BUG OF THE MONTH | Array index out of bounds

V557 Array overrun is possible. The ’16’ index is pointing beyond array bound. winaspi32.c 232

/* SCSI Miscellaneous Stuff */
#define SENSE_LEN      14

typedef struct tagSRB32_ExecSCSICmd {
  /* ... */
  BYTE        SenseArea[SENSE_LEN+2];   /* 16 bytes: valid indices are 0..15 */
  /* ... */
} SRB_ExecSCSICmd;

static void
ASPI_PrintSenseArea(SRB_ExecSCSICmd *prb)
{
  BYTE  *rqbuf = prb->SenseArea;
  /* ... */
  if (rqbuf[15]&0x8) {
    TRACE("Pointer at %d, bit %d\n",
          /* ... arguments elided here; they read rqbuf[16] and rqbuf[17] */

The analyzer detected that the program tries to address items 16 and 17 of the rqbuf array, which is beyond its bounds: SenseArea holds SENSE_LEN+2 = 16 items, so the last valid index is 15. The rqbuf[15]&0x8 condition is rarely true, which is why the error hasn't been noticed.
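The fix a reviewer would ask for is to make the decode refuse to read past the buffer it was given. The following is an added example, not Wine's code: it keeps the same SENSE_LEN + 2 sizing in a stand-in struct (SenseHolder, a hypothetical name) and wraps the pointer decode in a function that takes the buffer length and returns 0 instead of reaching indices 16 and 17 when the buffer is too short. The 16-byte and 18-byte sense buffers are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t BYTE;

/* Same sizing as the snippet above: SENSE_LEN + 2 = 16 bytes. */
#define SENSE_LEN 14

typedef struct {
    BYTE SenseArea[SENSE_LEN + 2];
} SenseHolder;                      /* hypothetical stand-in for SRB_ExecSCSICmd */

/* Highest index the pointer decode reads (bytes 15, 16 and 17). */
#define SENSE_PTR_LAST_INDEX 17

/* Bounds-checked decode: returns 1 and fills *field / *bit when the buffer
 * covers indices 0..17 and the bit-pointer flag (bit 3 of byte 15) is set;
 * returns 0 otherwise and never touches a byte at or beyond len. */
int decode_sense_pointer(const BYTE *buf, size_t len, int *field, int *bit)
{
    if (len <= SENSE_PTR_LAST_INDEX)   /* need len >= 18 */
        return 0;
    if (!(buf[15] & 0x8))
        return 0;
    *field = buf[16] * 256 + buf[17];
    *bit   = buf[15] & 0x7;
    return 1;
}

/* Compile-time sizing check: does SenseArea have room for bytes 16 and 17? */
int sense_area_holds_pointer(void)
{
    return sizeof(((SenseHolder *)0)->SenseArea) > SENSE_PTR_LAST_INDEX;
}

/* Constructed sample: the 16-byte SenseArea from the snippet with the
 * bit-pointer flag set, i.e. exactly the case in which the original
 * code overran. The checked decode reports "nothing to read" instead. */
int demo_original_size(void)
{
    SenseHolder h = {{0}};
    int field = -1, bit = -1;
    h.SenseArea[15] = 0x8;
    return decode_sense_pointer(h.SenseArea, sizeof h.SenseArea, &field, &bit);
}

/* Constructed sample: an 18-byte sense buffer carrying a field pointer. */
int demo_full_size(int *field, int *bit)
{
    static const BYTE sense[18] = {
        [15] = 0x8 | 0x2,           /* bit pointer valid, bit 2 */
        [16] = 0x01, [17] = 0x04    /* field pointer 0x0104 = 260 */
    };
    return decode_sense_pointer(sense, sizeof sense, field, bit);
}

int main(void)
{
    int field, bit;
    printf("SenseArea can hold the pointer bytes: %s\n",
           sense_area_holds_pointer() ? "yes" : "no");
    printf("16-byte buffer decoded: %d (0 = refused)\n", demo_original_size());
    if (demo_full_size(&field, &bit))
        printf("18-byte buffer: pointer at %d, bit %d\n", field, bit);
    return 0;
}
```

Passing the length alongside the pointer is the whole point: the sizing mismatch between SENSE_LEN + 2 and the indices the decoder needs is then caught by a single comparison at run time, and sense_area_holds_pointer() makes the same mismatch visible in a unit test before the code ships.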
