(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-mail/message-size.c) |
| |
| 8 | | | int (struct istream *input, struct message_size *hdr, |
| 9 | | | bool *has_nuls) |
| 10 | | | { |
| 11 | | | const unsigned char *msg; |
| 12 | | | size_t i, size, startpos, missing_cr_count; |
| 13 | | | int ret = 0; |
| 14 | | | |
| 15 | | | memset(hdr, 0, sizeof(struct message_size)); |
| 16 | | | if (has_nuls != NULL) |
Event 1:
Skipping " if". has_nuls != (void *)0 evaluates to false.
hide
|
|
| 17 | | | *has_nuls = FALSE; |
| 18 | | | |
| 19 | | | missing_cr_count = 0; startpos = 0; |
| 20 | [+] | | while (i_stream_read_data(input, &msg, &size, startpos) > 0) { |
Event 3:
&msg is passed to i_stream_read_data() as the second argument.
hide
|
|
 |
| 21 | | | for (i = startpos; i < size; i++) { |
Event 10:
Entering loop body. i < size evaluates to true.
hide
|
|
| 22 | | | if (msg[i] != '\n') { |
Null Pointer Dereference
msg is dereferenced here, but it is NULL. The issue can occur if the highlighted code executes. See related event 7. Show: All events | Only primary events |
|
| 23 | | | if (msg[i] == '\0' && has_nuls != NULL) |
| 24 | | | *has_nuls = TRUE; |
| 25 | | | continue; |
| 26 | | | } |
| 27 | | | |
| 28 | | | hdr->lines++; |
| 29 | | | if (i == 0 || msg[i-1] != '\r') { |
| 30 | | | |
| 31 | | | missing_cr_count++; |
| 32 | | | } |
| 33 | | | |
| 34 | | | if (i == 0 || (i == 1 && msg[i-1] == '\r')) { |
| 35 | | | |
| 36 | | | break; |
| 37 | | | } |
| 38 | | | |
| 39 | | | if ((i > 0 && msg[i-1] == '\n') || |
| 40 | | | (i > 1 && msg[i-2] == '\n' && msg[i-1] == '\r')) { |
| 41 | | | |
| 42 | | | break; |
| 43 | | | } |
| 44 | | | } |
| 45 | | | |
| 46 | | | if (i < size) { |
| 47 | | | |
| 48 | | | startpos = i+1; |
| 49 | | | break; |
| 50 | | | } |
| 51 | | | |
| 52 | | | |
| 53 | | | startpos = size == 1 ? 1 : 2; |
| 54 | | | i_stream_skip(input, i - startpos); |
| 55 | | | |
| 56 | | | hdr->physical_size += i - startpos; |
| |