(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/mempool-system.c) |
| |
| 96 | | | static void *pool_system_realloc(pool_t pool ATTR_UNUSED, void *mem, |
| 97 | | | size_t old_size, size_t new_size) |
| 98 | | | { |
| 99 | | | if (unlikely(new_size == 0 || new_size > SSIZE_T_MAX)) |
Event 1:
Skipping " if". - new_size == 0 evaluates to false.
- new_size > 2147483647 evaluates to false.
Event 2:
Skipping " if". !(new_size == 0 || new_size > 2147483647) evaluates to true.
Event 3:
Skipping " if". !!(new_size == 0 || new_size > 2147483647) evaluates to false.
Event 4:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 100 | | | i_panic("Trying to allocate %"PRIuSIZE_T" bytes", new_size); |
| 101 | | | |
| 102 | | | #if !defined(USE_GC) && defined(HAVE_MALLOC_USABLE_SIZE) |
| 103 | | | i_assert(old_size == (size_t)-1 || mem == NULL ||
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
| 104 | | | old_size <= malloc_usable_size(mem)); |
Event 5:
Skipping " if". old_size == (size_t)-1 evaluates to true.
Event 6:
Considering the case where old_size must have been equal to -1.
Event 7:
Skipping " if". !(old_size == (size_t)-1 || mem == (void *)0 || old_size <= malloc_usable_size(...)) evaluates to false.
Event 8:
Skipping " if". !!(old_size == (size_t)-1 || mem == (void *)0 || old_size <= malloc_usable_size(...)) evaluates to true.
Event 9:
Skipping " if". !!!(old_size == (size_t)-1 || mem == (void *)0 || old_size <= malloc_usable_size(...)) evaluates to false.
Event 10:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 105 | | | #endif |
| 106 | | | |
| 107 | | | #ifndef USE_GC |
| 108 | | | mem = realloc(mem, new_size); |
Event 12:
The return value from realloc(mem, new_size) points to the beginning of the allocated block.
Event 13:
mem is set to realloc(mem, new_size). See related event 11.
|
|
| 109 | | | #else |
| 110 | | | mem = GC_realloc(mem, new_size); |
| 111 | | | #endif |
| 112 | | | if (unlikely(mem == NULL)) { |
Event 14:
Skipping " if". mem == (void *)0 evaluates to false.
Event 15:
Skipping " if". !(mem == (void *)0) evaluates to true.
Event 16:
Skipping " if". !!(mem == (void *)0) evaluates to false.
Event 17:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 113 | | | i_fatal_status(FATAL_OUTOFMEM, "pool_system_realloc(%"PRIuSIZE_T |
| 114 | | | "): Out of memory", new_size); |
| 115 | | | } |
| 116 | | | |
| 117 | | | if (old_size < new_size) { |
Event 18:
Taking true branch. old_size < new_size evaluates to true.
|
|
| 118 | | | |
| 119 | | | memset((char *) mem + old_size, 0, new_size - old_size); |
Event 19:
mem - 1, which evaluates to realloc(mem, new_size) - 1 from mempool-system.c:108, is passed to memset() as the first argument. See related events 6 and 13.
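Buffer Underrun
memset() writes before the beginning of the buffer pointed to by (char *)mem + old_size.
- (char *)mem + old_size evaluates to realloc(mem, new_size) - 1 from mempool-system.c:108. See related event 19.
- (char *)mem + old_size begins 1 byte before the beginning of the allocated memory. See related events 12 and 19.
- The first underrun byte is at offset -1 from the beginning of the object.
- The underrun occurs in heap memory.
The issue can occur if the highlighted code executes. See related events 12 and 19.
Triage note: the reported path looks infeasible and should be confirmed before this is treated as a real underrun. It combines old_size == (size_t)-1 (events 5 and 6) with old_size < new_size being true (event 18), but both operands are size_t, so (size_t)-1 is the largest size_t value, while the check on line 99 has already limited new_size to SSIZE_T_MAX (assuming i_panic() does not return). Under those conditions the comparison on line 117 is false and the memset() on line 119 is not reached; the "mem - 1" address appears to come from treating the sentinel as a signed -1.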
|
| |