(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dtd_preparse.c) |
| |
| 1645 | | | static void Dtd_PreParse_ensure_buffer_stack (void) |
| 1646 | | | { |
| 1647 | | | int num_to_alloc; |
| 1648 | | | |
| 1649 | | | if (!(yy_buffer_stack)) { |
Event 1:
Skipping the "if" body: yy_buffer_stack evaluates to true (non-NULL), so the first-time allocation at lines 1655-1666 is not executed on this path.
|
|
| 1650 | | | |
| 1651 | | | |
| 1652 | | | |
| 1653 | | | |
| 1654 | | | |
| 1655 | | | num_to_alloc = 1; |
| 1656 | | | (yy_buffer_stack) = (struct yy_buffer_state**)Dtd_PreParse_alloc |
| 1657 | | | (num_to_alloc * sizeof(struct yy_buffer_state*) |
| 1658 | | | ); |
| 1659 | | | if ( ! (yy_buffer_stack) ) |
| 1660 | | | YY_FATAL_ERROR( "out of dynamic memory in Dtd_PreParse_ensure_buffer_stack()" ); |
| 1661 | | | |
| 1662 | | | memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*)); |
| 1663 | | | |
| 1664 | | | (yy_buffer_stack_max) = num_to_alloc; |
| 1665 | | | (yy_buffer_stack_top) = 0; |
| 1666 | | | return; |
| 1667 | | | } |
| 1668 | | | |
| 1669 | | | if ((yy_buffer_stack_top) >= ((yy_buffer_stack_max)) - 1){ |
Event 2:
Taking true branch. yy_buffer_stack_top >= yy_buffer_stack_max - 1 evaluates to true.
|
|
| 1670 | | | |
| 1671 | | | |
| 1672 | | | int grow_size = 8 ; |
Event 3:
grow_size is set to 8.
|
|
| 1673 | | | |
| 1674 | | | num_to_alloc = (yy_buffer_stack_max) + grow_size; |
Event 4:
num_to_alloc is set to yy_buffer_stack_max + 8 (the value of grow_size). This value determines the allocation size later.
See related event 3.
|
|
| 1675 | | | (yy_buffer_stack) = (struct yy_buffer_state**)Dtd_PreParse_realloc |
| 1676 | | | ((yy_buffer_stack), |
| 1677 | | | num_to_alloc * sizeof(struct yy_buffer_state*) |
Event 5:
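4 * num_to_alloc, which evaluates to 4 * yy_buffer_stack_max + 32, is passed to Dtd_PreParse_realloc() as the second argument; the factor 4 is sizeof(struct yy_buffer_state*) as the analyzer models it. This multiplication may overflow, and the result is used as the allocation size later. If the product wraps, the request covers fewer bytes than num_to_alloc pointers need, so any code that afterwards treats the buffer as holding num_to_alloc entries could access memory past its end. Whether this is reachable depends on how large yy_buffer_stack_max can grow, which this excerpt does not bound.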
See related event 4.
|
|
| 1678 | [+] | | ); |
 |
| |