Мы используем куки, чтобы пользоваться сайтом было удобно.
to the top
close form

Заполните форму в два простых шага ниже:

Ваши контактные данные:

Шаг 1
Поздравляем! У вас есть промокод!

Тип желаемой лицензии:

Шаг 2
Team license
Enterprise license
** Нажимая на кнопку, вы даете согласие на обработку
своих персональных данных. См. Политику конфиденциальности
close form
Запросите информацию о ценах
Новая лицензия
Продление лицензии
--Выберите валюту--
* Нажимая на кнопку, вы даете согласие на обработку
своих персональных данных. См. Политику конфиденциальности

close form
Бесплатная лицензия PVS‑Studio для специалистов Microsoft MVP
* Нажимая на кнопку, вы даете согласие на обработку
своих персональных данных. См. Политику конфиденциальности

close form
Для получения лицензии для вашего открытого
проекта заполните, пожалуйста, эту форму
* Нажимая на кнопку, вы даете согласие на обработку
своих персональных данных. См. Политику конфиденциальности

close form
Мне интересно попробовать плагин на:
* Нажимая на кнопку, вы даете согласие на обработку
своих персональных данных. См. Политику конфиденциальности

close form
check circle
Ваше сообщение отправлено.

Мы ответим вам на

Если вы так и не получили ответ, пожалуйста, проверьте папку
Spam/Junk и нажмите на письме кнопку "Не спам".
Так Вы не пропустите ответы от нашей команды.

Примеры ошибок, обнаруженных с помощью …

Примеры ошибок, обнаруженных с помощью диагностики V557

V557. Possible array overrun.


V557 Array overrun is possible. The '9' index is pointing beyond array bound. VirtualDub f_convolute.cpp 73

struct ConvoluteFilterData {
 long m[9];
 long bias;
 void *dyna_func;
 DWORD dyna_size;
 DWORD dyna_old_protect;
 BOOL fClip;

static unsigned long __fastcall do_conv(
  unsigned long *data,
  const ConvoluteFilterData *cfd,
  long sflags, long pit)
  long rt0=cfd->m[9], gt0=cfd->m[9], bt0=cfd->m[9];

Dynamic Universal Music Bibliotheque

V557 Array overrun is possible. The '14' index is pointing beyond array bound. dumb_static readdsmf.c 34

struct IT_SAMPLE
  unsigned char filename[14];

static int it_riff_dsmf_process_sample(
  IT_SAMPLE * sample, const unsigned char * data, int len)
  int flags;
  memcpy( sample->filename, data, 13 );
  sample->filename[ 14 ] = 0;

This is what should have been written here: sample->filename[ 13 ] = 0;


V557 Array overrun is possible. The '64' index is pointing beyond array bound. stickies stickies.cpp 7947

#define FINDBUFFLEN 64  // Max buffer find/replace size

int WINAPI Sticky (HWND hwnd, UINT message,
  WPARAM wParam, LPARAM lParam)
  static char  findWhat[FINDBUFFLEN] = {'\0'};
  findWhat[FINDBUFFLEN] = '\0';

Wolfenstein 3D

V557 Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_cmd.c 1069

typedef struct bot_state_s
  char teamleader[32]; //netname of the team leader
}  bot_state_t;

void BotMatch_StartTeamLeaderShip(
  bot_state_t *bs, bot_match_t *match)
  bs->teamleader[sizeof( bs->teamleader )] = '\0';

-1 is missing. The same error can be found in Quake 3.

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_team.c 548

Wolfenstein 3D

V557 Array overrun is possible. The '3' index is pointing beyond array bound. renderer tr_shade_calc.c 679

void RB_CalcColorFromOneMinusEntity(unsigned char *dstColors) {
  unsigned char invModulate[3];
  invModulate[0] = 255 - backEnd.currentEntity->e.shaderRGBA[0];
  invModulate[1] = 255 - backEnd.currentEntity->e.shaderRGBA[1];
  invModulate[2] = 255 - backEnd.currentEntity->e.shaderRGBA[2];
  // this trashes alpha, but the AGEN block fixes it
  invModulate[3] = 255 - backEnd.currentEntity->e.shaderRGBA[3];

The same error can be found in Quake 3.

IPP Samples

V557 Array overrun is possible. The '30' index is pointing beyond array bound. avs_enc umc_avs_enc_compressor_enc_b.cpp 495

struct AVS_MB_INFO
  Ipp8u refIdx[AVS_DIRECTIONS][4];

void AVSCompressor::GetRefIndiciesBSlice(void){
  if (m_pMbInfo->predType[0] & predType)
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][0];
    iRefNum += 1;
  if (m_pMbInfo->predType[1] & predType)
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][1];
    iRefNum += 1;
  if (m_pMbInfo->predType[2] & predType)
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][2];
    iRefNum += 1;
  if (m_pMbInfo->predType[3] & predType)
    m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][30];
    iRefNum += 1;

The programmer's hand faltered and now we have 30 instead of 3.

IPP Samples

V557 Array overrun is possible. The '3' index is pointing beyond array bound. mp3_enc mp3enc_psychoacoustic_fp.c 726

typedef struct
} mpaPsychoacousticBlock;

static void mp3encPsy_short_window(....)
  if (win_counter == 0) {
    nb_s = pBlock->nb_short[0][3];

This is what should have been written here: 2.


V557 Array overrun is possible. The value of 'r0 + r1 + 2' index could reach 24. libmp3lame takehiro.c 895

#define SBMAX_l       22
int l[1+SBMAX_l];

inline static void
recalc_divide_init(const lame_internal_flags * const gfc, ...)
  int r0, r1;

  for (r0 = 0; r0 < 16; r0++) {
    for (r1 = 0; r1 < 8; r1++) {
      int a2 = gfc->scalefac_band.l[r0 + r1 + 2];

Irrlicht Engine

V557 Array overrun is possible. The value of 'i * 3 + 0' index could reach 765. Irrlicht cimageloaderpcx.cpp 113

struct SPCXHeader {
  u8   Palette[48];
  u8   Reserved;
  u8   Planes;
  u16  BytesPerLine;

IImage* CImageLoaderPCX::loadImage(io::IReadFile* file) const
  for( s32 i=0; i<256; i++ )
    paletteData[i] = (header.Palette[i*3+0] << 16) |
     (header.Palette[i*3+1] << 8) |

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i * 3 + 1' index could reach 766. Irrlicht cimageloaderpcx.cpp 114
  • V557 Array overrun is possible. The value of 'i * 3 + 2' index could reach 767. Irrlicht cimageloaderpcx.cpp 115


V557 Array overrun is possible. The value of 'i + 1' index could reach 7. pj_geotrans datum.c 367

#define DATUM_CODE_LENGTH           7

typedef struct Datum_Table_Row
} Datum_Row;

long Initialize_Datums_File(const char *File_7Parms,
                            const char *File_3Parms)
  for (i = 0; i < DATUM_CODE_LENGTH; i++)
    Datum_Table_3Param[index].Code[i] =

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i + 1' index could reach 7. pj_geotrans datum.c 630
  • V557 Array overrun is possible. The value of 'i + 1' index could reach 30. pj_geotrans ellipse.c 209
  • V557 Array overrun is possible. The value of 'i + 1' index could reach 30. pj_geotrans ellipse.c 326


V557 Array overrun is possible. The value of 'i' index could reach 367. cmlibarchive archive_windows.c 1140

static const struct {
    DWORD       winerr;
    int     doserr;
} doserrors[] =

static void
la_dosmaperr(unsigned long e)
  for (i = 0; i < sizeof(doserrors); i++)
    if (doserrors[i].winerr == e)
      errno = doserrors[i].doserr;

This is what should have been written here: sizeof(doserrors) / sizeof(*doserrors)

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 367. cmlibarchive archive_windows.c 1142

Energy Checker SDK

V557 Array overrun is possible. The '255' index is pointing beyond array bound. pl2ganglia pl2ganglia.c 1114

#define PL_MAX_PATH 255

char name[PL_MAX_PATH];

int main(int argc, char *argv[]) {
  ] = '\0';

This is what should have been written here: PL2GANFLIA_COUNTER_MAX_LENGTH - 1

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '255' index is pointing beyond array bound. pl2ganglia pl2ganglia.c 1134


V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1482

static void move_dir_to_dir(....)
  szFrom[lstrlenW(szFrom) + 1] = '\0';

Very suspicious code. Something different must have been intended.

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'lstrlenW (szTo) + 1' index could reach 260. shell32 shlfileop.c 1192
  • V557 Array overrun is possible. The value of 'lstrlenW (szFrom) + 1' index could reach 260. shell32 shlfileop.c 1196
  • V557 Array overrun is possible. The value of 'lstrlenW (curdir) + 1' index could reach 261. shell32 shlfileop.c 1274

IPP Samples

V557 Array overrun is possible. The value of 'j' index could reach 2. mp3_enc mp3enc_psychoacoustic_fp.c 361

Ipp32f pa_nb_long[NUM_CHANNELS][2][MAX_PPT_LONG];

MP3Status mp3enc_psychoacousticInit(....)
  for (ch = 0; ch < NUM_CHANNELS; ch++)
    for (i = 0; i < MAX_PPT_LONG; i++) {
      for (j = 0; j < 3; j++)
        state->pa_nb_long[ch][j][i] = (Ipp32f)1.0e30;

This is what should have been written here: for (j = 0; j < 2; j++)

IPP Samples

V557 Array overrun is possible. The value of 't * 12 + j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 275

typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];

static void mp3enc_scale_factor_calc_l2(MP3Enc *state)
  for (ch = 0; ch < stereo + state->com.mc_channel; ch++) {
    for (t = 0; t < 3; t++) {
      for (sb = 0; sb < sblimit_real; sb++){
        for (j = 0; j < 12; j++)
          fbout[j] = state->fbout_data[ch][0][t * 12 + j][sb];

If it can be possible that t == 2, while j == 11, an array overrun will occur.

