(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mail-index-transaction.c) |
| |
| 490 | | | void mail_index_transaction_sort_appends(struct mail_index_transaction *t) |
| 491 | | | { |
| 492 | | | struct mail_index_record *recs, *sorted_recs; |
| 493 | | | struct uid_map *new_uid_map; |
| 494 | | | uint32_t *old_to_newseq_map; |
| 495 | | | unsigned int i, count; |
| 496 | | | |
| 497 | | | if (!t->appends_nonsorted) |
Event 1:
Skipping " if". t->appends_nonsorted evaluates to true.
hide
|
|
| 498 | | | return; |
| 499 | | | |
| 500 | | | |
| 501 | [+] | | recs = array_get_modifiable(&t->appends, &count);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
174 | #define array_get_modifiable(array, count) \ |
175 | ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
176 | array_get_modifiable_i(&(array)->arr, count) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
45 | # define ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
46 | (typeof(*(array)->v_modifiable)) |
| |
|
Event 2:
&count is passed to array_get_modifiable_i() as the second argument.
hide
|
|
 |
| 502 | | | i_assert(count > 0);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 5:
Skipping " if". count > 0 evaluates to true.
hide
Event 6:
Skipping " if". !(count > 0) evaluates to false.
hide
Event 7:
Skipping " if". !!(count > 0) evaluates to true.
hide
Event 8:
Skipping " if". !!!(count > 0) evaluates to false.
hide
Event 9:
Skipping " if". __builtin_expect(...) evaluates to false.
hide
|
|
| 503 | | | |
| 504 | [+] | | new_uid_map = i_new(struct uid_map, count);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/imem.h |
| |
8 | #define i_new(type, count) ((type *) i_malloc(sizeof(type) * (count))) |
| |
|
Event 10:
8 * count, which evaluates to the value assigned to *count_r at array.h:171, times 8, is passed to i_malloc(). - This multiplication may overflow and it is used as the allocation size later.
See related event 4.
hide
|
|
 |
| |