
100 Open Source

C/C++
16.03.2012

.
, Open-Source ,
/++. PVS-Studio.

. ,
, , .
, , PVS-Studio , :
http://www.viva64.com/ru/pvs-studio/.
, . " ,
".

open-source
. .
,
.
, , .
, . :

Apache HTTP Server - http://httpd.apache.org/


Audacity - http://audacity.sourceforge.net/
Chromium - http://www.chromium.org/
Clang - http://clang-analyzer.llvm.org/
CMake - http://www.cmake.org/

Crystal Space 3D SDK - http://www.crystalspace3d.org/main/Main_Page


Emule - http://www.emule.com/
FAR Manager - http://www.farmanager.com/
FCE Ultra - http://fceux.com/web/home.html
Fennec Media Project - http://fennec.sourceforge.net/
G3D Content Pak - http://sourceforge.net/projects/g3d-cpp/
IPP Samples - http://www.viva64.com/go.php?url=449
Lugaru - http://www.wolfire.com/lugaru
Miranda IM - http://www.miranda-im.org/
MySQL - http://www.mysql.com/
Newton Game Dynamics - http://newtondynamics.com/forum/newton.php
Notepad++ - http://notepad-plus-plus.org/
Pixie - http://www.renderpixie.com/
PNG library - http://libpng.org/pub/png/
QT - http://qt.nokia.com/products/
ReactOS - http://www.reactos.org/en/
Shareaza - http://www.shareaza.com/
SMTP Client with SSL/TLS - http://www.codeproject.com/KB/IP/smtp_ssl.aspx
StrongDC++ - http://strongdc.sourceforge.net/index.php?lang=eng
Swiss-Army Knife of Trace - http://www.codeproject.com/KB/trace/tracetool.aspx
TortoiseSVN - http://tortoisesvn.net/
Ultimate TCP/IP - http://www.codeproject.com/KB/MFC/UltimateTCPIP.aspx
VirtualDub - http://www.virtualdub.org/
WinDjView - http://windjview.sourceforge.net/
WinMerge - http://winmerge.org/
Wolfenstein 3D - http://en.wikipedia.org/wiki/Wolfenstein_3D
Crypto++ - http://www.cryptopp.com/
Quake-III-Arena - https://github.com/id-Software/Quake-III-Arena
.



/++.
. ,
PVS-Studio. , /++ ,
.

1. Wolfenstein 3D. .
void CG_RegisterItemVisuals( int itemNum ) {
...
itemInfo_t *itemInfo;

...
memset( itemInfo, 0, sizeof( &itemInfo ) );
...
}
V568: It's odd that the argument of sizeof() operator is the
'&itemInfo' expression. cgame cg_weapons.c 1467.
sizeof() , 'itemInfo_t'.
"sizeof(*itemInfo)".

2. Wolfenstein 3D. .
ID_INLINE mat3_t::mat3_t( float src[ 3 ][ 3 ] ) {
memcpy( mat, src, sizeof( src ) );
}
V511: The sizeof() operator returns size of the pointer, and
not of the array, in 'sizeof(src)' expression. Splines math_matrix.h 94
, , 'sizeof(src)'
"3*3*sizeof(float)". , 'src' , .
, . 'memcpy' 4 8
( ) , 32- 64-.
, .
:
ID_INLINE mat3_t::mat3_t( float (&src)[3][3] )
{
memcpy( mat, src, sizeof( src ) );
}

3. FAR Manager. .
struct TreeItem
{
int *Last;
size_t LastCount;
...

void Clear()
{
strName.Clear();
memset(Last, 0, sizeof(Last));
Depth=0;
}
};
V579: The memset function receives the pointer and its size
as arguments. It is possibly a mistake. Inspect the third argument. far treelist.hpp 66
, ,
: "memset(Last, 0, LastCount * sizeof(*Last));".

4. ReactOS. .
static const PCHAR Nv11Board = "NV11 (GeForce2) Board";
static const PCHAR Nv11Chip = "Chip Rev B2";
static const PCHAR Nv11Vendor = "NVidia Corporation";

BOOLEAN
IsVesaBiosOk(...)
{
...
if (!(strncmp(Vendor, Nv11Vendor, sizeof(Nv11Vendor))) &&
!(strncmp(Product, Nv11Board, sizeof(Nv11Board))) &&
!(strncmp(Revision, Nv11Chip, sizeof(Nv11Chip))) &&
(OemRevision == 0x311))
...
}
V579: The strncmp function receives the pointer and its size
as arguments. It is possibly a mistake. Inspect the third argument. vga vbe.c 57
'strncmp' ,
. ,

sizeof(). sizeof() ,
.
, . 99%
. 1%
.

5. VirtualDub. ( ).
struct ConvoluteFilterData {
long m[9];
long bias;
void *dyna_func;
DWORD dyna_size;
DWORD dyna_old_protect;
BOOL fClip;
};

static unsigned long __fastcall do_conv(
unsigned long *data,
const ConvoluteFilterData *cfd,
long sflags, long pit)
{
long rt0=cfd->m[9], gt0=cfd->m[9], bt0=cfd->m[9];
...
}
V557: Array overrun is possible. The '9' index is
pointing beyond array bound. VirtualDub f_convolute.cpp 73
, . ,
: http://www.viva64.com/go.php?url=756.

6. CPU Identifying Tool. ( ).


#define FINDBUFFLEN 64 // Max buffer find/replace size

...
int WINAPI Sticky (...)
{
...
static char findWhat[FINDBUFFLEN] = {'\0'};
...
findWhat[FINDBUFFLEN] = '\0';
...
}
V557: Array overrun is possible. The '64' index is pointing
beyond array bound. stickies stickies.cpp 7947
.
. : "findWhat[FINDBUFFLEN - 1] = '\0';".

7. Wolfenstein 3D. ( ).
typedef struct bot_state_s
{
...
char teamleader[32]; //netname of the team leader
...
} bot_state_t;

void BotTeamAI( bot_state_t *bs ) {
...
bs->teamleader[sizeof( bs->teamleader )] = '\0';
...
}
V557: Array overrun is possible. The 'sizeof (bs->teamleader)' index is pointing beyond array bound. game ai_team.c 548

.
, , ,
, .
'teamleader'. :
bs->teamleader[
sizeof(bs->teamleader) / sizeof(bs->teamleader[0]) - 1
] = '\0';

8. Miranda IM. .
typedef struct _textrangew
{
CHARRANGE chrg;
LPWSTR lpstrText;
} TEXTRANGEW;

const wchar_t* Utils::extractURLFromRichEdit(...)
{
...
::CopyMemory(tr.lpstrText, L"mailto:", 7);
...
}
V512: A call of the 'memcpy' function will lead to a buffer
overflow or underflow. tabsrmm utils.cpp 1080
Unicode-, , 2 4 (
). ,
, , ,
.
'CopyMemory' L"mailto:", ,
. ,
, , 7 sizeof(wchar_t).

9. CMake. .

static const struct {
DWORD winerr;
int doserr;
} doserrors[] =
{
...
};

static void
la_dosmaperr(unsigned long e)
{
...
for (i = 0; i < sizeof(doserrors); i++)
{
if (doserrors[i].winerr == e)
{
errno = doserrors[i].doserr;
return;
}
}
...
}
V557: Array overrun is possible. The value of 'i' index could
reach 367. cmlibarchive archive_windows.c 1140, 1142
. sizeof() ,
. ,
, . :
for (i = 0; i < sizeof(doserrors) / sizeof(*doserrors); i++)
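Items 6, 7 and 9 are all "one past the end" errors: an index equal to the element count, or a loop bound taken from sizeof() in bytes. As an added example (not code from the article or the cited projects), a reference-to-array template yields the element count and refuses to compile on a decayed pointer; the doserrors table below is constructed with a few illustrative entries, not the real mapping.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Constructed example, not code from the article or the cited projects.
// countof() takes the array by reference: N is the element count, and a
// pointer cannot be passed by mistake.
template <typename T, std::size_t N>
constexpr std::size_t countof(T (&)[N]) { return N; }

#define FINDBUFFLEN 64

// Items 6/7: the last valid slot of a buffer is N - 1, never N.
template <std::size_t N>
std::size_t last_index(char (&buf)[N]) { return countof(buf) - 1; }

// Copy at most N - 1 characters and terminate inside the buffer.
template <std::size_t N>
std::string copy_and_terminate(char (&buf)[N], const char *src) {
    std::strncpy(buf, src, N - 1);
    buf[N - 1] = '\0';          // buf[N] would write past the array
    return std::string(buf);
}

// Item 9: the loop bound must be the element count, not sizeof() in bytes.
struct doserror_map { unsigned long winerr; int doserr; };
static const doserror_map doserrors[] = {   // constructed entries, not the real table
    { 2, 2 }, { 3, 2 }, { 5, 13 }, { 32, 13 },
};

std::size_t bound_bytes()    { return sizeof(doserrors); }      // what the buggy loop used
std::size_t bound_elements() { return countof(doserrors); }     // what it should use

// Returns the mapped errno value, or -1 when the table has no entry.
int map_dos_error(unsigned long e) {
    for (std::size_t i = 0; i < countof(doserrors); i++)
        if (doserrors[i].winerr == e) return doserrors[i].doserr;
    return -1;
}
```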

10. CPU Identifying Tool. .


char * OSDetection ()
{
...
sprintf(szOperatingSystem,
"%sversion %d.%d %s (Build %d)",
szOperatingSystem,
osvi.dwMajorVersion,
osvi.dwMinorVersion,
osvi.szCSDVersion,
osvi.dwBuildNumber & 0xFFFF);
...
sprintf (szOperatingSystem, "%s%s(Build %d)",
szOperatingSystem, osvi.szCSDVersion,
osvi.dwBuildNumber & 0xFFFF);
...
}
V541: It is dangerous to print the string 'szOperatingSystem'
into itself. stickies camel.cpp 572, 603

. ,
. ,
Access Violation.
" ". ,
, ,
.
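Printing a buffer into itself with sprintf() is undefined behaviour; the safe pattern is to append at a tracked offset and check every return value. The block below is an added example, not code from the article or the CPU Identifying Tool; OsVersion is a hypothetical stand-in for OSVERSIONINFO.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed example, not code from the article or the cited project.
// sprintf(buf, "%s ...", buf) reads the buffer while overwriting it; the
// standard leaves that undefined. Append at a tracked offset instead, checking
// the return value of snprintf() each time.
struct OsVersion {                       // hypothetical stand-in for OSVERSIONINFO
    unsigned major, minor, build;
    const char *servicePack;
};

// Returns the description, or an empty string if the buffer was too small.
std::string describe_os(const OsVersion &v, char *buf, std::size_t cap) {
    std::size_t used = 0;
    int n = std::snprintf(buf, cap, "Windows ");
    if (n < 0 || static_cast<std::size_t>(n) >= cap) return "";
    used += static_cast<std::size_t>(n);
    n = std::snprintf(buf + used, cap - used, "version %u.%u %s (Build %u)",
                      v.major, v.minor, v.servicePack, v.build & 0xFFFF);
    if (n < 0 || static_cast<std::size_t>(n) >= cap - used) return "";
    used += static_cast<std::size_t>(n);
    return std::string(buf, used);
}
```

The overflow case is the one worth testing: with a buffer that is too small the function reports failure instead of truncating silently or writing past the end.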

11. FCE Ultra. , .


int FCEUI_SetCheat(...)
{
...
if((t=(char *)realloc(next->name,strlen(name+1))))
...
}

V518: The 'realloc' function allocates strange amount of
memory calculated by 'strlen(expr)'. Perhaps the correct variant is 'strlen(expr) + 1'. fceux cheat.cpp 609
. strlen() 'name',
"name+1". , realloc 2 ,
. - , .
- , 'strlen' ,
.

12. Notepad++. .
#define CONT_MAP_MAX 50
int _iContMap[CONT_MAP_MAX];
...
DockingManager::DockingManager()
{
...
memset(_iContMap, -1, CONT_MAP_MAX);
...
}
V512: A call of the memset function will lead to a buffer
overflow or underflow. notepadPlus DockingManager.cpp 60
.
sizeof(int).

,
. - .

(Undefined behavior)
.
(. undefined behaviour)
( C ++)
, . ,
, : "
". ,
,
.

(. Sequence point) ,
, ,
.
:
http://www.viva64.com/ru/t/0065/.

1. Chromium. .
void AccessibleContainsAccessible(...)
{
...
auto_ptr<VARIANT> child_array(new VARIANT[child_count]);
...
}
V554: Incorrect use of auto_ptr. The memory allocated with
'new []' will be cleaned using 'delete'. interactive_ui_tests accessibility_win_browsertest.cc 171
,
. ,
, .
, new [],
'auto_ptr' delete:
~auto_ptr() {
delete _Myptr;
}
, ,
boost::scoped_array.
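Memory obtained with new[] must be released with delete[]. The block below is an added example, not code from the article or Chromium; it uses std::unique_ptr<T[]> (C++11) in the role the text assigns to boost::scoped_array, and counts destructor calls to show that every element is destroyed.

```cpp
#include <memory>
#include <type_traits>

// Constructed example, not code from the article or Chromium. Memory from
// new[] must be released with delete[]; releasing it with delete (what
// auto_ptr does) is undefined behaviour. A counter records how many element
// destructors ran when the owning smart pointer goes out of scope.
struct Tracked {
    static int destroyed;
    ~Tracked() { ++destroyed; }
};
int Tracked::destroyed = 0;

// std::unique_ptr<T[]> calls delete[], like boost::scoped_array in the text.
int destructors_run_for_array(int count) {
    Tracked::destroyed = 0;
    {
        std::unique_ptr<Tracked[]> arr(new Tracked[count]);
        (void)arr;
    }
    return Tracked::destroyed;          // equals count
}

// The deleter type documents which release function will be called.
bool array_form_uses_delete_array() {
    return std::is_same<std::unique_ptr<Tracked[]>::deleter_type,
                        std::default_delete<Tracked[]>>::value;
}
```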

2. IPP Samples. Undefined behavior.


template<typename T, Ipp32s size> void HadamardFwdFast(...)
{
Ipp32s *pTemp;
...
for(j=0;j<4;j++) {
a[0] = pTemp[0*4] + pTemp[1*4];
a[1] = pTemp[0*4] - pTemp[1*4];
a[2] = pTemp[2*4] + pTemp[3*4];
a[3] = pTemp[2*4] - pTemp[3*4];
pTemp = pTemp++;
...
}
...
}
V567: Undefined behavior. The 'pTemp' variable is modified
while being used twice between sequence points. me umc_me_cost_func.h 168
.
Undefined behavior . ,
pTemp . pTemp
. , :
pTemp = pTemp + 1;
pTemp = pTemp;
, :
TMP = pTemp;
pTemp = pTemp + 1;
pTemp = TMP;
, .

3. Fennec Media Project. .


uint32 CUnBitArrayOld::DecodeValueRiceUnsigned(uint32 k)
{
...
while (!(m_pBitArray[m_nCurrentBitIndex >> 5] &
Powers_of_Two_Reversed[m_nCurrentBitIndex++ & 31])) {}
...
}

V567: Undefined behavior. The 'm_nCurrentBitIndex'
variable is modified while being used twice at single sequence point. MACLib unbitarrayold.cpp 78
m_nCurrentBitIndex .
, , .
, ,
-.

4. Miranda IM. .
short ezxml_internal_dtd(ezxml_root_t root,
char *s, size_t len)
{
...
while (*(n = ++s + strspn(s, EZXML_WS)) && *n != '>') {
...
}
V567: Undefined behavior. The 's' variable is modified while
being used twice between sequence points. msne ezxml.c 371
. .
, 's' strspn().

, .
.
1. MySQL. ! &.
int ha_innobase::create(...)
{
...
if (srv_file_per_table
&& !mysqld_embedded
&& (!create_info->options & HA_LEX_CREATE_TMP_TABLE)) {
...
}
V564: The '&' operator is applied to bool type value. You've
probably forgotten to include parentheses or intended to use the '&&' operator. innobase ha_innodb.cc 6789

, ,
'create_info->options' . , '!' ,
'&'. :
((!create_info->options) & HA_LEX_CREATE_TMP_TABLE)
, :
(!(create_info->options & HA_LEX_CREATE_TMP_TABLE))
, , :
((create_info->options & HA_LEX_CREATE_TMP_TABLE) == 0)

2. Emule. * ++.
STDMETHODIMP
CCustomAutoComplete::Next(..., ULONG *pceltFetched)
{
...
if (pceltFetched != NULL)
*pceltFetched++;
...
}
V532: Consider inspecting the statement of '*pointer++'
pattern. Probably meant: '(*pointer)++'. emule customautocomplete.cpp 277
'pceltFetched' , ULONG,
. , '++' ,
'*' ( ). "*pceltFetched++;"
:
TMP = pceltFetched + 1;
*pceltFetched;
pceltFetched = TMP;
, . ,
: "(*pceltFetched)++;".

3. Chromium. & !=.


#define FILE_ATTRIBUTE_DIRECTORY 0x00000010

bool GetPlatformFileInfo(PlatformFile file, PlatformFileInfo* info) {
...
info->is_directory =
file_info.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY != 0;
...
}
V564: The '&' operator is applied to bool type value. You've
probably forgotten to include parentheses or intended to use the '&&' operator. base platform_file_win.cc 216
, '!=' , '&'. .
:
info->is_directory =
file_info.dwFileAttributes & (0x00000010 != 0);
:
info->is_directory = file_info.dwFileAttributes & (true);
:
info->is_directory = file_info.dwFileAttributes & 1;
, , . ,
.

4. BCmenu. IF ELSE.
void BCMenu::InsertSpaces(void)
{
if(IsLunaMenuStyle())
if(!xp_space_accelerators) return;
else
if(!original_space_accelerators) return;
...
}

V563: It is possible that this 'else' branch must apply to the
previous 'if' statement. fire bcmenu.cpp 1853
, . , 'else'
'if'. , , :
if(IsLunaMenuStyle()) {
if(!xp_space_accelerators) return;
} else {
if(!original_space_accelerators) return;
}
:
if(IsLunaMenuStyle())
{
if(!xp_space_accelerators) {
return;
} else {
if(!original_space_accelerators) return;
}
}

5. IPP Samples. ?: |.
vm_file* vm_file_fopen(...)
{
...
mds[3] = FILE_ATTRIBUTE_NORMAL |
(islog == 0) ? 0 : FILE_FLAG_NO_BUFFERING;
...
}
V502: Perhaps the '?:' operator works in a different way
than it was expected. The '?:' operator has a lower priority than the '|' operator. vm vm_file_win.c 393

'islog',
"FILE_ATTRIBUTE_NORMAL" "FILE_ATTRIBUTE_NORMAL | FILE_FLAG_NO_BUFFERING".
. '?:' , '|'. :
mds[3] = (FILE_ATTRIBUTE_NORMAL | (islog == 0)) ?
0 : FILE_FLAG_NO_BUFFERING;
:
mds[3] = (0x00000080 | ...) ? 0 : FILE_FLAG_NO_BUFFERING;
FILE_ATTRIBUTE_NORMAL 0x00000080, . ,
mds[3] 0.

6. Newton Game Dynamics. ?: *.


dgInt32 CalculateConvexShapeIntersection (...)
{
...
den = dgFloat32 (1.0e-24f) *
(den > dgFloat32 (0.0f)) ?
dgFloat32 (1.0f) : dgFloat32 (-1.0f);
...
}
V502: Perhaps the '?:' operator works in a different way
than it was expected. The '?:' operator has a lower priority than the '*' operator. physics dgminkowskiconv.cpp 1061
'?:'.
'?:' "dgFloat32 (1.0e-24f) * (den > dgFloat32 (0.0f))".
, .
, '?:'. :
" . N2".
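Items 1, 3, 5 and 6 are all precedence mistakes. The block below is an added example, not code from the article or the cited projects: each expression is written the way the compiler actually parses it, beside the intended form, so the two can be compared on concrete inputs. FILE_ATTRIBUTE_DIRECTORY and FILE_ATTRIBUTE_NORMAL carry the values quoted above; FILE_FLAG_NO_BUFFERING is the Windows SDK value, and the value of HA_LEX_CREATE_TMP_TABLE is chosen here for illustration.

```cpp
// Constructed example, not code from the article or the cited projects. Each
// expression is written the way the compiler parses it, next to the intended
// form.
#define HA_LEX_CREATE_TMP_TABLE   2            // illustrative value, not MySQL's
#define FILE_ATTRIBUTE_DIRECTORY  0x00000010   // from the snippet above
#define FILE_ATTRIBUTE_NORMAL     0x00000080   // from the text above
#define FILE_FLAG_NO_BUFFERING    0x20000000   // Windows SDK value

// Item 1: '!' binds before '&', so (!options & FLAG) is (0 or 1) & 2, always 0.
bool not_tmp_table_as_parsed(unsigned options) { return ((!options) & HA_LEX_CREATE_TMP_TABLE) != 0; }
bool not_tmp_table_intended(unsigned options)  { return (options & HA_LEX_CREATE_TMP_TABLE) == 0; }

// Item 3: '!=' binds before '&', so attrs & FLAG != 0 is attrs & 1:
// it tests bit 0 (read-only), not the directory bit.
bool is_directory_as_parsed(unsigned attrs) { return (attrs & (FILE_ATTRIBUTE_DIRECTORY != 0)) != 0; }
bool is_directory_intended(unsigned attrs)  { return (attrs & FILE_ATTRIBUTE_DIRECTORY) != 0; }

// Item 5: '|' binds before '?:', so the whole OR expression is the condition;
// it is never zero, and the result is always 0.
unsigned open_mode_as_parsed(int islog) {
    return (FILE_ATTRIBUTE_NORMAL | (islog == 0)) ? 0 : FILE_FLAG_NO_BUFFERING;
}
unsigned open_mode_intended(int islog) {
    return FILE_ATTRIBUTE_NORMAL | ((islog == 0) ? 0 : FILE_FLAG_NO_BUFFERING);
}

// Item 6: '*' binds before '?:', so the product is the condition and the
// result is +1 or -1 instead of +1e-24 or -1e-24.
float signed_epsilon_as_parsed(float den) { return (1.0e-24f * (den > 0.0f)) ? 1.0f : -1.0f; }
float signed_epsilon_intended(float den)  { return 1.0e-24f * ((den > 0.0f) ? 1.0f : -1.0f); }
```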


, .
,
, , . ,
, printf(), .

1. ReactOS. WCHAR.
static void REGPROC_unescape_string(WCHAR* str)
{
...
default:
fprintf(stderr,
"Warning! Unrecognized escape sequence: \\%c'\n",
str[str_idx]);
...
}
V576: Incorrect format. Consider checking the third actual
argument of the 'fprintf' function. The char type argument is expected. regedit regproc.c 293
fprintf() char.
WCHAR. .
, , , '%c' '%C'.

2. Intel AMT SDK. '%'.


void addAttribute(...)
{
...
int index = _snprintf(temp, 1023,
"%02x%02x:%02x%02x:%02x%02x:%02x%02x:"
"%02x%02x:02x%02x:%02x%02x:%02x%02x",
value[0],value[1],value[2],value[3],value[4],
value[5],value[6],value[7],value[8],
value[9],value[10],value[11],value[12],
value[13],value[14],value[15]);
...
}

V576: Incorrect format. A different number of actual
arguments is expected while calling '_snprintf' function. Expected: 18. Present: 19. mod_pvs mod_pvs.cpp 308
. , PVS-Studio
, ,
. , '%'.
:
"%02x%02x:[HERE]02x%02x:%02x%02x:%02x%02x",

3. Intel AMT SDK. .


bool GetUserValues(...)
{
...
printf("Error: illegal value. Aborting.\n", tmp);
return false;
}
V576: Incorrect format. A different number of actual
arguments is expected while calling 'printf' function. Expected: 1. Present: 2. RemoteControlSample remotecontrolsample.cpp 792
, 'tmp'
.
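Items 2 and 3 are both mismatches between the number of conversions in a format string and the number of arguments. As an added example (not code from the article or the Intel AMT SDK), count_conversions() performs the count the analyzer relies on, and format_hex_groups() removes the hazard for the 16-byte case by emitting one "%02x" per byte in a loop instead of one long format string.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed example, not code from the article or the cited projects.
// Every '%' that is not '%%' consumes one argument, so the count must equal
// the number of arguments passed.
std::size_t count_conversions(const char *fmt) {
    std::size_t n = 0;
    for (const char *p = fmt; *p; ++p) {
        if (*p != '%') continue;
        if (p[1] == '%') { ++p; continue; }   // literal percent sign
        ++n;
    }
    return n;
}

// "xxxx:xxxx:..." from a byte array of any length: one conversion per byte,
// so there is no argument count to get wrong.
std::string format_hex_groups(const unsigned char *value, std::size_t len) {
    std::string out;
    char piece[3];                               // two hex digits plus NUL
    for (std::size_t i = 0; i < len; ++i) {
        std::snprintf(piece, sizeof piece, "%02x", value[i]);
        out += piece;
        if (i % 2 == 1 && i + 1 < len) out += ':';
    }
    return out;
}
```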

4. G3D Content Pak. .


class Matrix3 {
...
inline float* operator[] (int iRow) {
...
};
void AnyVal::serialize(G3D::TextOutput& t) const {
...
const Matrix3& m = *(Matrix3*)m_value;
...

t.printf("%10.5f, %10.5f, %10.5f,\n
%10.5f, %10.5f, %10.5f,\n
%10.5f, %10.5f, %10.5f)",
m[0, 0], m[0, 1], m[0, 2],
m[1, 0], m[1, 1], m[1, 2],
m[2, 0], m[2, 1], m[2, 2]);
...
}
V520: The comma operator ',' in array index expression '[0,
0]'. graphics3D anyval.cpp 275
. ,
,
.
, 'm[0, 1]'. "0, 1".
1. 'operator[]'
Matrix3. 1
. 'printf()',
float.
:
t.printf("%10.5f, %10.5f, %10.5f,\n
%10.5f, %10.5f, %10.5f,\n
%10.5f, %10.5f, %10.5f)",
m[0][0], m[0][1], m[0][2],
m[1][0], m[1][1], m[1][2],
m[2][0], m[2][1], m[2][2]);


- .
. ,
,
.
, PVS-Studio. ,
.

1. Miranda IM. IF.


void CIcqProto::handleUserOffline(BYTE *buf, WORD wLen)
{
...
else if (wTLVType = 0x29 && wTLVLen == sizeof(DWORD))
...
}
V560: A part of conditional expression is always true: 0x29.
icqoscar8 fam_03buddy.cpp 632
- , 'if' . : "if
(wTLVType == 0x29 && wTLVLen == sizeof(DWORD))".

2. ReactOS. .
BOOL WINAPI GetMenuItemInfoA(...)
{
...
mii->cch = mii->cch;
...
}
V570: The 'mii->cch' variable is assigned to itself. user32
menu.c 4347
. , : "mii->cch
= miiW->cch;".

3. Clang. .
static Value *SimplifyICmpInst(...) {
...
case Instruction::Shl: {
bool NUW =
LBO->hasNoUnsignedWrap() && LBO->hasNoUnsignedWrap();

bool NSW =
LBO->hasNoSignedWrap() && RBO->hasNoSignedWrap();
...
}
V501: There are identical sub-expressions 'LBO->hasNoUnsignedWrap ()' to the left and to the right of the '&&' operator. LLVMAnalysis instructionsimplify.cpp 1891
.
LBO, RBO. :
bool NUW = LBO->hasNoUnsignedWrap() && RBO->hasNoUnsignedWrap();

4. Notepad++. .
bool _isPointXValid;
bool _isPointYValid;
...
bool isPointValid() {
return _isPointXValid && _isPointXValid;
};
V501: There are identical sub-expressions to the left and to
the right of the '&&' operator. _isPointXValid && _isPointXValid
'_isPointXValid'. , :
"_isPointXValid && _isPointYValid".

5. StrongDC++. \r\n.
static void getContentLengthAndHeaderLength(...)
{
...
while(line[linelen] != '\r' && line[linelen] != '\r')
...
}
V501: There are identical sub-expressions 'line [linelen] !=
'\r'' to the left and to the right of the '&&' operator. miniupnpc miniupnpc.c 153

- '\r'.
'\n'.

6. G3D Content Pak. .


bool Matrix4::operator==(const Matrix4& other) const {
if (memcmp(this, &other, sizeof(Matrix4) == 0)) {
return true;
}
...
}
V575: The 'memcmp' function processes '0' elements.
Inspect the 'third' argument. graphics3D matrix4.cpp 269
, . ,
"sizeof(Matrix4) == 0".
'false'. 'false' , 0.
:
if (memcmp(this, &other, sizeof(Matrix4)) == 0) {

7. QT. .
PassRefPtr<Structure>
Structure::getterSetterTransition(Structure* structure)
{
...
transition->m_propertyStorageCapacity =
structure->m_propertyStorageCapacity;
transition->m_hasGetterSetterProperties =
transition->m_hasGetterSetterProperties;
transition->m_hasNonEnumerableProperties =
structure->m_hasNonEnumerableProperties;
transition->m_specificFunctionThrashCount =
structure->m_specificFunctionThrashCount;

...
}
V570: The 'transition->m_hasGetterSetterProperties'
variable is assigned to itself. QtScript structure.cpp 512
, . , .
'm_hasGetterSetterProperties' . :
transition->m_hasGetterSetterProperties =
structure->m_hasGetterSetterProperties;

8. Apache HTTP Server. sizeof.


PSECURITY_ATTRIBUTES GetNullACL(void)
{
PSECURITY_ATTRIBUTES sa;
sa = (PSECURITY_ATTRIBUTES)
LocalAlloc(LPTR, sizeof(SECURITY_ATTRIBUTES));
sa->nLength = sizeof(sizeof(SECURITY_ATTRIBUTES));
...
}
V568: It's odd that the argument of sizeof() operator is the
'sizeof (SECURITY_ATTRIBUTES)' expression. libhttpd util_win32.c 115
'nLength' 'SECURITY_ATTRIBUTES'.
. 'sizeof' . , 'nLength'
, 'size_t'. :
sa->nLength = sizeof(SECURITY_ATTRIBUTES);

9. FCE Ultra. .
int iNesSaveAs(char* name)
{
...
fp = fopen(name,"wb");
int x = 0;

if (!fp)
int x = 1;
...
}
V561: It's probably better to assign value to 'x' variable than
to declare it anew. Previous declaration: ines.cpp, line 960. fceux ines.cpp 962
'x' , . - ,

'x'. , :
if (!fp)
x = 1;

10. Notepad++. &&, &.


TCHAR GetASCII(WPARAM wParam, LPARAM lParam)
{
...
result=ToAscii(wParam,
(lParam >> 16) && 0xff, keys,&dwReturnedValue,0);
...
}
V560: A part of conditional expression is always true: 0xff.
notepadPlus babygrid.cpp 694
"(lParam >> 16) && 0xff"
1 (true). , '&&',
'&'.

11. WinDjView. .
inline bool IsValidChar(int c)
{
return c == 0x9 || 0xA || c == 0xD || c >= 0x20 &&
c <= 0xD7FF || c >= 0xE000 && c <= 0xFFFD ||
c >= 0x10000 && c <= 0x10FFFF;

}
V560: A part of conditional expression is always true: 0xA.
WinDjView xmlparser.cpp 45 False
IsValidChar 'true'. - ,
: "... || 0xA || ...".

12. Fennec Media Project. .


int settings_default(void)
{
...
for(i=0; i<16; i++);
for(j=0; j<32; j++)
{
settings.conversion.equalizer_bands.boost[i][j] = 0.0;
settings.conversion.equalizer_bands.preamp[i]

= 0.0;

}
}
V529: Odd semicolon ';' after 'for' operator. settings.c 483
, ';' ++. ,
. 'for'
, .

13. QT. break.


int QCleanlooksStyle::pixelMetric(...)
{
...
case PM_SpinBoxFrameWidth:
ret = 3;
break;
case PM_MenuBarItemSpacing:
ret = 6;

case PM_MenuBarHMargin:
ret = 0;
break;
...
}
V519: The 'ret' variable is assigned values twice
successively. Perhaps this is a mistake. Check lines: 3765, 3767. QtGui qcleanlooksstyle.cpp 3767
- 'break' 'switch'. ,
.

14. Miranda IM. .


int FindItem(...)
{
...
int ret;
ret=FindItem(hwnd,dat,hItem,
(struct ClcContact ** )&z,
(struct ClcGroup ** )&isv,NULL);
if (ret=0) {return (0);}
...
}
V559: Suspicious assignment inside the condition
expression of 'if' operator: ret = 0. clist_mw clcidents.c 179
'if'. '==' '='.
, .

15. IPP Samples. .


struct AVS_MB_INFO
{
...
Ipp8u refIdx[AVS_DIRECTIONS][4];

...
};

void AVSCompressor::GetRefIndiciesBSlice(void){
...
if (m_pMbInfo->predType[0] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][0];
iRefNum += 1;
}
if (m_pMbInfo->predType[1] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][1];
iRefNum += 1;
}
if (m_pMbInfo->predType[2] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][2];
iRefNum += 1;
}
if (m_pMbInfo->predType[3] & predType)
{
m_refIdx[iRefNum] = m_pMbInfo->refIdx[dir][30];
iRefNum += 1;
}
...
}
V557: Array overrun is possible. The '30' index is pointing
beyond array bound. avs_enc umc_avs_enc_compressor_enc_b.cpp 495
: "m_pMbInfo->refIdx[dir][30]". -
3 30. ,

. "
". ,
, PVS-Studio.

16. ReactOS. .
#define SWAP(a,b,c) \
c = a;\
a = b;\
a = c

V519: The 'v2' variable is assigned values twice successively.
Perhaps this is a mistake. Check lines: 343, 343. win32k gradient.c 343
,
. .
:
#define SWAP(a,b,c) \
c = a;\
a = b;\
b = c

17. Quake-III-Arena. . .
void Q1_AllocMaxBSP(void)
{
...
q1_allocatedbspmem +=
Q1_MAX_MAP_CLIPNODES * sizeof(q1_dclipnode_t);
...
q1_allocatedbspmem +=
Q1_MAX_MAP_EDGES , sizeof(q1_dedge_t);
...
q1_allocatedbspmem +=
Q1_MAX_MAP_MARKSURFACES * sizeof(unsigned short);
...
}

V521: Such expressions using the ',' operator are
dangerous. Make sure the expression is correct. bspc l_bsp_q1.c 136
. . '*' ','.
, 'q1_allocatedbspmem' '
sizeof(q1_dedge_t)'. , .

18. LibXml. =+.


static int
xmlXPathCompOpEvalFirst(...)
{
...
total += xmlXPathCompOpEvalFirst(...);
...
total =+ xmlXPathCompOpEvalFilterFirst(ctxt, op, first);
...
}
V588: The expression of the 'A =+ B' kind is utilized.
Consider reviewing it, as it is possible that 'A += B' was meant. libxml xpath.c 12676
, "+=" "=+". ,
. , .

. ,
. .
. - 18 .


1. Fennec Media Project. .
int JoiningProc(HWND hwnd,UINT uMsg,
WPARAM wParam,LPARAM lParam)
{
...
OPENFILENAME lofn;
memset(&lofn, 0, sizeof(lofn));
...
lofn.lpstrFilter = uni("All Files (*.*)\0*.*");
...
}
V540: Member 'lpstrFilter' should point to string
terminated by two 0 characters. base windows.c 5309
Windows API ,
. 'lpstrFilter' OPENFILENAME.
'lpstrFilter' MSDN:
LPCTSTR
A buffer containing pairs of null-terminated filter strings. The last string in the buffer must be terminated
by two NULL characters.
,
. :
lofn.lpstrFilter = uni("All Files (*.*)\0*.*\0");

2. TortoiseSVN. 'remove'.
STDMETHODIMP CShellExt::Initialize(....)
{
...
ignoredprops = UTF8ToWide(st.c_str());
// remove all escape chars ('\\')
std::remove(ignoredprops.begin(), ignoredprops.end(), '\\');
break;
...
}
V530: The return value of function 'remove' is required to
be utilized. contextmenu.cpp 442
std::remove .
. vector<int>,
1,2,3,1,2,3,1,2,3. "remove( v.begin(), v.end(), 2 )",

1,3,1,3,X,X,X, X - .
, ,
: "v.erase(remove(v.begin(), v.end(), 2), v.end())".

3. TortoiseSVN. 'empty' 'clear'.


CMailMsg& CMailMsg::SetFrom(string sAddress,
string sName)
{
if (initIfNeeded())
{
// only one sender allowed
if (m_from.size())
m_from.empty();
m_from.push_back(TStrStrPair(sAddress,sName));
}
return *this;
}
V530: The return value of function 'empty' is required to be
utilized. mailmsg.cpp 40
, vector::clear()
vector::empty() .
, 'clear' 'empty' , .

4. WinMerge. 'empty' 'clear'.


void CDirView::GetItemFileNames(int sel,
String& strLeft, String& strRight) const
{
UINT_PTR diffpos = GetItemKey(sel);
if (diffpos == (UINT_PTR)SPECIAL_ITEM_POS)
{
strLeft.empty();

strRight.empty();
}
else
{
...
}
}
V530: The return value of function 'empty' is required to be
utilized WinMerge DirActions.cpp 1307, 1308
, clear() empty().
: InstantVNC, IPP Samples, Chromium, Intel AMT SDK
. , , .
, ,
.
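Items 2, 3 and 4 are misuses of the standard library: std::remove() only shifts the kept elements forward and returns the new logical end, and empty() is a query while clear() is the mutator. The block below is an added example, not code from the article or TortoiseSVN/WinMerge; it runs the sequence 1,2,3,1,2,3,1,2,3 from the text through both forms.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Constructed example, not code from the article or the cited projects.

// Item 2: without erase(), the container keeps its size and the tail holds
// unspecified leftovers.
std::vector<int> remove_without_erase(std::vector<int> v, int x) {
    std::remove(v.begin(), v.end(), x);   // return value ignored: size unchanged
    return v;
}
// The erase-remove idiom from the text.
std::vector<int> remove_and_erase(std::vector<int> v, int x) {
    v.erase(std::remove(v.begin(), v.end(), x), v.end());
    return v;
}
// The same idiom applied to the TortoiseSVN case: drop every backslash.
std::string strip_backslashes(std::string s) {
    s.erase(std::remove(s.begin(), s.end(), '\\'), s.end());
    return s;
}

// Items 3 and 4: empty() reports whether the container is empty; clear() empties it.
std::size_t size_after_empty(std::vector<int> v) { (void)v.empty(); return v.size(); }
std::size_t size_after_clear(std::vector<int> v) { v.clear(); return v.size(); }
```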

5. Pixie. 'alloca' .
inline void triangulatePolygon(...) {
...
for (i=1;i<nloops;i++) {
...
do {
...
do {
...
CTriVertex *snVertex =
(CTriVertex *)alloca(2*sizeof(CTriVertex));
...
} while(dVertex != loops[0]);
...
} while(sVertex != loops[i]);
...
}
...
}
V505: The 'alloca' function is used inside the loop. This can
quickly overflow stack. ri polygons.cpp 1120
alloca , , ,
. ,
. .

6. Miranda IM. .
static BOOL ImageArray_Alloc(LP_IMAGE_ARRAY_DATA iad, int size)
{
...
memset(&iad->nodes[iad->nodes_allocated_size],
(size_grow - iad->nodes_allocated_size) *
sizeof(IMAGE_ARRAY_DATA_NODE),
0);
...
}
V575: Function receives an odd argument. clist_modern
modern_image_array.cpp 59
'memset' 0 . , .
. memset:
memset(&iad->nodes[iad->nodes_allocated_size],
0,
(size_grow - iad->nodes_allocated_size) *
sizeof(IMAGE_ARRAY_DATA_NODE));


1. IPP Samples. .
void lNormalizeVector_32f_P3IM(Ipp32f *vec[3],
Ipp32s* mask, Ipp32s len)
{
Ipp32s i;
Ipp32f norm;

for(i=0; i<len; i++) {
if(mask<0) continue;
norm = 1.0f/sqrt(vec[0][i]*vec[0][i]+
vec[1][i]*vec[1][i]+vec[2][i]*vec[2][i]);
vec[0][i] *= norm; vec[1][i] *= norm; vec[2][i] *= norm;
}
}
V503: This is a nonsensical comparison: pointer < 0.
ipprsample ippr_sample.cpp 501
, 3 : "[i]". ,
, , .
: if(mask[i] < 0).

2. Pc Ps2 Emulator. switch.


LRESULT CALLBACK IOP_DISASM(...)
{
...
switch(LOWORD(wParam))
{
case (IDOK || IDCANCEL):
EndDialog(hDlg,TRUE);
return(TRUE);
break;
}
...
}
V560: A part of conditional expression is always true: 2.
pcsx2 debugger.cpp 321

. ,
:
switch(LOWORD(wParam))
{
case IDOK: //no break
case IDCANCEL:
EndDialog(hDlg,TRUE);
return(TRUE);
break;
}

3. CPU Identifying Tool. .


void projillum(short* wtab, int xdots, int ydots, double dec)
{
...
s = sin(-dtr(dec));
x = -s * sin(th);
y = cos(th);
...
lon = (y == 0 && x == 0) ? 0.0 : rtd(atan2(y, x));
}
V550: An odd precise comparison: x == 0. It's probably
better to use a comparison with defined precision: fabs(A - B) '<' Epsilon. clock_dll sunalgo.cpp 155
, 'sin' 'cos'
0. ,
.

4. Lugaru. .
int Game::DrawGLScene(void)
{
...

radius=fast_sqrt(maxdistance);
radius=110;
...
}
V519: The 'radius' object is assigned values twice
successively. Perhaps this is a mistake. Lugaru gamedraw.cpp 1505
, , 'radius' 110.
. , .

5. QT. .
Q3TextCustomItem* Q3TextDocument::parseTable(...)
{
...
while (end < length
&& !hasPrefix(doc, length, end, QLatin1String("</td"))
&& !hasPrefix(doc, length, end, QLatin1String("<td"))
&& !hasPrefix(doc, length, end, QLatin1String("</th"))
&& !hasPrefix(doc, length, end, QLatin1String("<th"))
&& !hasPrefix(doc, length, end, QLatin1String("<td"))
&& !hasPrefix(doc, length, end, QLatin1String("</tr"))
&& !hasPrefix(doc, length, end, QLatin1String("<tr"))
&& !hasPrefix(doc, length, end, QLatin1String("</table"))) {

...
}
V501: There are identical sub-expressions to the left and to
the right of the '&&' operator. Qt3Support q3richtext.cpp 6978
"<td". . ,
. "<td" .

6. Audacity. .

int sf_error (SNDFILE *sndfile)
{
...
if (!sndfile)
{
if (sf_error != 0)
return sf_errno;
return 0;
} ;
...
}
V516: Consider inspecting an odd expression. Non-null
function pointer is compared to null: 'sf_error != 0'. libsndfile sndfile.c 491
"sf_error != 0" true, 'sf_error' ,
.

7. IPP Samples. .
static IppStatus mp2_HuffmanTableInitAlloc(Ipp32s *tbl, ...)
{
...
for (i = 0; i < num_tbl; i++) {
*tbl++;
}
...
}
V532: Consider inspecting the statement of '*pointer++'
pattern. Probably meant: '(*pointer)++'. mpeg2_dec umc_mpeg2_dec.cpp 59
, , .


.
. ASSERT,
.
.

1. Shareaza. char.
void CRemote::Output(LPCTSTR pszName)
{

...
CHAR* pBytes = new CHAR[ nBytes ];
hFile.Read( pBytes, nBytes );
...
if ( nBytes > 3 && pBytes[0] == 0xEF &&
pBytes[1] == 0xBB && pBytes[2] == 0xBF )
{
pBytes += 3;
nBytes -= 3;
bBOM = true;
}
...
}
V547: Expression 'pBytes [ 0 ] == 0xEF' is always false. The
value range of signed char type: [-128, 127]. Shareaza remote.cpp 350
'TCHAR' 'char'. char -128 127
. 0xEF char , -17.
'char' 0xEF, 'int'. [-128..127]. "pBytes[0] == 0xEF" ("-17 == 0xEF")
, .
:
if ( nBytes > 3 && pBytes[0] == TCHAR(0xEF) &&
pBytes[1] == TCHAR(0xBB) &&
pBytes[2] == TCHAR(0xBF) )

2. TortoiseSVN. char.
BOOL TortoiseBlame::OpenFile(const TCHAR *fileName)
{
...
// check each line for illegal utf8 sequences.
// If one is found, we treat
// the file as ASCII, otherwise we assume
// an UTF8 file.
char * utf8CheckBuf = lineptr;
while ((bUTF8)&&(*utf8CheckBuf))
{
if ((*utf8CheckBuf == 0xC0)||
(*utf8CheckBuf == 0xC1)||
(*utf8CheckBuf >= 0xF5))
{
bUTF8 = false;
break;
}

...
}
...
}
V547: Expression '* utf8CheckBuf == 0xC0' is always false.
The value range of signed char type: [-128, 127]. tortoiseblame.cpp 310
,
. , .
.
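Items 1 and 2 compare a (signed) char with a constant above 127, which can never be equal. The block below is an added example, not code from the article or Shareaza/TortoiseSVN: the bytes are read through unsigned char so the comparison is correct whatever the platform's char signedness, and the original form is kept beside it for comparison on the current platform.

```cpp
#include <climits>
#include <cstddef>

// Constructed example, not code from the article or the cited projects. With
// a signed char, the byte 0xEF is stored as -17 and promoted to int -17,
// which never equals 0xEF (239). Reading the bytes through unsigned char makes
// the comparison correct regardless of the platform's char signedness.
bool has_utf8_bom(const char *bytes, std::size_t n) {
    const unsigned char *p = reinterpret_cast<const unsigned char *>(bytes);
    return n >= 3 && p[0] == 0xEF && p[1] == 0xBB && p[2] == 0xBF;
}

// Item 1's original comparison; true only where char is unsigned (CHAR_MIN == 0).
bool has_utf8_bom_as_written(const char *bytes, std::size_t n) {
    return n >= 3 && bytes[0] == 0xEF && bytes[1] == 0xBB && bytes[2] == 0xBF;
}

// Item 2's check: byte values that never appear in well-formed UTF-8.
bool is_invalid_utf8_byte(unsigned char c) { return c == 0xC0 || c == 0xC1 || c >= 0xF5; }

// True when no byte of the NUL-terminated buffer is an impossible UTF-8 byte.
bool passes_utf8_byte_check(const char *s) {
    for (const unsigned char *p = reinterpret_cast<const unsigned char *>(s); *p; ++p)
        if (is_invalid_utf8_byte(*p)) return false;
    return true;
}
```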

3. VirtualDub. >= 0.
typedef unsigned short wint_t;
...
void lexungetc(wint_t c) {
if (c < 0)
return;
g_backstack.push_back(c);
}

V547: Expression 'c < 0' is always false. Unsigned type value
is never < 0. Ami lexer.cpp 225
"c < 0" , 0.

4. Swiss-Army Knife of Trace. .


static UINT_PTR m_socketHandle;

void TTrace::LoopMessages(void)
{
...
// Socket creation
if ( (m_socketHandle = socket(AF_INET,SOCK_STREAM,0)) < 0)
{
continue;
}
...
}
V547: Expression '(m_socketHandle = socket (2, 1, 0)) < 0' is
always false. Unsigned type value is never < 0. Vs8_Win_Lib tracetool.cpp 871
, . ,
. ,
INVALID_SOCKET:

m_socketHandle = socket(AF_INET,SOCK_STREAM, 0);
if (m_socketHandle == INVALID_SOCKET)
...

5. Chromium. .
IdleState CalculateIdleState(...) {
...
DWORD current_idle_time = 0;
...
// Will go -ve if we have been idle for
// a long time (2gb seconds).
if (current_idle_time < 0)
current_idle_time = INT_MAX;
...
}
V547: Expression 'current_idle_time < 0' is always false.
Unsigned type value is never < 0. browser idle_win.cc 23
. ,
. :
if (current_idle_time > INT_MAX)
current_idle_time = INT_MAX;

6. ICU. .
U_CDECL_BEGIN static const char* U_CALLCONV
_processVariableTop(...)
{
...
if(i == locElementCapacity &&
(*string != 0 || *string != '_'))
{

*status = U_BUFFER_OVERFLOW_ERROR;
}
...
}
V547: Expression '*string != 0 || *string != '_'' is always
true. Probably the '&&' operator should be used here. icui18n ucol_sit.cpp 242
. "(*string != 0 || *string != '_')"
. 0 '_'.

7. QT. .
bool equals( class1* val1, class2* val2 ) const{
{
...
size_t size = val1->size();
...
while ( --size >= 0 ){
if ( !comp(*itr1,*itr2) )
return false;
itr1++;
itr2++;
}
...
}
V547: Expression '--size >= 0' is always true. Unsigned type
value is always >= 0. QtCLucene arrays.h 154
(--size >= 0) , size . ,
, .
Access Violation .
:
for (size_t i = 0; i != size; i++){
if ( !comp(*itr1,*itr2) )

return false;
itr1++;
itr2++;
}
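Items 5 and 7 both test an unsigned value against zero. The block below is an added example, not code from the article or Qt/Chromium: it shows a count-down loop over size_t that terminates, and the clamp the Chromium text proposes, written so the results can be checked.

```cpp
#include <climits>
#include <cstddef>
#include <vector>

// Constructed example, not code from the article or the cited projects. An
// unsigned value is never below zero, so `--size >= 0` loops until size wraps
// around and the iterators run off the end. Testing `i-- > 0` visits
// size-1 .. 0 and stops; an empty range runs zero times.
std::vector<std::size_t> indices_descending(std::size_t size) {
    std::vector<std::size_t> seen;
    for (std::size_t i = size; i-- > 0; )
        seen.push_back(i);
    return seen;
}

// Item 5: `current_idle_time < 0` is always false for a DWORD; the intended
// guard compares against the largest value the caller accepts.
unsigned clamp_idle_time(unsigned idle) {
    const unsigned limit = static_cast<unsigned>(INT_MAX);
    return idle > limit ? limit : idle;
}
```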

8. MySQL. .
enum enum_mysql_timestamp_type
str_to_datetime(...)
{
...
else if (str[0] != 'a' || str[0] != 'A')
continue; /* Not AM/PM */
...
}
V547: Expression 'str [0] != 'a' || str [0] != 'A'' is always true.
Probably the '&&' operator should be used here. clientlib my_time.c 340
, 'a' 'A'. :
else if (str[0] != 'a' && str[0] != 'A')

9. QT. .
STDMETHODIMP QEnumPins::QueryInterface(const IID &iid,void **out)
{
...
if (S_OK)
AddRef();
return hr;
}
V545: Such conditional expression of 'if' operator is
incorrect for the HRESULT type value '(HRESULT) 0L'. The SUCCEEDED or FAILED macro should be used
instead. phonon_ds9 qbasefilter.cpp 60

S_OK. S_OK 0, AddRef()


. : if (hr == S_OK).

10. TickerTape. .
void GetWindAtSingleTornado(...)
{
...
if(radius < THRESH * 5)
*yOut = THRESH * 10 / radius;
else if (radius < THRESH * 5)
*yOut = -3.0f / (THRESH * 5.0f) *
(radius - THRESH * 5.0f) + 3.0f;
else
*yOut = 0.0f;
...
}
V517: The use of 'if (A) {...} else if (A) {...}' pattern was
detected. There is a probability of logical error presence. TickerTape wind.cpp 118
. , . ,
.

11. Apache HTTP Server. Windows.


typedef UINT_PTR SOCKET;

static unsigned int __stdcall win9x_accept(void * dummy)
{
SOCKET csd;
...
do {
clen = sizeof(sa_client);
csd = accept(nsd, (struct sockaddr *) &sa_client, &clen);
} while (csd < 0 && APR_STATUS_IS_EINTR(apr_get_netos_error()));
...
}
V547: Expression 'csd < 0' is always false. Unsigned type
value is never < 0. libhttpd child.c 404
,
Windows. Linux ,
Windows . ,
0. , .

12. QT. .
QStringList ProFileEvaluator::Private::values(...)
{
...
else if (ver == QSysInfo::WV_NT)
ret = QLatin1String("WinNT");
else if (ver == QSysInfo::WV_2000)
ret = QLatin1String("Win2000");
else if (ver == QSysInfo::WV_2000)    <<--
ret = QLatin1String("Win2003");
else if (ver == QSysInfo::WV_XP)
ret = QLatin1String("WinXP");
...
}
V517: The use of 'if (A) {...} else if (A) {...}' pattern was
detected. There is a probability of logical error presence. Check lines: 2303, 2305. lrelease
profileevaluator.cpp 2303
"ver == QSysInfo::WV_2003". -
"ret = QLatin1String("Win2003")" .


, , ,
.

, . ,
,
.

1. Ultimate TCP/IP. .
char *CUT_CramMd5::GetClientResponse(LPCSTR ServerChallenge)
{
...
if (m_szPassword != NULL)
{
...
if (m_szPassword != '\0')
{
...
}
V528: It is odd that pointer to 'char' type is compared with
the '\0' value. Probably meant: *m_szPassword != '\0'. UTMail ut_crammd5.cpp 333
, NULL
. , NULL. ,
. "if (m_szPassword != '\0')" ,
.
, . :
if (m_szPassword != NULL)
{
...
if (*m_szPassword != '\0')

2. Chromium. .
bool ChromeFrameNPAPI::Invoke(...)
{
ChromeFrameNPAPI* plugin_instance =
ChromeFrameInstanceFromNPObject(header);

if (!plugin_instance &&
(plugin_instance->automation_client_.get()))
return false;
...
}
V522: Dereferencing of the null pointer 'plugin_instance'
might take place. Check the logical condition. chrome_frame_npapi chrome_frame_npapi.cc 517
, , . ,
. :
if (plugin_instance &&
(plugin_instance->automation_client_.get()))
return false;

3. SMTP Client with SSL/TLS. Only one byte of a buffer cleared.

void MD5::finalize () {
  ...
  uint1 buffer[64];
  ...
  // Zeroize sensitive information
  memset (buffer, 0, sizeof(*buffer));
  ...
}
V512: A call of the 'memset' function will lead to a buffer overflow or underflow. CSmtp md5.cpp 212
The comment says the buffer holds sensitive information and must be zeroed. That does not happen. 'sizeof' is applied to '*buffer', an object of type 'uint1', so only the first byte of the 64-byte array is cleared. The correct call is:
memset (buffer, 0, sizeof(buffer));
The analyzer reports this as an underflow: the call touches less memory than the buffer holds. The remaining 63 bytes keep the intermediate hash state until something else happens to overwrite that part of the stack.

4. Chromium. sizeof of a pointer.

void Time::Explode(..., Exploded* exploded) const {
  ...
  ZeroMemory(exploded, sizeof(exploded));
  ...
}
V512: A call of the 'memset' function will lead to underflow of the buffer '(exploded)'. base time_win.cc 227
ZeroMemory is meant to clear the Exploded structure that 'exploded' points to. Instead, 'sizeof' is applied to the pointer, so only the first 4 or 8 bytes of the structure (the size of a pointer on the target platform) are zeroed. The correct code is:
ZeroMemory(exploded, sizeof(*exploded));

5. Apache HTTP Server. sizeof of a pointer.

#define MEMSET_BZERO(p,l) memset((p), 0, (l))

void apr__SHA256_Final(..., SHA256_CTX* context) {
  ...
  MEMSET_BZERO(context, sizeof(context));
  ...
}
V512: A call of the 'memset' function will lead to underflow of the buffer '(context)'. apr sha2.c 560
The same error. The intention is to wipe the hash context once the digest has been produced, but 'sizeof' is taken of the pointer rather than of the SHA256_CTX structure, so nearly all of the context (including the buffered input) stays in memory. The size should be "sizeof(*context)".
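To make the difference measurable, here is an added example (my code, not code from Apache, Chromium or the article) that fills a constructed stand-in for a hash context with non-zero bytes, wipes it first with sizeof of the pointer and then with sizeof of the object, and counts how many bytes survive each call. The 'hash_ctx' layout is made up purely to have a realistic size, and the ZERO_OBJECT macro shows the pattern that makes the mistake hard to write.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a hash context (not APR's SHA256_CTX):
   chosen only so that the object is much larger than a pointer (104 bytes). */
typedef struct {
    uint32_t state[8];
    uint64_t bitcount;
    uint8_t  buffer[64];
} hash_ctx;

/* The pattern that gets the size right: sizeof of the pointed-to object.
   For a pointer to a single object this is always the object size. */
#define ZERO_OBJECT(p) memset((p), 0, sizeof(*(p)))

/* Count the bytes of a context that are still non-zero. */
static size_t nonzero_bytes(const hash_ctx *ctx) {
    const unsigned char *raw = (const unsigned char *)ctx;
    size_t count = 0;
    for (size_t i = 0; i < sizeof(*ctx); i++)
        if (raw[i] != 0) count++;
    return count;
}

/* Fill a context with 0xAA, wipe 'wipe_len' bytes of it, report what is left. */
static size_t wipe_and_count(size_t wipe_len) {
    hash_ctx ctx;
    memset(&ctx, 0xAA, sizeof(ctx));
    memset(&ctx, 0, wipe_len);
    return nonzero_bytes(&ctx);
}

/* The page's bug: sizeof(context) is the size of the pointer (4 or 8 bytes). */
size_t leftover_after_wrong_wipe(void) {
    hash_ctx *context = NULL;             /* only its type matters for sizeof */
    size_t wrong_len = sizeof(context);   /* the pointer, not the object */
    return wipe_and_count(wrong_len);
}

/* The fix: sizeof(*context) is the size of the structure. */
size_t leftover_after_right_wipe(void) {
    hash_ctx *context = NULL;
    size_t right_len = sizeof(*context);  /* sizeof does not evaluate its operand */
    return wipe_and_count(right_len);
}

/* The macro form: the size is derived from the pointer's target type. */
size_t leftover_after_zero_object(void) {
    hash_ctx ctx;
    memset(&ctx, 0xAA, sizeof(ctx));
    ZERO_OBJECT(&ctx);
    return nonzero_bytes(&ctx);
}

int main(void) {
    printf("context size %zu, pointer size %zu\n", sizeof(hash_ctx), sizeof(hash_ctx *));
    printf("left after sizeof(context):  %zu bytes\n", leftover_after_wrong_wipe());
    printf("left after sizeof(*context): %zu bytes\n", leftover_after_right_wipe());
    printf("left after ZERO_OBJECT:      %zu bytes\n", leftover_after_zero_object());
    return 0;
}
```

On a 64-bit build the wrong call leaves 96 of the 104 bytes untouched; on a 32-bit build, 100. Compilers also help here: GCC and Clang warn about memset(p, 0, sizeof(p)) when 'p' is the destination argument, so the warning is worth turning on (and not silencing by routing the size through a variable, as the example has to do to reproduce the bug).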

6. Miranda IM. Pointer compared with a character.
static char *_skipblank(char * str)
{
  char * endstr=str+strlen(str);
  while ((*str==' ' || *str=='\t') && str!='\0') str++;
  while ((*endstr==' ' || *endstr=='\t') &&
         endstr!='\0' && endstr<str)
    endstr--;
  ...
}
Two warnings are issued:
V528 It is odd that pointer to 'char' type is compared with the '\0' value. Probably meant: *str != '\0'. clist_modern modern_skinbutton.cpp 282
V528 It is odd that pointer to 'char' type is compared with the '\0' value. Probably meant: *endstr != '\0'. clist_modern modern_skinbutton.cpp 283
In both loops the pointer itself, not the character it points to, is compared with '\0'. The pointers are never null here, so "str!='\0'" and "endstr!='\0'" are always true and contribute nothing; the end-of-string checks the author wanted are simply absent. A loop that walks a string without a real terminator check is how Access Violations happen. The correct code is:
while ((*str==' ' || *str=='\t') && *str!='\0') str++;
while ((*endstr==' ' || *endstr=='\t') &&
       *endstr!='\0' && endstr<str)
  endstr--;
Note also that 'endstr' is initialised to point at the terminating zero, so as shown the second loop's first test fails at once; the analyzer reports only the pointer comparisons, and the loop deserves a second look of its own.

7. PNG library. Null written into a pointer instead of a string.
png_size_t
png_check_keyword(png_structp png_ptr, png_charp key,
   png_charpp new_key)
{
  ...
  if (key_len > 79)
  {
    png_warning(png_ptr, "keyword length must be 1 - 79 characters");
    new_key[79] = '\0';
    key_len = 79;
  }
  ...
}
V527: It is odd that the '\0' value is assigned to 'char' type pointer. Probably meant: *new_key [79] = '\0'. graphics3D pngwutil.c 1283
The intention is to truncate an over-long keyword to 79 characters. But 'new_key' has type png_charpp, a pointer to a pointer to char, so "new_key[79] = '\0'" does not terminate the string: it stores a null pointer into the 80th element of an array of pointers that does not exist, writing far past the single pointer 'new_key' refers to. The keyword itself is not truncated. The correct code is:
(*new_key)[79] = '\0';

8. Intel AMT SDK. Identical subexpressions.

static void
wsman_set_subscribe_options(...)
{
  ...
  if (options->delivery_certificatethumbprint ||
      options->delivery_password ||
      options->delivery_password) {
  ...
}
V501: There are identical sub-expressions 'options->delivery_password' to the left and to the right of the '||' operator. OpenWsmanLib wsman-client.c 631
'delivery_password' is tested twice, and the field that should have been tested alongside it is not checked at all. Judging by the names, the condition was meant to be:
if (options->delivery_certificatethumbprint ||
    options->delivery_username ||
    options->delivery_password) {

9. Ultimate TCP/IP. Unsigned underflow.
void CUT_StrMethods::RemoveCRLF(LPSTR buf)
{
  // v4.2 changed to size_t
  size_t len, indx = 1;

  if(buf != NULL){
    len = strlen(buf);
    while((len - indx) >= 0 && indx <= 2) {
      if(buf[len - indx] == '\r' ||
         buf[len - indx] == '\n')
        buf[len - indx] = 0;
      ++indx;
    }
  }
}
V547: Expression '(len - indx) >= 0' is always true. Unsigned type value is always >= 0. UTDns utstrlst.cpp 58
"len - indx" has type 'size_t', which is unsigned, so it is always >= 0 and the first half of the loop condition never stops the loop. The comment shows what happened: the variables were changed to size_t in version 4.2, and a check that was meaningful for signed values became a no-op. Take an empty string: len = 0, indx = 1. Then len - indx does not yield -1 but wraps to 0xFFFFFFFFu on a 32-bit build, which is of course > 0; indx <= 2 also holds, so the loop body runs and evaluates "buf[len - indx]", that is "buf[0xFFFFFFFFu]". The result is an Access Violation.

10. Miranda IM. Underflow.

void Append( PCXSTR pszSrc, int nLength )
{
  ...
  UINT nOldLength = GetLength();
  if (nOldLength < 0)
  {
    // protects from underflow
    nOldLength = 0;
  }
  ...
}
V547: Expression 'nOldLength < 0' is always false. Unsigned type value is never < 0. IRC mstring.h 229
'nOldLength' is unsigned, so "if (nOldLength < 0)" is never true and the protection from underflow promised by the comment does not exist: a negative length, wherever it came from, has already turned into a large positive value by the time it is stored in a UINT, and it passes the check unnoticed.

11. Apache HTTP Server. Sign check on an unsigned length.

typedef size_t apr_size_t;

APU_DECLARE(apr_status_t) apr_memcache_getp(...)
{
  ...
  apr_size_t len = 0;
  ...
  len = atoi(length);
  ...
  if (len < 0) {
    *new_length = 0;
    *baton = NULL;
  }
  else {
    ...
  }
}
V547: Expression 'len < 0' is always false. Unsigned type value is never < 0. aprutil apr_memcache.c 814
"if (len < 0)" is meaningless because 'len' is unsigned. The value comes from atoi() applied to the string 'length'; if that string holds a negative number, the result becomes a very large apr_size_t, the error branch is skipped, and the code continues with a length it never validated. The sign has to be checked on the signed result of atoi() before it is stored in 'len'.

12. Ultimate TCP/IP. Unsigned loop counter.

void CUT_StrMethods::RemoveSpaces(LPSTR szString) {
  ...
  size_t loop, len = strlen(szString);
  // Remove the trailing spaces
  for(loop = (len-1); loop >= 0; loop--) {
    if(szString[loop] != ' ')
      break;
  }
  ...
}
V547: Expression 'loop >= 0' is always true. Unsigned type value is always >= 0. UTDns utstrlst.cpp 430
A classic error. The loop is meant to stop when 'loop' drops below zero, but 'loop' is unsigned and never does. Once 'loop' reaches 0 and is decremented, it becomes 0xFFFFFFFFu or 0xFFFFFFFFFFFFFFFFu (depending on the platform), which is still >= 0, and the next iteration reads szString[0xFFFFFFFFu], far outside the string. An empty string triggers the same thing on the very first iteration, since len-1 already wraps. This is undefined behaviour in C/C++; in practice the loop reads arbitrary memory until it either happens upon a byte that is not a space or crashes.
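The three unsigned-arithmetic errors above (items 9, 11 and 12) have the same cure: test the length before stepping below it, and check a sign while the value is still signed. The following is an added example of that discipline (my code, not Ultimate TCP/IP's or APR's): a CR/LF trimmer and a trailing-space trimmer that count down only while the length is non-zero, and a length parser that rejects a negative number on the signed side before anything is converted to size_t. The function names and the '*_matches' wrappers are mine.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

/* Strip up to two trailing '\r' / '\n' characters ("\r\n", "\n\n", "\n", "\r").
   With an unsigned length the loop guard is "len > 0", never "len - 1 >= 0":
   the latter is always true and wraps around on an empty string. */
void remove_crlf(char *buf) {
    if (buf == NULL) return;
    size_t len = strlen(buf);
    int removed = 0;
    while (len > 0 && removed < 2 &&
           (buf[len - 1] == '\r' || buf[len - 1] == '\n')) {
        buf[--len] = '\0';
        removed++;
    }
}

/* Strip trailing spaces. The index is tested before it is decremented,
   so it can never pass below zero and wrap. */
void remove_trailing_spaces(char *s) {
    if (s == NULL) return;
    size_t len = strlen(s);
    while (len > 0 && s[len - 1] == ' ')
        len--;
    s[len] = '\0';
}

/* Parse a decimal length. Returns -1 for a negative, non-numeric or
   out-of-range value. The sign is checked on the signed result of strtol,
   before a conversion to size_t could hide it; a caller stores the value
   with "len = (size_t)v" only after testing "v >= 0". */
long parse_length(const char *text) {
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE || v < 0)
        return -1;
    return v;
}

/* Helpers: run a trimmer on a copy of 'in' and compare with 'expected'. */
int crlf_result_matches(const char *in, const char *expected) {
    char buf[64];
    snprintf(buf, sizeof(buf), "%s", in);
    remove_crlf(buf);
    return strcmp(buf, expected) == 0;
}

int spaces_result_matches(const char *in, const char *expected) {
    char buf[64];
    snprintf(buf, sizeof(buf), "%s", in);
    remove_trailing_spaces(buf);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed inputs: the empty string is the case the originals get wrong. */
    printf("crlf   : %d %d %d\n", crlf_result_matches("line\r\n", "line"),
           crlf_result_matches("", ""), crlf_result_matches("x\n\n\n", "x\n"));
    printf("spaces : %d %d\n", spaces_result_matches("   ", ""),
           spaces_result_matches("ab  ", "ab"));
    printf("length : %ld %ld\n", parse_length("42"), parse_length("-5"));
    return 0;
}
```

The same rule applies to the comparison in item 9 if one insists on keeping the index arithmetic: write "len >= indx" rather than "(len - indx) >= 0", so the subtraction is never performed on values that would wrap.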

13. Crypto++. memset removed by the compiler.
void CAST256::Base::UncheckedSetKey(const byte *userKey,
  unsigned int keylength, const NameValuePairs &)
{
  AssertValidKeyLength(keylength);
  word32 kappa[8];
  ...
  memset(kappa, 0, sizeof(kappa));
}
V597: The compiler could delete the 'memset' function call, which is used to flush 'kappa' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. cryptlib cast.cpp 293
The memset() call is the last thing that happens to 'kappa' before the function returns, and the array is never read again. An optimising compiler is entitled to treat such a write as a dead store and delete it, and compilers do exactly that. In a Debug build the call executes and the key schedule is wiped; in a Release build it may silently disappear, and the key material stays on the stack for whatever code runs next. The analyzer cannot know whether a particular compiler will remove a particular call, so it reports every memset() of this kind. Private data should be cleared with a function the compiler is not allowed to optimise away: RtlSecureZeroMemory() or SecureZeroMemory() on Windows, memset_s() or explicit_bzero() where they are available. The topic is covered in the article "Overwriting memory - why?".
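Here is an added example (my code, not Crypto++'s) of the portable form of the fix the diagnostic asks for: 'secure_zero' writes through a volatile pointer, which the compiler has to perform even when the buffer is dead afterwards, and 'derive_and_wipe' uses it the way UncheckedSetKey would, on a local key-schedule array that is never read again. The "key schedule" itself (packing key bytes into words and summing them) is a constructed stand-in, not CAST-256, and 'sample_key' is made-up test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Zero 'n' bytes through a volatile pointer. Each store is a side effect the
   compiler must keep, unlike a memset() of memory that is never read again.
   Platform functions with the same guarantee: SecureZeroMemory /
   RtlSecureZeroMemory (Windows), explicit_bzero (BSD, glibc), memset_s (C11). */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Constructed key schedule (not CAST-256): pack 32 key bytes into 8 words,
   fold them into one value, then wipe the words before returning.
   'kappa' is dead after the fold, which is exactly when a plain
   memset(kappa, 0, sizeof(kappa)) becomes a removable dead store. */
uint32_t derive_and_wipe(const uint8_t *user_key, size_t keylen) {
    uint32_t kappa[8];
    uint32_t folded = 0;
    if (keylen != 32) return 0;
    for (size_t i = 0; i < 8; i++) {
        kappa[i] = ((uint32_t)user_key[4 * i] << 24) |
                   ((uint32_t)user_key[4 * i + 1] << 16) |
                   ((uint32_t)user_key[4 * i + 2] << 8) |
                   (uint32_t)user_key[4 * i + 3];
        folded += kappa[i];
    }
    secure_zero(kappa, sizeof(kappa));   /* kept by the compiler; memset() might not be */
    return folded;
}

/* Check that secure_zero really clears a buffer that is read afterwards. */
int secure_zero_clears(void) {
    unsigned char buf[64];
    memset(buf, 0xAA, sizeof(buf));
    secure_zero(buf, sizeof(buf));
    for (size_t i = 0; i < sizeof(buf); i++)
        if (buf[i] != 0) return 0;
    return 1;
}

/* Constructed test key: bytes 0x01 .. 0x20. */
static const uint8_t sample_key[32] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
    0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
    0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20
};

uint32_t demo_derive(void) {
    return derive_and_wipe(sample_key, sizeof(sample_key));
}

int main(void) {
    printf("folded = 0x%08lx, buffer zeroed = %d\n",
           (unsigned long)demo_derive(), secure_zero_clears());
    return 0;
}
```

Two caveats a reviewer would add. First, no test can prove that a plain memset() was or was not removed: the only evidence is the generated code, so the test above checks that the volatile version does its job, not that the original failed. Second, none of these functions reach copies the compiler or the caller made elsewhere (registers, spilled temporaries, the caller's own buffer holding userKey); they guarantee only that this array is overwritten.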

Copy-Paste

Copy-Paste is a convenient way to produce several similar fragments of code and a reliable way to produce bugs: the programmer duplicates a block, changes some of the names, indices or constants in the copy and overlooks the rest. Whether Copy-Paste is good programming practice is beside the point here; it is used everywhere, and the errors it leaves behind all look alike. Every example in this section was found in copied code.

1. Fennec Media Project. Repeated index.

void* tag_write_setframe(char *tmem,
  const char *tid, const string dstr)
{
  ...
  if(lset)
  {
    fhead[11] = '\0';
    fhead[12] = '\0';
    fhead[13] = '\0';
    fhead[13] = '\0';
  }
  ...
}
V525: The code containing the collection of similar blocks. Check items '11', '12', '13', '13' in lines 716, 717, 718, 719. id3 editor.c 716
This may well be harmless, but it may just as well be a real error. The last line repeats the previous one: 'fhead[13]' is assigned twice, and the second assignment was most likely meant to be 'fhead[14] = '\0';'.

2. MySQL. Wrong index in a copied line.
static int rr_cmp(uchar *a,uchar *b)
{
  if (a[0] != b[0])
    return (int) a[0] - (int) b[0];
  if (a[1] != b[1])
    return (int) a[1] - (int) b[1];
  if (a[2] != b[2])
    return (int) a[2] - (int) b[2];
  if (a[3] != b[3])
    return (int) a[3] - (int) b[3];
  if (a[4] != b[4])
    return (int) a[4] - (int) b[4];
  if (a[5] != b[5])
    return (int) a[1] - (int) b[5];
  if (a[6] != b[6])
    return (int) a[6] - (int) b[6];
  return (int) a[7] - (int) b[7];
}
V525: The code containing the collection of similar blocks. Check items '0', '1', '2', '3', '4', '1', '6' in lines 680, 682, 684, 689, 691, 693, 695. sql records.cc 680
The copied lines were edited index by index and one index was missed:
return (int) a[1] - (int) b[5];
It should be:
return (int) a[5] - (int) b[5];
Whenever the first five bytes match and the sixth differs, the comparison function returns a value with the wrong magnitude or even the wrong sign, which is enough to break a sort.
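The usual defence against this class of slip is to not hand-unroll the comparison at all. As an added example (my code, not MySQL's), here is the same comparison written as a loop next to the version as published, plus a constructed pair of keys on which the two disagree: the keys are equal in bytes 0 to 4, 'a' is larger in byte 5, and byte 1 is zero.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned char uchar;

/* The comparison as published on the page, including the copied line that
   reads a[1] instead of a[5]. Kept here only to show the divergence. */
int rr_cmp_as_published(const uchar *a, const uchar *b) {
    if (a[0] != b[0]) return (int) a[0] - (int) b[0];
    if (a[1] != b[1]) return (int) a[1] - (int) b[1];
    if (a[2] != b[2]) return (int) a[2] - (int) b[2];
    if (a[3] != b[3]) return (int) a[3] - (int) b[3];
    if (a[4] != b[4]) return (int) a[4] - (int) b[4];
    if (a[5] != b[5]) return (int) a[1] - (int) b[5];   /* the slip */
    if (a[6] != b[6]) return (int) a[6] - (int) b[6];
    return (int) a[7] - (int) b[7];
}

/* The same intent as a loop: one line to get right instead of eight.
   Returns the difference at the first differing byte, 0 if all eight match. */
int rr_cmp_loop(const uchar *a, const uchar *b) {
    for (size_t i = 0; i < 8; i++)
        if (a[i] != b[i])
            return (int) a[i] - (int) b[i];
    return 0;
}

/* Constructed keys: identical except at byte 5, where 'a' is larger. */
static const uchar key_a[8] = { 0, 0, 0, 0, 0, 7, 0, 0 };
static const uchar key_b[8] = { 0, 0, 0, 0, 0, 3, 0, 0 };

/* a > b, so a correct comparison is positive: 7 - 3 = 4. */
int demo_loop_result(void) { return rr_cmp_loop(key_a, key_b); }

/* The published version returns a[1] - b[5] = 0 - 3 = -3: 'a' sorts before 'b'. */
int demo_published_result(void) { return rr_cmp_as_published(key_a, key_b); }

int main(void) {
    printf("loop: %d, published: %d\n", demo_loop_result(), demo_published_result());
    return 0;
}
```

On this input the published function does not merely return a different magnitude; it reverses the order of the two keys.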

3. TortoiseSVN. Two identical functions.
BOOL GetImageHlpVersion(DWORD &dwMS, DWORD &dwLS)
{
  return(GetInMemoryFileVersion(("DBGHELP.DLL"),
                                dwMS,
                                dwLS)) ;
}

BOOL GetDbgHelpVersion(DWORD &dwMS, DWORD &dwLS)
{
  return(GetInMemoryFileVersion(("DBGHELP.DLL"),
                                dwMS,
                                dwLS)) ;
}
V524: It is odd that the 'GetDbgHelpVersion' function is fully equivalent to the 'GetImageHlpVersion' function (SymbolEngine.h, line 98). symbolengine.h 105
'GetImageHlpVersion' was produced by copying the other function, and the argument to 'GetInMemoryFileVersion' was left unchanged, so both functions report the version of DBGHELP.DLL. The correct code is:
BOOL GetImageHlpVersion(DWORD &dwMS, DWORD &dwLS)
{
  return(GetInMemoryFileVersion(("IMAGEHLP.DLL"),
                                dwMS,
                                dwLS)) ;
}

4. Clang. Wrong container cleared.
MapTy PerPtrTopDown;
MapTy PerPtrBottomUp;

void clearBottomUpPointers() {
  PerPtrTopDown.clear();
}

void clearTopDownPointers() {
  PerPtrTopDown.clear();
}
V524: It is odd that the body of 'clearTopDownPointers' function is fully equivalent to the body of 'clearBottomUpPointers' function (ObjCARC.cpp, line 1318). LLVMScalarOpts objcarc.cpp 1322
The function clearBottomUpPointers clears the wrong map. It should be:
void clearBottomUpPointers() {
  PerPtrBottomUp.clear();
}

5. QT. Incorrect swap.
bool qt_testCollision(...)
{
  ...
  t=x1; x1=x2; x2=t;
  t=y1; x1=y2; y2=t;
  ...
}
V519: The 'x1' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 2218, 2219. Qt3Support q3canvas.cpp 2219
The first line swaps x1 and x2 correctly. The second was copied from it to swap y1 and y2, but only two of the three 'x' letters were changed to 'y', leaving "... x1=y2; ...". As a result x1 is overwritten a second time and y1 keeps its old value. The correct code is:
t=x1; x1=x2; x2=t;
t=y1; y1=y2; y2=t;

6. Crystal Space 3D SDK. Identical subexpressions.

inline_ bool Contains(const LSS& lss)
{
  return Contains(Sphere(lss.mP0, lss.mRadius)) &&
         Contains(Sphere(lss.mP0, lss.mRadius));
}
V501: There are identical sub-expressions to the left and to the right of the '&&' operator. plgcsopcode icelss.h 69
Both operands of '&&' test the same sphere, built from 'lss.mP0'. The second should be built from the other point, 'lss.mP1'.

7. Notepad++. Wrong control identifier in a copied call.
void KeyWordsStyleDialog::updateDlg()
{
  ...
  Style & w1Style =
    _pUserLang->_styleArray.getStyler(STYLE_WORD1_INDEX);
  styleUpdate(w1Style, _pFgColour[0], _pBgColour[0],
    IDC_KEYWORD1_FONT_COMBO, IDC_KEYWORD1_FONTSIZE_COMBO,
    IDC_KEYWORD1_BOLD_CHECK, IDC_KEYWORD1_ITALIC_CHECK,
    IDC_KEYWORD1_UNDERLINE_CHECK);

  Style & w2Style =
    _pUserLang->_styleArray.getStyler(STYLE_WORD2_INDEX);
  styleUpdate(w2Style, _pFgColour[1], _pBgColour[1],
    IDC_KEYWORD2_FONT_COMBO, IDC_KEYWORD2_FONTSIZE_COMBO,
    IDC_KEYWORD2_BOLD_CHECK, IDC_KEYWORD2_ITALIC_CHECK,
    IDC_KEYWORD2_UNDERLINE_CHECK);

  Style & w3Style =
    _pUserLang->_styleArray.getStyler(STYLE_WORD3_INDEX);
  styleUpdate(w3Style, _pFgColour[2], _pBgColour[2],
    IDC_KEYWORD3_FONT_COMBO, IDC_KEYWORD3_FONTSIZE_COMBO,
    IDC_KEYWORD3_BOLD_CHECK, IDC_KEYWORD3_BOLD_CHECK,
    IDC_KEYWORD3_UNDERLINE_CHECK);

  Style & w4Style =
    _pUserLang->_styleArray.getStyler(STYLE_WORD4_INDEX);
  styleUpdate(w4Style, _pFgColour[3], _pBgColour[3],
    IDC_KEYWORD4_FONT_COMBO, IDC_KEYWORD4_FONTSIZE_COMBO,
    IDC_KEYWORD4_BOLD_CHECK, IDC_KEYWORD4_ITALIC_CHECK,
    IDC_KEYWORD4_UNDERLINE_CHECK);
  ...
}
V525: The code containing the collection of similar blocks. Check items '7', '7', '6', '7' in lines 576, 580, 584, 588
The error is hard to see in the full listing, which is exactly the problem with copied blocks. Stripped down to the arguments that matter it is obvious:
styleUpdate(...
  IDC_KEYWORD1_BOLD_CHECK, IDC_KEYWORD1_ITALIC_CHECK,
  ...);
styleUpdate(...
  IDC_KEYWORD2_BOLD_CHECK, IDC_KEYWORD2_ITALIC_CHECK,
  ...);
styleUpdate(...
  IDC_KEYWORD3_BOLD_CHECK, IDC_KEYWORD3_BOLD_CHECK,   <<--
  ...);
styleUpdate(...
  IDC_KEYWORD4_BOLD_CHECK, IDC_KEYWORD4_ITALIC_CHECK,
  ...);
In the third call the second IDC_KEYWORD3_BOLD_CHECK should be IDC_KEYWORD3_ITALIC_CHECK.

8. ReactOS. Identical branches.
void CardButton::DrawRect(HDC hdc, RECT *rect, bool fNormal)
{
  ...
  HPEN hhi = CreatePen(0, 0, MAKE_PALETTERGB(crHighlight));
  HPEN hsh = CreatePen(0, 0, MAKE_PALETTERGB(crShadow));
  ...
  if(fNormal)
    hOld = SelectObject(hdc, hhi);
  else
    hOld = SelectObject(hdc, hhi);
  ...
}
V523: The 'then' statement is equivalent to the 'else' statement. cardlib cardbutton.cpp 83
The pen 'hsh' is created but never used, while 'hhi' is selected in both branches. The else branch was meant to select 'hsh':
if(fNormal)
  hOld = SelectObject(hdc, hhi);
else
  hOld = SelectObject(hdc, hsh);

9. IPP Samples. Identical subexpressions.
Status VC1VideoDecoder::ResizeBuffer()
{
  ...
  if(m_pContext && m_pContext->m_seqLayerHeader &&
     m_pContext->m_seqLayerHeader->heightMB &&
     m_pContext->m_seqLayerHeader->heightMB)
  ...
}
V501: There are identical sub-expressions 'm_pContext->m_seqLayerHeader->heightMB' to the left and to the right of the '&&' operator. vc1_dec umc_vc1_video_decoder.cpp 1347
'heightMB' is checked twice; the second check was meant for the width:
if(m_pContext && m_pContext->m_seqLayerHeader &&
   m_pContext->m_seqLayerHeader->heightMB &&
   m_pContext->m_seqLayerHeader->widthMB)

10. ReactOS. Wrong member in a copied line.
BOOL APIENTRY
GreStretchBltMask(...)
{
  ...
  MaskPoint.x += DCMask->ptlDCOrig.x;
  MaskPoint.y += DCMask->ptlDCOrig.x;
  ...
}
V537: Consider reviewing the correctness of 'x' item's usage. win32k bitblt.c 670
The line for 'x' was copied to handle 'y', and the member on the right-hand side was not changed, so the 'y' coordinate is shifted by the 'x' origin. The correct code is:
MaskPoint.x += DCMask->ptlDCOrig.x;
MaskPoint.y += DCMask->ptlDCOrig.y;


Null pointer dereferences

A recurring pattern in C/C++ code is a pointer that is checked against NULL only after it has already been dereferenced. One of two things is true: either the check is superfluous, because the pointer can never be null at that point, or the check is needed, in which case the program has already crashed with an Access Violation by the time control reaches it. The analyzer cannot decide which, so it reports both cases, and each of the fragments below should be reviewed by its authors.

1. Quake-III-Arena. Pointer used before the null check.
void Item_Paint(itemDef_t *item) {
  vec4_t red;
  menuDef_t *parent = (menuDef_t*)item->parent;
  red[0] = red[3] = 1;
  red[1] = red[2] = 0;

  if (item == NULL) {
    return;
  }
  ...
}
V595: The 'item' pointer was utilized before it was verified against nullptr. Check lines: 3865, 3869. cgame ui_shared.c 3865
'item->parent' is read before 'item' is compared with NULL. If the check is needed at all, it comes too late.

2. LAME Ain't an MP3 Encoder. Pointer used before the null check.

static int
check_vbr_header(PMPSTR mp, int bytes)
{
  ...
  buf = buf->next;
  pos = buf->pos;
  if(!buf) return -1; /* fatal error */
  ...
}
V595: The 'buf' pointer was utilized before it was verified against nullptr. Check lines: 226, 227. mpglib interface.c 226
If 'buf' becomes NULL after "buf = buf->next", it is dereferenced in "buf->pos" on the very next line, before the "fatal error" check has a chance to catch it. The check must precede the read of 'pos'.

3. daoParanoia library. Pointer used before the null check.
static long i_stage2_each(root_block *root,
  v_fragment *v, void(*callback)(long,int))
{
  cdrom_paranoia *p=v->p;
  long dynoverlap=p->dynoverlap/2*2;
  if (!v || !v->one) return(0);
  ...
}
V595: The 'v' pointer was utilized before it was verified against nullptr. Check lines: 532, 535. daoParanoia paranoia.c 532
The same error: 'v->p' is read two lines before '!v' is tested.

4. TrinityCore. Pointer used before the null check.
bool OnCheck(Player* player, Unit* /*target*/)
{
  bool checkArea =
    player->GetAreaId() == AREA_ARGENT_TOURNAMENT_FIELDS ||
    player->GetAreaId() == AREA_RING_OF_ASPIRANTS ||
    player->GetAreaId() == AREA_RING_OF_ARGENT_VALIANTS ||
    player->GetAreaId() == AREA_RING_OF_ALLIANCE_VALIANTS ||
    player->GetAreaId() == AREA_RING_OF_HORDE_VALIANTS ||
    player->GetAreaId() == AREA_RING_OF_CHAMPIONS;

  return player && checkArea && player->duel &&
         player->duel->isMounted;
}
V595: The 'player' pointer was utilized before it was verified against nullptr. Check lines: 310, 312. scripts achievement_scripts.cpp 310
The expression "player && ..." shows that the author allows 'player' to be null. Yet 'player->GetAreaId()' has already been called six times to compute 'checkArea' before the return statement, so by the time the null check runs it is far too late. The check belongs first, and the area comparisons after it.
Miscellaneous

Finally, a few errors that do not fit into any of the groups above.

1. Image Processing SDK. Octal constant.

inline
void elxLuminocity(const PixelRGBus& iPixel,
  LuminanceCell< PixelRGBus >& oCell)
{
  oCell._luminance = uint16(0.2220f*iPixel._red +
    0.7067f*iPixel._blue + 0.0713f*iPixel._green);
  oCell._pixel = iPixel;
}

inline
void elxLuminocity(const PixelRGBi& iPixel,
  LuminanceCell< PixelRGBi >& oCell)
{
  oCell._luminance = 2220*iPixel._red +
    7067*iPixel._blue + 0713*iPixel._green;
  oCell._pixel = iPixel;
}
V536: Be advised that the utilized constant value is represented by an octal form. Oct: 0713, Dec: 459. IFF plugins pixelservices.inl 146
The floating-point overload uses the coefficients 0.2220f, 0.7067f and 0.0713f. In the integer overload the last one was written as 0713, keeping the leading zero, and a leading zero makes a C/C++ integer literal octal: 0713 is 459, not 713. The green channel is therefore weighted wrongly. The constant should be 713.

2. IPP Samples. One counter for two loops.
JERRCODE CJPEGDecoder::DecodeScanBaselineNI(void)
{
  ...
  for(c = 0; c < m_scan_ncomps; c++)
  {
    block = m_block_buffer + (DCTSIZE2*m_nblock*(j+(i*m_numxMCU)));

    // skip any relevant components
    for(c = 0; c < m_ccomp[m_curr_comp_no].m_comp_no; c++)
    {
      block += (DCTSIZE2*m_ccomp[c].m_nblocks);
    }
  ...
}
V535: The variable 'c' is being used for this loop and for the outer loop. jpegcodec jpegdec.cpp 4652
The variable 'c' serves as the counter of both the outer and the inner loop. The inner loop overwrites it, so when it finishes the outer loop continues from a value that has nothing to do with the component it was processing. The inner loop needs a counter of its own.

3. Quake-III-Arena. Missing return.
static ID_INLINE int BigLong(int l)
{ LongSwap(l); }
V591: Non-void function should return a value. botlib q_shared.h 155
The function has no return statement, so calling it is undefined behaviour in C/C++. It works by accident: on x86 the value LongSwap() returned is still sitting in the EAX register when BigLong() returns, and the caller picks it up from there. Nothing guarantees that, and a different compiler or optimisation level can break it. The correct code is: { return LongSwap(l); }.

4. Notepad++. Excessive condition.
int Notepad_plus::getHtmlXmlEncoding(....) const
{
  ...
  if (langT != L_XML && langT != L_HTML && langT == L_PHP)
    return -1;
  ...
}
V590: Consider inspecting this expression. The expression is excessive or contains a misprint. Notepad++ notepad_plus.cpp 853
If 'langT' equals L_PHP, the first two comparisons are automatically true, so the whole condition is equivalent to "if (langT == L_PHP)". That may be a harmless redundancy, but it is more likely that the last operator was mistyped and the condition should read:

if (langT != L_XML && langT != L_HTML && langT != L_PHP)


Links

1. PVS-Studio: http://www.viva64.com/ru/pvsstudio/
2. Download PVS-Studio: http://www.viva64.com/ru/pvs-studio-download/
3. Order PVS-Studio: http://www.viva64.com/ru/order/
4. PVS-Studio documentation: http://www.viva64.com/ru/d/
5. Feedback: http://www.viva64.com/ru/about-feedback/
6. Twitter: http://twitter.com/Code_Analysis