Примеры ошибок, обнаруженных с помощью диагностики V1086
V1086. Call of the 'Foo' function will lead to buffer underflow.
SMTP Client
V1086 A call of the 'memset' function will lead to a buffer underflow. CSmtp md5.cpp 212
void MD5::finalize () {
....
uint1 buffer[64];
....
// Zeroize sensitive information
memset (buffer, 0, sizeof(*buffer));
....
}
Most likely this is what should be written here: memset (buffer, 0, sizeof(buffer));
Fennec Media
V1086 A call of the 'memset' function will lead to a buffer underflow. base windows.c 150
#define uinput_size 1024
typedef wchar_t letter;
letter uinput_text[uinput_size];
string basewindows_getuserinput(const string title,
const string cap, const string dtxt)
{
memset(uinput_text, 0, uinput_size);
....
}
At the first sight, everything is fine with "memset(uinput_text, 0, uinput_size);". Perhaps it even was fine when the 'letter' type was 'char'. But now this is 'wchar_t', which results in zeroing only half of the buffer.
Fennec Media
V1086 A call of the 'memset' function will lead to a buffer underflow. base windows.c 2892
typedef wchar_t letter;
letter name[30];
int Conv_EqualizerProc(HWND hwnd,UINT uMsg,
WPARAM wParam,LPARAM lParam)
{
....
memset(eqp.name, 0, 30);
....
}
This is what should have been written here: sizeof(letter) * 30
Notepad++
V1086 A call of the memset function will lead to a buffer underflow. dockingmanager.cpp 78
#define CONT_MAP_MAX 50
int _iContMap[CONT_MAP_MAX];
....
DockingManager::DockingManager()
{
....
memset(_iContMap, -1, CONT_MAP_MAX);
....
}
This is what should have been written here: memset(_iContMap, -1, CONT_MAP_MAX * sizeof(int));
Wolfenstein 3D
V1086 A call of the 'memset' function will lead to a buffer underflow. cgame bg_animation.c 999
typedef struct
{
short int bodyPart[2];
short int animIndex[2];
short int animDuration[2];
short int soundIndex;
short int accShowBits;
short int accHideBits;
} animScriptCommand_t;
void BG_ParseCommands(....) {
....
animScriptCommand_t *command = NULL;
....
memset( command, 0, sizeof( command ) );
....
}
This is what should have been written here: sizeof(*command)
Wolfenstein 3D
V1086 A call of the 'memset' function will lead to a buffer underflow. wolf cvar.c 764
typedef struct cvar_s {
char *name;
....
struct cvar_s *hashNext;
} cvar_t;
void Cvar_Restart_f( void ) {
cvar_t *var;
....
memset( var, 0, sizeof( var ) );
....
}
This is what should have been written here: memset( var, 0, sizeof( *var ) );
Newton Game Dynamics
V1086 A call of the 'memset' function will lead to a buffer underflow. physics dgcollisioncompoundbreakable.cpp 702
dgCollisionCompoundBreakable::dgCollisionCompoundBreakable (....)
{
....
dgInt32 faceOffsetHitogram[256];
dgSubMesh* mainSegmenst[256];
....
memset(faceOffsetHitogram, 0, sizeof(faceOffsetHitogram));
memset(mainSegmenst, 0, sizeof(faceOffsetHitogram));
....
}
A 64-bit error. These are the consequences of Copy-Paste. In a 64-bit program, the pointer size will become non-equal to the dgint32 size and we will clear only a part of the mainSegmenst array.
Miranda IM
V1086 A call of the 'memcpy' function will lead to a buffer underflow. tabsrmm utils.cpp 1080
typedef struct _textrangew
{
CHARRANGE chrg;
LPWSTR lpstrText;
} TEXTRANGEW;
const wchar_t* Utils::extractURLFromRichEdit(....)
{
....
::CopyMemory(tr.lpstrText, L"mailto:", 7);
....
}
This is what should have been written here: sizeof(wchar_t) * 7
Chromium
V1086 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. base time_win.cc 227
void Time::Explode(bool is_local, Exploded* exploded) const
{
....
