Файл содержит список потенциальных ошибок, найденных анализатором PVS-Studio 4.36 в проекте ReactOS. ReactOS взят с сайта 25.08.2011. P.S. На самом деле ошибок больше. Предлагаю скачать и внимательно поработать с PVS-Studio. http://www.viva64.com/ ------------------------------------------------------------------------------- V576 Incorrect format. Consider checking the third actual argument of the 'fprintf' function. The char type argument is expected. regedit regproc.c 293 static void REGPROC_unescape_string(WCHAR* str) { ... default: fprintf(stderr,"Warning! Unrecognized escape sequence: \\%c'\n", str[str_idx]); ... } Здесь следует использовать %C. Аналогично здесь: V576 Incorrect format. Consider checking the fourth actual argument of the 'fprintf' function. The char type argument is expected. regedit regedit.c 234 V576 Incorrect format. Consider checking the fourth actual argument of the 'fprintf' function. The char type argument is expected. regedit regedit.c 230 ------------------------------------------------------------------------------- V576 Incorrect format. Consider checking the second actual argument of the 'wprintf' function. The argument is expected to be not greater than 32-bit. dwnl dwnl.c 229 static HRESULT STDMETHODCALLTYPE CBindStatusCallback_OnProgress(...) { ... if (This->szMimeType[0] != _T('\0')) _tprintf(_T("Length: %I64u [%s]\n"), This->Size, This->szMimeType); else _tprintf(_T("Length: %ull\n"), This->Size); ... } Во втором случае также должно использоваться %I64u: _tprintf(_T("Length: %I64u\n"), This->Size); ------------------------------------------------------------------------------- V575 The 'memset' function processes value '8196'. Inspect the second argument. hal bios.c 427 #define RtlFillMemory(Destination, Length, Fill) \ memset(Destination, Fill, Length) #define IOPM_FULL_SIZE 8196 HalpRestoreIopm(VOID) { ... RtlFillMemory(HalpSavedIoMap, 0xFF, IOPM_FULL_SIZE); ... } Перепутаны аргументы. 
Должно быть: RtlFillMemory(HalpSavedIoMap, IOPM_FULL_SIZE, 0xFF); ------------------------------------------------------------------------------- V570 The 'mii->cch' variable is assigned to itself. user32 menu.c 4347 BOOL WINAPI GetMenuItemInfoA(...) { ... mii->cch = mii->cch; ... } Видимо опечатка и должно быть: mii->cch = miiW->cch; ------------------------------------------------------------------------------- V568 It's odd that the argument of sizeof() operator is the 'UnknownError [0] - 20' expression. syssetup wizard.c 1696 static DWORD CALLBACK RegistrationProc(LPVOID Parameter) { ... if (0 == LoadStringW(hDllInstance, IDS_UNKNOWN_ERROR, UnknownError, sizeof(UnknownError) / sizeof(UnknownError[0] - 20))) ... } Не там поставлена скобка и должно быть: if (0 == LoadStringW(hDllInstance, IDS_UNKNOWN_ERROR, UnknownError, sizeof(UnknownError) / sizeof(UnknownError[0]) - 20)) ------------------------------------------------------------------------------- V562 It's odd to compare 0 or 1 with a value of 4294967295. eventlog file.c 264 #define INVALID_SET_FILE_POINTER ((DWORD)-1) BOOL LogfInitializeExisting(PLOGFILE LogFile) { ... if (!SetFilePointer(LogFile->hFile, 0, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER) { DPRINT1("SetFilePointer() failed! %d\n", GetLastError()); return FALSE; } ... } Должно быть: if (SetFilePointer(LogFile->hFile, 0, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER) ------------------------------------------------------------------------------- V560 A part of conditional expression is always true: ACO_AUTOSUGGEST. shell32 autocomplete.c 451 enum _tagAUTOCOMPLETEOPTIONS { ACO_AUTOSUGGEST = 0x1, ... } static LRESULT APIENTRY ACEditSubclassProc() { ... if ((This->options && ACO_AUTOSUGGEST) && ((HWND)wParam != This->hwndListBox)) ... } Спутано && и &. 
