(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| 4334 | | | int Strsafe_insert(char *data) |
| 4335 | | | { |
| 4336 | | | x1node *np; |
| 4337 | | | int h; |
| 4338 | | | int ph; |
| 4339 | | | |
| 4340 | | | if( x1a==0 ) return 0; |
Event 1:
Skipping " if". x1a == 0 evaluates to false.
| 4341 | | | ph = strhash(data); |
| 4342 | | | h = ph & (x1a->size-1); |
| 4343 | | | np = x1a->ht[h]; |
| 4344 | | | while( np ){ |
Event 2:
Leaving loop. np evaluates to false.
| 4345 | | | if( strcmp(np->data,data)==0 ){ |
| 4346 | | | |
| 4347 | | | |
| 4348 | | | return 0; |
| 4349 | | | } |
| 4350 | | | np = np->next; |
| 4351 | | | } |
| 4352 | | | if( x1a->count>=x1a->size ){ |
Event 3:
Taking true branch. x1a->count >= x1a->size evaluates to true.
| 4353 | | | |
| 4354 | | | int i,size; |
| 4355 | | | struct s_x1 array; |
| 4356 | | | array.size = size = x1a->size*2; |
Event 4:
size is set to 2 * x1a->size. - Determines the allocation size later.
| 4357 | | | array.count = x1a->count; |
| 4358 | | | array.tbl = (x1node*)malloc( |
| 4359 | | | (sizeof(x1node) + sizeof(x1node*))*size ); |
Event 5:
16 * size, which evaluates to 32 * x1a->size, is passed to malloc(). - This multiplication may overflow and it is used as the allocation size later.
See related event 4.
Integer Overflow of Allocation Size
- If the multiplication at lemon.c:4359 overflows, then malloc() may allocate less space than expected; this might result in buffer overruns later.
- The allocation size is (sizeof( x1node ) + sizeof( x1node * )) * size, which evaluates to 32 * x1a->size, which is bounded above by 32 * x1a->count.
The issue can occur if the highlighted code executes. See related event 5.