(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/diam_dict.c) |
| |
| 2721 | | | static void yy_push_state (int new_state ) |
| 2722 | | | { |
| 2723 | | | if ( (yy_start_stack_ptr) >= (yy_start_stack_depth) ) |
Event 1:
Taking true branch. yy_start_stack_ptr >= yy_start_stack_depth evaluates to true.
hide
|
|
| 2724 | | | { |
| 2725 | | | yy_size_t new_size; |
| 2726 | | | |
| 2727 | | | (yy_start_stack_depth) += YY_START_STACK_INCR; |
Event 2:
yy_start_stack_depth is set to yy_start_stack_depth + 25. - Determines the allocation size later.
hide
|
|
| 2728 | | | new_size = (yy_start_stack_depth) * sizeof( int ); |
Event 3:
new_size is set to 4 * yy_start_stack_depth, which evaluates to 4 * yy_start_stack_depth + 100. - This multiplication may overflow and it is used as the allocation size later.
See related event 2.
hide
|
|
| 2729 | | | |
| 2730 | | | if ( ! (yy_start_stack) ) |
Event 4:
Taking false branch. yy_start_stack evaluates to true.
hide
|
|
| 2731 | | | (yy_start_stack) = (int *) DiamDictalloc(new_size ); |
| 2732 | | | |
| 2733 | | | else |
| 2734 | [+] | | (yy_start_stack) = (int *) DiamDictrealloc((void *) (yy_start_stack),new_size ); |
Event 5:
new_size, which evaluates to 4 * yy_start_stack_depth + 100, is passed to DiamDictrealloc() as the second argument. See related event 3.
hide
|
|
 |
| |