ZeroMemory(exploded, sizeof(exploded));
....
}
This is what should have been written here: sizeof(*exploded)
Chromium
V1086 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. platform time_win.cc 116
void NaCl::Time::Explode(bool is_local,
Exploded* exploded) const
{
....
ZeroMemory(exploded, sizeof(exploded));
....
}
This is what should have been written here: sizeof(*exploded)
Qt
V1086 A call of the 'memset' function will lead to underflow of the buffer 's_attr_table'. qt3to4 cpplexer.cpp 77
int s_attr_table[256];
void CppLexer::setupScanTable()
{
....
memset(s_attr_table, 0, 256);
....
}
This is what should have been written here: sizeof(int) * 256
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 's_attr_table'. qt3to4 rpplexer.cpp 60
Apache HTTP Server
V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 560
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
void apr__SHA256_Final(sha2_byte digest[],
SHA256_CTX* context) {
....
MEMSET_BZERO(context, sizeof(context));
....
}
This is what should have been written here: sizeof(*context)
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 581
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 892
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 912
- And 2 additional diagnostic messages.
Energy Checker SDK
V1086 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 683
#define PL_MAX_PATH 255
typedef WCHAR TCHAR, *PTCHAR;
TCHAR pl_cvt_buffer[PL_MAX_PATH] = { '\0' };
int plh_read_pl_config_ini_file(....)
{
....
ZeroMemory(
pl_cvt_buffer,
PL_MAX_PATH
);
....
}
This is what should have been written here: PL_MAX_PATH * sizeof(TCHAR)
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 714
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 745
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 789
- And 5 additional diagnostic messages.
Energy Checker SDK
V1086 A call of the 'memset' function will lead to underflow of the buffer 'pconfig'. pl_csv_logger productivity_link_helper.c 1806
typedef struct _plh_dynamic_pl_folder_info {
....
} PLH_DYNAMIC_PL_FOLDER_INFO, *PPLH_DYNAMIC_PL_FOLDER_INFO;
int plh_dynamic_read_pl_folder(
PPLH_DYNAMIC_PL_FOLDER_INFO pconfig)
{
....
memset(
pconfig,
0,
sizeof(pconfig)
);
....
}
This is what should have been written here: sizeof(*pconfig)
Energy Checker SDK
V1086 A call of the 'memset' function will lead to underflow of the buffer 'temp'. core_api_unit_tests unit_tests_tools.c 379
void plt_tools_get_pl_config_full_file_name(char *buffer) {
....
char temp[PL_MAX_PATH] = { '\0' };
....
memset(
temp,
0,
sizeof(buffer)
);
....
}
This is what should have been written here: sizeof(temp)
Far Manager
V1086 A call of the 'memset' function will lead to underflow of the buffer 'PInfo'. far filelist.cpp 672
__int64 FileList::VMProcess(int OpCode,void *vParam,
__int64 iParam)
{
....
PluginInfo *PInfo=(PluginInfo *)vParam;
memset(PInfo,0,sizeof(PInfo));
PInfo->StructSize=sizeof(PInfo);
....
}
This is what should have been written here: memset(PInfo, 0, sizeof(PluginInfo));
ReactOS
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'buffer'. user32 dllmain.c 162
VOID
UnloadAppInitDlls()
{
....
WCHAR buffer[KEY_LENGTH];
....
RtlCopyMemory(buffer, szAppInit, KEY_LENGTH);
....
}
Multiplication by sizeof(WCHAR) is missing, which causes copying only half of the data. This is what the code should look like: RtlCopyMemory(buffer, szAppInit, KEY_LENGTH * sizeof(WCHAR)).
ReactOS
V1086 A call of the 'memset' function will lead to underflow of the buffer '((file_path))'. sndrec32 sndrec32.cpp 769
typedef WCHAR TCHAR,*PTCHAR;
TCHAR file_path[MAX_PATH];
#define MAX_PATH 260
LRESULT CALLBACK
WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam )
{
....
ZeroMemory( file_path, MAX_PATH );
....
