(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| |
| 2029 | | | static void parseonetoken(struct pstate *psp) |
| 2030 | | | { |
| 2031 | | | char *x; |
| 2032 | | | x = Strsafe(psp->tokenstart); |
| 2033 | | | #if 0 |
| 2034 | | | printf("%s:%d: Token=[%s] state=%d\n",psp->filename,psp->tokenlineno, |
| 2035 | | | x,psp->state); |
| 2036 | | | #endif |
| 2037 | | | switch( psp->state ){ |
Event 1:
psp->state evaluates to 3.
| 2038 | | | case INITIALIZE: |
| 2039 | | | psp->prevrule = 0; |
| 2040 | | | psp->preccounter = 0; |
| 2041 | | | psp->firstrule = psp->lastrule = 0; |
| 2042 | | | psp->gp->nrule = 0; |
| 2043 | | | |
| 2044 | | | case WAITING_FOR_DECL_OR_RULE: |
| 2045 | | | if( x[0]=='%' ){ |
| 2046 | | | psp->state = WAITING_FOR_DECL_KEYWORD; |
| 2047 | | | }else if( safe_islower(x[0]) ){ |
| 2048 2364 |  | | [ Lines 2048 to 2364 omitted. ] |
| 2365 | | | }else{ |
| 2366 | | | sp->prec = psp->preccounter; |
| 2367 | | | sp->assoc = psp->declassoc; |
| 2368 | | | } |
| 2369 | | | }else{ |
| 2370 | | | ErrorMsg(psp->filename,psp->tokenlineno, |
| 2371 | | | "Can't assign a precedence to \"%s\".",x); |
| 2372 | | | psp->errorcnt++; |
| 2373 | | | } |
| 2374 | | | break; |
| 2375 | | | case WAITING_FOR_DECL_ARG: |
| 2376 | | | if( (x[0]=='{' || x[0]=='\"' || safe_isalnum(x[0])) ){ |
Event 2:
Taking true branch. x[0] == 123 evaluates to true.
| 2377 | | | char *zOld, *zNew, *zBuf, *z; |
| 2378 | | | int nOld, n, nLine, nNew, nBack; |
| 2379 | | | int addLineMacro; |
| 2380 | | | char zLine[50]; |
| 2381 | | | zNew = x; |
| 2382 | | | if( zNew[0]=='"' || zNew[0]=='{' ) zNew++; |
| 2383 | | | nNew = (int) strlen(zNew); |
| 2384 | | | if( *psp->declargslot ){ |
Event 4:
Taking true branch. *psp->declargslot evaluates to true.
| 2385 | | | zOld = *psp->declargslot; |
Event 5:
zOld is set to *psp->declargslot. - Dereferenced later, causing the null pointer dereference.
| 2386 | | | }else{ |
| 2387 | | | zOld = ""; |
| 2388 | | | } |
| 2389 | | | nOld = (int) strlen(zOld); |
Event 6:
zOld, which evaluates to *psp->declargslot, is passed to __builtin_strlen(). See related event 5.
Event 7:
__builtin_strlen() returns the length of the string pointed to by zOld, which evaluates to the length of the string pointed to by *psp->declargslot. See related event 6.
Event 8:
nOld is set to strlen(zOld), which evaluates to the length of the string pointed to by *psp->declargslot. See related event 7.
| 2390 | | | n = nOld + nNew + 20; |
| 2391 | | | addLineMacro = psp->insertLineMacro && |
Event 9:
psp->insertLineMacro evaluates to true.
| 2392 | | | (psp->decllinenoslot==0 || psp->decllinenoslot[0]!=0); |
Event 10:
psp->decllinenoslot == 0 evaluates to true.
| 2393 | | | if( addLineMacro ){ |
Event 11:
Taking true branch. addLineMacro evaluates to true.
| 2394 | | | for(z=psp->filename, nBack=0; *z; z++){ |
Event 12:
Leaving loop. *z evaluates to false.
| 2395 | | | if( *z=='\\' ) nBack++; |
| 2396 | | | } |
| 2397 | | | sprintf(zLine, "#line %d ", psp->tokenlineno); |
| 2398 | | | nLine = (int) strlen(zLine); |
| 2399 | | | n += nLine + (int) strlen(psp->filename) + nBack; |
| 2400 | | | } |
| 2401 | | | *psp->declargslot = zBuf = realloc(*psp->declargslot, n); |
Event 13:
realloc() returns NULL.
Event 14:
zBuf is set to realloc(*psp->declargslot, n), which evaluates to NULL. See related event 13.
| 2402 | | | zBuf += nOld; |
Event 15:
zBuf, which is NULL at this point, is advanced by nOld, which evaluates to the length of the string pointed to by *psp->declargslot. See related events 8 and 14.
| 2403 | | | if( addLineMacro ){ |
Event 16:
Taking true branch. addLineMacro evaluates to true.
| 2404 | | | if( nOld && zBuf[-1]!='\n' ){ |
Event 17:
Skipping the body of the "if". nOld evaluates to false.
Event 18:
Considering the case where nOld is equal to 0 so the length of the string pointed to by *psp->declargslot must have been equal to 0. See related event 8.
| 2405 | | | *(zBuf++) = '\n'; |
| 2406 | | | } |
| 2407 | | | memcpy(zBuf, zLine, nLine); |
Event 19:
zBuf, which evaluates to NULL advanced by the length of the string pointed to by *psp->declargslot, is passed to memcpy() as the first argument. See related event 15.
Null Pointer Dereference
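The body of memcpy() dereferences zBuf, but it is NULL. - realloc() returned NULL at line 2401 and the result was used unchecked; zBuf was then advanced by the length of the string pointed to by *psp->declargslot, which must be equal to 0, so it is still NULL when it reaches memcpy(). The missing check is on the return value of realloc() at line 2401, and it has to come before the `zBuf += nOld` at line 2402: with a nonzero nOld the same failure would produce an invalid non-NULL pointer rather than NULL. Because line 2401 also stores the result straight into *psp->declargslot, a failed realloc() overwrites the only pointer to the old buffer, which is still allocated.
The issue can occur if the highlighted code executes. See related events 18 and 19.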
|
| |