Примеры ошибок, обнаруженных с помощью диагностики V1028

V1028. Possible overflow. Consider casting operands, not the result.

FreeRDP

V1028 Possible overflow. Consider casting operands, not the result. makecert.c 1087

// openssl/x509.h
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);

struct _MAKECERT_CONTEXT
{
  ....
  int duration_years;
  int duration_months;
};

typedef struct _MAKECERT_CONTEXT MAKECERT_CONTEXT;

int makecert_context_process(MAKECERT_CONTEXT* context, ....)
{
  ....
  if (context->duration_months)
    X509_gmtime_adj(after, (long)(60 * 60 * 24 * 31 *
      context->duration_months));
  else if (context->duration_years)
    X509_gmtime_adj(after, (long)(60 * 60 * 24 * 365 *
      context->duration_years));
  ....
}

LLVM/Clang

V1028 [CWE-190] Possible overflow. Consider casting operands of the 'NumElts * Scale' operator to the 'size_t' type, not the result. X86ISelLowering.h 1577

template <typename T>
void scaleShuffleMask(int Scale, ArrayRef<T> Mask,
                      SmallVectorImpl<T> &ScaledMask) {
  assert(0 < Scale && "Unexpected scaling factor");
  int NumElts = Mask.size();
  ScaledMask.assign(static_cast<size_t>(NumElts * Scale), -1);
  ....
}

PMDK

V1028 [CWE-190] Possible overflow. Consider casting operands, not the result. memcpy_common.c 62

typedef long long os_off_t;

void
do_memcpy(int fd, char *dest, int dest_off, char *src, int src_off,
    size_t bytes, size_t mapped_len, const char *file_name, memcpy_fn fn,
    unsigned flags, persist_fn persist)
{
  ....
  LSEEK(fd, (os_off_t)(dest_off + (int)(mapped_len / 2)), SEEK_SET);
  ....
}

Qt

V1028 [CWE-190] Possible overflow. Consider casting operands of the 'd->m_offsetFromUtc * 1000' operator to the 'qint64' type, not the result. qdatetime.cpp 3922

int m_offsetFromUtc;
....
void QDateTime::setMSecsSinceEpoch(qint64 msecs)
{
  ....
  if (!add_overflow(msecs, qint64(d->m_offsetFromUtc * 1000), &msecs))
    status |= QDateTimePrivate::ValidWhenMask;
  ....
}

Snort

V1028 Possible overflow. Consider casting operands of the 'b->yy_buf_size + 2' operator to the 'yy_size_t' type, not the result. sf_attribute_table_parser.c 7578

YY_BUFFER_STATE yy_create_buffer(FILE * file, int  size)
{
  YY_BUFFER_STATE b;

  b = (YY_BUFFER_STATE)yyalloc(sizeof(struct yy_buffer_state));
  if (!b)
    YY_FATAL_ERROR("out of dynamic memory in yy_create_buffer()");

  b->yy_buf_size = size;

  /* yy_ch_buf has to be 2 characters longer than the size given because
   * we need to put in 2 end-of-buffer characters.
   */
  b->yy_ch_buf = (char *)yyalloc((yy_size_t)(b->yy_buf_size + 2));
    if (!b->yy_ch_buf)
      YY_FATAL_ERROR("out of dynamic memory in yy_create_buffer()");

  b->yy_is_our_buffer = 1;

  yy_init_buffer(b, file);

  return b;
}

Darwin-XNU

V1028 Possible overflow. Consider casting operands of the 'amount + used' operator to the 'size_t' type, not the result. kpi_mbuf.c 503

errno_t
mbuf_adjustlen(mbuf_t m, int amount)
{
  /* Verify m_len will be valid after adding amount */
  if (amount > 0) {
    int used =  (size_t)mbuf_data(m)
              - (size_t)mbuf_datastart(m)
              + m->m_len;

    if ((size_t)(amount + used) > mbuf_maxlen(m)) {
      ....
    }
  ....
  return 0;
}

Similar errors can be found in some other places:

• V1028 Possible overflow. Consider casting operands, not the result. vm_compressor_pager.c 1165
• V1028 Possible overflow. Consider casting operands, not the result. vm_compressor_pager.c 1131
• V1028 Possible overflow. Consider casting operands, not the result. audit_worker.c 241
• And 1 additional diagnostic messages.