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 's * 12 + j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 580

IPP Samples

V557 Array overrun is possible. The value of 'j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 639

typedef Ipp32f samplefbout[2][18][32];
samplefbout fbout_data[NUM_CHANNELS];

static void mp3enc_join_LR_l2(MP3Enc *state)
  Ipp32s sb, j;
  Ipp32s sblimit_real = state->com.sblimit_real;

  for (sb = 0; sb < sblimit_real; sb++)
    for (j = 0; j < 36; j++)
      state->fbout_data[2][0][j][sb] =
        0.5f * (state->fbout_data[0][0][j][sb] +

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'j' index could reach 35. mp3_enc mp3enc_quantization_12_fp.c 640


V557 Array overrun is possible. The value of 'n' index could reach 479. iSAC encode.c 1307

#define FRAMESAMPLES_HALF      240
#define FRAMESAMPLES           480

typedef struct {
} ISACUBSaveEncDataStruct;

int WebRtcIsac_EncodeStoredDataUb12(....)
  for(n = 0; n < FRAMESAMPLES; n++)
    realFFT[n] = (WebRtc_Word16)
      (scale * (float)ISACSavedEnc_obj->realFFT[n] + 0.5f);
    imagFFT[n] = (WebRtc_Word16)
      (scale * (float)ISACSavedEnc_obj->imagFFT[n] + 0.5f);

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'n' index could reach 479. iSAC encode.c 1308

Doom 3

V557 Array overrun is possible. The value of 'j' index could reach 5. DoomDLL tr_stencilshadow.cpp 551

static bool R_ClipLineToLight(..., const idPlane frustum[4], ...)
  for ( j = 0 ; j < 6 ; j++ ) {
    d1 = frustum[j].Distance( p1 );
    d2 = frustum[j].Distance( p2 );

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'j' index could reach 5. DoomDLL tr_stencilshadow.cpp 552

Mozilla Firefox

V557 Array overrun is possible. The value of 'i' index could reach 19. detectcharset.cpp 89

class nsBaseStatis : public nsStatis {
  PRUint32 mLWordLen[10];
    unsigned char aL, unsigned char aH, float aR)
    for(PRUint32 i = 0; i < 20; i++)
       mLWordLen[i] = 0;


This is what should have been written here: for(PRUint32 i = 0; i < 10; i++) or: for(PRUint32 i = 0; i < sizeof(mLWordLen)/sizeof(mLWordLen[0]); i++)


V557 Array overrun is possible. The value of 'i' index could reach 3. game g_main.c 776

int   numteamVotingClients[2];

void CalculateRanks( void ) {
  for ( i = 0; i < TEAM_NUM_TEAMS; i++ ) {
    level.numteamVotingClients[i] = 0;


V557 Array overrun is possible. The value of 'i' index could reach 46. Notepad++ preferencedlg.cpp 984

int encodings[] = {

BOOL CALLBACK DefaultNewDocDlg::run_dlgProc(
  UINT Message, WPARAM wParam, LPARAM)
  for (int i = 0 ; i <= sizeof(encodings)/sizeof(int) ; i++)
    int cmdID = em->getIndexFromEncoding(encodings[i]);

This is what should have been written here: i < sizeof(encodings)/sizeof(int)

Trinity Core

V557 Array overrun is possible. The value of 'i' index could reach 39. libmysql ctype-czech.c 260

static struct wordvalue doubles[] = {
 { "ch", (uchar*) "\014\031\057\057" },
 { "Ch", (uchar*) "\014\031\060\060" },
 { "CH", (uchar*) "\014\031\061\061" },
 { "c",  (uchar*) "\005\012\021\021" },
 { "C",  (uchar*) "\005\012\022\022" },

#define NEXT_CMP_VALUE(src, p, store, pass, value, len) \
while (1)                                      \
{                                              \
  ......                                       \
  for (i = 0; i < (int) sizeof(doubles); i++)  \
  {                                            \
    const char * pattern = doubles[i].word;    \
    ...                                        \
    }                                          \
  }                                            \
  ......                                       \

An incorrect macro NEXT_CMP_VALUE.


V557 Array overrun is possible. The '9' index is pointing beyond array bound. ge_phys_bullet ccdphysicscontroller.cpp 867

void CcdPhysicsController::RelativeRotate(
  const float rotval[9], bool local)
  btMatrix3x3 drotmat(

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '10' index is pointing beyond array bound. ge_phys_bullet ccdphysicscontroller.cpp 868


V557 Array overrun is possible. The '7' index is pointing beyond array bound. vfont.cc 612

typedef struct BezTriple
  float vec[3][3];

void BKE_vfont_build_char(....)
  BezTriple *bezt2 = (BezTriple *)MEM_malloc_arrayN(u,
                                                    "duplichar_bezt2" );
  for (int i = nu2->pntsu; i > 0; i--)
    float *fp = bezt2->vec[0];
    fp[0] = (fp[0] + ofsx) * fsize;
    fp[1] = (fp[1] + ofsy) * fsize;
    fp[3] = (fp[3] + ofsx) * fsize;
    fp[4] = (fp[4] + ofsy) * fsize;
    fp[6] = (fp[6] + ofsx) * fsize;
    fp[7] = (fp[7] + ofsy) * fsize;

Trans-Proteomic Pipeline

V557 Array overrun is possible. The '3' index is pointing beyond array bound. crypt crypt.cxx 567

int main(int argc, char **argv) {
  char salt[3];
  salt[0] = (argc>2)?(argv[1][0]):rndChar[rand() % 64];
  salt[1] = (argc>2)?(argv[1][1]):rndChar[rand() % 64];
  salt[3] = 0;

This is what should have been written here: salt[2] = 0;

Visualization Toolkit (VTK)

V557 Array overrun is possible. The '6' index is pointing beyond array bound. vtkGraphics vtkcursor2d.cxx 313

void vtkCursor2D::SetModelBounds(double bounds[6])
  this->SetModelBounds(bounds[0], bounds[1], bounds[2],
                       bounds[3], bounds[6], bounds[5]);

This is what should have been written here: bounds[4].


V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 39

static uint crc_tables[8][256];

void InitCRC()
  // Build additional lookup tables.
  for (uint I=0;I<=256;I++)
    uint C=crc_tables[0][I];
    for (uint J=1;J<8;J++)

Skia Graphics Engine

V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1480

static void p3d_interp(const SkScalar src[3],
                       SkScalar dst[3], SkScalar t) {
    SkScalar ab = SkScalarInterp(src[0], src[3], t);
    SkScalar bc = SkScalarInterp(src[3], src[6], t);
    dst[0] = ab;
    dst[3] = SkScalarInterp(ab, bc, t);
    dst[6] = bc;

void SkConic::chopAt(SkScalar t, SkConic dst[2]) const {
  SkP3D tmp[3], tmp2[3];

  ratquad_mapTo3D(fPts, fW, tmp);

  p3d_interp(&tmp[0].fX, &tmp2[0].fX, t);
  p3d_interp(&tmp[0].fY, &tmp2[0].fY, t);
  p3d_interp(&tmp[0].fZ, &tmp2[0].fZ, t);

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1481
  • V557 Array overrun is possible. The '6' index is pointing beyond array bound. skgeometry.cpp 1481
  • V557 Array overrun is possible. The '3' index is pointing beyond array bound. skgeometry.cpp 1483
  • And 1 additional diagnostic messages.


V557 Array overrun is possible. The value of 'i' index could reach 2. shader_bench.cc 152

static const int kNumPainters = 3;

static const struct {
  const char* name;
  GPUPainter* painter;
} painters[] = {
  { "CPU CSC + GPU Render", new CPUColorPainter() },
  { "GPU CSC/Render", new GPUColorWithLuminancePainter() },

int main(int argc, char** argv) {
  // Run GPU painter tests.
  for (int i = 0; i < kNumPainters; i++) {
    scoped_ptr<GPUPainter> painter(painters[i].painter);

Multi Theft Auto

V557 Array overrun is possible. The '7' index is pointing beyond array bound. cjoystickmanager.cpp 1003

  bool    bEnabled;
  long    lMax;
  long    lMin;
  DWORD   dwType;
} axis[7];

bool CJoystickManager::IsXInputDeviceAttached ( void )
  m_DevInfo.axis[6].bEnabled = 0;
  m_DevInfo.axis[7].bEnabled = 0;

Multi Theft Auto

V557 Array overrun is possible. The '3' index is pointing beyond array bound. cwatermanagersa.cpp 595

class CWaterPolySAInterface
    WORD m_wVertexIDs[3];

CWaterPoly* CWaterManagerSA::CreateQuad (....)
  pInterface->m_wVertexIDs [ 0 ] = pV1->GetID ();
  pInterface->m_wVertexIDs [ 1 ] = pV2->GetID ();
  pInterface->m_wVertexIDs [ 2 ] = pV3->GetID ();
  pInterface->m_wVertexIDs [ 3 ] = pV4->GetID ();

Multi Theft Auto

V557 Array overrun is possible. The value of 'i' index could reach 3. cmainmenu.cpp 1062


