(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| |
| 2029 | | | static void parseonetoken(struct pstate *psp) |
| 2030 | | | { |
| 2031 | | | char *x; |
| 2032 | | | x = Strsafe(psp->tokenstart); |
| 2033 | | | #if 0 |
| 2034 | | | printf("%s:%d: Token=[%s] state=%d\n",psp->filename,psp->tokenlineno, |
| 2035 | | | x,psp->state); |
| 2036 | | | #endif |
| 2037 | | | switch( psp->state ){ |
Event 1:
psp->state evaluates to 6; the subsequent events show the switch dispatching to the `case IN_RHS:` arm (line 2149).
|
|
| 2038 | | | case INITIALIZE: |
| 2039 | | | psp->prevrule = 0; |
| 2040 | | | psp->preccounter = 0; |
| 2041 | | | psp->firstrule = psp->lastrule = 0; |
| 2042 | | | psp->gp->nrule = 0; |
| 2043 | | | |
| 2044 | | | case WAITING_FOR_DECL_OR_RULE: |
| 2045 | | | if( x[0]=='%' ){ |
| 2046 | | | psp->state = WAITING_FOR_DECL_KEYWORD; |
| 2047 | | | }else if( safe_islower(x[0]) ){ |
| 2048 2138 |  | | [ Lines 2048 to 2138 omitted. ] |
| 2139 | | | if( x[0]==':' && x[1]==':' && x[2]=='=' ){ |
| 2140 | | | psp->state = IN_RHS; |
| 2141 | | | }else{ |
| 2142 | | | ErrorMsg(psp->filename,psp->tokenlineno, |
| 2143 | | | "Missing \"->\" following: \"%s(%s)\".", |
| 2144 | | | psp->lhs->name,psp->lhsalias); |
| 2145 | | | psp->errorcnt++; |
| 2146 | | | psp->state = RESYNC_AFTER_RULE_ERROR; |
| 2147 | | | } |
| 2148 | | | break; |
| 2149 | | | case IN_RHS: |
| 2150 | | | if( x[0]=='.' ){ |
Event 2:
Taking true branch: x[0] == 46 evaluates to true (46 is the ASCII code of '.', the character compared on line 2150).
|
|
| 2151 | | | struct rule *rp; |
| 2152 | | | rp = (struct rule *)calloc( sizeof(struct rule) + |
| 2153 | | | sizeof(struct symbol*)*psp->nrhs + sizeof(char*)*psp->nrhs, 1); |
Event 3:
8 * psp->nrhs + 56 is passed to calloc() as the first argument (the element count), with an element size of 1. Because the multiplication is carried out by the caller before the call, calloc()'s own nmemb*size overflow check cannot detect it: if the product wraps, the count already looks small by the time calloc() sees it.
Integer Overflow of Allocation Size
- If the multiplication at lemon.c:2152 overflows, calloc() allocates fewer bytes than the struct plus its two trailing arrays of psp->nrhs entries require, so later writes into those arrays would overrun the heap allocation.
- The allocation size is sizeof( struct rule ) + sizeof( struct symbol * ) * psp->nrhs + sizeof( char * ) * psp->nrhs, which the analyzer evaluates to 8 * psp->nrhs + 56 (8-byte pointers, i.e. a 64-bit model). Whether the product can actually wrap depends on the type and range of psp->nrhs, neither of which is visible in this excerpt: if nrhs is a 32-bit signed int, a non-negative value cannot overflow a 64-bit size_t, and the realistic exposure is a negative nrhs (converted to a huge size_t) or a 32-bit build; any upper bound enforced where the RHS symbols are collected (lines 2048–2138 are omitted here) would need to be confirmed. A robust fix is to validate psp->nrhs before allocating, e.g. `if( psp->nrhs<0 || (size_t)psp->nrhs > (SIZE_MAX - sizeof(struct rule)) / (sizeof(struct symbol*)+sizeof(char*)) )`, and report an error rather than call calloc().
The issue can occur only if the highlighted allocation executes with a psp->nrhs large enough (or negative enough) for the size arithmetic to wrap. See related event 3. Show: All events | Only primary events |
|
| |