(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mail-transaction-log-append.c) |
| |
| 238 | | | static void log_append_ext_intro(struct log_append_context *ctx, |
| 239 | | | uint32_t ext_id, uint32_t reset_id) |
| 240 | | | { |
| 241 | | | struct mail_index_transaction *t = ctx->trans; |
| 242 | | | const struct mail_index_registered_ext *rext; |
| 243 | | | struct mail_transaction_ext_intro *intro; |
| 244 | | | buffer_t *buf; |
| 245 | | | uint32_t idx; |
| 246 | | | unsigned int count; |
| 247 | | | |
| 248 | | | i_assert(ext_id != (uint32_t)-1);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 1:
Skipping " if". ext_id != (uint32_t)-1 evaluates to true.
Event 2:
Skipping " if". !(ext_id != (uint32_t)-1) evaluates to false.
Event 3:
Skipping " if". !!(ext_id != (uint32_t)-1) evaluates to true.
Event 4:
Skipping " if". !!!(ext_id != (uint32_t)-1) evaluates to false.
Event 5:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 249 | | | |
| 250 | | | if (t->reset || |
Event 6:
Taking true branch. t->reset evaluates to true.
|
|
| 251 | | | !mail_index_map_get_ext_idx(t->view->index->map, ext_id, &idx)) { |
| 252 | | | |
| 253 | | | idx = (uint32_t)-1; |
| 254 | | | } |
| 255 | | | |
| 256 | | | rext = array_idx(&t->view->index->extensions, ext_id);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
165 | #define array_idx(array, idx) \ |
166 | ARRAY_TYPE_CAST_CONST(array)array_idx_i(&(array)->arr, idx) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
43 | # define ARRAY_TYPE_CAST_CONST(array) \ |
44 | (typeof(*(array)->v)) |
| |
|
| 257 | | | if (!array_is_created(&t->ext_resizes)) {
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
91 | #define array_is_created(array) \ |
92 | array_is_created_i(&(array)->arr) |
| |
|
Event 7:
Taking true branch. array_is_created_i(...) evaluates to false.
|
|
| 258 | | | intro = NULL; |
Event 8:
intro is set to NULL. - Dereferenced later, causing the null pointer dereference.
|
|
| 259 | | | count = 0; |
| 260 | | | } else { |
| 261 | | | intro = array_get_modifiable(&t->ext_resizes, &count);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
174 | #define array_get_modifiable(array, count) \ |
175 | ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
176 | array_get_modifiable_i(&(array)->arr, count) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
45 | # define ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
46 | (typeof(*(array)->v_modifiable)) |
| |
|
| 262 | | | } |
| 263 | | | |
| 264 | | | buf = buffer_create_dynamic(pool_datastack_create(), 128); |
| 265 | | | if (ext_id < count && intro[ext_id].name_size != 0) { |
Event 9:
ext_id < count evaluates to true.
Null Pointer Dereference
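intro is dereferenced here, but it is NULL. The issue can occur if the highlighted code executes. See related event 8. Triage note: on the path through event 8, line 259 also sets count to 0, and nothing shown between lines 259 and 265 modifies it. Both ext_id (uint32_t) and count (unsigned int) are unsigned, so ext_id < count is false on that path and the && short-circuits before intro[ext_id] is read. Event 9 therefore contradicts the assignment at line 259; judging from the lines shown, this path looks infeasible and the warning is probably a false positive, to be confirmed against the complete function. |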
|
| |