CGUILabel* m_pNewsItemLabels[CORE_MTA_NEWS_ITEMS];
CGUILabel* m_pNewsItemShadowLabels[CORE_MTA_NEWS_ITEMS];

void CMainMenu::SetNewsHeadline (....)
  for ( char i=0; i <= CORE_MTA_NEWS_ITEMS; i++ )
    m_pNewsItemLabels[ i ]->SetFont ( szFontName );
    m_pNewsItemShadowLabels[ i ]->SetFont ( szFontName );

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 3. cmainmenu.cpp 1063

Portable UnRAR

V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 35

static uint crc_tables[8][256]; // Tables for Slicing-by-8.

void InitCRC()
  for (uint I=0;I<=256;I++)
    uint C=crc_tables[0][I];
    for (uint J=1;J<8;J++)

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'I' index could reach 256. crc.cpp 39

Multi Theft Auto

V557 Array overrun is possible. The value of 'i' index could reach 19. cpoolssa.cpp 1036

enum ePools {

void CPoolsSA::DumpPoolsStatus ()
  char*  poolNames[] = {
    "Buildings", "Peds", "Objects", "Dummies", "Vehicles",
    "ColModels", "Tasks", "Events", "TaskAllocators",
    "PedIntelligences", "PedAttractors", "EntryInfoNodes",
    "NodeRoutes", "PatrolRoutes", "PointRoutes",
    "PointerNodeDoubleLinks", "PointerNodeSingleLinks" };

    int poolSizes[] = {
      64,32,64,3200,70000 };

    int iPosition = 0;
    char percent = '%';
    iPosition += snprintf ( szOutput, 1024,
                            "-----------------\n" );
    for ( int i = 0; i < MAX_POOLS; i++ )
      int usedSpaces = GetNumberOfUsedSpaces ( (ePools)i );
      iPosition +=
        snprintf ( szOutput + iPosition, 1024 - iPosition,
                   "%s: %d (%d) (%.2f%c)\n", poolNames[i],
                   usedSpaces, poolSizes[i],
                   percent  );
    #ifdef MTA_DEBUG
    OutputDebugString ( szOutput );


V557 Array overrun is possible. The value of 'i' index could reach 7. itraqanalyzer.c 232

static const Int CHANNELS_FOURPLEX[4][1];
static const Int CHANNELS_EIGHTPLEX[8][1];

ExitCodes main_(int, const char **)
  if (itraq_type == ItraqQuantifier::FOURPLEX)
    for (Size i = 0; i < 4; ++i)
      std::vector<std::pair<String, DoubleReal> > one_label;
      one_label.push_back(std::make_pair<String, DoubleReal>(
        String("Channel ") +
  else //ItraqQuantifier::EIGHTPLEX
    for (Size i = 0; i < 8; ++i)
      std::vector<std::pair<String, DoubleReal> > one_label;
      one_label.push_back(std::make_pair<String, DoubleReal>(
        String("Channel ") +

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 7. tmtanalyzer.c 225


V557 Array overrun is possible. The value of 'i' index could reach 255. edwardslippertiterator.c 134

DoubleReal masse_[255]; // <= mass table

    const EdwardsLippertIterator & source) :
  for (Size i = 0; i < 256; i++)
    masse_[i] = source.masse_[i];


V557 Array overrun is possible. The '2' index is pointing beyond array bound. mayadmtypes.h 48

struct short2
  short values[2];
  short2(short s1, short s2)
    values[0] = s1;
    values[2] = s2;


V557 Array overrun is possible. The value of 'i' index could reach 64. markovfunctional.cpp 176

Handle<YieldTermStructure> md0Yts() {
  double q6mh[] = {
    0.02336,0.02407,0.0245 };
  for(int i=0;i<10+18+37;i++) {
      boost::shared_ptr<Quote>(new SimpleQuote(q6mh[i])));

Geant4 software

V557 Array overrun is possible. The value of 'i' index could reach 179. g4lepp.cc 62

enum { NENERGY=22, NANGLE=180 };

class G4LEpp : public G4HadronicInteraction
  G4float * sig[NANGLE];
  static G4float SigCoul[NENERGY][NANGLE];

G4LEpp::SetCoulombEffects(G4int State)
  if (State) {
    for(G4int i=0; i<NANGLE; i++)
      sig[i] = SigCoul[i];
    elab = ElabCoul;

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 179. g4lepp.cc 69

Geant4 software

V557 Array overrun is possible. The value of 'j' index could reach 7. g4heinelastic.cc 4682

  G4double alem[] = {1.40, 2.30, 2.70, 3.00, 3.40, 4.60, 7.00};
  for (j = 1; j < 8; j++) {
    if (alekw < alem[j]) {
      jmax = j;

Source Engine SDK

V557 Array overrun is possible. The value of 'i' index could reach 5. Client (HL2) hud_weaponselection.cpp 632

#define MAX_WEAPON_SLOTS    6  // hud item selection slots

void CHudWeaponSelection::Paint()
  int xModifiers[] = { 0, 1, 0, -1 };
  int yModifiers[] = { -1, 0, 1, 0 };

  for ( int i = 0; i < MAX_WEAPON_SLOTS; ++i )
    xPos += ( m_flMediumBoxWide + 5 ) * xModifiers[ i ];
    yPos += ( m_flMediumBoxTall + 5 ) * yModifiers[ i ];

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 5. Client (HL2) hud_weaponselection.cpp 633

Miranda IM

V557 Array underrun is possible. The value of 'index' index could reach -1. controls.cpp 491

const int idToIndex(const int id) const
  for(int i = 0; i < NR_BUTTONS; i++) {
    if(m_TbButtons[i].idCommand == id )

TBBUTTON CMenuBar::m_TbButtons[8] = {0};

void CMenuBar::invoke(const int id)
  const int index = idToIndex(id);
  if(index == 3 && hContact != 0) {
  } else if(index == 0) {
  } else
    hMenu = reinterpret_cast<HMENU>(m_TbButtons[index].dwData);


V557 Array overrun is possible. The '3' index is pointing beyond array bound. somfcolorrgba.cpp 220

SoMFColorRGBA::set1HSVValue(int idx, const float hsva[3])
  this->set1HSVValue(idx, hsva[0], hsva[1], hsva[2], hsva[3]);

Wild Magic 5

V557 Array overrun is possible. The value of 'curr' index could reach 2. wm5triangles.cpp 365

void Triangles::UpdateModelTangentsUseTCoords(....)
  Float2 locTCoord[2];
  int curr;
  for (curr = 0; curr < 3; ++curr)
    locTCoord[curr] = vba.TCoord<Float2>(0, k);

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'curr' index could reach 2. wm5triangles.cpp 382


V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1717

enum {

int eseat_status[MAX_EJECTION_SEATS];

FGControls::set_ejection_seat( int which_seat, bool val )
  if ((which_seat >= 0) && (which_seat <= MAX_EJECTION_SEATS))
    if ( eseat_status[which_seat] == SEAT_SAFED ||
         eseat_status[which_seat] == SEAT_FAIL )

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1718
  • V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1724
  • V557 Array overrun is possible. The value of 'which_seat' index could reach 10. controls.cxx 1738


V557 Array overrun is possible. The '8' index is pointing beyond array bound. mjpegenc.c 497

void ff_mjpeg_encode_mb(MpegEncContext *s,
                        int16_t block[6][64])
    int i;
    if (s->chroma_format == CHROMA_444) {
        encode_block(s, block[0], 0);
        encode_block(s, block[2], 2);
        encode_block(s, block[4], 4);
        encode_block(s, block[8], 8);
        encode_block(s, block[5], 5);
        encode_block(s, block[9], 9);

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '9' index is pointing beyond array bound. mjpegenc.c 499
  • V557 Array overrun is possible. The '6' index is pointing beyond array bound. mjpegenc.c 504
  • V557 Array overrun is possible. The '10' index is pointing beyond array bound. mjpegenc.c 505
  • And 4 additional diagnostic messages.

Word for Windows 1.1a

V557 Array overrun is possible. The '5' index is pointing beyond array bound. dnatfile.c 444

uns rgwSpare0 [5];

  printUns ("rgwSpare0[0]   = ", Fib.rgwSpare0[5], 0, 0, fTrue);
  printUns ("rgwSpare0[1]   = ", Fib.rgwSpare0[1], 1, 1, fTrue);
  printUns ("rgwSpare0[2]   = ", Fib.rgwSpare0[2], 0, 0, fTrue);
  printUns ("rgwSpare0[3]   = ", Fib.rgwSpare0[3], 1, 1, fTrue);
  printUns ("rgwSpare0[4]   = ", Fib.rgwSpare0[4], 2, 2, fTrue);

This is what should have been written here: printUns ("rgwSpare0[0] = ", Fib.rgwSpare0[0], 0, 0, fTrue);


V557 Array overrun is possible. The value of 'j' index could reach 4. harfbuzz-arabic.c 516

static const JoiningPair joining_table[5][4] = { .... };

typedef enum {
} Joining;

static Joining getNkoJoining(unsigned short uc)
    if (uc < 0x7ca)
        return JNone;
    if (uc <= 0x7ea)
        return JDual;
    if (uc <= 0x7f3)
        return JTransparent;
    if (uc <= 0x7f9)
        return JNone;
    if (uc == 0x7fa)
        return JCausing;
    return JNone;

static void getNkoProperties(....)
  Joining j = getNkoJoining(chars[0]);
  ArabicShape shape = joining_table[XIsolated][j].form2;


V557 Array underrun is possible. The value of 'idx' index could reach -1. diff_file.c 1052

static int
datasource_to_index(svn_diff_datasource_e datasource)
  switch (datasource)
  return -1;

static svn_error_t *
  int idx = datasource_to_index(file_token[i]->datasource);
  file[i] = &file_baton->files[idx];


V557 Array overrun is possible. The value of 'idx' index could reach 3. esmtool labels.cpp 502

std::string rangeTypeLabel(int idx)
  const char* rangeTypeLabels [] = {
  if (idx >= 0 && idx <= 3)
    return rangeTypeLabels[idx];
    return "Invalid";

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'idx' index could reach 143. esmtool labels.cpp 391
  • V557 Array overrun is possible. The value of 'idx' index could reach 27. esmtool labels.cpp 475


V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 153

typedef struct LogState {
  int     fakeFd;
  char   *debugName;
  int     isBinary;
} LogState;

#define MAX_OPEN_LOGS 16

static LogState *openLogTable[MAX_OPEN_LOGS];

static LogState *createLogState()
  size_t i;

  for (i = 0; i < sizeof(openLogTable); i++) {
    if (openLogTable[i] == NULL) {
      openLogTable[i] = calloc(1, sizeof(LogState));
      openLogTable[i]->fakeFd = FAKE_FD_BASE + i;
      return openLogTable[i];
  return NULL;

This is what should have been written here: sizeof(openLogTable) / sizeof(openLogTable[0]).

