CodeSonar : pvm3.4.6 : Buffer Overrun

pvm3.4.6 : pvm3.4.6 analysis 2 : Buffer Overrun at trcfile.c:3480

Categories:	LANG.MEM.BO CWE:120 CWE:121 CWE:122 CWE:126
Warning ID:	22173.29228
Procedure:	trc_process_trace_event
Trace:	view
Modified:	Thu Nov 26 11:36:21 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/tracer/trcfile.c

			Enter trc_process_trace_event

3073

trc_process_trace_event( ID, name, entry_exit, index )

TRC_ID ID;

char *name;

int entry_exit;

int index;

{

TRC_DATADESC DD;

TRC_TEVDESC TD;

TRC_TEVREC TR;

...

short read_short;

long read_long;

int read_int;

char c;

int i, j;

int flag;

int num;

if ( !(ID->handle_event) )

3105

{

3106

trc_find_event_end( ID );

return( TRC_TRUE );

}

TD = (TRC_TEVDESC) trc_lookup_trie ( TRC_EVENT_TRIE, name );

3112

3113

while ( TD != NULL &&

3114

( TD->entry_exit != entry_exit || TD->index != index ) )

{

TD = TD->next;

}

if ( TD == NULL )

{

printf( "Error: Event \"%s\" Descriptor Not Found\n", name );

3122

3123

trc_find_event_end( ID );

return( TRC_FALSE );

}

if ( !trc_find_event_str( ID, "{" ) )

return( TRC_FALSE );

/* matching } */

DD = TD->ddesc;

TR = (TRC_TEVREC) NULL;

while ( DD != NULL )

{

if ( TR == NULL )

trptr = TR = trc_create_tevrec(); /* Leak (ID: 465.29226) */

3141

3142

else

3143

trptr = trptr->next = trc_create_tevrec();

trptr->ddesc = DD;

if ( DD->array == TEV_DATA_ARRAY )

3148

{

3149

if ( !trc_find_event_str( ID, "[" ) )

3150

return( TRC_FALSE );

3151

3152

flag = fscanf( ID->trace_in, "%d", &num );

if ( flag != 1 )

{

printf( "Error Parsing Event Record\n" );

3157

3158

trc_find_event_end( ID );

return( TRC_FALSE );

}

if ( !trc_find_event_str( ID, "{" ) )

return( TRC_FALSE );

/* matching } */

}

else

num = 1;

trptr->value = trc_make_value( DD->dt, ( num > 0 ) ? num : 1 ); /* Leak (ID: 464.29225) */

3173

3174

if ( trptr->value == NULL )

3175

{

3176

printf( "Error Allocating Value dt=%d num=%d\n",

DD->dt, num );

return( TRC_FALSE );

}

trptr->num = num;

switch ( DD->dt )

{

case TEV_DATA_NULL: break;

case TEV_DATA_BYTE:

{

if ( DD->array == TEV_DATA_ARRAY )

3191

{

3192

if ( !trc_find_event_str( ID, "\"" ) )

return( TRC_FALSE );

i = 0;

while ( i < num

&& (c = getc( ID->trace_in )) != (char) EOF

3199

&& c != '"' )

3200

{

3201

TRC_ARR_VALUE_OF( trptr->value, char, i++ ) = c;

3202

}

3203

3204

TRC_CKEOF( c, "EOF Parsing Event Record\n",

3205

return( TRC_FALSE ) );

if ( i == num )

{

printf( "Error: Character Overflow\n" );

return( TRC_FALSE );

}

TRC_ARR_VALUE_OF( trptr->value, char, i ) = '\0';

}

else

{

while ( (c = getc( ID->trace_in )) != (char) EOF

3220

&& ( c == ' ' || c == '\t' || c == '\n' ) );

3221

3222

TRC_CKEOF( c, "EOF Parsing Event Record\n",

3223

return( TRC_FALSE ) );

3224

3225

TRC_VALUE_OF( trptr->value, char ) = c;

}

break;

}

case TEV_DATA_CPLX:

case TEV_DATA_FLOAT:

{

for ( i=0 ; i < num ; i++ )

