Line: 124 Column: 23 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

               * Borrowed from drivers/input/keyboard/atakbd.c
 * This maps 1-byte scancodes to keycodes.
 */
static const unsigned char visorkbd_keycode[KEYCODE_TABLE_BYTES] = {
	/* American layout */
	[0] = KEY_GRAVE,
	[1] = KEY_ESC,
	[2] = KEY_1,
	[3] = KEY_2,

            

Line: 244 Column: 23 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

               * This maps the <xx> in extended scancodes of the form "0xE0 <xx>" into
 * keycodes.
 */
static const unsigned char visorkbd_ext_keycode[KEYCODE_TABLE_BYTES] = {
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,		    /* 0x00 */
	0, 0, 0, 0, 0, 0, 0, 0,					    /* 0x10 */
	0, 0, 0, 0, KEY_KPENTER, KEY_RIGHTCTRL, 0, 0,		    /* 0x18 */
	0, 0, 0, 0, 0, 0, 0, 0,					    /* 0x20 */
	KEY_RIGHTALT, 0, 0, 0, 0, 0, 0, 0,			    /* 0x28 */

            

Line: 432 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	switch (dtype) {
	case visorinput_keyboard:
		devdata->keycode_table_bytes = extra_bytes;
		memcpy(devdata->keycode_table, visorkbd_keycode,
		       KEYCODE_TABLE_BYTES);
		memcpy(devdata->keycode_table + KEYCODE_TABLE_BYTES,
		       visorkbd_ext_keycode, KEYCODE_TABLE_BYTES);
		devdata->visorinput_dev = setup_client_keyboard
			(devdata, devdata->keycode_table);

            

Line: 434 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              		devdata->keycode_table_bytes = extra_bytes;
		memcpy(devdata->keycode_table, visorkbd_keycode,
		       KEYCODE_TABLE_BYTES);
		memcpy(devdata->keycode_table + KEYCODE_TABLE_BYTES,
		       visorkbd_ext_keycode, KEYCODE_TABLE_BYTES);
		devdata->visorinput_dev = setup_client_keyboard
			(devdata, devdata->keycode_table);
		if (!devdata->visorinput_dev)
			goto cleanups_register;

            

Line: 61 Column: 9 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              static ssize_t
fpga_show(struct device *dev, struct device_attribute *attr, char *buf)
{
	return sprintf(buf, "%s\n", realview_arch_str(realview_coreid));
}

static DEVICE_ATTR_RO(fpga);

static ssize_t

            

Line: 45 Column: 9 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              static ssize_t
manufacturer_show(struct device *dev, struct device_attribute *attr, char *buf)
{
	return sprintf(buf, "%02x\n", realview_coreid >> 24);
}

static DEVICE_ATTR_RO(manufacturer);

static ssize_t

            

Line: 53 Column: 9 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              static ssize_t
board_show(struct device *dev, struct device_attribute *attr, char *buf)
{
	return sprintf(buf, "HBI-%03x\n", ((realview_coreid >> 16) & 0xfff));
}

static DEVICE_ATTR_RO(board);

static ssize_t

            

Line: 69 Column: 9 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              static ssize_t
build_show(struct device *dev, struct device_attribute *attr, char *buf)
{
	return sprintf(buf, "%02x\n", (realview_coreid & 0xFF));
}

static DEVICE_ATTR_RO(build);

static struct attribute *realview_attrs[] = {

            

Line: 183 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              		return -EINVAL;
	size *= sizeof(u16);

	memcpy(to->red+tooff, from->red+fromoff, size);
	memcpy(to->green+tooff, from->green+fromoff, size);
	memcpy(to->blue+tooff, from->blue+fromoff, size);
	if (from->transp && to->transp)
		memcpy(to->transp+tooff, from->transp+fromoff, size);
	return 0;

            

Line: 184 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	size *= sizeof(u16);

	memcpy(to->red+tooff, from->red+fromoff, size);
	memcpy(to->green+tooff, from->green+fromoff, size);
	memcpy(to->blue+tooff, from->blue+fromoff, size);
	if (from->transp && to->transp)
		memcpy(to->transp+tooff, from->transp+fromoff, size);
	return 0;
}

            

Line: 185 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              
	memcpy(to->red+tooff, from->red+fromoff, size);
	memcpy(to->green+tooff, from->green+fromoff, size);
	memcpy(to->blue+tooff, from->blue+fromoff, size);
	if (from->transp && to->transp)
		memcpy(to->transp+tooff, from->transp+fromoff, size);
	return 0;
}


            

Line: 187 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	memcpy(to->green+tooff, from->green+fromoff, size);
	memcpy(to->blue+tooff, from->blue+fromoff, size);
	if (from->transp && to->transp)
		memcpy(to->transp+tooff, from->transp+fromoff, size);
	return 0;
}

int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
{

            

Line: 67 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              #define DBC_PORTSC_CONFIG_CHANGE	BIT(23)

struct dbc_str_descs {
	char	string0[DBC_MAX_STRING_LENGTH];
	char	manufacturer[DBC_MAX_STRING_LENGTH];
	char	product[DBC_MAX_STRING_LENGTH];
	char	serial[DBC_MAX_STRING_LENGTH];
};


