(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c)
2539  void Parse(struct lemon *gp)
2540  {
2541    struct pstate ps;
2542    FILE *fp;
2543    char *filebuf;
2544    long filesize;
2545    int lineno;
2546    char c;
2547    char *cp, *nextcp;
2548    int startline = 0;
2549
2550    memset(&ps, '\0', sizeof(ps));
2551    ps.gp = gp;
2552    ps.filename = gp->filename;
2553    ps.errorcnt = 0;
2554    ps.state = INITIALIZE;
2555    ps.prevrule = NULL;
2556    ps.preccounter = 0;
2557    ps.lastrule = NULL;
2558    ps.firstrule = NULL;
2559    ps.lhs = NULL;
2560    ps.nrhs = 0;
2561    ps.lhsalias = NULL;
2562    ps.declkeyword = NULL;
2563    ps.declargslot = NULL;
2564    ps.declassoc = UNK;
2565    ps.fallback = NULL;
2566
2567
2568    fp = fopen(ps.filename,"rb");
2569    if( fp==0 ){
Event 1:
Skipping " if". fp == 0 evaluates to false.
2570      ErrorMsg(ps.filename,0,"Can't open this file for reading.");
2571      gp->errorcnt++;
2572      return;
2573    }
2574    fseek(fp,0,2);
2575    filesize = ftell(fp);
Event 2:
ftell() returns a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input).
- This determines the capacity of the buffer that will be overrun later.
Event 3:
Considering the case where ftell(fp) is equal to -1.
Event 4:
filesize is set to ftell(fp). See related event 2.
2576    rewind(fp);
2577
2578    filebuf = (char *)malloc( filesize+1 );
Event 5:
filesize + 1, which evaluates to ftell(fp) + 1 from lemon.c:2575, is passed to malloc(). See related event 4.
Event 7:
Inside malloc(), the capacity of the buffer pointed to by malloc(filesize + 1) is set to ftell(fp) + 1 from lemon.c:2575. See related event 5.
Event 8:
filebuf is set to malloc(filesize + 1). See related event 6.
2579    if( filebuf==0 ){
Event 9:
Skipping " if". filebuf == 0 evaluates to false.
2580      ErrorMsg(ps.filename,0,"Can't allocate %ld of memory to hold this file.",
2581        filesize+1);
2582      gp->errorcnt++;
2583      return;
2584    }
2585    if( fread(filebuf,1,filesize,fp)!=(size_t)filesize ){
Event 10:
filebuf, which evaluates to malloc(filesize + 1) from lemon.c:2578, is passed to fread() as the first argument. See related event 8.
Buffer Overrun
This code writes past the end of the buffer pointed to by filebuf.
- filebuf evaluates to malloc(filesize + 1) from lemon.c:2578.
- fread() writes to the byte at the beginning of the buffer pointed to by filebuf.
- The offset exceeds the capacity.
- The capacity of the buffer pointed to by filebuf, in bytes, is ftell(fp) + 1 from lemon.c:2575, which must be equal to 0. See related events 7 and 10.
- The overrun occurs in heap memory.
The issue can occur if the highlighted code executes. See related events 3, 7, and 10.