(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/plugins/zlib/zlib-plugin.c) |
| |
| 102 | | | static int zlib_maildir_get_stream(struct mail *_mail, |
| 103 | | | struct message_size *hdr_size, |
| 104 | | | struct message_size *body_size, |
| 105 | | | struct istream **stream_r) |
| 106 | | | { |
| 107 | | | struct mail_private *mail = (struct mail_private *)_mail; |
Event 1:
mail is set to _mail; this value is dereferenced later, leading to the reported null pointer dereference.
|
|
| 108 | | | struct index_mail *imail = (struct index_mail *)mail; |
Event 2:
imail is set to mail, which evaluates to _mail. See related event 1.
|
|
| 109 | | | union mail_module_context *zmail = ZLIB_MAIL_CONTEXT(mail);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
46 | #define MODULE_CONTEXT(obj, id_ctx) \ |
47 | (*((void **)array_idx_modifiable(&(obj)->module_contexts, \ |
48 | (id_ctx).id.module_id) + \ |
49 | OBJ_REGISTER_COMPATIBLE(obj, id_ctx))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
179 | #define array_idx_modifiable(array, idx) \ |
180 | ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
181 | array_idx_modifiable_i(&(array)->arr, idx) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
45 | # define ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
46 | (typeof(*(array)->v_modifiable)) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
43 | #define OBJ_REGISTER_COMPATIBLE(obj, id_ctx) \ |
44 | COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(OBJ_REGISTER(obj), (id_ctx).reg) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
158 | # define COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(_a, _b) \ |
159 | COMPILE_ERROR_IF_TRUE( \ |
160 | !__builtin_types_compatible_p(typeof(_a), typeof(_b))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
156 | # define COMPILE_ERROR_IF_TRUE(condition) \ |
157 | (sizeof(char[1 - 2 * !!(condition)]) - 1) |
| |
|
| 110 | | | struct istream *input; |
| 111 | | | struct zlib_handler *handler; |
| 112 | | | int fd; |
| 113 | | | |
| 114 | | | if (imail->data.stream != NULL) { |
Event 3:
Skipping " if". imail->data.stream != (void *)0 evaluates to false.
Event 4:
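Considering the case where imail->data.stream is equal to 0, so _mail[11].lookup_abort must have been equal to 0. (imail is only a cast of _mail, so the analyzer appears to label the same memory location through the struct mail view of the pointer; _mail[11].lookup_abort is its name for the storage of imail->data.stream, not a separate field access in the code.) See related event 2.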
|
|
| 115 | | | return zmail->super.get_stream(_mail, hdr_size, body_size, |
| 116 | | | stream_r); |
| 117 | | | } |
| 118 | | | |
| 119 | | | if (zmail->super.get_stream(_mail, NULL, NULL, &input) < 0) |
Event 5:
Skipping " if". zmail->super.get_stream(...) < 0 evaluates to false.
|
|
| 120 | | | return -1; |
| 121 | | | i_assert(input == imail->data.stream);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 6:
Skipping " if". input == imail->data.stream evaluates to true.
Event 7:
Skipping " if". !(input == imail->data.stream) evaluates to false.
Event 8:
Skipping " if". !!(input == imail->data.stream) evaluates to true.
Event 9:
Skipping " if". !!!(input == imail->data.stream) evaluates to false.
Event 10:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 122 | | | |
| 123 | [+] | | handler = zlib_get_zlib_handler(imail->data.stream); |
 |
| 124 | | | if (handler != NULL) { |
Event 13:
Taking true branch. handler != (void *)0 evaluates to true.
|
|
| 125 | | | if (handler->create_istream == NULL) { |
Event 14:
Taking true branch. handler->create_istream == (void *)0 evaluates to true.
|
|
| 126 | | | mail_storage_set_critical(_mail->box->storage, |
| 127 | | | "zlib plugin: Detected %s compression " |
| 128 | | | "but support not compiled in", handler->ext); |
| 129 | | | fd = -1; |
| 130 | | | } else { |
| 131 | | | fd = dup(i_stream_get_fd(imail->data.stream)); |
| 132 | | | if (fd == -1) { |
| 133 | | | mail_storage_set_critical(_mail->box->storage, |
| 134 | | | "zlib plugin: dup() failed: %m"); |
| 135 | | | } |
| 136 | | | } |
| 137 | | | |
| 138 | | | imail->data.destroying_stream = TRUE; |
Event 15:
!0 evaluates to true.
|
|
| 139 | [+] | | i_stream_unref(&imail->data.stream); |
Event 16:
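&imail->data.stream, which evaluates to &_mail[11].lookup_abort, is passed to i_stream_unref(). See related event 2. Because the address of the pointer is passed, the callee is able to modify imail->data.stream itself; its body is collapsed ([+]) in this listing, and the listing ends before the dereference that the warning reports. When triaging, check in the full function whether imail->data.stream is read again after this call without first being reassigned.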
|
|
 |
| |