(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mail-index-map.c) |
| |
| 1170 | | | void mail_index_map_move_to_memory(struct mail_index_map *map) |
| 1171 | | | { |
| 1172 | | | struct mail_index_record_map *new_map; |
| 1173 | | | |
| 1174 | | | if (map->rec_map->mmap_base == NULL) |
Event 1:
Skipping " if". map->rec_map->mmap_base == (void *)0 evaluates to false.
|
|
| 1175 | | | return; |
| 1176 | | | |
| 1177 | | | i_assert(map->rec_map->lock_id != 0);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 2:
Skipping " if". map->rec_map->lock_id != 0 evaluates to true.
Event 3:
Skipping " if". !(map->rec_map->lock_id != 0) evaluates to false.
Event 4:
Skipping " if". !!(map->rec_map->lock_id != 0) evaluates to true.
Event 5:
Skipping " if". !!!(map->rec_map->lock_id != 0) evaluates to false.
Event 6:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 1178 | | | |
| 1179 | | | if (array_count(&map->rec_map->maps) == 1) |
Event 7:
Taking false branch. array_count_i(...) == 1 evaluates to false.
|
|
| 1180 | | | new_map = map->rec_map; |
| 1181 | | | else { |
| 1182 | [+] | | new_map = mail_index_record_map_alloc(map); |
Event 8:
The resource of interest is allocated inside mail_index_record_map_alloc().
|
|
 |
| 1183 | | | new_map->modseq = map->rec_map->modseq == NULL ? NULL : |
Event 28:
map->rec_map->modseq == (void *)0 evaluates to true.
|
|
| 1184 | | | mail_index_map_modseq_clone(map->rec_map->modseq); |
| 1185 | | | } |
| 1186 | | | |
| 1187 | | | mail_index_map_copy_records(new_map, map->rec_map, |
Event 29:
The resource of interest is passed to mail_index_map_copy_records() as the first argument. - mail_index_map_copy_records() does not free it or save any references that are freed later.
- new_map, which evaluates to malloc(size) from imem.c:9, is passed to mail_index_map_copy_records() as the first argument.
See related event 27.
|
|
| 1188 | [+] | | map->hdr.record_size); |
 |
| 1189 | | | (map, map); |
| 1190 | | | |
| 1191 | | | if (new_map != map->rec_map) { |
Event 33:
Taking false branch. new_map != map->rec_map evaluates to false.
|
|
| 1192 | | | mail_index_record_map_unlink(map); |
| 1193 | | | map->rec_map = new_map; |
| 1194 | | | } else { |
| 1195 | [+] | | mail_index_unlock(map->index, &new_map->lock_id); |
Event 34:
The resource of interest is passed to mail_index_unlock() as the second argument. - mail_index_unlock() does not free it or save any references that are freed later.
- &new_map->lock_id, which evaluates to malloc(size) + 20 from imem.c:9, is passed to mail_index_unlock() as the second argument.
See related event 27.
|
|
 |
| 1196 | | | if (munmap(new_map->mmap_base, new_map->mmap_size) < 0) |
| 1197 | | | mail_index_set_syscall_error(map->index, "munmap()"); |
| 1198 | | | new_map->mmap_base = NULL; |
| 1199 | | | } |
| 1200 | | | } |
Leak
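There are no remaining references to the resource malloc(size) from imem.c:9. The issue can occur if the highlighted code executes. See related events 8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 29, 30, 32, 34, 35, 38, and 41.
Triage note: the reported path takes the else branch at line 1181 (Event 7), so new_map is the record map freshly allocated at line 1182 (Event 8), yet Event 33 assumes that new_map != map->rec_map is false at line 1191. Both can hold only if mail_index_record_map_alloc() also stores its result in map->rec_map, which this listing does not show, so confirm that path is feasible before treating the warning as a real leak. On the branch where the comparison is true, line 1193 stores new_map in map->rec_map and the allocation stays referenced.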
|
| |