = 0; j < 3; j++)
        state->pa_nb_long[ch][j][i] = (Ipp32f)1.0e30;
    }
  ...
}

This is what should have been written here: for (j = 0; j < 2; j++)


IPP Samples

V557 Array overrun is possible. The value of 't * 12 + j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 275


typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];

static void mp3enc_scale_factor_calc_l2(MP3Enc *state)
{
  ...
  for (ch = 0; ch < stereo + state->com.mc_channel; ch++) {
    for (t = 0; t < 3; t++) {
      for (sb = 0; sb < sblimit_real; sb++){
        for (j = 0; j < 12; j++)
          fbout[j] = state->fbout_data[ch][0][t * 12 + j][sb];
  ...
}

If t == 2 and j == 11 can occur together, the index `t * 12 + j` reaches 35 and the array is overrun.

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The value of 's * 12 + j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 580

IPP Samples

V557 Array overrun is possible. The value of 'j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 639

V557 Array overrun is possible. The value of 'j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 640


typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];

/* Mixes channels 0 and 1 of fbout_data into channel 2 by averaging each
 * (j, sb) sample.
 * NOTE(review): samplefbout is declared [2][18][32] (see the typedef above),
 * so the j dimension holds 18 entries (0..17). This loop runs j to 35 and
 * reads and writes past the row for j >= 18; whether a 36-wide layout was
 * intended cannot be told from this snippet. */
static void mp3enc_join_LR_l2(MP3Enc *state)
{
  Ipp32s sb, j;
  Ipp32s sblimit_real = state->com.sblimit_real;  /* presumably the sub-band limit to process */

  for (sb = 0; sb < sblimit_real; sb++)
    for (j = 0; j < 36; j++)                        /* 36 exceeds the 18-entry dimension */
      state->fbout_data[2][0][j][sb] =
        0.5f * (state->fbout_data[0][0][j][sb] +
        state->fbout_data[1][0][j][sb]);
}

Chromium

V557 Array overrun is possible. The value of 'n' index could reach 479. iSAC encode.c 1307

V557 Array overrun is possible. The value of 'n' index could reach 479. iSAC encode.c 1308


#define FRAMESAMPLES_HALF      240
#define FRAMESAMPLES           480

typedef struct {
  ...
  WebRtc_Word16 realFFT[FRAMESAMPLES_HALF];
  WebRtc_Word16 imagFFT[FRAMESAMPLES_HALF];
} ISACUBSaveEncDataStruct;

int WebRtcIsac_EncodeStoredDataUb12(....)
{
  ...
  for(n = 0; n < FRAMESAMPLES; n++)
  {
    realFFT[n] = (WebRtc_Word16)
      (scale * (float)ISACSavedEnc_obj->realFFT[n] + 0.5f);
    imagFFT[n] = (WebRtc_Word16)
      (scale * (float)ISACSavedEnc_obj->imagFFT[n] + 0.5f);
  }
  ...
}

Doom 3

V557 Array overrun is possible. The value of 'j' index could reach 5. DoomDLL tr_stencilshadow.cpp 551

V557 Array overrun is possible. The value of 'j' index could reach 5. DoomDLL tr_stencilshadow.cpp 552


static bool R_ClipLineToLight(..., const idPlane frustum[4], ...)
{
  ...
  for ( j = 0 ; j < 6 ; j++ ) {
    d1 = frustum[j].Distance( p1 );
    d2 = frustum[j].Distance( p2 );
    ...
  }
  ...
}

Mozilla Firefox

V557 Array overrun is possible. The value of 'i' index could reach 19. detectcharset.cpp 89


class nsBaseStatis : public nsStatis {
public:
  ...
  PRUint32 mLWordLen[10];
  ...
  nsBaseStatis::nsBaseStatis(
    unsigned char aL, unsigned char aH, float aR)
  {
    ...
    for(PRUint32 i = 0; i < 20; i++)
       mLWordLen[i] = 0;
    ...
  }
}

  ...
};

This is what should have been written here: `for(PRUint32 i = 0; i < 10; i++)`, or: `for(PRUint32 i = 0; i < sizeof(mLWordLen)/sizeof(mLWordLen[0]); i++)`


Quake-III-Arena

V557 Array overrun is possible. The value of 'i' index could reach 3. game g_main.c 776


int   numteamVotingClients[2];

void CalculateRanks( void ) {
  ...
  for ( i = 0; i < TEAM_NUM_TEAMS; i++ ) {
    level.numteamVotingClients[i] = 0;
  }
  ...
}

Notepad++

V557 Array overrun is possible. The value of 'i' index could reach 46. Notepad++ preferencedlg.cpp 984


int encodings[] = {
  1250,
  1251,
  1252,
  ....
};

BOOL CALLBACK DefaultNewDocDlg::run_dlgProc(
  UINT Message, WPARAM wParam, LPARAM)
{
  ...
  for (int i = 0 ; i <= sizeof(encodings)/sizeof(int) ; i++)
  {
    int cmdID = em->getIndexFromEncoding(encodings[i]);
  ...
}

This is what should have been written here: i < sizeof(encodings)/sizeof(int)


Trinity Core

V557 Array overrun is possible. The value of 'i' index could reach 39. libmysql ctype-czech.c 260


/* Table of "ch" digraph variants and single "c" entries: 5 entries.
 * sizeof(doubles) is the size of this table in bytes, not its entry count,
 * so the NEXT_CMP_VALUE macro below iterates far past the end. */
static struct wordvalue doubles[] = {
 { "ch", (uchar*) "\014\031\057\057" },
 { "Ch", (uchar*) "\014\031\060\060" },
 { "CH", (uchar*) "\014\031\061\061" },
 { "c",  (uchar*) "\005\012\021\021" },
 { "C",  (uchar*) "\005\012\022\022" },
 };

#define NEXT_CMP_VALUE(src, p, store, pass, value, len) \
while (1)                                      \
{                                              \
  ......                                       \
  for (i = 0; i < (int) sizeof(doubles); i++)  \
  {                                            \
    const char * pattern = doubles[i].word;    \
    ...                                        \
    }                                          \
  }                                            \
  ......                                       \
}

The NEXT_CMP_VALUE macro is incorrect: `sizeof(doubles)` is the size of the array in bytes, not the number of its entries.


