(/home/sate/Testcases/c/cve/wireshark-1.2.0/color_filters.c) |
| 465 | | | read_filters_file(FILE *f, gpointer user_data) |
| 466 | | | { |
| 467 | | | #define INIT_BUF_SIZE 128 |
| 468 | | | gchar *name = NULL; |
| 469 | | | gchar *filter_exp = NULL; |
| 470 | | | guint32 name_len = INIT_BUF_SIZE; |
| 471 | | | guint32 filter_exp_len = INIT_BUF_SIZE; |
| 472 | | | guint32 i = 0; |
| 473 | | | gint32 c; |
| 474 | | | guint16 fg_r, fg_g, fg_b, bg_r, bg_g, bg_b; |
| 475 | | | gboolean disabled = FALSE; |
| 476 | | | gboolean skip_end_of_line = FALSE; |
| 477 | | | |
| 478 | | | name = g_malloc(name_len + 1); |
| 479 | | | filter_exp = g_malloc(filter_exp_len + 1); |
| 480 | | | |
| 481 | | | while (1) { |
Event 3:
Entering loop body. 1 evaluates to true.
| 482 | | | |
| 483 | | | if (skip_end_of_line) { |
Event 4:
Skipping " if". skip_end_of_line evaluates to false.
| 484 | | | do { |
| 485 | | | c = getc(f); |
| 486 | | | } while (c != EOF && c != '\n'); |
| 487 | | | if (c == EOF) |
| 488 | | | break; |
| 489 | | | disabled = FALSE; |
| 490 | | | skip_end_of_line = FALSE; |
| 491 | | | } |
| 492 | | | |
| 493 | | | while ((c = getc(f)) != EOF && isspace(c)) { |
| 494 | | | if (c == '\n') { |
| 495 | | | continue; |
| 496 | | | } |
| 497 | | | } |
| 498 | | | |
| 499 | | | if (c == EOF) |
Event 6:
Skipping " if". c == -1 evaluates to false.
| 500 | | | break; |
| 501 | | | |
| 502 | | | if (c == '!') { |
Event 7:
Skipping " if". c == 33 evaluates to false.
| 503 | | | disabled = TRUE; |
| 504 | | | continue; |
| 505 | | | } |
| 506 | | | |
| 507 | | | |
| 508 | | | if (c != '@') { |
Event 8:
Skipping " if". c != 64 evaluates to false.
| 509 | | | skip_end_of_line = TRUE; |
| 510 | | | continue; |
| 511 | | | } |
| 512 | | | |
| 513 | | | |
| 514 | | | |
| 515 | | | |
| 516 | | | |
| 517 | | | |
| 518 | | | |
| 519 | | | i = 0; |
| 520 | | | while (1) { |
| 521 | | | c = getc(f); |
| 522 | | | if (c == EOF || c == '@') |
| 523 | | | break; |
| 524 | | | if (i >= name_len) { |
| 525 | | | |
| 526 | | | name_len *= 2; |
| 527 | | | name = g_realloc(name, name_len + 1); |
| 528 | | | } |
| 529 | | | name[i++] = c; |
| 530 | | | } |
| 531 | | | name[i] = '\0'; |
| 532 | | | |
| 533 | | | if (c == EOF) { |
Event 10:
Taking false branch. c == -1 evaluates to false.
| 534 | | | break; |
| 535 | | | } else if (i == 0) { |
Event 11:
Skipping " if". i == 0 evaluates to false.
| 536 | | | skip_end_of_line = TRUE; |
| 537 | | | continue; |
| 538 | | | } |
| 539 | | | |
| 540 | | | |
| 541 | | | i = 0; |
| 542 | | | while (1) { |
Event 13:
During loop iterations, i is set to i + 1, which evaluates to a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input). This determines the position accessed in the buffer during the buffer overrun reported later.
Event 14:
Continuing from loop body. Entering loop body. 1 evaluates to true.
| 543 | | | c = getc(f); |
| 544 | | | if (c == EOF || c == '@') |
Event 15:
Skipping " if". - c == -1 evaluates to false.
- c == 64 evaluates to false.
| 545 | | | break; |
| 546 | | | if (i >= filter_exp_len) { |
Event 16:
Taking true branch. i >= filter_exp_len evaluates to true.
| 547 | | | |
| 548 | | | filter_exp_len *= 2; |
| 549 | | | filter_exp = g_realloc(filter_exp, filter_exp_len + 1); |
Event 17:
g_realloc is an Undefined Function.
Event 18:
filter_exp is set to g_realloc(...). - This points to the buffer that will be overrun later.
| 550 | | | } |
| 551 | | | filter_exp[i++] = c; |
Buffer Overrun
This code could write past the end of the buffer pointed to by filter_exp:
- filter_exp evaluates to g_realloc(...) from color_filters.c:549.
- The code writes 1 byte starting at offset i++ from the beginning of the buffer pointed to by filter_exp.
- The number of bytes written could exceed the number of allocated bytes beyond that offset.
- i++ evaluates to the value assigned to i at color_filters.c:542, plus 1, which is bounded below by 1. See related event 13.
- The capacity of the buffer pointed to by filter_exp, in bytes, is the capacity of the buffer returned by g_realloc(...) at color_filters.c:549. See related event 18. Because g_realloc is an undefined function from the analysis's point of view (event 17), the analysis has no bound for that capacity.
- If i++ plus 1 is higher than the capacity of the buffer returned by g_realloc(...) at color_filters.c:549, an overrun will occur. The analysis cannot rule out this possibility, so it has issued this warning.
The issue can occur if the highlighted code executes. See related events 13 and 18.