(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/mempool-alloconly.c) |
| |
| 229 | | | static void block_alloc(struct alloconly_pool *apool, size_t size) |
| 230 | | | { |
| 231 | | | struct pool_block *block; |
| 232 | | | |
| 233 | | | i_assert(size > SIZEOF_POOLBLOCK);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
24 | #define MEM_ALIGN(size) \ |
25 | (((size) + MEM_ALIGN_SIZE-1) & ~((unsigned int) MEM_ALIGN_SIZE-1)) |
| |
|
Event 1:
Skipping " if". size > (sizeof( struct pool_block ) + 8 - 1 & ~((unsigned int)8 - 1)) evaluates to true.
Event 2:
Skipping " if". !(size > (sizeof( struct pool_block ) + 8 - 1 & ~((unsigned int)8 - 1))) evaluates to false.
Event 3:
Skipping " if". !!(size > (sizeof( struct pool_block ) + 8 - 1 & ~((unsigned int)8 - 1))) evaluates to true.
Event 4:
Skipping " if". !!!(size > (sizeof( struct pool_block ) + 8 - 1 & ~((unsigned int)8 - 1))) evaluates to false.
Event 5:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 234 | | | |
| 235 | | | if (apool->block != NULL) { |
Event 6:
Taking true branch. apool->block != (void *)0 evaluates to true.
|
|
| 236 | | | |
| 237 | | | if (size <= apool->block->size) |
Event 7:
Taking true branch. size <= apool->block->size evaluates to true.
|
|
| 238 | | | size += apool->block->size; |
| 239 | | | |
| 240 | [+] | | size = nearest_power(size); |
 |
| 241 | | | #ifdef DEBUG |
| 242 | | | if (!apool->disable_warning) { |
| 243 | | | |
| 244 | | | |
| 245 | | | |
| 246 | | | t_buffer_alloc_last_full(); |
| 247 | | | i_warning("Growing pool '%s' with: %"PRIuSIZE_T, |
| 248 | | | apool->name, size); |
| 249 | | | } |
| 250 | | | #endif |
| 251 | | | } |
| 252 | | | |
| 253 | | | #ifndef USE_GC |
| 254 | | | block = calloc(size, 1); |
Event 17:
1 is passed to calloc() as the second argument.
Event 18:
size, which evaluates to 1, is passed to calloc() as the first argument. See related event 16.
Event 19:
The capacity of the buffer pointed to by calloc(size, 1) is set to 1. - This determines the capacity of the buffer that will be overrun later.
See related events 17 and 18.
Event 21:
block is set to calloc(size, 1). See related event 20.
|
|
| 255 | | | #else |
| 256 | | | block = GC_malloc(size); |
| 257 | | | #endif |
| 258 | | | if (unlikely(block == NULL)) { |
Event 22:
Skipping " if". block == (void *)0 evaluates to false.
Event 23:
Skipping " if". !(block == (void *)0) evaluates to true.
Event 24:
Skipping " if". !!(block == (void *)0) evaluates to false.
Event 25:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 259 | | | i_fatal_status(FATAL_OUTOFMEM, "block_alloc(%"PRIuSIZE_T |
| 260 | | | "): Out of memory", size); |
| 261 | | | } |
| 262 | | | block->prev = apool->block; |
| 263 | | | apool->block = block; |
| 264 | | | |
| 265 | | | block->size = size - SIZEOF_POOLBLOCK;
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
24 | #define MEM_ALIGN(size) \ |
25 | (((size) + MEM_ALIGN_SIZE-1) & ~((unsigned int) MEM_ALIGN_SIZE-1)) |
| |
|
| 266 | | | block->left = block->size; |
Buffer Overrun
This code writes past the end of the buffer pointed to by block. - block evaluates to calloc(size, 1) from mempool-alloconly.c:254.
- The first byte written is at offset 8 from the beginning of the buffer pointed to by block, whose capacity is 1 byte.
- The offset exceeds the capacity.
- The overrun occurs in heap memory.
The issue can occur if the highlighted code executes. See related events 19 and 21.
|
| |