Blender

V557 Array overrun is possible. The '9' index is pointing beyond array bound. ge_phys_bullet ccdphysicscontroller.cpp 867

V557 Array overrun is possible. The '10' index is pointing beyond array bound. ge_phys_bullet ccdphysicscontroller.cpp 868


void CcdPhysicsController::RelativeRotate(
  const float rotval[9], bool local)
{
  ...
  btMatrix3x3 drotmat(
    rotval[0],rotval[4],rotval[8],
    rotval[1],rotval[5],rotval[9],
    rotval[2],rotval[6],rotval[10]);
  ...
}

Trans-Proteomic Pipeline

V557 Array overrun is possible. The '3' index is pointing beyond array bound. crypt crypt.cxx 567


int main(int argc, char **argv) {
  ...
  char salt[3];
  ...
  salt[0] = (argc>2)?(argv[1][0]):rndChar[rand() % 64];
  salt[1] = (argc>2)?(argv[1][1]):rndChar[rand() % 64];
  salt[3] = 0;
  ...
}

This is what should have been written here: salt[2] = 0;


Visualization Toolkit (VTK)

V557 Array overrun is possible. The '6' index is pointing beyond array bound. vtkGraphics vtkcursor2d.cxx 313


// Array-form overload: forwards the six bounds to the six-argument overload.
// bounds has six elements (indices 0..5); the fifth argument reads bounds[6],
// one past the end. bounds[4] was evidently intended.
void vtkCursor2D::SetModelBounds(double bounds[6])
{
  this->SetModelBounds(bounds[0], bounds[1], bounds[2],
                       bounds[3], bounds[6], bounds[5]);  // bounds[6] is out of range
}

This is what should have been written here: bounds[4].


ffdshow

V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 39


static uint crc_tables[8][256];

void InitCRC()
{
  ....
  // Build additional lookup tables.
  for (uint I=0;I<=256;I++)
  {
    uint C=crc_tables[0][I];
    for (uint J=1;J<8;J++)
    {
      C=crc_tables[0][(byte)C]^(C>>8);
      crc_tables[J][I]=C;
    }
  }
}

Skia Graphics Engine

V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1480

V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1481

V557 Array overrun is possible. The '6' index is pointing beyond array bound. skgeometry.cpp 1481

V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1483

V557 Array overrun is possible. The '6' index is pointing beyond array bound. skgeometry.cpp 1484


// Interpolates between the three values at src[0], src[3], src[6] and writes
// the results to dst[0], dst[3], dst[6].
// NOTE(review): both parameters are declared as 3-element arrays, yet indices
// 3 and 6 are used. The callers in SkConic::chopAt below pass &tmp[0].fX
// (and fY, fZ) taken from an SkP3D tmp[3], so the stride of 3 looks like a
// deliberate walk across one field of three consecutive structs. If so, the
// declared bound [3] does not describe what is accessed and misleads readers
// and analysers alike; the parameter is really a pointer plus a stride and
// should be declared and documented as such.
static void p3d_interp(const SkScalar src[3],
                       SkScalar dst[3], SkScalar t) {
    SkScalar ab = SkScalarInterp(src[0], src[3], t);
    SkScalar bc = SkScalarInterp(src[3], src[6], t);
    dst[0] = ab;
    dst[3] = SkScalarInterp(ab, bc, t);
    dst[6] = bc;
}

void SkConic::chopAt(SkScalar t, SkConic dst[2]) const {
  SkP3D tmp[3], tmp2[3];

  ratquad_mapTo3D(fPts, fW, tmp);

  p3d_interp(&tmp[0].fX, &tmp2[0].fX, t);
  p3d_interp(&tmp[0].fY, &tmp2[0].fY, t);
  p3d_interp(&tmp[0].fZ, &tmp2[0].fZ, t);
  ....
}

Chromium

V557 Array overrun is possible. The value of 'i' index could reach 2. shader_bench.cc 152


static const int kNumPainters = 3;  // NOTE: the painters table below has only 2 entries

// Name/painter pairs exercised by main(). Two entries (indices 0..1); the
// loop in main() below runs i < kNumPainters and so reads painters[2].
static const struct {
  const char* name;
  GPUPainter* painter;
} painters[] = {
  { "CPU CSC + GPU Render", new CPUColorPainter() },
  { "GPU CSC/Render", new GPUColorWithLuminancePainter() },
};

int main(int argc, char** argv) {
  ....
  // Run GPU painter tests.
  for (int i = 0; i < kNumPainters; i++) {
    scoped_ptr<GPUPainter> painter(painters[i].painter);
  ....
}

Multi Theft Auto

V557 Array overrun is possible. The '7' index is pointing beyond array bound. cjoystickmanager.cpp 1003


// Per-axis joystick settings: seven axes, valid indices 0..6.
// IsXInputDeviceAttached below writes axis[7], one past the end.
struct
{
  bool    bEnabled;
  long    lMax;
  long    lMin;
  DWORD   dwType;
} axis[7];

bool CJoystickManager::IsXInputDeviceAttached ( void )
{
  ....
  m_DevInfo.axis[6].bEnabled = 0;
  m_DevInfo.axis[7].bEnabled = 0;
  ....
}

Multi Theft Auto

V557 Array overrun is possible. The '3' index is pointing beyond array bound. cwatermanagersa.cpp 595


// Three vertex ids (indices 0..2). CreateQuad below stores pV4->GetID() at
// m_wVertexIDs[3], past the end of the array.
class CWaterPolySAInterface
{
public:
    WORD m_wVertexIDs[3];
};

CWaterPoly* CWaterManagerSA::CreateQuad (....)
{
  ....
  pInterface->m_wVertexIDs [ 0 ] = pV1->GetID ();
  pInterface->m_wVertexIDs [ 1 ] = pV2->GetID ();
  pInterface->m_wVertexIDs [ 2 ] = pV3->GetID ();
  pInterface->m_wVertexIDs [ 3 ] = pV4->GetID ();
  ....
}

Multi Theft Auto

V557 Array overrun is possible. The value of 'i' index could reach 3. cmainmenu.cpp 1062

V557 Array overrun is possible. The value of 'i' index could reach 3. cmainmenu.cpp 1063