3235

{

3236

flag = fscanf( ID->trace_in, "%f", &read_float );

if ( flag != 1 )

{

printf( "Error Parsing Event Record\n" );

3241

3242

trc_find_event_end( ID );

return( TRC_FALSE );

}

TRC_ARR_VALUE_OF( trptr->value, float, i ) =

read_float;

if ( i < num - 1 )

{

if ( !trc_find_event_str( ID, "," ) )

return( TRC_FALSE );

}

}

break;

}

case TEV_DATA_DCPLX:

case TEV_DATA_DOUBLE:

3262

{

3263

for ( i=0 ; i < num ; i++ )

3264

{

3265

flag = fscanf( ID->trace_in, "%lf", &read_double );

if ( flag != 1 )

{

printf( "Error Parsing Event Record\n" );

3270

3271

trc_find_event_end( ID );

return( TRC_FALSE );

}

TRC_ARR_VALUE_OF( trptr->value, double, i ) =

read_double;

if ( i < num - 1 )

{

if ( !trc_find_event_str( ID, "," ) )

return( TRC_FALSE );

}

}

break;

}

case TEV_DATA_INT:

{

for ( i=0 ; i < num ; i++ )

3292

{

3293

flag = fscanf( ID->trace_in, "%d", &read_int );

if ( flag != 1 )

{

printf( "Error Parsing Event Record\n" );

3298

3299

trc_find_event_end( ID );

return( TRC_FALSE );

}

TRC_ARR_VALUE_OF( trptr->value, int, i ) = read_int;

if ( i < num - 1 )

{

if ( !trc_find_event_str( ID, "," ) )

return( TRC_FALSE );

}

}

break;

}

case TEV_DATA_UINT:

{

for ( i=0 ; i < num ; i++ )

3319

{

3320

flag = fscanf( ID->trace_in, "%u", &read_uint );

if ( flag != 1 )

{

printf( "Error Parsing Event Record\n" );

3325

3326

trc_find_event_end( ID );

return( TRC_FALSE );

}

TRC_ARR_VALUE_OF( trptr->value, unsigned int, i ) =

read_uint;

if ( i < num - 1 )

{

if ( !trc_find_event_str( ID, "," ) )

return( TRC_FALSE );

}

}

break;

}

case TEV_DATA_LONG:

{

for ( i=0 ; i < num ; i++ )

3347

{

3348

flag = fscanf( ID->trace_in, "%ld", &read_long );

if ( flag != 1 )

{

printf( "Error Parsing Event Record\n" );

3353

3354

trc_find_event_end( ID );

return( TRC_FALSE );

}

TRC_ARR_VALUE_OF( trptr->value, long, i ) =

read_long;

if ( i < num - 1 )

{

if ( !trc_find_event_str( ID, "," ) )

return( TRC_FALSE );

}

}

break;

}

case TEV_DATA_ULONG:

{

for ( i=0 ; i < num ; i++ )

3375

{

3376

flag = fscanf( ID->trace_in, "%lu", &read_ulong );

if ( flag != 1 )

{

printf( "Error Parsing Event Record\n" );

3381

3382

trc_find_event_end( ID );

return( TRC_FALSE );

}

TRC_ARR_VALUE_OF( trptr->value, unsigned long, i ) =

read_ulong;

if ( i < num - 1 )

{

if ( !trc_find_event_str( ID, "," ) )

return( TRC_FALSE );

}

}

break;

}

case TEV_DATA_SHORT:

{

for ( i=0 ; i < num ; i++ )

3403

{

3404

flag = fscanf( ID->trace_in, "%hd", &read_short );

if ( flag != 1 )

{

printf( "Error Parsing Event Record\n" );

3409

3410

trc_find_event_end( ID );

return( TRC_FALSE );

}

TRC_ARR_VALUE_OF( trptr->value, short, i ) =

read_short;

if ( i < num - 1 )

{

if ( !trc_find_event_str( ID, "," ) )

return( TRC_FALSE );

}

}

break;

}

case TEV_DATA_USHORT:

