(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| |
| 3320 | | | PRIVATE void translate_code(struct lemon *lemp, struct rule *rp){ |
| 3321 | | | char *cp, *xp; |
| 3322 | | | int i; |
| 3323 | | | char lhsused = 0; |
| 3324 | | | char used[MAXRHS]; |
| 3325 | | | |
| 3326 | | | for(i=0; i<rp->nrhs; i++) used[i] = 0; |
Event 1:
Leaving loop. i < rp->nrhs evaluates to false.
|
|
| 3327 | | | lhsused = 0; |
| 3328 | | | |
| 3329 | | | if (!rp->code) { |
Event 2:
Taking true branch. rp->code evaluates to false.
|
|
| 3330 | | | rp->code = "\n"; |
Event 3:
rp->code is set to "\n".
|
|
| 3331 | | | rp->line = rp->ruleline; |
| 3332 | | | } |
| 3333 | | | |
| 3334 | | | append_str(0,0,0,0); |
| 3335 | | | for(cp=rp->code; *cp; cp++){ |
Event 5:
During loop iterations, cp is set to an unknown value (the analysis lost precision when tracking this value, so this warning may be a false positive). This value points to the buffer that will be overrun later.
Event 6:
Continuing from loop body. Entering loop body. *cp evaluates to true.
|
|
| 3336 | | | if( safe_isalpha(*cp) && (cp==rp->code || (!safe_isalnum(cp[-1]) && cp[-1]!='_')) ){ |
Event 8:
Considering the case where cp is equal to rp->code, so the value assigned to cp at lemon.c:3335 must have been "\n". See related events 3 and 5.
|
|
| 3337 | | | char saved; |
| 3338 | | | for(xp= &cp[1]; safe_isalnum(*xp) || *xp=='_'; xp++); |
Event 9:
xp is set to cp + 1, which evaluates to the value assigned to cp + 1 at lemon.c:3335. See related event 5.
Event 10:
Entering loop body. isalnum((unsigned char)*xp) evaluates to true.
Event 11:
xp is set to xp + 1, which evaluates to the value assigned to cp + 2 at lemon.c:3335. See related event 9.
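Buffer Overrun
This code reads past the end of the buffer pointed to by xp.
- xp evaluates to the value assigned to cp + 2 at lemon.c:3335.
- The byte read is at offset 2 from the beginning of the buffer pointed to by xp, whose capacity is 2 bytes.
- The offset exceeds the capacity.
The issue can occur if the highlighted code executes. See related events 8 and 11.
Triage note: the reported path requires cp == rp->code with rp->code being the two-byte literal "\n" (events 3 and 8), yet line 3336 is entered only when safe_isalpha(*cp) is true. Assuming safe_isalpha wraps isalpha the way event 10 shows safe_isalnum wrapping isalnum, '\n' fails that test, so this path looks infeasible, which is consistent with the precision loss flagged in event 5. The scan at line 3338 is otherwise bounded only by the NUL terminator of rp->code.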
|
| 3339 | | | saved = *xp; |
| 3340 | | | *xp = 0; |
| 3341 | | | if( rp->lhsalias && strcmp(cp,rp->lhsalias)==0 ){ |
| 3342 | | | append_str("yygotominor.yy%d",0,rp->lhs->dtnum,0); |
| 3343 | | | cp = xp; |
| 3344 | | | lhsused = 1; |
| 3345 | | | }else{ |
| 3346 | | | for(i=0; i<rp->nrhs; i++){ |
| 3347 | | | if( rp->rhsalias[i] && strcmp(cp,rp->rhsalias[i])==0 ){ |
| 3348 | | | if( cp!=rp->code && cp[-1]=='@' ){ |
| 3349 | | | |
| 3350 | | | |
| 3351 | | | append_str("yymsp[%d].major",-1,i-rp->nrhs+1,0); |
| 3352 | | | }else{ |
| 3353 | | | struct symbol *sp = rp->rhs[i]; |
| 3354 | | | int dtnum; |
| 3355 | | | if( sp->type==MULTITERMINAL ){ |
| 3356 | | | dtnum = sp->subsym[0]->dtnum; |
| 3357 | | | }else{ |
| 3358 | | | dtnum = sp->dtnum; |
| 3359 | | | } |
| 3360 | | | append_str("yymsp[%d].minor.yy%d",0,i-rp->nrhs+1, dtnum); |
| 3361 | | | } |
| 3362 | | | cp = xp; |
| 3363 | | | used[i] = 1; |
| 3364 | | | break; |
| 3365 | | | } |
| 3366 | | | } |
| 3367 | | | } |
| 3368 | | | *xp = saved; |
| 3369 | | | } |
| 3370 | | | append_str(cp, 1, 0, 0); |
| |