(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c)

1387  PRIVATE char*
1388  make_basename(char* fullname)
1389  {
1390    char *cp;
1391    char *new_string;
1392
1393
1394    cp = strrchr(fullname, '/');
1395
1396  #ifdef WIN32
1397
1398
1399    if (!cp)
1400      cp = strrchr(fullname, '\\');
1401  #endif
1402
1403    if (!cp) {

Event 1: Taking true branch. cp evaluates to false.

1404      new_string = malloc( strlen(fullname) );

Event 2: fullname is passed to __builtin_strlen(). This determines the capacity of the buffer that will be overrun later.
Event 3: __builtin_strlen() returns the length of the string pointed to by fullname. See related event 2.
Event 4: strlen(fullname), which evaluates to the length of the string pointed to by fullname, is passed to malloc(). See related event 3.
Event 6: Inside malloc(), the capacity of the buffer pointed to by malloc(strlen(fullname)) is set to the length of the string pointed to by fullname. See related event 4.
Event 7: new_string is set to malloc(strlen(fullname)). See related event 5.

1405      strcpy(new_string, fullname);

Event 8: fullname is passed to strcpy() as the second argument. This determines the position accessed in the buffer during the buffer overrun later.
Event 9: new_string, which evaluates to malloc(strlen(fullname)) from lemon.c:1404, is passed to strcpy() as the first argument. See related event 7.

Buffer Overrun
This code writes past the end of the buffer pointed to by new_string.
- new_string evaluates to malloc(strlen(fullname)) from lemon.c:1404.
- strcpy() writes to the byte at an offset that is the length of the string pointed to by fullname from the beginning of the buffer pointed to by new_string.
- The offset exceeds the capacity.
- The length of the string pointed to by fullname is no less than 0. See related event 8.
- The capacity of the buffer pointed to by new_string, in bytes, is the length of the string pointed to by fullname, which is bounded below by 0. See related events 6 and 9.
- The overrun occurs in heap memory.
The issue can occur if the highlighted code executes. See related events 6, 8, and 9.