(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| 4498 | | | int Symbol_insert(struct symbol *data, char *key) |
| 4499 | | | { |
| 4500 | | | x2node *np; |
| 4501 | | | int h; |
| 4502 | | | int ph; |
| 4503 | | | |
| 4504 | | | if( x2a==0 ) return 0; |
Event 1:
Skipping " if". x2a == 0 evaluates to false.
| 4505 | | | ph = strhash(key); |
| 4506 | | | h = ph & (x2a->size-1); |
| 4507 | | | np = x2a->ht[h]; |
| 4508 | | | while( np ){ |
Event 2:
Leaving loop. np evaluates to false.
| 4509 | | | if( strcmp(np->key,key)==0 ){ |
| 4510 | | | |
| 4511 | | | |
| 4512 | | | return 0; |
| 4513 | | | } |
| 4514 | | | np = np->next; |
| 4515 | | | } |
| 4516 | | | if( x2a->count>=x2a->size ){ |
Event 3:
Taking true branch. x2a->count >= x2a->size evaluates to true.
| 4517 | | | |
| 4518 | | | int i,size; |
| 4519 | | | struct s_x2 array; |
| 4520 | | | array.size = size = x2a->size*2; |
Event 4:
size is set to 2 * x2a->size. - Determines the allocation size later.
| 4521 | | | array.count = x2a->count; |
| 4522 | | | array.tbl = (x2node*)malloc( |
| 4523 | | | (sizeof(x2node) + sizeof(x2node*))*size ); |
Event 5:
20 * size, which evaluates to 40 * x2a->size, is passed to malloc(). - This multiplication may overflow and it is used as the allocation size later.
See related event 4.
Integer Overflow of Allocation Size
- If the multiplication at lemon.c:4523 overflows, then malloc() may allocate less space than expected; this might result in buffer overruns later.
- The allocation size is (sizeof( x2node ) + sizeof( x2node * )) * size, which evaluates to 40 * x2a->size, which is bounded above by 40 * x2a->count.
The issue can occur if the highlighted code executes. See related event 5.