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 154
  • V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 155
  • V557 Array overrun is possible. The value of 'i' index could reach 63. fake_log_device.c 156


V557 Array overrun is possible. The value of 'btn' index could reach 52. ccapi_snapshot.c 38

cc_string_t lineLabels[MAX_CONFIG_LINES+1] = {0};

void ccsnap_set_line_label(int btn, cc_string_t label) {
  if ( btn > 0 && btn <= MAX_CONFIG_LINES+1 ) {
    if ( lineLabels[btn] == NULL ) {


V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 357

#define MAX_CCMS 4

ccm_cfg_t   ccm[MAX_CCMS];

var_t prot_cfg_table[CFGID_PROTOCOL_MAX+1] = {
  {"ccmSrstIpAddr",   CFGVAR(ccm[4].address), PA_STR, PR_STR, 0},
  {"ccmSrst_sipPort", CFGVAR(ccm[4].sip_port),PA_INT, PR_INT, 0},
  {"ccmSrst_isValid", CFGVAR(ccm[4].is_valid),PA_INT, PR_INT, 0},
                    CFGVAR(ccm[4].sec_level), PA_INT, PR_INT, 0},

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 358
  • V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 359
  • V557 Array overrun is possible. The '4' index is pointing beyond array bound. prot_cfgmgr_private.h 360


V557 Array overrun is possible. The value of '_vType' index could reach 29. metautils.cxx 239


const char MET_ValueTypeName[MET_NUM_VALUE_TYPES][21] = { ... };

bool MET_TypeToString(MET_ValueEnumType _vType, char *_s)
  if(_vType>=0 && _vType<=MET_NUM_VALUE_TYPES)
    strcpy(_s, MET_ValueTypeName[_vType]);
    return true;

  return false;

Haiku Operation System

V557 Array overrun is possible. The '8' index is pointing beyond array bound. floppy_ctrl.c 637

typedef struct floppy {
  uint8 result[8]; /* status of the last finished command */

floppy_dump_reg(floppy_t *flp) {
  //uint8 result[10];           // <= This was correct!
  uint8 *result = flp->result;  // <= Bad fix! :)
  dprintf(FLO "gap=%d wg=%d eis=%d fifo=%d "
              "poll=%d thresh=%d pretrk=%d\n",
    (result[7] & 0x02) >> 1, result[7] & 0x01,
    (result[8] & 0x40) >> 6,
    (result[8] & 0x20) >> 5, (result[8] & 0x10) >> 4,
     result[8] & 0x0f, result[9]);

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '9' index is pointing beyond array bound. floppy_ctrl.c 638

Godot Engine

V557 Array overrun is possible. The 'Physics2DServer::SHAPE_CONVEX_POLYGON' index is pointing beyond array bound. test_physics_2d.cpp 194

enum ShapeType {

BodyShapeData body_shape_data[6];
void _create_body_shape_data()

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The 'Physics2DServer::SHAPE_CONVEX_POLYGON' index is pointing beyond array bound. test_physics_2d.cpp 209

Wine Is Not an Emulator

V557 Array overrun is possible. The '16' index is pointing beyond array bound. winaspi32.c 232

/* SCSI Miscellaneous Stuff */
#define SENSE_LEN      14

typedef struct tagSRB32_ExecSCSICmd {
  BYTE        SenseArea[SENSE_LEN+2];

static void
ASPI_PrintSenseArea(SRB_ExecSCSICmd *prb)
  BYTE  *rqbuf = prb->SenseArea;
  if (rqbuf[15]&0x8) {
    TRACE("Pointer at %d, bit %d\n",
          rqbuf[16]*256+rqbuf[17],rqbuf[15]&0x7);      // <=

Unreal Engine 4

V557 Array overrun is possible. The 'NumOutUAVs ++' index is pointing beyond array bound. distancefieldlightingshared.h 388

template<typename TParamRef>
void UnsetParameters(
  FRHICommandList& RHICmdList, const TParamRef& ShaderRHI,
  const FDistanceFieldCulledObjectBuffers& ObjectBuffers)
  int32 NumOutUAVs = 0;
  FUnorderedAccessViewRHIParamRef OutUAVs[3];
  OutUAVs[NumOutUAVs++] = ObjectBuffers......;
  OutUAVs[NumOutUAVs++] = ObjectBuffers.Bounds.UAV;
  OutUAVs[NumOutUAVs++] = ObjectBuffers.Data.UAV;

  if (CulledObjectBoxBounds.IsBound())
    OutUAVs[NumOutUAVs++] = ObjectBuffers.BoxBounds.UAV;


V557 Array overrun is possible. The value of 'len' index could reach 16384. cavisynth.cpp 129


void TavisynthPage::onLoad(void)
  char_t scriptflnm[MAX_PATH] = _l("");
  if (dlgGetFile(....) {
    FILE *f = fopen(scriptflnm, _l("rb"));
    if (f) {
      char script[MAX_AVISYNTH_SCRIPT_LENGTH];
      size_t len =
        fread(script, 1, MAX_AVISYNTH_SCRIPT_LENGTH, f);
      script[len] = '\0';
      setDlgItemText(m_hwnd, IDC_ED_AVISYNTH,


V557 Array overrun is possible. The value of 'i' index could reach 8. rl.cpp 2375

enum TestInfoKind::_TIK_COUNT = 9

const char * const TestInfoEnvLstFmt[] =
   " TESTFILE=\"%s\"",
   " BASELINE=\"%s\"",
   " CFLAGS=\"%s\"",
   " LFLAGS=\"%s\"",
   NULL    // <= TestInfoEnvLstFmt[7]

   Test * pDir, TestList * pTestList
  // print the other TIK_*
  for(int i=0;i < _TIK_COUNT; i++) {
    if (variants->testInfo.data[i] && TestInfoEnvLstFmt[i]){// <=
       LstFilesOut->Add(TestInfoEnvLstFmt[i],               // <=

FreeBSD Kernel

V557 Array overrun is possible. The '2' index is pointing beyond array bound. if_spppsubr.c 4348

#define AUTHKEYLEN  16

struct sauth {
  u_short  proto;
  u_short  flags;
  u_char  name[AUTHNAMELEN];
  u_char  secret[AUTHKEYLEN];
  u_char  challenge[AUTHKEYLEN];

static void
sppp_chap_scr(struct sppp *sp)
  u_long *ch, seed;
  u_char clen;

  /* Compute random challenge. */
  ch = (u_long *)sp->myauth.challenge;
  read_random(&seed, sizeof seed);
  ch[0] = seed ^ random();
  ch[1] = seed ^ random();
  ch[2] = seed ^ random(); // <=
  ch[3] = seed ^ random(); // <=
  clen = AUTHKEYLEN;

If compile the 64-bit kernel, then when accessing ch[2] and ch[3] we'll have array index out of bounds. Details: http://www.viva64.com/en/b/0377/

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '3' index is pointing beyond array bound. if_spppsubr.c 4349

The GTK+ Project

V557 Array overrun is possible. The value of 'i + 1' index could reach 21. gtkcssselector.c 1219

#define G_N_ELEMENTS(arr)   (sizeof (arr) / sizeof ((arr)[0]))

static GtkCssSelector *
parse_selector_pseudo_class (....)
  static const struct {
  } pseudo_classes[] = {
    { "first-child",   0, 0,  POSITION_FORWARD,  0, 1 },
    { "drop(active)",  0, GTK_STATE_FLAG_DROP_ACTIVE, }
  guint i;
  for (i = 0; i < G_N_ELEMENTS (pseudo_classes); i++)
        if (pseudo_classes[i + 1].state_flag ==
          _gtk_css_parser_error_full (parser,
          "The :%s pseudo-class is deprecated. Use :%s instead.",
          pseudo_classes[i + 1].name);

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'i + 1' index could reach 21. gtkcssselector.c 1224


V557 Array overrun is possible. The '9' index is pointing beyond array bound. tconvolve.cpp 123

template <class PIXOUT>
void doConvolve_cm32_row_9_i(....)
  TPixel32 val[9];                                  // <=
  for (int i = 0; i < 9; ++i) {                     // <= OK
    else if (tone == 0)
      val[i] = inks[ink];
      val[i] = blend(....);

  pixout->r = (typename PIXOUT::Channel)((
    val[1].r * w1 + val[2].r * w2 + val[3].r * w3 +
    val[4].r * w4 + val[5].r * w5 + val[6].r * w6 +
    val[7].r * w7 + val[8].r * w8 + val[9].r * w9 + // <= ERR
    (1 << 15)) >> 16);
  pixout->g = (typename PIXOUT::Channel)((
    val[1].g * w1 + val[2].g * w2 + val[3].g * w3 +
    val[4].g * w4 + val[5].g * w5 + val[6].g * w6 +
    val[7].g * w7 + val[8].g * w8 + val[9].g * w9 + // <= ERR
    (1 << 15)) >> 16);
  pixout->b = (typename PIXOUT::Channel)((
    val[1].b * w1 + val[2].b * w2 + val[3].b * w3 +
    val[4].b * w4 + val[5].b * w5 + val[6].b * w6 +
    val[7].b * w7 + val[8].b * w8 + val[9].b * w9 + // <= ERR
    (1 << 15)) >> 16);
  pixout->m = (typename PIXOUT::Channel)((
    val[1].m * w1 + val[2].m * w2 + val[3].m * w3 +
    val[4].m * w4 + val[5].m * w5 + val[6].m * w6 +
    val[7].m * w7 + val[8].m * w8 + val[9].m * w9 + // <= ERR
    (1 << 15)) >> 16);


V557 Array overrun is possible. The value of 'prefixLen ++' index could reach 124. restore.cpp 10040

const int GDS_NAME_LEN = 32;
bool get_function(BurpGlobals* tdgbl)
  struct isc_844_struct {
    short isc_870; /* gds__null_flag */
    char  isc_874 [125]; /* RDB$PACKAGE_NAME */
  } isc_844;

  att_type attribute;
  TEXT    temp[GDS_NAME_LEN * 2];
  SSHORT prefixLen = 0;
    prefixLen = static_cast<SSHORT>(strlen(/*X.RDB$PACKAGE_NAME*/
    memcpy(temp, /*X.RDB$PACKAGE_NAME*/
                 isc_844.isc_874, prefixLen);
    temp[prefixLen++] = '.';



V557 Array overrun is possible. The value of 'dwCode - 1' index could reach 8. cordbdi rsmain.cpp 67

const char * GetDebugCodeName(DWORD dwCode)
  if (dwCode < 1 || dwCode > 9)
    return "!Invalid Debug Event Code!";

  static const char * const szNames[] = {
    "(8) OUTPUT_DEBUG_STRING_EVENT"         // <=
    "(9) RIP_EVENT",// only on Win9X

  return szNames[dwCode - 1];

FreeBSD Kernel

V557 Array overrun is possible. The value of 'ridx' index could reach 27. r88e_chan.c 115

#define R88E_GROUP_2G    6
#define RTWN_RIDX_OFDM6  4
#define RTWN_RIDX_COUNT  28

struct rtwn_r88e_txagc {
  uint8_t pwr[R88E_GROUP_2G][20];  /* RTWN_RIDX_MCS(7) + 1 */

r88e_get_txpower(struct rtwn_softc *sc, int chain,
    struct ieee80211_channel *c, uint16_t power[RTWN_RIDX_COUNT])
  const struct rtwn_r88e_txagc *base = rs->rs_txagc;
  for (ridx = RTWN_RIDX_OFDM6; ridx < RTWN_RIDX_COUNT; ridx++) {
    if (rs->regulatory == 3)
      power[ridx] = base->pwr[0][ridx];
    else if (rs->regulatory == 1) {
      if (!IEEE80211_IS_CHAN_HT40(c))
        power[ridx] = base->pwr[group][ridx];
    } else if (rs->regulatory != 2)
      power[ridx] = base->pwr[0][ridx];

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'ridx' index could reach 27. r88e_chan.c 118
  • V557 Array overrun is possible. The value of 'ridx' index could reach 27. r88e_chan.c 120


V557 Array overrun is possible. The value of 'cidx' index could reach 4. staff.cpp 1029

ClefTypeList clefTypes[MAX_STAVES];
int staffLines[MAX_STAVES];
BracketType bracket[MAX_STAVES];
int bracketSpan[MAX_STAVES];
int barlineSpan[MAX_STAVES];
bool smallStaff[MAX_STAVES];

void Staff::init(...., const StaffType* staffType, int cidx)
  if (cidx > MAX_STAVES) { // <=
    setSmall(0, false);
  else {
    setSmall(0,       t->smallStaff[cidx]);
    setBracketType(0, t->bracket[cidx]);
    setBracketSpan(0, t->bracketSpan[cidx]);


V557 Array overrun is possible. The value of 'i' index could reach 59. inspectorAmbitus.cpp 70

class NoteHead : public Symbol {
  enum class Group : signed char {
    HEAD_NORMAL = 0,
    HEAD_GROUPS,              // <= 59

InspectorAmbitus::InspectorAmbitus(QWidget* parent)
   : InspectorElementBase(parent)

  static const NoteHead::Group heads[] = {
  for (int i = 0; i < int(NoteHead::Group::HEAD_GROUPS); ++i)
    r.noteHeadGroup->setItemData(i, int(heads[i]));//out of bound


V557 Array overrun is possible. The value of 'submaster' index could reach 64. SequencerDataBlock.cpp 325


class SequencerDataBlock
  int m_submasterLevelUpdateIndices[64];

SequencerDataBlock::getSubmasterLevel(int submaster, ....) const

 if (submaster < 0 ||
   info.level = info.levelRight = 0;
   return false;

 int currentUpdateIndex=m_submasterLevelUpdateIndices[submaster];
 info = m_submasterLevels[submaster];

 if (lastUpdateIndex[submaster] != currentUpdateIndex) {
   lastUpdateIndex[submaster] = currentUpdateIndex;
   return true;
 } else {
   return false; // no change

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'submaster' index could reach 64. SequencerDataBlock.cpp 343
  • V557 Array overrun is possible. The value of 'submaster' index could reach 64. SequencerDataBlock.cpp 344


V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 931

#define VP9_LEVELS 14

extern const Vp9LevelSpec vp9_level_defs[VP9_LEVELS];

typedef enum {
  LEVEL_MAX = 255

static INLINE int log_tile_cols_from_picsize_level(
  uint32_t width, uint32_t height)
  int i;
  const uint32_t pic_size = width * height;
  const uint32_t pic_breadth = VPXMAX(width, height);
  for (i = LEVEL_1; i < LEVEL_MAX; ++i) {
   if (vp9_level_defs[i].max_luma_picture_size >= pic_size &&
       vp9_level_defs[i].max_luma_picture_breadth >= pic_breadth)
     return get_msb(vp9_level_defs[i].max_col_tiles);
  return INT_MAX;

Apparently, a wrong constant is used. In an array of 14 elements the cycle index reaches a value of 254. Probably, the cycle was supposed to be as follows: for (i = LEVEL_1; i < VP9_LEVELS; ++i) {

Similar errors can be found in some other places:

  • V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 932
  • V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 933


V557 CWE-125 Array overrun is possible. The value of 'stateno' index could reach 992. sqlite3.c 138802

static const short yy_shift_ofst[] = {
  /*   0 */ 355, 888, 1021, 909, 1063, 1063, 1063, 1063, 20, -19,
  /* 450 */ 1440, 1443, 1538, 1542, 1562,

#define YY_SHIFT_COUNT    (454)
#define YY_MIN_REDUCE     993

static unsigned int yy_find_shift_action(....)
  int i;
  int stateno = pParser->yytos->stateno;

  if( stateno>=YY_MIN_REDUCE ) return stateno;      // <=

  assert( stateno <= YY_SHIFT_COUNT );

  do {
    i = yy_shift_ofst[stateno];                     // <=

An array yy_shift_ofst consists of 455 items. In this case, the protection in function is made in the way that when accessing to this array the index must not be greater than 993. Something is clearly wrong here. Below there is a correct assert, but it will not help in the Release-version.

XNU kernel

V557 CWE-787 Array overrun is possible. The value of 'length - 1' index could reach 23. necp_client.c 1460

#define  IFNAMSIZ   16
#define  IFXNAMSIZ  (IFNAMSIZ + 8)


struct necp_client_parsed_parameters {
  char prohibited_interfaces[IFXNAMSIZ]

static int
  struct necp_client_parsed_parameters *parsed_parameters)
  u_int32_t length = ....;
  if (length <= IFXNAMSIZ && length > 0) {
           value, length);
                    num_prohibited_interfaces][length - 1] = 0;

Most likely, the array was declared incorrectly and it should be written as follows: char prohibited_interfaces[NECP_MAX_PARSED_PARAMETERS][IFXNAMSIZ];


V557 CWE-119 Array overrun is possible. The value of 'idx' index could reach 6. btif_hf.cc 277

static btif_hf_cb_t btif_hf_cb[BTA_AG_MAX_NUM_CLIENTS];

static bool IsSlcConnected(RawAddress* bd_addr) {
  if (!bd_addr) {
    LOG(WARNING) << __func__ << ": bd_addr is null";
    return false;
  int idx = btif_hf_idx_by_bdaddr(bd_addr);
  if (idx < 0 || idx > BTA_AG_MAX_NUM_CLIENTS) {
    LOG(WARNING) << __func__ << ": invalid index "
                 << idx << " for " << *bd_addr;
    return false;
  return btif_hf_cb[idx].state ==

Similar errors can be found in some other places:

  • V557 CWE-119 Array overrun is possible. The value of 'idx' index could reach 6. btif_hf.cc 869
  • V557 CWE-119 Array overrun is possible. The value of 'index' index could reach 6. btif_rc.cc 374

Amazon Lumberyard

V557 CWE-119 Array overrun is possible. The 'id' index is pointing beyond array bound. gameobjectsystem.cpp 113

uint32 CGameObjectSystem::GetExtensionSerializationPriority(....)
  if (id > m_extensionInfo.size())
    return 0xffffffff; // minimum possible priority
    return m_extensionInfo[id].serializationPriority;

Amazon Lumberyard

V557 CWE-119 Array overrun is possible. The 'index' index is pointing beyond array bound. vehicleseatgroup.cpp 73

CVehicleSeat* CVehicleSeatGroup::GetSeatByIndex(unsigned index)
  if (index >= 0 && index <= m_seats.size())
    return m_seats[index];

  return NULL;

Similar errors can be found in some other places:

  • V557 CWE-119 Array overrun is possible. The 'id' index is pointing beyond array bound. gameobjectsystem.cpp 195
  • V557 CWE-119 Array overrun is possible. The 'id' index is pointing beyond array bound. gameobjectsystem.cpp 290
  • V557 CWE-119 Array overrun is possible. The 'stateId' index is pointing beyond array bound. vehicleanimation.cpp 311
  • And 1 additional diagnostic messages.