Должно быть: if ((This->options & ACO_AUTOSUGGEST) && ((HWND)wParam != This->hwndListBox)) ------------------------------------------------------------------------------- V560 A part of conditional expression is always true: 2. netshell lanstatusui.c 182 VOID UpdateLanStatus(HWND hwndDlg, LANSTATUSUI_CONTEXT * pContext) { ... else if (IfEntry.dwOperStatus == MIB_IF_OPER_STATUS_UNREACHABLE || MIB_IF_OPER_STATUS_DISCONNECTED) ... } Спутано && и &. Должно быть: else if (IfEntry.dwOperStatus == MIB_IF_OPER_STATUS_UNREACHABLE | MIB_IF_OPER_STATUS_DISCONNECTED) (Замечание: приоритет у == выше, чем у |, поэтому и этот вариант всегда истинен; значение нужно сравнивать с каждой константой отдельно: else if (IfEntry.dwOperStatus == MIB_IF_OPER_STATUS_UNREACHABLE || IfEntry.dwOperStatus == MIB_IF_OPER_STATUS_DISCONNECTED).) ------------------------------------------------------------------------------- V560 A part of conditional expression is always true: 10035L. adns transmit.c 203 void adns__querysend_tcp(adns_query qu, struct timeval now) { ... if (!(errno == EAGAIN || EWOULDBLOCK || errno == EINTR || errno == ENOSPC || errno == ENOBUFS || errno == ENOMEM)) { ... } Забыто сравнение. Должно быть: ... || errno == EWOULDBLOCK || ... ------------------------------------------------------------------------------- V549 The first argument of 'strcmp' function matches it's the second argument. stlport locale.cpp 211 static void _Stl_loc_combine_names(_Locale_impl* L, const char* name1, const char* name2, locale::category c) { if ((c & locale::all) == 0 || strcmp(name1, name1) == 0) ... } Опечатка. Должно быть: strcmp(name1, name2) ------------------------------------------------------------------------------- V547 Expression is always false. Probably the '||' operator should be used here. ws2_32_new sockctrl.c 55 INT WSAAPI connect(IN SOCKET s, IN CONST struct sockaddr *name, IN INT namelen) { ... /* Check if error code was due to the host not being found */ if ((Status == SOCKET_ERROR) && (ErrorCode == WSAEHOSTUNREACH) && (ErrorCode == WSAENETUNREACH)) { ... } Видимо перепутана операция && и ||. 
Должно быть: if ((Status == SOCKET_ERROR) && ((ErrorCode == WSAEHOSTUNREACH) || (ErrorCode == WSAENETUNREACH))) ------------------------------------------------------------------------------- V547 Expression is always true. Probably the '&&' operator should be used here. win32k arc.c 67 typedef enum _ARCTYPE { GdiTypeArc, GdiTypeArcTo, GdiTypeChord, GdiTypePie, } ARCTYPE, *PARCTYPE; BOOL IntArc(...) { ... if ((Left == Right) || (Top == Bottom) || (((arctype != GdiTypeArc) || (arctype != GdiTypeArcTo)) && ((Right - Left == 1) || (Bottom - Top == 1)))) return TRUE; ... } Выражение (arctype != GdiTypeArc) || (arctype != GdiTypeArcTo) всегда истинно. Видимо должно быть: (arctype != GdiTypeArc) && (arctype != GdiTypeArcTo) ------------------------------------------------------------------------------- V547 Expression 'LeftOfBuffer < 0' is always false. Unsigned type value is never < 0. svchost svchost.c 56 BOOL PrepareService(LPCTSTR ServiceName) { DWORD LeftOfBuffer; ... if (LeftOfBuffer < 0) { DPRINT1("Buffer overflow for service name: '%s'\n", ServiceName); return FALSE; } ... } Подобных мест много, но сложно понять, насколько они критичны! Например, вот код, который корректен, хотя и избыточен: V547 Expression 'c >= 0' is always true. Unsigned type value is always >= 0. stlport ctype.cpp 282 struct _WCharIndexT<true> { static bool in_range(wchar_t c, size_t upperBound) { return c >= 0 && size_t(c) < upperBound; } Достаточно: return size_t(c) < upperBound; ------------------------------------------------------------------------------- V547 Expression '(Minor != 0x02) || (Minor != 0x13)' is always true. Probably the '&&' operator should be used here. ramdisk ramdisk.c 1955 #define IRP_MN_REMOVE_DEVICE 0x02 #define IRP_MN_QUERY_ID 0x13 NTSTATUS RamdiskPnp(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { ... // Only remove-device and query-id are allowed if ((Minor != IRP_MN_REMOVE_DEVICE) || (Minor != IRP_MN_QUERY_ID)) ... 
