CodeSonar : pvm3.4.6 : Integer Overflow of Allocation Size

pvm3.4.6 : pvm3.4.6 analysis 2 : Integer Overflow of Allocation Size at trcfile.c:1371

Categories:	ALLOC.IOAS BSI:MALLOC-OVERFLOW CWE:680
Warning ID:	22158.29167
Procedure:	trc_store_trace_event
Trace:	view
Modified:	Thu Nov 26 11:35:32 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/tracer/trcfile.c

			Enter trc_store_trace_event

964

trc_store_trace_event( ID, TD, tid, omit )

TRC_ID ID;

TRC_TEVDESC TD;

int tid;

int omit;

{

TRC_DATADESC DD;

TRC_TEVTASK TT;

char upk_byte[TRC_MAX_UNPACK_ARR_SIZE];

...

int maxlen;

int ignore;

int tusec;

int tsec;

int len;

int num;

int i;

/* Dump Descriptor (if necessary) */

998

999

if ( !omit && TD->dump )

1000

trc_dump_tevdesc( ID, TD, tid );

1001

1002

/* Set New Task Flag */

1003

1004

TT = (TRC_TEVTASK) NULL;

tsec = tusec = -1;

newtask = TRC_FALSE;

endtask = TRC_FALSE;

if ( !strcmp( TD->name, "newtask" )

1012

|| !strcmp( TD->name, "spntask" ) )

{

newtask = TRC_TRUE;

}

else if ( !strcmp( TD->name, "endtask" ) )

endtask = TRC_TRUE;

ignore = TRC_FALSE;

/* Store Event Header */

1023

1024

if ( !omit )

1025

trc_store_event_header( ID, TD, tid );

1026

1027

/* Store Remainder of Event */

DD = TD->ddesc;

while ( DD != NULL )

{

if ( DD->array == TEV_DATA_ARRAY )

1034

{

1035

TRC_PVMCKERR ( pvm_upkint( &num , 1, 1 ),

1036

"Array Unpack", return( TRC_FALSE ) );

1037

1038

if ( num > TRC_MAX_UNPACK_ARR_SIZE /* Uninitialized Variable (ID: 22163.29172) */

1039

&& DD->dt != TEV_DATA_STRING )

1040

{

1041

if ( !omit )

1042

printf( "Error: Unpack Size %d Too Large\n", num );

return( TRC_FALSE );

}

if ( !omit )

{

if ( DD->dt == TEV_DATA_CPLX

1050

|| DD->dt == TEV_DATA_DCPLX )

1051

{

1052

fprintf( ID->trace_out, "[%d] { ", num * 2 );

/* matching } */

}

else if ( DD->dt == TEV_DATA_STRING )

1057

fprintf( ID->trace_out, "[%d] ", num );

1058

1059

else if ( DD->dt == TEV_DATA_BYTE )

1060

{

1061

fprintf( ID->trace_out, "[%d] { ", num + 1 );

/* matching } */

}

else

{

fprintf( ID->trace_out, "[%d] { ", num );

/* matching } */

}

}

}

else

num = 1;

switch ( DD->dt )

{

case TEV_DATA_NULL: break;

case TEV_DATA_BYTE:

{

TRC_PVMCKERR ( pvm_upkbyte( upk_byte , num , 1 ),

1083

"Event BYTE Unpack", return( TRC_FALSE ) );

if ( omit )

break;

if ( DD->array == TEV_DATA_ARRAY )

1089

fprintf( ID->trace_out, "\"" );

1090

1091

for ( i=0 ; i < num ; i++ )

1092

fprintf( ID->trace_out, "%c", upk_byte[i] );

1093

1094

if ( DD->array == TEV_DATA_ARRAY )

1095

fprintf( ID->trace_out, "\"" );

break;

}

case TEV_DATA_CPLX:

{

TRC_PVMCKERR ( pvm_upkfloat( upk_float , num * 2, 1 ),

1103

"Event CPLX Unpack", return( TRC_FALSE ) );

if ( omit )

break;

for ( i=0 ; i < num ; i++ )

1109

{

1110

fprintf( ID->trace_out, "%f, %f",

1111

upk_float[ 2 * i ],

1112

upk_float[ (2 * i) + 1 ] );

1113

1114

if ( i < num - 1 )

1115

fprintf( ID->trace_out, ", " );

}

break;

}

case TEV_DATA_DCPLX:

{

TRC_PVMCKERR ( pvm_upkdouble( upk_double , num * 2, 1 ),

1124

"Event DCPLX Unpack", return( TRC_FALSE ) );

if ( omit )

break;

for ( i=0 ; i < num ; i++ )

1130

{

1131

fprintf( ID->trace_out, "%lf, %lf",

1132

upk_double[ 2 * i ],

1133

upk_double[ (2 * i) + 1 ] );

