(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| |
| 486 | | | static void acttab_action(acttab *p, int lookahead, int action){ |
| 487 | | | if( p->nLookahead>=p->nLookaheadAlloc ){ |
Event 1:
Taking true branch. p->nLookahead >= p->nLookaheadAlloc evaluates to true.
hide
|
|
| 488 | | | p->nLookaheadAlloc += 25; |
Event 2:
p->nLookaheadAlloc is set to p->nLookaheadAlloc + 25. - Determines the allocation size later.
hide
|
|
| 489 | | | p->aLookahead = realloc( p->aLookahead, |
Integer Overflow of Allocation Size
- If the multiplication at lemon.c:490 overflows, then realloc() may allocate less space than expected; this might result in buffer overruns later.
- The allocation size is sizeof( p->aLookahead[0] ) * p->nLookaheadAlloc, which evaluates to 8 * p->nLookaheadAlloc + 200, which is bounded above by 8 * p->nLookahead + 200.
The issue can occur if the highlighted code executes. See related event 3. Show: All events | Only primary events |
|
| 490 | | | sizeof(p->aLookahead[0])*p->nLookaheadAlloc ); |
Event 3:
8 * p->nLookaheadAlloc, which evaluates to 8 * p->nLookaheadAlloc + 200, is passed to realloc() as the second argument. - This multiplication may overflow and it is used as the allocation size later.
See related event 2.
hide
|
|
| |