}
This is what should have been written here: ZeroMemory( file_path, MAX_PATH * sizeof(TCHAR));
Similar errors can be found in some other places:
- V1086 A call of the 'memcpy' function will lead to a buffer underflow. smss client.c 442
ReactOS
V1086 A call of the 'memset' function will lead to underflow of the buffer '((pfd))'. shell32 pidl.c 1160
HRESULT WINAPI SHGetDataFromIDListW(....)
{
....
WIN32_FIND_DATAW * pfd = dest;
....
ZeroMemory(pfd, sizeof (WIN32_FIND_DATAA));
}
This is what should have been written here: sizeof(WIN32_FIND_DATAW)
ReactOS
V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 991
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
char *SHA384_End(SHA384_CTX* context, char buffer[]) {
....
MEMSET_BZERO(context, sizeof(context));
....
}
This is what should have been written here: sizeof(*context).
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 566
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 587
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 896
- And 2 additional diagnostic messages.
IPP Samples
V1086 A call of the 'memset' function will lead to underflow of the buffer 'MEParams'. vc1_enc umc_vc1_enc_adv.cpp 1767
UMC::Status
VC1EncoderADV::SetMEParams_I_Field(UMC::MeParams* MEParams)
{
UMC::Status umcSts UMC::UMC_OK;
memset(MEParams,0,sizeof(MEParams));
....
}
This is what should have been written here: memset(MEParams,0,sizeof(*MEParams));
Doom 3
V1086 A call of the 'memset' function will lead to underflow of the buffer 'ase.currentMesh'. DoomDLL model_ase.cpp 731
aseMesh_t *currentMesh;
static void ASE_KeyGEOMOBJECT( const char *token )
{
....
ase.currentMesh = &ase.currentObject->mesh;
memset( ase.currentMesh, 0, sizeof( ase.currentMesh ) );
....
}
This is what should have been written here: memset( ase.currentMesh, 0, sizeof( *ase.currentMesh ) );
Doom 3
V1086 A call of the 'memset' function will lead to underflow of the buffer '& cluster'. DoomDLL aasfile.cpp 1312
void idAASFileLocal::DeleteClusters( void ) {
....
memset( &portal, 0, sizeof( portal ) );
portals.Append( portal );
// first cluster is a dummy
memset( &cluster, 0, sizeof( portal ) );
clusters.Append( cluster );
}
This is what should have been written here: memset( &cluster, 0, sizeof( cluster ) );
Mozilla Firefox
V1086 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. time_win.cc 198
void Time::Explode(bool is_local, Exploded* exploded) const {
....
ZeroMemory(exploded, sizeof(exploded));
....
}
This is what should have been written here: ZeroMemory(exploded, sizeof(*exploded));
ADAPTIVE Communication Environment (ACE)
V1086 A call of the 'memcmp' function will lead to underflow of the buffer 'expected_msg.payload'. Send_Msg_Receiver receiver.cpp 109
struct Message
{
unsigned int sn;
unsigned short payload[payload_size];
};
int
ACE_TMAIN (int argc, ACE_TCHAR* argv[])
{
....
if (ACE_OS::memcmp (expected_msg.payload,
msg.payload,
payload_size) != 0)
{
damaged[msg.sn] = 1;
}
....
}
Most likely this is what should be written here: payload_size * sizeof(short)
Similar errors can be found in some other places:
- V1086 A call of the 'memcmp' function will lead to underflow of the buffer 'expected_msg.payload'. RMCast_Receiver receiver.cpp 102
ADAPTIVE Communication Environment (ACE)
V1086 A call of the 'memset' function will lead to underflow of the buffer 'old_state'. thread.inl 172
ACE_INLINE int
ACE_Thread::disablecancel (struct cancel_state *old_state)
{
....
ACE_OS::memset (old_state,
0,
sizeof (old_state));
....
}
DeSmuME
V1086 A call of the 'memset' function will lead to underflow of the buffer 'MapView'. DeSmuME_VS2005 mapview.cpp 204
mapview_struct *MapView = NULL;
BOOL CALLBACK ViewMapsProc (HWND hwnd, UINT message,
WPARAM wParam, LPARAM lParam)
{
....