1134

1135

if ( i < num - 1 )

1136

fprintf( ID->trace_out, ", " );

}

break;

}

case TEV_DATA_DOUBLE:

1143

{

1144

TRC_PVMCKERR ( pvm_upkdouble( upk_double , num , 1 ),

1145

"Event DOUBLE Unpack", return( TRC_FALSE ) );

if ( omit )

break;

for ( i=0 ; i < num ; i++ )

1151

{

1152

fprintf( ID->trace_out, "%lf", upk_double[i] );

1153

1154

if ( i < num - 1 )

1155

fprintf( ID->trace_out, ", " );

}

break;

}

case TEV_DATA_FLOAT:

{

TRC_PVMCKERR ( pvm_upkfloat( upk_float , num , 1 ),

1164

"Event FLOAT Unpack", return( TRC_FALSE ) );

if ( omit )

break;

for ( i=0 ; i < num ; i++ )

1170

{

1171

fprintf( ID->trace_out, "%f", upk_float[i] );

1172

1173

if ( i < num - 1 )

1174

fprintf( ID->trace_out, ", " );

}

break;

}

case TEV_DATA_INT:

{

TRC_PVMCKERR ( pvm_upkint( upk_int , num , 1 ),

1183

"Event INT Unpack", return( TRC_FALSE ) );

if ( !omit )

{

for ( i=0 ; i < num ; i++ )

1188

{

1189

fprintf( ID->trace_out, "%d", upk_int[i] );

1190

1191

if ( i < num - 1 )

1192

fprintf( ID->trace_out, ", " );

}

}

if ( ( newtask || endtask )

1197

&& !strcmp( DD->did->name, "TID" ) )

1198

{

1199

if ( !omit && newtask )

1200

{

1201

TT = trc_get_tevtask_tid( ID, upk_int[0] );

if ( TT == NULL )

{

if ( !ignore )

{

sprintf( msg,

"Task TID=0x%x Connected to %s",

1209

upk_int[0], TRC_NAME );

1210

1211

trc_status_msg( ID, msg );

1212

}

1213

1214

TT = trc_create_tevtask();

1215

1216

TT->tid = upk_int[0];

1217

1218

TT->outstatus = TRC_TASK_NOOUT;

1219

1220

TT->next = ID->tevtask_list;

1221

1222

ID->tevtask_list = TT;

}

if ( !ignore )

TT->tevstatus = TRC_TASK_ALIVE;

1227

1228

else

1229

TT->tevstatus = TRC_TASK_IGNORE;

}

if ( endtask )

{

TT = trc_get_tevtask_tid( ID, upk_int[0] );

if ( TT != NULL )

{

if ( TT->tevstatus == TRC_TASK_ALIVE )

1239

{

1240

TT->tevstatus = TRC_TASK_DEAD;

1241

1242

trc_check_for_dead_host( ID, TT );

1243

1244

if ( !trc_tevtasks_alive( ID ) )

trc_end_trace( ID );

}

else

TT->tevstatus = TRC_TASK_DEAD;

}

else if ( !omit )

{

printf( "\nWarning: ENDTASK Unknown Task TID=0x%x.\n\n",

upk_int[0] );

}

}

}

else if ( !strcmp( DD->did->name, "TS" ) )

1261

tsec = upk_int[0]; /* Uninitialized Variable (ID: 22161.29170) */

1262

1263

else if ( !strcmp( DD->did->name, "TU" ) )

1264

tusec = upk_int[0]; /* Uninitialized Variable (ID: 22159.29168) */

break;

}

case TEV_DATA_UINT:

{

TRC_PVMCKERR ( pvm_upkint( upk_int , num , 1 ),

1272

"Event UINT Unpack", return( TRC_FALSE ) );

if ( omit )

break;

for ( i=0 ; i < num ; i++ )

1278

{

1279

fprintf( ID->trace_out, "%u",

1280

(unsigned) upk_int[i] );

1281

1282

if ( i < num - 1 )

1283

fprintf( ID->trace_out, ", " );

}

break;

}

case TEV_DATA_LONG:

{

TRC_PVMCKERR ( pvm_upklong( upk_long , num , 1 ),

1292

"Event LONG Unpack", return( TRC_FALSE ) );

if ( omit )

break;

for ( i=0 ; i < num ; i++ )

1298

{

1299

fprintf( ID->trace_out, "%ld", upk_long[i] );

1300

1301

if ( i < num - 1 )

1302

fprintf( ID->trace_out, ", " );

}

break;

}

case TEV_DATA_ULONG:

{

TRC_PVMCKERR ( pvm_upklong( upk_long , num , 1 ),

1311

"Event ULONG Unpack", return( TRC_FALSE ) );

if ( omit )

break;

for ( i=0 ; i < num ; i++ )

