Examples of errors detected by the V575 diagnostic.

V575. Function receives an odd argument.


G3D Content Pak

V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. graphics3D matrix4.cpp 269


// Equality operator; only the bytewise fast path is shown, the rest is elided.
bool Matrix4::operator==(const Matrix4& other) const {
  // BUG (V575): the closing parenthesis is misplaced, so the third argument
  // is the expression `sizeof(Matrix4) == 0`, which evaluates to 0. memcmp
  // over zero bytes returns 0, the condition is therefore always false, and
  // this early `return true` is never taken.
  if (memcmp(this, &other, sizeof(Matrix4) == 0)) {
    return true;
  }
  ...
}

A closing parenthesis is in the wrong place. This is how it should be: if (memcmp(this, &other, sizeof(Matrix4)) == 0) {


Miranda IM

V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. clist_modern modern_image_array.cpp 59


static BOOL ImageArray_Alloc(LP_IMAGE_ARRAY_DATA iad, int size)
{
  ...
  // BUG (V575): memset takes (dest, value, count). Here the byte count is
  // passed as the fill value and 0 as the count, so no bytes are written and
  // the nodes from nodes_allocated_size onward are not cleared.
  memset(&iad->nodes[iad->nodes_allocated_size],
    (size_grow - iad->nodes_allocated_size) *
       sizeof(IMAGE_ARRAY_DATA_NODE),
    0);
  ...
}

Arguments are mixed up. This is what should have been written here: memset(&iad->nodes[iad->nodes_allocated_size], 0, (size_grow - iad->nodes_allocated_size) * sizeof(IMAGE_ARRAY_DATA_NODE));


ReactOS

V575 The 'memset' function processes value '8196'. Inspect the second argument. hal bios.c 427


/* Parameter order is (Destination, Length, Fill). It differs from memset's
   (dest, value, count); the expansion swaps the last two accordingly. */
#define RtlFillMemory(Destination, Length, Fill) \
  memset(Destination, Fill, Length)

/* Size constant passed by the caller below. */
#define IOPM_FULL_SIZE          8196

HalpRestoreIopm(VOID)
{
  ...
  /* BUG (V575): RtlFillMemory takes (Destination, Length, Fill), so this
     call passes 0xFF as the length and IOPM_FULL_SIZE (8196) as the fill
     value. It expands to memset(HalpSavedIoMap, 8196, 0xFF): 255 bytes are
     written with 8196 truncated to a byte (0x04), instead of 8196 bytes of
     0xFF. The remainder of the buffer keeps its previous contents.
     NOTE(review): if this buffer is an I/O permission map, the bits that
     end up in it are not the ones intended - confirm the effect on port
     access against the code that consumes HalpSavedIoMap. */
  RtlFillMemory(HalpSavedIoMap, 0xFF, IOPM_FULL_SIZE);
  ...
}

Arguments are mixed up. This is what should have been written here: RtlFillMemory(HalpSavedIoMap, IOPM_FULL_SIZE, 0xFF);


Doom 3

V575 The 'memset' function processes '0' elements. Inspect the third argument. DoomDLL win_shared.cpp 177


void Sys_GetCurrentMemoryStatus( sysMemoryStats_t &stats ) {
  ...
  // BUG (V575): the value and count arguments are swapped. The count is 0,
  // so statex is not zeroed and keeps whatever it held before this call.
  memset( &statex, sizeof( statex ), 0 );
  ...
}

This is what should have been written here: memset( &statex, 0, sizeof( statex ) );


Mozilla Firefox

V575 The 'memcmp' function processes '0' elements. Inspect the third argument. pixman-image.c 520


pixman_bool_t
pixman_image_set_transform (....)
{
  /* BUG (V575): the comparison `== 0` sits inside the call, so the third
     argument is `sizeof (pixman_transform_t) == 0`, i.e. 0. memcmp over zero
     bytes returns 0 regardless of the two transforms. (The excerpt is
     abbreviated; the enclosing condition is not shown.) */
  memcmp (common->transform, transform,
          sizeof (pixman_transform_t) == 0))
}

This is what should have been written here: memcmp (common->transform, transform, sizeof (pixman_transform_t)) == 0)


