Examples of errors detected by the V512 diagnostic.

V512. A call of the 'Foo' function will lead to a buffer overflow or underflow.


SMTP Client

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. CSmtp md5.cpp 212


void MD5::finalize () {
  ...
  uint1 buffer[64];
  ...
  // Zeroize sensitive information
  memset (buffer, 0, sizeof(*buffer));
  ...
}

Most likely this is what should be written here: memset (buffer, 0, sizeof(buffer)); As written, sizeof(*buffer) is the size of one uint1 element, so only the first of the 64 bytes is cleared and the rest of the hash state stays in memory. Note also that the buffer goes out of scope right after the call, so a compiler is free to drop even the corrected memset as a dead store; memset_s, explicit_bzero, SecureZeroMemory or a loop through a volatile pointer are the reliable way to wipe secrets.
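
The two wrong sizes seen here (one element of an array) and in the many sizeof(pointer) cases further down this page, next to a wipe the optimizer cannot remove, as an added example in C. It is written for this page and is not code from CSmtp or any other project listed here; the hash_ctx layout is a constructed stand-in, and the wrong sizes are passed through a variable only so the snippet compiles cleanly even with -Werror (GCC and Clang flag the literal memset(ctx, 0, sizeof(ctx)) with -Wsizeof-pointer-memaccess, which is worth enabling):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a hash context such as MD5's state plus its
   64-byte block buffer; only its size matters for the demonstration. */
typedef struct {
    uint32_t state[8];
    uint64_t bitcount;
    uint8_t  buffer[64];
} hash_ctx;

/* Wipe that survives optimization: each store goes through a volatile
   pointer, so the compiler may not treat it as a dead store.  C11 memset_s,
   explicit_bzero or SecureZeroMemory do the same where available. */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* Takes the size from the pointed-to object, so a pointer argument cannot
   silently shrink the length to sizeof(void *). */
#define ZERO_OBJECT(p) secure_wipe((p), sizeof(*(p)))

/* Count the bytes of an object that still hold data after a wipe. */
static size_t bytes_left(const void *p, size_t n)
{
    const uint8_t *b = (const uint8_t *)p;
    size_t left = 0;
    for (size_t i = 0; i < n; i++)
        left += (b[i] != 0);
    return left;
}

/* The sizeof(pointer) pattern: memset(ctx, 0, sizeof(ctx)) clears only
   4 or 8 bytes of the context.  Returns the number of bytes left over. */
size_t wipe_with_sizeof_pointer(void)
{
    hash_ctx c;
    hash_ctx *ctx = &c;
    memset(ctx, 0xA5, sizeof(*ctx));      /* constructed "sensitive" content */
    size_t wrong = sizeof(ctx);           /* pointer size, not object size */
    memset(ctx, 0, wrong);
    return bytes_left(&c, sizeof(c));
}

/* The MD5::finalize pattern: sizeof(*buffer) is one element of the array,
   so a single byte of the 64-byte block is cleared. */
size_t wipe_with_sizeof_element(void)
{
    uint8_t buffer[64];
    memset(buffer, 0xA5, sizeof(buffer));
    size_t wrong = sizeof(*buffer);       /* one uint8_t */
    memset(buffer, 0, wrong);
    return bytes_left(buffer, sizeof(buffer));
}

/* Correct form: the object's own size, through a wipe the compiler keeps. */
size_t wipe_correctly(void)
{
    hash_ctx c;
    memset(&c, 0xA5, sizeof(c));
    ZERO_OBJECT(&c);
    return bytes_left(&c, sizeof(c));
}
```

The two wrong variants leave 96 bytes (on a 64-bit build) and 63 bytes of the "secret" in place; ZERO_OBJECT leaves none, and because the stores are volatile the result does not depend on the optimization level.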


Fennec Media

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. base windows.c 150


#define uinput_size       1024
typedef wchar_t letter;

letter  uinput_text[uinput_size];

string basewindows_getuserinput(const string title,
  const string cap, const string dtxt)
{
  memset(uinput_text, 0, uinput_size);
  ...
}

At first sight, everything is fine with "memset(uinput_text, 0, uinput_size);". Perhaps it even was fine back when the 'letter' type was 'char'. But now it is 'wchar_t', so uinput_size bytes cover only half of the buffer. The robust form is memset(uinput_text, 0, sizeof(uinput_text)), which keeps working if the element type changes again.


Fennec Media

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. base windows.c 2892


typedef wchar_t letter;

letter name[30];

int Conv_EqualizerProc(HWND hwnd,UINT uMsg,
  WPARAM wParam,LPARAM lParam)
{
  ...
  memset(eqp.name, 0, 30);
  ...
}

This is what should have been written here: sizeof(letter) * 30


Notepad++

V512 A call of the memset function will lead to a buffer overflow or underflow


#define CONT_MAP_MAX 50
int _iContMap[CONT_MAP_MAX];
...
DockingManager::DockingManager()
{
  ...
  memset(_iContMap, -1, CONT_MAP_MAX);
  ...
}

This is what should have been written here: memset(_iContMap, -1, CONT_MAP_MAX * sizeof(int));


Game_Music_Emu library

V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. game-music-emu nsfe_emu.cpp 162


struct header_t
{
  ...
  byte load_addr [2];
  byte init_addr [2];
  byte play_addr [2];
  ...
}

blargg_err_t Nsfe_Info::load( Data_Reader& in,
                              Nsf_Emu* nsf_emu )
{
  ...
  memcpy( info.load_addr, finfo.load_addr, 2 * 3 );
  ...
}

There is no error here, but the code is fragile: a single memcpy of 2 * 3 bytes copies load_addr, init_addr and play_addr together, so it silently depends on the three arrays staying adjacent in header_t with no padding between them. Three separate copies with sizeof(info.load_addr) and so on survive a change of the structure layout; this one does not.


Wolfenstein 3D

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. cgame bg_animation.c 999


typedef struct
{
  short int bodyPart[2];
  short int animIndex[2];
  short int animDuration[2];
  short int soundIndex;
  short int accShowBits;
  short int accHideBits;
} animScriptCommand_t;

void BG_ParseCommands(....) {
  ...
  animScriptCommand_t *command = NULL;
  ...
  memset( command, 0, sizeof( command ) );
  ...
}

This is what should have been written here: sizeof(*command)


Wolfenstein 3D

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. wolf cvar.c 764


typedef struct cvar_s {
  char        *name;
  ...
  struct cvar_s *hashNext;
} cvar_t;

void Cvar_Restart_f( void ) {
  cvar_t  *var;
  ...
  memset( var, 0, sizeof( var ) );
  ...
}

This is what should have been written here: memset( var, 0, sizeof( *var ) );


Newton Game Dynamics

V512 A call of the 'memset' function will lead to a buffer overflow or underflow. physics dgcollisioncompoundbreakable.cpp 702


dgCollisionCompoundBreakable::dgCollisionCompoundBreakable (....)
{
  ...
  dgInt32 faceOffsetHitogram[256];
  dgSubMesh* mainSegmenst[256];
  ...
  memset(faceOffsetHitogram, 0, sizeof(faceOffsetHitogram));
  memset(mainSegmenst, 0, sizeof(faceOffsetHitogram));
  ...
}

A 64-bit error, and a consequence of copy-paste. In a 64-bit build the pointer size is no longer equal to the size of dgInt32, so sizeof(faceOffsetHitogram) covers only half of the mainSegmenst array and the remaining pointers are left uninitialized. This is what should have been written here: memset(mainSegmenst, 0, sizeof(mainSegmenst));


Miranda IM

V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. tabsrmm utils.cpp 1080


typedef struct _textrangew
{
  CHARRANGE chrg;
  LPWSTR lpstrText;
} TEXTRANGEW;

const wchar_t* Utils::extractURLFromRichEdit(....)
{
  ...
  ::CopyMemory(tr.lpstrText, L"mailto:", 7);
  ...
}

This is what should have been written here: sizeof(wchar_t) * 7


Chromium

V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. base time_win.cc 227


void Time::Explode(bool is_local, Exploded* exploded) const
{
  ...
  ZeroMemory(exploded, sizeof(exploded));
  ...
}

This is what should have been written here: sizeof(*exploded)


Chromium

V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. platform time_win.cc 116


void NaCl::Time::Explode(bool is_local,
                         Exploded* exploded) const
{
  ...
  ZeroMemory(exploded, sizeof(exploded));
  ...
}

This is what should have been written here: sizeof(*exploded)


Qt

V512 A call of the 'memset' function will lead to underflow of the buffer 's_attr_table'. qt3to4 cpplexer.cpp 77


int s_attr_table[256];

void CppLexer::setupScanTable()
{
  ...
  memset(s_attr_table, 0, 256);
  ...
}

This is what should have been written here: sizeof(int) * 256

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer 's_attr_table'. qt3to4 rpplexer.cpp 60

Apache HTTP Server

V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 560


#define MEMSET_BZERO(p,l)       memset((p), 0, (l))

void apr__SHA256_Final(sha2_byte digest[],
                       SHA256_CTX* context) {
  ...
  MEMSET_BZERO(context, sizeof(context));
  ...
}

This is what should have been written here: sizeof(*context). Only the first 4 or 8 bytes of the SHA-256 state are cleared, so the intermediate hash state remains in memory after finalization, which is exactly what the macro was meant to prevent.

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 581
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 892
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 912
  • And 2 additional diagnostic messages.

Energy Checker SDK

V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 683


#define PL_MAX_PATH 255
typedef WCHAR TCHAR, *PTCHAR;
TCHAR pl_cvt_buffer[PL_MAX_PATH] = { '\0' };

int plh_read_pl_config_ini_file(....)
{
  ...
  ZeroMemory(
    pl_cvt_buffer,
    PL_MAX_PATH
  );
  ...
}

This is what should have been written here: PL_MAX_PATH * sizeof(TCHAR)

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 714
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 745
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 789
  • And 5 additional diagnostic messages.

Energy Checker SDK

V512 A call of the 'memset' function will lead to underflow of the buffer 'pconfig'. pl_csv_logger productivity_link_helper.c 1806


typedef struct _plh_dynamic_pl_folder_info {
...
} PLH_DYNAMIC_PL_FOLDER_INFO, *PPLH_DYNAMIC_PL_FOLDER_INFO;

int plh_dynamic_read_pl_folder(
  PPLH_DYNAMIC_PL_FOLDER_INFO pconfig)
{
  ...
  memset(
    pconfig,
    0,
    sizeof(pconfig)
  );
  ...
}

This is what should have been written here: sizeof(*pconfig)


Energy Checker SDK

V512 A call of the 'memset' function will lead to underflow of the buffer 'temp'. core_api_unit_tests unit_tests_tools.c 379


void plt_tools_get_pl_config_full_file_name(char *buffer) {
  ...
  char temp[PL_MAX_PATH] = { '\0' };
  ...
  memset(
    temp,
    0,
    sizeof(buffer)
  );
  ...
}

This is what should have been written here: sizeof(temp)


Far Manager

V512 A call of the 'memset' function will lead to underflow of the buffer 'PInfo'. far filelist.cpp 672


__int64 FileList::VMProcess(int OpCode,void *vParam,
                            __int64 iParam)
{
  ...
  PluginInfo *PInfo=(PluginInfo *)vParam;
  memset(PInfo,0,sizeof(PInfo));
  PInfo->StructSize=sizeof(PInfo);
  ...
}

This is what should have been written here: memset(PInfo, 0, sizeof(PluginInfo)); The next line repeats the mistake: PInfo->StructSize=sizeof(PInfo) stores the pointer size instead of sizeof(PluginInfo).


ReactOS

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'buffer'. user32 dllmain.c 162


VOID
UnloadAppInitDlls()
{
  ...
  WCHAR buffer[KEY_LENGTH];
  ...
  RtlCopyMemory(buffer, szAppInit, KEY_LENGTH);
  ...
}

Multiplication by sizeof(WCHAR) is missing, which causes copying only half of the data. This is what the code should look like: RtlCopyMemory(buffer, szAppInit, KEY_LENGTH * sizeof(WCHAR)).


ReactOS

V512 A call of the 'memset' function will lead to underflow of the buffer '((file_path))'. sndrec32 sndrec32.cpp 769


typedef WCHAR TCHAR,*PTCHAR;
TCHAR file_path[MAX_PATH];

#define MAX_PATH 260

LRESULT CALLBACK
WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam )
{
  ...
  ZeroMemory( file_path, MAX_PATH );
  ...
}

This is what should have been written here: ZeroMemory( file_path, MAX_PATH * sizeof(TCHAR));

Identical errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to a buffer underflow. smss client.c 442

ReactOS

V512 A call of the 'memset' function will lead to underflow of the buffer '((pfd))'. shell32 pidl.c 1160


HRESULT WINAPI SHGetDataFromIDListW(....)
{
  ...
  WIN32_FIND_DATAW * pfd = dest;
  ...
  ZeroMemory(pfd, sizeof (WIN32_FIND_DATAA));
}

This is what should have been written here: sizeof(WIN32_FIND_DATAW). The ANSI structure is smaller, because its cFileName and cAlternateFileName members are char arrays rather than WCHAR arrays, so the tail of the wide structure is left uninitialized.

ReactOS

V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 991


#define MEMSET_BZERO(p,l) memset((p), 0, (l))

char *SHA384_End(SHA384_CTX* context, char buffer[]) {
  ...
  MEMSET_BZERO(context, sizeof(context));
  ...
}

This is what should have been written here: sizeof(*context).

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 566
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 587
  • V512 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 896
  • And 2 additional diagnostic messages.

ReactOS

V512 A call of the 'memcmp' function will lead to underflow of the buffer 'guidentry'. oleaut32 typelib2.c 320


#define IsEqualGUID(rguid1, rguid2) \
  (!memcmp(&(rguid1), &(rguid2), sizeof(GUID)))

static int ctl2_find_guid(....)
{
  MSFT_GuidEntry *guidentry;
  ...
  if (IsEqualGUID(guidentry, guid)) return offset;
  ...
}

Macros are evil: they hide errors very well. The error is this: guidentry is a pointer, so the macro takes the address of the pointer variable itself and memcmp reads sizeof(GUID) bytes starting at that 4- or 8-byte variable rather than at the GUID it points to. This is what should have been written here: if (IsEqualGUID(*guidentry, guid)) return offset;

Identical errors can be found in some other places:

  • V512 A call of the 'memcmp' function will lead to overflow of the buffer '& (pguidCmdGroup)'. browseui bandsite.cpp 722

IPP Samples

V512 A call of the 'memset' function will lead to underflow of the buffer 'MEParams'. vc1_enc umc_vc1_enc_adv.cpp 1767


UMC::Status
VC1EncoderADV::SetMEParams_I_Field(UMC::MeParams* MEParams)
{
  UMC::Status umcSts = UMC::UMC_OK;
  memset(MEParams,0,sizeof(MEParams));
  ...
}

This is what should have been written here: memset(MEParams,0,sizeof(*MEParams));


Doom 3

V512 A call of the 'memset' function will lead to underflow of the buffer 'ase.currentMesh'. DoomDLL model_ase.cpp 731


aseMesh_t *currentMesh;

static void ASE_KeyGEOMOBJECT( const char *token )
{
  ...
  ase.currentMesh = &ase.currentObject->mesh;
  memset( ase.currentMesh, 0, sizeof( ase.currentMesh ) );
  ...
}

This is what should have been written here: memset( ase.currentMesh, 0, sizeof( *ase.currentMesh ) );


Doom 3

V512 A call of the 'memset' function will lead to underflow of the buffer '& cluster'. DoomDLL aasfile.cpp 1312


void idAASFileLocal::DeleteClusters( void ) {
  ...
  memset( &portal, 0, sizeof( portal ) );
  portals.Append( portal );

  // first cluster is a dummy
  memset( &cluster, 0, sizeof( portal ) );
  clusters.Append( cluster );
}

This is what should have been written here: memset( &cluster, 0, sizeof( cluster ) );


Mozilla Firefox

V512 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. time_win.cc 198


void Time::Explode(bool is_local, Exploded* exploded) const {
  ...
  ZeroMemory(exploded, sizeof(exploded));
  ...
}

This is what should have been written here: ZeroMemory(exploded, sizeof(*exploded));


ADAPTIVE Communication Environment (ACE)

V512 A call of the 'memcmp' function will lead to underflow of the buffer 'expected_msg.payload'. Send_Msg_Receiver receiver.cpp 109


struct Message
{
  unsigned int sn;
  unsigned short payload[payload_size];
};

int
ACE_TMAIN (int argc, ACE_TCHAR* argv[])
{
  ...
  if (ACE_OS::memcmp (expected_msg.payload,
                      msg.payload,
                      payload_size) != 0)
  {
    damaged[msg.sn] = 1;
  }
  ...
}

Most likely this is what should be written here: sizeof(expected_msg.payload), i.e. payload_size * sizeof(unsigned short). With the element count only the first half of the payload is compared, so corruption in the second half goes unnoticed.

Identical errors can be found in some other places:

  • V512 A call of the 'memcmp' function will lead to underflow of the buffer 'expected_msg.payload'. RMCast_Receiver receiver.cpp 102

ADAPTIVE Communication Environment (ACE)

V512 A call of the 'memset' function will lead to underflow of the buffer 'old_state'. thread.inl 172


ACE_INLINE int
ACE_Thread::disablecancel (struct cancel_state *old_state)
{
  ....
  ACE_OS::memset (old_state,
                  0,
                  sizeof (old_state));
  ....
}

This is what should have been written here: sizeof(*old_state); the call clears only the first 4 or 8 bytes of the cancel_state structure.

UCSniff

V512 A call of the 'memcpy' function will lead to the '"sip"' buffer becoming out of range. targets.c 566


struct targets{
  char ip[MAX_ASCII_ADDR_LEN];
  u_char mac[MAX_ASCII_ADDR_LEN];
  char extension[64];
  char dirname[64];
  char protocol[11];
  char ua[48];
  char misc[64];
};

void sip_targetlookup(sipDB* currentSipCall)
{
  ...
  memcpy(targettab[targetcount].protocol,
         "sip",
         sizeof(targettab[targetcount].protocol));
  ...
}

The third argument is the size of the destination, 11 bytes, but the source is the 4-byte literal "sip", so memcpy reads 7 bytes beyond it. Since the intent is to store a string, strncpy(targettab[targetcount].protocol, "sip", sizeof(targettab[targetcount].protocol)) copies the text and zero-fills the rest of the field.

Identical errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to the '"sip"' buffer becoming out of range. targets.c 631

DeSmuME

V512 A call of the 'memset' function will lead to underflow of the buffer 'MapView'. DeSmuME_VS2005 mapview.cpp 204


mapview_struct *MapView = NULL;

BOOL CALLBACK ViewMapsProc (HWND hwnd, UINT message,
                            WPARAM wParam, LPARAM lParam)
{
  ...
  MapView = new mapview_struct;
  memset(MapView, 0, sizeof(MapView));
  ...
}

This is what should have been written here: memset(MapView, 0, sizeof(*MapView));


MAME

V512 A call of the 'memcpy' function will lead to the '& rawheader[100]' buffer becoming out of range. chd.c 1870


#define CHD_SHA1_BYTES    20
#define CHD_V4_HEADER_SIZE   108
#define CHD_MAX_HEADER_SIZE   CHD_V4_HEADER_SIZE

static chd_error header_read(...., chd_header *header)
{
  UINT8 rawheader[CHD_MAX_HEADER_SIZE];
  ...
  memcpy(header->parentsha1, &rawheader[100],
         CHD_SHA1_BYTES);
  ...
}

CHD_SHA1_BYTES starting at offset 100 ends at offset 120, twelve bytes past the end of the 108-byte rawheader array, so the parent SHA-1 is read partly from whatever happens to follow the array on the stack.

MAME

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'state->m_spriteram16_buffered'. deco32.c 706


UINT16 m_spriteram16[0x1000];
UINT16 m_spriteram16_buffered[0x1000];

static WRITE32_HANDLER( deco32_buffer_spriteram_w )
{
  deco32_state *state =
    space->machine().driver_data<deco32_state>();
  memcpy(state->m_spriteram16_buffered,
         state->m_spriteram16, 0x1000);
}

This is what should have been written here: 0x1000 * sizeof(UINT16).


MAME

V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_rotate_ctrl'. wgp.c 949


UINT16      m_rotate_ctrl[8];

static MACHINE_RESET( wgp )
{
  wgp_state *state = machine.driver_data<wgp_state>();
  int i;

  state->m_banknum = 0;
  state->m_cpua_ctrl = 0xff;
  state->m_port_sel = 0;
  state->m_piv_ctrl_reg = 0;

  for (i = 0; i < 3; i++)
  {
    state->m_piv_zoom[i] = 0;
    state->m_piv_scrollx[i] = 0;
    state->m_piv_scrolly[i] = 0;
  }

  memset(state->m_rotate_ctrl, 0, 8);
}

This is what should have been written here: memset(state->m_rotate_ctrl, 0, sizeof(state->m_rotate_ctrl)); the literal 8 clears only four of the eight 16-bit entries.

Identical errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to underflow of the buffer 'state->m_spriteram16_2_buffered'. deco32.c 726
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_playfield_code'. malzak.c 392

MAME

V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_control_0'. tumbleb.c 2065


UINT16 m_control_0[8];
#define ARRAY_LENGTH(x)  (sizeof(x) / sizeof(x[0]))

static MACHINE_RESET( tumbleb )
{
  ...
  memset(state->m_control_0, 0,
         ARRAY_LENGTH(state->m_control_0));
}

Most likely this is what should be written here: memset(state->m_control_0, 0, sizeof(state->m_control_0));

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pmac_read'. megadriv.c 7156
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pmac_write'. megadriv.c 7157
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_cart_is_genesis'. megatech.c 426
  • And 3 additional diagnostic messages.

MAME

V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pstars_regs'. pgm.c 4458


UINT32 m_pstars_regs[16];

static DRIVER_INIT( pstar )
{
  ...
  memset(state->m_pstars_regs, 0, 16);
  ...
}

This is what should have been written here: memset(state->m_pstars_regs, 0, sizeof(state->m_pstars_regs)); 16 is the element count, which clears only four of the sixteen 32-bit registers.

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 4975
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 4996
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 5056
  • And 4 additional diagnostic messages.

Samba

V512 A call of the 'memset' function will lead to underflow of the buffer 'rt'. perf_writer.c 80


void initialize(PERF_DATA_BLOCK *data,
  RuntimeSettings *rt, int argc, char **argv)
{
    memset(data, 0, sizeof(*data));
    memset(rt, 0, sizeof(*data));
  ....
}

Most likely this is what should be written here: memset(rt, 0, sizeof(*rt)); The size was copied from the previous line, so rt is cleared by the size of a PERF_DATA_BLOCK, which is an underflow or an overflow depending on which of the two structures is larger.


Samba

V512 A call of the 'memcmp' function will lead to underflow of the buffer 'u0'. netuser.c 247


static NET_API_STATUS test_netusermodals(
  struct libnetapi_ctx *ctx,
  const char *hostname)
{
  ....
  struct USER_MODALS_INFO_0 *u0 = NULL;
  struct USER_MODALS_INFO_0 *_u0 = NULL;
  ....
  if (memcmp(u0, _u0, sizeof(u0) != 0)) {
    printf("USER_MODALS_INFO_0 struct has changed!!!!\n");
    return -1;
  }
  ....
}

Most likely this is what should be written here: sizeof(*u0). Note that the closing parenthesis is misplaced as well: the third argument is the expression sizeof(u0) != 0, which evaluates to 1, so only a single byte of the two structures is compared and the "struct has changed" check can never do its job.


libevent

V512 A call of the 'memset' function will lead to underflow of the buffer 'win32op'. win32select.c 374


void
win32_dealloc(struct event_base *_base)
{
  struct win32op *win32op = _base->evbase;
  ....
  memset(win32op, 0, sizeof(win32op));
  ....
}

This is what should have been written here: memset(win32op, 0, sizeof(*win32op));

OpenCV

V512 A call of the 'memset' function will lead to overflow of the buffer 'latestCounts'. calibfilter.cpp 238


class CV_EXPORTS CvCalibFilter
{
  ....
  enum { MAX_CAMERAS = 3 };
  int latestCounts[MAX_CAMERAS];
  CvPoint2D32f* latestPoints[MAX_CAMERAS];
  ....
};

void CvCalibFilter::SetCameraCount( int count )
{
  ....
  memset( latestCounts, 0, sizeof(latestPoints) );
  ....
}

This is what should have been written here: memset( latestCounts, 0, sizeof(latestCounts) ); sizeof(latestPoints) is the size of three pointers, which on a 64-bit build is twice the size of the three-int array, so the call writes past latestCounts into the latestPoints member that follows it.

Windows 8 Driver Samples

V512 A call of the 'memset' function will lead to underflow of the buffer 'wbuf'. ihvsampleextui.cpp 288


HRESULT
CDot11SampleExtUI::CreateSecurityProperties(....)
{
  ....
  WCHAR wbuf[128];
  ....
  ZeroMemory(wbuf, 128);
  ....
}

This is what should have been written here: ZeroMemory(wbuf, sizeof(wbuf)); 128 is the element count, so only the first 64 WCHARs are cleared.

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer 'wbuf'. ihvsampleextui.cpp 369

Windows 8 Driver Samples

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'deviceInfo->UnicodeSourceIp'. testapp.c 729

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'deviceInfo->UnicodeDestIp'. testapp.c 730


typedef struct _DEVICE_INFO
{
  ....
  WCHAR UnicodeSourceIp[MAX_LEN];
  WCHAR UnicodeDestIp[MAX_LEN];
  ....
} DEVICE_INFO, *PDEVICE_INFO;

PDEVICE_INFO FindDeviceInfo(....)
{
  ....
  PDEVICE_INFO    deviceInfo = NULL;
  ....
  memcpy(deviceInfo->UnicodeSourceIp,
         InputInfo->SourceIp, MAX_LEN);
  memcpy(deviceInfo->UnicodeDestIp,
         InputInfo->DestIp, MAX_LEN);
  ....
}

This is what should have been written here: MAX_LEN * sizeof(WCHAR), or simply sizeof(deviceInfo->UnicodeSourceIp); with a byte count of MAX_LEN only half of each wide-character string is copied.

NetXMS

V512 A call of the 'memset' function will lead to underflow of the buffer 'commandLine'. procinfo.cpp 278


typedef WCHAR TCHAR, *PTCHAR;

static BOOL MatchProcess(....)
{
  ....
  TCHAR commandLine[MAX_PATH];
  ....
  memset(commandLine, 0, MAX_PATH);
  ....
}

This is what should have been written here: memset(commandLine, 0, sizeof(commandLine)); MAX_PATH is the element count, and TCHAR is two bytes here.

NetXMS

V512 A call of the 'memset' function will lead to underflow of the buffer 'm_szTitle'. toolbox.cpp 28


typedef WCHAR TCHAR, *PTCHAR;

#define MAX_TOOLBOX_TITLE  64

TCHAR m_szTitle[MAX_TOOLBOX_TITLE];

CToolBox::CToolBox()
{
  memset(m_szTitle, 0, MAX_TOOLBOX_TITLE);
}

This is what should have been written here: memset(m_szTitle, 0, sizeof(m_szTitle));

Multi Theft Auto

V512 A call of the 'memset' function will lead to underflow of the buffer 'm_buffer'. sharedutil.hash.hpp 216


unsigned char m_buffer[64];

void CMD5Hasher::Finalize ( void )
{
  ....
  // Zeroize sensitive information
  memset ( m_buffer, 0, sizeof (*m_buffer) );
  ....
}

This is the MD5::finalize error from the SMTP Client example again: sizeof(*m_buffer) is one byte, so the "sensitive information" is not zeroized. This is what should have been written here: memset ( m_buffer, 0, sizeof (m_buffer) );

Snes9x

V512 A call of the 'memset' function will lead to underflow of the buffer '& cht'. ramwatch.cpp 1199


struct ICheat
{
  uint32  address;
  uint32  new_val;
  uint32  saved_val;
  int     size;
  bool8   enabled;
  bool8   saved;
  char    name [22];
  int format;
};

struct SCheat
{
  uint32 address;
  uint8   byte;
  uint8   saved_byte;
  bool8  saved;
};

void RamWatchEnableCommand(....)
{
  ....
  struct ICheat cht;
  ....
  ZeroMemory(&cht, sizeof(struct SCheat));
  ....
}

Most likely this is what should be written here: ZeroMemory(&cht, sizeof(struct ICheat));

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer '& cht'. ram_search.cpp 1789
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'new_cheat'. wsnes9x.cpp 9924

VirtualDub

V512 A call of the 'memcmp' function will lead to underflow of the buffer '"GL_EXT_blend_subtract"'. Riza opengl.cpp 393


bool VDOpenGLBinding::Attach(....) {
  ....
  if (!memcmp(start, "GL_EXT_blend_subtract", 20))
  ....
}

strlen("GL_EXT_blend_subtract") is 21, so the last character is never compared and any string beginning with "GL_EXT_blend_subtrac" matches. Using sizeof("GL_EXT_blend_subtract") - 1 keeps the count tied to the literal.


FlightGear

V512 A call of the 'memset' function will lead to underflow of the buffer 'ctx'. md5.c 180


void MD5Final(uint8_t digest[16], struct MD5Context *ctx)
{
  ....
  memset(ctx, 0, sizeof(ctx));  /* In case it's sensitive */
  ....
}

This is what should have been written here: memset(ctx, 0, sizeof(*ctx)); as written, the comment's intent is not met, because only the first 4 or 8 bytes of the MD5 state are cleared.

Micro-Manager

V512 A call of the 'memcpy' function will lead to overflow of the buffer '& stat.lPosition'. MotorStage.cpp 247

V512 A call of the 'memcpy' function will lead to overflow of the buffer '& stat.dwStatusBits'. MotorStage.cpp 256


typedef struct _DCMOTSTATUS
{
  unsigned short wChannel;   // Channel ident.
  unsigned int lPosition;    // Position in encoder counts.
  unsigned short wVelocity;  // Velocity in encoder counts/sec.
  unsigned short wReserved;  // Controller specific use
  unsigned int dwStatusBits; // Status bits (see #defines below).
} DCMOTSTATUS;

int MotorStage::ParseStatus(const unsigned char* buf, int bufLen,
  DCMOTSTATUS& stat)
{
  ....
  memcpy(&stat.lPosition, buf + bufPtr, sizeof(long));  // <= (1)
  bufPtr += sizeof(long);

  memcpy(&stat.wVelocity, buf + bufPtr, sizeof(unsigned short));
  bufPtr += sizeof(unsigned short);

  memcpy(&stat.wReserved, buf + bufPtr, sizeof(unsigned short));
  bufPtr += sizeof(unsigned short);

  memcpy(&stat.dwStatusBits,
         buf + bufPtr, sizeof(unsigned long));          // <= (2)
  return DEVICE_OK;
}

(1) is not critical: where long is 8 bytes, the copy spills past lPosition into wVelocity and wReserved, which the next two calls overwrite anyway. (2) is critical: dwStatusBits is the last member, so on the same platforms the copy writes 4 bytes past the end of the structure (and reads 4 bytes further into buf than the record contains). Both fields are 4 bytes wide, so the sizes should be sizeof(stat.lPosition) and sizeof(stat.dwStatusBits), or the fields should use fixed-width types throughout.
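
A platform-independent version of this parser, as an added example in C written for this page (not Micro-Manager code): the record is read with fixed-width types and an explicit cursor that checks the remaining length before every field, which removes both the sizeof(long) ambiguity and the unchecked read from buf. The little-endian byte order and the sample record are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Same fields as DCMOTSTATUS, with fixed-width types so each field has the
   same size on every platform (unsigned long is 4 or 8 bytes depending on
   the ABI; uint32_t is always 4). */
typedef struct {
    uint16_t channel;
    uint32_t position;
    uint16_t velocity;
    uint16_t reserved;
    uint32_t status_bits;
} motor_status;

/* Cursor over an input buffer; every read checks what is left. */
typedef struct {
    const uint8_t *p;
    size_t len;
    size_t off;
} reader;

static int read_u16le(reader *r, uint16_t *out)
{
    if (r->len - r->off < 2)
        return 0;
    *out = (uint16_t)(r->p[r->off] | (r->p[r->off + 1] << 8));
    r->off += 2;
    return 1;
}

static int read_u32le(reader *r, uint32_t *out)
{
    if (r->len - r->off < 4)
        return 0;
    *out = (uint32_t)r->p[r->off]
         | (uint32_t)r->p[r->off + 1] << 8
         | (uint32_t)r->p[r->off + 2] << 16
         | (uint32_t)r->p[r->off + 3] << 24;
    r->off += 4;
    return 1;
}

/* Parse the 14-byte status record.  Returns 1 on success and 0 if buf is
   too short, instead of reading past it as a fixed sequence of memcpy calls
   with no check against the buffer length would. */
int parse_motor_status(const uint8_t *buf, size_t len, motor_status *st)
{
    reader r = { buf, len, 0 };
    return read_u16le(&r, &st->channel)
        && read_u32le(&r, &st->position)
        && read_u16le(&r, &st->velocity)
        && read_u16le(&r, &st->reserved)
        && read_u32le(&r, &st->status_bits);
}

/* Constructed sample record, little-endian: channel 1, position 0x11223344,
   velocity 0x0102, reserved 0, status bits 0xDEADBEEF. */
static const uint8_t SAMPLE[14] = {
    0x01, 0x00,
    0x44, 0x33, 0x22, 0x11,
    0x02, 0x01,
    0x00, 0x00,
    0xEF, 0xBE, 0xAD, 0xDE
};

uint32_t sample_position(void)
{
    motor_status st;
    return parse_motor_status(SAMPLE, sizeof(SAMPLE), &st) ? st.position : 0;
}

uint32_t sample_status_bits(void)
{
    motor_status st;
    return parse_motor_status(SAMPLE, sizeof(SAMPLE), &st) ? st.status_bits : 0;
}

/* A record one byte short must be rejected, not read past its end. */
int short_record_rejected(void)
{
    motor_status st;
    return parse_motor_status(SAMPLE, sizeof(SAMPLE) - 1, &st) == 0;
}
```

Decoding byte by byte also makes the parser independent of the host's endianness and of structure padding, which a memcpy straight into the struct members is not.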


FCEUX

V512 A call of the 'strcpy' function will lead to overflow of the buffer '(char *) & bdata[13]'. bworld.cpp 64


static uint8 bdata[20];

static void Update(void *data, int arg)
{
 if(*(uint8 *)data)
 {
  *(uint8 *)data=0;
  seq=ptr=0;
  have=1;
  strcpy((char*)bdata,(char *)data+1);
  strcpy((char*)&bdata[13],"SUNSOFT");
 }
}

bdata holds 20 bytes. "SUNSOFT" is 7 characters plus the terminator, so the copy to &bdata[13] writes bytes 13 to 20 and the terminating zero lands one past the end of the array. The preceding strcpy from data+1 is not bounded by sizeof(bdata) either.

OGRE

V512 A call of the 'memcpy' function will lead to a buffer overflow or underflow. OgreMain ogrequaternion.h 87


Real w, x, y, z;
...

inline Quaternion(Real* valptr)
{
  memcpy(&w, valptr, sizeof(Real)*4);
}

There is no error, but the code is fragile: writing sizeof(Real)*4 bytes through &w relies on w, x, y and z being laid out contiguously in declaration order with no padding, which holds in practice for four consecutive members of the same type but silently breaks if anyone reorders the members or inserts one. An array member, or four explicit assignments, would make the intent explicit and the layout irrelevant.


Gifticlib

V512 A call of the 'memset' function will lead to underflow of the buffer 'gim'. gifti_io.c 4097


int gifti_clear_gifti_image(gifti_image * gim)
{
  if(!gim) {
    fprintf(stderr,"** NULL in clear_gifti_image\n"); return 1;
  }

  if( G.verb > 5 )
    fprintf(stderr,"-- clearing gifti_image\n");

  /* set the version and clear all pointers */
  memset(gim, 0, sizeof(gim));
  ....
}

This is what should have been written here: memset(gim, 0, sizeof(*gim)); the comment promises to clear all pointers, but sizeof(gim) clears only the first 4 or 8 bytes of the structure, so the remaining pointers keep their old values.

Miranda NG

V512 A call of the 'memset' function will lead to underflow of the buffer 'logfonts'. TabSRMM msglog.cpp 134


#define MSGDLGFONTCOUNT 22

LOGFONTA logfonts[MSGDLGFONTCOUNT + 2];

void TSAPI CacheLogFonts()
{
  int i;
  HDC hdc = GetDC(NULL);
  logPixelSY = GetDeviceCaps(hdc, LOGPIXELSY);
  ReleaseDC(NULL, hdc);

  ZeroMemory(logfonts, sizeof(LOGFONTA) * MSGDLGFONTCOUNT + 2);
  ....
}

Most likely this is what should be written here: ZeroMemory(logfonts, sizeof(LOGFONTA) * (MSGDLGFONTCOUNT + 2));


Miranda NG

V512 A call of the 'memcpy' function will lead to underflow of the buffer 's_list'. Sessions utils.cpp 288


#define SIZEOF(X) (sizeof(X)/sizeof(X[0]))

int CheckForDuplicate(MCONTACT contact_list[], MCONTACT lparam)
{
  MCONTACT s_list[255] = { 0 };
  memcpy(s_list, contact_list, SIZEOF(s_list));
  for (int i = 0;; i++) {
    if (s_list[i] == lparam)
      return i;
    if (s_list[i] == 0)
      return -1;
  }
  return 0;
}

SIZEOF(s_list) is the number of elements, 255, but memcpy expects bytes, so only part of the array is copied and the rest of s_list stays zero; the lookup then stops at the first zero entry and reports a contact as absent. This is what should have been written here: memcpy(s_list, contact_list, sizeof(s_list)); (the copy also assumes contact_list holds at least 255 entries).

Identical errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to underflow of the buffer 'session_list'. Sessions main.cpp 143
  • V512 A call of the 'memcpy' function will lead to underflow of the buffer 'user_session_list'. Sessions main.cpp 143
  • V512 A call of the 'memcpy' function will lead to underflow of the buffer 'session_list_temp'. Sessions main.cpp 216
  • And 5 additional diagnostic messages.
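
The MAME ARRAY_LENGTH case earlier on this page and the Miranda NG SIZEOF case above make the same mistake: an element count is handed to a function that wants bytes. An added example in C, written for this page and not taken from MAME or Miranda NG (the machine_state layout is a constructed stand-in), with a length macro that refuses pointers at compile time using the GCC/Clang __builtin_types_compatible_p trick the Linux kernel's __must_be_array is built on; the wrong count is passed through a variable only so the snippet compiles cleanly under -Werror (GCC's -Wmemset-elt-size flags the literal form):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Zero for a real array, a compile error (negative bit-field width) for a
   pointer: GCC/Clang extension, the same trick as the Linux kernel's
   __must_be_array.  ARRAY_LEN(p) on a pointer therefore fails to compile
   instead of quietly yielding sizeof(void *) / sizeof(*p). */
#define MUST_BE_ARRAY(a) \
    (0 * sizeof(struct { int must_be_array : 1 - 2 * \
        __builtin_types_compatible_p(__typeof__(a), __typeof__(&(a)[0])); }))

#define ARRAY_LEN(a)   (sizeof(a) / sizeof((a)[0]) + MUST_BE_ARRAY(a))
#define ARRAY_BYTES(a) (sizeof(a) + MUST_BE_ARRAY(a))

/* Constructed stand-in for the MAME driver state (layout is an assumption). */
typedef struct {
    uint16_t control_0[8];
    uint16_t rotate_ctrl[8];
} machine_state;

/* Number of 16-bit entries a clear left untouched. */
static size_t nonzero_u16(const uint16_t *a, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (a[i] != 0);
    return count;
}

/* The page's mistake: the element count is passed as a byte count, so a
   uint16_t[8] loses only its first four entries. */
size_t clear_with_element_count(void)
{
    machine_state st;
    memset(&st, 0xFF, sizeof(st));
    size_t wrong = ARRAY_LEN(st.control_0);     /* 8, but 16 bytes are needed */
    memset(st.control_0, 0, wrong);
    return nonzero_u16(st.control_0, ARRAY_LEN(st.control_0));
}

/* Correct: the array's size in bytes. */
size_t clear_with_array_bytes(void)
{
    machine_state st;
    memset(&st, 0xFF, sizeof(st));
    memset(st.control_0, 0, ARRAY_BYTES(st.control_0));
    return nonzero_u16(st.control_0, ARRAY_LEN(st.control_0));
}

/* Heap arrays are pointers, so ARRAY_BYTES cannot be used on them (it would
   not compile) and the byte count has to be n * sizeof(*p).  With
   use_sizeof_pointer set, the call clears sizeof(p) bytes instead, as in the
   Unreal Engine example further down this page. */
size_t clear_heap_array(size_t n, int use_sizeof_pointer)
{
    uint16_t *p = malloc(n * sizeof(*p));
    if (p == NULL)
        return (size_t)-1;
    memset(p, 0xFF, n * sizeof(*p));
    size_t len = use_sizeof_pointer ? sizeof(p) : n * sizeof(*p);
    memset(p, 0, len);
    size_t left = nonzero_u16(p, n);
    free(p);
    return left;
}
```

With a 16-entry heap array, the sizeof(pointer) variant clears 4 entries on a 64-bit build (2 on a 32-bit one) and leaves the rest; the element-count variant on the embedded array leaves 4 of 8 entries. Portable code that cannot use the GCC extension should at least keep the byte-count helper separate from the element-count one, so that the wrong unit is visible at the call site.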

Miranda NG

V512 A call of the 'memset' function will lead to underflow of the buffer 'Data'. Weather weather_ini.cpp 250


void LoadStationData(...., WIDATA *Data)
{
  ....
  ZeroMemory(Data, sizeof(Data));
  ....
}

This is what should have been written here: ZeroMemory(Data, sizeof(*Data));

Miranda NG

V512 A call of the 'strcat' function will lead to overflow of the buffer 'fn'. NimContact files.cpp 290


INT_PTR CALLBACK DlgProcFiles(....)
{
  ....
  char fn[6], tmp[MAX_PATH];
  ....
  SetDlgItemTextA(hwnd, IDC_WWW_TIMER,
    _itoa(db_get_w(NULL, MODNAME, strcat(fn, "_timer"), 60),
    tmp, 10));
  ....
}

fn holds 6 bytes, while "_timer" alone is 6 characters plus the terminator. Even if fn contained an empty string when strcat is called, the result needs 7 bytes and overflows the array.

Miranda NG

V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG main.cpp 2246


typedef struct
{
  int cbSize;
  char caps[0x10];
  HANDLE hIcon;
  char name[MAX_CAPNAME];
} ICQ_CUSTOMCAP;

void InitCheck()
{
  ....
  strcpy(cap.caps, "GPG AutoExchange");
  ....
}

The caps field is 0x10 = 16 bytes and "GPG AutoExchange" is exactly 16 characters, so strcpy writes its terminating zero into whatever follows caps. If the field is meant to hold the 16-byte capability without a terminator, memcpy(cap.caps, "GPG AutoExchange", sizeof(cap.caps)) is the right call.

Identical errors can be found in some other places:

  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG main.cpp 2261
  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG messages.cpp 541
  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'cap.caps'. New_GPG messages.cpp 849
  • And 1 additional diagnostic messages.

Miranda NG

V512 A call of the 'memset' function will lead to underflow of the buffer 'msgFrom'. LotusNotify lotusnotify.cpp 760

V512 A call of the 'memset' function will lead to underflow of the buffer 'msgSubject'. LotusNotify lotusnotify.cpp 761


void checkthread(void*)
{
  ....
  WCHAR msgFrom[512];
  WCHAR msgSubject[512];
  ZeroMemory(msgFrom,512);
  ZeroMemory(msgSubject,512);
  ....
}

This is what should have been written here: ZeroMemory(msgFrom, sizeof(msgFrom)); and likewise for msgSubject. The buffers are WCHAR, so 512 bytes clear only half of each.

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer 'nd->dd_dir.d_name'. glib dirent.c 138

Miranda NG

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'L"mailto:"'. TabSRMM msgdialog.cpp 2085


INT_PTR CALLBACK DlgProcMessage(....)
{
  ....
  CopyMemory(tr.lpstrText, _T("mailto:"), 7);
  ....
}

The same error as in the Miranda IM example above: 7 is the character count, and the destination is a wide string. This is what should have been written here: CopyMemory(tr.lpstrText, _T("mailto:"), 7 * sizeof(TCHAR));

Identical errors can be found in some other places:

  • V512 A call of the 'memcpy' function will lead to underflow of the buffer 'lfFont.lfFaceName'. Xfire userdetails.cpp 206
  • V512 A call of the 'memcpy' function will lead to underflow of the buffer 'L"%20"'. Weather weather_conv.cpp 476

Spring Engine

V512 A call of the 'memset' function will lead to underflow of the buffer 'area'. RAI gterrainmap.h 84


#define MAP_AREA_LIST_SIZE 50
struct TerrainMapMobileType
{
  TerrainMapMobileType()
  {
    ....
    memset(area,0,MAP_AREA_LIST_SIZE);       // <=
  };

  TerrainMapArea *area[MAP_AREA_LIST_SIZE];  // <=
  ....
};

This is what should have been written here: memset(area, 0, sizeof(area)); area is an array of pointers, and MAP_AREA_LIST_SIZE bytes cover only a fraction of it, leaving the remaining pointers uninitialized.

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer 'BQ'. RAI builder.cpp 67
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'SL'. RAI unitmanager.cpp 28
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'Group'. RAI unitmanager.cpp 29
  • And 1 additional diagnostic messages.

LibreOffice

V512 A call of the 'wcsncpy' function will lead to overflow of the buffer 'psci->wszTitle'. columninfo.cxx 129


typedef struct {
  ....
  WCHAR wszTitle[MAX_COLUMN_NAME_LEN];
  WCHAR wszDescription[MAX_COLUMN_DESC_LEN];
} SHCOLUMNINFO, *LPSHCOLUMNINFO;

HRESULT STDMETHODCALLTYPE CColumnInfo::GetColumnInfo(
  DWORD dwIndex, SHCOLUMNINFO *psci)
{
  ....
  wcsncpy(psci->wszTitle,
          ColumnInfoTable[dwIndex].wszTitle,
          (sizeof(psci->wszTitle) - 1));
  return S_OK;
}

wcsncpy counts wide characters, while sizeof(psci->wszTitle) is a byte count, so the limit passed is about twice the capacity of the field and a long source title overflows into wszDescription. This is what should have been written here: wcsncpy(psci->wszTitle, ColumnInfoTable[dwIndex].wszTitle, MAX_COLUMN_NAME_LEN - 1); followed by an explicit psci->wszTitle[MAX_COLUMN_NAME_LEN - 1] = L'\0', since wcsncpy does not terminate a string that fills the whole count.
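
The wide-character cases on this page (Fennec Media, NetXMS, LotusNotify, the Windows driver sample and this wcsncpy call) share one cause: an element count used where bytes are needed, or bytes used where the function counts characters. An added example in C, written for this page and not LibreOffice code or any other project's: column_info and TITLE_LEN are constructed stand-ins for SHCOLUMNINFO and MAX_COLUMN_NAME_LEN, wchar_t is 4 bytes on Linux rather than the 2 bytes of a Windows WCHAR (which only changes the numbers), and the wrong byte count goes through a variable so that the snippet compiles cleanly under -Werror.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

#define TITLE_LEN 16          /* stand-in for MAX_COLUMN_NAME_LEN */
#define DESC_LEN  32

typedef struct {
    wchar_t title[TITLE_LEN];
    wchar_t description[DESC_LEN];
} column_info;

/* Number of wide characters a clear left untouched. */
static size_t wide_nonzero(const wchar_t *w, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (w[i] != L'\0');
    return count;
}

/* ZeroMemory(buf, N) on a wchar_t[N]: N bytes are N / sizeof(wchar_t)
   characters, so the tail of the buffer keeps its old contents. */
size_t zero_with_element_count(void)
{
    wchar_t path[64];
    wmemset(path, L'x', ARRAY_LEN(path));
    size_t wrong = ARRAY_LEN(path);            /* the page's mistake */
    memset(path, 0, wrong);
    return wide_nonzero(path, ARRAY_LEN(path));
}

/* Correct: sizeof(path) is the byte count whatever the element type. */
size_t zero_with_sizeof(void)
{
    wchar_t path[64];
    wmemset(path, L'x', ARRAY_LEN(path));
    memset(path, 0, sizeof(path));
    return wide_nonzero(path, ARRAY_LEN(path));
}

/* Bounded copy into a fixed wide field of n characters: wcsncpy takes a
   character count (not sizeof), and it does not terminate a string that fills
   the whole count, so the last slot is reserved for the terminator. */
static void copy_wide_field(wchar_t *dst, size_t n, const wchar_t *src)
{
    wcsncpy(dst, src, n - 1);
    dst[n - 1] = L'\0';
}

/* Copies src into the title of a fresh column_info whose description is
   filled with a canary first.  Returns the stored title length, or
   (size_t)-1 if the copy spilled into description. */
size_t stored_title_len(const wchar_t *src)
{
    column_info ci;
    wmemset(ci.description, L'#', ARRAY_LEN(ci.description));
    copy_wide_field(ci.title, ARRAY_LEN(ci.title), src);
    if (ci.description[0] != L'#')
        return (size_t)-1;
    return wcslen(ci.title);
}
```

A 36-character source is cut to TITLE_LEN - 1 characters and the description canary survives; with sizeof(title) - 1 as the count, the same source would run into description.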

.NET CoreCLR

V512 A call of the 'memset' function will lead to underflow of the buffer 'pAddExpression'. sos strike.cpp 11973


DECLARE_API(Watch)
{
  ....
  if(addExpression.data != NULL || aExpression.data != NULL)
  {
    WCHAR pAddExpression[MAX_EXPRESSION];
    memset(pAddExpression, 0, MAX_EXPRESSION);
    swprintf_s(pAddExpression, MAX_EXPRESSION, L"%S", ....);
    Status = g_watchCmd.Add(pAddExpression);
  }
  ....
}

This is what should have been written here: memset(pAddExpression, 0, sizeof(pAddExpression)); the buffer is WCHAR, so MAX_EXPRESSION bytes clear only half of it. Here the mistake happens to be harmless, because swprintf_s immediately overwrites and terminates the string, but the pattern is the same as in the other examples.

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer 'pSaveName'. sos strike.cpp 11997
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'pOldName'. sos strike.cpp 12013
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'pNewName'. sos strike.cpp 12016
  • And 2 additional diagnostic messages.

Haiku Operation System

V512 A call of the 'memcmp' function will lead to underflow of the buffer '"Private-key-format: v"'. dst_api.c 858


dst_s_read_private_key_file(....)
{
  ....
  if (memcmp(in_buff, "Private-key-format: v", 20) != 0)
    goto fail;
  ....
}

"Private-key-format: v" is 21 characters, so comparing 20 leaves the trailing 'v' unchecked and a file starting with "Private-key-format: x" passes the test. sizeof("Private-key-format: v") - 1 keeps the count tied to the literal.
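
The check above and the VirtualDub memcmp(start, "GL_EXT_blend_subtract", 20) earlier on this page both hard-code a count that is one short of the literal. An added example in C, written for this page and not Haiku or VirtualDub code, that derives the count from the literal and also refuses to read past the available input, something a bare memcmp never checks; the sample inputs in the comments and tests are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Length of a string literal without its terminator; the compiler counts the
   characters, so the number cannot drift from the text. */
#define LIT_LEN(lit) (sizeof(lit) - 1)

/* Prefix test that compares the whole literal and never reads beyond len
   bytes of buf (memcmp with a hard-coded count checks neither). */
#define STARTS_WITH(buf, len, lit) \
    ((len) >= LIT_LEN(lit) && memcmp((buf), (lit), LIT_LEN(lit)) == 0)

#define KEY_HDR "Private-key-format: v"

/* The page's check: a count of 20 stops one character before the 'v',
   so "Private-key-format: x..." is accepted. */
int header_matches_with_20(const char *in, size_t len)
{
    return len >= 20 && memcmp(in, KEY_HDR, 20) == 0;
}

/* Same check with the count taken from the literal (21). */
int header_matches(const char *in, size_t len)
{
    return STARTS_WITH(in, len, KEY_HDR);
}

/* Looking an extension up in a space-separated list, as the VirtualDub code
   does, additionally needs a token boundary after the name: a plain prefix
   compare accepts "GL_EXT_blend_subtract_foo" as well. */
int has_extension(const char *list, const char *name)
{
    size_t n = strlen(name);
    const char *p = list;
    if (n == 0)
        return 0;
    while ((p = strstr(p, name)) != NULL) {
        int at_start = (p == list) || (p[-1] == ' ');
        int at_end = (p[n] == '\0') || (p[n] == ' ');
        if (at_start && at_end)
            return 1;
        p += n;
    }
    return 0;
}
```

The length check in STARTS_WITH matters as much as the count: a 19-byte input that happens to sit at the end of a page would otherwise be read one byte too far, which is the "underflow" the diagnostic is warning about from the literal's side.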

Haiku Operation System

V512 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 623


#define MEMSET_BZERO(p,l)  memset((p), 0, (l))

void solv_SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
  ....
  /* Clean up state data: */
  MEMSET_BZERO(context, sizeof(context));
  usedspace = 0;
}

This is what should have been written here: MEMSET_BZERO(context, sizeof(*context)); as in the Apache and ReactOS copies of this file, the intermediate hash state is left in memory.

Identical errors can be found in some other places:

  • V512 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 644
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 953
  • V512 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 973
  • And 2 additional diagnostic messages.

Unreal Engine 4

V512 A call of the 'memset' function will lead to underflow of the buffer 'StartTimestampListHandles'. d3d12query.cpp 493

V512 A call of the 'memset' function will lead to underflow of the buffer 'EndTimestampListHandles'. d3d12query.cpp 495


class FD3D12BufferedGPUTiming
{
  ....
  FD3D12CLSyncPoint* StartTimestampListHandles;
  FD3D12CLSyncPoint* EndTimestampListHandles;
  ....
};

void FD3D12BufferedGPUTiming::InitDynamicRHI()
{
  ....
  StartTimestampListHandles = new FD3D12CLSyncPoint[BufferSize];
  ZeroMemory(StartTimestampListHandles,
             sizeof(StartTimestampListHandles));

  EndTimestampListHandles = new FD3D12CLSyncPoint[BufferSize];
  ZeroMemory(EndTimestampListHandles,
             sizeof(EndTimestampListHandles));
  ....
}

FreeBSD Kernel

V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->vendor'. aacraid_cam.c 571


#define  SID_VENDOR_SIZE   8
  char   vendor[SID_VENDOR_SIZE];
#define  SID_PRODUCT_SIZE  16
  char   product[SID_PRODUCT_SIZE];
#define  SID_REVISION_SIZE 4
  char   revision[SID_REVISION_SIZE];

static void
aac_container_special_command(struct cam_sim *sim,union ccb *ccb,
  u_int8_t *cmdp)
{
  ....
  /* OEM Vendor defines */
  strcpy(p->vendor,"Adaptec ");          // <=
  strcpy(p->product,"Array           "); // <=
  strcpy(p->revision,"V1.0");            // <=
  ....
}

Identical errors can be found in some other places:

  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->product'. aacraid_cam.c 572
  • V512 A call of the 'strcpy' function will lead to overflow of the buffer 'p->revision'. aacraid_cam.c 573

Stickies

V512 A call of the 'sprintf' function will lead to overflow of the buffer 'errTxt'. stickyinstaller.cpp 162


BOOL DDE_InitClient (void)
{
  UINT errCode = DdeInitialize(....);
  if (errCode != 0)
  {
    char errTxt[32];
    sprintf (errTxt, "DDE Server Failed, error code = %d",
             errCode);
    ....
}

Identical errors can be found in some other places:

  • V512 A call of the 'sprintf' function will lead to overflow of the buffer 'errTxt'. ddemlfuncs.cpp 151

CodeLite

V512 A call of the 'memset' function will lead to underflow of the buffer 'buffer'. md5.cpp 243


class MD5
{
  ....
  typedef unsigned      char uint1;
  ....
  uint1 buffer[64];   // input buffer
  ....
  static void memset(uint1 *start, uint1 val, uint4 length);
  ....
};

void MD5::finalize ()
{
  ....
  // Zeroize sensitive information
  memset (buffer, 0, sizeof(*buffer));         // <=
  finalized=1;
}

FreeBSD Kernel

V512 A call of the 'memset' function will lead to underflow of the buffer 'plog'. nat64lsn.c 218


struct pfloghdr {
  u_int8_t  length;
  sa_family_t  af;
  u_int8_t  action;
  u_int8_t  reason;
  char    ifname[IFNAMSIZ];
  char    ruleset[PFLOG_RULESET_NAME_SIZE];
  u_int32_t  rulenr;
  u_int32_t  subrulenr;
  uid_t    uid;
  pid_t    pid;
  uid_t    rule_uid;
  pid_t    rule_pid;
  u_int8_t  dir;
  u_int8_t  pad[3];
};

static void
nat64lsn_log(struct pfloghdr *plog, ....)
{
  memset(plog, 0, sizeof(plog));        // <=
  plog->length = PFLOG_REAL_HDRLEN;
  plog->af = family;
  plog->action = PF_NAT;
  plog->dir = PF_IN;
  plog->rulenr = htonl(n);
  plog->subrulenr = htonl(sn);
  plog->ruleset[0] = '\0';
  strlcpy(plog->ifname, "NAT64LSN", sizeof(plog->ifname));
  ipfw_bpf_mtap2(plog, PFLOG_HDRLEN, m);
}

CryEngine V

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'hashableData'. GeomCacheRenderNode.cpp 285


void CGeomCacheRenderNode::Render(....)
{
  ....
  CREGeomCache* pCREGeomCache = iter->second.m_pRenderElement;
  ....
  uint8 hashableData[] =
  {
   0, 0, 0, 0, 0, 0, 0, 0,
   (uint8)std::distance(pCREGeomCache->....->begin(), &meshData),
   (uint8)std::distance(meshData....->....begin(), &chunk),
   (uint8)std::distance(meshData.m_instances.begin(), &instance)
  };

  memcpy(hashableData,pCREGeomCache,sizeof(pCREGeomCache)); // <=
  ....
}

FreeBSD Kernel

V512 A call of the 'memcpy' function will lead to the '"MPI Coredump"' buffer becoming out of range. qls_dump.c 1615


typedef struct qls_mpid_glbl_hdr
{
  ....
  uint8_t   id[16];
  ....
} qls_mpid_glbl_hdr_t;

struct qls_mpi_coredump {
  qls_mpid_glbl_hdr_t  mpi_global_header;
  ....
};

typedef struct qls_mpi_coredump qls_mpi_coredump_t;

int
qls_mpi_core_dump(qla_host_t *ha)
{
  ....
  qls_mpi_coredump_t *mpi_dump = &ql_mpi_coredump;
  ....
  memcpy(mpi_dump->mpi_global_header.id, "MPI Coredump",
         sizeof(mpi_dump->mpi_global_header.id));
  ....
}

FreeBSD Kernel

V512 A call of the 'sprintf' function will lead to overflow of the buffer 'lldev->mtx_name_tx[qindex]'. if_nxge.c 511


#define XGE_HAL_MIN_FIFO_NUM  1
#define XGE_FIFO_COUNT  XGE_HAL_MIN_FIFO_NUM

typedef struct xge_lldev_t {
  ....
  char                 mtx_name_tx[16][XGE_FIFO_COUNT];
  struct callout       timer;
  struct ifmedia       media;
  xge_hal_channel_h    fifo_channel[XGE_FIFO_COUNT];
  ....
}

void
xge_mutex_init(xge_lldev_t *lldev)
{
  int qindex;
  ....
  for(qindex = 0; qindex < XGE_FIFO_COUNT; qindex++) {
    sprintf(lldev->mtx_name_tx[qindex], "%s_tx_%d",
      device_get_nameunit(lldev->device), qindex);
  ....
}
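The entries above fall into three recurring shapes: sizeof taken of a pointer instead of the object (sha2.c, nat64lsn.c, d3d12query.cpp), an element count passed where memset wants a byte count (strike.cpp, Notepad++, windows.c), and a string literal that disagrees with a fixed-size field (aacraid_cam.c, qls_dump.c). The following is an added example, not code from PVS-Studio or from any of the projects listed; it replays each shape on constructed buffers (ctx_t, MAX_EXPRESSION, SID_VENDOR_SIZE and GLBL_HDR_ID_SIZE are stand-ins) and returns how many bytes the call really touched, so intent and effect can be compared.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Constructed stand-in for SHA256_CTX / struct pfloghdr: 96 bytes, no padding. */
typedef struct { unsigned char state[32]; unsigned char buffer[64]; } ctx_t;

static size_t count_zero_bytes(const void *p, size_t n)
{
    const unsigned char *b = p;
    size_t zeroed = 0;
    for (size_t i = 0; i < n; i++) zeroed += (b[i] == 0);
    return zeroed;
}

/* Pattern 1: sizeof applied to the pointer, so only 4 or 8 bytes of the
 * object are cleared. The rest of the "cleaned" state survives. */
size_t cleared_with_sizeof_pointer(void)
{
    ctx_t ctx;
    ctx_t *context = &ctx;
    memset(context, 0xFF, sizeof(ctx));
    size_t len = sizeof(context);   /* bug: size of the pointer, not of *context */
    memset(context, 0, len);
    return count_zero_bytes(&ctx, sizeof(ctx));   /* sizeof(void *), not 96 */
}

size_t cleared_with_sizeof_object(void)
{
    ctx_t ctx;
    ctx_t *context = &ctx;
    memset(context, 0xFF, sizeof(ctx));
    memset(context, 0, sizeof(*context));         /* fix: size of the pointee */
    return count_zero_bytes(&ctx, sizeof(ctx));   /* 96 */
}

/* Pattern 2: element count passed as byte count, so a wchar_t array is only
 * partly cleared. Fix: memset(pAddExpression, 0, sizeof(pAddExpression)). */
enum { MAX_EXPRESSION = 16 };
size_t wide_cleared_with_element_count(void)
{
    wchar_t pAddExpression[MAX_EXPRESSION];
    memset(pAddExpression, 0xFF, sizeof(pAddExpression));
    memset(pAddExpression, 0, MAX_EXPRESSION);    /* bug: 16 bytes, not 16 wchar_t */
    return count_zero_bytes(pAddExpression, sizeof(pAddExpression));   /* 16 */
}

/* Pattern 3: literal vs. fixed-size field. strcpy needs the NUL to fit;
 * memcpy with sizeof(dst) must not read past the literal. Both are
 * decidable at compile time, so they can be turned into static checks. */
enum { SID_VENDOR_SIZE = 8, GLBL_HDR_ID_SIZE = 16 };
int vendor_literal_fits(void)     { return sizeof("Adaptec ") <= SID_VENDOR_SIZE; }    /* 0: 9 > 8 */
size_t coredump_id_overread(void) { return GLBL_HDR_ID_SIZE - sizeof("MPI Coredump"); } /* 3 bytes read past the literal */
```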