3429

{

3430

for ( i=0 ; i < num ; i++ )

3431

{

3432

flag = fscanf( ID->trace_in, "%hu", &read_ushort );

if ( flag != 1 )

{

printf( "Error Parsing Event Record\n" );

3437

3438

trc_find_event_end( ID );

return( TRC_FALSE );

}

TRC_ARR_VALUE_OF( trptr->value, unsigned short, i )

= read_ushort;

if ( i < num - 1 )

{

if ( !trc_find_event_str( ID, "," ) )

return( TRC_FALSE );

}

}

break;

}

case TEV_DATA_STRING:

3457

{

3458

if ( DD->array == TEV_DATA_SCALAR )

3459

{

3460

if ( !trc_find_event_str( ID, "{" ) )

return( TRC_FALSE );

}

for ( i=0 ; i < num ; i++ )

3465

{

3466

if ( !trc_find_event_str( ID, "\"" ) )

return( TRC_FALSE );

j = 0;

while ( (c = getc( ID->trace_in )) != (char) EOF

3472

&& c != '"' )

3473

{

3474

read_str[j++] = c; /* Buffer Overrun (ID: 22172.29227) */

3475

}

3476

3477

TRC_CKEOF( c, "EOF Parsing Event Record\n",

3478

return( TRC_FALSE ) );

3479

j > 1023

3480

read_str[j] = '\0'; /* Buffer Overrun */

3481

3482

TRC_ARR_VALUE_OF( trptr->value, char *, i ) =

3483

trc_copy_str ( read_str );

if ( i < num - 1 )

{

if ( !trc_find_event_str( ID, "," ) )

return( TRC_FALSE );

}

}

if ( DD->array == TEV_DATA_SCALAR )

3493

{

3494

if ( !trc_find_event_str( ID, "}" ) )

return( TRC_FALSE );

}

break;

}

case TEV_DATA_STRUCT_START:

3502

case TEV_DATA_STRUCT_END:

3503

case TEV_DATA_DEFERRED:

3504

{

3505

printf( "DT Not Impl\n" );

3506

3507

trc_find_event_end( ID );

...

default:

{

printf( "DT Unknown\n" );

3515

3516

trc_find_event_end( ID );

return( TRC_FALSE );

}

}

if ( DD->array == TEV_DATA_ARRAY )

{

/* matching { */

if ( !trc_find_event_str( ID, "}" ) )

return( TRC_FALSE );

}

if ( DD->next != NULL )

3531

{

3532

if ( !trc_find_event_str( ID, "," ) )

return( TRC_FALSE );

}

DD = DD->next;

Preconditions

&$unknown_12088564 != 0
&$unknown_12088566 >= 3
ID->handle_event != 0
((char*)&((char*)((char*)$unknown_12088561)[32])[24])[4] <= 12
((char*)&((char*)((char*)$unknown_12088561)[32])[24])[4] >= 0
((char*)&((char*)$unknown_12088563)[20])[4] = 12
((char*)&((char*)$unknown_12088563)[20])[8] = 128
$input_12 = 1
$input_622036 >= 1
$input_630556 = &$unknown_12088566
$input_630556 >= 3
$input_630564 != 34
$input_630564 <= 254
$input_630564 >= -1
$input_630572 = 34

Postconditions

DD' = ((char*)&$unknown_12088563)[20]
TD' = ((char*)&$unknown_12088561)[32]
TR' = &$unknown_12088564
c' = $input_630572
errno' != 0
flag' = $input_12
$heap_435455' = ((char*)&$unknown_12088563)[20]
bytes_after(&$heap_435455)' = 16
$heap_435455' is allocated by malloc
$heap_435455' is allocated
bytes_before(&$heap_435455)' = 0
((char*)&$heap_435455)[4]' = &$unknown_12088567
((char*)&$heap_435455)[8]' = &$unknown_12088566
((char*)&$heap_435455)[12]' = 0
j' = $input_622036
num' = &$unknown_12088566
trptr' = &$heap_435455

Change Warning 22173.29228 : Buffer Overrun

Priority:
State:
Finding:
Owner:
Note: