(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/mempool-alloconly.c) |
| 269 | | | static void *pool_alloconly_malloc(pool_t pool, size_t size) |
| 270 | | | { |
| 271 | | | struct alloconly_pool *apool = (struct alloconly_pool *)pool; |
Event 1:
apool is set to pool.
| 272 | | | void *mem; |
| 273 | | | size_t alloc_size; |
| 274 | | | |
| 275 | | | if (unlikely(size == 0 || size > SSIZE_T_MAX)) |
Event 2:
Skipping "if": size == 0 evaluates to false, and
size > 2147483647 evaluates to false.
Event 3:
Skipping "if": !(size == 0 || size > 2147483647) evaluates to true.
Event 4:
Skipping "if": !!(size == 0 || size > 2147483647) evaluates to false.
Event 5:
Skipping "if": __builtin_expect(...) evaluates to false.
| 276 | | | i_panic("Trying to allocate %"PRIuSIZE_T" bytes", size); |
| 277 | | | |
| 278 | | | #ifndef DEBUG |
| 279 | | | alloc_size = MEM_ALIGN(size);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
24 | #define MEM_ALIGN(size) \ |
25 | (((size) + MEM_ALIGN_SIZE-1) & ~((unsigned int) MEM_ALIGN_SIZE-1)) |
| 280 | | | #else |
| 281 | | | alloc_size = MEM_ALIGN(sizeof(size)) + MEM_ALIGN(size + SENTRY_COUNT); |
| 282 | | | #endif |
| 283 | | | |
| 284 | | | if (apool->block->left < alloc_size) { |
Event 6:
Taking true branch. apool->block->left < alloc_size evaluates to true.
| 285 | | | |
| 286 | [+] | | block_alloc(apool, alloc_size + SIZEOF_POOLBLOCK);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
24 | #define MEM_ALIGN(size) \ |
25 | (((size) + MEM_ALIGN_SIZE-1) & ~((unsigned int) MEM_ALIGN_SIZE-1)) |
Event 7:
apool, which evaluates to pool, is passed to block_alloc() as the first argument. See related event 1.
| 287 | | | } |
| 288 | | | |
| 289 | | | mem = POOL_BLOCK_DATA(apool->block) +
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/mempool-alloconly.c |
42 | #define POOL_BLOCK_DATA(block) \ |
43 | ((unsigned char *) (block) + SIZEOF_POOLBLOCK) |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
24 | #define MEM_ALIGN(size) \ |
25 | (((size) + MEM_ALIGN_SIZE-1) & ~((unsigned int) MEM_ALIGN_SIZE-1)) |
| 290 | | | (apool->block->size - apool->block->left); |
Buffer Overrun
This code reads past the end of the buffer pointed to by apool->block:
- apool->block evaluates to calloc(size, 1) from mempool-alloconly.c:254.
- The first byte read is at offset 4 from the beginning of the buffer pointed to by apool->block, whose capacity is 1 byte.
- The offset exceeds the capacity.
- The overrun occurs in heap memory.
The issue can occur if the highlighted code executes. See related events 1, 27, and 34.