Examples of errors detected by the V575 diagnostic.


V575. Function receives an odd argument.


G3D Content Pak

V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. graphics3D matrix4.cpp 269


// Equality operator whose memcmp fast path is disabled by a misplaced parenthesis.
bool Matrix4::operator==(const Matrix4& other) const {
  // `sizeof(Matrix4) == 0` is evaluated first and yields false (0), so memcmp
  // compares zero bytes and returns 0. The condition is therefore never true
  // and this early return can never be taken.
  if (memcmp(this, &other, sizeof(Matrix4) == 0)) {
    return true;
  }
  ...
}

A parenthesis put in a wrong place. This is how it should be: if (memcmp(this, &other, sizeof(Matrix4)) == 0) {


Miranda IM

V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. clist_modern modern_image_array.cpp 59


static BOOL ImageArray_Alloc(LP_IMAGE_ARRAY_DATA iad, int size)
{
  ...
  // memset takes (destination, fill value, byte count). Here the byte count is
  // passed as the fill value and the count is 0, so nothing is written: the
  // nodes from nodes_allocated_size onward keep whatever the memory held before.
  memset(&iad->nodes[iad->nodes_allocated_size],
    (size_grow - iad->nodes_allocated_size) *
       sizeof(IMAGE_ARRAY_DATA_NODE),
    0);
  ...
}

Arguments are mixed up. This is what should have been written here: memset(&iad->nodes[iad->nodes_allocated_size], 0, (size_grow - iad->nodes_allocated_size) * sizeof(IMAGE_ARRAY_DATA_NODE));


ReactOS

V575 The 'memset' function processes value '8196'. Inspect the second argument. hal bios.c 427


/* Wrapper whose parameter order is (Destination, Length, Fill); it forwards
   to memset(Destination, Fill, Length). */
#define RtlFillMemory(Destination, Length, Fill) \
  memset(Destination, Fill, Length)

#define IOPM_FULL_SIZE          8196

HalpRestoreIopm(VOID)
{
  ...
  /* Length and Fill are swapped: the call expands to
     memset(HalpSavedIoMap, 8196, 0xFF), which writes only 255 bytes and
     truncates the fill value 8196 to the byte 0x04.
     NOTE(review): if this buffer is an x86 I/O permission bitmap, cleared
     bits grant port access, so a wrong fill pattern is security-relevant -
     confirm against the HAL code. */
  RtlFillMemory(HalpSavedIoMap, 0xFF, IOPM_FULL_SIZE);
  ...
}

Arguments are mixed up. This is what should have been written here: RtlFillMemory(HalpSavedIoMap, IOPM_FULL_SIZE, 0xFF);


Doom 3

V575 The 'memset' function processes '0' elements. Inspect the third argument. DoomDLL win_shared.cpp 177


void Sys_GetCurrentMemoryStatus( sysMemoryStats_t &stats ) {
  ...
  // Fill value and byte count are swapped: zero bytes are written, so statex
  // is not cleared by this call and keeps its previous (possibly
  // indeterminate) contents.
  memset( &statex, sizeof( statex ), 0 );
  ...
}

This is what should have been written here: memset( &statex, 0, sizeof( statex ) );


Mozilla Firefox

V575 The 'memcmp' function processes '0' elements. Inspect the third argument. pixman-image.c 520


pixman_bool_t
pixman_image_set_transform (....)
{
  /* The `== 0` sits inside the third argument, so the length becomes the
     result of `sizeof (pixman_transform_t) == 0`, i.e. 0. memcmp then
     compares nothing and always returns 0, so the two transforms are
     never actually compared. */
  memcmp (common->transform, transform,
          sizeof (pixman_transform_t) == 0))
}

This is what should have been written here: memcmp (common->transform, transform, sizeof (pixman_transform_t)) == 0)


Fennec Media

V575 The null pointer is passed into 'free' function. Inspect the first argument. settings interface.c 3096


int settings_proc_language_packs(....)
{
  ....
  case WM_DESTROY:
    if(mem_files)
    {
      /* The pointer is cleared BEFORE it is handed to sys_mem_free, so the
         call receives 0 and the original allocation is never released.
         The two statements need to be in the opposite order. */
      mem_files = 0;
      sys_mem_free(mem_files);
    }
    EndDialog(hwnd,0);
    break;
  ....
}

ReactOS

V575 The null pointer is passed into 'wcscpy' function. Inspect the second argument. eventvwr.c 270


BOOL GetEventCategory(....)
{
  ....
  if (lpMsgBuf)
  {
    ....
  }
  else
  {
    /* This branch is reached only when lpMsgBuf is NULL, so wcscpy reads
       its source string through a null pointer. */
    wcscpy(CategoryName, (LPCWSTR)lpMsgBuf);
  }
  ....
}

ReactOS

V575 The null pointer is passed into 'strstr' function. Inspect the first argument. headless.c 263


VOID WinLdrSetupEms(IN PCHAR BootOptions)
{
  PCHAR RedirectPort;
  ....
  RedirectPort = strstr(RedirectPort, "com");
  if (RedirectPort)
  {
    ....
  }
  else
  {
    /* This branch runs only when the strstr above returned NULL, so
       RedirectPort is NULL here and this strstr dereferences a null pointer.
       NOTE(review): the search was presumably meant to scan BootOptions -
       confirm. */
    RedirectPort = strstr(RedirectPort, "usebiossettings");
  ....
}

ReactOS

V575 The null pointer is passed into '_wcsicmp' function. Inspect the first argument. misc.c 150


DWORD ParseReasonCode(LPCWSTR code)
{
  /* Initialised to NULL; the analyzer reports it is still NULL when it
     reaches _wcsicmp below (the elided code is not shown here). */
  LPWSTR tmpPrefix = NULL;
  ....
  for (reasonptr = shutdownReason ;
       reasonptr->prefix ; reasonptr++)
  {
    /* Passing a null first argument to _wcsicmp is a null-pointer
       dereference in the comparison routine. */
    if ((majorCode == reasonptr->major) &&
        (minorCode == reasonptr->minor) &&
        (_wcsicmp(tmpPrefix, reasonptr->prefix) != 0))
    {
      return reasonptr->flag;
    }
  }
  ....
}

Multi Theft Auto

V575 The null pointer is passed into 'memcpy' function. Inspect the second argument. cdirect3ddata.cpp 80


// Copies the requested cached matrix into pMatrixOut.
void CDirect3DData::GetTransform (
  D3DTRANSFORMSTATETYPE dwRequestedMatrix,
  D3DMATRIX * pMatrixOut)
{
  switch ( dwRequestedMatrix )
  {
    case D3DTS_VIEW:
      memcpy (pMatrixOut, &m_mViewMatrix, sizeof(D3DMATRIX));
      break;
    case D3DTS_PROJECTION:
      memcpy (pMatrixOut, &m_mProjMatrix, sizeof(D3DMATRIX));
      break;
    case D3DTS_WORLD:
      memcpy (pMatrixOut, &m_mWorldMatrix, sizeof(D3DMATRIX));
      break;
    default:
      // Zero out the structure for the user.
      // The source argument is a null pointer, so instead of zeroing the
      // output this reads sizeof(D3DMATRIX) bytes from address 0 for any
      // state type not handled above.
      memcpy (pMatrixOut, 0, sizeof(D3DMATRIX));   // <=
      break;
  }
  ....
}

A Copy-Paste error. Most likely this is what should be written here: memset(pMatrixOut, 0, sizeof(D3DMATRIX));.


Multi Theft Auto

V575 The 'memset' function processes value '512'. Inspect the second argument. crashhandler.cpp 499

V575 The 'memset' function processes '0' elements. Inspect the third argument. crashhandler.cpp 499


// Wrapper whose parameter order is (Destination, Length, Fill); memset itself
// takes (destination, fill, length).
#define RtlFillMemory(Destination,Length,Fill) \
  memset((Destination),(Fill),(Length))

#define FillMemory RtlFillMemory

LPCTSTR __stdcall GetFaultReason ( EXCEPTION_POINTERS * pExPtrs )
{
  ....
  PIMAGEHLP_SYMBOL pSym = (PIMAGEHLP_SYMBOL)&g_stSymbol ;
  // NULL lands in the Length slot and SYM_BUFF_SIZE in the Fill slot, so this
  // expands to memset(pSym, SYM_BUFF_SIZE, NULL): zero bytes are written and
  // the symbol buffer is not cleared before use.
  FillMemory ( pSym , NULL , SYM_BUFF_SIZE ) ;
  ....
}

Most likely this is what should be written here: FillMemory ( pSym , SYM_BUFF_SIZE, 0 ) ;

Similar errors can be found in some other places:

  • V575 The 'memset' function processes value '512'. Inspect the second argument. ccrashhandlerapi.cpp 503
  • V575 The 'memset' function processes '0' elements. Inspect the third argument. ccrashhandlerapi.cpp 503

Firebird

V575 The 'memset' function processes '0' elements. Inspect the third argument. perf.cpp 487


void FB_CARG Why::UtlInterface::getPerfCounters(
  ...., ISC_INT64* counters)
{
  unsigned n = 0;
  ....
  // The analyzer reports n is still 0 at this point, so the byte count is 0
  // and the caller's counters array is left uncleared (the elided code that
  // might update n is not shown here).
  memset(counters, 0, n * sizeof(ISC_INT64));
  ....
}

Scilab

V575 The null pointer is passed into 'strlen' function. Inspect the first argument. splitline.c 107


char **splitLineCSV(....)
{
  ....
  if (retstr[curr_str] == NULL)
  {
    *toks = 0;
    FREE(substitutedstring);
    substitutedstring = NULL;
    /* substitutedstring was set to NULL on the previous line, so strlen
       dereferences a null pointer on this error path. The length has to be
       taken before the string is freed and cleared. */
    freeArrayOfString(retstr, strlen(substitutedstring));
    return NULL;
  }
  ....
}

WinSCP

V575 The 'memset' function processes '0' elements. Inspect the third argument. messagedlg.cpp 786


TForm * __fastcall TMessageForm::Create(....)
{
  ....
  LOGFONT AFont;
  ....
  // Fill value and byte count are swapped: zero bytes are written, so AFont
  // is not cleared by this call and keeps its uninitialised stack contents.
  memset(&AFont, sizeof(AFont), 0);
  ....
}

Similar errors can be found in some other places:

  • V575 The 'memset' function processes '0' elements. Inspect the third argument. messagedlg.cpp 796

Miranda NG

V575 The 'strrchr' function processes value '10875'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 177

V575 The 'strchr' function processes value '32042'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 177


// Null-tolerant wrapper around strrchr.
#define mir_strrchr(s,c) (((s)!=0)?strrchr((s),(c)):0)

BYTE CExImContactBase::fromIni(LPSTR& row)
{
  ....
  // '*{' and '}*' are multi-character constants (int values 10875 and 32042),
  // not strings. strrchr/strchr convert the argument to a single char, so on
  // typical implementations these calls search for '{' and '*' alone rather
  // than for the two-character delimiters.
  // NOTE(review): a substring search was presumably intended - confirm.
  if (cchBuf > 10 && (p1 = mir_strrchr(pszBuf, '*{')) &&
      (p2 = mir_strchr(p1, '}*')) && p1 + 2 < p2) {
  ....
}

Similar errors can be found in some other places:

  • V575 The 'strrchr' function processes value '10812'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 182
  • V575 The 'strchr' function processes value '15914'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 182
  • V575 The 'strrchr' function processes value '10792'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 187
  • And 7 additional diagnostic messages.

Miranda NG

V575 The 'memset' function processes '0' elements. Inspect the third argument. PluginUpdater dlgupdate.cpp 652


static int ScanFolder(....)
{
  ....
  __except (EXCEPTION_EXECUTE_HANDLER)
  {
    // The length argument is 0, so nothing is cleared: szMyHash keeps
    // whatever it held when the exception was raised.
    ZeroMemory(szMyHash, 0);
    // smth went wrong, reload a file from scratch
  }
  ....
}

Similar errors can be found in some other places:

  • V575 The 'memset' function processes '0' elements. Inspect the third argument. ShlExt shlipc.cpp 68

Miranda NG

V575 The null pointer is passed into 'fclose' function. Inspect the first argument. NimContact files.cpp 97


// Writes szInfo to outFile; returns 1 on success and 0 if the file cannot be opened.
int savehtml(char* outFile)
{
  FILE* file = fopen(outFile, "w");
  if (!file)
  {
    // file is NULL in this branch; calling fclose on a null stream is
    // undefined behaviour. There is nothing to close when fopen failed.
    fclose(file);
    return 0;
  }
  fprintf(file, "%s", szInfo);
  fclose(file);
  return 1;
}

Haiku Operating System

V575 The 'strchr' function processes value '2112800'. Inspect the second argument. CommandActuators.cpp 1517


// strchr takes the character to find as an int and converts it to char.
extern char    *strchr(const char *string, int character);

SendMessageCommandActuator::
SendMessageCommandActuator(int32 argc, char** argv)
  :
  CommandActuator(argc, argv),
  fSignature((argc > 1) ? argv[1] : "")
{
  ....
  const char* arg = argv[i];
  BString argString(arg);
  // ' = ' is a multi-character constant (int value 2112800), not a string.
  // After conversion to char only one byte survives (a space on typical
  // implementations), so this finds the first space in arg, not " = ".
  const char* equals = strchr(arg, ' = ');  // <=
  ....
}

ReactOS

V575 Buffer's size in bytes should be passed to the 'memset' function as the third argument instead of the number of processed elements. solitaire.cpp 153


void UpdateStatusBar(void)
{
  TCHAR szStatusText[128];
  ....
  // ZeroMemory expects a size in bytes, but this passes the element count.
  // When TCHAR is wider than one byte, only part of the buffer is cleared and
  // the tail keeps its uninitialised stack contents.
  ZeroMemory(szStatusText,
             sizeof(szStatusText) / sizeof(TCHAR)); // <=
  ....
}

Open X-Ray Engine

V575 The null pointer is passed into 'fclose' function. Inspect the first argument. ogg_enc.cpp 47


ETOOLS_API int __stdcall ogg_enc(....)
{
  ....
  FILE *in, *out    = NULL;
  ....
  input_format    *format;
  ....
  in = fopen(in_fn, "rb");

  if(in == NULL)  return 0;

  format = open_audio_file(in, &enc_opts);
  if(!format){
    fclose(in);
    return 0;
  };

  out = fopen(out_fn, "wb");
  if(out == NULL){
    // out is NULL here, so fclose receives a null stream (undefined
    // behaviour), while the already-open input stream `in` is not closed on
    // this path and leaks.
    // NOTE(review): fclose(in) was presumably intended - confirm.
    fclose(out);
    return 0;
  }
  ....
}

Open X-Ray Engine

V575 The 'memset' function processes '0' elements. Inspect the third argument. xrdebug.cpp 104


size_t xrDebug::BuildStackTrace(EXCEPTION_POINTERS* exPtrs,
                                char *buffer,
                                size_t capacity,
                                size_t lineCapacity)
{
  // Fill value and byte count are swapped: the count is 0, so the output
  // buffer is not cleared and keeps whatever the caller's memory contained.
  memset(buffer, capacity*lineCapacity, 0);
  ....
}

CryEngine V

V575 The 'memset' function processes '0' elements. Inspect the third argument. crythreadutil_win32.h 294


void EnableFloatExceptions(....)
{
  ....
  CONTEXT ctx;
  // Fill value and byte count are swapped: zero bytes are written, so ctx
  // keeps its uninitialised stack contents after this call.
  memset(&ctx, sizeof(ctx), 0);  // <=
  ....
}

GNU GRUB

V575 The null pointer is passed into 'fclose' function. Inspect the first argument. grub-mkpasswd-pbkdf2.c 184


Int main (int argc, char *argv[])
{
  ....
  {
    FILE *f;
    size_t rd;
    f = fopen ("/dev/urandom", "rb");
    if (!f)
    {
      /* Error path for a failed fopen: the buffers are wiped and released
         correctly, but f is NULL here, so the fclose below is called on a
         null stream (undefined behaviour). It should simply be dropped. */
      memset (pass1, 0, sizeof (pass1));
      free (buf);
      free (bufhex);
      free (salthex);
      free (salt);
      fclose (f);                     //<=
      ....
    }
    ....
    fclose (f);
  }
  ....
}

Similar errors can be found in some other places:

  • V575 The null pointer is passed into 'free' function. Inspect the first argument. grub-setup.c 1187

Linux Kernel

V575 The 'strncasecmp' function processes '0' elements. Inspect the third argument. linux_wlan.c 1121


static int mac_ioctl(struct net_device *ndev,
                     struct ifreq *req,
                     int cmd)
{
  u8 *buff = NULL;
  s8 rssi;
  /* `size` receives the user-supplied length below; `length` is only
     initialised to 0 in the code shown. */
  u32 size = 0, length = 0;
  struct wilc_vif *vif;
  s32 ret = 0;
  struct wilc *wilc;

  vif = netdev_priv(ndev);
  wilc = vif->wilc;

  if (!wilc->initialized)
    return 0;

  switch (cmd) {
  case SIOCSIWPRIV:
  {
    struct iwreq *wrq = (struct iwreq *)req;

    size = wrq->u.data.length;

    if (size && wrq->u.data.pointer) {
      /* buff is a kernel copy of a user-controlled buffer. */
      buff = memdup_user(wrq->u.data.pointer,
                         wrq->u.data.length);
      if (IS_ERR(buff))
        return PTR_ERR(buff);

      /* With length == 0 the comparison examines no characters and always
         returns 0, so this branch is taken for ANY user-supplied payload,
         not only for "RSSI".
         NOTE(review): `size` was presumably the intended bound - confirm. */
      if (strncasecmp(buff, "RSSI", length) == 0) {   // <=
        ....
      }
    }
  }
  ....
  }

done:

  kfree(buff);

  return ret;
}

CryEngine V

V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. SystemInit.cpp 4045


class CLvlRes_finalstep : public CLvlRes_base
{
  ....
  for (;; )
  {
    if (*p == '/' || *p == '\\' || *p == 0)
    {
      char cOldChar = *p;
      *p = 0; // create zero termination
      _finddata_t fd;

      bool bOk = FindFile(szFilePath, szFile, fd);

      // The only check that fd.name has the same length as the path
      // component it replaces is this assert, which is compiled out when
      // NDEBUG is defined.
      if (bOk)
        assert(strlen(szFile) == strlen(fd.name));

      *p = cOldChar; // get back the old separator

      if (!bOk)
        return;

      // Copies strlen(fd.name) bytes with no terminator and no bound on the
      // destination. If the lengths ever differ in a build without asserts,
      // the copy either writes past the component or leaves stale
      // characters behind.
      memcpy((void*)szFile, fd.name, strlen(fd.name)); // <=

      if (*p == 0)
        break;

      ++p;
      szFile = p;
    }
    else ++p;
  }
  ....
}

Tizen

V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. wayland_panel_agent_module.cpp 1060


static char *
insert_text (const char *text, uint32_t offset,
             const char *insert)
{
  uint32_t tlen = strlen (text), ilen = strlen (insert);
  // The malloc result is used below without a NULL check, so an allocation
  // failure becomes a write through a null pointer in memcpy.
  // NOTE(review): tlen + ilen + 1 is computed in 32-bit unsigned arithmetic
  // and could wrap for very long inputs - confirm whether callers bound them.
  char *new_text = (char*)malloc (tlen + ilen + 1);
  if ((unsigned int) tlen < offset)
      offset = tlen;
  memcpy (new_text, text, offset);
  ....
}

Scilab

V575 The 'memset' function processes '0' elements. Inspect the third argument. win_mem_alloc.c 91


void *MyHeapAlloc(size_t dwSize, char *file, int line)
{
  LPVOID NewPointer = NULL;

  if (dwSize > 0)
  {
    _try
    {
      /* The malloc result goes straight into memset without a NULL check;
         a failed allocation is left for the exception handler to absorb. */
      NewPointer = malloc(dwSize);
      NewPointer = memset (NewPointer, 0, dwSize);
    }
    _except (EXCEPTION_EXECUTE_HANDLER)
    {
    }
    ....
  }
  else
  {
    _try
    {
      /* dwSize is an unsigned size_t, so this branch runs only when
         dwSize == 0: malloc(0) followed by a memset of zero bytes. This is
         the call the diagnostic points at. */
      NewPointer = malloc(dwSize);
      NewPointer = memset (NewPointer, 0, dwSize);
    }
    _except (EXCEPTION_EXECUTE_HANDLER)
    {
    }
  }
  return NewPointer;
}

EFL Core Libraries

V575 The 'memcmp' function processes '0' elements. Inspect the third argument. eina_simple_xml_parser.c 355


EAPI Eina_Bool
eina_simple_xml_parse(....)
{
  ....
  /* sizeof("") - 1 is 0, so memcmp compares nothing and returns 0; the
     second operand is always true and the branch is selected by the length
     check alone, without inspecting the input bytes at itr + 2. */
  else if ((itr + sizeof("<!>") - 1 < itr_end) &&
            (!memcmp(itr + 2, "", sizeof("") - 1)))        // <=
  {
    type = EINA_SIMPLE_XML_DOCTYPE_CHILD;
    toff = sizeof("!") - 1;
  }
  ....
}

EFL Core Libraries

V575 The 'munmap' function processes '0' elements. Inspect the second argument. eina_evlog.c 117


/* Releases the buffer owned by b and resets its bookkeeping fields. */
static void
free_buf(Eina_Evlog_Buf *b)
{
   if (!b->buf) return;
   /* size is reset BEFORE it is used as the munmap length below, so munmap
      is called with length 0. POSIX munmap fails for a zero length, so the
      mapping is not released and leaks. */
   b->size = 0;
   b->top = 0;
# ifdef HAVE_MMAP
   munmap(b->buf, b->size);
# else
   free(b->buf);
# endif
   b->buf = NULL;
}

EFL Core Libraries

V575 The null pointer is passed into 'free' function. Inspect the first argument. edje_entry.c 2306


static void
_edje_key_down_cb(....)
{
  ....
  char *compres = NULL, *string = (char *)ev->string;
  ....
  if (compres)
  {
    string = compres;
    free_string = EINA_TRUE;
  }
  /* The else branch runs only when compres is NULL, so this free is a
     no-op. It is harmless in itself, but it suggests the cleanup logic does
     not match what the author intended. */
  else free(compres);
  ....
}

Similar errors can be found in some other places:

  • V575 The null pointer is passed into 'free' function. Inspect the first argument. efl_ui_internal_text_interactive.c 1022
  • V575 The null pointer is passed into 'free' function. Inspect the first argument. edje_cc_handlers.c 15962

EFL Core Libraries

V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. edje_pick.c 595


static void
_edje_pick_header_alias_parent_add(....)
{
  Edje_Part_Collection_Directory_Entry *ce_cor, *ce_new, *ce_f;
  ....
  /* The malloc result is not checked: on allocation failure memcpy writes
     through a null pointer. */
  ce_new = malloc(sizeof(*ce_new));
  memcpy(ce_new, ce_cor, sizeof(*ce_new));
  ....
}

Similar errors can be found in some other places:

  • V575 The potential null pointer is passed into 'strrchr' function. Inspect the first argument. types_generator.c 40
  • V575 The potential null pointer is passed into 'strchr' function. Inspect the first argument. docs_generator.c 243
  • V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. eina_unicode.c 119
  • And 54 additional diagnostic messages.

Aspell

V575 The potential null pointer is passed into 'memmove' function. Inspect the first argument. string.hpp 54


// Allocates size + 1 bytes and copies size bytes from b into the new storage.
void assign_only_nonnull(const char * b, unsigned size)
{
  // The malloc result is not checked: on allocation failure memmove writes
  // through a null pointer and end_/storage_end_ are derived from NULL.
  begin_ = (char *)malloc(size + 1);
  memmove(begin_, b, size);
  end_   = begin_ + size;
  storage_end_ = end_ + 1;
}

Similar errors can be found in some other places:

  • V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. error.cpp 28
  • V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. error.cpp 40
  • V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. new_filter.cpp 300
  • And 2 additional diagnostic messages.

Enlightenment

V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. e_info_server.c 3165


static E_Info_Transform*
_e_info_transform_new(....)
{
  E_Info_Transform *result = NULL;
  result = _e_info_transform_find(ec, id);

  if (!result)
  {
    /* The malloc result is not checked: on allocation failure memset writes
       through a null pointer. */
    result = (E_Info_Transform*)malloc(sizeof(E_Info_Transform));
    memset(result, 0, sizeof(E_Info_Transform));
  ....
}

Tizen

V575 The potential null pointer is passed into 'strlen' function. Inspect the first argument. image_util_decode_encode_testsuite.c 207

V575 The potential null pointer is passed into 'strlen' function. Inspect the first argument. image_util_decode_encode_testsuite.c 208


int main(int argc, char *argv[])
{
  ....
  /* strstr returns NULL when the directory entry name contains no "-" or
     no "."; both results are used below without a check. */
  char *temp1 = strstr(dp->d_name, "-");
  char *temp2 = strstr(dp->d_name, ".");

  /* strlen(temp1) / strlen(temp2) dereference NULL for such names. In
     addition, both strncpy calls bound the copy by the SOURCE length, so
     they never write a terminator and give no protection for the
     destination buffers (whose sizes are not visible here). */
  strncpy(temp_filename, dp->d_name, strlen(dp->d_name) -
                                     strlen(temp1));
  strncpy(file_format, temp2, strlen(temp2));
  ....
}

Similar errors can be found in some other places:

  • V575 The null pointer is passed into 'free' function. Inspect the first argument. edit.c 2823
  • V575 The null pointer is passed into 'free' function. Inspect the first argument. apps_data_db.c 300
  • V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. apps_data_db.c 229
  • And 9 additional diagnostic messages.

Ardour

V575 The 'substr' function processes '-1' elements. Inspect the second argument. meter_strip.cc 491


// Adds or strips the "Bar" prefix on the two tick-area widget names according
// to bits 1 and 2 of m.
void
MeterStrip::set_tick_bar (int m)
{
  std::string n;
  _tick_bar = m;
  if (_tick_bar & 1) {
    n = meter_ticks1_area.get_name();
    if (n.substr(0,3) != "Bar") {
      meter_ticks1_area.set_name("Bar" + n);
    }
  } else {
    n = meter_ticks1_area.get_name();
    if (n.substr(0,3) == "Bar") {
      // The length parameter is an unsigned size_t, so -1 converts to the
      // largest size_t value. That equals npos, so the call does take the
      // rest of the string, but only through an implicit signed-to-unsigned
      // conversion; n.substr(3) states the intent directly.
      meter_ticks1_area.set_name(n.substr(3,-1)); // <=
    }
  }
  if (_tick_bar & 2) {
    n = meter_ticks2_area.get_name();
    if (n.substr(0,3) != "Bar") {
      meter_ticks2_area.set_name("Bar" + n);
    }
  } else {
    n = meter_ticks2_area.get_name();
    if (n.substr(0,3) == "Bar") {
      // Same implicit -1 -> npos conversion as in the first branch.
      meter_ticks2_area.set_name(n.substr(3,-1)); // <=
    }
  }
}

string substr (size_t pos = 0, size_t len = npos) const;


Firebird

V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1106, 1105. iscguard.cpp 1106


static void write_log(int log_action, const char* buff)
{
  ....
  // The malloc result is not checked: on allocation failure memset writes
  // through a null pointer.
  log_info* tmp =
    static_cast<log_info*>(malloc(sizeof(log_info)));
  memset(tmp, 0, sizeof(log_info));
  ....
}

MySQL

V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 43, 42. gcs_xcom_state_exchange.cc 43


Xcom_member_state::Xcom_member_state(....)
{
  ....
  m_data_size= data_size;
  // The malloc result is not checked: on allocation failure memcpy writes
  // m_data_size bytes through a null pointer.
  m_data=
    static_cast<uchar *>(malloc(sizeof(uchar) * m_data_size));
  memcpy(m_data, data, m_data_size);
  ....
}

MySQL

V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. control_events.cpp 830


View_change_event::View_change_event(char* raw_view_id)
  : Binary_log_event(VIEW_CHANGE_EVENT),
    view_id(), seq_number(0), certification_info()
{
  // Copies strlen(raw_view_id) bytes, i.e. everything except the terminating
  // null, and the length comes from the source alone: nothing here limits
  // the copy to the capacity of view_id.
  // NOTE(review): view_id's declaration is not shown; whether view_id()
  // zero-initialises it and how large it is should be confirmed.
  memcpy(view_id, raw_view_id, strlen(raw_view_id));
}

PostgreSQL Database Management System

V575 The potential null pointer is passed into 'strncpy' function. Inspect the first argument. Check lines: 66, 65. pg_regress_ecpg.c 66


static void
ecpg_filter(const char *sourcefile, const char *outfile)
{
  ....
  /* The malloc result is not checked: on allocation failure StrNCpy writes
     through a null pointer. */
  n = (char *) malloc(plen);
  StrNCpy(n, p + 1, plen);
  ....
}

PostgreSQL Database Management System

V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. informix.c 677


/* Converts interval i to text and copies it into the caller's buffer str.
   Returns 0 on success or -errno when the conversion fails. */
int
intoasc(interval * i, char *str)
{
  char  *tmp;

  errno = 0;
  tmp = PGTYPESinterval_to_asc(i);

  if (!tmp)
    return -errno;

  /* Copies strlen(tmp) bytes, i.e. without the terminating null, so str is
     only a valid C string if the caller had already zeroed it. The function
     also receives no size for str, so the copy length is bounded by the
     source alone. */
  memcpy(str, tmp, strlen(tmp));
  free(tmp);
  return 0;
}

