(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mail-index-strmap.c) |
| |
| 814 | | | static void mail_index_strmap_view_renumber(struct mail_index_strmap_view *view) |
| 815 | | | { |
| 816 | | | struct mail_index_strmap_read_context ctx; |
| 817 | | | struct mail_index_strmap_rec *recs, *hash_rec; |
| 818 | | | uint32_t prev_uid, str_idx, *recs_crc32, *renumber_map; |
| 819 | | | unsigned int i, dest, count, count2; |
| 820 | | | int ret; |
| 821 | | | |
| 822 | | | memset(&ctx, 0, sizeof(ctx)); |
| 823 | | | ctx.view = view; |
| 824 | | | |
| 825 | | | |
| 826 | | | |
| 827 | [+] | | renumber_map = i_new(uint32_t, view->next_str_idx);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/imem.h |
| |
8 | #define i_new(type, count) ((type *) i_malloc(sizeof(type) * (count))) |
| |
|
Event 1:
4 * view->next_str_idx is passed to i_malloc(). - This multiplication may overflow and it is used as the allocation size later.
hide
|
|
 |
| |