(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/uat_load.c) |
| |
| 1226 | | | static int yy_get_next_buffer (void) |
| 1227 | | | { |
| 1228 | | | register char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/uat_load.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
| 1229 | | | register char *source = (yytext_ptr); |
| 1230 | | | register int number_to_move, i; |
| 1231 | | | int ret_val; |
| 1232 | | | |
| 1233 | | | if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] )
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/uat_load.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
Event 1:
Skipping " if". yy_c_buf_p > &yy_buffer_stack[yy_buffer_stack_top]->yy_ch_buf[yy_n_chars + 1] evaluates to false.
|
|
| 1234 | | | YY_FATAL_ERROR( |
| 1235 | | | "fatal flex scanner internal error--end of buffer missed" ); |
| 1236 | | | |
| 1237 | | | if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 )
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/uat_load.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
Event 2:
Skipping " if". yy_buffer_stack[yy_buffer_stack_top]->yy_fill_buffer == 0 evaluates to false.
|
|
| 1238 | | | { |
| 1239 | | | if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 ) |
| 1240 | | | { |
| 1241 | | | |
| 1242 | | | |
| 1243 | | | |
| 1244 | | | return EOB_ACT_END_OF_FILE; |
| 1245 | | | } |
| 1246 | | | |
| 1247 | | | else |
| 1248 | | | { |
| 1249 | | | |
| 1250 | | | |
| 1251 | | | |
| 1252 | | | return EOB_ACT_LAST_MATCH; |
| 1253 | | | } |
| 1254 | | | } |
| 1255 | | | |
| 1256 | | | |
| 1257 | | | |
| 1258 | | | |
| 1259 | | | number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr)) - 1; |
| 1260 | | | |
| 1261 | | | for ( i = 0; i < number_to_move; ++i ) |
Event 3:
Leaving loop. i < number_to_move evaluates to false.
|
|
| 1262 | | | *(dest++) = *(source++); |
| 1263 | | | |
| 1264 | | | if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/uat_load.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
Event 4:
Taking false branch. yy_buffer_stack[yy_buffer_stack_top]->yy_buffer_status == 2 evaluates to false.
|
|
| 1265 | | | |
| 1266 | | | |
| 1267 | | | |
| 1268 | | | YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0;
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/uat_load.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
| 1269 | | | |
| 1270 | | | else |
| 1271 | | | { |
| 1272 | | | int num_to_read = |
| 1273 | | | YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/uat_load.c |
| |
296 | #define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)] |
| |
|
| 1274 | | | |
| 1275 | | | while ( num_to_read <= 0 ) |
Event 5:
Entering loop body. num_to_read <= 0 evaluates to true.
|
|
| 1276 | | | { |
| 1277 | | | |
| 1278 | | | |
| 1279 | | | YY_BUFFER_STATE b = YY_CURRENT_BUFFER;
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/uat_load.c |
| |
289 | #define YY_CURRENT_BUFFER ( (yy_buffer_stack) \ |
290 | ? (yy_buffer_stack)[(yy_buffer_stack_top)] \ |
291 | : NULL) |
| |
|
Event 6:
yy_buffer_stack evaluates to true.
Event 7:
b is set to yy_buffer_stack ? yy_buffer_stack[yy_buffer_stack_top] : (void *)0. - Determines the allocation size later.
|
|
| 1280 | | | |
| 1281 | | | int yy_c_buf_p_offset = |
| 1282 | | | (int) ((yy_c_buf_p) - b->yy_ch_buf); |
| 1283 | | | |
| 1284 | | | if ( b->yy_is_our_buffer ) |
Event 8:
Taking true branch. b->yy_is_our_buffer evaluates to true.
|
|
| 1285 | | | { |
| 1286 | | | int new_size = b->yy_buf_size * 2; |
| 1287 | | | |
| 1288 | | | if ( new_size <= 0 ) |
Event 9:
Taking false branch. new_size <= 0 evaluates to false.
|
|
| 1289 | | | b->yy_buf_size += b->yy_buf_size / 8; |
| 1290 | | | else |
| 1291 | | | b->yy_buf_size *= 2; |
Event 10:
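b->yy_buf_size is set to 2 * b->yy_buf_size, which evaluates to (yy_buffer_stack ? yy_buffer_stack[yy_buffer_stack_top] : (void *)0)->yy_buf_size at uat_load.c:1279, times 2, where b is yy_buffer_stack ? yy_buffer_stack[yy_buffer_stack_top] : (void *)0 from uat_load.c:1279. - This multiplication may overflow, and its result is used as the allocation size later. The new_size <= 0 test at line 1288 inspects a separate int copy of the product; whether passing that test also excludes a wrapped value in yy_buf_size depends on the declared type of yy_buf_size, which this trace does not show.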
See related event 7.
|
|
| 1292 | | | |
| 1293 | | | b->yy_ch_buf = (char *) |
| 1294 | | | |
| 1295 | [+] | | uat_load_realloc((void *) b->yy_ch_buf,b->yy_buf_size + 2 ); |
Event 11:
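b->yy_buf_size + 2, which evaluates to (yy_buffer_stack ? yy_buffer_stack[yy_buffer_stack_top] : (void *)0)->yy_buf_size at uat_load.c:1279, times 2, plus 2, is passed to uat_load_realloc() as the second argument. Neither the doubling nor the + 2 is range-checked in the lines shown, so if either wraps, the requested size can be smaller than the data the buffer already holds. How the returned pointer is checked lies beyond the end of this excerpt. See related events 7 and 10.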
|
|
 |
| |