MapView = new mapview_struct;
memset(MapView, 0, sizeof(MapView));
....
}
This is what should have been written here: memset(MapView, 0, sizeof(*MapView));
MAME
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'state->m_spriteram16_buffered'. deco32.c 706
UINT16 m_spriteram16[0x1000];
UINT16 m_spriteram16_buffered[0x1000];
static WRITE32_HANDLER( deco32_buffer_spriteram_w )
{
deco32_state *state =
space->machine().driver_data<deco32_state>();
memcpy(state->m_spriteram16_buffered,
state->m_spriteram16, 0x1000);
}
This is what should have been written here: 0x1000 * sizeof(UINT16).
MAME
V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_rotate_ctrl'. wgp.c 949
UINT16 m_rotate_ctrl[8];
static MACHINE_RESET( wgp )
{
wgp_state *state = machine.driver_data<wgp_state>();
int i;
state->m_banknum = 0;
state->m_cpua_ctrl = 0xff;
state->m_port_sel = 0;
state->m_piv_ctrl_reg = 0;
for (i = 0; i < 3; i++)
{
state->m_piv_zoom[i] = 0;
state->m_piv_scrollx[i] = 0;
state->m_piv_scrolly[i] = 0;
}
memset(state->m_rotate_ctrl, 0, 8);
}
Similar errors can be found in some other places:
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'state->m_spriteram16_2_buffered'. deco32.c 726
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_playfield_code'. malzak.c 392
MAME
V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_control_0'. tumbleb.c 2065
UINT16 m_control_0[8];
#define ARRAY_LENGTH(x) (sizeof(x) / sizeof(x[0]))
static MACHINE_RESET( tumbleb )
{
....
memset(state->m_control_0, 0,
ARRAY_LENGTH(state->m_control_0));
}
Most likely this is what should be written here: memset(state->m_control_0, 0, sizeof(state->m_control_0));
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pmac_read'. megadriv.c 7156
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pmac_write'. megadriv.c 7157
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_cart_is_genesis'. megatech.c 426
- And 3 additional diagnostic messages.
MAME
V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pstars_regs'. pgm.c 4458
UINT32 m_pstars_regs[16];
static DRIVER_INIT( pstar )
{
....
memset(state->m_pstars_regs, 0, 16);
....
}
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 4975
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 4996
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 5056
- And 4 additional diagnostic messages.
Samba
V1086 A call of the 'memset' function will lead to underflow of the buffer 'rt'. perf_writer.c 80
void initialize(PERF_DATA_BLOCK *data,
RuntimeSettings *rt, int argc, char **argv)
{
memset(data, 0, sizeof(*data));
memset(rt, 0, sizeof(*data));
....
}
Most likely this is what should be written here: memset(rt, 0, sizeof(*rt));.
Samba
V1086 A call of the 'memcmp' function will lead to underflow of the buffer 'u0'. netuser.c 247
static NET_API_STATUS test_netusermodals(
struct libnetapi_ctx *ctx,
const char *hostname)
{
....
struct USER_MODALS_INFO_0 *u0 = NULL;
struct USER_MODALS_INFO_0 *_u0 = NULL;
....
if (memcmp(u0, _u0, sizeof(u0) != 0)) {
printf("USER_MODALS_INFO_0 struct has changed!!!!\n");
return -1;
}
....
}
Most likely this is what should be written here: sizeof(*u0).
libevent
V1086 A call of the 'memset' function will lead to underflow of the buffer 'win32op'. win32select.c 374
void
win32_dealloc(struct event_base *_base)
{
struct win32op *win32op = _base->evbase;
....
memset(win32op, 0, sizeof(win32op));
....
}
Windows 8 Driver Samples
V1086 A call of the 'memset' function will lead to underflow of the buffer 'wbuf'. ihvsampleextui.cpp 288
HRESULT
CDot11SampleExtUI::CreateSecurityProperties(....)
{
....
WCHAR wbuf[128];
....
ZeroMemory(wbuf, 128);
....
}
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'wbuf'. ihvsampleextui.cpp 369
Windows 8 Driver Samples
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'deviceInfo->UnicodeSourceIp'. testapp.c 729
typedef struct _DEVICE_INFO
{
....
WCHAR UnicodeSourceIp[MAX_LEN];
WCHAR UnicodeDestIp[MAX_LEN];
....
} DEVICE_INFO, *PDEVICE_INFO;
PDEVICE_INFO FindDeviceInfo(....)
{
....
PDEVICE_INFO deviceInfo = NULL;
....
memcpy(deviceInfo->UnicodeSourceIp,
InputInfo->SourceIp, MAX_LEN);
memcpy(deviceInfo->UnicodeDestIp,
InputInfo->DestIp, MAX_LEN);
....
}
Similar errors can be found in some other places:
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'deviceInfo->UnicodeDestIp'. testapp.c 730
NetXMS
V1086 A call of the 'memset' function will lead to underflow of the buffer 'commandLine'. procinfo.cpp 278
typedef WCHAR TCHAR, *PTCHAR;
static BOOL MatchProcess(....)
{
....
TCHAR commandLine[MAX_PATH];
....
memset(commandLine, 0, MAX_PATH);
....
}
NetXMS
V1086 A call of the 'memset' function will lead to underflow of the buffer 'm_szTitle'. toolbox.cpp 28
typedef WCHAR TCHAR, *PTCHAR;
#define MAX_TOOLBOX_TITLE 64
TCHAR m_szTitle[MAX_TOOLBOX_TITLE];
CToolBox::CToolBox()
{
memset(m_szTitle, 0, MAX_TOOLBOX_TITLE);
}
Multi Theft Auto
V1086 A call of the 'memset' function will lead to underflow of the buffer 'm_buffer'. sharedutil.hash.hpp 216
unsigned char m_buffer[64];
void CMD5Hasher::Finalize ( void )
{
....
// Zeroize sensitive information
memset ( m_buffer, 0, sizeof (*m_buffer) );
....
}
Snes9x
V1086 A call of the 'memset' function will lead to underflow of the buffer '& cht'. ramwatch.cpp 1199
struct ICheat
{
uint32 address;
uint32 new_val;
uint32 saved_val;
int size;
bool8 enabled;
bool8 saved;
char name [22];
int format;
};
struct SCheat
{
uint32 address;
uint8 byte;
uint8 saved_byte;
bool8 saved;
};
void RamWatchEnableCommand(....)
{
....
struct ICheat cht;
....
ZeroMemory(&cht, sizeof(struct SCheat));
....
}
Most likely this is what should be written here: ZeroMemory(&cht, sizeof(struct ICheat));
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer '& cht'. ram_search.cpp 1789
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'new_cheat'. wsnes9x.cpp 9924
VirtualDub
V1086 A call of the 'memcmp' function will lead to underflow of the buffer '"GL_EXT_blend_subtract"'. Riza opengl.cpp 393
bool VDOpenGLBinding::Attach(....) {
....
if (!memcmp(start, "GL_EXT_blend_subtract", 20))
....
}
strlen("GL_EXT_blend_subtract") == 21
FlightGear
V1086 A call of the 'memset' function will lead to underflow of the buffer 'ctx'. md5.c 180
void MD5Final(uint8_t digest[16], struct MD5Context *ctx)
{
....
memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
....
}
Gifticlib
V1086 A call of the 'memset' function will lead to underflow of the buffer 'gim'. gifti_io.c 4097
int gifti_clear_gifti_image(gifti_image * gim)
{
if(!gim) {
fprintf(stderr,"** NULL in clear_gifti_image\n"); return 1;
}
if( G.verb > 5 )
fprintf(stderr,"-- clearing gifti_image\n");
/* set the version and clear all pointers */
memset(gim, 0, sizeof(gim));
....
