(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/emem.c) |
| |
| 1523 | | | void * |
| 1524 | | | emem_tree_lookup_string(emem_tree_t* se_tree, const gchar* k, guint32 flags) |
| 1525 | | | { |
| 1526 | | | emem_tree_key_t key[2]; |
| 1527 | | | guint32 *aligned=NULL; |
| 1528 | | | guint32 len = (guint) strlen(k); |
| 1529 | | | guint32 div = (len+3)/4+1; |
| 1530 | | | guint32 i; |
| 1531 | | | guint32 tmp; |
| 1532 | | | void *ret; |
| 1533 | | | |
| 1534 | | | aligned = malloc(div * sizeof (guint32)); |
Event 1:
malloc() returns NULL (allocation failure). The result is not checked before it is dereferenced later, causing the null pointer dereference.
Event 2:
aligned is set to malloc(...), which evaluates to NULL. See related event 1.
|
|
| 1535 | | | |
| 1536 | | | |
| 1537 | | | tmp = 0; |
| 1538 | | | for (i = 0;i < len;i++) { |
Event 3:
Leaving loop. i < len evaluates to false.
|
|
| 1539 | | | unsigned char ch; |
| 1540 | | | |
| 1541 | | | ch = (unsigned char)k[i]; |
| 1542 | | | if (flags & EMEM_TREE_STRING_NOCASE) { |
| 1543 | | | if(isupper(ch)) { |
| 1544 | | | ch = tolower(ch); |
| 1545 | | | } |
| 1546 | | | } |
| 1547 | | | tmp <<= 8; |
| 1548 | | | tmp |= ch; |
| 1549 | | | if (i%4 == 3) { |
| 1550 | | | aligned[i/4] = tmp; |
| 1551 | | | tmp = 0; |
| 1552 | | | } |
| 1553 | | | } |
| 1554 | | | |
| 1555 | | | if (i%4 != 0) { |
Event 4:
Skipping the "if" block. i % 4 != 0 evaluates to false.
|
|
| 1556 | | | while (i%4 != 0) { |
| 1557 | | | i++; |
| 1558 | | | tmp <<= 8; |
| 1559 | | | } |
| 1560 | | | aligned[i/4-1] = tmp; |
| 1561 | | | } |
| 1562 | | | |
| 1563 | | | |
| 1564 | | | aligned[div-1] = 0x00000001; |
Null Pointer Dereference
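aligned is dereferenced here, but it is NULL. The issue can occur if the highlighted code executes. See related event 2. In the listing, nothing between the malloc() call on line 1534 and this write tests aligned for NULL, so an allocation failure leads directly to a write through a null pointer. The stores on lines 1550 and 1560 also go through the same unchecked pointer, on paths where the loop body or the padding branch runs. A single check of the malloc() result immediately after line 1534, with an early failure return, covers all three writes. How callers interpret a NULL return from this function is not visible here and should be confirmed.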
|
| |