#define CORE_MTA_NEWS_ITEMS 3

CGUILabel* m_pNewsItemLabels[CORE_MTA_NEWS_ITEMS];
CGUILabel* m_pNewsItemShadowLabels[CORE_MTA_NEWS_ITEMS];

void CMainMenu::SetNewsHeadline (....)
{
  ....
  for ( char i=0; i <= CORE_MTA_NEWS_ITEMS; i++ )
  {
    m_pNewsItemLabels[ i ]->SetFont ( szFontName );
    m_pNewsItemShadowLabels[ i ]->SetFont ( szFontName );
    ....
  }
  ....
}

Portable UnRAR

V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 35

V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 39


static uint crc_tables[8][256]; // Tables for Slicing-by-8.

void InitCRC()
{
  ....
  for (uint I=0;I<=256;I++)
  {
    uint C=crc_tables[0][I];
    for (uint J=1;J<8;J++)
    {
      C=crc_tables[0][(byte)C]^(C>>8);
      crc_tables[J][I]=C;
    }
  }
  ....
}

Multi Theft Auto

V557 Array overrun is possible. The value of 'i' index could reach 19. cpoolssa.cpp 1036


// Pool identifiers; MAX_POOLS (20) is the count, not a valid index.
// DumpPoolsStatus below indexes poolNames/poolSizes tables that have only
// 17 entries with every value of this enum below MAX_POOLS.
enum ePools {
    BUILDING_POOL = 0,
    PED_POOL,
    OBJECT_POOL,
    DUMMY_POOL,
    VEHICLE_POOL,
    COL_MODEL_POOL,
    TASK_POOL,
    EVENT_POOL,
    TASK_ALLOCATOR_POOL,
    PED_INTELLIGENCE_POOL,
    PED_ATTRACTOR_POOL,
    ENTRY_INFO_NODE_POOL,
    NODE_ROUTE_POOL,
    PATROL_ROUTE_POOL,
    POINT_ROUTE_POOL,
    POINTER_DOUBLE_LINK_POOL,
    POINTER_SINGLE_LINK_POOL,   // == 16, last pool that has a name/size entry below
    ENV_MAP_MATERIAL_POOL,      // == 17
    ENV_MAP_ATOMIC_POOL,        // == 18
    SPEC_MAP_MATERIAL_POOL,     // == 19
    MAX_POOLS                   // == 20
};

// Writes one usage line per pool into szOutput (declared outside this snippet,
// apparently 1024 bytes).
// Defects visible here:
//  - poolNames and poolSizes hold 17 entries each, but the loop runs over all
//    MAX_POOLS (20) values, so i = 17..19 reads past both arrays.
//  - snprintf returns the length the full string would have had, not the
//    bytes written. If the output ever exceeds 1024 bytes, iPosition
//    overshoots and `1024 - iPosition` goes negative, which converts to a
//    huge size_t on the next call.
void CPoolsSA::DumpPoolsStatus ()
{
  char*  poolNames[] = {                            // 17 entries (0..16)
    "Buildings", "Peds", "Objects", "Dummies", "Vehicles",
    "ColModels", "Tasks", "Events", "TaskAllocators",
    "PedIntelligences", "PedAttractors", "EntryInfoNodes",
    "NodeRoutes", "PatrolRoutes", "PointRoutes",
    "PointerNodeDoubleLinks", "PointerNodeSingleLinks" };

    int poolSizes[] = {                             // 17 entries (0..16)
      13000,140,350,2500,110,10150,500,200,16,140,64,500,
      64,32,64,3200,70000 };

    int iPosition = 0;
    char percent = '%';
    iPosition += snprintf ( szOutput, 1024,
                            "-----------------\n" );
    for ( int i = 0; i < MAX_POOLS; i++ )            // MAX_POOLS is 20: i = 17..19 overrun the tables
    {
      int usedSpaces = GetNumberOfUsedSpaces ( (ePools)i );
      iPosition +=
        snprintf ( szOutput + iPosition, 1024 - iPosition,   // negative once iPosition > 1024
                   "%s: %d (%d) (%.2f%c)\n", poolNames[i],
                   usedSpaces, poolSizes[i],
                   ((float)usedSpaces/(float)poolSizes[i]*100),
                   percent  );
    }
    #ifdef MTA_DEBUG
    OutputDebugString ( szOutput );
    #endif
}

OpenMS

V557 Array overrun is possible. The value of 'i' index could reach 7. itraqanalyzer.c 232


static const Int CHANNELS_FOURPLEX[4][1];   // 4 rows (indices 0..3)
static const Int CHANNELS_EIGHTPLEX[8][1];  // 8 rows; note that the EIGHTPLEX branch of main_ below still indexes CHANNELS_FOURPLEX with i up to 7

ExitCodes main_(int, const char **)
{
  ....
  if (itraq_type == ItraqQuantifier::FOURPLEX)
  {
    for (Size i = 0; i < 4; ++i)
    {
      std::vector<std::pair<String, DoubleReal> > one_label;
      one_label.push_back(std::make_pair<String, DoubleReal>(
        String("Channel ") +
          String(ItraqConstants::CHANNELS_FOURPLEX[i][0]),
        DoubleReal(ItraqConstants::CHANNELS_FOURPLEX[i][0])));
      labels.push_back(one_label);
    }
  }
  else //ItraqQuantifier::EIGHTPLEX
  {
    for (Size i = 0; i < 8; ++i)
    {
      std::vector<std::pair<String, DoubleReal> > one_label;
      one_label.push_back(std::make_pair<String, DoubleReal>(
        String("Channel ") +
          String(ItraqConstants::CHANNELS_FOURPLEX[i][0]),
        DoubleReal(ItraqConstants::CHANNELS_FOURPLEX[i][0])));
      labels.push_back(one_label);
    }
  }
  ....
}

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 7. tmtanalyzer.c 225

OpenMS

V557 Array overrun is possible. The value of 'i' index could reach 255. edwardslippertiterator.c 134


