(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| 4696 | | | int State_insert(struct state *data, struct config *key) |
| 4697 | | | { |
| 4698 | | | x3node *np; |
| 4699 | | | int h; |
| 4700 | | | int ph; |
| 4701 | | | |
| 4702 | | | if( x3a==0 ) return 0; |
Event 1:
Skipping " if". x3a == 0 evaluates to false.
| 4703 | | | ph = statehash(key); |
| 4704 | | | h = ph & (x3a->size-1); |
| 4705 | | | np = x3a->ht[h]; |
| 4706 | | | while( np ){ |
Event 2:
Leaving loop. np evaluates to false.
| 4707 | | | if( statecmp(np->key,key)==0 ){ |
| 4708 | | | |
| 4709 | | | |
| 4710 | | | return 0; |
| 4711 | | | } |
| 4712 | | | np = np->next; |
| 4713 | | | } |
| 4714 | | | if( x3a->count>=x3a->size ){ |
Event 3:
Taking true branch. x3a->count >= x3a->size evaluates to true.
| 4715 | | | |
| 4716 | | | int i,size; |
| 4717 | | | struct s_x3 array; |
| 4718 | | | array.size = size = x3a->size*2; |
Event 4:
size is set to 2 * x3a->size. - Determines the allocation size later.
| 4719 | | | array.count = x3a->count; |
| 4720 | | | array.tbl = (x3node*)malloc( |
| 4721 | | | (sizeof(x3node) + sizeof(x3node*))*size ); |
Event 5:
20 * size, which evaluates to 40 * x3a->size, is passed to malloc(). - This multiplication may overflow and it is used as the allocation size later.
See related event 4.
Integer Overflow of Allocation Size
- If the multiplication at lemon.c:4721 overflows, then malloc() may allocate less space than expected; this might result in buffer overruns later.
- The allocation size is (sizeof( x3node ) + sizeof( x3node * )) * size, which evaluates to 40 * x3a->size, which is bounded above by 40 * x3a->count.
The issue can occur if the highlighted code executes. See related event 5.