} Должно быть: if ((Minor == IRP_MN_REMOVE_DEVICE) || (Minor == IRP_MN_QUERY_ID)) Аналогичная ошибка: V547 Expression is always true. Probably the '&&' operator should be used here. ntoskrnl section.c 1685 V547 Expression is always true. Probably the '&&' operator should be used here. fastfat create.c 456 ------------------------------------------------------------------------------- V547 Expression is always false. Unsigned type value is never < 0. opengl32 font.c 1099 BOOL APIENTRY IntUseFontOutlinesW(...) { ... if (GetGlyphOutline(hDC, glyphIndex, GGO_NATIVE, &glyphMetrics, glyphBufSize, glyphBuf, &matrix) < 0) { HeapFree(GetProcessHeap(), 0, glyphBuf); return FALSE; /*WGL_STATUS_FAILURE*/ } ... } Должно быть: if (GetGlyphOutline(hDC, glyphIndex, GGO_NATIVE, &glyphMetrics, glyphBufSize, glyphBuf, &matrix) == GDI_ERROR) Аналогичное здесь: V547 Expression 'glyphSize < 0' is always false. Unsigned type value is never < 0. opengl32 font.c 1084 ------------------------------------------------------------------------------- V547 Expression 'IntEaLength >= 0' is always true. Unsigned type value is always >= 0. ntoskrnl util.c 220 NTSTATUS IoCheckEaBufferValidity(...) { ULONG NextEaBufferOffset, IntEaLength; ... if (IntEaLength >= 0) { EaBufferEnd = (PFILE_FULL_EA_INFORMATION) ((ULONG_PTR)EaBufferEnd + EaBufferEnd->NextEntryOffset); continue; } } И здесь: V547 Expression 'IntEaLength >= 0' is always true. Unsigned type value is always >= 0. ntoskrnl util.c 198 Еще одна функция работает не так, как надо. Ошибку очень непросто найти тестированием. Статический анализ просто необходим в подобных проектах. Ошибок V547 что-то очень много... ------------------------------------------------------------------------------- V547 Expression 'i < 512' is always true. The value range of unsigned char type: [0, 255]. freeldr_common xboxhw.c 344 static VOID DetectBiosDisks(...) { UCHAR DiskCount, i; ... for (i = 0; ! 
Changed && i < 512; i++) { Changed = ((PUCHAR)DISKREADBUFFER)[i] != 0xcd; } ... } Здесь возникнет вечный цикл, если в первых 255 байтах будет значение 0xcd. Аналогичная ошибка: V547 Expression 'i < 512' is always true. The value range of unsigned char type: [0, 255]. freeldr_common hardware.c 826 ------------------------------------------------------------------------------- V547 Expression 'ads->tcpsocket >= 0' is always true. Unsigned type value is always >= 0. adns setup.c 683 typedef UINT_PTR SOCKET; #define ADNS_SOCKET SOCKET struct adns__state { ... ADNS_SOCKET udpsocket, tcpsocket; ... }; void adns_finish(adns_state ads) { ... if (ads->tcpsocket >= 0) adns_socket_close(ads->tcpsocket); ... } Аналогичные проблемы здесь: V547 Expression 'ads->udpsocket < 0' is always false. Unsigned type value is never < 0. adns setup.c 539 V547 Expression 'fd < 0' is always false. Unsigned type value is never < 0. adns event.c 117 P.S. Про подобные случаи я молчу, но их много: V547 Expression 'ads->udpsocket >= 0' is always true. Unsigned type value is always >= 0. adns check.c 105 static void checkc_global(adns_state ads) { ... assert(ads->udpsocket >= 0); ... } ------------------------------------------------------------------------------- V531 It is odd that a sizeof() operator is multiplied by sizeof(). eventvwr eventvwr.c 1112 и далее... VOID DisplayEvent(HWND hDlg) { WCHAR szEventType[MAX_PATH]; WCHAR szTime[MAX_PATH]; WCHAR szDate[MAX_PATH]; ... ListView_GetItemText(hwndListView, iIndex, 0, szEventType, sizeof(szEventType) * sizeof(WCHAR)); ListView_GetItemText(hwndListView, iIndex, 1, szDate, sizeof(szDate) * sizeof(WCHAR)); ListView_GetItemText(hwndListView, iIndex, 2, szTime, sizeof(szTime) * sizeof(WCHAR)); ... } Кажется, здесь умножения на sizeof(WCHAR) лишние. (Последний аргумент задаёт размер буфера в символах, поэтому завышенное значение — это потенциальный выход за границу буфера, а не просто лишнее действие.) ------------------------------------------------------------------------------- V530 The return value of function 'wcscmp' is required to be utilized. 
