(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/mempool-alloconly.c) |
| |
| 337 | | | static void *pool_alloconly_realloc(pool_t pool, void *mem, |
| 338 | | | size_t old_size, size_t new_size) |
| 339 | | | { |
| 340 | | | struct alloconly_pool *apool = (struct alloconly_pool *)pool; |
| 341 | | | unsigned char *new_mem; |
| 342 | | | |
| 343 | | | if (unlikely(new_size == 0 || new_size > SSIZE_T_MAX)) |
Event 1:
Skipping " if". - new_size == 0 evaluates to false.
- new_size > 2147483647 evaluates to false. (2147483647 is the analyzer's expansion of SSIZE_T_MAX, i.e. it modelled a 32-bit ssize_t; on an LP64 build the constant is 9223372036854775807 and this guard rejects far fewer sizes.)
Event 2:
Skipping " if". !(new_size == 0 || new_size > 2147483647) evaluates to true.
Event 3:
Skipping " if". !!(new_size == 0 || new_size > 2147483647) evaluates to false.
Event 4:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 344 | | | i_panic("Trying to allocate %"PRIuSIZE_T" bytes", new_size); |
| 345 | | | |
| 346 | | | if (mem == NULL) |
Event 5:
Skipping " if". mem == (void *)0 evaluates to false.
|
|
| 347 | | | return pool_alloconly_malloc(pool, new_size); |
| 348 | | | |
| 349 | | | if (new_size <= old_size) |
Event 6:
Skipping " if". new_size <= old_size evaluates to false — so on the path analysed below old_size < new_size holds, and that is the only relation this function itself establishes between the later memcpy() length (old_size) and the size it asks pool_alloconly_malloc() for.
|
|
| 350 | | | return mem; |
| 351 | | | |
| 352 | | | new_size = MEM_ALIGN(new_size);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
24 | #define MEM_ALIGN(size) \ |
25 | (((size) + MEM_ALIGN_SIZE-1) & ~((unsigned int) MEM_ALIGN_SIZE-1)) |
| |
|
| 353 | | | |
| 354 | | | |
| 355 | [+] | | if (!pool_try_grow(apool, mem, new_size)) { |
 |
| 356 | | | |
| 357 | [+] | | new_mem = pool_alloconly_malloc(pool, new_size); |
Event 9:
pool is passed to pool_alloconly_malloc() as the first argument.
|
|
 |
| 358 | | | memcpy(new_mem, mem, old_size); |
Event 50:
new_mem, which evaluates to calloc(size, 1) + 16 from mempool-alloconly.c:254, is passed to memcpy() as the first argument. See related event 49.
Buffer Overrun
This code writes past the end of the buffer pointed to by new_mem. - new_mem evaluates to calloc(size, 1) + 16 from mempool-alloconly.c:254.
- memcpy() writes to the byte at offset 16 from the beginning of the buffer pointed to by new_mem, whose capacity is 1 byte.
- The offset exceeds the capacity.
- The overrun occurs in heap memory.
The issue can occur if the highlighted code executes. See related events 37 and 50.
Reviewer note: the "capacity is 1 byte" figure appears to be the second (element-size) argument of calloc(size, 1) rather than its count argument, so this reads as an imprecise model of calloc rather than a demonstrated overrun; confirm the actual allocation size at line 254 before triaging. The only bound this function places on the copy length is the check at line 349 (old_size < new_size on this path), so the copy is in bounds exactly when pool_alloconly_malloc() hands back at least new_size bytes. Separately, MEM_ALIGN() (macros.h:25) masks with ~((unsigned int) MEM_ALIGN_SIZE-1): where size_t is 64-bit that mask is zero-extended before the &, clearing the bits of new_size above 2^32, so a request of 4 GiB or more would allocate less than old_size and the memcpy() would then overrun — a size-dependent defect distinct from the one reported here.
|
| |