Event 1:
getenv() returns the address of a new object.
- This points to the buffer that will be overrun later.
Event 2:
Inside getenv(), the capacity of the buffer pointed to by getenv("CONVERT_MAIL") is set to a potentially dangerous value [potentially dangerous: the value cannot be determined and may come from program input].
- This determines the capacity of the buffer that will be overrun later.
Event 3:
Considering the case where the capacity of the buffer pointed to by getenv("CONVERT_MAIL") is at least 1.