msdmo dmoreg.c 617 if (ERROR_SUCCESS == hres) { Names[count] = HeapAlloc(GetProcessHeap(), 0, strlenW(szValue) + 1); if (Names[count]) strcmpW(Names[count], szValue); } Странно, что результат вызова функции strcmpW() никак не используется. ------------------------------------------------------------------------------- V529 Odd semicolon ';' after 'if' operator. tdi events.c 126 BOOLEAN CTEScheduleEvent(PCTE_DELAYED_EVENT Event, PVOID Context) { ... if (!Event->Queued); { Event->Queued = TRUE; Event->Context = Context; ExQueueWorkItem(&Event->WorkItem, CriticalWorkQueue); } ... } Лишняя ';'. Аналогичная ошибка: V529 Odd semicolon ';' after 'if' operator. ntoskrnl mdlsup.c 1177 ------------------------------------------------------------------------------- V527 It is odd that the L'\0' value is assigned to 'wchar_t' type pointer. Probably meant: *lpBackSlash = L'\0'. desk screensaver.c 453 static VOID AddScreenSavers(HWND hwndDlg, PDATA pData) { ... LPTSTR lpBackSlash; lpBackSlash = _tcsrchr(szSearchPath, _T('\\')); if (lpBackSlash != NULL) { lpBackSlash = '\0'; SearchScreenSavers(hwndScreenSavers, szSearchPath, pData); } } Вместо того, чтобы отбросить всё после последнего символа \, просто обнулили указатель lpBackSlash. Должно быть: *lpBackSlash = '\0'; ------------------------------------------------------------------------------- V523 The 'then' statement is equivalent to the 'else' statement. cardlib cardbutton.cpp 83 void CardButton::DrawRect(HDC hdc, RECT *rect, bool fNormal) { ... HPEN hhi = CreatePen(0, 0, MAKE_PALETTERGB(crHighlight)); HPEN hsh = CreatePen(0, 0, MAKE_PALETTERGB(crShadow)); ... if(fNormal) hOld = SelectObject(hdc, hhi); else hOld = SelectObject(hdc, hhi); ... } Видимо должно быть: if(fNormal) hOld = SelectObject(hdc, hhi); else hOld = SelectObject(hdc, hsh); ------------------------------------------------------------------------------- V517 The use of 'if (A) {...} else if (A) {...}' pattern was detected. 
There is a probability of logical error presence. Check lines: 1190, 1198. setupapi devclass.c 1190 BOOL WINAPI SetupDiGetClassDevPropertySheetsW(...) { ... else if (!PropertySheetHeader) SetLastError(ERROR_INVALID_PARAMETER); else if (PropertySheetHeader->dwFlags & PSH_PROPSHEETPAGE) ... else if (!PropertySheetHeader) SetLastError(ERROR_INVALID_PARAMETER); ... } Два раза повторяется: "else if (!PropertySheetHeader)". ------------------------------------------------------------------------------- V517 The use of 'if (A) {...} else if (A) {...}' pattern was detected. There is a probability of logical error presence. Check lines: 177, 182. mmixer filter.c 177 ULONG MMixerGetControlTypeFromTopologyNode(IN LPGUID NodeType) { ... else if (IsEqualGUIDAligned(NodeType, (LPGUID)&KSNODETYPE_MUX)) { /* mux control */ return MIXERCONTROL_CONTROLTYPE_MUX; } else if (IsEqualGUIDAligned(NodeType, (LPGUID)&KSNODETYPE_MUX)) { /* mux control */ return MIXERCONTROL_CONTROLTYPE_MUX; } ... } ------------------------------------------------------------------------------- V514 Dividing sizeof a pointer 'sizeof (szText)' by another value. There is a probability of logical error presence. shell32 drive.c 126 VOID GetDriveNameWithLetter(LPWSTR szText, UINT Length, WCHAR Drive) { ... TempLength = LoadStringW(shell32_hInstance, IDS_DRIVE_FIXED, &szText[Length+1], (sizeof(szText)/sizeof(WCHAR))- Length - 2); ... } Здесь "sizeof(szText)/sizeof(WCHAR)" размер указателя делится на размер WCHAR. Видимо хотели сделать другое. ------------------------------------------------------------------------------- V512 A call of the 'memcpy' function will lead to underflow of the buffer 'buffer'. user32 dllmain.c 162 VOID UnloadAppInitDlls() { ... WCHAR buffer[KEY_LENGTH]; ... RtlCopyMemory(buffer, szAppInit, KEY_LENGTH); ... } Забыто умножение на sizeof(WCHAR), из-за чего копируется только половина данных. 
