(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| 2539 | | | void Parse(struct lemon *gp) |
| 2540 | | | { |
| 2541 | | | struct pstate ps; |
| 2542 | | | FILE *fp; |
| 2543 | | | char *filebuf; |
| 2544 | | | long filesize; |
| 2545 | | | int lineno; |
| 2546 | | | char c; |
| 2547 | | | char *cp, *nextcp; |
| 2548 | | | int startline = 0; |
| 2549 | | | |
| 2550 | | | memset(&ps, '\0', sizeof(ps)); |
| 2551 | | | ps.gp = gp; |
| 2552 | | | ps.filename = gp->filename; |
| 2553 | | | ps.errorcnt = 0; |
| 2554 | | | ps.state = INITIALIZE; |
| 2555 | | | ps.prevrule = NULL; |
| 2556 | | | ps.preccounter = 0; |
| 2557 | | | ps.lastrule = NULL; |
| 2558 | | | ps.firstrule = NULL; |
| 2559 | | | ps.lhs = NULL; |
| 2560 | | | ps.nrhs = 0; |
| 2561 | | | ps.lhsalias = NULL; |
| 2562 | | | ps.declkeyword = NULL; |
| 2563 | | | ps.declargslot = NULL; |
| 2564 | | | ps.declassoc = UNK; |
| 2565 | | | ps.fallback = NULL; |
| 2566 | | | |
| 2567 | | | |
| 2568 | | | fp = fopen(ps.filename,"rb"); |
| 2569 | | | if( fp==0 ){ |
Event 1:
Skipping " if". fp == 0 evaluates to false.
| 2570 | | | ErrorMsg(ps.filename,0,"Can't open this file for reading."); |
| 2571 | | | gp->errorcnt++; |
| 2572 | | | return; |
| 2573 | | | } |
| 2574 | | | fseek(fp,0,2); |
| 2575 | | | filesize = ftell(fp); |
Event 2:
ftell() returns a potentially dangerous value [ ?potentially dangerous: the value cannot be determined and may come from program input]. - This determines the capacity of the buffer that will be overrun later. Note also that ftell() returns -1L on failure (for example on a stream that cannot be seeked, in which case the preceding fseek(fp,0,2) has already failed unnoticed); the code never checks for a negative result before using it as an allocation and read size.
Event 3:
filesize is set to ftell(fp). See related event 2.
| 2576 | | | rewind(fp); |
| 2577 | | | |
| 2578 | | | filebuf = (char *)malloc( filesize+1 ); |
Event 4:
filesize + 1, which evaluates to ftell(fp) + 1 from lemon.c:2575, is passed to malloc(). See related event 3.
Event 6:
Inside malloc(), the capacity of the buffer pointed to by malloc(filesize + 1) is set to ftell(fp) + 1 from lemon.c:2575. See related event 4.
Event 7:
filebuf is set to malloc(filesize + 1). See related event 5.
| 2579 | | | if( filebuf==0 ){ |
Event 8:
Skipping " if". filebuf == 0 evaluates to false.
| 2580 | | | ErrorMsg(ps.filename,0,"Can't allocate %ld of memory to hold this file.", |
| 2581 | | | filesize+1); |
| 2582 | | | gp->errorcnt++; |
| 2583 | | | return; |
| 2584 | | | } |
| 2585 | | | if( fread(filebuf,1,filesize,fp)!=(size_t)filesize ){ |
Event 9:
fread() returns a potentially dangerous value [ ?potentially dangerous: the value cannot be determined and may come from program input].
Event 10:
Skipping " if". fread(...) != (size_t)filesize evaluates to false.
Event 11:
Considering the case where fread(...) is equal to filesize so ftell(fp) from lemon.c:2575 must have been equal to fread(...). See related events 3 and 9.
| 2586 | | | ErrorMsg(ps.filename,0,"Can't read in all %ld bytes of this file.", |
| 2587 | | | filesize); |
| 2588 | | | free(filebuf); |
| 2589 | | | gp->errorcnt++; |
| 2590 | | | return; |
| 2591 | | | } |
| 2592 | | | fclose(fp); |
| 2593 | | | filebuf[filesize] = 0; |
Event 12:
The length of the string pointed to by filebuf is set to filesize, which evaluates to ftell(fp) from lemon.c:2575, where filebuf is malloc(filesize + 1) from lemon.c:2578. See related events 3 and 7.
| 2594 | | | |
| 2595 | | | |
| 2596 | [+] | | preprocess_input(filebuf); |
Event 13:
filebuf, which evaluates to malloc(filesize + 1) from lemon.c:2578, is passed to preprocess_input(). See related event 7.
| 2597 | | | |
| 2598 | | | |
| 2599 | | | lineno = 1; |
| 2600 | | | for(cp=filebuf; (c= *cp)!=0; ){ |
Event 20:
cp is set to filebuf, which evaluates to malloc(filesize + 1) from lemon.c:2578. See related event 7.
Event 21:
Entering loop body. (c = *cp) != 0 evaluates to true.
| 2601 | | | if( c=='\n' ) lineno++; |
Event 22:
Skipping " if". c == 10 evaluates to false.
| 2602 | | | if( safe_isspace(c) ){ cp++; continue; } |
Event 23:
Skipping " if". isspace((unsigned char)c) evaluates to false.
| 2603 | | | if( c=='/' && cp[1]=='/' ){ |
Event 24:
Skipping " if". - c == 47 evaluates to true.
- cp[1] == 47 evaluates to false.
| 2604 | | | cp+=2; |
| 2605 | | | while( (c= *cp)!=0 && c!='\n' ) cp++; |
| 2606 | | | continue; |
| 2607 | | | } |
| 2608 | | | if( c=='/' && cp[1]=='*' ){ |
| 2609 | | | cp+=2; |
Event 26:
cp is set to cp + 2, which evaluates to malloc(filesize + 1) + 2 from lemon.c:2578. See related event 20.
| 2610 | | | while( (c= *cp)!=0 && (c!='/' || cp[-1]!='*') ){ |
Buffer Overrun
This code could read past the end of the buffer pointed to by cp.
- cp evaluates to malloc(filesize + 1) + 2 from lemon.c:2578.
- The code reads 1 byte starting at offset 2 from the beginning of the buffer pointed to by cp.
- The number of bytes read could exceed the number of allocated bytes beyond that offset.
- The capacity of the buffer pointed to by cp, in bytes, is ftell(fp) + 1 from lemon.c:2575, which is bounded above by fread(...) + 1 from lemon.c:2585 and below by 2 and fread(...) + 1 from lemon.c:2585. See related events 6 and 26.
- If ftell(fp) + 1 from lemon.c:2575 is 3 or lower, an overrun will occur. The analysis cannot rule out this possibility, so has issued this warning.
- The overrun occurs in heap memory.
The issue can occur if the highlighted code executes. See related events 6, 11, 17, and 26.
Reviewer note: the path as modeled does not appear reachable with an out-of-bounds read at offset 2. This branch is entered only when cp[0]=='/' and cp[1]=='*' (lemon.c:2608), so filebuf holds at least two non-NUL bytes, filesize is at least 2, the capacity is at least 3, and offset 2 is at worst the terminator written at lemon.c:2593, on which the while loop stops; likewise cp[-1] at this point is filebuf[1]. The hazard the report does not model is the unchecked ftell() result: if ftell() returns -1 (a non-seekable stream), malloc(0) is requested and fread() is asked for (size_t)-1 bytes into that allocation, which may overflow the heap before the length check at lemon.c:2585 rejects the read. A `filesize < 0` check after lemon.c:2575 (and checking the fseek() return) would close that path.