(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dtd_parse.c) |
| |
| 1480 | | | static int yy_get_next_buffer (void) |
| 1481 | | | { |
| 1482 | | | register char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dtd_parse.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
| 1483 | | | register char *source = (yytext_ptr); |
| 1484 | | | register int number_to_move, i; |
| 1485 | | | int ret_val; |
| 1486 | | | |
| 1487 | | | if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] )
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dtd_parse.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
Event 1:
Skipping " if". yy_c_buf_p > &yy_buffer_stack[yy_buffer_stack_top]->yy_ch_buf[yy_n_chars + 1] evaluates to false.
|
|
| 1488 | | | YY_FATAL_ERROR( |
| 1489 | | | "fatal flex scanner internal error--end of buffer missed" ); |
| 1490 | | | |
| 1491 | | | if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 )
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dtd_parse.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
Event 2:
Skipping " if". yy_buffer_stack[yy_buffer_stack_top]->yy_fill_buffer == 0 evaluates to false.
|
|
| 1492 | | | { |
| 1493 | | | if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 ) |
| 1494 | | | { |
| 1495 | | | |
| 1496 | | | |
| 1497 | | | |
| 1498 | | | return EOB_ACT_END_OF_FILE; |
| 1499 | | | } |
| 1500 | | | |
| 1501 | | | else |
| 1502 | | | { |
| 1503 | | | |
| 1504 | | | |
| 1505 | | | |
| 1506 | | | return EOB_ACT_LAST_MATCH; |
| 1507 | | | } |
| 1508 | | | } |
| 1509 | | | |
| 1510 | | | |
| 1511 | | | |
| 1512 | | | |
| 1513 | | | number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr)) - 1; |
| 1514 | | | |
| 1515 | | | for ( i = 0; i < number_to_move; ++i ) |
Event 3:
Leaving loop. i < number_to_move evaluates to false.
|
|
| 1516 | | | *(dest++) = *(source++); |
| 1517 | | | |
| 1518 | | | if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dtd_parse.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
Event 4:
Taking false branch. yy_buffer_stack[yy_buffer_stack_top]->yy_buffer_status == 2 evaluates to false.
|
|
| 1519 | | | |
| 1520 | | | |
| 1521 | | | |
| 1522 | | | YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0;
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dtd_parse.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
| 1523 | | | |
| 1524 | | | else |
| 1525 | | | { |
| 1526 | | | int num_to_read = |
| 1527 | | | YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dtd_parse.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
| 1528 | | | |
| 1529 | | | while ( num_to_read <= 0 ) |
Event 5:
Entering loop body. num_to_read <= 0 evaluates to true.
|
|
| 1530 | | | { |
| 1531 | | | |
| 1532 | | | |
| 1533 | | | YY_BUFFER_STATE b = YY_CURRENT_BUFFER;
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dtd_parse.c |
| |
289 | #define YY_CURRENT_BUFFER ( (yy_buffer_stack) \ |
290 | ? (yy_buffer_stack)[(yy_buffer_stack_top)] \ |
291 | : NULL) |
| |
|
Event 6:
yy_buffer_stack evaluates to true.
Event 7:
b is set to yy_buffer_stack ? yy_buffer_stack[yy_buffer_stack_top] : (void *)0. The yy_buf_size field of b determines the allocation size later (see events 10 and 11).
|
|
| 1534 | | | |
| 1535 | | | int yy_c_buf_p_offset = |
| 1536 | | | (int) ((yy_c_buf_p) - b->yy_ch_buf); |
| 1537 | | | |
| 1538 | | | if ( b->yy_is_our_buffer ) |
Event 8:
Taking true branch. b->yy_is_our_buffer evaluates to true.
|
|
| 1539 | | | { |
| 1540 | | | int new_size = b->yy_buf_size * 2; |
| 1541 | | | |
| 1542 | | | if ( new_size <= 0 ) |
Event 9:
Taking false branch. new_size <= 0 evaluates to false.
|
|
| 1543 | | | b->yy_buf_size += b->yy_buf_size / 8; |
| 1544 | | | else |
| 1545 | | | b->yy_buf_size *= 2; |
Event 10:
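b->yy_buf_size is set to 2 * b->yy_buf_size, which evaluates to (yy_buffer_stack ? yy_buffer_stack[yy_buffer_stack_top] : (void *)0)->yy_buf_size at dtd_parse.c:1533, times 2, where b is yy_buffer_stack ? yy_buffer_stack[yy_buffer_stack_top] : (void *)0 from dtd_parse.c:1533. This multiplication may overflow, and its result is later used as the allocation size. Note that the `new_size <= 0` test on line 1542 is applied to the `int` copy `new_size` computed on line 1540, not to b->yy_buf_size itself; whether that test also rules out overflow of this multiplication depends on the declared type of yy_buf_size, which this listing does not show.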
See related event 7.
|
|
| 1546 | | | |
| 1547 | | | b->yy_ch_buf = (char *) |
| 1548 | | | |
| 1549 | [+] | | Dtd_Parse_realloc((void *) b->yy_ch_buf,b->yy_buf_size + 2 ); |
Event 11:
b->yy_buf_size + 2, which evaluates to (yy_buffer_stack ? yy_buffer_stack[yy_buffer_stack_top] : (void *)0)->yy_buf_size at dtd_parse.c:1533, times 2, plus 2, is passed to Dtd_Parse_realloc() as the second argument; this is the allocation size referred to in events 7 and 10. See related events 7 and 10.
|
|
 |
| |