(/home/sate/Testcases/c/cve/wireshark-1.2.0/plugins/wimaxasncp/wimaxasncp_dict.c)
| 2486 | | | static void yy_push_state (int new_state ) |
| 2487 | | | { |
| 2488 | | | if ( (yy_start_stack_ptr) >= (yy_start_stack_depth) ) |
Event 1:
Taking true branch. yy_start_stack_ptr >= yy_start_stack_depth evaluates to true.
| 2489 | | | { |
| 2490 | | | yy_size_t new_size; |
| 2491 | | | |
| 2492 | | | (yy_start_stack_depth) += YY_START_STACK_INCR; |
Event 2:
yy_start_stack_depth is set to yy_start_stack_depth + 25. - Determines the allocation size later.
| 2493 | | | new_size = (yy_start_stack_depth) * sizeof( int ); |
Event 3:
new_size is set to 4 * yy_start_stack_depth, which evaluates to 4 * yy_start_stack_depth + 100. - This multiplication may overflow and it is used as the allocation size later.
See related event 2.
| 2494 | | | |
| 2495 | | | if ( ! (yy_start_stack) ) |
Event 4:
Taking false branch. yy_start_stack evaluates to true.
| 2496 | | | (yy_start_stack) = (int *) WimaxasncpDictalloc(new_size ); |
| 2497 | | | |
| 2498 | | | else |
| 2499 | [+] | | (yy_start_stack) = (int *) WimaxasncpDictrealloc((void *) (yy_start_stack),new_size ); |
Event 5:
new_size, which evaluates to 4 * yy_start_stack_depth + 100, is passed to WimaxasncpDictrealloc() as the second argument. See related event 3.