(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| |
| 1387 | | | PRIVATE char* |
| 1388 | | | make_basename(char* fullname) |
| 1389 | | | { |
| 1390 | | | char *cp; |
| 1391 | | | char *new_string; |
| 1392 | | | |
| 1393 | | | |
| 1394 | | | cp = strrchr(fullname, '/'); |
Event 1:
strrchr() returns an unknown value [unknown: the analysis lost precision when tracking this value, so this warning may be a false positive]. This determines the capacity of the buffer that will be overrun later.
Event 2:
cp is set to strrchr(fullname, 47). See related event 1.
| 1395 | | | |
| 1396 | | | #ifdef WIN32 |
| 1397 | | | |
| 1398 | | | |
| 1399 | | | if (!cp) |
| 1400 | | | cp = strrchr(fullname, '\\'); |
| 1401 | | | #endif |
| 1402 | | | |
| 1403 | | | if (!cp) { |
Event 3:
Taking false branch. cp evaluates to true.
| 1404 | | | new_string = malloc( strlen(fullname) ); |
| 1405 | | | strcpy(new_string, fullname); |
| 1406 | | | } |
| 1407 | | | else { |
| 1408 | | | |
| 1409 | | | cp++; |
Event 4:
cp is set to cp + 1, which evaluates to strrchr(fullname, 47) + 1 from lemon.c:1394. See related event 2.
| 1410 | | | new_string = malloc( strlen(cp) ); |
Event 5:
cp, which evaluates to strrchr(fullname, 47) + 1 from lemon.c:1394, is passed to __builtin_strlen(). See related event 4.
Event 6:
__builtin_strlen() returns the length of the string pointed to by cp, which evaluates to the length of the string pointed to by strrchr(fullname, 47) at lemon.c:1394, minus 1. See related event 5.
Event 7:
strlen(cp), which evaluates to the length of the string pointed to by strrchr(fullname, 47) at lemon.c:1394, minus 1, is passed to malloc(). See related event 6.
Event 9:
Inside malloc(), the capacity of the buffer pointed to by malloc(strlen(cp)) is set to the length of the string pointed to by strrchr(fullname, 47) at lemon.c:1394, minus 1. See related event 7.
Event 10:
new_string is set to malloc(strlen(cp)). See related event 8.
| 1411 | | | strcpy(new_string, cp); |
Event 11:
cp, which evaluates to strrchr(fullname, 47) + 1 from lemon.c:1394, is passed to strcpy() as the second argument. See related events 4 and 5.
Event 12:
new_string, which evaluates to malloc(strlen(cp)) from lemon.c:1410, is passed to strcpy() as the first argument. See related event 10.
Buffer Overrun
This code writes past the end of the buffer pointed to by new_string.
- new_string evaluates to malloc(strlen(cp)) from lemon.c:1410.
- strcpy() writes to the byte at an offset that is the length of the string pointed to by cp from the beginning of the buffer pointed to by new_string.
- The offset exceeds the capacity.
- The length of the string pointed to by cp evaluates to the length of the string pointed to by strrchr(fullname, 47) at lemon.c:1394, minus 1, which is bounded below by 0. See related event 11.
- The capacity of the buffer pointed to by new_string, in bytes, is the length of the string pointed to by strrchr(fullname, 47) at lemon.c:1394, minus 1, which is bounded below by 0. See related events 9 and 12.
- The overrun occurs in heap memory.
The issue can occur if the highlighted code executes. See related events 9, 11, and 12.