Fennec Media

V575 The null pointer is passed into 'free' function. Inspect the first argument. settings interface.c 3096


int settings_proc_language_packs(....)
{
  ....
  case WM_DESTROY:
    if(mem_files)
    {
      /* BUG (V575): the pointer is cleared before it is released, so
         sys_mem_free() receives null and the block mem_files pointed to is
         not freed through this variable. The two statements are in the
         wrong order: release first, then clear. */
      mem_files = 0;
      sys_mem_free(mem_files);
    }
    EndDialog(hwnd,0);
    break;
  ....
}

ReactOS

V575 The null pointer is passed into 'wcscpy' function. Inspect the second argument. eventvwr.c 270


BOOL GetEventCategory(....)
{
  ....
  if (lpMsgBuf)
  {
    ....
  }
  else
  {
    /* BUG (V575): this branch runs only when lpMsgBuf is null, yet lpMsgBuf
       is used as the source string, so wcscpy reads through a null pointer.
       NOTE(review): a fallback string was presumably intended here -
       confirm what CategoryName should hold when no message is available. */
    wcscpy(CategoryName, (LPCWSTR)lpMsgBuf);
  }
  ....
}

ReactOS

V575 The null pointer is passed into 'strstr' function. Inspect the first argument. headless.c 263


VOID WinLdrSetupEms(IN PCHAR BootOptions)
{
  PCHAR RedirectPort;
  ....
  RedirectPort = strstr(RedirectPort, "com");
  if (RedirectPort)
  {
    ....
  }
  else
  {
    /* BUG (V575): this branch runs only when RedirectPort is null, yet
       RedirectPort is passed as the string to search, so strstr reads
       through a null pointer.
       NOTE(review): the search was presumably meant to run on the string
       scanned before the first strstr - confirm against the elided code. */
    RedirectPort = strstr(RedirectPort, "usebiossettings");
  ....
}

ReactOS

V575 The null pointer is passed into '_wcsicmp' function. Inspect the first argument. misc.c 150


DWORD ParseReasonCode(LPCWSTR code)
{
  LPWSTR tmpPrefix = NULL;
  ....
  for (reasonptr = shutdownReason ;
       reasonptr->prefix ; reasonptr++)
  {
    /* BUG (V575): tmpPrefix is initialised to NULL above and, per the
       analyzer, is still null when it reaches _wcsicmp, which then reads
       through a null pointer (any assignment would be in the elided code).
       NOTE(review): `!= 0` selects entries whose prefix differs from
       tmpPrefix - confirm that is the intended match condition. */
    if ((majorCode == reasonptr->major) &&
        (minorCode == reasonptr->minor) &&
        (_wcsicmp(tmpPrefix, reasonptr->prefix) != 0))
    {
      return reasonptr->flag;
    }
  }
  ....
}

Multi Theft Auto

V575 The null pointer is passed into 'memcpy' function. Inspect the second argument. cdirect3ddata.cpp 80


// Copies the stored matrix selected by dwRequestedMatrix into *pMatrixOut.
void CDirect3DData::GetTransform (
  D3DTRANSFORMSTATETYPE dwRequestedMatrix,
  D3DMATRIX * pMatrixOut)
{
  switch ( dwRequestedMatrix )
  {
    case D3DTS_VIEW:
      memcpy (pMatrixOut, &m_mViewMatrix, sizeof(D3DMATRIX));
      break;
    case D3DTS_PROJECTION:
      memcpy (pMatrixOut, &m_mProjMatrix, sizeof(D3DMATRIX));
      break;
    case D3DTS_WORLD:
      memcpy (pMatrixOut, &m_mWorldMatrix, sizeof(D3DMATRIX));
      break;
    default:
      // Zero out the structure for the user.
      // BUG (V575): memcpy with a null source reads sizeof(D3DMATRIX) bytes
      // from address 0 instead of zeroing *pMatrixOut; the comment above
      // shows that a fill, not a copy, was intended.
      memcpy (pMatrixOut, 0, sizeof(D3DMATRIX));   // <=
      break;
  }
  ....
}

A copy-paste error. Most likely this is what should be written here: memset(pMatrixOut, 0, sizeof(D3DMATRIX));


Multi Theft Auto

V575 The 'memset' function processes value '512'. Inspect the second argument. crashhandler.cpp 499