Должно быть: RtlCopyMemory(buffer, szAppInit, KEY_LENGTH * sizeof(WCHAR)); ------------------------------------------------------------------------------- V512 A call of the 'memset' function will lead to underflow of the buffer '((file_path))'. sndrec32 sndrec32.cpp 769 typedef WCHAR TCHAR,*PTCHAR; TCHAR file_path[MAX_PATH]; #define MAX_PATH 260 LRESULT CALLBACK WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam ) { ... ZeroMemory( file_path, MAX_PATH ); ... } Очищаем только половину буфера. Должно быть: ZeroMemory( file_path, MAX_PATH * sizeof(TCHAR)); Аналогичная ситуация: V512 A call of the 'memcpy' function will lead to a buffer underflow. smss client.c 442 ------------------------------------------------------------------------------- V512 A call of the 'memset' function will lead to underflow of the buffer '((pfd))'. shell32 pidl.c 1160 HRESULT WINAPI SHGetDataFromIDListW(...) { ... WIN32_FIND_DATAW * pfd = dest; ... ZeroMemory(pfd, sizeof (WIN32_FIND_DATAA)); } Должно быть: ZeroMemory(pfd, sizeof (WIN32_FIND_DATAW)); ------------------------------------------------------------------------------- V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 991 #define MEMSET_BZERO(p,l) memset((p), 0, (l)) char *SHA384_End(SHA384_CTX* context, char buffer[]) { ... MEMSET_BZERO(context, sizeof(context)); ... } Очищаются только первые байты, а не вся структура. Должно быть: MEMSET_BZERO(context, sizeof(*context)); Аналогичные места с подобной ошибкой: V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 566 V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 587 V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 896 V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. 
rsaenh sha2.c 916 V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 971 ------------------------------------------------------------------------------- V512 A call of the 'memcmp' function will lead to underflow of the buffer 'guidentry'. oleaut32 typelib2.c 320 #define IsEqualGUID(rguid1, rguid2) (!memcmp(&(rguid1), &(rguid2), sizeof(GUID))) static int ctl2_find_guid(...) { MSFT_GuidEntry *guidentry; ... if (IsEqualGUID(guidentry, guid)) return offset; ... } Макросы зло! Они так ловко скрывают от глаз ошибки. Ошибка в том, что guidentry это уже указатель. Корректный вариант кода: if (IsEqualGUID(*guidentry, guid)) return offset; Аналогичная ошибка: V512 A call of the 'memcmp' function will lead to overflow of the buffer '& (pguidCmdGroup)'. browseui bandsite.cpp 722 ------------------------------------------------------------------------------- V511 The sizeof() operator returns size of the pointer, and not of the array, in 'sizeof (dest)' expression. glu32 mapdesc.cc 95 void Mapdesc::identify( REAL dest[MAXCOORDS][MAXCOORDS] ) { memset( dest, 0, sizeof( dest ) ); for( int i=0; i != hcoords; i++ ) dest[i][i] = 1.0; } Очищаем только часть буфера, так как sizeof(dest) возвращает размер указателя, а не массива. Правильный вариант: Mapdesc::identify( REAL (&dest)[MAXCOORDS][MAXCOORDS] ) { memset( dest, 0, sizeof( dest ) ); for( int i=0; i != hcoords; i++ ) dest[i][i] = 1.0; } ------------------------------------------------------------------------------- V502 Perhaps the '?:' operator works in a different way than it was expected. The '?:' operator has a lower priority than the '+' operator. uniata id_dma.cpp 1610 VOID NTAPI AtapiDmaInit(...) { ... ULONG treg = 0x54 + (dev < 3) ? (dev << 1) : 7; ... } Условие "0x54 + (dev < 3)" всегда истинное. Корректный вариант кода: ULONG treg = 0x54 + ((dev < 3) ? 