libtorrent

V1028 Possible overflow. Consider casting operands of the 'counter * blocks_per_piece' operator to the 'size_t' type, not the result. torrent.cpp 7092

void torrent::get_download_queue(std::vector<partial_piece_info>* queue) const
{
  ....
  const int blocks_per_piece = m_picker->blocks_in_piece(piece_index_t(0));
  ....
  int counter = 0;
  for (auto i = q.begin(); i != q.end(); ++i, ++counter)
  {
    partial_piece_info pi;
    ....
    pi.blocks = &blk[std::size_t(counter * blocks_per_piece)];
  }
}

Protocol Buffers

V1028 [CWE-190] Possible overflow. Consider casting operands, not the result. generated_message_reflection.h 140

uint32_t GetFieldOffset(const FieldDescriptor* field) const {
  if (InRealOneof(field)) {
    size_t offset =
        static_cast<size_t>(field->containing_type()->field_count() +
                            field->containing_oneof()->index());
    return OffsetValue(offsets_[offset], field->type());
  } else {
    return GetFieldOffsetNonOneof(field);
  }
}

Dagor Engine

V1028 Possible overflow. Consider casting operands of the 'length + pa_diff' operator to the 'size_t' type, not the result. DagorEngine/prog/engine/osApiWrappers/mmap.cpp 77

const void *df_mmap(file_ptr_t fp, int *flen, int length, int offset)
{
  ....
  int pa_diff = (base + offset) - pa_offs;
  ....
  void *ret = mmap(NULL,
                  (size_t)(length + pa_diff),
                  PROT_READ, MAP_SHARED, fd, (off_t)pa_offs);
  ....
}

Nau Engine

V1028 Possible overflow. Consider casting operands of the 'location[0] << 4' operator to the 'size_t' type, not the result. Types.cpp 40

std::size_t UniformLocation::operator()(const UniformLocation &uniform) const
{
    return (((size_t) shaderStage) & 0xF)
           |((size_t)(location[0] << 4))
           |((size_t)(location[1] << 8));
}

Similar errors can be found in some other places:

• V1028 Possible overflow. Consider casting operands of the 'location[1] << 8' operator to the 'size_t' type, not the result. Types.cpp 40

TDengine

V1028 Possible overflow. Consider casting operands of the 'pg->num * pMemBucket->bytes' operator to the 'size_t' type, not the result. tpercentile.c 64

typedef struct SFilePage {
  int32_t num;
  ....
} SFilePage;

typedef struct tMemBucket {
  ....
  int32_t            bytes;
  ....
} tMemBucket;


static int32_t loadDataFromFilePage(tMemBucket *pMemBucket, ....) {
  ....
  SFilePage *pg = getBufPage(pMemBucket->pBuffer, *pageId);
  ....
  (void)memcpy((*buffer)->data + offset, pg->data,
               (size_t)(pg->num * pMemBucket->bytes));
  ....
}

TDengine

V1028 Possible overflow. Consider casting operands of the '1 << set->nbits' operator to the 'size_t' type, not the result. tdbPager.c 88

static int hashset_add(hashset_t set, void *item) {
  int ret = hashset_add_member(set, item);

  size_t old_capacity = set->capacity;
  if (set->nitems >= (double)old_capacity * set->load_factor) {
    size_t *old_items = set->items;
    ++set->nbits;
    set->capacity = (size_t)(1 << set->nbits);
  ....
}

TDengine

V1028 Possible overflow. Consider casting operands of the 'n + 1' operator to the 'size_t' type, not the result. divsufsort.c 1881

int
divbwt(const unsigned char *T, unsigned char *U, int *A, int n,
       unsigned char * num_indexes, int * indexes, int openMP) {
{
  ....
  if((B = A) == NULL) { B = (int *)malloc((size_t)(n + 1) * sizeof(int)); }
  ....
}

Similar errors can be found in some other places:

• V1028 Possible overflow. Consider casting operands of the 'pColData->nVal + 1' operator to the 'int64_t' type, not the result. tdataformat.c 1904
• V1028 Possible overflow. Consider casting operands, not the result. compaction_picker_level.cc 818
• V1028 Possible overflow. Consider casting operands of the 'vlen * 4' operator to the 'size_t' type, not the result. tbase64.c 23
• And 1 additional diagnostic messages.