Примеры ошибок, обнаруженных с помощью диагностики V1028

V1028. Possible overflow. Consider casting operands, not the result.

FreeRDP

V1028 Possible overflow. Consider casting operands, not the result. makecert.c 1087


// openssl/x509.h
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);

struct _MAKECERT_CONTEXT
{
  ....
  int duration_years;
  int duration_months;
};

typedef struct _MAKECERT_CONTEXT MAKECERT_CONTEXT;

int makecert_context_process(MAKECERT_CONTEXT* context, ....)
{
  ....
  if (context->duration_months)
    X509_gmtime_adj(after, (long)(60 * 60 * 24 * 31 *
      context->duration_months));
  else if (context->duration_years)
    X509_gmtime_adj(after, (long)(60 * 60 * 24 * 365 *
      context->duration_years));
  ....
}

LLVM/Clang

V1028 [CWE-190] Possible overflow. Consider casting operands of the 'NumElts * Scale' operator to the 'size_t' type, not the result. X86ISelLowering.h 1577


template <typename T>
void scaleShuffleMask(int Scale, ArrayRef<T> Mask,
                      SmallVectorImpl<T> &ScaledMask) {
  assert(0 < Scale && "Unexpected scaling factor");
  int NumElts = Mask.size();
  ScaledMask.assign(static_cast<size_t>(NumElts * Scale), -1);
  ....
}

PMDK

V1028 [CWE-190] Possible overflow. Consider casting operands, not the result. memcpy_common.c 62


typedef long long os_off_t;

void
do_memcpy(int fd, char *dest, int dest_off, char *src, int src_off,
    size_t bytes, size_t mapped_len, const char *file_name, memcpy_fn fn,
    unsigned flags, persist_fn persist)
{
  ....
  LSEEK(fd, (os_off_t)(dest_off + (int)(mapped_len / 2)), SEEK_SET);
  ....
}

Qt

V1028 [CWE-190] Possible overflow. Consider casting operands of the 'd->m_offsetFromUtc * 1000' operator to the 'qint64' type, not the result. qdatetime.cpp 3922


int m_offsetFromUtc;
....
void QDateTime::setMSecsSinceEpoch(qint64 msecs)
{
  ....
  if (!add_overflow(msecs, qint64(d->m_offsetFromUtc * 1000), &msecs))
    status |= QDateTimePrivate::ValidWhenMask;
  ....
}

Snort

V1028 Possible overflow. Consider casting operands of the 'b->yy_buf_size + 2' operator to the 'yy_size_t' type, not the result. sf_attribute_table_parser.c 7578


YY_BUFFER_STATE yy_create_buffer(FILE * file, int  size)
{
  YY_BUFFER_STATE b;

  b = (YY_BUFFER_STATE)yyalloc(sizeof(struct yy_buffer_state));
  if (!b)
    YY_FATAL_ERROR("out of dynamic memory in yy_create_buffer()");

  b->yy_buf_size = size;

  /* yy_ch_buf has to be 2 characters longer than the size given because
   * we need to put in 2 end-of-buffer characters.
   */
  b->yy_ch_buf = (char *)yyalloc((yy_size_t)(b->yy_buf_size + 2));
    if (!b->yy_ch_buf)
      YY_FATAL_ERROR("out of dynamic memory in yy_create_buffer()");

  b->yy_is_our_buffer = 1;

  yy_init_buffer(b, file);

  return b;
}

Darwin-XNU

V1028 Possible overflow. Consider casting operands of the 'amount + used' operator to the 'size_t' type, not the result. kpi_mbuf.c 503


errno_t
mbuf_adjustlen(mbuf_t m, int amount)
{
  /* Verify m_len will be valid after adding amount */
  if (amount > 0) {
    int used =  (size_t)mbuf_data(m)
              - (size_t)mbuf_datastart(m)
              + m->m_len;

    if ((size_t)(amount + used) > mbuf_maxlen(m)) {
      ....
    }
  ....
  return 0;
}

Similar errors can be found in some other places:

V1028 Possible overflow. Consider casting operands, not the result. vm_compressor_pager.c 1165
V1028 Possible overflow. Consider casting operands, not the result. vm_compressor_pager.c 1131
V1028 Possible overflow. Consider casting operands, not the result. audit_worker.c 241
And 1 additional diagnostic messages.

libtorrent

V1028 Possible overflow. Consider casting operands of the 'counter * blocks_per_piece' operator to the 'size_t' type, not the result. torrent.cpp 7092


void torrent::get_download_queue(std::vector<partial_piece_info>* queue) const
{
  ....
  const int blocks_per_piece = m_picker->blocks_in_piece(piece_index_t(0));
  ....
  int counter = 0;
  for (auto i = q.begin(); i != q.end(); ++i, ++counter)
  {
    partial_piece_info pi;
    ....
    pi.blocks = &blk[std::size_t(counter * blocks_per_piece)];
  }
}

Protocol Buffers

V1028 [CWE-190] Possible overflow. Consider casting operands, not the result. generated_message_reflection.h 140


uint32_t GetFieldOffset(const FieldDescriptor* field) const {
  if (InRealOneof(field)) {
    size_t offset =
        static_cast<size_t>(field->containing_type()->field_count() +
                            field->containing_oneof()->index());
    return OffsetValue(offsets_[offset], field->type());
  } else {
    return GetFieldOffsetNonOneof(field);
  }
}

Dagor Engine

V1028 Possible overflow. Consider casting operands of the 'length + pa_diff' operator to the 'size_t' type, not the result. DagorEngine/prog/engine/osApiWrappers/mmap.cpp 77


const void *df_mmap(file_ptr_t fp, int *flen, int length, int offset)
{
  ....
  int pa_diff = (base + offset) - pa_offs;
  ....
  void *ret = mmap(NULL,
                  (size_t)(length + pa_diff),
                  PROT_READ, MAP_SHARED, fd, (off_t)pa_offs);
  ....
}

Заполните форму в два простых шага ниже:

Ваши контактные данные:

Тип желаемой лицензии:

Примеры ошибок, обнаруженных с помощью диагностики V1028

FreeRDP

LLVM/Clang

PMDK

Qt

Snort

Darwin-XNU

libtorrent

Protocol Buffers

Dagor Engine

Хотите получить ключ на использование анализатора в пробный период?

Достижения

PVS-Studio

Лицензирование

Компания