}
Miranda NG
V1086 A call of the 'memset' function will lead to underflow of the buffer 'logfonts'. TabSRMM msglog.cpp 134
#define MSGDLGFONTCOUNT 22
LOGFONTA logfonts[MSGDLGFONTCOUNT + 2];
void TSAPI CacheLogFonts()
{
int i;
HDC hdc = GetDC(NULL);
logPixelSY = GetDeviceCaps(hdc, LOGPIXELSY);
ReleaseDC(NULL, hdc);
ZeroMemory(logfonts, sizeof(LOGFONTA) * MSGDLGFONTCOUNT + 2);
....
}
Most likely this is what should be written here: ZeroMemory(logfonts, sizeof(LOGFONTA) * (MSGDLGFONTCOUNT + 2));
Miranda NG
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 's_list'. Sessions utils.cpp 288
#define SIZEOF(X) (sizeof(X)/sizeof(X[0]))
int CheckForDuplicate(MCONTACT contact_list[], MCONTACT lparam)
{
MCONTACT s_list[255] = { 0 };
memcpy(s_list, contact_list, SIZEOF(s_list));
for (int i = 0;; i++) {
if (s_list[i] == lparam)
return i;
if (s_list[i] == 0)
return -1;
}
return 0;
}
Similar errors can be found in some other places:
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'session_list'. Sessions main.cpp 143
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'user_session_list'. Sessions main.cpp 143
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'session_list_temp'. Sessions main.cpp 216
- And 5 additional diagnostic messages.
Miranda NG
V1086 A call of the 'memset' function will lead to underflow of the buffer 'Data'. Weather weather_ini.cpp 250
void LoadStationData(...., WIDATA *Data)
{
....
ZeroMemory(Data, sizeof(Data));
....
}
Miranda NG
V1086 A call of the 'memset' function will lead to underflow of the buffer 'msgFrom'. LotusNotify lotusnotify.cpp 760
void checkthread(void*)
{
....
WCHAR msgFrom[512];
WCHAR msgSubject[512];
ZeroMemory(msgFrom,512);
ZeroMemory(msgSubject,512);
....
}
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'msgSubject'. LotusNotify lotusnotify.cpp 761
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'nd->dd_dir.d_name'. glib dirent.c 138
Miranda NG
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'L"mailto:"'. TabSRMM msgdialog.cpp 2085
INT_PTR CALLBACK DlgProcMessage(....)
{
....
CopyMemory(tr.lpstrText, _T("mailto:"), 7);
....
}
Similar errors can be found in some other places:
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'lfFont.lfFaceName'. Xfire userdetails.cpp 206
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'L"%20"'. Weather weather_conv.cpp 476
Spring Engine
V1086 A call of the 'memset' function will lead to underflow of the buffer 'area'. RAI gterrainmap.h 84
#define MAP_AREA_LIST_SIZE 50
struct TerrainMapMobileType
{
TerrainMapMobileType()
{
....
memset(area,0,MAP_AREA_LIST_SIZE); // <=
};
TerrainMapArea *area[MAP_AREA_LIST_SIZE]; // <=
....
};
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'BQ'. RAI builder.cpp 67
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'SL'. RAI unitmanager.cpp 28
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'Group'. RAI unitmanager.cpp 29
- And 1 additional diagnostic messages.
.NET CoreCLR
V1086 A call of the 'memset' function will lead to underflow of the buffer 'pAddExpression'. sos strike.cpp 11973
DECLARE_API(Watch)
{
....
if(addExpression.data != NULL || aExpression.data != NULL)
{
WCHAR pAddExpression[MAX_EXPRESSION];
memset(pAddExpression, 0, MAX_EXPRESSION);
swprintf_s(pAddExpression, MAX_EXPRESSION, L"%S", ....);
Status = g_watchCmd.Add(pAddExpression);
}
....
}
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'pSaveName'. sos strike.cpp 11997
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'pOldName'. sos strike.cpp 12013
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'pNewName'. sos strike.cpp 12016
- And 2 additional diagnostic messages.