(dev << 1) : 7); ------------------------------------------------------------------------------- V501 There are identical sub-expressions to the left and to the right of the '&&' operator: str [0] == '\\' && str [0] == '\\' urlmon uri.c 273 static inline BOOL is_unc_path(const WCHAR *str) { return (str[0] == '\\' && str[0] == '\\'); } ------------------------------------------------------------------------------- V501 There are identical sub-expressions 'SetLocalTime (lpSystemTime)' to the left and to the right of the '&&' operator. timedate dateandtime.c 51 BOOL SystemSetLocalTime(LPSYSTEMTIME lpSystemTime) { ... Ret = SetLocalTime(lpSystemTime) && SetLocalTime(lpSystemTime); ... } Аналогично здесь: V501 There are identical sub-expressions 'SetLocalTime (& SetupData->SystemTime)' to the left and to the right of the '&&' operator. syssetup wizard.c 1398 ------------------------------------------------------------------------------- V501 There are identical sub-expressions '_ILIsControlPanel (pidl)' to the left and to the right of the '||' operator. shell32 she_ocmenu.c 1222 HRESULT SHEOW_LoadOpenWithItems(SHEOWImpl *This, IDataObject *pdtobj) { ... if (_ILIsDesktop(pidl) || _ILIsMyDocuments(pidl) || _ILIsControlPanel(pidl) || _ILIsNetHood(pidl) || _ILIsBitBucket(pidl) || _ILIsDrive(pidl) || _ILIsCPanelStruct(pidl) || _ILIsFolder(pidl) || _ILIsControlPanel(pidl)) { TRACE("pidl is a folder\n"); SHFree((void*)pidl); return E_FAIL; } ... } Можно сломать глаза, но если присмотреться, то можно заметить, что _ILIsControlPanel(pidl) присутствует 2 раза. ------------------------------------------------------------------------------- V501 There are identical sub-expressions 'item->member.para.pCell' to the left and to the right of the '&&' operator. riched20 writer.c 254 static BOOL ME_StreamOutRTFFontAndColorTbl(...) { ... if (item->member.para.pCell && item->member.para.pCell) ... 
} ------------------------------------------------------------------------------- V501 There are identical sub-expressions to the left and to the right of the '||' operator. ole32 filelockbytes.c 139 static HRESULT WINAPI FileLockBytesImpl_QueryInterface( ILockBytes *iface, REFIID riid, void **ppvObject) { if (IsEqualIID(riid, &IID_ILockBytes) || IsEqualIID(riid, &IID_ILockBytes)) *ppvObject = iface; ... } ------------------------------------------------------------------------------- V501 There are identical sub-expressions '(* DebugOptionEnd == ' ')' to the left and to the right of the '||' operator. ntoskrnl kdinit.c 194 BOOLEAN KdInitSystem(IN ULONG BootPhase, IN PLOADER_PARAMETER_BLOCK LoaderBlock) { ... /* Check if this is a comma, a space or a tab */ if ((*DebugOptionEnd == ',') || (*DebugOptionEnd == ' ') || (*DebugOptionEnd == ' ')) ... } Ложное срабатывание. Анализатор перед началом работы заменил все табы на пробелы. Из-за этого и нашлось это место. Таб написан явно. Должно быть: if ((*DebugOptionEnd == ',') || (*DebugOptionEnd == ' ') || (*DebugOptionEnd == '\t')) ------------------------------------------------------------------------------- V501 There are identical sub-expressions to the left and to the right of the '==' operator: sizeof (GUID) == sizeof (GUID) ntoskrnl events.c 180 NTSTATUS PopAddRemoveSysCapsCallback(...) { else if (RtlCompareMemory(&Notification->Event, &GUID_DEVICE_INTERFACE_REMOVAL, sizeof(GUID) == sizeof(GUID))) } Видимо, не там поставлена скобка и должно быть: if (RtlCompareMemory(&Notification->Event, &GUID_DEVICE_INTERFACE_REMOVAL, sizeof(GUID)) == sizeof(GUID)) Аналогично: V501 There are identical sub-expressions to the left and to the right of the '==' operator: sizeof (GUID) == sizeof (GUID) ntoskrnl events.c 178 ------------------------------------------------------------------------------- V501 There are identical sub-expressions '* ScanString == L'\"'' to the left and to the right of the '||' operator. 
kernel32 proc.c 2326 BOOL CreateProcessInternalW(...) { ... if (*ScanString == L'\"' || *ScanString == L'^' || *ScanString == L'\"') ... } ------------------------------------------------------------------------------- V501 There are identical sub-expressions to the left and to the right of the '&' operator: dwEnabledOptions & dwEnabledOptions jscript jscript.c 905 static HRESULT WINAPI JScriptSafety_SetInterfaceSafetyOptions(...) { ... This->safeopt = dwEnabledOptions & dwEnabledOptions; ... } ------------------------------------------------------------------------------- V501 There are identical sub-expressions 'sizeof (mag [0][0])' to the left and to the right of the '/' operator. glu32 mapdescv.cc 131 REAL Mapdesc::calcPartialVelocity (...) { ... const int istride = sizeof( tmp[0]) / sizeof( tmp[0][0][0] ); const int jstride = sizeof( tmp[0][0]) / sizeof( tmp[0][0][0] ); const int mistride = sizeof( mag[0]) / sizeof( mag[0][0] ); const int mjstride = sizeof( mag[0][0]) / sizeof( mag[0][0] ); ... } Copy-Paste сделал своё дело. Должно быть: const int mjstride = sizeof( mag[0][0]) / sizeof( mag[0][0][0] ); ------------------------------------------------------------------------------- V501 There are identical sub-expressions '!(types [i + 1] & PathPointTypeBezier)' to the left and to the right of the '||' operator. gdiplus graphics.c 925 static GpStatus draw_poly(...) { if((i + 2 >= count) || !(types[i + 1] & PathPointTypeBezier) || !(types[i + 1] & PathPointTypeBezier)){ } ------------------------------------------------------------------------------- V579 The strncmp function receives the pointer and its size as arguments. It is possibly a mistake. Inspect the third argument. vga vbe.c 57 И далее. static const PCHAR Nv11Board = "NV11 (GeForce2) Board"; static const PCHAR Nv11Chip = "Chip Rev B2"; static const PCHAR Nv11Vendor = "NVidia Corporation"; BOOLEAN IsVesaBiosOk(...) { ... 
