Examples of errors detected by the V645 diagnostic.


V645. The function call could lead to the buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold.


ReactOS

V645 The 'strncat' function call could lead to the 'CmdLine' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. cmds.c 1314

V645 The 'strncat' function call could lead to the 'CmdLine' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. cmds.c 1319

V645 The 'strncat' function call could lead to the 'CmdLine' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. cmds.c 1320


void shell(int argc, const char *argv[])
{
  char CmdLine[MAX_PATH];
  ....
  strcpy( CmdLine, ShellCmd );

  if (argc > 1)
  {
    strncat(CmdLine, " /C", MAX_PATH);
  }

  for (i=1; i<argc; i++)
  {
    strncat(CmdLine, " ", MAX_PATH);
    strncat(CmdLine, argv[i], MAX_PATH);
  }
  ....
}

Similar errors can be found in some other places:

  • V645 The 'wcsncat' function call could lead to the 'szFileName' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. logfile.c 50

ICU

V645 The 'strncat' function call could lead to the 'plugin_file' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. icuplug.c 739

V645 The 'strncat' function call could lead to the 'plugin_file' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. icuplug.c 740

V645 The 'strncat' function call could lead to the 'plugin_file' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. icuplug.c 741


#define uprv_strncat(dst, src, n) \
  U_STANDARD_CPP_NAMESPACE strncat(dst, src, n)

static char plugin_file[2048] = "";

U_CAPI void U_EXPORT2
uplug_init(UErrorCode *status)
{
  ....
  uprv_strncpy(plugin_file, plugin_dir, 2047);
  uprv_strncat(plugin_file, U_FILE_SEP_STRING,2047);
  uprv_strncat(plugin_file, "icuplugins",2047);
  uprv_strncat(plugin_file, U_ICU_VERSION_SHORT ,2047);
  uprv_strncat(plugin_file, ".txt" ,2047);
  ....
}

Multi Theft Auto

V645 The 'strncat' function call could lead to the 'szRightName' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. cluaacldefs.cpp 400


int CLuaACLDefs::aclListRights ( lua_State* luaVM )
{
  char szRightName [128];
  ....
  strncat ( szRightName, (*iter)->GetRightName (), 128 );
  ....
}

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'szObjectType' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. caccesscontrollistgroup.cpp 226

Miranda NG

V645 The 'strncat' function call could lead to the 'buff' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. Miranda fontoptions.cpp 162


BOOL ExportSettings(....)
{
  ....
  char header[512], buff[1024], abuff[1024];
  ....
  strncat(buff, abuff, SIZEOF(buff));
  ....
}

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'buff' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. Miranda fontoptions.cpp 179
  • V645 The 'strncat' function call could lead to the 'buff' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. Miranda fontoptions.cpp 183
  • V645 The 'strncat' function call could lead to the 'buff' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. Miranda fontoptions.cpp 186
  • And 45 additional diagnostic messages.

Miranda NG

V645 The 'strncat' function call could lead to the 'filename' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. GG filetransfer.cpp 273


void __cdecl GGPROTO::dccmainthread(void*)
{
  ....
  strncat(filename, (char*)local_dcc->file_info.filename,
          sizeof(filename) - strlen(filename));
  ....
}

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'filename' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. GG filetransfer.cpp 304
  • V645 The 'strncat' function call could lead to the 'filename' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. GG filetransfer.cpp 503
  • V645 The 'strncat' function call could lead to the 'filename' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. GG filetransfer.cpp 534
  • And 31 additional diagnostic messages.

Enlightenment

V645 The 'strncat' function call could lead to the 'transients' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. e_info_server.c 739


static void
_msg_window_prop_client_append(....)
{
  ....
  char availables[256] = { 0, };

  for (i = 0; i < target_ec->e.state.rot.count; i++)
  {
    char tmp[16];
    snprintf(tmp, sizeof(tmp), "%d ",
             target_ec->e.state.rot.available_rots[i]);
    strncat(availables, tmp,                             // <=
            sizeof(availables) - strlen(availables));
  }
  ....
}

The correct variant of the code: sizeof(availables) - strlen(availables) - 1

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'shape_rects' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. e_info_server.c 751
  • V645 The 'strncat' function call could lead to the 'shape_input' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. e_info_server.c 763
  • V645 The 'strncat' function call could lead to the 'availables' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. e_info_server.c 924

Tizen

V645 The 'strncat' function call could lead to the 'dd_info->object_uri' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. oma-parser-dd1.c 422


#define OP_MAX_URI_LEN 2048

char object_uri[OP_MAX_URI_LEN];

void op_libxml_characters_dd1(....)
{
  ....
  strncat(dd_info->object_uri, ch_str,
          OP_MAX_URI_LEN - strlen(dd_info->object_uri));
  ....
}

The correct variant of the code: OP_MAX_URI_LEN - strlen(dd_info->object_uri) - 1

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'dd_info->name' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. oma-parser-dd1.c 433


Do you make errors in the code?

Check your code
with PVS-Studio

Static code analysis
for C, C++, and C#

goto PVS-Studio;
We use cookies for the analysis of events to improve our content and make user interaction more convenient. By continuing the view of our web-pages you accept the terms of using these files. You can find out more about cookie-files and privacy policy or close the notification, by clicking on the button. Learn More →
Do not show again