Haiku Operation System
V1086 A call of the 'memcmp' function will lead to underflow of the buffer '"Private-key-format: v"'. dst_api.c 858
dst_s_read_private_key_file(....)
{
....
if (memcmp(in_buff, "Private-key-format: v", 20) != 0)
goto fail;
....
}
Haiku Operation System
V1086 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 623
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
void solv_SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
....
/* Clean up state data: */
MEMSET_BZERO(context, sizeof(context));
usedspace = 0;
}
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 644
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 953
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 973
- And 2 additional diagnostic messages.
Unreal Engine 4
V1086 A call of the 'memset' function will lead to underflow of the buffer 'StartTimestampListHandles'. d3d12query.cpp 493
class FD3D12BufferedGPUTiming
{
....
FD3D12CLSyncPoint* StartTimestampListHandles;
FD3D12CLSyncPoint* EndTimestampListHandles;
....
};
void FD3D12BufferedGPUTiming::InitDynamicRHI()
{
....
StartTimestampListHandles = new FD3D12CLSyncPoint[BufferSize];
ZeroMemory(StartTimestampListHandles,
sizeof(StartTimestampListHandles));
EndTimestampListHandles = new FD3D12CLSyncPoint[BufferSize];
ZeroMemory(EndTimestampListHandles,
sizeof(EndTimestampListHandles));
....
}
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'EndTimestampListHandles'. d3d12query.cpp 495
CodeLite
V1086 A call of the 'memset' function will lead to underflow of the buffer 'buffer'. md5.cpp 243
class MD5
{
....
typedef unsigned char uint1;
....
uint1 buffer[64]; // input buffer
....
static void memset(uint1 *start, uint1 val, uint4 length);
....
};
void MD5::finalize ()
{
....
// Zeroize sensitive information
memset (buffer, 0, sizeof(*buffer)); // <=
finalized=1;
}
FreeBSD Kernel
V1086 A call of the 'memset' function will lead to underflow of the buffer 'plog'. nat64lsn.c 218
struct pfloghdr {
u_int8_t length;
sa_family_t af;
u_int8_t action;
u_int8_t reason;
char ifname[IFNAMSIZ];
char ruleset[PFLOG_RULESET_NAME_SIZE];
u_int32_t rulenr;
u_int32_t subrulenr;
uid_t uid;
pid_t pid;
uid_t rule_uid;
pid_t rule_pid;
u_int8_t dir;
u_int8_t pad[3];
};
static void
nat64lsn_log(struct pfloghdr *plog, ....)
{
memset(plog, 0, sizeof(plog)); // <=
plog->length = PFLOG_REAL_HDRLEN;
plog->af = family;
plog->action = PF_NAT;
plog->dir = PF_IN;
plog->rulenr = htonl(n);
plog->subrulenr = htonl(sn);
plog->ruleset[0] = '\0';
strlcpy(plog->ifname, "NAT64LSN", sizeof(plog->ifname));
ipfw_bpf_mtap2(plog, PFLOG_HDRLEN, m);
}
CryEngine V
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'hashableData'. GeomCacheRenderNode.cpp 285
void CGeomCacheRenderNode::Render(....)
{
....
CREGeomCache* pCREGeomCache = iter->second.m_pRenderElement;
....
uint8 hashableData[] =
{
0, 0, 0, 0, 0, 0, 0, 0,
(uint8)std::distance(pCREGeomCache->....->begin(), &meshData),
(uint8)std::distance(meshData....->....begin(), &chunk),
(uint8)std::distance(meshData.m_instances.begin(), &instance)
};
memcpy(hashableData,pCREGeomCache,sizeof(pCREGeomCache)); // <=
....
}
Tizen
V1086 A call of the 'memset' function will lead to underflow of the buffer 'req_id_used'. bt-service-util.c 38
typedef int gint;
typedef gint gboolean;
#define BT_REQUEST_ID_RANGE_MAX 245
static gboolean req_id_used[BT_REQUEST_ID_RANGE_MAX];
void _bt_init_request_id(void)
{
assigned_id = 0;
memset(req_id_used, 0x00, BT_REQUEST_ID_RANGE_MAX);
}
Tizen
V1086 A call of the 'memset' function will lead to underflow of the buffer 'formatted_number'. i18ninfo.c 544
typedef short unsigned int i18n_uchar;
#define BUF_SIZE 1000
static int __get_number_format(char *input_number)
{
....
i18n_uchar formatted_number[BUF_SIZE];
....
memset(formatted_number, 0, BUF_SIZE);
....