1317

{

1318

fprintf( ID->trace_out, "%ld", upk_long[i] );

1319

1320

if ( i < num - 1 )

1321

fprintf( ID->trace_out, ", " );

}

break;

}

case TEV_DATA_SHORT:

{

TRC_PVMCKERR ( pvm_upkshort( upk_short , num , 1 ),

1330

"Event SHORT Unpack", return( TRC_FALSE ) );

if ( omit )

break;

for ( i=0 ; i < num ; i++ )

1336

{

1337

fprintf( ID->trace_out, "%d", upk_short[i] );

1338

1339

if ( i < num - 1 )

1340

fprintf( ID->trace_out, ", " );

}

break;

}

case TEV_DATA_USHORT:

1347

{

1348

TRC_PVMCKERR ( pvm_upkshort( upk_short , num , 1 ),

1349

"Event USHORT Unpack", return( TRC_FALSE ) );

if ( omit )

break;

for ( i=0 ; i < num ; i++ )

1355

{

1356

fprintf( ID->trace_out, "%u", upk_short[i] );

1357

1358

if ( i < num - 1 )

1359

fprintf( ID->trace_out, ", " );

}

break;

}

case TEV_DATA_STRING:

{

if ( num < 1 )

break;

strarr = (char **) malloc( (unsigned) num

true

1371

* sizeof(char *) ); /* Integer Overflow of Allocation Size */ /* Leak (ID: 22156.29165) */

1372

trc_memcheck( strarr, "String Array" );

maxlen = 0;

for ( i=0 ; i < num ; i++ )

1377

{

1378

TRC_PVMCKERR ( pvm_upkstr( upk_str ),

1379

"Event STRING Unpack", return( TRC_FALSE ) );

1380

1381

if ( (len = strlen( upk_str )) > maxlen ) /* Uninitialized Variable (ID: 22162.29171) */

1382

maxlen = len;

1383

1384

strarr[i] = trc_copy_str ( upk_str );

1385

}

1386

1387

if ( !omit && newtask

1388

&& !strcmp( DD->did->name, "TN" ) )

1389

{

1390

if ( !(ID->group_tasks)

1391

&& TRC_GROUPTASK ( upk_str ) )

{

ignore = TRC_TRUE;

if ( TT != NULL )

{

sprintf( msg,

"Ignoring Task \"%s\"", upk_str );

1399

1400

trc_status_msg( ID, msg );

1401

1402

TT->tevstatus = TRC_TASK_IGNORE;

}

}

}

if ( !omit )

{

fprintf( ID->trace_out, "[%d] { ", maxlen + 1 );

1410

1411

for ( i=0 ; i < num ; i++ )

1412

{

1413

fprintf( ID->trace_out, "\"%s\"", strarr[i] );

1414

1415

if ( i < num - 1 )

1416

fprintf( ID->trace_out, ", " );

free( strarr[i] );

}

if ( DD->array == TEV_DATA_SCALAR )

1422

fprintf( ID->trace_out, " }" );

}

else

{

for ( i=0 ; i < num ; i++ )

free( strarr[i] );

}

free( strarr );

break;

}

case TEV_DATA_STRUCT_START:

1437

case TEV_DATA_STRUCT_END:

1438

case TEV_DATA_DEFERRED:

1439

{

1440

if ( !omit )

1441

printf( "DT Not Impl\n" );

break;

}

default:

{

if ( !omit )

printf( "DT Unknown\n" );

}

}

if ( !omit )

{

/* matching { */

if ( DD->array == TEV_DATA_ARRAY )

1458

fprintf( ID->trace_out, " }" );

1459

1460

if ( DD->next != NULL )

1461

fprintf( ID->trace_out, ", " );

1462

}

1463

1464

DD = DD->next;

Preconditions

omit = 0
&$unknown_11693756 >= 1025
ID->event_dump_hdr = 0
TD->dump = 0
TD->index >= 0
((char*)&((char*)$unknown_11693754)[20])[4] = 12
((char*)&((char*)$unknown_11693754)[20])[8] = 128
*TD->name = 115
strlen(*TD) = 7
pvmtoplvl != 0
$input_12 = 0

Postconditions

DD' = ((char*)&$unknown_11693754)[20]
TRC_TMP_CC' = 0
$unknown_11693757' is allocated by fopen
bytes_before(&$unknown_11693757)' = 0
endtask' = 0
newtask' = 1
num' = &$unknown_11693756
pvmtrc.trctid' >= 1
pvmtrccodef' = &$unknown_11693755

Change Warning 22158.29167 : Integer Overflow of Allocation Size

Priority:
State:
Finding:
Owner:
Note: