(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| |
| 519 | | | static int acttab_insert(acttab *p){ |
| 520 | | | int i, j, k, n; |
| 521 | | | assert( p->nLookahead>0 );
/usr/include/assert.h |
| |
91 | # define assert(expr) \ |
92 | ((expr) \ |
93 | ? __ASSERT_VOID_CAST (0) \ |
94 | : __assert_fail (__STRING(expr), __FILE__, __LINE__, __ASSERT_FUNCTION)) |
| |
/usr/include/assert.h |
| |
42 | # define __ASSERT_VOID_CAST (void) |
| |
/usr/include/assert.h |
| |
109 | # define __ASSERT_FUNCTION __PRETTY_FUNCTION__ |
| |
|
Event 1:
p->nLookahead > 0 evaluates to true.
|
|
| 522 | | | |
| 523 | | | |
| 524 | | | |
| 525 | | | |
| 526 | | | |
| 527 | | | n = p->mxLookahead + 1; |
| 528 | | | if( p->nAction + n >= p->nActionAlloc ){ |
Event 2:
Taking true branch. p->nAction + n >= p->nActionAlloc evaluates to true.
|
|
| 529 | | | int oldAlloc = p->nActionAlloc; |
| 530 | | | p->nActionAlloc = p->nAction + n + p->nActionAlloc + 20; |
Event 3:
p->nActionAlloc is set to an unknown value (unknown: the analysis lost precision when tracking this value, so this warning may be a false positive). This value determines the allocation size later.
|
|
| 531 | | | p->aAction = realloc( p->aAction, |
Integer Overflow of Allocation Size
- If the multiplication at lemon.c:532 overflows, then realloc() may allocate less space than expected; this might result in buffer overruns later.
- The allocation size is sizeof( p->aAction[0] ) * p->nActionAlloc, which evaluates to the value assigned to p->nActionAlloc at lemon.c:530, times 8.
The issue can occur if the highlighted code executes. See related event 4.
|
| 532 | | | sizeof(p->aAction[0])*p->nActionAlloc); |
Event 4:
8 * p->nActionAlloc, which evaluates to the value assigned to p->nActionAlloc at lemon.c:530, times 8, is passed to realloc() as the second argument. - This multiplication may overflow and it is used as the allocation size later.
See related event 3.
|
|
| |