(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mail-index-transaction.c) |
| |
| 1261 | | | void mail_index_update_ext(struct mail_index_transaction *t, uint32_t seq, |
| 1262 | | | uint32_t ext_id, const void *data, void *old_data_r) |
| 1263 | | | { |
| 1264 | | | struct mail_index *index = t->view->index; |
| 1265 | | | const struct mail_index_registered_ext *rext; |
| 1266 | | | const struct mail_transaction_ext_intro *intro; |
| 1267 | | | uint16_t record_size; |
| 1268 | | | ARRAY_TYPE(seq_array) *array; |
| 1269 | | | unsigned int count; |
| 1270 | | | |
| 1271 | | | i_assert(seq > 0 &&
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
| 1272 | | | (seq <= mail_index_view_get_messages_count(t->view) || |
| 1273 | | | seq <= t->last_new_seq)); |
Event 1:
Skipping " if". - seq > 0 evaluates to true.
- seq <= mail_index_view_get_messages_count(...) evaluates to true.
Event 2:
Skipping " if". !(seq > 0 && (seq <= mail_index_view_get_messages_count(...) || seq <= t->last_new_seq)) evaluates to false.
Event 3:
Skipping " if". !!(seq > 0 && (seq <= mail_index_view_get_messages_count(...) || seq <= t->last_new_seq)) evaluates to true.
Event 4:
Skipping " if". !!!(seq > 0 && (seq <= mail_index_view_get_messages_count(...) || seq <= t->last_new_seq)) evaluates to false.
Event 5:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 1274 | | | i_assert(ext_id < array_count(&index->extensions));
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 6:
Skipping " if". ext_id < array_count_i(...) evaluates to true.
Event 7:
Skipping " if". !(ext_id < array_count_i(...)) evaluates to false.
Event 8:
Skipping " if". !!(ext_id < array_count_i(...)) evaluates to true.
Event 9:
Skipping " if". !!!(ext_id < array_count_i(...)) evaluates to false.
Event 10:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 1275 | | | |
| 1276 | | | t->log_ext_updates = TRUE; |
Event 11:
!0 evaluates to true.
|
|
| 1277 | | | |
| 1278 | | | if (!array_is_created(&t->ext_resizes)) {
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
91 | #define array_is_created(array) \ |
92 | array_is_created_i(&(array)->arr) |
| |
|
Event 12:
Taking true branch. array_is_created_i(...) evaluates to false.
|
|
| 1279 | | | intro = NULL; |
Event 13:
intro is set to NULL. - Dereferenced later, causing the null pointer dereference.
|
|
| 1280 | | | count = 0; |
| 1281 | | | } else { |
| 1282 | | | intro = array_get(&t->ext_resizes, &count);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
156 | #define array_get(array, count) \ |
157 | ARRAY_TYPE_CAST_CONST(array)array_get_i(&(array)->arr, count) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
43 | # define ARRAY_TYPE_CAST_CONST(array) \ |
44 | (typeof(*(array)->v)) |
| |
|
| 1283 | | | } |
| 1284 | | | if (ext_id < count && intro[ext_id].name_size != 0) { |
Event 14:
ext_id < count evaluates to true.
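Null Pointer Dereference
intro is dereferenced here, but it is NULL. The issue can occur if the highlighted code executes. See related event 13.
Triage note: on the path through event 13, line 1280 also sets count to 0, and ext_id (uint32_t) and count (unsigned int) are both unsigned, so `ext_id < count` cannot be true there and the `&&` short-circuits before intro[ext_id] is read. Event 14 therefore looks infeasible on this path, and the report appears to be a false positive; confirm against the complete function before closing it.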
|
| |