}
Ardour
V1086 A call of the 'memset' function will lead to underflow of the buffer 'error_buffer'. ardour_http.cc 142
class HttpGet {
....
char error_buffer[CURL_ERROR_SIZE];
....
};
HttpGet::HttpGet (bool p, bool ssl)
: persist (p)
, _status (-1)
, _result (-1)
{
memset (error_buffer, 0, sizeof (*error_buffer));
....
}
Chromium
V1086 CWE-682 A call of the 'memset' function will lead to underflow of the buffer 'key_event->text'. event_conversion.cc 435
#if defined(WIN32)
typedef wchar_t WebUChar;
#else
typedef unsigned short WebUChar;
#endif
static const size_t kTextLengthCap = 4;
class WebKeyboardEvent : public WebInputEvent {
....
WebUChar text[kTextLengthCap];
WebUChar unmodified_text[kTextLengthCap];
....
};
WebKeyboardEvent* BuildCharEvent(const InputEventData& event)
{
WebKeyboardEvent* key_event = new WebKeyboardEvent(....);
....
memset(key_event->text, 0, text_length_cap);
memset(key_event->unmodified_text, 0, text_length_cap);
....
}
Confusion between the number of elements in the array and the size of the buffer in bytes.
Similar errors can be found in some other places:
- V1086 CWE-682 A call of the 'memset' function will lead to underflow of the buffer 'key_event->unmodified_text'. event_conversion.cc 436
WebRTC
V1086 CWE-682 A call of the 'memset' function will lead to underflow of the buffer '_jumpBuf'. rtt_filter.cc 52
class VCMRttFilter {
....
enum { kMaxDriftJumpCount = 5 };
....
int64_t _jumpBuf[kMaxDriftJumpCount];
int64_t _driftBuf[kMaxDriftJumpCount];
....
};
void VCMRttFilter::Reset() {
_gotNonZeroUpdate = false;
_avgRtt = 0;
_varRtt = 0;
_maxRtt = 0;
_filtFactCount = 1;
_jumpCount = 0;
_driftCount = 0;
memset(_jumpBuf, 0, kMaxDriftJumpCount);
memset(_driftBuf, 0, kMaxDriftJumpCount);
}
Confusion between the number of elements in the array and the size of the buffer in bytes.
Command & Conquer
V1086 A call of the 'memset' function will lead to underflow of the buffer 'Buffer'. KEYBOARD.CPP 96
unsigned short Buffer[256];
WWKeyboardClass::WWKeyboardClass(void)
{
....
memset(Buffer, 0, 256);
....
}
Qt
V1086 [CWE-682] A call of the 'memset' function will lead to underflow of the buffer 'm_keys'. qv4estable.cpp 57
ESTable::ESTable()
: m_capacity(8)
{
m_keys = (Value*)malloc(m_capacity * sizeof(Value));
m_values = (Value*)malloc(m_capacity * sizeof(Value));
memset(m_keys, 0, m_capacity);
memset(m_values, 0, m_capacity);
}
Microsoft PowerToys
V1086 A call of the 'memset' function will lead to underflow of the buffer 'keyEventList'. KeyboardEventHandlers.cpp 16
typedef struct tagINPUT {
DWORD type;
union
{
MOUSEINPUT mi;
KEYBDINPUT ki;
HARDWAREINPUT hi;
} DUMMYUNIONNAME;
} INPUT, *PINPUT, FAR* LPINPUT;
void SetNumLockToPreviousState(....)
{
int key_count = 2;
LPINPUT keyEventList = new INPUT[size_t(key_count)]();
memset(keyEventList, 0, sizeof(keyEventList));
....
}