(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/ftypes/ftype-string.c)

string_to_repr(fvalue_t *fv, ftrepr_t rtype, char *buf)
{
    gchar *p, c;
    char *bufp;
    char hex[3];

    if (rtype == FTREPR_DFILTER) {
Event 1:
Taking true branch. rtype == FTREPR_DFILTER evaluates to true.
        bufp = buf;
        *bufp++ = '"';
        for (p = fv->value.string; (c = *p) != '\0'; p++) {
Event 2:
Entering loop body. (c = *p) != 0 evaluates to true.
            if (c == '\\' || c == '"') {
                *bufp++ = '\\';
                *bufp++ = c;
            }
            else if (!isprint((unsigned char)c)) {
Event 4:
Taking true branch. isprint((unsigned char)c) evaluates to false.
                sprintf(hex, "%02x", (unsigned char) c);
Event 5:
"%02x" is passed to sprintf() as the second argument.
Event 6:
hex is passed to sprintf() as the first argument. - This points to the buffer that will be overrun later.
Buffer Overrun
This code writes past the end of the buffer pointed to by hex.
- sprintf() writes 9 bytes starting at the beginning of the buffer pointed to by hex, whose capacity is 3 bytes.
- The number of bytes written exceeds the number of allocated bytes.
- The overrun occurs in stack memory.
The issue can occur if the highlighted code executes. See related events 5 and 6.