DoubleReal masse_[255]; // <= mass table

// Copy constructor: copies every member of source, then the mass table.
// masse_ is declared with 255 elements (see above), but the loop copies 256:
// the read of source.masse_[255] and the write to masse_[255] are both one
// past the end.
EdwardsLippertIterator::EdwardsLippertIterator(
    const EdwardsLippertIterator & source) :
  PepIterator(source),
  f_file_(source.f_file_),
  actual_pep_(source.actual_pep_),
  spec_(source.spec_),
  tol_(source.tol_),
  is_at_end_(source.is_at_end_),
  f_iterator_(source.f_iterator_),
  f_entry_(source.f_entry_),
  b_(source.b_),
  e_(source.e_),
  m_(source.m_),
  massMax_(source.massMax_)
{
  for (Size i = 0; i < 256; i++)   // bound should match the array size (255)
  {
    masse_[i] = source.masse_[i];
  }
}

OpenCOLLADA

V557 Array overrun is possible. The '2' index is pointing beyond array bound. mayadmtypes.h 48


struct short2
{
  short values[2];
  // Constructs from two components. values has two elements (0..1), but the
  // second component is stored at values[2], one past the end; values[1] was intended.
  short2(short s1, short s2)
  {
    values[0] = s1;
    values[2] = s2;
  }
  ....
};

QuantLib

V557 Array overrun is possible. The value of 'i' index could reach 64. markovfunctional.cpp 176


Handle<YieldTermStructure> md0Yts() {
  ....
  double q6mh[] = {
    0.0001,0.0001,0.0001,0.0003,0.00055,0.0009,0.0014,0.0019,
    0.0025,0.0031,0.00325,0.00313,0.0031,0.00307,0.00309,
    0.00339,0.00316,0.00326,0.00335,0.00343,0.00358,0.00351,
    0.00388,0.00404,0.00425,0.00442,0.00462,0.00386,0.00491,
    0.00647,0.00837,0.01033,0.01218,0.01382,0.01527,0.01654,
    0.0177,0.01872,0.01959,0.0203,0.02088,0.02132,0.02164,
    0.02186,0.02202,0.02213,0.02222,0.02229,0.02234,0.02238,
    0.02241,0.02243,0.02244,0.02245,0.02247,0.0225,0.02284,
    0.02336,0.02407,0.0245 };
  ....
  for(int i=0;i<10+18+37;i++) {
    q6m.push_back(
      boost::shared_ptr<Quote>(new SimpleQuote(q6mh[i])));
  }
  ....
}

Geant4 software

V557 Array overrun is possible. The value of 'i' index could reach 179. g4lepp.cc 62


enum { NENERGY=22, NANGLE=180 };

class G4LEpp : public G4HadronicInteraction
{
  ....
  G4float * sig[NANGLE];
  static G4float SigCoul[NENERGY][NANGLE];
  ....
};

G4LEpp::SetCoulombEffects(G4int State)
{
  if (State) {
    for(G4int i=0; i<NANGLE; i++)
    {
      sig[i] = SigCoul[i];
    }
    elab = ElabCoul;
  }
  ....
}

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 179. g4lepp.cc 69

Geant4 software

V557 Array overrun is possible. The value of 'j' index could reach 7. g4heinelastic.cc 4682


void
G4HEInelastic::MediumEnergyClusterProduction(....)
{
  ....
  G4double alem[] = {1.40, 2.30, 2.70, 3.00, 3.40, 4.60, 7.00};
  ....
  for (j = 1; j < 8; j++) {
    if (alekw < alem[j]) {
      jmax = j;
      break;
    }
  }
  ....
}

Source Engine SDK

V557 Array overrun is possible. The value of 'i' index could reach 5. Client (HL2) hud_weaponselection.cpp 632

V557 Array overrun is possible. The value of 'i' index could reach 5. Client (HL2) hud_weaponselection.cpp 633


#define MAX_WEAPON_SLOTS    6  // hud item selection slots

void CHudWeaponSelection::Paint()
{
  ....
  int xModifiers[] = { 0, 1, 0, -1 };
  int yModifiers[] = { -1, 0, 1, 0 };

  for ( int i = 0; i < MAX_WEAPON_SLOTS; ++i )
  {
    ....
    xPos += ( m_flMediumBoxWide + 5 ) * xModifiers[ i ];
    yPos += ( m_flMediumBoxTall + 5 ) * yModifiers[ i ];
  ....
}

Miranda IM

V557 Array underrun is possible. The value of 'index' index could reach -1. controls.cpp 491


// Maps a toolbar command id to its index in m_TbButtons, or -1 when no button
// carries that id. (The `const` on the by-value return type has no effect.)
// NOTE: CMenuBar::invoke below feeds the result straight into
// m_TbButtons[index] without checking for -1, so an unknown id becomes a
// read at a negative index.
const int idToIndex(const int id) const
{
  for(int i = 0; i < NR_BUTTONS; i++) {
    if(m_TbButtons[i].idCommand == id )
      return(i);
  }
  return(-1);   // not-found sentinel: callers must check before indexing
}

TBBUTTON CMenuBar::m_TbButtons[8] = {0};

void CMenuBar::invoke(const int id)
{
  const int index = idToIndex(id);
  ....
  if(index == 3 && hContact != 0) {
    ....
  } else if(index == 0) {
    ....
  } else
    hMenu = reinterpret_cast<HMENU>(m_TbButtons[index].dwData);
  ....
}

Coin3D

V557 Array overrun is possible. The '3' index is pointing beyond array bound. somfcolorrgba.cpp 220


// Array-form overload forwarding to the per-component overload.
// hsva is declared with three elements (0..2) but four components are read;
// hsva[3] is past the end. Either the parameter should be hsva[4] (the name
// suggests an alpha component) or the fourth argument should not come from
// this array — which is intended is not visible here.
void
SoMFColorRGBA::set1HSVValue(int idx, const float hsva[3])
{
  this->set1HSVValue(idx, hsva[0], hsva[1], hsva[2], hsva[3]);
}

Wild Magic 5

V557 Array overrun is possible. The value of 'curr' index could reach 2. wm5triangles.cpp 365


void Triangles::UpdateModelTangentsUseTCoords(....)
{
  ....
  Float2 locTCoord[2];
  int curr;
  for (curr = 0; curr < 3; ++curr)
  {
    ....
    locTCoord[curr] = vba.TCoord<Float2>(0, k);
  }
  ....
}

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'curr' index could reach 2. wm5triangles.cpp 382

FlightGear

V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1717


enum {
  ALL_EJECTION_SEATS = -1,   // presumably "apply to every seat"
  MAX_EJECTION_SEATS = 10    // seat count: valid indices are 0..9
};

int eseat_status[MAX_EJECTION_SEATS];  // set_ejection_seat below accepts which_seat == 10, one past the end

void
FGControls::set_ejection_seat( int which_seat, bool val )
{
  ....
  if ((which_seat >= 0) && (which_seat <= MAX_EJECTION_SEATS))
  {
    if ( eseat_status[which_seat] == SEAT_SAFED ||
         eseat_status[which_seat] == SEAT_FAIL )
  ....
}

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1718
  • V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1724
  • V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1738

FFmpeg

V557 Array overrun is possible. The '8' index is pointing beyond array bound. mjpegenc.c 497

V557 Array overrun is possible. The '9' index is pointing beyond array bound. mjpegenc.c 499


void ff_mjpeg_encode_mb(MpegEncContext *s,
                        int16_t block[6][64])
{
    int i;
    if (s->chroma_format == CHROMA_444) {
        encode_block(s, block[0], 0);
        encode_block(s, block[2], 2);
        encode_block(s, block[4], 4);
        encode_block(s, block[8], 8);
        encode_block(s, block[5], 5);
        encode_block(s, block[9], 9);
  ....
}

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The '6' index is pointing beyond array bound. mjpegenc.c 504
  • V557 Array overrun is possible. The '10' index is pointing beyond array bound. mjpegenc.c 505
  • V557 Array overrun is possible. The '7' index is pointing beyond array bound. mjpegenc.c 506
  • And 3 additional diagnostic messages.

Word for Windows 1.1a

V557 Array overrun is possible. The '5' index is pointing beyond array bound. dnatfile.c 444


uns rgwSpare0 [5];

DumpHeader()
{
  ....
  printUns ("rgwSpare0[0]   = ", Fib.rgwSpare0[5], 0, 0, fTrue);
  printUns ("rgwSpare0[1]   = ", Fib.rgwSpare0[1], 1, 1, fTrue);
  printUns ("rgwSpare0[2]   = ", Fib.rgwSpare0[2], 0, 0, fTrue);
  printUns ("rgwSpare0[3]   = ", Fib.rgwSpare0[3], 1, 1, fTrue);
  printUns ("rgwSpare0[4]   = ", Fib.rgwSpare0[4], 2, 2, fTrue);
  ....
}

This is what should have been written here: printUns ("rgwSpare0[0] = ", Fib.rgwSpare0[0], 0, 0, fTrue);


Qt

V557 Array overrun is possible. The value of 'j' index could reach 4. harfbuzz-arabic.c 516


static const JoiningPair joining_table[5][4] = { .... };

/* Joining classes. Values run 0..4; joining_table above is [5][4], so only
 * 0..3 are valid as its second index. */
typedef enum {
    JNone,          /* 0 */
    JCausing,       /* 1 */
    JDual,          /* 2 */
    JRight,         /* 3 */
    JTransparent    /* 4 -- not a valid second index of joining_table */
} Joining;

/* Joining class of a code point in the N'Ko range. Returns JNone below 0x7ca,
 * for 0x7f4..0x7f9 and above 0x7fa. Note that JTransparent (4) is among the
 * results, while getNkoProperties() below uses the returned value as the
 * second index of joining_table[5][4], whose valid range is 0..3. */
static Joining getNkoJoining(unsigned short uc)
{
    if (uc < 0x7ca)
        return JNone;
    if (uc <= 0x7ea)
        return JDual;
    if (uc <= 0x7f3)
        return JTransparent;    /* 0x7eb..0x7f3 */
    if (uc <= 0x7f9)
        return JNone;
    if (uc == 0x7fa)
        return JCausing;
    return JNone;
}

static void getNkoProperties(....)
{
  ....
  Joining j = getNkoJoining(chars[0]);
  ArabicShape shape = joining_table[XIsolated][j].form2;
  ....
}

TortoiseGit

V557 Array underrun is possible. The value of 'idx' index could reach -1. diff_file.c 1052


static int
datasource_to_index(svn_diff_datasource_e datasource)
{
  switch (datasource)
  {
    ....
  }
  return -1;
}

static svn_error_t *
token_compare(....)
{
  ....
  int idx = datasource_to_index(file_token[i]->datasource);
  file[i] = &file_baton->files[idx];
  ....
}

OpenMW

V557 Array overrun is possible. The value of 'idx' index could reach 3. esmtool labels.cpp 502


// Human-readable label for a range type index, or "Invalid" when idx is out
// of range. The table has three entries (0..2) but the guard admits idx == 3
// (`idx <= 3` should be `idx < 3`), so rangeTypeLabels[3] is read past the
// end and a std::string is built from whatever pointer lies there.
std::string rangeTypeLabel(int idx)
{
  const char* rangeTypeLabels [] = {
    "Self",
    "Touch",
    "Target"
  };
  if (idx >= 0 && idx <= 3)   // off by one: 3 is not a valid index
    return rangeTypeLabels[idx];
  else
    return "Invalid";
}

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'idx' index could reach 143. esmtool labels.cpp 391
  • V557 Array overrun is possible. The value of 'idx' index could reach 27. esmtool labels.cpp 475

LibLog

V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 153


typedef struct LogState {
  int     fakeFd;
  char   *debugName;
  int     isBinary;
  ....
} LogState;

#define MAX_OPEN_LOGS 16

static LogState *openLogTable[MAX_OPEN_LOGS];

/* Finds the first free slot in openLogTable, allocates a LogState there and
 * returns it; NULL when no slot is free.
 * Two defects: (1) sizeof(openLogTable) is the table's size in bytes, not its
 * entry count (MAX_OPEN_LOGS), so i runs well past the 16 pointers;
 * (2) the calloc() result is dereferenced without a NULL check. */
static LogState *createLogState()
{
  size_t i;

  for (i = 0; i < sizeof(openLogTable); i++) {   /* bytes, not entries */
    if (openLogTable[i] == NULL) {
      openLogTable[i] = calloc(1, sizeof(LogState));
      openLogTable[i]->fakeFd = FAKE_FD_BASE + i;   /* unchecked allocation */
      return openLogTable[i];
    }
  }
  return NULL;
}

This is what should have been written here: sizeof(openLogTable) / sizeof(openLogTable[0]).

