(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/emem.c)
| 1523 | | | void * |
| 1524 | | | emem_tree_lookup_string(emem_tree_t* se_tree, const gchar* k, guint32 flags) |
| 1525 | | | { |
| 1526 | | | emem_tree_key_t key[2]; |
| 1527 | | | guint32 *aligned=NULL; |
| 1528 | | | guint32 len = (guint) strlen(k); |
| 1529 | | | guint32 div = (len+3)/4+1; |
Event 1:
div is set to an unknown value (the analysis lost precision when tracking this value, so this warning may be a false positive). Determines the allocation size later.
| 1530 | | | guint32 i; |
| 1531 | | | guint32 tmp; |
| 1532 | | | void *ret; |
| 1533 | | | |
| 1534 | | | aligned = malloc(div * sizeof (guint32)); |
Event 2:
4 * div, which evaluates to the value assigned to div at emem.c:1529, times 4, is passed to malloc(). This multiplication may overflow and it is used as the allocation size later.
See related event 1.
Integer Overflow of Allocation Size
- If the multiplication at emem.c:1534 overflows, then malloc() may allocate less space than expected; this might result in buffer overruns later.
- The allocation size is div * sizeof( guint32 ), which evaluates to the value assigned to div at emem.c:1529, times 4.
The issue can occur if the highlighted code executes. See related event 2.