(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mail-index-sync-ext.c) |
| |
| 461 | | | int mail_index_sync_ext_intro(struct mail_index_sync_map_ctx *ctx, |
| 462 | | | const struct mail_transaction_ext_intro *u) |
| 463 | | | { |
| 464 | | | struct mail_index_map *map = ctx->view->map; |
| 465 | | | struct ext_hdr; |
| 466 | | | const struct mail_index_ext *ext; |
| 467 | | | const char *name, *error; |
| 468 | | | uint32_t ext_map_idx; |
| 469 | | | bool no_shrink; |
| 470 | | | |
| 471 | | | |
| 472 | | | |
| 473 | | | ctx->cur_ext_map_idx = (uint32_t)-2; |
| 474 | | | ctx->cur_ext_ignore = TRUE; |
Event 1:
!0 evaluates to true.
|
|
| 475 | | | |
| 476 | | | if (u->ext_id != (uint32_t)-1 && |
Event 2:
Skipping "if".
- u->ext_id != (uint32_t)-1 evaluates to true.
- array_is_created_i(...) evaluates to true.
|
|
| 477 | | | (!array_is_created(&map->extensions) ||
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
91 | #define array_is_created(array) \ |
92 | array_is_created_i(&(array)->arr) |
| |
|
| 478 | [+] | | u->ext_id >= array_count(&map->extensions))) { |
 |
| 479 | | | if (!mail_index_sync_ext_unknown_complain(ctx, u->ext_id)) |
| 480 | | | return -1; |
| 481 | | | mail_index_sync_set_corrupted(ctx, |
| 482 | | | "Extension introduction for unknown id %u", u->ext_id); |
| 483 | | | return -1; |
| 484 | | | } |
| 485 | | | |
| 486 | | | if (u->ext_id == (uint32_t)-1 && u->name_size == 0) { |
Event 4:
Skipping " if". u->ext_id == (uint32_t)-1 evaluates to false.
|
|
| 487 | | | mail_index_sync_set_corrupted(ctx, |
| 488 | | | "Extension introduction without id or name"); |
| 489 | | | return -1; |
| 490 | | | } |
| 491 | | | |
| 492 | | | if (u->ext_id != (uint32_t)-1) { |
Event 5:
Taking true branch. u->ext_id != (uint32_t)-1 evaluates to true.
|
|
| 493 | | | name = NULL; |
Event 6:
name is set to NULL. It is dereferenced later (see event 15), causing the null pointer dereference.
|
|
| 494 | | | ext_map_idx = u->ext_id; |
| 495 | | | } else { |
| 496 | | | name = t_strndup(u + 1, u->name_size); |
| 497 | | | if (!mail_index_map_lookup_ext(map, name, &ext_map_idx)) |
| 498 | | | ext_map_idx = (uint32_t)-1; |
| 499 | | | } |
| 500 | | | ext = ext_map_idx == (uint32_t)-1 ? NULL : |
Event 7:
ext_map_idx == (uint32_t)-1 evaluates to false.
|
|
| 501 | [+] | | array_idx(&map->extensions, ext_map_idx);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
165 | #define array_idx(array, idx) \ |
166 | ARRAY_TYPE_CAST_CONST(array)array_idx_i(&(array)->arr, idx) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
43 | # define ARRAY_TYPE_CAST_CONST(array) \ |
44 | (typeof(*(array)->v)) |
| |
|
 |
| 502 | | | if (ext != NULL) |
Event 13:
Skipping " if". ext != (void *)0 evaluates to false.
|
|
| 503 | | | name = ext->name; |
| 504 | | | |
| 505 | | | if (!ctx->internal_update && |
Event 14:
Skipping " if". ctx->internal_update evaluates to false.
|
|
| 506 | | | strcmp(name, MAIL_INDEX_EXT_KEYWORDS) == 0) { |
Event 15:
name, which evaluates to NULL, is passed to strcmp() as the first argument. See related event 6.
Null Pointer Dereference
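The body of strcmp() dereferences name, but it is NULL. On this path name was set to NULL at line 493 (event 6) because u->ext_id was supplied, and it was not replaced at line 503 because ext was NULL at line 502 (event 13). The issue can occur if the highlighted code executes. See related event 15. When triaging, note that the path depends on array_idx() at line 501 returning NULL for an index that already passed the array_count() check at line 478; the events between 7 and 13 are not shown in this view, so that step should be confirmed against array.h. An explicit NULL check on name before the strcmp() call at line 506 would make the code safe independent of that reasoning.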
|
| |