Examples of errors detected by the V645 diagnostic


V645. The function call could lead to the buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold.


ReactOS

V645 The 'strncat' function call could lead to the 'CmdLine' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. cmds.c 1314


void shell(int argc, const char *argv[])
{
  char CmdLine[MAX_PATH];
  ....
  strcpy( CmdLine, ShellCmd );

  if (argc > 1)
  {
    strncat(CmdLine, " /C", MAX_PATH);
  }

  for (i=1; i<argc; i++)
  {
    strncat(CmdLine, " ", MAX_PATH);
    strncat(CmdLine, argv[i], MAX_PATH);
  }
  ....
}

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'CmdLine' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. cmds.c 1319
  • V645 The 'strncat' function call could lead to the 'CmdLine' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. cmds.c 1320
  • V645 The 'wcsncat' function call could lead to the 'szFileName' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. logfile.c 50

ICU

V645 The 'strncat' function call could lead to the 'plugin_file' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. icuplug.c 739


#define uprv_strncat(dst, src, n) \
  U_STANDARD_CPP_NAMESPACE strncat(dst, src, n)

static char plugin_file[2048] = "";

U_CAPI void U_EXPORT2
uplug_init(UErrorCode *status)
{
  ....
  uprv_strncpy(plugin_file, plugin_dir, 2047);
  uprv_strncat(plugin_file, U_FILE_SEP_STRING,2047);
  uprv_strncat(plugin_file, "icuplugins",2047);
  uprv_strncat(plugin_file, U_ICU_VERSION_SHORT ,2047);
  uprv_strncat(plugin_file, ".txt" ,2047);
  ....
}

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'plugin_file' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. icuplug.c 741
  • V645 The 'strncat' function call could lead to the 'plugin_file' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. icuplug.c 740

Multi Theft Auto

V645 The 'strncat' function call could lead to the 'szRightName' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. cluaacldefs.cpp 400


int CLuaACLDefs::aclListRights ( lua_State* luaVM )
{
  char szRightName [128];
  ....
  strncat ( szRightName, (*iter)->GetRightName (), 128 );
  ....
}

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'szObjectType' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. caccesscontrollistgroup.cpp 226

Miranda NG

V645 The 'strncat' function call could lead to the 'buff' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. Miranda fontoptions.cpp 162


BOOL ExportSettings(....)
{
  ....
  char header[512], buff[1024], abuff[1024];
  ....
  strncat(buff, abuff, SIZEOF(buff));
  ....
}

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'buff' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. Miranda fontoptions.cpp 179
  • V645 The 'strncat' function call could lead to the 'buff' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. Miranda fontoptions.cpp 183
  • V645 The 'strncat' function call could lead to the 'buff' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. Miranda fontoptions.cpp 186
  • And 45 additional diagnostic messages.

Miranda NG

V645 The 'strncat' function call could lead to the 'filename' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. GG filetransfer.cpp 273


void __cdecl GGPROTO::dccmainthread(void*)
{
  ....
  strncat(filename, (char*)local_dcc->file_info.filename,
          sizeof(filename) - strlen(filename));
  ....
}

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'filename' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. GG filetransfer.cpp 304
  • V645 The 'strncat' function call could lead to the 'filename' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. GG filetransfer.cpp 503
  • V645 The 'strncat' function call could lead to the 'filename' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. GG filetransfer.cpp 534
  • And 31 additional diagnostic messages.

Enlightenment

V645 The 'strncat' function call could lead to the 'transients' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. e_info_server.c 739


static void
_msg_window_prop_client_append(....)
{
  ....
  char availables[256] = { 0, };

  for (i = 0; i < target_ec->e.state.rot.count; i++)
  {
    char tmp[16];
    snprintf(tmp, sizeof(tmp), "%d ",
             target_ec->e.state.rot.available_rots[i]);
    strncat(availables, tmp,                             // <=
            sizeof(availables) - strlen(availables));
  }
  ....
}

The correct variant of the code: sizeof(availables) - strlen(availables) - 1

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'shape_rects' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. e_info_server.c 751
  • V645 The 'strncat' function call could lead to the 'shape_input' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. e_info_server.c 763
  • V645 The 'strncat' function call could lead to the 'availables' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. e_info_server.c 924

Tizen

V645 The 'strncat' function call could lead to the 'dd_info->object_uri' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. oma-parser-dd1.c 422


#define OP_MAX_URI_LEN 2048

char object_uri[OP_MAX_URI_LEN];

void op_libxml_characters_dd1(....)
{
  ....
  strncat(dd_info->object_uri, ch_str,
          OP_MAX_URI_LEN - strlen(dd_info->object_uri));
  ....
}

The correct variant of the code: OP_MAX_URI_LEN - strlen(dd_info->object_uri) - 1

Similar errors can be found in some other places:

  • V645 The 'strncat' function call could lead to the 'dd_info->name' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. oma-parser-dd1.c 433


Bugs Found

Checked Projects
336
Collected Errors
12 743