(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/plugins/virtual/virtual-sync.c) |
| |
| 1047 | | | static void virtual_sync_backend_map_uids(struct virtual_sync_context *ctx) |
| 1048 | | | { |
| 1049 | | | uint32_t virtual_ext_id = ctx->mbox->virtual_ext_id; |
| 1050 | | | struct virtual_sync_mail *vmails; |
| 1051 | | | struct virtual_backend_box *bbox, *const *bboxes; |
| 1052 | | | struct virtual_backend_uidmap *uidmap = NULL; |
| 1053 | | | struct virtual_add_record add_rec; |
| 1054 | | | const struct virtual_mail_index_record *vrec; |
| 1055 | | | const void *data; |
| 1056 | | | bool expunged; |
| 1057 | | | uint32_t i, vseq, vuid, messages, count; |
| 1058 | | | unsigned int j = 0, uidmap_count = 0; |
| 1059 | | | |
| 1060 | | | messages = mail_index_view_get_messages_count(ctx->sync_view); |
| 1061 | | | |
| 1062 | | | |
| 1063 | | | |
| 1064 | | | vmails = messages == 0 ? NULL : |
Event 1:
messages == 0 evaluates to true.
|
|
| 1065 | | | i_new(struct virtual_sync_mail, messages);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/imem.h |
| |
8 | #define i_new(type, count) ((type *) i_malloc(sizeof(type) * (count))) |
| |
|
Event 2:
vmails is set to `messages == 0 ? (void *)0 : (struct virtual_sync_mail *)i_malloc(...)`, which evaluates to NULL. This determines the value that is freed in the Free Null Pointer warning later.
|
|
| 1066 | | | for (vseq = 1; vseq <= messages; vseq++) { |
Event 3:
Leaving loop. vseq <= messages evaluates to false.
|
|
| 1067 | | | mail_index_lookup_ext(ctx->sync_view, vseq, virtual_ext_id, |
| 1068 | | | &data, &expunged); |
| 1069 | | | vrec = data; |
| 1070 | | | vmails[vseq-1].vseq = vseq; |
| 1071 | | | vmails[vseq-1].vrec = *vrec; |
| 1072 | | | } |
| 1073 | | | qsort(vmails, messages, sizeof(*vmails), virtual_sync_mail_cmp); |
| 1074 | | | |
| 1075 | | | |
| 1076 | | | |
| 1077 | | | memset(&add_rec, 0, sizeof(add_rec)); |
| 1078 | | | bbox = NULL; |
| 1079 | | | for (i = 0; i < messages; i++) { |
Event 4:
Leaving loop. i < messages evaluates to false.
|
|
| 1080 | | | vseq = vmails[i].vseq; |
| 1081 | | | vrec = &vmails[i].vrec; |
| 1082 | | | |
| 1083 | | | if (bbox == NULL || bbox->mailbox_id != vrec->mailbox_id) { |
| 1084 | | | |
| 1085 | | | for (; j < uidmap_count; j++) { |
| 1086 | | | add_rec.rec.real_uid = uidmap[j].real_uid; |
| 1087 | | | array_append(&ctx->all_adds, &add_rec, 1);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
116 | #define array_append(array, data, count) \ |
117 | array_append_i(&(array)->arr + ARRAY_TYPE_CHECK(array, data), \ |
118 | data, count) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
47 | # define ARRAY_TYPE_CHECK(array, data) \ |
48 | COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE( \ |
49 | **(array)->v_modifiable, *data) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
158 | # define COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(_a, _b) \ |
159 | COMPILE_ERROR_IF_TRUE( \ |
160 | !__builtin_types_compatible_p(typeof(_a), typeof(_b))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
156 | # define COMPILE_ERROR_IF_TRUE(condition) \ |
157 | (sizeof(char[1 - 2 * !!(condition)]) - 1) |
| |
|
| 1088 | | | } |
| 1089 | | | bbox = virtual_backend_box_lookup(ctx->mbox, |
| 1090 1111 |  | | [ Lines 1090 to 1111 omitted. ] |
| 1112 | | | } |
| 1113 | | | if (j == uidmap_count || uidmap[j].real_uid != vrec->real_uid) |
| 1114 | | | mail_index_expunge(ctx->trans, vseq); |
| 1115 | | | else { |
| 1116 | | | |
| 1117 | | | uidmap[j++].virtual_uid = vuid; |
| 1118 | | | virtual_sync_external_flags(ctx, bbox, vseq, |
| 1119 | | | vrec->real_uid); |
| 1120 | | | } |
| 1121 | | | } |
| 1122 | | | i_free(vmails);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/imem.h |
| |
14 | #define i_free(mem) \ |
15 | STMT_START { \ |
16 | free(mem); \ |
17 | (mem) = NULL; \ |
18 | } STMT_END |
| |
|
Event 5:
vmails, which evaluates to NULL, is passed to free(). See related event 2.
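Free Null Pointer
vmails is not a valid address: vmails evaluates to NULL when i_free() passes it to free() at line 1122.
- Some older implementations of free() have unsafe behavior on NULL pointers. ISO C (C89 and later) defines free(NULL) as a no-op, so on a conforming C library this call is harmless and the finding matters only for pre-standard runtimes.
- On the same path (messages == 0), the NULL vmails is also passed to qsort() at line 1073 with an element count of 0. Strictly, the C standard requires pointer arguments to the sort utilities to be valid even when the count is zero, so skipping the sort when messages == 0 removes that dependence on library behavior.
The issue can occur if the highlighted code executes. See related event 5.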
|
| |