(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mail-index-sync-ext.c) |
| |
| 461 | | | int mail_index_sync_ext_intro(struct mail_index_sync_map_ctx *ctx, |
| 462 | | | const struct mail_transaction_ext_intro *u) |
| 463 | | | { |
| 464 | | | struct mail_index_map *map = ctx->view->map; |
| 465 | | | struct ext_hdr; |
| 466 | | | const struct mail_index_ext *ext; |
| 467 | | | const char *name, *error; |
| 468 | | | uint32_t ext_map_idx; |
| 469 | | | bool no_shrink; |
| 470 | | | |
| 471 | | | |
| 472 | | | |
| 473 | | | ctx->cur_ext_map_idx = (uint32_t)-2; |
| 474 | | | ctx->cur_ext_ignore = TRUE; |
Event 1:
!0 evaluates to true.
|
|
| 475 | | | |
| 476 | | | if (u->ext_id != (uint32_t)-1 && |
Event 2:
Skipping "if".
- u->ext_id != (uint32_t)-1 evaluates to true.
- array_is_created_i(...) evaluates to true.
|
|
| 477 | | | (!array_is_created(&map->extensions) ||
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
91 | #define array_is_created(array) \ |
92 | array_is_created_i(&(array)->arr) |
| |
|
| 478 | [+] | | u->ext_id >= array_count(&map->extensions))) { |
 |
| 479 | | | if (!mail_index_sync_ext_unknown_complain(ctx, u->ext_id)) |
| 480 | | | return -1; |
| 481 | | | mail_index_sync_set_corrupted(ctx, |
| 482 | | | "Extension introduction for unknown id %u", u->ext_id); |
| 483 | | | return -1; |
| 484 | | | } |
| 485 | | | |
| 486 | | | if (u->ext_id == (uint32_t)-1 && u->name_size == 0) { |
Event 4:
Skipping "if". u->ext_id == (uint32_t)-1 evaluates to false.
|
|
| 487 | | | mail_index_sync_set_corrupted(ctx, |
| 488 | | | "Extension introduction without id or name"); |
| 489 | | | return -1; |
| 490 | | | } |
| 491 | | | |
| 492 | | | if (u->ext_id != (uint32_t)-1) { |
Event 5:
Taking true branch. u->ext_id != (uint32_t)-1 evaluates to true.
|
|
| 493 | | | name = NULL; |
Event 6:
name is set to NULL. It is dereferenced later (see event 15), causing the null pointer dereference.
|
|
| 494 | | | ext_map_idx = u->ext_id; |
| 495 | | | } else { |
| 496 | | | name = t_strndup(u + 1, u->name_size); |
| 497 | | | if (!mail_index_map_lookup_ext(map, name, &ext_map_idx)) |
| 498 | | | ext_map_idx = (uint32_t)-1; |
| 499 | | | } |
| 500 | | | ext = ext_map_idx == (uint32_t)-1 ? NULL : |
Event 7:
ext_map_idx == (uint32_t)-1 evaluates to false.
|
|
| 501 | [+] | | array_idx(&map->extensions, ext_map_idx);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
165 | #define array_idx(array, idx) \ |
166 | ARRAY_TYPE_CAST_CONST(array)array_idx_i(&(array)->arr, idx) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
43 | # define ARRAY_TYPE_CAST_CONST(array) \ |
44 | (typeof(*(array)->v)) |
| |
|
 |
| 502 | | | if (ext != NULL) |
Event 13:
Skipping "if". ext != (void *)0 evaluates to false, so name is not reassigned from ext->name and keeps the NULL from event 6.
|
|
| 503 | | | name = ext->name; |
| 504 | | | |
| 505 | | | if (!ctx->internal_update && |
Event 14:
Skipping "if". ctx->internal_update evaluates to true, so the strcmp(name, ...) operand on line 506 is not evaluated on this path.
|
|
| 506 | | | strcmp(name, MAIL_INDEX_EXT_KEYWORDS) == 0) { |
| 507 | | | |
| 508 | | | |
| 509 | | | |
| 510 | | | mail_index_sync_set_corrupted(ctx, |
| 511 | | | "Extension introduction for keywords"); |
| 512 | | | return -1; |
| 513 | | | } |
| 514 | | | |
| 515 | | | memset(&ext_hdr, 0, sizeof(ext_hdr)); |
| 516 | | | ext_hdr.name_size = strlen(name); |
Event 15:
name, which evaluates to NULL, is passed to __builtin_strlen(). See related event 6.
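Null Pointer Dereference
The body of __builtin_strlen() dereferences name, but it is NULL. The issue can occur if the highlighted code executes. See related event 15.
Triage note on the reported path: name stays NULL only when u->ext_id != (uint32_t)-1 (event 5) and the array_idx() lookup on line 501 yields a NULL ext (event 13). The check on lines 476-478 has already returned -1 for any u->ext_id that is >= array_count(&map->extensions), and events 8-12 inside array_idx() are collapsed on this page. Whether an in-range index can actually produce a NULL ext should therefore be confirmed against array_idx_i() before the finding is treated as reachable. If it can, strcmp(name, MAIL_INDEX_EXT_KEYWORDS) on line 506 would dereference the same NULL earlier whenever ctx->internal_update is false; an explicit NULL check on name before line 505 would cover both uses.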
|
| |