CodeSonar : pvm3.4.6 : Buffer Overrun

pvm3.4.6 : pvm3.4.6 analysis 2 : Buffer Overrun at trcfile.c:2872

Categories:	LANG.MEM.BO CWE:120 CWE:121 CWE:122 CWE:126
Warning ID:	463.29224
Procedure:	trc_read_descriptor
Trace:	view
Modified:	Thu Nov 26 11:36:20 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/tracer/trcfile.c

			Enter trc_read_descriptor

2766

trc_read_descriptor( ID, eid, name, entry_exit, index )

TRC_ID ID;

int eid;

char *name;

int entry_exit;

int index;

{

TRC_DATADESC DD;

TRC_TEVDESC TD;

TRC_TEVDESC tdptr;

...

char last;

char c;

long tmp;

int done;

int i;

/* Find first bracket */

2791

2792

if ( !trc_find_event_str( ID, "{" ) )

2793

return( (TRC_TEVDESC) NULL );

/* matching } */

/* Create Descriptor Structure */

2798

2799

TD = trc_create_tevdesc(); /* Leak (ID: 458.29219) */

TD->refcount = 1;

TD->name = trc_copy_str ( name ); /* Leak (ID: 459.29220) */

TD->eid = eid;

TD->entry_exit = entry_exit;

TD->index = index;

/* Read in Data Descriptor Statements */

done = 0;

{

/* matching { */

while ( (c = getc( ID->trace_in )) != (char) EOF

2820

&& c != '/' && c != '}' );

2821

2822

TRC_CKEOF( c, "EOF Reading Event Descriptor\n",

2823

return( (TRC_TEVDESC) NULL ) );

2824

2825

/* Another Descriptor Statement */

if ( c == '/' )

{

if ( TD->ddesc == NULL )

2830

DD = TD->ddesc = trc_create_datadesc(); /* Leak (ID: 457.29218) */

2831

2832

else

2833

DD = DD->next = trc_create_datadesc();

/* Get Second '/' */

c = getc( ID->trace_in );

2838

2839

TRC_CKEOF( c, "EOF Reading Event Descriptor\n",

2840

return( (TRC_TEVDESC) NULL ) );

if ( c != '/' )

{

printf( "Error Parsing Event Descriptor\n" );

2845

2846

return( (TRC_TEVDESC) NULL );

2847

}

2848

2849

/* Read in TRC_DID Name */

2850

2851

if ( !trc_find_event_str( ID, "\"" ) )

2852

return( (TRC_TEVDESC) NULL );

i = 0;

while ( (c = getc( ID->trace_in )) != (char) EOF

2857

&& c != '"' && i < 8 )

{

did[i++] = c;

}

TRC_CKEOF( c, "EOF Reading Event Descriptor\n",

2863

return( (TRC_TEVDESC) NULL ) );

if ( c != '"' )

{

printf( "Error Parsing Event Descriptor\n" );

2868

2869

return( (TRC_TEVDESC) NULL );

}

did[i] = '\0'; /* Buffer Overrun */

2873

2874

/* Read in TRC_DID Description */

2875

2876

if ( !trc_find_event_str( ID, "\"" ) )

2877

return( (TRC_TEVDESC) NULL );

i = 0;

while ( (c = getc( ID->trace_in )) != (char) EOF

2882

&& c != '"' && i < 1024 )

{

diddesc[i++] = c;

}

TRC_CKEOF( c, "EOF Reading Event Descriptor\n",

2888

return( (TRC_TEVDESC) NULL ) );

if ( c != '"' )

{

printf( "Error Parsing Event Descriptor\n" );

2893

2894

return( (TRC_TEVDESC) NULL );

2895

}

2896

2897

diddesc[i] = '\0'; /* Buffer Overrun (ID: 462.29223) */

2898

2899

/* Get Descriptor TRC_DID struct */

2900

2901

DD->did = (TRC_DID) trc_lookup_trie ( TRC_DID_TRIE,

2902

(void *) did );

2903

2904

if ( DD->did == NULL )

2905

{

2906

DD->did = trc_create_did();

2907

2908

DD->did->name = trc_copy_str ( did );

2909

2910

DD->did->desc = trc_copy_str ( diddesc );

}

/* Get Data Type */

while ( (c = getc( ID->trace_in )) != (char) EOF

2916

&& ( c == ' ' || c == '\t' || c == '\n' ) );

2917

2918

TRC_CKEOF( c, "EOF Reading Event Descriptor\n",

2919

return( (TRC_TEVDESC) NULL ) );

dtstr[0] = c;

i = 1;

while ( (c = getc( ID->trace_in )) != (char) EOF

2926

&& c != ' ' && c != '\t' && c != '\n' && c != '"' )

