BUG OF THE MONTH | Array index out of bounds
V557 Array overrun is possible. The ’16’ index is pointing beyond array bound. winaspi32.c 232
/* SCSI Miscellaneous Stuff */
#define SENSE_LEN 14

typedef struct tagSRB32_ExecSCSICmd {
    ....
    BYTE SenseArea[SENSE_LEN+2];    /* SENSE_LEN+2 = 16 bytes: valid indices are 0..15 */
} SRB_ExecSCSICmd, *PSRB_ExecSCSICmd;

static void ASPI_PrintSenseArea(SRB_ExecSCSICmd *prb)
{
    BYTE *rqbuf = prb->SenseArea;
    ....
    if (rqbuf[15]&0x8) {
        /* rqbuf[16] and rqbuf[17] are 1 and 2 bytes past the end of SenseArea */
        TRACE("Pointer at %d, bit %d\n",
              rqbuf[16]*256+rqbuf[17], rqbuf[15]&0x7);
    }
    ....
}
The analyzer detected that the program tries to read items 16 and 17 of the rqbuf array, which lie beyond its bounds: SenseArea holds SENSE_LEN+2 = 16 items, so the last valid index is 15. The rqbuf[15]&0x8 condition is rarely true, which is why the error has gone unnoticed.
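The following program is an added example written for this page; it is not Wine's code. It reproduces the 16-byte SenseArea layout, replaces the unchecked reads with a bounds-checked accessor, and shows that the pointer field the TRACE call tries to print can never be decoded from a 16-byte buffer (the checked version reports -1), while it decodes normally from a constructed 18-byte buffer. The names sense_byte, sense_field_pointer and the demo functions are assumptions introduced here.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char BYTE;

/* Same layout as the page's Wine struct: SENSE_LEN+2 = 16 bytes, so valid indices are 0..15. */
#define SENSE_LEN 14
typedef struct tagSRB32_ExecSCSICmd {
    BYTE SenseArea[SENSE_LEN + 2];
} SRB_ExecSCSICmd;

/* Bounds-checked read of one byte from a sense buffer of `len` bytes.
 * Returns false (leaving *out untouched) instead of reading past the buffer. */
static bool sense_byte(const BYTE *buf, size_t len, size_t idx, BYTE *out)
{
    if (buf == NULL || idx >= len)
        return false;
    *out = buf[idx];
    return true;
}

/* Hardened version of the branch flagged by V557 (an assumed rewrite, not Wine's code).
 * It computes the same "pointer" value the page's TRACE call prints
 * (buf[16]*256 + buf[17], guarded by buf[15] & 0x8), but only when all three
 * bytes are inside the buffer. Returns the pointer, or -1 when it is unavailable. */
static long sense_field_pointer(const BYTE *buf, size_t len)
{
    BYTE flags, hi, lo;
    if (!sense_byte(buf, len, 15, &flags) || !(flags & 0x8))
        return -1;                          /* guard bit clear: nothing to decode */
    if (!sense_byte(buf, len, 16, &hi) || !sense_byte(buf, len, 17, &lo))
        return -1;                          /* bytes 16/17 lie past the buffer end */
    return (long)hi * 256 + lo;
}

/* Constructed input: an 18-byte sense buffer with the guard bit set and a
 * pointer of 0x0102 in bytes 16..17. The buffer is large enough, so the
 * field decodes to 258. */
static long demo_18_byte_buffer(void)
{
    BYTE buf[18];
    memset(buf, 0, sizeof buf);
    buf[15] = 0x8;
    buf[16] = 0x01;
    buf[17] = 0x02;
    return sense_field_pointer(buf, sizeof buf);
}

/* The page's situation: the guard bit set inside the real 16-byte SenseArea.
 * The original code would read SenseArea[16] and [17] from whatever memory
 * follows the array; the checked version returns -1 instead. */
static long demo_wine_sense_area(void)
{
    SRB_ExecSCSICmd prb;
    memset(&prb, 0, sizeof prb);
    prb.SenseArea[15] = 0x8;
    return sense_field_pointer(prb.SenseArea, sizeof prb.SenseArea);
}

int main(void)
{
    printf("18-byte buffer:    pointer = %ld\n", demo_18_byte_buffer());  /* 258 */
    printf("16-byte SenseArea: pointer = %ld\n", demo_wine_sense_area()); /* -1 */
    return 0;
}
```

Passing the buffer length alongside the pointer is what makes the check possible; with the original signature the callee has no way to know how large SenseArea is. A compile-time guard such as _Static_assert(sizeof(((SRB_ExecSCSICmd *)0)->SenseArea) > 17, "SenseArea too small") next to the decoding code would have rejected the original at build time instead of leaving the overrun to a rarely taken branch.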