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 154
  • V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 155
  • V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 156

WebRTC

V557 Array overrun is possible. The value of 'btn' index could reach 52. ccapi_snapshot.c 38


cc_string_t lineLabels[MAX_CONFIG_LINES+1] = {0};

void ccsnap_set_line_label(int btn, cc_string_t label) {
  ....
  if ( btn > 0 && btn <= MAX_CONFIG_LINES+1 ) {
    ....
    if ( lineLabels[btn] == NULL ) {
    ....
  }
  ....
}

WebRTC

V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 357

V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 358

V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 359

V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 360


#define MAX_CCMS 4

ccm_cfg_t   ccm[MAX_CCMS];

var_t prot_cfg_table[CFGID_PROTOCOL_MAX+1] = {
  ....
  {"ccmSrstIpAddr",   CFGVAR(ccm[4].address), PA_STR, PR_STR, 0},
  {"ccmSrst_sipPort", CFGVAR(ccm[4].sip_port),PA_INT, PR_INT, 0},
  {"ccmSrst_isValid", CFGVAR(ccm[4].is_valid),PA_INT, PR_INT, 0},
  {"ccmSrst_securityLevel",
                    CFGVAR(ccm[4].sec_level), PA_INT, PR_INT, 0},
  ....
};

ITK

V557 Array overrun is possible. The value of '_vType' index could reach 29. metautils.cxx 239


#define MET_NUM_VALUE_TYPES 29

const char MET_ValueTypeName[MET_NUM_VALUE_TYPES][21] = { ... };

// Copies the name of value type _vType into _s and returns true; returns
// false when _vType is out of range.
//
// The range check uses '<=' where '<' is required: _vType ==
// MET_NUM_VALUE_TYPES (29) passes and reads MET_ValueTypeName[29], one row
// past the end of the table (V557).  Note also that _s carries no size; the
// caller must provide at least the 21 bytes of a table row for strcpy.
bool MET_TypeToString(MET_ValueEnumType _vType, char *_s)
{
  if(_vType>=0 && _vType<=MET_NUM_VALUE_TYPES)  // should be: _vType < MET_NUM_VALUE_TYPES
    {
    strcpy(_s, MET_ValueTypeName[_vType]);
    return true;
    }

  return false;
}

Haiku Operating System

V557 Array overrun is possible. The '8' index is pointing beyond array bound. floppy_ctrl.c 637


typedef struct floppy {
  ....
  uint8 result[8]; /* status of the last finished command; valid indices 0..7 */
  ....
};

/*
 * Dumps the controller's status registers via dprintf.
 *
 * 'result' used to be a local 10-byte buffer; it now aliases flp->result,
 * which holds only 8 bytes.  The dprintf below still reads result[8] and
 * result[9], i.e. two bytes past the end of the struct member (V557).
 */
void
floppy_dump_reg(floppy_t *flp) {
  ....
  //uint8 result[10];           // <= This was correct!
  uint8 *result = flp->result;  // <= Bad fix! :)
  ....
  /* result[8] and result[9] are out of bounds for flp->result[8]. */
  dprintf(FLO "gap=%d wg=%d eis=%d fifo=%d "
              "poll=%d thresh=%d pretrk=%d\n",
    (result[7] & 0x02) >> 1, result[7] & 0x01,
    (result[8] & 0x40) >> 6,
    (result[8] & 0x20) >> 5, (result[8] & 0x10) >> 4,
     result[8] & 0x0f, result[9]);
  ....
}

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The '9' index is pointing beyond array bound. floppy_ctrl.c 638

Godot Engine

V557 Array overrun is possible. The 'Physics2DServer::SHAPE_CONVEX_POLYGON' index is pointing beyond array bound. test_physics_2d.cpp 194


// Shape kinds.  Enumerators are numbered from 0, so SHAPE_CONVEX_POLYGON is 6,
// SHAPE_CONCAVE_POLYGON is 7 and SHAPE_CUSTOM is 8 (nine values in total).
enum ShapeType {
  SHAPE_LINE,            // 0
  SHAPE_RAY,             // 1
  SHAPE_SEGMENT,         // 2
  SHAPE_CIRCLE,          // 3
  SHAPE_RECTANGLE,       // 4
  SHAPE_CAPSULE,         // 5
  SHAPE_CONVEX_POLYGON,  // 6 -- already beyond body_shape_data[6]
  SHAPE_CONCAVE_POLYGON, // 7
  SHAPE_CUSTOM,          // 8
};

// Six elements (indices 0..5): too small to be indexed by SHAPE_CONVEX_POLYGON (6).
BodyShapeData body_shape_data[6];
// Fills body_shape_data with per-shape test resources.
// Physics2DServer::SHAPE_CONVEX_POLYGON has the value 6, so the assignment
// below writes to body_shape_data[6], one element past the end of the
// six-element array (V557).
void _create_body_shape_data()
{
  ....
  body_shape_data[Physics2DServer::SHAPE_CONVEX_POLYGON].image // <= index 6 into an array of 6
    =vs->texture_create_from_image(image);
  ....
}

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The 'Physics2DServer::SHAPE_CONVEX_POLYGON' index is pointing beyond array bound. test_physics_2d.cpp 209

Wine Is Not an Emulator

V557 Array overrun is possible. The '16' index is pointing beyond array bound. winaspi32.c 232


/* SCSI Miscellaneous Stuff */
#define SENSE_LEN      14

typedef struct tagSRB32_ExecSCSICmd {
  ....
  BYTE        SenseArea[SENSE_LEN+2]; /* 16 bytes: valid indices 0..15 */
} SRB_ExecSCSICmd, *PSRB_ExecSCSICmd;

/*
 * Traces the SCSI sense data of a completed request.
 *
 * SenseArea holds SENSE_LEN+2 == 16 bytes (indices 0..15); the TRACE below
 * reads rqbuf[16] and rqbuf[17], i.e. past the end of the member into whatever
 * follows it in the struct (V557).
 */
static void
ASPI_PrintSenseArea(SRB_ExecSCSICmd *prb)
{
  BYTE  *rqbuf = prb->SenseArea;
  ....
  if (rqbuf[15]&0x8) {
    TRACE("Pointer at %d, bit %d\n",
          rqbuf[16]*256+rqbuf[17],rqbuf[15]&0x7);      // <= rqbuf[16], rqbuf[17] are out of bounds
  }
  ....
}