Godot Engine

V557 CWE-125 Array overrun is possible. The value of 'i' index could reach 9. input_default.cpp 1119

enum JoystickList {
  JOY_AXIS_MAX = 10,

static const char *_axes[] = {
  "Left Stick X",
  "Left Stick Y",
  "Right Stick X",
  "Right Stick Y",

int InputDefault::get_joy_axis_index_from_string(String p_axis) {
  for (int i = 0; i < JOY_AXIS_MAX; i++) {
    if (p_axis == _axes[i]) {
      return i;

NCBI Genome Workbench

V557 Array overrun is possible. The 'row' index is pointing beyond array bound. aln_reader.cpp 412

bool CAlnReader::x_IsGap(TNumrow row, TSeqPos pos, const string& residue)
  if (m_MiddleSections.size() == 0) {

  if (row > m_MiddleSections.size()) {
      return false;
  if (pos < m_MiddleSections[row].first) {
if (row >= m_MiddleSections.size()) {
  return false;

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The 'i' index is pointing beyond array bound. resource_pool.hpp 388
  • V557 Array overrun is possible. The 'row' index is pointing beyond array bound. aln_reader.cpp 418
  • V557 Array overrun is possible. The 'fmt_idx' index is pointing beyond array bound. seq_writer.cpp 384
  • And 2 additional diagnostic messages.


V557 Array overrun is possible. The 'nPageNum' index is pointing beyond array bound. pptx-epptooxml.cxx 1168

void PowerPointExport::ImplWriteNotes(sal_uInt32 nPageNum)
  // add slide implicit relation to notes
  if (mpSlidesFSArray.size() >= nPageNum)
      addRelation(mpSlidesFSArray[ nPageNum ]->getOutputStream(),
                  .append(static_cast<sal_Int32>(nPageNum) + 1)


V557 Array overrun is possible. The 'mnSelectedMenu' index is pointing beyond array bound. checklistmenu.cxx 826

void ScMenuFloatingWindow::ensureSubMenuNotVisible()
  if (mnSelectedMenu <= maMenuItems.size() &&
      maMenuItems[mnSelectedMenu].mpSubMenuWin &&



V557 Array overrun is possible. The 'nXFIndex' index is pointing beyond array bound. xestyle.cxx 2613

sal_Int32 XclExpXFBuffer::GetXmlStyleIndex( sal_uInt32 nXFIndex ) const
    OSL_ENSURE( nXFIndex < maStyleIndexes.size(), "...." );
    if( nXFIndex > maStyleIndexes.size() )
        return 0;   // should be caught/debugged via above assert;
    return maStyleIndexes[ nXFIndex ];


V557 Array overrun is possible. The value of 'event->EventHandlerCount' index could reach 32. PubSub.c 117


struct _wEventType
  int EventHandlerCount;
  pEventHandler EventHandlers[MAX_EVENT_HANDLERS];

int PubSub_Subscribe(wPubSub* pubSub, const char* EventName,
      pEventHandler EventHandler)
  if (event->EventHandlerCount <= MAX_EVENT_HANDLERS)
    event->EventHandlers[event->EventHandlerCount] = EventHandler;

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'iBitmapFormat' index could reach 8. orders.c 2623


V557 Array underrun is possible. The value of 'n' index could reach -1. rdesktop.c 1872

subprocess(char *const argv[], str_handle_lines_t linehandler, void *data)
  int n = 1;
  char output[256];
  while (n > 0)
    n = read(fd[0], output, 255);
    output[n] = '\0'; // <=
    str_handle_lines(output, &rest, linehandler, data);


V557 Array overrun is possible. The value of 'i - 8' index could reach 129. genkeymap.c 142

// evdev-map.c
int xfree86_to_evdev[137-8+1] = {

// genkeymap.c
extern int xfree86_to_evdev[137-8];

int main(int argc, char **argv)
  for (i = 8; i <= 137; i++) /* Keycodes */
    if (is_evdev)
        e.keycode = xfree86_to_evdev[i-8];

Haiku Operation System

V557 Array overrun is possible. The 'BT_SCO' index is pointing beyond array bound. h2upper.cpp 75

struct bt_usb_dev {
  struct list nbuffersTx[(1 + 1 + 0 + 0)];         // <= [0..1]

typedef enum {
    BT_COMMAND = 0,
    BT_SCO,                                        // <= 3

} bt_packet_t;

sched_tx_processing(bt_usb_dev* bdev)
  if (!list_is_empty(&bdev->nbuffersTx[BT_SCO])) { // <= fail
    // TODO to be implemented

Haiku Operation System

V557 Array overrun is possible. The 'ieee80211_send_setup' function processes value '16'. Inspect the fourth argument. Check lines: 842, 911. ieee80211_output.c 842

struct ieee80211_node {
  struct ieee80211_tx_ampdu ni_tx_ampdu[16];              // <= [0..15]

#define IEEE80211_NONQOS_TID 16

  ieee80211_send_setup(ni, m,
     IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID, // <= 16
     vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid);

  struct ieee80211_node *ni,
  struct mbuf *m,
  int type,
  int tid,                                                // <= 16
  tap = &ni->ni_tx_ampdu[tid];                            // <= 16


V557 Array overrun is possible. The value of 'nFormatLength' index could reach 16. EASprintfOrdered.cpp 246

static const int kSpanFormatCapacity = 16;

struct Span8
  char mFormat[kSpanFormatCapacity];

static int OVprintfCore(....)
  EA_ASSERT(nFormatLength < kSpanFormatCapacity);
  if(nFormatLength < kSpanFormatCapacity)
    spans[spanIndex].mFormat[nFormatLength++] = *p;                        // <=
    return -1;

    case 'b': case 'd': case 'i': case 'u': case 'o': case 'x': case 'X':
    case 'g': case 'G': case 'e': case 'E': case 'f': case 'F': case 'a':
    case 'A': case 'p': case 'c': case 'C': case 's': case 'S': case 'n':
      // Finalize the current span.
      spans[spanIndex].mpEnd = p + 1;
      spans[spanIndex].mFormat[nFormatLength] = 0;                         // <=
      spans[spanIndex].mFormatChar = *p;
      if(++spanIndex == kSpanCapacity)

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'nFormatLength' index could reach 16. EASprintfOrdered.cpp 614
  • V557 Array overrun is possible. The value of 'nFormatLength' index could reach 16. EASprintfOrdered.cpp 977

Bullet Physics SDK

V557 Array overrun is possible. The value of 'dofIndex + dof' index could reach 130. PhysicsClientC_API.cpp 968

double m_desiredState[MAX_DEGREE_OF_FREEDOM];

B3_SHARED_API int b3JointControl(int dofIndex,
                                 double* forces,
                                 int dofCount, ....)
  if (   (dofIndex >= 0)
      && (dofIndex < MAX_DEGREE_OF_FREEDOM )
      && dofCount >= 0
      && dofCount <= 4)
    for (int dof = 0; dof < dofCount; dof++)
      command->m_sendState.m_desiredState[dofIndex+dof] = forces[dof];

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'len' index could reach 1024. PhysicsClientC_API.cpp 5223


V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2749

static int64_t
expand(struct archive_read *a, int64_t end)
  if ((lensymbol = read_next_symbol(a, &rar->lengthcode)) < 0)
    goto bad_data;
  if (lensymbol > (int)(sizeof(lengthbases)/sizeof(lengthbases[0])))
    goto bad_data;
  if (lensymbol > (int)(sizeof(lengthbits)/sizeof(lengthbits[0])))
    goto bad_data;
  len = lengthbases[lensymbol] + 2;
  if (lengthbits[lensymbol] > 0) {
    if (!rar_br_read_ahead(a, br, lengthbits[lensymbol]))
      goto truncated_data;
    len += rar_br_bits(br, lengthbits[lensymbol]);
    rar_br_consume(br, lengthbits[lensymbol]);

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2750
  • V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2751
  • V557 Array overrun is possible. The value of 'lensymbol' index could reach 28. archive_read_support_format_rar.c 2753
  • And 2 additional diagnostic messages.