2927

{

2928

dtstr[i++] = c; /* Buffer Overrun (ID: 460.29221) */

2929

}

2930

2931

TRC_CKEOF( c, "EOF Reading Event Descriptor\n",

2932

return( (TRC_TEVDESC) NULL ) );

2933

2934

dtstr[i] = '\0'; /* Buffer Overrun (ID: 461.29222) */

2935

2936

DD->dt = trc_get_dt_str( dtstr );

if ( DD->dt < 0 )

{

printf( "Error: Unknown Data Type \"%s\".\n", dtstr );

2941

2942

return( (TRC_TEVDESC) NULL );

2943

}

2944

2945

/* Skip over var name */

if ( c != '"' )

{

if ( !trc_find_event_str( ID, "\"" ) )

2950

return( (TRC_TEVDESC) NULL );

2951

}

2952

2953

if ( !trc_find_event_str( ID, "\"" ) )

2954

return( (TRC_TEVDESC) NULL );

2955

2956

/* Check for Data Array */

2957

2958

c = getc( ID->trace_in );

2959

2960

TRC_CKEOF( c, "EOF Reading Event Descriptor\n",

2961

return( (TRC_TEVDESC) NULL ) );

if ( c == '[' )

{

if ( DD->dt == TEV_DATA_BYTE

2966

|| DD->dt == TEV_DATA_STRING )

2967

{

2968

/* Get closing ']' */

2969

2970

c = getc( ID->trace_in );

2971

2972

TRC_CKEOF( c, "EOF Reading Event Descriptor\n",

2973

return( (TRC_TEVDESC) NULL ) );

if ( c != ']' )

{

printf( "Error Parsing Event Descriptor\n" );

2978

2979

return( (TRC_TEVDESC) NULL );

2980

}

2981

2982

/* Check for another [] */

2983

2984

c = getc( ID->trace_in );

2985

2986

TRC_CKEOF( c, "EOF Reading Event Descriptor\n",

2987

return( (TRC_TEVDESC) NULL ) );

2988

2989

/* [][] -> STRING[] */

2990

if ( c == '[' )

2991

{

2992

if ( DD->dt == TEV_DATA_BYTE )

2993

DD->dt = TEV_DATA_STRING;

2994

2995

DD->array = TEV_DATA_ARRAY;

}

/* [] -> BYTE[] */

else

{

if ( DD->dt == TEV_DATA_STRING )

3002

DD->dt = TEV_DATA_BYTE;

3003

3004

DD->array = TEV_DATA_ARRAY;

}

}

else

DD->array = TEV_DATA_ARRAY;

}

else

DD->array = TEV_DATA_SCALAR;

3014

}

3015

3016

/* End of Descriptor */

else

{

if ( !trc_find_event_end( ID ) )

3021

return( (TRC_TEVDESC) NULL );

done++;

}

}

while ( !done );

Preconditions

&$unknown_12087687 != 0
$input_12 = 47
$input_585524 <= 8
$input_585524 >= 1
$input_621876 = 47
$input_621884 != 34
$input_621884 <= 254
$input_621884 >= -1
$input_621892 = 34

Postconditions

DD' = &$heap_435005
TD' = &$heap_435003
c' = $input_621892
done' >= -1
done' <= 0
errno' != 0
$heap_435003' = &$heap_435004
bytes_after(&$heap_435003)' = 36
$heap_435003' is allocated by malloc
$heap_435003' is allocated
bytes_before(&$heap_435003)' = 0
((char*)&$heap_435003)[16]' = -1
((char*)&$heap_435003)[20]' = -1
((char*)&$heap_435003)[24]' = &$unknown_12087687
((char*)&$heap_435003)[28]' = 1
((char*)&$heap_435003)[32]' = 0
((char*)&$heap_435003)[4]' = eid
((char*)&$heap_435003)[8]' = entry_exit
((char*)&$heap_435003)[12]' = index
$heap_435004' = *name
bytes_after(&$heap_435004)' = strlen(name) + 1
$heap_435004' is allocated by malloc
$heap_435004' is allocated
bytes_before(&$heap_435004)' = 0
strlen(&$heap_435004)' = strlen(name)
tocttou($heap_435004)' = tocttou(*name)
$heap_435005' = 0
bytes_after(&$heap_435005)' = 24
$heap_435005' is allocated by malloc
$heap_435005' is allocated
bytes_before(&$heap_435005)' = 0
((char*)&$heap_435005)[16]' = -1
((char*)&$heap_435005)[20]' = 0
((char*)&$heap_435005)[4]' = -1
((char*)&$heap_435005)[8]' = -1
((char*)&$heap_435005)[12]' = 0
i' = $input_585524

Change Warning 463.29224 : Buffer Overrun

Priority:
State:
Finding:
Owner:
Note: