V575. Function receives an odd argument.
V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. graphics3D matrix4.cpp 269
// V575: the closing parenthesis of memcmp() is misplaced, so its third argument is
// the comparison `sizeof(Matrix4) == 0`, which evaluates to 0. memcmp() over 0 bytes
// returns 0, so this branch is never taken.
bool Matrix4::operator==(const Matrix4& other) const {
if (memcmp(this, &other, sizeof(Matrix4) == 0)) {
return true;
}
....
}
The closing parenthesis is in the wrong place, so the third argument is the result of the comparison sizeof(Matrix4) == 0, i.e. 0. This is how it should be: if (memcmp(this, &other, sizeof(Matrix4)) == 0) {
V575 The 'memcmp' function processes '0' elements. Inspect the 'third' argument. clist_modern modern_image_array.cpp 59
static BOOL ImageArray_Alloc(LP_IMAGE_ARRAY_DATA iad, int size)
{
....
// V575: memset() takes (dest, value, count). Here the byte count sits in the value
// slot and 0 in the count slot, so no bytes are written and the nodes starting at
// nodes_allocated_size are not zeroed.
memset(&iad->nodes[iad->nodes_allocated_size],
(size_grow - iad->nodes_allocated_size) *
sizeof(IMAGE_ARRAY_DATA_NODE),
0);
....
}
Arguments are mixed up. This is what should have been written here: memset(&iad->nodes[iad->nodes_allocated_size], 0, (size_grow - iad->nodes_allocated_size) * sizeof(IMAGE_ARRAY_DATA_NODE));
V575 The 'memset' function processes value '8196'. Inspect the second argument. hal bios.c 427
/* The macro reorders its arguments: RtlFillMemory is (Destination, Length, Fill),
 * while memset is (dest, value, count). */
#define RtlFillMemory(Destination, Length, Fill) \
memset(Destination, Fill, Length)
#define IOPM_FULL_SIZE 8196
HalpRestoreIopm(VOID)
{
....
/* V575: Length and Fill are swapped. This expands to
 * memset(HalpSavedIoMap, 8196, 0xFF): only the first 0xFF bytes are written, and
 * memset keeps just the low byte of 8196 (0x04) as the fill value. */
RtlFillMemory(HalpSavedIoMap, 0xFF, IOPM_FULL_SIZE);
....
}
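Arguments are mixed up: the macro takes (Destination, Length, Fill), so this call fills 0xFF bytes with the value 8196, which memset truncates to a single byte. This is what should have been written here: RtlFillMemory(HalpSavedIoMap, IOPM_FULL_SIZE, 0xFF);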
V575 The 'memset' function processes '0' elements. Inspect the third argument. DoomDLL win_shared.cpp 177
void Sys_GetCurrentMemoryStatus( sysMemoryStats_t &stats ) {
....
// V575: value and count are swapped, so the count is 0 and statex is not cleared
// before use.
memset( &statex, sizeof( statex ), 0 );
....
}
This is what should have been written here: memset( &statex, 0, sizeof( statex ) );
V575 The 'memcmp' function processes '0' elements. Inspect the third argument. pixman-image.c 520
pixman_bool_t
pixman_image_set_transform (....)
{
/* V575: the parenthesis closes after `== 0`, so the length passed to memcmp() is
 * the comparison result (0) and no bytes of the two transforms are compared. */
memcmp (common->transform, transform,
sizeof (pixman_transform_t) == 0))
}
This is what should have been written here: memcmp (common->transform, transform, sizeof (pixman_transform_t)) == 0)
V575 The null pointer is passed into 'free' function. Inspect the first argument. settings interface.c 3096
int settings_proc_language_packs(....)
{
....
case WM_DESTROY:
if(mem_files)
{
/* V575: the pointer is cleared before it is released, so sys_mem_free() receives 0
 * and the block mem_files pointed to is presumably never freed. The two statements
 * are in the wrong order. */
mem_files = 0;
sys_mem_free(mem_files);
}
EndDialog(hwnd,0);
break;
....
}
V575 The null pointer is passed into 'wcscpy' function. Inspect the second argument. eventvwr.c 270
BOOL GetEventCategory(....)
{
....
if (lpMsgBuf)
{
....
}
else
{
/* V575: this branch runs only when lpMsgBuf is NULL, so wcscpy() is handed a null
 * source pointer and dereferences it. */
wcscpy(CategoryName, (LPCWSTR)lpMsgBuf);
}
....
}
V575 The null pointer is passed into 'strstr' function. Inspect the first argument. headless.c 263
VOID WinLdrSetupEms(IN PCHAR BootOptions)
{
PCHAR RedirectPort;
....
RedirectPort = strstr(RedirectPort, "com");
if (RedirectPort)
{
....
}
else
{
/* V575: in this branch RedirectPort is NULL (the strstr() above found nothing), and
 * that NULL is passed as the string to search. NOTE(review): the second search
 * presumably needs the original string, which the first call overwrote. */
RedirectPort = strstr(RedirectPort, "usebiossettings");
....
}
V575 The null pointer is passed into '_wcsicmp' function. Inspect the first argument. misc.c 150
DWORD ParseReasonCode(LPCWSTR code)
{
LPWSTR tmpPrefix = NULL;
....
for (reasonptr = shutdownReason ;
reasonptr->prefix ; reasonptr++)
{
/* V575: in the lines shown tmpPrefix is only ever set to NULL, so _wcsicmp() gets a
 * null first argument whenever the major and minor codes match. */
if ((majorCode == reasonptr->major) &&
(minorCode == reasonptr->minor) &&
(_wcsicmp(tmpPrefix, reasonptr->prefix) != 0))
{
return reasonptr->flag;
}
}
....
}
V575 The null pointer is passed into 'memcpy' function. Inspect the second argument. cdirect3ddata.cpp 80
void CDirect3DData::GetTransform (
D3DTRANSFORMSTATETYPE dwRequestedMatrix,
D3DMATRIX * pMatrixOut)
{
switch ( dwRequestedMatrix )
{
case D3DTS_VIEW:
memcpy (pMatrixOut, &m_mViewMatrix, sizeof(D3DMATRIX));
break;
case D3DTS_PROJECTION:
memcpy (pMatrixOut, &m_mProjMatrix, sizeof(D3DMATRIX));
break;
case D3DTS_WORLD:
memcpy (pMatrixOut, &m_mWorldMatrix, sizeof(D3DMATRIX));
break;
default:
// Zero out the structure for the user.
// V575: memcpy() treats the 0 as a source address, so an unrecognised
// dwRequestedMatrix reads sizeof(D3DMATRIX) bytes from a null pointer instead of
// zero-filling the output.
memcpy (pMatrixOut, 0, sizeof(D3DMATRIX)); // <=
break;
}
....
}
A Copy-Paste error. Most likely this is what should be written here: memset(pMatrixOut, 0, sizeof(D3DMATRIX));.
V575 The 'memset' function processes value '512'. Inspect the second argument. crashhandler.cpp 499
// RtlFillMemory is (Destination, Length, Fill); memset is (dest, value, count).
#define RtlFillMemory(Destination,Length,Fill) \
memset((Destination),(Fill),(Length))
#define FillMemory RtlFillMemory
LPCTSTR __stdcall GetFaultReason ( EXCEPTION_POINTERS * pExPtrs )
{
....
PIMAGEHLP_SYMBOL pSym = (PIMAGEHLP_SYMBOL)&g_stSymbol ;
// V575: NULL lands in the Length slot and SYM_BUFF_SIZE in the Fill slot, so the
// call expands to memset(pSym, SYM_BUFF_SIZE, NULL): zero bytes are written and the
// symbol buffer keeps its previous contents.
FillMemory ( pSym , NULL , SYM_BUFF_SIZE ) ;
....
}
Most likely this is what should be written here: FillMemory ( pSym , SYM_BUFF_SIZE, 0 ) ;
Similar errors can be found in some other places:
V575 The 'memset' function processes '0' elements. Inspect the third argument. perf.cpp 487
void FB_CARG Why::UtlInterface::getPerfCounters(
...., ISC_INT64* counters)
{
unsigned n = 0;
....
// V575: in the lines shown n is still 0 here, so the byte count is 0 and the
// caller's counters array is not cleared.
memset(counters, 0, n * sizeof(ISC_INT64));
....
}
V575 The null pointer is passed into 'strlen' function. Inspect the first argument. splitline.c 107
char **splitLineCSV(....)
{
....
if (retstr[curr_str] == NULL)
{
*toks = 0;
FREE(substitutedstring);
substitutedstring = NULL;
/* V575: substitutedstring was freed and set to NULL two lines above, so strlen()
 * dereferences a null pointer on this error path. Any length needed here has to be
 * taken before the buffer is released. */
freeArrayOfString(retstr, strlen(substitutedstring));
return NULL;
}
....
}
V575 The 'memset' function processes '0' elements. Inspect the third argument. messagedlg.cpp 786
TForm * __fastcall TMessageForm::Create(....)
{
....
LOGFONT AFont;
....
// V575: value and count are swapped, so 0 bytes are written and the local AFont
// structure keeps its indeterminate contents.
memset(&AFont, sizeof(AFont), 0);
....
}
Similar errors can be found in some other places:
V575 The 'strrchr' function processes value '10875'. Inspect the second argument. UInfoEx classeximcontactbase.cpp 177
#define mir_strrchr(s,c) (((s)!=0)?strrchr((s),(c)):0)
BYTE CExImContactBase::fromIni(LPSTR& row)
{
....
// V575: '*{' is a multi-character constant (10875 == 0x2A7B), not a two-character
// string. strrchr() converts it to a single char, so the search is for '{' alone.
// The '}*' passed to mir_strchr has the same problem. Finding a two-character
// delimiter needs a substring search such as strstr().
if (cchBuf > 10 && (p1 = mir_strrchr(pszBuf, '*{')) &&
(p2 = mir_strchr(p1, '}*')) && p1 + 2 < p2) {
....
}
Similar errors can be found in some other places:
V575 The 'memset' function processes '0' elements. Inspect the third argument. PluginUpdater dlgupdate.cpp 652
static int ScanFolder(....)
{
....
__except (EXCEPTION_EXECUTE_HANDLER)
{
// V575: the length is the literal 0, so szMyHash is not cleared and still holds
// whatever was written before the exception.
ZeroMemory(szMyHash, 0);
// smth went wrong, reload a file from scratch
}
....
}
Similar errors can be found in some other places:
V575 The null pointer is passed into 'fclose' function. Inspect the first argument. NimContact files.cpp 97
// Writes szInfo to outFile; returns 1 on success and 0 if the file cannot be opened.
int savehtml(char* outFile)
{
FILE* file = fopen(outFile, "w");
if (!file)
{
// V575: file is NULL in this branch, and fclose(NULL) is undefined behaviour.
// Nothing was opened, so there is nothing to close here.
fclose(file);
return 0;
}
fprintf(file, "%s", szInfo);
fclose(file);
return 1;
}
V575 The 'strchr' function processes value '2112800'. Inspect the second argument. CommandActuators.cpp 1517
extern char *strchr(const char *string, int character);
SendMessageCommandActuator::
SendMessageCommandActuator(int32 argc, char** argv)
:
CommandActuator(argc, argv),
fSignature((argc > 1) ? argv[1] : "")
{
....
const char* arg = argv[i];
BString argString(arg);
// V575: ' = ' is a multi-character constant (2112800 == 0x203D20). strchr() keeps
// only one byte of it, 0x20, so this finds the first space in the argument rather
// than the '=' sign.
const char* equals = strchr(arg, ' = '); // <=
....
}
V575 Buffer's size in bytes should be passed to the 'memset' function as the third argument instead of the number of processed elements. solitaire.cpp 153
void UpdateStatusBar(void)
{
TCHAR szStatusText[128];
....
// V575: ZeroMemory() expects a size in bytes, but this passes the element count.
// When TCHAR is wider than one byte only the first part of the buffer is cleared;
// sizeof(szStatusText) alone is the byte size.
ZeroMemory(szStatusText,
sizeof(szStatusText) / sizeof(TCHAR)); // <=
....
}
V575 The null pointer is passed into 'fclose' function. Inspect the first argument. ogg_enc.cpp 47
ETOOLS_API int __stdcall ogg_enc(....)
{
....
FILE *in, *out = NULL;
....
input_format *format;
....
in = fopen(in_fn, "rb");
if(in == NULL) return 0;
format = open_audio_file(in, &enc_opts);
if(!format){
fclose(in);
return 0;
};
out = fopen(out_fn, "wb");
if(out == NULL){
// V575: out is NULL in this branch, so fclose(out) is undefined behaviour, and the
// already-open `in` stream is not closed on this path. NOTE(review): by analogy
// with the !format branch above, fclose(in) was presumably intended.
fclose(out);
return 0;
}
....
}
V575 The 'memset' function processes '0' elements. Inspect the third argument. xrdebug.cpp 104
size_t xrDebug::BuildStackTrace(EXCEPTION_POINTERS* exPtrs,
char *buffer,
size_t capacity,
size_t lineCapacity)
{
// V575: value and count are swapped, so the count is 0 and the caller's buffer is
// not cleared before the stack trace is built.
memset(buffer, capacity*lineCapacity, 0);
....
}
V575 The 'memset' function processes '0' elements. Inspect the third argument. crythreadutil_win32.h 294
void EnableFloatExceptions(....)
{
....
CONTEXT ctx;
// V575: value and count are swapped, so 0 bytes are written and ctx keeps its
// indeterminate stack contents.
memset(&ctx, sizeof(ctx), 0); // <=
....
}
V575 The null pointer is passed into 'fclose' function. Inspect the first argument. grub-mkpasswd-pbkdf2.c 184
Int main (int argc, char *argv[])
{
....
{
FILE *f;
size_t rd;
f = fopen ("/dev/urandom", "rb");
if (!f)
{
/* Error path: pass1 is wiped and the buffers are released before bailing out. */
memset (pass1, 0, sizeof (pass1));
free (buf);
free (bufhex);
free (salthex);
free (salt);
/* V575: f is NULL in this branch, and fclose(NULL) is undefined behaviour.
 * The open failed, so there is no stream to close. */
fclose (f); // <=
....
}
....
fclose (f);
}
....
}
Similar errors can be found in some other places:
V575 The 'strncasecmp' function processes '0' elements. Inspect the third argument. linux_wlan.c 1121
static int mac_ioctl(struct net_device *ndev,
struct ifreq *req,
int cmd)
{
u8 *buff = NULL;
s8 rssi;
u32 size = 0, length = 0;
struct wilc_vif *vif;
s32 ret = 0;
struct wilc *wilc;
vif = netdev_priv(ndev);
wilc = vif->wilc;
if (!wilc->initialized)
return 0;
switch (cmd) {
case SIOCSIWPRIV:
{
struct iwreq *wrq = (struct iwreq *)req;
size = wrq->u.data.length;
if (size && wrq->u.data.pointer) {
/* buff is a kernel copy of a user-supplied buffer of user-supplied length. */
buff = memdup_user(wrq->u.data.pointer,
wrq->u.data.length);
if (IS_ERR(buff))
return PTR_ERR(buff);
/* V575: length is never changed from 0 in the code shown, so zero characters are
 * compared and the result is always 0: the branch is taken for any user-supplied
 * command, not only "RSSI". NOTE(review): the bound was presumably meant to come
 * from size. */
if (strncasecmp(buff, "RSSI", length) == 0) { // <=
....
}
}
}
....
}
done:
kfree(buff);
return ret;
}
V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. SystemInit.cpp 4045
class CLvlRes_finalstep : public CLvlRes_base
{
....
for (;; )
{
if (*p == '/' || *p == '\\' || *p == 0)
{
char cOldChar = *p;
*p = 0; // create zero termination
_finddata_t fd;
bool bOk = FindFile(szFilePath, szFile, fd);
if (bOk)
assert(strlen(szFile) == strlen(fd.name));
*p = cOldChar; // get back the old separator
if (!bOk)
return;
// V575: the copy length is strlen(fd.name), so no terminator is written. The
// overwrite stays in place only if fd.name is exactly as long as szFile; that is
// checked solely by the assert above, which is compiled out under NDEBUG.
memcpy((void*)szFile, fd.name, strlen(fd.name)); // <=
if (*p == 0)
break;
++p;
szFile = p;
}
else ++p;
}
....
}
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. wayland_panel_agent_module.cpp 1060
static char *
insert_text (const char *text, uint32_t offset,
const char *insert)
{
uint32_t tlen = strlen (text), ilen = strlen (insert);
// V575: malloc() may return NULL; new_text is written through below without a check.
char *new_text = (char*)malloc (tlen + ilen + 1);
if ((unsigned int) tlen < offset)
offset = tlen;
memcpy (new_text, text, offset);
....
}
V575 The 'memset' function processes '0' elements. Inspect the third argument. win_mem_alloc.c 91
void *MyHeapAlloc(size_t dwSize, char *file, int line)
{
LPVOID NewPointer = NULL;
if (dwSize > 0)
{
_try
{
/* malloc()'s result goes to memset() unchecked; the empty _except handler below
 * appears to be relied on to absorb the fault if the allocation fails. */
NewPointer = malloc(dwSize);
NewPointer = memset (NewPointer, 0, dwSize);
}
_except (EXCEPTION_EXECUTE_HANDLER)
{
}
....
}
else
{
_try
{
/* V575: dwSize is 0 in this branch, so memset() processes 0 bytes. The body is a
 * copy of the branch above and does nothing useful for a zero-size request. */
NewPointer = malloc(dwSize);
NewPointer = memset (NewPointer, 0, dwSize);
}
_except (EXCEPTION_EXECUTE_HANDLER)
{
}
}
return NewPointer;
}
V575 The 'memcmp' function processes '0' elements. Inspect the third argument. eina_simple_xml_parser.c 355
EAPI Eina_Bool
eina_simple_xml_parse(....)
{
....
/* V575: sizeof("") - 1 is 0, so memcmp() compares nothing and returns 0. The second
 * condition is therefore always true and only the length test decides the branch. */
else if ((itr + sizeof("<!>") - 1 < itr_end) &&
(!memcmp(itr + 2, "", sizeof("") - 1))) // <=
{
type = EINA_SIMPLE_XML_DOCTYPE_CHILD;
toff = sizeof("!") - 1;
}
....
}
V575 The 'munmap' function processes '0' elements. Inspect the second argument. eina_evlog.c 117
/* Releases the buffer owned by b and resets its bookkeeping fields. */
static void
free_buf(Eina_Evlog_Buf *b)
{
if (!b->buf) return;
/* V575: size is zeroed before it is used as the munmap() length below, so the
 * mapping is not released with its real length (a zero length is rejected with
 * EINVAL on Linux). The length has to be read before the field is reset. */
b->size = 0;
b->top = 0;
# ifdef HAVE_MMAP
munmap(b->buf, b->size);
# else
free(b->buf);
# endif
b->buf = NULL;
}
V575 The null pointer is passed into 'free' function. Inspect the first argument. edje_entry.c 2306
static void
_edje_key_down_cb(....)
{
....
char *compres = NULL, *string = (char *)ev->string;
....
if (compres)
{
string = compres;
free_string = EINA_TRUE;
}
/* V575: this branch runs only when compres is NULL, so free() is a no-op here.
 * Harmless, but the call releases nothing. */
else free(compres);
....
}
Similar errors can be found in some other places:
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. edje_pick.c 595
static void
_edje_pick_header_alias_parent_add(....)
{
Edje_Part_Collection_Directory_Entry *ce_cor, *ce_new, *ce_f;
....
/* V575: malloc() may return NULL; ce_new is passed to memcpy() as the destination
 * without a check. */
ce_new = malloc(sizeof(*ce_new));
memcpy(ce_new, ce_cor, sizeof(*ce_new));
....
}
Similar errors can be found in some other places:
V575 The potential null pointer is passed into 'memmove' function. Inspect the first argument. string.hpp 54
// Allocates size + 1 bytes and copies size bytes from b into the new storage.
void assign_only_nonnull(const char * b, unsigned size)
{
// V575: malloc() may return NULL; begin_ is used as the memmove() destination and
// as the base for end_ / storage_end_ without a check.
begin_ = (char *)malloc(size + 1);
memmove(begin_, b, size);
end_ = begin_ + size;
storage_end_ = end_ + 1;
}
Similar errors can be found in some other places:
V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. e_info_server.c 3165
static E_Info_Transform*
_e_info_transform_new(....)
{
E_Info_Transform *result = NULL;
result = _e_info_transform_find(ec, id);
if (!result)
{
/* V575: malloc() may return NULL; result is passed to memset() without a check. */
result = (E_Info_Transform*)malloc(sizeof(E_Info_Transform));
memset(result, 0, sizeof(E_Info_Transform));
....
}
V575 The potential null pointer is passed into 'strlen' function. Inspect the first argument. image_util_decode_encode_testsuite.c 207
int main(int argc, char *argv[])
{
....
/* V575: strstr() returns NULL when the directory entry name contains no "-" or ".",
 * and both results are passed to strlen() / strncpy() below without a check. */
char *temp1 = strstr(dp->d_name, "-");
char *temp2 = strstr(dp->d_name, ".");
/* Both strncpy() bounds are derived from the source string, not from the size of
 * the destination, and a count equal to the source length copies no terminator. */
strncpy(temp_filename, dp->d_name, strlen(dp->d_name) -
strlen(temp1));
strncpy(file_format, temp2, strlen(temp2));
....
}
Similar errors can be found in some other places:
V575 The 'substr' function processes '-1' elements. Inspect the second argument. meter_strip.cc 491
// Adds or removes the "Bar" name prefix on the two tick areas according to bits 0
// and 1 of m.
void
MeterStrip::set_tick_bar (int m)
{
std::string n;
_tick_bar = m;
if (_tick_bar & 1) {
n = meter_ticks1_area.get_name();
if (n.substr(0,3) != "Bar") {
meter_ticks1_area.set_name("Bar" + n);
}
} else {
n = meter_ticks1_area.get_name();
if (n.substr(0,3) == "Bar") {
// V575: substr()'s length parameter is a size_t, so -1 converts to the largest
// size_t value, which is what npos is. The call returns the rest of the string,
// but only through that conversion; n.substr(3) states the intent directly.
meter_ticks1_area.set_name(n.substr(3,-1)); // <=
}
}
if (_tick_bar & 2) {
n = meter_ticks2_area.get_name();
if (n.substr(0,3) != "Bar") {
meter_ticks2_area.set_name("Bar" + n);
}
} else {
n = meter_ticks2_area.get_name();
if (n.substr(0,3) == "Bar") {
// V575: same -1 to size_t conversion as for meter_ticks1_area above.
meter_ticks2_area.set_name(n.substr(3,-1)); // <=
}
}
}
string substr (size_t pos = 0, size_t len = npos) const;
V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1106, 1105. iscguard.cpp 1106
static void write_log(int log_action, const char* buff)
{
....
// V575: malloc() may return NULL; tmp is passed to memset() without a check.
log_info* tmp =
static_cast<log_info*>(malloc(sizeof(log_info)));
memset(tmp, 0, sizeof(log_info));
....
}
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 43, 42. gcs_xcom_state_exchange.cc 43
Xcom_member_state::Xcom_member_state(....)
{
....
m_data_size= data_size;
// V575: malloc() may return NULL; m_data is used as the memcpy() destination
// without a check.
m_data=
static_cast<uchar *>(malloc(sizeof(uchar) * m_data_size));
memcpy(m_data, data, m_data_size);
....
}
V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. control_events.cpp 830
View_change_event::View_change_event(char* raw_view_id)
: Binary_log_event(VIEW_CHANGE_EVENT),
view_id(), seq_number(0), certification_info()
{
// V575: the copy length is strlen(raw_view_id), so the terminating null is not
// copied. The length also comes only from the source string; nothing here compares
// it with the capacity of view_id (its declaration is not shown) -- TODO confirm.
memcpy(view_id, raw_view_id, strlen(raw_view_id));
}
V575 The potential null pointer is passed into 'strncpy' function. Inspect the first argument. Check lines: 66, 65. pg_regress_ecpg.c 66
static void
ecpg_filter(const char *sourcefile, const char *outfile)
{
....
/* V575: malloc() may return NULL; n is passed to StrNCpy() as the destination
 * without a check. */
n = (char *) malloc(plen);
StrNCpy(n, p + 1, plen);
....
}
V575 The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. informix.c 677
/* Converts interval i to text and copies it into str; returns 0 on success or
 * -errno if the conversion fails. */
int
intoasc(interval * i, char *str)
{
char *tmp;
errno = 0;
tmp = PGTYPESinterval_to_asc(i);
if (!tmp)
return -errno;
/* V575: the copy length is strlen(tmp), so the terminating null is not written to
 * str. The function also receives no size for str, so the copy is bounded only by
 * the length of the converted text. */
memcpy(str, tmp, strlen(tmp));
free(tmp);
return 0;
}
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. dns_config_service_win.cc 134
std::unique_ptr<IP_ADAPTER_ADDRESSES, base::FreeDeleter>
ReadIpHelper(ULONG flags) {
....
std::unique_ptr<IP_ADAPTER_ADDRESSES, base::FreeDeleter> out;
....
// V575: malloc() may return NULL; out.get() is passed to memset() without a check.
out.reset(static_cast<PIP_ADAPTER_ADDRESSES>(malloc(len)));
memset(out.get(), 0, len);
....
}
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 327
void i::V8::FatalProcessOutOfMemory(const char* location,
bool is_heap_oom) {
....
// V575: memset() converts its second argument to unsigned char, so each of these
// calls fills the buffer with the single byte 0xDE rather than the 32-bit pattern.
memset(last_few_messages, 0x0BADC0DE,
Heap::kTraceRingBufferSize + 1);
memset(js_stacktrace, 0x0BADC0DE,
Heap::kStacktraceBufferSize + 1);
memset(&heap_stats, 0xBADC0DE, sizeof(heap_stats));
....
}
Memory will not be filled with the 0xBADC0DE constant but with the value 0xDE, because memset converts its second argument to unsigned char and uses only that one byte.
Similar errors can be found in some other places:
V575 CWE-628 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 35, 34. dirtools_public.cpp 35
bool BCreateDirectoryRecursive( const char *pchPath )
{
....
int len = (int)strlen( pchPath );
// V575: malloc() may return NULL; path is passed to strcpy() as the destination
// without a check.
char *path = (char *)malloc( len + 1 );
strcpy( path, pchPath );
....
}
There is no protection if the malloc function returns a null pointer.
V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 102, 101. bitvector.h 102
BitVector(const BitVector &RHS) : Size(RHS.size()) {
....
// V575: std::malloc() may return NULL; Bits is passed to std::memcpy() as the
// destination without a check.
Bits = (BitWord *)std::malloc(Capacity * sizeof(BitWord));
std::memcpy(Bits, RHS.Bits, Capacity * sizeof(BitWord));
}
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 134, 129. dfa.c 134
DFA *
DFA_new(Ins *ins, unsigned int ni, unsigned int lb,
unsigned int ub, Char *rep)
{
/* V575: none of the four malloc() results is checked. goTo reaches memset() below,
 * and d is dereferenced directly by the d->lbChar / d->ubChar assignments. */
DFA *d = malloc(sizeof(DFA));
Ins **work = malloc(sizeof(Ins*)*(ni+1));
unsigned int nc = ub - lb;
GoTo *goTo = malloc(sizeof(GoTo)*nc); // <=
Span *span = malloc(sizeof(Span)*nc);
d->lbChar = lb;
d->ubChar = ub;
memset((char*) goTo, 0, nc*sizeof(GoTo)); // <=
....
}
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 154, 153. resampler.cc 154
int Resampler::Reset(int inFreq, int outFreq,
size_t num_channels) {
....
// V575: malloc() may return NULL; state1_ is passed to memset() without a check.
state1_ = malloc(8 * sizeof(int32_t));
memset(state1_, 0, 8 * sizeof(int32_t));
....
}
There is no protection if the malloc function returns a null pointer.
Similar errors can be found in some other places:
V575 CWE-628 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 47, 46. libxt_tcp.c 47
static void
parse_tcp_ports(const char *portstring, uint16_t *ports)
{
char *buffer;
char *cp;
/* V575: strdup() allocates and may return NULL; buffer is passed to strchr()
 * without a check. */
buffer = strdup(portstring);
if ((cp = strchr(buffer, ':')) == NULL)
....
}
Similar errors can be found in some other places:
V575 CWE-628 The potential null pointer is passed into 'strdup' function. Inspect the first argument. ivmap.cpp 309
// Returns a strdup()-allocated copy of the merged name; strdup() may return NULL.
char* iGetMergedName(char *name, char *path)
{
....
return strdup(out.c_str());
}
void ivrtMap::fileLoad(void)
{
analyzeINI(iniName);
iYSetup();
XBuffer buf;
buf < fileName < (isCompressed ? ".vmc" : ".vmp");
// V575: iGetMergedName() can return NULL, which is then passed to strdup(). The
// outer strdup() result goes straight into a std::string, so neither it nor the
// iGetMergedName() allocation is kept in a pointer that could be freed.
std::string sbuf = strdup(iGetMergedName(buf.GetBuf(), iniName)), sbuf2;
// NOTE(review): find() returns npos when "reso" is absent; startR is used as the
// substr() position below without testing for that.
int startR = sbuf.find("reso");
sbuf2 = sbuf.substr(startR, sbuf.size() - startR);
fname = strdup(sbuf2.c_str());
}
Similar errors can be found in some other places:
V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 406, 405. harfbuzz-thai.c 406
static void HB_ThaiAssignAttributes(....)
{
....
int *break_positions = 0;
....
/* V575: malloc() may return NULL; break_positions is passed to memset() without a
 * check. */
break_positions = (int*) malloc (sizeof(int) * len);
memset (break_positions, 0, sizeof(int) * len);
....
}
Similar errors can be found in some other places:
V575 The null pointer is passed into 'free' function. Inspect the first argument. smartcard_pcsc.c 875
WINSCARDAPI LONG WINAPI PCSC_SCardListReadersW(
SCARDCONTEXT hContext,
LPCWSTR mszGroups,
LPWSTR mszReaders,
LPDWORD pcchReaders)
{
LPSTR mszGroupsA = NULL;
....
mszGroups = NULL; /* mszGroups is not supported by pcsc-lite */
/* mszGroups was just forced to NULL, so this conversion never runs and mszGroupsA
 * stays NULL in the lines shown. */
if (mszGroups)
ConvertFromUnicode(CP_UTF8,0, mszGroups, -1,
(char**) &mszGroupsA, 0,
NULL, NULL);
status = PCSC_SCardListReaders_Internal(hContext, mszGroupsA,
(LPSTR) &mszReadersA,
pcchReaders);
if (status == SCARD_S_SUCCESS)
{
....
}
/* V575: mszGroupsA is NULL here, so free() is a no-op. Harmless, but it marks the
 * dead conversion code above. */
free(mszGroupsA);
....
}
Similar errors can be found in some other places:
V575 The null pointer is passed into 'free' function. Inspect the first argument. setmime.cpp 727
// Resets all cached properties of this MimeType.
void
MimeType::_PurgeProperties()
{
fShort.Truncate(0);
fLong.Truncate(0);
fPrefApp.Truncate(0);
fPrefAppSig.Truncate(0);
fSniffRule.Truncate(0);
delete fSmallIcon;
fSmallIcon = NULL;
delete fBigIcon;
fBigIcon = NULL;
// V575: the pointer is cleared before free() is called, so free() receives NULL and
// the buffer fVectorIcon pointed to is never released. The two statements are in
// the opposite order to the delete / NULL pairs above.
fVectorIcon = NULL;
free(fVectorIcon);
fExtensions.clear();
fAttributes.clear();
}
V575 The null pointer is passed into 'free' function. Inspect the first argument. driver_settings.cpp 461
static settings_handle *
load_driver_settings_from_file(int file, const char *driverName)
{
....
handle = new_settings(text, driverName);
if (handle != NULL) {
// everything went fine!
return handle;
}
// V575: this line is reached only when handle is NULL, so free() is a no-op.
// NOTE(review): a different buffer (possibly text) may have been meant -- confirm
// against the full function.
free(handle);
....
}
Similar errors can be found in some other places:
V575 The null pointer is passed into 'free' function. Inspect the first argument. PackageFileHeapWriter.cpp 166
void* _GetBuffer()
{
....
void* buffer = malloc(fBufferSize);
// V575: with `&&` the body runs only when malloc() failed, so free() always gets
// NULL. If malloc() fails and AddItem(NULL) succeeds, NULL is returned to the
// caller; if malloc() succeeds and AddItem() fails, the buffer is returned without
// being tracked. `||` looks like the intended operator.
if (buffer == NULL && !fBuffers.AddItem(buffer)) {
free(buffer);
throw std::bad_alloc();
}
return buffer;
}
V575 The 'memset' function processes '0' elements. Inspect the third argument. winmain.cpp 2235
static void BuildScriptsMenu(HMENU menuBar, const fs::path& scriptsDir)
{
....
MENUITEMINFO info;
// V575: value and count are swapped, so 0 bytes are written. Every field of info
// other than the two assigned below keeps indeterminate stack contents.
memset(&info, sizeof(info), 0);
info.cbSize = sizeof(info);
info.fMask = MIIM_SUBMENU;
....
}
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 39, 38. DVDOverlayImage.h:39
CDVDOverlayImage(const CDVDOverlayImage& src)
: CDVDOverlay(src)
{
// V575: malloc() may return NULL; the result is used as the memcpy() destination
// without a check. NOTE(review): `Data` on the next line is presumably `data`; the
// capital letter looks like an artifact of this listing.
Data = (uint8_t*)malloc(src.linesize * src.height);
memcpy(data, src.data, src.linesize * src.height); // <=
if(src.palette)
{
// V575: same unchecked malloc() result for the palette copy.
palette = (uint32_t*)malloc(src.palette_colors * 4);
memcpy(palette, src.palette, src.palette_colors * 4); // <=
}
....
}
Similar errors can be found in some other places:
V575 [CWE-628] The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. shell.c 427
/* Returns a k_malloc()-allocated copy of mntpt, or NULL if the allocation fails. */
static char *mntpt_prepare(char *mntpt)
{
char *cpy_mntpt;
cpy_mntpt = k_malloc(strlen(mntpt) + 1);
if (cpy_mntpt) {
/* This writes '\0' where the source string already has its terminator, so it has
 * no effect. NOTE(review): cpy_mntpt was presumably the intended target. */
((u8_t *)mntpt)[strlen(mntpt)] = '\0';
/* V575: strlen(mntpt) bytes are copied, without the terminator, so the last byte
 * of cpy_mntpt is never initialised and the returned string is not null-terminated. */
memcpy(cpy_mntpt, mntpt, strlen(mntpt));
}
return cpy_mntpt;
}
V575 The 'memset' function processes '0' elements. Inspect the third argument. DLLInterface.cpp 1103
// Declaration of memset(): destination, fill value, size in bytes.
void* __cdecl memset(
_Out_writes_bytes_all_(_Size) void* _Dst,
_In_ int _Val,
_In_ size_t _Size
);
extern "C" __declspec(dllexport) bool __cdecl CNC_Read_INI(....)
{
....
// V575: value and size are swapped relative to the declaration above, so the size
// is 0 and ini_buffer is not cleared.
memset(ini_buffer, _ini_buffer_size, 0);
....
}
Similar errors can be found in some other places:
V575 [CWE-628] The 'memmove' function processes '0' elements. Inspect the third argument. memmove_common.c 82
void
do_memmove(char *dst, char *src, const char *file_name,
size_t dest_off, size_t src_off, size_t bytes,
memmove_fn fn, unsigned flags, persist_fn persist)
{
....
/* do the same using regular memmove and verify that buffers match */
/* V575: the length is the literal 0, so the shadow buffers are not modified, while
 * the verify_contents() calls below compare `bytes` bytes. NOTE(review): `bytes`
 * was presumably the intended length. */
memmove(dstshadow + dest_off, srcshadow + src_off, 0);
verify_contents(file_name, 2, dstshadow, dst, bytes);
verify_contents(file_name, 3, srcshadow, src, bytes);
....
}
V575 [CWE-628] The 'memcpy' function doesn't copy the whole string. Use 'strcpy / strcpy_s' function to preserve terminal null. writer.c 41
#define MAX_BUF_LEN 10
struct my_root {
char buf[MAX_BUF_LEN];
};
int
main(int argc, char *argv[])
{
....
struct my_root *rootp = pmemobj_direct(root);
char buf[MAX_BUF_LEN] = {0};
....
TX_BEGIN(pop) {
pmemobj_tx_add_range(root, 0, sizeof(struct my_root));
/* V575: strlen(buf) bytes are copied, so the terminating null is not written.
 * rootp->buf ends up terminated only if the bytes after the copied text were
 * already zero. */
memcpy(rootp->buf, buf, strlen(buf));
} TX_END
....
}
V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 340, 338. rtree_map.c 340
static void
remove_extra_node(TOID(struct tree_map_node) *node)
{
....
unsigned char *new_key = (unsigned char *)malloc(new_key_size);
/* V575: the only guard on the allocation is an assert, which is compiled out under
 * NDEBUG; in such builds a NULL new_key reaches memcpy() unchecked. */
assert(new_key != NULL);
memcpy(new_key, D_RO(tmp)->key, D_RO(tmp)->key_size);
....
}
Similar errors can be found in some other places:
V575 The 'strerror_s' function processes '0' elements. Inspect the second argument. commands-win32.c 1642
void qmp_guest_set_time(bool has_time, int64_t time_ns,
Error **errp)
{
....
if (GetLastError() != 0) {
/* V575: the second argument is the buffer size, and it is 0, so strerror_s() has
 * no room for a message. NOTE(review): the branch tests GetLastError() but the
 * message is built from errno, a different error source. */
strerror_s((LPTSTR) & msg_buffer, 0, errno);
....
}
}
V575 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 73, 68. modelstate.cc 73
Metadata*
ModelState::decode_metadata(const DecoderState& state,
size_t num_results)
{
....
// V575: malloc() may return NULL; ret is passed to memcpy() as the destination
// without a check.
Metadata* ret = (Metadata*)malloc(sizeof(Metadata));
....
memcpy(ret, &metadata, sizeof(Metadata));
return ret;
}
V575 The null pointer is passed into 'free' function. Inspect the first argument. sae.c 1185
static int sae_parse_password_identifier(struct sae_data *sae,
const u8 *pos, const u8 *end)
{
wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame",
pos, end - pos);
if (!sae_is_password_id_elem(pos, end)) {
if (sae->tmp->pw_id) {
wpa_printf(MSG_DEBUG,
"SAE: No Password Identifier included, but expected one (%s)",
sae->tmp->pw_id);
return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
}
/* V575: the branch above returns whenever pw_id is non-NULL, so pw_id is always
 * NULL here. The os_free() call and the assignment after it have no effect. */
os_free(sae->tmp->pw_id);
sae->tmp->pw_id = NULL;
return WLAN_STATUS_SUCCESS; /* No Password Identifier */
}
....
}
V575 [CWE-628] The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 277, 276. qqmlprofilerevent_p.h 277
// Copies the payload of other into this event; when the External flag is set, it
// is copied into a newly malloc()'ed block.
void assignData(const QQmlProfilerEvent &other)
{
if (m_dataType & External) {
uint length = m_dataLength * (other.m_dataType / 8);
// V575: malloc() may return NULL; m_data.external is used as the memcpy()
// destination without a check.
m_data.external = malloc(length); // <=
memcpy(m_data.external, other.m_data.external, length); // <=
} else {
memcpy(&m_data, &other.m_data, sizeof(m_data));
}
}
Similar errors can be found in some other places:
V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 487, 486. sc_report_handler.cpp 487
sc_msg_def * sc_report_handler::add_msg_type(const char * msg_type_)
{
....
// V575: malloc() may return NULL; msg_type_data is passed to strcpy() as the
// destination without a check.
items->md->msg_type_data = (char*) malloc(msg_type_len+1);
strcpy( items->md->msg_type_data, msg_type_ );
....
}
Similar errors can be found in some other places: