(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/plugins/fts-squat/squat-uidlist.c) |
| |
| 111 | | | uidlist_write_array(struct ostream *output, const uint32_t *uid_list, |
| 112 | | | unsigned int uid_count, uint32_t packed_flags, |
| 113 | | | uint32_t offset, bool write_size, uint32_t *size_r) |
| 114 | | | { |
| 115 | | | uint8_t *uidbuf, *bufp, sizebuf[SQUAT_PACK_MAX_SIZE], *sizebufp; |
| 116 | | | uint8_t listbuf[SQUAT_PACK_MAX_SIZE], *listbufp = listbuf; |
| 117 | | | uint32_t uid, uid2, prev, base_uid, size_value; |
| 118 | | | unsigned int i, bitmask_len, uid_list_len; |
| 119 | | | unsigned int idx, max_idx, mask; |
| 120 | | | bool datastack; |
| 121 | | | int num; |
| 122 | | | |
| 123 | | | if ((packed_flags & UIDLIST_PACKED_FLAG_BEGINS_WITH_POINTER) != 0) |
Event 1:
Skipping the "if" body. (packed_flags & 2) != 0 evaluates to false.
| 124 | | | squat_pack_num(&listbufp, offset); |
| 125 | | | |
| 126 | | | |
| 127 | | | base_uid = uid_list[0] & ~UID_LIST_MASK_RANGE; |
| 128 | | | datastack = uid_count < 1024*8/SQUAT_PACK_MAX_SIZE; |
Event 2:
uid_count < 1024 * 8 / (sizeof( uint32_t ) * 8 + 7) / 7 evaluates to false.
| 129 | | | if (datastack) |
Event 3:
Taking false branch. datastack evaluates to false.
| 130 | | | uidbuf = t_malloc(SQUAT_PACK_MAX_SIZE * uid_count); |
| 131 | | | else |
| 132 | [+] | | uidbuf = i_malloc(SQUAT_PACK_MAX_SIZE * uid_count); |
Event 4:
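5 * uid_count is passed to i_malloc(). This multiplication may overflow, and its result is used as the allocation size later. If the product wraps, the buffer holds fewer than SQUAT_PACK_MAX_SIZE bytes per UID, so any later code that assumes the full size would write past the allocation. The expansion shown in Event 2 contains sizeof, so the product is presumably computed in size_t, and the wrap would mainly concern builds where size_t is 32 bits wide.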