(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mail-transaction-log-file.c) |
| |
| 1414 | | | mail_transaction_log_file_map_mmap(struct mail_transaction_log_file *file, |
| 1415 | | | uoff_t start_offset) |
| 1416 | | | { |
| 1417 | | | struct stat st; |
| 1418 | | | int ret; |
| 1419 | | | |
| 1420 | | | |
| 1421 | | | |
| 1422 | | | i_assert(file->buffer_offset == 0 || file->mmap_base == NULL);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 1:
Skipping " if". file->buffer_offset == 0 evaluates to true.
Event 2:
Skipping " if". !(file->buffer_offset == 0 || file->mmap_base == (void *)0) evaluates to false.
Event 3:
Skipping " if". !!(file->buffer_offset == 0 || file->mmap_base == (void *)0) evaluates to true.
Event 4:
Skipping " if". !!!(file->buffer_offset == 0 || file->mmap_base == (void *)0) evaluates to false.
Event 5:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 1423 | | | i_assert(file->mmap_size == 0 || file->mmap_base != NULL);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 6:
Skipping " if". file->mmap_size == 0 evaluates to true.
Event 7:
Skipping " if". !(file->mmap_size == 0 || file->mmap_base != (void *)0) evaluates to false.
Event 8:
Skipping " if". !!(file->mmap_size == 0 || file->mmap_base != (void *)0) evaluates to true.
Event 9:
Skipping " if". !!!(file->mmap_size == 0 || file->mmap_base != (void *)0) evaluates to false.
Event 10:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 1424 | | | |
| 1425 | | | if (fstat(file->fd, &st) < 0) { |
Event 11:
Skipping " if". fstat(file->fd, &st) < 0 evaluates to false.
|
|
| 1426 | | | mail_index_file_set_syscall_error(file->log->index, |
| 1427 | | | file->filepath, "fstat()"); |
| 1428 | | | return -1; |
| 1429 | | | } |
| 1430 | | | file->last_size = st.st_size; |
| 1431 | | | |
| 1432 | | | if ((uoff_t)st.st_size < file->sync_offset) { |
Event 12:
Skipping " if". (uoff_t)st.st_size < file->sync_offset evaluates to false.
|
|
| 1433 | | | mail_transaction_log_file_set_corrupted(file, |
| 1434 | | | "file size shrank"); |
| 1435 | | | return 0; |
| 1436 | | | } |
| 1437 | | | |
| 1438 | | | if (file->buffer != NULL && file->buffer_offset <= start_offset && |
Event 13:
Skipping " if". file->buffer != (void *)0 evaluates to false.
Event 14:
Considering the case where file->buffer is NULL, because the test file->buffer != (void *)0 on line 1438 evaluated to false (Event 13).
|
|
| 1439 | | | (uoff_t)st.st_size == file->buffer_offset + file->buffer->used) { |
| 1440 | | | |
| 1441 | | | if ((ret = mail_transaction_log_file_sync(file)) < 0) |
| 1442 | | | return 0; |
| 1443 | | | if (ret > 0) |
| 1444 | | | return 1; |
| 1445 | | | |
| 1446 | | | } |
| 1447 | | | |
| 1448 | | | do { |
| 1449 | [+] | | mail_transaction_log_file_munmap(file); |
Event 15:
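file is passed to mail_transaction_log_file_munmap() and is dereferenced later; the analyzer reports that later dereference as the null pointer dereference. On this path only file->buffer has been assumed NULL (Event 14); file itself was already dereferenced by the assertions on lines 1422 and 1423, so triage should check how the callee handles a NULL file->buffer.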
|
|
 |
| |