Doom 1

V557 [CWE-119] Array overrun is possible. The value of 'i' index could reach 49. p_switch.c 123

#define MAXSWITCHES 50
void P_InitSwitchList(void)
  for (int index = 0, i = 0; i < MAXSWITCHES; i++)
    if (!alphSwitchList[i].episode)
    if (alphSwitchList[i].episode <= episode)
      .... = R_TextureNumForName(alphSwitchList[i].name1);
      .... = R_TextureNumForName(alphSwitchList[i].name2);

switchlist_t alphSwitchList[] =
  {"SW1BRCOM",   "SW2BRCOM", 1},
  {"\0", "\0", 0}

Doom 1

V557 [CWE-628] Array overrun is possible. The 'F_DrawPatchCol' function processes value '[0..319]'. Inspect the third argument. Check lines: 621, 668. f_finale.c 621

#define SCREENWIDTH 320
void F_BunnyScroll (void)
  int scrolled;
  scrolled = ....;
  if (scrolled > 320)
    scrolled = 320;
  if (scrolled < 0)
    scrolled = 0;

  for (x=0; x<SCREENWIDTH; x++)
    if (x+scrolled < 320)
      F_DrawPatchCol (...., x+scrolled);
      F_DrawPatchCol (...., x+scrolled - 320);

void F_DrawPatchCol (...., int col)
  column_t *column;
  column = .... + LONG(patch->columnofs[col]));

typedef struct
  int columnofs[8];
} patch_t;

Similar errors can be found in some other places:

  • V557 [CWE-628] Array overrun is possible. The 'F_DrawPatchCol' function processes value '[0..319]'. Inspect the third argument. Check lines: 621, 670. f_finale.c 621


V557 Array overrun is possible. The 'idx' index is pointing beyond array bound. PlayerCoreFactory.cpp:240

std::vector<CPlayerCoreConfig *> m_vecPlayerConfigs;
bool CPlayerCoreFactory::PlaysVideo(const std::string& player) const
  CSingleLock lock(m_section);
  size_t idx = GetPlayerIndex(player);
  if (m_vecPlayerConfigs.empty() || idx > m_vecPlayerConfigs.size())
    return false;
  return m_vecPlayerConfigs[idx]->m_bPlaysVideo;


V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 130

bool BasicMinimizer::SetVariableValue(unsigned int ivar, double val) {
  if (ivar > fValues.size() ) return false;
  fValues[ivar] = val;
  return true;

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 186
  • V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 194
  • V557 Array overrun is possible. The 'ivar' index is pointing beyond array bound. BasicMinimizer.cxx 209
  • And 2 additional diagnostic messages.

Command & Conquer

V557 Array overrun is possible. The '9' index is pointing beyond array bound. FOOT.CPP 232

#define  CONQUER_PATH_MAX 9 // Number of cells to look ahead for movement.

FacingType Path[CONQUER_PATH_MAX];

void FootClass::Debug_Dump(MonoClass *mono) const
  if (What_Am_I() != RTTI_AIRCRAFT) {
    mono->Set_Cursor(50, 3);

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The '10' index is pointing beyond array bound. FOOT.CPP 233
  • V557 Array overrun is possible. The '11' index is pointing beyond array bound. FOOT.CPP 234
  • V557 Array overrun is possible. The '12' index is pointing beyond array bound. FOOT.CPP 235

Command & Conquer

V557 Array underrun is possible. The value of '_SpillTable[index]' index could reach -1. COORD.CPP 149

typedef enum FacingType : char {
} FacingType;

short const * Coord_Spillage_List(COORDINATE coord, int maxsize)
  static short const _MoveSpillage[(int)FACING_COUNT+1][5] = {

  static char const _SpillTable[16]  = {8,6,2,-1,0,7,1,-1,4,5,3,-1,-1,-1,-1,-1};


Command & Conquer

V557 Array overrun is possible. The 'QuantityB' function processes value '[0..86]'. Inspect the first argument. Check lines: 'HOUSE.H:928', 'CELL.CPP:2337'. HOUSE.H 928

typedef enum StructType : char {
  STRUCT_COUNT,                                       // <= 87
} StructType;

int BQuantity[STRUCT_COUNT-3];                        // <= [0..83]

int QuantityB(int index) {return(BQuantity[index]);}  // <= [0..86]

bool CellClass::Goodie_Check(FootClass * object)
  int bcount = 0;
  for( j=0; j < STRUCT_COUNT; j++) {
    bcount += hptr->QuantityB(j);                     // <= [0..86]


V557 Array overrun is possible. The 'dwc2_glbreg_read' function processes value '[0..63]'. Inspect the third argument. Check lines: 667, 1040. hcd-dwc2.c 667

#define HSOTG_REG(x) (x)
struct DWC2State {
#define DWC2_GLBREG_SIZE    0x70
  uint32_t glbreg[DWC2_GLBREG_SIZE / sizeof(uint32_t)];
static uint64_t dwc2_glbreg_read(void *ptr, hwaddr addr, int index,
                                 unsigned size)
  val = s->glbreg[index];
static uint64_t dwc2_hsotg_read(void *ptr, hwaddr addr, unsigned size)
  switch (addr) {
    case HSOTG_REG(0x000) ... HSOTG_REG(0x0fc):
        val = dwc2_glbreg_read(ptr, addr,
                              (addr - HSOTG_REG(0x000)) >> 2, size);


V557 Array overrun is possible. The 'Index' index is pointing beyond array bound. ASTReader.cpp 7318

std::vector<Decl *> DeclsLoaded;

SourceLocation ASTReader::getSourceLocationForDeclID(GlobalDeclID ID) {
  unsigned Index = ID - NUM_PREDEF_DECL_IDS;

  if (Index > DeclsLoaded.size()) {
    Error("declaration ID out-of-range for AST file");
    return SourceLocation();

  if (Decl *D = DeclsLoaded[Index])
    return D->getLocation();

Espressif IoT Development Framework

V557 Array overrun is possible. The value of 'other_if' index could reach 3. mdns.c 2206

typedef enum mdns_if_internal {
    MDNS_IF_STA = 0,
    MDNS_IF_AP = 1,
    MDNS_IF_ETH = 2,
} mdns_if_t;

typedef struct mdns_server_s {
    struct {
        mdns_pcb_t pcbs[MDNS_IP_PROTOCOL_MAX];
    } interfaces[MDNS_IF_MAX];
    const char * hostname;
    const char * instance;
    mdns_srv_item_t * services;
    SemaphoreHandle_t lock;
    QueueHandle_t action_queue;
    mdns_tx_packet_t * tx_queue_head;
    mdns_search_once_t * search_once;
    esp_timer_handle_t timer_handle;
} mdns_server_t;

mdns_server_t * _mdns_server = NULL;

static mdns_if_t _mdns_get_other_if (mdns_if_t tcpip_if)
  if (tcpip_if == MDNS_IF_STA) {
    return MDNS_IF_ETH;
  } else if (tcpip_if == MDNS_IF_ETH) {
     return MDNS_IF_STA;
  return MDNS_IF_MAX;

static void _mdns_dup_interface(mdns_if_t tcpip_if)
  uint8_t i;
  mdns_if_t other_if = _mdns_get_other_if (tcpip_if);
  for (i=0; i<MDNS_IP_PROTOCOL_MAX; i++) {
      if (_mdns_server->interfaces[other_if].pcbs[i].pcb) {

Espressif IoT Development Framework

V557 Array overrun is possible. The '_mdns_announce_pcb' function processes value '[0..3]'. Inspect the first argument. Check lines: 1674, 2213. mdns.c 1674

typedef enum mdns_if_internal {
    MDNS_IF_STA = 0,
    MDNS_IF_AP = 1,
    MDNS_IF_ETH = 2,
} mdns_if_t;

typedef struct mdns_server_s {
    struct {
        mdns_pcb_t pcbs[MDNS_IP_PROTOCOL_MAX];
    } interfaces[MDNS_IF_MAX];
    const char * hostname;
    const char * instance;
    mdns_srv_item_t * services;
    SemaphoreHandle_t lock;
    QueueHandle_t action_queue;
    mdns_tx_packet_t * tx_queue_head;
    mdns_search_once_t * search_once;
    esp_timer_handle_t timer_handle;
} mdns_server_t;

mdns_server_t * _mdns_server = NULL;

static void _mdns_announce_pcb(mdns_if_t tcpip_if,
                               mdns_ip_protocol_t ip_protocol,
                               mdns_srv_item_t ** services,
                               size_t len, bool include_ip)
  mdns_pcb_t * _pcb = &_mdns_server->interfaces[tcpip_if].pcbs[ip_protocol];

static mdns_if_t _mdns_get_other_if (mdns_if_t tcpip_if)
    if (tcpip_if == MDNS_IF_STA) {
        return MDNS_IF_ETH;
    } else if (tcpip_if == MDNS_IF_ETH) {
        return MDNS_IF_STA;
    return MDNS_IF_MAX;

static void _mdns_dup_interface(mdns_if_t tcpip_if)
    uint8_t i;
    mdns_if_t other_if = _mdns_get_other_if (tcpip_if);
    for (i=0; i<MDNS_IP_PROTOCOL_MAX; i++) {
        if (_mdns_server->interfaces[other_if].pcbs[i].pcb) {
            //stop this interface and mark as dup
            if (_mdns_server->interfaces[tcpip_if].pcbs[i].pcb) {
                _mdns_clear_pcb_tx_queue_head(tcpip_if, i);
                _mdns_pcb_deinit(tcpip_if, i);
            _mdns_server->interfaces[tcpip_if].pcbs[i].state = PCB_DUP;
            _mdns_announce_pcb(other_if, i, NULL, 0, true);               // <=

