Examples of errors detected by the V1086 diagnostic
V1086. Call of the 'Foo' function will lead to buffer underflow.
Microsoft PowerToys
V1086 A call of the 'memset' function will lead to underflow of the buffer 'keyEventList'. KeyboardEventHandlers.cpp 16
typedef struct tagINPUT { DWORD type; union { MOUSEINPUT mi; KEYBDINPUT ki; HARDWAREINPUT hi; } DUMMYUNIONNAME; } INPUT, *PINPUT, FAR* LPINPUT; void SetNumLockToPreviousState(....) { int key_count = 2; LPINPUT keyEventList = new INPUT[size_t(key_count)](); memset(keyEventList, 0, sizeof(keyEventList)); .... } Qt
V1086 [CWE-682] A call of the 'memset' function will lead to underflow of the buffer 'm_keys'. qv4estable.cpp 57
ESTable::ESTable() : m_capacity(8) { m_keys = (Value*)malloc(m_capacity * sizeof(Value)); m_values = (Value*)malloc(m_capacity * sizeof(Value)); memset(m_keys, 0, m_capacity); memset(m_values, 0, m_capacity); } Command & Conquer
V1086 A call of the 'memset' function will lead to underflow of the buffer 'Buffer'. KEYBOARD.CPP 96
unsigned short Buffer[256]; WWKeyboardClass::WWKeyboardClass(void) { .... memset(Buffer, 0, 256); .... } WebRTC
V1086 CWE-682 A call of the 'memset' function will lead to underflow of the buffer '_jumpBuf'. rtt_filter.cc 52
class VCMRttFilter { .... enum { kMaxDriftJumpCount = 5 }; .... int64_t _jumpBuf[kMaxDriftJumpCount]; int64_t _driftBuf[kMaxDriftJumpCount]; .... }; void VCMRttFilter::Reset() { _gotNonZeroUpdate = false; _avgRtt = 0; _varRtt = 0; _maxRtt = 0; _filtFactCount = 1; _jumpCount = 0; _driftCount = 0; memset(_jumpBuf, 0, kMaxDriftJumpCount); memset(_driftBuf, 0, kMaxDriftJumpCount); } Confusion between the number of elements in the array and the size of the buffer in bytes.
Chromium
V1086 CWE-682 A call of the 'memset' function will lead to underflow of the buffer 'key_event->text'. event_conversion.cc 435
#if defined(WIN32) typedef wchar_t WebUChar; #else typedef unsigned short WebUChar; #endif static const size_t kTextLengthCap = 4; class WebKeyboardEvent : public WebInputEvent { .... WebUChar text[kTextLengthCap]; WebUChar unmodified_text[kTextLengthCap]; .... }; WebKeyboardEvent* BuildCharEvent(const InputEventData& event) { WebKeyboardEvent* key_event = new WebKeyboardEvent(....); .... memset(key_event->text, 0, text_length_cap); memset(key_event->unmodified_text, 0, text_length_cap); .... } Confusion between the number of elements in the array and the size of the buffer in bytes.
Similar errors can be found in some other places:
- V1086 CWE-682 A call of the 'memset' function will lead to underflow of the buffer 'key_event->unmodified_text'. event_conversion.cc 436
Ardour
V1086 A call of the 'memset' function will lead to underflow of the buffer 'error_buffer'. ardour_http.cc 142
class HttpGet { .... char error_buffer[CURL_ERROR_SIZE]; .... }; HttpGet::HttpGet (bool p, bool ssl) : persist (p) , _status (-1) , _result (-1) { memset (error_buffer, 0, sizeof (*error_buffer)); .... } Tizen
V1086 A call of the 'memset' function will lead to underflow of the buffer 'formatted_number'. i18ninfo.c 544
typedef short unsigned int i18n_uchar; #define BUF_SIZE 1000 static int __get_number_format(char *input_number) { .... i18n_uchar formatted_number[BUF_SIZE]; .... memset(formatted_number, 0, BUF_SIZE); .... } Tizen
V1086 A call of the 'memset' function will lead to underflow of the buffer 'req_id_used'. bt-service-util.c 38
typedef int gint; typedef gint gboolean; #define BT_REQUEST_ID_RANGE_MAX 245 static gboolean req_id_used[BT_REQUEST_ID_RANGE_MAX]; void _bt_init_request_id(void) { assigned_id = 0; memset(req_id_used, 0x00, BT_REQUEST_ID_RANGE_MAX); } CryEngine V
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'hashableData'. GeomCacheRenderNode.cpp 285
void CGeomCacheRenderNode::Render(....) { .... CREGeomCache* pCREGeomCache = iter->second.m_pRenderElement; .... uint8 hashableData[] = { 0, 0, 0, 0, 0, 0, 0, 0, (uint8)std::distance(pCREGeomCache->....->begin(), &meshData), (uint8)std::distance(meshData....->....begin(), &chunk), (uint8)std::distance(meshData.m_instances.begin(), &instance) }; memcpy(hashableData,pCREGeomCache,sizeof(pCREGeomCache)); // <= .... } FreeBSD Kernel
V1086 A call of the 'memset' function will lead to underflow of the buffer 'plog'. nat64lsn.c 218
struct pfloghdr { u_int8_t length; sa_family_t af; u_int8_t action; u_int8_t reason; char ifname[IFNAMSIZ]; char ruleset[PFLOG_RULESET_NAME_SIZE]; u_int32_t rulenr; u_int32_t subrulenr; uid_t uid; pid_t pid; uid_t rule_uid; pid_t rule_pid; u_int8_t dir; u_int8_t pad[3]; }; static void nat64lsn_log(struct pfloghdr *plog, ....) { memset(plog, 0, sizeof(plog)); // <= plog->length = PFLOG_REAL_HDRLEN; plog->af = family; plog->action = PF_NAT; plog->dir = PF_IN; plog->rulenr = htonl(n); plog->subrulenr = htonl(sn); plog->ruleset[0] = '\0'; strlcpy(plog->ifname, "NAT64LSN", sizeof(plog->ifname)); ipfw_bpf_mtap2(plog, PFLOG_HDRLEN, m); } CodeLite
V1086 A call of the 'memset' function will lead to underflow of the buffer 'buffer'. md5.cpp 243
class MD5 { .... typedef unsigned char uint1; .... uint1 buffer[64]; // input buffer .... static void memset(uint1 *start, uint1 val, uint4 length); .... }; void MD5::finalize () { .... // Zeroize sensitive information memset (buffer, 0, sizeof(*buffer)); // <= finalized=1; } Unreal Engine 4
V1086 A call of the 'memset' function will lead to underflow of the buffer 'StartTimestampListHandles'. d3d12query.cpp 493
class FD3D12BufferedGPUTiming { .... FD3D12CLSyncPoint* StartTimestampListHandles; FD3D12CLSyncPoint* EndTimestampListHandles; .... }; void FD3D12BufferedGPUTiming::InitDynamicRHI() { .... StartTimestampListHandles = new FD3D12CLSyncPoint[BufferSize]; ZeroMemory(StartTimestampListHandles, sizeof(StartTimestampListHandles)); EndTimestampListHandles = new FD3D12CLSyncPoint[BufferSize]; ZeroMemory(EndTimestampListHandles, sizeof(EndTimestampListHandles)); .... } Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'EndTimestampListHandles'. d3d12query.cpp 495
Haiku Operating System
V1086 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 623
#define MEMSET_BZERO(p,l) memset((p), 0, (l)) void solv_SHA256_Final(sha2_byte digest[], SHA256_CTX* context) { .... /* Clean up state data: */ MEMSET_BZERO(context, sizeof(context)); usedspace = 0; } Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 644
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 953
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'context'. sha2.c 973
- And 2 additional diagnostic messages.
Haiku Operating System
V1086 A call of the 'memcmp' function will lead to underflow of the buffer '"Private-key-format: v"'. dst_api.c 858
dst_s_read_private_key_file(....) { .... if (memcmp(in_buff, "Private-key-format: v", 20) != 0) goto fail; .... } .NET CoreCLR
V1086 A call of the 'memset' function will lead to underflow of the buffer 'pAddExpression'. sos strike.cpp 11973
DECLARE_API(Watch) { .... if(addExpression.data != NULL || aExpression.data != NULL) { WCHAR pAddExpression[MAX_EXPRESSION]; memset(pAddExpression, 0, MAX_EXPRESSION); swprintf_s(pAddExpression, MAX_EXPRESSION, L"%S", ....); Status = g_watchCmd.Add(pAddExpression); } .... } Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'pSaveName'. sos strike.cpp 11997
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'pOldName'. sos strike.cpp 12013
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'pNewName'. sos strike.cpp 12016
- And 2 additional diagnostic messages.
Spring Engine
V1086 A call of the 'memset' function will lead to underflow of the buffer 'area'. RAI gterrainmap.h 84
#define MAP_AREA_LIST_SIZE 50 struct TerrainMapMobileType { TerrainMapMobileType() { .... memset(area,0,MAP_AREA_LIST_SIZE); // <= }; TerrainMapArea *area[MAP_AREA_LIST_SIZE]; // <= .... }; Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'BQ'. RAI builder.cpp 67
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'SL'. RAI unitmanager.cpp 28
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'Group'. RAI unitmanager.cpp 29
- And 1 additional diagnostic message.
Miranda NG
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'L"mailto:"'. TabSRMM msgdialog.cpp 2085
INT_PTR CALLBACK DlgProcMessage(....) { .... CopyMemory(tr.lpstrText, _T("mailto:"), 7); .... } Similar errors can be found in some other places:
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'lfFont.lfFaceName'. Xfire userdetails.cpp 206
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'L"%20"'. Weather weather_conv.cpp 476
Miranda NG
V1086 A call of the 'memset' function will lead to underflow of the buffer 'msgFrom'. LotusNotify lotusnotify.cpp 760
void checkthread(void*) { .... WCHAR msgFrom[512]; WCHAR msgSubject[512]; ZeroMemory(msgFrom,512); ZeroMemory(msgSubject,512); .... } Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'msgSubject'. LotusNotify lotusnotify.cpp 761
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'nd->dd_dir.d_name'. glib dirent.c 138
Miranda NG
V1086 A call of the 'memset' function will lead to underflow of the buffer 'Data'. Weather weather_ini.cpp 250
void LoadStationData(...., WIDATA *Data) { .... ZeroMemory(Data, sizeof(Data)); .... } Miranda NG
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 's_list'. Sessions utils.cpp 288
#define SIZEOF(X) (sizeof(X)/sizeof(X[0])) int CheckForDuplicate(MCONTACT contact_list[], MCONTACT lparam) { MCONTACT s_list[255] = { 0 }; memcpy(s_list, contact_list, SIZEOF(s_list)); for (int i = 0;; i++) { if (s_list[i] == lparam) return i; if (s_list[i] == 0) return -1; } return 0; } Similar errors can be found in some other places:
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'session_list'. Sessions main.cpp 143
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'user_session_list'. Sessions main.cpp 143
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'session_list_temp'. Sessions main.cpp 216
- And 5 additional diagnostic messages.
Miranda NG
V1086 A call of the 'memset' function will lead to underflow of the buffer 'logfonts'. TabSRMM msglog.cpp 134
#define MSGDLGFONTCOUNT 22 LOGFONTA logfonts[MSGDLGFONTCOUNT + 2]; void TSAPI CacheLogFonts() { int i; HDC hdc = GetDC(NULL); logPixelSY = GetDeviceCaps(hdc, LOGPIXELSY); ReleaseDC(NULL, hdc); ZeroMemory(logfonts, sizeof(LOGFONTA) * MSGDLGFONTCOUNT + 2); .... } Most likely this is what should be written here: ZeroMemory(logfonts, sizeof(LOGFONTA) * (MSGDLGFONTCOUNT + 2));
Gifticlib
V1086 A call of the 'memset' function will lead to underflow of the buffer 'gim'. gifti_io.c 4097
int gifti_clear_gifti_image(gifti_image * gim) { if(!gim) { fprintf(stderr,"** NULL in clear_gifti_image\n"); return 1; } if( G.verb > 5 ) fprintf(stderr,"-- clearing gifti_image\n"); /* set the version and clear all pointers */ memset(gim, 0, sizeof(gim)); .... } FlightGear
V1086 A call of the 'memset' function will lead to underflow of the buffer 'ctx'. md5.c 180
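void MD5Final(uint8_t digest[16], struct MD5Context *ctx) { .... memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */ .... } Here 'ctx' is a pointer, so sizeof(ctx) is the pointer size and only the first bytes of the MD5 context are cleared; the rest of the hash state stays in memory. The size should be sizeof(*ctx). Because this memset exists only to scrub data, note that a compiler may also drop such a call as a dead store, which is why memset_s, explicit_bzero or SecureZeroMemory are the usual choice for this purpose.
VirtualDub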
V1086 A call of the 'memcmp' function will lead to underflow of the buffer '"GL_EXT_blend_subtract"'. Riza opengl.cpp 393
bool VDOpenGLBinding::Attach(....) { .... if (!memcmp(start, "GL_EXT_blend_subtract", 20)) .... } strlen("GL_EXT_blend_subtract") == 21, so the comparison covers only the first 20 characters and ignores the final 't'.
Snes9x
V1086 A call of the 'memset' function will lead to underflow of the buffer '& cht'. ramwatch.cpp 1199
struct ICheat { uint32 address; uint32 new_val; uint32 saved_val; int size; bool8 enabled; bool8 saved; char name [22]; int format; }; struct SCheat { uint32 address; uint8 byte; uint8 saved_byte; bool8 saved; }; void RamWatchEnableCommand(....) { .... struct ICheat cht; .... ZeroMemory(&cht, sizeof(struct SCheat)); .... } Most likely this is what should be written here: ZeroMemory(&cht, sizeof(struct ICheat));
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer '& cht'. ram_search.cpp 1789
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'new_cheat'. wsnes9x.cpp 9924
Multi Theft Auto
V1086 A call of the 'memset' function will lead to underflow of the buffer 'm_buffer'. sharedutil.hash.hpp 216
unsigned char m_buffer[64]; void CMD5Hasher::Finalize ( void ) { .... // Zeroize sensitive information memset ( m_buffer, 0, sizeof (*m_buffer) ); .... } NetXMS
V1086 A call of the 'memset' function will lead to underflow of the buffer 'm_szTitle'. toolbox.cpp 28
typedef WCHAR TCHAR, *PTCHAR; #define MAX_TOOLBOX_TITLE 64 TCHAR m_szTitle[MAX_TOOLBOX_TITLE]; CToolBox::CToolBox() { memset(m_szTitle, 0, MAX_TOOLBOX_TITLE); } NetXMS
V1086 A call of the 'memset' function will lead to underflow of the buffer 'commandLine'. procinfo.cpp 278
typedef WCHAR TCHAR, *PTCHAR; static BOOL MatchProcess(....) { .... TCHAR commandLine[MAX_PATH]; .... memset(commandLine, 0, MAX_PATH); .... } Windows 8 Driver Samples
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'deviceInfo->UnicodeSourceIp'. testapp.c 729
typedef struct _DEVICE_INFO { .... WCHAR UnicodeSourceIp[MAX_LEN]; WCHAR UnicodeDestIp[MAX_LEN]; .... } DEVICE_INFO, *PDEVICE_INFO; PDEVICE_INFO FindDeviceInfo(....) { .... PDEVICE_INFO deviceInfo = NULL; .... memcpy(deviceInfo->UnicodeSourceIp, InputInfo->SourceIp, MAX_LEN); memcpy(deviceInfo->UnicodeDestIp, InputInfo->DestIp, MAX_LEN); .... } Similar errors can be found in some other places:
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'deviceInfo->UnicodeDestIp'. testapp.c 730
Windows 8 Driver Samples
V1086 A call of the 'memset' function will lead to underflow of the buffer 'wbuf'. ihvsampleextui.cpp 288
HRESULT CDot11SampleExtUI::CreateSecurityProperties(....) { .... WCHAR wbuf[128]; .... ZeroMemory(wbuf, 128); .... } Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'wbuf'. ihvsampleextui.cpp 369
libevent
V1086 A call of the 'memset' function will lead to underflow of the buffer 'win32op'. win32select.c 374
void win32_dealloc(struct event_base *_base) { struct win32op *win32op = _base->evbase; .... memset(win32op, 0, sizeof(win32op)); .... } Samba
V1086 A call of the 'memcmp' function will lead to underflow of the buffer 'u0'. netuser.c 247
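static NET_API_STATUS test_netusermodals( struct libnetapi_ctx *ctx, const char *hostname) { .... struct USER_MODALS_INFO_0 *u0 = NULL; struct USER_MODALS_INFO_0 *_u0 = NULL; .... if (memcmp(u0, _u0, sizeof(u0) != 0)) { printf("USER_MODALS_INFO_0 struct has changed!!!!\n"); return -1; } .... } Most likely this is what should be written here: sizeof(*u0). The closing parenthesis is misplaced as well: 'sizeof(u0) != 0' is evaluated first and yields 1, so a single byte is compared and the result of memcmp is used directly as the condition. The intended check is memcmp(u0, _u0, sizeof(*u0)) != 0.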
Samba
V1086 A call of the 'memset' function will lead to underflow of the buffer 'rt'. perf_writer.c 80
void initialize(PERF_DATA_BLOCK *data, RuntimeSettings *rt, int argc, char **argv) { memset(data, 0, sizeof(*data)); memset(rt, 0, sizeof(*data)); .... } Most likely this is what should be written here: memset(rt, 0, sizeof(*rt));.
MAME
V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pstars_regs'. pgm.c 4458
UINT32 m_pstars_regs[16]; static DRIVER_INIT( pstar ) { .... memset(state->m_pstars_regs, 0, 16); .... } Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 4975
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 4996
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_kb_regs'. pgm.c 5056
- And 4 additional diagnostic messages.
MAME
V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_control_0'. tumbleb.c 2065
UINT16 m_control_0[8]; #define ARRAY_LENGTH(x) (sizeof(x) / sizeof(x[0])) static MACHINE_RESET( tumbleb ) { .... memset(state->m_control_0, 0, ARRAY_LENGTH(state->m_control_0)); } Most likely this is what should be written here: memset(state->m_control_0, 0, sizeof(state->m_control_0));
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pmac_read'. megadriv.c 7156
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_pmac_write'. megadriv.c 7157
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_cart_is_genesis'. megatech.c 426
- And 3 additional diagnostic messages.
MAME
V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_rotate_ctrl'. wgp.c 949
UINT16 m_rotate_ctrl[8]; static MACHINE_RESET( wgp ) { wgp_state *state = machine.driver_data<wgp_state>(); int i; state->m_banknum = 0; state->m_cpua_ctrl = 0xff; state->m_port_sel = 0; state->m_piv_ctrl_reg = 0; for (i = 0; i < 3; i++) { state->m_piv_zoom[i] = 0; state->m_piv_scrollx[i] = 0; state->m_piv_scrolly[i] = 0; } memset(state->m_rotate_ctrl, 0, 8); } Similar errors can be found in some other places:
- V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'state->m_spriteram16_2_buffered'. deco32.c 726
- V1086 A call of the 'memset' function will lead to underflow of the buffer 'state->m_playfield_code'. malzak.c 392
MAME
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'state->m_spriteram16_buffered'. deco32.c 706
UINT16 m_spriteram16[0x1000]; UINT16 m_spriteram16_buffered[0x1000]; static WRITE32_HANDLER( deco32_buffer_spriteram_w ) { deco32_state *state = space->machine().driver_data<deco32_state>(); memcpy(state->m_spriteram16_buffered, state->m_spriteram16, 0x1000); } This is what should have been written here: 0x1000 * sizeof(UINT16).
DeSmuME
V1086 A call of the 'memset' function will lead to underflow of the buffer 'MapView'. DeSmuME_VS2005 mapview.cpp 204
mapview_struct *MapView = NULL; BOOL CALLBACK ViewMapsProc (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { .... MapView = new mapview_struct; memset(MapView, 0, sizeof(MapView)); .... } This is what should have been written here: memset(MapView, 0, sizeof(*MapView));
ADAPTIVE Communication Environment (ACE)
V1086 A call of the 'memset' function will lead to underflow of the buffer 'old_state'. thread.inl 172
ACE_INLINE int ACE_Thread::disablecancel (struct cancel_state *old_state) { .... ACE_OS::memset (old_state, 0, sizeof (old_state)); .... } ADAPTIVE Communication Environment (ACE)
V1086 A call of the 'memcmp' function will lead to underflow of the buffer 'expected_msg.payload'. Send_Msg_Receiver receiver.cpp 109
struct Message { unsigned int sn; unsigned short payload[payload_size]; }; int ACE_TMAIN (int argc, ACE_TCHAR* argv[]) { .... if (ACE_OS::memcmp (expected_msg.payload, msg.payload, payload_size) != 0) { damaged[msg.sn] = 1; } .... } Most likely this is what should be written here: payload_size * sizeof(short)
Similar errors can be found in some other places:
- V1086 A call of the 'memcmp' function will lead to underflow of the buffer 'expected_msg.payload'. RMCast_Receiver receiver.cpp 102
Mozilla Firefox
V1086 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. time_win.cc 198
void Time::Explode(bool is_local, Exploded* exploded) const { .... ZeroMemory(exploded, sizeof(exploded)); .... } This is what should have been written here: ZeroMemory(exploded, sizeof(*exploded));
Doom 3
V1086 A call of the 'memset' function will lead to underflow of the buffer '& cluster'. DoomDLL aasfile.cpp 1312
void idAASFileLocal::DeleteClusters( void ) { .... memset( &portal, 0, sizeof( portal ) ); portals.Append( portal ); // first cluster is a dummy memset( &cluster, 0, sizeof( portal ) ); clusters.Append( cluster ); } This is what should have been written here: memset( &cluster, 0, sizeof( cluster ) );
Doom 3
V1086 A call of the 'memset' function will lead to underflow of the buffer 'ase.currentMesh'. DoomDLL model_ase.cpp 731
aseMesh_t *currentMesh; static void ASE_KeyGEOMOBJECT( const char *token ) { .... ase.currentMesh = &ase.currentObject->mesh; memset( ase.currentMesh, 0, sizeof( ase.currentMesh ) ); .... } This is what should have been written here: memset( ase.currentMesh, 0, sizeof( *ase.currentMesh ) );
IPP Samples
V1086 A call of the 'memset' function will lead to underflow of the buffer 'MEParams'. vc1_enc umc_vc1_enc_adv.cpp 1767
UMC::Status VC1EncoderADV::SetMEParams_I_Field(UMC::MeParams* MEParams) { UMC::Status umcSts UMC::UMC_OK; memset(MEParams,0,sizeof(MEParams)); .... } This is what should have been written here: memset(MEParams,0,sizeof(*MEParams));
ReactOS
V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 991
#define MEMSET_BZERO(p,l) memset((p), 0, (l)) char *SHA384_End(SHA384_CTX* context, char buffer[]) { .... MEMSET_BZERO(context, sizeof(context)); .... } This is what should have been written here: sizeof(*context).
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 566
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 587
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. rsaenh sha2.c 896
- And 2 additional diagnostic messages.
ReactOS
V1086 A call of the 'memset' function will lead to underflow of the buffer '((pfd))'. shell32 pidl.c 1160
HRESULT WINAPI SHGetDataFromIDListW(....) { .... WIN32_FIND_DATAW * pfd = dest; .... ZeroMemory(pfd, sizeof (WIN32_FIND_DATAA)); } This is what should have been written here: sizeof(WIN32_FIND_DATAW)
ReactOS
V1086 A call of the 'memset' function will lead to underflow of the buffer '((file_path))'. sndrec32 sndrec32.cpp 769
typedef WCHAR TCHAR,*PTCHAR; TCHAR file_path[MAX_PATH]; #define MAX_PATH 260 LRESULT CALLBACK WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam ) { .... ZeroMemory( file_path, MAX_PATH ); .... } This is what should have been written here: ZeroMemory( file_path, MAX_PATH * sizeof(TCHAR));
Similar errors can be found in some other places:
- V1086 A call of the 'memcpy' function will lead to a buffer underflow. smss client.c 442
ReactOS
V1086 A call of the 'memcpy' function will lead to underflow of the buffer 'buffer'. user32 dllmain.c 162
VOID UnloadAppInitDlls() { .... WCHAR buffer[KEY_LENGTH]; .... RtlCopyMemory(buffer, szAppInit, KEY_LENGTH); .... } Multiplication by sizeof(WCHAR) is missing, which causes copying only half of the data. This is what the code should look like: RtlCopyMemory(buffer, szAppInit, KEY_LENGTH * sizeof(WCHAR)).
Far Manager
V1086 A call of the 'memset' function will lead to underflow of the buffer 'PInfo'. far filelist.cpp 672
__int64 FileList::VMProcess(int OpCode,void *vParam, __int64 iParam) { .... PluginInfo *PInfo=(PluginInfo *)vParam; memset(PInfo,0,sizeof(PInfo)); PInfo->StructSize=sizeof(PInfo); .... } This is what should have been written here: memset(PInfo, 0, sizeof(PluginInfo)); The next statement, PInfo->StructSize=sizeof(PInfo), stores the pointer size for the same reason.
Energy Checker SDK
V1086 A call of the 'memset' function will lead to underflow of the buffer 'temp'. core_api_unit_tests unit_tests_tools.c 379
void plt_tools_get_pl_config_full_file_name(char *buffer) { .... char temp[PL_MAX_PATH] = { '\0' }; .... memset( temp, 0, sizeof(buffer) ); .... } This is what should have been written here: sizeof(temp)
Energy Checker SDK
V1086 A call of the 'memset' function will lead to underflow of the buffer 'pconfig'. pl_csv_logger productivity_link_helper.c 1806
typedef struct _plh_dynamic_pl_folder_info { .... } PLH_DYNAMIC_PL_FOLDER_INFO, *PPLH_DYNAMIC_PL_FOLDER_INFO; int plh_dynamic_read_pl_folder( PPLH_DYNAMIC_PL_FOLDER_INFO pconfig) { .... memset( pconfig, 0, sizeof(pconfig) ); .... } This is what should have been written here: sizeof(*pconfig)
Energy Checker SDK
V1086 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 683
#define PL_MAX_PATH 255 typedef WCHAR TCHAR, *PTCHAR; TCHAR pl_cvt_buffer[PL_MAX_PATH] = { '\0' }; int plh_read_pl_config_ini_file(....) { .... ZeroMemory( pl_cvt_buffer, PL_MAX_PATH ); .... } This is what should have been written here: PL_MAX_PATH * sizeof(TCHAR)
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 714
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 745
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(pl_cvt_buffer)'. pl_csv_logger productivity_link_helper.c 789
- And 5 additional diagnostic messages.
Apache HTTP Server
V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 560
#define MEMSET_BZERO(p,l) memset((p), 0, (l)) void apr__SHA256_Final(sha2_byte digest[], SHA256_CTX* context) { .... MEMSET_BZERO(context, sizeof(context)); .... } This is what should have been written here: sizeof(*context)
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 581
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 892
- V1086 A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 912
- And 2 additional diagnostic messages.
Qt
V1086 A call of the 'memset' function will lead to underflow of the buffer 's_attr_table'. qt3to4 cpplexer.cpp 77
int s_attr_table[256]; void CppLexer::setupScanTable() { .... memset(s_attr_table, 0, 256); .... } This is what should have been written here: sizeof(int) * 256
Similar errors can be found in some other places:
- V1086 A call of the 'memset' function will lead to underflow of the buffer 's_attr_table'. qt3to4 rpplexer.cpp 60
Chromium
V1086 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. platform time_win.cc 116
void NaCl::Time::Explode(bool is_local, Exploded* exploded) const { .... ZeroMemory(exploded, sizeof(exploded)); .... } This is what should have been written here: sizeof(*exploded)
Chromium
V1086 A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. base time_win.cc 227
void Time::Explode(bool is_local, Exploded* exploded) const { .... ZeroMemory(exploded, sizeof(exploded)); .... } This is what should have been written here: sizeof(*exploded)
Miranda IM
V1086 A call of the 'memcpy' function will lead to a buffer underflow. tabsrmm utils.cpp 1080
typedef struct _textrangew { CHARRANGE chrg; LPWSTR lpstrText; } TEXTRANGEW; const wchar_t* Utils::extractURLFromRichEdit(....) { .... ::CopyMemory(tr.lpstrText, L"mailto:", 7); .... } This is what should have been written here: sizeof(wchar_t) * 7
Newton Game Dynamics
V1086 A call of the 'memset' function will lead to a buffer underflow. physics dgcollisioncompoundbreakable.cpp 702
dgCollisionCompoundBreakable::dgCollisionCompoundBreakable (....) { .... dgInt32 faceOffsetHitogram[256]; dgSubMesh* mainSegmenst[256]; .... memset(faceOffsetHitogram, 0, sizeof(faceOffsetHitogram)); memset(mainSegmenst, 0, sizeof(faceOffsetHitogram)); .... } A 64-bit error caused by copy-paste: the second memset uses sizeof(faceOffsetHitogram) instead of sizeof(mainSegmenst). In a 64-bit program the pointer size differs from the size of dgInt32, so only part of the mainSegmenst array is cleared.
Wolfenstein 3D
V1086 A call of the 'memset' function will lead to a buffer underflow. wolf cvar.c 764
typedef struct cvar_s { char *name; .... struct cvar_s *hashNext; } cvar_t; void Cvar_Restart_f( void ) { cvar_t *var; .... memset( var, 0, sizeof( var ) ); .... } This is what should have been written here: memset( var, 0, sizeof( *var ) );
Wolfenstein 3D
V1086 A call of the 'memset' function will lead to a buffer underflow. cgame bg_animation.c 999
typedef struct { short int bodyPart[2]; short int animIndex[2]; short int animDuration[2]; short int soundIndex; short int accShowBits; short int accHideBits; } animScriptCommand_t; void BG_ParseCommands(....) { .... animScriptCommand_t *command = NULL; .... memset( command, 0, sizeof( command ) ); .... } This is what should have been written here: sizeof(*command)
Notepad++
V1086 A call of the memset function will lead to a buffer underflow. dockingmanager.cpp 78
#define CONT_MAP_MAX 50 int _iContMap[CONT_MAP_MAX]; .... DockingManager::DockingManager() { .... memset(_iContMap, -1, CONT_MAP_MAX); .... } This is what should have been written here: memset(_iContMap, -1, CONT_MAP_MAX * sizeof(int));
Fennec Media
V1086 A call of the 'memset' function will lead to a buffer underflow. base windows.c 2892
typedef wchar_t letter; letter name[30]; int Conv_EqualizerProc(HWND hwnd,UINT uMsg, WPARAM wParam,LPARAM lParam) { .... memset(eqp.name, 0, 30); .... } This is what should have been written here: sizeof(letter) * 30
Fennec Media
V1086 A call of the 'memset' function will lead to a buffer underflow. base windows.c 150
#define uinput_size 1024 typedef wchar_t letter; letter uinput_text[uinput_size]; string basewindows_getuserinput(const string title, const string cap, const string dtxt) { memset(uinput_text, 0, uinput_size); .... } At first sight, everything looks fine with "memset(uinput_text, 0, uinput_size);". Perhaps it even was fine when the 'letter' type was 'char'. But now the type is 'wchar_t', so only half of the buffer is zeroed.
SMTP Client
V1086 A call of the 'memset' function will lead to a buffer underflow. CSmtp md5.cpp 212
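void MD5::finalize () { .... uint1 buffer[64]; .... // Zeroize sensitive information memset (buffer, 0, sizeof(*buffer)); .... } Most likely this is what should be written here: memset (buffer, 0, sizeof(buffer)); sizeof(*buffer) is the size of a single element, so the rest of the 64-element input buffer is left uncleared.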