if (!(strncmp(Vendor, Nv11Vendor, sizeof(Nv11Vendor))) && !(strncmp(Product, Nv11Board, sizeof(Nv11Board))) && !(strncmp(Revision, Nv11Chip, sizeof(Nv11Chip))) && (OemRevision == 0x311)) ... } Ошибка в том, что sizeof() возвращает размер указателя, а не длину строки. Аналогичные ошибки здесь: V579 The strncmp function receives the pointer and its size as arguments. It is possibly a mistake. Inspect the third argument. vga vbe.c 54 V579 The WriteFile function receives the pointer and its size as arguments. It is possibly a mistake. Inspect the third argument. syssetup logfile.c 188 ------------------------------------------------------------------------------- V579 The memset function receives the pointer and its size as arguments. It is possibly a mistake. Inspect the third argument. ntoskrnl cmcontrl.c 121 typedef struct _HHIVE { ... } HHIVE, *PHHIVE; VOID CmGetSystemControlValues(...) { PHHIVE SystemHive = (PHHIVE)&CmControlHive; ... RtlZeroMemory(SystemHive, sizeof(SystemHive)); ... } Видимо здесь должно быть: RtlZeroMemory(SystemHive, sizeof(*SystemHive)); ------------------------------------------------------------------------------- V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1482 static void move_dir_to_dir(...) { ... szFrom[lstrlenW(szFrom) + 1] = '\0'; ... } Очень подозрительный код. Скорее всего хотели сделать нечто иное. Аналогичные фрагменты: V557 Array overrun is possible. The value of 'lstrlenW (szTo) + 1' index could reach 260. shell32 shlfileop.c 1192 V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1196 V557 Array overrun is possible. The value of 'lstrlenW (curdir) + 1' index could reach 261. shell32 shlfileop.c 1274 ------------------------------------------------------------------------------- V537 Consider reviewing the correctness of 'x' item's usage. win32k bitblt.c 670 BOOL APIENTRY GreStretchBltMask(...) { ... 
MaskPoint.x += DCMask->ptlDCOrig.x; MaskPoint.y += DCMask->ptlDCOrig.x; ... } Мне кажется, здесь должно быть: MaskPoint.x += DCMask->ptlDCOrig.x; MaskPoint.y += DCMask->ptlDCOrig.y; ------------------------------------------------------------------------------- V537 Consider reviewing the correctness of 'X' item's usage. gdiplus region.c 715 GpStatus WINGDIPAPI GdipGetRegionBoundsI() { ... if(status == Ok){ rect->X = roundr(rectf.X); rect->Y = roundr(rectf.X); rect->Width = roundr(rectf.Width); rect->Height = roundr(rectf.Height); } ... } Мне кажется, здесь должно быть: rect->Y = roundr(rectf.Y); ------------------------------------------------------------------------------- V519 The 'bih.bV5AlphaMask' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 357, 358. windowscodecs bmpencode.c 358 static HRESULT WINAPI BmpFrameEncode_Commit(...) { ... bih.bV5RedMask = This->format->redmask; bih.bV5GreenMask = This->format->greenmask; bih.bV5BlueMask = This->format->bluemask; bih.bV5AlphaMask = This->format->alphamask; bih.bV5AlphaMask = LCS_DEVICE_RGB; ... } Быть может, хотелось так? bih.bV5AlphaMask = This->format->alphamask; bih.bV5CSType = LCS_DEVICE_RGB; ------------------------------------------------------------------------------- V519 The 'v2' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 343, 343. win32k gradient.c 343 BOOL FASTCALL IntEngGradientFillTriangle(...) { ... SWAP(v2,v3,t); ... } Вначале я был в недоумении. Что же с макросом SWAP может быть не так. Оказывается: #define SWAP(a,b,c) c = a;\ a = b;\ a = c Шедевр! :) Должно быть: #define SWAP(a,b,c) c = a;\ a = b;\ b = c ------------------------------------------------------------------------------- V519 The 'CenterCount' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 4125, 4126. win32k dib32gen.c 4126 static void DIB_32BPP_BitBlt_SRCCOPY(PBLTINFO BltInfo) { ... 
