File: /home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c
3436  PRIVATE void print_stack_union(
3437    FILE *out,
3438    struct lemon *lemp,
3439    int *plineno,
3440    int mhflag)
3441  {
3442    int lineno = *plineno;
3443    char **types;
3444    int arraysize;
3445    int maxdtlength;
3446    char *stddt;
3447    int i,j;
3448    int hash;
3449    const char *name;
3450
3451
3452    arraysize = lemp->nsymbol * 2;
3453    types = (char**)calloc( arraysize, sizeof(char*) );
3454    for(i=0; i<arraysize; i++) types[i] = 0;
Event 1: Leaving loop. i < arraysize evaluates to false.
3455    maxdtlength = 0;
3456    if( lemp->vartype ){
Event 2: Taking true branch. lemp->vartype evaluates to true.
3457      maxdtlength = (int) strlen(lemp->vartype);
Event 3: lemp->vartype is passed to __builtin_strlen(). Determines the allocation size later.
Event 4: __builtin_strlen() returns the length of the string pointed to by lemp->vartype. See related event 3.
Event 5: maxdtlength is set to strlen(lemp->vartype), which evaluates to the length of the string pointed to by lemp->vartype. See related event 4.
3458    }
3459    for(i=0; i<lemp->nsymbol; i++){
Event 6: Leaving loop. i < lemp->nsymbol evaluates to false.
3460      int len;
3461      struct symbol *sp = lemp->symbols[i];
3462      if( sp->datatype==0 ) continue;
3463      len = (int) strlen(sp->datatype);
3464      if( len>maxdtlength ) maxdtlength = len;
3465    }
3466    stddt = (char*)malloc( maxdtlength*2 + 1 );
Event 7: 2 * maxdtlength + 1, which evaluates to the length of the string pointed to by lemp->vartype, times 2, plus 1, is passed to malloc(). This multiplication may overflow and it is used as the allocation size later. See related event 5.

Integer Overflow of Allocation Size
- If the multiplication at lemon.c:3466 overflows, then malloc() may allocate less space than expected; this might result in buffer overruns later.
- The allocation size is maxdtlength * 2 + 1, which evaluates to the length of the string pointed to by lemp->vartype, times 2, plus 1, which is bounded below by 1.
The issue can occur if the highlighted code executes. See related event 7.