(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| |
| 4838 | | | int Configtable_insert(struct config *data) |
| 4839 | | | { |
| 4840 | | | x4node *np; |
| 4841 | | | int h; |
| 4842 | | | int ph; |
| 4843 | | | |
| 4844 | | | if( x4a==0 ) return 0; |
Event 1:
Skipping " if". x4a == 0 evaluates to false.
hide
|
|
| 4845 | | | ph = confighash(data); |
| 4846 | | | h = ph & (x4a->size-1); |
| 4847 | | | np = x4a->ht[h]; |
| 4848 | | | while( np ){ |
Event 2:
Leaving loop. np evaluates to false.
hide
|
|
| 4849 | | | if( Configcmp(np->data,data)==0 ){ |
| 4850 | | | |
| 4851 | | | |
| 4852 | | | return 0; |
| 4853 | | | } |
| 4854 | | | np = np->next; |
| 4855 | | | } |
| 4856 | | | if( x4a->count>=x4a->size ){ |
Event 3:
Taking true branch. x4a->count >= x4a->size evaluates to true.
hide
|
|
| 4857 | | | |
| 4858 | | | int i,size; |
| 4859 | | | struct s_x4 array; |
| 4860 | | | array.size = size = x4a->size*2; |
Event 4:
size is set to 2 * x4a->size. - Determines the allocation size later.
hide
|
|
| 4861 | | | array.count = x4a->count; |
| 4862 | | | array.tbl = (x4node*)malloc( |
| 4863 | | | (sizeof(x4node) + sizeof(x4node*))*size ); |
Event 5:
16 * size, which evaluates to 32 * x4a->size, is passed to malloc(). - This multiplication may overflow and it is used as the allocation size later.
See related event 4.
hide
Integer Overflow of Allocation Size
- If the multiplication at lemon.c:4863 overflows, then malloc() may allocate less space than expected; this might result in buffer overruns later.
- The allocation size is (sizeof( x4node ) + sizeof( x4node * )) * size, which evaluates to 32 * x4a->size, which is bounded above by 32 * x4a->count.
The issue can occur if the highlighted code executes. See related event 5. Show: All events | Only primary events |
|
| |