CenterCount = BltInfo->DestRect.right - BltInfo->DestRect.left; CenterCount = 4 * (BltInfo->DestRect.right - BltInfo->DestRect.left); ... } Что-то тут не так. И здесь тоже: V519 The 'CenterCount' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 4102, 4103. win32k dib32gen.c 4103 ------------------------------------------------------------------------------- V519 The 'DriverObject->MajorFunction [0x0f]' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 1058, 1059. scsiport scsiport.c 1059 #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f #define IRP_MJ_SCSI 0x0f ULONG NTAPI ScsiPortInitialize(...) { ... DriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = ScsiPortDeviceControl; DriverObject->MajorFunction[IRP_MJ_SCSI] = ScsiPortDispatchScsi; ... } Подозрительный код. ------------------------------------------------------------------------------- V519 The 'pmsnName->SectionFileName.Length' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 294, 295. psapi psapi.c 295 static DWORD InternalGetMappedFileName(...) { ... pmsnName->SectionFileName.Length = 0; pmsnName->SectionFileName.Length = nBufSize; ... } Подозрительный код. ------------------------------------------------------------------------------- V519 The 'ObjectName' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 1129, 1130. ntoskrnl obname.c 1130 typedef WCHAR *PWCH; NTSTATUS ObQueryNameString(...) { PWCH ObjectName; ... /* Directory without a name, we add "..." */ ObjectName -= sizeof(L"..."); ObjectName = L"..."; break; ... } ------------------------------------------------------------------------------- V593 Consider reviewing the expression of the 'A = B == C' kind. The expression is calculated as following: 'A = (B == C)'. winhttp net.c 934 DWORD netconn_set_timeout( netconn_t *netconn, BOOL send, int value ) { ... if ((res = setsockopt(....) 
== -1)) { WARN("setsockopt failed (%s)\n", strerror( errno )); return sock_get_error( errno ); } return ERROR_SUCCESS; } Не ошибка. Работает, так как res потом нигде не используется. Должно быть просто: if (setsockopt(....) == -1) Аналогично здесь: V593 Consider reviewing the expression of the 'A = B != C' kind. The expression is calculated as following: 'A = (B != C)'. winhttp net.c 891 ------------------------------------------------------------------------------- V590 Consider inspecting the '* token == ' ' && * token != '\0'' expression. The expression is excessive or contains a misprint. wininet http.c 800 static inline BOOL is_basic_auth_value( LPCWSTR pszAuthValue, LPWSTR *pszRealm ) { ... while (*token == ' ' && *token != '\0') token++; ... } Не ошибка, но лишняя проверка. Достаточно: while (*token == ' ') token++; Аналогично: V590 Consider inspecting the '* realm == ' ' && * realm != '\0'' expression. The expression is excessive or contains a misprint. wininet http.c 794 V590 Consider inspecting the '* str == ' ' && * str != '\0'' expression. The expression is excessive or contains a misprint. wininet http.c 762 ------------------------------------------------------------------------------- V519 The 'cols [1]' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 716, 719. cardlib cardwindow.cpp 719 NTSTATUS CreateCdRomDeviceObject(...) { ... cddata->XAFlags &= ~XA_USE_6_BYTE; cddata->XAFlags = XA_USE_READ_CD | XA_USE_10_BYTE; ... } ------------------------------------------------------------------------------- V519 The 'cols [1]' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 716, 719. cardlib cardwindow.cpp 719 HPALETTE CardWindow::CreateCardPalette() { ... //include button text colours cols[0] = RGB(0, 0, 0); cols[1] = RGB(255, 255, 255); //include the base background colour cols[1] = crBackgnd; //include the standard button colours... 
cols[3] = CardButton::GetHighlight(crBackgnd); cols[4] = CardButton::GetShadow(crBackgnd); cols[5] = CardButton::GetFace(crBackgnd); ... } Видимо должно быть: cols[2] = crBackgnd; -------------------------------------------------------------------------------