(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| |
| 3105 | | | PRIVATE void tplt_xfer(const char *name, FILE *in, FILE *out, int *lineno) |
| 3106 | | | { |
| 3107 | | | int i, iStart; |
| 3108 | | | char line[LINESIZE]; |
| 3109 | | | while( fgets(line,LINESIZE,in) && (line[0]!='%' || line[1]!='%') ){ |
Event 1:
Entering loop body.
- fgets(line, 1000, in) evaluates to true.
- line[0] != 37 evaluates to true.
| 3110 | | | (*lineno)++; |
| 3111 | | | iStart = 0; |
| 3112 | | | if( name ){ |
Event 2:
Taking true branch. name evaluates to true.
| 3113 | | | for(i=0; line[i] && i<LINESIZE; i++){ |
Event 4:
During loop iterations, i is set to an unknown value (the analysis lost precision when tracking this value, so this warning may be a false positive).
- This determines the position accessed in the buffer during the buffer overrun later.
Event 6:
Considering the case where i is no more than 999 so the value assigned to i must have been no more than 999. See related event 4.
Event 8:
i is set to i + 1, which evaluates to the value assigned to i, plus 1. See related event 4.
Buffer Overrun
This code could read past the end of line.
- The code reads 1 byte starting at offset i from the beginning of line, whose capacity is 1000 bytes.
- The number of bytes read could exceed the number of allocated bytes beyond that offset.
- i evaluates to the value assigned to i, plus 1, which is bounded above by 1000. See related event 8.
- The overrun occurs in stack memory.
The issue can occur if the highlighted code executes. See related events 6 and 8.
| 3114 | | | if( line[i]=='P' && i<(LINESIZE-5) && strncmp(&line[i],"Parse",5)==0 |
Event 7:
Skipping " if". line[i] == 80 evaluates to false.
| 3115 | | | && (i==0 || !safe_isalpha(line[i-1])) |
| 3116 | | | ){ |
| 3117 | | | if( i>iStart ) fprintf(out,"%.*s",i-iStart,&line[iStart]); |
| 3118 | | | fprintf(out,"%s",name); |
| 3119 | | | i += 4; |
| 3120 | | | iStart = i+1; |
| |