Unreal Engine 4

V557 Array overrun is possible. The 'NumOutUAVs ++' index is pointing beyond array bound. distancefieldlightingshared.h 388


// Unbinds the UAVs of 'ObjectBuffers' from the given shader.
//
// OutUAVs has room for three entries and the three unconditional
// assignments fill it.  When CulledObjectBoxBounds is bound, the fourth
// assignment writes OutUAVs[3], one element past the end of the local array
// (V557); the array needs four slots for that path.
template<typename TParamRef>
void UnsetParameters(
  FRHICommandList& RHICmdList, const TParamRef& ShaderRHI,
  const FDistanceFieldCulledObjectBuffers& ObjectBuffers)
{
  ....
  int32 NumOutUAVs = 0;
  FUnorderedAccessViewRHIParamRef OutUAVs[3]; // indices 0..2
  OutUAVs[NumOutUAVs++] = ObjectBuffers......;
  OutUAVs[NumOutUAVs++] = ObjectBuffers.Bounds.UAV;
  OutUAVs[NumOutUAVs++] = ObjectBuffers.Data.UAV; // array is now full

  if (CulledObjectBoxBounds.IsBound())
  {
    OutUAVs[NumOutUAVs++] = ObjectBuffers.BoxBounds.UAV; // <= writes OutUAVs[3]
  }
  ....
}

ffdshow

V557 Array overrun is possible. The value of 'len' index could reach 16384. - ADDITIONAL IN CURRENT cavisynth.cpp 129


#define MAX_AVISYNTH_SCRIPT_LENGTH 16384

// Lets the user pick an AviSynth script file and loads its text into the
// IDC_ED_AVISYNTH edit control.
//
// fread may return exactly MAX_AVISYNTH_SCRIPT_LENGTH bytes for a file of
// that size or larger; script[len] is then one byte past the end of the
// stack buffer (V557).  Reading at most sizeof(script) - 1 bytes (or
// sizing the buffer MAX_AVISYNTH_SCRIPT_LENGTH + 1) leaves room for the
// terminator.
void TavisynthPage::onLoad(void)
{
  char_t scriptflnm[MAX_PATH] = _l("");
  if (dlgGetFile(....) {
    FILE *f = fopen(scriptflnm, _l("rb"));
    if (f) {
      char script[MAX_AVISYNTH_SCRIPT_LENGTH];
      size_t len =
        fread(script, 1, MAX_AVISYNTH_SCRIPT_LENGTH, f); // len can equal the buffer size
      fclose(f);
      script[len] = '\0'; // <= out-of-bounds write when len == MAX_AVISYNTH_SCRIPT_LENGTH
      setDlgItemText(m_hwnd, IDC_ED_AVISYNTH,
                     text<char_t>(script));
    }
    parent->setChange();
  }
}

ChakraCore

V557 Array overrun is possible. The value of 'i' index could reach 8. rl.cpp 2375


enum TestInfoKind::_TIK_COUNT = 9

// Format strings indexed by TestInfoKind.  Only eight entries are listed
// (indices 0..7) while _TIK_COUNT is 9, so index 8 is past the end.
const char * const TestInfoEnvLstFmt[] =
{
   " TESTFILE=\"%s\"",
   " BASELINE=\"%s\"",
   " CFLAGS=\"%s\"",
   " LFLAGS=\"%s\"",
   NULL,
   NULL,
   NULL,
   NULL    // <= TestInfoEnvLstFmt[7]
};

// Writes the environment list for a test directory.
//
// The loop runs i up to _TIK_COUNT-1 == 8, but TestInfoEnvLstFmt has only
// eight elements; the final iteration reads TestInfoEnvLstFmt[8], one past
// the end (V557).  Either the table needs a ninth entry or the loop should
// be bounded by the table size.
void
WriteEnvLst
(
   Test * pDir, TestList * pTestList
)
{
  ....
  // print the other TIK_*
  for(int i=0;i < _TIK_COUNT; i++) { // i reaches 8
    if (variants->testInfo.data[i] && TestInfoEnvLstFmt[i]){// <= TestInfoEnvLstFmt[8] is out of bounds
       LstFilesOut->Add(TestInfoEnvLstFmt[i],               // <=
                        variants->testInfo.data[i]);
    }
    ....
  }
  ....
}

FreeBSD Kernel

V557 Array overrun is possible. The '2' index is pointing beyond array bound. if_spppsubr.c 4348


#define AUTHKEYLEN  16

struct sauth {
  u_short  proto;
  u_short  flags;
#define AUTHFLAG_NOCALLOUT  1
#define AUTHFLAG_NORECHALLENGE  2
  u_char  name[AUTHNAMELEN];
  u_char  secret[AUTHKEYLEN];
  u_char  challenge[AUTHKEYLEN]; /* 16 bytes; last member of the struct */
};

/*
 * Generates a fresh CHAP challenge into sp->myauth.challenge.
 *
 * The 16-byte challenge is written through a u_long pointer four words at a
 * time.  That only fits when u_long is 4 bytes; with an 8-byte u_long (64-bit
 * kernel) ch[2] and ch[3] land 16 bytes past the end of 'challenge' and
 * overwrite whatever follows myauth inside 'sp' (V557).  Filling the buffer
 * byte-wise, or using a fixed-width type sized to AUTHKEYLEN, avoids the
 * dependency on sizeof(u_long).
 *
 * NOTE(review): random() here does not look like a cryptographic generator;
 * the XOR with the read_random() seed presumably is meant to compensate --
 * confirm this meets the unpredictability expected of a CHAP challenge.
 */
static void
sppp_chap_scr(struct sppp *sp)
{
  u_long *ch, seed;
  u_char clen;

  /* Compute random challenge. */
  ch = (u_long *)sp->myauth.challenge; /* 16 bytes viewed as u_long words */
  read_random(&seed, sizeof seed);
  ch[0] = seed ^ random();
  ch[1] = seed ^ random(); /* with 8-byte u_long the buffer is full here */
  ch[2] = seed ^ random(); // <= out of bounds on 64-bit
  ch[3] = seed ^ random(); // <= out of bounds on 64-bit
  clen = AUTHKEYLEN;
  ....
}