V575 The 'memset' function processes '0' elements. Inspect the third argument. crashhandler.cpp 499


// Parameter order is (Destination, Length, Fill). It differs from memset's
// (dest, value, count); the expansion swaps the last two accordingly.
#define RtlFillMemory(Destination,Length,Fill) \
  memset((Destination),(Fill),(Length))

// FillMemory is an alias, so it takes the same (Destination, Length, Fill).
#define FillMemory RtlFillMemory

LPCTSTR __stdcall GetFaultReason ( EXCEPTION_POINTERS * pExPtrs )
{
  ....
  PIMAGEHLP_SYMBOL pSym = (PIMAGEHLP_SYMBOL)&g_stSymbol ;
  // BUG (V575): FillMemory takes (Destination, Length, Fill), so NULL is
  // passed as the length and SYM_BUFF_SIZE as the fill value. The call
  // expands to memset(pSym, SYM_BUFF_SIZE, NULL): zero bytes are written and
  // g_stSymbol keeps its previous contents.
  FillMemory ( pSym , NULL , SYM_BUFF_SIZE ) ;
  ....
}

Most likely this is what should be written here: FillMemory ( pSym , SYM_BUFF_SIZE, 0 ) ;

Identical errors can be found in some other places:

  • V575 The 'memset' function processes value '512'. Inspect the second argument. ccrashhandlerapi.cpp 503
  • V575 The 'memset' function processes '0' elements. Inspect the third argument. ccrashhandlerapi.cpp 503

Firebird

V575 The 'memset' function processes '0' elements. Inspect the third argument. perf.cpp 487


void FB_CARG Why::UtlInterface::getPerfCounters(
  ...., ISC_INT64* counters)
{
  unsigned n = 0;
  ....
  // BUG (V575): n is initialised to 0 above and, per the analyzer, is still
  // 0 at this call, so the count is 0 and counters is not cleared (any
  // assignment to n would be in the elided code).
  memset(counters, 0, n * sizeof(ISC_INT64));
  ....
}

Scilab

V575 The null pointer is passed into 'strlen' function. Inspect the first argument. splitline.c 107


char **splitLineCSV(....)
{
  ....
  if (retstr[curr_str] == NULL)
  {
    *toks = 0;
    FREE(substitutedstring);
    substitutedstring = NULL;
    /* BUG (V575): substitutedstring was set to NULL on the previous line, so
       strlen reads through a null pointer. The length is needed before the
       string is released; it cannot be taken from the pointer afterwards. */
    freeArrayOfString(retstr, strlen(substitutedstring));
    return NULL;
  }
  ....
}

WinSCP

V575 The 'memset' function processes '0' elements. Inspect the third argument. messagedlg.cpp 786


TForm * __fastcall TMessageForm::Create(....)
{
  ....
  LOGFONT AFont;
  ....
  // BUG (V575): the value and count arguments are swapped. The count is 0,
  // so AFont is not zeroed; fields that the following code does not set
  // explicitly stay uninitialised.
  memset(&AFont, sizeof(AFont), 0);
  ....
}

Identical errors can be found in some other places:

  • V575 The 'memset' function processes '0' elements. Inspect the third argument. messagedlg.cpp 796

Miranda NG

V575 The 'strrchr' function processes value '10875'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 177

V575 The 'strchr' function processes value '32042'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 177


// Null-tolerant wrapper: yields 0 when s is null, otherwise strrchr(s, c).
#define mir_strrchr(s,c) (((s)!=0)?strrchr((s),(c)):0)

BYTE CExImContactBase::fromIni(LPSTR& row)
{
  ....
  // BUG (V575): '*{' and '}*' are multi-character constants of type int with
  // implementation-defined values (the analyzer reports 10875 = 0x2A7B and
  // 32042 = 0x7D2A). strrchr/strchr convert that argument to char, so each
  // call looks for a single character, not for the two-character marker.
  // NOTE(review): a substring search was presumably intended - confirm.
  if (cchBuf > 10 && (p1 = mir_strrchr(pszBuf, '*{')) &&
      (p2 = mir_strchr(p1, '}*')) && p1 + 2 < p2) {
  ....
}

Identical errors can be found in some other places:

  • V575 The 'strrchr' function processes value '10812'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 182
  • V575 The 'strchr' function processes value '15914'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 182
  • V575 The 'strrchr' function processes value '10792'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 187
  • And 7 additional diagnostic messages.

Miranda NG

V575 The 'memset' function processes '0' elements. Inspect the third argument. PluginUpdater dlgupdate.cpp 652


static int ScanFolder(....)
{
  ....
  __except (EXCEPTION_EXECUTE_HANDLER)
  {
    // BUG (V575): the length argument is 0, so nothing is cleared and
    // szMyHash keeps whatever was in it when the exception was raised.
    // NOTE(review): if the later code treats an empty hash as "reload",
    // stale contents here defeat that - confirm against the caller.
    ZeroMemory(szMyHash, 0);
    // smth went wrong, reload a file from scratch
  }
  ....
}

Identical errors can be found in some other places:

  • V575 The 'memset' function processes '0' elements. Inspect the third argument. ShlExt shlipc.cpp 68

Miranda NG

V575 The null pointer is passed into 'fclose' function. Inspect the first argument. NimContact files.cpp 97


// Writes szInfo to outFile. Returns 0 if fopen fails, otherwise 1 after the
// write (the fprintf result is not checked).
int savehtml(char* outFile)
{
  FILE* file = fopen(outFile, "w");
  if (!file)
  {
    // BUG (V575): file is null on this path; calling fclose on a null
    // pointer is undefined behaviour. Nothing was opened, so there is
    // nothing to close here.
    fclose(file);
    return 0;
  }
  fprintf(file, "%s", szInfo);
  fclose(file);
  return 1;
}

Haiku Operating System

V575 The 'strchr' function processes value '2112800'. Inspect the second argument. CommandActuators.cpp 1517


extern char    *strchr(const char *string, int character);

SendMessageCommandActuator::
SendMessageCommandActuator(int32 argc, char** argv)
  :
  CommandActuator(argc, argv),
  fSignature((argc > 1) ? argv[1] : "")
{
  ....
  const char* arg = argv[i];
  BString argString(arg);
  // BUG (V575): ' = ' is a three-character constant of type int with an
  // implementation-defined value (the analyzer reports 2112800 = 0x203D20).
  // strchr converts it to char, so the call searches for one character and
  // not for the sequence space, '=', space.
  // NOTE(review): either '=' or a substring search was presumably intended.
  const char* equals = strchr(arg, ' = ');  // <=
  ....
}

ReactOS

V575 Buffer's size in bytes should be passed to the 'memset' function as the third argument instead of the number of processed elements. solitaire.cpp 153


void UpdateStatusBar(void)
{
  TCHAR szStatusText[128];
  ....
  // BUG (V575): ZeroMemory expects a size in bytes, but the expression is
  // the element count (128). When TCHAR is wider than one byte, only the
  // first 128 bytes of the buffer are cleared and the rest stays
  // uninitialised.
  ZeroMemory(szStatusText,
             sizeof(szStatusText) / sizeof(TCHAR)); // <=
  ....
}

Open X-Ray Engine

V575 The null pointer is passed into 'fclose' function. Inspect the first argument. ogg_enc.cpp 47


ETOOLS_API int __stdcall ogg_enc(....)
{
  ....
  // Only `out` is initialised by this declaration; `in` is assigned below.
  FILE *in, *out    = NULL;
  ....
  input_format    *format;
  ....
  in = fopen(in_fn, "rb");

  if(in == NULL)  return 0;

  format = open_audio_file(in, &enc_opts);
  if(!format){
    fclose(in);
    return 0;
  };

  out = fopen(out_fn, "wb");
  if(out == NULL){
    // BUG (V575): out is null on this path; calling fclose on a null pointer
    // is undefined behaviour. The handle that is actually open here is `in`,
    // and the visible code does not close it before returning.
    fclose(out);
    return 0;
  }
  ....
}

Open X-Ray Engine

V575 The 'memset' function processes '0' elements. Inspect the third argument. xrdebug.cpp 104


size_t xrDebug::BuildStackTrace(EXCEPTION_POINTERS* exPtrs,
                                char *buffer,
                                size_t capacity,
                                size_t lineCapacity)
{
  // BUG (V575): the value and count arguments are swapped. The count is 0,
  // so buffer is not cleared and keeps its previous contents, including any
  // missing terminators.
  memset(buffer, capacity*lineCapacity, 0);
  ....
}

CryEngine V

V575 The 'memset' function processes '0' elements. Inspect the third argument. crythreadutil_win32.h 294


void EnableFloatExceptions(....)
{
  ....
  CONTEXT ctx;
  // BUG (V575): the value and count arguments are swapped. The count is 0,
  // so ctx is not zeroed; fields the following code does not set explicitly
  // hold indeterminate stack contents.
  memset(&ctx, sizeof(ctx), 0);  // <=
  ....
}

GNU GRUB

V575 The null pointer is passed into 'fclose' function. Inspect the first argument. grub-mkpasswd-pbkdf2.c 184


Int main (int argc, char *argv[])
{
  ....
  {
    FILE *f;
    size_t rd;
    f = fopen ("/dev/urandom", "rb");
    if (!f)
    {
      /* Error path: the password buffer is wiped and the buffers are
         released before the elided code that follows. */
      memset (pass1, 0, sizeof (pass1));
      free (buf);
      free (bufhex);
      free (salthex);
      free (salt);
      /* BUG (V575): f is null on this path; calling fclose on a null pointer
         is undefined behaviour. Nothing was opened, so there is nothing to
         close here. */
      fclose (f);                     //<=
      ....
    }
    ....
    fclose (f);
  }
  ....
}

Identical errors can be found in some other places:

  • V575 The null pointer is passed into 'free' function. Inspect the first argument. grub-setup.c 1187

Linux Kernel

V575 The 'strncasecmp' function processes '0' elements. Inspect the third argument. linux_wlan.c 1121


static int mac_ioctl(struct net_device *ndev,
                     struct ifreq *req,
                     int cmd)
{
  u8 *buff = NULL;
  s8 rssi;
  u32 size = 0, length = 0;
  struct wilc_vif *vif;
  s32 ret = 0;
  struct wilc *wilc;

  vif = netdev_priv(ndev);
  wilc = vif->wilc;

  if (!wilc->initialized)
    return 0;

  switch (cmd) {
  case SIOCSIWPRIV:
  {
    struct iwreq *wrq = (struct iwreq *)req;

    /* The caller-supplied length is stored in `size`, not in `length`. */
    size = wrq->u.data.length;

    if (size && wrq->u.data.pointer) {
      /* Copy of the caller's buffer; released at the `done` label. */
      buff = memdup_user(wrq->u.data.pointer,
                         wrq->u.data.length);
      if (IS_ERR(buff))
        return PTR_ERR(buff);

      /* BUG (V575): the compare length is `length`, which is initialised to
         0 and not assigned anywhere in the visible code. strncasecmp over
         zero characters returns 0, so this branch is entered for any
         non-empty buffer copied from user space, whether or not it starts
         with "RSSI". */
      if (strncasecmp(buff, "RSSI", length) == 0) {   // <=
        ....
      }
    }
  }
  ....
  }

done:

  kfree(buff);

  return ret;
}

CryEngine V

V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. SystemInit.cpp 4045


class CLvlRes_finalstep : public CLvlRes_base
{
  ....
  // Walks the path one component at a time; each component is temporarily
  // terminated, looked up with FindFile, and overwritten with fd.name.
  for (;; )
  {
    if (*p == '/' || *p == '\\' || *p == 0)
    {
      char cOldChar = *p;
      *p = 0; // create zero termination
      _finddata_t fd;

      bool bOk = FindFile(szFilePath, szFile, fd);

      if (bOk)
        assert(strlen(szFile) == strlen(fd.name));

      *p = cOldChar; // get back the old separator

      if (!bOk)
        return;

      // V575: the copy length is strlen(fd.name), so no terminating null is
      // written. The target is one component inside a longer path and the
      // byte after it was restored from cOldChar just above; a strcpy would
      // overwrite that byte.
      // NOTE(review): the only visible check that fd.name has the same
      // length as the component is the assert above. If that assert is
      // compiled out and the lengths differ, this memcpy writes more or
      // fewer bytes than the component holds - confirm a runtime length
      // check exists.
      memcpy((void*)szFile, fd.name, strlen(fd.name)); // <=

      if (*p == 0)
        break;

      ++p;
      szFile = p;
    }
    else ++p;
  }
  ....
}