            

Line: 68 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
struct dbc_str_descs {
	char	string0[DBC_MAX_STRING_LENGTH];
	char	manufacturer[DBC_MAX_STRING_LENGTH];
	char	product[DBC_MAX_STRING_LENGTH];
	char	serial[DBC_MAX_STRING_LENGTH];
};

#define DBC_PROTOCOL			1	/* GNU Remote Debug Command */

            

Line: 69 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              struct dbc_str_descs {
	char	string0[DBC_MAX_STRING_LENGTH];
	char	manufacturer[DBC_MAX_STRING_LENGTH];
	char	product[DBC_MAX_STRING_LENGTH];
	char	serial[DBC_MAX_STRING_LENGTH];
};

#define DBC_PROTOCOL			1	/* GNU Remote Debug Command */
#define DBC_VENDOR_ID			0x1d6b	/* Linux Foundation 0x1d6b */

            

Line: 70 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	char	string0[DBC_MAX_STRING_LENGTH];
	char	manufacturer[DBC_MAX_STRING_LENGTH];
	char	product[DBC_MAX_STRING_LENGTH];
	char	serial[DBC_MAX_STRING_LENGTH];
};

#define DBC_PROTOCOL			1	/* GNU Remote Debug Command */
#define DBC_VENDOR_ID			0x1d6b	/* Linux Foundation 0x1d6b */
#define DBC_PRODUCT_ID			0x0010	/* device 0010 */

            

Line: 2188

              	.probe		= cirrusfb_pci_register,
	.remove		= cirrusfb_pci_unregister,
#ifdef CONFIG_PM
#if 0
	.suspend	= cirrusfb_pci_suspend,
	.resume		= cirrusfb_pci_resume,
#endif
#endif
};

            

Line: 1750 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	vxres = info->var.xres_virtual;
	vyres = info->var.yres_virtual;

	memcpy(&modded, region, sizeof(struct fb_fillrect));

	if (!modded.width || !modded.height ||
	   modded.dx >= vxres || modded.dy >= vyres)
		return;


            

Line: 1786 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              
	vxres = info->var.xres_virtual;
	vyres = info->var.yres_virtual;
	memcpy(&modded, area, sizeof(struct fb_copyarea));

	if (!modded.width || !modded.height ||
	   modded.sx >= vxres || modded.sy >= vyres ||
	   modded.dx >= vxres || modded.dy >= vyres)
		return;

            

Line: 1852 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              				  (image->width * m) / 8, image->height,
				  fg, bg,
				  info->fix.line_length, op);
		memcpy(info->screen_base, image->data, size);
	}
}

#ifdef CONFIG_PCI
static int release_io_ports;

            

Line: 739 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	}
	e->cdbLen   = cmd->cmd_len;
	e->vcpuHint = smp_processor_id();
	memcpy(e->cdb, cmd->cmnd, e->cdbLen);

	e->tag = SIMPLE_QUEUE_TAG;

	if (cmd->sc_data_direction == DMA_FROM_DEVICE)
		e->flags = PVSCSI_FLAG_CMD_DIR_TOHOST;

            

Line: 1004 Column: 9 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              static const char *pvscsi_info(struct Scsi_Host *host)
{
	struct pvscsi_adapter *adapter = shost_priv(host);
	static char buf[256];

	sprintf(buf, "VMware PVSCSI storage adapter rev %d, req/cmp/msg rings: "
		"%u/%u/%u pages, cmd_per_lun=%u", adapter->rev,
		adapter->req_pages, adapter->cmp_pages, adapter->msg_pages,
		pvscsi_template.cmd_per_lun);

            

Line: 1006 Column: 2 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              	struct pvscsi_adapter *adapter = shost_priv(host);
	static char buf[256];

	sprintf(buf, "VMware PVSCSI storage adapter rev %d, req/cmp/msg rings: "
		"%u/%u/%u pages, cmd_per_lun=%u", adapter->rev,
		adapter->req_pages, adapter->cmp_pages, adapter->msg_pages,
		pvscsi_template.cmd_per_lun);

	return buf;

            

Line: 1124 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
static int pvscsi_setup_msg_workqueue(struct pvscsi_adapter *adapter)
{
	char name[32];

	if (!pvscsi_use_msg)
		return 0;

	pvscsi_reg_write(adapter, PVSCSI_REG_OFFSET_COMMAND,

            

Line: 70 Column: 9 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              static ssize_t
arch_show(struct device *dev, struct device_attribute *attr, char *buf)
{
	return sprintf(buf, "%s\n", integrator_arch_str(integrator_coreid));
}

static DEVICE_ATTR_RO(arch);

static ssize_t

            

Line: 78 Column: 9 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              static ssize_t
fpga_show(struct device *dev, struct device_attribute *attr, char *buf)
{
	return sprintf(buf, "%s\n", integrator_fpga_str(integrator_coreid));
}

static DEVICE_ATTR_RO(fpga);

static ssize_t

            

Line: 62 Column: 9 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              static ssize_t
manufacturer_show(struct device *dev, struct device_attribute *attr, char *buf)
{
	return sprintf(buf, "%02x\n", integrator_coreid >> 24);
}

static DEVICE_ATTR_RO(manufacturer);

static ssize_t

            

Line: 86 Column: 9 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              static ssize_t
build_show(struct device *dev, struct device_attribute *attr, char *buf)
{
	return sprintf(buf, "%02x\n", (integrator_coreid >> 4) & 0xFF);
}

static DEVICE_ATTR_RO(build);

static struct attribute *integrator_attrs[] = {

            

Line: 766 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              			xhci_warn(xhci, "WARN Wrong bounce buffer read length: %zu != %d\n",
				  len, seg->bounce_len);
	} else {
		memcpy(urb->transfer_buffer + seg->bounce_offs, seg->bounce_buf,
		       seg->bounce_len);
	}
	seg->bounce_len = 0;
	seg->bounce_offs = 0;
}

            

Line: 3487 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              				xhci_warn(xhci, "WARN Wrong bounce buffer write length: %zu != %d\n",
					  len, new_buff_len);
		} else {
			memcpy(seg->bounce_buf, urb->transfer_buffer + enqd_len, new_buff_len);
		}

		seg->bounce_dma = dma_map_single(dev, seg->bounce_buf,
						 max_pkt, DMA_TO_DEVICE);
	} else {

            

Line: 3612 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              			td->last_trb = ring->enqueue;
			td->last_trb_seg = ring->enq_seg;
			if (xhci_urb_suitable_for_idt(urb)) {
				memcpy(&send_addr, urb->transfer_buffer,
				       trb_buff_len);
				le64_to_cpus(&send_addr);
				field |= TRB_IDT;
			}
		}

            

Line: 3761 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              		u64 addr;

		if (xhci_urb_suitable_for_idt(urb)) {
			memcpy(&addr, urb->transfer_buffer,
			       urb->transfer_buffer_length);
			le64_to_cpus(&addr);
			field |= TRB_IDT;
		} else {
			addr = (u64) urb->transfer_dma;

            

Line: 152 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              
	rtw_init_netdev_name(pnetdev, ifname);

	memcpy(pnetdev->dev_addr, padapter->eeprompriv.mac_addr, ETH_ALEN);

	if (!rtnl_is_locked())
		ret = register_netdev(pnetdev);
	else
		ret = register_netdevice(pnetdev);

            

Line: 196 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	dup = rtw_malloc(src_len);
	if (dup) {
		dup_len = src_len;
		memcpy(dup, src, dup_len);
	}

keep_ori:
	ori = *buf;
	ori_len = *buf_len;

            

Line: 233 Column: 31 CWE codes: 120 20

               */
inline bool rtw_cbuf_empty(struct rtw_cbuf *cbuf)
{
	return (cbuf->write == cbuf->read) ? true : false;
}

/**
 * rtw_cbuf_push - push a pointer into cbuf
 * @cbuf: pointer of struct rtw_cbuf

            

Line: 268 Column: 25 CWE codes: 120 20

              	if (rtw_cbuf_empty(cbuf))
		return NULL;

	buf = cbuf->bufs[cbuf->read];
	cbuf->read = (cbuf->read + 1) % cbuf->size;

	return buf;
}


            

Line: 68 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              		skb  = dev_alloc_skb(USB_HWDESC_HEADER_LEN + frag_length + 4);
		if (!skb)
			return false;
		memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
		tcb_desc = (struct cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
		tcb_desc->queue_index = TXCMD_QUEUE;
		tcb_desc->bCmdOrInit = DESC_PACKET_TYPE_INIT;
		tcb_desc->bLastIniPkt = bLastIniPkt;


            

Line: 211 Column: 8 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
	rt_firmware		*pfirmware = priv->pFirmware;
	const struct firmware	*fw_entry;
	const char *fw_name[3] = { "RTL8192U/boot.img",
			   "RTL8192U/main.img",
			   "RTL8192U/data.img"};
	int rc;

	RT_TRACE(COMP_FIRMWARE, " PlatformInitFirmware()==>\n");

            

Line: 254 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              			}

			if (init_step != FW_INIT_STEP1_MAIN) {
				memcpy(pfirmware->firmware_buf, fw_entry->data, fw_entry->size);
				mapped_file = pfirmware->firmware_buf;
				file_length = fw_entry->size;
			} else {
				memset(pfirmware->firmware_buf, 0, 128);
				memcpy(&pfirmware->firmware_buf[128], fw_entry->data, fw_entry->size);

            

Line: 259 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              				file_length = fw_entry->size;
			} else {
				memset(pfirmware->firmware_buf, 0, 128);
				memcpy(&pfirmware->firmware_buf[128], fw_entry->data, fw_entry->size);
				mapped_file = pfirmware->firmware_buf;
				file_length = fw_entry->size + 128;
			}
			pfirmware->firmware_buf_size = file_length;
		} else if (rst_opt == OPT_FIRMWARE_RESET) {