(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/emem.c)
| 1472 | | | emem_tree_insert_string(emem_tree_t* se_tree, const gchar* k, void* v, guint32 flags) |
| 1473 | | | { |
| 1474 | | | emem_tree_key_t key[2]; |
| 1475 | | | guint32 *aligned=NULL; |
| 1476 | | | guint32 len = (guint32) strlen(k); |
| 1477 | | | guint32 div = (len+3)/4+1; |
Event 1:
div is set to an unknown value (unknown: the analysis lost precision when tracking this value, so this warning may be a false positive). Determines the allocation size later.
| 1478 | | | guint32 i; |
| 1479 | | | guint32 tmp; |
| 1480 | | | |
| 1481 | | | aligned = malloc(div * sizeof (guint32)); |
Event 2:
4 * div, which evaluates to the value assigned to div at emem.c:1477, times 4, is passed to malloc(). This multiplication may overflow and it is used as the allocation size later.
See related event 1.
Integer Overflow of Allocation Size
- If the multiplication at emem.c:1481 overflows, then malloc() may allocate less space than expected; this might result in buffer overruns later.
- The allocation size is div * sizeof( guint32 ), which evaluates to the value assigned to div at emem.c:1477, times 4.
The issue can occur if the highlighted code executes. See related event 2.