(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mailbox-list-index-sync.c) |
| |
| 530 | | | mailbox_list_index_sync_recreate_dir(struct mailbox_list_index_sync_ctx *ctx, |
| 531 | | | struct mailbox_list_sync_dir *sync_dir, |
| 532 | | | uint32_t offset_pos, bool partial) |
| 533 | | | { |
| 534 | | | struct mailbox_list_index *index = ctx->index; |
| 535 | | | const struct mailbox_list_dir_record *dir; |
| 536 | | | const struct mailbox_list_record *recs; |
| 537 | | | struct mailbox_list_dir_record *new_dir; |
| 538 | | | struct mailbox_list_record *new_recs; |
| 539 | | | struct mailbox_list_sync_record *sync_recs; |
| 540 | | | unsigned int src, dest, orig, count, nondeleted_count; |
| 541 | | | unsigned int space_needed, deleted_space; |
| 542 | | | uint32_t base_offset, name_pos, size; |
| 543 | | | void *base; |
| 544 | | | |
| 545 | | | i_assert((offset_pos % sizeof(uint32_t)) == 0);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 1:
Skipping " if". offset_pos % sizeof( uint32_t ) == 0 evaluates to true.
Event 2:
Skipping " if". !(offset_pos % sizeof( uint32_t ) == 0) evaluates to false.
Event 3:
Skipping " if". !!(offset_pos % sizeof( uint32_t ) == 0) evaluates to true.
Event 4:
Skipping " if". !!!(offset_pos % sizeof( uint32_t ) == 0) evaluates to false.
Event 5:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 546 | | | i_assert(offset_pos < index->mmap_size);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 6:
Skipping " if". offset_pos < index->mmap_size evaluates to true.
Event 7:
Skipping " if". !(offset_pos < index->mmap_size) evaluates to false.
Event 8:
Skipping " if". !!(offset_pos < index->mmap_size) evaluates to true.
Event 9:
Skipping " if". !!!(offset_pos < index->mmap_size) evaluates to false.
Event 10:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 547 | | | |
| 548 | | | |
| 549 | | | |
| 550 | | | nondeleted_count = 0; space_needed = 0; |
| 551 | [+] | | sync_recs = array_get_modifiable(&sync_dir->records, &count);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
174 | #define array_get_modifiable(array, count) \ |
175 | ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
176 | array_get_modifiable_i(&(array)->arr, count) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
45 | # define ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
46 | (typeof(*(array)->v_modifiable)) |
| |
|
 |
| 552 | | | for (src = 0; src < count; src++) { |
Event 11:
Entering loop body. src < count evaluates to true.
Event 14:
Continuing from loop body. Leaving loop. src < count evaluates to false.
|
|
| 553 | | | if (sync_recs[src].seen || partial) { |
Event 12:
Taking true branch. sync_recs[src].seen evaluates to true.
|
|
| 554 | | | nondeleted_count++; |
| 555 | | | if (sync_recs[src].created) { |
Event 13:
Skipping " if". sync_recs[src].created evaluates to false.
|
|
| 556 | | | |
| 557 | | | space_needed += strlen(sync_recs[src].name) + 1; |
| 558 | | | } |
| 559 | | | } |
| 560 | | | } |
| 561 | | | |
| 562 | | | |
| 563 | | | space_needed += sizeof(*dir) + nondeleted_count * sizeof(*new_recs); |
| 564 | | | if (mailbox_list_index_sync_alloc_space(ctx, space_needed, |
| 565 | [+] | | &base, &base_offset) < 0) |
 |
| 566 | | | return -1; |
| 567 | | | |
| 568 | | | |
| 569 | | | |
| 570 | | | if (sync_dir->offset == 0) { |
Event 19:
Taking true branch. sync_dir->offset == 0 evaluates to true.
|
|
| 571 | | | dir = NULL; |
Event 20:
dir is set to NULL. It is dereferenced later (line 625, dir->count), causing the null pointer dereference.
|
|
| 572 | | | recs = NULL; |
| 573 | | | deleted_space = 0; |
| 574 | | | } else { |
| 575 | | | |
| 576 | | | i_assert(sync_dir->offset == offset_pos);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
| 577 | | | i_assert(sync_dir->offset < index->mmap_size);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
| 578 | | | dir = CONST_PTR_OFFSET(index->const_mmap_base,
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
29 | #define CONST_PTR_OFFSET(ptr, offset) \ |
30 | ((const void *) (((const unsigned char *) (ptr)) + (offset))) |
| |
|
| 579 | | | sync_dir->offset); |
| 580 | | | recs = MAILBOX_LIST_RECORDS(dir);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mailbox-list-index-private.h |
| |
80 | #define MAILBOX_LIST_RECORDS(dir) \ |
81 | ((const struct mailbox_list_record *)(dir + 1)) |
| |
|
| 581 | | | |
| 582 | | | |
| 583 | | | |
| 584 | | | deleted_space = sizeof(*dir) + dir->dir_size; |
| 585 | | | } |
| 586 | | | |
| 587 | | | new_dir = base; |
| 588 | | | new_dir->count = nondeleted_count; |
| 589 | | | new_dir->dir_size = space_needed; |
| 590 | | | |
| 591 | | | new_recs = MAILBOX_LIST_RECORDS_MODIFIABLE(new_dir);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mailbox-list-index-private.h |
| |
82 | #define MAILBOX_LIST_RECORDS_MODIFIABLE(dir) \ |
83 | ((struct mailbox_list_record *)(dir + 1)) |
| |
|
| 592 | | | name_pos = (const char *)(new_recs + nondeleted_count) - |
| 593 | | | (const char *)base; |
| 594 | | | for (src = dest = 0; src < count;) { |
Event 21:
Entering loop body. src < count evaluates to true.
hide
|
|
| 595 | | | if (!sync_recs[src].seen && !partial) { |
Event 22:
Skipping " if". sync_recs[src].seen evaluates to true.
|
|
| 596 | | | |
| 597 | | | uint32_t seq; |
| 598 | | | |
| 599 | | | if (mail_index_lookup_seq(ctx->mail_view, |
| 600 | | | sync_recs[src].uid, &seq)) |
| 601 | | | mail_index_expunge(ctx->trans, seq); |
| 602 | | | |
| 603 | | | |
| 604 | | | |
| 605 | | | |
| 606 | | | array_delete(&sync_dir->records, src, 1);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
147 | #define array_delete(array, idx, count) \ |
148 | array_delete_i(&(array)->arr, idx, count) |
| |
|
| 607 | | | sync_recs = array_get_modifiable(&sync_dir->records,
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
174 | #define array_get_modifiable(array, count) \ |
175 | ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
176 | array_get_modifiable_i(&(array)->arr, count) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
45 | # define ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
46 | (typeof(*(array)->v_modifiable)) |
| |
|
| 608 | | | &count); |
| 609 | | | continue; |
| 610 | | | } |
| 611 | | | |
| 612 | | | new_recs[dest].name_hash = sync_recs[src].name_hash; |
| 613 | | | new_recs[dest].dir_offset = |
| 614 | | | mail_index_uint32_to_offset(sync_recs[src].dir_offset); |
| 615 | | | if (sync_recs[src].created) { |
Event 23:
Taking false branch. sync_recs[src].created evaluates to false.
|
|
| 616 | | | |
| 617 | | | new_recs[dest].uid = sync_recs[src].uid; |
| 618 | | | new_recs[dest].name_offset = base_offset + name_pos; |
| 619 | | | size = strlen(sync_recs[src].name) + 1; |
| 620 | | | memcpy(PTR_OFFSET(base, name_pos), sync_recs[src].name,
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
27 | #define PTR_OFFSET(ptr, offset) \ |
28 | ((void *) (((unsigned char *) (ptr)) + (offset))) |
| |
|
| 621 | | | size); |
| 622 | | | name_pos += size; |
| 623 | | | } else { |
| 624 | | | |
| 625 | | | for (orig = 0; orig < dir->count; orig++) { |
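Null Pointer Dereference
dir is dereferenced here (dir->count in the loop condition), but it is NULL on this path: sync_dir->offset == 0 took the branch that sets dir to NULL (events 19 and 20), and sync_recs[src].created was false (event 23), so this else branch runs. The issue can occur if the highlighted code executes. See related event 20. The listing shows no check that a directory with offset 0 holds only created records, so unless a caller guarantees that invariant, a dir != NULL guard or assertion would be needed before this loop.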
|
| |