(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c)
| 3040 | | | PRIVATE char *pathsearch(char *argv0, char *name, int modemask) |
| 3041 | | | { |
| 3042 | | | char *pathlist; |
| 3043 | | | char *path,*cp; |
| 3044 | | | char c; |
| 3045 | | | |
| 3046 | | | #ifdef __WIN32__ |
| 3047 | | | cp = strrchr(argv0,'\\'); |
| 3048 | | | #else |
| 3049 | | | cp = strrchr(argv0,'/'); |
| 3050 | | | #endif |
| 3051 | | | if( cp ){ |
Event 1:
Taking false branch. cp evaluates to false.
| 3052 | | | c = *cp; |
| 3053 | | | *cp = 0; |
| 3054 | | | path = (char *)malloc( strlen(argv0) + strlen(name) + 2 ); |
| 3055 | | | if( path ) sprintf(path,"%s/%s",argv0,name); |
| 3056 | | | *cp = c; |
| 3057 | | | }else{ |
| 3058 | | | pathlist = getenv("PATH"); |
Event 3:
Inside getenv(), the length of the string pointed to by getenv("PATH") is set to a potentially dangerous value [ ?potentially dangerous: the value cannot be determined and may come from program input].
Event 4:
Considering the case where the length of the string pointed to by getenv("PATH") is at least 0.
Event 5:
pathlist is set to getenv("PATH"). See related event 2.
| 3059 | | | if( pathlist==0 ) pathlist = ".:/bin:/usr/bin"; |
Event 6:
Skipping " if". pathlist == 0 evaluates to false.
| 3060 | | | path = (char *)malloc( strlen(pathlist)+strlen(name)+2 ); |
Event 7:
strlen(...) + strlen(...) + 2 is passed to malloc(). - This determines the capacity of the buffer that will be overrun later.
Event 9:
Inside malloc(), the capacity of the buffer pointed to by malloc(...) is set to strlen(...) + strlen(...) + 2. See related event 7.
Event 10:
path is set to malloc(...). See related event 8.
| 3061 | | | if( path!=0 ){ |
Event 11:
Taking true branch. path != 0 evaluates to true.
| 3062 | | | while( *pathlist ){ |
Event 12:
Entering loop body. *pathlist evaluates to true.
Event 13:
Considering the case where the length of the string pointed to by pathlist is not equal to 0 so the length of the string pointed to by getenv("PATH") at lemon.c:3058 must have been at least 1. See related events 3, 4, and 5.
| 3063 | | | cp = strchr(pathlist,':'); |
| 3064 | | | if( cp==0 ) cp = &pathlist[strlen(pathlist)]; |
Event 14:
Taking true branch. cp == 0 evaluates to true.
| 3065 | | | c = *cp; |
| 3066 | | | *cp = 0; |
| 3067 | | | sprintf(path,"%s/%s",pathlist,name); |
Event 15:
name is passed to sprintf() as the fourth argument.
Event 16:
pathlist, which evaluates to getenv("PATH") from lemon.c:3058, is passed to sprintf() as the third argument. See related event 5.
Event 17:
"%s/%s" is passed to sprintf() as the second argument.
Event 18:
path, which evaluates to malloc(...) from lemon.c:3060, is passed to sprintf() as the first argument. See related event 10.
Buffer Overrun
This code could write past the end of the buffer pointed to by path.
- path evaluates to malloc(...) from lemon.c:3060.
- sprintf() writes multiple bytes starting at the beginning of the buffer pointed to by path.
- The number of bytes written could exceed the number of allocated bytes.
- The number of bytes written is the length of the string pointed to by getenv("PATH") at lemon.c:3058, plus 2, which is bounded below by 3.
- The capacity of the buffer pointed to by path, in bytes, is strlen(...) + strlen(...) + 2 from lemon.c:3060, which is bounded below by 0. See related events 9 and 18.
- If the length of the string pointed to by getenv("PATH") at lemon.c:3058, plus 2 is higher than strlen(...) + strlen(...) + 2 from lemon.c:3060, an overrun will occur. The analysis cannot rule out this possibility, so has issued this warning.
- The overrun occurs in heap memory.
The issue can occur if the highlighted code executes. See related events 3, 9, 13, 15, 16, 17, and 18.