(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/addr_resolv.c) |
| 354 | | | static int fgetline(char **buf, int *size, FILE *fp) |
| 355 | | | { |
| 356 | | | int len; |
| 357 | | | int c; |
| 358 | | | |
| 359 | | | if (fp == NULL) |
Event 1:
Skipping " if". fp == (void *)0 evaluates to false.
| 360 | | | return -1; |
| 361 | | | |
| 362 | | | if (*buf == NULL) { |
Event 2:
Skipping " if". *buf == (void *)0 evaluates to false.
| 363 | | | if (*size == 0) |
| 364 | | | *size = BUFSIZ;
| 365 | | | |
| 366 | | | if ((*buf = g_malloc(*size)) == NULL) |
| 367 | | | return -1; |
| 368 | | | } |
| 369 | | | |
| 370 | | | if (feof(fp)) |
Event 3:
Skipping " if". feof(fp) evaluates to false.
| 371 | | | return -1; |
| 372 | | | |
| 373 | | | len = 0; |
| 374 | | | while ((c = getc(fp)) != EOF && c != '\r' && c != '\n') { |
Event 5:
During loop iterations, len is set to len + 1, which evaluates to a potentially dangerous value (potentially dangerous: the value cannot be determined statically and may come from program input — here it is the number of bytes read from the file so far). This determines the position accessed in the buffer during the buffer overrun reported later.
| 375 | | | if (len+1 >= *size) { |
Event 7:
Taking true branch. len + 1 >= *size evaluates to true.
| 376 | | | if ((*buf = g_realloc(*buf, *size += BUFSIZ)) == NULL)
Event 8:
g_realloc is an Undefined Function — the analyzer has no model of it, so it cannot see that the block it returns holds the *size bytes just requested. Losing that size relation is what makes the later write look unbounded; the warning below follows from this, not from the visible index arithmetic.
Event 9:
*buf is set to g_realloc(*buf, *size += 8192). - This points to the buffer that will be overrun later.
Event 10:
Skipping " if". (*buf = g_realloc(...)) == (void *)0 evaluates to false.
| 377 | | | return -1; |
| 378 | | | } |
| 379 | | | (*buf)[len++] = c; |
Buffer Overrun
This code could write past the end of the buffer pointed to by *buf. - *buf evaluates to g_realloc(*buf, *size += 8192) from addr_resolv.c:376.
- The code writes 1 byte starting at offset len++ from the beginning of the buffer pointed to by *buf.
- The number of bytes written could exceed the number of allocated bytes beyond that offset.
- len++ evaluates to the value assigned to len at addr_resolv.c:374, plus 1, which is bounded below by 1. See related event 5.
- The capacity of the buffer pointed to by *buf, in bytes, is the capacity of the buffer pointed to by g_realloc(*buf, *size += 8192) at addr_resolv.c:376. See related event 9.
- If len++ plus 1 is higher than the capacity of the buffer pointed to by g_realloc(*buf, *size += 8192) at addr_resolv.c:376, an overrun will occur. The analysis cannot rule out this possibility, so it has issued this warning. The issue can occur if the highlighted code executes. See related events 5 and 9.
Reviewer assessment: the visible code does not support the overrun. The guard at line 375 (`len+1 >= *size`) runs before every store, so at line 379 `len + 1 < *size` holds and the one-byte write lands at index at most `*size - 2` of a block that line 366 or line 376 sized to exactly `*size` bytes; the warning exists only because g_realloc is unmodelled (Event 8) and its result therefore has unknown capacity. The write can exceed the block only if a caller passes a non-NULL `*buf` (the path taken at Event 2) whose real capacity is smaller than the `*size` it hands in — a caller contract fgetline cannot verify and should state in its header comment. Two genuine weaknesses do remain in the visible lines: `*size` is a signed `int`, so `*size += BUFSIZ` on line 376 is undefined behaviour for a line approaching INT_MAX bytes and a wrapped negative value would then be passed to g_realloc as a size — an explicit upper bound on line length (returning -1 when exceeded) closes this; and line 376 overwrites `*buf` before testing the result, so if g_realloc ever did return NULL the previous block would leak (GLib's g_realloc normally aborts on failure rather than returning NULL, so that check is likely dead — confirm against the GLib version in use). The function body continues past line 379; the spare byte the guard reserves is presumably consumed by a terminator written after the loop, which is outside this view.