(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-xml.c) |
| |
| 970 | | | static void register_dtd(dtd_build_data_t* dtd_data, GString* errors) { |
| 971 | | | GHashTable* elements = g_hash_table_new(g_str_hash,g_str_equal); |
| 972 | | | gchar* root_name = NULL; |
Event 2:
root_name is set to NULL. - Dereferenced later, causing the null pointer dereference.
hide
|
|
| 973 | | | xml_ns_t* root_element = NULL; |
| 974 | | | GArray* hfs; |
| 975 | | | GArray* etts; |
| 976 | | | GPtrArray* hier; |
| 977 | | | gchar* curr_name; |
| 978 | | | GPtrArray* element_names = g_ptr_array_new(); |
| 979 | | | |
| 980 | | | |
| 981 | | | while(dtd_data->elements->len) { |
Event 4:
Leaving loop. dtd_data->elements->len evaluates to false.
hide
|
|
| 982 | | | dtd_named_list_t* nl = g_ptr_array_remove_index(dtd_data->elements,0); |
| 983 | | | xml_ns_t* element = g_malloc(sizeof(xml_ns_t)); |
| 984 | | | |
| 985 | | | |
| 986 | | | if (root_name == NULL) |
| 987 | | | root_name = g_strdup(nl->name); |
| 988 | | | |
| 989 | | | element->name = nl->name; |
| 990 | | | element->element_names = nl->list; |
| 991 | | | element->hf_tag = -1; |
| 992 | | | element->hf_cdata = -1; |
| 993 | | | element->ett = -1; |
| 994 | | | element->attributes = g_hash_table_new(g_str_hash,g_str_equal); |
| 995 | | | element->elements = g_hash_table_new(g_str_hash,g_str_equal); |
| 996 | | | |
| 997 | | | if( g_hash_table_lookup(elements,element->name) ) { |
| 998 | | | g_string_append_printf(errors,"element %s defined more than once\n", element->name); |
| 999 | | | free_elements(NULL,element,NULL); |
| 1000 | | | } else { |
| 1001 | | | g_hash_table_insert(elements,element->name,element); |
| 1002 | | | g_ptr_array_add(element_names,g_strdup(element->name)); |
| 1003 | | | } |
| 1004 | | | |
| 1005 | | | g_free(nl); |
| 1006 | | | } |
| 1007 | | | |
| 1008 | | | |
| 1009 | | | while(dtd_data->attributes->len) { |
Event 5:
Leaving loop. dtd_data->attributes->len evaluates to false.
hide
|
|
| 1010 | | | dtd_named_list_t* nl = g_ptr_array_remove_index(dtd_data->attributes,0); |
| 1011 | | | xml_ns_t* element = g_hash_table_lookup(elements,nl->name); |
| 1012 | | | |
| 1013 | | | if (!element) { |
| 1014 | | | g_string_append_printf(errors,"element %s is not defined\n", nl->name); |
| 1015 | | | |
| 1016 | | | goto next_attribute; |
| 1017 | | | } |
| 1018 | | | |
| 1019 | | | while(nl->list->len) { |
| 1020 | | | gchar* name = g_ptr_array_remove_index(nl->list,0); |
| 1021 | | | int* id_p = g_malloc(sizeof(int)); |
| 1022 | | | |
| 1023 | | | *id_p = -1; |
| 1024 | | | g_hash_table_insert(element->attributes,name,id_p); |
| 1025 | | | } |
| 1026 | | | |
| 1027 | | | next_attribute: |
| 1028 | | | g_free(nl->name); |
| 1029 | | | g_ptr_array_free(nl->list,TRUE); |
| 1030 | | | g_free(nl); |
| 1031 | | | } |
| 1032 | | | |
| 1033 | | | |
| 1034 | | | if( dtd_data->proto_root ) { |
Event 6:
Skipping " if". dtd_data->proto_root evaluates to false.
hide
|
|
| 1035 | | | g_free(root_name); |
| 1036 | | | root_name = g_strdup(dtd_data->proto_root); |
| 1037 | | | } |
| 1038 | | | |
| 1039 | | | |
| 1040 | | | hier = g_ptr_array_new(); |
| 1041 | | | |
| 1042 | | | |
| 1043 | | | |
| 1044 | | | |
| 1045 | | | |
| 1046 | | | if( ! dtd_data->proto_name ) { |
Event 8:
Taking true branch. dtd_data->proto_name evaluates to false.
hide
|
|
| 1047 | | | hfs = hf_arr; |
| 1048 | | | etts = ett_arr; |
| 1049 | | | g_ptr_array_add(hier,g_strdup("xml")); |
| 1050 | | | root_element = &xml_ns; |
| 1051 | | | } else { |
| 1052 | | | |
| 1053 | | | |
| 1054 | | | |
| 1055 | | | |
| 1056 | | | hfs = g_array_new(FALSE,FALSE,sizeof(hf_register_info)); |
| 1057 | | | etts = g_array_new(FALSE,FALSE,sizeof(gint*)); |
| 1058 | | | } |
| 1059 | | | |
| 1060 | | | |
| 1061 | | | root_element = g_malloc(sizeof(xml_ns_t)); |
| 1062 | | | root_element->name = g_strdup(root_name); |
| 1063 | | | root_element->fqn = dtd_data->proto_name ? g_strdup(dtd_data->proto_name) : root_element->name; |
Event 13:
dtd_data->proto_name evaluates to false.
hide
|
|
| 1064 | | | root_element->hf_tag = -1; |
| 1065 | | | root_element->hf_cdata = -1; |
| 1066 | | | root_element->ett = -1; |
| 1067 | | | root_element->elements = g_hash_table_new(g_str_hash,g_str_equal); |
| 1068 | | | root_element->element_names = element_names; |
| 1069 | | | |
| 1070 | | | |
| 1071 | | | |
| 1072 | | | |
| 1073 | | | |
| 1074 | | | |
| 1075 | | | if (dtd_data->recursion) { |
Event 15:
Taking true branch. dtd_data->recursion evaluates to true.
hide
|
|
| 1076 | | | xml_ns_t* orig_root; |
| 1077 | | | |
| 1078 | [+] | | make_xml_hier(root_name, root_element, elements,hier,errors,hfs,etts,dtd_data->proto_name); |
Event 16:
root_name, which evaluates to NULL, is passed to make_xml_hier() as the first argument. See related event 2.
hide
|
|
 |
| |