If the kernel is compiled for 64-bit, accessing ch[2] and ch[3] goes out of bounds: u_long is then 8 bytes wide, so the four stores span 32 bytes while sp->myauth.challenge holds only AUTHKEYLEN (16). Details: http://www.viva64.com/en/b/0377/

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The '3' index is pointing beyond array bound. if_spppsubr.c 4349

The GTK+ Project

V557 Array overrun is possible. The value of 'i + 1' index could reach 21. gtkcssselector.c 1219


#define G_N_ELEMENTS(arr)   (sizeof (arr) / sizeof ((arr)[0]))

/*
 * Parses a ":pseudo-class" selector token against the pseudo_classes table.
 *
 * The loop visits every element, yet the body also reads pseudo_classes[i + 1];
 * on the last iteration that is one past the end of the table (V557).  The
 * lookahead needs a guard such as 'i + 1 < G_N_ELEMENTS (pseudo_classes)'
 * before it is dereferenced.
 */
static GtkCssSelector *
parse_selector_pseudo_class (....)
{
  static const struct {
    ....
  } pseudo_classes[] = {
    { "first-child",   0, 0,  POSITION_FORWARD,  0, 1 },
    ....
    { "drop(active)",  0, GTK_STATE_FLAG_DROP_ACTIVE, } /* last element */
  };
  guint i;
  ....
  for (i = 0; i < G_N_ELEMENTS (pseudo_classes); i++) /* i reaches the last index */
    {
      ....
      {
        if (pseudo_classes[i + 1].state_flag == /* <= i + 1 is out of bounds on the last iteration */
            pseudo_classes[i].state_flag)
          _gtk_css_parser_error_full (parser,
          GTK_CSS_PROVIDER_ERROR_DEPRECATED,
          "The :%s pseudo-class is deprecated. Use :%s instead.",
          pseudo_classes[i].name,
          pseudo_classes[i + 1].name); /* <= same lookahead */
        ....
      }
       ....
    }
  ....
}

Identical errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i + 1' index could reach 21. gtkcssselector.c 1224

OpenToonz

V557 Array overrun is possible. The '9' index is pointing beyond array bound. tconvolve.cpp 123


// Applies a 9-tap convolution to one row of a colour-mapped image.
//
// val has nine elements (indices 0..8) and the loop fills exactly those.
// The weighted sums, however, use val[1]..val[9]: val[0] is never read and
// val[9] is one past the end (V557).  It looks like the sums are shifted by
// one relative to the loop and should run over val[0]..val[8] -- confirm
// against the weight definitions, which are elided here.
template <class PIXOUT>
void doConvolve_cm32_row_9_i(....)
{
  TPixel32 val[9];                                  // <= indices 0..8
  ....
  for (int i = 0; i < 9; ++i) {                     // <= OK
    ....
    else if (tone == 0)
      val[i] = inks[ink];
    else
      val[i] = blend(....);
  }

  // Every channel below reads val[9], which does not exist; val[0] is unused.
  pixout->r = (typename PIXOUT::Channel)((
    val[1].r * w1 + val[2].r * w2 + val[3].r * w3 +
    val[4].r * w4 + val[5].r * w5 + val[6].r * w6 +
    val[7].r * w7 + val[8].r * w8 + val[9].r * w9 + // <= ERR
    (1 << 15)) >> 16);
  pixout->g = (typename PIXOUT::Channel)((
    val[1].g * w1 + val[2].g * w2 + val[3].g * w3 +
    val[4].g * w4 + val[5].g * w5 + val[6].g * w6 +
    val[7].g * w7 + val[8].g * w8 + val[9].g * w9 + // <= ERR
    (1 << 15)) >> 16);
  pixout->b = (typename PIXOUT::Channel)((
    val[1].b * w1 + val[2].b * w2 + val[3].b * w3 +
    val[4].b * w4 + val[5].b * w5 + val[6].b * w6 +
    val[7].b * w7 + val[8].b * w8 + val[9].b * w9 + // <= ERR
    (1 << 15)) >> 16);
  pixout->m = (typename PIXOUT::Channel)((
    val[1].m * w1 + val[2].m * w2 + val[3].m * w3 +
    val[4].m * w4 + val[5].m * w5 + val[6].m * w6 +
    val[7].m * w7 + val[8].m * w8 + val[9].m * w9 + // <= ERR
    (1 << 15)) >> 16);
  ....
}

Firebird

V557 Array overrun is possible. The value of 'prefixLen ++' index could reach 124. restore.cpp 10040


const int GDS_NAME_LEN = 32; // temp below is sized GDS_NAME_LEN * 2 == 64 bytes
....
// Restores one function definition from the backup.
//
// temp holds GDS_NAME_LEN * 2 == 64 bytes, but the package name field
// isc_874 is 125 bytes, so prefixLen can reach 124.  The memcpy then copies
// up to 124 bytes into temp and temp[prefixLen++] writes one more (V557):
// a stack buffer overflow driven by the contents of the backup file.
// temp should be sized from the source field (or prefixLen clamped to
// sizeof(temp) - 1) before the copy.
bool get_function(BurpGlobals* tdgbl)
{
  ....
  struct isc_844_struct {
    ....
    short isc_870; /* gds__null_flag */
    ....
    char  isc_874 [125]; /* RDB$PACKAGE_NAME */
    ....
  } isc_844;

  att_type attribute;
  TEXT    temp[GDS_NAME_LEN * 2]; // 64 bytes; smaller than isc_874
  ....
  SSHORT prefixLen = 0;
  if (!/*X.RDB$PACKAGE_NAME.NULL*/
       isc_844.isc_870)
  {
    prefixLen = static_cast<SSHORT>(strlen(/*X.RDB$PACKAGE_NAME*/
                                           isc_844.isc_874)); // up to 124
    memcpy(temp, /*X.RDB$PACKAGE_NAME*/
                 isc_844.isc_874, prefixLen); // overflows temp when prefixLen > 64
    temp[prefixLen++] = '.'; // <= index can reach 124 in a 64-byte buffer
  }
  ....

}