Espressif IoT Development Framework

V557 Array overrun is possible. The value of 'frame->exccause' index could reach 16. gdbstub_xtensa.c 132

int esp_gdbstub_get_signal(const esp_gdbstub_frame_t *frame)
  const char exccause_to_signal[] =
    {4, 31, 11, 11, 2, 6, 8, 0, 6, 7, 0, 0, 7, 7, 7, 7};
  if (frame->exccause > sizeof(exccause_to_signal)) {
    return 11;
  return (int) exccause_to_signal[frame->exccause];

Storm Engine

V557 Array overrun is possible. The value of 'TempLong2 - TempLong1 + 1' index could reach 520. internal_functions.cpp 1131

DATA *COMPILER::BC_CallIntFunction(....)
  if (TempLong2 - TempLong1 >= sizeof(Message_string))
    SetError("internal: buffer too small");
    pV = SStack.Push();
    pVResult = pV;
    return pV;
  memcpy(Message_string, pChar + TempLong1,
         TempLong2 - TempLong1 + 1);
  Message_string[TempLong2 - TempLong1 + 1] = 0;
  pV = SStack.Push();


V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'Kind' index could reach 19. InstrumentationMap.cpp 196

enum class FunctionKinds { ENTRY, EXIT, TAIL, LOG_ARGS_ENTER, CUSTOM_EVENT };
static Error loadObj(....) {
  auto Kind = Extractor.getU8(&OffsetPtr);
  static constexpr SledEntry::FunctionKinds Kinds[] = {
      SledEntry::FunctionKinds::ENTRY, SledEntry::FunctionKinds::EXIT,
  if (Kind >= sizeof(Kinds))
    return errorCodeToError(
  Entry.Kind = Kinds[Kind];


V557 Array underrun is possible. The value of 'month + - 1' index could reach -1. cellRtc.cpp 1470

error_code cellRtcGetDaysInMonth(s32 year, s32 month)
  cellRtc.todo("cellRtcGetDaysInMonth(year=%d, month=%d)", year, month);

  if ((year < 0) || (month < 0) || (month > 12))

  if (is_leap_year(year))
    return not_an_error(DAYS_IN_MONTH[month + 11]);

  return not_an_error(DAYS_IN_MONTH[month + -1]); // <=


V557 Array overrun is possible. The 'pad' index is pointing beyond array bound. pad_thread.cpp 191

void pad_thread::SetRumble(const u32 pad, u8 largeMotor, bool smallMotor)
  if (pad > m_pads.size())

  if (m_pads[pad]->m_vibrateMotors.size() >= 2)
    m_pads[pad]->m_vibrateMotors[0].m_value = largeMotor;
    m_pads[pad]->m_vibrateMotors[1].m_value = smallMotor ? 255 : 0;


V557 Array overrun is possible. The '3' index is pointing beyond array bound. geometry_p.h 552

static BL_INLINE bool blIsCubicFlat(const BLPoint p[3], double f) {
  if (p[3] == p[0]) {
    // ....
  // ....


V557 Array overrun is possible. The 'j' index is pointing beyond array bound. OgreAnimationTrack.cpp 219

void AnimationTrack::_buildKeyFrameIndexMap(
  const std::vector<Real>& keyFrameTimes)

  // ....

  size_t i = 0, j = 0;
  while (j <= keyFrameTimes.size())                    // <=
    mKeyFrameIndexMap[j] = static_cast<ushort>(i);
    while (i < mKeyFrames.size()
      && mKeyFrames[i]->getTime() <= keyFrameTimes[j]) // <=

The j index that gives us access to the elements of the keyFrameTimes container is incremented to a value equal to the container size


V557 [CWE-787] Array overrun is possible. The 'dynamicStateCount ++' index is pointing beyond array bound. VltGraphics.cpp 157

VkPipeline VltGraphicsPipeline::createPipeline(....) const
  std::array<VkDynamicState, 6> dynamicStates;
  uint32_t dynamicStateCount = 0;
  dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_VIEWPORT;
  dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_SCISSOR;
  if (state.useDynamicDepthBias())
    dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_DEPTH_BIAS;
  if (state.useDynamicDepthBounds())
    dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_DEPTH_BOUNDS;
    dynamicStates[dynamicStateCount++] =
  if (state.useDynamicBlendConstants())
    dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_BLEND_CONSTANTS;
  if (state.useDynamicStencilRef())
    dynamicStates[dynamicStateCount++] = VK_DYNAMIC_STATE_STENCIL_REFERENCE;

#info if all 7 assignes happen, the 'dynamiStates' array will overrun


V557 Array overrun is possible. The value of 'i' index could reach 256. c-format.cc 1994

char m_flag_chars[256];

flag_chars_t::add_char (char ch)
  int i = strlen (m_flag_chars);
  m_flag_chars[i++] = ch;
  m_flag_chars[i] = 0;


V557 [CWE-119, CERT-ARR30-C] Array overrun is possible. The 'iTarget' index is pointing beyond array bound. DrawViewPart.cpp 809

/*static*/ int DrawUtil::getIndexFromName(const std::string& geomName)
  if (boost::regex_search(begin, end, what, re, flags)) {
    return int(std::stoi(what.str()));
  } else {
    ErrorMsg << "getIndexFromName: malformed geometry name - " << geomName;
    throw Base::ValueError(ErrorMsg.str());

TechDraw::VertexPtr DrawViewPart::getVertex(std::string vertexName) const
  const std::vector<TechDraw::VertexPtr>

  size_t iTarget = DrawUtil::getIndexFromName(vertexName);
  if (allVertex.empty()) {
    //should not happen
    throw Base::IndexError("DVP::getVertex - No vertices found.");
  if (iTarget > allVertex.size()) {                                // <=
    //should not happen
    throw Base::IndexError("DVP::getVertex - Vertex not found.");

  return allVertex.at(iTarget);                                    // <=


V557 [CWE-119, CERT-ARR30-C] Array overrun is possible. The value of 'format' index could reach 27. testupload.c 13

typedef enum {

} GdkMemoryFormat;

static const char *format_name[] = {
  "BGRAp", "ARGBp", "RGBAp",
  "BGRA", "ARGB", "RGBA", "ABGR",
  "RGB", "BGR", NULL

static const char *
format_to_string (GdkMemoryFormat format)
  if (format < GDK_MEMORY_N_FORMATS)
    return format_name[format];
    return "ERROR";

Qt Creator

V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4682

using Flag = GenerateGetterSetterOp::GenerateFlag;

constexpr static Flag ColumnFlag[] = {
  Flag::Invalid,                    // 0
  Flag::GenerateGetter,             // 1
  Flag::GenerateSetter,             // 2
  Flag::GenerateSignal,             // 3
  Flag::GenerateReset,              // 4
  Flag::GenerateProperty,           // 5
  Flag::GenerateConstantProperty,   // 6
QVariant data(int column, int role) const override
  if (role == Qt::DisplayRole && column == NameColumn)
    return m_memberInfo->data.memberVariableName;
  if (   role == Qt::CheckStateRole && column > 0
      && column <= static_cast<int>(std::size(ColumnFlag)))
    return m_memberInfo->requestedFlags & ColumnFlag[column] ? Qt::Checked :

  return {};

Similar errors can be found in some other places:

  • V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4693
  • V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4697
  • V557 [CWE-125, CERT-ARR30-C] Array overrun is possible. The value of 'column' index could reach 7. cppquickfixes.cpp 4699
  • And 1 additional diagnostic messages.


V557 Array overrun is possible. The 'index' index is pointing beyond array bound. AppleObjCRuntimeV2.cpp 3308

bool AppleObjCRuntimeV2::NonPointerISACache::EvaluateNonPointerISA(
    ObjCISA isa, ObjCISA &ret_isa) {
  if (index > m_indexed_isa_cache.size())
    return false;

  LLDB_LOGF(log, "AOCRT::NPI Evaluate(ret_isa = 0x%" PRIx64 ")",

Similar errors can be found in some other places:

  • V557 Array overrun is possible. The 'index' index is pointing beyond array bound. AppleObjCRuntimeV2.cpp 3311


V557 [CERT-ARR30-C] Array overrun is possible. The 'portNum' index is pointing beyond array bound. node.cpp 402

std::vector<PortConfig> inConfs;
MemoryDescPtr Node::getBaseMemDescAtInputPort(size_t portNum) const
  if (auto primDesc = getSelectedPrimitiveDescriptor())
    const auto& inConfs = primDesc->getConfig().inConfs;
    if (inConfs.size() < portNum)
      OPENVINO_THROW("Can't get input memory desc at port: ",
                      portNum, ", incorrect port number"     );
    return inConfs[portNum].getMemDesc();
  OPENVINO_THROW("Can't get input memory desc,
                         primitive descriptor is not selected");
std::vector<PortConfig> outConfs;
MemoryDescPtr Node::getBaseMemDescAtOutputPort(size_t portNum) const
  if (auto primDesc = getSelectedPrimitiveDescriptor())
    const auto& outConfs = primDesc->getConfig().outConfs;
    if (outConfs.size() < portNum)
      OPENVINO_THROW("Can't get output memory desc at port: ",
                      portNum, ", incorrect port number"      );
    return outConfs[portNum].getMemDesc();
  OPENVINO_THROW("Can't get output memory desc,
                      primitive descriptor is not selected");

Similar errors can be found in some other places:

  • V557 [CERT-ARR30-C] Array overrun is possible. The 'portNum' index is pointing beyond array bound. node.cpp 413