(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-giop.c) |
| |
| 1228 | | | static guint32 string_to_IOR(guchar *in, guint32 in_len, guint8 **out){ |
| 1229 | | | gint8 tmpval_lsb; |
| 1230 | | | gint8 tmpval_msb; |
| 1231 | | | gint8 tmpval; |
| 1232 | | | guint32 i; |
| 1233 | | | |
| 1234 | | | *out = g_new0(guint8, in_len);
x /usr/include/glib-2.0/glib/gmem.h |
| |
175 | #define g_new0(struct_type, n_structs) _G_NEW (struct_type, n_structs, malloc0) |
| |
x /usr/include/glib-2.0/glib/gmem.h |
| |
102 | # define _G_NEW(struct_type, n_structs, func) \ |
103 | (struct_type *) (__extension__ ({ \ |
104 | gsize __n = (gsize) (n_structs); \ |
105 | gsize __s = sizeof (struct_type); \ |
106 | gpointer __p; \ |
107 | if (__s == 1) \ |
108 | __p = g_##func (__n); \ |
109 | else if (__builtin_constant_p (__n) && \ |
110 | (__s == 0 || __n <= G_MAXSIZE / __s)) \ |
111 | __p = g_##func (__n * __s); \ |
112 | else \ |
113 | __p = g_##func##_n (__n, __s); \ |
114 | __p; \ |
115 | })) |
| |
|
| 1235 | | | |
| 1236 | | | if (*out == NULL) { |
Event 3:
Skipping " if". *out == (void *)0 evaluates to false.
hide
|
|
| 1237 | | | return 0; |
| 1238 | | | } |
| 1239 | | | |
| 1240 | | | |
| 1241 | | | |
| 1242 | | | for (i=4; i<in_len-1; i+=2) { |
Event 4:
Entering loop body. i < in_len - 1 evaluates to true.
hide
|
|
| 1243 | | | if ( isxdigit(in[i]) && isxdigit(in[i+1]) ) { |
| 1244 | | | |
| 1245 | [+] | | if ( (tmpval_msb = hex_char_to_val(in[i])) < 0 ) { |
 |
| 1246 | | | g_warning("giop: Invalid value in IOR %i \n", tmpval_msb);
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 1247 | | | |
| 1248 | | | } |
| 1249 | | | |
| 1250 | [+] | | if ( (tmpval_lsb = hex_char_to_val(in[i+1])) < 0 ) { |
 |
| 1251 | | | g_warning("giop: Invalid value in IOR %i \n", tmpval_lsb);
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 1252 | | | } |
| 1253 | | | |
| 1254 | | | tmpval = tmpval_msb << 4; |
Event 16:
tmpval is set to 16 * tmpval_msb, which evaluates to -16. See related event 8.
hide
|
|
| 1255 | | | tmpval += tmpval_lsb; |
Event 17:
tmpval is set to -17. - Determines the value that is cast in the Cast Alters Value warning later.
See related events 13 and 16.
hide
|
|
| 1256 | | | (*out)[(i-4)/2] = (guint8) tmpval; |
Cast Alters Value
tmpval is cast from signed char to unsigned char. - tmpval evaluates to -17.
- Negative values cannot be stored as unsigned char. Casting them to unsigned char can cause data loss or sign change.
The issue can occur if the highlighted code executes. See related event 17. Show: All events | Only primary events |
|
| |